# Google Workspace Forensic Artifacts Reference

**Total Artifacts:** 8 | **Generated:** 2026-03-07

---

## Identity & Directory

### Google Workspace Admin Audit Events
**Location:** `Google Admin Console > Reporting > Audit and investigation > Admin log events`

Administrative audit events covering privileged changes in Google Workspace, including admin-role updates, security-setting changes, application configuration changes, and delegated-admin actions.

**Forensic Value:** Admin audit events are the primary source for reconstructing attacker changes in Google Workspace. They show who changed tenant settings, which admin role was used, the originating IP address, and which controls were weakened or disabled during the compromise window.

**Tools:** Google Admin Console, Reports API, SIEM

**Technologies:** Google Workspace

**Collection Commands:**
- **Google Admin Console:** `Reporting > Audit and investigation > Admin log events > Filter by actor, event name, and date range > Export to CSV or Google Sheets`
- **Reports API:** `GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/admin?startTime=2026-03-01T00:00:00.000Z`

**Official References:**
- [Admin SDK Reports API overview](https://developers.google.com/workspace/admin/reports/v1/get-start/overview)
- [Admin audit log events](https://support.google.com/a/answer/4580120)

**Collection Constraints:**
- Available event families and lookback depth depend on Google Workspace edition, retention settings, and delegated admin privileges.
- Exports capture audit metadata, not the underlying document or mailbox content.

### Google Workspace OAuth Token and App Access Audit Events
**Location:** `Google Admin Console > Reporting > Audit and investigation > OAuth log events`

Audit events related to OAuth token issuance, third-party app access, API client authorization, and application grants against Google Workspace data.

**Forensic Value:** OAuth and token events are the main evidence source for consent-style persistence in Google Workspace. They reveal when a malicious application gained token-based access, which user granted that access, and which app or client ID must be revoked to fully remove persistence.

**Tools:** Google Admin Console, Reports API, SIEM

**Technologies:** Google Workspace

**Collection Commands:**
- **Google Admin Console:** `Reporting > Audit and investigation > OAuth log events > Filter by application name, client ID, user, and event > Export the incident window`
- **Reports API:** `GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/token?startTime=2026-03-01T00:00:00.000Z`

**Official References:**
- [OAuth log events](https://support.google.com/a/answer/6124308)
- [Reports retention and availability](https://support.google.com/a/answer/7061566)

**Collection Constraints:**
- Token and app-access logs show authorization activity, but investigators still need downstream Gmail, Drive, or Vault evidence to prove what data was accessed.
- Visibility depends on admin privilege, configured logging, and surviving retention windows.
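The Reports API call in the collection command above returns paged `admin#reports#activities` JSON that must be flattened before the client ID, granting users and scopes an investigator needs are visible. The example below is added here and is not part of the original reference: it follows `nextPageToken`, rolls up `authorize` events by `client_id` (the event and parameter names `authorize`, `client_id`, `app_name` and `scope` are those used by the Reports API `token` application), and runs against two constructed sample pages whose client ID, app name, users and timestamps are placeholders.

```python
"""Roll up Reports API `token` (OAuth) `authorize` events by client_id (added example)."""
from typing import Callable, Dict, Iterator, Optional

def iter_activities(fetch_page: Callable[[Optional[str]], dict]) -> Iterator[dict]:
    """Yield activity items across pages; fetch_page(pageToken) returns one response dict."""
    token = None
    while True:
        page = fetch_page(token)
        yield from page.get("items", [])
        token = page.get("nextPageToken")
        if not token:
            return

def params(event: dict) -> Dict[str, object]:
    """Flatten an event's parameter list; each entry carries `value` or `multiValue`."""
    return {p["name"]: p["multiValue"] if "multiValue" in p else p.get("value")
            for p in event.get("parameters", [])}

def summarize_grants(activities) -> Dict[str, dict]:
    """Group `authorize` events by client_id: app name, granting users, scopes, first/last seen."""
    summary: Dict[str, dict] = {}
    for act in activities:
        t = act["id"]["time"]  # RFC 3339 timestamps compare correctly as strings
        for ev in act.get("events", []):
            if ev.get("name") != "authorize":
                continue
            p = params(ev)
            e = summary.setdefault(p.get("client_id", "?"), {
                "app_name": p.get("app_name"), "users": set(), "scopes": set(),
                "first_seen": t, "last_seen": t})
            e["users"].add(act.get("actor", {}).get("email"))
            e["scopes"].update(p.get("scope") or [])
            e["first_seen"], e["last_seen"] = min(e["first_seen"], t), max(e["last_seen"], t)
    return summary

def _item(t, who, cid, app, scopes):
    """Constructed activity item in admin#reports#activities shape (placeholder values)."""
    return {"id": {"time": t, "applicationName": "token"}, "actor": {"email": who},
            "events": [{"type": "auth", "name": "authorize", "parameters": [
                {"name": "client_id", "value": cid}, {"name": "app_name", "value": app},
                {"name": "scope", "multiValue": scopes}]}]}

SAMPLE_PAGES = {  # two constructed pages linked by nextPageToken; all values are placeholders
    None: {"nextPageToken": "p2", "items": [_item("2026-03-02T10:15:00.000Z",
           "alice@example.com", "1234.apps.example", "Mail Helper", ["https://mail.google.com/"])]},
    "p2": {"items": [_item("2026-03-03T08:00:00.000Z", "bob@example.com", "1234.apps.example",
           "Mail Helper", ["https://mail.google.com/", "https://www.googleapis.com/auth/drive"])]},
}
```

Calling `summarize_grants(iter_activities(SAMPLE_PAGES.get))` yields one entry for the constructed client ID showing both granting users, the union of scopes and the first and last grant time, which is the revocation checklist the forensic-value paragraph describes.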

## Authentication & Access

### Google Workspace User Account and Login Audit Events
**Location:** `Google Admin Console > Reporting > Audit and investigation > User log events / Login log events`

User-account and authentication events covering account creation and suspension, password resets, login attempts, 2-step verification changes, and risk-relevant sign-in context.

**Forensic Value:** These logs establish who authenticated, from where, and what account lifecycle changes occurred before or after suspicious access. They are critical for distinguishing a simple password reset from a full identity takeover involving MFA changes or high-risk login behavior.

**Tools:** Google Admin Console, Reports API, SIEM

**Technologies:** Google Workspace

**Collection Commands:**
- **Google Admin Console:** `Reporting > Audit and investigation > Login log events or User log events > Filter by user, IP, event name, and status > Export results`
- **Reports API:** `GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/login?startTime=2026-03-01T00:00:00.000Z`

**Official References:**
- [User log events](https://support.google.com/a/answer/4579579)
- [Reports retention and availability](https://support.google.com/a/answer/7061566)

**Collection Constraints:**
- Login and user-event visibility depends on admin roles, API scopes, and service retention; older events may already have expired.
- These logs show authentication and account changes, not mailbox or Drive content access by themselves.

### Google Workspace SAML Log Events
**Location:** `Google Admin Console > Reporting > Audit and investigation > SAML log events`

Federation-related audit events for SAML sign-in activity, identity-provider interactions, and SSO-related account access within Google Workspace.

**Forensic Value:** SAML logs help determine whether federated authentication was abused, whether an attacker used an external identity provider to reach Google Workspace, and which federation path was involved during suspicious sign-ins.

**Tools:** Google Admin Console, Reports API, SIEM

**Technologies:** Google Workspace

**Collection Commands:**
- **Google Admin Console:** `Reporting > Audit and investigation > SAML log events > Filter by user, IdP, event name, and status > Export matching events`
- **Reports API:** `GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/saml?startTime=2026-03-01T00:00:00.000Z`

**Official References:**
- [Audit and investigation tool data sources](https://support.google.com/a/answer/14718444)
- [Reports retention and availability](https://support.google.com/a/answer/7061566)

**Collection Constraints:**
- SAML coverage depends on federated sign-in being in use and the relevant audit stream being available for the tenant.
- Correlating Google Workspace SAML events with the external IdP logs is required for full attribution.

## Email Security

### Google Workspace Gmail Log Events
**Location:** `Google Admin Console > Reporting > Audit and investigation > Gmail log events`

Email-activity logs covering message delivery, route changes, spam/phish actions, mailbox access context, and selected message-handling metadata within Google Workspace.

**Forensic Value:** Gmail log events are essential for phishing, BEC, and data-exfiltration cases. They help determine which mailboxes were touched, whether suspicious forwarding or transport actions occurred, and which sending infrastructure or delivery path was involved.

**Tools:** Google Admin Console, Gmail log search, SIEM

**Technologies:** Google Workspace

**Collection Commands:**
- **Google Admin Console:** `Reporting > Audit and investigation > Gmail log events > Filter by sender, recipient, IP, and message ID > Export the result set`
- **Gmail log search:** `Apps > Google Workspace > Gmail > Gmail log search > Search by sender/recipient/message ID and export the results for the incident window`

**Official References:**
- [Gmail log events](https://support.google.com/a/answer/11479100)
- [Reports retention and availability](https://support.google.com/a/answer/7061566)

**Collection Constraints:**
- Gmail log events provide message-routing and audit context, not full mailbox content; content preservation requires Vault or mailbox export workflows.
- Some searches and exports are limited by admin role, license, and retention boundaries.

## Data Access & Storage

### Google Workspace Drive Audit Log Events
**Location:** `Google Admin Console > Reporting > Audit and investigation > Drive log events`

Google Drive and shared-drive audit events covering file access, downloads, external sharing, permission changes, ownership transfers, and bulk data movement indicators.

**Forensic Value:** Drive audit events are high-value evidence for insider threat, token abuse, and data-exfiltration cases. They identify exactly which documents were accessed or shared, by whom, from which IP, and whether sharing or permission changes expanded exposure.

**Tools:** Google Admin Console, Reports API, SIEM

**Technologies:** Google Workspace

**Collection Commands:**
- **Google Admin Console:** `Reporting > Audit and investigation > Drive log events > Filter by actor, owner, shared-drive, and document ID > Export evidence`
- **Reports API:** `GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/drive?startTime=2026-03-01T00:00:00.000Z`

**Official References:**
- [Drive log events](https://support.google.com/a/answer/4579696)
- [Reports retention and availability](https://support.google.com/a/answer/7061566)

**Collection Constraints:**
- Drive audit logging shows file actions and sharing metadata, not a preserved copy of the document content.
- Shared-drive and cross-domain visibility depends on admin scope and retention settings at export time.

### Google Workspace Takeout Log Events
**Location:** `Google Admin Console > Reporting > Audit and investigation > Google Takeout log events`

Audit events related to Google Takeout export activity, including export initiation and related user actions that may indicate bulk data collection from Google Workspace services.

**Forensic Value:** Takeout events are high-signal evidence for data-theft investigations because they show attempts to package large volumes of user data for export outside normal collaboration workflows. They also help separate bulk export behavior from normal per-file access.

**Tools:** Google Admin Console, Reports API, SIEM

**Technologies:** Google Workspace

**Collection Commands:**
- **Google Admin Console:** `Reporting > Audit and investigation > Google Takeout log events > Filter by user and time range > Export the log set`
- **Reports API:** `GET https://admin.googleapis.com/admin/reports/v1/activity/users/all/applications/takeout?startTime=2026-03-01T00:00:00.000Z`

**Official References:**
- [Google Takeout log events](https://support.google.com/a/answer/10276199)
- [Reports retention and availability](https://support.google.com/a/answer/7061566)

**Collection Constraints:**
- Takeout logs record export activity, not the actual exported dataset contents or where an archive was later moved.
- Longer-term evidence still depends on audit retention and whether a preservation workflow such as Vault was available in time.

### Google Vault Search and Export Evidence
**Location:** `Google Vault > Matters > Searches and Exports`

Preserved search results and export packages from Google Vault for Gmail, Drive, Chat, Groups, and other retained Workspace content sources.

**Forensic Value:** Vault is the primary evidence-preservation workflow for Google Workspace content. It enables legal hold and targeted export of mailbox and collaboration evidence, preserving datasets that may outlive standard audit-log retention and supporting defensible offline review.

**Tools:** Google Vault, Google Admin Console, eDiscovery tooling

**Technologies:** Google Workspace

**Collection Commands:**
- **Google Vault:** `Create a matter, define the custodians and search scope, preview the result count, then export the preserved Gmail/Drive/Chat content with hashes and case metadata`

**Official References:**
- [Export search results from Vault](https://support.google.com/vault/answer/2473458)

**Collection Constraints:**
- Vault content visibility depends on Google edition, configured retention rules, holds, and investigator permissions.
- Vault exports are point-in-time preservation artifacts; deleted content outside Vault retention is not recoverable through this workflow.

---
*Generated by DFIR Assist*