beercow / onedriveexplorer Goto Github PK

OneDriveExplorer is a command line and GUI based application for reconstructing the folder structure of OneDrive from the <UserCid>.dat and <UserCid>.dat.previous file.

License: MIT License

Python 100.00%

onedriveexplorer's Introduction

OneDriveExplorer Summary

OneDriveExplorer is a command line and GUI based application for reconstructing the folder structure of OneDrive from the <UserCid>.dat and <UserCid>.dat.previous file. Also supports parsing OneDrive logs with extensions .odl, .odlgz, .odlsent and .aold. Log parsing is heavily based on the work of Yogesh Khatri odl.py.

Usage

Settings and log files are found in the following loacations:

\AppData\Local\Microsoft\OneDrive\logs\Business<1-9>
\AppData\Local\Microsoft\OneDrive\logs\Personal

Log files will be unobfuscated if the ObfuscationStringMap.txt and\or general.keystore file(s) are present.

Requirements

This project requires several additional modules. You can install them with the provided requirements.txt file as follows:

python3 -m pip install -r requirements.txt

*Note: pytsk3 and quickxorhash require a compiler to install. Using the executables is recommended.

Command line

To use OneDriveExplorer, simply provide the .\<UserCid>.dat file to the -f argument

OneDriveExplorer.py -f business1\d1a7c039-6175-4ddb-bcdb-a8de45cf1678.dat

Depending on the options, OneDriveExplorer can produce JSON, CSV, or HTML files of the parsed data. The --pretty option can be used to output the JSON into a more human readable layout.

A user registry hive can be supplied with the -r argument. This will resolve some of the mount points associated with OneDrive. Along with the registry hive, $Recycle.Bin can be added with the -rb option to look for deleted files.

Example output

JSON

CVS

HTML

GUI

The GUI consists of two panes: the folder structure on the left and details on the right. By clicking on one of the entries in the left pane, the details pane will populate with various data such as name, whether it is a file or folder, UUIDs and the number of children, if any.

The GUI is capable of parsing the live system and dat files, along with loading JSON or CSV from a previously parsed dat file. OneDriveExplorer GUI also supports loading multiple files. When loading a dat file, an additional dialog will appear to allow you to supply a registry file. This can be disabled by holding down SHIFT or disabling it in the preferences menu.

*Experamental: OneDrive ODL logs can be enabled in the Preferences menu.

Through the preferences menu, there are options available for saving the parsed dat file to JSON, CSV, and HTML. There is also an option to disable the hive dialogue.

OneDriveExplorer GUI is also capable of performing a simple search.

There are right click menus to help perform various tasks and sin options.

The messages dialogue can be accessed by double clicking on the number in the lower right corner. From this dialogue, you can view, clear and export debug messages.

Projects can also be created to save your work without having to parse the files again. This has the advantage of loading the data more quickly.

If ODL log files are enabled, additional tabs for each users logs will be created.

File location

The default file location of the .dat files are:

Personal: C:\Users\<USERNAME>\AppData\Local\Microsoft\OneDrive\settings\Personal\<UserCid.dat>
Business: C:\Users\<USERNAME>\AppData\Local\Microsoft\OneDrive\settings\Business1\<UserCid.dat>

Todo

Documentation for command line
Documentation for mapping files

onedriveexplorer's People

Contributors

Stargazers

Watchers

Forkers

andrewrathbun stark4n6 crypt0rr killvxk wikijm thatawesomeguy4 jenxp glyle funihao cybersecops

onedriveexplorer's Issues

X button in Preferences window doesn't work

Love the tool, great work on it. However, this X button, which is a critical cog to the OneDriveExplorer machine, doesn't currently work!

OneDrive Explorer GUI is dropping ode.settings on desktop

I have a desktop shortcut for OneDrive Explorer GUI. When I launch the app by clicking on the desktop shortcut, the file ode.settings is created on the desktop. Is there a way to disable this. Would it be better to create that settings file in the folder where OneDrive Explorer GUI is installed?

Feature request: Clear button for keyword searches

Clearing the results of a "Find" operation are a bit awkward, requiring a second "empty" search. It would be nice to have a "Clear" button that would clear any search results.

Clarification

Hey,
What are the diffrences between loading .dat or SQLite DB?
Would appricate a reference..

