Decrypting More Dropbox Files: config.dbx

Back in March of this year we released a free tool to decrypt the Dropbox filecache.dbx file which stores information about the files in a user’s Dropbox repository (for more details read the blog post, and the Part 2 post).

Paul Henry (Website: http://www.vnetsecurity.com, twitter: @phenrycissp) is a SANS instructor and the lead author and teacher of the FOR559 course, Cloud Forensics & Incident Response. In one of our discussions Paul mentioned the potential value of the config.dbx file, so we started looking into the possibility of decrypting that file as well.

I’m pleased to announce that we’ve now updated the free Dropbox Decryptor tool to also decrypt the config.dbx file. I’ll detail how to use the new tool further down in this post, but first, since you may be wondering what’s in the config.dbx file, especially since it’s encrypted, let’s look at the information you can find in it.

The config.dbx file (after being decrypted 🙂 ) is a simple SQLite file, like the filecache.dbx file. It contains a number of records, but the most interesting data includes: the registered email address of the Dropbox user (needed when requesting data from Dropbox through a legal request), a list of recently changed files, the Host ID (some kind of host signature), and local path to the user’s Dropbox folder.

Below is a screenshot showing some sample data from a decrypted config.dbx file:

Dropbox Decryptor - config.dbx

As you can see, the user’s email address is under the (well named 🙂 ) “email” column, the Dropbox folder is listed under “dropbox_path”, and the Host ID is in the “host_id” column.

The recently changed files data (“recently_changed3” column) is a bit tougher to view. To see the contents of that cell we need to double-click it and open up the window below:

Dropbox Decryptor - config.dbx

In the expanded cell view we can see a list of recently changed/modified files, prefixed with the Dropbox database/user ID (207727442 in this case) and surrounded by other metadata characters (meaning unknown at this time). There are no timestamps in this set of data, but you can get that from the filecache.dbx file.

As you can see, there are interesting pieces of information in the config.dbx file, especially the registered email address of the Dropbox user, which is vital to have when investigating Dropbox cases. There are other .dbx Dropbox files (photo.dbx, notifications.dbx, etc) which also contain potentially useful information, which we’ll cover another time. The new version of the Dropbox Decryptor tool (v1.2) will decrypt all of these .dbx files.

Using the new Dropbox Decryptor tool is easy; you use it the same as before, but you can now point it at the config.dbx file as well as the filecache.dbx file (see below for a sample screenshot).

Dropbox Decryptor - config.dbx

The rest of the files/information is still required, and only files from XP and Vista systems are supported.

We have recently been able to do offline decryption of Dropbox files from Windows 7 machines successfully, however, and this support will be added to IEF in the next release. (Dropbox decryption on live Windows XP to Windows 8 operating systems is currently available via IEF Triage.)

We also hope to have decryption for Dropbox files on Linux/Mac operating systems in the future as well.

To download the new Dropbox Decryptor, click here.

If you have an older version of the tool already installed, you can just install this on top the old install. Customers can log-in to the Customer Portal to download the new version to avoid filling the form out.

As always, if you have any questions, suggestions for our software or blog post topics, feel free to reach out to me at jad(at)magnetforensics(dot)com.

Have a great week!
Jad and the Magnet team