Storage & IAM Investigations

Storage and IAM investigations are core components of cloud forensics. When an incident occurs in AWS, Azure, or GCP, two areas account for most attacker activity:

  1. Storage systems → for data theft, malware hosting, staging, or exfiltration

  2. Identity and Access Management (IAM) → for privilege escalation and long-term persistence

Because cloud environments are permission-driven and storage is often internet-facing, these two areas become the highest-value evidence sources during investigation.

This chapter explains how forensic analysts examine cloud storage systems and IAM activity logs to identify unauthorized access, data manipulation, exfiltration attempts, and privilege abuse.


Why Storage & IAM Investigations Matter

Attackers frequently abuse cloud storage and IAM for:

  • Stealing sensitive data

  • Uploading malicious files

  • Hosting C2 payloads

  • Creating or modifying privileged accounts

  • Gaining long-term persistence via access keys

  • Altering permissions to bypass restrictions

Storage and IAM logs are usually the most direct record of what an attacker did, provided the relevant logging was enabled before the incident.


Storage Investigations in Cloud Forensics

Cloud storage services can record who accessed what data and when, but object-level (data plane) logging is usually not on by default: CloudTrail S3 data events, Azure Storage diagnostic logs, and GCP Data Access audit logs each have to be enabled, and only activity after that point is available to the investigator.


1. AWS Storage Forensics

S3 Server Access Logs / CloudTrail S3 Data Events

Logs show:

  • GetObject → downloads

  • PutObject → uploads

  • ListBucket (bucket listing) → enumeration attempts

  • DeleteObject → tampering or destruction

  • Source IP and IAM identity (server access logs record the requester as "-" for anonymous requests)

Forensics focus:

  • Unauthorized downloads

  • Public bucket exposure

  • Large batch downloads

  • Access from new regions

  • Anonymous (Unauthenticated) access

EBS & Snapshot Forensics

Key API calls:

  • CreateSnapshot

  • CopySnapshot

  • ModifySnapshotAttribute (createVolumePermission: shares the snapshot with another account, or with the group "all", which makes it public)

Suspicious indicators:

  • Snapshots shared with or copied to accounts the organization does not own

  • Unusual snapshot creation in inactive regions
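To make the S3 and snapshot checks above concrete, here is an added example (not part of the original page, and not code from any vendor tool) that runs them over a constructed CloudTrail log file. The account ID, identity names, IP baseline, bucket names and snapshot ID are all hypothetical; the field names (userIdentity, sourceIPAddress, additionalEventData.bytesTransferredOut, requestParameters.createVolumePermission) are the ones CloudTrail uses for S3 data events and EC2 calls. It flags anonymous object access, GetObject spikes per identity, known identities acting from an IP and region outside their baseline, and snapshots shared outside the account.

```python
import json
from collections import Counter

# Hypothetical account and per-identity IP baseline used by the constructed sample below.
OWN_ACCOUNT = "111122223333"
DOWNLOAD_THRESHOLD = 5                   # GetObject calls per identity before we call it a spike
BASELINE_IPS = {"alice": {"203.0.113.10"}, "ci-role": {"198.51.100.5"}}


def _record(name, identity, ip, region="us-east-1", params=None, extra=None):
    """One CloudTrail record trimmed to the fields the checks read (constructed, not a real log)."""
    return {"eventTime": "2025-01-15T10:00:00Z", "eventName": name, "awsRegion": region,
            "sourceIPAddress": ip, "userIdentity": identity,
            "requestParameters": params or {}, "additionalEventData": extra or {}}


USER_ALICE = {"type": "IAMUser", "accountId": OWN_ACCOUNT, "userName": "alice"}
ROLE_CI = {"type": "AssumedRole", "accountId": OWN_ACCOUNT,
           "sessionContext": {"sessionIssuer": {"userName": "ci-role"}}}
ANONYMOUS = {"type": "AWSAccount", "accountId": "anonymous"}   # unauthenticated S3 request

SAMPLE_LOG = json.dumps({"Records": [
    _record("GetObject", USER_ALICE, "203.0.113.10",
            params={"bucketName": "corp-docs", "key": "a.pdf"}, extra={"bytesTransferredOut": 1024}),
    *[_record("GetObject", ROLE_CI, "198.51.100.5",
              params={"bucketName": "corp-docs", "key": f"f{i}.zip"}, extra={"bytesTransferredOut": 5_000_000})
      for i in range(6)],
    _record("GetObject", ANONYMOUS, "198.51.100.77",
            params={"bucketName": "corp-backups", "key": "db.sql"}, extra={"bytesTransferredOut": 2_000_000}),
    _record("GetObject", USER_ALICE, "192.0.2.99", region="eu-west-1",
            params={"bucketName": "corp-docs", "key": "b.pdf"}, extra={"bytesTransferredOut": 4096}),
    _record("ModifySnapshotAttribute", USER_ALICE, "192.0.2.99", region="eu-west-1",
            params={"snapshotId": "snap-0a1b2c3d4e5f67890", "attributeType": "CREATE_VOLUME_PERMISSION",
                    "createVolumePermission": {"add": {"items": [{"userId": "999999999999"}]}}}),
]})


def load_events(raw):
    """CloudTrail delivers log files as {"Records": [...]}."""
    return json.loads(raw)["Records"]


def principal(event):
    """Human-readable identity: IAM user name, the role behind an assumed-role session, or 'anonymous'."""
    ui = event.get("userIdentity", {})
    if ui.get("accountId") == "anonymous":
        return "anonymous"
    if ui.get("type") == "AssumedRole":
        return ui.get("sessionContext", {}).get("sessionIssuer", {}).get("userName", "unknown-role")
    return ui.get("userName") or ui.get("type", "unknown")


def find_anonymous_access(events):
    return [(e["eventName"], e["requestParameters"].get("bucketName"), e["sourceIPAddress"])
            for e in events if principal(e) == "anonymous"]


def find_download_spikes(events, threshold=DOWNLOAD_THRESHOLD):
    """Identities whose GetObject count meets the threshold, with the bytes served to them."""
    count, volume = Counter(), Counter()
    for e in events:
        if e["eventName"] == "GetObject":
            who = principal(e)
            count[who] += 1
            volume[who] += int(e.get("additionalEventData", {}).get("bytesTransferredOut", 0))
    return {who: (n, volume[who]) for who, n in count.items() if n >= threshold}


def find_new_sources(events, baseline=BASELINE_IPS):
    """Known identities acting from an IP (and region) not in their baseline."""
    hits = {(principal(e), e["sourceIPAddress"], e["awsRegion"]) for e in events
            if principal(e) in baseline and e["sourceIPAddress"] not in baseline[principal(e)]}
    return sorted(hits)


def find_shared_snapshots(events, own_account=OWN_ACCOUNT):
    """ModifySnapshotAttribute calls granting createVolumePermission outside our account ('all' = public)."""
    shared = []
    for e in events:
        if e["eventName"] != "ModifySnapshotAttribute":
            continue
        rp = e.get("requestParameters", {})
        for item in rp.get("createVolumePermission", {}).get("add", {}).get("items", []):
            target = item.get("userId") or item.get("group")
            if target and target != own_account:
                shared.append((rp.get("snapshotId"), principal(e), target))
    return shared


if __name__ == "__main__":
    evts = load_events(SAMPLE_LOG)
    print("anonymous:", find_anonymous_access(evts))
    print("spikes:", find_download_spikes(evts))
    print("new sources:", find_new_sources(evts))
    print("shared snapshots:", find_shared_snapshots(evts))
```

To run it against a real export, replace SAMPLE_LOG with the contents of a CloudTrail log file. GetObject and PutObject only appear if the trail had an S3 data-event selector enabled; management events such as ModifySnapshotAttribute are logged by default.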


2. Azure Storage Forensics

Azure Blob Storage Logs (StorageBlobLogs, delivered through diagnostic settings)

Logs show:

  • Read / Write / List operations

  • Authentication type (account key, SAS, OAuth / Azure AD token, anonymous)

  • IP addresses

  • Access key usage

Indicators:

  • Access using Shared Access Signatures (SAS) from unknown IPs

  • Anonymous container access

  • Container access level raised (private → blob or container)

Azure Files / Table / Queue Storage

Forensic use cases:

  • Detecting data exfiltration

  • Reviewing privilege changes on containers


3. GCP Storage Forensics

Cloud Storage Audit Logs (Data Access logs, which must be enabled) and usage logs

Tracks:

  • File reads/writes

  • Authorization method (OAuth, service account)

  • Principal email (user or service account)

  • Source IP

Indicators:

  • Unexpected service account usage

  • Large read operations

  • Access from unknown locations

BigQuery Forensics

Logs show:

  • Table exports

  • Query patterns

  • Job execution

  • API-based extraction attempts

Table exports (extract jobs to Cloud Storage) and large query results copied out of the project are common exfiltration paths; both appear as jobs in the audit logs.


Key Techniques for Storage Investigations


1. Identify Who Accessed the Data

Check:

  • IAM user

  • Service account

  • Access key

  • Anonymous access

  • Temporary credentials


2. Analyze Read/Write Patterns

Signs of exfiltration:

  • GetObject spikes

  • Repeated HEAD (HeadObject) requests, often a sizing pass before a bulk download

  • Large BigQuery/Blob/S3 downloads

  • Access to rarely used data


3. Check for Permission Modifications

Examples:

  • Buckets made public

  • IAM policies granting s3:*

  • SAS tokens with long expiration

  • Container ACL changes
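The permission checks in this list (public buckets, s3:* grants, long-lived or over-privileged SAS tokens) can be automated. The following is an added example, not from the original page: it evaluates an S3 bucket or IAM policy document for public principals and wildcard actions, and parses the query parameters of a SAS URL (sp, se, si, sip, spr, srt) to report permissions, remaining lifetime, and missing restrictions. The bucket policy, the SAS URL and the fixed "now" timestamp are constructed samples; the SAS signature is redacted.

```python
import json
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlparse

# ---- AWS: bucket / IAM policy documents -------------------------------------

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def policy_findings(policy):
    """(Sid, issue) pairs for Allow statements that open a resource to everyone or grant wildcard actions."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        principal = st.get("Principal")
        # Principal "*" or {"AWS": "*"} means anyone, including unauthenticated callers,
        # unless a Condition narrows it (flagged separately so a reviewer checks the condition).
        if principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))):
            findings.append((sid, "public-principal (conditioned)" if st.get("Condition") else "public-principal"))
        wild = [a for a in _as_list(st.get("Action")) if a == "*" or a.endswith(":*")]
        if wild:
            findings.append((sid, "wildcard-action " + ",".join(wild)))
            if "*" in _as_list(st.get("Resource")):
                findings.append((sid, "wildcard-resource"))
    return findings


# ---- Azure: Shared Access Signature query parameters -------------------------

SAS_PERMS = {"r": "read", "w": "write", "d": "delete", "l": "list",
             "a": "add", "c": "create", "u": "update", "p": "process"}
WRITE_PERMS = set("wdacu")


def sas_findings(url, now, max_days=7):
    """Describe the SAS on a blob/container URL and flag long life, write rights, and missing restrictions."""
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    perms = set(q.get("sp", ""))
    findings = []
    if "se" in q:
        fmt = "%Y-%m-%dT%H:%M:%SZ" if "T" in q["se"] else "%Y-%m-%d"
        expiry = datetime.strptime(q["se"], fmt).replace(tzinfo=timezone.utc)
        days_left = (expiry - now).total_seconds() / 86400
        if days_left > max_days:
            findings.append(f"long-lived ({days_left:.0f} days remaining)")
        expires = expiry.isoformat()
    else:
        expires = None                         # expiry comes from a stored access policy (si)
        findings.append("expiry set by stored access policy " + q.get("si", "?"))
    if perms & WRITE_PERMS:
        findings.append("write/delete permissions " + "".join(sorted(perms & WRITE_PERMS)))
    if "sip" not in q:
        findings.append("no source IP restriction")
    if q.get("spr", "https,http") != "https":  # an absent spr allows both protocols
        findings.append("HTTP allowed")
    if "srt" in q:
        findings.append("account-level SAS, resource types " + q["srt"])
    return {"permissions": [SAS_PERMS.get(p, p) for p in sorted(perms)],
            "expires": expires, "findings": findings}


# Constructed samples (not taken from any real environment).
SAMPLE_BUCKET_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::corp-docs/*"},
    {"Sid": "AdminAll", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:user/alice"},
     "Action": "s3:*", "Resource": "*"}
  ]
}""")
SAMPLE_SAS_URL = ("https://corpdata.blob.core.windows.net/backups/db.bak"
                  "?sv=2022-11-02&sr=c&sp=rwdl&se=2025-06-30T00:00:00Z&spr=https&sig=REDACTED")
SAMPLE_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for sid, issue in policy_findings(SAMPLE_BUCKET_POLICY):
        print(f"policy {sid}: {issue}")
    print(sas_findings(SAMPLE_SAS_URL, SAMPLE_NOW))
```

A Principal of "*" with a Condition (for example aws:SourceVpce or aws:PrincipalOrgID) is not necessarily public, which is why the example flags it separately rather than ignoring it. The SAS check only reads the token: it cannot tell whether the token still works if the account key that signed it has since been rotated.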


4. Detect Data Manipulation

Look for:

  • Deleted files

  • Altered metadata

  • Overwritten logs

  • Unauthorized uploads

Attackers often plant backdoors or malicious payloads.


5. Track Cross-Account Access

Suspicious behavior:

  • External AWS account accessing S3

  • GCP service account keys used outside normal environment

  • Azure storage keys used on foreign networks


IAM Investigations in Cloud Forensics

IAM forensics determines whether attacker-controlled identities were created or abused.


Core IAM Artifacts to Investigate


1. Unauthorized IAM Changes

Look for CloudTrail/Azure/GCP events such as:

  • CreateUser

  • CreateAccessKey

  • AttachRolePolicy / AttachUserPolicy

  • AddUserToGroup

  • PutUserPolicy

  • Microsoft.Authorization/roleAssignments/write (Azure)

  • SetIamPolicy (GCP)

Unauthorized IAM manipulation usually indicates privilege escalation or an attempt to establish persistence.


2. Compromised Access Keys

Indicators:

  • Keys used from suspicious IP ranges

  • Usage outside business hours

  • Sudden increase in API calls

  • Keys not tied to any legitimate workloads

Key leakage often leads to full account compromise.


3. Privilege Escalation Attempts

Examples:

  • Adding AdministratorAccess

  • Elevating service accounts

  • Creating new roles with broad permissions

  • Over-permissive policies (e.g., Action "s3:*" or "*")


4. Rogue Service Accounts / Identities

Attackers may create:

  • New IAM users

  • New Azure AD app registrations and service principals

  • New GCP service accounts

  • Federated identity providers

  • OAuth consent grants

These provide persistence.


5. Federation & OAuth Abuse

Federation and OAuth let an attacker obtain valid tokens without ever using a password, so these paths need their own review.

Examples:

  • AWS STS temporary credentials (AssumeRole, GetFederationToken) minted from a compromised identity

  • OAuth tokens issued to an Azure Enterprise App with consented permissions

  • Stolen GCP workload identity or service account tokens


6. MFA Bypass Attempts

Indicators:

  • MFA devices deactivated or deleted (e.g., DeactivateMFADevice in CloudTrail)

  • New MFA devices added

  • Console logins recorded without MFA, or from unfamiliar locations


How Investigators Analyze IAM Events


1. Review Timeline of IAM Actions

Build a chronology of:

  • Logins

  • Permission modifications

  • Service account use

  • Access key creation

  • Failed login attempts

  • Data access events


2. Correlate IAM Activity with Storage Activity

Example attack chain:

  1. Attacker obtains an access key (leaked or stolen)

  2. Attaches admin privilege (AttachUserPolicy with AdministratorAccess)

  3. Lists S3 buckets (ListBuckets)

  4. Downloads confidential files (GetObject)

  5. Disables logging (StopLogging or DeleteTrail)

IAM + Storage logs reveal the full impact.
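The chain above can be reconstructed mechanically from CloudTrail once IAM and S3 events are in one place. This is an added example (not part of the page) that keys every record by userIdentity.accessKeyId, sorts by eventTime, maps event names onto the stages of the chain, and reports for each key which stages occurred and whether the full escalation → enumeration → exfiltration → anti-forensics sequence appears in order. The records are constructed; the two access key IDs are AWS documentation placeholders, and the stage groupings are this example's own.

```python
from collections import defaultdict

# Which stage of the chain a CloudTrail event name belongs to. Event names are AWS API actions;
# the grouping is our own, extend it for the environment under investigation.
STAGES = {
    "escalation": {"AttachUserPolicy", "AttachRolePolicy", "PutUserPolicy", "PutRolePolicy",
                   "AddUserToGroup", "CreateUser", "CreateAccessKey", "CreateLoginProfile"},
    "enumeration": {"GetCallerIdentity", "ListBuckets", "ListObjects", "ListObjectsV2"},
    "exfiltration": {"GetObject", "CopyObject"},
    "anti-forensics": {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"},
    "mfa-tampering": {"DeactivateMFADevice", "DeleteVirtualMFADevice", "CreateVirtualMFADevice"},
}
CHAIN = ["escalation", "enumeration", "exfiltration", "anti-forensics"]


def stage_of(event_name):
    return next((s for s, names in STAGES.items() if event_name in names), None)


def _summary(record):
    p = record.get("requestParameters") or {}
    for key in ("policyArn", "bucketName", "name"):
        if key in p:
            return f"{key}={p[key]}"
    return ""


def build_timeline(records):
    """Chronology rows: (time, identity, access key, event, stage, detail). ISO-8601 UTC times sort as strings."""
    rows = []
    for r in sorted(records, key=lambda r: r["eventTime"]):
        ui = r.get("userIdentity", {})
        rows.append((r["eventTime"], ui.get("userName") or ui.get("arn", "?"), ui.get("accessKeyId", "-"),
                     r["eventName"], stage_of(r["eventName"]), _summary(r)))
    return rows


def find_chains(records):
    """Per access key: chain stages in first-seen order, whether the full chain occurred, and source IPs."""
    by_key = defaultdict(list)
    for r in sorted(records, key=lambda r: r["eventTime"]):
        key = r.get("userIdentity", {}).get("accessKeyId")
        if key:
            by_key[key].append(r)
    result = {}
    for key, evs in by_key.items():
        first_seen = {}
        for r in evs:
            stage = stage_of(r["eventName"])
            if stage and stage not in first_seen:
                first_seen[stage] = r["eventTime"]
        stages = sorted(first_seen, key=first_seen.get)
        result[key] = {"stages": stages,
                       "full_chain": [s for s in stages if s in CHAIN] == CHAIN,
                       "ips": sorted({r["sourceIPAddress"] for r in evs})}
    return result


def _rec(t, user, key, ip, name, params=None):
    """Trimmed CloudTrail record for the constructed sample below."""
    return {"eventTime": f"2025-01-15T{t}Z", "eventName": name, "sourceIPAddress": ip,
            "userIdentity": {"type": "IAMUser", "userName": user, "accessKeyId": key},
            "requestParameters": params or {}}


ADMIN = "arn:aws:iam::aws:policy/AdministratorAccess"
STOLEN_KEY, CI_KEY = "AKIAIOSFODNN7EXAMPLE", "AKIAI44QH8DHBEXAMPLE"   # AWS documentation example IDs

# Constructed sample: a CI key behaving normally, and alice's leaked key driven by an attacker
# (deliberately out of order; the functions sort by eventTime).
SAMPLE_RECORDS = [
    _rec("10:02:10", "alice", STOLEN_KEY, "198.51.100.23", "GetObject", {"bucketName": "corp-finance", "key": "q3.xlsx"}),
    _rec("09:00:00", "ci", CI_KEY, "10.0.4.8", "ListBuckets"),
    _rec("10:00:00", "alice", STOLEN_KEY, "198.51.100.23", "AttachUserPolicy", {"userName": "alice", "policyArn": ADMIN}),
    _rec("10:01:30", "alice", STOLEN_KEY, "198.51.100.23", "ListBuckets"),
    _rec("09:00:05", "ci", CI_KEY, "10.0.4.8", "GetObject", {"bucketName": "build-artifacts", "key": "app.tar"}),
    _rec("10:03:00", "alice", STOLEN_KEY, "198.51.100.23", "GetObject", {"bucketName": "corp-finance", "key": "payroll.csv"}),
    _rec("10:05:00", "alice", STOLEN_KEY, "198.51.100.23", "StopLogging", {"name": "org-trail"}),
]

if __name__ == "__main__":
    for row in build_timeline(SAMPLE_RECORDS):
        print(*row)
    for key, info in find_chains(SAMPLE_RECORDS).items():
        print(key, info)
```

Keying on the access key rather than the user name is what separates the attacker's use of alice's leaked key from alice's own sessions. On real data, also split AssumedRole identities by session name and sourceIPAddress, since one role can be assumed by many callers.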


3. Detect Identity Misuse Patterns

  • Impossible travel

  • Role switching anomalies

  • High-volume API access

  • Login from unfamiliar services/IPs


Tools for Storage & IAM Investigations

AWS

  • CloudTrail

  • S3 Access Logs

  • IAM Access Advisor

  • Athena Log Queries

  • GuardDuty

Azure

  • Azure Monitor (Activity Log and storage resource logs)

  • Azure AD sign-in and audit logs

  • Log Analytics Workspace

  • Sentinel Queries

GCP

  • Cloud Audit Logs

  • BigQuery logs

  • IAM Recommender

  • Chronicle

SIEM Platforms:

  • Splunk

  • Elastic

  • Microsoft Sentinel


Red Flags in Storage & IAM Incidents

  • Bucket unexpectedly public

  • Large number of S3/Blob/Cloud Storage downloads

  • IAM policy suddenly becomes broader

  • Newly created IAM users/keys

  • Service account used outside expected environment

  • Data exported from BigQuery

  • Access from unknown IPs/regions

  • SAS tokens with excessive permissions

  • Attempt to delete audit logs


Intel Dump

  • Storage investigations focus on identifying unauthorized reads, writes, deletions, cross-account access, and data exfiltration across S3, Azure Blob, GCP Storage, and BigQuery.

  • IAM investigations target privilege escalation, new account creation, access key misuse, policy modification, rogue identities, and MFA tampering.

  • API logs reveal every identity action, while storage logs expose data access abuse.

  • Forensic analysts correlate IAM changes with storage events to expose full attack chains, including entry, escalation, exfiltration, and persistence.
