Who is this article for?

Code42 for Enterprise: yes.
CrashPlan for Small Business: no.
See Product plans and features.

This article applies to Cloud.

Code42 Support

Allow Code42 Forensic File Search access to Google Drive


Overview

To help protect you from data loss, you can use Code42 Forensic File Search to monitor files moving to and from users' Google Drive.

When you add Google Drive as a data source for Forensic File Search, you must authorize Code42 as a registered API client using your G Suite administrator account. Once connected, Forensic File Search monitors your organization's Google Drive environment to capture when a user:

  • Creates a file
  • Shares a file
  • Deletes a file
  • Modifies a file

This article explains how to add Google Drive as a data source for Forensic File Search. It also explains why Code42 needs this level of access to your Google environment. 

Video

Watch the video below for a demonstration of enabling Forensic File Search for Google Drive. For more videos, visit Code42 University.

Considerations

  • To allow Code42 access to Google Drive, you must be a G Suite administrator.
  • Once authorized, Code42 Forensic File Search has access to metadata on users, files, and drives. Learn more about what Code42 monitors in the Google Drive permissions section below.
  • You cannot edit the authenticating administrator information once you register the cloud service. If you need to change that information, you must start over and add a new cloud service.
  • File events do not immediately appear when sharing with Google domains that are not configured with Code42 Forensic File Search.
  • You cannot deauthorize or remove Google Drive as a cloud service in Code42. Instead, you can remove the API client access in your G Suite Admin console if necessary.
  • Forensic File Search for Google Drive supports both Drive File Stream and Backup and Sync. If you're using Backup and Sync, see the Troubleshooting section below for additional considerations.
  • You must be licensed for Code42 Forensic File Search. If your license expires, the cloud service is deauthorized within 24 hours. If you need assistance with licensing, contact your Customer Success Manager (CSM). If you're not sure how to reach your CSM, email csmsupport@code42.com and we will connect you.
  • If a user is suspended or the Drive SDK is disabled in Google Drive, Code42 does not monitor file activity on the user's Google Drive account.

Monitoring and alerting tools may report download activity

Code42 Forensic File Search temporarily streams files from your cloud service to the Code42 cloud to calculate the file hash. Monitoring or alerting tools may report this as users downloading files.

Code42 never stores file contents or writes them to disk during this process.

Before you begin

Configure Forensic File Search before adding Google Drive as a cloud service data source.

Steps

Step 1: Connect Code42 and Google Drive

  1. Sign in to the Code42 administration console.
  2. Add a cloud service connection:
    1. Select Investigation > Data Sources.
      (Screenshot: Cloud services.)
    2. Click Add.
      The Add Cloud Service Connection dialog appears.
    3. From Cloud Service, select Google Drive.
      Note the Client Name and API Scope details that appear at the bottom of the screen. You will need this information later in this procedure.
    4. Enter a display name. This display name must be unique.
      (Screenshot: Add a Google Drive connection.)
  3. Authorize the Code42 app in Google:
    1. Go to your G Suite Admin Console and log in using your G Suite administrator email and password.
    2. Go to Security > Settings > Advanced Settings > Manage API Client Access.
    3. Copy and paste the Client Name from the Code42 administration console into the Client Name field.
    4. Copy and paste the API Scope from the Code42 administration console into the One or More API Scopes field.
    5. Click Authorize.
      The Client Name and API Scope fields appear in the Manage API Client Access table.
      (Screenshot: Manage API Client Access in Google Admin Console.)

Step 2: Add Users

  1. Return to the Code42 administration console.
  2. In the Add Cloud Service Connection dialog, click Continue. 
    The Add Users panel displays.
    Add Google Drive users.
  3. Select one of the following options:

Step 3: Verify the setup

  1. In the Add Cloud Service Connection dialog, click Continue.
    The Verify panel displays.
    Verify the Google Drive connection.
  2. Enter the G Suite email address that you used earlier to log in to the G Suite Admin Console. 
  3. Click Authorize.
    Google Drive is added as a cloud service for Forensic File Search, and Code42 begins the initial extraction of information. For details, see Initial extraction below.

Next steps

Once you have added Google Drive as a data source for Forensic File Search, learn more about:

Upload a .csv file

In Step 2, if you select Specific Users or Specific Groups and click Upload .CSV file, you must upload a .csv file that lists Google Drive users or groups you want to monitor.

General considerations for uploading a .csv file:

  • The .csv file is limited to 1,000 entries.
  • Uploading a new .csv replaces the existing list of people or groups being monitored.
  • All shared drives are monitored.

Upload a .csv file listing Google Drive users

To get a list of Google Drive users, see G Suite Admin Help. Create a .csv file from this list that contains only the users you want to monitor. Code42 reads usernames from a column header labeled Email Address [Required], Email Address, or Emails in the .csv file. If these columns contain any entries that aren't email addresses, the upload produces an error.

Upload a .csv file listing Google Drive groups

See the G Suite Admin Help for information about Google Drive groups. Create a .csv file that contains only the groups you want to monitor. Code42 reads the names of groups from the column header labeled Group Name or Groups in the .csv file. If neither of these column headers is present, the upload produces an error.

When a group name is provided, Code42 attempts to look up users with the specified group name from the .csv file. If the group name cannot be found, Code42 proceeds to the next group. Code42 looks for that group again every 24 hours.

As users are added and removed from the monitored groups, Code42 automatically detects changes and adjusts monitoring of users accordingly. Users that are removed from monitored groups have their event history preserved so that it remains searchable in Forensic File Search. When an unmonitored user in your Code42 organization shares a file with a monitored user, the events associated with that file are not captured because the unmonitored user is the owner of the file.
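A pre-flight check for the .csv upload described above, written for this article as an added example (not Code42's own validation code). It reads the column headers the article names, rejects user entries that are not email addresses, and enforces the 1,000-entry limit; the email pattern and the treatment of blank cells are assumptions, since Code42's exact checks are not documented.

```python
import csv
import io
import re

# Column headers the article says Code42 reads from.
USER_HEADERS = {"Email Address [Required]", "Email Address", "Emails"}
GROUP_HEADERS = {"Group Name", "Groups"}
MAX_ENTRIES = 1000  # the .csv file is limited to 1,000 entries

# Assumption: a loose pattern that only catches obvious non-addresses.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def validate_csv(text, kind):
    """Return (entries, errors) for the body of a users or groups .csv.

    kind is "users" or "groups". entries holds the values Code42 would
    read from the recognised column; errors lists reasons the upload
    would fail, so an empty errors list means the file is safe to upload.
    """
    wanted = USER_HEADERS if kind == "users" else GROUP_HEADERS
    reader = csv.DictReader(io.StringIO(text))
    matched = [h for h in (reader.fieldnames or []) if h.strip() in wanted]
    if not matched:
        return [], [f"no {kind} column found; expected one of {sorted(wanted)}"]
    column = matched[0]  # first recognised header wins
    entries, errors = [], []
    for row_no, row in enumerate(reader, start=2):  # row 1 is the header
        value = (row.get(column) or "").strip()
        if not value:
            continue  # assumption: blank cells are skipped, not uploaded
        if kind == "users" and not EMAIL_RE.match(value):
            errors.append(f"row {row_no}: {value!r} is not an email address")
        entries.append(value)
    if len(entries) > MAX_ENTRIES:
        errors.append(f"{len(entries)} entries exceeds the {MAX_ENTRIES} limit")
    return entries, errors


# Constructed sample exports (no real accounts); extra columns are ignored.
USERS_CSV = "Email Address [Required],First Name\nalice@example.com,Alice\nnot-an-address,Bob\n"
GROUPS_CSV = "Group Name,Member Count\nfinance@example.com,12\n\n"

if __name__ == "__main__":
    for label, text, kind in (("users", USERS_CSV, "users"), ("groups", GROUPS_CSV, "groups")):
        entries, errors = validate_csv(text, kind)
        print(f"{label}: {len(entries)} entries, errors: {errors or 'none'}")
```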

Initial extraction

Once you complete authorization, Code42 begins the initial extraction of user activity data from your cloud service. During this process, Code42 discovers the drives and indexes all their files one drive at a time. The time to complete initial extraction on a drive is directly related to the number of files within the drive, not the size of the files. 

As Code42 progresses through initial extraction, the Status column in the Data Sources panel shows the number of drives that have completed initial extraction compared to the number of drives remaining (for example, "Initializing 34 / 567"). All team drives are included by default, but are not added to the status count.

As each drive completes initial extraction, Code42 begins monitoring file activity on the drive and sends events to Forensic File Search. To speed up initial extraction, file hashes are omitted. As a result, the SHA256 Hash field in Forensic File Search shows the message "Hash Unavailable. File not modified since initial extraction" for these files. The files are hashed when file events occur.

For most environments, initial extraction takes between 24 and 48 hours. Once initial extraction is complete for each drive, it takes about 20 minutes for a new event from that drive to appear in search results in Forensic File Search. 

After initial extraction, Code42 processes new files in existing drives immediately, and looks for new drives every 24 hours.

Google Drive permissions

Forensic File Search collects file events from Google Drive. A file event is any activity observed for a file, such as creating, modifying, sharing, renaming, moving, or deleting a file. To see this file activity, Code42 requires access to your Google Drive environment.

In the configuration steps above, Code42 provides the client name and API scope for you to enter in your Google Admin Console. Code42 uses the following API scopes:

https://www.googleapis.com/auth/drive.readonly
https://www.googleapis.com/auth/admin.directory.user.readonly
https://www.googleapis.com/auth/admin.directory.group.readonly
https://www.googleapis.com/auth/admin.directory.customer.readonly

This set of permissions means Code42 has read-only access to metadata for files, users, and drives within your cloud service environment. In other words, Code42 cannot make changes to your cloud service environment. In addition, Forensic File Search does not monitor the contents of those files, and does not back up files in the cloud service.
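A least-privilege check on the scope list before it is pasted into the One or More API Scopes field, added here as an example (not part of the article or of Code42's tooling). It assumes the field takes a comma-separated list, and flags anything outside the four documented read-only scopes as well as any scope without the .readonly suffix, which would grant more than the article says Code42 needs.

```python
# Scopes the article lists for the Code42 Google Drive connector.
DOCUMENTED_SCOPES = {
    "https://www.googleapis.com/auth/drive.readonly",
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
    "https://www.googleapis.com/auth/admin.directory.customer.readonly",
}


def audit_scopes(field_value):
    """Compare a pasted scope list against the documented read-only set.

    Assumption: field_value is the comma-separated text destined for the
    One or More API Scopes field. Returns which documented scopes are
    missing, which extra scopes were added, and which granted scopes are
    not read-only, so a reviewer can reject an over-privileged client.
    """
    granted = {s.strip() for s in field_value.split(",") if s.strip()}
    return {
        "missing": sorted(DOCUMENTED_SCOPES - granted),
        "extra": sorted(granted - DOCUMENTED_SCOPES),
        "writable": sorted(s for s in granted if not s.endswith(".readonly")),
        "ok": granted == DOCUMENTED_SCOPES,
    }


if __name__ == "__main__":
    # Constructed: a list where the Drive scope lost its .readonly suffix.
    pasted = ("https://www.googleapis.com/auth/drive, "
              "https://www.googleapis.com/auth/admin.directory.user.readonly")
    print(audit_scopes(pasted))
```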

More information on file activity

For more information on the specific metadata and file events collected and stored by Forensic File Search, see the Forensic File Search reference guide.

Troubleshooting

File events for Google Backup and Sync appear twice

Google Drive has two options for syncing files: Backup and Sync and Drive File Stream.

If your organization uses Backup and Sync, file events may show up twice in Forensic File Search. This happens because Backup and Sync saves content locally on the user's computer as well as in the cloud. When you configure endpoints as a data source for Forensic File Search, Code42 monitors the Google Drive folder on the user's computer; when Google Drive is configured as a cloud data source, Code42 monitors the files within Google Drive.

This means that when a user changes a file in one place, Google syncs those changes to the other location. The file event therefore appears twice in Forensic File Search results: once for the endpoint source and once for the cloud source.

If your organization only uses Drive File Stream, this issue does not happen. Drive File Stream doesn't save files locally, so file events only appear from the cloud source. 

Slowed performance

Google uses API quotas to limit API requests from third-party integrations such as Code42. Throttling these API requests allows Google to better control their resources, but may slow down Code42 file metadata collection, especially after first configuring Forensic File Search access to Google Drive.

For faster performance, perform the following in the G Suite Admin Console:

  • Increase the quotas for the Code42 integration.
  • Add additional Super Admin users, which will enable Code42 to process data more quickly.

Maximum user drive number exceeded

Code42's maximum number of drives allowed for monitoring in Google Drive connections is 27,500. If Code42 detects more than this number of drives, it displays the following error in the Data Sources panel:

The number of supported user drives (27,500) for this connector has been exceeded. Deauthorize the connector and reauthorize with fewer than 27,500 drives.

If you receive this message:

  1. Deauthorize the cloud service connection.
  2. Reauthorize the cloud service connection.
    You are prompted to set up the cloud service connection again.
  3. In the Add Users step of the reauthorization process, select the Specific Users or Specific Groups option and ensure that the total number of drives included is below the 27,500 drive limit.