Showing posts from April, 2017

Brush up on Dropbox DBX decryption

A few weeks ago I was contacted about how to decrypt Windows Dropbox DBX files, and the same topic appeared on the SANS DFIR mailing list too. So I decided to create an Open Source toolkit and this post to brush up on the DBX files created by the Dropbox client on a Windows machine.

The Windows Dropbox client keeps its own files (user info, configuration, 'my dropbox' files sync status and even more) inside the user profile: on the Windows 7 and Windows 10 machines I used for testing they reside in '\Users\%USERNAME%\AppData\Local\Dropbox\' and subfolders. Among them there are files with the .DBX extension, which are the target of this post. When you take a raw look at them, you see garbage, noise ... encryption is in place.

Without too much suspense, this is well-known. Nicolas Ruff and Florian Ledoux had a talk at 2012 on the topic, "A critical analysis of Dropbox software security" (here). They discovered that the encryption key used for DBX fi