This article applies to Cloud.
When you add Google Drive as a data source for Forensic File Search, you must authorize Code42 as a registered client API using your administrator account in G Suite. Once connected, Forensic File Search monitors your organization's Google Drive environment to capture when a user:
- Creates a file
- Shares a file
- Deletes a file
- Modifies a file
This article explains how to add Google Drive as a data source for Forensic File Search. It also explains why Code42 needs this level of access to your Google environment.
- To allow Code42 access to Google Drive, you must be a G Suite administrator.
- You cannot edit the authenticating administrator information once you register the cloud service. If you need to change that information, you must start over and add a new cloud service.
- File events do not immediately appear when sharing with Google domains that are not configured with Code42 Forensic File Search.
- You cannot deauthorize or remove Google Drive as a cloud service in Code42. Instead, you can remove the API client access in your G Suite Admin console if necessary.
- Code42 Google Drive for Forensic File Search supports both Drive File Stream and Backup and Sync. If you're using Backup and Sync, see below for additional considerations.
- You must be licensed for Code42 Forensic File Search. If you need assistance with licensing, contact your Customer Success Manager (CSM) for enterprise support.
Code42 Forensic File Search temporarily streams files from your cloud service to the Code42 cloud to calculate the file hash. This may be reported as users downloading files.
Code42 never stores file contents or writes them to disk during this process.
Before you begin
- Configure Forensic File Search before adding Google Drive as a cloud service data source.
- Define monitoring scope. The G Suite administrator credentials that you use to connect Forensic File Search with Google Drive determine the scope of files that are accessible for monitoring by Forensic File Search. Code42 has permission to see all users that the administrator has control over.
If you require a smaller scope of users, use an administrator account that has a limited scope of users, or configure your Google Drive settings to set file-sharing permissions for organizations.
- Sign in to the Code42 administration console.
- Select Security Center > Data Sources.
- Click Add.
The Cloud Service Connection dialog appears.
- From Cloud Service, select Google Drive.
Note the Client ID and API Scope details that appear on the bottom of the screen. You will need this information later in this procedure.
- Enter a display name. This display name must be unique.
- From the G Suite Admin Console, log in using your G Suite administrator email and password.
- From the Google Admin console, go to Security > Advanced Settings.
- Click Manage API client access.
- Enter the Client ID from the Code42 administration console in the Client Name field in the Google Admin console.
- Enter the API Scope from the Code42 administration console.
- Click Authorize.
The Client Name and API Scope appear in the Manage API Client Access table.
- Go back to the Code42 administration console.
- Click Continue.
- Enter the G Suite email address that you used in step 6.
- Click Authorize.
Google Drive is added as a cloud service for Forensic File Search, and Code42 begins the initial extraction of information.
The first step to adding cloud service information into Forensic File Search is called initial extraction. This is where Code42 scans the cloud service to get baseline information on your environment. How long this step takes depends on how many files are in your cloud service environment.
For most environments, this step takes about 24 hours. Once the initial extraction is complete, it takes about 20 minutes for a new event to appear in search results.
Google Drive permissions
Forensic File Search collects file events from Google Drive. A file event is any activity observed for a file, such as creating, modifying, sharing, renaming, moving, or deleting a file. To see this file activity, Code42 requires access to your Google Drive environment.
In the configuration steps above, Code42 provides the client name and API scope for you to enter in your Google Admin Console. Code42 uses the following API scope:
https://www.googleapis.com/auth/drive.readonly https://www.googleapis.com/auth/admin.directory.user.readonly https://www.googleapis.com/auth/admin.directory.group.readonly https://www.googleapis.com/auth/admin.directory.customer.readonly
This set of permissions means Code42 has read-only access to metadata for files, users, and drives within your cloud service environment. In other words, Code42 cannot make changes to your cloud service environment. In addition, Forensic File Search does not monitor the contents of those files, and does not back up files in the cloud service.
File events for Google Backup and Sync appear twice
If your organization uses Backup and Sync, file events may show up twice in Forensic File Search. This happens because Backup and Sync saves content locally on your computer as well as in the cloud. As a result, when you configure endpoints as a data source for Forensic File Search, Code42 monitors the Google Drive folder on a user's computer. When Google Drive is configured as a cloud data source, Code42 monitors the files within Google Drive.
This means that when a user changes a file in one place, Google syncs those changes to the other location. This causes the file event to appears twice in Forensic File Search results: once for the endpoint source and once for the cloud source.
If your organization only uses Drive File Stream, this issue does not happen. Drive File Stream doesn't save files locally, so file events only appear from the cloud source.