Skip to main content

This article applies to Cloud.

Available in:

Small Business
StandardPremiumEnterprise
Forensic File Search

Code42 Support

Forensic File Search API

This article applies to Cloud.

Available in:

Small Business
StandardPremiumEnterprise
Forensic File Search

Overview

This article explains how to use the Code42 API with Forensic File Search. While the administration console contains a flexible and powerful web interface to perform searches and view results, the Code42 API provides additional capabilities for performing more complicated or customized searches.

The examples in this article use curl, but the concepts apply to any tool you choose for interacting with the Code42 API.

Forensic File Search API structure and syntax

Summary

API rate limits
To ensure optimal performance throughout your Code42 environment, Code42 limits the Forensic File Search API to 120 requests per minute. Requests that exceed this limit are blocked and do not return results.

Authorization

The Forensic File Search API requires an authorization token in the header of all requests. To obtain an authorization token, use your Code42 administrator credentials to submit a GET request to https://sts-east.us.code42.com/api/v1/login-user

For example:

curl -X GET -u "username:password" -H "Accept: application/json" https://sts-east.us.code42.com/api/v1/login-user

A successful request returns an authorization token. For example:

{
    "v3_user_token": "eyJjdHkiOiJKV1QiLCJlbmMiOiJBMTI4R0NNIiwiZXhwIjoiMjAxOC0wNC0zMFQyMTo0MDoyNy4xMDZaIiwiYWxnIjoiUlNBLU9BRVAtMjU2In0.0H-4bl43zA3cIE5D3o_8vZzJIUgtJt64mZbimNa2TNha761RgVBFaTfttMODXF1ntLUTHl-rD0JuHEAMrIxjpnaODictPizrDVeTA1PgkPrsKot9jp6D7uTEC1Y56qHS1qjP6WHQBpv6ADBfrAfePX3NnwkA5a1I8pB88kSWc1MXZ4uMt-rFcNtlLLPVfwtEXHyNG_bxYJOOn28y2ysJGSBD_Xx1-uK4zKvjWwXfVQG581TntFPy0LamJfJ7IM4wOIG-QrKeV796fJAaHBxNfOe4UWC8WeNcDEvgNZvOPchWTHY4l66OaOjHNeEkoKkxvc35j4V_QpYxe6GXRYK4NA.TJXe9M6goiZbw-tr.y0lUTHHkHU5tRS7bWI8jntMLcxv0HajXTXquV62IG4400i7wi0YSX-6vpsXVgivzztxnPaukgUsLavhZ8-wCiMdEkut4GfijTlDAM_tfmJyZG6Cn5GKIJgSCENrR1JTxvC6dhTvHc41p6T3jXqBWikoJwD9z9Ec3u-OhM3gotQZUfCq0rR8T043RZSN9-0TpxhpPUEUAS6rkAI07QP08l_nUqdQTsNF0Tafe1yfPTYJabkslHhYMlLRYuXwhWr_39h5BY89ud0cW_OyUtjzz83m9iGxv6sba9VBIb2Y95ipXLu6Ie-5wz8zivfjizX6ZQatp5Ep4UZxzsMdqD9j0BFXkXQZuITJLtKfmUX-FZYR8utNrbwtt8u2tvNUK8Ix4Fwa3bWPxlkwrhOdz70M-mxluxpR6EKSrf8xwHagMcahzVPcW5NVL2khr4MwMUKyRV69dAdGiaTKh2rd52znA0aE3OCtelnBrBn4rls0KX71_qZEAdPaLyyqZ4VaurWUfl35zSi2LW_a3-TebgIebHZxC-MxvFEH4DQq6gJDdoX92_YEYEn4tO_dhUTlD0CZ9HhT39XFrO9MBe4DoDzG-Iql_A-nhmCyOrRmQvUlR72XpHVFQQx3X6tqdPxFocgDh5z03-kLB4SjznQSlzJNbzl_knXTBGopoFLn3WHvjX8q327Vmwx1hjrQnO8Eg5rJMoXTJCMEEOkMyjkbFeEzEhTf2jcvvAlnNnxdtjb1Zo05RWwMsPwwHAgGr-0mm-ungNjIGW0MyMTZtK0StP1uRqfI1Q6ghqnGZxEZN_0fvsVlsz4u9A1eBYRE0xzg8p-0g62nAQ8GftpYaUoymgqbL2WCL15r38emLklXSruztosGU4Dtusg4JHEhYPxO4ieqeBu6FLX9fPSA_y3zmd_AEjW40-_6zC3quPYJwytaEIwVH6phtfa2phsOLLw-U-b2QY09-d27YirIjgNRZ7rO4GF3iX8hW3LfFIWj0WKA5HGtGHg.JzHVCE8zfy1qRBf__rhchA"
}
Token considerations
  • Use this authorization token in your search requests (see examples below).
  • Authorization tokens expire after one hour.
  • You must have credentials for a Code42 user with either the Customer Cloud Admin or Security Center User role.
  • The authorization example above only applies to users who authenticate locally with Code42. Single sign-on (SSO) users must also complete SAML authorization with their SSO provider. If you need assistance with this process, contact your SSO provider.
  • The URL to obtain the authorization token is different than the URL used to query file event data.

