Inside Proton’s Vault: Uncovering Android Proton Drive Artifacts

Proton Drive is Proton’s answer to secure, privacy-first cloud storage, and its Android app extends that same protection to mobile users. Proton is well known for its encrypted ecosystem: Proton Mail delivers end-to-end encrypted email, while Proton VPN provides anonymous, protected internet access. Proton Drive fits seamlessly into this suite of privacy-focused services, enabling users to upload, sync, and share files with all data being encrypted both in transit and at rest, ensuring that sensitive information remains under the user’s control.

When approaching Proton Drive from a forensic perspective, just like any other cloud storage app, the first questions are often the simplest: what is the user account information, and what data is actually being stored? Those two questions are what I am going to focus on. Of course, Proton's well-advertised model of end-to-end encryption and encryption at rest introduces challenges that are less common with more mainstream cloud storage providers.

The core artifact containing the user account information and the Drive contents is the db-drive SQLite database:

db-drive location: /data/data/me.proton.android.drive/databases/

I have looked at many SQLite databases over my career, and I must admit this database is intimidating. It has 110 tables and is littered with PGP artifacts that are used to encrypt and decrypt certain data. 

User Account Information

Starting off with the easy one, the user account information is stored in the UserEntity table. The table has a lot of columns, but the important ones are the following:
  • UserID - The ID for the user account
  • Email - The email address associated with the Proton account
  • Name - The Proton account username
  • createdAtUTC - Unix millisecond timestamp of when the account was created
  • usedspace - Drive space used, in bytes
  • maxspace - Maximum Drive space, in bytes

Download Link: Android-ProtonDrive-UserAccountInfo.sql


The user account information can also be found in the AccountEntity table. This has the userId, username and email just like the UserEntity table, but it also contains session information:

  • State - The state of the account within the application
  • SessionState - Whether the session has been successfully authenticated


Stored Files

The LinkEntity table gives information about the files and folders stored in Proton Drive. While it contains a wide range of fields, the most valuable one (the file name) is stored inside a PGP-encrypted message rather than in plaintext.

Below are some of the key fields:
  • id - The ID for the file/folder
  • share_id - ID of the share the file or folder belongs to
  • user_id - The Proton account ID that owns the share the file or folder belongs to
  • parent_id - ID of the folder that the current file or folder resides in
  • Type - Indicates the type of item
    • Type 1 = Folder
    • Type 2 = File
  • Name - The name of the file or folder. The value in this field is stored as a PGP-encrypted message rather than in plain text
  • State - Indicates the state of the item. I have only observed two values here
    • State 1 = Active
    • State 2 = Trashed
  • Size - The size of the file in bytes. For folders this value will be 0
  • Mime_Type - The MIME type of the item, which gives an indication of the kind of file
  • creation_time - Unix timestamp for when the file/folder was originally created in Proton Drive
  • last_modified - Unix timestamp for when the file/folder was last modified in Proton Drive
  • trashed_time - Unix timestamp for when the file/folder was moved to the Trash in Proton Drive
  • is_shared - Indicates whether the file or folder is being shared with other users
    • 0 - The item is not shared
    • 1 - The item is being shared with other users
  • number_of_accesses - Records how many times a file/folder has been accessed within Proton Drive
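The following is an added example, not code from the post or from Proton. It builds a constructed, in-memory subset of the UserEntity and LinkEntity tables using the column names listed above (the real tables carry far more columns, and the IDs and rows here are hypothetical), then runs the queries an examiner would typically want: the account summary with createdAtUTC converted from Unix milliseconds, and a walk of LinkEntity from the share root via parent_id that decodes Type and State, converts the timestamps and reconstructs the folder hierarchy by ID, since the Name values stay encrypted. It assumes the share root has parent_id NULL and that the LinkEntity timestamps are Unix seconds; both are assumptions, not facts from the post.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed subset of the db-drive schema using the column names from the post.
# The real tables carry many more columns; this is not Proton's schema.
SCHEMA = """
CREATE TABLE UserEntity (
    UserID TEXT PRIMARY KEY, Email TEXT, Name TEXT,
    createdAtUTC INTEGER,          -- Unix milliseconds, as the post states
    usedspace INTEGER, maxspace INTEGER);
CREATE TABLE LinkEntity (
    id TEXT PRIMARY KEY, share_id TEXT, user_id TEXT, parent_id TEXT,
    Type INTEGER, Name TEXT, State INTEGER, Size INTEGER, Mime_Type TEXT,
    creation_time INTEGER, last_modified INTEGER, trashed_time INTEGER,
    is_shared INTEGER, number_of_accesses INTEGER);
"""

# Constructed sample rows with hypothetical IDs. In the real database Name holds an
# armored PGP message; a placeholder stands in for it. Assumptions: the share root
# has parent_id NULL, and LinkEntity timestamps are Unix seconds.
PGP = "<armored PGP message>"
USERS = [("user-A", "alice@example.com", "alice", 1700000000000, 734003200, 5368709120)]
LINKS = [
    # id, share_id, user_id, parent_id, Type, Name, State, Size, Mime_Type, created, modified, trashed, shared, accesses
    ("root", "share-1", "user-A", None,   1, PGP, 1, 0,       "Folder",          1700000000, 1700000000, None,       0, 0),
    ("docs", "share-1", "user-A", "root", 1, PGP, 1, 0,       "Folder",          1700003600, 1700090000, None,       1, 3),
    ("f1",   "share-1", "user-A", "docs", 2, PGP, 1, 204800,  "application/pdf", 1700007200, 1700007200, None,       0, 5),
    ("f2",   "share-1", "user-A", "docs", 2, PGP, 2, 1048576, "image/jpeg",      1700010800, 1700010800, 1700100000, 0, 1),
    ("f3",   "share-1", "user-A", "root", 2, PGP, 1, 512,     "text/plain",      1700014400, 1700020000, None,       1, 12),
]

TYPE_LABELS = {1: "Folder", 2: "File"}
STATE_LABELS = {1: "Active", 2: "Trashed"}


def open_sample_db():
    """Build the constructed subset in memory. For a real extraction, open the db-drive
    file read-only instead: sqlite3.connect("file:db-drive?mode=ro", uri=True)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO UserEntity VALUES (?,?,?,?,?,?)", USERS)
    conn.executemany("INSERT INTO LinkEntity VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?,?)", LINKS)
    return conn


def utc(ts, millis=False):
    """Render a Unix timestamp (seconds, or milliseconds when millis=True) as UTC text."""
    if ts is None:
        return None
    seconds = ts / 1000 if millis else ts
    return datetime.fromtimestamp(seconds, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def account_summary(conn):
    """UserEntity: who owns the database, when the account was created, and storage use."""
    rows = conn.execute("SELECT UserID, Email, Name, createdAtUTC, usedspace, maxspace FROM UserEntity")
    return [{"user_id": uid, "email": email, "username": name,
             "created_utc": utc(created, millis=True),
             "used_bytes": used, "max_bytes": mx, "used_pct": round(100 * used / mx, 1)}
            for uid, email, name, created, used, mx in rows]


def list_items(conn):
    """Walk LinkEntity from the share root via parent_id, decoding Type and State and
    converting the timestamps. Names stay encrypted, so the path is built from ids."""
    sql = """
    WITH RECURSIVE tree(id, depth, path) AS (
        SELECT id, 0, id FROM LinkEntity WHERE parent_id IS NULL
        UNION ALL
        SELECT l.id, t.depth + 1, t.path || '/' || l.id
        FROM LinkEntity l JOIN tree t ON l.parent_id = t.id
    )
    SELECT t.path, t.depth, l.Type, l.State, l.Size, l.Mime_Type, l.creation_time,
           l.last_modified, l.trashed_time, l.is_shared, l.number_of_accesses, u.Email
    FROM tree t
    JOIN LinkEntity l ON l.id = t.id
    LEFT JOIN UserEntity u ON u.UserID = l.user_id
    ORDER BY t.path"""
    items = []
    for (path, depth, typ, state, size, mime, created, modified,
         trashed, shared, accesses, owner) in conn.execute(sql):
        items.append({"path": path, "depth": depth,
                      "type": TYPE_LABELS.get(typ, f"unknown ({typ})"),
                      "state": STATE_LABELS.get(state, f"unknown ({state})"),
                      "size": size, "mime": mime, "owner": owner,
                      "created_utc": utc(created), "modified_utc": utc(modified),
                      "trashed_utc": utc(trashed), "shared": bool(shared), "accesses": accesses})
    return items


def trashed_items(conn):
    """Items the user moved to the Trash (State 2), with when that happened."""
    return [i for i in list_items(conn) if i["state"] == "Trashed"]


if __name__ == "__main__":
    db = open_sample_db()
    for acct in account_summary(db):
        print(acct)
    for item in list_items(db):
        print(f"{'  ' * item['depth']}{item['path'].rsplit('/', 1)[-1]:6} {item['type']:6} "
              f"{item['state']:7} {item['size']:>8} {item['mime']:16} {item['created_utc']}")
```

The unknown-value labels are deliberate: the post reports only State 1 and 2 and Type 1 and 2, so any other value should be surfaced for a closer look rather than silently mapped. Against a real db-drive copy, drop the sample rows, open the file read-only and run the same two queries.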
 
Query Results Parts 1-3: [screenshots of the query output, not reproduced here]

Whilst we can get some file metadata, we do not get the names of the files/folders, as they are stored inside a PGP-encrypted message in the Name field:

-----BEGIN PGP MESSAGE-----
Version: ProtonMail

wV4DejL6yNW5J8kSAQdAf+H/sHBRd40bI+6EfqWctDbeKTeaqLUj/tbQcXRN
VEIw1FTDuu3iEnsYJesq9gud9cJQLyYxETsK+XHiHgrXfRq83e651g93Bi0J
vY0T6gO40l0BzTUHRZLcR2vpnMBfjTxXMS90tKKapspmY2dy/2eeWy+o65ZN
aHCG5FSR3mCm6ItAoQON2KqxtgSljmJzc/KcA2LltbNsURq+QgpRmVm/P3Ae
Ex2E9o7rfJOLmZQ=
=tXIA
-----END PGP MESSAGE-----

Parsing the public-key encrypted session key packet at the start of the PGP message, we can identify the Key ID of the PGP key that can decrypt the name; however, that key is not stored in the database (not for lack of searching).
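As an added example (not code from the post or from Proton), the following Python walks the OpenPGP packet headers of the exact message quoted above, which is embedded here as the sample input, and reports the Key ID and public-key algorithm from the public-key encrypted session key (PKESK) packet without decrypting anything. The packet-header and armor rules follow RFC 4880; the tag and algorithm name tables are the standard ones.

```python
import base64

# Copy of the armored Name value quoted in the post; it is the sample input here.
ARMORED = """-----BEGIN PGP MESSAGE-----
Version: ProtonMail

wV4DejL6yNW5J8kSAQdAf+H/sHBRd40bI+6EfqWctDbeKTeaqLUj/tbQcXRN
VEIw1FTDuu3iEnsYJesq9gud9cJQLyYxETsK+XHiHgrXfRq83e651g93Bi0J
vY0T6gO40l0BzTUHRZLcR2vpnMBfjTxXMS90tKKapspmY2dy/2eeWy+o65ZN
aHCG5FSR3mCm6ItAoQON2KqxtgSljmJzc/KcA2LltbNsURq+QgpRmVm/P3Ae
Ex2E9o7rfJOLmZQ=
=tXIA
-----END PGP MESSAGE-----
"""

# RFC 4880 packet tags and public-key algorithm ids relevant to an encrypted message.
PACKET_TAGS = {1: "Public-Key Encrypted Session Key", 3: "Symmetric-Key Encrypted Session Key",
               8: "Compressed Data", 11: "Literal Data",
               18: "Sym. Encrypted Integrity Protected Data"}
PUBKEY_ALGOS = {1: "RSA", 16: "ElGamal", 17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA"}


def dearmor(text):
    """Strip the ASCII armor: BEGIN/END lines, 'Key: value' headers up to the blank line,
    and the trailing '=XXXX' CRC24 line; base64-decode the rest."""
    lines = text.strip().splitlines()
    if not (lines[0].startswith("-----BEGIN PGP") and lines[-1].startswith("-----END PGP")):
        raise ValueError("not an armored PGP block")
    body, in_body = [], False
    for line in lines[1:-1]:
        if not in_body:
            in_body = line.strip() == ""     # headers end at the first blank line
            continue
        if line.startswith("="):             # armor checksum line
            break
        body.append(line.strip())
    return base64.b64decode("".join(body))


def read_header(data, pos):
    """Return (tag, body_length, header_length) for the packet starting at data[pos]."""
    first = data[pos]
    if not first & 0x80:
        raise ValueError(f"byte {pos}: not a packet header")
    if first & 0x40:                         # new-format header
        tag, n = first & 0x3F, data[pos + 1]
        if n < 192:
            return tag, n, 2
        if n < 224:
            return tag, ((n - 192) << 8) + data[pos + 2] + 192, 3
        if n == 255:
            return tag, int.from_bytes(data[pos + 2:pos + 6], "big"), 6
        raise ValueError("partial body lengths are not handled here")
    tag, ltype = (first >> 2) & 0x0F, first & 0x03   # old-format header
    if ltype == 3:
        raise ValueError("indeterminate length is not handled here")
    n = (1, 2, 4)[ltype]
    return tag, int.from_bytes(data[pos + 1:pos + 1 + n], "big"), 1 + n


def parse_packets(armored):
    """Walk the packet sequence. For a PKESK packet, pull out the version, the 8-byte
    Key ID of the decryption (sub)key and the public-key algorithm. Nothing is decrypted."""
    data = dearmor(armored)
    pos, packets = 0, []
    while pos < len(data):
        tag, length, hlen = read_header(data, pos)
        body = data[pos + hlen:pos + hlen + length]
        info = {"tag": tag, "name": PACKET_TAGS.get(tag, "other"), "length": length}
        if tag == 1:
            info.update(version=body[0], key_id=body[1:9].hex().upper(),
                        algo=body[9], algo_name=PUBKEY_ALGOS.get(body[9], "unknown"))
            if body[9] == 18:                # ECDH: first MPI is the ephemeral EC point
                info["point_bits"] = int.from_bytes(body[10:12], "big")
        elif tag == 18:
            info["version"] = body[0]
        packets.append(info)
        pos += hlen + length
    if pos != len(data):
        raise ValueError("packet lengths do not add up to the message size")
    return packets


if __name__ == "__main__":
    for p in parse_packets(ARMORED):
        print(p)
```

For this message the parser reports a PKESK packet addressed to Key ID 7A32FAC8D5B927C9 using ECDH (the 263-bit point length matches a prefixed Curve25519 point), followed by a single Sym. Encrypted Integrity Protected Data packet holding the filename. `gpg --list-packets` on the armored text gives the same Key ID; the parser is handy when iterating over every Name value in the table, and the Key ID is what to search for in a keyring export if one is ever recovered.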


Conclusion

Whilst we can identify the account information and the IDs of the owners involved in shared files and folders, the privacy-centric design of Proton Drive means we can recover only limited high-level metadata about the items themselves. Any time we face PGP encryption, the nature of the examination changes, because critical components such as file contents, emails and filenames (as seen in this example) become inaccessible without the associated private key, which is itself often protected by a password.

However, even with the encrypted fields in the LinkEntity table, we can still obtain valuable forensic insights. Timestamps, structural hierarchy, share indicators, access counts and cryptographic metadata can all be used to reconstruct user activity, understand folder relationships and assess what was stored, even if the plaintext filenames remain protected.
