In the realm of enterprise security, the cloud has emerged as both a boon and a bane. While it offers unparalleled flexibility and scalability, it also introduces unique challenges, especially when it comes to forensic investigations. Microsoft 365, being a predominant cloud service, is no exception. Capturing forensic evidence within this platform requires a nuanced understanding of its architecture, logging mechanisms, and the tools at an investigator's disposal.

Understanding Microsoft 365's Logging Infrastructure

Microsoft 365's logging infrastructure is multifaceted, encompassing various services and portals. Central to this is the Unified Audit Log (UAL), which aggregates logs from multiple services, including Exchange Online, SharePoint Online, and Teams. The UAL serves as a comprehensive repository, capturing user and administrative activities across the platform.
Key Components of the UAL:
  • Azure Active Directory (Azure AD) Sign-ins: These logs provide insights into user authentication activities, highlighting successful and failed sign-in attempts.
  • Azure AD Administrative Activities: This encompasses changes to policies, user and group modifications, application alterations, and administrative role assignments.
  • Office 365 Activities: Logs detailing user interactions within services like Exchange Online, SharePoint Online, and Teams.
Accessing these logs can be achieved through multiple avenues:
  • Azure AD Portal: Now the Microsoft Entra admin center, this portal offers a view into sign-ins, risk events, and administrative activities.
  • Microsoft 365 Defender Portal: Provides tools like Advanced Hunting and Audit Search for in-depth log analysis.
  • Defender for Cloud Apps: Found at https://portal.cloudappsecurity.com, this portal, when configured, stores data in the Activity log and offers alert templates to detect and respond to security events.
Understanding the retention policies is crucial. By default, UAL data is retained for 90 days, but this can extend up to 365 days for E5/F5/A5/G5 licensed customers or those with the appropriate add-on package. This extended retention is invaluable for investigations that require historical data analysis.

Harnessing Advanced Audit for Forensic Investigations

Advanced Audit in Microsoft 365 is a pivotal tool for forensic investigations. It not only extends audit log retention but also provides access to critical events essential for thorough analyses.
Steps to Leverage Advanced Audit:
  • Manage and Configure Audit Log Retention Policies: Given that breaches can remain undetected for extended periods, having a longer retention period is beneficial. Advanced Audit supports retaining audit log data for key workloads like Exchange, SharePoint, and Azure Active Directory for up to one year by default. For organizations with regulatory obligations requiring longer retention, audit log records can be retained for up to 10 years by adding the 10-year Audit Log Retention license to Advanced Audit.
  • Utilize Search Patterns to Scope and Assess Attacker Intentions: Once compromised accounts are identified, search patterns can help determine the scope of the breach and assess attacker intentions by providing insights into searches performed using the compromised accounts.
  • Monitor for Email Forwarding to External Mailboxes: Attackers often exfiltrate sensitive information by forwarding emails to external accounts. Advanced Audit allows identification of emails sent from potentially compromised accounts using the mail send event, even if the attacker deletes the sent message from the Sent Items folder.
  • Export Audit Signals for Further Analysis: Audit log data can be exported and shared with relevant teams, such as legal departments or external forensic investigators, for further action.
By systematically following these steps, organizations can effectively harness Advanced Audit to power their forensic investigations.
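The two sections above describe what the Unified Audit Log holds (sign-ins, admin activity, Exchange events) and how Advanced Audit events are used to scope a compromise: spotting forwarding rules, pulling the searches and mail sends of a suspect account, and exporting the result for hand-off. The script below is an added example, not code from the article or from Microsoft; it works on the AuditData JSON objects of a UAL export. Field names (Operation, UserId, ClientIP, CreationTime, Parameters, QueryText, Item) follow the UAL schema, the event names SearchQueryInitiatedExchange and Send are the Advanced Audit events, and every sample record and value is constructed for the illustration.

```python
"""Triage of exported Microsoft 365 Unified Audit Log (UAL) records.

Added example: records are constructed to resemble the AuditData JSON payloads
of a UAL export. Field names follow the UAL schema; all values are invented.
"""
import json
from collections import defaultdict

# Exchange cmdlets that change mail routing, and the parameters that send a
# copy elsewhere. A rule with these set right after a suspicious sign-in is
# the classic forwarding-exfiltration pattern the article warns about.
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress", "ForwardingAddress"}

# Constructed sample: two failed sign-ins, a success, a forwarding rule, a
# mailbox search and a send, all from one IP; plus one benign login by bob.
SAMPLE_AUDITDATA = [
    {"CreationTime": "2024-03-01T08:02:11", "Operation": "UserLoginFailed",
     "UserId": "alice@example.com", "ClientIP": "203.0.113.7", "Workload": "AzureActiveDirectory"},
    {"CreationTime": "2024-03-01T08:02:40", "Operation": "UserLoginFailed",
     "UserId": "alice@example.com", "ClientIP": "203.0.113.7", "Workload": "AzureActiveDirectory"},
    {"CreationTime": "2024-03-01T08:03:05", "Operation": "UserLoggedIn",
     "UserId": "alice@example.com", "ClientIP": "203.0.113.7", "Workload": "AzureActiveDirectory"},
    {"CreationTime": "2024-03-01T08:10:00", "Operation": "New-InboxRule",
     "UserId": "alice@example.com", "ClientIP": "203.0.113.7", "Workload": "Exchange",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "external-mailbox@example.net"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2024-03-01T08:12:30", "Operation": "SearchQueryInitiatedExchange",
     "UserId": "alice@example.com", "ClientIP": "203.0.113.7", "Workload": "Exchange",
     "QueryText": "password"},
    {"CreationTime": "2024-03-01T08:15:00", "Operation": "Send",
     "UserId": "alice@example.com", "ClientIP": "203.0.113.7", "Workload": "Exchange",
     "Item": {"Subject": "Q4 contracts"}},
    {"CreationTime": "2024-03-01T09:00:00", "Operation": "UserLoggedIn",
     "UserId": "bob@example.com", "ClientIP": "198.51.100.20", "Workload": "AzureActiveDirectory"},
]


def load_auditdata(rows):
    """Accept dicts or JSON strings (the AuditData column of a CSV/JSON export)."""
    return [json.loads(r) if isinstance(r, str) else r for r in rows]


def signin_summary(records):
    """Per user: failed/successful sign-in counts and the source IPs seen."""
    summary = defaultdict(lambda: {"failed": 0, "success": 0, "ips": set()})
    for r in records:
        op = r.get("Operation")
        if op in ("UserLoggedIn", "UserLoginFailed"):
            entry = summary[r["UserId"]]
            entry["failed" if op == "UserLoginFailed" else "success"] += 1
            entry["ips"].add(r.get("ClientIP"))
    return dict(summary)


def find_forwarding_rules(records):
    """Flag inbox-rule or mailbox changes that forward or redirect mail."""
    hits = []
    for r in records:
        if r.get("Operation") not in RULE_OPERATIONS:
            continue
        for p in r.get("Parameters", []):
            if p.get("Name") in FORWARDING_PARAMS:
                hits.append({"time": r["CreationTime"], "user": r["UserId"],
                             "operation": r["Operation"], "parameter": p["Name"],
                             "destination": p.get("Value")})
    return hits


def activity_for(records, users):
    """Scope the breach: searches run and mail sent from the suspect accounts
    (SearchQueryInitiated* and Send are Advanced Audit events)."""
    users = set(users)
    searches, sends = [], []
    for r in records:
        if r.get("UserId") not in users:
            continue
        if r.get("Operation", "").startswith("SearchQueryInitiated"):
            searches.append((r["CreationTime"], r.get("QueryText")))
        elif r.get("Operation") == "Send":
            sends.append((r["CreationTime"], r.get("Item", {}).get("Subject")))
    return {"searches": searches, "sends": sends}


def triage(records):
    """Accounts that set up forwarding become suspects; their searches and
    sends are pulled into one report that can be handed to legal or an IR firm."""
    rules = find_forwarding_rules(records)
    suspects = sorted({h["user"] for h in rules})
    return {"signins": signin_summary(records), "forwarding": rules,
            "suspects": suspects, "activity": activity_for(records, suspects)}


if __name__ == "__main__":
    report = triage(load_auditdata(SAMPLE_AUDITDATA))
    print(json.dumps(report, indent=2, default=lambda o: sorted(o)))  # sets -> lists
```

The report is the export step: dumping it as JSON gives the legal team or external investigator a self-contained artifact. Because a Send event is recorded server-side, it survives the attacker deleting the message from Sent Items, which is why `activity_for` relies on it rather than on mailbox contents.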

Digital Forensics with Windows 365 Enterprise Cloud PCs

Windows 365 Enterprise Cloud PCs present unique considerations for digital forensics. Unlike traditional physical devices, these cloud-based PCs require specific procedures to ensure the integrity and admissibility of forensic evidence.
Key Considerations:
  • Placing a Cloud PC Under Review: Windows 365 offers the capability to place a Cloud PC under review, securely saving a snapshot of the Cloud PC to the organization's Azure Storage Account. This snapshot serves as a tamper-evident record, essential for forensic analysis.
  • Ensuring Data Integrity: To maintain the integrity of the snapshot, it's advisable to create a file hash immediately after saving it to the Azure Storage account. This hash acts as a digital fingerprint, ensuring the data remains unaltered.
  • Access Control and Chain of Custody: Maintaining a clear chain of custody is paramount. Only authorized personnel should have access to the forensic evidence, and all actions taken should be meticulously documented to ensure legal admissibility.
By adhering to these considerations, organizations can effectively conduct digital forensics on Windows 365 Enterprise Cloud PCs, ensuring that evidence is preserved and analyzed in a manner that upholds its integrity and legal standing.
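The considerations above ask for a file hash taken immediately after the snapshot lands in storage, and for every access to be documented. The following is an added example, not Microsoft's tooling or the article's code: it hashes the snapshot in chunks, writes a chain-of-custody manifest beside it, appends custody entries on each hand-off, and re-verifies the file against the manifest. The snapshot content, case id, file name and custodian names are constructed placeholders.

```python
"""Integrity and custody record for a preserved Cloud PC snapshot.

Added example: hash the snapshot after it is copied to evidence storage, keep a
chain-of-custody manifest next to it, and re-verify before every examination.
All names and the snapshot content below are constructed placeholders.
"""
import hashlib
import json
import os
import socket
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # 1 MiB reads: a multi-gigabyte snapshot never has to fit in memory


def utc_now():
    return datetime.now(timezone.utc).isoformat()


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def write_manifest(evidence_path, case_id, custodian, note=""):
    """Create the custody record: what was hashed, when, by whom, on which host."""
    manifest = {
        "case_id": case_id,
        "evidence": os.path.basename(evidence_path),
        "size_bytes": os.path.getsize(evidence_path),
        "sha256": sha256_file(evidence_path),
        "custody_log": [{"at_utc": utc_now(), "action": "acquired", "by": custodian,
                         "host": socket.gethostname(), "note": note}],
    }
    manifest_path = evidence_path + ".manifest.json"
    with open(manifest_path, "w", encoding="utf-8") as fh:
        json.dump(manifest, fh, indent=2)
    return manifest_path


def append_custody(manifest_path, action, by, note=""):
    """Every hand-off or examination is appended; earlier entries are never edited."""
    with open(manifest_path, encoding="utf-8") as fh:
        manifest = json.load(fh)
    manifest["custody_log"].append({"at_utc": utc_now(), "action": action, "by": by,
                                    "host": socket.gethostname(), "note": note})
    with open(manifest_path, "w", encoding="utf-8") as fh:
        json.dump(manifest, fh, indent=2)
    return len(manifest["custody_log"])


def verify(evidence_path, manifest_path):
    """Recompute the hash and compare it with the recorded one. The size is
    compared as well: a cheap check that also catches a truncated copy."""
    with open(manifest_path, encoding="utf-8") as fh:
        manifest = json.load(fh)
    actual = sha256_file(evidence_path)
    ok = (os.path.getsize(evidence_path) == manifest["size_bytes"]
          and actual == manifest["sha256"])
    return {"ok": ok, "expected": manifest["sha256"], "actual": actual}


def demo(snapshot_bytes=b"abc"):
    """Whole cycle on a constructed snapshot in a temp directory: acquire,
    hand off, verify, then alter the copy and confirm verification fails."""
    with tempfile.TemporaryDirectory() as workdir:
        snapshot = os.path.join(workdir, "cloudpc-CASE-0000.vhd")  # placeholder name
        with open(snapshot, "wb") as fh:
            fh.write(snapshot_bytes)
        manifest = write_manifest(snapshot, "CASE-0000", "analyst.one", "placed under review")
        entries = append_custody(manifest, "handed to legal", "analyst.two")
        before = verify(snapshot, manifest)
        with open(snapshot, "ab") as fh:  # any change, even one appended byte, must be caught
            fh.write(b"\x00")
        after = verify(snapshot, manifest)
        return {"sha256": before["actual"], "custody_entries": entries,
                "intact_before": before["ok"], "intact_after": after["ok"]}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the manifest should live in a separate, write-restricted location (or be signed) rather than only next to the snapshot, so that whoever can alter the evidence cannot also rewrite its hash; the script keeps them together only so that the example runs stand-alone.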

Utilizing Microsoft Protection Logs (MPLogs) for Forensic Investigations

The Microsoft Protection Log (MPLog) is a valuable artifact on Windows operating systems, offering a wealth of data to support forensic investigations. Generated by Windows Defender or Microsoft Security Essentials, MPLogs can provide historical evidence of process execution, threats detected, scan results, and actions taken.
Key Insights from MPLogs:
  • Process Execution: MPLogs can reveal evidence of process execution, including the process image name, total time spent in scans, and the number of scanned files accessed by the process.
  • Threat Detection: These logs document threats detected by Windows Defender, including details about the threat and actions taken.
  • Scan Results: MPLogs provide information on scan results, including the duration of scans and the files involved.
By analyzing MPLogs, forensic investigators can gain insights into system activities, aiding in the reconstruction of events leading up to and following a security incident.
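To make the three kinds of insight above concrete, here is an added example (not Microsoft's code and not from the article) that parses MPLog entries into process-activity, detection and scan records. The sample lines are constructed in the general shape of the "Estimated impact", detection and resource-scan entries; the exact wording differs between Defender builds, so the regular expressions and the `DETECTION_ADD` / `Resource Path` labels are assumptions to be checked against the log version actually in hand.

```python
"""Parser for Microsoft Protection Log (MPLog) entries.

Added example. The sample lines are constructed; the regular expressions are
assumptions about the line layout and should be adjusted per Defender build.
"""
import re
from datetime import datetime

SAMPLE_MPLOG = r"""
2024-03-01T08:20:15.120Z Estimated impact: ProcessImageName: powershell.exe, Pid: 4120, TotalTime: 312, Count: 57, MaxTime: 88, MaxTimeFile: \Device\HarddiskVolume3\Users\alice\AppData\Local\Temp\update.ps1, EstimatedImpact: 3%
2024-03-01T08:20:16.004Z Estimated impact: ProcessImageName: svchost.exe, Pid: 1220, TotalTime: 5, Count: 2, MaxTime: 3, MaxTimeFile: \Device\HarddiskVolume3\Windows\System32\drivers\etc\hosts, EstimatedImpact: 0%
2024-03-01T08:21:02.550Z DETECTION_ADD#2 Trojan:Win32/Constructed.A file:C:\Users\alice\AppData\Local\Temp\update.ps1
2024-03-01T08:25:00.000Z Begin Resource Scan
2024-03-01T08:25:00.000Z Scan ID:{11111111-2222-3333-4444-555555555555}
2024-03-01T08:25:00.000Z Scan Source:3
2024-03-01T08:25:00.000Z Start Time:2024-03-01T08:25:00.000Z
2024-03-01T08:25:00.000Z Resource Schema:file
2024-03-01T08:25:00.000Z Resource Path:C:\Users\alice\Downloads\invoice.exe
2024-03-01T08:25:00.130Z End Scan
"""

TS = r"(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z)"
# Process execution evidence: which image was scanned, how often, and on what file.
IMPACT_RE = re.compile(
    TS + r" Estimated impact: ProcessImageName: (?P<image>[^,]+), Pid: (?P<pid>\d+), "
    r"TotalTime: (?P<total>\d+), Count: (?P<count>\d+), MaxTime: (?P<max>\d+), "
    r"MaxTimeFile: (?P<file>.*?), EstimatedImpact: (?P<impact>\d+)%")
# Threat detection with the file it was found in (label assumed, see lead-in).
DETECT_RE = re.compile(TS + r" DETECTION_ADD#\d+ (?P<threat>\S+) file:(?P<file>.+)")
# Resource scans are multi-line blocks between "Begin Resource Scan" and "End Scan".
SCAN_FIELD_RE = re.compile(
    TS + r" (?P<key>Begin Resource Scan|End Scan|Scan ID|Scan Source|Start Time|"
    r"Resource Schema|Resource Path):?(?P<value>.*)")


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ")


def parse_mplog(text):
    processes, detections, scans = [], [], []
    current = None  # the resource-scan block being assembled, if any
    for line in text.splitlines():
        if not line.strip():
            continue
        if m := IMPACT_RE.match(line):
            processes.append({"time": m["ts"], "image": m["image"], "pid": int(m["pid"]),
                              "total_time": int(m["total"]), "files_scanned": int(m["count"]),
                              "max_time_file": m["file"], "impact_pct": int(m["impact"])})
        elif m := DETECT_RE.match(line):
            detections.append({"time": m["ts"], "threat": m["threat"], "file": m["file"]})
        elif m := SCAN_FIELD_RE.match(line):
            key, value = m["key"], m["value"].strip()
            if key == "Begin Resource Scan":
                current = {"begin": m["ts"]}
            elif current is not None and key == "End Scan":
                start = current.get("Start Time", current["begin"])
                delta = parse_ts(m["ts"]) - parse_ts(start)
                current.update(end=m["ts"], duration_ms=round(delta.total_seconds() * 1000))
                scans.append(current)
                current = None
            elif current is not None:
                current[key] = value
    return {"processes": processes, "detections": detections, "scans": scans}


def top_processes(report, n=5):
    """Processes by scan time spent on them: a rough 'who was busy' view."""
    return sorted(report["processes"], key=lambda p: p["total_time"], reverse=True)[:n]


def processes_touching(report, path_fragment):
    """Tie a detected file back to the process whose activity had it scanned."""
    frag = path_fragment.lower()
    return sorted({p["image"] for p in report["processes"] if frag in p["max_time_file"].lower()})


if __name__ == "__main__":
    rep = parse_mplog(SAMPLE_MPLOG)
    for det in rep["detections"]:
        print(det["time"], det["threat"], "<-", processes_touching(rep, det["file"].rsplit("\\", 1)[-1]))
    for scan in rep["scans"]:
        print("scan of", scan.get("Resource Path"), "took", scan["duration_ms"], "ms")
```

The useful joins are the ones the loop makes possible: a detection timestamp lines up with the "Estimated impact" entry that names the process which had the file scanned, which is how MPLog yields process-execution evidence even when no other execution telemetry survived.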

Best Practices for Preserving Forensic Evidence

Preserving forensic evidence is a critical aspect of any investigation. The initial response, often referred to as the "golden hour," can significantly impact the success of the investigation.
Key Steps:
  • Document the Scene: Photograph and record external connections to the device, such as printers or USB drives, and any screen activities visible.
  • Isolate the Device: Remove any network cables and disable Wi-Fi or Bluetooth connections to prevent further data transmission or potential tampering.
  • Determine the Device State: If the device is off, leave it off. If it's on, document the screen and running processes before proceeding.
  • Seek Expert Advice: Before taking further action, consult with a digital forensics expert to ensure proper procedures are followed.
By adhering to these best practices, organizations can ensure that forensic evidence is preserved in a manner that maintains its integrity and admissibility in legal proceedings.

Conclusion

Capturing forensic evidence within Microsoft 365 is a complex but essential task in the modern enterprise security landscape. By understanding the platform's logging infrastructure, leveraging tools like Advanced Audit, and adhering to best practices for evidence preservation, organizations can effectively conduct forensic investigations. This proactive approach not only aids in incident response but also fortifies the organization's overall security posture, ensuring resilience against future threats.

Source: csoonline.com, "How to capture forensic evidence for Microsoft 365"