CloudNine Discovery Portal - CloudNine Analyst: How do I load a Slack JSON File to CloudNine Analyst?

Use CloudNine Discovery Portal to upload and process your Slack .JSON file into CloudNine Analyst.

Introduction

Slack is an instant messaging program often used in business as a means of communication. With the appropriate licensing, Slack data may be exported in the form of a JSON file that can be uploaded to CloudNine Analyst for investigations.

This article provides the workflow steps for uploading Slack JSON files into CloudNine Analyst. 


Video: CloudNine Discovery Portal - CloudNine Analyst Slack .JSON Workflow

Workflow Diagram

Step 1: Welcome Screen

Step 2: Selecting the CloudNine Analyst Project and Evidence Container

Step 3: Select the Slack JSON zip file

Step 4: Import Settings

Step 5: Confirm & Upload

Workflow


Step 1: CloudNine Discovery Portal Welcome Screen

The Welcome screen is where you choose your CloudNine Discovery Portal workflow. 

  1. Launch CloudNine Discovery Portal.
  2. The Welcome screen appears. On the Welcome screen, there are two sections: Select Data From and Review Data Using.
  3. Under Select Data From: choose the File System (e.g. File Share, Hard Drive, Forensic Image, etc.) option.
  4. Under Review Data Using: select CloudNine Analyst, and click Continue.
  5. You are prompted to enter your login credentials for CloudNine Analyst. Enter your CloudNine Analyst Username, Password, and Domain, then click OK.
  6. The Login to CloudNine Analyst Duo authentication prompt appears. Select the authentication method you have set up in CloudNine Analyst.
  7. Once you have logged in and connected to CloudNine Analyst, the What Kind of Data are you Uploading? overlay displays. Select Slack JSON Export User & Channel Data, then click OK.

Step 2: Selecting the CloudNine Analyst Project and Evidence Container

The next step is to select the Client, Project, and Evidence Container the Slack JSON file will be uploaded to in CloudNine Analyst.  This section provides instructions on the following: 

Select CloudNine Analyst Project Overview

Loading to an Existing CloudNine Analyst Project and Evidence Container

Creating a New Evidence Container

Creating a New Project 

Creating a New Client

Select CloudNine Analyst Project Overview


  1. Client: If you have more than one client, use the drop-down to select an existing Client. 
  2. Search Projects...: When you have multiple projects, you can use this option to quickly search for the project. Searches are fuzzy and begin returning results immediately. 
  3. + Create Client / Project: When you click the plus button, a drop-down becomes available. Here you can choose Create Client or Create Project to create a new Client, Project, or both. New Clients and Projects are temporary and are not created in CloudNine Analyst until CloudNine Analyst receives the data.
  4. Project List: List of Projects you have access to in CloudNine Analyst. 
  5. Selected: Indicates the project chosen to load data to. 

    Select CloudNine Analyst Container
  6. Search Containers: Search for evidence containers in a project.  
  7. Create Evidence Container: Use to create a new evidence container for CloudNine Analyst. Note: You will not see the evidence container until data is received by CloudNine Analyst.
  8. Evidence Container: Lists all existing evidence containers for the selected project. 
  9. Selected: Indicates which evidence container is selected to import into.
  10. Next: Once the Project and Evidence Container are selected, the Next button becomes available and will advance you to the Select Data for Upload screen. 

Loading to an Existing CloudNine Analyst Project and Evidence Container

When you connect to CloudNine Analyst through CloudNine Discovery Portal, you can see the list of all clients, projects, and corresponding evidence containers in CloudNine Analyst you have permission to access.  

  1. Under Select CloudNine Analyst, use the Client drop-down to select your client.  A list of projects for that client appears in the Project list. 
  2. Under the Project list, locate and left-click your mouse to select your Project.
  3. When the Project is selected, a list of Evidence Containers for the project is displayed on the right under Select CloudNine Analyst Container; locate and left-click your mouse to pick the Evidence container that will receive the data. 
  4. Once the desired Project and Container are selected, click Next at the bottom-right to proceed to Step 3: Selecting the JSON file.
  • For longer Project lists, type the project name into the Search projects... search bar to quickly locate the project. 
  • For longer Evidence Container lists, type the evidence name into the Search containers... search bar to quickly locate the desired evidence container.
  • If the Evidence Container, Project, or Client doesn't exist, it may be created directly in CloudNine Discovery Portal. 


Creating a New Evidence Container

If the evidence container does not exist in CloudNine Analyst, you can quickly create the Evidence Container through Discovery Portal.  The Evidence Container is temporary; once CloudNine Analyst receives the data the Evidence Container is created in CloudNine Analyst. 

  1. Select the CloudNine Analyst Client, then select the Project. If the client or project doesn't exist, see Creating a New Client and Creating a New Project.
  2. Under Select CloudNine Analyst Container, click the Create Container button.
  3. The Create New Container overlay appears. Enter a Container Name, then click OK.
  4. The newly created evidence container appears in the Container list and is selected by default. Click Next to proceed to the next screen. 

Creating a New Project

If this is a new project that does not yet exist in CloudNine Analyst, you can create the project in CloudNine Discovery Portal. Projects are temporary; the project is created when CloudNine Analyst receives the data.

  • Before creating a new project, it is highly recommended that you verify the project does not already exist in CloudNine Analyst. You can do this in the CloudNine Discovery Portal by searching for the project, or browsing through the list. 
  • It is important to note that the list of Projects displayed in the CloudNine Discovery Portal includes only those the user has permission to access. If you do not see the project in the list, the project may exist in CloudNine Analyst but you may not have access to it.
  • If you do not have permission to create projects in CloudNine Analyst, you will not be able to create the project through CloudNine Discovery Portal. 
  1. Select the Client from the client drop-down at the top left. 
  2. Click the Plus button, then select Create Project (enabled once a Client is selected).
  3. The Create New Project overlay appears. Here you will enter: 
    1. Project Name (Required): Follow your CloudNine Analyst project naming policies to type the desired Project Name. 
    2. Project Code (Required): Type the desired Project Code; this is often your Matter ID or Internal Project ID. 
    3. Description (Optional): Enter information about the project.  
  4. Once you are satisfied with the new project details, click OK to create the project. 
  5. Your new CloudNine Analyst project appears in the Project list and is selected. Since this is a new project created through CloudNine Discovery Portal, you will need to also create an Evidence Container to import to.


Creating a New Client 

Like Evidence Containers and Projects, it is possible to create a new Client for CloudNine Analyst through CloudNine Discovery Portal. The new client is temporary until data is received by CloudNine Analyst. Once data is received, the Client is created in CloudNine Analyst. 

You must have the appropriate permissions in CloudNine Analyst to create a new client through CloudNine Discovery Portal. If you cannot create a new client in CloudNine Analyst, you will not be able to create a client through CloudNine Discovery Portal. 

  1. In the Select CloudNine Analyst Project section, click the Plus button, then select Create Client.
  2. The Create New Client overlay appears. Enter the Client Name, then click OK.
    The newly added client now appears in the Client drop-down list and is selected by default. 

Once you have selected the Client, Project, and Evidence Container, click OK to go to Step 3: Select the Slack ZIP File to Upload.

Step 3: Select the Slack Zip File to Upload 

In this step, you will select the data to upload to CloudNine Analyst.

  1. Click the Browse option to browse and select the Slack JSON zip file to upload to CloudNine Analyst. 
  2. Click Next to go to Step 4: Import Settings.

Step 4: Import Settings

On this screen, you will determine your Import Settings and Control Number Settings for the selected Slack file. 


        Control Number Settings

  1. Prefix: An alphanumerical string of characters (20 max) to use at the beginning of each item. The prefix is the same for all data items imported from the selected Slack JSON file. 
  2. Start No: A numeric value that will be used as the starting number for the dataset. All items are incremented by one. 
  3. Length: The character length (numerical) of each item number, with a minimum of 4 and a maximum of 24 characters.  Leading zeros are used to pad the number to the length of characters selected. 
  4. Separator: Non-alphanumeric character that separates the Prefix, Item Type, and Item Number. 
  5. Example Control No: Shows results of the Control Number scheme you can expect. 

    Import Settings
  6. Filter Slack Users (Required): Lists all users found within the Slack JSON file. At least one user or Slack channel must be selected to import.
  7. Filter Slack Channels (Required): Lists all channels found in the Slack JSON file. At least one Slack user or channel must be selected to import.
  8. Processing Options - Date Filter Import: Imports only the items that fall within the specified start and end date range (Date filtering done in UTC). 
  9. DeDuplication: Determines the scope for deduplication. Selecting None will import all items in the Slack JSON file. If you select By Evidence Container, duplicate items found within the evidence container will be omitted from import. If Globally Within Project is selected, then any item found to be a duplicate will not be imported.   
  10. Download Files Sent in Slack: Enabled by default, this option includes any files sent in Slack.
  11. Next: Advances you to the Confirmation and Upload screen. 

Select Control Number and Import Settings

  1. On the Import Settings screen, under the Control Number settings section, enter a Prefix, Start No, and Length.
    1. Prefix: It is best practice to implement a prefix in your numbering. The prefix can be used to help maintain unique control numbers as well as locate items in the database. 
    2. Start No:  If using the same prefix throughout the project, the Start No will need to be the next sequential number in the database to prevent duplicate numbering. 
    3. Length: Industry Standard is 8-10 characters.
  2. Under the Import settings section:
    1. Slack User: Select user(s) to import to CloudNine Analyst. Choose All Users to select All Users for import or use Search users... to locate specific users quickly. 
    2. Channels: Select the Channels you wish to import. Search to filter specific channels. 
    3. Processing Options: If desired, enable the Date Filter Import and enter a Start and End date range. 
    4. Deduplication: Choose the method of deduplication based on the scope of the project. 
    5. Download Files Sent in Slack: Enabled by default, files sent in Slack will be included. If disabled, these files will not be imported. 
  3. Click Next to move to Step 5: Confirm & Upload.
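
An added pre-upload check, not part of CloudNine's documentation or tooling: it hashes the export zip and lists the users, channels, and per-channel message counts that fall inside a UTC date window, so the Import Settings shown by the portal can be compared against the source file. It assumes the standard Slack export layout (`users.json`, `channels.json`, one folder per channel holding daily JSON files whose messages carry an epoch `ts`), and it treats the end date as covering the whole UTC day, which this article does not specify; the function names and sample data are constructed for illustration.

```python
import hashlib, io, json, zipfile
from datetime import date, datetime, time, timedelta, timezone

def build_sample_export() -> bytes:
    """Constructed sample (not real data) in the assumed Slack export layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("users.json", json.dumps(
            [{"id": "U1", "name": "alice"}, {"id": "U2", "name": "bob"}]))
        z.writestr("channels.json", json.dumps([{"id": "C1", "name": "general"}]))
        z.writestr("general/2024-03-01.json", json.dumps([
            {"user": "U1", "ts": "1709251200.000100"},    # 2024-03-01 00:00:00 UTC
            {"user": "U2", "ts": "1709337599.000200"}]))  # 2024-03-01 23:59:59 UTC
        z.writestr("general/2024-03-02.json", json.dumps([
            {"user": "U1", "ts": "1709337600.000300"}]))  # 2024-03-02 00:00:00 UTC
    return buf.getvalue()

def inventory(zip_bytes: bytes, start: date, end: date) -> dict:
    """Hash the export and count messages per channel inside a UTC date window."""
    # Assumption: the window runs from start 00:00 UTC through the end of `end` (UTC).
    lo = datetime.combine(start, time.min, tzinfo=timezone.utc).timestamp()
    hi = (datetime.combine(end, time.min, tzinfo=timezone.utc)
          + timedelta(days=1)).timestamp()
    report = {"sha256": hashlib.sha256(zip_bytes).hexdigest(),
              "in_range": {}, "out_of_range": 0}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        report["users"] = sorted(u["name"] for u in json.loads(z.read("users.json")))
        report["channels"] = sorted(
            c["name"] for c in json.loads(z.read("channels.json")))
        for name in z.namelist():
            channel, _, rest = name.partition("/")
            if not rest.endswith(".json"):
                continue  # skip top-level metadata files and directory entries
            for msg in json.loads(z.read(name)):
                if lo <= float(msg["ts"]) < hi:
                    report["in_range"][channel] = report["in_range"].get(channel, 0) + 1
                else:
                    report["out_of_range"] += 1
    return report

if __name__ == "__main__":
    # For a real export, read the zip with open(path, "rb").read() instead.
    print(json.dumps(inventory(build_sample_export(),
                               date(2024, 3, 1), date(2024, 3, 1)), indent=2))
```

The SHA-256 can be recorded in the Notes & Comments field in Step 5 so the uploaded archive can be tied back to the source file.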

Step 5: Confirm & Upload

The Confirm & Upload screen is your chance to review the selections you made before starting the upload process. 

Confirm & Upload Overview


  1. Uploading From: Verifies where the data is coming from. File System is used to import Slack data. 
  2. Uploading To: Identifies the CloudNine Application, Client Name, Project Name, and Evidence Container name into which the data will be imported.
  3. Notes & Comments: Optionally, add information about the upload.
  4. Control Number Settings: Summarizes the Control Number Settings you established.
  5. Import Settings: Displays the settings for the import, including a list of Slack Users and Channels. The View More option is available to view all of the selected Slack Users and Channels. View Less returns to the default display. 
  6. Back: Moves to the previous screen. 
  7. Start Upload: Starts the upload process.

Review Your Data

Take the time to review the information on this screen; this is your last chance to go Back to previous screens and make any necessary changes. 

  1. Verify you are Uploading To the correct Client Name, Project Name, and Evidence Container. 
  2. Add optional Notes & Comments about the upload.
  3. Verify Control Number Settings and that the numbering scheme will not cause duplicate numbering in the database. 
  4. Verify the Import Settings are aligned with your project scope. 
  5. Once you are satisfied with the confirmation details displayed, you are ready to begin the upload. Click Start Upload.
  6. Once the upload begins, you are automatically brought to the Global Monitoring Console. From there, you can monitor the upload progress.