

The Big Data Blog


Velociraptor Service Not Working? Use This Task Scheduler Method Instead
As you guys remember, I have created a complete series on Velociraptor. If you didn't check it out, do check it out - link below. https://www.cyberengage.org/courses-1/mastering-velociraptor%3A-a-comprehensive-guide-to-incident-response-and-digital-forensics Now, why am I here again? Because I recently tried to install Velociraptor with the latest version on my laptop and ran into some issues. Well, not exactly "issues" - I'd say it's more like modifications in how things wor
Feb 7 · 5 min read


Tracking User Account and OAuth in Google Workspace (Without Losing Your Sanity)
If you’ve ever had to investigate a Google Workspace account takeover, you already know one thing: it’s not about one log — it’s about connecting multiple logs and understanding how Google thinks. The Two Logs You Must Know When it comes to tracking user behavior (and especially account compromise), there are four core log types you’ll always come back to: Admin log events User log events (Previously it was separated into two logs) (Login Audit Log + User Accounts Audi
Feb 5 · 5 min read


Email Log Search in Google Workspace – What You Can (and Can’t) See
Now let’s talk about Email Log Search, because this is one of the most commonly used (and misunderstood) tools when you’re investigating phishing, mailbox compromise, or suspicious inbound email. If a user reports: “I got a weird email” This is usually where you end up first. First thing to understand: the 30‑day rule Google stores email transaction logs differently depending on how old the email is. This affects what you can search, how you can search, and what results
Feb 5 · 3 min read


Pulling Google Workspace Logs via API
Let me be honest upfront: this setup looks scary the first time you see it. Google makes you jump back and forth between Google Cloud Console and Google Workspace Admin, and it feels like you’re doing something wrong the entire time. You’re not. That’s just how Google designed it. Once you understand the full flow, everything suddenly clicks. This walkthrough assumes: You are a Google Workspace Super Admin You want to collect audit / activity logs using the Admin SDK – R
Feb 4 · 4 min read


Collecting Evidence from Google Workspace
Let’s talk about something that often comes up during Google Workspace investigations: how do we actually collect logs and evidence properly? If you’ve ever worked an incident involving Google Workspace, you already know that the platform gives you a lot of data—but not all of it is equally easy to collect or analyze. Broadly speaking, there are two main ways to collect evidence from Google Workspace: Using the Workspace Admin interface (UI) Using the Workspace Admin SDK /
Feb 2 · 4 min read