Forensic Search reference

Last updated
Save as PDF

Who is this article for?

Incydr Professional, Enterprise, Horizon, and Gov F2

Incydr Basic, Advanced, and Gov F1

Find your product plan in the Code42 console on the Account menu.

Instructor, no.

Incydr Professional, Enterprise, Horizon, and Gov F2, yes.

Incydr Basic, Advanced, and Gov F1, yes.

Overview

Forensic Search is a powerful search interface that enables security teams to monitor and investigate suspicious file activity. Forensic Search provides detailed visibility about insider risks caused by files:

Stored on user devices
Stored in corporate cloud storage services, such as Google Drive and Microsoft OneDrive
Synced to personal cloud storage services, such as Box, Dropbox, iCloud, and OneDrive
Uploaded via web browsers
Moved to removable media
Sent as email attachments in Microsoft Office 365 and Gmail
Sent to printers (Mac and Linux only)

The type of file activity returned in Forensic Search results varies based on which detection types and data connections are enabled in your Code42 environment.

This article describes how to use the Forensic Search interface. For detailed descriptions of each field returned in search results, see the File event metadata reference guide.

Forensic Search

To access Forensic Search:

Sign in to the Code42 console.
You must have a role with permissions that allow access to Forensic Search.
Select Forensic Search > Search.

What is a "file event"?
Forensic Search reports on file events detected by Code42. A file event is defined as any activity observed for a file. For example, creating, modifying, renaming, moving, or deleting a file generates an event for that file. Events are reported for both user and system actions.

Search results

Forensic Search results

Item		Description
a	Risk settings	Displays all risk indicators and associated scores. To edit risk settings, you must have the Insider Risk Admin or Insider Risk Analyst role. Users with the Insider Risk Read Only role can view risk settings, but not make changes.
b	Load Saved Search	Displays a searchable list of searches created and saved by users in your Code42 environment. Click the name of a search to immediately execute that search and display the results.
c	Date selector	All searches must specify a date range. Select one the following options: Events observed in the last: Select a pre-defined time period. This is especially useful for saved searches because they can be used at any time in the future and still search the same relative time period. Events observed on or after: Search events on or after a specific date and time. To include all events on the start date, enter a time value of 00:00:00. Events observed on or before: Search events on or before a specific date and time. To include all events on the end date, enter a time value of 23:59:59. Events observed is in range: Search events between specific start and end dates/times. Enter a time range of 00:00:00 to 23:59:59 to include all events on the start and end dates. Times are evaluated as Coordinated Universal Time (UTC).
d	Filter	Select an item from the menu or type the name of a filter to include in your search. For detailed descriptions of all filter options, see the File event metadata reference guide.
e	Operator	Search operator options vary based on the search filter. Single value Is: Returns events that match the search criteria Is not: Excludes events that match the search criteria Exists: Returns events including any value for the search criteria Does not exist: Returns events with no value for the search criteria Multi-value (OR) Includes any: Returns events that match any item in the list of search criteria. This search is evaluated as though the "OR" operator exists between each value. Includes none: Returns events that do not match the items included in the list of search criteria. For File Size, select is greater than or is less than.
f	Value	Defines the search criteria. Searches are case-insensitive. For multi-value searches (includes any or includes none), enter each value on a separate line. Do not enter a comma-separated list. Use the * wildcard character to search for a partial string. Use the ? wildcard to replace a single character. File size For example: Enter the search string expenses* to return events for any filename beginning with the phrase expenses, such as expenses.xls, expenses.doc, expenses to review.txt, and so on. Enter the search string expenses201?.xls to return events only for filenames matching that exact pattern, such as expenses2016.xls, expenses2017.xls, and so on. Wildcards are supported for all search filters except MD5 hash, SHA256 hash, IP address, and file size. Avoid starting a search term with a wildcard Do not enter a search string that begins with a wildcard or contains only wildcards (for example, `filename is ` or `file path is documents`). These searches may take a long time to complete and can return many millions of results, which are not practical to review or export. File Path searches require a trailing slash (/) or wildcard at the end of the search term. For example: Enter /Users/Clyde/ExampleFolder/ to view only events for files in ExampleFolder. Enter /Users/Clyde/ExampleFolder* to view events for files in ExampleFolder and any subfolders. For File Size, enter a whole number (decimals are not supported) and then select a unit of measurement (bytes, kB, MB, or GB).
g	Remove search criteria	Removes this search criteria.
h	Add search criteria	Adds another item to the search criteria. Search results only return events that match all criteria.
i	Save As	Adds the current search criteria to the list of saved searches. When viewing an existing saved search, you can either Save As a new search or Save changes under the same name.
j	Reset	Clears all search filters and results.
k	Update Search	Performs a search based on the current search criteria.
l	Modify columns	Displays a list of available columns. Select or deselect items to customize the format of your search results.
m	Export results	Downloads the current search results to a CSV file. Exports are limited to 200,000 results. Only includes the fields applicable to your product plan. The CSV file is UTF-8 encoded. The CSV file also includes a leading byte order mark (BOM) specifying the file is UTF-8 encoded. If you use customized scripts to parse the CSV export, you may need to account for the BOM at the start of the file to ensure column headings are read correctly. Some CSV column headers have different names than the corresponding field labels in Forensic Search. See Field name mapping and definitions for complete details.
n	Select all	Click to select or deselect all search results on the current page. When multiple results are selected, click Add to case in the upper right to add them all to a case.
o	Event selector	Click to select a file event. When multiple results are selected, click Add to case in the upper right to add them all to a case.
p	Column sort indicator	Indicates how the results are currently sorted and displayed. Click any column heading to sort by that column. Click the heading again to switch between ascending and descending order.
q	Risk score	Indicates the risk severity for the file event, based on observed risk indicators. Higher scores denote higher severity. 9+: Critical 7-8: High 4-6: Moderate 1-3: Low 0: No risk indicated To learn more about how risk scores are calculated, see Risk settings reference.
r	Add to case	Click to add the file event to a Case: Select an existing case from the list of available options. Click Create case to create a new case and add this event to it. To view the case, click the case name in the confirmation message that appears upon adding the event. You can also navigate to Response > Cases and select it there. Only available in Incydr product plans.
s	View details	Displays all metadata for the file event. For detailed descriptions of each field, see the File event metadata reference guide.
t	Events per page	Select to display 10, 25, 50, or 100 events per page.

File event details

To view file event details within search results:

From the list of search results, click View details to show all metadata for a file event.
Event details slide in from the right.
Within the Event details, scroll to view all metadata for the event.
- For detailed descriptions of each field, see the File event metadata reference guide.
- Use the and arrow icons to view file event details for the next or previous event.
- Click the menu icon next to any field for options to copy the value or add it to a new or existing search.

Forensic Search results with expanded file event details

Missing file metadata
Some file events may not capture all metadata. Missing metadata is indicated by a dash (–) in the field. Most commonly, this occurs if the file did not exist on disk long enough for Code42 to capture all the metadata.

Saved searches

To view the list of saved searches, select Forensic Search > Saved Searches.

Saved searches list

Item		Description
a	Saved search name	The name of the saved search.
b	Created	Lists the date the search was created and the user who created it.
c	Last modified	Lists the most recent date the search was modified and the user who modified it.
d	Run search	Executes the saved search and displays the search results.
e	Actions	Click to view search options: Edit filters: Opens the Search tab, from which you can add, remove, and update search criteria. Edit name and notes: Displays the saved search name and an optional notes field. Notes are limited to 2,500 characters. Delete: Permanently deletes the saved search for all users in your Code42 environment.

Overview

Forensic Search

Search results

File event details

Saved searches

Related topics