The Big Data Blog


Collecting Evidence from Google Workspace
Let’s talk about something that often comes up during Google Workspace investigations: how do we actually collect logs and evidence properly? If you’ve ever worked an incident involving Google Workspace, you already know that the platform gives you a lot of data—but not all of it is equally easy to collect or analyze. Broadly speaking, there are two main ways to collect evidence from Google Workspace: Using the Workspace Admin interface (UI) Using the Workspace Admin SDK /
Feb 2 · 4 min read


Understanding Google Workspace Structure from a Cloud Forensics Lens
In this new series, we'll be diving deep into investigation and forensics within Google Workspace (the Google ecosystem). So tighten your seatbelt—let's go! When diving into cloud forensics—especially in Google Workspace—there’s a lot more to unravel than just user credentials or login timestamps. One of the most overlooked but crucial areas is how permissions are managed within the environment. Let's break down two key building blocks of Google Workspace that matter a lot
Jan 30 · 4 min read


Let’s Go Practical: Working with NetFlow Using nfdump Tools
Enough theory. Now let’s actually touch NetFlow data. If you’re doing DFIR, threat hunting, or even basic network investigations, one toolkit you must be comfortable with is the nfdump suite. This suite gives you three extremely important tools: nfcapd – the collector; nfpcapd – the pcap-to-NetFlow converter; nfdump – the analysis engine. nfcapd: The NetFlow Collector (W
Jan 21 · 6 min read


Where NetFlow Either Shines or Struggles
Let’s talk about where NetFlow either becomes incredibly powerful… or painfully slow. Most NetFlow analysis is done in a GUI: browser-based or thin clients that are basically a browser wrapped with authentication, branding, and access control. Nothing wrong with that — in fact, it makes a lot of sense. In most deployments, the GUI or console is hosted close to the storage layer or on the same system entirely. That design choice is intentional. When analysts start querying mo
Jan 19 · 3 min read


NetFlow: Something I Seriously Underestimated (Until I Didn’t)
I’ll be honest. For a long time, I never really gave NetFlow the priority it deserves. PCAP was always the gold standard in my head. If you want to know what really happened on the network, you go straight to packet capture. End of story. But after reading more, testing more, and actually thinking about scale, cost, and real-world SOC/DFIR constraints, my opinion changed. Today, I want to talk about why NetFlow matters, when it actually makes your job easier, and why full
Jan 19 · 7 min read