Manage cases

Overview

Cases helps you manage and respond to investigations with tools that collect, organize, and retain user file activity. This tutorial explains how to create, update, export, close, and archive cases.

Specifically, Cases enables you to:

  • Assemble evidence related to an investigation
  • Add file events from Forensic Search
  • Add notes to provide additional context
  • Summarize and share findings with others in your organization

Considerations

  • To use this functionality, Incydr users must be assigned specific roles. For more information, see Permissions for Incydr.

  • Case data is secured in the Code42 cloud in accordance with the security data collection details in the Code42 architecture article. For Incydr Basic, Advanced, and Gov F1, file contents are stored separately from preservation (backup) data.

Create a new case

There are two ways to create a case: 

  • From the Cases screen in the Code42 console
  • While viewing file events in Forensic Search results

From Cases

  1. Sign in to the Code42 console.
  2. Select Cases.
  3. Select Create case.
  4. Enter a name for the case. Optionally, enter a description and assignee. The name, description, and assignee can also be edited later (until the case is closed).
  5. Click Submit.
  6. To view the case, click View case in the confirmation message that appears at the bottom of the screen. You can also select the case you just created from the list of all cases.

From Forensic Search

  1. Sign in to the Code42 console.
  2. Perform a search in Forensic Search that returns the file events you want to add to a case. There are a variety of ways to generate search results. For example:
    • Enter search criteria directly in Forensic Search.
    • From event details in other sections of the Code42 console, click the Investigate in Forensic Search icon.
      Forensic Search results appear.
  3. To add a single file event, click the Add to case icon for the event you want to add to a new case.
  4. (Optional) To add multiple events at once, select each event, then click the Add to case icon in the upper right.
  5. In the Add to case dialog, click Create case.
  6. Enter a name for the case.
  7. Click Save.
  8. To view the case, click View case in the confirmation message that appears at the bottom of the screen. You can also navigate to Cases and select the case you just created.

Add file events to an existing case

  1. Sign in to the Code42 console.
  2. Perform a search in Forensic Search that returns the file events you want to add to a case. There are a variety of ways to generate search results. For example:
    • Enter search criteria directly in Forensic Search.
    • From event details in other sections of the Code42 console, click the Investigate in Forensic Search icon.
      Forensic Search results appear.
  3. To add a single event, click the Add to case icon for the event you want to add.
  4. (Optional) To add multiple events at once, select each event, then click the Add to case icon in the upper right.
  5. In the Add to case dialog, select a case. Optionally, start typing the name of a case to filter the list of cases.
  6. To view the case, click View case in the confirmation message that appears at the bottom of the screen. You can also navigate to Cases and select the case you just added to.

File event limit

Each case is limited to 10,000 file events.

Edit a case 

To edit the case subject, details, and findings:

  1. Sign in to the Code42 console.
  2. Select Cases.
  3. From the list of cases, select a case. Optionally, click the filter icon to search by case status, date created, case name, or case subject.
    The case details appear.
  4. From the detailed case view, click the edit icon next to the section you want to update.
  5. Make your updates, then click Save.
  6. To remove a file event, click the Remove event icon for the event you want to remove.

For steps to add file activity, see the Add file events to an existing case section above.

Export a case

To export a case:

  1. Sign in to the Code42 console.
  2. Select Cases.
  3. From the list of cases, select the case you want to export.
    The case details appear.
  4. Click Export.
  5. Choose one or more components:
    • Case summary: A PDF with the case subject, details, and findings.
    • File activity: A CSV file with extensive file metadata details for all events in this case. For field definitions, see the File event metadata details.
    • Files: All file contents. 
      • Each file is exported in its own folder.
      • The folder naming convention is yyyymmdd-hhmmss - filename.ext, where the timestamp indicates the event's Date observed value.
      • The timestamp enables you to easily associate the exported file with a specific event.
      • Using a parent folder also preserves the original filename. For example, if there are two files in a case with the same name, the unique timestamp in the folder name prevents appending (1) to a filename during the export.
      • To export file contents, the total size of all files in the case must be less than 7 GB. If file contents are greater than 7 GB, download files individually from the event details.

    If you select Files, or select more than one component, the case is exported as a .zip file.

  6. Click Export.
    Your web browser downloads the case export.
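
To record what a Files export contains, the folder naming convention above can be parsed and each file hashed. This is an added example, not Code42 code: it assumes the .zip has been extracted to a local directory and that each folder holds the file named in its folder name. The page does not state the timestamp's time zone, so the value is kept as a naive datetime.

```python
import hashlib
import re
from datetime import datetime
from pathlib import Path

# Folder convention from this page: "yyyymmdd-hhmmss - filename.ext"
FOLDER_RE = re.compile(r"^(\d{8}-\d{6}) - (.+)$")

def parse_export_folder(name):
    """Split a folder name into (Date observed, original filename), or None."""
    m = FOLDER_RE.match(name)
    if not m:
        return None
    try:
        observed = datetime.strptime(m.group(1), "%Y%m%d-%H%M%S")
    except ValueError:  # right shape, but not a real date or time
        return None
    # The timestamp is fixed width, so a filename containing " - " stays intact.
    return observed, m.group(2)

def sha256_file(path):
    """Hash a file in 1 MiB chunks so large exports do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(export_root):
    """Return (entries, problems) for an extracted case export directory."""
    entries, problems = [], []
    # Top-level files such as the case summary or CSV are skipped; only folders count.
    for folder in sorted(p for p in Path(export_root).iterdir() if p.is_dir()):
        parsed = parse_export_folder(folder.name)
        if parsed is None:
            problems.append(f"unrecognized folder name: {folder.name}")
            continue
        observed, filename = parsed
        target = folder / filename  # assumption: the file sits directly in its folder
        if not target.is_file():
            problems.append(f"missing file in {folder.name}")
            continue
        entries.append({"date_observed": observed.isoformat(),
                        "filename": filename,
                        "sha256": sha256_file(target),
                        "size": target.stat().st_size})
    return entries, problems
```

Two entries with the same filename and different date_observed values are the same-name case described above; the timestamp ties each one to its event.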

Close a case

To close a case:

  1. Sign in to the Code42 console.
  2. Select Cases.
  3. From the list of cases, select the case you want to close.
    The case details appear.
  4. Click Close case.

Once a case is closed, it cannot be reopened or edited in any way.

Archive a case

To archive a case:

  1. Sign in to the Code42 console.
  2. Select Cases.
  3. From the list of cases, select the case you want to archive.
    The case details appear.
  4. Click Archive case.

Archival considerations

  • An archived case is no longer active and cannot be un-archived or modified.
  • Archiving a case permanently deletes the file events and file contents in the case. Only the case subject, details, and findings remain available.
  • To preserve the file events and file contents, Export the case before archiving it.
  • Cases can be manually archived at any time (see steps above).
  • Cases that are not manually archived are automatically archived on a pre-defined date, as shown in the Cases list. The automatic archival date varies based on your product plan and ranges from 90 to 365 days after the case's Created date.

Cases created before October 18, 2022

Automatic case archival was introduced on October 18, 2022. To allow you enough time to export older cases, cases created before October 18, 2022 use this date for the purposes of calculating the automatic archival date.

For example, if the Automatic cases archival value for your product plan is 180 days, cases created before October 18, 2022 will be automatically archived 180 days after October 18, 2022 (on April 16, 2023). 
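
The archival rules above can be turned into an export-before-archive checklist. This is an added example, not Code42 code: the case records, their field names, and the 30-day warning window are hypothetical, and reading "7 GB" as decimal gigabytes is an assumption.

```python
from datetime import date, timedelta

ARCHIVAL_INTRODUCED = date(2022, 10, 18)  # date automatic archival began (from this page)
FILES_EXPORT_LIMIT = 7 * 10**9            # "less than 7 GB"; decimal GB is an assumption

def auto_archive_date(created, plan_days):
    """Automatic archival date for a case, per the rules in this section."""
    if not 90 <= plan_days <= 365:
        raise ValueError("plan value must be between 90 and 365 days")
    # Cases created before the feature existed count from its introduction date.
    return max(created, ARCHIVAL_INTRODUCED) + timedelta(days=plan_days)

def export_deadlines(cases, plan_days, today, warn_days=30):
    """List cases that need exporting soon, earliest archival date first."""
    due = []
    for case in cases:
        archive_on = auto_archive_date(case["created"], plan_days)
        days_left = (archive_on - today).days
        # Skip cases already past their date and cases outside the warning window.
        if days_left < 0 or days_left > warn_days:
            continue
        # Archiving deletes file events and contents, so choose an export route now.
        if case["file_bytes"] < FILES_EXPORT_LIMIT:
            route = "export Files component"
        else:
            route = "download files individually"
        due.append({"name": case["name"], "archive_on": archive_on,
                    "days_left": days_left, "route": route})
    return sorted(due, key=lambda d: d["archive_on"])

# Constructed sample data; names, dates, and sizes are illustrative only.
SAMPLE_CASES = [
    {"name": "case-a", "created": date(2022, 6, 1), "file_bytes": 2 * 10**9},
    {"name": "case-b", "created": date(2022, 11, 20), "file_bytes": 9 * 10**9},
    {"name": "case-c", "created": date(2023, 3, 1), "file_bytes": 10**8},
]
```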

Delete a case

To delete a case:

  1. Sign in to the Code42 console.
  2. Select Cases.
  3. From the list of cases, select the case you want to delete.
    The case details appear.
  4. Click Delete case.

Once a case is deleted, it cannot be recovered. Deleting a case:

  • Deletes case details and findings
  • Permanently deletes file activity older than the Event data retention value for your product plan (30, 90, or 180 days).