
@beercow.bsky.social

"Distrust and caution are the parents of security." - Benjamin Franklin https://malwaremaloney.blogspot.com

407 Followers  |  186 Following  |  49 Posts  |  Joined: 06.11.2024  |  1.4029

Latest posts by beercow.bsky.social on Bluesky


Updated OneDrive Evolution. You can now compare two versions of OneDrive and see what has changed. #DFIR

malwaremaloney.blogspot.com/p/onedrive-e...

07.08.2025 03:02 — 👍 0    🔁 0    💬 0    📌 0
Release v2025.05.30 · Beercow/OneDriveExplorer · GitHub Change Log Fixed ODL bug fix FileUsageSynce bug fix

Something you may not know. OneDriveExplorer also works for the OneDrive sync client for macOS.

github.com/Beercow/OneD...

25.06.2025 00:04 — 👍 2    🔁 1    💬 0    📌 0

Today we learned Fishrocket (the one with the doughnut) has cancer. It’s an aggressive form of mast cell tumors. Treatment usually involves removing them but there are too many. They prescribe prednisone because they itch. Has diabetes so can’t give him prednisone. Poor guy.

20.06.2025 00:19 — 👍 0    🔁 0    💬 0    📌 0

1/ I successfully tested a LSASS dumping technique on a Windows 10 lab machine, which we encountered on a recent Incident Response engagement (no EDR, default Defender installed).

The "MiniDumpWriteDump" technique, as described here [1], was successful in writing the LSASS process to disk.

19.06.2025 08:33 — 👍 0    🔁 1    💬 1    📌 0

Another interesting forensic artifact in OneDrive. UXDatabase.db

18.06.2025 19:30 — 👍 0    🔁 0    💬 0    📌 0
MALoney (It's in the name): Weekly Update 6/6/2025 OneDrive Evolution OneDrive Evolution has been updated to OneDrive version 25.106.0602.0001. Starting with version 25.102.0527.0001, there ...

Updates on the OneDrive sync client.

malwaremaloney.blogspot.com/2025/06/week...

06.06.2025 20:24 — 👍 0    🔁 0    💬 0    📌 0

New folder and databases in the OneDrive sync client. Not sure what feature they are tied to yet. More to come. #DFIR

05.06.2025 02:02 — 👍 1    🔁 0    💬 0    📌 0

New laptop, new stickers. 😜

03.06.2025 02:14 — 👍 0    🔁 0    💬 0    📌 0
Release v2025.05.30 · Beercow/OneDriveExplorer · GitHub Change Log Fixed ODL bug fix FileUsageSynce bug fix

Found a few bugs that would cause crashes in OneDriveExplorer around ODL and FileUsageSync. Update available.

github.com/Beercow/OneD...

30.05.2025 19:36 — 👍 0    🔁 0    💬 0    📌 0
MALoney (It's in the name): OneDrive Evolution and Schema Updates OneDrive Evolution Updates OneDrive Evolution has been updated to v25.093.0514.0001 OneDrive Evolution SyncEngine Schema Updates Schemas 34...

Finally caught up. Updates to OneDrive Evolution and database schemas.

malwaremaloney.blogspot.com/2025/05/oned...

23.05.2025 19:16 — 👍 0    🔁 0    💬 0    📌 0
MALoney (It's in the name): OneDriveExplorer now supports Microsoft.FileUsageSync.db Recently, I have been focused on adding support for Microsoft.FileUsageSync.db. See my previous post on Microsoft.FileUsag...

Been a little while. Was busy adding support for Microsoft.FileUsageSync.db to OneDriveExplorer. Update brings in data on files shared via email, Teams, SharePoint and more. Thank you Heather Barnhart for the bug report on search function issues. #DFIR

malwaremaloney.blogspot.com/2025/05/oned...

13.05.2025 11:50 — 👍 0    🔁 0    💬 0    📌 0

15 strips would have at least been correct.

11.05.2025 20:01 — 👍 0    🔁 0    💬 0    📌 0

Original post: infosec.exchange/@13reak/1143...

15.04.2025 21:17 — 👍 0    🔁 0    💬 0    📌 0

Ah gotcha. I threw some on the stick table also. It was nice meeting you.

13.04.2025 15:20 — 👍 1    🔁 0    💬 1    📌 0

Did you snag them from CypherCon?

13.04.2025 03:36 — 👍 1    🔁 0    💬 1    📌 0

Hmmmm. What are we up to here? 🤔

11.03.2025 22:53 — 👍 0    🔁 0    💬 0    📌 0

Interesting thing with OneDrive Offline Mode for web. You can get the last two modification times of a file. Could come in handy. #DFIR

07.03.2025 20:16 — 👍 1    🔁 0    💬 0    📌 0
MALoney (It's in the name): OneDrive Microsoft.FileUsageSync.db I recently started to look into the Microsoft.FileUsageSync.db . The database can be found in %localappdat...

