# Forensics Search

1. [Overview](#overview)
2. [Quickstart: Investigate Potential Data Exfiltration](#quickstart-investigate-potential-data-exfiltration)
3. [Investigating Data Exfiltration with Forensic Search](#investigating-data-exfiltration-with-forensic-search)
4. [Investigation Workflow](#investigation-workflow)
5. [Risk Scoring](#risk-scoring)
6. [Common Investigation Patterns](#common-investigation-patterns)
7. [Exporting Investigation Evidence](#exporting-investigation-evidence)
8. [Tutorials](#tutorials)
9. [FAQs](#faqs)

## Overview

**Forensic Search** provides a searchable timeline of detected **data exfiltration events** across your employee base. It includes all events for all supported exfiltration vectors, not only the events that triggered a policy alert.

Security teams use Forensic Search to investigate how organizational data moves to external destinations such as cloud storage platforms, SaaS applications, and external email systems.

The interface allows analysts to search, filter, and review exfiltration events to determine:

* which user moved data
* which device performed the action
* where the data was sent
* whether sensitive data was involved

This enables rapid investigation of **insider risk incidents and potential data exfiltration activity**.

<figure><img src="https://3764378997-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FZeqNSdo8J8cLJPU3Gs5M%2Fuploads%2FYcxdyDD7Zpkw40Z5pBeJ%2FForensic%20Search%20(1).png?alt=media&#x26;token=4b7f1eb6-bdc9-49c1-a4b4-b0ab6f4acd61" alt=""><figcaption></figcaption></figure>

*Forensic Search with Date Range and Actions filter applied.*

## Quickstart: Investigate Potential Data Exfiltration

Use the following steps to quickly investigate suspicious data movement.

1. Navigate to **Discovery → Forensic Search**.
2. Select the user of interest with **User filter**.
3. Set the **Time Range** to **Last 7 days**.
4. Add a **Risk filter** and select:
   * **Critical**
   * **High**
5. Sort the event table by **Timestamp** to review the most recent events first.
6. Scan the **Destination** column for external services such as:
   * personal cloud sync
   * personal accounts
   * file-sharing sites
   * unfamiliar SaaS domains
7. Click any event to open the **Event Detail Panel**.
8. Review the following fields:
   * **User** – who performed the action
   * **Asset** – what file or content was transferred
   * **Destination** – where the data was sent
   * **Device** – which device performed the action
9. If suspicious activity is confirmed, remove the Risk filter so that all of the user's events are included, then click **Export Events** to download a CSV for documentation or further investigation.

{% hint style="info" %}
Filtering to **Critical** and **High** risk events is the fastest way to identify suspicious data transfers.
{% endhint %}

## Investigating Data Exfiltration with Forensic Search

Security teams use Forensic Search to investigate how organizational data moves to external destinations and to identify potential data exfiltration activity.

Common investigation scenarios include:

* Investigating **departing employees**
* Reviewing **unusual data transfer alerts**
* Performing **threat hunting for data exfiltration**
* Auditing **data movement to external services**
* Identifying **early adopters of Gen AI and AI Agent tools**
* Investigating **suspicious cloud storage activity**

<figure><img src="https://3764378997-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FZeqNSdo8J8cLJPU3Gs5M%2Fuploads%2FQdqKkAp8BqcrKv9ZoUMs%2FHigh%20Risk%20Investigation.png?alt=media&#x26;token=3614c6cb-54dc-44ae-a154-93b3c306eed5" alt=""><figcaption></figcaption></figure>

*Forensic Search zeroing in on suspicious cloud sync activity.*

Forensic Search allows analysts to reconstruct how data moved outside the organization by examining **sequences of exfiltration events**.

Data exfiltration rarely occurs as a single action. Instead, it typically appears as a **pattern of related events** occurring over a short period of time.

Security analysts often look for the following behavioral patterns when investigating potential exfiltration.

| Pattern                            | Description                                                                         | Why It Matters                                                                                  |
| ---------------------------------- | ----------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------- |
| **Burst Uploads**                  | Large numbers of uploads occurring in a short time window.                          | May indicate bulk data staging prior to exfiltration.                                           |
| **Off-Hours Activity**             | Transfers occurring late at night or on weekends.                                   | Unexpected activity outside normal working hours may indicate suspicious behavior.              |
| **Multiple External Destinations** | Sequential uploads to several different services.                                   | May indicate attempts to bypass security controls or distribute data across multiple locations. |
| **Personal Cloud Storage**         | Uploads to personal accounts such as Google Drive (Personal) or Dropbox (Personal). | Personal accounts are outside corporate control and represent higher exfiltration risk.         |

## Investigation Workflow

Most investigations follow this workflow:

1. Identify suspicious data movement or receive an alert.
2. Filter events by **user and/or time range**.
3. Review **event details and destinations**.
4. Identify patterns of data movement.
5. Export events for investigation documentation.

This workflow allows analysts to quickly determine whether activity represents **legitimate work or potential data exfiltration**.

***

## Risk Scoring

To assist in identifying potentially risky behavior, Nightfall assigns a risk score to individual exfiltration events observed in Forensic Search. Each event receives a risk level that helps analysts prioritize investigations and quickly surface higher-risk data transfers.

Event-level risk scoring is currently **in beta** and is intended to provide **investigation guidance rather than definitive risk determinations**. Analysts should evaluate events within the broader context of user activity and look for **patterns of behavior across multiple events**, rather than relying on a single event score.

| Risk Level  | Meaning                                         |
| ----------- | ----------------------------------------------- |
| 🚨 Critical | Immediate investigation recommended             |
| 🔴 High     | Elevated risk signals detected                  |
| 🟡 Medium   | Moderate risk indicators                        |
| 🟢 Low      | Activity appears consistent with expected usage |
| ⚪ Unknown   | Insufficient context to determine risk          |

### Risk Signals

In the current release, event risk scores are based on two primary signals:

1. **Application Risk Level**
2. **User Session Context (Corporate vs Personal Account)**

These signals help determine whether data is being transferred to a **higher-risk application** or **outside corporate identity boundaries**.

### Application Risk Level

Every destination application detected in an exfiltration event inherits a **baseline risk level** from **App Intelligence**.

App Intelligence continuously discovers and classifies the web applications employees interact with. Each application is categorized based on its function and typical data exposure risk, such as:

* Cloud storage
* File sharing
* Developer tools
* GenAI and AI Agent tools
* Business SaaS

Applications that enable easy external data transfer or lack strong identity controls typically carry higher baseline risk.

{% hint style="info" %}
[App Intelligence](https://help.nightfall.ai/data-exfiltration-prevention/app-intelligence/app-intelligence) provides the discovery and classification layer used for application risk scoring.
{% endhint %}

### User Session Context

Risk scoring also considers whether the user is operating within a **corporate identity boundary**.

When available, Nightfall determines whether a user is authenticated to a **corporate account** or a **personal account** within the destination application.

Examples:

| Scenario                                                                | Risk Impact   |
| ----------------------------------------------------------------------- | ------------- |
| Upload to corporate Google Drive                                        | Low risk      |
| Upload to personal Google Drive                                         | Critical risk |
| File uploads or copy-pastes to a GenAI site using a corporate account   | Low risk      |
| File uploads or copy-pastes to a GenAI site using a personal account    | High risk     |

Transfers to **personal accounts** represent a significantly higher risk of data exfiltration because the organization does not control those accounts.

{% hint style="info" %}
**Session detection requires the Nightfall browser extension to be installed.**
{% endhint %}

***

## Exporting Investigation Evidence

Investigators can export results using **Export Events**.

Exports include:

* event fields
* timestamps
* risk scores

Exports are commonly used for:

* incident response documentation
* compliance reporting
* deeper analysis in SIEM platforms

Exports respect active filters, allowing analysts to export **specific investigation scopes**.
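The behavioral patterns in the table above (burst uploads, off-hours activity, multiple external destinations, personal cloud storage) can be checked programmatically over the CSV produced by **Export Events**, for example before loading it into a SIEM. The script below is an added example, not Nightfall's own code; it assumes the export's column names (`timestamp`, `user`, `device`, `action`, `destination`, `asset`, `risk`) and the burst-window and working-hours thresholds, all of which should be mapped to your real export.

```python
# Added example, not Nightfall's code: flag the table's four patterns in a CSV export.
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

BURST_WINDOW = timedelta(minutes=10)  # assumed threshold: events per 10-minute window
BURST_COUNT = 5
BUSINESS_HOURS = range(8, 18)         # assumed: Mon-Fri, 08:00-17:59 local time

# Constructed sample export; column names are assumed, map them to your own headers.
SAMPLE_CSV = """timestamp,user,device,action,destination,asset,risk
2026-03-02T23:41:00,jdoe@example.com,LAPTOP-01,Upload,Google Drive (Personal),q1_forecast.xlsx,Critical
2026-03-02T23:43:00,jdoe@example.com,LAPTOP-01,Upload,Google Drive (Personal),customer_list.csv,Critical
2026-03-02T23:44:00,jdoe@example.com,LAPTOP-01,Upload,Dropbox (Personal),roadmap.pptx,Critical
2026-03-02T23:46:00,jdoe@example.com,LAPTOP-01,Upload,WeTransfer,design_specs.zip,High
2026-03-02T23:48:00,jdoe@example.com,LAPTOP-01,Cloud Sync,Dropbox (Personal),contracts/,Critical
2026-03-03T10:15:00,asmith@example.com,LAPTOP-07,Upload,Google Drive (Corporate),notes.docx,Low
"""

def load_events(text):
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:  # attach a datetime so events can be sorted and windowed
        r["ts"] = datetime.fromisoformat(r["timestamp"])
    return rows

def off_hours(ts):
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS  # weekend or outside hours

def find_patterns(events):
    """Return {user: set of pattern names}; a user with no hits maps to an empty set."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    findings = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        hits = set()
        for i, e in enumerate(evs):
            window = [x for x in evs[i:] if x["ts"] - e["ts"] <= BURST_WINDOW]
            if off_hours(e["ts"]):
                hits.add("off_hours")
            if "(Personal)" in e["destination"]:
                hits.add("personal_cloud_storage")
            if len(window) >= BURST_COUNT:
                hits.add("burst_uploads")
            if len({x["destination"] for x in window}) >= 3:  # assumed threshold
                hits.add("multiple_external_destinations")
        findings[user] = hits
    return findings
```

Run it as `find_patterns(load_events(open("export.csv").read()))`; a user whose set contains several patterns at once is the "pattern of related events" the investigation workflow looks for.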

***

## Tutorials

### Investigating a Departing Employee

1. Open **Forensic Search**.
2. Set the time range to **Last 30 days**.
3. Filter by the employee's email.
4. Review the timeline histogram for activity spikes.
5. Filter to **Critical and High risk events**.
6. Review destinations and file metadata.
7. **Zoom in on suspicious events** by clicking on the timeline.
8. Remove the Risk filter and expand the date range to **review surrounding behaviors**.
9. **Export relevant events** for documentation.

***

### Investigating Off-Hours Transfers

1. Set the time range to **Last 7 days**.
2. Review the timeline for late-night activity.
3. Zoom into suspicious time windows.
4. Filter by **High and Critical risk events**.
5. Review upload destinations.

***

### Investigating Unusual Data Movement

1. Filter by **Upload** or **Cloud Sync**.
2. Filter by **Critical and High risk events**.
3. Look for sequential transfers to external services.
4. Review event details to confirm file types and destinations.
5. Export events if escalation is required.

***

## FAQs

#### How far back can I search events?

Events can be searched for up to **180 days**. Currently, the earliest available events begin on **February 6, 2026**, so searches cannot return events earlier than that date.

***

#### How quickly do events appear?

Events typically appear within **30 minutes** of occurring.

***

#### Can events be exported?

Yes. Events matching current filters can be exported to **CSV**.

***

#### Can searches be saved?

Saved searches are planned for a future release.

***

#### Who can access Forensic Search?

Access is controlled through Nightfall **role-based permissions**.
