Honeybadger Solutions LLC

Enterprise Cloud Forensics: SaaS & IaaS Evidence

Enterprise cloud forensics is the discipline of preserving and reconstructing evidence from SaaS platforms (Microsoft 365, Google Workspace, Salesforce, Box, Dropbox) and IaaS/PaaS estates (AWS, Azure, GCP) where the client organization, not the provider, owns the evidence duty. Because logs rotate, containers vanish, and access is API-mediated, certified examiners must act within hours through admin-console exports, forensic APIs, and legal process — not weeks.

For general counsel, boards, and IT leadership, the modern enterprise no longer keeps its evidence on a server rack down the hall. It lives across a dozen consoles: a Microsoft 365 tenant, a Google Workspace domain, a Salesforce org, a Box or Dropbox content library, and a sprawling AWS, Azure, or GCP footprint of virtual machines, containers, and serverless functions that spin up and disappear in minutes. When litigation, an insider-threat departure, a breach, or a regulatory inquiry demands answers, the question is never whether the evidence exists — it is whether anyone preserved it before the platform’s own lifecycle rules erased it first.

What Makes Enterprise Cloud Evidence Different From Consumer Cloud Evidence?

Consumer cloud forensics — the world of a personal iCloud account, a private Gmail inbox, or a family Microsoft account — is a matter of serving legal process on the provider and waiting on a warrant return. Our companion resource on consumer cloud account forensics covers that terrain in depth, and it is a fundamentally different exercise from what boards and general counsel face inside a corporate estate.

Enterprise cloud evidence lives inside a tenant the organization itself administers. The company’s own IT and security teams already hold the keys — the Microsoft 365 admin center, the Google Workspace Admin Console, Salesforce Setup, the AWS Management Console — and in most cases the fastest, most complete, most defensible evidence path runs through those admin consoles and their forensic-grade export APIs, not through a subpoena to Redmond or Mountain View. The organization’s own retention policy, not the provider’s consumer terms of service, controls how long the evidence survives. That distinction changes the entire playbook: speed, internal coordination, and API-based collection replace the warrant-and-wait posture of consumer cases.

Who Actually Controls the Evidence in a Shared-Responsibility Cloud Estate?

Every major cloud provider operates on a shared-responsibility model, and understanding where that line sits is the first forensic decision an examiner makes. For infrastructure platforms — AWS, Azure, GCP — the provider secures the physical data centers, the hypervisor, and the network fabric (security of the cloud). The customer is responsible for everything built on top of it: identity and access configuration, data classification, logging configuration, network segmentation, and workload security (security in the cloud). That means the customer, not the provider, typically controls whether CloudTrail, Azure Activity Log, or GCP Cloud Audit Logs were even turned on, how long they were retained, and whether they were exported to an immutable store before rotation deleted them.

For SaaS platforms — Microsoft 365, Google Workspace, Salesforce, Box, Dropbox — the provider manages the application and its infrastructure end to end, but the customer administers licensing tiers, retention policies, audit log enablement, and user permissions. A Microsoft 365 E3 tenant retains Unified Audit Log data for a fraction of the window an E5 or Purview-licensed tenant does. A Salesforce org without Event Monitoring or Shield enabled may have almost nothing granular to reconstruct a data-exfiltration timeline. In other words: the licensing and configuration decisions IT made months or years before an incident directly determine what an examiner can recover today. Reviewing our guidance on corporate email investigation forensics and Slack and Teams message forensics alongside this framework gives counsel the full picture of what a modern collaboration stack can and cannot yield.

Which Logs and Evidence Sources Matter Across the Major Platforms?

No two platforms expose evidence the same way, and no two retention clocks run at the same speed. The table below summarizes the primary evidence sources our examiners target across the platforms most common in enterprise estates, along with the collection realities counsel should know before a hold is even issued.

Platform / ModelPrimary Evidence SourceTypical RetentionKey Collection Limitation
Microsoft 365 (SaaS)Unified Audit Log, Purview eDiscovery, Entra ID sign-in logs90 days to 1 year, license-dependentGranularity and duration scale with license tier (E3 vs. E5/Purview)
Google Workspace (SaaS)Admin Console audit logs, Google Vault, login/device activity6 months to 180 days by log type, extendable via VaultVault must be provisioned before the incident to hold data past default windows
Salesforce (SaaS/PaaS)Setup Audit Trail, Event Monitoring, Field/Login HistorySetup Audit Trail ~6 months; Event Monitoring varies by Shield licenseDeep transaction-level logs often require Shield/Event Monitoring add-on
Box / Dropbox (SaaS)Admin event stream, content access API, version historyTypically 6 months to 1 year on business tiersFile version history can be overwritten by user-level retention actions
AWS (IaaS/PaaS)CloudTrail, CloudWatch Logs, VPC Flow Logs, S3 access logs90-day default event history; indefinite if exported to S3/CloudWatchMust be pre-configured to export; default trail can miss data-plane events
Azure (IaaS/PaaS)Azure Activity Log, Entra ID sign-in/audit logs, Diagnostic Settings90 days native; longer via Log Analytics/Storage exportResource-level diagnostic logging is opt-in per resource
GCP (IaaS/PaaS)Cloud Audit Logs, Access Transparency, VPC Flow LogsAdmin Activity logs 400 days; Data Access logs 30 days defaultData Access logs must be explicitly enabled per service

