Forensics and Data Collection
LSP Data Solutions provides a comprehensive suite of forensic services unparalleled in the marketplace. Our experts work closely with our clients to perform targeted collections to ensure the correct datasets are captured, analyzed and prepared for the eDiscovery process.
How We Leverage Technology
LSP forensic experts use leading-edge technology to acquire and analyze data from a wide array of data sources. No matter the source, our experts will identify and implement the appropriate solution to achieve the necessary results.
Why You Can Trust Us
LSP forensic experts and certified partners are trained to handle all types of data collection from a single Gmail account to servers in multiple locations.
The LSP Difference
Our staff will provide consultation to help you make the most informed decision as to the direction the collection should go within your budget parameters. Whether it be on location, remote, or having the media shipped directly to our facility, LSP is equipped to handle your data collection needs.
Always Defensible
Detailed reporting, including a complete audit trail, ensures your data collections are defensible—every time.
Data Sources We Can Capture Include:
Social Media Sites
Microsoft Azure
Login and access logs: Azure logs all login attempts and access to resources. These logs can reveal the IP address, time, and type of access (e.g., read, write, delete) for each login or access event.
Azure Resource Manager (ARM) templates: ARM templates define the resources that are deployed to an Azure account. These templates can be examined to determine what resources were provisioned and how they were configured.
Virtual machine disks: Virtual machine disks can be extracted from Azure storage and analyzed using traditional forensic tools to recover deleted files, search for artifacts of malicious activity, and recover system artifacts.
Azure Active Directory (AAD) logs: AAD logs contain information about user authentication, directory changes, and other events related to user accounts. These logs can be analyzed to determine if any unauthorized access or changes were made to user accounts.
Azure Key Vault: Key Vault is a cloud-based service that allows users to securely store and manage cryptographic keys, secrets, and certificates. Forensic analysis of Key Vault can reveal information about encryption keys, passwords, and other sensitive data that may have been accessed or manipulated.
Azure Storage: Azure Storage is used to store and manage data objects in the cloud. Forensic analysis of Azure Storage can reveal information about data stored in the account, including deleted data, access logs, and metadata.
Dropbox
Login and access logs: Dropbox logs all login attempts and access to files. These logs can reveal the IP address, time, and type of access (e.g., read, write, delete) for each login or access event.
File metadata: File metadata in Dropbox can reveal information about when a file was created, last modified, and who modified it. This information can be used to determine if any unauthorized access or changes were made to files.
Deleted files: Dropbox stores deleted files in a hidden trash folder for 30 days. Forensic analysis of this folder can recover deleted files and determine if any malicious activity occurred.
File contents: Forensic analysis of the contents of files stored in Dropbox can reveal information about user activities, such as email addresses, passwords, and other sensitive data.
Shared links: Dropbox allows users to share files via shared links. Forensic analysis of shared links can reveal who accessed the files, when they accessed them, and what actions they performed on the files.
Third-party applications: Dropbox allows third-party applications to access user data. Forensic analysis can reveal which third-party applications were granted access, what data they accessed, and when they accessed it.
Facebook
Login and access logs: Facebook logs all login attempts and access to user accounts. These logs can reveal the IP address, time, and type of access (e.g., login, logout) for each event.
Profile information: Facebook profiles contain a wealth of information, including name, location, interests, education, and employment history. This information can be used to build a profile of the user and potentially identify them.
Messages: Facebook allows users to send and receive messages, which can contain valuable information about user activities, including communication with other users, sharing of files, and discussions about sensitive topics.
Posts and comments: Facebook posts and comments can reveal a user’s interests, opinions, and social connections. Forensic analysis of these artifacts can provide valuable insights into the user’s behavior and activities.
Friend lists: Facebook friend lists can reveal a user’s social connections and potentially identify other users who may be involved in the user’s activities.
Ads and ad targeting data: Facebook allows advertisers to target users based on demographic and interest data. Forensic analysis of ad targeting data can reveal valuable insights into the user’s interests and potentially identify other users who share similar interests.
Google
Gmail: Email messages sent and received through the user’s Gmail account, including metadata such as sender and recipient addresses, message content, and dates and times.
Google Drive: Files and folders stored on Google Drive, including metadata such as file names, creation and modification dates, and file sizes.
