Dropbox Reader is a set of Python scripts for forensic investigators. The scripts provide investigators with information about a particular Dropbox user’s account and activities, such as the registration e-mail, Dropbox identifier and most recently changed files.
Dropbox Reader was created by Cybermarshal, the computer forensics wing of ATC-NY.
Here’s a list and description of the tools from the product website:
read_config script outputs the contents of the Dropbox config.db file in human-readable form. This includes the user’s registered e-mail address and Dropbox identifier, software version information, and a list of the most-recently-changed files.
read_filecache_config script outputs configuration information from the Dropbox filecache.db file. This includes information about shared directories that are attached to the user’s Dropbox account.
read_filejournal script outputs information about Dropbox synchronized files stored in the filecache.db file. This includes local and server-side metadata and a list of block hashes for each Dropbox-synchronized file.
read_sigstore script outputs information from the Dropbox sigstore.db file, which is an additional source of block hashes.
hash_blocks script produces a block hash list for any file. This block hash list can be compared to the block hashes from read_filejournal or read_sigstore.
dropbox_contains_file script hashes one or more files (as per hash_blocks) and compares the resulting block hash list to the files listed in filecache.db (as per read_filejournal) and reports whether the files are partially or exactly the same as any Dropbox-synchronized files.