The pattern across every row is the same: default retention is short, granular logging is usually opt-in, and the organization’s pre-incident configuration decisions — not the incident itself — determine what survives long enough to be collected. This is precisely why our methodology follows the evidence-handling principles in NIST Special Publication 800-86, Guide to Integrating Forensic Techniques into Incident Response, which frames order-of-volatility and defensible collection sequencing for exactly this kind of distributed, time-limited evidence environment.

How Do You Capture Evidence From Infrastructure That Is Designed to Disappear?

Modern IaaS and PaaS architecture is built for elasticity, and elasticity is the enemy of static forensic evidence. A container spins up, handles a workload, and is destroyed in seconds. A serverless function — an AWS Lambda, an Azure Function, a Google Cloud Function — executes, logs a line or two, and leaves no persistent file system behind at all. An autoscaling group terminates virtual machines the moment load drops, and with them goes any local disk state, temp file, or in-memory artifact that was never shipped to centralized logging.

This is the defining forensic challenge of the cloud-native era: by the time an examiner is engaged, the compute resource that generated the evidence may no longer exist in any form. There is no disk to image, because there is no disk. What survives is only what was deliberately streamed off the ephemeral instance before it terminated — centralized log aggregation, container runtime audit trails, orchestration-platform (Kubernetes, ECS, Cloud Run) event history, and snapshot policies taken before scale-down events. Organizations that have not architected for this reality — that rely on local logging inside containers that vanish, or that lack automated pre-termination snapshotting — often discover, mid-investigation, that the most relevant thirty minutes of activity simply left no trace anywhere.

Because retroactive memory or disk capture is frequently impossible once an ephemeral resource is gone, our approach front-loads two things the moment we’re engaged: a rapid inventory of what centralized, immutable logging already exists (so we know precisely what window of truth is recoverable), and — where the estate is still live and the incident is ongoing — immediate guidance to the client’s own DevOps/SRE function on pausing auto-scaling or termination policies for implicated resources until a snapshot or forensic image can be pulled. Every hour of delay against an active autoscaling policy is potential evidence that cannot be recreated.

What Legal Process Is Required to Compel Provider-Held Data?

Most enterprise cloud evidence never requires process against the provider at all — it sits in the customer’s own admin console and is collectible under the organization’s existing agreements and internal authority, typically through a litigation hold and a properly documented internal collection. But there are scenarios where the customer’s own logs are insufficient — deleted-account recovery beyond the tenant’s retention window, provider-side infrastructure telemetry the customer cannot see, or data implicated in a matter where the account holder is a third party (a vendor, a former employee’s personal cloud storage linked to corporate systems, a co-defendant’s SaaS tenant). In those cases, formal legal process — subpoena, civil discovery request, or in criminal matters a warrant under the Stored Communications Act framework — becomes necessary, and provider response times and data-retention practices vary widely by platform and jurisdiction.

Whichever path applies, the evidentiary end goal is the same: a record that will survive an authentication challenge in court. Federal Rule of Evidence 902, particularly the self-authentication provisions for certified records generated by an electronic process or system (902(13)) and certified data copied from an electronic device or storage medium (902(14)), exists precisely so that hash-verified, properly certified cloud exports and provider-produced records can be admitted without a live, testifying custodian for every export — provided the certification and hash-verification chain is built correctly from the first collection step forward. Sloppy, undocumented API pulls forfeit that benefit entirely and put a live-witness authentication fight back on the table.

For organizations coordinating a broader incident response alongside the forensic collection — particularly where a breach may trigger regulatory notification obligations — the Cybersecurity and Infrastructure Security Agency (CISA) maintains current guidance and reporting channels that frequently intersect with the evidentiary timeline counsel is managing in parallel.

How Do Data Residency and Multi-Tenancy Complicate Cross-Border Investigations?

Global enterprises rarely control precisely which physical region hosts a given tenant’s data, and cloud providers frequently replicate or shard data across regions for redundancy and performance. That creates two distinct complications for an investigation. First, jurisdiction: evidence physically resting in the EU, the UK, or APAC may trigger data-protection and cross-border-transfer obligations before it can be exported to the United States for analysis, even when the requesting entity is the data’s own corporate owner. Second, multi-tenancy: SaaS and IaaS platforms co-locate many customers’ workloads on shared infrastructure, and provider-side telemetry is engineered to prevent one tenant’s logs from ever surfacing another tenant’s data — which means the customer’s own tenant-scoped exports are usually the ceiling of what is collectible, not a floor with more available behind it if only the provider would look harder.

