Skip to main content

This article applies to Cloud.

Available in:

Small Business
StandardPremiumEnterprise
Forensic File Search

Code42 Support

Configure Forensic File Search

This article applies to Cloud.

Available in:

Small Business
StandardPremiumEnterprise
Forensic File Search

Overview

This tutorial explains how to enable Forensic File Search in your Code42 environment and how to search for file activity. Forensic File Search provides detailed visibility for Code42 administrators about:

  • Files on user devices, including files not selected for backup
  • Files stored only in cloud services

Forensic File Search can help you answer questions such as:

  • Who in my organization has, or previously had, a specific file?
  • What files in your Microsoft OneDrive or Google Drive account have public links or have been shared with users outside your organization?
  • Given the filename and/or MD5 or SHA256 hash of a virus or malware that has spread throughout the organization, who was the first user to possess it?
  • Is there file activity that looks like malicious activity (malware, insider threat)?
  • Which devices in my network were part of a phishing attack?
  • What file activity occurred during a security incident?
  • Is there evidence of covering up malicious activity (deleting files, changing extensions, etc.)?
  • Has a malicious file been remediated on impacted devices (removed or updated)?
  • What network interfaces were active on a device during a security incident?

Before you begin

Search considerations

  • Forensic File Search reports on file events detected by Code42. A file event is any activity observed for a file. For example, creating, modifying, renaming, moving, or deleting a file generates an event for that file. Events are reported for both user and system actions.
  • Search results return file events for all organizations in your Code42 environment.
  • File activity is monitored on the C: drive on Windows devices and the root of the file system on Mac and Linux devices, but /Volumes is not monitored on Macs.
  • From the time a file event is detected on a device, it may take up to 15 minutes for the event to appear in search results.

Step 1: Enable or disable Forensic File Search

Start with a test organization
Code42 recommends enabling Forensic File Search in a small, test organization at first. This helps ensure user devices and search results are performing as expected. Once you see the desired results with a small number of users, then enable Forensic File Search for additional organizations.

If your Code42 environment contains more than 5,000 users, Code42 recommends contacting your Customer Success Manager (CSM) at csmsupport@code42.com for assistance creating a deployment strategy.
  1. Sign in to the administration console.
  2. Select Organizations > Active.
  3. Select an organization.
  4. From the action menu in the upper-right, select Edit.
  5. Select Endpoint Monitoring.
  6. Select or deselect Forensic search.
    Within two minutes of enabling, devices start scanning existing files and sending file metadata to Code42. It may take up to 15 minutes for events to appear in search results.

Enable Forensic Search

Step 2 (Optional): Configure cloud service data sources

If your Forensic File Search product plan includes one or more cloud service data sources (for example, Google Drive or Microsoft OneDrive), you must authorize Code42 to access this data. See the tutorials linked below for detailed instructions:

Step 3: Perform a search

  1. Sign in to the administration console.
  2. Select Security Center > Forensic Search.
  3. Select a search type (for example, Filename).
  4. Select the search operator:
    • Is returns events that match the search criteria. Is not excludes events that match the search criteria
    • If searching for Date Observed, select on, on or after, on or before, or is in range to specify a single date or date range.
  5. Enter the search criteria.
    • For Filename and File Path searches, use the * wild card character to search for results including a partial string. Use the ? wildcard to replace a single character. For example:
      • Enter the search string expenses* to return events for any filename beginning with the string expenses, such as expenses.xlsexpenses.docexpenses to review.txt, etc.
      • Enter the search string expenses201?.xls to return events only for filenames matching that exact pattern, such as expenses2016.xlsexpenses2017.xls, etc.
    • File Path searches require a trailing slash (/) or wildcard at the end of the search term. For example:
      • Enter /Users/Clyde/ExampleFolder/ to view only events for files in ExampleFolder.
      • Enter  /Users/Clyde/ExampleFolder* to view events for files in ExampleFolder and any subfolders.
  6. (Optional) Click the + icon to add additional search criteria, then repeat steps 3-5. Click the icon to remove search criteria.
    Search results only return events that match all selected criteria.
  7. Click Update Search.
    After an event is detected on a device, it may take up to 15 minutes to appear in search results.
  8. (Optional) Click the column selector icon Column selector icon to select which columns appear in the results.
  9. Click the arrow icon File event details arrow icon to expand or collapse details for a specific file event. See the Forensic File Search reference guide for more details about specific event attributes.
  10. (Optional) Click Export Results to download the current search results as a CSV file for additional analysis.

Forensic File Search results

Additional considerations

Search results
  • File events are retained and searchable for 90 days after the Date Observed. For files that have not changed in over 90 days, only the most recent file event for that file is retained. 
  • Observed times for file events are reported in Coordinated Universal Time (UTC). Similarly, when conducting a search for a specific time range, user-entered times are evaluated as UTC, not local time.
  • When paging through search results, each page load refreshes the search results. If your search query does not contain a date range, or includes the current date, search results may change as you change pages.
  • The Code42 app on each user device is configured to send file events to the Code42 server every two minutes. This has several implications for search results:
    • If a file is modified more than once during the two-minute window, the search results only display a single modification event.
    • If a file is created and then deleted within two minutes, the New file and No longer observed events are captured and do appear in search results, but some file metadata may not be collected.
    • Device metadata, such as IP Address and Hostname, is collected once per two-minute interval for each batch of file events. File events reported in the same batch always report the same device metadata.
  • Changes to filenames are reported in the search results as a No longer observed event (for the old file name), immediately followed by a New file event (for the new file name).
  • File changes that occur within one second of each other may not be detected. For example, if a file is created and then deleted in less than a second, these events may not appear in search results. This varies somewhat by operating system: Windows devices are more likely to capture events in quick succession (within milliseconds) than Mac devices.
  • Updating a user's Code42 username does not update search results for existing events (events created prior to the change report the old username).
  • In some rare scenarios, the Username might report NAME_NOT_AVAILABLE.
  • Because some cloud services provide on-demand file streaming, user devices may contain a shortcut file for every file the user has access to throughout the organization. MD5 and SHA256 hashes are not calculated for these shortcut files since they have no content. However, if your Forensic File Search product plan includes one or more cloud service data sources (for example, Google Drive or Microsoft OneDrive), hashes are available for the actual files stored in the cloud service.
  • Google Drive cloud file events do not immediately appear when sharing with Google domains that are not configured with Code42 Forensic File Search.
User devices
  • Forensic File Search is not supported for per user installations. The Code42 app must be installed for everyone.
  • Linux devices have a default limit for the number of files and directories applications are allowed to monitor. This can impact the Code42 app's ability to capture file events for all locations on the device. To increase this default limit, follow the steps in Linux real-time file watching errors.
  • The File Created Date is not available for file events on Linux devices.
  • Code42 app CPU settings apply only to backup activity. They do not apply to Forensic File Search.
  • If a device is offline, file events are collected and stored locally on the device. Offline devices can store up to 1 GB of file events locally, which is approximately one million events. For normal device use, this is enough to capture up to 100 days of offline file events. Once a network connection is available, these events are sent to the Code42 server. If a device is offline long enough to generate more than 1 GB of file events, some events may not be reported.