The Big Data Blog


Investigating Data Exposure in Google Drive
If you’ve worked in Google Workspace long enough, you already know this truth: Google Drive is where data leaks love to happen. Not always malicious. Sometimes it’s just: “Oops, shared it publicly”, “Oops, shared it with the wrong domain”, “Oops, didn’t realize Anyone with the link means literally anyone”. So when data exposure happens, we usually care about two questions: What happened to the file? Can we still access or recover it? That’s where Google Drive investigation tool
Feb 7 · 3 min read


Velociraptor Service Not Working? Use This Task Scheduler Method Instead
As you guys remember, I have created a complete series on Velociraptor. If you didn't check it out, do check it out - link below. https://www.cyberengage.org/courses-1/mastering-velociraptor%3A-a-comprehensive-guide-to-incident-response-and-digital-forensics Now, why am I here again? Because I recently tried to install Velociraptor with the latest version on my laptop and ran into some issues. Well, not exactly "issues" - I'd say it's more like modifications in how things wor
Feb 7 · 5 min read


Tracking User Account and OAuth in Google Workspace (Without Losing Your Sanity)
If you’ve ever had to investigate a Google Workspace account takeover, you already know one thing: it’s not about one log — it’s about connecting multiple logs and understanding how Google thinks. The Two Logs You Must Know: When it comes to tracking user behavior (and especially account compromise), there are four core log types you’ll always come back to: Admin log events; User log events (previously it was separated into two logs) (Login Audit Log + User Accounts Audi
Feb 5 · 5 min read


Email Log Search in Google Workspace – What You Can (and Can’t) See
Now let’s talk about Email Log Search, because this is one of the most commonly used (and misunderstood) tools when you’re investigating phishing, mailbox compromise, or suspicious inbound email. If a user reports: “I got a weird email”, this is usually where you end up first. First thing to understand: the 30‑day rule. Google stores email transaction logs differently depending on how old the email is. This affects what you can search, how you can search, and what results
Feb 5 · 3 min read


Pulling Google Workspace Logs via API
Let me be honest upfront: this setup looks scary the first time you see it. Google makes you jump back and forth between Google Cloud Console and Google Workspace Admin, and it feels like you’re doing something wrong the entire time. You’re not. That’s just how Google designed it. Once you understand the full flow, everything suddenly clicks. This walkthrough assumes: You are a Google Workspace Super Admin; You want to collect audit / activity logs using the Admin SDK – R
Feb 4 · 4 min read