In rare cases, Code42 may report file events with an unexpected event action of Modified, especially for files moved to removable media (such as a USB drive). This article explains how these unexpected events can occur and includes tips that help you identify prior activity for such files.
Unexpected Modified events can occur for any file activity, but are most commonly seen for files that have been copied or moved to removable media.
Unexpected Modified file events can occur in the following situations:
- A new file moved to removable media generates two events in Forensic Search: a Created event (which is expected) followed by a Modified file event for the same file with an unchanged hash value. This second event is unexpected: why is the event indicating that the file was modified when its hash value is unchanged?
- A new file moved to removable media generates only a single Modified file event in Forensic Search. This is unexpected: why is this file being reported as Modified (instead of as Created) if it's never existed on the removable media before?
Under the hood
These unexpected file events result from how operating systems record file system activity and how Code42 processes and interprets those records.
- When moving files to removable media, some operating systems first create the file, then write data to it, then write more data to it, and so on until the entire file exists in the new destination. In the file system, the operating system records the initial creation along with subsequent events for each time data is written to the new file. Code42 generally consolidates such similar, closely related records into a single file event to best reflect the user's action. However, the operating system's recording of this file system activity can be delayed, especially for removable media. This delay can cause Code42 to interpret the activity as separate events instead of one consolidated action, causing an unexpected Modified event with an unchanged hash value.
- When recording file system information, some operating systems (particularly macOS) use additive flags to identify file activity. When the file is first created (on a user's endpoint, for example), the file gets a "new file" flag. Then, when it is moved to removable media, a "modified" flag is added alongside any flags that already exist. As a result, the file carries both a "new file" and a "modified" flag after it reaches the new destination. Code42 makes a best effort to interpret these flags, but generally reports this activity as a single Modified file event with no prior Created event, which may contradict what the file's hash value indicates.
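The following Python model is an added illustration of the two mechanisms described above; it is not Code42's code. It folds an operating system's create-plus-write records into one file event when they arrive promptly, shows how a late-arriving write record for the same content becomes a separate Modified event with an unchanged hash, and shows how a naive reading of additive flags reports a file carrying both flags as Modified only. The 2-second window, the record and event shapes, the flag values and the sample record sequences are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List

# Assumed consolidation window: records for the same path arriving within
# this many seconds of the previous one are folded into one event.
CONSOLIDATION_WINDOW_S = 2.0

# Additive flags in the style described for macOS: once set, a flag stays
# set for the life of the file. Values are assumptions for this example.
FLAG_NEW = 0x1
FLAG_MODIFIED = 0x2


@dataclass
class FsRecord:
    path: str
    kind: str      # "create" or "write"
    ts: float      # seconds at which the OS made the record available
    sha256: str    # hash of the file contents after this record


@dataclass
class FileEvent:
    path: str
    action: str    # "Created" or "Modified"
    ts: float
    sha256: str
    flags: int


def action_from_flags(flags: int) -> str:
    """Naive reading of additive flags: a set 'modified' flag wins, so a file
    carrying both the new-file and the modified flag reports as Modified only."""
    return "Modified" if flags & FLAG_MODIFIED else "Created"


def consolidate(records: List[FsRecord]) -> List[FileEvent]:
    """Fold a create record and the writes that follow it promptly into one
    Created event; a write that surfaces after the window closes becomes a
    separate Modified event even if it carries the same final hash."""
    events: List[FileEvent] = []
    open_created: Dict[str, FileEvent] = {}   # path -> Created event still absorbing writes
    last_seen: Dict[str, float] = {}          # path -> ts of the last record handled
    flags_by_path: Dict[str, int] = {}        # path -> accumulated additive flags
    for rec in sorted(records, key=lambda r: r.ts):
        flags_by_path[rec.path] = flags_by_path.get(rec.path, 0)
        if rec.kind == "create":
            flags_by_path[rec.path] |= FLAG_NEW
            ev = FileEvent(rec.path, "Created", rec.ts, rec.sha256, flags_by_path[rec.path])
            events.append(ev)
            open_created[rec.path] = ev
        else:
            flags_by_path[rec.path] |= FLAG_MODIFIED
            ev = open_created.get(rec.path)
            if ev is not None and rec.ts - last_seen[rec.path] <= CONSOLIDATION_WINDOW_S:
                ev.sha256 = rec.sha256                 # final contents replace the interim hash
                ev.flags = flags_by_path[rec.path]     # both flags set, event still Created
            else:
                open_created.pop(rec.path, None)       # window closed for this path
                events.append(FileEvent(rec.path, "Modified", rec.ts, rec.sha256,
                                        flags_by_path[rec.path]))
        last_seen[rec.path] = rec.ts
    return events


def unexpected_modified(events: List[FileEvent]) -> List[FileEvent]:
    """Modified events whose hash equals that of the preceding event on the
    same path: the content did not change, so the action is misleading."""
    latest: Dict[str, str] = {}
    flagged = []
    for ev in events:
        if ev.action == "Modified" and latest.get(ev.path) == ev.sha256:
            flagged.append(ev)
        latest[ev.path] = ev.sha256
    return flagged


# Constructed record sequences for one file copied to a USB volume.
USB = "/Volumes/USB/report.docx"
PROMPT_RECORDS = [FsRecord(USB, "create", 0.0, "h0"),
                  FsRecord(USB, "write", 0.4, "h1"),
                  FsRecord(USB, "write", 0.9, "h2")]
DELAYED_RECORDS = [FsRecord(USB, "create", 0.0, "h0"),
                   FsRecord(USB, "write", 0.4, "h2"),
                   FsRecord(USB, "write", 9.0, "h2")]   # same hash, surfaced late

if __name__ == "__main__":
    for name, recs in (("prompt", PROMPT_RECORDS), ("delayed", DELAYED_RECORDS)):
        evs = consolidate(recs)
        print(name, [(e.action, e.sha256) for e in evs],
              "unexpected:", len(unexpected_modified(evs)))
    print(action_from_flags(FLAG_NEW | FLAG_MODIFIED))
```

Running it shows the prompt sequence collapsing into a single Created event, while the delayed sequence yields a Created event followed by a Modified event with the identical hash, which `unexpected_modified` picks out. A genuine later edit (a write with a different hash) is not flagged, so the hash comparison is the check that separates a misleading Modified event from a real one.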
Solution: Identify prior activity for unexpected Modified events
Use Forensic Search to locate previous activity for unexpected Modified file events. You can search for the filename or the file's hash value to identify previous activity involving the file across user endpoints or cloud storage services. This activity can show you where the file was located previously and moved from, providing additional context for your investigation.
- Sign in to the Code42 console.
You must have a role with permissions that allow access to Forensic Search.
- Select Forensic Search > Search.
- Choose a date range.
- Select a filter to search for the file. For example, select Filename, MD5 hash, or SHA256 hash.
- Click Search.
The results show all events for that file, and may help you identify when and where the file was created or moved from before it was seen on the removable media.
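As an added example of the lookup the steps above perform by hand, the Python below runs the same prior-activity search over a constructed set of file events: given an unexpected Modified event on removable media, it finds earlier events by hash (exact content) or by filename (all versions of the file). This is not Code42's code or export schema; the field names, host names, paths and file contents are assumptions made for the example, and the hashes are computed from made-up contents.

```python
import hashlib
import os
from datetime import datetime
from typing import List, Optional


def _hashes(content: bytes) -> dict:
    """MD5 and SHA-256 of constructed file contents, as a search result would list them."""
    return {"md5": hashlib.md5(content).hexdigest(),
            "sha256": hashlib.sha256(content).hexdigest()}


# Constructed contents: a draft and the final version of one spreadsheet.
V1 = b"constructed: q1 forecast, draft"
V2 = b"constructed: q1 forecast, final numbers"

# Constructed events shaped like a search result (timestamp, action, path,
# source endpoint, hashes). Field names are assumptions for this example.
SAMPLE_EVENTS = [
    {"ts": "2024-03-04T09:12:05Z", "action": "Created",
     "path": "/Users/alice/Documents/q1-forecast.xlsx", "source": "ALICE-MBP", **_hashes(V1)},
    {"ts": "2024-03-04T09:40:51Z", "action": "Modified",
     "path": "/Users/alice/Documents/q1-forecast.xlsx", "source": "ALICE-MBP", **_hashes(V2)},
    {"ts": "2024-03-04T10:15:00Z", "action": "Created",
     "path": "/Users/bob/Downloads/notes.txt", "source": "BOB-WIN", **_hashes(b"constructed: unrelated")},
    # The unexpected event: Modified on removable media with no Created before it there.
    {"ts": "2024-03-04T11:02:13Z", "action": "Modified",
     "path": "/Volumes/KINGSTON/q1-forecast.xlsx", "source": "ALICE-MBP", **_hashes(V2)},
]


def parse_ts(ts: str) -> datetime:
    # fromisoformat() only accepts the trailing 'Z' from Python 3.11 on
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def prior_activity(events: List[dict], target: dict, by: str = "sha256") -> List[dict]:
    """Events recorded before `target` that match it by hash ('md5' or
    'sha256') or by base filename ('filename'), oldest first."""
    t0 = parse_ts(target["ts"])
    if by == "filename":
        key = lambda e: os.path.basename(e["path"])
    else:
        key = lambda e: e[by]
    want = key(target)
    hits = [e for e in events
            if e is not target and parse_ts(e["ts"]) < t0 and key(e) == want]
    return sorted(hits, key=lambda e: parse_ts(e["ts"]))


def origin_of(events: List[dict], target: dict) -> Optional[dict]:
    """Earliest prior event with identical content, i.e. where this exact
    file came from; None when the content has never been seen before."""
    hits = prior_activity(events, target, by="sha256")
    return hits[0] if hits else None


if __name__ == "__main__":
    usb_event = SAMPLE_EVENTS[3]
    for mode in ("sha256", "filename"):
        print(f"by {mode}:")
        for e in prior_activity(SAMPLE_EVENTS, usb_event, by=mode):
            print("  ", e["ts"], e["action"], e["source"], e["path"])
    origin = origin_of(SAMPLE_EVENTS, usb_event)
    print("origin:", origin["source"], origin["path"] if origin else None)
```

The two search modes answer different questions: the hash search returns only the 09:40 event on the endpoint, which is where this exact content came from, while the filename search also returns the 09:12 Created event for the earlier draft, giving the file's full history before it appeared on the USB volume.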