AboutDFIR.com – The Definitive Compendium Project

Office 365 DFIR

A methodology for developing and implementing a forensically sound incident response plan in Microsoft’s Office 365 cloud environment must be thoroughly researched and re-evaluated over time as the platform evolves, new features are introduced, and older capabilities are deprecated. This presentation walks through the numerous forensic, incident response, and evidentiary aspects of Office 365. It is based on two years of collecting forensic and incident response data from Microsoft’s Office 365 and Azure environments, and combines knowledge from more than a hundred Office 365 investigations, primarily centered on Business Email Compromise (BEC) and insider threat cases.

I have spoken at the SANS DFIR Summit, Magnet User Summit (MUS) 2019, NetDiligence (1) and several other conferences over the years on conducting DFIR in Microsoft’s Office 365 environment, touching on everything from the Activities API (aka Unicorn Logs, aka back-end infrastructure logs) to the forensic defensibility of actor activity to auditable events beyond the Unified Audit Log (UAL). Below are a few samples of those specific speaking engagements.

Forensically Sound Incident Response in Microsoft’s Office 365 Cloud – SANS DFIR Summit 2018

Conducting DFIR in an Office 365 Post-Activities API World – Magnet User Summit (MUS2019)
