Skip to content
AIR Knowledge Base

OneDrive Logs

Overview

Section titled “Overview”

Evidence: OneDrive Logs
Description: Collect OneDrive Logs
Category: Applications
Platform: windows
Short Name: ondrvls
Is Parsed: No
Sent to Investigation Hub: No
Collect File(s): Yes

Background

Section titled “Background”

Microsoft OneDrive maintains comprehensive logs of synchronization activities, errors, and file operations. These logs track uploads, downloads, conflicts, and sync events for OneDrive and OneDrive for Business.

Data Collected

Section titled “Data Collected”

This collector gathers structured data about onedrive logs.

Collection Method

Section titled “Collection Method”

This collector gathers OneDrive log directories from both OneDrive and Windows OneDrive locations in Local AppData.

Forensic Value

Section titled “Forensic Value”

OneDrive logs reveal file synchronization activities, uploads to cloud storage, downloads, sharing events, and sync errors. This is essential for investigating data exfiltration to Microsoft cloud storage, identifying synchronized sensitive files, and establishing timelines for cloud storage activities.