Who is this article for?
CrashPlan for Small Business, no.
Code42 for Enterprise, yes.
This article applies to Cloud.
When you add Google Drive as a data source for Forensic File Search, you must authorize Code42 as a registered client API using your administrator account in G Suite. Once connected, Forensic File Search monitors your organization's Google Drive environment to capture when a user:
- Creates a file
- Shares a file
- Deletes a file
- Modifies a file
This article explains how to add Google Drive as a data source for Forensic File Search. It also explains why Code42 needs this level of access to your Google environment.
- To allow Code42 access to Google Drive, you must be a G Suite administrator.
- Once authorized, Code42 Forensic File Search has access to metadata on users, files, and drives. Learn more about what Code42 monitors.
- You cannot edit the authenticating administrator information once you register the cloud service. If you need to change that information, you must start over and add a new cloud service.
- File events do not immediately appear when sharing with Google domains that are not configured with Code42 Forensic File Search.
- You cannot deauthorize or remove Google Drive as a cloud service in Code42. Instead, you can remove the API client access in your G Suite Admin console if necessary.
- Code42 Google Drive for Forensic File Search supports both Drive File Stream and Backup and Sync. If you're using Backup and Sync, see below for additional considerations.
- You must be licensed for Code42 Forensic File Search. If your license expires, the cloud service is deauthorized within 24 hours. If you need assistance with licensing, contact your Customer Success Manager (CSM) firstname.lastname@example.org.
Code42 Forensic File Search temporarily streams files from your cloud service to the Code42 cloud to calculate the file hash. This may be reported as users downloading files.
Code42 never stores file contents or writes them to disk during this process.
Before you begin
Configure Forensic File Search before adding Google Drive as a cloud service data source.
1. Sign in to the Code42 administration console.
2. Select Security Center > Data Sources.
3. Click Add.
   The Cloud Service Connection dialog appears.
4. From Cloud Service, select Google Drive.
   Note the Client ID and API Scope details that appear on the bottom of the screen. You will need this information later in this procedure.
5. Enter a display name. This display name must be unique.
6. From the G Suite Admin Console, log in using your G Suite administrator email and password.
7. From the Google Admin console, go to Security > Advanced Settings.
8. Click Manage API client access.
9. Enter the Client ID from the Code42 administration console in the Client Name field in the Google Admin console.
10. Enter the API Scope from the Code42 administration console.
11. Click Authorize.
    The Client Name and API Scope appear in the Manage API Client Access table.
12. Go back to the Code42 administration console.
13. Click Continue.
14. Enter the G Suite email address that you used in step 6.
15. Click Authorize.
    Google Drive is added as a cloud service for Forensic File Search, and Code42 begins the initial extraction of information.
The first step to adding cloud service information into Forensic File Search is called initial extraction. This is where Code42 scans the cloud service to get baseline information on your environment. How long this step takes depends on how many files are in your cloud service environment.
For most environments, this step takes about 24 hours. Once the initial extraction is complete, it takes about 20 minutes for a new event to appear in search results.
Once you've added Google Drive as a data source for Forensic File Search, learn more about:
Google Drive permissions
Forensic File Search collects file events from Google Drive. A file event is any activity observed for a file, such as creating, modifying, sharing, renaming, moving, or deleting a file. To see this file activity, Code42 requires access to your Google Drive environment.
In the configuration steps above, Code42 provides the client name and API scope for you to enter in your Google Admin Console. Code42 uses the following API scope:
- https://www.googleapis.com/auth/drive.readonly
- https://www.googleapis.com/auth/admin.directory.user.readonly
- https://www.googleapis.com/auth/admin.directory.group.readonly
- https://www.googleapis.com/auth/admin.directory.customer.readonly
This set of permissions means Code42 has read-only access to metadata for files, users, and drives within your cloud service environment. In other words, Code42 cannot make changes to your cloud service environment. In addition, Forensic File Search does not monitor the contents of those files, and does not back up files in the cloud service.
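To check that the entry in the Manage API Client Access table grants exactly the scopes listed above and nothing broader, the following added example (not Code42 or Google code) compares a scope string copied from the console with the documented set. The function name, the accepted separators (commas or whitespace), and the sample string are assumptions made for illustration.

```python
import re

# Scopes listed in this article for the Code42 API client.
EXPECTED = {
    "https://www.googleapis.com/auth/drive.readonly",
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
    "https://www.googleapis.com/auth/admin.directory.customer.readonly",
}


def audit_scopes(granted_text, expected=EXPECTED):
    """Compare a scope string copied from the admin console with the documented set."""
    # Accept comma- or whitespace-separated scopes (assumption about the pasted text).
    granted = {s for s in re.split(r"[,\s]+", granted_text.strip()) if s}
    return {
        "missing": sorted(expected - granted),        # documented but not granted
        "unexpected": sorted(granted - expected),     # granted but not documented
        "not_read_only": sorted(s for s in granted if not s.endswith(".readonly")),
        "ok": granted == expected,
    }


# Constructed sample: one documented scope is missing and a broader,
# writable Drive scope was authorized by mistake.
SAMPLE_GRANT = (
    "https://www.googleapis.com/auth/drive.readonly, "
    "https://www.googleapis.com/auth/drive, "
    "https://www.googleapis.com/auth/admin.directory.user.readonly, "
    "https://www.googleapis.com/auth/admin.directory.customer.readonly"
)

if __name__ == "__main__":
    for key, value in audit_scopes(SAMPLE_GRANT).items():
        print(f"{key}: {value}")
```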
File events for Google Backup and Sync appear twice
If your organization uses Backup and Sync, file events may show up twice in Forensic File Search. This happens because Backup and Sync saves content locally on your computer as well as in the cloud. As a result, when you configure endpoints as a data source for Forensic File Search, Code42 monitors the Google Drive folder on a user's computer. When Google Drive is configured as a cloud data source, Code42 monitors the files within Google Drive.
This means that when a user changes a file in one place, Google syncs those changes to the other location. This causes the file event to appear twice in Forensic File Search results: once for the endpoint source and once for the cloud source.
If your organization only uses Drive File Stream, this issue does not happen. Drive File Stream doesn't save files locally, so file events only appear from the cloud source.
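When reviewing exported results from an environment that uses Backup and Sync, the doubled events can be collapsed before triage. This added example (not Code42 code) pairs an endpoint event with a cloud event for the same user, event type and file hash inside a sync window; the field names, the 10-minute window, and the sample events are all constructed assumptions, not the product's export schema.

```python
from datetime import datetime, timedelta

# Constructed sample events; field names and values are hypothetical.
EVENTS = [
    {"source": "endpoint", "user": "alice@example.com", "type": "MODIFIED",
     "sha256": "aa11", "path": "C:/Users/alice/Google Drive/plan.xlsx",
     "time": "2019-03-04T10:00:05"},
    {"source": "cloud", "user": "alice@example.com", "type": "MODIFIED",
     "sha256": "aa11", "path": "My Drive/plan.xlsx",
     "time": "2019-03-04T10:01:40"},
    {"source": "cloud", "user": "bob@example.com", "type": "CREATED",
     "sha256": "bb22", "path": "My Drive/notes.txt",
     "time": "2019-03-04T11:15:00"},
    {"source": "endpoint", "user": "alice@example.com", "type": "MODIFIED",
     "sha256": "aa11", "path": "C:/Users/alice/Google Drive/plan.xlsx",
     "time": "2019-03-04T15:30:00"},
]


def collapse_sync_duplicates(events, window=timedelta(minutes=10)):
    """Merge an endpoint/cloud pair describing the same change into one record."""
    ordered = sorted(events, key=lambda e: e["time"])  # ISO 8601 strings sort by time
    merged, used = [], set()
    for i, ev in enumerate(ordered):
        if i in used:
            continue
        start = datetime.fromisoformat(ev["time"])
        record = {k: v for k, v in ev.items() if k != "source"}
        record["sources"] = [ev["source"]]
        for j in range(i + 1, len(ordered)):
            other = ordered[j]
            if datetime.fromisoformat(other["time"]) - start > window:
                break  # later events are outside the sync window
            same_change = all(other[k] == ev[k] for k in ("user", "type", "sha256"))
            if j not in used and other["source"] != ev["source"] and same_change:
                used.add(j)
                record["sources"].append(other["source"])
                break  # pair each event with at most one counterpart
        merged.append(record)
    return merged


if __name__ == "__main__":
    for rec in collapse_sync_duplicates(EVENTS):
        print(rec["time"], rec["user"], rec["type"], rec["sources"])
```

Events seen from only one source, such as the later endpoint-only change in the sample, stay as separate records so that no activity is hidden by the merge.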