The Big Data Blog


Email Log Search in Google Workspace – What You Can (and Can’t) See
Now let’s talk about Email Log Search, because this is one of the most commonly used (and misunderstood) tools when you’re investigating phishing, mailbox compromise, or suspicious inbound email. If a user reports “I got a weird email”, this is usually where you end up first. First thing to understand: the 30‑day rule. Google stores email transaction logs differently depending on how old the email is. This affects what you can search, how you can search, and what results
Feb 5, 3 min read


Pulling Google Workspace Logs via API
Let me be honest upfront: this setup looks scary the first time you see it. Google makes you jump back and forth between Google Cloud Console and Google Workspace Admin, and it feels like you’re doing something wrong the entire time. You’re not. That’s just how Google designed it. Once you understand the full flow, everything suddenly clicks. This walkthrough assumes: you are a Google Workspace Super Admin; you want to collect audit / activity logs using the Admin SDK – R
Feb 4, 4 min read


Collecting Evidence from Google Workspace
Let’s talk about something that often comes up during Google Workspace investigations: how do we actually collect logs and evidence properly? If you’ve ever worked an incident involving Google Workspace, you already know that the platform gives you a lot of data—but not all of it is equally easy to collect or analyze. Broadly speaking, there are two main ways to collect evidence from Google Workspace: using the Workspace Admin interface (UI), or using the Workspace Admin SDK /
Feb 2, 4 min read


Understanding Google Workspace Structure from a Cloud Forensics Lens
In this new series, we'll be diving deep into investigation and forensics within Google Workspace (the Google ecosystem). So tighten your seatbelt—let's go! When diving into cloud forensics—especially in Google Workspace—there’s a lot more to unravel than just user credentials or login timestamps. One of the most overlooked but crucial areas is how permissions are managed within the environment. Let's break down two key building blocks of Google Workspace that matter a lot
Jan 30, 4 min read


Let’s Go Practical: Working with NetFlow Using nfdump Tools
Enough theory. Now let’s actually touch NetFlow data. If you’re doing DFIR, threat hunting, or even basic network investigations, one toolkit you must be comfortable with is the nfdump suite. This suite gives you three extremely important tools: nfcapd – the collector; nfpcapd – the pcap-to-NetFlow converter; nfdump – the analysis engine. nfcapd: The NetFlow Collector (W
Jan 21, 6 min read