Practically, this means an early conversation with the client’s data-protection officer or outside privacy counsel about residency and applicable cross-border rules is not a bureaucratic delay — it is a forensic prerequisite that determines which collection method is even lawful before a single export is triggered.

What Is the Step-by-Step Framework for Preserving Cloud Evidence Before Retention Windows Close?

Every hour between the moment an issue is identified and the moment a defensible preservation action is taken is an hour a default retention policy, a log-rotation job, or an autoscaling event could be silently destroying the record. Our engagement framework for enterprise cloud matters follows this sequence:

  1. Issue an internal litigation hold the moment a credible trigger exists, naming the specific tenants, accounts, and cloud accounts in scope.
  2. Inventory every platform touched — SaaS tenants, IaaS/PaaS accounts, third-party integrations — and identify which admin consoles and API scopes the organization already controls.
  3. Suspend or override any automated data-lifecycle policy (retention auto-deletion, log rotation, mailbox purge schedules) that could destroy in-scope evidence before collection.
  4. Where infrastructure is ephemeral (containers, serverless, autoscaling groups), pause termination/scale-down policies on implicated resources and trigger immediate snapshots.
  5. Collect via forensic-grade, read-only administrative APIs and export tools — never through end-user interfaces that can alter metadata or trigger read receipts.
  6. Hash every exported artifact at the point of collection and log the collection method, timestamp, examiner, and tool version.
  7. Preserve associated identity and access logs (sign-in history, conditional-access decisions, admin role changes) alongside content, since access context is often the case.
  8. Where provider-held data beyond the tenant’s own visibility is required, initiate the appropriate legal process in parallel rather than waiting on internal collection to finish.
  9. Maintain unbroken chain of custody documentation from first touch through final report, sufficient to support self-authentication under evidentiary rules.
  10. Report findings in a court-ready format that ties every conclusion back to a specific, hash-verified source artifact.

This sequence mirrors the order-of-volatility principle at the heart of NIST SP 800-86: collect what is disappearing fastest first, and never let a lower-priority task delay the preservation of a higher-priority, faster-decaying source.

When Should Legal Counsel Engage a Cloud Forensics Team?

The trigger points are consistent across industries: a departing executive or engineer with broad cloud administrative access; a suspected data-exfiltration event touching Salesforce, Box, or a production AWS account; an M&A diligence process where a target company’s cloud estate needs an independent evidentiary baseline before close; a regulatory inquiry into a SaaS-hosted customer database; or any litigation where a claim or defense turns on what happened inside a Microsoft 365 tenant, a Google Workspace domain, or a multi-cloud production environment. In every one of these scenarios, the single most consequential decision counsel makes is how quickly they engage a team that can move within the platform’s actual retention clock — not the clock counsel assumes exists.

Representative scenario: a mid-market company suspects a departing sales director exported client and pricing data from Salesforce and a shared Box folder in the final weeks of employment. Because Event Monitoring had not been enabled and default Setup Audit Trail retention was already ticking down, the forensic priority was not analysis — it was an immediate export of every available audit artifact, sign-in log, and file-access record before the retention window closed, followed by full analysis once the record was secured. That sequencing — preserve first, analyze second — is the operating principle of enterprise cloud forensics.

Frequently asked questions

Can our own IT team collect this evidence, or does it need a forensic examiner?

IT can often perform the initial export, but a certified examiner should direct the method, hashing, and documentation from the outset. Evidence collected through end-user tools, without hash verification or a defensible chain of custody, is far more vulnerable to an authentication challenge — even if the underlying data was accurate, the process used to obtain it can become the fight.

How fast do cloud retention windows actually close?

It varies sharply by platform and license tier — anywhere from 30 days for some granular access logs to roughly a year for premium-tier audit retention — but the operating assumption should always be days, not months. Default configurations skew short, and log rotation does not pause for an internal investigation to get organized.

Do you need administrative credentials to our cloud tenants to investigate?

We work through read-only, scoped administrative access provisioned by your own IT or security team wherever possible, consistent with least-privilege practice. Collection is performed through forensic-grade export APIs and admin-console tools rather than broad standing credentials, and every access is logged as part of the chain of custody.

What happens if a container or serverless function has already terminated before we’re engaged?

Once ephemeral compute is gone, only what was streamed to centralized, persistent logging before termination survives — there is no disk left to image. Our first step is always inventorying what centralized logging, snapshots, and orchestration-platform history already exist, since that defines the true boundary of what is recoverable.

About Honeybadger Solutions: Honeybadger Solutions is an Arizona-licensed security and investigations firm with in-house digital forensics and cybersecurity capability, headquartered in Casa Grande, with offices in Phoenix and Oro Valley. Our certified examiners perform hash-verified acquisitions, maintain unbroken chain of custody, and deliver court-ready reporting for enterprise cloud, SaaS, and infrastructure investigations nationwide and internationally, remote-by-design from our Arizona home command. When retention windows are closing on a cloud estate, call 602-725-2818 to engage a team that can move today.