Who is this article for?
Find your product plan in the Code42 console on the Account menu.

  • Incydr Professional and Enterprise: yes
  • Incydr Basic and Advanced: yes
  • Other product plans: yes
  • CrashPlan Cloud: no
  • CrashPlan for Small Business: no

This article applies to Code42 cloud environments.


Forensic Search reference guide


Overview

Forensic Search is a powerful search interface that enables security teams to monitor and investigate suspicious file activity. Forensic Search provides detailed visibility about files:

  • Stored on user devices
  • Stored in corporate cloud storage services, such as Google Drive and Microsoft OneDrive
  • Synced to personal cloud storage services, such as Box, Dropbox, iCloud, and OneDrive
  • Moved to removable media
  • Sent as email attachments in Microsoft Office 365 and Gmail
  • Sent to printers (Mac and Linux only)

This enables security personnel to gain a clearer understanding of file activity throughout the organization.

To see results in Forensic Search, at least one detection type must be enabled.

For corporate cloud storage and email services configuration instructions, see Introduction to adding data connections.

Forensic Search

To access Forensic Search:

  1. Sign in to the Code42 console.
     You must have a role with permissions that allow access to Forensic Search.
  2. Select Forensic Search > Search.

What is a "file event"?
Forensic Search reports on file events detected by Code42. A file event is defined as any activity observed for a file. For example, creating, modifying, renaming, moving, or deleting a file generates an event for that file. Events are reported for both user and system actions.

Search results

Forensic Search results

Item Description
a Risk settings

Displays all risk indicators and associated scores.

To edit risk settings, you must have the Insider Risk Admin or Insider Risk Analyst role. Users with the Insider Risk Read Only role can view risk settings, but not make changes.

b Load Saved Search Displays a searchable list of searches created and saved by users in your Code42 environment. Click the name of a search to immediately execute that search and display the results.
c Date selector

All searches must specify a date range. Select one of the following options:

  • Events observed in the last: Select a pre-defined time period ranging from the past 15 minutes to the past 30 days. This is especially useful for saved searches because they can be used at any time in the future and still search the same relative time period.
  • Events observed on or after: Search events on or after a specific date and time. To include all events on the start date, enter a time value of 00:00:00.
  • Events observed on or before: Search events on or before a specific date and time. To include all events on the end date, enter a time value of 23:59:59. 
  • Events observed is in range: Search events between specific start and end dates/times. Enter a time range of 00:00:00 to 23:59:59 to include all events on the start and end dates.

Times are evaluated as Coordinated Universal Time (UTC).

d Filter

Select an item from the menu or type the name of a filter to include in your search:

Risk

  • Risk indicator
  • Risk severity

Event

Print

  • Printer name
  • Print job name

File

  • Filename
  • File path
  • File size
  • File category
  • File owner
  • MD5 hash
  • SHA256 hash
  • File classification

Device

  • Hostname
  • Username (signed in to device)
  • IP address (public)
  • IP address (private)
  • Remote activity

Cloud (visible only with licensing for one or more corporate cloud storage data connections)

  • Directory ID
  • Actor
  • Shared with users
  • Shared
  • File exposure changed to

Exposure (visible only with licensing for the endpoint data source)

  • Exposure type
  • Destination category
  • Destination name
  • Device vendor
  • Device name
  • Device media name
  • Device volume name
  • Device partition ID
  • Device serial number
  • Active tab URL (browser)
  • Active tab title (browser or other app)
  • Sync destination
  • Sync username

Email (visible only with licensing for the email data source)

  • Policy names (Microsoft Office 365 DLP data connection only. Deprecated September 2021.)
  • Subject
  • Sender
  • From
  • Recipients

Source

  • Source category
  • Source name
  • Active tab URL (browser)
  • Active tab title (browser)

Process

  • Executable name
  • Process user
e Operator

Search operator options vary based on the search filter.

  • Single value
    • Is: Returns events that match the search criteria
    • Is not: Excludes events that match the search criteria
    • Exists: Returns events including any value for the search criteria
    • Does not exist: Returns events with no value for the search criteria
  • Multi-value (OR)
    • Includes any: Returns events that match any item in the list of search criteria. This search is evaluated as though the "OR" operator exists between each value.
    • Includes none: Returns events that do not match the items included in the list of search criteria.

For File Size, select is greater than or is less than.

f Value

Defines the search criteria. Searches are case-insensitive.

For multi-value searches (includes any or includes none), enter each value on a separate line. Do not enter a comma-separated list.

Use the * wildcard character to search for a partial string. Use the ? wildcard to replace a single character. For example:

  • Enter the search string expenses* to return events for any filename beginning with expenses, such as expenses.xls, expenses.doc, expenses to review.txt, and so on.
  • Enter the search string expenses201?.xls to return events only for filenames matching that exact pattern, such as expenses2016.xls, expenses2017.xls, and so on.

Wildcards are supported for all search filters except MD5 hash, SHA256 hash, IP address, and file size.

Avoid starting a search term with a wildcard
Entering a search string that begins with a wildcard or contains only wildcards is not recommended (for example, filename is * or file path is *documents). These searches may take a long time to complete and can return many millions of results, which are not practical to review or export.

File path searches require a trailing slash (/) or wildcard at the end of the search term. For example:

  • Enter /Users/Clyde/ExampleFolder/ to view only events for files in ExampleFolder.
  • Enter /Users/Clyde/ExampleFolder* to view events for files in ExampleFolder and any subfolders.

For File Size, enter a whole number (decimals are not supported) and then select a unit of measurement (bytes, kB, MB, or GB).
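The wildcard rules above, worked through in Python as an added example (this is not Code42 code and not how the product evaluates searches): * and ? are translated into a case-insensitive regular expression and applied to a handful of constructed sample events. It assumes * also matches path separators and that the File path field holds the directory with a trailing slash, as in the page's own examples; the field names (fileName, filePath, md5 and so on) are hypothetical.

```python
import re

# Filters the page says do not accept wildcards (hypothetical field names).
NO_WILDCARD_FIELDS = {"md5", "sha256", "ipAddress", "fileSize"}


def wildcard_to_regex(term: str) -> "re.Pattern[str]":
    """Translate a search term using * and ? into a compiled regular expression.

    * becomes .* (any run of characters; assumed to include path separators),
    ? becomes . (exactly one character), everything else is escaped and matched
    literally. Searches are case-insensitive, hence IGNORECASE.
    """
    parts = []
    for ch in term:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)


def term_matches(term: str, value: str) -> bool:
    """'is' semantics: the whole value must match the whole term."""
    return wildcard_to_regex(term).fullmatch(value) is not None


def is_unbounded(term: str) -> bool:
    """True for the terms the page warns against: empty, all wildcards,
    or starting with a wildcard (for example '*' or '*documents')."""
    text = term.strip()
    return text == "" or text[0] in "*?" or set(text) <= set("*?")


def filter_events(events, field: str, term: str) -> list:
    """Return events whose field matches the term, refusing wildcards on
    the fields that do not support them."""
    if field in NO_WILDCARD_FIELDS and any(c in term for c in "*?"):
        raise ValueError(f"wildcards are not supported for {field}")
    return [e for e in events if term_matches(term, e.get(field, ""))]


# Constructed sample events (hypothetical field names, not real Code42 data).
# filePath holds the directory with a trailing slash, as in the page's examples.
EVENTS = [
    {"fileName": "expenses.xls",           "filePath": "/Users/Clyde/ExampleFolder/"},
    {"fileName": "expenses to review.txt", "filePath": "/Users/Clyde/ExampleFolder/"},
    {"fileName": "expenses2016.xls",       "filePath": "/Users/Clyde/ExampleFolder/2016/"},
    {"fileName": "expenses20166.xls",      "filePath": "/Users/Clyde/ExampleFolder/2016/"},
    {"fileName": "2019 expenses.xls",      "filePath": "/Users/Clyde/ExampleFolderOld/"},
    {"fileName": "notes.txt",              "filePath": "/Users/Clyde/"},
]


def demo():
    """Run the page's four example searches and return what each one hits."""
    prefix = [e["fileName"] for e in filter_events(EVENTS, "fileName", "expenses*")]
    pattern = [e["fileName"] for e in filter_events(EVENTS, "fileName", "expenses201?.xls")]
    folder_only = len(filter_events(EVENTS, "filePath", "/Users/Clyde/ExampleFolder/"))
    folder_tree = len(filter_events(EVENTS, "filePath", "/Users/Clyde/ExampleFolder*"))
    return prefix, pattern, folder_only, folder_tree


if __name__ == "__main__":
    print(demo())
```

Note what the trailing-wildcard path search returns: /Users/Clyde/ExampleFolder* hits the folder and its subfolders, but also the sibling /Users/Clyde/ExampleFolderOld/ whose name merely starts with ExampleFolder. Check the File path column before treating such a count as the folder's own activity, or search the exact folder with the trailing slash and its subfolders with a second criterion.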

g Remove search criteria Removes this search criteria.
h Add search criteria Adds another item to the search criteria. Search results only return events that match all criteria.
i Save As Adds the current search criteria to the list of saved searches. When viewing an existing saved search, you can either Save As a new search or Save changes under the same name.
j Update Search Performs a search based on the current search criteria.
k Modify columns Displays a list of available columns. Select or deselect items to customize the format of your search results.
l Export results

Downloads the current search results to a CSV file.

  • Exports are limited to 200,000 results.
  • Only includes the fields applicable to your product plan.
  • The CSV file is UTF-8 encoded.
    The CSV file also includes a leading byte order mark (BOM) specifying the file is UTF-8 encoded. If you use customized scripts to parse the CSV export, you may need to account for the BOM at the start of the file to ensure column headings are read correctly.
m Select all Click to select or deselect all search results on the current page. When multiple results are selected, click Add to case in the upper right to add them all to a case.
n Event selector Click to select a file event. When multiple results are selected, click Add to case in the upper right to add them all to a case.
o Column sort indicator

Indicates how the results are currently sorted and displayed. Click any column heading to sort by that column. Click the heading again to switch between ascending and descending order.
p Risk score

Indicates the risk severity for the file event, based on observed risk indicators. Higher scores denote higher severity.

  • 9+: Critical
  • 7-8: High
  • 4-6: Moderate
  • 1-3: Low
  • 0: No risk indicated

To learn more about how risk scores are calculated, see Risk settings reference.

q Add to case

Click to add the file event to a Case:

  1. Select an existing case from the list of available options.
  2. Click Create case to create a new case and add this event to it.
  3. To view the case, click the case name in the confirmation message that appears upon adding the event. Alternatively, navigate to Response > Cases.

Only available in Incydr product plans.

r View details Displays all metadata for the file event. See the sections below for detailed descriptions of each field.
s Events per page Select to display 10, 25, 50, or 100 events per page.
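Parsing the CSV export from item l with the byte order mark handled, as an added example in Python (not a Code42 script). The export bytes are constructed and the column headings are assumptions; the point is the difference between decoding with utf-8-sig, which consumes the BOM, and plain utf-8, which leaves U+FEFF glued to the first heading so lookups by column name fail. It also flags an export that reached the 200,000-row cap, since a capped export is silently incomplete.

```python
import csv
import io

EXPORT_LIMIT = 200_000  # the page states exports are capped at 200,000 results

# Constructed sample export (not a real Code42 file): UTF-8 BOM, header row,
# two data rows. Column headings are assumptions for illustration.
SAMPLE_EXPORT = (
    b"\xef\xbb\xbf"
    b"Date Observed,Filename,File Path,MD5 Hash,Risk Score\r\n"
    b"2021-09-14T13:05:22.000Z,expenses2017.xls,/Users/Clyde/ExampleFolder/,"
    b"9e107d9d372bb6826bd81d3542a419d6,7\r\n"
    b"2021-09-14T13:06:01.000Z,r\xc3\xa9sum\xc3\xa9.pdf,/Users/Clyde/Documents/,"
    b"e4d909c290d0fb1ca068ffaddf22cbd0,2\r\n"
)


def parse_rows(text: str) -> list:
    """csv wants newline='' so it handles the CRLF row terminators itself."""
    return list(csv.DictReader(io.StringIO(text, newline="")))


def read_export(data: bytes) -> list:
    """Decode with utf-8-sig: the codec consumes a leading BOM if present and
    otherwise behaves like utf-8, so it is also safe for a file without one."""
    return parse_rows(data.decode("utf-8-sig"))


def read_export_naive(data: bytes) -> list:
    """Plain utf-8 keeps the BOM as U+FEFF, which csv treats as part of the
    first heading: rows[0]["Date Observed"] then raises KeyError."""
    return parse_rows(data.decode("utf-8"))


def first_heading(rows: list) -> str:
    """The first column name as the parser saw it."""
    return next(iter(rows[0]))


def may_be_truncated(rows: list) -> bool:
    """True when the export reached the cap; narrow the date range and re-export."""
    return len(rows) >= EXPORT_LIMIT


def high_risk(rows: list, threshold: int = 7) -> list:
    """Filenames at or above the given risk score (7 and up is High on the page's scale)."""
    return [r["Filename"] for r in rows if int(r["Risk Score"]) >= threshold]


if __name__ == "__main__":
    rows = read_export(SAMPLE_EXPORT)
    print(first_heading(rows), first_heading(read_export_naive(SAMPLE_EXPORT)))
    print(high_risk(rows), may_be_truncated(rows))
```

Open real exports the same way: open(path, encoding="utf-8-sig", newline="") gives csv.DictReader clean headings whether or not the BOM is present.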

File event details

To view file event details within search results:

  1. From the list of search results, click View details to show all metadata for a file event.
     Event details slide in from the right.
  2. Within the Event details, scroll to view all metadata for the event. See the sections below for detailed descriptions of each field.

Expanded Forensic Search results

Missing file metadata
Some file events may not capture all metadata. Missing metadata is indicated by a dash (–) in the field. Most commonly, this occurs if the file did not exist on disk long enough for Code42 to capture all the metadata.

Risk

The Risk section displays the overall risk severity for the event and lists all associated risk indicators. To learn more about risk indicators and how risk scores are calculated, see Risk settings reference.

Forensic Search results - risk details

Item Description
Risk severity

The file event's overall risk severity, based on the following scoring ranges:

  • 9+: Critical
  • 7-8: High
  • 4-6: Moderate
  • 1-3: Low
  • 0: No risk indicated
Risk score

The sum of the scores for all risk indicators associated with this event. Higher scores denote higher risk severity.

Risk indicators List of risks that determine the overall severity and score for this event.

Event

The Event section provides summary information about the event, including date observed, event type, and event source.

Forensic Search results - event details

Item Description

Date observed

Endpoint file activity
Date and time that the Code42 service on the device detected an event for the file. The file metadata for the event is based on this detection time. The time is based on the device's system clock and reported in Coordinated Universal Time (UTC).

File activity can be detected in two ways:

  • Real-time: Reported by the operating system as changes occur.
  • Scanner: The Code42 app performs a scan once every 24 hours to identify any changes that the real-time file watcher might have missed. The scan interval cannot be configured.

Cloud file activity

Date and time that Code42 detected activity in the cloud service. This may not be the exact time the activity occurred, but should be within 5 minutes. The time is reported in Coordinated Universal Time (UTC).

Email file activity

  • Microsoft Office 365 DLP: Date and time Code42 was notified that an email attachment was detected by a data loss prevention (DLP) policy, as defined in your Microsoft Office 365 Security & Compliance Center.
  • Gmail and Microsoft Office 365: Date and time Code42 was notified that an email was sent with any attachment.

This may not be the exact time the email was sent, but should typically be within 5 minutes. The time is reported in Coordinated Universal Time (UTC).

Event type 

The type of file event observed:

  • New file: This is the first event detected for this filename and file path on the device (for endpoint events) or in the cloud service (for cloud events). New file events are reported when:
    • A new file is created (endpoint) or uploaded (cloud).
    • An existing file is moved to a new location.
    • File Metadata Collection is initially enabled for a cloud service. As part of the initial scan, New file events are created for all existing files. 
  • Modified
    • Endpoint events: File contents changed for a file Code42 already detected with this filename and file path on the device.
    • Cloud events: The cloud service detected a new file version. This occurs when file contents are modified or the file is renamed, moved, or shared.
  • No longer observed: The filename for a previously detected file no longer exists in this file path on the device (for endpoint events) or in the cloud service (for cloud events). The metadata shown for this event is the metadata from the last New file or Modified event. No longer observed file events are reported when:
    • A file is deleted.
    • A file is moved or renamed.
  • Browser or app read: The file was opened in an app that is commonly used for uploading files, such as a web browser, Slack, AirDrop, FTP client, or curl.
  • Emailed: The file was sent as an email attachment via Gmail or Microsoft Office 365.
  • Printed: The file was sent to a printer.
  • Download: The file was downloaded from a web browser.
Event observer 

The data source that captured the file event:

  • Endpoint: The file activity occurred on a user device.
  • Google Drive: The file activity occurred in Google Drive.
  • OneDrive: The file activity occurred in OneDrive.
  • Box: The file activity occurred in Box.
  • Office 365 Email: The file was sent as an attachment in Microsoft Office 365 email.
  • Gmail: The file was sent as an attachment in Gmail.

This field appears only if you are licensed for more than one data source.

Trusted activity

Indicates if this is activity you trust, as defined by your Data Preferences and any cloud data connections configured for monitoring by Incydr.

  • True: The activity occurred in a location on your list of trusted activity or was observed in a corporate cloud data service monitored by Incydr. Trusted activity may also include an additional explanation of why the event is trusted. For example: True - Trusted browser URL.
  • False: The activity occurred in a location not on your list of trusted activity or was not observed in a corporate cloud data service monitored by Incydr.

Applies only to Endpoint and Email events. For Cloud events, use the Exposure Type filter Outside trusted domain.

Username 

Indicates the user associated with the event for the following Event observer types:

  • Endpoint: The Code42 username used to sign in to the Code42 app on the device. Code42 usernames must be email addresses.
  • Cloud: The cloud service username of the person who caused the event. In rare cases, the Username may be blank if it is not provided by the cloud service. 
  • Email: The address of the person who sent the message.

If the Username matches a Code42 user, a View profile link is included. Click to review the User Profile, which highlights file activity for this user over the past 90 days that may indicate a file exfiltration risk.

Print

Does not apply to Incydr Professional and Enterprise.

The Print section shows print event details and a link to download an image of the printed file. The Print section only appears for Printed event types.

Print detection is only supported on Mac and Linux devices and requires Code42 app version 8.0 or later.

Printer file event details

Item Description
Printer name

The name of the printer.

Print job name

The name of the print job. This is often the name of the printed document. Click Download file to download an image of the printed file.

File

The File section provides a link to download the file, along with details such as the file's name, path, owner, and other metadata.

Forensic Search results - file event details

Item Description
File type mismatch
(not pictured)

If Code42 detects the file contents do not match the file extension, a File Type Mismatch row appears with details about the mismatch (for example, the file extension is .jpg but the file contains source code content). This may indicate an attempt to disguise and exfiltrate data.

Filename

The name of the file, including the file extension. If applicable, links to download the file appear below the filename.

 

Endpoint file activity

  • Incydr Professional and Enterprise: All exfiltrated files are available for download.
  • Incydr Basic and Advanced, CrashPlan Cloud, and other plans: If the file is included in the user's Code42 backup file selection, or among files backed up by other users in your Code42 environment, links to download the file contents appear.

Depending on available versions, one or both links may appear:

  • Most Recent Version: Downloads the most recent version of the file in the backup archive. Does not apply to Incydr Professional and Enterprise.
  • Exact Match: Downloads the version of the file which matches the MD5 hash of the this specific file event.

If the most recent version also matches the MD5 hash for this event, only the Exact Match link appears.

 

You must be signed in as a user with the Security Center - Restore role to download files.

 

Cloud file activity

Click the filename to open the file in the respective cloud service's file viewer. To view the file:

  • The file must still exist in the cloud service.
  • You must have permission to access the file. Depending on how the file is shared, you may have to sign in to your cloud service's user account before viewing it. For example, for Box, you must be logged in to the "Admin Console" for the link to be valid.
Security updates may cause unexpected link behavior for Google Drive
Due to a security update implemented by Google, links to files stored in Google Drive environments may not lead to the target file as expected. New event activity generated after September 13, 2021 contains updated links that allow access to those files.

Email file activity

Click the filename to open the file attached to the email (Microsoft Office 365 email data connections only).


File path

The file location on the user's device.

Endpoint file events only. Cloud and email events do not include a file path.

File category The type of file, as determined by the file extension and file contents. For example, .gif, .jpg, and .png files are categorized as Image files. For a complete list of file categories and the specific file types in each category, see Incydr file categories.
File size

Size of the file.

Not available for Google file types (for example, Google Sheets or Google Docs).

File owner The name of the user who owns the file, as reported by the device's file system (for endpoint events) or the cloud service (for cloud events).
MD5 hash

The MD5 hash of the file contents. If the file cannot be hashed, an error message explains why.

Not available for:

  • Google file types (for example, Google Sheets or Google Docs).
  • Files in cloud services that have not been modified since Code42's initial extraction.
  • Files over 3 GB (Code42 app version 8.5 and later).

SHA256 hash

The SHA256 hash of the file contents. If the file cannot be hashed, an error message explains why.

Not available for:

  • Google file types (for example, Google Sheets or Google Docs).
  • Files in cloud services that have not been modified since Code42's initial extraction.
  • Files over 3 GB (Code42 app version 8.5 and later).

File created

File creation timestamp as reported by the device's operating system or the data connection. This appears in Coordinated Universal Time (UTC).

Mac and Windows NTFS devices only.

File modified

File modification timestamp as reported by the device's operating system or the data connection.

For endpoints, this only indicates changes to file contents. Changes to file permissions, file owner, or other metadata are not reflected in this timestamp. For cloud data connections, this timestamp reflects when the file's contents, sharing permissions, name, or storage location changed. This timestamp is not supported for email data connections.

This appears in Coordinated Universal Time (UTC).

File classification
(not pictured)

File classification data, as reported by your external data classification vendor. Classification data contains two values:

  • Classification: The classification value applied to the file. For example: Confidential.
  • Vendor: The name of the vendor that classified the file. For example: Microsoft Information Protection (MIP).

A single file may have more than one classification.

Applies only to endpoint file events.

Device

The Device section provides detailed information about the device, including the hostname, IP address, and other metadata.

Device details are visible only if you are licensed for the endpoint data source. Device details do not apply to cloud events.

Forensic Search results - device event details

Item Description
Hostname

The device name reported by the device's operating system. The hostname may be different from the device name in the Code42 console.

You must enter the complete hostname. Wildcard searches are not supported.

Fully qualified domain name Fully qualified domain name (FQDN) for the user's device at the time the event is recorded. If the device is unable to resolve the domain name of the host, it reports the IP address of the host.
Username (signed in to device)

The username signed in to the device when the file activity was observed, as reported by the device's operating system.

For devices with multiple user accounts, this helps you identify the user responsible for the file activity.

IP address (public)

The external IP address of the user's device, as seen by Code42 via the device's outbound connection to the Code42 cloud.

If the IP address is not included in your list of in-network IP addresses, it is labeled Remote activity.

IP address (private)

The IP address of the user's device on your internal network. This includes:

  • Network interfaces
  • Virtual network interface controllers (VNICs)
  • Loopback/non-routable addresses (for example, 127.0.0.1)

If there is more than one active network interface, this displays a list.

Cloud

The Cloud section provides detailed information about how and where the file is exposed in the corporate cloud storage environment.

Visible only with licensing for one or more cloud storage data connections. Cloud details do not apply to endpoint events.

Forensic Search results - cloud event details

Item Description
Directory ID

Unique identifier of the cloud drive or folder that contains the file. Search by this ID to find events for files within the same drive or folder.

Google Drive files that exist at the root level of the cloud drive display the value None.

Some cloud services allow users to add a file to multiple folders, so Directory ID may display a list of values.

Actor

The cloud service username of the person who caused the event.

In some cases, if multiple users interact with the same file within a 5-minute window, only the last user to take an action on the file is displayed.

Shared with users

The list of users who had been granted access to the file at the time the event occurred. Click View to display a searchable list of usernames.

This only includes users the file is explicitly shared with. It does not capture users who only accessed a shared link.

This list can include:

  • Individual email addresses
  • Group email addresses
  • First and last name (for OneDrive users without an email address)

Google Drive users without email addresses (for example, service or integration accounts with sharing permissions) are not listed.

Shared

Indicates the shared status of the file at the time the event occurred, but does not capture whether or not a link to the file has been shared:

  • True: One or more users were granted explicit access to the file.
  • False: No users were granted explicit access to the file.

File exposure changed to 

Identifies an increase in exposure due to a change in sharing permissions for the file:

  • Public via direct link: The file is not listed in public search engines, but is available to anyone who accesses the link. Users do not need to be signed in to a cloud services account to see the file.
  • Public on the web (Google Drive only): The file is available on public search engines and accessible to the entire World Wide Web. Users do not need to be signed in to a cloud services account to see the file.
  • Outside trusted domain: The file is shared with a domain not included in your list of Trusted Domains.

Because Code42 prioritizes file-based monitoring, detection of sharing permissions changes to folders in Box and OneDrive may be delayed. For this reason, the File exposure changed to value may be blank when a file inherits a permissions change from its parent folder. This avoids attributing that change to an incorrect actor.

Exposure

The Exposure section provides detailed information about where the file is exposed.

Forensic Search results - exposure event details

Each Exposure Type displays different metadata
No single event contains values for all items in the table below. For example, the image above does not include removable media metadata (such as Device Name), because this exposure event was detected in a web browser, not on removable media.
Removable media metadata
Available values vary based on the device manufacturer. In some cases, one or more values may not be supplied by the manufacturer or provided by the device's operating system.

That's why we provide multiple pieces of information for removable media events. For example, if a drive does not report a serial number, you may be able to reference a combination of Capacity, Device Partition ID, and other unique fields to confirm the drive's identity during an investigation. 
Item Description
Exposure type

The type of exposure risk, based on both cloud and device activity.

In cloud services

The exposure status of the file at the time the activity was observed.

  • Public on the web (Google Drive only): The file is available on public search engines and accessible to the entire World Wide Web. Users do not need to be signed in to a cloud services account to see the file. The method used to share the file appears in the Google Drive user interface as "Public on the Web."
  • Public via direct link: The file is not listed in public search engines, but is available to anyone who accesses the link. Users do not need to be signed in to a cloud services account to see the file. The method used to share the file appears in the cloud service's user interface as follows:
    • Box: "People with the link"
    • Google Drive: "Anyone with the link"
    • Microsoft OneDrive: "Anyone with the link"
  • Shared with corporate domain: The file is not publicly accessible, but is available to all users on your corporate domain. For Google Drive, this includes both files that users on your domain can find on their own, and files that require users to know the specific link. The method used to share the file appears in the cloud service's user interface as follows:
    • Box: "People in your company"
    • Google Drive: "Anyone at <your company> with the link"
    • Microsoft OneDrive: "People in <your company> with the link"
  • Outside trusted domain: The file is shared with a domain not included in your list of Trusted Domains. Applies only to Cloud file activity. For Endpoint and Email activity, use the Trusted Activity filter.

 

On the device

Windows and Mac devices only

  • Activity on removable media: The file activity occurred on an external device, such as an external drive or memory card.
  • Read by browser or other app: The file was opened in an app that is commonly used for uploading files, such as a web browser, Slack, AirDrop, FTP client, or curl.
  • Synced to cloud service: The file exists in a folder on the device used for syncing with one of these cloud services:
    • Apple iCloud
    • Box
    • Box Drive
    • Dropbox
    • Google Backup and Sync
    • Google Drive
    • Microsoft OneDrive
Destination category

The general category of where the file was sent. Categories include:

  • Cloud Storage: The file was sent to a cloud service, either via a web browser upload or synced via an installed app.
  • Device: The file was sent to another device via AirDrop.
  • Email: The file was uploaded to an email provider via a web browser.
  • Messaging: The file was shared via a messaging service. 
  • Social Media: The file was shared via social media. This does not necessarily mean it's posted publicly; for example, the file could have been sent in a direct message on LinkedIn, etc.
  • Source Code Repository: The file was uploaded to a location typically used for storing code files.
  • Uncategorized: The destination could not be matched to one of the above categories.
  • Unknown: Unable to determine the destination. On Macs, this may indicate Code42 does not have the required permissions to collect the destination details.

If the user accessed more than one tab while uploads were in progress, the destination category may indicate Multiple possibilities. Review the Active tab titles and URLs to identify all possible destinations.

Applies to Read by browser or other app and Synced to cloud service events.

Destination name

The specific location where the file was sent. Example names for each category are listed below, but this is not a complete list:

Destination Category Example Destination Names
Cloud Storage Dropbox, OneDrive, Box
Device Clyde's iPhone, Carmen's MacBook Pro
Email Gmail, Outlook, Comcast
Messaging Slack, Teams, WhatsApp
Social Media Facebook, Twitter, Reddit
Source Code Repository Bitbucket, Github

If the user accessed more than one tab while uploads were in progress, the destination name may indicate Multiple possibilities. Review the Active tab titles and URLs to identify all possible destinations.

Applies to Read by browser or other app and Synced to cloud service events.

Bus type

The type of removable media connection. For example: USB, eSATA, Thunderbolt.

Applies only to removable media events.

Capacity

The storage capacity of the removable media.

Applies only to removable media events.

Vendor name

The brand name of the removable media. For example: Lexar, SanDisk, Seagate.

Applies only to removable media events.

Device name

The volume name of the removable media.

Applies only to removable media events.

Device media name

The media name of the device, as reported by the vendor/device. This is usually very similar to the Device Name, but can vary based on the type of device. For example, if the device is a hard drive in a USB enclosure, this may be the combination of the drive model and the enclosure model.

This value is not provided by all devices, so it may be null in some cases.

Applies only to removable media events.

Device volume name

The name assigned to the volume when it was formatted, as reported by the device's operating system. This is also frequently called the "partition" name.

Applies only to removable media events.

Device partition ID

A unique identifier assigned to the volume/partition when it was formatted. Windows devices refer to this as the VolumeGuid. On Mac devices, this is the Disk / Partition UUID, which appears when running the Terminal command diskutil info.

Applies only to removable media events.

Serial number

Serial number of the connected hardware, as reported by the device's operating system.

Applies only to removable media events.

Active tab titles and URLs

The name of the browser tab or title of the application window active at the time the file is read by the browser or other app. For web browsers, the URL of the active tab may also be included. This information helps determine the destination of an uploaded file.

  • For Windows devices, the tab title and URL are collected automatically. For Mac devices, administrators must first authorize the Code42 app to capture data from web browsers.
  • URLs are only supported in Chrome, Firefox, Chromium Edge, and Opera. Tab titles are supported for all browsers.
  • If the user accessed more than one tab while uploads were in progress, all tab titles/URLs visited during the upload are listed.

If the tab title or URL cannot be captured, it is listed as Unavailable and may also display one of these reasons:

  • Permissions not set: On Macs, Code42 requires specific permissions to obtain this data.
  • Metadata not supported for this application: The event occurred in an unsupported browser.
  • Metadata not used by this application: The event occurred in an application that doesn't use tab titles or URLs.
  • Metadata not supported for custom applications: Tab titles and URLs are not collected for your customized list of monitored applications.

Applies only to read by browser or other app events.

Sync destination

The name of the cloud service the file is synced with, for example: Dropbox, Google Drive, Microsoft OneDrive.

Applies only to synced to cloud service events.

Sync username

The name of the user signed in to the cloud sync application on the device. This additional context can help you determine whether the file is synced with an approved cloud service.

For example, the Sync Username could indicate if a file synced with Google Drive is being stored in your corporate Google Workspace, or in an unsanctioned personal Google account.

  • Not available for files synced to Dropbox.
  • For OneDrive events on Macs, usernames may occasionally contain underscores in place of non-alphanumeric characters. For example, the username clyde.bailey@example.com may appear as clyde_bailey_example_com.

Applies only to synced to cloud service events.
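The Sync username check described above, written out as an added example (not Code42's own code): it decides whether a synced file went to a sanctioned corporate account, treats the empty Dropbox case separately, and handles the OneDrive-on-Mac rendering in which non-alphanumeric characters are replaced by underscores. The event dictionaries and their key names (event_action, sync_destination, sync_username, file_name) are constructed for the example and are assumptions, not the Forensic Search export schema; CORPORATE_DOMAINS is likewise a placeholder.

```python
import re

# Constructed: the domains whose sync accounts your organization sanctions.
CORPORATE_DOMAINS = {"example.com"}

def _fold(value):
    """Render a string the way the guide says OneDrive on Mac may render
    usernames: every non-alphanumeric character becomes an underscore."""
    return re.sub(r"[^A-Za-z0-9]", "_", value).lower()

def sync_account_is_sanctioned(sync_username, corporate_domains=CORPORATE_DOMAINS):
    """True if the Sync username belongs to a corporate domain, False if not,
    None when the field is empty (Dropbox events carry no Sync username).
    clyde.bailey@example.com and clyde_bailey_example_com fold to the same
    string, so a single suffix check covers both forms."""
    if not sync_username:
        return None
    folded = _fold(sync_username)
    return any(folded.endswith("_" + _fold(d)) for d in corporate_domains)

def triage_sync_events(events, corporate_domains=CORPORATE_DOMAINS):
    """Return (file name, sync destination, sync username, reason) for every
    'Synced to cloud service' event that needs a closer look."""
    findings = []
    for ev in events:
        if ev.get("event_action") != "Synced to cloud service":
            continue  # Sync username applies only to synced events
        verdict = sync_account_is_sanctioned(ev.get("sync_username"), corporate_domains)
        if verdict is True:
            continue
        reason = ("no Sync username recorded; verify the account manually"
                  if verdict is None else "sync account is outside the corporate domains")
        findings.append((ev["file_name"], ev["sync_destination"],
                         ev.get("sync_username"), reason))
    return findings

# Constructed sample events; the key names are assumptions, not Code42's export schema.
SAMPLE_EVENTS = [
    {"event_action": "Synced to cloud service", "file_name": "roadmap.xlsx",
     "sync_destination": "Google Drive", "sync_username": "clyde.bailey@example.com"},
    {"event_action": "Synced to cloud service", "file_name": "customers.csv",
     "sync_destination": "Google Drive", "sync_username": "clyde.bailey@gmail.com"},
    {"event_action": "Synced to cloud service", "file_name": "q3-deck.pptx",
     "sync_destination": "Microsoft OneDrive", "sync_username": "carmen_ortiz_example_com"},
    {"event_action": "Synced to cloud service", "file_name": "notes.txt",
     "sync_destination": "Dropbox", "sync_username": None},
    {"event_action": "Read by browser or other app", "file_name": "plan.docx",
     "sync_destination": None, "sync_username": None},
]
```

Running triage_sync_events(SAMPLE_EVENTS) flags customers.csv (personal Gmail account) and notes.txt (Dropbox, no username), while the underscore-form corporate OneDrive account passes.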

Email

The Email section provides detailed information about the email sender, recipients, and DLP policy that detected this file (if applicable).

Visible only with licensing for one or more email data sources. Email details do not apply to endpoint or cloud events.

Forensic Search results - email event details

Item Description
Policy Names

The name of the data loss prevention (DLP) policy that detected this file, as defined in your Microsoft Office 365 Security & Compliance Center.

If the attachment is detected by more than one policy, only one policy is listed.

Only applies to emails detected by the Microsoft Office 365 DLP data connection. Deprecated September 2021.

Subject

The subject of the email message.

Sender

The address of the entity responsible for transmitting the message. In many cases, this is the same as From, but it can be different if the message is sent by a server or other mail agent on behalf of someone else.

From

The display name of the sender, as it appears in the "From" field in the email. In many cases, this is the same as Sender, but it can be different if the message is sent by a server or other mail agent on behalf of someone else.

Recipients

The email addresses of those who received the email. Includes the To, Cc, and Bcc recipients.

Source

The Source section provides details about the origin of a downloaded file.

Source details only apply to Download events.

Forensic Search results - source event details

Item Description
Source category

The general category of where the downloaded file originated. Categories include:

  • Business tools: The file was received from a business platform.
  • Cloud Storage: The file was received from a cloud service, either via a web browser download or synced via an installed app.
  • Device: The file was received from another device via AirDrop.
  • Email: The file was downloaded from an email provider via a web browser.
  • Messaging: The file was shared via a messaging service. 
  • Social Media: The file was shared via social media. This does not necessarily mean it's posted publicly; for example, the file could have been received in a direct message on LinkedIn, etc.
  • Source Code Repository: The file was downloaded from a location typically used for storing code files.
  • Uncategorized: The source could not be matched to one of the above categories.
  • Unknown: Unable to determine the source. On Macs, this may indicate Code42 does not have the required permissions to collect the source details.

If the user accessed more than one tab while downloads were in progress, the source category may indicate Multiple possibilities. Review the Active tab titles and URLs (below) to identify all possible sources.

Source name

The specific location where the file downloaded originated. Example names for each category are listed below, but this is not a complete list:

Source Category           Example Source Names
Business tools            Salesforce
Cloud Storage             Dropbox, OneDrive, Box
Device                    Clyde's iPhone, Carmen's MacBook Pro
Email                     Gmail, Outlook, Comcast
Messaging                 Slack, Teams, WhatsApp
Social Media              Facebook, Twitter, Reddit
Source Code Repository    Bitbucket, Github

If the user accessed more than one tab while downloads were in progress, the source name may indicate Multiple possibilities. Review the Active tab titles and URLs (below) to identify all possible sources.

Active tab titles and URLs

The name of the browser tab or title of the application window active at the time the file is read by the browser or other app. For web browsers, the URL of the active tab may also be included. This information helps determine the source of a downloaded file.

  • For Windows devices, the tab title and URL are collected automatically. For Mac devices, administrators must first authorize the Code42 app to capture data from web browsers.
  • URLs are only supported in Chrome, Firefox, Chromium Edge, and Opera. Tab titles are supported for all browsers.
  • If the user accessed more than one tab while downloads were in progress, all tab titles/URLs visited during the download are listed.

If the tab title or URL cannot be captured, it is listed as Unavailable and may also display one of these reasons:

  • Permissions not set: On Macs, Code42 requires specific permissions to obtain this data.
  • Metadata not supported for this application: The event occurred in an unsupported browser.
  • Metadata not used by this application: The event occurred in an application that doesn't use tab titles or URLs.
  • Metadata not supported for custom applications: Tab titles and URLs are not collected for your customized list of monitored applications.

Process

The Process section provides details about the application and user associated with the file event.

Forensic Search results - process event details

Item Description
Executable name

The path on disk of the executable, for example: \Device\Volume\Program Files\Google\Chrome\Application\chrome.exe

On Mac devices, AirDrop activity is indicated by the process name /usr/libexec/sharingd.

  • Incydr Professional and Enterprise: Applies to all endpoint events.
  • Incydr Basic and Advanced, CrashPlan Cloud, and other plans: Applies only to Printed and Browser or app read events.

Process user

The username of the process owner, as reported by the device's operating system.

  • Incydr Professional and Enterprise: Applies to all endpoint events.
  • Incydr Basic and Advanced, CrashPlan Cloud, and other plans: Applies only to Printed and Browser or app read events.

Saved searches

To view the list of saved searches, select Forensic Search > Saved Searches.

Saved searches list

Item   Description
Saved search name   The name of the saved search.
Created   Lists the date the search was created and the user who created it.
Last modified   Lists the most recent date the search was modified and the user who modified it.
Run search   Executes the saved search and displays the search results.
Actions   Click to view search options:

  • Edit filters: Opens the Search tab, from which you can add, remove, and update search criteria.
  • Edit name and notes: Displays the saved search name and an optional notes field. Notes are limited to 2,500 characters.
  • Delete: Permanently deletes the saved search for all users in your Code42 environment.