Who is this article for?
- CrashPlan for Small Business: no
- Code42 for Enterprise: yes
Link: Product plans and features.
This article applies to Cloud.
Forensic File Search is a powerful component of Code42 Next-Gen Data Loss Protection, providing detailed visibility for Code42 administrators about:
- Files on user devices, including files not selected for backup
- Files stored only in cloud services
This tutorial explains how to enable Forensic File Search in your Code42 environment so you can start monitoring and investigating file activity on user devices and in cloud services.
Watch the short video below to learn more about how Forensic File Search collects file event data.
Before you begin
- Create a test organization, and then add a small number of test users to use in the steps below for initial Forensic File Search testing. Alternatively, use the Change Organization command to move a small number of existing users into the test organization.
- Your Code42 product plan must include Forensic File Search. For assistance with product plans, contact your Customer Success Manager (CSM) for enterprise support. If you're not sure how to reach your CSM, email firstname.lastname@example.org and we will connect you.
- The Code42 app must already be installed on user devices to collect endpoint file activity.
- Forensic File Search can only be enabled in organizations that use Standard archive encryption. Archive key password and Custom key encryption are not supported.
Step 1: Enable Forensic File Search
Code42 recommends first enabling Forensic File Search in a small test organization. This helps confirm that user devices and search results perform as expected. Once you see the desired results with a small number of users, enable Forensic File Search for additional organizations.
If your Code42 environment contains more than 5,000 users, Code42 recommends contacting your Customer Success Manager (CSM) for assistance creating a deployment strategy.
- Sign in to the administration console as a user with either the Customer Cloud Admin or Security Center User role.
- Select Organizations > Active.
- Select an organization.
- From the action menu in the upper-right, select Edit.
- Select Endpoint Monitoring.
- Select Forensic search.
  Within five minutes of enabling, devices start scanning existing files and sending file metadata to Code42. It may take up to 15 minutes for events to appear in search results.
- Click Save.
If you disable and then re-enable the Forensic search setting, the file scan on the device starts over. This may cause duplicate endpoint file events, and file events that were queued for processing at the time the setting was disabled may be lost.
If you have already disabled and re-enabled Forensic search, you can reduce duplicate search results by only searching for events that occurred after the date and time Forensic search was last enabled.
Watch the short video below for a demonstration of how to enable Forensic File Search for an organization.
Step 2 (Optional): Configure data sources
If your product plan includes one or more data sources (for example, cloud services such as Google Drive or Microsoft OneDrive), you must authorize Code42 to access this data. For instructions, see Introduction to adding data sources for Forensic File Search.
Watch the short video below to learn how to enable Forensic File Search for Google Drive.