Search file activity with Forensic Search

Overview

Forensic Search is a powerful tool for investigating file activity across your organization. With a wide range of search filters covering both endpoint and cloud activity, you can easily create custom queries to gain visibility into all activity monitored by Incydr. For example:

  • Browser uploads and downloads
  • Cloud sharing
  • Removable media usage
  • Git clone, pull, and push activity
  • Print activity
  • File created, modified, and renamed events
  • Paste activity from clipboard to browser

This article describes how to perform a search. For in-depth details about the search interface, see Forensic Search reference. For details about the metadata included in search results, see the File event metadata reference.

Investigate before responding
Incydr identifies potential risks, and file event metadata is just one piece of information that contributes to an investigation. Use data from Incydr as a starting point to determine if the activity is a legitimate threat.

Perform a search

Forensic Search reports on file events detected by Incydr. A file event is any activity observed for a file. For example, creating, modifying, uploading, sharing, or deleting a file generates an event for that file.

To search file events:

  1. Sign in to the Code42 console.
    You must have a role with permissions that allow access to Forensic Search.
  2. Select Forensic Search > Search.
  3. Choose a date range. 
  4. Select a search filter, operator, and search value.
    For details about all possible search options and required syntax for each type of search criteria, see the File event metadata reference.
Avoid starting a search term with a wildcard
Do not enter a search string that begins with a wildcard or contains only wildcards (for example, filename is * or file path is *documents). These searches may either timeout and never complete, or take a long time to complete and return many millions of results, which are not practical to review or export.
  1. (Optional) Click the + icon to add additional search criteria, then repeat steps 4-6. Click the icon to remove search criteria.
    Search results only return events that match all selected criteria.
  2. Click Search. If search results are already displayed, click Update Search.

Forensic Search criteria

Review search results

  1. From the list of search results, click View details FS_expand_event_details_icon.png to show all details for a file event. See the File event metadata reference for specific details about each piece of metadata.
  2. Click Download file to download the file contents.
  3. Click the menu icon 3 dot menu icon next to any field for available actions.
    For a detailed description of each action, see the Forensic Search reference.

Forensic Search results with expanded file event details

Optional additional actions 
  1. Add an event to a case.
    • To add a single event, click Add to case Add_To_Case_Icon-source.png for the event you want to add.
    • To add multiple events at once:
      1. Close the Event details.
      2. Select the checkbox for each event you want to add.
      3. Click the Add to case icon Add_To_Case_Icon-source.png in the upper right.
  2. Select Modify columns to select which columns appear in the results.
  3. Click Save As to save the current search filters and criteria (search results are not saved). This is useful if you plan to perform the search again later. 
  4. Select the Charts tab to create custom charts based on the current search results. Use the drop down menus to select a chart type and define the chart parameters. Select Export chart to download an image of the chart.
  5. Click Export Results to download the current search results as a CSV file for additional analysis.

Video

Watch the video below to learn how to use Forensic Search to perform a search for file activity. 

Updated search filters and field names
Some search filters and field names shown in the video above have changed. For complete details, see File event metadata changes.

Additional considerations

Search results
  • Search results return file events for all organizations in your Code42 environment.
  • File event details are retained and searchable according to the event data retention period specified in your product plan. For example, if your retention period is 90 days, events are available for 90 days after the Date Observed
  • Searches allow up to 1,024 values per request.
  • Observed times for file events are reported in Coordinated Universal Time (UTC). Similarly, when conducting a search for a specific time range, user-entered times are evaluated as UTC, not local time.
  • When paging through search results, each page load refreshes the search results. If your search query includes the current date, search results may change as you change pages.
  • Events appear in search results within 75 minutes of being detected on a device. For more details on timing, see Expected time ranges for events to appear.
  • The Code42 agent on each user device is configured to send file events to the Code42 cloud every five minutes. This has several implications for search results:
    • If a file is modified more than once during the five-minute window, the search results only display a single modification event.
    • If a file is created and then deleted within five minutes, the Created and Deleted events are captured and do appear in search results, but some file metadata may not be collected. If the same file is created and deleted multiple times in five minutes, a maximum of 25 events are captured for the file.
    • Device metadata, such as IP Address and Hostname, is collected once per five-minute interval for each batch of file events. File events reported in the same batch always report the same device metadata.
  • Changes to filenames are reported in the search results as a Deleted event (for the old file name), immediately followed by a Created event (for the new file name).
  • File changes that occur within one second of each other may not be detected. For example, if a file is created and then deleted in less than a second, these events may not appear in search results. This varies somewhat by operating system: Windows devices are more likely to capture events in quick succession (within milliseconds) than Mac devices.
  • Updating a user's Code42 username does not update search results for existing events (events created prior to the change report the old username).
  • In some rare scenarios, the Username may be blank or may display NAME_NOT_AVAILABLE.
  • Because some cloud services provide on-demand file streaming, user devices may contain a shortcut file for every file the user has access to throughout the organization. MD5 and SHA256 hashes are not calculated for these shortcut files since they have no content. However, if your product plan includes one or more cloud service data sources (for example, Google Drive or Microsoft OneDrive), hashes are available for the actual files stored in the cloud service.
  • Google Drive cloud file events do not immediately appear when sharing with Google domains that are not configured with Code42.
File exclusions
To reduce file event search results for unimportant files, some file locations are excluded from monitoring. In addition, file activity is only monitored on the C: drive on Windows devices and the root of the file system on Mac and Linux devices, but /Volumes is not monitored on Macs.

If you have specific questions about exclusions, contact our Technical Support Engineers.

To add your own custom exclusions via the Code42 console, see File event exclusions.
User devices
  • File metadata collection is not supported for per user installations. A single instance of the Code42 agent must be installed for all user accounts on the device. (Not applicable to Incydr Professional, Enterprise, Horizon, and Gov F2; per user installations are not available in these product plans.)
  • File activity is monitored on the C: drive on Windows devices and the root of the file system on Mac and Linux devices, but /Volumes is not monitored on Macs.
  • Linux devices have a default limit for the number of files and directories applications are allowed to monitor. This can impact the Code42 agent's ability to capture file events for all locations on the device. To increase this default limit, follow the steps in Linux real-time file watching errors.
  • The File Created Date is not available for file events on Linux devices.
  • If a device is offline, file events are collected and stored locally on the device. Offline devices can store up to 1 GB of file events locally, which is approximately one million events. For normal device use, this is enough to capture up to 100 days of offline file events. Once a network connection is available, these events are sent to the Code42 cloud. If a device is offline long enough to generate more than 1 GB of file events, some events may not be reported.