I think forensics might be the wrong term. Digital forensics means finding digital evidence that something has been tampered with. It could be recovering deleted files or following a trail of breadcrumbs that an attacker left in a server. The act of performing digital forensics is usually done after or during an attack. Your scope is small, usually focused on a few things.
Cloud security and the collection of logs differs between platforms. For example IAM logs in AWS, or the equivalent in azure. I think the process of how you approach collecting evidence for an attack is the same for both local and cloud platforms, but the technical aspects are different for each platform. It depends on the services you are running, what your network looks like, etc. I think it helps if you have security systems in place to aid the gathering of evidence.
Think of suricata and elk. Collecting network logs and system logs everywhere. That will help greatly when performing forensics.
My input might not be what you are looking for. What comes to mind when I read this is your definition of forensics is way to broad.