Forensic Search reference guide
...
...
Item | Description |
---|---|
File type mismatch (not pictured) | If the file contents do not match the file extension, a File Type Mismatch row appears with details about the mismatch (for example, the file extension is .jpg but the file contains source code). This may indicate an attempt to disguise and exfiltrate data. |
Filename | The name of the file, including the file extension. If applicable, links to download the file appear below the filename. Depending on the available versions, one or both links may appear: <br> If the most recent version also matches the MD5 hash for this event, only the Exact Match link appears. <br> You must be signed in as a user with either the Customer Cloud Admin or Security Center - Restore role to download files. <br> Cloud file activity: click the filename to open the file in the respective cloud service's file viewer. To view the file: <br> Email file activity: click the filename to open the file attached to the email (Microsoft Office 365 Email only). |
File path | The file location on the user's device. Endpoint file events only; cloud and email events do not include a file path. |
File category | The type of file, as determined by the file extension and file contents. For example, .gif, .jpg, and .png files are categorized as Image files. For a complete list of file categories and the specific file types in each category, see the file category reference. |
File size | Size of the file. Not available for Google file types (for example, Google Sheets or Google Docs). |
File owner | The name of the user who owns the file, as reported by the device's file system (for endpoint events) or the cloud service (for cloud events). |
MD5 hash | The MD5 hash of the file contents. |
SHA256 hash | The SHA256 hash of the file contents. |
File created | File creation timestamp as reported by the device's operating system or the data connection. Shown in Coordinated Universal Time (UTC). Mac and Windows NTFS devices only. |
File modified | File modification timestamp as reported by the device's operating system or the data connection. For endpoints, this reflects only changes to file contents; changes to file permissions, file owner, or other metadata do not update this timestamp. For cloud data connections, this timestamp reflects when the file's contents, sharing permissions, name, or storage location changed. This timestamp is not supported for email data connections. Shown in Coordinated Universal Time (UTC). |
File classification (not pictured) | File classification data, as reported by your external data classification vendor. Classification data contains two values: <br> A single file may have more than one classification. <br> Applies only to endpoint file events. |
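An added example, not code from the Forensic Search guide or the product it documents: a small Python check that derives the MD5 and SHA256 hashes the table describes and flags the File Type Mismatch condition by comparing the content's signature against the extension's category. The signature table, category names, and sample files are constructed for illustration and cover only a subset of what a real classifier would use.

```python
import hashlib
from dataclasses import dataclass
from pathlib import PurePosixPath
from typing import Optional

# Extension -> category, modelled on the guide's File category field
# (constructed subset; the product's full category list is not on this page).
EXT_CATEGORY = {
    ".gif": "Image", ".jpg": "Image", ".jpeg": "Image", ".png": "Image",
    ".pdf": "Pdf", ".zip": "Archive", ".txt": "Text",
    ".py": "Source code", ".c": "Source code", ".js": "Source code",
}
# Leading magic bytes -> content category (constructed subset of well-known signatures).
MAGIC = [
    (b"\x89PNG\r\n\x1a\n", "Image"), (b"\xff\xd8\xff", "Image"),
    (b"GIF87a", "Image"), (b"GIF89a", "Image"),
    (b"%PDF-", "Pdf"), (b"PK\x03\x04", "Archive"),
]
SOURCE_MARKERS = ("#include", "import ", "def ", "function ", "class ")

@dataclass
class FileEvent:
    filename: str
    md5: str
    sha256: str
    ext_category: Optional[str]
    content_category: Optional[str]
    mismatch: bool  # True when extension and content categories disagree

def content_category(data: bytes) -> Optional[str]:
    """Classify bytes by signature first, then fall back to a text heuristic."""
    for sig, cat in MAGIC:
        if data.startswith(sig):
            return cat
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return None  # binary with no known signature: cannot judge
    return "Source code" if any(m in text for m in SOURCE_MARKERS) else "Text"

def inspect_file(filename: str, data: bytes) -> FileEvent:
    ext_cat = EXT_CATEGORY.get(PurePosixPath(filename).suffix.lower())
    cont_cat = content_category(data)
    mismatch = ext_cat is not None and cont_cat is not None and ext_cat != cont_cat
    return FileEvent(filename, hashlib.md5(data).hexdigest(),
                    hashlib.sha256(data).hexdigest(), ext_cat, cont_cat, mismatch)

# Constructed sample events: source code disguised as .jpg, a genuine PNG, a real .py file.
SAMPLE_EVENTS = {
    "report.jpg": b"#include <stdio.h>\nint main(void) { return 0; }\n",
    "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "notes.py": b"import os\nprint(os.getcwd())\n",
}

def scan(events=SAMPLE_EVENTS):
    return {name: inspect_file(name, data) for name, data in events.items()}
```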
...
...