In this article, we analyze forensic data from a self-hosted Bitwarden instance, on the assumption that the underlying server has been breached. We first explore what information a threat actor with high privileges and access to the Bitwarden installation's databases can find. We then enumerate the Bitwarden logs of interest, to help blue team members track malicious activity in Bitwarden.