Computer forensic artifacts, proprietary platforms and structured data are part of many investigations and a growing part of eDiscovery projects. The Computer Activity category can hold many different types of data. This article explains how to use Computer Activity for your standard or unique data types.
When importing computer activity data such as registry file data, event log data, electronic files or calendar items, you will have a list of fields available for your import. Generally, it is easiest to closely match the field titles in ESI Analyst to those in your load file. Your load file can be CSV, DAT, pipe-delimited or tab-delimited.
Note: The Required Fields are Control Number, Date Time Created and Timezone. The Optional Fields are outlined below.
Here is an example screen showing the available fields, based on what you may have already filled out on the first page, such as Control ID.
To further understand these fields, here are some helpful descriptions:
You have three options to attribute Control Numbers to your data.
1. Control Number Included in Your Load File - You can have a column that has your Control Number that you map in ESI Analyst to that field.
2. Control Numbers Keyed off of a Unique ID in the Load File - You can have a separate column that will have your numbers in order and supply the Control Prefix and Zero Padding on the field mapping page.
3. Provide the Control Number Formats and Value - You can input all Control Numbering options on the field mapping page.
Date Time Created
Note: All imports containing attachments NEED to have those attachments loaded through ESI Sync first!
If you have multiple files nested in subfolders with the same name, it will associate the FIRST attachment name found that matches the file name. This is why the relative path (“Attachment Path”) is important should your files not be 100% uniquely named.
Note: This path must exactly match what you loaded through ESI Sync.
See these articles on properly mapping attachments to your data:
This field is fully customizable to the type of data loaded into ESI Analyst, and the field "Action" will render that metadata item as a field to filter on in the interface.
Example: In the main Project Insights dashboard these items were added based on the loaded data in the "Action" field.
Coordinates - Latitude and Longitude
The coordinates need to be separated into two fields, Latitude and Longitude, and each mapped to its own field. Mapping both ensures that each data point has a geolocation map lookup associated with it.
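A pre-import check covering three points from this article (the required fields, same-named attachments that lack an Attachment Path, and splitting coordinates into two fields), as an added example that is not ESI Analyst code. The column titles, the combined "Coordinates" column and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict

REQUIRED = ("Control Number", "Date Time Created", "Timezone")  # from the note above

# Constructed sample load file (pipe-delimited). Column titles, value formats
# and the combined "Coordinates" column are assumptions for this example.
SAMPLE = """Control Number|Date Time Created|Timezone|Attachment Name|Attachment Path|Coordinates
CA000001|2023-04-01 09:15:00|UTC|report.docx|Users/alice/Documents/report.docx|40.7128, -74.0060
CA000002|2023-04-01 09:20:00|UTC|report.docx||
CA000003||UTC|notes.txt|Users/bob/notes.txt|95.0, 10.0
"""

def split_coordinates(value):
    """Return (latitude, longitude) as floats, or None if the value is unusable."""
    try:
        lat, lon = (float(p.strip()) for p in value.split(","))
    except ValueError:  # wrong number of parts or a non-numeric part
        return None
    if -90 <= lat <= 90 and -180 <= lon <= 180:
        return lat, lon
    return None

def check_load_file(text, delimiter="|"):
    """Return (rows, problems); rows gain Latitude/Longitude when they can be split."""
    rows, problems, paths_by_name = [], [], defaultdict(list)
    for row in csv.DictReader(io.StringIO(text), delimiter=delimiter):
        cn = row.get("Control Number") or "<missing>"
        for field in REQUIRED:
            if not (row.get(field) or "").strip():
                problems.append(f"{cn}: required field '{field}' is empty")
        coords = (row.get("Coordinates") or "").strip()
        pair = split_coordinates(coords) if coords else None
        if pair:
            row["Latitude"], row["Longitude"] = pair
        elif coords:
            problems.append(f"{cn}: cannot split coordinates '{coords}'")
        name = (row.get("Attachment Name") or "").strip()
        if name:
            paths_by_name[name].append((row.get("Attachment Path") or "").strip())
        rows.append(row)
    for name, paths in paths_by_name.items():
        # Same file name on several rows: without a path the first match would be used.
        if len(paths) > 1 and not all(paths):
            problems.append(f"'{name}': used by several rows, but one has no Attachment Path")
    return rows, problems
```

Calling `check_load_file(SAMPLE)` returns the rows with the two coordinate fields added where possible, plus a list of problems to fix before import.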
Date Time - Last Accessed and Modified
These can be mapped to those fields when available.
Note: All dates displayed in the analysis tools, chronological order, dashboards etc. are based on Date Time Created.
This field is typically mapped if the deleted field is available in your collection.
This is the Serial Number for the device and is used in the system to attribute the uploaded data to the actor.
For example: If the data loaded needs to be attributed to an actor/custodian, include the SN or custom information you can tie to the actor using Actor Profiles.
This is a text value field to map to a specific folder name or important information for your upload.
For example: "Inbox", "outbox", "personal folder", "pictures", "applications", "label".
If you have already hashed the files, you can provide your hash file for those files.
When provided, ESI Analyst will do a geolocation lookup off of the provided IP address.
Original Path - Artifact
This can be the full path location of the artifact, file or item found on the computer or device.
This can be used to note what evidence or source the data came from. This could also be the custodian device or an internal identifier.
If you use a 3rd party to translate the text, this will show in the system as a secondary Extracted Text field where you will have "Original" and "Extracted Text" to show the translation.
Note: ESI Analyst offers project level, thread level and item level translation.
This is a text value field reserved for the same item being linked in another platform, or can be a hyperlink to any outside application or domain.