Who is this article for?

CrashPlan for Small Business, no.

Code42 for Enterprise, yes.

This article applies to Cloud.

Code42 Support

Configure Forensic File Search

Overview

Forensic File Search is a powerful component of Code42 Next-Gen Data Loss Protection that gives Code42 administrators detailed visibility into:

  • Files on user devices, including files not selected for backup
  • Files stored only in cloud services

This tutorial explains how to enable Forensic File Search in your Code42 environment so you can start monitoring and investigating file activity on user devices and in cloud services.

Before you begin

Step 1: Enable Forensic File Search

Start with a test organization
Code42 recommends first enabling Forensic File Search in a small test organization. This helps confirm that user devices and search results perform as expected. Once you see the desired results with a small number of users, enable Forensic File Search for additional organizations.

If your Code42 environment contains more than 5,000 users, Code42 recommends contacting your Customer Success Manager (CSM) for assistance creating a deployment strategy.

  1. Sign in to the administration console as a user with either the Customer Cloud Admin or Security Center User role.
  2. Select Organizations > Active.
  3. Select an organization.
  4. From the action menu in the upper-right, select Edit.
  5. Select Endpoint Monitoring.
  6. Select Forensic search.
    Within five minutes of enabling, devices start scanning existing files and sending file metadata to Code42. It may take up to 15 minutes for events to appear in search results.
  7. Click Save.

Disabling and re-enabling may cause duplicate endpoint events
If you disable and then re-enable the Forensic search setting, the file scan on the device starts over. This may create duplicate endpoint file events, and file events that were queued for processing when the setting was disabled may be lost.

If you have already disabled and re-enabled Forensic search, you can reduce duplicate search results by only searching for events that occurred after the date and time Forensic search was last enabled. 

Step 2 (Optional): Configure cloud service data sources

If your product plan includes one or more cloud service data sources (for example, Google Drive or Microsoft OneDrive), you must authorize Code42 to access this data. See the tutorials linked below for detailed instructions:

Next steps