A very brief introduction to Office 365 cloud forensics

An introduction to Forensics in an Office 365 Environment

What is Office 365?

Office 365 is the online version of the Microsoft Office suite. It allows the applications and their documents to be saved in a cloud environment, with access restricted to authorised personnel only.

What is this cloud?

The cloud is essentially a number of servers which are remote to the user. They are not on-site. Due to this, they have to provide access to the user. With this in mind, If I have a team of people all over the world, we can use Office 365’s cloud environment to store our documents. We can all edit at the same time, on the same document.

Alternatively, a company may store sensitive information in the cloud. Netflix for example, use the cloud to perform data analytics.

What does this mean for forensics?

Artefacts may not be resident to a computer anymore, in that they will be found within the cloud. A word document belonging to a terrorist group wouldn’t appear as a file in the computer, but would however, be present in the cloud, along with information about who else has access to it.

In addition to this, sensitive material may be compromised. With multiple users having access, a forensic investigator must be able to identify how this happened, and who was involved.

Tools

There are tools thankfully, which make the process significantly­­ easier. Uploads can be made from both the computer and the cloud, allowing correlation between artefacts. The tool also allows for visual analysis, making it easier to identify important things.

I highly recommend you watch the following video. The video covers a basic investigation in Office 365.