|
METADATA FIELD DESCRIPTION
|
DEFINITION |
| DEFAULT EXPORT FIELDS (NO OPTIONS SELECTED) |
These fields are provided with every export regardless of options, types, and fields selected. |
| ESIA_ID |
The unique value assigned by CloudNine Analyst. This is a default field and is included with every export regardless of type. |
| ESIA_CONTROL_NUMBER |
The unique value provided during the import. The unique that exists t in a load file import or is provided at the time of import. This field is included with every export. |
| BEG_CONTROL |
Default field populated at the time of export. If renumber items option is not selected the ESIA_CONTROL_NUMBER value is used. If renumber items are selected this will be the renumbered Control Number. |
| END_CONTROL |
Default field populated at the time of export. Records with attachments are appended with the number of attachments padded to 5 digits IE: ACO1-EM-00000051.00003. If renumber items option is not selected the ESIA_CONTROL_NUMBER value is used. If renumber items are selected this will be the renumbered Control Number. |
| MASTER_DATE_TIME_STAMP |
The original date and timestamp extracted during the import process. |
| MASTER_TIME_STAMP |
The original timestamp extracted during the import process. |
| ORIGINAL_TIMEZONE |
The original time zone of the item. |
| MASTER_UTC_DATE_TIME_STAMP |
The original timestamp adjusted to UTC. |
| ADJUSTED_DATE_TIME_STAMP |
The MASTER_UTC_DATE_TIME_STAMP adjusted to the selected time zone provided by the end-user during export. |
| ADJUSTED_TIMEZONE |
The time zone selected by the end-user during export. |
| TYPE |
This is the Item Type, which can be Geolocation, Transaction, Communication, Social, or Computer. |
| EVIDENCE_SOURCES_ALL |
A concatenation of evidence sources from which the item was extracted, including the original and any sources where duplicates were identified. |
| CUSTODIAN |
The custodian is populated when an evidence source is assigned to an Actor, making them the "source" custodian of that device, extract, or data set. |
| FAMILY_GROUP |
The beginning control number of the "family" to a set of linked items, such items may be made up of multiple images or files, similar to an email with attachments. |
| ATTACHMENT_PATH |
Path to the location of the attachments with an updated attachment name that matches the exported Control Number. |
| ATTACHMENT_NAMES |
Identifies the original file name of the attachment. |
| DEFAULT FIELDS INCLUDED THAT REQUIRE SPECIFIC OPTIONS TO BE SELECTED |
These fields will be included in the export by default, provided the appropriate export options are selected. |
| CONTROL NUMBER |
Populated during the export if the renumber items option is selected. |
| TEXT |
The relative path to the extracted text file that represents the "content" of the item's data (e.g. the message, post, or other metadata mapped to this field during ingestion). |
| HTML |
The relative path to the HTML rendering of the individual item contained in the export ZIP. The Export METADATA ITEMS to HTML option must be selected. |
| NATIVE PATH |
Relative path to the Native file. |
| FILE_EXT |
The extension indicates a characteristic of the file contents or its intended use. |
| MASTER_THREADS |
The beginning control number of a master thread. Requires the selection of Master Thread and 24HR Threads. |
| FIELD SELECTION FOR SHARED FIELDS |
These fields are available under the Shared Fields section. |
| ACTORS |
Actors are persons of interest in the project and assigned to items. In the case of communication and social media item types, multiple Actors may exist. When exported, Actors are separated by a semicolon for any item linked to multiple Actors. |
| HASH KEY |
The MD5 Hash of the items metadata fields, which is defined based on the TYPE. As an example, for "communication" this may be a combination of the item's subject line, sent date time (UTC), participants, message content, and other associated metadata, such as any file attachments. |
| XREF LINK |
An arbitrary field that can be imported with a load file. This allows for an external link to be added to an item, such as a link to a public-facing website such as the actual "tweet" from Twitter. |
| DUPLICATE SOURCES |
Evidence container(s) to which duplicates of this item were identified. |
| TAGS |
These are the tag values that have been applied to an item during review and analysis. When exported, multiple tags for an item are separated by a semicolon. |
| EVIDENCE SOURCE CONTAINER |
This is the evidence container the item has been associated with at the time of import. |
| TRANSLATED TEXT |
Relative path to the translated text. This requires both the Translated Text Field from Shared Metadata and the include Translated text option to be selected at the time of export. |
| ACTOR_ID |
The Actor ID value is listed in the Actor's list. |
| FIELD SELECTION FOR TRANSACTIONS |
These fields are available under the Transactions Section. If selected, they may populate other Types. |
| ACCOUNT IDENTIFIER |
The account name, number, or unique value of an account that is recorded as part of a financial transaction. It is used to relate transaction history to an Actor. |
| DATE TIME TRANSACTED |
The original date and time the transaction took place. |
| LOCATION |
