
This article applies to Cloud.

Available in: Small Business, Standard, Premium, Enterprise
Forensic File Search


Forensic File Search reference guide


Overview

Forensic File Search provides detailed visibility for Code42 administrators about files stored:

  • On user devices, including files not selected for backup
  • In cloud services, such as Google Drive and Microsoft OneDrive

This enables administrators to search file metadata to gain a clearer understanding of file activity throughout the organization.

To enable Forensic File Search, see Configure Forensic File Search

For cloud services configuration instructions, see Allow Code42 Forensic File Search access to your Google Drive or Allow Code42 Forensic File Search access to OneDrive

Forensic File Search

To access Forensic File Search:

  1. Sign in to the administration console.
  2. Select Security Center > Forensic Search.

What is a "file event"?
Forensic File Search reports on file events detected by Code42. A file event is defined as any activity observed for a file. For example, creating, modifying, renaming, moving, or deleting a file generates an event for that file. Events are reported for both user and system actions.

Search results

Forensic File Search Results

Item   Description
a Search Displays search criteria and results.
b Saved Searches Displays the list of Saved Searches.
c Saved Searches (quick view) Displays a searchable list of searches created and saved by users in your Code42 environment. Click the name of a search to immediately execute that search and display the results.
d Search type

Select an item from the menu to base your search on:

Event

File

  • File Size
  • Filename
  • File Path
  • File Owner
  • MD5 Hash
  • SHA256 Hash

Device

Cloud (visible only with licensing for one or more cloud service data sources)

  • Directory ID
  • Actor
  • Shared With
  • Shared
e Search operator

Search operator options vary based on search type.

  • Single value
    • Is: Returns events that match the search criteria
    • Is not: Excludes events that match the search criteria
  • Multi-value (or)
    • Includes any: Returns events that match any item in the list of search criteria. This search is evaluated as though the "or" operator exists between each value.
    • Includes none: Returns events that do not match the items included in the list of search criteria.

For date searches, select on, on or after, on or before, or is in range to specify a single date or a date range.

For File Size, select is greater than or is less than.

 

For Shared With, select Contains or Does not contain to enter search criteria for a specific user.

f Search criteria

Defines the criteria for the search. Searches are case-insensitive.

 

For multi-value searches (includes any or includes none), enter each value on a separate line. Do not enter a comma-separated list.

 

For Filename, File Path, File Owner, and Shared With searches, use the * wildcard character in combination with a partial string. Use the ? wildcard to replace a single character. For example:

  • Enter the search string expenses* to return events for any filename beginning with the phrase expenses, such as expenses.xls, expenses.doc, expenses to review.txt, etc.
  • Enter the search string expenses201?.xls to return events only for filenames matching that exact pattern, such as expenses2016.xls, expenses2017.xls, etc.
  • File Path searches require a trailing slash (/) or wildcard at the end of the search term. For example:
    • Enter /Users/Clyde/ExampleFolder/ to view only events for files in ExampleFolder.
    • Enter  /Users/Clyde/ExampleFolder* to view events for files in ExampleFolder and any subfolders.

For File Size, enter a whole number (decimals are not supported) and then select a unit of measurement (bytes, kB, MB, or GB).

g Remove search criteria Removes this search criteria.
h Add search criteria Adds another item to the search criteria. Search results only return events that match all criteria.
i Save As Adds the current search criteria to the list of saved searches. When viewing an existing saved search, you have the option to either Save As a new search or Save changes under the same name.
j Update Search Performs a search based on the current search criteria.
k Export Results Downloads the current search results to a CSV file. Exports are limited to 200,000 results.
l Column selector (icon) Displays a list of available columns. Select or deselect items to customize the format of your search results. Column selections reset to the default view upon page refresh.
m Column sort (icon) Click the up arrow to sort results by this column in ascending order. Click the down arrow to sort in descending order.
n Expand/collapse event details (icon) Expands or collapses all file event details.
o Events per page Select to display 10, 25, 50, or 100 events per page.
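As an added example, not Code42's code or part of this article, the following Python models the search semantics described in items e, f and h: case-insensitive matching, the * and ? wildcards, the trailing / versus * rule for File Path terms, OR across the values of a multi-value operator, and AND across criteria. The event dictionaries, their key names, and the assumption that File Path holds the containing folder with a trailing slash are constructed for the example, and the matcher implements plain glob semantics, which is an assumption about how the product evaluates a pattern. It is useful for sanity-checking a pattern against an exported result set before saving a search.

```python
import re
from dataclasses import dataclass


def glob_to_regex(pattern: str) -> "re.Pattern":
    """Translate the documented wildcard syntax into an anchored regex.

    '*' matches any run of characters (including none), '?' matches exactly one
    character, everything else is literal. Searches are case-insensitive.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE | re.DOTALL)


def matches(pattern: str, value: str) -> bool:
    return glob_to_regex(pattern).match(value) is not None


def validate_file_path_pattern(pattern: str) -> str:
    """A File Path term must end in '/' (that folder only) or '*' (wildcard)."""
    if not pattern.endswith(("/", "*")):
        raise ValueError(f"File Path term must end with '/' or '*': {pattern!r}")
    return pattern


@dataclass
class Criterion:
    field: str      # assumed event keys: "filename", "file_path", "file_owner"
    operator: str   # "is", "is not", "includes any", "includes none"
    values: list    # one value per line in the UI, never a comma-separated list

    def __post_init__(self):
        if self.operator in ("is", "is not") and len(self.values) != 1:
            raise ValueError("single-value operators take exactly one value")
        if self.field == "file_path":
            for v in self.values:
                validate_file_path_pattern(v)

    def matches(self, event: dict) -> bool:
        # Multi-value operators are evaluated as OR across the listed values.
        hit = any(matches(v, event[self.field]) for v in self.values)
        if self.operator in ("is", "includes any"):
            return hit
        if self.operator in ("is not", "includes none"):
            return not hit
        raise ValueError(f"unknown operator {self.operator!r}")


def run_search(criteria: list, events: list) -> list:
    """Criteria added with 'Add search criteria' are ANDed: every one must match."""
    return [e for e in events if all(c.matches(e) for c in criteria)]


def filenames(events: list) -> list:
    return [e["filename"] for e in events]


# Constructed sample events. file_path is assumed to be the containing folder
# with a trailing slash, which is how the documented path examples read.
EVENTS = [
    {"filename": "expenses.xls", "file_path": "/Users/Clyde/ExampleFolder/", "file_owner": "clyde"},
    {"filename": "Expenses to review.txt", "file_path": "/Users/Clyde/ExampleFolder/Q3/", "file_owner": "clyde"},
    {"filename": "expenses2017.xls", "file_path": "/Users/Clyde/ExampleFolder2/", "file_owner": "bonnie"},
    {"filename": "expenses20177.xls", "file_path": "/Users/Clyde/", "file_owner": "clyde"},
    {"filename": "salary.docx", "file_path": "/Users/Clyde/ExampleFolder/", "file_owner": "bonnie"},
]

if __name__ == "__main__":
    # Trailing '/' keeps only the folder itself; trailing '*' also picks up the
    # Q3 subfolder, but under plain glob semantics it also matches the sibling
    # ExampleFolder2. '/Users/Clyde/ExampleFolder/*' avoids that.
    for term in ("/Users/Clyde/ExampleFolder/", "/Users/Clyde/ExampleFolder*", "/Users/Clyde/ExampleFolder/*"):
        print(term, "->", filenames(run_search([Criterion("file_path", "is", [term])], EVENTS)))
    combined = [
        Criterion("filename", "includes any", ["expenses*", "salary*"]),
        Criterion("file_owner", "includes none", ["bonnie"]),
    ]
    print("combined ->", filenames(run_search(combined, EVENTS)))
```

Note what the trailing wildcard does under these semantics: /Users/Clyde/ExampleFolder* matches the ExampleFolder2 sibling as well as ExampleFolder and its subfolders, whereas /Users/Clyde/ExampleFolder/* (which also satisfies the trailing-wildcard rule) does not. When a search must be precise, check the exported results rather than trusting the pattern alone.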

File event details

Forensic File Search file event details

Item   Description
a Expand / collapse event details (icon) Expands or collapses all file event details.
Event
b

Date Observed

Endpoint file activity
Date and time that the Code42 service on the device detected an event for the file. The file metadata for the event is based on this detection time. The time comes from the device's system clock and is reported in Coordinated Universal Time (UTC), so events from a device with a skewed clock can appear out of order relative to events from other devices.

 

File activity can be detected in two ways:

  • Real-time: Reported by the operating system as changes occur.
  • Scanner: Once every 24 hours, the Code42 app scans the file system to identify any changes the real-time file watcher might have missed. The scan interval cannot be configured.

Cloud file activity

Date and time that Code42 detected activity in the cloud service. This may not be the exact time the activity occurred, but should be within 5 minutes. The time is reported in Coordinated Universal Time (UTC).

c Event Type

The type of file event observed:

  • New file: This is the first event detected for this filename and file path on the device (for endpoint events) or in the cloud service (for cloud events). New file events are reported when:
    • A new file is created (endpoint) or uploaded (cloud).
    • An existing file is moved to a new location.
    • Forensic File Search is initially enabled on a device or for a cloud service. As part of the initial scan, New file events are created for all existing files.
  • Modified
    • Endpoint events: File contents changed for a file Code42 already detected with this filename and file path on the device.
    • Cloud events: The cloud service detected a new file version. This occurs when file contents are modified or the file is renamed, moved, or shared.
  • No longer observed: The filename for a previously detected file no longer exists in this file path on the device (for endpoint events) or in the cloud service (for cloud events). The metadata shown for this event is the metadata from the last New file or Modified event. No longer observed file events are reported when:
    • A file is deleted.
    • A file is moved or renamed.
d Source

The source of the file event:

  • Endpoint: The file activity occurred on a user device.
  • Google Drive: The file activity occurred in Google Drive.
  • OneDrive: The file activity occurred in OneDrive.

This field appears only if you are licensed for more than one data source.

File
e File Size

Size of the file.

Not available for Google file types (for example, Google Sheets or Google Docs).

f Filename The name of the file, including the file extension.
g File Path

The file location on the user's device.

Endpoint file events only. Cloud events do not include a file path.

h MD5 Hash The MD5 hash of the file contents.
Not available for Google file types (for example, Google Sheets or Google Docs).
i SHA256 Hash The SHA256 hash of the file contents.
Not available for Google file types (for example, Google Sheets or Google Docs).
j File Owner The name of the user who owns the file, as reported by the device's file system (for endpoint events) or the cloud service (for cloud events).
k File Created Date

File creation timestamp as reported by the device's operating system. This appears in Coordinated Universal Time (UTC).

Mac and Windows NTFS devices only.

l File Modified Date File modification timestamp as reported by the device's operating system. This only indicates changes to file contents. Changes to file permissions, file owner, or other metadata are not reflected in this timestamp. This appears in Coordinated Universal Time (UTC).
Device
Visible only with licensing for the endpoint data source. Device details do not apply to cloud events.
m Hostname

The name reported by the device's operating system. The hostname may be different than the device name in the Code42 administration console.

 

You must enter the complete hostname. Wildcard searches are not supported.

n Fully Qualified Domain Name Fully qualified domain name (FQDN) for the user's device at the time the event is recorded. If the device is unable to resolve the domain name of the host, it reports the IP address of the host.
o Username (Code42)

The Code42 username used to sign in to the Code42 app on the device. For Code42 cloud environments, this is always the user's email address.

 

The username is reported independently of file activity, so existing events update the displayed Username if the username changes. If the username has not yet been reported, this appears as NAME_NOT_AVAILABLE.

p IP Address (public) The external IP address of the user's device.
q IP Address (private)

The IP address of the user's device on your internal network. This includes:

  • Network interfaces
  • Virtual network interface controllers (VNICs)
  • Loopback/non-routable addresses (for example, 127.0.0.1)

If there is more than one active network interface, this displays a comma-separated list.

Cloud
Visible only with licensing for one or more cloud service data sources. Cloud details do not apply to endpoint events.
r URL

URL reported by the cloud service at the time the event occurred. If the file still exists at this location, and you have permission to access it, clicking the link opens the file.

s Directory ID

Unique identifier of the cloud drive or folder that contains the file. Search by this ID to find events for files within the same drive or folder.

 

Google Drive files that exist at the root level of the cloud drive display the value None.

 

Some cloud services allow users to add a file to multiple folders, so Directory ID may display a list of values.

t Actor

The cloud service username of the person who caused the event.

u Shared With

At the time the event occurred, the list of users who had been granted access to the file. Click View to display a searchable list of usernames.

 

This only includes users the file is explicitly shared with. It does not capture users who only accessed a shared link.

 

This list can include specific usernames and general groups of users, including:

  • External (public): The file is indexed by public search engines and can be accessed by anyone.
  • External (anyone with a link): The file can be accessed by anyone who has the link, but is not indexed by public search engines.
  • Internal: If the Shared With value includes the display name for this data source, it indicates that the file can be accessed by any user in your domain with access to this instance of the cloud service.
v Shared

Indicates the shared status of the file at the time the event occurred, but does not capture whether or not a link to the file has been shared:

  • True: One or more users were granted explicit access to the file.
  • False: No users were granted explicit access to the file.
Missing file metadata
Some file events may not capture all metadata. Missing metadata is indicated by a dash (–) in the field. Most commonly, this occurs if the file did not exist on disk long enough for Code42 to capture all the metadata.
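The event types, content hashes, and Shared With groups described above are enough to post-process an exported result set. The following Python is an added example, not Code42's code or part of this article: it pairs each endpoint No longer observed event with a New file event carrying the same MD5 observed within a short window, which is the footprint of a move or rename as described under Event Type, treats unpaired ones as deletions, and flags cloud events whose Shared With list names an External group. The CSV sample is constructed; its column names follow the UI labels, and the timestamp format and the ; separator for the Shared With list are assumptions about the export rather than documented facts.

```python
import csv
import io
from datetime import datetime

# Constructed sample of an exported result set. The column names mirror the
# field labels in the UI; the real export's headers, timestamp format and
# list separator for Shared With are assumptions here, not documented facts.
HASH_A = "9e107d9d372bb6826bd81d3542a419d6"
HASH_B = "e4d909c290d0fb1ca068ffaddf22cbd0"
HASH_C = "d41d8cd98f00b204e9800998ecf8427e"
SAMPLE_EXPORT = f"""\
Date Observed,Event Type,Source,Filename,File Path,MD5 Hash,Shared With,Shared
2019-03-04T10:00:00Z,New file,Endpoint,expenses.xls,/Users/Clyde/ExampleFolder/,{HASH_A},,
2019-03-04T10:05:00Z,No longer observed,Endpoint,expenses.xls,/Users/Clyde/ExampleFolder/,{HASH_A},,
2019-03-04T10:05:02Z,New file,Endpoint,expenses-final.xls,/Users/Clyde/Desktop/,{HASH_A},,
2019-03-04T11:00:00Z,No longer observed,Endpoint,salary.docx,/Users/Clyde/,{HASH_B},,
2019-03-04T12:00:00Z,Modified,Google Drive,board-deck.pptx,,{HASH_C},bonnie@example.com;External (anyone with a link),True
2019-03-04T12:30:00Z,New file,OneDrive,notes.txt,,{HASH_C},,False
"""

# The two group values the Shared With field uses for external access.
EXTERNAL_GROUPS = {"External (public)", "External (anyone with a link)"}


def parse_export(text: str) -> list:
    return list(csv.DictReader(io.StringIO(text)))


def observed_at(event: dict) -> datetime:
    return datetime.strptime(event["Date Observed"], "%Y-%m-%dT%H:%M:%SZ")


def full_path(event: dict) -> str:
    return event["File Path"] + event["Filename"]


def reconstruct_moves(events: list, window_seconds: int = 60):
    """Pair each endpoint 'No longer observed' event with a 'New file' event of
    the same MD5 within the window: a move or rename reports the file gone at
    the old location and a new file at the new one. An unpaired 'No longer
    observed' event is treated as a deletion. The vanished file's hash is the
    metadata from its last New file/Modified event, so a file rewritten while
    being moved will not pair."""
    endpoint = [e for e in events if e["Source"] == "Endpoint"]
    appeared = [e for e in endpoint if e["Event Type"] == "New file"]
    claimed = set()
    moves, deletions = [], []
    for gone in (e for e in endpoint if e["Event Type"] == "No longer observed"):
        t_gone = observed_at(gone)
        best = None
        for i, new in enumerate(appeared):
            if i in claimed or not gone["MD5 Hash"] or new["MD5 Hash"] != gone["MD5 Hash"]:
                continue
            if full_path(new) == full_path(gone):
                continue  # same name and location: a re-creation, not a move
            delta = abs((observed_at(new) - t_gone).total_seconds())
            if delta <= window_seconds and (best is None or delta < best[0]):
                best = (delta, i)
        if best is None:
            deletions.append(full_path(gone))
        else:
            claimed.add(best[1])
            moves.append((full_path(gone), full_path(appeared[best[1]])))
    return moves, deletions


def externally_shared(events: list) -> list:
    """Cloud events whose Shared With list names an external group. The Shared
    flag alone is not enough, since it only reflects explicit grants, so the
    Shared With entries are inspected directly."""
    flagged = []
    for e in events:
        if e["Source"] == "Endpoint":
            continue
        entries = {s.strip() for s in e["Shared With"].split(";") if s.strip()}
        external = sorted(entries & EXTERNAL_GROUPS)
        if external:
            flagged.append((e["Source"], e["Filename"], external))
    return flagged


if __name__ == "__main__":
    events = parse_export(SAMPLE_EXPORT)
    moves, deletions = reconstruct_moves(events)
    for old, new in moves:
        print(f"moved:   {old} -> {new}")
    for path in deletions:
        print(f"deleted: {path}")
    for source, name, groups in externally_shared(events):
        print(f"external share in {source}: {name} ({', '.join(groups)})")
```

The window is deliberately short because real-time events for a move arrive within seconds; events that surface only through the daily scan carry the scan's detection time, so a move caught by the scanner rather than the watcher may pair only with a much wider window.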

Saved searches

Saved searches list

Item   Description
a Name The name of the saved search.
b Created by User who created the search.
c Date Created Date the search was created.
d Last Modified by Last user to modify the search.
e Last Modified Most recent date the search was modified.
f Expand / collapse search details (icon) Click to view and edit search details, including the search name and any notes about the search (items i and j below).
g Execute search (icon) Executes the saved search and displays the search results.
h Search options (icon)

Click to view search options:

  • Edit Filters: Opens the Search tab, from which you can add, remove, and update search criteria.
  • Delete Saved Search: Permanently deletes the saved search for all users in your Code42 environment.
i Name Editable name of this search
j Notes (Optional) Free-form text field to enter detailed notes about the search. Notes are limited to 2,500 characters.

File exclusions

To reduce search results for unimportant files, some file locations are excluded from Forensic File Search monitoring. In addition, file activity is monitored only on the C: drive on Windows devices and only under the root of the file system on Mac and Linux devices; on Macs, /Volumes is not monitored.

If you have specific questions about exclusions, contact our Customer Champions for Code42 for Enterprise support.

To add your own custom exclusions, see Forensic File Search exclusions.
