AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

Microsoft 365

See below for a list of Microsoft 365 Tools.

ToolDescription
Blue-team-app-Office-365-and-AzureThe Blue team app for Office 365 and Azure is developed to help you investigate the Microsoft 365 Audit log.
GraphRunnerA Post-exploitation Toolset for Interacting with the Microsoft Graph API
A Defenders Guide to GraphRunner — Part I
A Defenders Guide to GraphRunner — Part II
Microsoft-Extractor-SuiteA PowerShell module for acquisition of data from Microsoft 365 and Azure for Incident Response and Cyber Security purposes.
O365 Python ParserParsing O365 UAL using Python
OneDriveExplorerCommand line and GUI based application for reconstructing the folder structure of OneDrive
What's New in OneDriveExplorer
OneDriveExplorer ODL Parsing Issues

See below for a list of Microsoft 365 Artifacts.

Artifact or ProcessResource
Email ForensicsEmail Forensics – Definition and Guideline - Salvation Data
Email ForensicsTechniques In Email Forensic Analysis
Email ForensicsEmail Header Forensic Analysis - Joseph Moronwi
Email ForensicsInvestigating Suspicous Emails!
Email ForensicsPhishing emails – a breakdown from an Incident Responder getting phished: Part 1.
EnrichedOffice365AuditLogs The mystery of the EnrichedOffice365AuditLogs solved
MailItemsAccessedEverything you need to know about MailItemsAccessed and more
MailItemsAccessedMailItemsAccessed Woes: M365 Investigation Challenges
Microsoft OfficeAn Inside View of Office Document Cache Exploitation
Microsoft OfficeInvestigating Microsoft Office - Forensafe
Microsoft OneDriveOneDrive and NTFS last access timestamps
Microsoft OneDriveInvestigating OneDrive
Microsoft OneDriveReading OneDrive Logs: Part 1 Part 2 - SwiftForensics
Microsoft OneDriveThe $MFT flag that you have never considered before – OneDrive not synchronized files. - CyberDefNerd
Microsoft OneDriveRecreating OneDrive’s Folder Structure from .dat
Microsoft OneDriveReading OneDrive Logs - SwiftForensics
Microsoft OutlookInvestigating Outlook Windows Application
Microsoft Teams Microsoft Teams artifacts and chat logs
Microsoft TeamsMicrosoft Teams and Skype Logging Privacy Issue
Microsoft TeamsMicrosoft Teams Logs for Activity
Microsoft TeamsCollecting from Microsoft Teams using PowerShell
Microsoft TeamsMS Teams Desktop Forensic - Misconfig
Microsoft TeamsInvestigating Microsoft Teams IndexedDB Data
Unified Audit Log (UAL)Wrangling the M365 UAL with PowerShell and SOF-ELK (Part 1 of 3)
Unified Audit Log (UAL)Wrangling the M365 UAL with SOF-ELK on EC2 (Part 2 of 3)
Unified Audit Log (UAL)Wrangling the M365 UAL with SOF-ELK and CSV Data (Part 3 of 3)
Unified Audit Log (UAL)What DFIR experts need to know about the current state of the Unified Audit Log