CloudNine Analyst: Understanding the Available Fields for Computer Activity


Overview
Computer forensic artifacts, proprietary platforms, and structured data are part of many investigations and a growing part of eDiscovery projects. You can use the Computer Activity category for many different types of data. This article will help you understand how to use Computer Activity for your standard or unique data types.
 
When importing computer activity data such as registry file data, event log data, electronic files, calendar items, etc., you will have a list of fields that are available for your import. Generally, it is easiest to closely match the field titles in ESI Analyst to those in your load file. Your load file can be CSV, DAT, pipe-delimited, or tab-delimited.
 
Note: The Required Fields are Control Number, Date Time Created, and Timezone. The Optional Fields are outlined below.
 
 
Here is an example screen that has the available fields based on what you may have already filled out on the first page like Control ID and Timezone:
 
 
 
Field Definitions
To further understand these fields, here are some helpful descriptions:
 

Control Number

You have three options to attribute Control Numbers to your data.
1. Control Number Included in Your Load File - You can have a column that has your Control Number that you map in CloudNine Analyst to that field.
2. Control Numbers Keyed off of a Unique ID in the Load File - You can have a separate column that will have your numbers in order and supply the Control Prefix and Zero Padding on the field mapping page.  


3. Provide the Control Number Formats and Value - You can input all Control Numbering options on the field mapping page. 
 

Date Time Created 

Date fields must have proper formatting. Please see the full article here.
 

Timezone 

Note: Proper input information for the time zone is required. Please see the full article here.
 
 

Attachment Names

Note: All imports containing attachments NEED to have those attachments loaded through ESI Sync first!  

Please see the ESI Sync help articles for more information
 
 
If you have multiple files nested in subfolders with the same name, it will associate the FIRST attachment name found that matches the file name. This is why the relative path (“Attachment Path”) is important should your files not be 100% uniquely named.
 
 

Attachment Path 

Note: This path has to match exactly what you loaded through ESI Sync
 
See these articles on properly mapping attachments to your data:

Computer Action

This field is fully customizable to the type of data that is loaded to CloudNine Analyst and the field "Action" will render that metadata item as a field to filter in the interface. 
 
 
Example: In the main Project Insights dashboard these items were added based on the loaded data in the "Action" field.
 

Coordinates - Latitude and Longitude 

These coordinates need to be separated into their two fields and mapped properly so that each data point has a geolocation map lookup associated with it.
 

Date Time - Last Accessed and Modified

These can be mapped to those fields when available. 
 
Note: All dates displayed in the analysis tools, chronological order, dashboards, etc. are based on Date Time Created
 
 
Alert: Ensure you follow the same date format for all of your date fields
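
The rules stated so far (required fields present, coordinates split into two fields, an Attachment Path for attachment names that are not unique, one date format across all date fields) can be checked before a load file is imported. The Python check below is an added example, not CloudNine code; the column headers, the candidate date formats, and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Assumptions: headers mirror this article's field titles; date formats are candidates only.
REQUIRED = ["Control Number", "Date Time Created", "Timezone"]
DATE_FIELDS = ["Date Time Created", "Date Time Last Accessed", "Date Time Modified"]
FORMATS = ["%Y-%m-%d %H:%M:%S", "%m/%d/%Y %H:%M:%S"]
# Constructed pipe-delimited sample; every value below is made up for illustration.
SAMPLE = """Control Number|Date Time Created|Date Time Modified|Timezone|Latitude|Longitude|Attachment Names|Attachment Path
CA0001|2023-04-01 09:15:00|2023-04-01 09:20:00|UTC|40.7128|-74.0060|report.docx|docs/a/report.docx
CA0002|04/02/2023 10:00:00||UTC|40.7128,-74.0060||report.docx|
|2023-04-03 11:30:00||UTC|||notes.txt|
"""

def cell(row, field):
    return (row.get(field) or "").strip()

def date_format(value):
    for fmt in FORMATS:
        try:
            datetime.strptime(value, fmt)
            return fmt
        except ValueError:
            pass
    return None

def validate_load_file(text, delimiter="|"):
    rows = list(csv.DictReader(io.StringIO(text), delimiter=delimiter))
    names = Counter(cell(r, "Attachment Names") for r in rows)
    findings, seen_formats = [], set()
    for n, row in enumerate(rows, start=2):  # line 1 is the header
        findings += [f"line {n}: required field '{f}' is empty" for f in REQUIRED if not cell(row, f)]
        for field in DATE_FIELDS:
            value = cell(row, field)
            fmt = date_format(value) if value else None
            if value and fmt is None:
                findings.append(f"line {n}: '{field}' is not in a recognised date format")
            elif fmt:
                seen_formats.add(fmt)
        lat, lon = cell(row, "Latitude"), cell(row, "Longitude")
        if bool(lat) != bool(lon) or "," in lat + lon:
            findings.append(f"line {n}: coordinates must be split into Latitude and Longitude")
        name = cell(row, "Attachment Names")
        if name and names[name] > 1 and not cell(row, "Attachment Path"):
            findings.append(f"line {n}: attachment '{name}' is not unique and has no Attachment Path")
    if len(seen_formats) > 1:
        findings.append("date fields use more than one format")
    return findings
```

Calling `validate_load_file(SAMPLE)` returns one finding per problem row plus a file-level finding for the mixed date formats; an empty list means none of these checks failed.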
 
 

Deleted

This field is typically mapped if the deleted field is available in your collection. 
 

Device SN

This is the Serial Number for the device and is used in the system to attribute the uploaded data to the actor. 
For example: If the data loaded needs to be attributed to an actor/custodian, include the SN or custom information you can tie to the actor using Actor Profiles.
 
 

Extracted Text - Data 

This is a text value field that is typically the body of a file, OCR'd text, long descriptions of the file, etc. Please review the complete article on this field selection.
 

Folder 

This is a text value field to map to a specific folder name or important information for your upload. 
For example: "Inbox", "outbox", "personal folder", "pictures", "applications", "label"
 

Hash Key 

If you have already hashed the files, you can provide your hash file for those files.  
 

IP Address 

When provided, CloudNine Analyst will do a geolocation lookup off of the provided IP address. 
 

Original Path - Artifact 

This can be the full path location of the artifact, file or item found on the computer or device.
 

Source 

This can be used to note what evidence or source the data came from. This could also be the custodian device or internal identifier.
 

Translated Text

If you use a 3rd party to translate the text, this will show in the system as a secondary Extracted Text field where you will have "Original" and "Extracted Text" to show the translation. 
Note: CloudNine Analyst offers project-level, thread-level, and item-level translation
 
 

XREF Link

This is a text value field reserved for the same item being linked in another platform or can be a hyperlink to an outside application or domain.