Cloud breaches are on the rise, and none of these breaches are small. Understanding the TTPs is key to determining where to look among the plethora of services available through Cloud Service Providers such as AWS and Azure. In this session we'll enumerate sources of forensic evidentiary data among the vastness of AWS Cloudtrail, GuardDuty, Microsoft Graph, and more. A very clearly defined methodology will be provided as a baseline for combing through this data in a precise and expedited way. Examples from real world breaches will be highlighted providing practical approaches to exposing the attacker's methods and compromise.