International Research Journal of Engineering and Technology (IRJET)
e-ISSN: 2395-0056
Volume: 12 Issue: 12 | Dec 2025
p-ISSN: 2395-0072
www.irjet.net
Digital Forensic Analysis of Google Drive Activities in Windows Systems Dija S, Veena Vijayan Centre for Development of Advanced Computing, Thiruvanathapuram, India ---------------------------------------------------------------------***---------------------------------------------------------------------
Abstract - Browser Forensics is an inevitable part in a
Cloud services have become deeply embedded in daily computing workflows, enabling rapid data sharing and flexible access from multiple devices. While these features improve productivity, they also create opportunities for misuse by the criminals. Criminals increasingly leverage cloud platforms to store, transfer, and conceal digital evidence or illicit material. Studies on cloud storage forensics emphasize the rising frequency of incidents involving Google Drive misuse in data theft, intellectual property breaches, and various types of cybercrimes [1].
cyber-crime investigations due to the high dependence on internet for everyday tasks. Thus, identifying a suspect’s Internet activities and browser habits is crucial in any investigation. In that context, a particularly important aspect is collecting information about files uploaded to and downloaded from cloud-based storage platforms such as Google Drive. Every interaction with Google Drive—whether uploading or downloading—produces a set of artifacts on a Windows OS System. These details appear in locally-generated Browser Files by Web Browsers and logs created by the locally installed Google Drive application. This research presents a novel forensic methodology for identifying Google Drive activities done in a Windows OS System and the associated details including name and email-id of the user, who initiated the activity. It analyzes the browser files stored locally across major web browsers, Chrome, Edge, Opera, Yandex, UC Browser, Maxthon, and Firefox. It also analyzes the log files saved by the local Google Drive application to identify the Google Drive activities. The paper outlines artifact locations along with the forensic significance to correlate and reconstruct crucial Internet activities of the Suspect related to the Google Drive Activities. The results demonstrate how cybercrime investigators can accurately identify a suspect’s Google Drive activities in A Windows OS System.
Every action performed through Google Drive generates identifiable local traces in a Windows OS system. This includes authentication through email credentials and upload/download operations. These actions leave behind browser-level artifacts in SQLite databases, cookies, session restore files, JSON metadata, and IndexedDB caches. Prior forensic studies highlight the persistence and evidentiary value of these artifacts [3], [4], [7]. Beyond web browsers, the Google Drive Desktop App—DriveFS—maintains a rich collection of logs, metadata caches, and internal event records. These include file synchronization details, remote FileIDs, local file paths, upload/download timestamps, and account identifiers. DriveFS logs are instrumental for reconstructing timelines that are otherwise incomplete from browser sources alone.
Key Words: Digital Forensics, Google Drive Forensics, Browser Forensics, Cloud Forensics, Internet Forensics
2. BROWSER FORENSICS Browser forensics is an indispensable component of Google Drive investigations, as most Drive interactions occur through web browsers. Most of the users may not locally install the Google Drive Application their systems. Thus the major focus of the Investigators while trying to analyze Forensic research consistently shows that browsers retain extensive remnants of cloud service usage [3], [4], [7], [9]. These remnants serve as evidence of Gmail accounts used, sessions initiated, and Drive files accessed.
1. INTRODUCTION Web browsers have become the primary gateway to the Internet in everyday computing, supporting everything from routine browsing to critical business operations, which is why they play a major role in cybercrime investigations. Browser forensics focuses on locating and interpreting the traces created by the Web Browser. This includes crucial information including the details like visited websites, search queries, downloaded files, bookmarks, cookies, and cached content, all of which help investigators understand what a user was doing online. The browsers store a significant amount of this information locally in the form of SQLite databases, JSON files, cache folders, and session data, providing dependable evidence of browsing activities. This data becomes an important source of evidence in digital investigations, especially when trying to link user behavior with the Google Drive Activities.
© 2025, IRJET
|
Impact Factor value: 8.315
2.1 Browser File Locations The default locations for browser profile artifacts in commonly used web browsers on a Windows system are listed in Table 1. These artifacts are stored within the “OS_Drive://Users/User/AppData” directory, and depending on the browser, the files may be located either in the “Local” folder or the “Roaming” folder.
|
ISO 9001:2008 Certified Journal
|
Page 29