First, his mouse moved on its own. Just a pixel, late at night. Then, files appeared in his Google Drive folder—spreadsheets he didn’t create, filled with rows of IP addresses. The Ghost Win 8 had quietly linked his local machine to a hidden sync folder in someone else’s Google Drive. He wasn’t using the OS. The OS was using him.
The increasing reliance on cloud storage services like Google Drive has led to a rise in complex digital forensic investigations involving cloud-synced files. This paper presents a forensic analysis of the interactions between Windows 8 and Google Drive, with a focus on identifying and understanding the artifacts left behind by the synchronization process. Our research reveals that Google Drive creates a multitude of artifacts on a Windows 8 system, including file system metadata, registry entries, and cache files. We also demonstrate how these artifacts can be used to reconstruct a timeline of user activity, including file uploads, downloads, and edits. Our findings have significant implications for digital forensic investigators and highlight the need for specialized tools and techniques to analyze cloud-synced data.
Custom builds like "Ghost Spectre" or "Potato Edition" are designed for low-end hardware.
Resource Management