Skip to main content

Who is this article for?

Code42 for EnterpriseSee product plans and features
CrashPlan for Small Business 

CrashPlan for Small Business, no.

Code42 for Enterprise, yes.

Link: Product plans and features.

This article applies to Cloud.

Code42 Support

Forensic File Search file categories

Who is this article for?

Code42 for EnterpriseSee product plans and features
CrashPlan for Small Business 

CrashPlan for Small Business, no.

Code42 for Enterprise, yes.

Link: Product plans and features.

This article applies to Cloud.

Overview

Forensic File Search groups files into categories based on analysis of the file contents and file extension. This categorization enables you to narrow your searches to specific types of files. For example, performing a search for the Image file category returns file activity for .gif, .jpg, .png, and many other known image file types.

A complete list of categories and the types of files in those categories appears below.

File category searches can assist with a number of security investigation use cases, such as searching for unsanctioned applications or looking for executables in unusual locations.

Search by file category

To search for file events based on file category:

  1. Sign in to the administration console.
  2. Select Investigation > Forensic Search.
  3. Select a date range.
  4. Select search type File Category.
  5. Choose a search operator (includes any or includes none).
  6. Select one or more file categories. 
  7. (Optional) Click the + icon to add additional search criteria.
  8. Click Search.


File category search

File category details

The table below lists examples of file extensions to illustrate the types of files included in each category. However, each category contains many more file types than listed here, and file extensions are not the only criteria used to determine the file category.

File categories can help uncover mismatched file extensions
Where possible, Forensic File Search determines the file category based on the file contents, not the file extension. Examining the contents can highlight instances where a user changes a file extension. For example, if a file event has the file category Spreadsheet but the Filename uses the .jpg extension, it may indicate an attempt to hide or exfiltrate data.
File category

Example file extensions (each category contains more file types than listed below)

Archive dmg, iso, rar, tar, tgz, zip
Audio aac, aif, flac, m4a, mp3, wav, wma
Document doc, docx, pages, rtf, txt
Executable apk, app, com, dll, exe, jar, msi, pkg 
Image ai, bmp, dwg, eps, gif, jpg, png, psd, raw, svg, tif
PDF pdf
Presentation key, odp, otp, ppt, pptm, pptx
Script action, bash, bat, cmd, job, sh, vbs
Source code c, c++, class, go, h, java, js, php, py, r, rb, rs, swift, vb
Spreadsheet ods, xll, xlsm, xlsx, xlt
Video avi, flv, mkv, mov, mp4, mpeg, mpg, wmv
Virtual Disk Image dsk, hdd, hds, vdi, vhd, vhd, vhdx, vmdk