Finding Files in the Wild: From Months to Hours

Every day, your organization faces a variety of data security challenges. Many come from outside your organization, but a significant number also come from within. There are countless reasons why someone may take sensitive data from your organization, many of which are purely opportunistic. For example, what if a file with sensitive financial information is mistakenly emailed to an entire company? That may prove too tempting an opportunity for some. How can your organization respond when this happens? In this post, I’ll discuss how the response process often works today—and how it can be streamlined with Code42 Forensic File Search.

A true story

Here’s a true story of an IT team working through just such a challenge: At this organization, the HR team used Microsoft Excel for management of financial information such as bonus structures and payout schedules. By mistake, a member of the team sent an email containing an Excel file with compensation information for the entire staff to the whole company, instead of the select few who were supposed to receive it. Over 6,000 employees worldwide received the email.

Fortunately, the most sensitive information was contained on a hidden tab in the Excel file, and most employees never even opened the file. The IT team was able to recall the email, but the legal team needed to know who in the company had downloaded and opened it, in case the information within was ever used in a lawsuit. The IT and Security teams were tasked with finding every copy of the file in the organization.

A painful two-month process

While recalling the email cut the number of potential endpoints to search to around 1,000, the IT team still had to search all those devices—many of which belonged to individuals at the organization’s international offices. The IT team used a Windows file searching utility to crawl the user endpoints in question, searching for the name of the file. However, Outlook’s email client can scramble names of files, so the IT team also had to scan for any Excel file in the Temp folder of each machine, and open each of those files to visually confirm that it wasn’t the file in question.

Each scan would take between one and eight hours, depending on the size of the drive—and the scan could only be run when the target endpoint was online. If a laptop was closed during the scan, the process would have to be restarted. If a device was located in an international office, the IT team would have to work nights in order to run the scan during that office’s working hours.

The process was a tremendous hit to productivity. The IT team assigned fully half its staff to running the scans. Two of the organization’s five security team members were tasked with overseeing the process. Even the legal team’s productivity was affected. Since the IT team had to open every version of the file to verify the sensitive financial data within, the legal team had to draw up non-disclosure agreements for every person working on the project.

All told, the search for the mistakenly distributed financial file took the organization two months, and the IT team estimated that they had only recovered 80 percent of the instances of the file.

A better way: Code42 Forensic File Search

Fortunately, there is a better method for locating critical files in an organization. With Code42 Forensic File Search, administrators can search and investigate file activity and events across all endpoints in an organization in seconds. In the case of this Excel file, the IT team could have used Code42 Forensic File Search to search for the MD5 hash of the file. By searching for the MD5 instead of the file name, Code42 Forensic File Search would locate all instances of the file across all endpoints, including versions that had been renamed in the Temp folder or renamed to intentionally disguise the file. This single search would find all copies of the file, even on endpoints that are offline.
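The idea of matching by content hash instead of file name, sketched as an added Python example (this is not Code42's code and not part of the original post): it walks a directory tree and reports every file whose MD5 matches the target, whatever the file is called. The directory layout, file names and file contents are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

def md5_of(path, chunk_size=1 << 20):
    """Hash a file in chunks so large files do not have to fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def find_copies(root, target_md5, target_size):
    """Return (matches, unreadable) for files under root whose content matches."""
    matches, unreadable = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                # Cheap size check first: only same-size files get hashed.
                if os.path.getsize(path) != target_size:
                    continue
                if md5_of(path) == target_md5:
                    matches.append(path)
            except OSError:  # locked or unreadable: report it, do not skip silently
                unreadable.append(path)
    return sorted(matches), sorted(unreadable)

def demo():
    """Build a constructed directory tree and search it (all sample data is made up)."""
    content = b"constructed stand-in for the spreadsheet bytes\n" * 100
    with tempfile.TemporaryDirectory() as root:
        layout = {
            "Documents/compensation.xlsx": content,                # original name
            "Temp/Content.Outlook/A1B2C3/~tmp0042.xlsx": content,  # scrambled name
            "Desktop/holiday-photos.zip": content,                 # deliberately renamed
            "Documents/budget.xlsx": content[::-1],                # same size, other content
            "Documents/notes.txt": b"unrelated",
        }
        for rel, data in layout.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        target = hashlib.md5(content).hexdigest()
        found, skipped = find_copies(root, target, len(content))
        return [os.path.relpath(p, root).replace(os.sep, "/") for p in found], skipped

if __name__ == "__main__":
    print(demo())
```

A hash match finds only byte-identical copies: a copy that was opened and saved again has a different hash and will not be found this way.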

The feature video demonstrates Code42 Forensic File Search in action. The IT team member who shared this story is confident that it would have played out very differently with Code42 Forensic File Search. “Had we had Code42 Forensic File Search deployed, that project was probably done in a couple hours,” he said. “We would have cut two months to a couple hours.”