Google Workspace

See below for a list of Google Workspace Tools.

Tool	Description
ALFA	ALFA stands for Automated Audit Log Forensic Analysis for Google Workspace. You can use this tool to acquire all Google Workspace audit logs and to perform automated forensic analysis on the audit logs using statistics and the MITRE ATT&CK Cloud Framework.
DriveFS Sleuth	DriveFS Sleuth is a Python tool that automates investigating Google Drive File Stream disk artifacts, the tool has been developed based on research that has been performed by mounting different scenarios and noting down the changes in the Google Drive File Stream disk artifacts.
GAM	Command line management for Google Workspace

See below for a list of Google Workspace Artifacts.

Artifact or Process	Resource
Gmail	Dots do matter: Why dots in Gmail addresses impact Google Workspace investigations
Google Chrome	Has the user logged into this account, or not? (Google Chrome’s Login Data-Part 1)
Google Chrome	Has the user logged into this account, or not? (Google Chrome’s Web Data-Part 2)
Google Chrome	Chrome Media History
Google Chrome	Chrome Media History Tracking Your Viewing Habits
Google Chrome	Chromium Session Storage and Local Storage
Google Chrome	Investigating Google Chrome Web Browser
Google Chrome	Google Chrome Platform Notification Analysis
Google Drive	Data Exfiltration Using Google Drive — Forensic Investigation
Google Drive	Investigating Google Drive
Google Drive	Investigating Windows Google Drive - Forensafe
Google Drive File Stream (DriveFS)	DriveFS Sleuth — Your Ultimate Google Drive File Stream Investigator!
Google Drive File Stream (DriveFS)	DriveFS Sleuth — Revealing The Hidden Intelligence
Google Drive File Stream (DriveFS)	Hunting for File Deletion Artifacts in Google File Stream Data
Google Takeout	Google Takeout Forensics: The Art of Investigation [Explained]
Google Tasks	Check Marks the Spot - Google Tasks from Takeout - Stark4n6
Google Workspace Forensics	Respond and Investigate a Compromised Google Workspace User