Groups and filters

Forensic File Search API queries are organized by groups of filters. This structure facilitates complicated requests with multiple "AND" or "OR" conditions. For example, use case 1 in the next section searches for files matching any one of 11 different file extensions that also exist in any one of nine different locations. Search queries are limited to a total of 1,024 criteria per request.

For example, the JSON below uses two groups of filters:

  • The first group uses a filterClause value of OR, which returns results if any of the four MD5 values are found (db349b97c37d22f5ea1d1841e3c89eb4 or 84c82835a5d21bbcf75a61706d8ab549 or f351e1fcca0c4ea05fc44d15a17f8b36 or 7bf2b57f2a205768755c07f238fb32cc).
  • The second group uses a filterClause value of AND, which returns results only if all criteria in the filter are met (in this example, on or after 2018-02-01 and before 2018-02-07).
  • Finally, to link these two groups together, the groupClause value of AND returns results only if both the first group and second group criteria are met. 
{
  "groups": [
    {
      "filters": [
        {
          "operator": "IS",
          "term": "md5Checksum",
          "value": "db349b97c37d22f5ea1d1841e3c89eb4"
        },
        {
          "operator": "IS",
          "term": "md5Checksum",
          "value": "84c82835a5d21bbcf75a61706d8ab549"
        },
        {
          "operator": "IS",
          "term": "md5Checksum",
          "value": "f351e1fcca0c4ea05fc44d15a17f8b36"
        },
        {
          "operator": "IS",
          "term": "md5Checksum",
          "value": "7bf2b57f2a205768755c07f238fb32cc"
        }
      ],
      "filterClause": "OR"
    },
    {
      "filters": [
        {
          "operator": "ON_OR_AFTER",
          "term": "eventTimestamp",
          "value": "2018-02-01T00:00:00.00Z"
        },
        {
          "operator": "ON_OR_BEFORE",
          "term": "eventTimestamp",
          "value": "2018-02-07T00:00:00.00Z"
        }
      ],
      "filterClause": "AND"
    }
  ],
  "groupClause": "AND",
  "pgNum": 1,
  "pgSize": 100,
  "srtDir": "asc",
  "srtKey": "eventTimestamp"
}

Sample request

This simple example demonstrates a search for all files on all devices with the file extension .docx that exist anywhere except the file path C:/Users. For more complicated examples with multiple groups and additional filters, see the sample use cases in the next section. Use this simple example as a starting point for your own searches and replace the content of the -d section with your specific search criteria.

curl -X POST  https://console.us.code42.com/forensic-search/queryservice/api/v1/fileevent \
-H 'content-type: application/json' \
-H "authorization: v3_user_token <authoriztion token goes here (without the angle brackets)>" \
-d '{
    "groups": [{
        "filters": [{
            "operator": "IS", 
            "term": "fileName", 
            "value": "*.docx"       
        },
        {
            "operator": "IS_NOT",
            "term": "filePath",
            "value": "C:/Users*"
        }
    ],
    "filterClause": "AND"
    }], 
    "groupClause": "AND",
    "pgNum": 1, 
    "pgSize": 100
}'
Format results as CSV
To receive results in CSV format instead of JSON, use the fileevent/export resource instead of fileevent. For example: https://console.us.code42.com/forensic-search/queryservice/api/v1/fileevent/export

Sample Use Cases

Use case 1: Search for application files in unexpected locations

The sample JSON below shows how to search for files with any of these extensions (.action, .app, .bat, .bin, .cmd, .com, .command, .cpl, .exe, .msc, .osx) that exist outside these locations:

  • C:\Program Files
  • /Applications
  • /Library
  • /User/*/Applications
  • /User/*/Library
  • /usr/bin
  • /usr/local/bin
  • /sbin
  • /bin

Sample JSON search query for application files in specific locations

Click the + or x icon in the heading above to expand or collapse the sample JSON.

Sample results of application files in specific locations

Click the + or x icon in the heading above to expand or collapse the sample results.

Use case 2: Search for WannaCry MD5 values within a specific date range

The sample JSON below shows how to search for files files matching any of four MD5 values (which are known values for WannaCry ransomware) that existed on devices between February 1 and 7, 2018. 

Sample JSON search query for MD5 values between two dates

Click the + or x icon in the heading above to expand or collapse the sample JSON.

Sample results of file events matching the MD5 values and date range

Click the + or x icon in the heading above to expand or collapse the sample results.

Use case 3: Search for evidence of WannaCry ransomware on specific devices

The sample JSON below shows how to search for files matching any of four MD5 values (which are known values for WannaCry ransomware) that exist on any of these three devices: CO-SAMPLE-1, CO-SAMPLE-2, or CO-SAMPLE-3.

Sample JSON search query for MD5 values on specific devices

Click the + or x icon in the heading above to expand or collapse the sample JSON.

Sample results of file events matching the MD5 values and device name

Click the + or x icon in the heading above to expand or collapse the sample results.

Missing or unknown values
Some file events may not capture all metadata. Reasons for omitted metadata can include:
  • The file did not exist on disk long enough for Code42 to capture all the metadata.
  • Several values, including deviceUserName , deviceStatus, and userUid are captured and reported from the Code42 cloud instead of directly from the user device. If those values haven't been reported yet, they may display as UNKNOWN or NAME_NOT_AVAILABLE. In those cases, you can use the deviceUid to get details via the Computer API resource.

External resources

  • Was this article helpful?