FORGC1

IMAP (and POP3) clients will download individual emails using a Bind operation. This is an advantage, as you can track individual emails by following the "Message ID" field through various log entries.

The PowerShell command "Get-OrganizationConfig | Format-List AuditDisabled" will help you confirm that audit logs are not disabled (meaning they are enabled). The double negative can be confusing: false means that auditing is turned on.

By providing the application ID (ClientID) and the client secret, you can make a call to the Graph API and obtain an authorization token.

Serverless and containers are hot topics. Containers are a great way to sandbox an application, while serverless is an efficient way to run a small amount of code. From a DFIR perspective, they both represent challenges. Containers are likely to purge all log data on exit, while serverless typically runs for a short amount of time, leaving very little in terms of logs.

Each cloud vendor has a shared responsibility model explaining what they will take care of versus what the customer is expected to handle. Regardless of cloud type, the customer is ultimately responsible for the information and data they put in the cloud.

Clouds use a per-consumption model, which means everything you do has a cost. Disks and snapshots are examples of persistent costs, which accrue constantly until the resource or object is deleted. There are also temporary costs, which accrue only when the resource is running, such as with a virtual machine.

The SoftDelete action moves messages to the Recoverable Items folder. HardDelete purges items from that folder. MoveToDeletedItems moves them to the Deleted Items folder. MailItemsAccessed shows when items are accessed, not when they are deleted.

Simple API calls are made using HTTP methods, and Microsoft Graph API supports several, including PATCH, which is used to change an entity or update user properties.

Microsoft Graph API supports the following methods:

• GET: Used to fetch data from Microsoft Graph
• POST: Used to create a new entity
• PUT: Used to modify an entity with existing data (not used a lot in Graph API)
• PATCH: Used to change an entity (note that you only need to specify new or changed information)
• DELETE: Used to remove an entity

Bind access is used by IMAP, POP3, and web clients such as Outlook Web Access (OWA). Each email is recorded in the audit log. In rare cases, if more than 1,000 MailItemsAccessed audit records are generated in less than 24 hours, Exchange Online will stop generating auditing records for MailItemsAccessed activity. Sync access is used by Outlook and generates audit events for the mail folder being synced.