Forensic Search use cases

Overview

Forensic Search is a powerful search interface for monitoring and investigating file activity and risk exposure on endpoints, removable media, and in cloud services. This article provides example use cases to illustrate the types of things you can do with Forensic Search, such as:

  • Identify files shared with external users or synced to personal cloud services
  • Find files uploaded via a web browser and identify where they were sent
  • Monitor activity of departing employees before and after they give notice

These are only examples and are not intended to be an exhaustive list. If you have questions about how to best leverage Forensic Search in your Code42 environment, contact your Customer Success Manager (CSM). If you do not know your CSM, please contact our Technical Support Engineers.

Considerations

Search basics

For all use cases below, follow these steps to start your search and review the results. The additional search criteria vary by use case.

Perform a search
  1. Sign in to the Code42 console.
  2. Select Forensic Search > Search.
  3. Select a date range.
  4. Select the Filter, Operator, and Value for the first search criterion of your use case.
  5. Click the plus icon as needed to add more search criteria.
  6. Click Search.
Review results
  1. Explore file event details:
    • Review the search results to determine which file events require further investigation. Click View details to show the details for any file event. For in-depth descriptions of all file event details, see the File event metadata reference.
    • All metadata is included in the expanded file event details, but you can also click Modify columns to add or remove columns from the search results.
  2. Download files from the Filename section:
    • Endpoint events: Click Download file to save the file to your local device.
      • Insider risk agent: All exfiltrated files are available to download.
      • Backup agent: Files backed up by Code42 may also be available to download.
    • Cloud and email events: Click the filename to open the file.
  3. Save and export
    • Click Export Results to download the results as a CSV file for additional analysis.
    • Click Save As to add this to your list of Saved Searches. This is helpful if you plan to perform this search again later.
  4. (Optional) Add file events to a Case to help you manage and respond to security investigations.
    • To add a single file event, click Add to case for the event you want to add.
    • To add multiple events at once:
      1. Close the Event details.
      2. Select the checkbox for each event you want to add.
      3. Click the Add to case icon in the upper right.

Forensic search results with expanded file event details

Use cases

Files synced to personal cloud services

Search for files on an endpoint synced with a personal cloud service account via an installed app. For example, files synced via a personal Google Drive account instead of your corporate Google Workspace (formerly G Suite).

Search criteria:

Filter | Operator | Value | Notes
Trusted activity | -- | Exclude | Excludes file activity from users on your list of trusted domains.
Destination category | includes any | Cloud storage | Returns results for files sent to cloud storage by either a web browser upload or a sync via an installed cloud service agent (for example, Dropbox, iCloud).
Event action | includes any | Deleted | Optional. Returns files that were synced but no longer exist on the device. This may indicate the user deleted the file after syncing it to their personal cloud service.
View the account owner
To see who is signed in to an installed cloud agent, click Modify columns and add Destination > User. You can also expand the file event details and review the Destination > User metadata.

Files shared publicly via Google Drive

Search for files in your Google Drive environment shared with users outside your domain or with publicly accessible links. Requires you to configure Google Drive as a data source.

Search criteria:

Filter | Operator | Value | Notes
Event observer | includes any | Google Drive |
Trusted activity | -- | Exclude | Excludes files shared with users on your list of trusted domains.
Share type | includes any | Anyone with the link; Shared with specific people | Returns results for files available to anyone who accesses the link (users do not need to be signed in to Google Drive to see the file) and files shared with a domain not included in your list of trusted domains.
Username | is | *@yourdomain.com | Optional. Restricts results to sharing activity performed by users on your domain. To return all publicly accessible files, do not include this criterion.

Sensitive file access in cloud services

Search for activity related to a specific file in a cloud service. For example, a financial forecast shared with unauthorized users. Requires configuration of at least one cloud data source.

Search criteria:

Filter | Operator | Value | Notes
Event observer | includes none | Endpoint | Excludes file activity on user devices.
Filename | is | Q4_earnings.xlsx (for example) | Enter a complete filename, including the file extension. If you only know part of the name, use the * wildcard character in your search string. For example, *earnings*.
Username | includes none | <list of email addresses> | Optional. If you know specific users are allowed to access the file, you can exclude them from search results by adding a list of their email addresses.

Cloud files shared with outside users

Search for any file in a cloud service shared by a user on your domain with a user who is neither on your domain nor on your list of trusted domains. Requires configuration of at least one cloud data source.

Search criteria:

Filter | Operator | Value | Notes
Trusted activity | -- | Exclude | Excludes file activity on your list of trusted domains from the search results.
Username | is not | *@yourdomain.com | Excludes files shared with users on your domain. (If your domain is included in your list of trusted domains, this filter is not necessary.)
Username | is | *@* | Only required for the OneDrive data source. Restricts results to files shared with an email address. In some circumstances, your OneDrive users may display only a first and last name instead of an email address. Outside users always display an email address.
User | is | *@yourdomain.com | Only returns events performed by users on your domain.
Share type | includes any | Shared with specific people | Returns results for files shared with a domain not included in your list of trusted domains.

Cloud files with public links

Search for files in cloud services that were configured to be shared publicly or outside of trusted domains by a user outside of your company. Requires configuration of at least one cloud data source.

Search criteria:

Filter | Operator | Value | Notes
Trusted activity | -- | Exclude | Excludes file activity on your list of trusted domains from the search results.
User | is not | *@yourdomain.com | Only returns events performed by users outside your domain.
Event observer | includes any | Google Drive; OneDrive; Box |
Share type | includes any | Anyone with the link; Shared with specific people | Returns results for files available to anyone who accesses the link (users do not need to be signed in to the cloud service to see the file) and files shared with a domain not included in your list of trusted domains.

Important files sent to Dropbox

Search for a specific file or any file within a specific directory that is synced to Dropbox.

Search criteria:

Filter | Operator | Value | Notes
Filename or File path | includes any | Q4_earnings.xlsx (for example) | Enter a complete file path or filename, including the file extension. If you only know part of the name, use the * wildcard character in your search string. For example, *earnings*.
Event action | includes none | Deleted | Excludes deleted file events.
Destination name | includes any | Dropbox | Returns results for files sent to Dropbox by either a web browser upload or a sync via the installed Dropbox agent.

Web browser upload to Dropbox

Search for any file uploaded to a URL containing "dropbox.com." Searching for a specific URL is especially helpful if searching by Destination Name or Destination Category does not return results for the domain.

Search criteria:

Filter | Operator | Value | Notes
Destination: Active tab URL (browser) | is | *dropbox.com* |
Trusted activity | -- | Exclude | Optional. You only need to exclude trusted activity if you include another Dropbox URL in your list of trusted domains (for example, yourcompany.dropbox.com).

Web browser upload to Slack

Search for any files attached to Slack messages in a web browser. Searching for a specific URL is especially helpful if searching by Destination Name or Destination Category does not return results for the domain.

Search criteria:

Filter | Operator | Value | Notes
Destination: Active tab URL (browser) | is | *app.slack.com* |

Files shared via the Slack desktop application

Search for any files attached to messages via the Slack desktop app. Searching for a specific executable name is especially helpful if searching by Destination Name or Destination Category does not return results for that application.

Search criteria:

Filter | Operator | Value | Notes
Executable name | is | *slack* |

Browser upload to alternative cloud storage

Search for any files uploaded via web browser to a defined list of less common cloud storage providers.

Search criteria:

Filter | Operator | Value | Notes
Event action | includes any | Browser or app read | The file was opened in an app that is commonly used for uploading files, such as a web browser, Slack, AirDrop, FTP client, or curl.
Destination: Active tab URL (browser) | includes any | *pcloud.com; *mega.nz; *sync.com; *idrive.com | Use a wildcard (*) before the domain name to include all subdomains. This example lists only a few possible cloud storage options. Customize this list for your environment.

File extension mismatch

Search for files with potential exposure where the file extension does not match the file contents (for example, a file with the .jpg extension that contains source code content). This may indicate an attempt to disguise and exfiltrate data.

Search criteria:

Filter | Operator | Value | Notes
Risk indicator | includes any | File mismatch | Returns file activity where the file extension does not match the file contents.
Event action | includes any | Browser or app read; Created on removable media; Created in sync folder; Shared | Optional. Only returns results for file activity with exposure risk (for example, sharing, uploading, moving to removable media, and so on). Do not include this criterion if you want to find all instances of file extension mismatches.
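As an added illustration of what the File mismatch risk indicator is looking for (example code written for this article, not Code42's own detection logic), the function below compares a file's leading bytes against the well-known signature for its extension and flags the page's example case, a .jpg that actually holds source code. The signature table and the text heuristic are assumptions for demonstration, not the product's rules.

```python
# Well-known leading byte signatures ("magic numbers") for a few common types.
# Assumption for this example: a file whose bytes start with none of the
# signatures listed for its extension is treated as a mismatch.
SIGNATURES = {
    "jpg": [b"\xff\xd8\xff"], "jpeg": [b"\xff\xd8\xff"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "gif": [b"GIF87a", b"GIF89a"],
    "pdf": [b"%PDF-"],
    # Office Open XML documents (xlsx, docx, pptx) are ZIP containers.
    "xlsx": [b"PK\x03\x04"], "docx": [b"PK\x03\x04"], "zip": [b"PK\x03\x04"],
}

def looks_like_text(data):
    """Heuristic: mostly printable ASCII in the first 512 bytes means text (e.g. source code)."""
    sample = data[:512]
    if not sample:
        return False
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in sample)
    return printable / len(sample) > 0.95

def extension_mismatch(filename, data):
    """Return (extension, reason) when the content does not fit the extension, else None.

    Unknown extensions return None: there is no signature to compare against.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    signatures = SIGNATURES.get(ext)
    if signatures is None:
        return None
    if any(data.startswith(sig) for sig in signatures):
        return None
    reason = "text content" if looks_like_text(data) else "unrecognised binary content"
    return (ext, reason)

if __name__ == "__main__":
    # Constructed samples: a real JPEG header, and source code saved as .jpg.
    samples = {
        "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 16,
        "photo2.jpg": b"def export_customers():\n    return db.query('SELECT * FROM customers')\n",
    }
    for name, content in samples.items():
        print(name, "->", extension_mismatch(name, content) or "ok")
```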

Track critical files

Scenario: There are many scenarios where you may need to quickly locate all copies of a confidential file. For example:

  • A sensitive file was accidentally emailed to the wrong distribution list or saved to a shared drive accessible to anyone in the company. You need to determine if any unauthorized users saved a copy.
  • Your organization has a few critical financial files that need to be tightly controlled. You want to know if these files exist in unexpected places and/or if they are being stored on devices that belong to unauthorized users.

Search criteria:

Filter | Operator | Value | Notes
Filename or File path | is | Q4_Earnings.xlsx (for example) | Enter a complete file path or filename, including the file extension. If you only know part of the name, use the * wildcard character in your search string. For example, *earnings*.
Username | includes none | <list of email addresses> | Optional. If you know specific users are allowed to access these files, you can exclude them from search results by adding a list of their email addresses.
Event action | includes any | Browser or app read; Created on removable media; Created in sync folder; Shared | Optional. Only returns results for file activity with an exposure risk (for example, sharing, uploading, moving to removable media, and so on). Do not include this criterion if you want to find all instances of the file.

Detecting a filename change
Searching by filename is useful if you're sure the file's name has not changed. However, if a user changes a filename in an attempt to disguise it, you can still track the file's existence based on its MD5 or SHA256 hash value. In most cases, Incydr detects the initial file creation event on a user's device with the original filename, so you should find at least one result with that name. The file event data includes the MD5 and SHA256 hashes, which you can then use to perform a second search to look for additional copies of the file with the same content but a different name.

Watch the short video tutorials below for additional examples of how to locate confidential files in unauthorized locations, monitor the location of critical files, and save the search criteria for future use.

 

Monitor a honeypot for data exfiltration

Scenario: You want to know if internal users are maliciously searching for valuable data. A common way to identify this behavior is by creating a honeypot. A honeypot is essentially a decoy system (for example, a network, device, or specific file) that looks like it contains valuable data, but has no real business value and only exists so it can be monitored for suspicious activity.

This search can help you determine if copies of files in the honeypot exist anywhere else in your environment. (This likely indicates a user found a honeypot file and copied it.)

Search criteria:

Filter | Operator | Value | Notes
MD5 hash or SHA256 hash | is | <MD5 or SHA256 value> | Use the MD5 or SHA256 hash of the honeypot file.

Watch the short video tutorial below for another example of how to identify users who may have fallen for a honeypot trap.
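The hash-based follow-up described under "Detecting a filename change" and the honeypot search above both come down to the same check: find every event whose MD5 or SHA256 matches the known file, regardless of filename, and set aside the users who are allowed to hold it. The example below (added here; not Code42 code) runs that check over a constructed stand-in for a CSV downloaded with Export Results. The column names in the sample are assumptions for illustration; check the header of a real export before adapting it.

```python
import csv
import hashlib
import io

def file_hashes(data):
    """Return (md5, sha256) hex digests of file content, the values you would put in the hash filter."""
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()

# Constructed honeypot file content; its hashes stand in for <MD5 or SHA256 value>.
HONEYPOT_BYTES = b"ACME Corp - FY24 salary bands (CONFIDENTIAL)\n"
HONEYPOT_MD5, HONEYPOT_SHA256 = file_hashes(HONEYPOT_BYTES)
OTHER_MD5, OTHER_SHA256 = file_hashes(b"unrelated spreadsheet\n")

# Constructed stand-in for an exported results CSV (column names assumed).
EXPORTED_CSV = "\n".join([
    "filename,filePath,username,md5,sha256,eventAction",
    f"salary_bands.xlsx,C:/honeypot/,hr-admin@yourdomain.com,{HONEYPOT_MD5},{HONEYPOT_SHA256},Created",
    f"cat_pictures.zip,E:/,bob@yourdomain.com,{HONEYPOT_MD5},{HONEYPOT_SHA256},Created on removable media",
    f"notes.txt,C:/Users/carol/,carol@yourdomain.com,{OTHER_MD5},{OTHER_SHA256},Created",
    f"salary_bands.xlsx,/Users/dave/Dropbox/,dave@yourdomain.com,{HONEYPOT_MD5},{HONEYPOT_SHA256},Created in sync folder",
]) + "\n"

def find_copies(csv_text, md5=None, sha256=None, allowed_users=()):
    """Events whose content hash matches either given value, skipping users allowed to have the file.

    Mirrors 'MD5 hash or SHA256 hash is <value>' combined with 'Username includes none <list>'.
    """
    allowed = {u.lower() for u in allowed_users}
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["username"].lower() in allowed:
            continue
        md5_hit = md5 is not None and row["md5"].lower() == md5.lower()
        sha_hit = sha256 is not None and row["sha256"].lower() == sha256.lower()
        if md5_hit or sha_hit:
            hits.append(row)
    return hits

def renamed_copies(hits, original_name):
    """Matching events stored under a different filename: same content, possibly disguised."""
    return [h for h in hits if h["filename"].lower() != original_name.lower()]

if __name__ == "__main__":
    hits = find_copies(EXPORTED_CSV, md5=HONEYPOT_MD5, allowed_users={"hr-admin@yourdomain.com"})
    for h in hits:
        print(f'{h["username"]}: {h["filePath"]}{h["filename"]} ({h["eventAction"]})')
    for h in renamed_copies(hits, "salary_bands.xlsx"):
        print("renamed copy:", h["username"], h["filename"])
```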

Search for executables in unusual locations

Scenario: Applications or other executable files outside the standard Program Files or Applications folders may be an indication of malware or other unwanted activity. Use this search to find applications that exist in non-standard locations.

Search criteria:

Filter | Operator | Value | Notes
Filename | includes any | *.exe; *.app | Optionally, include additional extensions such as msi, cmd, bat, vbs (Windows) or sh, pkg (Mac).
File path | includes none | C:/Program Files/*; */Applications* | Excludes results for applications in expected locations (Program Files for Windows and Applications for Mac).
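To make the operator semantics used throughout this article concrete, the added example below (not Code42 code) evaluates criteria rows such as "Filename includes any *.exe, *.app" and "File path includes none C:/Program Files/*, */Applications*" against constructed endpoint events, ANDing all rows as the search does when you add criteria with the plus icon. It assumes the * wildcard matches any run of characters, including path separators, and that matching is case-insensitive; the event field names are illustrative.

```python
import fnmatch

# Constructed endpoint file events (not real Code42 data).
EVENTS = [
    {"filename": "setup.exe",   "filePath": "C:/Program Files/Vendor/"},
    {"filename": "updater.exe", "filePath": "C:/Users/bob/AppData/Local/Temp/"},
    {"filename": "Zoom.app",    "filePath": "/Applications/"},
    {"filename": "helper.app",  "filePath": "/Users/carol/Downloads/"},
    {"filename": "report.xlsx", "filePath": "C:/Users/carol/Desktop/"},
    {"filename": "fix.bat",     "filePath": "E:/"},
]

def matches(value, pattern):
    """Case-insensitive wildcard match; * matches any characters, '/' included (assumed)."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())

def criterion_holds(event, field, operator, values):
    """Apply one criteria row (Filter, Operator, Value list) to a single event."""
    v = event.get(field, "")
    if operator == "is":
        return matches(v, values[0])
    if operator == "is not":
        return not matches(v, values[0])
    if operator == "includes any":
        return any(matches(v, p) for p in values)
    if operator == "includes none":
        return not any(matches(v, p) for p in values)
    raise ValueError(f"unsupported operator: {operator}")

def search(events, criteria):
    """All criteria rows must hold for an event to be returned."""
    return [e for e in events if all(criterion_holds(e, *row) for row in criteria)]

# The "Search for executables in unusual locations" use case, with .bat added
# as the Notes column suggests.
UNUSUAL_EXECUTABLES = [
    ("filename", "includes any", ["*.exe", "*.app", "*.bat"]),
    ("filePath", "includes none", ["C:/Program Files/*", "*/Applications*"]),
]

if __name__ == "__main__":
    for e in search(EVENTS, UNUSUAL_EXECUTABLES):
        print(e["filePath"] + e["filename"])
```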

External resources