AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

Google Workspace

See below for a list of Google Workspace Tools.

ToolDescription
ALFAALFA stands for Automated Audit Log Forensic Analysis for Google Workspace. You can use this tool to acquire all Google Workspace audit logs and to perform automated forensic analysis on the audit logs using statistics and the MITRE ATT&CK Cloud Framework.
DriveFS SleuthDriveFS Sleuth is a Python tool that automates investigating Google Drive File Stream disk artifacts, the tool has been developed based on research that has been performed by mounting different scenarios and noting down the changes in the Google Drive File Stream disk artifacts.
GAMCommand line management for Google Workspace

See below for a list of Google Workspace Artifacts.

Artifact or ProcessResource
GmailDots do matter: Why dots in Gmail addresses impact Google Workspace investigations
Google ChromeHas the user logged into this account, or not? (Google Chrome’s Login Data-Part 1)
Google ChromeHas the user logged into this account, or not? (Google Chrome’s Web Data-Part 2)
Google ChromeChrome Media History
Google Chrome Chrome Media History Tracking Your Viewing Habits
Google ChromeChromium Session Storage and Local Storage
Google ChromeInvestigating Google Chrome Web Browser
Google ChromeGoogle Chrome Platform Notification Analysis
Google DriveData Exfiltration Using Google Drive — Forensic Investigation
Google DriveInvestigating Google Drive
Google DriveInvestigating Windows Google Drive - Forensafe
Google Drive File Stream (DriveFS)DriveFS Sleuth — Your Ultimate Google Drive File Stream Investigator!
Google Drive File Stream (DriveFS)DriveFS Sleuth — Revealing The Hidden Intelligence
Google Drive File Stream (DriveFS)Hunting for File Deletion Artifacts in Google File Stream Data
Google TakeoutGoogle Takeout Forensics: The Art of Investigation [Explained]
Google TasksCheck Marks the Spot - Google Tasks from Takeout - Stark4n6
Google Workspace ForensicsRespond and Investigate a Compromised Google Workspace User