Skip to main content

Who is this article for?

Code42 for EnterpriseSee product plans and features
CrashPlan for Small Business 

CrashPlan for Small Business, no.

Code42 for Enterprise, yes.

Link: Product plans and features.

This article applies to Cloud.

Code42 Support

Allow Code42 Forensic File Search access to your Google Drive

Who is this article for?

Code42 for EnterpriseSee product plans and features
CrashPlan for Small Business 

CrashPlan for Small Business, no.

Code42 for Enterprise, yes.

Link: Product plans and features.

This article applies to Cloud.


To help protect data from loss, you can use Code42 Forensic File Search to monitor files moving to and from users' Google Drive.

When you add Google Drive as a data source for Forensic File Search, you must authorize Code42 as a registered client API using your administrator account in G Suite. Once connected, Forensic File Search monitors your organization's Google Drive environment to capture when a user: 

  • Creates a file
  • Shares a file
  • Deletes a file
  • Modifies a file

This article explains how to add Google Drive as a data source for Forensic File Search. It also explains why Code42 needs this level of access to your Google environment. 


  • To allow Code42 access to Google Drive, you must be a G Suite administrator.
  • Once authorized, Code42 Forensic File Search has access to metadata on users, files, and drives. Learn more about what Code42 monitors
  • You cannot edit the authenticating administrator information once you register the cloud service. If you need to change that information, you must start over and add a new cloud service. 
  • File events do not immediately appear when sharing with Google domains that are not configured with Code42 Forensic File Search.  
  • You cannot deauthorize or remove Google Drive as a cloud service in Code42. Instead, you can remove the API client access in your G Suite Admin console if necessary.
  • Code42 Google Drive for Forensic File Search supports both Drive File Stream and Backup and Sync. If you're using Backup and Sync, see below for additional considerations.
  • You must be licensed for Code42 Forensic File Search. If your license expires, the cloud service is deauthorized within 24 hours. If you need assistance with licensing, contact your Customer Success Manager (CSM). If you're not sure how to reach your CSM, email and we will connect you.
Monitoring and alerting tools may report download activity
Code42 Forensic File Search temporarily streams files from your cloud service to the Code42 cloud to calculate the file hash. This may be reported as users downloading files.

Code42 never stores file contents or writes them to disk during this process.

Before you begin

Configure Forensic File Search before adding Google Drive as a cloud service data source.


  1. Sign in to the Code42 administration console
  2. Select Security Center > Data Sources
    Cloud Services
  3. Click Add.
    The Cloud Service Connection dialog appears.
  4. From Cloud Service, select Google Drive.
    Note the Client ID and API Scope details that appear on the bottom of the screen. You will need this information later in this procedure.
  5. Enter a display name. This display name must be unique. 
  6. From the G Suite Admin Console, log in using your G Suite administrator email and password.
  7. From the Google Admin console, go to Security > Advanced Settings. 
  8. Click Manage API client access.Manage API Client Access in Google Admin Console
  9. Enter the Client ID from the Code42 administration console in the Client Name field in the Google Admin console. 
  10. Enter the API Scope from the Code42 administration console.
  11. Click Authorize
    The Client Name and API Scope appear in the Manage API Client Access table.
  12. Go back to the Code42 administration console.
  13. Click Continue.
  14. Enter the G Suite email address that you used in step 6. 
  15. Click Authorize
    Google Drive is added as a cloud service for Forensic File Search, and Code42 begins the initial extraction of information. 
When will I start seeing file events in Forensic File Search?
The first step to adding cloud service information into Forensic File Search is called initial extraction. This is where Code42 scans the cloud service to get baseline information on your environment. How long this step takes depends on how many files are in your cloud service environment.

For most environments, this step takes about 24 hours. Once the initial extraction is complete, it takes about 20 minutes for a new event to appear in search results.

Next steps

Once you've have added Google Drive as a data source for Forensic File Search, learn more about:


Watch the video below for a demonstration of enabling Forensic File Search for Google Drive. For more videos, visit the Code42 University

Google Drive permissions

Forensic File Search collects file events from Google Drive. A file event is any activity observed for a file, such as creating, modifying, sharing, renaming, moving, or deleting a file. To see this file activity, Code42 requires access to your Google Drive environment.

In the configuration steps above, Code42 provides the client name and API scope for you to enter in your Google Admin Console. Code42 uses the following API scope

This set of permissions means Code42 has read-only access to metadata for files, users, and drives within your cloud service environment. In other words, Code42 cannot make changes to your cloud service environment. In addition, Forensic File Search does not monitor the contents of those files, and does not back up files in the cloud service.

More information on file activity 
For more information on the specific metadata and file events collected and stored by Forensic File Search, see the Forensic File Search reference guide


File events for Google Backup and Sync appear twice

Google Drive has two options for syncing files: Backup and Sync and Drive File Stream.

If your organization uses Backup and Sync, file events may show up twice in Forensic File Search. This happens because Backup and Sync saves content locally on your computer as well as in the cloud.  As a result, when you configure endpoints as a data source for Forensic File Search, Code42 monitors the Google Drive folder on a user's computer. When Google Drive is configured as a cloud data source, Code42 monitors the files within Google Drive. 

This means that when a user changes a file in one place, Google syncs those changes to the other location. This causes the file event to appears twice in Forensic File Search results: once for the endpoint source and once for the cloud source

If your organization only uses Drive File Stream, this issue does not happen. Drive File Stream doesn't save files locally, so file events only appear from the cloud source.