Forensic Search use cases
Who is this article for?
Incydr Professional and Enterprise, yes.
Incydr Basic and Advanced, yes.
CrashPlan Cloud, no.
Other product plans, yes.
CrashPlan for Small Business, no.
This article applies to Code42 cloud environments.
Overview
Forensic Search is a powerful search interface for monitoring and investigating file activity and risk exposure on endpoints, removable media, and in cloud services. This article provides example use cases to illustrate the types of things you can do with Forensic Search, such as:
- Identify files shared with external users or synced to personal cloud services
- Find files uploaded via a web browser and identify where they were sent
- Monitor activity of departing employees before and after they give notice
These are only examples and are not intended to be an exhaustive list. If you have questions about how to best leverage Forensic Search in your Code42 environment, contact your Customer Success Manager (CSM). If you do not know your CSM, please contact our Customer Champions.
Considerations
- Some use cases below require:
- Enabling all endpoint monitoring detection types
- Specific risk detection sources to be included in your product plan.
Contact your Customer Success Manager (CSM) for assistance with licensing.
- To monitor endpoint activity, the Code42 app must be installed on user devices.
Search basics
For all use cases below, follow these steps to start your search and review the results. Additional search criteria varies by use case.
- Sign in to the Code42 console.
- Select Forensic Search > Search.
- Select a date range.
- Select the Filter, Operator, and Value for the first search criteria of your use case.
- Click the plus icon as needed to add more search criteria.
- Click Search.
- Explore file event details:
- Review the search results to determine which file events require further investigation. Click View details
to show the details for any file event. For in-depth descriptions of all file event details, see the Forensic Search reference guide. - All metadata is included in the expanded file event details, but you can also click Modify columns to add or remove columns from the search results.
- Review the search results to determine which file events require further investigation. Click View details
- Download files from the Filename section:
- Endpoint events: Click Exact Match or Most Recent Version to download the file.
- Incydr Professional and Enterprise: All exfiltrated files are available to download.
- Incydr Basic and Advanced, CrashPlan Cloud, and other plans: Files backed up by Code42 are available to download.
- Cloud and email events: Click the filename to open the file.
- Endpoint events: Click Exact Match or Most Recent Version to download the file.
- Save and export
- Click Export Results to download the results as a CSV file for additional analysis.
- Click Save As to add this to your list of Saved Searches. This is helpful if you plan to perform this search again later.
- (Optional) Add file events to a Case to help you manage and respond to security investigations.
- To add a single file event, click Add to case
for the event you want to add. - To add multiple events at once:
- Close the Event details.
- Select the checkbox for each event you want to add.
- Click the Add to case icon in the upper right.
- To add a single file event, click Add to case
Use cases
Files synced to personal cloud services
Search for files on an endpoint synced with a personal cloud service account via an installed app. For example, files synced via a personal Google Drive account instead of your corporate Google Workspace (formerly G Suite).
Search criteria:
| Filter | Operator | Value | Notes |
|---|---|---|---|
| Trusted Activity | Exclude | -- | Excludes file activity from users on your list of trusted domains. |
| Destination Category | includes any | Cloud Storage |
Returns results for files sent to cloud storage by either:
|
| Event Type | includes none | No longer observed | Optional Returns files that were synced but no longer exist on the device. This may indicate the user deleted the file after syncing it to their personal cloud service. |
To see who is signed in to an installed cloud agent, click Modify columns and add Sync Username (Cloud). Alternatively, expand the file event details and review the Exposure > Sync Username metadata.
Files shared publicly via Google Drive
Search for files in your Google Drive environment shared with users outside your domain or with publicly-accessible links. Requires you to configure Google Drive as a data source.
Search criteria:
| Filter | Operator | Value | Notes |
|---|---|---|---|
| Source | includes any | Google Drive | |
| Trusted Activity | -- | Exclude | Excludes files shared with users on your list of trusted domains. |
| File exposure changed to | -- |
Public via direct link Outside trusted domain |
Returns results for files:
|
| Actor | is | *@yourdomain.com |
Optional Restricts results to sharing activity performed by users on your domain.
To return all publicly accessible files, do not include this criteria. |
Sensitive file access in cloud services
Search for activity related to a specific file in a cloud service. For example, a financial forecast shared with unauthorized users. Requires configuration of at least one cloud data source.
