Dropbox is one of the most well known cloud-based file hosting service that offers a platform for users to sync, share, and access files and folders across various devices and platforms. Think of it like a flash drive in the cloud that is accessible from phones, and computers. Although it is a super helpful service for keeping files handy, Dropbox is frequently used in Child Sexual Abuse Material investigations for pedophiles to share their horrible photos and videos. This post provides a quick primer on Dropbox and what evidence you can collect from them.
How Dropbox Works:
Dropbox is headquartered in San Francisco, California and search warrants must be addressed to:
Dropbox Inc.
Attn: Dropbox Legal Compliance
1800 Owens St., Ste. 200
San Francisco, CA 94158
Telephone: (844) 383-8524
Additionally, Dropbox requests that search warrants be served by digital upload to their law enforcement portal: https://dropbox-legal.force.com
While the flash drive in the sky analogy is a bit of an over simplification, it is an accurate one.
When talking about Dropbox and similar technology, the term “cloud storage” is used frequently and refers to saving data to an off-site storage system maintained by a third party. Instead of storing information to your computer’s hard drive or other local storage device, the files are saved in a remote database. The Internet provides the connection between your computer and the cloud database.
Cloud storage has several advantages over traditional data storage. For example, if you store your data on a cloud storage system, you will be able to get to that data from any location that has Internet access without the need to carry around a physical storage device or use the same computer to save and retrieve your information. Dropbox user have the ability to make certain files public so that anyone is the world, with the link to the file, can access it. If the link is passed around, the file’s owner may not actually know the people downloading their files.
Dropbox uses a “freemium” business model, where users are offered a free account with a set storage size, with paid subscriptions available that offer more capacity and additional features. Dropbox Basic users are given 2 gigabytes of free storage space. Dropbox Plus users are given 1 terabyte of storage space, as well as additional features, including advanced sharing controls, remote wipe, and an optional Extended Version History add-on. When a file or folder is deleted, users can recover it within 30 days. For Dropbox Plus users, this recovery time can be extended to one year, by purchasing an Extended Version History add-on. The functionality of Dropbox can be integrated into third-party applications through by enabling a “Save to Dropbox” feature where files created or viewed in the app can be saved directly in the user’s Dropbox account.
Information Available from Dropbox
In response to a search warrant, Dropbox is only able to provide records that constitute a “complete reconstruction” of an account as of the date of warrant service or the date of a prior preservation request. Dropbox does not have the technical capability to filter their responses to include only files on a single date or during a specific time period. By default, Dropbox can only produce the state of a Dropbox account as it was on the day we process the warrant, unless the search warrant specifically requests content pursuant to a previous preservation request.
Any Dropbox search warrant should ask for the following
- Complete Account Reconstruction:
- Records that constitute a “complete reconstruction” of the Target Account as of the date of warrant service or the date of a prior preservation request.
- Account Information:
- Basic subscriber and service plan information.
- Access and Upload Logs:
- Records of access made to the account by the customer as well as individuals accessing shared files.
- Remember to ask for the dates and times of the access as well as IP addresses logged per visit.
- IP Address Logs:
- Logged IP addresses when the account was created and those recorded on logins and file uploads.
- Shared File Information
- Records of files shared by the customer to include dates and times that the file was shared, the total number of times the file was accessed or downloaded, and metrics of persons accessing the file such as region, IP address, and device characteristics.
For California law enforcement, any search warrant to Dropbox must comply with the California Electronic Communications Privacy Act requirements. This can be tricky as the ECPA requires that the search warrant specify a date range of records to be reviewed or seized. Because Dropbox cannot filter the files and produce only a complete reconstruction, we suggest implementing a search protocol where the warrant collects all files, but only those created or modified within the specified window are reviewed. Check out our guide on CalECPA for more information on writing compliant warrants.
NOTE: When investigating Dropbox, it is important not to take the incident at face value and consider the context of the records. With data breaches and password compromises, we have seen criminals use stolen Dropbox credentials to host illegal content without the account holders knowledge. IP address logs are often an overlooked resource but may show a sudden flurry of activity from foreign countries.
Warrant Builder is easiest way to write search warrants for online storage providers. To learn more, check out our Understanding Search Warrants series about Technology Search Warrants.