harryisthename
3 years ago Helpful | Level 5
File accessed time changed
Sorry if this is a repeat. I went back in and could not find the original using Search. Label is 'Security'
When I do a dir /s /a: /o:d /TA c:\*.* I am observing the file access date and time is all over the place in Dropbox subfolders that I do not access at all - certainly haven't looked at them for years and years. There are no other machines connected to my Dropbox, just one, my machine. Everything had already been "revoked".
That tells me either someone on my machine (virus) is accessing these files or someone at Dropbox is accessing them through the Dropbox service. Perhaps Dropbox does occasional sanity check true file comparisons and in between, it only looks at what Windows tells it changed combined with file size and date last modified on my machine vs. its servers. If so, I'd like them to state that in documentation as it is disturbing to see the file accessed time changed all over the place and wonder who did this. No one else has physical access to my machine.
Here is an example of a folder I have not looked at for 4 years. I have changed the file names for privacy.
Directory of c:\Users\Admin\Dropbox\Final\2019\OLD
04/29/2022 05:42 PM 81,537 Chec..xlsx
03/20/2023 01:15 AM 555,250 2018 ...
04/11/2023 03:02 PM 3,077 payment1
04/22/2023 06:55 AM 11,933 payment1
05/18/2023 05:02 PM 553,498 YForm
05/21/2023 09:18 AM 74,490 Ledger.xlsx
06/03/2023 04:36 PM 2,979,840 SupportingInfo
06/04/2023 05:48 PM 3,052,094 2018YForm
06/05/2023 02:19 AM 41,695 TurboTaxReceipt86
- Rich 3 years ago
Super User II
harryisthename wrote:
... or someone at Dropbox is accessing them through the Dropbox service
Dropbox doesn't access your files through the normal operation of the service, and they certainly can't access the files on your computer. They may be able to access the files in your account while providing support (i.e. you've submitted a help desk ticket that requires them to access your account, etc.), but they aren't accessing your files otherwise.
- harryisthename 3 years ago Helpful | Level 5
That's what I would like to think. Unfortunately, I have to do the deep forensics to discover what is doing this. I can monitor access on my end and see if Dropbox is doing it locally. That is, I still believe Dropbox service is doing this because it is very challenging and time consuming to verify the integrity of uploads of changed files. That's because the computer can crash, files can be modified offline (command prompt from a recovery flash drive), there can be an over-reliance on the Volume Shadow Subsystem which can be problematic in a less than healthy computer, hard disk drive issues can occur (soft NTFS and hard disk errors), anti-virus filters screwing up (my Ransomware protection is off), the Dropbox service itself being problematic, etc., etc. Note I have the Free Dropbox. Thus integrity checking is paramount and the grand challenge is to do it without affecting local or Dropbox-server performance. I have seen a few posts circa a few years ago about desiring file integrity checking with no clear answer. Perhaps it finally got implemented.
That is, it is not enough to verify file integrity by looking at which files I have in my 1M files at startup and comparing only the filenames (paths) and file sizes and dates/time modified to what Dropbox has in the cloud or relying entirely on VSS. Even calculating MD5 hashes is time consuming on 1M files. At some point it behooves the Dropbox servers to sample individual files and do a true file compare or at the very least do an MD5 compare. And if my (Free) Dropbox has 1M files, it certainly cannot do a true file compare at Windows Startup - too time consuming. With my Free Dropbox, it might instead do an MD5 hash compare on portions of the 1M files and flag which ones it has done -- it would do more and more over time to spread the load of its servers (and my local machine) not being overwhelmed doing all 1M files MD5 compares at a time. Such an MD5 compare would open and close the file locally and cause the date accessed to be changed. This might explain what I saw.
Unfortunately, Dropbox does not (as far as I know) disclose under what conditions it will access the file locally -- you believe it **does not** and I respectfully believe it might. It's important for me to know so I can take steps accordingly to monitor rogue file accesses. Unless you are a Dropbox engineer who definitely knows the answer, the answer remains a puzzle. Only someone from Dropbox can authoritatively answer this question, IMHO.
- Sam DBX 3 years ago
Community Manager
Hi all,
Thanks for your input on this. To explain a bit, there are two main components to how the Dropbox desktop application keeps your files in sync:
- During normal operation, it patiently waits for any file activity like a new file added/edited/deleted from your Dropbox folder. When that happens it syncs those changes to your account.
- During startup, the application indexes your Dropbox files to check for changes made locally while the application was off, or remotely from your other devices/accounts you share with.
This is how Dropbox can keep your files in sync, even if your computer isn't online 24/7. So, even if you're not making changes to the files directly - this likely accounts for what you’re seeing as far as access times.
From our side, rest assured that your files are safe, and if you're curious about our internal security procedures, we have lots of information in our security whitepaper.
Hope this helps!
- harryisthename 3 years ago Helpful | Level 5
Hi Samantha, thank you very much! I need some time to investigate further. Thank you for the useful whitepaper. Perhaps you can comment on this:
Using SysInternals procmon, I am seeing that one or two times a day, Dropbox mysteriously chooses perhaps three or four files to do procmon operations of QueryEAFile on the file (say C:\Users\Admin\Dropbox\PITCH.51:COM.DROPBOX.ATTRS) (which BTW returns an INVALID PARAMETER code) and causes Windows Defender (Msmpeng.exe) to open and read the first 26 bytes of the original file (C:\Users\Admin\Dropbox\PITCH.51) and close the file. This may be what causes the file access time to change. I have no idea what provoked Dropbox to do the QueryEAFile (see https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-ntqueryinformationfile ) and I am aware many people have complained for years about such files being created and remaining around (not the case here - they do not remain around). See https://help.dropbox.com/sync/extended-attributes .
Dropbox always states it's likely a shared folder or syncing to a device that is using a different file system and this is needed to propagate extended attributes from one file system to another. Fair enough. But there are no other devices connected to the account (a Free account), everything has been revoked, the password was changed, 2FA was set up, sfc /scannow, chkdsk C: were done, no other anti-virus is running, I went through autoruns with a fine tooth comb and the issue persists and apparently had been going on for months. I intend to study this, with hopefully your help -- otherwise I am overwhelmed trying to attempt this on another clean install of Windows 10.
Just a few files per day. It gets more interesting: I will add that at one point I saw on the portal Security settings an Android device which was connected to an ASN router belonging to my ISP and a few miles from my home. That was strange and smacks of (SWAG) MITM. It's very challenging to research this and get Spectrum or Dropbox to help. The natural inclination is: we do a great job and it has to be something on your end. Understood. But your help is appreciated and it's in your best interest to take this seriously, which I believe you do. I deleted that connection and the issue persists. I have never installed Dropbox on my Android phone. If I am contacted privately, I will be happy to provide screenshots and more procmon logs. Either I am being spied on (I have nothing to hide), my Dropbox is compromised/rogue, or my Windows Defender is compromised/rogue. I will be studying this further.
I am including a snippet of a procmon log for a file PITCH.51
This is important because Digital Forensics depends on the file access time for monitoring of file integrity and suspicious behaviors. It is challenging enough to get that last access time correct and interpret it; Dropbox (or Windows Defender) just confuses the matter if they are responsible for these (possibly) unnecessary file access updates.
I will continue to update as I learn more.
Blessings!
Harry
Procmon for pitch.51
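The correlation described in the post above (a Dropbox query on a file's `COM.DROPBOX.ATTRS` stream followed by a Defender read of the file itself) can be pulled out of a Procmon CSV export mechanically. This is an added example, not part of the original thread; the sample rows are constructed, the column names are those of Procmon's CSV export, and the function names are hypothetical.

```python
import csv
import io
from collections import defaultdict

# Constructed rows in the column layout of a Procmon CSV export (not the poster's log).
SAMPLE = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:14:07.1 AM","Dropbox.exe","4120","QueryEAFile","C:\Users\Admin\Dropbox\PITCH.51:COM.DROPBOX.ATTRS","INVALID PARAMETER",""
"9:14:07.2 AM","MsMpEng.exe","2988","CreateFile","C:\Users\Admin\Dropbox\PITCH.51","SUCCESS","Desired Access: Generic Read"
"9:14:07.3 AM","MsMpEng.exe","2988","ReadFile","C:\Users\Admin\Dropbox\PITCH.51","SUCCESS","Offset: 0, Length: 26"
"9:14:07.4 AM","MsMpEng.exe","2988","CloseFile","C:\Users\Admin\Dropbox\PITCH.51","SUCCESS",""
"9:20:00.0 AM","Dropbox.exe","4120","QueryEAFile","C:\Users\Admin\Dropbox\Ledger.xlsx:COM.DROPBOX.ATTRS","INVALID PARAMETER",""
"9:21:00.0 AM","explorer.exe","5012","ReadFile","C:\Users\Admin\Documents\notes.txt","SUCCESS","Offset: 0, Length: 512"
'''

def split_stream(path):
    """Split 'dir\\file:STREAM' into (file path, stream name or '')."""
    head, sep, leaf = path.rpartition("\\")
    name, _, stream = leaf.partition(":")  # drive-letter colon is in head, not leaf
    return head + sep + name, stream

def attribute_accesses(csv_text, root):
    """Per file under root: who queried its named streams, who read its data."""
    prefix = root.lower().rstrip("\\") + "\\"
    report = defaultdict(lambda: {"stream_queries": [], "data_readers": [],
                                  "read_after_query": False})
    for row in csv.DictReader(io.StringIO(csv_text)):
        base, stream = split_stream(row["Path"])
        if not base.lower().startswith(prefix):
            continue  # activity outside the synced folder
        entry = report[base]
        if stream:
            entry["stream_queries"].append(
                (row["Process Name"], row["Operation"], stream, row["Result"]))
        elif row["Operation"] == "ReadFile" and row["Result"] == "SUCCESS":
            # Data reads are the candidates for a last-access timestamp change.
            entry["data_readers"].append(row["Process Name"])
            # Rows are in capture order, so any recorded query happened earlier.
            entry["read_after_query"] = bool(entry["stream_queries"])
    return dict(report)

if __name__ == "__main__":
    for path, info in attribute_accesses(SAMPLE, r"C:\Users\Admin\Dropbox").items():
        print(path, info)
```

Files that show a stream query but no data reader are ones where the query alone did not lead to the file's contents being read during the capture.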
- Sam DBX 3 years ago
Community Manager
Hi Harry,
Thanks for the detailed information.
We'll look into it and get back to you to share some insights if available.
Thanks for your patience so far!
- Sam DBX 3 years ago
Community Manager
Hey Harry,
Thanks for holding on. Here are some points we can provide a bit more info:
First one (as you've mentioned) Dropbox does occasional sanity check true file comparisons and in between. Basically, we monitor the designated path of the syncing Dropbox folder and wait for filesystem events like add/edit/delete from the OS, which triggers a response from the Dropbox desktop application to then index/sync any changes that were made.
Regarding other devices connected to your account, we are happy to look into this further for you, and get a better understanding of what you're seeing at your end.
I’m sure you’re aware of these steps, but no harm in reinstating - if you suspect that an Android device has accessed your account without your authorization:
- Change your password
- Review your connected devices: http://www.dropbox.com/account/security
- Disconnect any devices you don't recognise
Again, we can surely look into this further for you (via our support ticket).
Best!
- harryisthename 3 years ago Helpful | Level 5
Hi Samantha, thank you again for your thoughtful reply. I believe you can see my email address from this message. If so, can I trouble you to *PLEASE* privately email me as there are some rather very important things I would like to discuss with you privately. I do intend, for transparency sake and as a professional courtesy to those who are following this post, to ask you at some point to summarize what we conclude privately, which may take a bit of time. Or perhaps I can summarize down the road.
In the meantime, my only comment about the sanity check scan -- it's good to know you do that from time to time BUT it does not apply here as the procmon tool did not reveal any Readfiles for the file compares -- just the Create, close and read (by Windows Defender) of the 26-byte com.dropbox.attrs file. If this were a sanity check, the dropbox service would have to read and return the data to the cloud for cloud-compare (or the cloud would have to download the cloud version of the file to the local machine data for the local machine to compare to its local copy).
I look forward (hopefully) to your email.
Blessings,
Harry
- Sam DBX 3 years ago
Community Manager
Hi Harry,
Not a problem, always happy to help.
Our team has been advised to contact you directly (via email).
Ps: if you haven't done so, please verify your email address, so we can fully assist you there: https://help.dropbox.com/account-access/verify-email
Thank you!
- harryisthename 3 years ago Helpful | Level 5
Hi Samantha. Thank you! Are you able to confirm I verified? I logged off and logged in to my dropbox account on the portal but no verification email was sent nor did I expect one -- 2FA was in effect and I got a code on my cell. I did not state the device was a trusted device. I'll wait to hear from Dropbox privately. It's possible you meant a verification email from the community blog which I believe is separate (I am using the same email however); not sure.
Thank you so much!
Harry
- Sam DBX 3 years ago
Community Manager
Hi Harry,
I've asked our team to resend the verification email, let me know if you got it.
Thanks!