Google Calendar: Calendar data synced with Google Calendar, including metadata such as event details, dates, and times.
Google Contacts: Contact data synced with Google Contacts, including metadata such as contact names, phone numbers, email addresses, and other details.
Google Maps: Location data, search history, and other activity data collected by Google Maps, including metadata such as dates and times of activity.
Google Photos: Photos and videos stored in Google Photos, including metadata such as dates and locations of capture.
Google Voice: Call logs, voicemails, and text messages sent and received through Google Voice, including metadata such as caller and recipient phone numbers and dates and times of activity.
Google Search: Search history and other activity data collected by Google Search, including metadata such as search terms, dates and times of activity, and IP addresses.
Google Analytics: Website usage and other activity data collected by Google Analytics, including metadata such as dates and times of activity, IP addresses, and other information about the user’s browsing behavior.
Instagram
Login and access logs: Instagram logs all login attempts and access to user accounts. These logs can reveal the IP address, time, and type of access (e.g., login, logout) for each event.
Profile information: Instagram profiles contain a wealth of information, including name, location, interests, and profile picture. This information can be used to build a profile of the user and potentially identify them.
Posts and comments: Instagram posts and comments can reveal a user’s interests, opinions, and social connections. Forensic analysis of these artifacts can provide valuable insights into the user’s behavior and activities.
Direct messages: Instagram allows users to send and receive direct messages, which can contain valuable information about user activities, including communication with other users, sharing of files, and discussions about sensitive topics.
Stories: Instagram allows users to post short-lived “stories” that can reveal a user’s current activities, location, and social connections.
Followers and following lists: Instagram followers and following lists can reveal a user’s social connections and potentially identify other users who may be involved in the user’s activities.
Hashtags and search history: Instagram allows users to search for content using hashtags, and logs these searches. Forensic analysis of hashtag and search history data can reveal a user’s interests, activities, and potentially sensitive information.
Mega
File uploads and downloads: Mega allows users to upload and download files to and from their accounts, and logs these activities. Forensic analysis of file upload and download data can reveal a user’s file-sharing activities, including the types of files shared and potentially sensitive information.
File metadata: Mega files contain metadata, such as file names, sizes, and creation/modification dates. Forensic analysis of file metadata can reveal information about a user’s file usage patterns and potentially identify other users who have shared or accessed the files.
Contact information: Mega users can create and manage contacts within the app, which can be analyzed to identify potential witnesses or accomplices.
Account creation and login history: Mega logs all account creation and login attempts, which can reveal information about a user’s account usage patterns and potentially identify other users who have accessed the account.
Encryption keys: Mega encrypts user files using end-to-end encryption and user-controlled encryption keys. Forensic analysis of encryption keys can potentially reveal valuable information about a user’s file sharing activities and any sensitive information contained within the files.
MS Teams
Communication history: Microsoft Teams logs all communications made by the user, including chat messages, audio and video calls, and file sharing activities. Forensic analysis of communication history data can reveal valuable insights into user activities, including discussions about sensitive topics and interactions with other users.
Meeting history: Microsoft Teams logs all meetings attended by the user, including meeting titles, start and end times, and other metadata. Forensic analysis of meeting history data can reveal information about a user’s work schedule, meeting attendance patterns, and potentially sensitive information discussed during meetings.
User profile information: Microsoft Teams user profiles contain a range of information, including name, email address, and profile picture. This information can be used to build a profile of the user and potentially identify them.
Channel and group information: Microsoft Teams allows users to create and join channels and groups, which can contain valuable information about user activities and potentially sensitive information discussed within the channel or group.
Device information: Microsoft Teams logs information about the devices used to access the account, including device types, operating systems, and IP addresses. Forensic analysis of device information data can reveal information about a user’s work environment and potentially identify other users who have accessed the account.
Access logs: Microsoft Teams logs all login attempts and access to user accounts. These logs can reveal the IP address, time, and type of access (e.g., login, logout) for each event.
Slack
Communication history: Slack logs all communications made by the user, including chat messages, audio and video calls, and file sharing activities. Forensic analysis of communication history data can reveal valuable insights into user activities, including discussions about sensitive topics and interactions with other users.
