Langley, BC
(604) 800-9060
Teradrive Forensics
Cloud-only employees: where the evidence actually lives

When an employee works entirely in cloud services with no company-issued device, where does the forensic evidence live? A practical guide for Canadian counsel.

Published May 1, 2026. Updated Apr 1, 2026. 9 min read.

When an employee works entirely in cloud services without a company-issued device, the forensic evidence lives in the cloud tenants the employee accessed: Microsoft 365 audit logs, Google Workspace audit data, Slack and Teams chat history, Salesforce activity logs, and any third-party SaaS apps integrated through OAuth. Endpoint forensics is largely irrelevant because there is no managed endpoint. The investigation strategy shifts entirely to cloud preservation, audit-log analysis, and OAuth grant inventory. This guide walks through the practical workflow.

Table of contents

  1. The cloud-only employee profile
  2. Why endpoint forensics is irrelevant
  3. The cloud evidence sources you need to know
  4. Preservation timing
  5. Investigation patterns
  6. Limits of cloud-only forensics
  7. FAQ

1. The cloud-only employee profile

The cloud-only employee is now common. The profile:

  • Uses a personal laptop (BYOD) or no laptop at all (mobile-only).
  • Accesses Microsoft 365 or Google Workspace through a browser.
  • Uses Slack, Teams, or Zoom for collaboration.
  • Stores documents in OneDrive, Google Drive, or SharePoint Online.
  • Accesses sales tools (Salesforce, HubSpot), project tools (Asana, Monday.com, Linear), or other SaaS apps directly through their browser.
  • Does not have a managed endpoint with EDR, asset management, or backup configured by the employer.

For matters involving these employees, the traditional endpoint-forensics workflow does not apply: there is no laptop to image, no NTFS master file table (MFT) to parse, and no Windows Event Log to capture.

2. Why endpoint forensics is irrelevant

Even where the employee has a personal device, endpoint forensics is usually not the right strategy:

  • Limited employer access. The personal device is BYOD, with the limits described in our BYOD blog post.
  • Limited evidence. Cloud-first work patterns mean most artifacts of interest live in the cloud, not on the endpoint. Browser cache and history may show some activity but the rich event data is server-side.
  • Time and cost. Even when endpoint acquisition is lawful, the yield is usually low compared to cloud preservation.

For cloud-only employees, the investigation budget should go to cloud preservation, not endpoint imaging.

3. The cloud evidence sources you need to know

The primary sources, by platform:

Microsoft 365.

  • Unified audit log (covers Exchange, SharePoint, OneDrive, Teams, Entra activity).
  • Mailbox audit log (per-mailbox activity).
  • Message trace (mail flow).
  • OneDrive and SharePoint activity logs (file-level events).
  • Microsoft Entra (Azure AD) sign-in logs.
  • Microsoft Purview Audit Premium events for E5 tenants.

Google Workspace.

  • Admin audit log (workspace-wide events).
  • Gmail audit log.
  • Drive audit log.
  • Login audit log.
  • Token audit log.
  • Calendar, Meet, and other application-specific logs.

Slack and Teams.

  • Workspace export (Slack Enterprise Grid or Business+).
  • Microsoft Teams audit events through M365 unified audit log.
  • Per-channel and per-DM message history.

Salesforce.

  • Setup audit trail.
  • Login history.
  • Login forensics (with Shield).
  • Object-level audit history.
  • Reports and dashboards usage.

Other SaaS.

  • Each platform varies. The pattern is to identify what audit logging is enabled, what retention is configured, and how to export.

4. Preservation timing

Cloud audit logs have short default retention. The M365 unified audit log defaults to 90 days for E3 and 180 days for E5 with Premium audit. Google Workspace retention varies by event type. Microsoft Entra sign-in logs are kept for only 7 days on the free tier.

For cloud-only employees, preservation has to start within hours of the engagement. Each day reduces what is recoverable.

The preservation order:

  1. Sign-in and authentication logs first. Shortest retention.
  2. Audit logs for the affected accounts. Within the same day if possible.
  3. Mailbox content and chat history. Through Purview eDiscovery or Google Vault.
  4. Document libraries. OneDrive, SharePoint, Google Drive content.
  5. OAuth grant inventory. Third-party app permissions that may persist after offboarding.
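As an added example that is not part of this guide (and not Teradrive's own tooling), the following Python turns the retention figures above into a preservation ranking: given the window of interest and today's date, it reports which sources still cover the window fully, partly, or not at all, and how many days remain before the earliest event of interest ages out. The retention days are the defaults quoted in this section; the matter dates are constructed, and Google Workspace is left out because its retention varies by event type.

```python
from datetime import date, timedelta

# Default retention windows quoted in section 4 of this guide (days). Which
# M365 value applies depends on the tenant's licensing, so both are listed.
DEFAULT_RETENTION_DAYS = {
    "Microsoft Entra sign-in logs (free tier)": 7,
    "M365 unified audit log (E3)": 90,
    "M365 unified audit log (E5, Premium audit)": 180,
}


def preservation_plan(retention_days, window_start, window_end, today):
    """Rank sources by how soon the window of interest starts aging out.

    For each source: the oldest event still retained today, whether the
    window [window_start, window_end] is fully / partly / no longer covered,
    and how many days remain before the earliest event of interest expires
    (negative means part of the window is already gone).
    """
    rows = []
    for source, days in retention_days.items():
        oldest_retained = today - timedelta(days=days)
        if oldest_retained <= window_start:
            coverage = "full"
        elif oldest_retained <= window_end:
            coverage = "partial"
        else:
            coverage = "lost"
        days_left = (window_start + timedelta(days=days) - today).days
        rows.append({"source": source, "oldest_retained": oldest_retained,
                     "coverage": coverage, "days_left": days_left})
    # Most urgent first. Already-lost sources sort to the top so they are
    # flagged at scoping rather than discovered mid-investigation.
    rows.sort(key=lambda r: r["days_left"])
    return rows


# Constructed matter: employee departed 2026-03-20, activity of interest runs
# to 2026-04-15, and counsel engages us on 2026-05-01.
EXAMPLE_PLAN = preservation_plan(DEFAULT_RETENTION_DAYS,
                                 window_start=date(2026, 3, 20),
                                 window_end=date(2026, 4, 15),
                                 today=date(2026, 5, 1))

if __name__ == "__main__":
    for row in EXAMPLE_PLAN:
        print(f"{row['source']:45} coverage={row['coverage']:8} "
              f"oldest_retained={row['oldest_retained']} days_left={row['days_left']}")
```

In the constructed matter the Entra sign-in logs for the departure date were gone three weeks before engagement, which is exactly why step 1 of the order above says to pull authentication logs first; the E3 unified audit log still covers the whole window but only for another 48 days.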

5. Investigation patterns

Common investigation patterns for cloud-only employees:

Departing employee exfiltration. Look for OneDrive or Google Drive download spikes, share-link creation, OAuth grants to third-party file-sharing services, mass email forwarding rules, Slack workspace exports, large file movements to personal cloud accounts.

Account compromise or insider threat. Look for unusual sign-in patterns (impossible travel, anomalous IPs), MFA-device additions, conditional-access policy changes, OAuth grants to suspicious third-party apps, mass file access patterns.

Workplace misconduct. Look for relevant message threads in Slack and Teams, email content via Purview eDiscovery, file-sharing patterns that surface relevant evidence.

Compliance or regulatory. Look for retention-policy changes, data-loss-prevention alert history, eDiscovery search activity, audit-log export history.

The pattern is the same: cloud preservation first, audit-log analysis second, structured reporting tied to specific log entries.
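The patterns above map onto specific operations in the M365 unified audit log. As an added example that is not part of this guide (and not Teradrive's tooling), here is a Python triage over the AuditData JSON column of an export, with constructed records embedded: it flags per-user daily download spikes, anonymous share links, inbox rules that forward off-tenant, and OAuth consent grants, and it keeps the log entry Ids behind each finding so the report can cite them. The operation names (FileDownloaded, AnonymousLinkCreated, New-InboxRule, Consent to application.) are the ones M365 emits; the users, paths, rule values, app name, download threshold, and internal domain are assumptions made for the example.

```python
"""Triage an exported Microsoft 365 unified audit log for the departing-employee
and account-compromise indicators listed above."""
import json
from collections import defaultdict


def _record(rec_id, user, operation, workload, ts, **extra):
    """One constructed AuditData record, serialised like the export's JSON column."""
    body = {"Id": rec_id, "UserId": user, "Operation": operation,
            "Workload": workload, "CreationTime": ts, "ClientIP": "203.0.113.10"}
    body.update(extra)
    return json.dumps(body)


# Constructed sample export. Operation names are the ones M365 emits; users,
# paths, rule values and the app name are invented for this example.
SAMPLE_EXPORT = [
    # nine OneDrive downloads by one user on one day (a download spike)
    *[_record(f"dl-{i}", "jdoe@corp.example", "FileDownloaded", "OneDrive",
              f"2026-04-20T09:{i:02d}:00",
              ObjectId=f"https://corp-my.sharepoint.example/personal/jdoe/Documents/q1-{i}.xlsx")
      for i in range(9)],
    # two downloads by a colleague on different days (normal activity)
    _record("dl-a1", "asmith@corp.example", "FileDownloaded", "OneDrive", "2026-04-20T10:00:00",
            ObjectId="https://corp-my.sharepoint.example/personal/asmith/Documents/notes.docx"),
    _record("dl-a2", "asmith@corp.example", "FileDownloaded", "OneDrive", "2026-04-21T10:00:00",
            ObjectId="https://corp-my.sharepoint.example/personal/asmith/Documents/notes.docx"),
    # "anyone with the link" share link created on a SharePoint file
    _record("sl-1", "jdoe@corp.example", "AnonymousLinkCreated", "SharePoint", "2026-04-20T11:30:00",
            ObjectId="https://corp.sharepoint.example/sites/sales/pipeline.xlsx"),
    # inbox rule forwarding mail to an external address
    _record("rule-1", "jdoe@corp.example", "New-InboxRule", "Exchange", "2026-04-19T18:05:00",
            Parameters=[{"Name": "Name", "Value": "archive"},
                        {"Name": "ForwardTo", "Value": "jdoe.personal@mail.example"}]),
    # benign inbox rule that only moves mail to a folder
    _record("rule-2", "asmith@corp.example", "New-InboxRule", "Exchange", "2026-04-19T18:06:00",
            Parameters=[{"Name": "Name", "Value": "newsletters"},
                        {"Name": "MoveToFolder", "Value": "Reading"}]),
    # OAuth consent granted to a third-party app (Entra audit event)
    _record("oauth-1", "jdoe@corp.example", "Consent to application.", "AzureActiveDirectory",
            "2026-04-18T08:00:00", Target=[{"ID": "CloudSync Connector", "Type": 1}]),
]

# Inbox-rule parameters that send a copy of mail somewhere else
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}


def triage(auditdata_rows, download_threshold=5, internal_domain="corp.example"):
    """Return findings keyed by pattern; each finding carries the record Ids it
    rests on so the report can point at specific log entries.

    download_threshold (per user per day) and internal_domain are assumptions
    to tune per tenant, not values from the guide.
    """
    findings = {"download_spikes": [], "anonymous_links": [],
                "forwarding_rules": [], "oauth_consents": []}
    downloads = defaultdict(list)  # (user, day) -> record Ids

    for row in auditdata_rows:
        rec = json.loads(row)
        user, op = rec["UserId"], rec["Operation"]
        if op == "FileDownloaded":
            downloads[(user, rec["CreationTime"][:10])].append(rec["Id"])
        elif op == "AnonymousLinkCreated":
            findings["anonymous_links"].append(
                {"user": user, "object": rec["ObjectId"], "record_ids": [rec["Id"]]})
        elif op == "New-InboxRule":
            targets = [p["Value"] for p in rec.get("Parameters", [])
                       if p["Name"] in FORWARDING_PARAMS]
            external = [t for t in targets if not t.lower().endswith("@" + internal_domain)]
            if external:
                findings["forwarding_rules"].append(
                    {"user": user, "external_targets": external, "record_ids": [rec["Id"]]})
        elif op == "Consent to application.":
            # The constructed records carry the app display name as the Type-1 Target entry.
            apps = [t["ID"] for t in rec.get("Target", []) if t.get("Type") == 1]
            findings["oauth_consents"].append(
                {"user": user, "app": apps[0] if apps else "(unknown)", "record_ids": [rec["Id"]]})

    for (user, day), ids in sorted(downloads.items()):
        if len(ids) >= download_threshold:
            findings["download_spikes"].append(
                {"user": user, "day": day, "count": len(ids), "record_ids": ids})
    return findings


if __name__ == "__main__":
    for pattern, items in triage(SAMPLE_EXPORT).items():
        print(pattern)
        for item in items:
            print("  ", item)
```

Run against a real export, the same function takes the AuditData strings from the CSV's AuditData column; the thresholds are deliberately conservative so that what it produces is a list of entries to read, not a conclusion.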

6. Limits of cloud-only forensics

Cloud forensics has constraints worth flagging at scoping:

  • Audit log gaps. Default audit configuration may not capture every relevant event. Premium licensing tiers usually record more.
  • Retention windows. Covered in section 4 above: once events age out, they are gone.
  • Third-party SaaS variability. Each SaaS platform has its own audit and retention model. Some are excellent (Microsoft, Google, Salesforce). Some are limited (smaller SaaS apps may have minimal audit logging).
  • Offline content. If the employee downloaded content to a personal device, the cloud audit log records the download but does not show what the employee did with the file afterward.
  • Encrypted content. End-to-end encrypted communications (Signal, encrypted private channels) are not visible to cloud audit logs even when they pass through corporate networks.

A complete investigation often requires both cloud forensics and (where lawful) targeted endpoint or BYOD work to address these gaps.

Reference: Microsoft Purview Audit documentation. Google Workspace audit log reference.

7. FAQ

Q: Can a cloud forensic investigation be done remotely? A: Yes. Cloud collections are by definition remote. We need administrator-level access to the relevant tenants and a clear scoping document.

Q: What if our employee uses Slack but we are on the Free plan? A: Free and Standard Slack plans do not preserve indefinitely. Preservation requires a specific export and is time-sensitive. Pro and Business+ plans support legal hold.

Q: How fast can preservation start? A: Within hours of engagement during business days.

Q: What if the employee used personal cloud accounts (personal Gmail, personal Dropbox) for work? A: The work content is potentially in scope; the personal account itself is the employee's. Recovery usually requires consent, interrogatories, or a production order.

Q: Do we need to image the employee's personal laptop? A: Often no. For cloud-only work, the cloud audit log usually has the relevant evidence. Endpoint imaging adds cost without commensurate yield in most cases.
