Who is this article for?
CrashPlan for Small Business, no.
Code42 for Enterprise, yes.
Link: Product plans and features.
This article applies to Code42 cloud environments.
When security incidents such as data leaks, malware attacks, or phishing scams strike, we're all under pressure to investigate and respond to them as quickly as possible. Code42 Forensic Search enables security teams to answer incident-related questions in seconds, rather than days or weeks.
In this course, we'll show you how to configure and use Forensic Search. This course:
- Provides a technical overview of how Forensic Search works
- Details the individual data collection sources used by Forensic Search and shows how to enable them
- Runs through the basics of performing a search
- Presents use cases
Time to complete course: 1 hour
For more training courses, visit Code42 University.
Module 1: Technical overview
When a security incident occurs, or an indicator of compromise is published, the challenge for IT and InfoSec teams begins with the simple question of "Were we exposed to risk? If so, where, and how large is our exposure?" Traditional tools which rely on querying endpoints in real time or scanning devices after the fact may take hours or days to answer this question. And all too often, the event can be missed entirely.
Code42 doesn't wait for an incident to occur to begin collecting data. And it allows incident response teams to search for indicators of compromise across their entire deployment within a matter of seconds, whether collection sources are online or not.
- Traditional forensic tools
- File events
- Licensing (product plan)
Module 2: Configuration for endpoints
The first location where your end users likely store their data is on their computers (also known as endpoints). And Code42 allows for all file events on computers to be sent to the Code42 cloud for searching with Forensic Search. Once you've got the Code42 app installed, event collection may not be enabled by default. Before you can use it, you'll need to confirm it's turned on.
In this video, we'll show you how to enable File Metadata Collection for a specific organization.
- Locate organization
- Open details pane
- Enable File Metadata Collection (formerly Forensic File Search)
Module 3: Configuration for cloud services
Today, most organizations take advantage of cloud services so that their users can efficiently sync and share files. This means a lot of file activity can take place somewhere other than on your users' endpoints. Code42 allows you to add cloud data sources for use with Forensic Search, letting you monitor file activity when users create, share, delete, or modify files on that cloud service.
In this video, we'll show you how to enable File Metadata Collection for a cloud service, specifically for Google Drive. (You can also enable File Metadata Collection for other cloud services.)
- Add a new data source
- Authorize using cloud service credentials
Module 4: Performing a search
Forensic Search is a key component of Code42's investigation capability. Once enabled, it collects event data when files are created, modified, or deleted. These events are then searchable in the Code42 Code42 console.
By the end of this video, you'll be able to search these events, inspect their details, export the results, and save a search.
- Perform a search
- View results
- Save a search
Module 5: Use cases
The videos in this module present Forensic Search use cases for a variety of security investigation scenarios.
Earnings report in the wild
Suppose the accounting team is preparing a quarterly earnings report for the executive team and accidently forwards the report to the wrong distribution list. This report is non-public information and it's critical that no one sees these numbers prior to public release. We need to determine if anyone in the organization who received the email saved a copy of the report before the email was pulled, and we need to do this fast.
- Search for the report file by filename and MD5 hash
- See who downloaded the file
Who has unauthorized software?
In the hands of a malicious actor, legitimate IT tools can become weapons against your organization. The challenge facing security teams? Identifying users or devices that have tools they shouldn't.
- Search for unauthorized software by filename
- See what other files a user has in a specific folder
A standard approach to detecting whether an insider is probing for weaknesses in defensive security layers, or looking for valuable data, is to use a honeypot. In the security world, honeypots are systems or resources that appear legitimate, but are actually isolated and monitored and appear to contain information of value to attackers who are then blocked, tracked, or monitored.
- Search for a honeypot file by its MD5 hash
- View file events associated with a honeypot file
Is malware in your environment?
When deployed in your environment, the investigation capabilities of Code42 can help you answer the question "Does known malware have a foothold in my environment?
- Search for malware by filename and MD5 hash
- View file events associated with the malware
Whether it's source code, architectural drawings, or a secret formula, intellectual property files are at the heart of most businesses, and are your "crown jewels."
- Search for intellectual property files using SHA256 hashes
- Exclude users who are supposed to have access to the files
- Save your search