
Collecting Evidence from Google Workspace

Let’s talk about something that often comes up during Google Workspace investigations: how do we actually collect logs and evidence properly?

If you’ve ever worked an incident involving Google Workspace, you already know that the platform gives you a lot of data—but not all of it is equally easy to collect or analyze. Broadly speaking, there are two main ways to collect evidence from Google Workspace:


  1. Using the Workspace Admin interface (UI)

  2. Using the Workspace Admin SDK / APIs


On paper, both give you access to similar information. In practice they behave quite differently, and those differences matter during forensic analysis.


Let’s break this down in a simple, practical way.

-------------------------------------------------------------------------------------------------------------

Option 1: Using the Google Workspace Admin Interface

The Admin interface is usually where everyone starts—and honestly, it’s not a bad place to begin.

It gives you a visual, human-friendly way to explore logs. You can click through the different audit sections, filter events, and see clearly what is going on.


This is especially useful when:
  • You’re doing a quick triage

  • You need to show evidence to a manager, legal team, or client

  • You want to visually confirm suspicious activity



The downside?

All the useful data is scattered across different screens.


If you want to investigate a full Workspace compromise, you’ll likely need to:

  • Jump between Drive logs

  • Check login and authentication activity

  • Review OAuth and third‑party app access

  • Inspect Admin console changes


Each of these lives in a different place. That means a lot of clicking, filtering, exporting, and repeating the process again and again. It works—but it’s slow.


Export limitations

There are a few important limitations to keep in mind:

  • Each export is capped at a fixed number of events per log type (10,000 for some reports, 100,000 for others)

  • If your search returns more than that, you must split it into smaller time ranges and export each one separately

  • From the UI, logs are exported as a Google Sheet (GSheet)


You can later convert those sheets into CSV, but it’s an extra step—and not ideal if you’re planning to ingest logs into a SIEM or timeline tool.

-------------------------------------------------------------------------------------------------------------

Option 2: Collecting Logs via the Workspace Admin SDK (API)

Now this is where things get really interesting for forensic work.

The Admin SDK Reports API lets you collect the same audit data programmatically. Once it is set up, this becomes the fastest and most consistent way to gather evidence.

Yes, the initial setup takes some effort. You will need:

  • A Service Account with domain-wide delegation, authorised for the Reports API audit scope (admin.reports.audit.readonly)

  • A Workspace admin account for the service account to impersonate, with the right to view reports

  • Some basic scripting knowledge

But once that is done, everything becomes repeatable and scalable, and the credential can be scoped read-only so collection never modifies the tenant.


Types of reports you can collect

Using the API, you can pull two main types of reports:


1. Activity Reports

These tell you what actually happened across Workspace services, including:

  • Google Drive activity

  • Authentication and login events

  • OAuth and third‑party application access

  • Admin console changes

These are gold during investigations because they help you track changes, abuse, and attacker actions.


2. Usage Reports

These are aggregate metrics rather than event records: per-user and per-customer counts and totals over time (storage consumed, number of logins per day, and so on). They will not reconstruct what an attacker did, but they are useful for spotting anomalies and misuse patterns.


Why investigators prefer API logs

There are several big advantages here:

  • No fixed export ceiling like the UI: results are paged, and you simply follow nextPageToken until the data runs out

  • Logs are returned in JSON format, which is perfect for:

    • SIEM ingestion

    • Timeline creation

    • Custom parsing and analysis

  • Timestamps are RFC 3339 in UTC, which avoids time zone confusion when building a timeline

  • Collection can be fully scripted, ensuring consistency every time


In short: if you’re doing a serious investigation, the API approach is hard to beat.
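The setup steps listed above and the activity-report pull they enable, as an added example in Python that is not part of the original post. It assumes a service account with domain-wide delegation for the admin.reports.audit.readonly scope, impersonating a Workspace admin address you supply; the function names, the key-file path and the sample API responses are this example's own (the responses are constructed to match the shape the Reports API returns and are not real data). It follows nextPageToken until the API is exhausted, flattens each event into one JSON object with its UTC timestamp, and writes JSON Lines for SIEM or timeline ingestion.

```python
"""Pull Workspace activity reports through the Admin SDK Reports API.

Added example, not code from the original post. It assumes a service account
with domain-wide delegation for REPORTS_SCOPE, impersonating a Workspace admin
(admin_email); function names are this example's own. The Google client
libraries are imported only inside reports_api_fetcher, so paging and
flattening run without them.
"""
import json
from datetime import datetime, timedelta, timezone

REPORTS_SCOPE = "https://www.googleapis.com/auth/admin.reports.audit.readonly"
# applicationName values for the sources the post lists: login, drive, token, admin


def reports_api_fetcher(key_file, admin_email):
    """Return fetch(application, start_time, page_token) backed by the real API."""
    from google.oauth2 import service_account
    from googleapiclient.discovery import build

    creds = service_account.Credentials.from_service_account_file(
        key_file, scopes=[REPORTS_SCOPE]).with_subject(admin_email)
    service = build("admin", "reports_v1", credentials=creds)

    def fetch(application, start_time, page_token=None):
        return service.activities().list(
            userKey="all", applicationName=application,
            startTime=start_time,  # RFC 3339, UTC
            maxResults=1000, pageToken=page_token).execute()
    return fetch


def collect_activities(fetch, application, start_time):
    """Follow nextPageToken until the API stops returning one; yield raw items."""
    token = None
    while True:
        page = fetch(application, start_time, token)
        yield from page.get("items", [])
        token = page.get("nextPageToken")
        if not token:
            return


def to_timeline_rows(item):
    """One flat dict per event in an activity item: UTC time, actor, IP and
    the event parameters as param_* keys (ready for JSON Lines / SIEM)."""
    rows = []
    for event in item.get("events", []):
        row = {"time_utc": item["id"]["time"],
               "unique_id": item["id"]["uniqueQualifier"],
               "application": item["id"]["applicationName"],
               "actor": item.get("actor", {}).get("email"),
               "ip": item.get("ipAddress"),
               "event_type": event.get("type"), "event_name": event.get("name")}
        for p in event.get("parameters", []):
            # the API places the value in value/boolValue/intValue by type
            row["param_" + p["name"]] = p.get("value", p.get("boolValue", p.get("intValue")))
        rows.append(row)
    return rows


def collect_rows(fetch, applications, start_time):
    """Flattened events for every application, oldest first; RFC 3339 UTC
    strings of equal precision sort correctly as text, no zone parsing needed."""
    rows = [r for app in applications
            for item in collect_activities(fetch, app, start_time)
            for r in to_timeline_rows(item)]
    return sorted(rows, key=lambda r: r["time_utc"])


# Constructed sample pages in the shape the Reports API returns, so paging and
# flattening can be exercised offline; not real data.
SAMPLE_PAGES = {
    None: {"nextPageToken": "page2", "items": [{
        "id": {"time": "2024-05-01T08:15:02.123Z", "uniqueQualifier": "-11", "applicationName": "login"},
        "actor": {"email": "alice@example.com"}, "ipAddress": "203.0.113.7",
        "events": [{"type": "login", "name": "login_success", "parameters": [
            {"name": "login_type", "value": "google_password"},
            {"name": "is_suspicious", "boolValue": False}]}]}]},
    "page2": {"items": [{
        "id": {"time": "2024-05-01T08:03:40.000Z", "uniqueQualifier": "-12", "applicationName": "login"},
        "actor": {"email": "alice@example.com"}, "ipAddress": "198.51.100.9",
        "events": [{"type": "login", "name": "login_failure", "parameters": [
            {"name": "login_type", "value": "google_password"},
            {"name": "login_failure_type", "value": "login_failure_invalid_password"}]},
                   {"type": "login", "name": "suspicious_login", "parameters": []}]}]},
}


def sample_fetcher(application, start_time, page_token=None):
    """Offline stand-in for the closure reports_api_fetcher() returns."""
    return SAMPLE_PAGES[page_token]


if __name__ == "__main__":
    # Real run: fetch = reports_api_fetcher("sa-key.json", "admin@example.com")
    start = (datetime.now(timezone.utc) - timedelta(days=30)).strftime("%Y-%m-%dT%H:%M:%SZ")
    rows = collect_rows(sample_fetcher, ("login",), start)
    with open("workspace_activity.jsonl", "w", encoding="utf-8") as fh:
        fh.writelines(json.dumps(r, sort_keys=True) + "\n" for r in rows)
    print(f"wrote {len(rows)} events")
```

Two design points worth keeping: the transport is a single injectable function, so the same paging and flattening code runs against the live API or against saved responses, and the uniqueQualifier is preserved on every row so re-runs over overlapping windows can be de-duplicated before ingestion.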

-------------------------------------------------------------------------------------------------------------

Option 3: Sending Google Workspace Logs to Google Cloud Logging

There’s a third option that often gets overlooked—but it’s extremely powerful.

Google Workspace can send certain logs directly to Google Cloud Logging. This allows you to:

  • Retain logs for a much longer period

  • Query them using Cloud Log Explorer

  • Correlate Workspace logs with other Google Cloud activity


You must enable sharing first; it is off by default. In the Admin console, go to Account > Account settings > Legal and compliance > Sharing options and enable Google Cloud Platform sharing. The Workspace account must already be linked to a Google Cloud organization, because that organization is where the logs are written.

The catch

Not all Workspace logs are sent to Google Cloud.

Only five log types are forwarded (Admin, Login, OAuth token, Enterprise Groups and SAML). While these are some of the most valuable ones for investigations, they do not always tell the full story.


For example:

  • Drive audit events and email logs (email log search and Gmail log events) are not included, so data exfiltration through Drive or mail is invisible here

  • You cannot customize which logs are sent

  • Google decides what gets forwarded; you only choose whether forwarding is enabled or not


So while this method is fantastic for long‑term visibility, it should be seen as a complement, not a replacement, for API‑based collection.

-------------------------------------------------------------------------------------------------------------

Permissions: A Common Roadblock

If you try to search Workspace logs in Google Cloud and run into permission errors, don't panic.

It usually means your account lacks a log-viewing role on the organization. Workspace logs are written to the organization resource, not to a project, so a role granted on a project does not help.


The fix is simple:

  • Go to IAM & Admin in Google Cloud with the organization selected

  • Grant the least role that works: Logs Viewer (roles/logging.viewer) covers the Admin Activity logs, and Private Logs Viewer (roles/logging.privateLogViewer) is needed for Data Access audit logs, which is where the Login audit events land. Logging Admin also works, but it additionally allows deleting logs and changing sinks, which an analyst account should not be able to do

Once that is done, Log Explorer will start behaving as expected.

Log Explorer Example

Querying Workspace Logs in Google Cloud

When Workspace logs arrive in Google Cloud, they are spread across a few service names. To search them together, you can use a query like this in Log Explorer:

protoPayload.serviceName = (
  "admin.googleapis.com" OR
  "cloudidentity.googleapis.com" OR
  "login.googleapis.com" OR
  "oauth2.googleapis.com"
)

Example, login events only:
protoPayload.serviceName = (
  "login.googleapis.com"
)

One important thing to remember: Workspace logs are stored on the organization resource, so you need to select the root organization (not a project) in the Log Explorer resource picker. A project-scoped query simply returns nothing, which is easy to mistake for "sharing is not working".
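The same Log Explorer query, built and run from code, as an added example that is not from the original post: it composes the filter (optionally time-bounded and narrowed to one actor), runs it against the organization resource with the google-cloud-logging client, and flattens each entry into one row per Workspace event so it can sit on the same timeline as Reports API data. Assumptions: sharing is enabled, the caller holds a log-viewing role on the organization, the organization ID and names are placeholders, and the LogEntry layout used in flatten_entry (an AuditLog protoPayload carrying metadata.event) is assumed; the sample entry is constructed, not real data.

```python
"""Query Workspace audit logs shared with Google Cloud Logging, scoped to the
organization, and flatten the entries for a timeline.

Added example, not code from the original post. Assumptions: sharing to Cloud
Logging is enabled, the caller has a log-viewing role on the organization,
org_id is your numeric organization ID, and the LogEntry layout in
flatten_entry (AuditLog protoPayload with metadata.event[]) matches what your
organization receives. The google-cloud-logging import is deferred to
query_org so the filter building and flattening run offline.
"""
WORKSPACE_SERVICES = (
    "admin.googleapis.com",          # Admin console changes
    "cloudidentity.googleapis.com",  # Groups
    "login.googleapis.com",          # Login audit
    "oauth2.googleapis.com",         # OAuth token audit
)


def build_filter(services=WORKSPACE_SERVICES, start=None, end=None, actor=None):
    """Logging query language filter equivalent to the Log Explorer query in the
    post, optionally bounded by RFC 3339 UTC timestamps and narrowed to one actor."""
    quoted = " OR ".join(f'"{s}"' for s in services)
    parts = [f"protoPayload.serviceName = ({quoted})"]
    if start:
        parts.append(f'timestamp >= "{start}"')
    if end:
        parts.append(f'timestamp <= "{end}"')
    if actor:
        parts.append(f'protoPayload.authenticationInfo.principalEmail = "{actor}"')
    return "\n".join(parts)


def query_org(org_id, filter_text, max_results=1000):
    """Run the filter against the organization resource, where Workspace logs
    land (a project-scoped query returns nothing). Yields LogEntry dicts."""
    from google.cloud import logging  # google-cloud-logging, imported lazily

    client = logging.Client()
    entries = client.list_entries(
        resource_names=[f"organizations/{org_id}"],
        filter_=filter_text,
        order_by=logging.DESCENDING,
        max_results=max_results,
    )
    for entry in entries:
        yield entry.to_api_repr()


def flatten_entry(entry):
    """One dict per Workspace event inside a LogEntry: UTC time, service,
    actor, caller IP, event name and its parameters as param_* keys."""
    pp = entry.get("protoPayload", {})
    events = pp.get("metadata", {}).get("event") or [{}]
    rows = []
    for ev in events:
        row = {
            "time_utc": entry.get("timestamp"),
            "service": pp.get("serviceName"),
            "method": pp.get("methodName"),
            "actor": pp.get("authenticationInfo", {}).get("principalEmail"),
            "ip": pp.get("requestMetadata", {}).get("callerIp"),
            "event_type": ev.get("eventType"),
            "event_name": ev.get("eventName"),
        }
        for p in ev.get("parameter", []):
            row["param_" + p["name"]] = p.get("value", p.get("boolValue", p.get("intValue")))
        rows.append(row)
    return rows


# Constructed sample LogEntry (a shared login audit event); not real data.
SAMPLE_ENTRY = {
    "logName": "organizations/123456789012/logs/cloudaudit.googleapis.com%2Fdata_access",
    "timestamp": "2024-05-01T08:15:02.123456Z",
    "resource": {"type": "audited_resource",
                 "labels": {"service": "login.googleapis.com",
                            "method": "google.login.LoginService.loginSuccess"}},
    "protoPayload": {
        "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
        "serviceName": "login.googleapis.com",
        "methodName": "google.login.LoginService.loginSuccess",
        "authenticationInfo": {"principalEmail": "alice@example.com"},
        "requestMetadata": {"callerIp": "203.0.113.7"},
        "metadata": {"event": [{"eventType": "login", "eventName": "login_success",
                                "parameter": [{"name": "login_type", "value": "google_password"},
                                              {"name": "is_suspicious", "boolValue": False}]}]},
    },
}


if __name__ == "__main__":
    flt = build_filter(start="2024-05-01T00:00:00Z", actor="alice@example.com")
    print(flt)
    # Real run: for e in query_org("123456789012", flt): print(flatten_entry(e))
    print(flatten_entry(SAMPLE_ENTRY))
```

If you would rather not script the query, the string build_filter returns can be passed unchanged to gcloud logging read together with --organization=ORG_ID; the point is the same in both cases, the organization is the resource being read, not a project.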


-------------------------------------------------------------------------------------------------------------

Final Thoughts

If we simplify everything:

  • Admin UI → great for quick checks and visual walkthroughs

  • Admin SDK / API → best for fast, consistent, forensic‑grade evidence collection

  • Google Cloud Logging → excellent for long‑term retention and centralized querying

In real investigations, the strongest approach is usually a combination of all three.

-------------------------------------------------------------------------------------------------------------

Dean