Google Drive Forensics Lab: Finding Cloud Access Emails with sync_log.log

In this digital forensics lab, we walk through how to identify which email account was used to access Google Drive by examining the sync_log.log file inside a user’s profile with FTK Imager. This exercise focuses on navigating forensic evidence to the Google Drive application data directory, locating the log file, and reviewing its contents to uncover cloud access information tied to the user account. It’s a great hands-on lab for students learning cloud forensics, application artifacts, user attribution, and how investigators can use sync logs to connect activity to a specific email address. This lab also reinforces an important investigative concept: even when cloud activity happens online, local systems often retain valuable forensic traces that can reveal who accessed a service and what applications were in use. Disclaimer: This video is for educational purposes only. This lab is based on material from Guide to Computer Forensics and Investigations, 7th Edition — Cengage. The material is used here for instructional and academic discussion. All credit for the original source material belongs to the respective author(s) and publisher. This video is intended only to support authorized learning in digital forensics, cybersecurity, and cloud investigation education.