Forensic Search reference guide

If

Callstack:
    at (Article_Update_Log/2021-07-01/Forensic_Search_reference_guide), /content/body/table[1]/tbody/tr[1]/td[2]/p/span, line 1, column 10

The name of the file, including the file extension. If applicable, links to download the file appear below the filename.

Endpoint file activity

• If the file is included in the user's
  ParseError: EOF expected (click for details)

  Callstack:
      at (Article_Update_Log/2021-07-01/Forensic_Search_reference_guide), /content/body/table[1]/tbody/tr[2]/td[2]/ul[1]/li/span[1], line 1, column 10
  

  backup file selection, or among files backed up by other users in your
  ParseError: EOF expected (click for details)

  Callstack:
      at (Article_Update_Log/2021-07-01/Forensic_Search_reference_guide), /content/body/table[1]/tbody/tr[2]/td[2]/ul[1]/li/span[2], line 1, column 10
  

  , links to download the file contents appear.

Depending on available versions, one or both links may appear:

• Most Recent Version: Downloads the most recent version of the file in the backup archive.
• Exact Match: Downloads the version of the file in the backup archive which matches the MD5 hash of the this specific file event.

If the most recent version also matches the MD5 hash for this event, only the Exact Match link appears.

You must be signed in as a user with either the Customer Cloud Admin or Security Center - Restore role to download files.

Cloud file activity

Click the filename to open the file in the respective cloud service's file viewer. To view the file:

• The file must still exist in the cloud service.
• You must have permission to access the file. Depending on how the file is shared, you may have to sign in to your cloud service's user account before viewing it. For example, for Box, you must be logged in to the "Admin Console" for the link to be valid.

Email file activity

Click the filename to open the file attached to the email. (Microsoft Office 365 Email only)

The file location on the user's device.

Endpoint file events only. Cloud and email events do not include a file path.

Size of the file.

Not available for Google file types (for example, Google Sheets or Google Docs).

The MD5 hash of the file contents.

The SHA256 hash of the file contents. 

File creation timestamp as reported by the device's operating system or the data connection. This appears in Coordinated Universal Time (UTC).

Mac and Windows NTFS devices only.

File modification timestamp as reported by the device's operating system or the data connection.

For endpoints, this only indicates changes to file contents. Changes to file permissions, file owner, or other metadata are not reflected in this timestamp. For cloud data connections, this timestamp reflects when the file's contents, sharing permissions, name, or storage location changed. This timestamp is not supported for for email data connections.

This appears in Coordinated Universal Time (UTC).

File classification data, as reported by your external data classification vendor. Classification data contains two values:

• Classification: The classification value applied to the file. For example: Confidential.
• Vendor: The name of the vendor that classified the file. For example: Microsoft Information Protection (MIP).

A single file may have more than one classification.

Applies only to endpoint file events.

The name of the data loss prevention (DLP) policy that detected this file, as defined in your Microsoft Office 365 Security & Compliance Center.

If the attachment is detected by more than one policy, only one policy is listed.

Only applies to emails detected by the Microsoft Office 365 DLP data connection.sent via Microsoft Office 365.

The email addresses of those who received the email. Includes the To, Cc, and Bcc recipients.