User profile information: Slack user profiles contain a range of information, including name, email address, and profile picture. This information can be used to build a profile of the user and potentially identify them.
Channel and group information: Slack allows users to create and join channels and groups, which can contain valuable information about user activities and potentially sensitive information discussed within the channel or group.
File uploads and downloads: Slack allows users to upload and download files to and from their accounts and logs these activities. Forensic analysis of file upload and download data can reveal a user’s file-sharing activities, including the types of files shared and potentially sensitive information.
Access logs: Slack logs all login attempts and access to user accounts. These logs can reveal the IP address, time, and type of access (e.g., login, logout) for each event.
App and integration data: Slack allows users to install and use a wide range of apps and integrations, which can provide valuable insights into user activities and potentially sensitive information shared within the app or integration.
Twitter
Tweets and direct messages: Twitter logs all tweets and direct messages sent and received by the user. Forensic analysis of tweet and direct message data can reveal valuable insights into user activities, including discussions about sensitive topics and interactions with other users.
User profile information: Twitter user profiles contain a range of information, including name, bio, location, and profile picture. This information can be used to build a profile of the user and potentially identify them.
Follower and following information: Twitter logs information about the users that the account follows and the users that follow the account. Forensic analysis of follower and following data can reveal a user’s interests and potentially sensitive information about their network.
Account activity: Twitter logs all activity related to the account, including login attempts and device information. Forensic analysis of account activity data can reveal information about a user’s login patterns, location, and potentially identify other users who have accessed the account.
Hashtags and mentions: Twitter logs all hashtags and mentions used by the user. Forensic analysis of hashtag and mention data can reveal a user’s interests and potentially sensitive information about their network.
App and integration data: Twitter allows users to install and use a wide range of apps and integrations, which can provide valuable insights into user activities and potentially sensitive information shared within the app or integration.
WhatsApp
Message history: WhatsApp stores messages, including text, images, videos, and audio files, on the device’s local storage. This data can be extracted from the device and analyzed forensically.
Contact information: WhatsApp collects contact information from the user’s device and stores it on its servers. This information can include the user’s name, phone number, and profile picture.
Call logs: WhatsApp allows users to make voice and video calls. Call logs, including call duration, timestamps, and call participants, can be extracted from the device’s local storage.
Media files: WhatsApp allows users to send and receive images, videos, and audio files. These files are stored on the device’s local storage and can be extracted forensically.
Location data: WhatsApp allows users to share their location with others. The location data can be extracted from the device’s local storage and used to track the user’s movements.
Box
File metadata: This includes file name, creation date, modification date, file size, and file type.
Access logs: Details of user access to files, including the user’s IP address, date and time of access, and the file accessed.
User information: Such as name, email address, and login history.
Collaboration data: Insights into user relationships and file usage patterns resulting from collaboration on files and folders.
Deleted files: Potentially recoverable data from deleted files that Box retains for a period of time before permanent deletion.
iCloud
Device backups: Full or partial backups of the user’s iOS or macOS devices, including data such as contacts, messages, call logs, photos, videos, and app data.
iCloud Drive: Files and folders stored on iCloud Drive, including metadata such as file names, creation and modification dates, and file sizes.
Photos and videos: Photos and videos stored in iCloud Photos, including metadata such as dates and locations of capture.
Contacts and calendars: Contact and calendar data synced with iCloud, including metadata such as contact names, phone numbers, email addresses, and event details.
Notes: Notes stored in the user’s iCloud account, including metadata such as the note content, creation and modification dates, and tags.
Mail: Email messages sent and received through the user’s iCloud email account, including metadata such as sender and recipient addresses, message content, and dates and times.
App data: Data stored in iCloud by third-party apps, including metadata such as app names, file names, and creation and modification dates.
iCloud Keychain: Stored usernames, passwords, and other sensitive data synced across the user’s devices.
Amazon
Purchase history: Amazon stores a record of all purchases made through the user’s account, including the date, time, and amount of the purchase, as well as the items purchased. Forensic analysis of this data can reveal insights into the user’s spending habits and interests.
Order information: In addition to purchase history, Amazon stores information about orders, including shipping addresses, payment information, and delivery status. This information can be extracted forensically and used to track the user’s order history.
