Cloud Forensics - Google Apps for Work

Currently, forensic expertise is the field concerned with collecting digital evidence to prove the criminal action of an individual.

Until some time ago, nothing was in the cloud and all the data was relatively easy to find: on the hard drive of the criminal's computer.

Today the scenario is very different, because a cyber criminal can use countless cloud computers on Amazon to carry out his crimes. By the time a systems audit stops him from using these servers, he could already have used this company's giant infrastructure to obtain information from all over the Internet and/or send spam to all users in seconds.

And how do you get permission from a cloud service to perform a forensic examination?

We checked Google Apps for Work and identified some ways to actually perform an analysis using its "audit" system, which allows customers (companies) to audit their employees.

How Forensic Auditing Works in Google Apps for Work

Google Apps for Work was developed by Google as a work tool for companies. It is certified under ISO 27001 and guarantees confidentiality, integrity and availability; beyond that, it also allows the customer to configure their organization's rules and usage policies and to audit the resources used.

In the simplest version of Google Apps for Work, the corporate e-mail service lets you see where every e-mail came from and where it went. It is not possible to see the content of the message, but the log serves as an audit to make sure the message actually passed through Google's servers.

Under the "Reports" item in Google Apps for Work, we have access to several reports.
For forensic expertise, the most interesting are the reports of the "Audit" group.

Using the "Email log search" menu, we can search by source or destination e-mail address and check whether a message was sent.

In this case, we searched for an e-mail address that did not exist in the organization and that had sent spam.
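The same check can be run over a whole batch of log rows instead of one search at a time. The following is an added example, not part of the original post and not Google's tooling: it assumes the e-mail log results have been saved as CSV with the hypothetical columns `timestamp`, `message_id`, `sender` and `recipient`, and that a list of provisioned accounts is available; the domain, accounts and log rows are constructed sample data.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample rows; the column names are assumptions, not Google's export format.
EMAIL_LOG_CSV = """timestamp,message_id,sender,recipient
2015-03-02T09:14:05,<a1@mail.example.com>,alice@example.com,bob@partner.test
2015-03-02T09:15:40,<s1@mail.example.com>,promo@example.com,u1@victim.test
2015-03-02T09:15:41,<s2@mail.example.com>,promo@example.com,u2@victim.test
2015-03-02T09:15:43,<s3@mail.example.com>,Promo@Example.com,u3@victim.test
2015-03-02T10:02:11,<b7@mail.partner.test>,bob@partner.test,alice@example.com
"""

ORG_DOMAIN = "example.com"  # assumed organization domain
KNOWN_ACCOUNTS = {"alice@example.com", "carol@example.com"}  # assumed account list


def find_unknown_senders(log_csv, org_domain, known_accounts):
    """Summarise senders that use the org domain but are not provisioned accounts."""
    known = {a.lower() for a in known_accounts}
    suffix = "@" + org_domain.lower()
    hits = defaultdict(lambda: {"count": 0, "first": None, "last": None,
                                "recipients": set(), "message_ids": []})
    for row in csv.DictReader(io.StringIO(log_csv)):
        sender = row["sender"].strip().lower()  # addresses compared case-insensitively
        if not sender.endswith(suffix) or sender in known:
            continue  # external sender or a legitimate account
        seen = datetime.fromisoformat(row["timestamp"])
        h = hits[sender]
        h["count"] += 1
        h["first"] = seen if h["first"] is None else min(h["first"], seen)
        h["last"] = seen if h["last"] is None else max(h["last"], seen)
        h["recipients"].add(row["recipient"].strip().lower())
        h["message_ids"].append(row["message_id"])  # kept for evidence preservation
    return dict(hits)


if __name__ == "__main__":
    found = find_unknown_senders(EMAIL_LOG_CSV, ORG_DOMAIN, KNOWN_ACCOUNTS)
    for sender, h in found.items():
        print(f"{sender}: {h['count']} messages to {len(h['recipients'])} recipients, "
              f"{h['first'].isoformat()} .. {h['last'].isoformat()}")
```

The first and last timestamps give the window to compare against the "login" and administrator activity reports.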

At the same level as the audit reports, there are several others, such as the activity log for Google Apps account administrators and their control panel actions.

There is also the "login" report, which shows which employees have authenticated with Google Apps.

It is also possible to set some triggers to notify account super administrators of any suspicious actions.

With these reports, it is possible to obtain more than enough information for an investigation, even though it is a cloud service.

For a complete examination, Google suggests Google Apps Vault, which also stores users' e-mail messages and lets you search them for relevant information; for this, however, the customer has to have purchased the service before the incident occurred.

With this service, the cost increases from $5.00 per user to $10.00 per user/month.
