Comparison · Updated November 2026

On-Prem vs. Cloud Forensics in 2026: Side-by-Side

How modern forensic methodology differs between on-prem devices and cloud platforms (Microsoft 365, Google Workspace, AWS, Azure, GCP), including 2026 default log retention windows and legal access paths.

Last updated: November 15, 2026 · Reviewed by Elite Digital Forensics examiners

TL;DR. On-prem forensics works from physical media you can image, preserve, and examine on your timeline. Cloud forensics works from provider audit logs and APIs that are subject to short default retention windows and provider-controlled access paths. In 2026 most business matters require both, with cloud preservation being time-critical because retention defaults are short (M365 180 days, Workspace ~180 days, AWS CloudTrail Event History 90 days).

At a glance

Evidence source
  On-prem: Physical media (laptops, desktops, servers, USB)
  Cloud:   Provider audit logs, APIs, exports
Preservation
  On-prem: Write-blocked imaging
  Cloud:   Preservation hold + log export before retention expires
Default retention
  On-prem: Subject to user/admin, often years
  Cloud:   Short by default: M365 180d, Workspace ~180d, CloudTrail 90d, GCP Admin Activity 400d, Azure activity 90d
Access path
  On-prem: Physical possession or remote agent
  Cloud:   Tenant admin credentials, provider legal process, or cooperating user
Chain of custody
  On-prem: Direct (physical handoff, sealed)
  Cloud:   Indirect (provider attestation, hash on export)
Self-authentication
  On-prem: FRE 902(14) hash certification
  Cloud:   FRE 902(11)/(13) for system-generated records, plus custodial attestation
Speed
  On-prem: Days to weeks per system
  Cloud:   Hours to days for live preservation; weeks for legal process
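The "hash on export" step in the chain-of-custody row is where a cloud export becomes something an examiner can certify under FRE 902(14). The following is an added example (not code from Elite Digital Forensics or from any provider) of a minimal hash manifest: it records a SHA-256 digest, size and collection time for each exported file at the moment of export, and later re-verifies the files against that manifest. The CSV content, file name and examiner name are constructed sample values.

```python
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    """SHA-256 of a byte string as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(exports: dict, examiner: str, source: str) -> dict:
    """Record digest, size and UTC collection time for each exported file.

    exports maps file name -> raw bytes exactly as downloaded from the provider.
    The manifest is what the examiner signs/attests to; the files stay untouched.
    """
    return {
        "source": source,
        "examiner": examiner,
        "collected_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "algorithm": "SHA-256",
        "files": {
            name: {"size": len(blob), "sha256": sha256_hex(blob)}
            for name, blob in exports.items()
        },
    }


def verify_manifest(manifest: dict, exports: dict):
    """Return (ok, mismatches): names missing or whose current digest differs."""
    mismatches = [
        name
        for name, rec in manifest["files"].items()
        if name not in exports or sha256_hex(exports[name]) != rec["sha256"]
    ]
    return (not mismatches, mismatches)


# Constructed sample export (not a real tenant's data): one Unified Audit Log row.
SAMPLE_EXPORT = {
    "ual_2026-08-01_2026-11-15.csv": (
        b"CreationDate,UserIds,Operations\n"
        b"2026-08-02T03:14:07Z,alice@example.com,New-InboxRule\n"
    ),
}

if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_EXPORT, "Examiner (placeholder)", "M365 UAL")
    print(json.dumps(manifest, indent=2))
    print("verify:", verify_manifest(manifest, SAMPLE_EXPORT))
```

Write the manifest out beside the export at collection time and hash the manifest itself into the custody record; any later edit to a CSV, including a benign "clean-up" in Excel, will show up as a mismatch on re-verification.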

2026 cloud audit-log retention defaults you must know

  • Microsoft 365 Purview Audit (Standard): Unified Audit Log retains 180 days for events generated on or after October 17, 2023. Older events may still be at the prior 90-day limit. Audit Premium (E5) extends Exchange, SharePoint, OneDrive, and Entra ID to 1 year by default, optionally up to 10 years.
  • Google Workspace: Most log event types (Admin, Drive, Gmail, Meet, Chat) retained ~180 days. Admins cannot delete log data or shorten retention.
  • AWS CloudTrail: Event History retains management events 90 days per Region per account. Longer retention requires a Trail to S3.
  • Microsoft Azure Activity Log: default 90 days; longer retention requires export to Log Analytics, Storage, or Event Hubs.
  • Google Cloud Audit Logs: Admin Activity logs retained 400 days; Data Access logs 30 days by default; can be exported to Cloud Storage / BigQuery / Pub/Sub for longer.
  • Salesforce, Slack, Dropbox, Box, etc.: retention varies by tier; assume short by default and verify per tenant.
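Because the retention windows in the table above and in this list differ per platform, the practical question on day one of a matter is "for the earliest event we care about, by what date must each source be exported, and which ones are already gone?" The following is an added example (not code from Elite Digital Forensics) that answers that from the defaults stated on this page, including the M365 edge case where events generated before October 17, 2023 fall under the older 90-day limit. The retention figures are frozen from the page and should be confirmed per tenant; the sample dates are constructed.

```python
from datetime import date, timedelta

# Default retention in days, as stated on this page for 2026 (assumption: confirm per tenant).
RETENTION_DAYS = {
    "M365 Unified Audit Log (Standard)": 180,
    "Google Workspace audit events": 180,
    "AWS CloudTrail Event History": 90,
    "Azure Activity Log": 90,
    "GCP Admin Activity audit logs": 400,
    "GCP Data Access audit logs": 30,
}

# M365 Standard moved from 90 to 180 days for events generated on/after this date.
M365_180D_CUTOVER = date(2023, 10, 17)


def retention_for(source: str, event_date: date) -> int:
    """Retention window that applies to an event generated on event_date."""
    days = RETENTION_DAYS[source]
    if source.startswith("M365") and event_date < M365_180D_CUTOVER:
        days = 90  # pre-cutover events keep the old limit
    return days


def export_deadline(source: str, event_date: date) -> date:
    """Last day an event from event_date is still expected to be retrievable."""
    return event_date + timedelta(days=retention_for(source, event_date))


def preservation_status(window_start: date, today: date) -> dict:
    """Per source: export deadline for the earliest event in the suspected
    window and days remaining (negative means the default window has already
    lapsed and only a Trail/sink/Premium tier or legal process may help)."""
    report = {}
    for source in RETENTION_DAYS:
        deadline = export_deadline(source, window_start)
        report[source] = {"deadline": deadline, "days_left": (deadline - today).days}
    return report


def lapsed_sources(report: dict) -> list:
    """Sources whose default window has already expired."""
    return [s for s, r in report.items() if r["days_left"] < 0]


if __name__ == "__main__":
    # Constructed scenario: suspected compromise began 2026-08-01, triage on 2026-11-15.
    rep = preservation_status(date(2026, 8, 1), date(2026, 11, 15))
    for src, r in rep.items():
        print(f"{src:36} export by {r['deadline']}  ({r['days_left']:+d} days)")
    print("already lapsed:", lapsed_sources(rep))
```

Run this on the first call with the client and the output becomes the preservation priority list: anything with single-digit days left is exported before the litigation hold paperwork is even finished.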

What on-prem forensics is still uniquely good at

  • USB device history, ShellBags, Volume Shadow Copies, and prefetch – pure Windows artifacts not visible to cloud logs
  • Local-only files that were never synced
  • Memory artifacts on a live system (process trees, injected code, network sockets)
  • Local-only logs that show pre-compromise baseline state
  • OneDrive / Google Drive client-side metadata that complements cloud audit logs

What cloud forensics is uniquely good at

  • Reconstructing authentication, especially impossible-travel and OAuth abuse
  • Mailbox rule manipulation in Business Email Compromise matters
  • SharePoint / OneDrive / Drive sharing changes (the “who got access to what, when” question)
  • Multi-tenant attacker pivoting (service-account abuse, cross-tenant tokens)
  • SaaS-level attack reconstruction where there is no endpoint to image

The order of operations that matters most in 2026

  1. Within 24 hours: place a litigation hold and a tenant-side preservation hold on the affected mailboxes / drives.
  2. Within 7 days: export audit logs covering the suspected window plus a buffer. Once retention expires, the data is gone.
  3. Within 14 days: image the relevant on-prem endpoints (or capture EDR-side equivalents).
  4. Within 30 days: deliver a draft timeline that correlates cloud and on-prem evidence into a single narrative.
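Step 4 is where hybrid matters most often go wrong: provider logs are stamped in UTC while endpoint artifacts are frequently recorded in the workstation's local time, so a naive sort puts events in the wrong order. The following is an added example (not code from Elite Digital Forensics) that normalizes a constructed M365 Unified Audit Log excerpt and constructed Windows endpoint records into one UTC-ordered timeline. The assumed workstation offset (UTC-4) and all events are sample values.

```python
from datetime import datetime, timezone, timedelta

# Constructed cloud records: M365 UAL CreationDate values are UTC ISO-8601.
CLOUD_EVENTS = [
    {"ts": "2026-08-02T03:14:07Z", "src": "M365 UAL", "user": "alice@example.com",
     "what": "New-InboxRule"},
    {"ts": "2026-08-02T02:58:40Z", "src": "M365 UAL", "user": "alice@example.com",
     "what": "UserLoggedIn (unfamiliar IP)"},
]

# Constructed endpoint records, in the workstation's local time.
# Assumption for this sample: the workstation clock is UTC-4 (US Eastern, August).
ENDPOINT_TZ = timezone(timedelta(hours=-4))
ENDPOINT_EVENTS = [
    {"ts": "2026-08-01 22:55:12", "src": "Windows Security 4624", "user": "alice",
     "what": "Interactive logon"},
    {"ts": "2026-08-01 23:20:03", "src": "Prefetch", "user": "alice",
     "what": "POWERSHELL.EXE executed"},
]


def parse_cloud(ts: str) -> datetime:
    """Provider timestamp (UTC, trailing Z) to an aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_endpoint(ts: str, tz=ENDPOINT_TZ) -> datetime:
    """Local-time endpoint timestamp to an aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz).astimezone(timezone.utc)


def merged_timeline(cloud=CLOUD_EVENTS, endpoint=ENDPOINT_EVENTS, tz=ENDPOINT_TZ) -> list:
    """Single list of both evidence streams, each row carrying a 'utc' key, sorted."""
    rows = [{**e, "utc": parse_cloud(e["ts"])} for e in cloud]
    rows += [{**e, "utc": parse_endpoint(e["ts"], tz)} for e in endpoint]
    rows.sort(key=lambda r: r["utc"])
    return rows


def render(rows: list) -> str:
    """Plain-text timeline suitable for a draft report appendix."""
    return "\n".join(
        f"{r['utc'].strftime('%Y-%m-%d %H:%M:%SZ')}  {r['src']:22}  {r['user']:18}  {r['what']}"
        for r in rows
    )


if __name__ == "__main__":
    print(render(merged_timeline()))
```

In the sample, the endpoint logon (22:55 local) lands before the cloud sign-in (02:58Z) and the PowerShell prefetch lands after the inbox-rule creation, which is the order an examiner needs to see; sorting on the raw strings would have interleaved them wrongly. Record the clock offset and any observed clock skew of each imaged endpoint in the report, since the whole correlation depends on it.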

Legal access paths that differ

  • Tenant-admin access: the fastest path. The cloud customer is the data controller and can pull what they need.
  • Provider legal process: subpoena, court order, or warrant served on Microsoft, Google, AWS, etc. Used when the tenant is uncooperative, hostile, or unavailable; slower and narrower.
  • End-to-end encrypted cloud (e.g., iCloud Advanced Data Protection, WhatsApp E2E Backup): provider cannot decrypt; the only path is the customer’s own credentials.

How Elite Digital Forensics handles hybrid matters

Nearly every business engagement we run in 2026 is hybrid. We typically scope on-prem and cloud workstreams in parallel, send preservation requests within the first 48 hours, and integrate findings into a single timeline. We offer a free 20-minute consultation to map the artifact sources for your specific matter.

Want a fixed-fee quote for your matter?

Tell us about your device, account, or incident. We will tell you what is recoverable, what isn’t, and what it will cost, in a free 20-minute consultation.

Book Your Free Consultation

Primary Sources

  1. Microsoft Purview Audit Solutions – Retention. learn.microsoft.com
  2. Google Workspace Data Retention and Lag Times. workspace.google.com
  3. AWS CloudTrail Event History. docs.aws.amazon.com
  4. Azure Activity Log Retention. learn.microsoft.com
  5. Google Cloud Audit Logs Retention. cloud.google.com
  6. Federal Rules of Evidence 902(11), 902(13), 902(14).

This page is published for general educational purposes by Elite Digital Forensics. It is not legal advice and does not create an attorney-client or examiner-client relationship. Facts and platform behaviors can change; always confirm with a qualified examiner or attorney before relying on any specific statement for a real case.
