Understanding the Available Fields for Computer Activity
Overview
Computer forensic artifacts, proprietary platforms, and structured data are a part of many investigations and a growing part of eDiscovery projects. You can use the Computer Activity category for many different types of data. This article will help you understand how you can use Computer Activity for your standard or unique data types.
When importing computer activity data such as registry file data, event log data, electronic files, or calendar items, you will have a list of fields that are available for your import. Generally, it is easiest to closely match the titles in ESI Analyst to your load file. Your load file can be CSV, DAT, pipe-delimited, or tab-delimited.
Here is an example screen that has the available fields based on what you may have already filled out on the first page, like Control ID and Timezone:
To further understand these fields, here are some helpful descriptions:
You have three options to attribute Control Numbers to your data.
1. Control Number Included in Your Load File - You can have a column that has your Control Number that you map in CloudNine Analyst to that field.
2. Control Numbers Keyed off of a Unique ID in the Load File - You can have a separate column that will have your numbers in order and supply the Control Prefix and Zero Padding on the field mapping page.
3. Provide the Control Number Formats and Value - You can input all Control Numbering options on the field mapping page.
Date Time Created
Date fields must have proper formatting. Please see the full article here.
See these articles on properly mapping attachments to your data:
This field is fully customizable to the type of data that is loaded to CloudNine Analyst, and the field "Action" will render that metadata item as a field to filter in the interface.
Example: In the main Project Insights dashboard these items were added based on the loaded data in the "Action" field.
Coordinates - Latitude and Longitude
These coordinates need to be separated into their two fields and mapped properly to ensure geolocation map lookups. Mapping these fields ensures that each data point has a map lookup associated with it.
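The following is an added example, not CloudNine Analyst code: a pre-import script that prepares a load file for the first Control Number option above and for the Latitude and Longitude split. The input column name "Coordinates", the sample rows, the "CA" prefix, and the prefix-plus-zero-padded-number format are assumptions made for illustration.

```python
import csv
import io

# Constructed sample export with one combined coordinates column (not from the article).
SAMPLE_EXPORT = """Unique ID,Action,Coordinates
1,File Opened,"40.7128, -74.0060"
2,USB Connected,
3,Wi-Fi Joined,"95.0000, 10.0000"
4,File Deleted,51.5074;-0.1278
"""

def split_coordinates(raw):
    """Return (latitude, longitude) as strings, or ("", "") if unusable."""
    parts = [p.strip() for p in raw.replace(";", ",").split(",")]
    if len(parts) != 2:
        return "", ""
    try:
        lat, lon = float(parts[0]), float(parts[1])
    except ValueError:
        return "", ""
    # Reject out-of-range values instead of loading a wrong map point.
    if not (-90 <= lat <= 90 and -180 <= lon <= 180):
        return "", ""
    return parts[0], parts[1]

def control_number(unique_id, prefix, zero_padding):
    """Assumed format: prefix followed by the ID left-padded with zeros."""
    return f"{prefix}{int(unique_id):0{zero_padding}d}"

def build_load_file(export_text, prefix="CA", zero_padding=6):
    """Rewrite the export with Control Number, Latitude and Longitude columns."""
    reader = csv.DictReader(io.StringIO(export_text))
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["Control Number", "Action", "Latitude", "Longitude"])
    rejected = []
    for row in reader:
        raw = (row["Coordinates"] or "").strip()
        lat, lon = split_coordinates(raw)
        if raw and not lat:
            rejected.append(row["Unique ID"])  # row is kept, flagged for review
        number = control_number(row["Unique ID"], prefix, zero_padding)
        writer.writerow([number, row["Action"], lat, lon])
    return out.getvalue(), rejected

if __name__ == "__main__":
    load_file, rejected = build_load_file(SAMPLE_EXPORT)
    print(load_file)
    print("Rows with unusable coordinates:", rejected)
```

Rows with malformed or out-of-range coordinates are still written, with empty Latitude and Longitude, so no record is dropped from the load file and the flagged IDs can be checked against the source.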
Date Time - Last Accessed and Modified
These can be mapped to those fields when available.
This field is typically mapped if the deleted field is available in your collection.
This is the Serial Number for the device and is used in the system to attribute the uploaded data to the actor.
Extracted Text - Data
This is a text value field that is typically the body of a file, OCR'd text, long descriptions of the file, etc. Please review the complete article on this field selection.
This is a text value field to map to a specific folder name or important information for your upload.
If you have already hashed the files, you can provide your hash file for those files.
When provided, CloudNine Analyst will do a geolocation lookup off of the provided IP address.
Original Path - Artifact
This can be the full path location of the artifact, file or item found on the computer or device.
This can be used to note what evidence or source the data came from. This could also be the custodian device or internal identifier.
If you use a 3rd party to translate the text, this will show in the system as a secondary Extracted Text field where you will have "Original" and "Extracted Text" to show the translation.
This is a text value field reserved for the same item being linked in another platform or can be a hyperlink to an outside application or domain.