Wishlist data: Amazon allows users to create wishlists of products they are interested in purchasing. Forensic analysis of wishlist data can provide insights into the user’s preferences and interests.
Prime membership information: Amazon Prime is a paid subscription service that provides users with additional benefits, such as free two-day shipping, streaming of movies and TV shows, and access to exclusive deals. Forensic analysis of Prime membership information can reveal insights into the user’s Amazon usage patterns.
Reviews and ratings: Amazon allows users to leave reviews and ratings for products they have purchased or used. Forensic analysis of review and rating data can provide insights into the user’s opinions and preferences.
Cloud Sites
Lyft
Ride history: Information about the user’s ride history, including the pick-up and drop-off locations, dates and times, driver and vehicle information, and ride fares.
Payment information: Information about the user’s payment methods used on the platform, including credit card numbers, bank account information, and transaction history.
User account information: Information about the user’s Lyft account, including the username, email address, phone number, and login history.
Device information: Information about the user’s device(s) used to access the Lyft platform, including device type, operating system, and device ID.
User activity logs: Logs generated by the user’s activity on the platform, such as login times, ride requests, and other interactions with the Lyft interface.
Communications: Messages and other communications between the user and Lyft support or other users on the platform.
AWS S3
Bucket and object metadata: Metadata about the buckets and objects stored in the S3 account, including information such as creation and modification dates, permissions, and encryption status.
Access logs: S3 provides access logs that show a record of all requests made to the user’s buckets and objects, including metadata such as the date and time of the request, requester’s IP address, and details about the requested resource.
CloudTrail logs: CloudTrail logs can provide a record of all activity in the AWS account, including changes to S3 resources, metadata about the changes, and the AWS Identity and Access Management (IAM) user who made the change.
Server logs: S3 server logs contain information about the requests made to S3 buckets and objects, including metadata such as the date and time of the request, IP address of the requester, and details about the requested resource.
Bucket and object ACLs: Access Control Lists (ACLs) define the permissions for buckets and objects in the S3 account, and can provide insight into who has access to the data stored in the account.
Encryption keys: If the user has enabled server-side encryption for their S3 data, forensic examiners may be able to recover the encryption keys used to protect the data.
Microsoft Azure
Virtual machines: Information about the virtual machines created in the Azure account, including metadata such as virtual machine names, creation and modification dates, and disk images.
Storage accounts: Information about the storage accounts created in the Azure account, including metadata such as account names, creation and modification dates, and storage containers.
Azure SQL databases: Information about the SQL databases created in the Azure account, including metadata such as database names, creation and modification dates, and server names.
Network traffic: Network traffic logs can provide information about the user’s network activity, including IP addresses, ports, and protocols used.
Audit logs: Azure provides audit logs that show a record of all user activity in the account, including metadata such as the date and time of the activity, user ID, activity type, IP address, and details about the resource involved.
Security Center data: The Azure Security Center provides information about security events and vulnerabilities in the user’s environment, including metadata such as the date and time of the event, severity level, and details about the affected resource.
OneDrive
File metadata: Information about the files stored in the OneDrive account, including file names, creation and modification dates, file size, and file type.
Access logs: OneDrive provides access logs that show a record of all user activity in the account, including metadata such as the date and time of the activity, user ID, activity type, IP address, and details about the file involved.
Deleted files: OneDrive keeps a record of all files that have been deleted from the account, including metadata such as the file name, deletion date, and user ID.
Shared files: OneDrive allows users to share files with other users, and forensic analysis can reveal information about the files shared, including metadata such as the file name, user ID, and date and time of the share.
Version history: OneDrive allows users to store multiple versions of a file, and forensic analysis can reveal information about the different versions of a file, including metadata such as the version number, date and time of the version, and user ID.
Sync data: OneDrive can be configured to automatically sync files to local devices, and forensic analysis can reveal information about the sync activity, including metadata such as the date and time of the sync, user ID, and details about the files involved.
SharePoint
Site metadata: Information about the SharePoint sites that the user has access to, including site names, creation and modification dates, and site owners.
User activity logs: SharePoint provides activity logs that show a record of all user activity in the account, including metadata such as the date and time of the activity, user ID, activity type, and details about the item involved.
Document metadata: Information about the documents stored in the SharePoint account, including document names, creation and modification dates, document type, and document size.
