
Cloud Forensics and SaaS Investigation


Category: Forensics | Last Updated: Feb 5, 2026
Tags: forensics, blockchain

Overview#

A SOC team responding to a credential-stuffing campaign discovers that a compromised account accessed SharePoint, forwarded emails through a rule in Exchange Online, and downloaded a bulk export from Salesforce, all within an eight-minute window at 03:00 local time. None of those actions touched an on-premises system. The evidence exists entirely in cloud audit logs, access tokens, and API call records spread across three different SaaS platforms.

Traditional disk-based forensics cannot reach this evidence. Cloud Forensics and SaaS Investigation addresses the unique challenges of cloud-based investigations: multi-tenant architectures, distributed data storage, ephemeral compute resources, and provider-controlled access mechanisms. The module collects, preserves, and correlates cloud evidence in a forensically defensible manner while working within the constraints that cloud providers impose.

Open Standards#

  • OASIS STIX 2.1: Indicators of compromise, threat actors, and attack patterns collected from cloud sources are converted to and from STIX 2.1 (Structured Threat Information Expression) bundles, so they can be exchanged with MISP, OpenCTI, and other CTI platforms.
  • OASIS TAXII 2.1: Threat intelligence gathered during cloud investigations can be published or ingested through analyst-configured TAXII 2.1 collection subscriptions, using the standard GET /collections/{id}/objects/ polling endpoint with added_after filtering so that each poll retrieves only objects added since the previous one.
  • W3C Verifiable Credentials Data Model v2.0: Every item of collected cloud evidence is issued a W3C Verifiable Credential (signed with Ed25519 in JWT compact serialisation) recording the collection event, and each subsequent custody transfer is recorded the same way, giving a cryptographically verifiable chain of custody.
  • RFC 3161 (Internet X.509 PKI Time-Stamp Protocol): Evidence records can be sealed at acquisition with an RFC 3161 time-stamp token issued by a trusted Time-Stamp Authority, producing independently verifiable, third-party-attested proof that the evidence existed in its current state at a specific instant (whether a court admits it is a legal question for the jurisdiction, not something the protocol decides).
  • OAuth 2.0 / RFC 6749: Microsoft 365 service APIs (Exchange Online, SharePoint) are accessed with the OAuth 2.0 client credentials grant against Microsoft Entra ID, so evidence collection runs under an application identity with its own audit trail and never relies on a user's password.
  • FIPS 180-4 / FIPS 202 (SHA-256, SHA-512, SHA3-256): File integrity is verified at acquisition with SHA-256 (FIPS 180-4) as the primary digest; SHA-512 (FIPS 180-4), SHA3-256 (FIPS 202), and BLAKE2b (RFC 7693) are computed in parallel over the same bytes, so a future weakness in any single algorithm does not invalidate the integrity record.
  • ISO 4217: Financial evidence artefacts (transaction records, payment exports from SaaS platforms) carry ISO 4217 three-letter currency codes, so amounts drawn from multi-currency cloud data sources are never ambiguous.
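To make the STIX and TAXII items concrete, the following is an added example (not the module's own code) that wraps a source IP lifted from a cloud audit log as a STIX 2.1 Indicator, packs it into a bundle, builds the TAXII 2.1 polling URL with an added_after cursor, and parses one response page. It uses only the standard library; the envelope and headers are constructed inline, so nothing is fetched over the network, and the API root, collection id and IP are placeholders.

```python
"""Added example: STIX 2.1 bundle construction and TAXII 2.1 polling helpers.

Not the module's own code. Standard library only; the TAXII envelope below is
constructed so that the example runs offline.
"""
import json
import re
import uuid
from datetime import datetime, timezone

TAXII_MEDIA_TYPE = "application/taxii+json;version=2.1"  # Accept / Content-Type for TAXII 2.1


def stix_timestamp(dt: datetime) -> str:
    """STIX 2.1 timestamps are RFC 3339 in UTC with a trailing 'Z'; millisecond precision is conventional."""
    dt = dt.astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def indicator_for_ipv4(ip: str, description: str, seen: datetime) -> dict:
    """Wrap an IPv4 address seen in a cloud audit log as a STIX 2.1 Indicator."""
    if not re.fullmatch(r"(?:\d{1,3}\.){3}\d{1,3}", ip) or any(int(o) > 255 for o in ip.split(".")):
        raise ValueError(f"not an IPv4 literal: {ip}")
    ts = stix_timestamp(seen)
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",        # STIX identifiers are <type>--<UUIDv4>
        "created": ts,
        "modified": ts,
        "name": f"Cloud audit source {ip}",
        "description": description,
        "indicator_types": ["malicious-activity"],
        "pattern": f"[ipv4-addr:value = '{ip}']",  # STIX patterning language
        "pattern_type": "stix",
        "valid_from": ts,
    }


def make_bundle(objects: list) -> dict:
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": list(objects)}


def taxii_objects_url(api_root: str, collection_id: str, added_after: str = "", limit: int = 100) -> str:
    """URL for GET {api-root}/collections/{id}/objects/ with an optional added_after cursor."""
    url = f"{api_root.rstrip('/')}/collections/{collection_id}/objects/?limit={limit}"
    return url + (f"&added_after={added_after}" if added_after else "")


def consume_envelope(envelope: dict, headers: dict) -> tuple:
    """Parse one TAXII 2.1 envelope page.

    Returns (objects, next_added_after, more). The cursor for the next poll is the
    X-TAXII-Date-Added-Last response header, not the objects' own 'modified' fields;
    'more' means the server holds further pages for this query (fetch them with 'next').
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    return (
        list(envelope.get("objects", [])),
        lowered.get("x-taxii-date-added-last", ""),
        bool(envelope.get("more", False)),
    )


# Constructed sample data (placeholders, not a real server response).
SAMPLE_SEEN = datetime(2026, 2, 5, 3, 0, 12, 345000, tzinfo=timezone.utc)
SAMPLE_ENVELOPE = {
    "more": False,
    "objects": [indicator_for_ipv4("203.0.113.7", "constructed sample IOC", SAMPLE_SEEN)],
}
SAMPLE_HEADERS = {"Content-Type": TAXII_MEDIA_TYPE, "X-TAXII-Date-Added-Last": "2026-02-05T03:05:00.000Z"}


if __name__ == "__main__":
    print(json.dumps(make_bundle(SAMPLE_ENVELOPE["objects"]), indent=2))
    objs, cursor, more = consume_envelope(SAMPLE_ENVELOPE, SAMPLE_HEADERS)
    print(taxii_objects_url("https://taxii.example.test/api1", "9f2a", cursor))
```

The point of carrying the cursor from the X-TAXII-Date-Added-Last header rather than from object timestamps is that added_after refers to when the server added an object to the collection, which can be later than the object's own created or modified time; polling with the wrong value silently skips objects.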

Last Reviewed: 2026-02-05 Last Updated: 2026-04-14

Key Features#

Multi-Cloud Evidence Acquisition#

Forensic data acquisition from Amazon Web Services, Microsoft Azure, and Google Cloud Platform. API-based collection methods maintain evidence admissibility while working within cloud service constraints. Collection is logged and hashed at the point of acquisition to establish integrity.

SaaS Application Forensics#

Evidence collection from enterprise SaaS applications including Microsoft 365, Google Workspace, Salesforce, and Slack. The module captures user activity, document modifications, access patterns, and configuration changes, all of which are critical artefacts in insider threat and data breach cases.

Cloud-Native Log Correlation#

Aggregate and correlate logs from multiple cloud service layers: infrastructure audit logs, application-level activity logs, and access management events. The result is a complete event timeline that crosses provider boundaries and reveals the full scope of attacker or insider activity.

Ephemeral Resource Handling#

Containers, serverless functions, and short-lived virtual machines disappear within minutes or hours. Specialized procedures preserve evidence from these temporary resources, capturing log entries, configuration snapshots, and metadata before the environment is recycled or destroyed.

Cross-Service Timeline Reconstruction#

Correlate evidence across multiple cloud services and providers to build comprehensive investigation timelines. Lateral movement, data exfiltration, and unauthorized access patterns become visible when events from disparate services are combined into a single chronological view.
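The two sections above (log correlation and cross-service timeline reconstruction) come down to one mechanical step that is easy to get wrong: each service stamps time in its own format, and only once every record is normalised to timezone-aware UTC can events be ordered and clustered. The following is an added example, not the module's own code, that does this for four constructed records shaped like AWS CloudTrail, a Microsoft Entra sign-in log entry, a Microsoft 365 unified audit log entry and a Salesforce EventLogFile row, then reports any source IP whose activity spans several services inside an eight-minute window (the overview's scenario). The records, user names and IPs are invented; the field names follow the respective services' documented formats.

```python
"""Added example: normalise audit records from several cloud services into one UTC timeline.

Not the module's own code. The records in SAMPLE are constructed to resemble the
field names of CloudTrail, Entra sign-in logs, the M365 unified audit log and
Salesforce EventLogFile; they are not real log data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(order=True)
class Event:
    ts: datetime      # timezone-aware UTC after normalisation
    source: str
    actor: str
    action: str
    ip: str


def _utc(s: str, fmt: str) -> datetime:
    """All four sources emit UTC; attach the zone explicitly so comparisons are safe."""
    return datetime.strptime(s, fmt).replace(tzinfo=timezone.utc)


def from_cloudtrail(r: dict) -> Event:
    # eventTime: ISO 8601 with trailing Z, whole seconds (2026-02-05T03:00:12Z)
    ident = r["userIdentity"]
    return Event(_utc(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ"), "aws-cloudtrail",
                 ident.get("userName", ident.get("arn", "?")), r["eventName"], r["sourceIPAddress"])


def from_entra_signin(r: dict) -> Event:
    # createdDateTime carries fractional seconds (2026-02-05T02:59:58.412Z)
    return Event(_utc(r["createdDateTime"], "%Y-%m-%dT%H:%M:%S.%fZ"), "entra-signin",
                 r["userPrincipalName"], f"SignIn:{r['appDisplayName']}", r["ipAddress"])


def from_m365_audit(r: dict) -> Event:
    # CreationTime is UTC but has no zone designator (2026-02-05T03:01:40)
    return Event(_utc(r["CreationTime"], "%Y-%m-%dT%H:%M:%S"), "m365-unified-audit",
                 r["UserId"], r["Operation"], r["ClientIP"])


def from_salesforce_elf(r: dict) -> Event:
    # EventLogFile TIMESTAMP is yyyyMMddHHmmss.SSS in UTC (20260205030602.117)
    return Event(_utc(r["TIMESTAMP"], "%Y%m%d%H%M%S.%f"), "salesforce-eventlog",
                 r["USER_NAME"], r["EVENT_TYPE"], r["CLIENT_IP"])


def build_timeline(raw: list) -> list:
    """raw: list of (parser, record) pairs. Returns Events sorted by UTC time."""
    return sorted(parser(rec) for parser, rec in raw)


def cross_service_bursts(events: list, window: timedelta, min_services: int = 2) -> list:
    """For each source IP, find the window-sized span touching the most distinct services.

    Returns (ip, first_ts, last_ts, sorted services) for IPs reaching min_services."""
    by_ip = {}
    for e in events:
        by_ip.setdefault(e.ip, []).append(e)
    bursts = []
    for ip, evs in by_ip.items():
        evs.sort()
        best, start = None, 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:   # slide the window's left edge
                start += 1
            services = {e.source for e in evs[start:end + 1]}
            if len(services) >= min_services and (best is None or len(services) > len(best[3])):
                best = (ip, evs[start].ts, evs[end].ts, sorted(services))
        if best:
            bursts.append(best)
    return bursts


WINDOW = timedelta(minutes=8)

# Constructed sample records (not real logs).
SAMPLE = [
    (from_entra_signin, {"createdDateTime": "2026-02-05T02:59:58.412Z", "userPrincipalName": "j.doe@example.com",
                         "ipAddress": "203.0.113.7", "appDisplayName": "SharePoint Online"}),
    (from_cloudtrail, {"eventTime": "2026-02-04T14:20:00Z", "eventName": "GetObject",
                       "sourceIPAddress": "198.51.100.9", "userIdentity": {"userName": "svc-backup"}}),
    (from_m365_audit, {"CreationTime": "2026-02-05T03:01:40", "Operation": "New-InboxRule",
                       "UserId": "j.doe@example.com", "ClientIP": "203.0.113.7"}),
    (from_salesforce_elf, {"TIMESTAMP": "20260205030602.117", "EVENT_TYPE": "ReportExport",
                           "USER_NAME": "j.doe@example.com", "CLIENT_IP": "203.0.113.7"}),
    (from_cloudtrail, {"eventTime": "2026-02-05T03:00:12Z", "eventName": "GetObject",
                       "sourceIPAddress": "203.0.113.7", "userIdentity": {"userName": "j.doe"}}),
]

if __name__ == "__main__":
    timeline = build_timeline(SAMPLE)
    for e in timeline:
        print(e.ts.isoformat(), e.source, e.actor, e.action, e.ip)
    for ip, first, last, services in cross_service_bursts(timeline, WINDOW):
        print(f"{ip}: {len(services)} services in {last - first} -> {services}")
```

Note that the actor field differs per service (a bare user name in CloudTrail, a UPN elsewhere), so the correlation key here is the client IP; in a real case the identity mapping (user name to UPN to Salesforce user) has to be established and documented separately, and the "03:00 local time" in the overview must be converted to UTC before it is compared with anything.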

Chain of Custody for Cloud Evidence#

Detailed documentation covers acquisition procedures, authentication methods, and evidence handling specific to cloud environments. Each collection step is recorded with timestamps, the identity of the collecting system, and cryptographic verification, maintaining forensic soundness for evidence gathered through provider APIs.
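The hashing and chain-of-custody items in Open Standards and the section above describe the same mechanism from two sides: a set of digests fixed at acquisition, and a custody record that commits to those digests and to every prior record. The following added example (not the module's own code) implements that core with the standard library only: the four digests named on the page computed over the same bytes, and an append-only custody log in which each record carries the SHA-256 of its predecessor, plus a verifier that recomputes the chain and re-hashes the evidence. The page's Ed25519-signed Verifiable Credential and RFC 3161 time-stamp would be applied to each record this code emits; signing and time-stamping are deliberately out of scope here, and the evidence bytes, identifiers and actor names are constructed placeholders.

```python
"""Added example: acquisition digest set and a hash-chained custody log.

Not the module's own code. hashlib/json only; the VC signature and RFC 3161
token described on the page would wrap each record produced here.
"""
import hashlib
import json
from datetime import datetime, timezone

# SHA-256 / SHA-512 (FIPS 180-4), SHA3-256 (FIPS 202), BLAKE2b (RFC 7693)
DIGESTS = ("sha256", "sha512", "sha3_256", "blake2b")
GENESIS = "0" * 64   # 'prev' value of the first record in a chain


def digest_set(data: bytes) -> dict:
    """Compute all four digests over the same bytes at acquisition time."""
    return {name: hashlib.new(name, data).hexdigest() for name in DIGESTS}


def canonical(record: dict) -> bytes:
    """Deterministic JSON encoding so that an unchanged record always hashes identically."""
    return json.dumps(record, sort_keys=True, separators=(",", ":"), ensure_ascii=True).encode()


def record_hash(record: dict) -> str:
    return hashlib.sha256(canonical(record)).hexdigest()


class CustodyLog:
    """Append-only chain: every record commits to the SHA-256 of its predecessor."""

    def __init__(self):
        self.records = []

    def append(self, event: str, actor: str, evidence_id: str, digests: dict, when: datetime) -> dict:
        record = {
            "seq": len(self.records),
            "event": event,             # e.g. "acquired", "transferred", "verified"
            "actor": actor,             # collecting system or analyst identity
            "evidence_id": evidence_id,
            "digests": dict(digests),
            "timestamp": when.astimezone(timezone.utc).isoformat(timespec="seconds"),
            "prev": record_hash(self.records[-1]) if self.records else GENESIS,
        }
        self.records.append(record)
        return record

    def verify(self, evidence: dict) -> list:
        """Return a list of problems; an empty list means chain and evidence check out.

        evidence maps evidence_id -> the bytes of the artefact as held now."""
        problems, expected_prev = [], GENESIS
        for i, rec in enumerate(self.records):
            if rec["prev"] != expected_prev:
                problems.append(f"record {i}: chain broken (prev mismatch)")
            if rec["seq"] != i:
                problems.append(f"record {i}: unexpected sequence number {rec['seq']}")
            data = evidence.get(rec["evidence_id"])
            if data is not None and digest_set(data) != rec["digests"]:
                problems.append(f"record {i}: evidence {rec['evidence_id']} no longer matches its digests")
            expected_prev = record_hash(rec)
        return problems


# Constructed placeholder artefact (not a real export).
SAMPLE_EVIDENCE = {"exo-inboxrules-jdoe": b"constructed: Exchange Online inbox-rule export for j.doe\n"}


def demo_log() -> CustodyLog:
    """Acquisition followed by one custody transfer, both over the same digest set."""
    log = CustodyLog()
    eid = "exo-inboxrules-jdoe"
    digests = digest_set(SAMPLE_EVIDENCE[eid])
    log.append("acquired", "collector-vm-01", eid, digests, datetime(2026, 2, 5, 3, 12, 5, tzinfo=timezone.utc))
    log.append("transferred", "analyst:j.smith", eid, digests, datetime(2026, 2, 5, 9, 30, 0, tzinfo=timezone.utc))
    return log


if __name__ == "__main__":
    log = demo_log()
    print(json.dumps(log.records, indent=2))
    print("problems:", log.verify(SAMPLE_EVIDENCE))
```

The chain catches modification of any record except the last one, because nothing yet commits to the last record; that is exactly the gap the signed credential and the RFC 3161 token close, by binding the newest record to a key and to an external clock. Verification also only re-hashes artefacts it is given, so a missing artefact is reported as nothing rather than as a problem; a production verifier should treat absence as a finding.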

Use Cases#

  • Data Breach Investigation: Trace unauthorized access across cloud services, identify compromised accounts, and document the scope of data exposure through log correlation and access analysis.
  • Insider Threat: Investigate unauthorized data access, policy violations, and data exfiltration through SaaS applications and cloud storage services, where traditional endpoint forensics yields nothing.
  • Incident Response: Rapidly collect and preserve cloud-based evidence during active security incidents before ephemeral resources are destroyed. Integrates with TheHive for case tracking and GRR for endpoint correlation.
  • Regulatory Compliance: Support regulatory investigations requiring evidence from cloud-hosted systems with proper chain of custody documentation aligned to GDPR, NIS2, and sector-specific data handling requirements.

Integration#

Connects with major cloud provider APIs (AWS, Azure, GCP), SaaS application interfaces, and on-premises evidence management systems. Integrates with TheHive for incident case management, MISP for IOC correlation, and CyberChef for log data transformation. Supports multi-tenant evidence scoping to keep organisational data isolated throughout the investigation lifecycle.
