One row per source. For every collection source you're likely to see, this reference lists the metadata fields the tool outputs, what each field actually means, and how it maps to the review environment downstream. Use it when a vendor's SOW is vague, when a custodian asks what you're taking, or when opposing counsel wants to know what you have.
How to use this reference
For each source in scope on your matter, confirm the vendor's proposed toolset appears in the "Common Tools" column, and that the required fields appear in their deliverable. Missing fields aren't automatically a problem — but they should be a conscious decision, not an accident.
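The check described above, as an added example that is not part of the original reference: it audits a delimited load file against a required-field list and separates fields that are absent, delivered but never populated, or absent by documented decision. The required list, the CSV layout, the `waived` parameter and the sample rows are assumptions made for illustration.

```python
import csv
import io

# Assumption: a matter-specific "required" subset of the section 1 email fields.
REQUIRED = {
    "email": ["MessageID", "ConversationID", "DateSent", "DateReceived",
              "From", "To", "Subject", "SHA256Hash", "Custodian", "FolderPath"],
}

# Constructed sample load file: the ConversationID column is absent and
# FolderPath is present but never populated. Hash values are placeholders.
SAMPLE_LOAD_FILE = (
    "MessageID,DateSent,DateReceived,From,To,Subject,SHA256Hash,Custodian,FolderPath\n"
    "<a1@example.test>,2024-03-10T06:59:00Z,2024-03-10T07:00:02Z,"
    "a@example.test,b@example.test,RE: Q1,HASH-PLACEHOLDER-1,Smith,\n"
    "<a2@example.test>,2024-03-10T07:01:00Z,2024-03-10T07:01:05Z,"
    "b@example.test,a@example.test,FW: Q1,HASH-PLACEHOLDER-2,Smith,\n"
)


def audit_fields(load_file_text, source, waived=()):
    """Classify each required field as ok, missing, empty, or waived."""
    reader = csv.DictReader(io.StringIO(load_file_text))
    rows = list(reader)
    columns = set(reader.fieldnames or [])
    report = {}
    for field in REQUIRED[source]:
        if field not in columns:
            status = "missing"   # column not delivered at all
        elif not any((row.get(field) or "").strip() for row in rows):
            status = "empty"     # column delivered but never populated
        else:
            status = "ok"
        if status != "ok" and field in waived:
            status = "waived"    # absence was a documented decision
        report[field] = status
    return report


def unresolved(report):
    """Fields whose absence nobody has signed off on."""
    return sorted(f for f, s in report.items() if s in ("missing", "empty"))


if __name__ == "__main__":
    print(unresolved(audit_fields(SAMPLE_LOAD_FILE, "email", waived=("FolderPath",))))
```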
1. Corporate Email — Microsoft 365 & Exchange
Common tools: Purview eDiscovery (Premium), Veritas EV, Nuix, X1 Distributed Discovery, Reveal Collect.
Container: .PST, .OST, .MBOX, or direct API export (.MSG or .EML per item).
| Field | Type | Plain-English meaning & note |
| MessageID | String | Immutable identifier assigned by the mail server. Do not use as the review-tool DocID — assign your own UID (see DLC-M01-002). |
| ConversationID | String | Groups messages in a thread. Feeds inclusive-email threading downstream. If missing, threading gets expensive. |
| DateSent | DateTime | Client-side send time. Normalize to UTC. Watch DST edges. |
| DateReceived | DateTime | Server-side receive time. Often differs from DateSent; the delta matters in some matters. |
| From / To / Cc / Bcc | String[] | Address lists. Include display name AND SMTP address — vendors sometimes drop one. |
| Subject | String | Verbatim subject line. Extract without normalization; "RE:" and "FW:" carry meaning. |
| HasAttachments | Boolean | Flag only. Actual attachment count/names come from family fields. |
| AttachmentCount | Int | Counted post-processing after container extraction. Watch for zip-in-zip. |
| MD5Hash / SHA256Hash | String | Deduplication key. Insist on SHA-256; MD5 collisions are rare but real. |
| Custodian | String | Assigned by collection tool, verified against interview record. |
| CustodianSource | String | Which mailbox/folder within the custodian's account. |
| FolderPath | String | Full path within the mailbox — Inbox, Sent, Deleted Items, custom folders. |
| ReadStatus | Boolean | Rarely material but occasionally decisive on constructive-knowledge questions. |
| Importance / Sensitivity | String | Header flags (Normal, High, Confidential). Sometimes evidentially significant. |
| DlpMatches | String[] | Purview DLP labels. If present, valuable for privilege pre-triage. |
2. Endpoints — Windows & macOS Workstations
Common tools: EnCase, Cellebrite Endpoint Inspector, X-Ways, Magnet AXIOM, F-Response, KAPE.
Container: Forensic image (E01 / DD / AFF4) or targeted logical collection.
| Field | Type | Plain-English meaning & note |
| FullPath | String | Complete on-disk path at time of collection. Contains user context (e.g. C:\Users\jsmith\...). |
| FileName | String | Leaf filename with extension. Match against extension-vs-content sniffing. |
| Extension | String | Stated extension. Compare to content-derived type — mismatch is a signal. |
| MimeType | String | Content-sniffed MIME. Preferred over Extension for routing. |
| FileSize | Int (bytes) | Logical size. Note: sparse files can lie. |
| CreatedTime / ModifiedTime / AccessedTime | DateTime | MACtimes. Reliability varies — modification is the most trusted, access the least. |
| EntryModifiedTime | DateTime | NTFS-specific ($MFT entry time). Useful when Access has been touched by AV. |
| Owner / SID | String | Windows security identifier of the owning user. |
| SHA256Hash | String | Cryptographic hash. Required for chain-of-custody and dedup. |
| DeletedFlag | Boolean | Whether the item was recovered from unallocated space or $Recycle.Bin. |
| EncryptedFlag | Boolean | Whether the file was encrypted at collection. Ask the vendor for their crack/re-ask strategy. |
| DriveLabel / Volume | String | Where on the device the file lived (C:, D:, external, network mount). |
3. Mobile Devices — iOS & Android
Common tools: Cellebrite UFED, Oxygen Detective, Magnet AXIOM, MSAB XRY, GrayKey (LE only).
Container: Filesystem image, .UFDX, .OFB, .UFDR.
| Field | Type | Plain-English meaning & note |
| DeviceModel | String | Make, model, IMEI/serial. Match against the custodian's declared devices. |
| OSVersion | String | Determines extraction depth (iOS 17.x file-system access differs from iOS 16.x). |
| ExtractionMethod | String | Logical / File System / Full File System / Advanced Logical. Affects what you have. |
| MessageThreadID | String | SMS / iMessage / RCS thread grouping. |
| SenderNumber / ReceiverNumber | String | E.164 phone numbers. Normalize to +country format. |
| Timestamp | DateTime | Device local time at time of send/receive. Include TZ offset. |
| DeletedFlag | Boolean | Recovered from device unallocated / SQLite journal. |
| Application | String | Messages / WhatsApp / Signal / iMessage / Telegram / Wickr / Snap. |
| AttachmentPath | String | On-device path to media. Preserve family relationship. |
| LocationLat / LocationLon | Float | Geotag from EXIF or app data. Rarely on messages; occasionally on photos. |
4. Ephemeral & Modern Messaging — WhatsApp, Signal, iMessage
Common tools: Cellebrite UFED, iOS Backup Extractor, Signal Desktop (with custodian password), WhatsApp Business API export.
Note: Auto-delete features may render data unavailable if preservation was not timely; document the timeline.
| Field | Type | Plain-English meaning & note |
| Platform | String | WhatsApp / Signal / iMessage / Wickr / Telegram. |
| ChatType | String | 1:1 / Group / Broadcast / Channel. |
| Participants | String[] | All members at extraction time. Historical membership may not be recoverable. |
| MessageID | String | Platform-assigned. Signal is ephemeral by nature — verify persistence. |
| EncryptionKey | String | Required for WhatsApp .crypt14. Handle per firm cryptography policy. |
| DisappearingFlag | Boolean | Was the message set to auto-delete? Affects the log's completeness caveat. |
| DisappearingSeconds | Int | Auto-delete window (e.g. 604800 = 7 days). |
| EditedFlag | Boolean | Some platforms surface edits. Preserve prior-version text if available. |
| ReactionData | JSON | Emoji reactions, who and when. Often material. |
5. Collaboration — Slack, Teams, Zoom Chat, Webex
Common tools: Reveal, Nuix Discover, Onna, Hanzo, native admin exports (Slack Discovery API, Purview for Teams).
Container: JSON export per channel + attachments folder.
| Field | Type | Plain-English meaning & note |
| WorkspaceID | String | Slack workspace / Teams tenant. |
| ChannelID / ChannelName | String | Public / private / DM / MPIM. |
| ChannelPrivacy | String | Determines whether search covered it. |
| ThreadTS | String | Parent-message timestamp used as thread root. |
| MessageTS | String | Unix-epoch send timestamp. Convert to ISO 8601 for review. |
| UserID / UserName | String | Sender. Reconcile against Employee Directory. |
| MessageText | String | Verbatim, including markdown. |
| EditsHistory | JSON[] | Prior versions if platform records them. |
| ReactionData | JSON | Reactions + reactor identities. |
| FileAttachments | JSON[] | Family relationship. Watch for external file links (Google Drive, Dropbox). |
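An added example, not taken from any vendor tool, showing the MessageTS, ThreadTS and external-link notes in the table above applied to a per-channel JSON export. The input keys (`ts`, `thread_ts`, `user`, `text`) follow Slack's export format; the sample messages, the `SentUTC` and `ExternalLinks` output fields and the host list are assumptions for illustration.

```python
import json
import re
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed sample messages; values are invented.
SAMPLE_EXPORT = json.dumps([
    {"ts": "1710054000.000100", "user": "U01",
     "text": "Draft is here: https://drive.google.com/file/d/EXAMPLE"},
    {"ts": "1710054060.000200", "thread_ts": "1710054000.000100",
     "user": "U02", "text": "Reviewed."},
    {"ts": "1710057600.000300", "user": "U02", "text": "Separate topic"},
])

EXTERNAL_HOSTS = ("drive.google.com", "docs.google.com", "dropbox.com")  # assumption
URL_RE = re.compile(r"https?://[^\s<>|]+")


def ts_to_iso(ts):
    """Convert 'seconds.microseconds' epoch text to ISO 8601 UTC without float rounding."""
    seconds, _, micros = ts.partition(".")
    dt = datetime.fromtimestamp(int(seconds), tz=timezone.utc)
    return dt.replace(microsecond=int((micros or "0").ljust(6, "0")[:6])).isoformat()


def is_external(host):
    return any(host == h or host.endswith("." + h) for h in EXTERNAL_HOSTS)


def normalize(export_text):
    """Keep raw timestamps verbatim, add a UTC rendering, and flag external file links."""
    rows = []
    for msg in json.loads(export_text):
        text = msg.get("text", "")
        rows.append({
            "MessageTS": msg["ts"],
            "ThreadTS": msg.get("thread_ts", msg["ts"]),  # a root message is its own thread
            "SentUTC": ts_to_iso(msg["ts"]),
            "UserID": msg["user"],
            "MessageText": text,
            "ExternalLinks": [u for u in URL_RE.findall(text)
                              if is_external(urlparse(u).hostname or "")],
        })
    return rows


def threads(rows):
    """Group MessageTS values under their thread root."""
    grouped = {}
    for row in rows:
        grouped.setdefault(row["ThreadTS"], []).append(row["MessageTS"])
    return grouped
```

Files behind an external link are not in the attachments folder of the export, so each flagged link is a candidate for a separate cloud-storage collection.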
6. Cloud Storage — OneDrive, Google Drive, SharePoint, Box, Dropbox, S3
| Field | Type | Plain-English meaning & note |
| CloudPath | String | Full path within the tenant. Owner-relative for personal drives. |
| SharedWith | String[] | Explicit shares — often overlooked; occasionally decisive on privilege. |
| LinkAccess | String | Anyone-with-link / Domain / Restricted. Affects preservation scope. |
| VersionCount | Int | How many prior versions the platform retained. |
| LastEditor | String | User who most recently touched the file. |
| FileID | String | Platform-immutable ID. Survives renames. |
| GoogleDocsID | String | Native Google-format ID (Docs / Sheets / Slides). Export handling differs from binary files. |
7. Social & Public — LinkedIn, X, Facebook, Instagram DMs
| Field | Type | Plain-English meaning & note |
| Platform | String | Which service. |
| AccountHandle | String | Verify handle-to-custodian mapping in interview. |
| PostID / MessageID | String | Platform-specific identifier. |
| PostType | String | Post / Story / Reel / DM / Comment. |
| PublishedTime / EditedTime | DateTime | Watch for edits between initial post and collection. |
| Visibility | String | Public / Connections / Private list. |
| MediaURL | String | Where the platform hosted the media at collection. |
| EngagementMetrics | JSON | Likes / reshares / comments. Rarely evidentially useful, occasionally revealing on reach. |
8. Network Shares & File Servers
| Field | Type | Plain-English meaning & note |
| UNCPath | String | \\server\share\path. |
| ShareName | String | Departmental share designation. |
| ACL / Permissions | String[] | Who could access. Feeds constructive-knowledge analysis. |
| LastAccessedBy | String | If server logging captured it. |
Practitioner note
Not every field will appear in every vendor's deliverable — and not every field is needed for every matter. The purpose of this reference is to make the absence of a field a conscious decision. If a vendor says "we don't provide that," ask why, and whether it's a tool limitation or a workflow shortcut.