OneDriveExplorer

OneDriveExplorer is a command line and GUI based application for reconstructing the folder structure of OneDrive from the <UserCid>.dat and <UserCid>.dat.previous file.

Primary language: Python. License: MIT.

OneDriveExplorer Summary

OneDriveExplorer is a command line and GUI based application for reconstructing the folder structure of OneDrive from the <UserCid>.dat and <UserCid>.dat.previous file. It also supports parsing OneDrive logs with the extensions .odl, .odlgz, .odlsent and .aold. Log parsing is heavily based on Yogesh Khatri's odl.py.

Usage

Settings and log files are found in the following locations:

  • \AppData\Local\Microsoft\OneDrive\logs\Business<1-9>
  • \AppData\Local\Microsoft\OneDrive\logs\Personal

Log files will be unobfuscated if the ObfuscationStringMap.txt and/or general.keystore file(s) are present.

Requirements

This project requires several additional modules. You can install them with the provided requirements.txt file as follows:

python3 -m pip install -r requirements.txt

*Note: pytsk3 and quickxorhash require a compiler to install. Using the executables is recommended.

Command line

To use OneDriveExplorer, pass the <UserCid>.dat file to the -f argument:

OneDriveExplorer.py -f business1\d1a7c039-6175-4ddb-bcdb-a8de45cf1678.dat

Depending on the options, OneDriveExplorer can produce JSON, CSV, or HTML files of the parsed data. The --pretty option can be used to output the JSON into a more human readable layout.

A user registry hive can be supplied with the -r argument. This will resolve some of the mount points associated with OneDrive. Along with the registry hive, $Recycle.Bin can be added with the -rb option to look for deleted files.

Example output

JSON

CSV

HTML

GUI

The GUI consists of two panes: the folder structure on the left and details on the right. By clicking on one of the entries in the left pane, the details pane will populate with various data such as name, whether it is a file or folder, UUIDs and the number of children, if any.

The GUI is capable of parsing the live system and dat files, along with loading JSON or CSV from a previously parsed dat file. OneDriveExplorer GUI also supports loading multiple files. When loading a dat file, an additional dialog will appear to allow you to supply a registry file. This can be disabled by holding down SHIFT or disabling it in the preferences menu.

*Experimental: OneDrive ODL logs can be enabled in the Preferences menu.

Through the preferences menu, there are options available for saving the parsed dat file to JSON, CSV, and HTML. There is also an option to disable the hive dialogue.

OneDriveExplorer GUI is also capable of performing a simple search.

There are right-click menus to help perform various tasks, as well as skin options.

The messages dialogue can be accessed by double clicking on the number in the lower right corner. From this dialogue, you can view, clear and export debug messages.

Projects can also be created to save your work without having to parse the files again. This has the advantage of loading the data more quickly.

If ODL log files are enabled, additional tabs for each user's logs will be created.

File location

The default locations of the .dat files are:

  • Personal: C:\Users\<USERNAME>\AppData\Local\Microsoft\OneDrive\settings\Personal\<UserCid>.dat
  • Business: C:\Users\<USERNAME>\AppData\Local\Microsoft\OneDrive\settings\Business1\<UserCid>.dat
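For triage before running the tool, the following added example (not part of OneDriveExplorer) walks a mounted Users directory and lists, per profile and account, the .dat and .dat.previous files, the log files with the extensions named above, and which unobfuscation files are present. The function names, the sample log file names, and the assumption that ObfuscationStringMap.txt and general.keystore sit in the account's log folder are assumptions of this example.

```python
import re
import tempfile
from pathlib import Path

ONEDRIVE = Path("AppData/Local/Microsoft/OneDrive")
ACCOUNT = re.compile(r"^(Personal|Business[1-9])$")   # account folder names from the page
LOG_EXTS = (".odl", ".odlgz", ".odlsent", ".aold")
KEY_FILES = ("ObfuscationStringMap.txt", "general.keystore")


def names(folder, suffixes):
    """Sorted file names in folder ending with any suffix (case-insensitive)."""
    if not folder.is_dir():
        return []
    return sorted(f.name for f in folder.iterdir()
                  if f.is_file() and f.name.lower().endswith(suffixes))


def find_artifacts(users_root):
    """Return one record per (profile, account) found under a Users directory."""
    records = []
    for profile in sorted(p for p in Path(users_root).iterdir() if p.is_dir()):
        base = profile / ONEDRIVE
        accounts = {d.name for kind in ("settings", "logs") if (base / kind).is_dir()
                    for d in (base / kind).iterdir()
                    if d.is_dir() and ACCOUNT.match(d.name)}
        for acct in sorted(accounts):
            logs = base / "logs" / acct
            records.append({
                "user": profile.name, "account": acct,
                "dat": names(base / "settings" / acct, (".dat", ".dat.previous")),
                "logs": names(logs, LOG_EXTS),
                # Assumption: key material sits beside the logs it unobfuscates.
                "keys": [k for k in KEY_FILES if (logs / k).is_file()],
            })
    return records


def build_sample(root):
    """Constructed sample tree of empty files; not real evidence."""
    base = Path(root) / "alice" / ONEDRIVE
    cid = "d1a7c039-6175-4ddb-bcdb-a8de45cf1678"  # UserCid from the command line example
    for rel in (f"settings/Business1/{cid}.dat", f"settings/Business1/{cid}.dat.previous",
                "logs/Business1/SyncEngine-sample.odl", "logs/Business1/general.keystore",
                "logs/Personal/SyncEngine-sample.odlgz"):
        (base / rel).parent.mkdir(parents=True, exist_ok=True)
        (base / rel).touch()
    return Path(root)
```

Call find_artifacts() with the path to a mounted image's Users directory. An account whose "keys" list is empty has logs that cannot be unobfuscated from that folder alone.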

Todo

  • Documentation for command line
  • Documentation for mapping files