Langley, BC
(604) 800-9060
Teradrive Forensics

Cloud Forensics

Cloud forensics for modern Canadian investigations.

Most workplace evidence now lives in the cloud. We collect, preserve, and analyse Microsoft 365, Google Workspace, AWS, Slack, Teams, and Salesforce data with a court-defensible methodology.


When this service is needed

Typical scenarios where counsel and corporate clients retain us.

  • Departing employee data exfiltration to personal accounts
  • Microsoft 365 audit log preservation under legal hold
  • Google Workspace investigation
  • Slack and Teams chat preservation
  • AWS S3 and CloudTrail forensic capture
  • SaaS account compromise investigation

How we approach it

A defensible, repeatable process.

01

Tenant-level scoping

We confirm the platforms, the custodians, the date range, and the data types within scope. We document tenant configuration (license tier, retention policies, audit log status) because these determine what is recoverable.

02

Preservation

We act fast on the data types with the shortest retention. M365 unified audit log retention is 90 to 180 days by default. Google Workspace admin audit data retention varies by event type. We export, archive, and hash-verify the relevant logs before they expire.

03

Collection

For mailboxes, document libraries, and chat history, we use Microsoft Purview or Google Vault search-and-export, supplemented with API-based collection where the platform's native tools fall short. For SaaS apps without first-party export tools, we use Magnet AXIOM Cyber and custom collection scripts.

04

Analysis

We reconstruct user activity timelines, identify exfiltration patterns (large downloads, mass forwards, OAuth grants to suspicious third-party apps), and surface anomalous administrative actions.

05

Reporting

The deliverable is a written report tied to specific audit-log entries, with exhibit indexing for use in affidavits, expert reports, or regulator-ready breach notifications.
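As an added illustration of the analysis step above (example code, not the firm's own tooling), the script below flags the three patterns named there over constructed records shaped like Microsoft 365 unified audit log entries; the operation names, field names, sample values and threshold are assumptions.

```python
from collections import Counter

# Constructed sample records shaped like Microsoft 365 unified audit log
# entries (UserId, Operation, Workload, plus operation-specific fields).
# Values are invented; the operation names used below are assumptions.
SAMPLE_RECORDS = (
    [{"UserId": "alice@example.com", "Operation": "FileDownloaded",
      "Workload": "OneDrive"} for _ in range(60)]
    + [{"UserId": "bob@example.com", "Operation": "FileDownloaded",
        "Workload": "SharePoint"} for _ in range(3)]
    + [{"UserId": "bob@example.com", "Operation": "New-InboxRule",
        "Workload": "Exchange",
        "Parameters": [{"Name": "Name", "Value": "archive"},
                       {"Name": "ForwardTo", "Value": "bob.personal@example.net"}]},
       {"UserId": "carol@example.com", "Operation": "Consent to application.",
        "Workload": "AzureActiveDirectory", "ObjectId": "Mail Sync Helper"}]
)

DOWNLOAD_THRESHOLD = 50                        # per-user FileDownloaded count to flag
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}  # mailbox rule operations (assumed names)
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
CONSENT_OPS = {"Consent to application."}      # OAuth consent grant (assumed name)


def flag_exfiltration(records, download_threshold=DOWNLOAD_THRESHOLD):
    """Return (pattern, user, detail) tuples for the three patterns in the text:
    bulk downloads, mail-forwarding rules, and OAuth consent grants."""
    downloads = Counter()
    findings = []
    for rec in records:
        op, user = rec.get("Operation"), rec.get("UserId")
        if op == "FileDownloaded":
            downloads[user] += 1
        elif op in RULE_OPS:
            params = {p.get("Name"): p.get("Value") for p in rec.get("Parameters", [])}
            targets = [params[k] for k in FORWARD_PARAMS if params.get(k)]
            if targets:  # only rules that actually send mail outside the mailbox
                findings.append(("forward_rule", user, f"{op} -> {', '.join(targets)}"))
        elif op in CONSENT_OPS:
            findings.append(("oauth_consent", user, f"consent to {rec.get('ObjectId', '?')}"))
    for user, count in sorted(downloads.items()):
        if count >= download_threshold:
            findings.append(("bulk_download", user, f"{count} FileDownloaded events"))
    return findings


if __name__ == "__main__":
    for pattern, user, detail in flag_exfiltration(SAMPLE_RECORDS):
        print(f"{pattern:14} {user:22} {detail}")
```

Each finding carries the user and the triggering operation so it can be tied back to the specific audit-log entries the report cites.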

Tools we apply

Named, current, and listed in every report.

  • Magnet AXIOM Cyber
  • Google Workspace Vault
  • Custom collection scripts for AWS, Slack, Salesforce

Standards we follow

Aligned to Canadian and international guidance.

  • Google Workspace Vault retention
  • AWS CloudTrail retention
  • Sedona Canada Principles on cloud ESI

What you receive

Deliverables built for counsel, the regulator, and the court.

  • A preserved, hash-verified export of the relevant cloud data and audit logs.
  • A written examiner report tying findings to specific audit-log entries and timestamps.
  • Exhibit indexing and timeline visualizations.
  • An expert affidavit if the matter requires sworn evidence.
  • A chain-of-custody record covering the collection and processing workflow.

Common questions

Cloud Forensics questions from Canadian counsel and corporate clients.

How long are Microsoft 365 audit logs retained for forensic investigation?

By default, 90 days for E3 licences and 180 days for E5 with Purview Audit Premium, depending on the event type. Some events (such as Exchange mailbox audit) have separate retention. The window is short, so preservation should begin as soon as a matter is anticipated.

Can deleted Slack messages be recovered for a legal hold?

Sometimes. Slack's native retention depends on the workspace plan. Pro and Business+ plans support legal hold with retention overrides. Free and Standard plans do not, and content can be hard-deleted after retention windows expire. We assess plan-level capability at intake.

Are cloud backups admissible in Canadian court?

Yes, when the backup is preserved through a defensible process and authenticated under section 31.1 of the Canada Evidence Act. Source-tenant audit logs supporting the backup's integrity strengthen admissibility.

What is the chain of custody for cloud evidence?

We document tenant access, query parameters, export tool versions, output file hashes, transport storage, and post-export handling. Every step is timestamped and signed. The chain begins when we are authorized and ends when evidence is archived.

Can a cloud forensic investigation be done remotely?

Yes. Cloud collections are by definition remote. We need administrator-level access to the relevant tenants (or the assistance of someone who has it), and a clear scoping document. Onsite presence is not required.

How quickly should a cloud preservation start after a triggering event?

Immediately. The default M365 audit retention window starts counting down from the moment the event occurs. Each day of delay risks losing relevant log entries. We can begin preservation within hours of engagement when a matter is urgent.

Cloud evidence to preserve before the retention window closes?

Speed matters. Tell us about the matter and we will reach out as soon as possible.