Deleted documents: SharePoint keeps a record of all documents that have been deleted from the account, including metadata such as the document name, deletion date, and user ID.
Access permissions: SharePoint allows users to grant access permissions to other users, and forensic analysis can reveal information about the access permissions, including metadata such as the user ID, access level, and date and time of the permission grant.
Version history: SharePoint allows users to store multiple versions of a document, and forensic analysis can reveal information about the different versions of a document, including metadata such as the version number, date and time of the version, and user ID.
Site settings: SharePoint site settings contain information about the site’s configuration, including metadata such as the site name, site owner, and site permissions.
Mobile Devices
Apple AirTags
Location data: AirTags use Bluetooth and Ultra-Wideband (UWB) technology to track their location. Forensically extracting this data can provide insights into the movements of the user and the item to which the AirTag is attached.
Device pairing data: When an AirTag is first set up, it must be paired with an Apple device, such as an iPhone or iPad. Extracting this data can provide information about the user of the AirTag and the devices they use.
Battery usage data: AirTags have a replaceable battery that can be used for up to a year. Extracting this data can provide information about when the AirTag was last used and whether it was active during a specific period relevant to the investigation.
Timestamp data: AirTags record timestamps when they are in proximity to Apple devices, providing information about when and where the AirTag was detected.
User information: AirTags can be customized with a name and contact information. Extracting this data can provide information about the user of the AirTag and their contact details.
iPhone
Call Logs and Text Messages: Investigators can extract data on incoming and outgoing calls, text messages, and multimedia messages (MMS) from the iPhone. This information can provide insights into communication patterns and potential evidence relevant to the investigation.
Emails: Emails sent and received from the iPhone can be extracted to provide a record of email communication.
Contacts and Calendars: The iPhone stores contact information and calendar events, including dates, times, and locations. This data can provide valuable insights into the activities of the user.
Social Media and Instant Messaging: Many social media and instant messaging apps are available on the iPhone, and data from these apps can be extracted to provide communication records and other relevant information.
Internet and App Usage: Forensic investigators can extract data on internet browsing history and app usage to determine user behavior and activities.
Location Data: iPhones have built-in GPS technology that can track location data, which can be extracted to provide insights into the movements of the user.
Apple Watch
Health and Fitness Data: The Apple Watch collects and stores a variety of health and fitness data, including heart rate, step count, and workout information. This information can provide insights into the physical activities of the user.
GPS and Location Data: Apple Watch has built-in GPS technology that can track location data, which can be extracted to provide insights into the movements of the user.
Communication and Notification Data: The Apple Watch can receive and display notifications from the user’s iPhone, including text messages, phone calls, and other app notifications. This data can provide insights into communication patterns and potential evidence relevant to the investigation.
Digital Wallet Data: The Apple Watch can store digital wallet information, including credit and debit card data. Forensic investigators can extract this data to identify financial transactions that may be relevant to the investigation.
Third-Party App Data: Many third-party apps are available on the Apple Watch, and data from these apps can be extracted to provide communication records and other relevant information.
App Usage Data: Forensic investigators can extract data on app usage from the Apple Watch, including the types of apps used and the frequency of use.
Biometric Data: The Apple Watch also collects and stores biometric data, including fingerprints, that may be relevant to an investigation.
Apple iPad
Emails and Messaging: Investigators can extract data on incoming and outgoing emails, as well as instant messaging communications, from the iPad. This information can provide insights into communication patterns and potential evidence relevant to the investigation.
Contacts and Calendars: The iPad stores contact information and calendar events, including dates, times, and locations. This data can provide valuable insights into the activities of the user.
Internet and App Usage: Forensic investigators can extract data on internet browsing history and app usage to determine user behavior and activities.
Multimedia Files: The iPad can store a variety of multimedia files, including photos, videos, and audio recordings. Forensic investigators can extract this data to identify relevant media files that may be used as evidence.
Location Data: iPads have built-in GPS technology that can track location data, which can be extracted to provide insights into the movements of the user.
Third-Party App Data: Many third-party apps are available on the iPad, and data from these apps can be extracted to provide communication records and other relevant information.