The coordinates of where the transaction took place. |
| STOCK SYMBOL |
The unique series of letters is assigned to publicly-traded security. |
| TRANSACTION NAME |
Name of transaction such as Banking Record, Credit Card, etc. |
| ADDRESS LOOKUP |
The value returned by the geolocation lookup. This may be the same as the actual address provided or an augmented value as returned by the geolocation API process. |
| HAS TIMESTAMP |
Indicates if the transaction has a timestamp. By default, this is set to a True value. If no timestamp, it will be false and a value of 12:00:00 PM is used. |
| PHYSICAL ADDRESS |
The physical address is extracted during import to return a specific latitude and longitude point on a map as part of a geolocation lookup. |
| SYSTEM MESSAGE |
The message returned by the API during geolocation lookups as to the precision (accuracy) of the lookup. |
| NOTES (TRANSACTION NOTES) |
Note added about the transaction when the transaction occurred. |
| CHECK - PO NUMBER |
The reference number linked to reference the transaction. |
| IP ADDRESS |
The IPv4 or IPv6 address extracted during import. This can then be geolocated if it is a public-facing IP. |
| ROUTING NUMBER |
The unique nine-digit number functions as an address for a bank. It is used for electronic transactions such as direct deposits. |
| TRANSACTION AMOUNT |
The monetary amount of the transaction. |
| TRANSACTION TYPE |
The type of transaction that occurred. Values may be: Deposit or Withdrawl of Funds, Wages Paid or Earned, Gifts Given or Received (Value), Interest Paid or Earned, Loans Made or Received (Monies, Assets) Payments Made or Received, Purchase Or Sale (Goods, Services, Assets), Transfer in Or Out (Monies, Assets), and Other. |
| FIELD SELECTION FOR COMPUTER |
These fields are available for selection under Computer, if selected other Types may also be populated. |
| ADDRESS LOOKUP |
The value returned by the geolocation lookup. This may be the same as the actual address provided or an augmented value as returned by the geolocation API process. |
| COMPUTER ACTION |
The activity that was performed on the computer. |
| DATE TIME LAST ACCESSED |
Date and time stamp an item type was last accessed. |
| DEVICE SN |
Serial Number of the device. |
| IP_ADDRESS |
The IPv4 or IPv6 address provided during import. This can then be geolocated if it is a public-facing IP. |
| SYSTEM MESSAGE |
The message returned by the API during geolocation lookups as to the precision (accuracy) of the lookup. |
| ATTACHMENT NAME(S) |
Identifies the names of attachments linked to the activity. |
| COORDINATES |
The geolocation of items is based on the coordinates represented by longitude and latitude. |
| DATE TIME LAST MODIFIED |
Date and time stamp an item type was last modified. |
| EXTRACTED TEXT - DATA |
|
| ORIGINAL PATH - ARTIFACT |
The original location, link, or file to which the computer activity was performed. A footprint of activity the Actor performed on the computer. |
| ATTACHMENT PATH |
The relative path of the stored attachment file as contained within the uploaded evidence. |
| DATE TIME CREATED |
Date and time the action took place. |
| DELETED |
A boolean indicator if a particular item was noted as deleted. The flag must be present in the data set or application from which it is being extracted. |
| FOLDER |
Text value or path of the internal folder structure of an application in which a message or item was found (e.g. "Inbox") or can be used as an arbitrary text value based on your upload/import of data. |
| SOURCE |
The title and name of the computer activity. |
| FIELD SELECTION FOR SOCIAL |
Fields are available for selection under Social Media. If selected, other Types may have data populated also. |
| ADDRESS LOOKUP |
The value returned by the geolocation lookup. This may be the same as the actual address provided or an augmented value as returned by the geolocation API process. |
| COORDINATES |
The geolocation of items is based on the coordinates represented by longitude and latitude. |
| IP ADDRESS |
The IPv4 or IPv6 address provided during import. This can then be geolocated if it is a public-facing IP. |
| POST TITLE |
Title of a Social Media post. |
| SOCIAL NETWORK |
The Social Network the post was made in. Values are: Instagram, Google+, GroupMe, LinkedIn, Facebook, Telegram, Twitter, Snapchat, WhatsApp, and Others. |
| USER ID |
User ID associated with the Social account. |
| ATTACHMENT NAME(S) |
In Social Media, this is the date and time the post was added. |
| POST |
The content of a social media post. |
| POST TYPE |
The type of post, values are: Comment, Post, Reply, or Other. |
| SYSTEM MESSAGE |
The message returned by the API during geolocation lookups as to the precision (accuracy) of the lookup. |
| ATTACHMENT PATH |
Path to the location of the attachments. |
| HASHTAGS |
Any hashtags that are associated with the social post. |
| POST SUBJECT OR ID |
Subject or ID of the post. |
| POST URL |
URL link to the post. |
| THREAD ID |
This is the lowest value control number contained within a 24-hr thread, representing all messages within a 24-hr period associated between a specific set of participants. |
| FIELD SELECTION FOR GEOLOCATION |
Fields available for selection under Geolocation. If selected other types may be selected. |
| ADDRESS LOOKUP |
