This document outlines our procedure for gathering Microsoft Office 365 evidence in a professional, efficient, and user-friendly manner. We adhere to relevant technical and expert evidence standards. This is not the full procedure, but an accessible outline for non-technical readers.
Why This Process Exists
This process serves to assist in real-time cyber breach responses (facilitating containment and impact assessment), as well as support ongoing internal and external breach investigations and workplace investigations.
To ensure accuracy and reliability in evidence collection, we strictly adhere to NIST SP 800-86, Guide to Integrating Forensic Techniques into Incident Response, the relevant jurisdiction’s expert code of conduct and Notion Digital Forensics’ procedures. In Australia, the federal expert code is GPN-EXPT, while states and territories have similar codes. In New Zealand, it is the High Court Rules 2016, Schedule 4.
For live ongoing hacks or incidents, we also strictly adhere to NIST SP 800-61 Rev 2, Computer Security Incident Handling Guide [1], NIST SP 800-86 and Notion Digital Forensics’ procedures.
Process for Microsoft Office 365 Forensic Extractions
We require appropriate administrative credentials and consent to access the Microsoft Office 365 environment, including audit logs, login logs, files, emails, connected services, and connected devices.
- Audit and Login Logs: We collect and analyze audit logs and login logs to identify unauthorized access, security control changes, and other relevant activities.
- Device Forensics: Sometimes, we examine connected devices like computers and phones for forensic evidence, following our device-based forensic extraction process. This is necessary because data saved by Microsoft may be incomplete.
- SharePoint and OneDrive Metadata: We analyze metadata in SharePoint and OneDrive files, including progressive version history, to identify suspicious activities and data breaches.
- Encryption keys: We collect encryption keys (BitLocker) that protect company laptops prior to a deeper examination of the laptops for other forensic information.
- Service enrolment: connection and disconnection of machines from services such as Intune Autopilot and Defender (or other cybersecurity protection systems).
- Other data depending on the case.
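As an added illustration of the audit and login log analysis described above (this is example code written for this outline, not Notion Digital Forensics’ tooling or anything from Microsoft), the script below triages a constructed export of Unified Audit Log style records for three of the indicators the bullets mention: a burst of failed logins followed by a success from the same source, an inbox rule creation treated as a security-control change, and file download and deletion events with their actor and time. The field names follow the Unified Audit Log schema; the sample records, the `example.com` identities, IP addresses and SharePoint URL, and the `CONTROL_CHANGE_OPS` set are assumptions made for the example.

```python
"""Added example: triage of Office 365 Unified Audit Log style records."""
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample export, one JSON record per line. Field names follow the
# Unified Audit Log schema; users, IPs, URLs and timestamps are invented.
# Note the records are deliberately not in time order.
SAMPLE_EXPORT = """\
{"CreationTime": "2023-04-20T02:11:20", "Operation": "UserLoginFailed", "UserId": "alice@example.com", "ClientIP": "203.0.113.7", "Workload": "AzureActiveDirectory"}
{"CreationTime": "2023-04-20T02:11:05", "Operation": "UserLoginFailed", "UserId": "alice@example.com", "ClientIP": "203.0.113.7", "Workload": "AzureActiveDirectory"}
{"CreationTime": "2023-04-20T02:11:41", "Operation": "UserLoginFailed", "UserId": "alice@example.com", "ClientIP": "203.0.113.7", "Workload": "AzureActiveDirectory"}
{"CreationTime": "2023-04-20T02:12:03", "Operation": "UserLoggedIn", "UserId": "alice@example.com", "ClientIP": "203.0.113.7", "Workload": "AzureActiveDirectory"}
{"CreationTime": "2023-04-20T02:15:30", "Operation": "New-InboxRule", "UserId": "alice@example.com", "ClientIP": "203.0.113.7", "Workload": "Exchange", "ObjectId": "Forward invoices"}
{"CreationTime": "2023-04-20T02:16:02", "Operation": "FileDownloaded", "UserId": "alice@example.com", "ClientIP": "203.0.113.7", "Workload": "SharePoint", "ObjectId": "https://contoso.sharepoint.com/sites/finance/Q1-forecast.xlsx"}
{"CreationTime": "2023-04-20T02:17:10", "Operation": "FileDeleted", "UserId": "alice@example.com", "ClientIP": "203.0.113.7", "Workload": "SharePoint", "ObjectId": "https://contoso.sharepoint.com/sites/finance/Q1-forecast.xlsx"}
{"CreationTime": "2023-04-20T09:00:00", "Operation": "UserLoggedIn", "UserId": "bob@example.com", "ClientIP": "198.51.100.4", "Workload": "AzureActiveDirectory"}
"""

# Operations treated as security-control or persistence changes. This set is an
# assumption for the example; a real case tailors it to the tenant and question.
CONTROL_CHANGE_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox", "Add member to role."}


def parse_records(text):
    """Parse newline-delimited JSON and return the records sorted by CreationTime.

    Exports are not guaranteed to be time-ordered, so sorting first keeps the
    sequence-based rule below honest."""
    records = [json.loads(line) for line in text.splitlines() if line.strip()]
    return sorted(records, key=lambda r: datetime.fromisoformat(r["CreationTime"]))


def failed_login_bursts(records, threshold=3):
    """Return {(user, ip): failure_count} for sources with >= threshold failures."""
    counts = defaultdict(int)
    for r in records:
        if r["Operation"] == "UserLoginFailed":
            counts[(r["UserId"], r["ClientIP"])] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


def success_after_failures(records, threshold=3):
    """Return (user, ip) pairs that logged in successfully right after a failure burst."""
    failures = defaultdict(int)
    flagged = []
    for r in records:  # records are time-ordered
        key = (r["UserId"], r["ClientIP"])
        if r["Operation"] == "UserLoginFailed":
            failures[key] += 1
        elif r["Operation"] == "UserLoggedIn" and failures[key] >= threshold:
            flagged.append(key)
            failures[key] = 0
    return flagged


def describe(r):
    """Compact (time, user, operation, object) tuple for reporting."""
    return (r["CreationTime"], r["UserId"], r["Operation"], r.get("ObjectId"))


def control_changes(records):
    """Records whose operation is in the control-change set."""
    return [describe(r) for r in records if r["Operation"] in CONTROL_CHANGE_OPS]


def file_events(records, operations=("FileDeleted", "FileDownloaded")):
    """Who downloaded or deleted which file, and when."""
    return [describe(r) for r in records if r["Operation"] in operations]


def triage(text):
    """Run every rule over an export and return the findings by name."""
    records = parse_records(text)
    return {
        "failed_login_bursts": failed_login_bursts(records),
        "success_after_failures": success_after_failures(records),
        "control_changes": control_changes(records),
        "file_events": file_events(records),
    }


if __name__ == "__main__":
    for finding, items in triage(SAMPLE_EXPORT).items():
        print(finding, items)
```

The rules are deliberately simple and keyed on the raw `Operation` value, so the same structure runs over a real export once the control-change set and thresholds are adjusted for the tenant under investigation; the time sort is the one step that must not be skipped, because the failure-then-success rule depends on order.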
Types of Questions We Have Answered with This Process
- What information was stolen during a cyber breach or insider breach?
- How did someone gain unauthorized access to a system?
- What emails or files were deleted, and when? Who did it?
- Were cybersecurity controls turned off or circumvented?
- Who knew what when?
- Did a collection of staff engage in a conspiracy to defraud an organization?
- Were there any unauthorized changes to critical documents, and who made those changes?
- What changes were made to login settings that may have allowed a cyber attack?
- Was information shared to a personal device or personal address?
- Was information downloaded because a user caused it to be downloaded, or was it automated?
Tools and Techniques
We use a combination of specialist tools and custom scripts we have developed to obtain rapid and accurate answers to investigative questions. All evidence is gathered via the processes outlined in NIST SP 800-86, which include hashing so that accidental damage to evidence, or tampering with it, can be detected.
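The hashing step can be shown with the following added example (written for this outline; it is not Notion Digital Forensics’ own script and NIST SP 800-86 prescribes no particular code). It builds a SHA-256 manifest over a directory of collected exports, seals the manifest with a single digest suitable for chain-of-custody notes, and later re-verifies the directory so that any modified, missing or unexpected file is reported rather than silently accepted. The two evidence files, their contents and the tampering step are constructed in a temporary directory for the demonstration.

```python
"""Added example: SHA-256 evidence manifest, sealed once and re-verified later."""
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large exports need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(evidence_dir):
    """Return {relative_path: sha256} for every file under evidence_dir."""
    manifest = {}
    for root, _dirs, files in os.walk(evidence_dir):
        for name in sorted(files):
            path = os.path.join(root, name)
            manifest[os.path.relpath(path, evidence_dir)] = sha256_file(path)
    return manifest


def seal_manifest(manifest):
    """Serialise the manifest deterministically and hash the serialisation.

    The returned digest is the one value to record in the custody notes: if it
    still matches later, every per-file hash inside the manifest is intact."""
    blob = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return blob, hashlib.sha256(blob).hexdigest()


def verify_manifest(evidence_dir, manifest):
    """Re-hash the directory and classify each path as ok/modified/missing/unexpected."""
    current = build_manifest(evidence_dir)
    status = {}
    for rel, recorded in manifest.items():
        if rel not in current:
            status[rel] = "missing"
        elif current[rel] != recorded:
            status[rel] = "modified"
        else:
            status[rel] = "ok"
    for rel in current:
        if rel not in manifest:
            status[rel] = "unexpected"
    return status


def demo():
    """Constructed walkthrough: seal two exports, alter one, re-verify.

    Returns (status_before, status_after, manifest_seal_still_valid)."""
    with tempfile.TemporaryDirectory() as evidence_dir:
        with open(os.path.join(evidence_dir, "audit_log.json"), "w") as fh:
            fh.write('{"Operation": "UserLoggedIn", "UserId": "alice@example.com"}\n')
        with open(os.path.join(evidence_dir, "signin_log.csv"), "w") as fh:
            fh.write("time,user,ip\n2023-04-20T02:12:03,alice@example.com,203.0.113.7\n")

        manifest = build_manifest(evidence_dir)
        blob, seal = seal_manifest(manifest)
        before = verify_manifest(evidence_dir, manifest)

        # Simulate an accidental edit to one exhibit after sealing (a stray newline).
        with open(os.path.join(evidence_dir, "audit_log.json"), "a") as fh:
            fh.write("\n")
        after = verify_manifest(evidence_dir, manifest)

        # The manifest bytes themselves were not touched, so the seal still holds.
        seal_still_valid = hashlib.sha256(blob).hexdigest() == seal
        return before, after, seal_still_valid


if __name__ == "__main__":
    before, after, seal_ok = demo()
    print("before tampering:", before)
    print("after tampering:", after)
    print("manifest seal intact:", seal_ok)
```

Verification is split into per-file status and a separate seal over the manifest on purpose: the per-file result tells an investigator exactly which exhibit changed, while the single seal digest is what gets written into the custody record and read back in court, where a one-line value is easier to testify to than a table of hashes.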
- [1] Cichonski, P. et al. (2012) Computer Security Incident Handling Guide, Computer Security Resource Center, National Institute of Standards and Technology (NIST) (USA). Available at: https://csrc.nist.gov/publications/detail/sp/800-61/rev-2/final (Accessed: April 25, 2023).