Open Discussion


Questions about Forensic File Search?

  • 1.  Questions about Forensic File Search?

    Posted 07-17-2018 08:25
    Hello there everyone,

    We always prefer to detect threats before they become big problems: hence the awesome tool that is Code42's Forensic File Search. On July 24th, @Nathan Hunstad (Director of Security Operations) and @Matthias Wollnik (Senior Product Manager) will be doing a live Q&A on the topic for customers in this very discussion thread from 10:30 - 11:30 CT.
    You will have the opportunity to talk with Nathan and Matthias directly next Tuesday, but if you aren't able to attend in real time, please share your questions in this thread and we'll ensure that they get answered.

    What are your questions about Forensic File Search?

    ------------------------------
    Lindsay Starke
    Community Manager
    Code42
    ------------------------------


  • 2.  RE: Questions about Forensic File Search?

    Posted 29 days ago
    Is that going to be a webinar?

    ------------------------------
    sergio castaneda
    Abs administrator
    Austin
    ------------------------------



  • 3.  RE: Questions about Forensic File Search?

    Posted 27 days ago
    Any plans to integrate FFS with ClamAV or other similar databases?

    ------------------------------
    Charles Gruener
    System Administrator
    Rochester NY
    ------------------------------



  • 4.  RE: Questions about Forensic File Search?

    Posted 25 days ago
    Hi Charles. Since FFS can see all the file activity on an endpoint there is a great opportunity to tie it into various types of "known bad" databases. We're talking about ways we can make that integration happen for things like IOC feeds, VirusTotal subscriptions, etc. When we get to that, we'll make it possible for customers to connect their data sources to our infrastructure, since everyone will have slightly different needs.
    The thing to remember is that FFS will provide visibility that things are happening and support investigations of what happened in the past, but it will not prevent specific files from appearing in your organization.

    We'll announce it broadly if/when we introduce tie-ins like that.

    ------------------------------
    Matthias Wollnik
    Senior Product Manager
    ------------------------------



  • 5.  RE: Questions about Forensic File Search?

    Posted 27 days ago
    Wondering where the best place is to start to put it into place simply. My company doesn't like change that much, or they are kind of slow to come around...

    ------------------------------
    Keith Kostman
    Tech Support Specialist
    Minneapolis MN
    ------------------------------



  • 6.  RE: Questions about Forensic File Search?

    Posted 25 days ago
    Hi Keith,

    FFS can be rolled out on a per-organization basis within the Code42 application. That allows for rolling it out to a small subset of users to begin with to demonstrate the value of FFS.

    ------------------------------
    Nathan Hunstad
    Manager, Security Operations
    Minneapolis MN
    ------------------------------



  • 7.  RE: Questions about Forensic File Search?

    Posted 26 days ago
    We will be moving to a new facility soon, and this is something I would like to implement before we move. What would be a cost-effective way to implement something like this?

    ------------------------------
    Eric Rapp
    Data Center Tech
    Lynchburg VA
    ------------------------------



  • 8.  RE: Questions about Forensic File Search?

    Posted 25 days ago
    Hi Eric. FFS utilizes the same Code42 agent as everything and requires your authority deployment to be part of the new SaaS Code42 Cloud. If your deployment utilizes the SaaS Code42 cloud authority and you have agents deployed, deploying FFS on devices that already have our agent deployed is as simple as changing a configuration setting. It's right next to the Exfiltration Detection settings and labeled "Endpoint monitoring." You can enable FFS on a per-org basis so that you can show value and understand how it will work in your environment with minimal impact.

    If you have a different deployment model, please talk to your CSM rep about the options to update your deployment so that you have access to FFS.

    ------------------------------
    Matthias Wollnik
    Senior Product Manager
    ------------------------------



  • 9.  RE: Questions about Forensic File Search?

    Posted 26 days ago
    How can this be automated?

    ------------------------------
    Leon Perrin
    Cloud Engineer
    Portland ME
    ------------------------------



  • 10.  RE: Questions about Forensic File Search?

    Posted 25 days ago
    Hi Leon,

    FFS has an API for conducting searches, which makes it very automatable. We've shared a simple Python script on GitHub that you can leverage for querying via API, so you can build it into your existing automation processes: code42/ffs-tools

    In the future, we are taking a look at some of the security automation tools on the market to potentially develop additional integrations. I talk a bit about our Python tool and our future goals on our blog, including some use cases like searching for known bad MD5 hashes. Keep an eye on the blog for future updates!

    ------------------------------
    Nathan Hunstad
    Manager, Security Operations
    Minneapolis MN
    ------------------------------



  • 11.  RE: Questions about Forensic File Search?

    Posted 26 days ago
    What new features are on the roadmap for the FFS tool?

    ------------------------------
    Adam Satko
    Sim Tech Lead
    [CompanyName]
    ------------------------------



  • 12.  RE: Questions about Forensic File Search?

    Posted 25 days ago
    FFS has seen a lot of small updates over the last 3 months:
    • Search by Event Type (new file, modified, no longer observed)
    • Search by IP address (public)
    • Search by IP address (private)
    • Simple search queries are now encoded in the URL (this allows analysts to bookmark and share links to specific searches)
    • Export search results to CSV
    And coming in the near future, we'll be searching file events by SHA256 hash.
    Of course, that's just what we've pushed out. We have a very long list of features coming over the next 6 months. You'll see us add more data, more data sources, make the user interface easier to use, provide better insight into the data, make it even easier to integrate with your various other tools, and provide more security value on the data we gather.

    Stay tuned!

    P.S.: If you want a preview, under NDA, talk to your CSM reps :)

    ------------------------------
    Matthias Wollnik
    Senior Product Manager
    ------------------------------
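Matching an exported search result (the CSV export listed in post 12) against a list of known-bad hashes (the MD5 use case mentioned in post 10), as an added example in Python that is not Code42's ffs-tools script. The CSV column names and every hash and IP value below are assumptions constructed for the sample; check the column names against a real export before using it.

```python
"""Added example (not Code42's ffs-tools): match an exported FFS CSV of
file events against a list of known-bad MD5/SHA256 hashes.
Column names are assumptions; verify them against your own export."""
import csv
import io
import re

# Constructed sample export. Column names and values are assumed, not taken from FFS.
SAMPLE_CSV = """eventType,fileName,md5Checksum,sha256Checksum,publicIpAddress
CREATED,invoice.pdf,9e107d9d372bb6826bd81d3542a419d6,,203.0.113.10
MODIFIED,tool.exe,E1671797C52E15F763380B45E841EC32,,198.51.100.7
CREATED,notes.txt,,aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa,203.0.113.10
"""

# Constructed IOC list (placeholder values), as an analyst might maintain it.
KNOWN_BAD = {
    "e1671797c52e15f763380b45e841ec32",  # placeholder MD5
    "a" * 64,                            # placeholder SHA256
}

HEX = re.compile(r"^[0-9a-f]+$")

def normalize(h):
    """Lower-case a hash and reject anything that is not 32- or 64-char hex."""
    h = (h or "").strip().lower()
    return h if HEX.match(h) and len(h) in (32, 64) else None

def load_iocs(values):
    """Build the lookup set, dropping malformed entries from the IOC list."""
    return {n for n in (normalize(v) for v in values) if n}

def match_events(csv_text, iocs, event_types=None):
    """Return (fileName, eventType, matched hash, public IP) for each event
    whose MD5 or SHA256 is in the IOC set; optionally filter by event type."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if event_types and row["eventType"] not in event_types:
            continue
        for col in ("md5Checksum", "sha256Checksum"):
            h = normalize(row.get(col))
            if h and h in iocs:
                hits.append((row["fileName"], row["eventType"], h, row["publicIpAddress"]))
    return hits

if __name__ == "__main__":
    for hit in match_events(SAMPLE_CSV, load_iocs(KNOWN_BAD)):
        print(hit)
```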



  • 13.  RE: Questions about Forensic File Search?

    Posted 25 days ago
    Are there any plans to have FFS for file contents? Thinking along the lines of searchable PII strings (SSN, Credit Card, DOB, etc).

    ------------------------------
    Kendall Johnson
    Desktop Systems Administrator
    San Diego CA
    ------------------------------



  • 14.  RE: Questions about Forensic File Search?

    Posted 25 days ago
    FFS for contents is something we've heard people ask for a few times ... and something that is a big question in our minds still. Let's talk about this offline so we can better understand your needs and how best we could address them.

    Please reach out to me directly (my email is in my profile) or via your CSM. We would love to chat about this.

    ------------------------------
    Matthias Wollnik
    Senior Product Manager
    ------------------------------



  • 15.  RE: Questions about Forensic File Search?

    Posted 25 days ago
    Hi everyone-- @Nathan Hunstad and @Matthias Wollnik are in the house, so if you haven't already put a question out there, now's the time!

    ------------------------------
    Lindsay Starke
    Community Manager
    Code42
    ------------------------------



  • 16.  RE: Questions about Forensic File Search?

    Posted 25 days ago
    Can you pipe batches of files out to third party analyzers?

    ------------------------------
    scott aldinger
    sys admin
    Davis CA
    ------------------------------



  • 17.  RE: Questions about Forensic File Search?

    Posted 25 days ago
    Hi Scott. If you have our recovery product, you could script something together to pull data off an endpoint and pass it on to a 3rd party analyzer. However, I can't claim it will be trivially easy.

    We'll look at more options for integrations such as this in the future though. Please reach out to me directly and let's discuss what kind of 3rd party analyzers you are interested in.

    ------------------------------
    Matthias Wollnik
    Senior Product Manager
    ------------------------------