GCP IR
Work in Progress
This section is a work in progress: It will probably drastically change in the upcoming days.
General Guides
| Link | Notes |
|---|---|
| Cloudy with a Chance of Bad Logs: Cloud Platform Log Configurations to Consider in Investigations | |
How To: Build
| Link | Notes |
|---|---|
How To: Investigate
| Link | Notes |
|---|---|
| GCP How to conduct live network forensics in GCP | Collect and preserve vital evidence for the digital forensic process while the incident response team resolves an incident |
| Incident Response in Google Cloud: Forensic Artifacts | Forensic artifacts available in GCP and recommendations for triage and prioritization |
| Analyzing Volatile Memory on a Google Kubernetes Engine Node | Post explaining in detail how memory analysis works and how it can be used on any GKE node in production today |
Investigations
| Link | Notes |
|---|---|
Tools
| Link | Notes |
|---|---|
| terraform-google-log-export | Creates log exports at the project, folder, or organization level |
| Cirrus | A command-line tool to facilitate environment access and evidence collection across Google Cloud |
| Automated Audit Log Forensic Analysis for Google Workspace | Acquires all Google Workspace audit logs and performs automated forensic analysis on them using statistics and the MITRE ATT&CK Cloud Framework |