Forensic Search use cases

Scenario

You are informed that an employee with access to files containing valuable intellectual property has given a two-week notice and is leaving to work for a competitor. While you may be able to start more closely monitoring activity and restricting access now that you know the employee is leaving, what about visibility into this user's actions before publicly giving notice? 

Forensic Search can help you determine how the user was moving files in the days and weeks leading up to the resignation, including:

• File activity on external devices, such as an external drive or memory card
• Files opened in apps that are commonly used for uploading files, such as a web browser, Slack, AirDrop, FTP client, or curl
• Files placed in a folder used for syncing with cloud services, including iCloud, Box, Dropbox, Google Drive, and Microsoft OneDrive

Steps 

1. Sign in to the Code42 console.
2. Select Investigation > Forensic Search.
3. Select a date range.
   The date search defaults to Events observed in the last, but you can also choose a specific date and time range.
4. Select the search type Exposure Type.
5. Select the exposure types to include or exclude.
   By default, Activity on removable media, Read by browser or other app, and Synced to cloud service are all selected.
6. Click the plus icon to add additional search criteria.
7. Select Username (Code42) and enter the user's email address.
8. Click Search.
9. For each result, click the  icon to expand the event details.
10. (Optional) From the Filename section, download the file contents:
    • Endpoint events: Click Most Recent Version or Exact Match to download the file.
      Only files backed up by Code42 are available to download.
    • Cloud and email events: Click the filename to open the file.
11. Note the Exposure section for each event. This lists details about files on removable media, synced to a cloud service, and accessed with a web browser.
12. Use these results to determine which files require further investigation. Optionally, click Export Results to download the results as a CSV file for additional analysis.
13. (Optional) Click Save As to add this to your list of Saved Searches. This is helpful if you plan to perform this search again later.

Scenario

Your organization uses Google Drive or OneDrive so teams can easily collaborate both internally and externally. You need to identify files that are shared outside your organization that should not be public. Forensic Search can help you determine which files have been shared externally.

Steps

1. Sign in to the Code42 console.
2. Select Investigation > Forensic Search.
3. Select a date range.
   The date search defaults to Events observed in the last, but you can also choose a specific date and time range.
4. Select the search type Exposure > Exposure Type.
5. Select the search operator includes any.
6. Click any exposure type to show all options.
   By default, all options are selected.
7. Select or deselect options so only the cloud exposure types you want to review are selected (for example, Public on the web (Google Drive only), Public via direct link, and Outside trusted domain).

8. (Optional) Click the plus icon to add search criteria (for example, a specific user or filename).
9. Click Search.
10. Use these results to determine which files require further investigation. Click the  icon to expand the details for any file event.
    • File events with the Exposure Type Public on the web (Google Drive only) indicate the file is available on public search engines and accessible to the entire World Wide Web.
    • File events with the Exposure Type Public via direct link indicate the file is not listed in public search engines, but is available to anyone who accesses the link. Users do not need to be signed in to a Google Drive or OneDrive account to see the file.
    • File events with the Exposure Type Outside trusted domain indicate the file was shared with a domain not included in your list of Trusted Domains.
    • In some case, the Shared With details may list specific users who have been granted to access the file.
11. (Optional) Click Export Results to download the results as a CSV file for additional analysis.
12. (Optional) Click Save As to add this to your list of Saved Searches. This is helpful if you plan to perform this search again later.

Scenario

There are many ways confidential files can be accidentally or maliciously distributed to an unintended audience. Consider these two examples:

• An early draft of a quarterly earnings report intended only for the executive team was accidentally saved to a shared drive accessible to anyone in the company. The report was shared to the drive at some point in the last two weeks, but no one knows exactly when. This is non-public information and it’s critical that no one sees it prior to the public release of the earnings report. This is especially urgent because the draft contained inaccurate information which would create fear, uncertainty, and doubt about the company’s financial future if it became public.
• An HR report intended only for executives that contains employee salary information, social security numbers, and other critical personally identifiable information (PII) was accidentally emailed to an expanded distribution list of managers and administrative assistants. The sender noticed the mistake immediately and notified IT, who removed all copies from the company email server.  However, the email was in the wild for about 15 minutes.

