Performing Cloud Forensics with AWS CloudTrail

When to Use

- When investigating suspected AWS account compromise
- After detecting unauthorized API calls or credential exposure
- During incident response involving cloud infrastructure
- When analyzing S3 data exfiltration or IAM privilege escalation
- For post-incident forensic timeline reconstruction

Prerequisites

- AWS account with CloudTrail enabled (management and data events)
- IAM permissions for cloudtrail:LookupEvents, s3:GetObject, athena:StartQueryExecution
- boto3 Python SDK installed
- CloudTrail logs delivered to S3 with optional…