
This article applies to Cloud.

Available in: Small Business, Standard, Premium, Enterprise, Forensic File Search


Forensic File Search use cases


Overview

Forensic File Search is a powerful and flexible tool for monitoring file activity on user devices. This article provides example use cases to illustrate the types of things you can do with Forensic File Search in your Code42 environment, such as:

  • Find malware
  • Check for critical files being stored on devices that belong to unauthorized users
  • Investigate unwanted distribution of confidential files
  • Search for unsanctioned applications
  • Search for executable files in unexpected locations

These are only examples and are not intended to be an exhaustive list. If you have questions about how to best leverage Forensic File Search in your Code42 environment, contact your Customer Success Manager (CSM) for enterprise support at csmsupport@code42.com.

Considerations

  • You must have credentials for a Code42 user with either the Customer Cloud Admin or Security Center User role.
  • You must be licensed for Forensic File Search. Contact your Customer Success Manager (CSM) for enterprise support at csmsupport@code42.com for assistance with licensing.
  • Forensic File Search is only available in Code42 cloud environments.


Use case 1: Find known malware

Scenario

You suspect a specific piece of known malware exists or existed on user devices. For example, the application CCleaner was compromised with malware in 2017. If you know this application is used in your environment, Forensic File Search can help you determine if the malicious version of the application still exists on any user devices.

Steps

  1. Obtain the MD5 or SHA256 hash of the malware.
    If you have a quarantined copy of the malware, various online and command-line tools can calculate the hash value for you. Open-source databases and publicly posted Indicators of Compromise (IOCs) also list hashes of known malware.
  2. Sign in to the Code42 administration console.
  3. Select Security Center > Forensic Search.
  4. Select the search type MD5 Hash or SHA256 Hash.
  5. Enter the hash you obtained in step 1.
  6. (Optional) Click the plus icon to add search criteria to target a specific user or device.
  7. Click Search.
    • If no results are found, the malware no longer exists in your environment.
    • If results are returned, continue with the steps below.
  8. For each result, click the Expand file event details icon to expand the event details.
  9. Note the hostname, file path, and filename for each event.
  10. Perform a new search for each value noted above.
  11. At the top of the Date Observed column, click the sort icon to sort the events by date.
  12. Verify that the most recent file Event Type is No longer observed. This indicates the file was deleted. If there is not a No longer observed event, or other events occurred after the No longer observed event, the malware still exists on the device.
  13. Use these results to determine which devices require action to remove the malware. Optionally, click Export Results to download the results as a CSV file for additional analysis.
  14. After removing the malware from each device, wait 15 minutes and then perform the search again to confirm the malware no longer exists on any device.
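Steps 11 through 13 amount to a small decision rule: sort each file's events by Date Observed and treat the file as gone only when its most recent event is No longer observed. The script below is an added example (not Code42 code) that applies that rule to an exported results file so you can triage many devices at once. The column names (Hostname, File Path, Filename, Event Type, Date Observed), the timestamp format and the sample rows are all constructed for the demo and are assumptions about what a real export looks like; adjust them to match your own CSV.

```python
"""Decide from exported Forensic File Search events whether a file still exists.

Added example (not Code42 code). The CSV layout below is an assumption: real
exports may use different column names or a different date format.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample export: three hosts, one suspected file each. HOST-C's
# rows are deliberately out of order to show why sorting by date matters.
SAMPLE_CSV = """Hostname,File Path,Filename,Event Type,Date Observed
HOST-A,C:/Users/alice/Downloads,suspect.exe,New file,2017-09-14T10:03:00Z
HOST-A,C:/Users/alice/Downloads,suspect.exe,No longer observed,2017-09-20T08:15:00Z
HOST-B,C:/Users/bob/Downloads,suspect.exe,New file,2017-09-15T11:00:00Z
HOST-C,C:/Temp,suspect.exe,New file,2017-09-18T12:30:00Z
HOST-C,C:/Temp,suspect.exe,New file,2017-09-15T09:00:00Z
HOST-C,C:/Temp,suspect.exe,No longer observed,2017-09-16T09:00:00Z
"""

DATE_FMT = "%Y-%m-%dT%H:%M:%SZ"  # assumed export timestamp format


def parse_events(csv_text):
    """Parse the export into dicts, adding a real datetime for sorting."""
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["observed"] = datetime.strptime(row["Date Observed"], DATE_FMT)
        events.append(row)
    return events


def still_present(csv_text):
    """Return {(hostname, path, filename): True if the file is still on the device}.

    Mirrors steps 11-12: sort each file's events by Date Observed and treat the
    file as removed only when its most recent event is 'No longer observed'.
    A 'No longer observed' followed by a later 'New file' means it came back.
    """
    by_file = defaultdict(list)
    for ev in parse_events(csv_text):
        by_file[(ev["Hostname"], ev["File Path"], ev["Filename"])].append(ev)
    verdict = {}
    for key, evs in by_file.items():
        evs.sort(key=lambda e: e["observed"])
        verdict[key] = evs[-1]["Event Type"] != "No longer observed"
    return verdict


def devices_needing_action(csv_text):
    """Hostnames where at least one matching file is still present (step 13)."""
    return sorted({host for (host, _, _), present in still_present(csv_text).items() if present})


if __name__ == "__main__":
    for key, present in still_present(SAMPLE_CSV).items():
        print(key, "STILL PRESENT" if present else "removed")
    print("Devices needing action:", devices_needing_action(SAMPLE_CSV))
```

Point the script at your own export by reading the file into `still_present()` instead of `SAMPLE_CSV`; the verdict dictionary is keyed per device and path, so one host with two copies of the file shows up twice.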

Video

Watch the short video tutorial below for another example of how you can use Forensic File Search to search for malware. For more videos, visit the Code42 University.

Use case 2: Monitor location of critical files

Scenario

Your organization has a few critical financial files that need to be tightly controlled. Forensic File Search can help you determine if these files exist in unexpected places and/or if they are being stored on devices that belong to unauthorized users.

Steps

Repeat these steps for each critical file:

  1. Obtain the filename.
  2. Obtain the usernames for the users who are authorized to access the file.
  3. Sign in to the Code42 administration console.
  4. Select Security Center > Forensic Search.
  5. Select the search type Filename.
  6. Enter the complete filename, including the file extension. Alternatively, use the * wildcard character to search for a partial filename. For example, *financial*.
  7. Click the plus icon to add a second search criteria.
  8. Select the search type Username.
  9. Select is not.
  10. Enter the username of the authorized user.
    If there is more than one authorized user, add another is not search criteria for each user.
  11. Click Search.
  12. Use these results to determine which users or devices require further investigation. Optionally, click Export Results to download the results as a CSV file for additional analysis. If no results are found, the file only exists in authorized locations.


Use case 3: Investigate unwanted file distribution

Scenario

There are many ways confidential files can be accidentally or maliciously distributed to an unintended audience. Consider these two examples:

  • An early draft of a quarterly earnings report intended only for the executive team was accidentally saved to a shared drive accessible to anyone in the company. The report was shared to the drive at some point in the last two weeks, but no one knows exactly when. This is non-public information and it’s critical that no one sees it prior to the public release of the earnings report. This is especially urgent because the draft contained inaccurate information which would create fear, uncertainty, and doubt about the company’s financial future if it became public.
  • An HR report intended only for executives that contains employee salary information, social security numbers, and other critical personally identifiable information (PII) was accidentally emailed to an expanded distribution list of managers and administrative assistants. The sender noticed the mistake immediately and notified IT, who removed all copies from the company email server. However, the email was in the wild for about 15 minutes.

In both of these examples, you need to discover if anyone in the organization saved a copy of the confidential information to a device monitored by Code42. Forensic File Search can help identify the scope of unwanted file distribution to aid with remediation efforts.

Steps

  1. Obtain the filename of the accidentally-shared file.
  2. Sign in to the Code42 administration console.
  3. Select Security Center > Forensic Search.
  4. Select the search type Filename.
  5. Enter the complete filename, including the file extension. If you only know part of the file name, use the * wildcard character in your search string. For example, *salary*.
  6. Click the plus icon to add search criteria.
  7. In the second criteria, select Date Observed.
  8. Select on or after and enter the earliest possible date the confidential information could have been accidentally shared.
  9. (Optional) Add search criteria to exclude authorized users:
    1. Click the plus icon to add a search criteria.
    2. Select Username.
    3. Select is not.
    4. Enter the username of an authorized user.
      If there is more than one authorized user, add another is not search criteria for each user.
  10. Click Search.
  11. Use these results to determine which users or devices require further investigation. Optionally, click Export Results to download the results as a CSV file for additional analysis.
    For a specific device, if the results in the Event Type column display a New file event followed shortly by a No longer observed event, it could mean the file was deleted, moved to an external drive, or renamed. For information about tracking files moved to external drives or to cloud storage, use Code42's Security Center to view user activity. For information about detecting name changes, see the tip below.
  12. (Optional) If the file is included in the backup file selection of the device, use the Code42 administration console to perform a web restore, which downloads a copy of the file to a location accessible by the administrator. This enables you to view the actual contents of the file on the user's device.

Detecting a filename change
Searching by filename is useful if you're sure a file name has not changed. However, if a user changes a file name in an attempt to disguise it, you can still use Forensic File Search to track the file's existence based on its MD5 or SHA256 hash value. In most cases, Forensic File Search detects the initial file creation event on a user's device with the original filename, so you should find at least one result with that name. The file event data includes the MD5 and SHA256 hashes, which you can then use to perform a second search to look for additional copies of the file with the same content but a different name.
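Both use case 1 (step 1, obtaining a hash from a quarantined copy) and the tip above rest on the same property: MD5 and SHA256 are computed from a file's content only, so a renamed copy keeps the same digests. The following is an added example (not Code42 code) that computes both hashes with Python's standard library and demonstrates that renaming leaves them unchanged while any content edit does not. The file names and contents are constructed for the demo.

```python
"""Compute the MD5 and SHA256 values Forensic File Search accepts as search input.

Added example (not Code42 code). File names and contents are constructed.
"""
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read large samples in 1 MiB pieces rather than all at once


def hash_bytes(data):
    """Return {'md5': ..., 'sha256': ...} for in-memory bytes (lowercase hex)."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def hash_file(path):
    """Stream a file through both hashers; works for multi-GB samples."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def rename_preserves_hash(content=b"abc"):
    """Write a file, hash it, rename it, hash again; return (before, after).

    The two dicts are equal: only content feeds the hash, so a user who renames
    'quarterly-earnings-draft.xlsx' to 'notes.txt' produces the same digests.
    """
    with tempfile.TemporaryDirectory() as tmp:
        original = os.path.join(tmp, "quarterly-earnings-draft.xlsx")  # constructed name
        with open(original, "wb") as fh:
            fh.write(content)
        before = hash_file(original)
        disguised = os.path.join(tmp, "notes.txt")  # constructed name
        os.rename(original, disguised)
        after = hash_file(disguised)
    return before, after


def content_changed(a=b"abc", b=b"abd"):
    """A single-byte edit yields different digests: hashes track content, not names."""
    return hash_bytes(a) != hash_bytes(b)


if __name__ == "__main__":
    before, after = rename_preserves_hash()
    print("before rename:", before)
    print("after rename: ", after)
    print("same hashes after rename:", before == after)
    print("edited copy differs:", content_changed())
```

Paste either digest from `hash_file()` into the MD5 Hash or SHA256 Hash search type; the second search in the tip above is exactly this value run against every monitored device.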

Video

Watch the short video tutorial below for another example of how you can use Forensic File Search to locate confidential files in unauthorized locations. For more videos, visit the Code42 University.

Use case 4: Search for unsanctioned applications

Scenario

Your network team notices unusual upload traffic and suspects someone may be engaging in unapproved file sharing activity. Forensic File Search can help you identify if any .torrent files exist on user devices, which may indicate unsanctioned peer-to-peer file sharing activity.

Steps

  1. Sign in to the Code42 administration console.
  2. Select Security Center > Forensic Search.
  3. Select the search type Filename.
  4. Enter this search string: *.torrent
    This searches for any files with the .torrent file extension on user devices.
  5. (Optional) Click the plus icon to add search criteria to target a specific user, device, or date range.
  6. Click Search.
  7. Use these results to determine which users or devices require further investigation. Optionally, click Export Results to download the results as a CSV file for additional analysis.

Video

Watch the short video tutorial below for another example of how you can use Forensic File Search to find users with unauthorized software. For more videos, visit the Code42 University.

Use case 5: Search for executables in unusual locations

Scenario

Applications or other executable files outside the standard Program Files or Applications folders may be an indication of malware or other unwanted activity on user devices. Forensic File Search can show you if any applications exist in non-standard locations.

Steps

  1. Sign in to the Code42 administration console.
  2. Select Security Center > Forensic Search.
  3. Select the search type Filename.
  4. Enter one of the following search strings:
    • Windows: *.exe
    • Mac: *.app
      Optionally, perform another search for extensions such as msi, cmd, bat, vbs (Windows) or sh, pkg (Mac).
  5. Click the plus icon to add search criteria.
  6. Select the search type File Path.
  7. Select the search operator is not.
  8. Enter one of the following search strings:
    • Windows: C:/Program Files/*
    • Mac: */Applications/*
  9. Click Search.
  10. Review the results to determine if any devices require action. Optionally, click Export Results to download the results as a CSV file for additional analysis.
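The searches in use cases 2, 4 and 5 all stack the same building blocks: a Filename pattern with `*` wildcards, plus `is not` exclusions on Username or File Path, combined so every criterion must hold. The code below is an added example (not Code42 code) that evaluates that general criteria shape against a list of file events, for instance to re-filter an exported CSV or to sanity-check a pattern before running it. It generalizes the page's specific searches into one matcher. The event records are constructed; how the real product treats letter case and path separators is not stated on the page, so lower-casing values, normalizing backslashes to forward slashes, and treating File Path as the full path including the filename are assumptions.

```python
"""Evaluate Forensic File Search style criteria against file events locally.

Added example (not Code42 code). Matching semantics are assumptions: values are
lower-cased, backslashes become forward slashes, and 'path' holds the full path
including the filename.
"""
import fnmatch

# Constructed sample events (not real export data).
EVENTS = [
    {"username": "alice", "hostname": "HOST-A", "path": "C:/Program Files/Vendor/app.exe", "filename": "app.exe"},
    {"username": "bob",   "hostname": "HOST-B", "path": "C:\\Users\\bob\\AppData\\Local\\Temp\\updater.exe", "filename": "updater.exe"},
    {"username": "carol", "hostname": "HOST-C", "path": "/Applications/Editor.app", "filename": "Editor.app"},
    {"username": "dave",  "hostname": "HOST-D", "path": "/Users/dave/Downloads/Movie.app", "filename": "Movie.app"},
    {"username": "erin",  "hostname": "HOST-E", "path": "/Users/erin/Downloads/ubuntu.torrent", "filename": "ubuntu.torrent"},
    {"username": "frank", "hostname": "HOST-F", "path": "C:/Finance/Q3-financial-model.xlsx", "filename": "Q3-financial-model.xlsx"},
    {"username": "alice", "hostname": "HOST-A", "path": "C:/Finance/Q3-financial-model.xlsx", "filename": "Q3-financial-model.xlsx"},
]


def _norm(value):
    """Assumed normalization: forward slashes, case-insensitive."""
    return value.replace("\\", "/").lower()


def matches(event, criteria):
    """criteria: list of (field, operator, pattern); operator is 'is' or 'is not'.

    All criteria must hold (AND), which is how the steps above stack criteria.
    '*' matches any run of characters, as in *.torrent, *financial* and
    C:/Program Files/*; fnmatchcase is used so the only case folding is _norm().
    """
    for field, op, pattern in criteria:
        hit = fnmatch.fnmatchcase(_norm(event[field]), _norm(pattern))
        if op == "is" and not hit:
            return False
        if op == "is not" and hit:
            return False
    return True


def search(events, criteria):
    """Return the events that satisfy every criterion."""
    return [e for e in events if matches(e, criteria)]


# Use case 5: Windows executables outside Program Files.
WINDOWS_EXE_OUTSIDE_PROGRAM_FILES = [
    ("filename", "is", "*.exe"),
    ("path", "is not", "C:/Program Files/*"),
]
# Use case 5 (Mac): .app bundles outside /Applications.
MAC_APP_OUTSIDE_APPLICATIONS = [
    ("filename", "is", "*.app"),
    ("path", "is not", "*/Applications/*"),
]
# Use case 4: any .torrent file.
TORRENT_FILES = [("filename", "is", "*.torrent")]
# Use case 2: a critical financial file held by anyone other than the authorized user.
FINANCIAL_FILE_UNAUTHORIZED = [
    ("filename", "is", "*financial*"),
    ("username", "is not", "frank"),
]


def hostnames(events, criteria):
    """Convenience: hostnames of matching events, in event order."""
    return [e["hostname"] for e in search(events, criteria)]


if __name__ == "__main__":
    for name, crit in [
        ("Windows exe outside Program Files", WINDOWS_EXE_OUTSIDE_PROGRAM_FILES),
        ("Mac app outside /Applications", MAC_APP_OUTSIDE_APPLICATIONS),
        ("Torrent files", TORRENT_FILES),
        ("Financial file, unauthorized user", FINANCIAL_FILE_UNAUTHORIZED),
    ]:
        print(f"{name}: {hostnames(EVENTS, crit)}")
```

One detail worth noticing: `*/Applications/*` only matches paths that contain `/Applications/` with a trailing slash, so a path that ends at `/Applications` itself would not match; if your export records the directory rather than the full path, append the filename before matching as this example assumes.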