In both of these examples, you need to discover if anyone in the organization saved a copy of the confidential information to a device monitored by Code42. Forensic Search can help identify the scope of unwanted file distribution to aid with remediation efforts.

Steps

1. Obtain the filename of the accidentally-shared file.
2. Sign in to the Code42 console.
3. Select Investigation > Forensic Search.
4. In the date filter, select Events observed on or after and enter the earliest possible date the confidential information could have been accidentally shared.
5. Select the search type Filename. 
6. Enter the complete filename, including the file extension. If you only know part of the file name, use the * wildcard character in your search string. For example, *salary*.
7. Click the plus icon to add search criteria.
8. (Optional) Add search criteria to exclude authorized users:
   1. Click the plus icon to add a search criteria.
   2. Select Username (Code42).
   3. Select is not.
   4. Enter the username of an authorized user.
      If there is more than one authorized user, add another is not search criteria for each user.
9. Click Search.
10. For each result, click the  icon to expand the event details.
11. (Optional) From the Filename section, download the file contents:
    • Endpoint events: Click Most Recent Version or Exact Match to download the file.
      Only files backed up by Code42 are available to download.
    • Cloud and email events: Click the filename to open the file.
12. Use these results to determine which users or devices require further investigation. Optionally, click Export Results to download the results as a CSV file for additional analysis.
    For a specific device, if the results in the Event Type column display a New file event followed shortly by a No longer observed event, it could mean the file was deleted, moved to an external drive, or renamed. For information about tracking files moved to external drives or to cloud storage, see User Activity. For information about detecting name changes, see the tip below.

Video

Watch the short video tutorial below for another example of how to locate confidential files in unauthorized locations. For more videos, visit the Code42 University.

Scenario

Your organization has a few critical financial files that need to be tightly controlled. Forensic Search can help you determine if these files exist in unexpected places and/or if they are being stored on devices that belong to unauthorized users.

Steps

Repeat these steps for each critical file:

1. Obtain the filename.
2. Obtain the usernames for the users who are authorized to access the file.
3. Sign in to the Code42 console.
4. Select Investigation > Forensic Search.
5. Select a date range.
   The date search defaults to Events observed in the last, but you can also choose a specific date and time range.
6. Select the search type Filename.
7. Enter the complete filename, including the file extension. Alternatively, use the * wildcard character to search for a partial filename. For example, *financial*.

8. Click the plus icon to add a second search criteria.
9. Select the search type Username (Code42).
10. Select is not.
11. Enter the username of the authorized user.
    If there is more than one authorized user, add another is not search criteria for each user.
12. Click Search / Update Search.
13. Use these results to determine which users or devices require further investigation. Optionally, click Export Results to download the results as a CSV file for additional analysis. If no results are found, the file only exists in authorized locations.
14. (Optional) Click Save As to add this to your list of Saved Searches. This is helpful if you plan to perform this search again later.
15. (Optional) Click the  icon to expand the event details. From the Filename section, download the file contents:
    • Endpoint events: Click Most Recent Version or Exact Match to download the file.
      Only files backed up by Code42 are available to download.
    • Cloud and email events: Click the filename to open the file.

Video

Watch the short video tutorial below for another example of how to monitor the location of critical files and save the search criteria for future use. For more videos, visit the Code42 University.

Scenario

Your network team notices unusual upload traffic and suspects someone may be engaging in unapproved file sharing activity. Forensic Search can help you identify if any .torrent files exist on user devices, which may indicate unsanctioned peer-to-peer file sharing activity.

