When you connect Code42 to a Box, Google Drive, or Microsoft OneDrive environment, Code42 detects file events and file sharing activity in that environment as it occurs. Code42 then displays information about this file activity in the file event metadata that appears throughout Incydr. This article describes how to use Forensic Search to locate and view cloud storage file activity to aid investigations.
Search for cloud storage activity in Forensic Search
To search for general cloud storage file activity in Forensic Search, use the Share type or Event observer filters. You can add all of the sharing types or all cloud storage providers to these filters to locate all of the activity detected in your cloud environments, or you can search only for activity matching specific types or environments.
To narrow your search further, add additional filters for details that you know about the file, such as the filename, actor, or hash value.
Cloud storage file activity results
Information about cloud storage file activity is listed in several fields in the file event metadata.
- Review the Event section for basic details about what happened.
- Event action identifies whether the file is new, was modified, was shared, or was deleted from the environment.
- If the file was shared, Share type identifies the file's sharing permission. If you have the Insider Risk Admin or Insider Risk Respond role, you can also view the file's full sharing permissions list.
- Event observer identifies the environment in which the file was shared, created, or modified.
- Under User, the Username identifies who made the change to the file.
- Under File, Filename lists the name of the file and allows you to copy the link to the file for further investigation. If you have the Security Center - Restore role, you can click View file to request temporary view access to the file if you cannot access it.
- Under Destination, User identifies the users the file has been shared with. Users can only be listed here when they are specifically identified by the Shared with specific people share type (by selecting the Invited people only (Box), Restricted (Google), or Specific people (OneDrive) permissions in those cloud storage environments).
Because other sharing permissions simply generate a link that can be shared using tools within or outside the cloud environment (such as email or text messages), there's no way to capture the users with whom that link has been shared for the Anyone with the link or Anyone in your organization sharing types.
There's not always a strict one-to-one relationship between the actions a user takes on a file in your corporate cloud storage environment and the file event representing those actions in Code42. After detecting activity, Code42 makes a best effort to interpret the user's actions on a file in cloud storage. Code42 may combine several of those actions into one file event to more efficiently and effectively display those details. For example, a user modifying a file repeatedly a few seconds apart in the cloud storage environment may appear as one "file modified" event in Forensic Search.
Throttling of API requests by the cloud storage vendor can also slow Code42's metadata collection and affect how file events are displayed in Forensic Search. Both this throttling and Code42's interpretation of actions can cause multiple actions in cloud storage to be displayed in fewer events in Forensic Search.
Use case: Cloud storage events in Forensic Search
The following table walks through a common cloud sharing use case and shows examples of how such activity appears in Forensic Search. (See more use cases in Forensic Search use cases.) Note that Forensic Search automatically hides fields that are blank or that do not have any data. In addition, to focus on how cloud activity is displayed in Forensic Search, the examples below show only the sections most applicable to those results.
|Activity|As displayed in Forensic Search|
|---|---|
|Eva creates a new presentation to describe new product features and saves it in the corporate \ProductRoadmap cloud directory.|(screenshot only in the original)|
|Eva shares the presentation with her colleagues, developers Taylor and Matthias, for review and feedback.|Even though Eva has shared the file with others, her share doesn't cause additional risk because both developers' email addresses use the internal "@example.com" domain that is included on the company's trusted activity list.|
|She's under a tight deadline, so Eva adds her personal email address to the presentation so that she can work on it at home in the evening.|For this new sharing event, the Trusted activity and Share type fields show that the file has been newly shared with a specific user outside the company's trusted domains, and her personal email address appears in the Destination User field. Note that the file is still shared with Taylor and Matthias; this event shows only the new sharing that Eva added.|
|After creating a final draft, she shares it with her company's #DevManagers Slack channel to collect any final comments prior to their sales kickoff.|When Eva shared the file with the channel, Slack updated the file's sharing permissions to "Anyone at Example with the link" using its connection to the organization's Google Drive environment. The Share type field for this event indicates that the file is shared with Anyone in your organization.|
|Kickoff was a success! Marketing moves Eva's presentation to a public folder to support training for internal sales representatives and external channel partners.|The folder to which Eva's presentation was moved in the company's Google Drive environment has a permission setting of "Anyone with the link." Eva's presentation inherits this permission (along with the permissions it already has), and thus the Share type for this event indicates Anyone with the link.|