Wednesday, April 16, 2014

The Cloud Begins to Dissipate

In this blog post I will be talking about the local database file and the Session files.
Local Database File

After a backup has completed within IDrive, a local SQLite 3 database file is created. This file is located at: C:\Users\Username\AppData\Local\IDrive\IBCOMMON\idriveusername\LDBNEW\.
The file naming convention for the database file is “idriveusername.idbs”. This file contains details about every file that was backed up to IDrive, from the very first backup, including files that were deleted or cleaned up from the IDrive backup set. Within this database are two important tables called “ibfile” and “ibfolder”.
ibfile
This table contains a list of all of the files backed up to IDrive. It provides the name of the file, the last modified date of the file, the file size, the directory identification number (DIRID), the file identification number (FILEID), and the name of the backup set that the file was located in.

ibfile
ibfolder
This table contains a list of the folders that were backed up to IDrive.  This table details the directory identification number (DIRID), the file path of the folders, and the last modified date of the folder.  When cross-referencing the two database tables, an investigator will be able to tell what files were stored in which folders by comparing the DIRID numbers for the folders and the files.  For instance, the highlighted file in the image above has a DIRID of 36, which is the same DIRID as the "Documents" folder, meaning that the "HTC Fuze Report.pdf" file was stored in this directory.

ibfolder
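The DIRID cross-reference described above can be done as a single join instead of by eye. This is an added example, not code from the original post: the sample database is constructed, and every column name other than DIRID and FILEID (NAME, LMD, SIZE, BKSETNAME, PATH) is an assumption, which is why the query reads the real column names from the schema.

```python
import sqlite3
from pathlib import Path

def open_readonly(path):
    """Open a working copy of the .idbs file so SQLite cannot modify it."""
    return sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)

def columns(con, table):
    """Read the real column names from the schema instead of guessing them."""
    return [row[1] for row in con.execute(f'PRAGMA table_info("{table}")')]

def files_with_folders(con):
    """Pair every ibfile row with the ibfolder row sharing its DIRID.

    LEFT JOIN keeps files whose folder row is absent (folder fields are None).
    Output keys are prefixed with the table name because both tables may
    carry columns of the same name (DIRID, and possibly a modified date).
    """
    select = ", ".join(
        f'{alias}."{col}" AS "{table}.{col}"'
        for table, alias in (("ibfile", "f"), ("ibfolder", "d"))
        for col in columns(con, table))
    cur = con.execute(
        f"SELECT {select} FROM ibfile AS f "
        "LEFT JOIN ibfolder AS d ON d.DIRID = f.DIRID "
        "ORDER BY f.DIRID, f.FILEID")
    names = [c[0] for c in cur.description]
    return [dict(zip(names, row)) for row in cur]

def build_sample():
    """Constructed stand-in database; every column except DIRID/FILEID is assumed."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE ibfolder (DIRID INTEGER, PATH TEXT, LMD TEXT);
        CREATE TABLE ibfile (FILEID INTEGER, DIRID INTEGER, NAME TEXT,
                             LMD TEXT, SIZE INTEGER, BKSETNAME TEXT);
        INSERT INTO ibfolder VALUES (36, 'C:/Users/Username/Documents/', '2014-04-01');
        INSERT INTO ibfile VALUES (1, 36, 'HTC Fuze Report.pdf', '2014-03-30', 1024, 'Default');
        INSERT INTO ibfile VALUES (2, 99, 'orphan.txt', '2014-03-31', 10, 'Default');
    """)
    return con

if __name__ == "__main__":
    for row in files_with_folders(build_sample()):
        print(row["ibfile.DIRID"], row["ibfolder.PATH"], row["ibfile.NAME"])
```

For a real examination, pass a hashed working copy of the .idbs file to `open_readonly()` and hand the resulting connection to `files_with_folders()`.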


Session Folder
The “Session” folder is a very important folder for an investigator as it contains specific details about all actions performed in IDrive.  The location of this folder is: C:\Users\Username\AppData\Local\IDrive\IBCOMMON\Session\.  There are 7 folders that can be potentially added to the "Session" folder, which are created after different actions performed in IDrive.

Session Folder

The “Backup”, “Delete”, “Archive Cleanup”, “PutBack”, and “Restore” folders all contain similar files. The naming convention for the files in each folder is the same: “MM-DD-YYYY HH-MM-SS”. A file is created every time a backup, delete, restore, putback (moving files from IDrive trash to their original location), or archive cleanup operation is performed. Within the contents of each file found in these action folders, an investigator can expect to find the username of the user that performed the action, the backup set name, the start date/time and/or end date/time of the operation, the type of operation, the date/time of the specific files being backed up or deleted, and the file names and file paths of the entire backed up, restored, or deleted content.

Example of a Session File
