
Who is this article for?

Incydr Professional, Enterprise, Horizon, and Gov F2
Incydr Basic, Advanced, and Gov F1

Find your product plan in the Code42 console on the Account menu.

Instructor, no.

Incydr Professional, Enterprise, Horizon, and Gov F2, yes.

Incydr Basic, Advanced, and Gov F1, yes.

Code42 Support

Forensic Search reference


Forensic Search is a powerful search interface that enables security teams to monitor and investigate suspicious file activity. Forensic Search provides detailed visibility about insider risks caused by files:

  • Stored on user devices
  • Stored in corporate cloud storage services, such as Google Drive and Microsoft OneDrive
  • Synced to personal cloud storage services, such as Box, Dropbox, iCloud, and OneDrive
  • Uploaded via web browsers
  • Moved to removable media
  • Sent as email attachments in Microsoft Office 365 and Gmail
  • Sent to printers (Mac and Linux only)

The type of file activity returned in Forensic Search results varies based on which detection types and data connections are enabled in your Code42 environment.

This article describes how to use the Forensic Search interface. For detailed descriptions of each field returned in search results, see the File event metadata reference guide.

Forensic Search

To access Forensic Search:

  1. Sign in to the Code42 console.
    You must have a role with permissions that allow access to Forensic Search.
  2. Select Forensic Search > Search.
What is a "file event"?
Forensic Search reports on file events detected by Code42. A file event is defined as any activity observed for a file. For example, creating, modifying, renaming, moving, or deleting a file generates an event for that file. Events are reported for both user and system actions.

Search results

Forensic Search results

Investigate before responding
Incydr identifies potential risks, and file event metadata is just one piece of information that contributes to an investigation. Use data from Incydr as a starting point to determine if the activity is a legitimate threat.
Incydr displays data for users in all organizations
Visibility of activity captured by Incydr is not limited by your Code42 organization hierarchy.

Code42 organizations only control endpoint settings related to file preservation (backup), agent deployment, and identity management. Users with roles that allow access to Incydr features (such as the Risk Exposure dashboard, Alerts, and Forensic Search) can view insider risk data for users in all organizations.
Item   Description
a Risk settings

Displays all risk indicators and associated scores.


To edit risk settings, you must have the Insider Risk Admin or Insider Risk Analyst role. Users with the Insider Risk Read Only role can view risk settings, but not make changes.

b Load Saved Search Displays a searchable list of searches created and saved by users in your Code42 environment. Click the name of a search to immediately execute that search and display the results.
c Date selector

All searches must specify a date range. Select one of the following options:

  • Events observed in the last: Select a pre-defined time period. This is especially useful for saved searches because they can be used at any time in the future and still search the same relative time period.
  • Events observed on or after: Search events on or after a specific date and time. To include all events on the start date, enter a time value of 00:00:00.
  • Events observed on or before: Search events on or before a specific date and time. To include all events on the end date, enter a time value of 23:59:59. 
  • Events observed is in range: Search events between specific start and end dates/times. Enter a time range of 00:00:00 to 23:59:59 to include all events on the start and end dates.

Times are evaluated as Coordinated Universal Time (UTC).

d Filter

Select an item from the menu or type the name of a filter to include in your search. For detailed descriptions of all filter options, see the File event metadata reference guide.

e Operator

Search operator options vary based on the search filter.

  • Single value
    • Is: Returns events that match the search criteria
    • Is not: Excludes events that match the search criteria
    • Exists: Returns events including any value for the search criteria
    • Does not exist: Returns events with no value for the search criteria
  • Multi-value (OR)
    • Includes any: Returns events that match any item in the list of search criteria. This search is evaluated as though the "OR" operator exists between each value.
    • Includes none: Returns events that do not match the items included in the list of search criteria.

For File Size, select is greater than or is less than.

f Value

Defines the search criteria. Searches are case-insensitive.


For multi-value searches (includes any or includes none), enter each value on a separate line. Do not enter a comma-separated list.


Use the * wildcard character to search for a partial string. Use the ? wildcard to replace a single character. For example:

  • Enter the search string expenses* to return events for any filename beginning with the phrase expenses, such as expenses.xls, expenses.doc, expenses to review.txt, and so on.
  • Enter the search string expenses201?.xls to return events only for filenames matching that exact pattern, such as expenses2016.xls, expenses2017.xls, and so on.

Wildcards are supported for all search filters except MD5 hash, SHA256 hash, IP address, and file size.

Avoid starting a search term with a wildcard
Do not enter a search string that begins with a wildcard or contains only wildcards (for example, filename is * or file path is *documents). These searches may take a long time to complete and can return many millions of results, which are not practical to review or export.

File Path searches require a trailing slash (/) or wildcard at the end of the search term. For example:

  • Enter /Users/Clyde/ExampleFolder/ to view only events for files in ExampleFolder.
  • Enter /Users/Clyde/ExampleFolder* to view events for files in ExampleFolder and any subfolders.

For File Size, enter a whole number (decimals are not supported) and then select a unit of measurement (bytes, kB, MB, or GB).

g Remove search criteria Removes this search criteria.
h Add search criteria Adds another item to the search criteria. Search results only return events that match all criteria.
i Save As Adds the current search criteria to the list of saved searches. When viewing an existing saved search, you can either Save As a new search or Save changes under the same name.
j Reset Clears all search filters and results.
k Update Search Performs a search based on the current search criteria.
l Modify columns Displays a list of available columns. Select or deselect items to customize the format of your search results.
m Export results

Downloads the current search results to a CSV file.

  • Exports are limited to 200,000 results.
  • Only includes the fields applicable to your product plan.
  • The CSV file is UTF-8 encoded.
    The CSV file also includes a leading byte order mark (BOM) specifying the file is UTF-8 encoded. If you use customized scripts to parse the CSV export, you may need to account for the BOM at the start of the file to ensure column headings are read correctly.

Some CSV column headers have different names than the corresponding field labels in Forensic Search. See Field name mapping and definitions for complete details.

n Select all Click to select or deselect all search results on the current page. When multiple results are selected, click Add to case in the upper right to add them all to a case.
o Event selector Click to select a file event. When multiple results are selected, click Add to case in the upper right to add them all to a case.

p Column sort indicator

Indicates how the results are currently sorted and displayed. Click any column heading to sort by that column. Click the heading again to switch between ascending and descending order.
q Risk score

Indicates the risk severity for the file event, based on observed risk indicators. Higher scores denote higher severity.

  • 9+: Critical
  • 7-8: High
  • 4-6: Moderate
  • 1-3: Low
  • 0: No risk indicated

To learn more about how risk scores are calculated, see Risk settings reference.

r Add to case

Click to add the file event to a Case:

  1. Select an existing case from the list of available options.
  2. Click Create case to create a new case and add this event to it.
  3. To view the case, click the case name in the confirmation message that appears upon adding the event. You can also navigate to Response > Cases and select it there.

Only available in Incydr product plans.

s View details Displays all metadata for the file event. For detailed descriptions of each field, see the File event metadata reference guide.
t Events per page Select to display 10, 25, 50, or 100 events per page.
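
The rules given above for the Value field (wildcards, File Path and File Size) can be checked before a search is saved or run. This is an added example, not Code42 code: `check_search_value` and `wildcard_match` are hypothetical helper names, and the matcher is a local model of the documented * and ? behaviour, not the product's implementation.

```python
import re

# Filters for which the page says wildcards are not supported.
NO_WILDCARD_FILTERS = {"md5 hash", "sha256 hash", "ip address", "file size"}


def wildcard_match(pattern, candidate):
    """Local model of the documented semantics: * is any run of characters,
    ? is exactly one character, and matching is case-insensitive."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
        for ch in pattern
    )
    return re.fullmatch(regex, candidate, re.IGNORECASE | re.DOTALL) is not None


def check_search_value(filter_name, value):
    """Return the documented rules a search value breaks (empty list = OK)."""
    name = filter_name.strip().lower()
    value = value.strip()
    if not value:
        return ["value is empty"]
    problems = []
    has_wildcard = "*" in value or "?" in value
    if name in NO_WILDCARD_FILTERS and has_wildcard:
        problems.append("wildcards are not supported for this filter")
    elif has_wildcard and (value[0] in "*?" or not value.strip("*?")):
        problems.append("starts with or contains only wildcards")
    if name == "file size" and not re.fullmatch(r"[0-9]+", value):
        problems.append("file size must be a whole number")
    if name == "file path" and not value.endswith(("/", "*", "?")):
        problems.append("file path needs a trailing slash or wildcard")
    return problems


if __name__ == "__main__":
    # Constructed sample values, taken from or modelled on the page's examples.
    for flt, val in [
        ("Filename", "expenses201?.xls"),
        ("Filename", "*"),
        ("File Path", "*documents"),
        ("File Path", "/Users/Clyde/ExampleFolder"),
        ("SHA256 hash", "abc*"),
        ("File Size", "1.5"),
    ]:
        print(f"{flt!r:14} {val!r:32} -> {check_search_value(flt, val) or 'ok'}")
    print(wildcard_match("expenses201?.xls", "Expenses2016.XLS"))
```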

File event details

To view file event details within search results:

  1. From the list of search results, click View details to show all metadata for a file event.
    Event details slide in from the right.
  2. Within the Event details, scroll to view all metadata for the event.
    • For detailed descriptions of each field, see the File event metadata reference guide.
    • Use the up and down arrow icons to view file event details for the next or previous event.
    • Click the menu icon (three dots) next to any field for options to copy the value or add it to a new or existing search.

Forensic Search results with expanded file event details

Missing file metadata
Some file events may not capture all metadata. Missing metadata is indicated by a dash (–) in the field. Most commonly, this occurs if the file did not exist on disk long enough for Code42 to capture all the metadata.
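
For scripts that consume the CSV download described under Export results, the sketch below handles the leading BOM, normalizes missing metadata, and flags an export that reached the 200,000-result limit. It is an added example, not Code42 code: the column names and sample rows are constructed placeholders, and treating an empty cell or a lone dash as missing is an assumption about how the export renders such fields.

```python
import csv
import io

EXPORT_LIMIT = 200_000          # the page: exports are limited to 200,000 results
MISSING = {"", "-", "\u2013"}   # assumption: how a missing value appears in a cell


def _clean(val):
    # Short rows yield None; treat that like any other missing value.
    if val is None or (isinstance(val, str) and val.strip() in MISSING):
        return None
    return val


def load_export(raw, limit=EXPORT_LIMIT):
    """Parse export bytes; return (rows, hit_limit) with missing cells as None."""
    # utf-8-sig removes the leading BOM if present and is harmless if absent.
    text = raw.decode("utf-8-sig")
    reader = csv.DictReader(io.StringIO(text, newline=""))
    rows = [{col: _clean(val) for col, val in row.items()} for row in reader]
    # A row count at the limit means the results were probably cut off.
    return rows, len(rows) >= limit


def first_header_naive(raw):
    """What a script that decodes as plain UTF-8 sees as the first column name."""
    return next(csv.reader(io.StringIO(raw.decode("utf-8"), newline="")))[0]


# Constructed sample export. The column names are placeholders, not the
# product's real CSV headers (see Field name mapping and definitions).
SAMPLE = (
    "\ufeffEvent ID,Filename,File path,MD5\r\n"
    "e-1,expenses2016.xls,/Users/Clyde/ExampleFolder/,\u2013\r\n"
    'e-2,"notes, draft.txt",/Users/Clyde/ExampleFolder/sub/,0123abcd\r\n'
).encode("utf-8")

if __name__ == "__main__":
    print(repr(first_header_naive(SAMPLE)))   # BOM stays glued to the header
    rows, hit_limit = load_export(SAMPLE)
    print(rows[0]["Event ID"], rows[0]["MD5"], hit_limit)
```

If `hit_limit` is true, narrow the date range or add search criteria and export again before drawing conclusions from the file.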

Saved searches

To view the list of saved searches, select Forensic Search > Saved Searches.

Saved searches list

Item   Description
a Saved search name The name of the saved search.
b Created Lists the date the search was created and the user who created it.
c Last modified Lists the most recent date the search was modified and the user who modified it.
d Run search Executes the saved search and displays the search results.


Click to view search options:

  • Edit filters: Opens the Search tab, from which you can add, remove, and update search criteria.
  • Edit name and notes: Displays the saved search name and an optional notes field. Notes are limited to 2,500 characters.
  • Delete: Permanently deletes the saved search for all users in your Code42 environment.