Errors out while attempting to process Administrator files

OneDriveExplorer throws an error while running under KAPE, or independently. The error states "Unable to parse Administrator_Personal sqlite database" then terminates without any file output. OneDriveExplorer is being run with admin priveleges. Debug output below:

`PS C:\utils\KAPE\Modules\bin> .\OneDriveExplorer.exe --debug -d E:\ --csv C:\Temp\testout.csv

 _____                ___                           ___                 _
(  _  )              (  _`\        _               (  _`\              (_ )
| ( ) |  ___     __  | | ) | _ __ (_) _   _    __  | (_(_)       _ _    | |    _    _ __   __   _ __
| | | |/' _ `\ /'__`\| | | )( '__)| |( ) ( ) /'__`\|  _)_ (`\/')( '_`\  | |  /'_`\ ( '__)/'__`\( '__)
| (_) || ( ) |(  ___/| |_) || |   | || \_/ |(  ___/| (_( ) >  < | (_) ) | | ( (_) )| |  (  ___/| |
(_____)(_) (_)`\____)(____/'(_)   (_)`\___/'`\____)(____/'(_/\_)| ,__/'(___)`\___/'(_)  `\____)(_) v2023.05.05
                                                                | |        by @bmmaloney97
                                                                (_)

2023-06-30 11:21:45, INFO, Searching for OneDrive data in E:\

2023-06-30 11:21:45, INFO, Found NTUSER.DAT for Administrator

2023-06-30 11:21:45, INFO, Found NTUSER.DAT for Default

2023-06-30 11:21:46, INFO, Found NTUSER.DAT for derekarmstrong.z

Parsing Administrator OneDrive

2023-06-30 11:21:46, INFO, Start parsing Personal. Registry hive: E:\C\Users\Administrator\NTUSER.DAT

2023-06-30 11:21:46, WARNING, Unable to parse E:\C\Users\Administrator\AppData\Local\Microsoft\OneDrive\settings\Personal\SyncEngineDatabase.db. Execution failed on sql 'SELECT scopeID FROM od_ScopeInfo_Records': no such table: od_ScopeInfo_Records

2023-06-30 11:21:46, WARNING, Unable to parse E:\C\Users\Administrator\AppData\Local\Microsoft\OneDrive\settings\Personal\SafeDelete.db. Execution failed on sql 'SELECT parentResourceId, resourceId, itemName, notificationTime FROM items_moved_to_recycle_bin': no such table: items_moved_to_recycle_bin

Unable to parse Administrator_Personal sqlite database.

2023-06-30 11:21:46, WARNING, Unable to parse Administrator_Personal sqlite database.`

Hangs after clicking "Remove OneDrive folder"

Hello,

I was relieved and excited to find this project. OneDrive has been making my life hell for so long and the other day I discovered it wasn't done yet. I've performed the registry edits suggested in other articles, disabled the service and renamed the folder but my system still thinks those files need a cloud provider and the associate exception is thrown when I try to access them.

The {CIS}.DAT file was loaded successfully and whenI realised the utility isn't going to be able to copy the contents of the files, I right-clicked ont he top level of the tree-view and selected "Remove". The hourglass appeared and it's been like that ever since, the window fading in that familiar way when a program is not responding.

I know that the files do have content - they were never cloud-only files. It's just 1D doing things without asking that has put that folder structure in an inconsistent state. Surely this utility doesn't require OneDrive to be running in order to remove the folder?

Either way, if you can offer any help as to how I can bypass this interference so that my C# application attempting to move these files can work, it'd be very much appreciated, even if this issue cannot constructively be addressed.

Cheers,
.pd.

One Drive update removes user.dat file

Hi,

In the latest insider release of OneDrive, the dat file have been completely removed by Microsoft. The ini file is still found under C:\Users\<userName>\AppData\Local\Microsoft\OneDrive\settings\Business1.

OneDriveExplorer Exits with Error using -d option

Executing command (outside of KAPE) "C:\Utils\KAPE\Modules\bin>OneDriveExplorer.exe -d E:\D\Users\Stack --csv C:\Mod\FileKnowledge" generates an error and the program exits.

 _____                ___                           ___                 _
(  _  )              (  _`\        _               (  _`\              (_ )
| ( ) |  ___     __  | | ) | _ __ (_) _   _    __  | (_(_)       _ _    | |    _    _ __   __   _ __
| | | |/' _ `\ /'__`\| | | )( '__)| |( ) ( ) /'__`\|  _)_ (`\/')( '_`\  | |  /'_`\ ( '__)/'__`\( '__)
| (_) || ( ) |(  ___/| |_) || |   | || \_/ |(  ___/| (_( ) >  < | (_) ) | | ( (_) )| |  (  ___/| |
(_____)(_) (_)`\____)(____/'(_)   (_)`\___/'`\____)(____/'(_/\_)| ,__/'(___)`\___/'(_)  `\____)(_) v2022.05.18
                                                                | |        by @bmmaloney97
                                                                (_)

Parsing Stack OneDrive

Traceback (most recent call last):
File "OneDriveExplorer.py", line 448, in
File "OneDriveExplorer.py", line 443, in main
File "OneDriveExplorer.py", line 278, in parse_onedrive
File "pandas\core\generic.py", line 5575, in getattr
AttributeError: 'DataFrame' object has no attribute 'ParentId'
[3648] Failed to execute script 'OneDriveExplorer' due to unhandled exception!

I have tried the previous versions (all the ones where -d option is available) and all give the same error.