Android Phone
Call Logs: Forensic analysis can reveal call logs, which include the date, time, and duration of each call, as well as the phone numbers involved.
Text Messages: Text messages sent and received on the device can be extracted, including the content of the messages, the date and time they were sent, and the phone numbers involved.
Internet Browsing History: Internet browsing history can be extracted, revealing which websites were visited, the date and time they were accessed, and potentially any searches that were performed.
GPS Location Data: GPS location data can be extracted, which can be used to track the physical location of the device at specific times.
Media Files: Photos, videos, and audio recordings stored on the device can be extracted, along with metadata such as the date and time the files were created or modified.
App Data: Forensic analysis can reveal data stored by various apps installed on the device, such as login credentials, browsing history, and chat logs.
Contacts and Calendar: Forensic analysis can reveal contact information, including names, phone numbers, email addresses, and other relevant data, as well as any calendar events or appointments that were stored on the device.
Email: Email messages and attachments can be extracted from the device, along with metadata such as the sender, recipient, date, and time of each message.
Apple Computers
File System Metadata: The file system metadata contains information about the files and directories on the computer, including creation and modification dates, file sizes, and permissions.
Internet Browsing History: Forensic analysis can reveal internet browsing history, which can include the URLs of websites visited, the date and time of access, and any searches performed.
Email Data: Email data, including email messages and attachments, can be extracted from email clients installed on the computer, such as Apple Mail or Microsoft Outlook.
Chat Logs: Chat logs from messaging applications, such as iMessage or Skype, can be extracted and analyzed.
User Account Information: User account information, such as usernames, passwords, and stored login credentials, can be extracted from various sources, such as the keychain or browser history.
System Logs: System logs record system events and activities, including logins, shutdowns, and application launches.
Metadata from Media Files: Metadata from media files, such as photos and videos, can be extracted, including date and time stamps, camera settings, and geolocation data.
Cloud Data: Forensic analysis can reveal data stored on cloud services such as iCloud, including device backups, synced data, and metadata related to the usage of the cloud service.
Windows Computers
File System Metadata: The file system metadata contains information about the files and directories on the computer, including creation and modification dates, file sizes, and permissions.
Internet Browsing History: Forensic analysis can reveal internet browsing history, which can include the URLs of websites visited, the date and time of access, and any searches performed.
Email Data: Email data, including email messages and attachments, can be extracted from email clients installed on the computer, such as Microsoft Outlook or Mozilla Thunderbird.
Chat Logs: Chat logs from messaging applications, such as Skype or WhatsApp, can be extracted and analyzed.
User Account Information: User account information, such as usernames, passwords, and stored login credentials, can be extracted from various sources, such as the Windows Registry or browser history.
System Logs: System logs record system events and activities, including logins, shutdowns, and application launches.
Metadata from Media Files: Metadata from media files, such as photos and videos, can be extracted, including date and time stamps, camera settings, and geolocation data.
Registry Data: The Windows Registry contains configuration information about the computer and installed applications, which can be analyzed to determine user activity and application usage.
Cloud Data: Forensic analysis can reveal data stored on cloud services such as OneDrive, Dropbox, or Google Drive, including device backups, synced data, and metadata related to the usage of the cloud service.
Linux Computers
File System Metadata: The file system metadata contains information about the files and directories on the computer, including creation and modification dates, file sizes, and permissions.
Internet Browsing History: Forensic analysis can reveal internet browsing history, which can include the URLs of websites visited, the date and time of access, and any searches performed.
Email Data: Email data, including email messages and attachments, can be extracted from email clients installed on the computer, such as Mozilla Thunderbird or Evolution.
Chat Logs: Chat logs from messaging applications, such as Pidgin or Empathy, can be extracted and analyzed.
User Account Information: User account information, such as usernames, passwords, and stored login credentials, can be extracted from various sources, such as the passwd and shadow files or browser history.
System Logs: System logs record system events and activities, including logins, shutdowns, and application launches.
Metadata from Media Files: Metadata from media files, such as photos and videos, can be extracted, including date and time stamps, camera settings, and geolocation data.
Configuration Files: Configuration files for installed applications can provide valuable information about the system and user activities, such as network connections and application usage.
Bash History: The Bash shell history file contains a record of commands executed by the user, which can provide insight into user activities on the system.