Cirrus: Open-source Google Cloud forensic collection

Cirrus is an open-source Python-based tool designed to streamline Google Cloud forensic evidence collection. It can streamline environment access and evidence collection in investigations involving Google Workspace and GCP. The tool simplifies incident response activities and enhances an organization’s security posture.

google cloud forensic

Key features

The main capabilities of Cirrus include the following:

  • Aggregate logs and configurations from different Google Cloud components.
  • Access user-specific data in Gmail.
  • Automate access prerequisites in preparation for evidence collection.
  • Obtain significant insights to improve security posture.
  • Provide an intuitive and efficient method of collecting specific or all available logs.

Cirrus scripts

Cirrus consists of two scripts:

  • Assistant: Automates the setup and cleanup of Google Cloud access.
  • Collector: Gathers logs, configurations, and user data.

The Assistant script automates the necessary access prerequisites for a Google Cloud environment, preparing it for evidence collection by the Collector. Designed for execution in Google Cloud Shell, the Assistant script sets the stage for the Collector, which can run from any terminal.

The Collector script uses a service account key file to authenticate to the Google Cloud environment. This key file can be generated by the Assistant script or manually.

Cirrus is available for free download on GitHub.

Must read:

OPIS OPIS


Don't miss