Import
      Back to home
      1. Help Center
      2. CloudNine Analyst
      3. Import

      CloudNine Analyst: Understanding the Available Fields for Computer Activity

      Understanding the Available Fields for Computer Activity

      Overview
      Computer forensic artifacts, proprietary platforms, and structured data are a part of many investigations and growing in eDiscovery projects. With Computer Activity, you can use this category for many different types of data. This article will help you understand how you can use Computer Activity for your standard or unique data types. 
       
      When importing computer activity data like registry file data, event logs data, electronic files, calendar items, etc. you will have a list of fields that are available for your import. Generally, it is easiest to match closely the titles in ESI Analyst to your load file. Your load file can be in CSV, DAT, Pipe or Tab-delimited. 
       
      Note: The Required Fields are  Control number. Date Time Created and Timezone. The Optional Fields are outlined below. 
       
       
      Here is an example screen that has the available fields based on what you may have already filled out on the first page like Control ID and Timezone:
       
       
       
      Field Definitions
      To further understand these fields, here are some helpful descriptions
       

      Control Number

      You have three options to attribute Control Numbers to your data.
      1. Control Number Included in Your Load File - You can have a column that has your Control Number that you CloudNine Analyst to that field
      2. Control Numbers Keyed off of a Unique ID in the Load File - You can have a separate column that will have your numbers in order and supply the Control Prefix and Zero Padding on the field mapping page.  


      3. Provide the Control Number Formats and Value - You can input all Control Numbering options on the field mapping page. 
       

      Date Time Created 

      Date fields must have proper formatting  Please see full article here
       

      Timezone 

      Note: Proper input information for the time zone is required, Please see full article here
       
       

      Attachment Names

      Note: All imports containing attachments NEED to have those attachments loaded through ESI Sync first!  

      Please see the ESI Sync help articles for more information
       
       
      If you have multiple files nested in subfolders with the same name, it will associate the FIRST attachment name found that matches the file name. This is why the relative path (“Attachment Path”) is important should your files not be 100% uniquely named.
       
       

      Attachment Path 

      Note: This path has to match exactly what you loaded through ESI Sync
       
      See these articles on properly mapping attachments to your data:

      Computer Action

      This field is fully customizable to the type of data that is loaded to CloudNine Analyst and the field "Action" will render that metadata item as a field to filter in the interface. 
       
       
      Example: In the main Project Insights dashboard these items were added based on the loaded data in the "Action" field
      Example: In the main Project Insights dashboard these items were added based on the loaded data in the "Action" field.
       

      Coordinates - Latitude and Longitude 

      These coordinates need to be separated into their two fields and mapped properly to ensure geolocation map lookups. Mapping these fields will make sure these data points have a map lookup associated to that data point.
       

      Date Time - Last Accessed and Modified

      These can be mapped to those fields when available. 
       
      Note: All dates displayed in the analysis tools, chronological order, dashboards, etc. are based on Date Time Created
       
       
      Alert: Ensure you follow the same date format for all of your date fields
       
       

      Deleted

      This field is typically mapped if the deleted field is available in your collection. 
       

      Device SN

      This is the Serial Number for the device and is used in the system to attribute the uploaded data to the actor. 
      For example: If the data loaded needs to be attributed to an actor/custodian, include the SN or custom information you can tie to the actor using Actor Profiles
       
       

      Extracted Text - Data 

      This is a text value field that is typically the body of a file, OCR'd text, long descriptions of the file, etc. Please review the complete article on this field selection
       

      Folder 

      This is a text value field to map to a specific folder name or important information for your upload. 
      For Example: "Inbox", "outbox", "personal folder", "pictures", "applications". "label"
       

      Hash Key 

      If you have already hashed the files, you can provide your hash file for those files.  
       

      IP Address 

      When provided, CloudNine Analyst will do a geolocation lookup off of the provided IP address. 
       

      Original Path - Artifact 

      This can be the full path location of the artifact, file or item found on the computer or device.
       

      Source 

      This can be used to note what evidence or source the data came from. This could also be the custodian device or internal identifier
       

      Translated Text

      If you use a 3rd party to translate the text, this will show in the system as a secondary Extracted Text field where you will have "Original" and "Extracted Text" to show the translation. 
      Note: CloudNine Analyst offers project-level, thread-level, and item-level translation
       
       

      XREF Link

      This is a text value field reserved for the same item being linked in another platform or can be a hyperlink to an outside application or domain.