Tornado Terminology
Core Terms
Collection
The process of gathering digital evidence from cloud platforms. A collection refers to a single operation that retrieves specific data types from selected accounts.
Case
A logical container that holds one or more collections and their associated evidence. Cases help organize investigations systematically.
Evidence
Digital data collected from cloud platforms, stored in an SQLite database format for analysis and export.
Platform Terms
Google Workspace (GWS)
Mail Data: Emails, attachments, and settings.
Drive Activities: File sharing and access logs.
Reports: Administrative and security logs.
Admin Data: System configurations and policies.
Microsoft 365 (O365)
Mail Data: Exchange emails and metadata.
Entra Data: Sign-in and audit logs from Microsoft Entra ID (formerly Azure AD).
Admin Actions: System changes and configurations.
Interface Elements
Collectors
Components designed to gather specific types of data:
Mail Collector
Drive Activity Collector
Reports Collector
Admin Collector
Collection Modes
Normal User: Collection using standard user credentials.
Admin/Service: Collection using administrative or service account access.
Progress States
Pending: Collection is awaiting start.
Running: Collection is in progress.
Completed: Collection finished successfully.
Failed: Collection encountered errors.
Technical Terms
HTTP Trace
Detailed logging of API communications, used for troubleshooting and debugging.
SQLite Database
The storage format used for organizing and exporting collected evidence.
OAuth 2.0
The authorization protocol used to obtain access to cloud platforms during collection.
Common Actions
Authentication
The process of logging into cloud platforms to enable data collection.
Export
Saving collected evidence in an SQLite database format for use outside the system.
Collection Configuration
Customizable settings and parameters that define the scope and type of data to be collected.
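The terms above describe a small data model: a case holds collections, each collection is run by one collector in one mode against one account, moves through the progress states Pending, Running, Completed or Failed, and the evidence it gathers is stored and exported as SQLite. The following Python is an added illustration of that model and is not Tornado's own code; the table layout, column names, function names and the sample messages are all constructed assumptions for this example. It enforces the state transitions, hashes each evidence item on insert so the store can be re-verified later, and exports the store to a standalone SQLite file with the backup API.

```python
import hashlib
import sqlite3
from datetime import datetime, timezone

# Legal progress-state transitions: Pending -> Running -> Completed | Failed.
# Terminal states have no outgoing transitions.
TRANSITIONS = {"Pending": {"Running"}, "Running": {"Completed", "Failed"}}

# Hypothetical schema mirroring the page's Case / Collection / Evidence terms.
SCHEMA = """
CREATE TABLE cases (
    id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE, created_utc TEXT NOT NULL);
CREATE TABLE collections (
    id INTEGER PRIMARY KEY,
    case_id INTEGER NOT NULL REFERENCES cases(id),
    platform TEXT NOT NULL CHECK (platform IN ('GWS', 'O365')),
    collector TEXT NOT NULL,
    mode TEXT NOT NULL CHECK (mode IN ('Normal User', 'Admin/Service')),
    account TEXT NOT NULL,
    state TEXT NOT NULL DEFAULT 'Pending'
        CHECK (state IN ('Pending', 'Running', 'Completed', 'Failed')),
    error TEXT);
CREATE TABLE evidence (
    id INTEGER PRIMARY KEY,
    collection_id INTEGER NOT NULL REFERENCES collections(id),
    item_type TEXT NOT NULL, item_id TEXT NOT NULL,
    sha256 TEXT NOT NULL, payload BLOB NOT NULL,
    UNIQUE (collection_id, item_id));
"""


def open_store(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    return conn


def new_case(conn, name):
    cur = conn.execute("INSERT INTO cases (name, created_utc) VALUES (?, ?)",
                       (name, datetime.now(timezone.utc).isoformat()))
    return cur.lastrowid


def new_collection(conn, case_id, platform, collector, mode, account):
    cur = conn.execute(
        "INSERT INTO collections (case_id, platform, collector, mode, account) "
        "VALUES (?, ?, ?, ?, ?)", (case_id, platform, collector, mode, account))
    return cur.lastrowid  # starts in the default state 'Pending'


def set_state(conn, collection_id, new_state, error=None):
    """Advance a collection's progress state, rejecting illegal transitions."""
    row = conn.execute("SELECT state FROM collections WHERE id = ?",
                       (collection_id,)).fetchone()
    if row is None:
        raise KeyError(f"no collection {collection_id}")
    if new_state not in TRANSITIONS.get(row[0], set()):
        raise ValueError(f"illegal transition {row[0]} -> {new_state}")
    conn.execute("UPDATE collections SET state = ?, error = ? WHERE id = ?",
                 (new_state, error, collection_id))
    return new_state


def add_evidence(conn, collection_id, item_type, item_id, payload):
    """Store one collected item together with its SHA-256 for later integrity checks."""
    digest = hashlib.sha256(payload).hexdigest()
    conn.execute("INSERT INTO evidence (collection_id, item_type, item_id, sha256, payload) "
                 "VALUES (?, ?, ?, ?, ?)", (collection_id, item_type, item_id, digest, payload))
    return digest


def verify_evidence(conn, collection_id):
    """Recompute every stored hash; returns the number of items that no longer match."""
    return sum(1 for sha, blob in conn.execute(
        "SELECT sha256, payload FROM evidence WHERE collection_id = ?", (collection_id,))
        if hashlib.sha256(blob).hexdigest() != sha)


def case_summary(conn, case_id):
    """(collector, state, evidence count) for each collection in the case."""
    return conn.execute(
        "SELECT c.collector, c.state, COUNT(e.id) FROM collections c "
        "LEFT JOIN evidence e ON e.collection_id = c.id "
        "WHERE c.case_id = ? GROUP BY c.id ORDER BY c.id", (case_id,)).fetchall()


def export_store(conn, path):
    """Copy the whole store to a standalone SQLite file; returns its evidence row count."""
    dest = sqlite3.connect(path)
    conn.backup(dest)
    n = dest.execute("SELECT COUNT(*) FROM evidence").fetchone()[0]
    dest.close()
    return n


def run_demo():
    """Constructed walk-through: one case, one successful and one failed collection."""
    conn = open_store()
    case_id = new_case(conn, "Constructed example case")
    mail = new_collection(conn, case_id, "GWS", "Mail Collector", "Normal User", "user@example.com")
    reports = new_collection(conn, case_id, "GWS", "Reports Collector", "Admin/Service", "svc@example.com")
    set_state(conn, mail, "Running")
    add_evidence(conn, mail, "message", "msg-0001", b"Subject: constructed sample one\r\n\r\nhello")
    add_evidence(conn, mail, "message", "msg-0002", b"Subject: constructed sample two\r\n\r\nworld")
    set_state(conn, mail, "Completed")
    set_state(conn, reports, "Running")
    set_state(conn, reports, "Failed", error="constructed: reports API returned an error")
    conn.commit()
    return conn, case_id


if __name__ == "__main__":
    c, cid = run_demo()
    print(case_summary(c, cid))
    print("exported evidence rows:", export_store(c, "constructed_export.sqlite"))
```

Running the script prints the per-collection summary and writes `constructed_export.sqlite`, a file that any SQLite client can open outside the collecting system. The hash stored per item is what makes a later `verify_evidence` check meaningful; a database that has been edited after export will show mismatches.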