
Forensic File Search use cases

Who is this article for?

  • Code42 for Enterprise: yes
  • CrashPlan for Small Business: no

See Product plans and features.

This article applies to Cloud.

Overview

Forensic File Search is a powerful and flexible tool for monitoring file activity on user devices. This article provides example use cases to illustrate the types of things you can do with Forensic File Search in your Code42 environment, such as:

  • Monitor activity of departing employees before and after they give notice
  • Identify cloud files shared with external users
  • Search for unsanctioned applications, executable files in unexpected locations, unwanted distribution of confidential files, malware, and more.

These are only examples and are not intended to be an exhaustive list. If you have questions about how to best leverage Forensic File Search in your Code42 environment, contact your Customer Success Manager (CSM) for enterprise support. If you're not sure how to reach your CSM, email csmsupport@code42.com and we will connect you.

Considerations

  • You must have credentials for a Code42 user with either the Customer Cloud Admin or Security Center User role.
  • You must be licensed for Forensic File Search. Contact your Customer Success Manager (CSM) for enterprise support for assistance with licensing.
  • Forensic File Search is only available in Code42 cloud environments.

Before you begin

Use case 1: What did a departing employee do before giving notice?

Scenario

You are informed that an employee with access to files containing valuable intellectual property has given a two-week notice and is leaving to work for a competitor. While you may be able to start more closely monitoring activity and restricting access now that you know the employee is leaving, what about visibility into this user's actions before publicly giving notice?

Forensic File Search can help you determine how the user was moving files in the days and weeks leading up to the resignation, including:

  • File activity on external devices, such as an external drive or memory card
  • Files opened in apps that are commonly used for uploading files, such as a web browser, Slack, FTP client, or curl
  • Files placed in a folder used for syncing with cloud services, including iCloud, Box, Dropbox, Google Drive, and Microsoft OneDrive

Steps

  1. Sign in to the Code42 administration console.
  2. Select Investigation > Forensic Search.
  3. Select a date range.
    The date search defaults to Events observed in the last, but you can also choose a specific date and time range.
  4. Select the search type Exposure Type.
  5. Select the exposure types to include or exclude.
    By default, Activity on removable media, Read by browser or other app, and Synced to cloud service are all selected.
  6. Click the plus icon to add additional search criteria.
  7. Select Username (Code42) and enter the user's email address.
  8. Click Search.
  9. For each result, click the Expand file event details icon to expand the event details.
  10. (Optional) In the Filename section, click Most Recent Version or Exact Match to download the file contents.
    Files are only available to download for endpoint events and only for files included in the user's backup file selection.
  11. Note the Exposure section for each event. This lists details about files on removable media, synced to a cloud service, and accessed with a web browser.
  12. Use these results to determine which files require further investigation. Optionally, click Export Results to download the results as a CSV file for additional analysis.
  13. (Optional) Click Save As to add this to your list of Saved Searches. This is helpful if you plan to perform this search again later.

Use case 2: Identify cloud files shared with external users

Scenario

Your organization uses Google Drive or OneDrive so teams can easily collaborate both internally and externally. You need to identify files that are shared outside your organization that should not be public. Forensic File Search can help you determine which files have been shared externally.

Steps

  1. Sign in to the Code42 administration console.
  2. Select Investigation > Forensic Search.
  3. Select a date range.
    The date search defaults to Events observed in the last, but you can also choose a specific date and time range.
  4. Select the search type Exposure > Exposure Type.
  5. Select the search operator includes any.
  6. Click any exposure type to show all options.
    By default, all options are selected.
  7. Select or deselect options so only the cloud exposure types you want to review are selected (for example, Public on the web (Google Drive only) and Public via direct link).

Cloud sharing search

  1. (Optional) Click the plus icon to add search criteria (for example, a specific user or filename).
  2. Click Search.
  3. Use these results to determine which files require further investigation. Click the Expand file event details icon to expand the details for any file event.
    • File events with the Exposure Type Public on the web (Google Drive only) indicate the file is available on public search engines and accessible to the entire World Wide Web.
    • File events with the Exposure Type Public via direct link indicate the file is not listed in public search engines, but is available to anyone who accesses the link. Users do not need to be signed in to a Google Drive or OneDrive account to see the file.
    • In some cases, the Shared With details may list the specific users who have been granted access to the file.
  4. (Optional) Click Export Results to download the results as a CSV file for additional analysis.
  5. (Optional) Click Save As to add this to your list of Saved Searches. This is helpful if you plan to perform this search again later.

Use case 3: Investigate unwanted file distribution

Scenario

There are many ways confidential files can be accidentally or maliciously distributed to an unintended audience. Consider these two examples:

  • An early draft of a quarterly earnings report intended only for the executive team was accidentally saved to a shared drive accessible to anyone in the company. The report was shared to the drive at some point in the last two weeks, but no one knows exactly when. This is non-public information and it’s critical that no one sees it prior to the public release of the earnings report. This is especially urgent because the draft contained inaccurate information which would create fear, uncertainty, and doubt about the company’s financial future if it became public.
  • An HR report intended only for executives that contains employee salary information, social security numbers, and other critical personally identifiable information (PII) was accidentally emailed to an expanded distribution list of managers and administrative assistants. The sender noticed the mistake immediately and notified IT, who removed all copies from the company email server. However, the email was in the wild for about 15 minutes.

In both of these examples, you need to discover if anyone in the organization saved a copy of the confidential information to a device monitored by Code42. Forensic File Search can help identify the scope of unwanted file distribution to aid with remediation efforts.

Steps

  1. Obtain the filename of the accidentally-shared file.
  2. Sign in to the Code42 administration console.
  3. Select Investigation > Forensic Search.
  4. In the date filter, select Events observed on or after and enter the earliest possible date the confidential information could have been accidentally shared.
  5. Select the search type Filename.
  6. Enter the complete filename, including the file extension. If you only know part of the file name, use the * wildcard character in your search string. For example, *salary*.
  7. Click the plus icon to add search criteria.
  8. (Optional) Add search criteria to exclude authorized users:
    1. Click the plus icon to add search criteria.
    2. Select Username (Code42).
    3. Select is not.
    4. Enter the username of an authorized user.
      If there is more than one authorized user, add another is not criterion for each user.
  9. Click Search.
  10. For each result, click the Expand file event details icon to expand the event details.
  11. (Optional) In the Filename section, click Most Recent Version or Exact Match to download the file contents.
    Files are only available to download for endpoint events and only for files included in the user's backup file selection.
  12. Use these results to determine which users or devices require further investigation. Optionally, click Export Results to download the results as a CSV file for additional analysis.
    For a specific device, if the results in the Event Type column display a New file event followed shortly by a No longer observed event, it could mean the file was deleted, moved to an external drive, or renamed. For information about tracking files moved to external drives or to cloud storage, see User Activity. For information about detecting name changes, see the tip below.

Detecting a filename change

Searching by filename is useful if you're sure a file name has not changed. However, if a user changes a file name in an attempt to disguise it, you can still use Forensic File Search to track the file's existence based on its MD5 or SHA256 hash value. In most cases, Forensic File Search detects the initial file creation event on a user's device with the original filename, so you should find at least one result with that name. The file event data includes the MD5 and SHA256 hashes, which you can then use to perform a second search to look for additional copies of the file with the same content but a different name.
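The following Python script is an added example, not Code42's own tooling: it applies the tip above to an exported results CSV, collecting the hashes observed under the original filename and then listing every copy that shares a hash but carries a different name, skipping authorized users the way the Username is not criteria do. The column headers, the SHA256 values, and the sample rows are constructed for illustration; match the headers to your own export.

```python
import csv
import io

# Constructed sample of an exported Forensic File Search results CSV.
# The column names are an assumption for this example; match them to your export's headers.
# The hash values are placeholders, not real SHA256 digests.
SAMPLE_CSV = """Event Timestamp,Event Type,Username,File Name,File Path,SHA256 Hash
2019-03-01T09:12:00Z,New file,alice@example.com,Q3_salary_report.xlsx,C:/Users/alice/Documents/,aaaa1111
2019-03-01T09:13:00Z,No longer observed,alice@example.com,Q3_salary_report.xlsx,C:/Users/alice/Documents/,aaaa1111
2019-03-01T09:14:00Z,New file,alice@example.com,vacation_photos.zip,D:/,aaaa1111
2019-03-02T14:02:00Z,New file,bob@example.com,notes.txt,C:/Users/bob/Desktop/,bbbb2222
2019-03-03T11:45:00Z,New file,carol@example.com,Q3_salary_report.xlsx,C:/Users/carol/Downloads/,aaaa1111
"""


def load_events(csv_text):
    """Parse an exported results CSV into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def hashes_for_filename(events, original_name):
    """Collect every SHA256 seen under the original filename (the initial creation event)."""
    return {e["SHA256 Hash"] for e in events if e["File Name"] == original_name}


def copies_by_hash(events, file_hashes, authorized_users=()):
    """Return (username, file name, file path) for every distinct copy whose hash is in file_hashes.

    Users listed in authorized_users are skipped, mirroring the 'Username is not' criteria
    in the steps above. Repeated events for the same copy (e.g. New file followed by
    No longer observed) are collapsed to one entry, in first-seen order.
    """
    seen = []
    for e in events:
        if e["SHA256 Hash"] not in file_hashes or e["Username"] in authorized_users:
            continue
        copy = (e["Username"], e["File Name"], e["File Path"])
        if copy not in seen:
            seen.append(copy)
    return seen


def renamed_copies(csv_text, original_name, authorized_users=()):
    """The second search from the tip: same content as original_name, but a different filename."""
    events = load_events(csv_text)
    targets = hashes_for_filename(events, original_name)
    return [c for c in copies_by_hash(events, targets, authorized_users) if c[1] != original_name]


if __name__ == "__main__":
    for user, name, path in renamed_copies(SAMPLE_CSV, "Q3_salary_report.xlsx"):
        print(f"{user}: {path}{name}")
```

Run against the sample, the script reports alice's vacation_photos.zip on the D: drive as a renamed copy of the salary report, while carol's same-named copy is left to the plain filename search.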

Video

Watch the short video tutorial below for another example of how you can use Forensic File Search to locate confidential files in unauthorized locations. For more videos, visit the Code42 University.

Use case 4: Monitor location of critical files

Scenario

Your organization has a few critical financial files that need to be tightly controlled. Forensic File Search can help you determine if these files exist in unexpected places and/or if they are being stored on devices that belong to unauthorized users.

Steps

Repeat these steps for each critical file:

  1. Obtain the filename.
  2. Obtain the usernames for the users who are authorized to access the file.
  3. Sign in to the Code42 administration console.
  4. Select Investigation > Forensic Search.
  5. Select a date range.
    The date search defaults to Events observed in the last, but you can also choose a specific date and time range.
  6. Select the search type Filename.
  7. Enter the complete filename, including the file extension. Alternatively, use the * wildcard character to search for a partial filename. For example, *financial*.

Search for unauthorized users

  1. Click the plus icon to add a second search criterion.
  2. Select the search type Username (Code42).
  3. Select is not.
  4. Enter the username of the authorized user.
    If there is more than one authorized user, add another is not criterion for each user.
  5. Click Search / Update Search.
  6. Use these results to determine which users or devices require further investigation. Optionally, click Export Results to download the results as a CSV file for additional analysis. If no results are found, the file only exists in authorized locations.
  7. (Optional) Click Save As to add this to your list of Saved Searches. This is helpful if you plan to perform this search again later.
  8. (Optional) Click the Expand file event details icon to expand the event details. In the Filename section, click Most Recent Version or Exact Match to download the file contents.
    Files are only available to download for endpoint events and only for files included in the user's backup file selection.

Video

Watch the short video tutorial below for another example of how you can use Forensic File Search to monitor the location of critical files and save the search criteria for future use. For more videos, visit the Code42 University.

Use case 5: Search for unsanctioned applications

Scenario

Your network team notices unusual upload traffic and suspects someone may be engaging in unapproved file sharing activity. Forensic File Search can help you identify if any .torrent files exist on user devices, which may indicate unsanctioned peer-to-peer file sharing activity.

Steps

  1. Sign in to the Code42 administration console.
  2. Select Investigation > Forensic Search.
  3. Select a date range.
    The date search defaults to Events observed in the last, but you can also choose a specific date and time range.
  4. Select the search type Filename.
  5. Enter this search string: *.torrent
    This searches for any files with the .torrent file extension on user devices.
  6. (Optional) Click the plus icon to add search criteria (for example, a specific user or device).
  7. Click Search.
  8. For each result, click the Expand file event details icon to expand the event details.
  9. (Optional) In the Filename section, click Most Recent Version or Exact Match to download the file contents.
    Files are only available to download for endpoint events and only for files included in the user's backup file selection.
  10. Use these results to determine which users or devices require further investigation. Optionally, click Export Results to download the results as a CSV file for additional analysis.
  11. (Optional) Click Save As to add this to your list of Saved Searches. This is helpful if you plan to perform this search again later.

Video

Watch the short video tutorial below for another example of how you can use Forensic File Search to find users with unauthorized software. For more videos, visit the Code42 University.

Use case 6: Monitor a honeypot for data exfiltration

Scenario

You want to know if internal users are maliciously searching for valuable data. A common way to identify this behavior is by creating a honeypot. A honeypot is essentially a decoy system (for example, a network, device, or specific file) that looks like it contains valuable data, but has no real business value and only exists so it can be monitored for suspicious activity.

Forensic File Search can help you determine if copies of files in the honeypot exist anywhere else in your environment. (This likely indicates a user found a honeypot file and copied it.)

Steps

  1. Create a file that looks like it contains valuable information but is really a fake. Place the file somewhere on your network where you think a malicious user could find it.
  2. Obtain the MD5 or SHA256 hash of the honeypot file.
  3. Sign in to the Code42 administration console.
  4. Select Investigation > Forensic Search.
  5. Select a date range.
    The date search defaults to Events observed in the last, but you can also choose a specific date and time range.
  6. Select the search type MD5 Hash or SHA256 Hash.
  7. Enter the hash you obtained in step 2.
  8. (Optional) Click the plus icon to add search criteria (for example, a specific user or device).
  9. Click Search.
  10. For each result, click the Expand file event details icon to expand the event details.
  11. (Optional) In the Filename section, click Most Recent Version or Exact Match to download the file contents.
    Files are only available to download for endpoint events and only for files included in the user's backup file selection.
  12. Review the results to determine if any unauthorized users saved a copy of the honeypot file. Optionally, click Export Results to download the results as a CSV file for additional analysis.
  13. (Optional) Click Save As to add this to your list of Saved Searches. This is helpful if you plan to perform this search again later.

Video

Watch the short video tutorial below for another example of how you can use Forensic File Search to identify users who may have fallen for a honeypot trap. For more videos, visit the Code42 University.

Use case 7: Search for executables in unusual locations

Scenario

Applications or other executable files outside the standard Program Files or Applications folders may be an indication of malware or other unwanted activity on user devices. Forensic File Search can show you if any applications exist in non-standard locations.

Steps

  1. Sign in to the Code42 administration console.
  2. Select Investigation > Forensic Search.
  3. Select a date range.
    The date search defaults to Events observed in the last, but you can also choose a specific date and time range.
  4. Select the search type Filename.
  5. Enter one of the following search strings:
    • Windows: *.exe
    • Mac: *.app
      Optionally, perform another search for extensions such as msi, cmd, bat, vbs (Windows) or sh, pkg (Mac).
  6. Click the plus icon to add search criteria.
  7. Select the search type File Path.
  8. Select the search operator is not.
  9. Enter one of the following search strings:
    • Windows: C:/Program Files/*
    • Mac: */Applications/*
  10. Click Search.
  11. For each result, click the Expand file event details icon to expand the event details.
  12. (Optional) In the Filename section, click Most Recent Version or Exact Match to download the file contents.
    Files are only available to download for endpoint events and only for files included in the user's backup file selection.
  13. Review the results to determine if any devices require action. Optionally, click Export Results to download the results as a CSV file for additional analysis.
  14. (Optional) Click Save As to add this to your list of Saved Searches. This is helpful if you plan to perform this search again later.
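As an added example (not Code42's own code), the Python script below reproduces this Filename plus File Path is not search over an exported results CSV so the filter can be re-run or tightened offline, and it goes slightly beyond the steps by showing two wildcard edge cases worth checking: a Program Files (x86) folder that the Windows pattern does not cover, and a per-user Applications folder that the Mac pattern silently excludes. The column headers, the sample rows, File Path being the containing folder, and the interpretation of * as a shell-style glob are all assumptions.

```python
import csv
import fnmatch
import io

# Constructed sample of exported file events. Column names are an assumption for this
# example, and File Path is modelled as the containing folder; adapt both to your export.
SAMPLE_CSV = """Username,File Name,File Path
alice@example.com,setup.exe,C:/Program Files/Vendor/
alice@example.com,helper.exe,C:/Program Files (x86)/Vendor/
bob@example.com,update.exe,C:/Users/bob/AppData/Local/Temp/
bob@example.com,report.docx,C:/Users/bob/Documents/
carol@example.com,Safari.app,/Applications/
carol@example.com,Dropper.app,/Users/carol/Downloads/
dave@example.com,Cleaner.app,/Users/dave/Applications/
"""


def wildcard_match(pattern, value):
    """Model the search's '*' wildcard as a case-sensitive shell-style glob (assumption)."""
    return fnmatch.fnmatchcase(value, pattern)


def executables_outside(csv_text, name_patterns, excluded_path_patterns):
    """Reproduce the 'Filename' + 'File Path is not' search over an export.

    Returns (username, file name, file path) for events whose filename matches any of
    name_patterns and whose path matches none of excluded_path_patterns.
    """
    hits = []
    for e in csv.DictReader(io.StringIO(csv_text)):
        if not any(wildcard_match(p, e["File Name"]) for p in name_patterns):
            continue
        if any(wildcard_match(p, e["File Path"]) for p in excluded_path_patterns):
            continue
        hits.append((e["Username"], e["File Name"], e["File Path"]))
    return hits


if __name__ == "__main__":
    # Windows: 'C:/Program Files/*' does not cover 'C:/Program Files (x86)/', so add a
    # second 'is not' criterion for that folder if those results are noise.
    for hit in executables_outside(SAMPLE_CSV, ["*.exe"], ["C:/Program Files/*"]):
        print("Windows:", hit)
    # Mac: the leading '*' in '*/Applications/*' also excludes per-user folders such as
    # /Users/<name>/Applications/; use '/Applications/*' if those should be reviewed.
    for hit in executables_outside(SAMPLE_CSV, ["*.app"], ["*/Applications/*"]):
        print("Mac:", hit)
```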

External resources