GCP IR

Work in Progress

This section is a work in progress; it will probably change drastically in the coming days.

General Guides

| Link | Notes |
|---|---|
| Cloudy with a Chance of Bad Logs: Cloud Platform Log Configurations to Consider in Investigations | Post describing a hypothetical scenario of a cloud platform compromise with multiple components that would require investigation.<br>Each component is an example of a real intrusion tactic that Mandiant has investigated across various cloud platforms, sometimes with logs available and sometimes without. |

How To: Build

| Link | Notes |
|---|---|

How To: Investigate

| Link | Notes |
|---|---|
| GCP How to conduct live network forensics in GCP | Collect and preserve vital evidence for the digital forensic process while the incident response team resolves an incident |
| Incident Response in Google Cloud: Forensic Artifacts | Forensic artifacts available in GCP and recommendations for triage and prioritization |
| Analyzing Volatile Memory on a Google Kubernetes Engine Node | Post explaining in detail how memory analysis works and how it can be used on any GKE node in production today |

Investigations

| Link | Notes |
|---|---|

Tools

| Link | Notes |
|---|---|
| terraform-google-log-export | Creates log exports at the project, folder, or organization level |
| Cirrus | A command-line tool to facilitate environment access and evidence collection across Google Cloud |
| Automated Audit Log Forensic Analysis for Google Workspace | Acquires all Google Workspace audit logs and performs automated forensic analysis on them using statistics and the MITRE ATT&CK Cloud Framework |