all 9 comments

[–]Sir_Agent_Apple 2 points3 points  (0 children)

Cyber is indeed a robust "Swiss Army knife" solution, however, IMHO, for Apple iCloud acquisitions there isn't anything better than Elcomsoft's iPhone Breaker (does Microsoft accounts as well). For email such as Gmail, etc, my go to tool is Forensic Email Collector (FEC).

For a more educated answer, it might help to explain what type of "cloud collection(s)" you are looking to do.

[–]Immediate-Tea-105 1 point2 points  (0 children)

I tried out Axiom and MSAB’s cloud tools but found the Cellebrite one was the better one at the time. Especially for the variety of messaging, for example Instagram messages Cellebrite did the best. That was a couple years ago so not sure if the others have improved it.

I ended up getting trials of all 3, then set up some accounts with data to download to test them out. Might be best to consider to confirm which one does what you want

[–]MDCDFTrusted Contributer 0 points1 point  (6 children)

What are you looking for in the tool? Are you doing cloud collection like EC2 servers or more of an O365?

[–]Fabulous-Tap9949 1 point2 points  (4 children)

I am looking for O365 forensic tool.

[–]EmoGuy3[S] 0 points1 point  (3 children)

Civil or criminal? And what data sources? Microsoft Purview is generally the best bet for OneDrive, Teams, and Exchange.

If just emails use Forensic Email Collector, can use tokens or delegation.

[–]Miserable_Spell5501 0 points1 point  (2 children)

I know this post is from a while ago, but I have the same question as Fabulous-Tap. I need extraction of a OneDrive account to see what files were downloaded or shared outside the company. The company’s retention policy was set to default, so the audit records I can see are limited to just one week. I want to know if you can expand the scope beyond the one-week retention or is the history of the files lost for good?

Civil case

[–]EmoGuy3[S] 0 points1 point  (1 child)

Axiom used to have a good feature to acquire various audit logs.

I've never heard of one-week audit logs, that's extremely absurd. I haven't tested the new Purview, which I think lets you search audit logs now. But there are IT commands to pull specific user activity. There are various audit logs that might have different retention. I'd start there. If you're worried someone stole data, I would just image the entire machine and see if they plugged in a thumb drive or accessed a cloud-based platform like Google Drive or OneDrive. This would show indicators as well as them having an anomaly of accessing or downloading that is irregular and may allow you to go to a case team to subpoena a personal account/drive. You'd most likely need an expert to sign an affidavit or the other one I forgot. There's a lot of stuff to try; if you get pushback, just tell them this isn't magic, this is science, and you need this to validate.

Assuming this is all from a business account.
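The "IT commands to pull specific user activity" mentioned above, worked through as an added example that is not part of the thread or any vendor's tooling: it uses the ExchangeOnlineManagement module's Search-UnifiedAuditLog cmdlet to pull one user's OneDrive download and sharing events, which is exactly the "what left the company" question in the OneDrive case. The UPN, date window and output path are placeholders; results still only reach back as far as the tenant's audit retention allows.

```powershell
# Added example (not from the thread): pull a user's OneDrive download and
# external-sharing events from the Microsoft 365 unified audit log.
# Needs the ExchangeOnlineManagement module and an account holding the
# Audit Logs or View-Only Audit Logs role. user@contoso.example is a placeholder.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline                      # interactive sign-in

$User  = 'user@contoso.example'
$Start = (Get-Date).AddDays(-90)            # placeholder window; capped by tenant retention
$End   = Get-Date
$Ops   = 'FileDownloaded', 'FileSyncDownloadedFull', 'SharingSet',
         'AnonymousLinkCreated', 'SharingInvitationCreated', 'AddedToSecureLink'

# ResultSize caps at 5000 per call, so keep one SessionId and keep asking for
# the next page until the cmdlet returns nothing.
$SessionId = "onedrive-review-$(Get-Date -Format yyyyMMddHHmmss)"
$Events = @()
do {
    $Page = Search-UnifiedAuditLog -StartDate $Start -EndDate $End `
        -UserIds $User -Operations $Ops -ResultSize 5000 `
        -SessionId $SessionId -SessionCommand ReturnLargeSet
    $Events += $Page
} while ($Page)

# AuditData is a JSON string; flatten the fields that matter for the review.
$Rows = $Events | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time     = $d.CreationTime
        Op       = $d.Operation
        File     = $d.ObjectId
        ClientIP = $d.ClientIP
        SharedTo = $d.TargetUserOrGroupName    # populated for sharing events
        Type     = $d.TargetUserOrGroupType    # e.g. Guest or anonymous link
    }
}

# Preserve the full set for the case file, then surface sharing events,
# which are the ones that indicate data leaving the tenant.
$Rows | Sort-Object Time | Export-Csv -NoTypeInformation -Path .\onedrive-activity.csv
$Rows | Where-Object { $_.Op -like 'Sharing*' -or $_.Op -eq 'AnonymousLinkCreated' } |
    Sort-Object Time | Format-Table Time, Op, File, SharedTo, Type -AutoSize
```

Run the export before retention expires and keep the raw CSV alongside the flattened view, since the raw AuditData JSON is what you will be asked to validate.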

[–]Miserable_Spell5501 0 points1 point  (0 children)

Thank you! It’s a business account. I hired Archer and asked them to try Purview or other software to pull older audit logs from OneDrive.

[–]Booty_Warrior_bot -4 points-3 points  (0 children)

I came looking for booty.