
Instructor, no.

Incydr Professional, Enterprise, Gov F2, and Horizon, no.

Incydr Basic, Advanced, and Gov F1, no.

CrashPlan Cloud, no.

Retired product plans, no.

CrashPlan for Small Business, no.


Forensic Search reference guide

...

Early access: The Print section shows print event details and a link to download an image of the printed file. The Print section only appears for Printed event types.

...

If the file cannot be hashed, an error message explains why.

Not available for:

  • Google file types (for example, Google Sheets or Google Docs).
  • Files in cloud services that have not been modified since [...]'s initial extraction.
  • Files over 3 GB ([...] version 8.5 and later).

Item Description
File type mismatch
(not pictured)

If [...] detects the file contents do not match the file extension, a File Type Mismatch row appears with details about the mismatch (for example, the file extension is .jpg but the file contains source code content). This may indicate an attempt to disguise and exfiltrate data.

Filename

The name of the file, including the file extension. If applicable, links to download the file appear below the filename.


Endpoint file activity

  • If the file is included in the user's [...] backup file selection, or among files backed up by other users in your [...], links to download the file contents appear.

Depending on available versions, one or both links may appear:

  • Most Recent Version: Downloads the most recent version of the file in the backup archive.
  • Exact Match: Downloads the version of the file in the backup archive that matches the MD5 hash of this specific file event.

If the most recent version also matches the MD5 hash for this event, only the Exact Match link appears.

 

You must be signed in as a user with either the Customer Cloud Admin or Security Center - Restore role to download files.

 

Cloud file activity

Click the filename to open the file in the respective cloud service's file viewer. To view the file:

  • The file must still exist in the cloud service.
  • You must have permission to access the file. Depending on how the file is shared, you may have to sign in to your cloud service's user account before viewing it. For example, for Box, you must be logged in to the "Admin Console" for the link to be valid.

Email file activity

Click the filename to open the file attached to the email. (Microsoft Office 365 Email only)

 

File path

The file location on the user's device.

Endpoint file events only. Cloud and email events do not include a file path.

File category

The type of file, as determined by the file extension and file contents. For example, .gif, .jpg, and .png files are categorized as Image files. For a complete list of file categories and the specific file types in each category, see [...].

File size

Size of the file.

Not available for Google file types (for example, Google Sheets or Google Docs).

File owner

The name of the user who owns the file, as reported by the device's file system (for endpoint events) or the cloud service (for cloud events).

MD5 hash

The MD5 hash of the file contents.

SHA256 hash

The SHA256 hash of the file contents. 

File created

File creation timestamp as reported by the device's operating system or the data connection. This appears in Coordinated Universal Time (UTC).

Mac and Windows NTFS devices only.

File modified

File modification timestamp as reported by the device's operating system or the data connection.

 

For endpoints, this only indicates changes to file contents. Changes to file permissions, file owner, or other metadata are not reflected in this timestamp. For cloud data connections, this timestamp reflects when the file's contents, sharing permissions, name, or storage location changed. This timestamp is not supported for email data connections.

 

This appears in Coordinated Universal Time (UTC).

File classification
(not pictured)

File classification data, as reported by your external data classification vendor. Classification data contains two values:

  • Classification: The classification value applied to the file. For example: Confidential.
  • Vendor: The name of the vendor that classified the file. For example: Microsoft Information Protection (MIP).

A single file may have more than one classification.

 

Applies only to endpoint file events.
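
The File type mismatch, MD5 hash and SHA256 hash rows above can be re-checked independently on a downloaded copy of a file. The Python below is an added example, not Code42 code or its detection logic: the signature table, the sample bytes and the event field names (filename, md5, sha256) are constructed assumptions.

```python
import hashlib
import os

# Constructed sample of file signatures; a real detector covers far more types.
SIGNATURES = {
    b"\xff\xd8\xff": {".jpg", ".jpeg"},
    b"\x89PNG\r\n\x1a\n": {".png"},
    b"GIF89a": {".gif"},
    b"%PDF-": {".pdf"},
}
KNOWN_EXTS = set().union(*SIGNATURES.values())


def type_mismatch(filename, data):
    """True when the file extension and the leading bytes disagree."""
    ext = os.path.splitext(filename)[1].lower()
    for magic, exts in SIGNATURES.items():
        if data.startswith(magic):
            return ext not in exts  # known content, wrong extension
    # No known signature: a mismatch only if the extension promises one,
    # for example a ".jpg" that actually holds source code.
    return ext in KNOWN_EXTS


def exact_match(data, event):
    """True when the bytes match both hashes recorded in the file event."""
    md5 = hashlib.md5(data).hexdigest()
    sha256 = hashlib.sha256(data).hexdigest()
    # MD5 is not collision resistant, so require the SHA256 to agree too.
    return md5 == event["md5"] and sha256 == event["sha256"]


def triage(data, event):
    """Combine both checks for one downloaded file and its event record."""
    return {
        "exact_match": exact_match(data, event),
        "type_mismatch": type_mismatch(event["filename"], data),
    }


# Constructed example: source code saved under an image extension.
SAMPLE = b"import os\nprint(os.environ)\n"
EVENT = {  # hypothetical field names, not the product's export schema
    "filename": "holiday.jpg",
    "md5": hashlib.md5(SAMPLE).hexdigest(),
    "sha256": hashlib.sha256(SAMPLE).hexdigest(),
}

if __name__ == "__main__":
    print(triage(SAMPLE, EVENT))
    print(triage(SAMPLE + b"# edited\n", EVENT))
```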

...

Item Description
Policy Names

The name of the data loss prevention (DLP) policy that detected this file, as defined in your Microsoft Office 365 Security & Compliance Center.

 

If the attachment is detected by more than one policy, only one policy is listed.

 

Only applies to emails detected by the Microsoft Office 365 DLP data connection.sent via Microsoft Office 365.

Subject

The subject of the email message.

Sender

The address of the entity responsible for transmitting the message. In many cases, this is the same as From, but it can be different if the message is sent by a server or other mail agent on behalf of someone else.

From

The display name of the sender, as it appears in the "From" field in the email. In many cases, this is the same as Sender, but it can be different if the message is sent by a server or other mail agent on behalf of someone else.

Recipients

The email addresses of those who received the email. Includes the To, Cc, and Bcc recipients.

 

...

Other changes:

  1. /body/p[14]/img/@src:
  2. "/@api/deki/files/33340/FS_Print_Details-2021_01_29-export.png""/@api/deki/files/33899/FS_Print_Details-2021_05_20-export.png"