Forensics In The Cloud: How To Conduct An Office 365 Investigation

Warren: Hi everyone. Good morning. My name is Warren Pamukoff, and I’m a Product Marketing Manager here at Magnet Forensics. Today I’m joined by my colleague in Product Management, Tayfun, and first off, we want to thank you very much for joining our webinar, our ‘Forensics in the Cloud’ webinar, ‘How to conduct an Office 365 investigation’. And I just want to let you guys know that we are recording this webinar, so if you have to run out or you miss parts of this, we will be sending this out, hopefully by the end of this week. So don’t worry about that, there will be a recording.

And today I just want to do a quick reminder of what we’re covering. So we’re going to go over industry trends related to cloud services, we’re going to talk about the types of corporate investigations that are most prominent with our customers, and that we’re hearing in the industry when we go to events, and then also talk about those investigations that we can help you solve. We’re going to talk about the key capabilities that you need to complete a forensically sound cloud investigation, specifically an Office 365 investigation. And then we’re going to walk through a demonstration of two key use cases that we see, and that’s where Tayf is going to walk through a full cloud investigation.

So, to start things off, I just wanted to talk about some of the trends going on in the industry. And I think it’s pretty fair to say right now that cloud services are growing at an incredible pace. You know, in fact, Gartner is predicting that the cloud computing market is going to hit $411 billion by 2020. This really makes sense, because we’ve seen a huge shift that started with over-the-top messaging apps storing their data in the cloud, now we have digital platforms and connected devices, things like Fitbits and everything sending their data or doing their computer processing in the cloud, and eventually we’re going to move to industrial sectors and smart cities in the cloud. So there’s definitely a big shift as more and more data moves towards the cloud.

And what we’re hearing from our customers – it’s kind of a broad story here – so, with our law enforcement customers, they’re starting to get into cloud investigations, but there are a lot of issues, specifically not around technical issues, more around legal issues related to warrants, concerns about getting data that’s stored in another country. And this is causing a bit of a hesitation. But over the last three to six months, we’re hearing more and more from law enforcement about having the ability or enquiring about the ability to do cloud investigations.

Now, on the other hand, and more probably relevant to this webinar is corporate customers and forensic consultants that we work with and talk to, they’re diving head-in to cloud investigations. So, as more and more data is being stored in the cloud, and as mobile device encryption becomes more of a challenge, it’s just easier and it makes sense to pull backups and photos and chat histories, and get that rich forensic data from the cloud. In fact, it’s almost needed, given the state of encryption now – you want to augment the data you find on the device, and you need to find that cloud evidence.

And then, like I mentioned … just previously mentioned, as we move towards this platform world, you really … and more data is shifting to the cloud. Pretty much every investigation in the next few years is going to involve cloud.

Now I want to jump in and talk a little more about corporate cloud trends. Basically, what we’ve seen and heard around the industry is that enterprises are fully embracing the cloud market. We’re seeing more and more data stored on content services like SharePoint, [Box], and Dropbox. But I think the most interesting trends relate to Office 365. Specifically, Microsoft’s own numbers have stated that right now over 50% of all business Office users are on Office 365, and they actually predict that 2/3rds of their customer base will be on Office 365 by 2019.

In addition to that, 70% of Exchange Outlook users are expected to be using the cloud version instead of on-premise versions by 2019. So this is a pretty prolific shift, because Microsoft Office is pretty much the dominant player in enterprise, and as they shift to the cloud, it’s becoming more and more important that you have the tools and capabilities to complete a cloud investigation. You need to do more than just look at an employee’s computer if you want to see the full story.

And again, unlike law enforcement, there’s far fewer legal constraints to examine cloud evidence in a corporate setting, because it is your content. You have the password, you have the administrator credentials, you can access this data. So it is becoming a core competency for corporate investigation.

What I want to do now is, with that background, I want to move on and talk about the types of investigations that we’re hearing the most about. And I think definitely the most popular investigation that we hear about is insider threats that lead to data [05:14]. As you can see on my slide here, in a recent study by Forrester, more than half of their survey respondents stated that their firm experienced an insider incident, either from a malicious actor or an inadvertent actor. And they also stated that detecting insider threats requires a defined process and a focused team and dedicated technologies, including digital forensics. And they actually called out computer and cloud forensics capabilities.

Additionally, here you can see a recent study by IBM, the Threat Intelligence Index here, that there are specific industries that are really prominent with regard to insider threats, those being in financial services and healthcare. And what I think is really important here is what I just talked about: the impact of both the malicious insiders, so someone willingly exfiltrating data; and then someone unknowingly being the cause of this, so someone who may have had their credentials lost or been phished, and they’re unknowingly the cause of this data exfiltration. And this is why it’s so important to have the capability to visualize where this data is being accessed, and look at audit logs to kind of find IP addresses and see what credentials are being used. And we’ll definitely be getting into that more in our demonstration, as Tayf is going to be able to show you how important those Office 365 logs are.

With regard to insider threats, I just wanted to cover the bases here. I know that you guys are probably aware of this. But there are three main categories that we commonly hear from customers. The one that comes up the most in my instance – and I don’t know if this is the same as Tayf, maybe he can talk about these later – but the one that comes up with me the most is IP theft. So basically, whether it’s malicious or not, someone’s leaking out secret formulas or source code, blueprints or M&A documentation, and this is the type of investigation where it’s really critical to see the whole history of a file, where it came from, when it was opened, who it was opened by, who it was sent to, and where those documents live now. So, this is something where you really need to see the relationship between the cloud evidence and the devices that it touched, and all the users that it touched.

Now, the other problem in investigation that we hear about, and specifically this one comes up a lot with healthcare customers, is really the fraud insider threat. And this is really about leaking sensitive data, whether it’s patient or client data, modifying records, or stealing, transferring money. And both of these are really in that large bucket of data exfiltration that comes a lot with our customers.

And the third type of insider threat investigation relates to sabotage and destruction. And this is typically corrupting data, planting a logic bomb, installing malware. And a lot of this relates specifically to a client investigation, and trying to find the root cause – when this happened, doing that root cause analysis, and pulling down evidence from the cloud and seeing what was accessed by who, and when, and what was installed.

So those are the main types of investigations here. What I want to do now is just highlight the cost of a data breach, and just wrap things up on the insider threat [08:44]. The Ponemon study … Ponemon Institute recently did a study of 419 companies in over 13 countries or geographic regions. And they actually found that the average cost of a data breach is $3.62 million, in USD.

So that’s a huge amount of money for these data breaches. And the actual average cost of a single record they found was $141. The last key finding I want to highlight here is that almost 30% of people that they surveyed in the study, they’re expecting a material breach over the next two years. So, you can see how prevalent data exfiltration is in the industry, and what the costs are. And because of these high costs and the high prevalence of this, it’s really important to be able to do that, that root cause analysis, and find out what was taken, who it was taken by, what systems were accessed. And this is something that we can really help you out with, and that Tayf is going to cover in our demonstration.

The next type of investigation that I want to talk about here, that also comes up, is the employee misconduct. You guys, you may know about this as an HR investigation or an internal investigation. And these are commonly brought on by HR, employee relations, or legal. And these include things like sexual harassment, bullying and harassment, policy violations, misuse of company assets. There’s tons of different investigations here, and usually, these investigations focus on reviewing communications, whether that’s email or instant message history, looking for pictures or videos or files stored in content repositories. And based on what I talked about earlier in the presentation, as companies increasingly shift to the cloud or to Office 365, you can no longer just investigate a computer. You’re going to need to pull down data from the cloud in order to get that whole story. And when it comes to misusing company assets, you might need to review things like browser histories or look at audit logs, and really connect files to the devices that they were opened on, and where the data was stored at. So, you really need to pull in that cloud data to get the full picture.

Then, I think it’s … lastly, on this, it’s really important to note that given the current climate and the heightened awareness around bullying and sexual harassment, it’s really critical to have the tools to investigate employee misconduct. You really need to be able to decipher whether this happened, what specifically happened, given the increased awareness in the media at this point in time.

And then, just like I did for internal threats, I want to highlight some of the costs here. The US Equal Employment Opportunity Commission has estimated that companies have paid out $698 million to employees for alleged harassment. And this doesn’t include cases that were settled privately, so this is probably a gross underestimation. So, you can really see how much money is being spent over these things. And when you look at cases settled out of court, they typically cost between $75-$125k again, based on the Equal Employment Opportunity Commission, but if you go to trial, these cases could be in the millions. We’ve seen numerous cases in the media being settled for this. And if they’re going to be paying out this money, you really need to figure out what exactly happened, and you need the tools to find that information out.

The ERC, which is an HR society based in Ohio, has estimated that Fortune 500 companies are losing, on average, basically around $7 million to employee misconduct. And this includes things like missed time, loss of productivity … there’s a lot of things that go into this equation. And basically, if this is all happening, you really need to have the tools to find out what’s going on inside your company.

Now that we’ve kind of covered the types of investigations going on, the trend towards the cloud, I really want to highlight some of the critical capabilities for doing a cloud investigation.

First and foremost, you really need access to those cloud accounts – I think that’s fairly obvious. You can use user credentials, in many cases you might need to have two-factor authentication capabilities. But with regards to corporate accounts, the easiest way to do an investigation is to use administrator credentials. You might not want to tip off a user by resetting their password, and you might just want to collect things while they’re … late at night … or just use your admin credentials to see what they’re doing without tipping them off.

Another key capability is being able to preserve evidence and that key metadata. So, if you’re trying to prove intent or attribution to a specific suspect, you want to look at that metadata and see what was accessed, where it was accessed, when it was accessed, see what was copied. And you’ll need a solution that will preserve those timestamps and that key metadata. And then, with regard to collecting evidence, given the size of the repository, the size of the … the amount of files that an employee might have, you might need to have a solution that can selectively acquire this information, as opposed to just grabbing everything, because that just might grow to be something that’s just unwieldy over time.

Additionally … I kind of hit on this before with audit logs, but you really do need to figure out who, when, and where files were accessed. This is key if you’re looking to see if an account’s been compromised, if there’s a lot of activity from a foreign country, off hours. That’s where the audit logs are critical, to determine if someone from outside your organization is using credentials to access and exfiltrate data from your company.

With regard to seeing the whole story, it’s really critical to follow the history of a file, from where it was stored and the content repository where it was downloaded to, what devices it was shared with, and who it was shared with. Finding all that evidence is key with regard to IP [stats] and data exfiltration. You really want to see that whole story, and see all the devices that were related to this cloud evidence.

And then lastly, it’s important to have a simple site capability to report. You’re going to be dealing with non-technical users, whether it’s legal, whether it’s an executive, whether it’s HR. And you’re going to need to be able to report this information back to them in a way that they can understand it. So having the ability to visualize – if there was someone that was accessing your data from a foreign country, visualize where that first log came from, rebuilding chat histories in a way that’s user-friendly to someone who might not be technical, just to show them how it might have looked in a harassment case. These are all capabilities that are key when dealing with non-technical users.

So, now that we’ve talked about these critical capabilities, I think now it’s time to actually show you a cloud investigation, so I’m going to turn things over to my colleague Tayf here, and he’s going to walk through two demonstrations of things that I’ve kind of talked about already. So, first and foremost, we’re going to talk about an insider threat related to an IP theft, and then we’re also going to talk about a compromised account and someone who might be an inadvertent actor with regard to data exfiltration. So I’ll turn things over to Tayf now.

Tayfun: Great. Thanks, Warren. I’m just going to bring up Axiom. And … let me just bring this up. So, the first thing I’ll do is actually walk through the cloud acquisition process – actually setting up, connecting to an Office 365 account and acquiring specific data. Then I’ll go through the two use cases on how to examine the data that comes back.

So, if I start here, I’ll create a new case. Running low on disk space. [chuckles] Got a lot of cases on this computer. You’ll see here – from the Case Details screen, I can fill in some details about this case. First, I’ll start with Evidence Sources on the left-hand side. Like Warren mentioned, we do support computers, mobile, and cloud evidence, and you can combine these into one case and draw connections between them. For this one, I’ll start with Cloud, and Acquire Evidence.

When I do this, there’s a checkbox to say I have proper search authorization. This affects law enforcement, and is more than the civil investigations or the corporate and insider investigations that you may be doing. So, when I check that off, you’ll see that there’s actually a bunch of services here that we support, Microsoft being the one that we’re going to focus on today. So, if I click Microsoft, I can sign in using the username and password. The username and password – this could either be the username and password for the account specifically, or it can be admin credentials. I’ve actually got a test account that I’ll log in with, which has administrator credential access.

And this is just one of our test accounts, so it doesn’t have a ton of corporate data on it, but it gives you an idea of what you would see if you process your own Office 365. I’m logging in using these admin credentials. Once this logs in, you’ll see that it’ll populate a few things. It’ll show a bunch of services that we support, on the bottom here, and I can set a date range for my acquisition. If I have hard goalposts of what I want to acquire, I can enter that after, before, or a date range.

Down here, you’ll see a few things. You’ll see Office 365 mails – so this is if you want to acquire the email. Right now, I’m signed in as an admin, and I’ll show you how to choose what users you want to acquire. We also support OneDrive, SharePoint, and Office 365 Audit Logs. For OneDrive, again, you can edit and select the user that you want to acquire the OneDrive for. For SharePoint, we’ve got a tree that you can browse, the SharePoint, and this one actually doesn’t have much data here. But you’d be able to browse this tree. And then, the newest version of Axiom, we have a little search bar, where you can paste in the URL of a SharePoint page to acquire the documents from that page.

Audit logs – there’s no edit option for audit logs, that will acquire all audit logs for a [19:43] account that it can access, and you can still [turn on] that data after it’s been acquired.

So, jumping into the email here – I’ll hit edit, and you’ll see here I’ve got the one account here. I can search for an account … so you’ll see a couple of names come up. Or I can add all accounts. In a big corporation, with a couple of hundred thousand emails, you probably don’t want to do that. But you’ll see … I’ll do it on this one, just to show you, when I do this, it will show you … for this admin account that I have, I’ve only been assigned one email address that I can actually read. So we actually have a Microsoft guide that tells you how to set read access for the mailboxes that you want to acquire. So in this case, I’ve only got read access. Even though I’m an admin, you still have to add explicit permissions for specific inboxes.

So, I can actually acquire Harriette’s email here, hit Next … so that’s been edited. And again, I can do the same for OneDrive if I wanted to. So, I’ll hit Next. So you’ll see here, the Microsoft cloud has been added to my queue. I can actually go to Computer here and add a computer image as well. I think this is really powerful, and I’ll show a use case after – but if you do have the employee’s computer image, if you’re doing computer forensics, you can load that in here. And we draw connections between what was on the computer and what was uploaded to the cloud. That’s really a popular use case with our customers.

Warren: Yeah, I think, Tayf, you actually mentioned to me that given the prevalence of email investigations in corporations, and the shift to Office 365, you might need to get both the computer and the cloud account in order to get all that email evidence, right?

Tayfun: That’s correct. I’ve noticed this on my own Office 365 – if you use Office 365, obviously, all the emails are stored in the cloud. But if you use … your user is using Outlook on the desktop, there is still email being cached in a PST on the desktop computer. So you can copy that PST and process it through Axiom with the cloud account. And there may be different data in that PST versus the cloud, depending on the [sync] status. So that’s something just to keep in mind. It’s really powerful to be able to take that PST from the computer and the cloud evidence.

I won’t go into all the processing options, but I will show one – ‘Add keywords to search’. Since I’m acquiring that inbox, I could actually add a bunch of keywords here. So, if I want it to automatically tag items that need a certain keyword in those emails, I can add that here, or I can do keyword searches after the fact as well. That’s for more ad hoc searches. But if there are standard keywords that you’re looking for for your investigation, you could load them here and have them pre-processed while you’re acquiring your evidence.

One thing we do recommend – we’ve heard this from many customers – when you’re doing an investigation, sometimes you only want to acquire email that meet a certain criteria in Office 365. So, I only want to acquire emails that have this keyword. We’re working on that capability for the future, but what we’re hearing from a lot of customers is, often, they like to acquire the mailbox entirely, and then do keyword searching, because as you go through these different services like Google, Microsoft, there are searching abilities within their own platforms, and the way they parse keywords and things may be different. So, you may actually be missing things by pre-filtering stuff that’s coming down. So if you have the ability to pull down everything and then do the keyword search, at least you’ve got the full dataset, and then you can investigate it after.

I’ll go to the cloud artifacts here, you’ll see I’ve only signed into Microsoft, so I’ve got four items here. What’s important to know here, and what we’re not showing, but it’s an important point, is we reprocess all the cloud evidence that we pull down with our computer and mobile artifacts. So, for example, somebody uploaded – and this is a real example – somebody actually uploaded their Skype folder to their Dropbox, in this case. But if they’ve uploaded a bunch of files, since we know how to parse the Dropbox data, we were actually able to pull Dropbox information out of things that were uploaded to the cloud. So there’s a lot of use cases where, if people are uploading specific things, like PDFs is obviously a good example. We’ll parse these PDFs as documents, as well as keep the Office 365 metadata associated with them.

From here, I would hit ANALYZE EVIDENCE at the bottom, to acquire that data. I won’t do it here, but I do have a case that’s pre-processed with the same account, that I’ll bring up. Let me just bring it up here.

I’ll go through some of the details that were pulled from this account. Again, like I said, there’s not much data in it, but it gives you an idea of what’s there. And then, I’ll get into the use cases. So, what you’ll see here on the left-hand side is all the items that were recovered. I’ve expanded the cloud section because that’s what we’re focusing on. So, you’ll see, we’ve got a bunch of audit logs, we’ve got some email, some OneDrive files, and not many SharePoint documents.

You’ll see here under email, I’ve got a bunch of emails between folks … a test account … but you’ll see we actually generate the HTML preview. And if I look at some of these emails here, we’ve got a full HTML preview of this email, so you can read the email. We also … if I scroll down, you’ll see we have the plain text of the email, so, if you really need to look at the raw email data. We’ve got date stamps of when the email was created, when it was delivered, and then header information as well. So, a lot of this can be very useful in an investigation. And what folder, obviously, the email was in.

So, that’s quickly looking at email data within Office 365. We’ve got a few emails here that we can go through. We also do have an attachments column, and if an email has an attachment, we’ll list the filename here, so you’ll see this one here does have an attachment, and we can actually preview these attachments here.

Jumping into OneDrive – fairly straightforward. We’ve got a picture there. One picture was uploaded to OneDrive. But it’s important, if I just [close this panel] here, you’ll see … we don’t need to focus so much on the picture, but the metadata. So, you can see the owner ID – so who it was that uploaded that image. It also gives you the name, so that makes it easy to know who did it. And filename, file path, where it was stored. And that’s specifically in an employee’s OneDrive. That’s just one example there.

SharePoint – similar thing. We’ve got documents. We’ll list all the documents we’ve pulled from SharePoint. In this case, we’ve only got two folders. But again, preserving that metadata, the time the folder was created, who it was shared with, the file ID, and all that key metadata that you need for each file.

I’ll dig into audit logs a little bit later, but I will just show it here. You’ll see that we’re collecting a whole bunch of audit logs in different services within 365. So, we’ve got Active Directory, we’ve got SharePoint files that are being modified, we’ve got Exchange, and then we’ve got OneDrive and things like that. But we’ll come back to that after I show you the use case on the IP theft.

If I just jump into the IP theft case … yes, this is it. So, I’m going to just bring in this IP theft case here. I’ll set up the situation. The situation is we’ve got a leaked document. This document is an Excel document that got leaked or sent to somebody that it shouldn’t have. And this document contains personal information of the employees of a startup company. So I believe it had salary information, it had [SSN] numbers – social security numbers – and a bunch of other identifying information, obviously sensitive information that shouldn’t be leaked outside the startup company. And in this case, we know that the company is called M57. So we’re looking for an Excel document to start, and this employee Jean claims she was the only one who owned this document, so she was the only one who had access to it. And she claims she never sent it to anybody. So, obviously, a common claim, and we just want to … we’ve acquired her email and a bunch of her computer data, and we want to make sure … find out where that document was, and whether or not she actually sent it.

And really, we’re just trying to find the root cause here. We understand that that document was already sent out to somebody who it shouldn’t have. It’s gone. But now we need to do a root cause analysis, and that’s what I’ll show you here.

To start, we know it’s an Excel document that got sent out, so we’ll go straight down on the left-hand side to the Documents section, and we’ve got Excel Documents. So, you’ll see here, there’s only ten on this computer, but you’ll see there’s one called m57biz. It’s the only one with a filename, but I could go through and look at each one of these Excel documents. So, I go through, I’m trying to find … this one didn’t have much data in it. This one has a filename that seems very suspicious. I’ve got … this is the information we’re looking for.

So, we knew that that file had this information, and so, clearly, this is the one that got leaked. So we want to know where it was and where it came from, where it went. So if I scroll down, we’ve got the preview, and then the details. You’ll see that there’s all the metadata associated with the file, and you’ll see this file is stored on her desktop. But the same thing can apply for OneDrive. If this was from OneDrive, this would actually say OneDrive. And for this file, using our new Connections feature in Axiom, you’ll see … the filename here … we want to know, was this file seen anywhere else on the computer, in the cloud, in email?

So I’ll click this little Connections icon – anytime you see this icon, it means you can draw connections on that piece of data that you’re looking at. So, I can draw connections on Jean specifically, or I can draw connections on this filename. So I’ll start with the filename.

This’ll jump us to our Connections view. And I’ll see here, we’ve got a graph. And if I just zoom out a little bit, you’ll see there’s a couple of things going on. I’ll just move this out here to clear it up. We’ll see that the filename … we’ve got all relevant items on the right-hand side too. We’ll see this file is associated with Excel. It was transferred with Outlook, which is interesting. We’ll come back to that. It was modified by Alison, and it was transferred by Jean. So, that’s some of the interesting connections that are there. But the most interesting is this filename was transferred to Alison.

So, this is suspicious. Jean says she never emailed this. And that means – again, that file was transferred. We don’t know the [names] yet, but if we look on the right-hand side, you’ll see there’s an Outlook email referencing this same document. And if I open up the details, you’ll see, in this email, I can see the preview, “I’ve attached information that you have requested to this email message.” And again, this was Alison, and you’ll see it says, “Hi Jean, I’m sorry to bother you, but I really need that information now.” And if I scroll down on this email, you’ll see there was attachments … that file was attached to this email. If I click this, you’ll see it’s the same file.

Again, a very simple use case. But this email was attached to an Outlook email and was transferred to Alison. So, in this case, we’ve shown that Jean had access to that file, transferred it to Alison through her email.

Warren: Tayf, just to clarify, if this had … come from the cloud, we’d still see the connections between everything, like downloaded from the repository. You’ve just really simplified this for the sake of demonstration.

Tayfun: Yeah. That’s right. I think what’s important to note here – it’s this … and I do have cases that show this. If this same file was, let’s say, uploaded to OneDrive, we’d see a connection here that says, “This file was uploaded (or downloaded) from OneDrive.” So it’s important to know where that file lived and all the places that it touched. Because if it was in OneDrive, as anyone who works with Office 365 often, you’ll know that OneDrive documents can be shared with external parties fairly simply, just right-clicking the file and sharing it. And actually, you can see that activity in all the logs as well, which I’ll go through. So, if something’s in OneDrive, it’s good to know that and to investigate that space, because that also opens up other doors for leaks.

So, I’m going to jump into the audit logs use case here again, because there are some interesting things we can show. And again, like I said, this is a test account, so we don’t have all of the different types of audit logs that you’d expect in a big organization, but we do have some really interesting ones already.

I could go through this list and read through these audit logs and see what happens. But it’s actually much more interesting if … for example, if I want to see the use case of somebody … somebody who locked out … an enquiry comes into the office, and their account’s locked out because somebody was trying to log into it repeatedly. And you want to know what happened there.

So, I could actually do a quick search here in the top right, and just search for “login”. This is going to filter the audit logs down to “login”. You can see “AccountLogon” as your events. And now that I’ve done this, you can see the action – PasswordLogonInitialAuthUsingPassword. Someone’s logging in using a password. And again, these are just normal logins. As people log into their accounts, you’ll get these records. You’ll see IP addresses of where people logged into their account from, which is very important. And you’ll see status – success, fail.

In the case of … I want to know who logged into this account, and I only want to see failures. So I do the login search, and then if I scroll over and see the Status column, I right-click and do a filter. I only want to see the fails, so I’ll just put “fail” and search. Now I’ve got the two keyword searches, login and failure, and I’m seeing just the login failures for these accounts.

Again, if I wanted to filter just on HPotter, I could do that, again filtering on this column. Now I’m down to one. So, I can see this account actually failed to log in from this IP address, and on the right-hand side, I’ve got all the details of that audit log: the IP address, and the date-time that that login failed.

We also provide the raw data that we pull from audit logs. We parse out some of the key information, but if you go through some of this raw data, you’ll start to see things that may be relevant to your investigation. You can see here what the actual login error was: “The entered and stored passwords do not match.” So, this means, obviously, they got the wrong password. But there are other little details in this raw data section that you could go through as well, and our keyword search will search these too. So, that’s one example of a login failure.

Another example, which I’ll filter on, just to show some of the audit log capabilities: if I wanted to see account creation, I can search for “account”. So, account logons are there, and you can see some of the actions that are happening. All the password stuff’s there, actually. If I clear this and search for “user add” … sorry, I should clear my filters. Again. So, if I jump into the audit logs again, under AzureActiveDirectory, you’ve got ‘Add service principal’, and this user was added to a group.

This is an interesting one. Added member to role. So, if I click that, you’ll see that a user was added to a specific role. So if you have roles like admin accounts, or different hierarchies of permissions within your 365 account, it’ll tell you which role they were added to, the display name is Service or Administrator. So that means, in this case, this is actually an admin for Office 365. But again, you could have different roles that they may have been added to.

And this is important, because if a malicious person has gotten access into your Office 365 instance, and they start adding random users to certain roles because they’re trying to compromise that account … this is a common use case, where they try and compromise an account, create an admin role, and then get access to your entire Office 365. So, it’s important to know that.

One other thing I’ll touch on with audit logs – I mean, there’s a ton of different things here, but … it’s not uncommon in incident response: an incident happens, and you may get a notification from your [SOC] saying something happened at this period of time…

So, if I clear my filters here, I can actually do a date-time filter, a date range and a time range, and focus in on that time range that I care about, when that incident [39:24] notification for an incident that happened, and then I can see the activity in Office 365 that happened at that time. Now, in an IR situation, where your machine is compromised or someone got access, there’s any number of systems that you have to go and check to figure out where this breach happened. But being able to do that through Office 365 specifically here is really powerful. Because you can cross that off your list and say, “I went through the audit logs of Office, and I ran those times, and I didn’t see any user activity within Active Directory,” for example.

That’s all I have for the demo there. Again, in your environment, I encourage you to grab a trial of Axiom and try the cloud features with your environment, because you’re going to have very different audit logs and things that you care about, so definitely give that a shot.

And Warren is going to go through a little bit more detail on how Axiom Cloud can help your investigations.

Warren: Sure. Thanks, Tayf. I just wanted to highlight here just some of the key capabilities of Axiom Cloud. First and foremost, finding more evidence than competitive solutions, and I think the key here is really what Tayf hit on – because we do the mobile, computer, and cloud artifacts, all in one, we’re really able to pull files that other solutions can’t, as most of the cloud forensic solutions come from the mobile background. Well, we come from both a mobile and computer background, so we’re going to find all the files that are uploaded into the cloud that Tayf hit on.

With regard to discovering connections between cloud evidence, I think Tayf showed that great use case there of showing … centering on the file and showing all the people associated with that file, all the services associated, where it was stored and opened, whether it was on a desktop. And this is really critical for showing all the people that touched a file in a data exfiltration case. And then, also being able to show intent. If someone says that they didn’t actually do this maliciously, but that file was stored in a hidden folder and opened three times in the last day, that’s a good way to show that maybe that story of “I didn’t mean to do this” isn’t really true.

With regard to preserving and collecting corporate data, Tayf just showed all the great use cases and audit logs and keeping that key metadata to show when things were accessed. I think this is again really key, in that inadvertent actor scenario where a suspect may claim that they had no idea of this, and when you look at those logs, you might see, “Oh, okay, this happened at three in the morning, and the IP address accessing this is from Russia, this is clearly someone that is a malicious actor from outside the company,” and this is all collected from our corporate evidence, and preserving that data.

And then lastly, something that we didn’t get to show in our demo but I think is really powerful – and Tayf has talked about it with customers – is being able to locate and visualize that cloud evidence. So, using our [map] view and actually seeing where the person accessed this data from can be really key in your investigation to prove whether this was malicious or whether this was inadvertent. That the person is always accessing data from their home, or from the office, and then, all of a sudden, data is being accessed from around the world with a different time zone, and you can actually see this on the map. It really proves the case that they didn’t do this maliciously.

So, again, just to highlight some of the key Office 365 capabilities that [43:01]: administrator credentials, really critical for investigations. We hear this from customers all the time. They don’t want to reset passwords and tip off employees that they’re being investigated. If you have those admin credentials, like we do, it makes the investigation go much smoother.

Selective acquisitions for the Microsoft services – again, given the files that we’re dealing with and the amount of content that people are creating these days, selective acquisition is really critical. You may not want to dump the whole file and get gigs and gigs of data. It just might be too much – so having the ability to selectively acquire specific files and folders is key.

And then lastly, we just went through the power of having audit logs, in addition to being able to pull all that evidence down from the cloud.

And then, lastly, I just wanted to highlight other cloud capabilities that are somewhat related to the corporate environment, maybe for private consultants that are doing this, or if you have a BYOD policy and you’re able to get data off an employee’s device as well as corporate content servers – being able to take tokens from mobile devices. So if you have a mobile device, you can take the cloud token, and then you can get into those cloud accounts without needing a password. So, we support acquiring cloud tokens, we also support ingesting tokens from third parties, we also support keychain, and then we support 52 different cloud services.

So, if you wanted to look at inappropriate messaging on Instagram or on Facebook or Twitter and things like that, we do support those services as well as corporate services. And I just wanted to call that out. So, we do have a robust solution for both corporate use and consumer use.

The last thing I want to talk about here – just a call to action, if you’re interested – we have our Magnet User Summit coming up. There’s four big dates – London, Paris, Dusseldorf, and Las Vegas. So, if you are interested in learning more about Magnet overall … I believe Tayf will actually be presenting there, and we’ll be showing a number of our capabilities. We’ll definitely be talking about cloud and our abilities to do corporate investigations there as well. So, if you are interested, please visit the URL and sign up.

And that’s pretty much everything we have for today. I know there’s been a number of questions that Tayf has received, so I think we’ll just start answering some of those. And again, if you do have a specific question, feel free to look Tayfun or myself up on LinkedIn and message us directly. We’re happy to interact with you if you need a trial or anything. We’re definitely happy to send that out and really get you to test out our cloud capabilities.

So, I’ll hand things over to Tayf, and he can answer some of your questions.

Tayfun: Great. Thank you. Just going through the questions here … actually, a great question that’s come up a couple of times, and I do want to address it, because we are working on it.

So, is there a way that you can configure a proxy or firewall through Axiom Cloud? Not yet, but it’s something that we’re actually working on – so the ability to be able to set proxy settings. I know a lot of corporate environments, you may have to go through a proxy. That’s coming down the pipes.

There was a question about Security and Compliance Center in Office 365 – so that’s a Microsoft add-in to O365, to help you do e-discovery and some of these things. We don’t integrate with it today, but it’s something that we’re looking at. So, if you have … again, [46:38] specific things there that you’re missing from Security Center or you want us to integrate with, please let us know.

Another good point here – I mentioned that there’s a guide on how to set read access to specific accounts, to be able to use them in Axiom. We’ll share that guide out with the video recording. It’s a Microsoft Knowledge Base article. We’ll share it out, and it’s pretty clear, it’ll tell you how to log in and how to set the permissions on those accounts.

Another great question, and something that actually aligns with what we’re trying to have the product be capable of – the question was: Did you get emails for the entire subscription or just one person? In this case, since we’re doing a root cause analysis on specific users, I did acquire the email for just one account. Again, when you log into your admin credentials … when you log in with your admin credentials within the processing stage, you can hit the Edit button on the emails, and then enter the users that you want to acquire. So, that’s really important, because often, you’re investigating one or two people, you want to direct your acquisition to those mailboxes.

From the evidentiary side, is there a hash value for evidence stored? Yes. We provide hash values … in general, with cloud acquisitions, the true forensic hash doesn’t exist, because the data … it’s not like you’re removing a hard drive and imaging it and getting a consistent hash. But we do hash our cloud image. So, all the data we acquire we put into a zip container, and we hash that. That way, if that zip container ever changes, you know that the hash has changed. We also provide hashes for all the documents that were pulled from an account. So, let’s say you’ve pulled 20 PDFs from someone’s OneDrive, we provide the MD5 and [48:42] hashes for those PDFs. So, all that evidentiary, forensic metadata is preserved.

This is a really good question, and it’s a tough one to answer, but I’ll give it a shot, because I think it’s a very common question. Can the data that’s being extracted from a cloud source be exported out to an image file, to be processed in other forensic tools? And my answer, again – in forensics, I find I’m always saying this – but it depends, and it’s yes and no. For email, we store all email that we’re pulling down into a PST. For that, that’s compatible across the forensic tools that you have that support PST parsing. For certain things, like, again, OneDrive, we store the metadata … in general, for our cloud acquisitions, we’ll store all the metadata and file details in an XML file.

So, if the tools you use support XML, you can pull that in and look at that. But the actual content that we pull down, we put into a folder and it gets zipped to preserve timestamps. So, again, that zip is a generic zip, it’s not proprietary, you can take that and put it into other forensic tools. But connecting that XML metadata to the loose files that are zipped up in your cloud image, that’s where Axiom will join those two together. There’s no standard for cloud image formats out there. We’ve kept an open format, zip and XML, to be transparent with how the data is being stored. But again, taking that as is and putting it into another tool doesn’t always work, because everyone’s doing it a little bit differently.

There’s a couple of questions about connections, and I’ll talk about that a little bit. There’s questions about how the connections are being drawn, what are the criteria. So, it’s a slew of things – again, filenames are one way that we match. Again, if someone changes a filename, it’s a pretty simple way to try and hide a document, that connection won’t be shown, but we do use file hashes as well. So if there’s a file hash of a document that’s the same as another one, we’ll draw those connections. At this time, we don’t have any fuzzy matching, so if a document is similar to another one but slightly changed, we don’t match on that, but that’s something that we’re also working on as well.

Does Connections pull in information from audit logs? Absolutely. Connections works on all artifacts that we support. As long as it has some identifying information – so I’ll give a good example for audit logs. The username of the Office 365 account will be pulled – you can draw connections on that. As well as IP addresses – so if there’s an IP address, you can draw connections on that, as well as the other items in that column, a lot of those data fragments can draw connections.

A lot of similar questions on connections – yeah, we match on hash and a couple of other criteria as well.

Warren: You know, I think one of the cool things about Connections is if you do that trial, we’re absolutely interested in seeing your feedback and how you use Connections in your own case. The thing is we want to keep expanding that, and we’ve heard from customers that it is definitely incredibly valuable when they’re looking at things like IP leaks, and looking at where a file originated from or where it ended up, and just drawing those connections automatically for them. We’re not saying that it will always work perfectly 100% of the time, but it does give you a great starting base, and does let you visualize and actually show this to non-technical users. And that’s been something that’s resonated very strongly with customers that we’ve talked to.

Okay, I think that’s it for us for today. So if you do have any other specific questions, please let us know. You can look up Tayfun or myself on LinkedIn, and we’re happy to follow up with you. Or if you do want to get a trial of Axiom, please let us know. We’ll reach out to you with the recording and that user guide that Tayf mentioned. So again, thank you very much. We appreciate this. And good luck with your future cloud investigations.

End of Transcript

The Office 365 document referenced in the webinar can be found here.
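The audit-log triage that Tayfun walks through in the demo (filtering logons down to failures, narrowing to one user, spotting “Add member to role.” events, and scoping to an incident time window) can also be scripted against an exported Unified Audit Log. The following is an added example written for this page; it is not part of the webinar and not Axiom code. The records it parses are constructed for illustration (fictitious tenant, users and IPs). The field names used (CreationTime, Operation, ResultStatus, UserId, ClientIP, Workload, ObjectId, LogonError, ModifiedProperties, Role.DisplayName) follow the public Office 365 audit schema as commonly exported one JSON object per line, but the failure threshold and the exact property layout are assumptions, so check them against your own tenant’s export before relying on them.

```python
"""Triage of Office 365 Unified Audit Log records exported as one JSON object
per line (as you would get from Search-UnifiedAuditLog AuditData).

The SAMPLE_LOG below is CONSTRUCTED for this example: fictitious tenant,
users, timestamps and IP addresses.  Field names follow the public audit
schema, but treat the exact property layout as an assumption and verify it
against a real export.
"""
import json
from collections import Counter
from datetime import datetime, timezone

# Constructed sample export (not real tenant data).  Timestamps are UTC.
SAMPLE_LOG = r"""
{"CreationTime":"2018-03-12T03:02:10","Operation":"UserLoginFailed","ResultStatus":"Failed","UserId":"hpotter@example.onmicrosoft.com","ClientIP":"203.0.113.45","Workload":"AzureActiveDirectory","LogonError":"InvalidUserNameOrPassword"}
{"CreationTime":"2018-03-12T03:02:41","Operation":"UserLoginFailed","ResultStatus":"Failed","UserId":"hpotter@example.onmicrosoft.com","ClientIP":"203.0.113.45","Workload":"AzureActiveDirectory","LogonError":"InvalidUserNameOrPassword"}
{"CreationTime":"2018-03-12T03:03:05","Operation":"UserLoginFailed","ResultStatus":"Failed","UserId":"hpotter@example.onmicrosoft.com","ClientIP":"203.0.113.45","Workload":"AzureActiveDirectory","LogonError":"InvalidUserNameOrPassword"}
{"CreationTime":"2018-03-12T03:03:30","Operation":"UserLoggedIn","ResultStatus":"Succeeded","UserId":"hpotter@example.onmicrosoft.com","ClientIP":"203.0.113.45","Workload":"AzureActiveDirectory"}
{"CreationTime":"2018-03-12T03:05:12","Operation":"Add member to role.","ResultStatus":"Success","UserId":"hpotter@example.onmicrosoft.com","ClientIP":"203.0.113.45","Workload":"AzureActiveDirectory","ObjectId":"mallory@example.onmicrosoft.com","ModifiedProperties":[{"Name":"Role.DisplayName","NewValue":"Company Administrator","OldValue":""}]}
{"CreationTime":"2018-03-12T09:15:00","Operation":"UserLoggedIn","ResultStatus":"Succeeded","UserId":"jgranger@example.onmicrosoft.com","ClientIP":"198.51.100.7","Workload":"AzureActiveDirectory"}
{"CreationTime":"2018-03-12T09:20:00","Operation":"FileDownloaded","ResultStatus":"Succeeded","UserId":"jgranger@example.onmicrosoft.com","ClientIP":"198.51.100.7","Workload":"OneDrive","ObjectId":"https://example-my.sharepoint.com/personal/jgranger/Documents/Q3-forecast.xlsx"}
"""


def _utc(ts):
    """CreationTime carries no zone designator but is UTC in the audit log."""
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)


def parse_records(text):
    """Parse one JSON record per non-empty line; malformed lines are skipped
    rather than aborting the whole triage."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        rec["_time"] = _utc(rec["CreationTime"])
        records.append(rec)
    return records


def failed_logins(records, user=None):
    """The demo's 'login' + Status=fail filter, optionally narrowed to one UPN."""
    out = []
    for r in records:
        if r.get("Operation") != "UserLoginFailed":
            continue
        if user and r.get("UserId", "").lower() != user.lower():
            continue
        out.append({"time": r["CreationTime"], "user": r.get("UserId"),
                    "ip": r.get("ClientIP"), "error": r.get("LogonError")})
    return out


def suspicious_logons(records, threshold=3):
    """(user, ip) pairs with >= threshold failures followed by a success from
    the same IP: the lockout-then-success pattern that suggests a guessed
    password rather than a forgetful owner.  threshold is an assumption."""
    fails, first_fail = Counter(), {}
    for r in records:
        if r.get("Operation") == "UserLoginFailed":
            key = (r.get("UserId"), r.get("ClientIP"))
            fails[key] += 1
            first_fail.setdefault(key, r["_time"])
    hits = []
    for r in records:
        if r.get("Operation") != "UserLoggedIn":
            continue
        key = (r.get("UserId"), r.get("ClientIP"))
        if fails[key] >= threshold and r["_time"] > first_fail[key]:
            hits.append({"user": key[0], "ip": key[1],
                         "failures": fails[key], "success_at": r["CreationTime"]})
    return hits


def role_additions(records):
    """Azure AD 'Add member to role.' events: actor (UserId), target (ObjectId)
    and the role display name pulled from ModifiedProperties."""
    out = []
    for r in records:
        if r.get("Operation") != "Add member to role.":
            continue
        role = next((p.get("NewValue") for p in r.get("ModifiedProperties", [])
                     if p.get("Name") == "Role.DisplayName"), None)
        out.append({"time": r["CreationTime"], "actor": r.get("UserId"),
                    "target": r.get("ObjectId"), "role": role, "ip": r.get("ClientIP")})
    return out


def activity_between(records, start, end):
    """Incident-scoping window: start/end are ISO 8601 UTC strings, inclusive."""
    lo, hi = _utc(start), _utc(end)
    return [r for r in records if lo <= r["_time"] <= hi]


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for hit in suspicious_logons(recs):
        print("possible compromise:", hit)
    for ra in role_additions(recs):
        print("privileged role granted:", ra)
    print(len(activity_between(recs, "2018-03-12T03:00:00", "2018-03-12T03:10:00")),
          "events in the incident window")
```

Run against the constructed sample, the script ties the three things the demo showed by hand into one story: three failures for hpotter from 203.0.113.45, a success from the same IP two minutes later, and a Company Administrator role granted by that session. Pointing it at a real export only requires changing the input text; the time-window filter is what lets you say, as in the webinar, that nothing happened in Azure AD during the period the SOC flagged.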
