When I got this popup while moving a file from a Dropbox folder, I immediately thought Alternate Data Stream:
I ran my filescanner on the file, and found an ADS with name com.dropbox.attributes:
From the Magic HEX value, we can see that the content of the stream (frozen-sea-foam.mp4:com.dropbox.attributes) starts with 0x78 (and the streamsize is 83 bytes). 0x78 hints at zlib deflated data.
If you are not that familiar with magic values, you can use my file-magic tool:
Trying to decompress the ADS with translate.py gives us JSON data {“dropbox_fileid_local”: {“machineid_attr”: {“data”: “aa4xliox7z5n0qewxOlT3Q==”}}}:
The data field looks like BASE64, so let’s try to decode it with base64dump.py:
It decodes with BASE64 to data that looks random. From the names in the JSON data, we can deduce that this is probably a machine ID.
Remark 1: as it could well be my unique machine ID, I altered the value of the ID.
Remark 2: my file-magic.py tool is beta.
Remark 3: if you wonder what the video frozen-sea-foam is, I have it on Instragram.
Didier Stevens 