I started exploring OneDrive’s FileUsageSync.db. There is some useful information on files shared via email, Teams, etc… that may not be in the user’s OneDrive.

https://malwaremaloney.blogspot.com/2025/02/onedrive-microsoftfileusagesyncdb.html

21.02.2025 17:53 — 👍 0    🔁 2    💬 0    📌 0

I am OneDrive.

21.02.2025 13:39 — 👍 0    🔁 0    💬 0    📌 0

I just came across email information in one of the OneDrive databases. Sender, recipients, subject, mailbox, attachments, etc…
Pretty much everything except the body. More to come. 🤔 #DFIR

19.02.2025 04:13 — 👍 3    🔁 1    💬 0    📌 0
MALoney (It's in the name): OneDriveExplorer Offline Mode Edition Changes to OneDriveExplorer (ODE) With this release, there are a few things to be aware of that have chan...

OneDriveExplorer now supports and parses Offline Mode for web.

https://malwaremaloney.blogspot.com/2025/02/onedriveexplorer-offline-mode-edition.html

14.02.2025 21:22 — 👍 2    🔁 0    💬 0    📌 0

Working on adding this to ODE. 🙂

07.02.2025 21:23 — 👍 0    🔁 0    💬 0    📌 0
Flaw in Microsoft's OneDrive Offline Mode Stores OCR Data Insecurely - WinBuzzer Cybersecurity experts warn that Microsoft’s OneDrive Offline Mode leaves sensitive OCR data vulnerable in unprotected local databases.

https://winbuzzer.com/2025/01/28/flaw-in-microsofts-onedrive-offline-mode-stores-ocr-data-insecurely-xcxwbn/

30.01.2025 03:22 — 👍 0    🔁 0    💬 0    📌 0

https://www.msn.com/en-gb/money/technology/microsoft-onedrive-for-business-allegedly-keeps-ocr-ed-data-in-an-unprotected-format/ar-AA1xXUyl?ocid=entnewsntp&pc=LCTS&cvid=bfb3ccf8c62447bb85c4cbf855defaec&ei=35

29.01.2025 01:05 — 👍 0    🔁 0    💬 0    📌 0
MALoney (It's in the name): OneDrive Offline Mode (Recallish vibes) Back in April 2024, Microsoft announced a new feature coming to OneDrive for Business called Offline Mode. The feature al...

There seemed to be enough interest so I decided to do a write up on what I have found about OneDrive Offline Mode. Hate to burn a forensic artifact but I’m concerned about what Microsoft feels is secure. #DFIR

https://malwaremaloney.blogspot.com/2025/01/onedrive-offline-mode-recallish-vibes.html

28.01.2025 02:41 — 👍 10    🔁 5    💬 1    📌 0
MALoney (It's in the name): Running Autopsy Auto Ingest in Headless Mode In this post we are going to look at running auto ingest in a headless state. This will allow the auto ingest server to be...

Did you know you can run Autopsy Automated Ingest Nodes as a service? This eliminates human interaction and survives reboots.
https://malwaremaloney.blogspot.com/2025/01/running-autopsy-auto-ingest-in-headless.html

21.01.2025 20:43 — 👍 1    🔁 0    💬 0    📌 0
MALoney (It's in the name): <UserCid>_import.dat Location %LOCALAPPDATA%\Microsoft\Onedrive\Settings\<Personal,Business1-9> Created when Save photos and videos from devices is on. Structure...

Added new artifact to All Things OneDrive. <UserCid>_import.dat is created when “Save photos and videos from device” is enabled. It records data on imported photos and videos.

https://malwaremaloney.blogspot.com/p/location-localappdatamicrosoftonedrives_16.html

16.01.2025 19:58 — 👍 1    🔁 0    💬 0    📌 0
Autopsy Hardening Guide: Part 2 This is part one of a two part series on hardening an Autopsy Multi-user Cluster. The Autopsy documentation states, "A mul...

Autopsy Hardening Guide: Part 2. This post covers encrypting passwords and securing the web-console of ActiveMQ.

malwaremaloney.blogspot.com/2025/01/auto...

13.01.2025 20:04 — 👍 1    🔁 0    💬 0    📌 0
MALoney (It's in the name): <UserCid>_screenshot.dat Location %LOCALAPPDATA%\Microsoft\Onedrive\Settings\<Personal,Business1-9> Created when Save screenshots I capture to OneDrive is on. Struct...

Added new artifact to All Things OneDrive. <UserCid>_screenshot.dat is created when “Save screenshots I capture to OneDrive” is enabled. It records data on the last screenshot saved.

https://malwaremaloney.blogspot.com/p/location-localappdatamicrosoftonedrives.html

09.01.2025 19:19 — 👍 0    🔁 1    💬 0    📌 0

I’m not that ambitious. lol

06.01.2025 20:22 — 👍 0    🔁 0    💬 0    📌 0

@beercow is following 19 prominent accounts