Steps

1. Sign in to the Code42 console.
2. Select Investigation > Forensic Search.
3. Select a date range.
   The date search defaults to Events observed in the last, but you can also choose a specific date and time range.
4. Select the search type Filename.
5. Enter this search string: *.torrent
   This searches for any files with the .torrent file extension on user devices.
6. (Optional) Click the plus icon to add search criteria (for example, a specific user or device).
7. Click Search.
8. For each result, click the  icon to expand the event details.
9. (Optional) From the Filename section, download the file contents:
   • Endpoint events: Click Most Recent Version or Exact Match to download the file.
     Only files backed up by Code42 are available to download.
   • Cloud and email events: Click the filename to open the file.
10. Use these results to determine which users or devices require further investigation. Optionally, click Export Results to download the results as a CSV file for additional analysis.
11. (Optional) Click Save As to add this to your list of Saved Searches. This is helpful if you plan to perform this search again later.

Video

Watch the short video tutorial below for another example of how to find users with unauthorized software. For more videos, visit the Code42 University.

Scenario

You want to know if internal users are maliciously searching for valuable data. A common way to identify this behavior is by creating a honeypot. A honeypot is essentially a decoy system (for example, a network, device, or specific file) that looks like it contains valuable data, but has no real business value and only exists so it can be monitored for suspicious activity.

Forensic Search can help you determine if copies of files in the honeypot exist anywhere else in your environment. (This likely indicates a user found a honeypot file and copied it.)

Steps

1. Create a file that looks like it contains valuable information but is really a fake. Place the file somewhere on your network where you think a malicious user could find it.
2. Obtain the MD5 or SHA256 hash of the honeypot file.
3. Sign in to the Code42 console.
4. Select Investigation > Forensic Search.
5. Select a date range.
   The date search defaults to Events observed in the last, but you can also choose a specific date and time range.
6. Select the search type MD5 Hash or SHA256 Hash.
7. Enter the hash you obtained in step 2.
8. (Optional) Click the plus icon to add search criteria (for example, a specific user or device).
9. Click Search.
10. For each result, click the  icon to expand the event details.
11. (Optional) From the Filename section, download the file contents:
    • Endpoint events: Click Most Recent Version or Exact Match to download the file.
      Only files backed up by Code42 are available to download.
    • Cloud and email events: Click the filename to open the file.
12. Review the results to determine if any unauthorized users saved a copy of the honeypot file. Optionally, click Export Results to download the results as a CSV file for additional analysis
13. (Optional) Click Save As to add this to your list of Saved Searches. This is helpful if you plan to perform this search again later.

Video

Watch the short video tutorial below for another example of how to identify users who may have fallen for a honeypot trap. For more videos, visit the Code42 University.

Scenario

Applications or other executable files outside the standard Program Files or Applications folders may be an indication of malware or other unwanted activity on user devices. Forensic Search can show you if any applications exist in non-standard locations.

Steps

1. Sign in to the Code42 console.
2. Select Investigation > Forensic Search.
3. Select a date range.
   The date search defaults to Events observed in the last, but you can also choose a specific date and time range.
4. Select the search type Filename.
5. Enter one of the following search strings:
   • Windows: *.exe
   • Mac: *.app
     Optionally, perform another search for extensions such as msi, cmd, bat, vbs (Windows) or sh, pkg (Mac).
6. Click the plus icon to add search criteria.
7. Select the search type File Path.
8. Select the search operator is not.
9. Enter one of the following search strings:
   • Windows: C:/Program Files/* 
   • Mac: */Applications/*
10. Click Search.
11. For each result, click the  icon to expand the event details.
12. (Optional) From the Filename section, download the file contents:
    • Endpoint events: Click Most Recent Version or Exact Match to download the file.
      Only files backed up by Code42 are available to download.
    • Cloud and email events: Click the filename to open the file.
13. Review the results to determine if any devices require action. Optionally, click Export Results to download the results as a CSV file for additional analysis.
14. (Optional) Click Save As to add this to your list of Saved Searches. This is helpful if you plan to perform this search again later.

External resources

• Microsoft PowerShell Support: Get-FileHash

Related topics

• Detect and respond to insider threats with Code42 
• Search file activity with Forensic Search
• Forensic Search reference guide 
• Forensic Search API
• Training course: Forensic Search