Overview
Cases helps you manage and respond to investigations with tools that collect, organize, and retain user file activity. This tutorial explains how to create, update, export, close, and archive cases.
Specifically, Cases enables you to:
- Assemble evidence related to an investigation
- Add file events from Forensic Search
- Add notes to provide additional context
- Summarize and share findings with others in your organization
Considerations
- Case data is secured in the Code42 cloud in accordance with the security data collection details in the Code42 architecture article. For Incydr Basic, Advanced, and Gov F1, file contents are stored separately from preservation (backup) data.
Create a new case
There are two ways to create a case:
- From the Cases screen in the Code42 console
- While viewing file events in Forensic Search results
From Cases
- Sign in to the Code42 console.
- Select Cases.
- Select Create case.
- Enter a name for the case. Optionally, enter a description and assignee. The name, description, and assignee can also be edited later (until the case is closed).
- Click Submit.
- To view the case, click View case in the confirmation message that appears at the bottom of the screen. You can also select the case you just created from the list of all cases.
From Forensic Search
- Sign in to the Code42 console.
- Perform a search in Forensic Search that returns the file events you want to add to a case. There are a variety of ways to generate search results. For example:
  - Enter search criteria directly in Forensic Search.
  - From event details in other sections of the Code42 console, click the Investigate in Forensic Search icon.
  Forensic Search results appear.
- To add a single file event, click the Add to case icon for the event you want to add to a new case.
- (Optional) To add multiple events at once, select each event, then click the Add to case icon in the upper right.
- In the Add to case dialog, click Create case.
- Enter a name for the case.
- Click Save.
- To view the case, click View case in the confirmation message that appears at the bottom of the screen. You can also navigate to Cases and select the case you just created.
Add file events to an existing case
- Sign in to the Code42 console.
- Perform a search in Forensic Search that returns the file events you want to add to a case. There are a variety of ways to generate search results. For example:
  - Enter search criteria directly in Forensic Search.
  - From event details in other sections of the Code42 console, click the Investigate in Forensic Search icon.
  Forensic Search results appear.
- To add a single event, click the Add to case icon for the event you want to add.
- (Optional) To add multiple events at once, select each event, then click the Add to case icon in the upper right.
- In the Add to case dialog, select a case. Optionally, start typing the name of a case to filter the list of cases.
- To view the case, click View case in the confirmation message that appears at the bottom of the screen. You can also navigate to Cases and select the case you just added to.
Edit a case
To edit the case subject, details, and findings:
- Sign in to the Code42 console.
- Select Cases.
- From the list of cases, select a case. Optionally, click the filter icon to search by case status, date created, case name, or case subject.
The case details appear.
- From the detailed case view, click the edit icon next to the section you want to update.
- Make your updates, then click Save.
- To remove a file event, click the Remove event icon for the event you want to remove.
For steps to add file activity, see the Add file events to an existing case section above.
Export a case
To export a case:
- Sign in to the Code42 console.
- Select Cases.
- From the list of cases, select the case you want to export.
The case details appear.
- Click Export.
- Choose one or more components:
- Click Export.
Your web browser downloads the case export.
Close a case
To close a case:
- Sign in to the Code42 console.
- Select Cases.
- From the list of cases, select the case you want to close.
The case details appear.
- Click Close case.
Once a case is closed, it cannot be reopened or edited in any way.
Archive a case
To archive a case:
- Sign in to the Code42 console.
- Select Cases.
- From the list of cases, select the case you want to archive.
The case details appear.
- Click Archive case.
Archival considerations
- An archived case is no longer active and cannot be un-archived or modified.
- Archiving a case permanently deletes the file events and file contents in the case. Only the case subject, details, and findings remain available.
- To preserve the file events and file contents, Export the case before archiving it.
- Cases can be manually archived at any time (see steps above).
- Cases that are not manually archived are automatically archived on a pre-defined date, as shown in the Cases list. The automatic archival date varies based on your product plan and ranges from 90 to 365 days after the case's Created date.
Delete a case
To delete a case:
- Sign in to the Code42 console.
- Select Cases.
- From the list of cases, select the case you want to delete.
The case details appear.
- Click Delete case.
Once a case is deleted, it cannot be recovered. Deleting a case:
- Deletes case details and findings
- Permanently deletes file activity older than the Event data retention value for your product plan (30, 90, or 180 days).