The value returned by the geolocation lookup. This may be the same as the actual address provided or an augmented value as returned by the geolocation API process. |
| COUNTRY |
The Country identified during import (associated with geolocation items) allows for more exact lookups of geolocation based on a physical address. |
| LOCATION NAME |
Name of Location captured from a device with GPS and location enabled. A user can save items with a specific name like "Home" as an example. Sometimes this may be a shortened version of the address and is arbitrary to a user's device or app installed on their device. |
| PHYSICAL ADDRESS |
The physical address is extracted during import to return a specific latitude and longitude point on a map as part of a geolocation lookup. |
| ASSOCIATED ACTOR ID |
The Actor ID value listed in the Actor's list. |
| DATE TIME LOCATED |
Date and time captured of a specific location from a device with GPS and location enabled. |
| NOTES |
A free-form text field that can be added during import or overlay to specific metadata such as geolocation. |
| SYSTEM MESSAGE |
The message returned by the API during geolocation lookups as to the precision (accuracy) of the lookup. |
| COORDINATES |
The geolocation of items is based on the coordinates represented by longitude and latitude. |
| IMEI |
The International Mobile Equipment Identifier (if present and extracted during import). Used to relate geolocation to a device and Actor. |
| ORIGINATING DATA SOURCE |
This is specific to geolocation data type only and can be one of four values: "smartphone", "GPS device", "location history", or "other". |
| FIELD SELECTION FOR COMMUNICATION |
Fields available for selection under media. If selected other types may be selected. |
| ATTACHMENT NAME(S) |
Names of attachments are identified during the import of metadata or data parsed from phone data. |
| ATTACHMENT PATH |
The relative path of the stored attachment file is contained within the uploaded evidence. |
| BCC |
A Blind Carbon Copy of a communication (usually email). |
| CC |
A Carbon Copy recipient of a communication (usually email). |
| CALL DURATION |
The amount of time elapsed in a given call. |
| COMMUNICATION TYPE |
Identifies the specific type of communication. Communication Types are Email, Chat, SMS, MMS, Call, and Group. The field types are used to filter data in ESI Analyst. If importing a load file that contains mixed types it is important to ensure the data properly reflects the communication type. |
| DATE TIME LAST ACCESSED |
Date and time stamp an item type was last accessed. |
| DATE TIME LAST MODIFIED |
Date and time stamp an item type was last modified. |
| DATE TIME SENT |
Date and time stamp an item type was sent. |
| DELETED |
A boolean indicator if a particular item was noted as deleted. The flag must be present in the data set or application from which it is being extracted. |
| FOLDER |
Text value or path of the internal folder structure of an application in which a message or item was found (e.g. "Inbox") or can be used as an arbitrary text value based on your upload/import of data. |
| IMEI |
The International Mobile Equipment Identifier (if present and extracted during import). Used to relate geolocation to a device and Actor. |
| MESSAGE |
The text content of a message, chat, wall post, email, or other communication types. |
| RECIPIENTS |
The phone number, email, or username as defined in the message that was the direct recipient of the communication. |
| SENDER |
The phone number, email, or username as defined in the message that sent the communication. |
| STATUS |
The status of the message is typically "read", "unread", and "draft" and is defined at the application level. Status may or may not be present or reliable metadata. |
| SUBJECT OR CHAT ID |
For email, this is the subject of the email or chat, or the group identifier of a conversation spanning the lifetime of the conversation (e.g. in Slack this would be the "channel" name). If none is present, ESI Analyst dynamically generates this ID based on the participants of the communication, representing the conversation history spanning the entire timespan present on the device or contained within the archive. |
| THREAD ID |
This is the lowest value control number contained within a 24-hr thread, representing all messages within a 24-hr period associated between a specific set of participants. |
| ALL_PARTICIPANTS |
All entities involved in the conversation. |
| MASTER_THREAD_START_DATE |
The very last date and time stamp of a message in the master thread. (e.g. the last date of the conversation among the participants based on all data sources with that Master Thread ID). |
| MASTER_THREAD_END_DATE |
The very last date and time stamp of a message in the master thread. (e.g. the last date of the conversation among the participants based on all data sources with that Master Thread ID). |
| TIME_LAST_ACCESSED |
The last time the item was accessed. |
| TIME_SENT |
The time sent of a given item type. |
| TIME_LOCATED |
The timestamp of the specific location. |
| TIME_CREATED |
Time the item type was created. |
| TIME_POSTED |
Time the item type was posted. |
| TIME_TRANSACTED |
Time the item type was transacted. |
| THREADS |
The relative path to the 24-hr Thread (communication and social types only). |
