Google Workspace Forensics - Insights from Real-World Hunts & IR

Presented at BSidesLV 2023, Aug. 8, 2023, 2 p.m. (25 minutes).

Google Workspace is now the core IT infrastructure for many organizations: according to Google's "2021 Year in Review", 3 billion people use Google Workspace, which draws attackers to target GWS users and resources directly. Forensic investigators may struggle to identify threats in GWS logs efficiently because of the complexity and uniqueness of those logs. In this talk, we share our knowledge and expertise on how to hunt and perform IR investigations over Google Workspace logs, based on a real-world threat hunt focused on data exfiltration from Google Drive. We will show the work of a forensic investigator in a Google Workspace (formerly G Suite) domain. We believe this knowledge is necessary for anyone who wants to investigate Google Workspace logs.
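As an added illustration of the kind of hunt the abstract describes (this is example code written for this page, not material from the talk or its presenters), the script below runs two simple exfiltration checks over Drive audit events: a sliding-window count of distinct documents downloaded per actor, and a scan for access grants to accounts outside the organization's domain. The records are constructed inline and shaped like Admin SDK Reports API `drive` activities (`id.time`, `actor.email`, `events[].name`, `events[].parameters[]`); the parameter names used (`doc_id`, `doc_title`, `target_user`), the tenant domain `example.com`, and the thresholds are assumptions for the example, not values from the page.

```python
"""Hunt for Drive exfiltration signals in Google Workspace Drive audit events.

Added example, not code from the talk or its authors. Records are built to
resemble Admin SDK Reports API activities with applicationName "drive";
all sample data below is constructed.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

ORG_DOMAIN = "example.com"           # assumed tenant domain
BULK_THRESHOLD = 5                   # distinct docs downloaded by one actor ...
BULK_WINDOW = timedelta(minutes=10)  # ... inside this sliding window


def _activity(ts, actor, ip, name, params):
    """Build one record shaped like a Reports API drive activity (constructed)."""
    return {
        "kind": "admin#reports#activity",
        "id": {"time": ts, "applicationName": "drive"},
        "actor": {"email": actor},
        "ipAddress": ip,
        "events": [{
            "type": "access" if name == "download" else "acl_change",
            "name": name,
            "parameters": [{"name": k, "value": v} for k, v in params.items()],
        }],
    }


# Constructed sample log: alice pulls six spreadsheets in five minutes and then
# shares one with a consumer mailbox; bob's activity is ordinary internal use.
SAMPLE_LOG = [
    _activity(f"2023-08-08T14:0{i}:00.000Z", "alice@example.com", "203.0.113.7",
              "download", {"doc_id": f"doc-{i}", "doc_title": f"Q3 forecast {i}.xlsx",
                           "owner": "cfo@example.com", "visibility": "people_within_domain"})
    for i in range(6)
] + [
    _activity("2023-08-08T14:07:00.000Z", "alice@example.com", "203.0.113.7",
              "change_user_access", {"doc_id": "doc-0", "doc_title": "Q3 forecast 0.xlsx",
                                     "target_user": "drop.box.mule@gmail.com",
                                     "old_value": "none", "new_value": "can_view"}),
    _activity("2023-08-08T15:00:00.000Z", "bob@example.com", "198.51.100.2",
              "download", {"doc_id": "doc-9", "doc_title": "lunch menu.pdf",
                           "owner": "bob@example.com", "visibility": "private"}),
    _activity("2023-08-08T15:01:00.000Z", "bob@example.com", "198.51.100.2",
              "change_user_access", {"doc_id": "doc-9", "doc_title": "lunch menu.pdf",
                                     "target_user": "carol@example.com",
                                     "old_value": "none", "new_value": "can_edit"}),
]


def parse_time(ts):
    """Reports API timestamps are RFC 3339 with millisecond precision and a Z suffix."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ")


def flatten(activity):
    """Yield (time, actor, ip, event_name, params) for each event in one record."""
    t = parse_time(activity["id"]["time"])
    actor = activity.get("actor", {}).get("email", "<unknown>")
    ip = activity.get("ipAddress", "")
    for ev in activity.get("events", []):
        params = {p["name"]: p.get("value") for p in ev.get("parameters", [])}
        yield t, actor, ip, ev["name"], params


def bulk_downloads(log, threshold=BULK_THRESHOLD, window=BULK_WINDOW):
    """Map actor -> sorted titles of the first burst of >= threshold distinct docs within window."""
    per_actor = defaultdict(list)
    for t, actor, _ip, name, p in (e for a in log for e in flatten(a)):
        if name == "download":
            per_actor[actor].append((t, p.get("doc_id"), p.get("doc_title")))
    hits = {}
    for actor, dl in per_actor.items():
        dl.sort()
        start = 0
        for end in range(len(dl)):
            while dl[end][0] - dl[start][0] > window:   # slide the window forward
                start += 1
            burst = dl[start:end + 1]
            if len({d[1] for d in burst}) >= threshold:
                hits[actor] = sorted(d[2] for d in burst)
                break
    return hits


def external_shares(log, org_domain=ORG_DOMAIN):
    """List (actor, doc_title, target_user) for ACL grants to users outside org_domain."""
    out = []
    for _t, actor, _ip, name, p in (e for a in log for e in flatten(a)):
        target = (p.get("target_user") or "").lower()
        # Exact-domain match is an assumption; extend for trusted partner domains.
        if name == "change_user_access" and "@" in target \
                and not target.endswith("@" + org_domain):
            out.append((actor, p.get("doc_title"), target))
    return out


if __name__ == "__main__":
    print(json.dumps({"bulk_downloads": bulk_downloads(SAMPLE_LOG),
                      "external_shares": external_shares(SAMPLE_LOG)}, indent=2))
```

Both rules are deliberately cheap so they can run across an export of every Drive event for a tenant; in a real hunt you would pivot from each hit on `ipAddress` and `actor.email` into the login audit log to check whether the burst followed a suspicious sign-in.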

Presenters:

  • Ariel Szarf
    Ariel Szarf works as a Senior Cloud Security Researcher at Mitiga. Prior to that, Ariel was a Cyber Security Specialist Officer in the IDF. In addition, Ariel has a Master's degree in Computer Science. Today, Ariel researches potential attacks on cloud services and SaaS, and investigates incidents.
  • Doron Karmi
    Doron Karmi has worked in the field of cyber security since 2011. Doron began their career as a Team Lead and Data & Intelligence Analyst at 8200 Unit in 2011. In 2014, they joined The DigiTrust Group as an Information Security Analyst. In 2016, they were a Cyber Security Analyst at Check Point Software Technologies, Ltd. From 2017 to 2020, they worked at CyberInt as a Threat Hunter and Cyber Security Incident Responder. In 2020, they were a Senior Threat Hunter at Palo Alto Networks. Currently, Doron is a Cloud Security Researcher and Senior Incident Responder at Mitiga. Doron Karmi obtained the GIAC Certified Forensic Analyst (GCFA) certification through the SANS Technology Institute in 2018, as well as certifications from Akamai Technologies in Bot Manager Foundations and Kona Site Defender.
