AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

Google Workspace

See below for a list of Google Workspace Tools.

| Tool | Description |
| --- | --- |
| ALFA | ALFA stands for Automated Audit Log Forensic Analysis for Google Workspace. You can use this tool to acquire all Google Workspace audit logs and to perform automated forensic analysis on the audit logs using statistics and the MITRE ATT&CK Cloud Framework. |
| GAM | Command line management for Google Workspace |

See below for a list of Google Workspace Artifacts.

| Artifact or Process | Resource |
| --- | --- |
| Gmail | Dots do matter: Why dots in Gmail addresses impact Google Workspace investigations |
| Google Chrome | Has the user logged into this account, or not? (Google Chrome’s Login Data-Part 1) |
| Google Chrome | Has the user logged into this account, or not? (Google Chrome’s Web Data-Part 2) |
| Google Chrome | Chrome Media History |
| Google Chrome | Chrome Media History Tracking Your Viewing Habits |
| Google Chrome | Chromium Session Storage and Local Storage |
| Google Chrome | Investigating Google Chrome Web Browser |
| Google Drive | Data Exfiltration Using Google Drive — Forensic Investigation |
| Google Drive | Investigating Google Drive |
| Google Drive | Investigating Windows Google Drive - Forensafe |
| Google Takeout | Google Takeout Forensics: The Art of Investigation [Explained] |
| Google Tasks | Check Marks the Spot - Google Tasks from Takeout - Stark4n6 |