Who is this article for?
CrashPlan for Enterprise, no.
Code42 for Enterprise, yes.
CrashPlan for Small Business, no.
This article applies to Code42 cloud environments.
Forensic Search is a powerful tool for detecting and investigating insider threat, providing detailed visibility for Code42 administrators about:
- Files on user devices, including files not selected for backup
- Files stored only in cloud services
This tutorial explains how to search for file activity to help answer questions such as:
- What did a departing employee do before giving notice?
- What files in your Microsoft OneDrive or Google Drive account have public links or have been shared with users outside your organization?
- Are confidential or sensitive files being stored on devices that belong to unauthorized users?
- Given the filename and/or MD5 or SHA256 hash of a file, does it exist in your organization? If so, who was the first user to possess it?
- What file activity occurred during a security incident?
- Is there evidence of attempts to cover up malicious activity (deleting files, changing extensions, etc.)?
- What network interfaces were active on a device during a security incident?
For more examples, see Forensic Search use cases.
Before you begin
Follow the steps in Enable File Metadata Collection (formerly Forensic File Search) to enable File Exfiltration Detection for at least one organization in your Code42 environment.
Perform a search
For details about all possible search options and required syntax for each type of search criteria, see the Forensic Search reference guide
Forensic Search reports on file events detected by Code42. A file event is any activity observed for a file. For example, creating, modifying, renaming, moving, or deleting a file generates an event for that file. Events are reported for both user and system actions.
To search file events:
- Sign in to the Code42 console.
- Select Investigation > Forensic Search.
- Choose a date range.
- Select a search filter.
- Select the search operator.
- Enter the search value.
Entering a search string that begins with a wildcard or contains only wildcards is not recommended (for example,
filename is *or
file path is *documents). These searches may take a long time to complete and can return many millions of results, which are not practical to review or export.
- (Optional) Click the + icon to add additional search criteria, then repeat steps 4-6. Click the x icon to remove search criteria.
Search results only return events that match all selected criteria.
- Click Search. If search results are already displayed, click Update Search.
After an event is detected on a device, it may take up to 15 minutes to appear in search results.
- (Optional) Select Modify columns to select which columns appear in the results.
- Click the arrow icon to expand or collapse details for a specific file event. See the Forensic Search reference guide for more details about specific event attributes.
- (Optional) Click Most Recent Version or Exact Match to download the file contents.
Files are only available to download if they're backed up by Code42.
- (Optional) Click Save As to save the current search filters and criteria (search results are not saved). This is useful if you plan to perform the search again later.
- (Optional) Click Export Results to download the current search results as a CSV file for additional analysis.
- (Optional) Click the Add to case icon to add an event to a case.
Watch the short video below to see how to perform a search, inspect the results, and save the search for reuse. For more videos, visit the Code42 University.
- Search results return file events for all organizations in your Code42 environment.
- File events are retained and searchable for 90 days after the Date Observed.
- Observed times for file events are reported in Coordinated Universal Time (UTC). Similarly, when conducting a search for a specific time range, user-entered times are evaluated as UTC, not local time.
- When paging through search results, each page load refreshes the search results. If your search query includes the current date, search results may change as you change pages.
- From the time a file event is detected on a device, it may take up to 15 minutes for the event to appear in search results.
- The Code42 app on each user device is configured to send file events to the Code42 server every five minutes. This has several implications for search results:
- If a file is modified more than once during the five-minute window, the search results only display a single modification event.
- If a file is created and then deleted within five minutes, the New file and No longer observed events are captured and do appear in search results, but some file metadata may not be collected. If the same file is created and deleted multiple times in five minutes, a maximum of 25 events are captured for the file.
- Device metadata, such as IP Address and Hostname, is collected once per five-minute interval for each batch of file events. File events reported in the same batch always report the same device metadata.
- Changes to filenames are reported in the search results as a No longer observed event (for the old file name), immediately followed by a New file event (for the new file name).
- File changes that occur within one second of each other may not be detected. For example, if a file is created and then deleted in less than a second, these events may not appear in search results. This varies somewhat by operating system: Windows devices are more likely to capture events in quick succession (within milliseconds) than Mac devices.
- Updating a user's Code42 username does not update search results for existing events (events created prior to the change report the old username).
- In some rare scenarios, the Username may be blank or may display NAME_NOT_AVAILABLE.
- Because some cloud services provide on-demand file streaming, user devices may contain a shortcut file for every file the user has access to throughout the organization. MD5 and SHA256 hashes are not calculated for these shortcut files since they have no content. However, if your product plan includes one or more cloud service data sources (for example, Google Drive or Microsoft OneDrive), hashes are available for the actual files stored in the cloud service.
- Google Drive cloud file events do not immediately appear when sharing with Google domains that are not configured with Code42.
To reduce file event search results for unimportant files, some file locations are excluded from monitoring. In addition, file activity is only monitored on the C: drive on Windows devices and the root of the file system on Mac and Linux devices, but /Volumes is not monitored on Macs.
If you have specific questions about exclusions, contact our Customer Champions for support.
To add your own custom exclusions, see File Metadata Collection exclusions (formerly Forensic File Search).
- File metadata collection is not supported for per user installations. A single instance of the Code42 app must be installed for all user accounts on the device.
- File activity is monitored on the C: drive on Windows devices and the root of the file system on Mac and Linux devices, but /Volumes is not monitored on Macs.
- Linux devices have a default limit for the number of files and directories applications are allowed to monitor. This can impact the Code42 app's ability to capture file events for all locations on the device. To increase this default limit, follow the steps in Linux real-time file watching errors.
- The File Created Date is not available for file events on Linux devices.
- If a device is offline, file events are collected and stored locally on the device. Offline devices can store up to 1 GB of file events locally, which is approximately one million events. For normal device use, this is enough to capture up to 100 days of offline file events. Once a network connection is available, these events are sent to the Code42 server. If a device is offline long enough to generate more than 1 GB of file events, some events may not be reported.