This article applies to Cloud.
Forensic File Search provides detailed visibility for Code42 administrators about files on user devices, including files not selected for backup. This enables administrators to search file metadata to gain a clearer understanding of file activity throughout the organization.
To enable Forensic File Search, see Configure Forensic File Search.
Forensic File Search
To access Forensic File Search:
- Sign in to the administration console.
- Select Security Center > Forensic Search.
Forensic File Search reports on file events detected by Code42. A file event is defined as any activity observed for a file. For example, creating, modifying, renaming, moving, or deleting a file generates an event for that file. Events are reported for both user and system actions.
Select an item from the dropdown to search based on:
Search operator options vary based on search type.
For date searches, select on, on or after, on or before, or is in range to specify a single date or date range.
For File Size, select is greater than or is less than.
Defines the criteria for the search. Searches are case insensitive.
For multi-value searches (includes any or includes none), enter each value on a separate line. Do not enter a comma-separated list.
For Filename and File Path searches, use the * wildcard character in combination with a partial string. Use the ? wildcard to replace a single character. For example:
For File Size, enter a whole number (decimals are not supported) and then select a unit of measurement (bytes, kB, MB, or GB).
| Item | Name | Description |
|---|---|---|
| d | Remove search criteria | Removes this search criterion. |
| e | Add search criteria | Adds another search criterion. Search results only return events that match all criteria. |
| f | Update Search | Performs a search based on the current search criteria. |
Displays a list of available columns. Select or deselect items to customize the format of your search results. Column selections reset to the default view upon page refresh.
Expand/collapse event details: Expands or collapses all file event details.
Click the up arrow to sort results by this column in ascending order. Click the down arrow to sort in descending order.
Date and time that the Code42 service on the device detected an event for the file. The file metadata for the event is based on this detection time. The time is based on the device’s system clock and reported in Coordinated Universal Time (UTC).
File activity can be detected in two ways:
Indicates the type of file event observed:
| Item | Name | Description |
|---|---|---|
| l | File Size | Size of the file. |
| m | Filename | The name of the file, including the file extension. |
| n | File Path | The file location on the user's device. |
| o | MD5 Hash | The MD5 hash of the file contents. |
|  | SHA256 Hash | The SHA256 hash of the file contents. |
| p | File Owner | The name of the user who owns the file, as reported by the device's file system. |
| q | File Created Date | File creation timestamp as reported by the device's operating system. Applies to Mac and Windows NTFS devices only. This appears in Coordinated Universal Time (UTC). |
| r | File Modified Date | File modification timestamp as reported by the device's operating system. This only indicates changes to file contents. Changes to file permissions, file owner, or other metadata are not reflected in this timestamp. This appears in Coordinated Universal Time (UTC). |
| s | Hostname | The name reported by the device's operating system. This may be different from the device name in the Code42 administration console. You must enter the complete hostname. Wildcard searches are not supported. |
| t | Fully Qualified Domain Name | Fully qualified domain name (FQDN) for the user's device at the time the event is recorded. If the device is unable to resolve the domain name of the host, it reports the IP address of the host. |
| u | User Name | The Code42 username used to sign in to the Code42 app on the device. For Code42 cloud environments, this is always the user's email address. The username is reported independently of file activity. This enables existing events to update the displayed User Name if the username changes. If the username hasn't yet been reported, this displays as NAME_NOT_AVAILABLE. |
| v | IP Address (public) | The external IP address of the user's device. |
| w | IP Address (private) | The IP address of the user's device on your internal network. This includes: If there is more than one active network interface, this displays a comma-separated list. |
| x | Export Results | Downloads the current search results to a CSV file. Exports are limited to 200,000 results. |
| y | Events per page | Select to display 10, 25, 50, or 100 events per page. |
Some file events may not capture all metadata. Missing metadata is indicated by a dash (–) in the field. Most commonly, this occurs if the file did not exist on disk long enough for Code42 to capture all the metadata.
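The script below is an added example, not Code42's own code or part of this documentation. It reproduces the search rules described above (case-insensitive matching, * and ? wildcards for Filename and File Path, one value per line for includes any / includes none, whole-number sizes with a unit, ANDed criteria, and the date operators) so an analyst can re-apply the same criteria offline to an exported CSV, and it shows how to treat the dash that marks metadata Code42 could not capture. Everything about the export format is assumed: the column headers match the names on this page, the date column is called "Date Observed", timestamps are ISO 8601 in UTC, size units are decimal, and an event whose field is missing never satisfies a criterion on that field. The sample rows, hostnames, users and hashes are constructed.

```python
"""Apply Forensic File Search-style criteria offline to an exported CSV.

Added example; not Code42's own code. Assumptions: column headers match the
names on the documentation page (the date column is assumed to be
"Date Observed"), timestamps are ISO 8601 UTC, missing metadata is written as
a dash, and size units are decimal (kB = 1000 bytes). All rows are constructed.
"""
import csv
import fnmatch
import io
from datetime import date, datetime, timezone

MISSING = {"", "-", "\u2013"}                                  # hyphen or en dash: metadata not captured
UNITS = {"bytes": 1, "kB": 10**3, "MB": 10**6, "GB": 10**9}    # assumed decimal units

# Constructed sample export (three events; not real Code42 data).
SAMPLE_CSV = """Date Observed,Filename,File Path,File Size,MD5 Hash,Hostname,User Name
2024-03-01T09:15:00Z,Q1-Budget.XLSX,C:\\Users\\alice\\Documents\\,245760,0cc175b9c0f1b6a831c399e269772661,ALICE-PC,alice@example.com
2024-03-01T09:16:30Z,notes.txt,/Users/bob/Desktop/,1024,\u2013,bob-mbp,bob@example.com
2024-03-02T17:45:10Z,budget_final.xlsx,/Users/bob/Documents/,3145728,92eb5ffee6ae2fec3ad71c777531578f,bob-mbp,NAME_NOT_AVAILABLE
"""


def load_events(text):
    """Parse the export: dashes become None, sizes become ints, dates become aware UTC datetimes."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        ev = {k: (None if v.strip() in MISSING else v.strip()) for k, v in row.items()}
        if ev["File Size"] is not None:
            ev["File Size"] = int(ev["File Size"])
        ev["Date Observed"] = datetime.strptime(
            ev["Date Observed"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return events


def missing_fields(ev):
    """Names of columns the export left as a dash (e.g. a file that was deleted before it could be hashed)."""
    return [k for k, v in ev.items() if v is None]


def _lines(value):
    # Multi-value operators take one value per line, never a comma-separated list.
    return [v.strip().lower() for v in value.splitlines() if v.strip()]


def matches(ev, field, op, value):
    """Evaluate one criterion. Text matching is case insensitive; text operators apply to text columns,
    size operators to File Size, date operators to Date Observed.
    Assumption: an event whose field is missing never satisfies a criterion on that field."""
    actual = ev.get(field)
    if actual is None:
        return False
    if op == "is":
        return actual.lower() == value.lower()
    if op == "wildcard":                      # * = any run of characters, ? = exactly one character
        return fnmatch.fnmatchcase(actual.lower(), value.lower())
    if op == "includes any":
        return actual.lower() in _lines(value)
    if op == "includes none":
        return actual.lower() not in _lines(value)
    if op in ("is greater than", "is less than"):
        number, unit = value.split()          # e.g. "1 MB"; whole numbers only, as in the console
        limit = int(number) * UNITS[unit]
        return actual > limit if op == "is greater than" else actual < limit
    if op in ("on", "on or after", "on or before", "is in range"):
        day = actual.date()
        bounds = [date.fromisoformat(d) for d in value.split()]
        if op == "on":
            return day == bounds[0]
        if op == "on or after":
            return day >= bounds[0]
        if op == "on or before":
            return day <= bounds[0]
        return bounds[0] <= day <= bounds[1]  # range is inclusive at both ends
    raise ValueError(f"unknown operator {op!r}")


def search(events, criteria):
    """Return events that satisfy every criterion (criteria are ANDed, as in the console)."""
    return [ev for ev in events if all(matches(ev, *c) for c in criteria)]


if __name__ == "__main__":
    events = load_events(SAMPLE_CSV)
    hits = search(events, [
        ("Filename", "wildcard", "*budget*.xls?"),
        ("File Size", "is greater than", "1 MB"),
        ("Date Observed", "is in range", "2024-03-01 2024-03-02"),
    ])
    for ev in hits:
        print(ev["Filename"], ev["File Path"], ev["User Name"])
    for ev in events:
        if missing_fields(ev):
            print("missing metadata:", ev["Filename"], missing_fields(ev))
```

Run as-is, the query returns only budget_final.xlsx: Q1-Budget.XLSX matches the wildcard (case is ignored) but is under 1 MB, and notes.txt matches neither. The notes.txt event is reported as missing its MD5 Hash, which is the pattern to expect for short-lived files; treating such rows as non-matching rather than skipping them keeps them visible for a separate review.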
To reduce file event search results for unimportant files, some file locations are excluded from Forensic File Search monitoring. For a detailed list of these exclusions, contact our Customer Champions for Code42 for Enterprise support.