The following steps need to be followed to perform forensics on OneDrive:
- Open your forensic software of choice and navigate to the relevant folder, depending on whether you are using a smartphone or a computer for forensic analysis (see the previous paragraphs for details).
- The backend of the OneDrive folder is actually not of particular forensic interest. In the logs folder listed above you will find two subfolders: Common and Personal. The Common folder lists all elements the operating system automatically runs, namely StandaloneUpdater and telemetryCache files. These refer to automated updates to OneDrive.
Fig 10.5 StandaloneUpdater ...