Skip to main content

This article applies to Cloud.

Available in:

Small Business
Forensic File Search

Code42 Support

Forensic File Search reference guide

This article applies to Cloud.

Available in:

Small Business
Forensic File Search


Forensic File Search provides detailed visibility for Code42 administrators about files on user devices, including files not selected for backup. This enables administrators to search file metadata to gain a clearer understanding of file activity throughout the organization.

To enable Forensic File Search, see Configure Forensic File Search.

Forensic File Search

To access Forensic File Search:

  1. Sign in to the administration console.
  2. Select Security Center > Forensic Search.
What is a "file event?"
Forensic File Search reports on file events detected by Code42. A file event is defined as any activity observed for a file. For example, creating, modifying, renaming, moving, or deleting a file generates an event for that file. Events are reported for both user and system actions.

Forensic File Search Results

Item Description
a Search type

Select an item from the dropdown to search based on:




  • File Size
  • Filename
  • File Path
  • File Owner
  • MD5 Hash
  • SHA256 Hash


b Search operator

Search operator options vary based on search type.

  • Single value
    • Is: Returns events that match the search criteria
    • Is not: Excludes events that match the search criteria
  • Multi-value (or)
    • Includes any: Returns events that match any item in the list of search criteria (this search is evaluated as though the "or" operator exists between each value).
    • Includes none: Returns events that do not match the items included in the list of search criteria.

For date searches, select onon or after, on or before, or is in range to specify a single date or date range.

For File Size, select is greater than or is less than.

c Search criteria

Defines the criteria for the search. Searches are case insensitive.


For multi-value searches (includes any or includes none), enter each value on a separate line. Do not enter a comma-separated list.


For Filename and File Path searches, use the * wild card character in combination with a partial string. Use the ? wildcard to replace a single character. For example:

  • Enter the search string expenses* to return events for any filename beginning with the phrase expenses, such as expenses.xls, expenses.doc, expenses to review.txt, etc.
  • Enter the search string expenses201?.xls to return events only for filenames matching that exact pattern, such as expenses2016.xls, expenses2017.xls, etc.
  • File Path searches require a trailing slash (/) or wildcard at the end of the search term. For example:
    • Enter /Users/Clyde/ExampleFolder/ to view only events for files in ExampleFolder.
    • Enter  /Users/Clyde/ExampleFolder* to view events for files in ExampleFolder and any subfolders.

For File Size, enter a whole number (decimals are not supported) and then select a unit of measurement (bytes, kB, MB, or GB).

d Remove search criteria Removes this search criteria.
e Add search criteria Adds another search criteria. Search results only return events that match all criteria.
f Update Search Performs a search based on the current search criteria.

Column selector

column selector icon

Displays a list of available columns. Select or deselect items to customize the format of your search results. Column selections reset to the default view upon page refresh.

Expand/collapse event details

file details icon

Expands or collapses all file event details.

Column sort

column sort icon

Click the up arrow to sort results by this column in ascending order. Click the down arrow to sort in descending order.

Date Observed

Date and time that the Code42 service on the device detected an event for the file. The file metadata for the event is based on this detection time. The time is based on the device’s system clock and reported in Coordinated Universal Time (UTC).


File activity can be detected in two ways:

  • Real-time: Reported by the operating system as changes occur.
  • Scanner: The Code42 app performs a scan once per day to identify any changes that might have been missed by the real time file watcher. The scan runs once every 24 hours and cannot be configured.
k Event Type

Indicates the type of file event observed:

  • New file: Indicates this is the first event detected for this filename and file path on the device. New file events are reported when:
    • A new file is created.
    • An existing file is moved to a new location.
    • Forensic File Search is initially enabled on a device. As part of the initial device scan, New file events are created for the existing files on the device.
  • Modified: Indicates file contents changed for a file Code42 already detected with this filename and file path on the device.
  • No longer observed: Indicates the filename and file path for a previously detected file no longer exists on the device. The metadata displayed for this event is the metadata from the last New file or Modified event. No longer observed file events are reported when:
    • A file is deleted.
    • A file is moved or renamed.
l File Size Size of the file.
m Filename The name of the file, including the file extension.
n File Path The file location on the user's device.
o MD5 Hash The MD5 hash of the file contents. 
  SHA256 Hash
(not pictured)
The SHA256 hash of the file contents.
p File Owner The name of the user who owns the file, as reported by the device's file system.
q File Created Date File creation timestamp as reported by the device's operating system. Applies to Mac and Windows NTFS devices only. This appears in Coordinated Universal Time (UTC).
r File Modified Date File modification timestamp as reported by the device's operating system. This only indicates changes to file contents. Changes to file permissions, file owner, or other metadata are not reflected in this timestamp. This appears in Coordinated Universal Time (UTC).
s Hostname The name reported by the device's operating system. This may be different than the device name in the Code42 administration console. You must enter the complete hostname. Wildcard searches are not supported.
t Fully Qualified Domain Name Fully qualified domain name (FQDN) for the user's device at the time the event is recorded. If the device is unable to resolve the domain name of the host, it reports the IP address of the host.
u Username

The Code42 username used to sign in to the Code42 app on the device. For Code42 cloud environments, this is always the user's email address.


The username is reported independently of file activity. This enables existing events to update the displayed User Name if the username changes. If the username hasn’t yet been reported, this displays as NAME_NOT_AVAILABLE.

v IP Address (public) The external IP address of the user's device.
w IP Address (private)

The IP address of the user's device on your internal network. This includes:

  • Network interfaces
  • Virtual Network Interface controllers (NICs)
  • Loopback/non-routable addresses (for example, 127.0.01)

If there is more than one active network interface, this displays a comma-separated list.

x Export Results Downloads the current search results to a CSV file. Exports are limited to 200,000 results. 
y Events per page Select to display 10, 25, 50, or 100 events per page.
Missing file metadata
Some file events may not capture all metadata. Missing metadata is indicated by a dash (–) in the field. Most commonly, this occurs if the file did not exist on disk long enough for Code42 to capture all the metadata.

File exclusions

To reduce file event search results for unimportant files, some file locations are excluded from Forensic File Search monitoring. For a detailed list of these exclusions, contact our Customer Champions​ for Code42 for Enterprise support.

  • Was this article helpful?