Search criteria:
| Filter | Operator | Value | Notes |
|---|---|---|---|
| Source | includes none | Endpoint | Excludes file activity on user devices. |
| Filename | is |
Q4_earnings.xlsx (for example) |
Enter a complete filename, including the file extension. If you only know part of the name, use the * wildcard character in your search string. For example, *earnings*. |
| Username | includes none | <list of email addresses> | Optional If you know specific users are allowed to access the file, you can exclude them from search results by adding a list of their email addresses. |
Cloud files shared with outside users
Search for any file in a cloud service shared by a user on your domain to a user not on your domain and not on your listed of trusted domains. Requires configuration of at least one cloud data source.
Search criteria:
| Filter | Operator | Value | Notes |
|---|---|---|---|
| Trusted Activity | -- | Exclude | Excludes file activity on your list of trusted domains from the search results. |
| Shared With Users | is not | *@yourdomain.com | Excludes files shared with users on your domain. (If your domain is included in your list of trusted domains, this filter is is not necessary.) |
| Shared With Users | is | *@* |
Only required for the OneDrive data source
Restricts results to files shared with an email address. In some circumstances, your OneDrive users may display only a first and last name instead of an email address. Outside outside actors always display an email address. |
| Actor | is | *@yourdomain.com | Only returns events performed by users on your domain. |
| File exposure changed to | -- | Outside trusted domain |
Returns results for files shared with a domain not included in your list of trusted domains. |
Cloud files with public links
Search for files in cloud services that were configured to be shared publicly or outside of trusted domains by a user outside of your company. Requires configuration of at least one cloud data source.
Search criteria:
| Filter | Operator | Value | Notes |
|---|---|---|---|
| Trusted Activity | -- | Exclude | Excludes file activity on your list of trusted domains from the search results. |
| Actor | is not | *@yourdomain.com | Only returns events performed by users outside your domain. |
| Source | includes any |
Google Drive OneDrive Box |
|
| File exposure changed to | -- |
Public via direct link Outside trusted domain |
Returns results for files:
|
Important files sent to Dropbox
Search for a specific file or any file within a specific directory that is synced to Dropbox.
Search criteria:
| Filter | Operator | Value | Notes |
|---|---|---|---|
|
Filename or File Path |
includes any |
Q4_earnings.xlsx (for example) |
Enter a complete file path or filename, including the file extension. If you only know part of the name, use the * wildcard character in your search string. For example, *earnings*. |
| Event Type | includes none | No longer observed | Excludes deleted file events. |
| Destination Name | includes | Dropbox |
Returns results for files sent to Dropbox by either:
|
Web browser upload to Dropbox
Search for any file uploaded to a URL containing "dropbox.com." Searching for a specific URL is especially helpful if searching by Destination Name or Destination Category does not return results for the domain.
Search criteria:
| Filter | Operator | Value | Notes |
|---|---|---|---|
| Tab URL (Browser) | is | *dropbox.com* | |
| Trusted Activity | -- | Exclude | Optional You only need to exclude trusted activity if you include another Dropbox URL in your list of trusted domains (for example, yourcompany.dropbox.com). |
Web browser upload to Slack
Search for any files attached to Slack messages in a web browser. Searching for a specific URL is especially helpful if searching by Destination Name or Destination Category does not return results for the domain.
Search criteria:
| Filter | Operator | Value | Notes |
|---|---|---|---|
| Tab URL (Browser) | is | *app.slack.com* |
Files shared via the Slack desktop application
Search for any files attached to messages via the Slack desktop app. Searching for a specific executable name is especially helpful if searching by Destination Name or Destination Category does not return results for that application.
Search criteria:
| Filter | Operator | Value | Notes |
|---|---|---|---|
| Executable Name | is | *slack* |
Browser upload to alternative cloud storage
Search for any files uploaded via web browser to a defined list of less common cloud storage providers.
Search criteria:
| Filter | Operator | Value | Notes |
|---|---|---|---|
| Event Type | includes any | Browser or app read | The file was opened in an app that is commonly used for uploading files, such as a web browser, Slack, AirDrop, FTP client, or curl. |
| Tab URL (Browser) | includes any |
*pcloud.com *idrive.com |
Use a wildcard (*) before the domain name to include all subdomains. This example lists only a few possible cloud storage options. Customize this list for your environment. |
File extension mismatch
Search for files with potential exposure where the file extension does not match the file contents (for example, a file with the .jpg extension that contains source code content). This may indicate an attempt to disguise and exfiltrate data.
