DFIR Evidence Collection and Preservation for the Cloud

  • Tuesday, 25 Oct 2022 6:30PM JST (25 Oct 2022 09:30 UTC)
  • Speaker: Josh Lemon

A change in where or how data is stored always seems to lead to the false belief that forensics is dead. In fact, the cloud gives digital forensics new capabilities and depth that do not exist in the on-premises world. However, this is only useful if you know how to correctly configure and set up evidence preservation for your cloud environments.
One of the most significant challenges with cloud environments today is that evidence retention works on a continuous sliding time window. This can mean your evidence is slowly ageing out of existence if you don't know where to collect it immediately, or that your evidence was never generated at all if you have not already configured your cloud platform correctly.
This presentation will take attendees through a quickfire set-up of how best to configure their Azure, Amazon Web Services, Google Cloud Platform, Microsoft 365, or Google Workspace platforms to ensure they have the best possible chance of preserving evidence for digital forensics and incident response investigations. The techniques shown during this session are derived from the SANS FOR509: Enterprise Cloud Forensics and Incident Response course.