Cloud Investigation
Cloud Forensics
Incident response and forensic investigation across AWS, Azure and Google Cloud environments.
Sherlock Forensics provides cloud forensic investigation and incident response for AWS, Azure and GCP environments. Services include CloudTrail and audit log analysis, container and Kubernetes forensics, SaaS data preservation, serverless function investigation and multi-cloud incident reconstruction. CISSP, ISSAP, ISSMP certified. Since 2006.
Cloud environments generate massive volumes of telemetry data across dozens of services. When a breach occurs, the evidence is scattered across API logs, network flow records, identity provider audit trails and ephemeral compute instances that may no longer exist. Traditional disk imaging rarely applies directly; volume snapshots and API-driven collection take its place. Cloud forensics requires deep understanding of cloud-native logging architectures, IAM permission models and the specific artifacts each service produces. Sherlock Forensics brings digital forensics discipline to cloud incident investigation, transforming raw cloud logs into a coherent narrative of attacker activity.
Investigation Services
Cloud Forensic Capabilities
Cloud Log Analysis
Deep analysis of cloud-native audit logs to reconstruct attacker activity. On AWS we analyze CloudTrail management and data events, VPC Flow Logs, S3 server access logs and GuardDuty findings. On Azure we examine Activity Logs, Sign-in Logs, NSG Flow Logs and Defender alerts. On GCP we investigate Admin Activity audit logs, Data Access logs and VPC Flow Logs. Coverage depends on what was enabled before the incident: CloudTrail data events and VPC Flow Logs are opt-in, so the first step is establishing which log sources actually exist for the affected accounts and the period in question. Cross-referencing the sources that do exist reveals the complete attack timeline.
Container and Kubernetes Forensics
Containerized environments present unique forensic challenges. Containers are ephemeral by design, and the writable layer, process memory and local logs of a compromised container are lost when its pod is terminated. We capture the running container's filesystem and process state from the node, analyze Kubernetes audit logs, examine pod network traffic and extract container runtime artifacts. Our methodology preserves evidence from compromised containers before orchestration systems destroy them.
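The Kubernetes audit log analysis described above, as an added example that is not Sherlock Forensics' own tooling. It reads constructed audit.k8s.io/v1 events (the usernames, pod names, IPs and audit IDs are made up), keeps one record per request, and flags the patterns an investigator looks for first: interactive `exec` into a pod, a service account listing secrets through the API, creation of a pod with host namespaces or a privileged container, and deletion of a pod that was accessed interactively, which is the evidence-destruction case the paragraph warns about.

```python
"""Triage a Kubernetes audit log for container compromise and evidence destruction.

Added example, not Sherlock Forensics' tooling. Every audit event below is
constructed; the usernames, IPs, pod names and audit IDs are made up.
"""
import json
from urllib.parse import parse_qs, urlsplit

SA_WEB = {"username": "system:serviceaccount:prod:web", "groups": ["system:serviceaccounts"]}
DEV = {"username": "jane@example.com", "groups": ["developers"]}

# Constructed audit.k8s.io/v1 events in JSON-lines form, as kube-apiserver writes them.
AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    # One request appears once per stage; a1 shows RequestReceived and ResponseComplete.
    {"auditID": "a1", "stage": "RequestReceived", "verb": "create", "user": DEV,
     "requestURI": "/api/v1/namespaces/prod/pods/web-7d9f/exec?command=sh&container=web&stdin=true&tty=true",
     "sourceIPs": ["203.0.113.7"], "userAgent": "kubectl/v1.29.0",
     "objectRef": {"resource": "pods", "namespace": "prod", "name": "web-7d9f", "subresource": "exec"},
     "requestReceivedTimestamp": "2024-03-01T10:00:00.000000Z"},
    {"auditID": "a1", "stage": "ResponseComplete", "verb": "create", "user": DEV,
     "requestURI": "/api/v1/namespaces/prod/pods/web-7d9f/exec?command=sh&container=web&stdin=true&tty=true",
     "sourceIPs": ["203.0.113.7"], "userAgent": "kubectl/v1.29.0",
     "objectRef": {"resource": "pods", "namespace": "prod", "name": "web-7d9f", "subresource": "exec"},
     "responseStatus": {"code": 101}, "stageTimestamp": "2024-03-01T10:00:01.000000Z"},
    {"auditID": "a2", "stage": "ResponseComplete", "verb": "list", "user": SA_WEB,
     "requestURI": "/api/v1/namespaces/prod/secrets", "sourceIPs": ["10.0.2.15"], "userAgent": "curl/8.4.0",
     "objectRef": {"resource": "secrets", "namespace": "prod"},
     "responseStatus": {"code": 200}, "stageTimestamp": "2024-03-01T10:03:12.000000Z"},
    {"auditID": "a3", "stage": "ResponseComplete", "verb": "create", "user": SA_WEB,
     "requestURI": "/api/v1/namespaces/prod/pods", "sourceIPs": ["10.0.2.15"], "userAgent": "curl/8.4.0",
     "objectRef": {"resource": "pods", "namespace": "prod", "name": "debug"},
     "requestObject": {"spec": {"hostPID": True, "containers": [
         {"name": "x", "image": "alpine", "securityContext": {"privileged": True}}]}},
     "responseStatus": {"code": 201}, "stageTimestamp": "2024-03-01T10:05:40.000000Z"},
    {"auditID": "a4", "stage": "ResponseComplete", "verb": "delete", "user": SA_WEB,
     "requestURI": "/api/v1/namespaces/prod/pods/web-7d9f", "sourceIPs": ["10.0.2.15"], "userAgent": "curl/8.4.0",
     "objectRef": {"resource": "pods", "namespace": "prod", "name": "web-7d9f"},
     "responseStatus": {"code": 200}, "stageTimestamp": "2024-03-01T10:06:05.000000Z"},
])


def load_events(text):
    """Keep one record per request: the ResponseComplete stage carries the status code."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    return [e for e in events if e.get("stage") == "ResponseComplete"]


def is_service_account(user):
    return user.get("username", "").startswith("system:serviceaccount:")


def privileged_spec(spec):
    """True when a pod spec requests host namespaces or a privileged container."""
    if any(spec.get(k) for k in ("hostPID", "hostNetwork", "hostIPC")):
        return True
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    return any(c.get("securityContext", {}).get("privileged") for c in containers)


def triage(events):
    """Return (timestamp, finding, actor, detail) tuples in log order."""
    findings = []
    for e in events:
        ref, user = e.get("objectRef", {}), e.get("user", {})
        ts = e.get("stageTimestamp") or e.get("requestReceivedTimestamp")
        target = f'{ref.get("namespace", "")}/{ref.get("name", "")}'.rstrip("/")
        res, verb = ref.get("resource"), e.get("verb")
        if res == "pods" and ref.get("subresource") in ("exec", "attach"):
            cmd = " ".join(parse_qs(urlsplit(e["requestURI"]).query).get("command", []))
            findings.append((ts, "interactive-access", user["username"], f"{target} {cmd}".rstrip()))
        elif res == "secrets" and verb in ("get", "list", "watch") and is_service_account(user):
            # Workloads normally receive secrets via mounts, not by listing them through the API.
            findings.append((ts, "secret-read-by-serviceaccount", user["username"], target))
        elif res == "pods" and verb == "create" and privileged_spec(e.get("requestObject", {}).get("spec", {})):
            findings.append((ts, "privileged-pod-created", user["username"], target))
        elif res == "pods" and verb == "delete":
            findings.append((ts, "pod-deleted", user["username"], target))
    return findings


def evidence_at_risk(findings):
    """Pods that were accessed interactively and then deleted: their writable layer and
    memory are gone unless they were captured from the node before the kubelet reclaimed them."""
    accessed, gone = {}, set()
    for ts, kind, _, detail in findings:
        pod = detail.split()[0]
        if kind == "interactive-access":
            accessed[pod] = ts
        elif kind == "pod-deleted" and pod in accessed and ts >= accessed[pod]:
            gone.add(pod)
    return gone


if __name__ == "__main__":
    found = triage(load_events(AUDIT_LOG))
    for row in found:
        print(*row)
    print("evidence at risk:", sorted(evidence_at_risk(found)))
```

The `requestObject` field is only present when the audit policy records the request body (`Request` or `RequestResponse` level), so the privileged-pod check silently yields nothing under a `Metadata`-only policy; that gap is itself worth noting in the report.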
SaaS Data Preservation
Business-critical data increasingly resides in SaaS platforms rather than on-premise servers. We perform forensic preservation of Microsoft 365, Google Workspace, Salesforce, Slack and other SaaS platforms through API-based extraction. This includes email content, file access histories, audit logs, user activity records and administrative configuration changes with full chain of custody documentation.
Serverless Investigation
Serverless functions (AWS Lambda, Azure Functions, Google Cloud Functions) execute without persistent infrastructure. When one is compromised, the evidence is limited to cloud logs, the deployed code package and its configuration. We analyze function invocation logs, execution contexts, environment variables, IAM role permissions and event source configurations to determine how serverless resources were exploited and what data was accessed.
Multi-Cloud Incident Response
Organizations operating across multiple cloud providers face compounded investigation complexity. Attackers exploit trust relationships between cloud environments, pivot through federated identity systems and leverage cross-cloud service integrations. We correlate evidence across AWS, Azure and GCP to trace lateral movement, identify the initial access vector and determine the full scope of compromise.
IAM and Identity Investigation
Cloud breaches frequently begin with compromised credentials or misconfigured IAM policies. We analyze identity provider logs, role assumption chains, permission escalation paths and access key usage patterns to determine which accounts were compromised, what permissions the attacker obtained and which resources were accessed. This analysis often reveals the difference between a limited breach and full environment compromise.
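The role-assumption analysis described here, and the CloudTrail cross-referencing under Cloud Log Analysis above, as one added example that is not Sherlock Forensics' own tooling. It parses a constructed CloudTrail log file (the account IDs, access keys and ARNs are fake) and links each temporary credential minted by `AssumeRole` back to the key that requested it, so that every later API call can be attributed to the long-term credential that started the chain and the state-changing calls can be separated from reads.

```python
"""Reconstruct an AWS role-assumption chain from CloudTrail records.

Added example, not Sherlock Forensics' tooling. The records below are
constructed for illustration: the account IDs, access keys and ARNs are fake.
"""
import json

# Constructed CloudTrail log file (same shape as a real one: a "Records" array).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-03-01T10:00:00Z", "eventSource": "iam.amazonaws.com", "eventName": "GetUser",
     "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy", "accessKeyId": "AKIAEXAMPLE000000001"}},
    {"eventTime": "2024-03-01T10:01:10Z", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy", "accessKeyId": "AKIAEXAMPLE000000001"},
     "requestParameters": {"roleArn": "arn:aws:iam::111111111111:role/ReadOnlyAudit", "roleSessionName": "audit"},
     "responseElements": {"credentials": {"accessKeyId": "ASIAEXAMPLE000000002"}}},
    {"eventTime": "2024-03-01T10:02:00Z", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE000000002",
                      "arn": "arn:aws:sts::111111111111:assumed-role/ReadOnlyAudit/audit"}},
    {"eventTime": "2024-03-01T10:03:30Z", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE000000002",
                      "arn": "arn:aws:sts::111111111111:assumed-role/ReadOnlyAudit/audit"},
     "requestParameters": {"roleArn": "arn:aws:iam::222222222222:role/CrossAccountAdmin", "roleSessionName": "audit"},
     "responseElements": {"credentials": {"accessKeyId": "ASIAEXAMPLE000000003"}}},
    {"eventTime": "2024-03-01T10:04:00Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE000000003",
                      "arn": "arn:aws:sts::222222222222:assumed-role/CrossAccountAdmin/audit"},
     "requestParameters": {"userName": "svc-backup"}},
    {"eventTime": "2024-03-01T10:04:20Z", "eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE000000003",
                      "arn": "arn:aws:sts::222222222222:assumed-role/CrossAccountAdmin/audit"},
     "requestParameters": {"userName": "svc-backup", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2024-03-01T10:05:00Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE000000003",
                      "arn": "arn:aws:sts::222222222222:assumed-role/CrossAccountAdmin/audit"},
     "requestParameters": {"bucketName": "finance-exports", "key": "q4.csv"}},
]})

READ_ONLY_PREFIXES = ("Get", "List", "Describe", "Head")


def load_records(raw):
    """Parse a CloudTrail log file and order its records by time (ISO-8601 sorts lexically)."""
    return sorted(json.loads(raw)["Records"], key=lambda r: r["eventTime"])


def assumption_graph(records):
    """Map every temporary key minted by AssumeRole* back to the key that requested it.

    The link is responseElements.credentials.accessKeyId on the STS call; every
    later record made with that key carries it in userIdentity.accessKeyId.
    """
    parents = {}
    for r in records:
        if r["eventSource"] == "sts.amazonaws.com" and r["eventName"].startswith("AssumeRole"):
            child = r.get("responseElements", {}).get("credentials", {}).get("accessKeyId")
            if child:
                parents[child] = (r["userIdentity"].get("accessKeyId"), r["requestParameters"]["roleArn"])
    return parents


def role_chain(key, parents):
    """Return (root credential, roles assumed in order) for the credential `key`."""
    roles, seen = [], set()
    while key in parents and key not in seen:
        seen.add(key)  # guard against malformed or cyclic data
        key, role_arn = parents[key]
        roles.append(role_arn)
    return key, list(reversed(roles))


def attribute(records):
    """Group every record under the long-term credential that ultimately produced it."""
    parents = assumption_graph(records)
    by_root = {}
    for r in records:
        key = r["userIdentity"].get("accessKeyId")
        root, roles = role_chain(key, parents)
        entry = by_root.setdefault(root, {"roles": [], "timeline": [], "writes": []})
        for role in roles:
            if role not in entry["roles"]:
                entry["roles"].append(role)
        entry["timeline"].append((r["eventTime"], r["eventName"], r["eventSource"], key, r.get("sourceIPAddress")))
        # Anything that is neither a read nor the STS hop itself changed state in the account.
        if r["eventSource"] != "sts.amazonaws.com" and not r["eventName"].startswith(READ_ONLY_PREFIXES):
            entry["writes"].append(r["eventName"])
    return by_root


if __name__ == "__main__":
    for root, info in attribute(load_records(SAMPLE_LOG)).items():
        print(f"root credential {root}: roles {info['roles']}, writes {info['writes']}")
        for line in info["timeline"]:
            print("  ", *line)
```

Cross-account hops like the second `AssumeRole` here are logged in both the calling and the target account, so the target account's trail must be collected as well or the chain ends at the account boundary. Calls made through `AssumeRoleWithSAML` or `AssumeRoleWithWebIdentity` have no access key on the caller side; they become their own roots and need to be joined to the identity provider's sign-in log instead.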
Evidence Sources
Cloud Log Sources We Analyze
| Provider | Primary Logs | Security Services |
|---|---|---|
| AWS | CloudTrail, VPC Flow Logs, S3 Access Logs | GuardDuty, Security Hub, Detective |
| Azure | Activity Logs, Sign-in Logs, NSG Flow Logs | Microsoft Defender, Sentinel |
| GCP | Admin Activity, Data Access, VPC Flow Logs | Security Command Center, Chronicle |
Frequently Asked Questions
Cloud Forensics FAQs
- How is cloud forensics different from traditional digital forensics?
- Traditional forensics examines physical drives and memory. Cloud forensics analyzes API logs, virtual machine snapshots, container images and cloud service audit trails. Evidence is distributed across regions and services rather than contained on a single device. The ephemeral nature of cloud resources means evidence can disappear when instances are terminated.
- What cloud platforms do you investigate?
- We investigate incidents across AWS, Microsoft Azure and Google Cloud Platform. This includes analysis of CloudTrail, VPC Flow Logs and GuardDuty on AWS; Activity Logs and Microsoft Defender on Azure; and GCP Audit Logs and Security Command Center on Google Cloud.
- Can you forensically analyze containers and Kubernetes clusters?
- Yes. Container forensics involves capturing container images before termination, analyzing Kubernetes audit logs, examining pod network traffic and tracing lateral movement between containers. The ephemeral nature of containers makes rapid evidence preservation critical.
- How do you preserve SaaS application data?
- SaaS data preservation involves API-based extraction of audit logs, user activity records, file access histories and configuration changes from platforms like Microsoft 365, Google Workspace, Salesforce and Slack. We document chain of custody for all extracted data.
- What happens if cloud logs have been deleted or tampered with?
- Log deletion is itself a forensic finding. We analyze log gap patterns, cross-reference multiple log sources and examine immutable log destinations such as S3 buckets with Object Lock. Where CloudTrail log file validation was enabled, the hourly digest files let us prove whether delivered log files were modified or removed. Secondary evidence sources such as billing records, DNS logs and VPC Flow Logs often corroborate activity during the gap.
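The gap analysis and cross-referencing described in that answer, as an added example that is not Sherlock Forensics' own tooling. It works over constructed data (the account, ENI, key and IP values are fake): a short list of CloudTrail management events containing a `StopLogging` call followed by an hour of silence, and VPC Flow Log lines in the default S3 format. It finds silences longer than a threshold, lists the logging-disabling API calls, and pulls the flow records that fall inside each silence so the gap can be shown to contain real activity rather than an idle period.

```python
"""Find CloudTrail silence, spot anti-forensic API calls, and corroborate with VPC Flow Logs.

Added example, not Sherlock Forensics' tooling. All events and flow records
below are constructed; the account, ENI, key and IP values are fake.
"""
from datetime import datetime, timedelta, timezone

# API calls that disable or destroy logging. Any of these just before a gap
# turns "missing logs" into evidence of tampering.
ANTI_FORENSIC_EVENTS = {
    "StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors",          # CloudTrail
    "DeleteFlowLogs",                                                          # VPC Flow Logs
    "DeleteLogGroup", "DeleteLogStream", "PutRetentionPolicy",                 # CloudWatch Logs
    "DeleteBucket", "PutBucketLifecycle", "PutBucketLifecycleConfiguration",   # the log bucket
}

# Constructed CloudTrail management events: (eventTime, eventName, accessKeyId).
CLOUDTRAIL_EVENTS = [
    ("2024-03-01T10:00:00Z", "DescribeInstances", "AKIAEXAMPLE000000001"),
    ("2024-03-01T10:04:00Z", "ListBuckets", "AKIAEXAMPLE000000001"),
    ("2024-03-01T10:07:30Z", "StopLogging", "AKIAEXAMPLE000000001"),
    ("2024-03-01T11:12:00Z", "StartLogging", "AKIAEXAMPLE000000001"),
    ("2024-03-01T11:13:00Z", "DescribeInstances", "AKIAEXAMPLE000000001"),
]

# Constructed VPC Flow Log lines in the default format; start/end are epoch seconds.
# The two large flows sit at 10:20 and 10:40 UTC, inside the CloudTrail silence.
FLOW_LOG_TEXT = """\
version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
2 111111111111 eni-0abc123 10.0.1.23 198.51.100.9 49321 443 6 40 5200 1709287300 1709287360 ACCEPT OK
2 111111111111 eni-0abc123 10.0.1.23 198.51.100.9 49322 443 6 18000 26000000 1709288400 1709288460 ACCEPT OK
2 111111111111 eni-0abc123 10.0.1.23 198.51.100.9 49323 443 6 21000 31000000 1709289600 1709289660 ACCEPT OK
2 111111111111 eni-0abc123 10.0.1.23 10.0.1.10 53122 22 6 3 180 1709291700 1709291760 REJECT OK
"""


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_gaps(events, max_silence=timedelta(minutes=30)):
    """Return (start, end, last event before the silence) for each quiet stretch over max_silence."""
    times = sorted((parse_time(t), name) for t, name, _ in events)
    return [(t0, t1, name0) for (t0, name0), (t1, _) in zip(times, times[1:]) if t1 - t0 > max_silence]


def anti_forensic_calls(events):
    return [(t, name, key) for t, name, key in events if name in ANTI_FORENSIC_EVENTS]


def parse_flow_logs(text):
    """Parse a flow log file delivered to S3: a header line of field names, then one record per line."""
    lines = text.strip().splitlines()
    header = lines[0].split()
    records = []
    for line in lines[1:]:
        f = dict(zip(header, line.split()))
        f["start"] = datetime.fromtimestamp(int(f["start"]), timezone.utc)
        f["end"] = datetime.fromtimestamp(int(f["end"]), timezone.utc)
        f["bytes"] = int(f["bytes"])
        records.append(f)
    return records


def activity_during(flows, gap):
    start, end, _ = gap
    return [f for f in flows if start <= f["start"] <= end]


def report(events, flow_text):
    """Pair every CloudTrail silence with the network activity that happened inside it."""
    flows = parse_flow_logs(flow_text)
    gaps = []
    for gap in find_gaps(events):
        inside = activity_during(flows, gap)
        gaps.append({
            "gap_start": gap[0], "gap_end": gap[1], "preceded_by": gap[2],
            "flow_records": len(inside),
            "bytes_accepted": sum(f["bytes"] for f in inside if f["action"] == "ACCEPT"),
            "peers": sorted({f["dstaddr"] for f in inside}),
        })
    return {"anti_forensic": anti_forensic_calls(events), "gaps": gaps}


if __name__ == "__main__":
    out = report(CLOUDTRAIL_EVENTS, FLOW_LOG_TEXT)
    for t, name, key in out["anti_forensic"]:
        print(f"{t} {name} by {key}")
    for g in out["gaps"]:
        print(f"silence {g['gap_start']:%H:%M} to {g['gap_end']:%H:%M} after {g['preceded_by']}: "
              f"{g['flow_records']} flows, {g['bytes_accepted']} bytes to {g['peers']}")
```

The 30-minute threshold is an assumption for this constructed data; set it from the account's normal event rate, since a quiet development account can legitimately go hours without a management event and CloudTrail delivery itself lags the API call by several minutes. A gap that starts immediately after `StopLogging`, as here, needs no threshold argument at all.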
Get Started
Cloud breach? We find the evidence.
Contact Sherlock Forensics for cloud incident response and forensic investigation across AWS, Azure and GCP environments.
Investigate Your Cloud Incident
Call to discuss your cloud forensic investigation. We handle AWS, Azure, GCP log analysis, container forensics and SaaS data preservation.
Call 604.229.1994
- Phone: 604.229.1994
- Headquarters: Burnaby and Coquitlam, BC
- Certifications: CISSP, ISSAP, ISSMP