Best Practices for Google Workspace & Microsoft 365 Forensics
- Ashish Mathew Varghese
- Jul 7
- 9 min read
Introduction
Google Workspace, formerly known as G Suite, and Microsoft 365, formerly known as Office 365, are cloud-based productivity and collaboration platforms designed to address modern business challenges and to help individuals and organizations collaborate, communicate and manage work efficiently. They are developed and offered by Google and Microsoft respectively. Both offer a comprehensive set of applications and services, but they differ in approach, features and strengths.
So, what are cloud-based productivity and collaboration platforms?
These are integrated platforms that offer a wide range of services and tools to help organizations and individuals work, communicate and collaborate efficiently, in real time, over the internet. Core services include cloud storage, real-time collaboration, integrated communications, project and workflow management, security and access controls, and cross-platform compatibility. Although Google Workspace and Microsoft 365 are the most widely used platforms, others such as Zoho Workplace and Apple iCloud (with iWork) are gradually gaining ground.
Forensic importance of Cloud-based Productivity and Collaboration Platforms
Platforms like Google Workspace and Microsoft 365 play a critical role in the operations of modern businesses. Incidents such as data breaches, insider threats and policy violations are common, and the forensic importance of these platforms lies in the ability to investigate, collect, analyse and preserve digital evidence after such incidents. They matter in digital forensics because they centralize communication and data, keep extensive logs, retain historical data, and are subject to legal holds and compliance requirements. Forensic readiness in cloud-based productivity and collaboration platforms is essential for:
Rapid and accurate incident investigation
Ensuring evidence integrity and admissibility
Supporting legal and regulatory compliance
Minimizing business impact from security incidents
Cloud environments are complex and exceptionally large in scale, and therefore require specialized tools, collaborative architectures and continuous adaptation of forensic methods to effectively secure and investigate digital activity within these platforms.
Best Practices for Google Workspace Forensics
Google Workspace forensics involves the investigation, extraction and analysis of data from Google Workspace services such as Gmail, Google Calendar and Drive to detect unauthorised access, data exfiltration or misuse. Conducting digital forensics in Google Workspace requires a structured approach to ensure evidence integrity, compliance and effective analysis.
One of the critical areas in Google Workspace forensics is the acquisition of evidence, and there are several methods to acquire it. The appropriate method depends on the investigation scenario, the data type and the level of access available. The main methods and the best practices for each are:
1. Google Admin Export Tool - This is a native tool within the Google Workspace admin console that allows super administrators to export all user data from the organization. This method is ideal for internal investigations, and it creates a ZIP archive structured like a Google Takeout export that can be parsed by tools such as Magnet AXIOM or FTK. The main requirements are that the user must be a super admin and that the Google Workspace account must have been active for more than 30 days. Exports are allowed once every 30 days, and Google Cloud Platform (GCP) must be enabled to store the export. Shared drive data is also included in these exports.
2. Google Takeout – This method enables the export of an individual user’s data without requiring admin access. It requires the user’s account credentials and two-factor authentication. Note that shared drive data is not included, and Google Admin policies may restrict Google Takeout due to security reasons. Ensure that Access Log Activity is enabled, as it is disabled by default.
3. Google Workspace Investigation Tool – This tool allows real-time searching and filtering of logs, device data, Gmail messages, etc. It is well suited to investigating malicious emails and users across data sources. Admins can suspend users, revoke tokens or force password resets directly from the tool. Use this tool for triage purposes. Data can be exported for analysis in spreadsheets.
4. Google Vault – This is an eDiscovery and archiving tool designed to support forensic investigations, legal hold, compliance, and internal inquiries. It enables administrators to search and export data from Gmail, Drive, Chat, Meet, Groups, and more. The tool allows for placing specific data on legal hold, ensuring retention even if the user deletes the content. Emails can be exported in MBOX or PST formats, while Drive files are exported as ZIP files with the original folder structure. All exports are timestamped and include metadata, ensuring integrity and traceability.
5. Open-source Log Collection Tools - GWS Log Collection Tool and ALFA (Automated Log Forensic Analysis) are two open-source tools used for collecting logs from workspaces. Both tools utilize API-based acquisition of audit logs. ALFA also includes a scoring mechanism to highlight potentially malicious behaviour. Use these tools when log completeness and automated analysis are required, and ensure that API access is preconfigured with the proper credentials.
To ensure a smooth acquisition from Google Workspace, always match the method to your investigative goals. Admin tools are suited to organization-wide investigations, while Takeout can be used for user-level data when credentials are available. For timeline reconstruction and log-based threat detection, IR tools and API scripts can be used.
Some other best practices that can be followed are:
· Maintaining Chain of Custody - Record when, how and by whom data was accessed or exported, and everything that was done with it.
· Beware of workspace alerts - Takeout exports and Admin Export tool exports can trigger Workspace alerts, so be aware that these notifications may also reach the suspect.
· Preconfigure environments for speed - It is a best practice to set up GCP and necessary API access in advance to enable rapid response during an investigation and to reduce delays.
Like the Admin Export tool, another important part of the admin console is Audit and Investigation. The Google Admin Console provides audit logs that track user and admin actions across Google Workspace apps, and the Investigation tool allows real-time log search, filtering and export. These are used primarily for incident response, insider threat detection, compliance audits and behavioural timeline reconstruction. Audit logs capture detailed records of user and admin activity across all the services.
Some of the common audit logs that contain forensically relevant data are the Admin, Login, Drive, Gmail and Meet audit logs. Export logs immediately in CSV format for long-term retention and correlation with other sources. Since all admin actions in the audit log are timestamped, the logs also help in maintaining the chain of custody. By default, general logs are held for six months and email logs for one month.
Third-party forensic tools like FTK, Magnet AXIOM or Splunk can work with the exported logs to parse them and create timelines, or for advanced log correlation and dashboards.
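As an added example (not code from the original article), the following Python script shows what timeline reconstruction from exported Google Workspace audit logs can look like in practice: it parses two constructed CSV exports (a Login audit export and a Drive audit export), normalizes their timestamps to UTC, merges them into one timeline, and attributes each Drive event to the most recent login by the same user from the same IP address. The column names (Date, Event Name, User, IP Address, Document Title), the event names and the sample rows are assumptions modelled on admin console CSV exports; adjust them to match your own export.

```python
"""Merge Google Workspace audit log CSV exports into one UTC timeline.

Added example, not from the article. Column and event names are assumptions
modelled on admin console CSV exports; the rows below are constructed.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample Login audit export (two logins, two different IPs).
LOGIN_CSV = """\
Date,Event Name,User,IP Address
"2025-06-30T08:02:11Z",login_success,alice@example.com,203.0.113.5
"2025-06-30T23:47:52Z",login_success,alice@example.com,198.51.100.77
"""

# Constructed sample Drive audit export (two downloads shortly after the second login).
DRIVE_CSV = """\
Date,Event Name,User,Document Title,IP Address
"2025-06-30T23:49:10Z",download,alice@example.com,Q3 Forecast.xlsx,198.51.100.77
"2025-06-30T23:51:03Z",download,alice@example.com,Customer List.csv,198.51.100.77
"""


def parse_export(csv_text, source):
    """Turn one CSV export into a list of normalized event dicts (UTC timestamps)."""
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        ts = datetime.strptime(row["Date"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({
            "time": ts,
            "source": source,                  # which audit log the row came from
            "event": row["Event Name"],
            "user": row["User"],
            "ip": row.get("IP Address", ""),
            "detail": row.get("Document Title", ""),
        })
    return events


def build_timeline(*event_lists):
    """Merge several parsed exports into a single chronologically sorted timeline."""
    merged = [e for lst in event_lists for e in lst]
    return sorted(merged, key=lambda e: e["time"])


def attribute_to_logins(timeline, window_minutes=60):
    """Attach each non-login event to the latest login_success by the same user
    from the same IP within window_minutes. Returns {login_time_iso: [events]}."""
    last_login = {}   # (user, ip) -> most recent login event
    attributed = {}
    for e in timeline:
        key = (e["user"], e["ip"])
        if e["event"] == "login_success":
            last_login[key] = e
            attributed[e["time"].isoformat()] = []
            continue
        login = last_login.get(key)
        if login and (e["time"] - login["time"]) <= timedelta(minutes=window_minutes):
            attributed[login["time"].isoformat()].append(f'{e["event"]}:{e["detail"]}')
    return attributed


def example_timeline():
    """Run the whole pipeline on the constructed exports."""
    timeline = build_timeline(parse_export(LOGIN_CSV, "login"),
                              parse_export(DRIVE_CSV, "drive"))
    return timeline, attribute_to_logins(timeline)


if __name__ == "__main__":
    tl, sessions = example_timeline()
    for e in tl:
        print(e["time"].isoformat(), e["source"], e["user"], e["ip"], e["event"], e["detail"])
    for login_ts, actions in sessions.items():
        print(f"login at {login_ts}: {len(actions)} attributed action(s) {actions}")
```

The same structure extends to Admin, Gmail and Meet audit exports: give each its own parse call with the relevant columns mapped into the common event dict, and the merged, UTC-sorted timeline is ready for correlation with Microsoft 365 or SIEM data.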
Best Practices for Microsoft 365 Forensics
The key areas for forensic investigation in Microsoft 365 include E-Discovery, Content Search, and Unified Audit Logs. In the event of an incident, Microsoft 365 retains mailboxes—including deleted emails—for up to 30 days, even if the license has been removed from the suspect’s account.
Microsoft Exchange Online offers an E-Discovery feature that enables authorized personnel to export the entire mailbox, including deleted or even purged emails. This makes E-Discovery a crucial tool for identifying, preserving, and producing electronic evidence during legal or investigative proceedings within the Microsoft 365 environment.
Content Search is a standalone search capability that is also used within eDiscovery cases. It allows searching across Exchange Online, OneDrive, SharePoint, Teams, etc.
Some of the best practices that must be followed for eDiscovery and Content Search are:
eDiscovery Roles – There are two primary roles in Microsoft 365: eDiscovery Manager and eDiscovery Administrator. Managers can create, manage and add members to their own cases, and can perform content searches, previews and exports related to those cases. eDiscovery Administrators have all the powers of eDiscovery Managers and can additionally manage and access all eDiscovery cases within the organization.
E-Discovery Role Assignment Best Practices
a. Dedicated eDiscovery Administrator Account – Use a separate, independent account specifically for eDiscovery administration. This minimizes the risk of privilege escalation in case a regular user account is compromised.
b. Multi-Factor Authentication (MFA) – Ensure that MFA is enabled for the eDiscovery administrator account to add an extra layer of security.
c. Activity Monitoring – Regularly monitor critical activities such as logon attempts and other actions performed by the eDiscovery administrator account.
d. Least Privilege Access for eDiscovery Managers – Assign only the necessary permissions by creating separate, dedicated accounts for eDiscovery managers. MFA should also be enabled for these accounts to ensure secure access.
eDiscovery Case – Creating an eDiscovery case is essential, as it serves as a container for all related searches, legal holds, and exports tied to a specific investigation. It ensures better organization, access control, and traceability throughout the forensic process.
Legal Hold – A Litigation Hold prevents deletion or modification of data that may be critical to an investigation. As a best practice, ensure that all relevant sources—such as mailboxes, SharePoint sites, OneDrive, and Microsoft Teams—are placed under a legal hold within the eDiscovery case.
eDiscovery Content Search – Multiple content searches can be created within a case. You can define the scope by selecting specific data sources and applying filters, keywords, and conditions to refine your search queries based on the investigative requirements.
Exporting Mailboxes in PST Format – For a forensically sound export, it is recommended to include all items, even those that are encrypted, of unknown formats, or not indexed. Creating a single PST file containing all messages in one folder simplifies evidence management. Ensure that the PST size limit is increased via registry settings to allow for larger, consolidated exports.
Hashing and Integrity Verification – Always generate cryptographic hashes (e.g., SHA-256) for exported data to verify its integrity and maintain the chain of custody. This ensures the data remains unaltered and admissible in legal proceedings.
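The hashing and chain-of-custody practices described here, and the chain-of-custody point made earlier for Google Workspace exports, can be made routine with a small script. The following is an added example, not code from the article: it computes SHA-256 hashes of every file in an export directory (a PST, a Vault or Takeout ZIP, CSV audit logs), writes them together with a custody log into a JSON manifest, and re-verifies the files later so that any modified or missing file is detected. The manifest layout, the collector names and the file names are assumptions; demo() builds its own constructed sample files in a temporary directory.

```python
"""SHA-256 evidence manifest with a chain-of-custody log for exported data.

Added example, not from the article. Manifest layout and names are assumptions.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK_SIZE = 1024 * 1024  # hash large PST/ZIP exports without loading them into memory


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def _now():
    return datetime.now(timezone.utc).isoformat()


def create_manifest(evidence_dir, manifest_path, collector, method):
    """Hash every file under evidence_dir and write a manifest with the first custody entry."""
    files = []
    for root, _, names in os.walk(evidence_dir):
        for name in sorted(names):
            path = os.path.join(root, name)
            if os.path.abspath(path) == os.path.abspath(manifest_path):
                continue  # never hash the manifest itself
            files.append({"file": os.path.relpath(path, evidence_dir),
                          "size": os.path.getsize(path),
                          "sha256": sha256_file(path)})
    manifest = {"method": method, "files": files,
                "custody": [{"at": _now(), "who": collector, "action": "collected"}]}
    with open(manifest_path, "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def log_custody_event(manifest_path, who, action):
    """Append a custody entry (access, transfer, analysis) and return the entry count."""
    with open(manifest_path) as f:
        manifest = json.load(f)
    manifest["custody"].append({"at": _now(), "who": who, "action": action})
    with open(manifest_path, "w") as f:
        json.dump(manifest, f, indent=2)
    return len(manifest["custody"])


def verify_manifest(evidence_dir, manifest_path):
    """Re-hash the listed files; returns {file: 'ok' | 'modified' | 'missing'}."""
    with open(manifest_path) as f:
        manifest = json.load(f)
    results = {}
    for entry in manifest["files"]:
        path = os.path.join(evidence_dir, entry["file"])
        if not os.path.exists(path):
            results[entry["file"]] = "missing"
        elif sha256_file(path) != entry["sha256"]:
            results[entry["file"]] = "modified"
        else:
            results[entry["file"]] = "ok"
    return results


def demo():
    """Constructed walk-through: two placeholder export files, manifest, custody entry, then tampering."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "mailbox.pst"), "wb") as f:
            f.write(b"PST-PLACEHOLDER")        # constructed stand-in for an eDiscovery export
        with open(os.path.join(d, "audit.csv"), "w") as f:
            f.write("Date,Event\n")            # constructed stand-in for an audit log export
        manifest_path = os.path.join(d, "manifest.json")
        create_manifest(d, manifest_path, "analyst1", "eDiscovery PST export")
        before = verify_manifest(d, manifest_path)
        entries = log_custody_event(manifest_path, "analyst2", "copied to analysis workstation")
        with open(os.path.join(d, "audit.csv"), "a") as f:
            f.write("tampered\n")              # simulate post-collection modification
        after = verify_manifest(d, manifest_path)
        return before, after, entries


if __name__ == "__main__":
    print(demo())
```

In real use, keep the manifest outside the evidence directory (or on write-once storage) and record the manifest's own hash in the case ticket, so that the custody log cannot be edited without detection.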
Unified Audit Log (UAL) in Microsoft 365
The Unified Audit Log (UAL) is a centralized logging system in Microsoft 365 that captures user and administrator activities across all Microsoft 365 services. It includes data from sources such as Exchange Online, SharePoint Online, OneDrive, Microsoft Teams, and Azure Active Directory (Azure AD).
UAL logs a wide range of actions, including:
Exchange Online: Email sends, forwards, deletions
SharePoint Online & OneDrive: File access, edits, deletions
Teams: Chats, file sharing, meeting participation
Azure AD: Sign-ins, password changes, group modifications, and admin activities
The UAL is particularly valuable for investigating spoofing, phishing, and Business Email Compromise (BEC) incidents. It enables investigators to reconstruct timelines and determine who performed what actions, when, and from where.
As a comprehensive and detailed audit source, UAL is critical for incident response, security investigations, and maintaining regulatory compliance within the Microsoft 365 environment.
Some of the best practices that must be followed for the UAL are:
Acquisition Method – The Unified Audit Log can be downloaded through PowerShell. Microsoft provides specific cmdlets to query and retrieve these logs. Investigators can also use PowerShell to filter the logs by activity type, date range or other parameters so that only the relevant data is downloaded.
Analysis – The downloaded logs can be uploaded to Security Information and Event Management (SIEM) platforms such as Splunk for advanced querying, correlation, and visualization. By parsing the raw logs, the data can be converted into a structured format, allowing key fields to be extracted efficiently. SIEM tools can help detect suspicious patterns such as unusual login activity, mass email deletions, privilege escalations, and other anomalies. During analysis, visual summaries—including charts, graphs, and timelines—can be generated to enhance understanding. These visualizations, along with the analytical findings, can be exported and incorporated into the forensic investigation report for documentation and presentation purposes.
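As an added example of the parsing step described above (not the article's own code), the Python below turns a UAL export in the shape produced by Search-UnifiedAuditLog piped to Export-Csv (a subset of its columns: CreationDate, UserIds, Operations, AuditData, where AuditData is a JSON document) into structured records and runs two of the detections the text mentions: mass mailbox deletions by one user within a short window, and inbox rules that delete or forward mail, which are typical in BEC cases. The rows are constructed sample data; CreationTime, UserId, Operation, Workload, ClientIP and Parameters are real AuditData property names, while the thresholds and the window size are assumptions.

```python
"""Parse a UAL CSV export (AuditData JSON column) and flag suspicious patterns.

Added example, not from the article. Sample rows are constructed; thresholds are assumptions.
"""
import csv
import io
import json
from collections import deque
from datetime import datetime, timedelta, timezone

FIELDS = ["CreationDate", "UserIds", "Operations", "AuditData"]


def _audit(ts, user, op, workload, ip, **extra):
    """Build one constructed export row with a JSON AuditData payload."""
    data = {"CreationTime": ts, "UserId": user, "Operation": op, "Workload": workload, "ClientIP": ip}
    data.update(extra)
    return {"CreationDate": ts, "UserIds": user, "Operations": op, "AuditData": json.dumps(data)}


# Constructed sample: a login, an inbox rule that silently deletes mail, then six hard deletes
# in six minutes by the same user, plus one unrelated delete by another user the next day.
SAMPLE_ROWS = (
    [_audit("2025-06-30T23:47:52", "alice@example.com", "UserLoggedIn", "AzureActiveDirectory", "198.51.100.77"),
     _audit("2025-06-30T23:50:01", "alice@example.com", "New-InboxRule", "Exchange", "198.51.100.77",
            Parameters=[{"Name": "DeleteMessage", "Value": "True"},
                        {"Name": "SubjectContainsWords", "Value": "invoice"}])]
    + [_audit(f"2025-06-30T23:5{i}:10", "alice@example.com", "HardDelete", "Exchange", "198.51.100.77")
       for i in range(2, 8)]
    + [_audit("2025-07-01T09:00:00", "bob@example.com", "SoftDelete", "Exchange", "203.0.113.5")]
)


def sample_csv():
    """Serialize the constructed rows exactly as a CSV export would carry them."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(SAMPLE_ROWS)
    return buf.getvalue()


def parse_ual(csv_text):
    """Flatten each row's AuditData JSON into a record; UAL CreationTime is UTC."""
    records = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        data = json.loads(row["AuditData"])
        records.append({
            "time": datetime.fromisoformat(data["CreationTime"]).replace(tzinfo=timezone.utc),
            "user": data.get("UserId", row["UserIds"]),
            "op": data.get("Operation", row["Operations"]),
            "workload": data.get("Workload", ""),
            "ip": data.get("ClientIP", ""),
            # inbox-rule events carry their settings as a list of {Name, Value} pairs
            "params": {p["Name"]: p["Value"] for p in data.get("Parameters", [])},
        })
    return sorted(records, key=lambda r: r["time"])


DELETE_OPS = {"HardDelete", "SoftDelete", "MoveToDeletedItems"}
RISKY_RULE_PARAMS = {"DeleteMessage", "ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}


def mass_deletions(records, threshold=5, window=timedelta(minutes=10)):
    """Sliding window per user: report (user, window_start, threshold) when the
    number of deletion operations inside `window` first reaches `threshold`."""
    hits, per_user = [], {}
    for r in records:
        if r["op"] not in DELETE_OPS:
            continue
        q = per_user.setdefault(r["user"], deque())
        q.append(r["time"])
        while q and r["time"] - q[0] > window:
            q.popleft()
        if len(q) == threshold:
            hits.append((r["user"], q[0].isoformat(), threshold))
    return hits


def suspicious_inbox_rules(records):
    """Inbox rules that delete, forward or redirect mail: (user, operation, risky params)."""
    return [(r["user"], r["op"], sorted(k for k in r["params"] if k in RISKY_RULE_PARAMS))
            for r in records
            if r["op"] in {"New-InboxRule", "Set-InboxRule"} and RISKY_RULE_PARAMS & set(r["params"])]


if __name__ == "__main__":
    recs = parse_ual(sample_csv())
    print(f"{len(recs)} records parsed")
    print("mass deletions:", mass_deletions(recs))
    print("suspicious inbox rules:", suspicious_inbox_rules(recs))
```

Because every record keeps the source IP and workload, the same flattened records can be loaded into a SIEM or joined with the Google Workspace timeline from earlier in this article to answer who did what, when and from where.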
There are other areas inside Microsoft 365 that can also be a focus for forensics. These areas and the best practices to follow are:
Leverage Advanced Hunting in Microsoft 365 Defender - Advanced hunting can be used to search for threats and suspicious activity using Kusto Query Language (KQL). Custom detection rules can also be created for ongoing monitoring, and the activity logs can be used to review Office 365 audit data and correlate events.
Maintain Chain of Custody - Every time evidence is accessed, transferred, or handled, record the details. This log forms the backbone of the chain of custody documentation. Use ticketing systems for traceability and accountability.
Integration of 3rd Party Tools – Third-party forensic and SOC tools can be integrated to provide in-depth insights.
Conduct Regular Readiness Checks - Perform regular threat hunting exercises, simulate incidents and validate alerting mechanisms.
Copying OST or PST files directly from the user system or by logging in – OST files can be copied directly from the system from the default path C:\Users\<username>\AppData\Local\Microsoft\Outlook\. The data can be converted to a PST file, or exported directly from Outlook.
Conclusion
In today’s digital-first world, platforms like Microsoft 365 and Google Workspace are more than just productivity tools; they are core components of modern business infrastructure. Understanding how to conduct forensic investigations in these environments is crucial for protecting sensitive data and ensuring compliance. By utilizing their built-in tools, logs, and audit features and incorporating third-party solutions, organizations can perform detailed and legally valid investigations.
Microsoft 365 shines with its Unified Audit Log (UAL), which records comprehensive user and admin activities, while Google Workspace shines with the tools present in its admin console, such as the Admin Export tool and the Audit and Investigation tools. Both platforms also offer efficient methods for data export, whether through options like Google Takeout, Admin Export and Google Vault from Google, or through eDiscovery in the case of Microsoft 365.
A key best practice for both Google Workspace and Microsoft 365 forensics is maintaining a reliable chain of custody and ensuring the hashing of collected evidence.
This can be achieved through comprehensive audit logs, secure data exports, and proper documentation of every step in the investigation process. These measures help preserve the integrity, authenticity, and admissibility of digital evidence throughout the forensic lifecycle.
In both platforms, forensic experts face challenges such as limited access to raw logs, licensing limits, scattered data, data volatility and limited real-time monitoring, but by deploying a forensics-ready architecture and by utilizing native and third-party investigative and forensic tools, these challenges can be confidently addressed.
By adopting best practices for forensic investigations in both Microsoft 365 and Google Workspace, organizations can ensure their digital forensics processes are thorough, reliable, and aligned with industry standards.