Cirrus: Open-source Google Cloud forensic collection
Cirrus is an open-source Python-based tool designed to streamline Google Cloud forensic evidence collection. It can streamline environment access and evidence collection in investigations involving Google Workspace and GCP. The tool simplifies incident response activities and enhances an organization’s security posture.
Key features
The main capabilities of Cirrus include the following:
- Aggregate logs and configurations from different Google Cloud components.
- Access user-specific data in Gmail.
- Automate access prerequisites in preparation for evidence collection.
- Obtain significant insights to improve security posture.
- Provide an intuitive and efficient method of collecting specific or all available logs.
Cirrus scripts
Cirrus consists of two scripts:
- Assistant: Automates the setup and cleanup of Google Cloud access.
- Collector: Gathers logs, configurations, and user data.
The Assistant script automates the necessary access prerequisites for a Google Cloud environment, preparing it for evidence collection by the Collector. Designed for execution in Google Cloud Shell, the Assistant script sets the stage for the Collector, which can run from any terminal.
The Collector script uses a service account key file to authenticate to the Google Cloud environment. This key file can be generated by the Assistant script or manually.
Cirrus is available for free download on GitHub.
Must read:
- 20 free cybersecurity tools you might have missed
- 15 open-source cybersecurity tools you’ll wish you’d known earlier
- 20 essential open-source cybersecurity tools that save you time