# Forensic Analysis

The Forensic Analysis page is an investigation hub that provides direct access to three forensic data tools: Audit Activity, File Access by User, and Configuration Changes. Use this page when you need to investigate a security incident, conduct an access review, or gather evidence for compliance. Keep in mind that these tools are made available through the Activity Monitoring feature set, which is configured during Account Linkage.

<figure><img src="/files/BdHMrVhPKWiClvgQ1XZY" alt=""><figcaption></figcaption></figure>

***

### Available Tools

We offer three tools to assist with forensic analysis: Audit Activity, File Access by User, and Configuration Changes. This feature set is available when Activity Monitoring

| Card                  | Description                                                                                                     | Destination           |
| --------------------- | --------------------------------------------------------------------------------------------------------------- | --------------------- |
| Audit Activity        | Raw CloudTrail event logs with complete API call records. Search by user, event type, resource, and time range. | Audit Activity        |
| File Access by User   | Detailed S3 access logs showing exactly which files each user or principal accessed, and what they did.         | File Access by User   |
| Configuration Changes | Complete history of configuration changes to your cloud resources, with before-and-after snapshots.             | Configuration Changes |

***

### Recommended Investigation Workflow

When investigating a potential incident:

1. **Start with Audit Activity** to get a timeline of API calls and identify the account or user involved.
2. **Move to File Access by User** to determine if any sensitive files were accessed or exfiltrated.
3. **Check Configuration Changes** to see if the attacker made any changes to your infrastructure (e.g. disabling logging, modifying IAM policies, opening public access).
4. Cross-reference findings with Suspected Attacks to see if DataDefender has already correlated the events into an attack chain.

***

### Audit Activity

The Audit Activity tool lets you search and query your AWS CloudTrail and S3 Server Access Logs. Use it to find out who did what, when, and on which resources.

<figure><img src="/files/BqnnC0y4jXuWfahVSNhJ" alt=""><figcaption></figcaption></figure>

#### Search Filters

Build a query before fetching results. Click the **Search Filters** header to expand or collapse the panel.

**Filter conditions** — Add one or more conditions to narrow results:

| Field     | Description                                                           |
| --------- | --------------------------------------------------------------------- |
| Attribute | The event property to filter on (e.g. Identity, Event Name, Resource) |
| Operator  | How to match: Equals, Contains, or Does Not Contain                   |
| Value     | The value to match against                                            |

Click **+ Add Condition** to add another row. Click **×** to remove a condition.

**Date range:** Choose a preset (Last 24 hours, Last 7 days, Last 30 days) or select a custom start and end date.

Click **Search** to run the query. Click **Reset** to clear all conditions.

#### Tips

* Start with a narrow date range if you know roughly when an event occurred — it returns results faster.
* Filter **Event Name = GetObject** with a specific **Identity** to trace which files a user downloaded.
* Filter **Status = Failed** to find unauthorized access attempts or permission errors.
* A CSV export option is available once a query has been built.
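The filter panel above combines Attribute / Operator / Value rows with a date range. The following Python is an added illustration (not DataDefender code) of how those conditions combine over a handful of constructed CloudTrail-style events; the field names, ARNs and timestamps are assumptions made up for the example. It also implements the two tips above (GetObject for a given Identity, and Status = Failed) as named searches.

```python
from datetime import datetime, timezone

# Constructed CloudTrail-style events for illustration (not real log data).
# The attribute names mirror the UI filter fields; the schema is an assumption.
EVENTS = [
    {"Identity": "arn:aws:iam::123456789012:user/alice", "Event Name": "GetObject",
     "Resource": "s3://finance-reports/q3.xlsx", "Status": "Success",
     "Time": "2024-05-01T10:15:00Z"},
    {"Identity": "arn:aws:iam::123456789012:user/alice", "Event Name": "GetObject",
     "Resource": "s3://finance-reports/q4.xlsx", "Status": "Success",
     "Time": "2024-05-01T10:16:00Z"},
    {"Identity": "arn:aws:iam::123456789012:user/bob", "Event Name": "PutObject",
     "Resource": "s3://finance-reports/notes.txt", "Status": "Failed",
     "Time": "2024-05-02T08:00:00Z"},
    {"Identity": "arn:aws:iam::123456789012:role/ci-deploy", "Event Name": "GetObject",
     "Resource": "s3://build-artifacts/app.zip", "Status": "Success",
     "Time": "2024-04-20T12:00:00Z"},
]

# The three operators offered by the search panel.
OPERATORS = {
    "Equals": lambda actual, wanted: actual == wanted,
    "Contains": lambda actual, wanted: wanted in actual,
    "Does Not Contain": lambda actual, wanted: wanted not in actual,
}


def _parse(ts):
    """Parse an ISO-8601 UTC timestamp such as 2024-05-01T10:15:00Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def matches(event, conditions):
    """Every condition row must hold (adding rows with + Add Condition narrows results)."""
    return all(OPERATORS[op](event.get(attr, ""), value) for attr, op, value in conditions)


def search(events, conditions, start, end):
    """Apply the date range first (it discards most rows cheaply), then the conditions."""
    lo, hi = _parse(start), _parse(end)
    return [e for e in events if lo <= _parse(e["Time"]) <= hi and matches(e, conditions)]


def files_downloaded_by(events, identity, start, end):
    """Tip 2: Event Name = GetObject plus a specific Identity traces what a user downloaded."""
    conditions = [("Event Name", "Equals", "GetObject"), ("Identity", "Equals", identity)]
    return [e["Resource"] for e in search(events, conditions, start, end)]


def failed_attempts(events, start, end):
    """Tip 3: Status = Failed surfaces denied or erroring calls."""
    return search(events, [("Status", "Equals", "Failed")], start, end)


if __name__ == "__main__":
    alice = "arn:aws:iam::123456789012:user/alice"
    for path in files_downloaded_by(EVENTS, alice, "2024-05-01T00:00:00Z", "2024-05-03T00:00:00Z"):
        print("alice downloaded", path)
    for e in failed_attempts(EVENTS, "2024-04-01T00:00:00Z", "2024-06-01T00:00:00Z"):
        print("failed:", e["Identity"], e["Event Name"], e["Resource"])
```

Note that the date range is evaluated before the attribute conditions, which is why the first tip (start narrow in time) pays off: fewer records reach the string comparisons.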

***

### File Access by User

The File Access by User tool provides granular S3 access logs showing exactly which files each user or service principal accessed, when they accessed them, and what they did.

<figure><img src="/files/jLAdnL6DhONMrhKlugEm" alt=""><figcaption></figcaption></figure>

#### Search Filters

| Field      | Description                                              |
| ---------- | -------------------------------------------------------- |
| Identity   | The AWS user, role, or service that performed the access |
| Resource   | The S3 bucket to search within                           |
| Path       | (Optional) A specific file path or prefix to filter to   |
| Date Range | The time window to search, in UTC                        |

Select your criteria and click **Search** to load results.

<figure><img src="/files/tOM3ADOuubgOL5qvEYX2" alt=""><figcaption></figcaption></figure>

#### Access Activity Grid

Each row represents one file access event.

| Column        | Description                                                          |
| ------------- | -------------------------------------------------------------------- |
| Date / Time   | When the access occurred                                             |
| Account ID    | AWS Account ID                                                       |
| User          | The identity that performed the access                               |
| Action        | The action performed: GET (download), PUT (upload), DELETE (delete)  |
| Resource Name | The resource container that was accessed                             |
| Object Path   | The full path to the file within the bucket                          |
| Source IP     | The IP address the request came from                                 |
| Resource Type | The actual object type that was accessed                             |
| Event Name    | Operation performed                                                  |

<figure><img src="/files/oRnbpoFlf78L8XfaF4Zx" alt=""><figcaption></figcaption></figure>

#### Tips

* Search by a specific user to see everything they accessed during a given time window.
* Look for high-volume GET requests on a bucket as a sign of bulk data exfiltration.
* A large number of DELETE operations may indicate data destruction.
* Cross-reference the Source IP with known company IP ranges to identify access from unexpected locations.
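The tips above describe three patterns to look for in the Access Activity grid: high-volume GETs, large numbers of DELETEs, and source IPs outside known company ranges. The Python below is an added example, not DataDefender code, that runs those checks over constructed rows shaped like the grid columns (Date / Time, User, Action, Resource Name, Object Path, Source IP). The user names, bucket names, addresses and the corporate CIDR ranges are assumptions made up for the illustration.

```python
import ipaddress
from collections import Counter, defaultdict

# Assumed company address space for the illustration; substitute your own ranges.
CORPORATE_RANGES = [ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("203.0.113.0/24")]


def _rows(user, action, bucket, ip, count, prefix):
    """Build constructed grid rows (not real access logs):
    (Date / Time, User, Action, Resource Name, Object Path, Source IP)."""
    return [
        (f"2024-05-01T{10 + i // 60:02d}:{i % 60:02d}:00Z", user, action, bucket,
         f"{prefix}{i:04d}.dat", ip)
        for i in range(count)
    ]


# Constructed sample: one user pulling many objects from an outside address,
# one normal user, and one user deleting a large number of backup objects.
ACCESS_ROWS = (
    _rows("alice", "GET", "finance-reports", "198.51.100.7", 150, "report-")
    + _rows("bob", "GET", "finance-reports", "10.1.2.3", 5, "report-")
    + _rows("bob", "PUT", "finance-reports", "10.1.2.3", 2, "notes-")
    + _rows("carol", "DELETE", "backups", "10.4.4.4", 40, "snap-")
)


def actions_by_user(rows):
    """Per-user tally of GET / PUT / DELETE: the first view to build for an identity."""
    counts = defaultdict(Counter)
    for _, user, action, *_ in rows:
        counts[user][action] += 1
    return counts


def bulk_downloaders(rows, threshold):
    """Users whose GET count in the window reaches the threshold (possible bulk exfiltration)."""
    return sorted(u for u, c in actions_by_user(rows).items() if c["GET"] >= threshold)


def mass_deleters(rows, threshold):
    """Users whose DELETE count reaches the threshold (possible data destruction)."""
    return sorted(u for u, c in actions_by_user(rows).items() if c["DELETE"] >= threshold)


def external_access(rows, ranges=CORPORATE_RANGES):
    """(User, Source IP) pairs whose address lies outside every known company range."""
    seen = set()
    for _, user, _, _, _, ip in rows:
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in ranges):
            seen.add((user, ip))
    return sorted(seen)


if __name__ == "__main__":
    for user, counts in sorted(actions_by_user(ACCESS_ROWS).items()):
        print(user, dict(counts))
    print("bulk GET:", bulk_downloaders(ACCESS_ROWS, 100))
    print("mass DELETE:", mass_deleters(ACCESS_ROWS, 25))
    print("outside company ranges:", external_access(ACCESS_ROWS))
```

The thresholds are deliberately parameters: what counts as "high volume" depends on the bucket and the identity's normal workload, so compare against the same user's counts in a quiet window before treating a number as suspicious.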

***

### Configuration Changes

The Configuration Changes tool is a daily audit log that tracks every resource added, deleted, or modified across your storage services. It is updated nightly and lets you filter changes by date range and expand any record to see a detailed before-and-after diff of exactly what changed.

<figure><img src="/files/kIW3xla5oMyG5LuO1smZ" alt=""><figcaption></figcaption></figure>

#### Grid Columns

| Column                | Description                                                                         |
| --------------------- | ----------------------------------------------------------------------------------- |
| Change Detected (UTC) | When the change was recorded. Supports date range filtering (maximum 31-day range). |
| Change Type           | What happened to the resource: Created, Modified, Deleted, or Baseline              |
| Account ID            | The AWS account where the change occurred                                           |
| Location              | The AWS region or location                                                          |
| Resource ID           | The identifier of the affected resource                                             |
| Resource Name         | The name of the affected resource                                                   |
| Resource Type         | The type of AWS resource (e.g. S3 Bucket, RDS Instance)                             |

All columns support filtering. The set-type filters (Account ID, Location, Resource Type, Change Type) offer selectable values drawn from your environment. Resource ID and Resource Name support text search (contains or equals).

#### Change Types

| Type         | Meaning                                                                       |
| ------------ | ----------------------------------------------------------------------------- |
| **Created**  | A new resource was detected that did not exist before                         |
| **Modified** | An existing resource had one or more configuration properties changed         |
| **Deleted**  | A resource was removed                                                        |
| **Baseline** | The initial snapshot recorded when DataDefender first discovered the resource |

#### Viewing a Diff

Click the expand arrow on any **Modified** row to see the detailed property-level diff. Each changed property is shown with its previous value and new value, displayed inline or side-by-side.

<figure><img src="/files/XJf9E5Nacr3mjgDSeqGx" alt=""><figcaption></figcaption></figure>
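To make the Change Types and the property-level diff concrete, here is an added Python illustration (not DataDefender code) that compares two constructed nightly snapshots of bucket configuration. It classifies each resource as Created, Modified or Deleted (or Baseline when there is no earlier snapshot), produces the previous/new value pairs a diff view would show, and flags the two modifications the investigation workflow above calls out (logging disabled, public access opened). The resource IDs, property names and values are assumptions made up for the example.

```python
# Constructed snapshots keyed by resource ID; property names are assumptions,
# not DataDefender's schema.
DAY1 = {
    "arn:aws:s3:::finance-reports": {"Resource Type": "S3 Bucket", "Location": "us-east-1",
                                     "logging_enabled": True, "block_public_access": True},
    "arn:aws:s3:::tmp-uploads": {"Resource Type": "S3 Bucket", "Location": "us-east-1",
                                 "logging_enabled": True, "block_public_access": True},
}
DAY2 = {
    "arn:aws:s3:::finance-reports": {"Resource Type": "S3 Bucket", "Location": "us-east-1",
                                     "logging_enabled": False, "block_public_access": False},
    "arn:aws:s3:::new-archive": {"Resource Type": "S3 Bucket", "Location": "us-east-1",
                                 "logging_enabled": True, "block_public_access": True},
}

# (property, previous, new) transitions worth a second look during an investigation.
RISKY_TRANSITIONS = {
    ("logging_enabled", True, False): "logging disabled",
    ("block_public_access", True, False): "public access opened",
}


def property_diff(before, after):
    """Property-level diff: {property: (previous, new)} for every property that changed."""
    return {
        key: (before.get(key), after.get(key))
        for key in sorted(set(before) | set(after))
        if before.get(key) != after.get(key)
    }


def diff_snapshots(previous, current):
    """Classify each resource between two snapshots. A missing previous snapshot means
    this is the first discovery, so every resource is recorded as Baseline."""
    if previous is None:
        return [{"resource_id": rid, "change_type": "Baseline", "diff": {}}
                for rid in sorted(current)]
    records = []
    for rid in sorted(set(previous) | set(current)):
        before, after = previous.get(rid), current.get(rid)
        if before is None:
            records.append({"resource_id": rid, "change_type": "Created",
                            "diff": {k: (None, v) for k, v in sorted(after.items())}})
        elif after is None:
            records.append({"resource_id": rid, "change_type": "Deleted",
                            "diff": {k: (v, None) for k, v in sorted(before.items())}})
        else:
            changed = property_diff(before, after)
            if changed:  # unchanged resources produce no record
                records.append({"resource_id": rid, "change_type": "Modified", "diff": changed})
    return records


def risky_changes(records):
    """(resource_id, label) for each Modified property matching a risky transition."""
    return [(r["resource_id"], RISKY_TRANSITIONS[(prop, old, new)])
            for r in records
            for prop, (old, new) in r["diff"].items()
            if (prop, old, new) in RISKY_TRANSITIONS]


def render(record):
    """Inline 'property: previous -> new' lines, like an expanded diff row."""
    header = f"{record['change_type']} {record['resource_id']}"
    return [header] + [f"  {p}: {old!r} -> {new!r}" for p, (old, new) in record["diff"].items()]


if __name__ == "__main__":
    recs = diff_snapshots(DAY1, DAY2)
    for rec in recs:
        print("\n".join(render(rec)))
    print("risky:", risky_changes(recs))
```

Note that a resource present in both snapshots with identical properties produces no record at all, which is why filtering on Change Type = Modified over a narrow date range is an effective way to isolate what actually changed on a given day.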

#### Tips

* Use **Change Type = Modified** combined with a narrow date range to investigate what changed on a specific day.
* If a security check finding appeared recently, check Configuration Changes for the same resource around the same date to see what was altered.
* The **Baseline** change type is not an alert; it simply marks when DataDefender first recorded a resource's configuration.

---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://help.datadefender.io/portal-overview/supporting-information/forensic-analysis.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
