Forensic Search reference guide
Who is this article for?
Incydr, yes.
CrashPlan for Enterprise, no.
Code42 for Enterprise, yes.
CrashPlan for Small Business, no.
This article applies to Code42 cloud environments.
Overview
Forensic Search is a powerful search interface that enables security teams to monitor and investigate suspicious file activity. Forensic Search provides detailed visibility about files:
- Stored on user devices, including files not selected for backup
- Stored in corporate cloud services, such as Google Drive and Microsoft OneDrive
- Synced to personal cloud services, such as Box, Dropbox, iCloud, and OneDrive
- Moved to removable media
- Sent as email attachments in Microsoft Office 365 and Gmail
- Sent to printers (Mac and Linux only)
This enables security personnel to gain a clearer understanding of file activity throughout the organization.
In order to see results in Forensic Search, you must first enable File Metadata Collection.
For cloud services and email services configuration instructions, see Introduction to adding data connections.
Forensic Search
To access Forensic Search:
- Sign in to the Code42 console.
- Select Forensic Search > Search.
Forensic Search reports on file events detected by Code42. A file event is defined as any activity observed for a file. For example, creating, modifying, renaming, moving, or deleting a file generates an event for that file. Events are reported for both user and system actions.
Search results
Item | Name | Description
---|---|---
a | Load Saved Search | Displays a searchable list of searches created and saved by users in your Code42 environment. Click the name of a search to immediately execute that search and display the results.
b | Date selector | All searches must specify a date range. Select one of the following options:<br>Times are evaluated as Coordinated Universal Time (UTC).
c | Search filters | Select an item from the menu or type the name of a filter to include in your search:<br>Cloud (visible only with licensing for one or more cloud service data sources)<br>Exposure (visible only with licensing for the endpoint data source)<br>Email (visible only with licensing for the email data source)
d | Search operator | Search operator options vary based on the search filter. For File Size, select is greater than or is less than.
e | Value | Defines the search criteria. Searches are case-insensitive.<br>For multi-value searches (includes any or includes none), enter each value on a separate line. Do not enter a comma-separated list.<br>Use the * wildcard character to search for a partial string. Use the ? wildcard to replace a single character. For example:<br>Wildcards are supported for all search filters except MD5 hash, SHA256 hash, IP address, and file size.<br>For File Size, enter a whole number (decimals are not supported) and then select a unit of measurement (bytes, kB, MB, or GB).
f | Remove search criteria | Removes this item from the search criteria.
g | Add search criteria | Adds another item to the search criteria. Search results only return events that match all criteria.
h | Save As | Adds the current search criteria to the list of saved searches. When viewing an existing saved search, you can either Save As a new search or Save changes under the same name.
i | Update Search | Performs a search based on the current search criteria.
j | Modify columns | Displays a list of available columns. Select or deselect items to customize the format of your search results.
k | Export results | Downloads the current search results to a CSV file.
l | Select all | Click to select or deselect all search results on the current page. When multiple results are selected, click Add to case in the upper right to add them all to a case.
m | Column sort indicator | Indicates how the results are currently sorted and displayed. Click any column heading to sort by that column. Click the heading again to switch between ascending and descending order.
n | Event selector | Click to select a file event. When multiple results are selected, click Add to case in the upper right to add them all to a case.
o | Risk indicator | Denotes file activity that may indicate a greater insider risk, such as a file extension that does not match the file contents, or activity performed outside a user's typical active hours.
p | Add to case | Click to add the file event to a Case:<br>Only available in the Incydr Advanced product plan.
q | View details | Displays all metadata for the file event. See the sections below for detailed descriptions of each field.
r | Events per page | Select to display 10, 25, 50, or 100 events per page.
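As an added illustration (not Code42's code), the following Python mirrors the value rules described above for search criteria: case-insensitive matching, the * and ? wildcards, one value per line for multi-value operators, no wildcards for the hash, IP address and file size filters, whole-number file sizes with a unit, and results that must satisfy every criterion. The 1024-based unit multipliers, the operator strings, and the sample events are assumptions.

```python
import re

# Added example, not Code42's code. The 1024-based unit multipliers and the
# operator strings are assumptions; the field names follow this guide.
NO_WILDCARD_FILTERS = {"MD5 hash", "SHA256 hash", "IP address", "File size"}
SIZE_UNITS = {"bytes": 1, "kB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}  # assumed

def wildcard_to_regex(value):
    """* matches any run of characters, ? exactly one; everything else is
    literal, and the whole value must match, case-insensitively."""
    parts = []
    for ch in value:
        parts.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)

def parse_values(text):
    """Multi-value criteria take one value per line; commas are not separators."""
    return [line.strip() for line in text.splitlines() if line.strip()]

def parse_size(text):
    """File size is a whole number plus a unit (bytes, kB, MB, GB); decimals are rejected."""
    m = re.fullmatch(r"\s*(\d+)\s*(bytes|kB|MB|GB)\s*", text)
    if not m:
        raise ValueError("file size must be a whole number followed by bytes, kB, MB or GB")
    return int(m.group(1)) * SIZE_UNITS[m.group(2)]

def criterion_matches(filter_name, operator, text, actual):
    """Evaluate one criterion (filter, operator, typed value) against an event field."""
    if filter_name == "File size":
        limit = parse_size(text)
        return actual > limit if operator == "is greater than" else actual < limit
    values = parse_values(text)
    if filter_name in NO_WILDCARD_FILTERS and any("*" in v or "?" in v for v in values):
        raise ValueError(f"wildcards are not supported for {filter_name}")
    hit = any(wildcard_to_regex(v).match(str(actual)) for v in values)
    return not hit if operator == "includes none" else hit

def search(events, criteria):
    """Return only the events that match every criterion (all criteria are ANDed)."""
    return [e for e in events
            if all(criterion_matches(f, op, txt, e.get(f, "")) for f, op, txt in criteria)]

# Constructed sample events using field names from this guide.
EVENTS = [
    {"Filename": "Q3-forecast.xlsx", "File size": 3 * 1024 ** 2, "Exposure type": "Removable media"},
    {"Filename": "notes.TXT", "File size": 512, "Exposure type": "Synced to cloud service"},
    {"Filename": "archive.zip", "File size": 5 * 1024 ** 3, "Exposure type": "Removable media"},
]

if __name__ == "__main__":
    hits = search(EVENTS, [("Filename", "includes any", "*.xlsx\n*.zip"),
                           ("File size", "is greater than", "1 MB")])
    print([e["Filename"] for e in hits])
```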
File event details
To view file event details within search results:
- From the list of search results, click View details to show all metadata for a file event. Event details slide in from the right.
- Within the Event details, scroll to view all metadata for the event. See the sections below for detailed descriptions of each field.
Some file events may not capture all metadata. Missing metadata is indicated by a dash (–) in the field. Most commonly, this occurs if the file did not exist on disk long enough for Code42 to capture all the metadata.
Event
The Event section provides summary information about the event, including date observed, event type, and event source.
Item | Description
---|---
Risk indicator | Indicates file activity that may be a greater risk. For more details, see Introduction to risk indicators.
Date observed | Endpoint file activity: File activity can be detected in two ways:<br>Cloud file activity: Date and time that Code42 detected activity in the cloud service. This may not be the exact time the activity occurred, but should be within 5 minutes. The time is reported in Coordinated Universal Time (UTC).<br>Email file activity: This may not be the exact time the email was sent, but should typically be within 5 minutes. The time is reported in Coordinated Universal Time (UTC).
Event type | The type of file event observed:
Source | The source of the file event:<br>This field appears only if you are licensed for more than one data source.
Process user | The username of the process owner, as reported by the device's operating system. Applies only to Printed and Browser or app read events.
Trusted activity | Indicates if this is activity you trust, as defined by your Data Preferences.<br>Applies only to Endpoint and Email events. For Cloud events, use the Exposure Type filter Outside trusted domain.
Username | Indicates the user associated with the event for the following sources:<br>If the Username matches a Code42 user, a View profile link is included. Click to review the User Profile, which highlights file activity for this user over the past 90 days that may indicate a file exfiltration risk.
Print (early access)
The Print section shows print event details and a link to download an image of the printed file. The Print section only appears for Printed event types.
Print detection is only supported on Mac and Linux devices and requires Code42 app version 8.0 or later.
Item | Description
---|---
Printer name | The name of the printer.
Print job name | The name of the print job. This is often the name of the printed document. Click Download file to download an image of the printed file.
File
The File section provides a link to download the file, along with details such as the file's name, path, owner, and other metadata.
Item | Description
---|---
File type mismatch (not pictured) | If Code42 detects the file contents do not match the file extension, a File Type Mismatch row appears with details about the mismatch (for example, the file extension is .jpg but the file contains source code content). This may indicate an attempt to disguise and exfiltrate data.
Filename | The name of the file, including the file extension. If applicable, links to download the file appear below the filename. Depending on available versions, one or both links may appear:<br>If the most recent version also matches the MD5 hash for this event, only the Exact Match link appears.<br>You must be signed in as a user with either the Customer Cloud Admin or Security Center - Restore role to download files.<br>Cloud file activity: Click the filename to open the file in the respective cloud service's file viewer. To view the file:<br>Email file activity: Click the filename to open the file attached to the email (Microsoft Office 365 only).
File path | The file location on the user's device. Endpoint file events only. Cloud and email events do not include a file path.
File category | The type of file, as determined by the file extension and file contents. For example, .gif, .jpg, and .png files are categorized as Image files. For a complete list of file categories and the specific file types in each category, see Forensic Search file categories.
File size | Size of the file. Not available for Google file types (for example, Google Sheets or Google Docs).
File owner | The name of the user who owns the file, as reported by the device's file system (for endpoint events) or the cloud service (for cloud events).
MD5 hash | The MD5 hash of the file contents. Not available for:
SHA256 hash | The SHA256 hash of the file contents. Not available for:
File created | File creation timestamp as reported by the device's operating system or the data connection. This appears in Coordinated Universal Time (UTC). Mac and Windows NTFS devices only.
File modified | File modification timestamp as reported by the device's operating system or the data connection.<br>For endpoints, this only indicates changes to file contents. Changes to file permissions, file owner, or other metadata are not reflected in this timestamp. For cloud data connections, this timestamp reflects when the file's contents, sharing permissions, name, or storage location changed. This timestamp is not supported for email data connections.<br>This appears in Coordinated Universal Time (UTC).
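As an added example (not Code42's code), the following Python reproduces, for a file an analyst has downloaded, two of the File fields described above: the File Type Mismatch check, which compares the extension with what the contents look like, and the MD5 and SHA256 hashes. The signature table, the list of text-like extensions, and the sample bytes are assumptions.

```python
import hashlib
from pathlib import PurePath
from typing import Optional

# Added example, not Code42's code. Signature table, text-like extension
# list and the "looks like text" heuristic are assumptions.
SIGNATURES = [
    (b"\xff\xd8\xff", "jpg", {"jpg", "jpeg"}),
    (b"\x89PNG\r\n\x1a\n", "png", {"png"}),
    (b"GIF87a", "gif", {"gif"}),
    (b"GIF89a", "gif", {"gif"}),
    (b"%PDF-", "pdf", {"pdf"}),
    (b"PK\x03\x04", "zip", {"zip", "docx", "xlsx", "pptx"}),
]
TEXT_EXTENSIONS = {"txt", "csv", "md", "log", "json", "xml", "html",
                   "py", "js", "java", "c", "h", "sh"}  # assumed

def detect_content_type(data: bytes) -> str:
    """Classify content by magic bytes; fall back to 'text' when the first 4 KB
    decodes as printable UTF-8 (source code, scripts, CSV), else 'unknown'."""
    for magic, name, _ in SIGNATURES:
        if data.startswith(magic):
            return name
    try:
        text = data[:4096].decode("utf-8")
    except UnicodeDecodeError:
        return "unknown"
    if not text or "\x00" in text:
        return "unknown"
    printable = sum(ch.isprintable() or ch in "\r\n\t" for ch in text)
    return "text" if printable / len(text) > 0.95 else "unknown"

def file_type_mismatch(filename: str, data: bytes) -> Optional[str]:
    """Return a File Type Mismatch description, or None when the extension is
    consistent with the contents or nothing can be decided."""
    ext = PurePath(filename).suffix.lower().lstrip(".")
    content = detect_content_type(data)
    if content == "unknown" or not ext:
        return None
    if content == "text":
        allowed = TEXT_EXTENSIONS
    else:
        allowed = {e for _, name, exts in SIGNATURES if name == content for e in exts}
    if ext in allowed:
        return None
    return f"extension .{ext} but contents look like {content}"

def file_hashes(data: bytes) -> dict:
    """The MD5 hash and SHA256 hash fields, computed over the file contents."""
    return {"MD5 hash": hashlib.md5(data).hexdigest(),
            "SHA256 hash": hashlib.sha256(data).hexdigest()}

if __name__ == "__main__":
    # Constructed sample: a .jpg whose contents are Python source.
    sample = b"import os\nprint(os.getcwd())\n"
    print(file_type_mismatch("holiday.jpg", sample), file_hashes(sample))
```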
Device
The Device section provides detailed information about the device, including the hostname, IP address, and other metadata.
Device details are visible only if you are licensed for the endpoint data source. Device details do not apply to cloud events.
Item | Description
---|---
Hostname | The device name reported by the device's operating system. The hostname may be different than the device name in the Code42 console.<br>You must enter the complete hostname. Wildcard searches are not supported.
Fully qualified domain name | Fully qualified domain name (FQDN) for the user's device at the time the event is recorded. If the device is unable to resolve the domain name of the host, it reports the IP address of the host.
Username (signed in to device) | The username signed in to the device when the file activity was observed, as reported by the device's operating system.<br>For devices with multiple user accounts, this helps you identify the user responsible for the file activity.
IP address (public) | The external IP address of the user's device, as seen by Code42 via the device's outbound connection to the Code42 cloud.<br>If the IP address is not included in your list of in-network IP addresses, it is labeled Remote activity.
IP address (private) | The IP address of the user's device on your internal network. This includes:<br>If there is more than one active network interface, this displays a list.
Cloud
The Cloud section provides detailed information about how and where the file is exposed in the cloud service.
Visible only with licensing for one or more cloud service data sources. Cloud details do not apply to endpoint events.
Item | Description
---|---
Directory ID | Unique identifier of the cloud drive or folder that contains the file. Search by this ID to find events for files within the same drive or folder.<br>Google Drive files that exist at the root level of the cloud drive display the value None.<br>Some cloud services allow users to add a file to multiple folders, so Directory ID may display a list of values.
Actor | The cloud service username of the person who caused the event.<br>In some cases, if multiple users interact with the same file within a 5-minute window, only the last user to take an action on the file is displayed.
Shared with users | At the time the event occurred, the list of users who have been granted access to the file. Click View to display a searchable list of usernames.<br>This only includes users the file is explicitly shared with. It does not capture users who only accessed a shared link.<br>This list can include:<br>Google Drive users without email addresses (for example, service or integration accounts with sharing permissions) are not listed.
Shared | Indicates the shared status of the file at the time the event occurred, but does not capture whether or not a link to the file has been shared:
File exposure changed to | Identifies an increase in exposure due to a change in sharing permissions for the file:<br>Because Code42 prioritizes file-based monitoring, detection of sharing permissions changes to folders in Box and OneDrive may be delayed. For this reason, the File exposure changed to value may be blank when a file inherits a permissions change from its parent folder. This avoids attributing that change to an incorrect actor.
Exposure
The Exposure section provides detailed information about where the file is exposed.
No single event contains values for all items in the table below. For example, the image above does not include removable media metadata (such as Device Name), because this exposure event was detected in a web browser, not on removable media.
Item | Description
---|---
Exposure type | The type of exposure risk, based on both cloud and device activity.<br>In cloud services: The exposure status of the file at the time the activity was observed.<br>On the device: Windows and Mac devices only
Destination category | The general category of where the file was sent. Categories include:<br>If the user accessed more than one tab while uploads were in progress, the destination category may indicate Multiple possibilities. Review the Active tab titles and URLs to identify all possible destinations.<br>Applies to Read by browser or other app and Synced to cloud service events.
Destination name | The specific location where the file was sent. Example names for each category are listed below, but this is not a complete list:<br>If the user accessed more than one tab while uploads were in progress, the destination name may indicate Multiple possibilities. Review the Active tab titles and URLs to identify all possible destinations.<br>Applies to Read by browser or other app and Synced to cloud service events.
Bus type | The type of removable media connection. For example: USB, eSATA, Thunderbolt. Applies only to removable media events.
Capacity | The storage capacity of the removable media. Applies only to removable media events.
Vendor name | The brand name of the removable media. For example: Lexar, SanDisk, Seagate. Applies only to removable media events.
Device name | The volume name of the removable media. Applies only to removable media events.
Device media name | The media name of the device, as reported by the vendor/device. This is usually very similar to the Device Name, but can vary based on the type of device. For example, if the device is a hard drive in a USB enclosure, this may be the combination of the drive model and the enclosure model.<br>This value is not provided by all devices, so it may be null in some cases. Applies only to removable media events.
Device volume name | The name assigned to the volume when it was formatted, as reported by the device's operating system. This is also frequently called the "partition" name. Applies only to removable media events.
Device partition ID | A unique identifier assigned to the volume/partition when it was formatted. Windows devices refer to this as the<br>Applies only to removable media events.
Serial number | Serial number of the connected hardware, as reported by the device's operating system. Applies only to removable media events.
Executable name | The path on disk of the executable, for example: \Device\Volume\Program Files\Google\Chrome\Application\chrome.exe<br>On Mac devices, AirDrop activity is indicated by the process name /usr/libexec/sharingd.<br>Applies only to read by browser or other app events.
Active tab title | The name of the browser tab or title of the application window active at the time the file is read by the browser or other app. For web browsers, the URL of the active tab may also be included. This information helps determine the destination of an uploaded file.
Sync destination | The name of the cloud service the file is synced with, for example: Dropbox, Google Drive, Microsoft OneDrive. Applies only to synced to cloud service events.
Sync username | The name of the user signed in to the cloud sync application on the device. This additional context can help you determine whether the file is synced with an approved cloud service.<br>For example, the Sync Username could indicate if a file synced with Google Drive is being stored in your corporate Google Workspace, or in an unsanctioned personal Google account.<br>Applies only to synced to cloud service events.
Email
The Email section provides detailed information about the email sender, recipients, and DLP policy that detected this file (if applicable).
Visible only with licensing for one or more email data sources. Email details do not apply to endpoint or cloud events.
Saved searches
Item | Name | Description
---|---|---
a | Name | The name of the saved search.
b | Created by | User who created the search.
c | Date Created | Date the search was created.
d | Last Modified by | Last user to modify the search.
e | Last Modified | Most recent date the search was modified.
f | | Click to view and edit search details, including the search name and any notes about the search (items i and j below).
g | | Executes the saved search and displays the search results.
h | | Click to view search options:
i | Name | Editable name of this search.
j | Notes | (Optional) Free-form text field to enter detailed notes about the search. Notes are limited to 2,500 characters.