Search criteria:
| Filter | Operator | Value | Notes |
|---|---|---|---|
| Risk Indicator | includes any | File Mismatch | Returns file activity where the file extension does not match the file contents. |
| Exposure Type | exists | -- |
Optional Only returns results for file activity with an exposure risk (for example, sharing, uploading, moving to removable media, and so on).
Do not include this criteria if you want to find all instances of file extension mismatches. |
Review a departing employee's activity before giving notice
Scenario: An employee with access to files containing valuable intellectual property gives a two-week notice and is leaving to work for a competitor. This search can help you determine how the user was moving files in the days and weeks leading up to the resignation, including:
- File activity on external devices, such as an external drive or memory card
- Files opened in apps that are commonly used for uploading files, such as a web browser, Slack, AirDrop, FTP client, or curl
- Files placed in a folder used for syncing with cloud services, including iCloud, Box, Dropbox, Google Drive, and Microsoft OneDrive
Search criteria:
| Filter | Operator | Value | Notes |
|---|---|---|---|
| Exposure Type | exists | -- | Returns results for file activity with an exposure risk (for example, sharing, uploading, moving to removable media, and so on). |
| Username | is | user@example.com | Enter the email address of the departing employee. |
Track critical files
Scenario: There are many scenarios where you may need to quickly locate all copies of a confidential file. For example:
- A sensitive file was accidentally emailed to the wrong distribution list or saved to a shared drive accessible to anyone in the company. You need to determine if any unauthorized users saved a copy.
- Your organization has a few critical financial files that need to be tightly controlled. You want to know if these files exist in unexpected places and/or if they are being stored on devices that belong to unauthorized users.
Search criteria:
| Filter | Operator | Value | Notes |
|---|---|---|---|
|
Filename or File path |
is | Q4_Earnings.xlsx (for example) |
Enter a complete file path or filename, including the file extension. If you only know part of the name, use the * wildcard character in your search string. For example, *earnings*. |
| Event Type | includes none | No longer observed | Excludes deleted file events. |
| Username | includes none | <list of email addresses> |
Optional |
| Exposure Type | exists | -- |
Optional Only returns results for file activity with an exposure risk (for example, sharing, uploading, moving to removable media, and so on).
Do not include this criteria if you want to find all instances of the file. |
Searching by filename is useful if you're sure the file's name has not changed. However, if a user changes a filename in an attempt to disguise it, you can still track the file's existence based on its MD5 or SHA256 hash value. In most cases, Code42 detects the initial file creation event on a user's device with the original filename, so you should find at least one result with that name. The file event data includes the MD5 and SHA256 hashes, which you can then use to perform a second search to look for additional copies of the file with the same content but a different name.
Watch the short video tutorials below for additional examples of how to locate confidential files in unauthorized locations, monitor the location of critical files, and save the search criteria for future use.
Monitor a honeypot for data exfiltration
Scenario: You want to know if internal users are maliciously searching for valuable data. A common way to identify this behavior is by creating a honeypot. A honeypot is essentially a decoy system (for example, a network, device, or specific file) that looks like it contains valuable data, but has no real business value and only exists so it can be monitored for suspicious activity.
This search can help you determine if copies of files in the honeypot exist anywhere else in your environment. (This likely indicates a user found a honeypot file and copied it.)
Search criteria:
| Filter | Operator | Value | Notes |
|---|---|---|---|
|
MD5 Hash or SHA256 Hash |
is | <MD5 or SHA256 value> | Use the MD5 or SHA256 hash of the honeypot file. |
Watch the short video tutorial below for another example of how to identify users who may have fallen for a honeypot trap.
Search for executables in unusual locations
Scenario: Applications or other executable files outside the standard Program Files or Applications folders may be an indication of malware or other unwanted activity. Use this search to find applications that exist in non-standard locations.
Search criteria:
| Filter | Operator | Value | Notes |
|---|---|---|---|
|
Filename |
includes any |
*.exe *.app |
Optionally, include additional extensions such as msi, cmd, bat, vbs (Windows) or sh, pkg (Mac) |
| File Path | includes none |
C:/Program Files/* */Applications* |
Excludes results for applications in expected locations (Program Files for Windows and Applications for Mac) |
External resources
- Microsoft PowerShell Support: Get-FileHash