Cirrus Collector gathers forensic artifacts across a Google Cloud environment.
Cirrus Collector is a wrapper script around two separate modules:
- Google Workspace / Cloud Identity Collector
- Google Cloud Platform (GCP) Collector
Requirements:
- Python 3 (Cirrus Collector supports and was tested with Python 3)
Quick start:
- Clone the repository
- (Optional) Set up a virtual environment
- Install dependencies
- Obtain a service account key file (via Cirrus Assistant or another method)
- Specify Google Workspace (gw) or Google Cloud Platform (gcp), the associated flags, and execute the script
Usage examples:
```shell
cirrus.py gw --key-file /path/to/creds.json --super-admin <super-admin-email> --override-cache all
cirrus.py gcp --key-file /path/to/creds.json logs --project-id test-project-1,test-project-2 --logs all_logs --start-time 2022-01-01T00:00:00Z --end-time 2022-01-08T00:00:00Z
```
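Collection runs that fail halfway through because of a malformed key file or an inverted time window waste investigation time, so it is worth validating the inputs from the usage examples before invoking the collector. The following preflight checker is an added example written for this README; it is not part of Cirrus Collector and does not call the project's code. It assumes the key file is a standard Google service account key JSON (fields `type`, `project_id`, `private_key`, `client_email`) and that timestamps are given in the RFC 3339 UTC form shown above; the sample key embedded below is constructed and contains no real credential.

```python
"""Preflight checks for a Cirrus Collector run.

Added example for this README, not part of Cirrus Collector. Validates the
command-line inputs from the usage examples (key file, super admin address,
project IDs, time window) so a bad run fails fast instead of mid-collection.
"""
import json
import re
from datetime import datetime, timezone

# Fields present in every Google service account key JSON file.
REQUIRED_KEY_FIELDS = ("type", "project_id", "private_key", "client_email")

# RFC 3339 UTC timestamps in the form the usage examples use.
TIMESTAMP_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# GCP project IDs: 6-30 chars, lowercase letters, digits and hyphens,
# starting with a letter and not ending with a hyphen.
PROJECT_ID_RE = re.compile(r"^[a-z][a-z0-9-]{4,28}[a-z0-9]$")

# Constructed sample key for demonstration only (no real key material).
SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account",
    "project_id": "test-project-1",
    "private_key_id": "placeholder-key-id",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "collector@test-project-1.iam.gserviceaccount.com",
})


def check_key_file(text: str) -> list[str]:
    """Return problems found in service account key JSON text (empty list = ok)."""
    try:
        key = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"key file is not valid JSON: {exc.msg}"]
    if not isinstance(key, dict):
        return ["key file is not a JSON object"]
    problems = [f"key file missing field: {f}" for f in REQUIRED_KEY_FIELDS if not key.get(f)]
    if key.get("type") not in (None, "service_account"):
        # An OAuth user credential (type "authorized_user") is a common mix-up.
        problems.append(f"key file type is {key['type']!r}, expected 'service_account'")
    if key.get("private_key") and "BEGIN PRIVATE KEY" not in key["private_key"]:
        problems.append("private_key is not a PEM private key")
    return problems


def check_gw_args(super_admin: str) -> list[str]:
    """The gw module needs a super admin address to impersonate for the API calls."""
    if EMAIL_RE.match(super_admin):
        return []
    return [f"super admin {super_admin!r} is not an email address"]


def parse_timestamp(value: str) -> datetime:
    """Parse a UTC timestamp of the form 2022-01-01T00:00:00Z."""
    if not TIMESTAMP_RE.match(value):
        raise ValueError(f"timestamp {value!r} must look like 2022-01-01T00:00:00Z")
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_gcp_logs_args(project_ids: str, start_time: str, end_time: str) -> list[str]:
    """Validate the comma-separated project list and the log time window."""
    problems = []
    ids = [p.strip() for p in project_ids.split(",") if p.strip()]
    if not ids:
        problems.append("no project IDs given")
    problems += [f"invalid project ID: {p!r}" for p in ids if not PROJECT_ID_RE.match(p)]
    try:
        start, end = parse_timestamp(start_time), parse_timestamp(end_time)
    except ValueError as exc:
        return problems + [str(exc)]
    if start >= end:
        problems.append("start time must be before end time")
    return problems


if __name__ == "__main__":
    # Mirrors the two usage examples above with the constructed sample key.
    found = check_key_file(SAMPLE_KEY_JSON)
    found += check_gw_args("super-admin@example.com")
    found += check_gcp_logs_args("test-project-1,test-project-2",
                                 "2022-01-01T00:00:00Z", "2022-01-08T00:00:00Z")
    print("preflight OK" if not found else "\n".join(found))
```

Run the checker against the real key file contents and the exact flag values you intend to pass before launching the collector; an empty problem list means the inputs are at least well-formed, though it says nothing about whether the service account actually holds the required permissions.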
For detailed information regarding Google Workspace or Cloud Identity evidence collection, see the reference documentation.
For detailed information regarding GCP evidence collection, see the reference documentation.
The collectors were developed and tested using Python v3.9. They can be executed either from a standalone machine or directly from Google Cloud Shell, as Cirrus Assistant is.