All Activity
This stream auto-updates
- Last week
-
jmg1288 joined the community
-
Hello, I too have found this procedure to be very helpful, but I have run into some issues with Excel locking up due to the amount of data. I am working with a large volume of emails >20,000, looking for possible phishing attempts. Has anyone had any success extracting URL's from emails using any other method? I am using Intella Viewer 2.2.1. Thank you, Josh
-
McHale Smith joined the community
-
"top 10/100 Web searched keywords", in Insight or as standard facet (under contents analysis)? This may be a next-level extraction after browser artefacts are ready, e.g.: https://www.google.com/search?source=hp&q=cat https://www.facebook.com/search/top/?q=cat ... => cat [32] <-- "cat" was searched 32 times NOTE: make sure you URLdecode parameters, there is more than English out there. Of course the list of search providers can only grow and grow, so proper internal infrastructure is needed. As an even more generic idea, things like file search in Windows (MRU, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery) and potentially other sources 😁(fgrep find /{root,home/*}/.bash_history on linux images)😁
-
APFS support for disk images! It is getting closer to merging with sleuthkit (I hope) https://github.com/blackbagtech/sleuthkit-APFS
-
I recently got asked for a "thumbnail report", i.e. extract certain items and some of their metadata (e.g. ID, file_name) and print them in a grid (say 4x5 on A4)... While it looked easy, I couldn't think of way to do it directly in Intella and resorted to exporting metadata and native format images, then abusing imagemagick to thumbnail them and "simple" Perl/bash "one-liners" for the final layout. Mess! Is there another (internal) way? Are those thumbnails (in thumbnail pane) exportable? Is there any way to have other thumbnails for non-image files? Video may be obvious, but things like PPTX, PDFs (title pages), etc. also come to mind. Finally being able to put that thumbnail in the PDF report somehow would be great! (this sounds more like a feature request, that is why I moved it here)
-
Thinking of a 0.5PB RAID5 evidence storage for a TEAM installation on Windows Server, is there anything for/against ReFS? Performance? Anybody tested/running with ReFS?
-
This is from the just released 2.2.2, release notes 🎉🍾🎊
-
This sounds a bit strange, may be have a look again at that identified item that triggers it. What is the structure as Intella sees it (e.g. the tree tab in the preview)? The closest I had to this (I was called to triage similar situation) was caused by some complex document, I think it was TXT (with the keyword), embedded in a DOCX, attached in e-mail. So while the keyword hit was indeed "in the Word document" and it looked right especially in the native view, there was one extra level involved. I usually told people to repeat the "Show Parent Email" command on the generated set and see if it behaves as they expected. I guess a TXT file attached within EML file attached to another e-mail (in a PST folder) might also produce expected, but not obvious results. Finally, make sure there are no filters involved (Exclude/Include) and deduplication is off. And if none of the above helps, open a ticket 😄
-
Kalin changed their profile photo
-
Well, nothing beats (human) reviewers that know the language in question 😄 in speed-performance and quality; budget-wise it may not be the best option, if at all available (e.g. time-space constraints, confidentiality, etc.) I'd always try to find somebody with good command of the language and train them in Intella (1 hour training + 3-4 hours sitting in the same room), let them sift through the material and tag what might be important. Filter out, deduplicate, etc. something (based on budget) and have it translated by professional. Then add as new source and index (and make sure you get the same filenames/types). You may need to repeat the process a few times. And if you are still looking for someone fluent in Japanese and Intella, just ping me directly.
-
The release is out:
-
Vound is pleased to announce the official release of Intella and Intella Connect 2.2.2. Intella and Intella Connect 2.2.2 are available from the Downloads section in the Vound Support Portal, after logging in with your email address and password. Users with a 2.1.x license need to use the Dongle Manager to update their dongle to the 2.2.x license. Please read the Release Notes before installing or upgrading, to ensure you do not affect any active cases. Highlights Indexing improvements, including support for Outlook for Mac OLM files. Configurable message hashing algorithm, letting the user control the degree of deduplication on email messages. Extended command-line arguments, allowing for better automation. Various redaction improvements, including setting the redaction rectangle’s color. The redaction functionalities added in the 2.2.1 version are now also available in remote cases.
- Earlier
-
No until I see this advice. Just checked and it worked like a charm. Thanks, Jon!
-
Hi jmacedo, have you looked at the Event log? That shows individual searches that users make.
-
Hello, everyone, Just rising up this question, I'm looking to audit what keywords and expressions the reviewers has used or are freely using (terms not included in the previously created and authorized wordlist). I could not find it on the case log folder/files or even looking at other direction suggested by section 31 from the Intella 2.2.1 version. Did I miss any point looking at this? Is it even possible? Thank you!
-
Case merge / Tag import
jon.pearse replied to Lukasz M's topic in Intella 10, 100, 250, Pro and TEAM
Hi Lukasz, you can export a Work reports from cases A 1 & 2. Those work reports can be imported into case A. Please see the user manual for more details about Work reports. -
Hey, As several members in my team are reviewing the same case, we are usually importing cases to 2+ external harddrives (still, same case). So, we have user 1 and user 2, we have case A, and we have case instance A.1 and case instance A.2, right. Is there an easy way to import all the tags from A.1 to A.2? Thanks for support.
-
Auto-tag with Exclusions
Bryan La Rock replied to Bryan La Rock's topic in Intella 10, 100, 250, Pro and TEAM
Thanks, Jon. I appreciate the response. Bryan -
Tree structure for tagging in Review
jon.pearse replied to dgilbert002's topic in Intella Connect Feedback
Hi Dean, At this point you can only have 2 levels of tags when creating coding layouts. That means that this will work: Objective 2: Harassment - Email evidence - Witnesses discussion incident This will not work: Objective 1: Vehicle Theft - Vehicle Trackers - (GPS disconnected)~3 - (deactivate tracking)~3 Changes may be available in a future version which will allow for more than 2 levels of tags. -
Auto-tag with Exclusions
jon.pearse replied to Bryan La Rock's topic in Intella 10, 100, 250, Pro and TEAM
Hi Bryan, I think the best way to do this is what you have already mentioned. First run list A, then run an 'Exclude' search on list B. Note that the items shown are items from list A, less the items returned from list B, so tagging what remains (shown in the table) will not tag everything from list A. -
jinhopark7793 joined the community
-
Hi there Was wondering if there's a way to use the same Tagging structure that is set up - in a Review (coding) layout. Presently we see all the tags in a dropdown list during coding/review, but often it gets complicated to understand which tag to use in respect of it's parent. For example, during an investigation, we set up objectives, each with keywords run to prove/disprove the allegations per objective. Each objective may have a number of categories and then tags. When pushing these search terms, per category, per objective - we then need the tag for that structure to be accessible as a tree? i.e. the tagging layout would look like the below, and would be good if we could tag the documents as "Vehicle Theft->Vehicle Trackers->Hot" and this then combines the first level review to the respective tag? Objective 1: Vehicle Theft - Vehicle Trackers - (GPS disconnected)~3 - (deactivate tracking)~3 - Guards at Gate Objective 2: Harassment - Email evidence - Witnesses discussion incident First Level Review - Hot - Not relevant - Follow up Any advice would be greatly appreciated.
-
dgilbert002 joined the community
-
Hi! I would like to auto-tag items via a keyword list--but only if those items do not contain exclusionary keywords. In other words, I want to tag all the items that contain the keywords from List A but *do not* contain the keywords from List B. I know that I can run List B and exclude the results. If I then auto-tag List A, however, all items from List A are tagged, ignoring the exclusion of List B. Does anyone know of a good way get this task done efficiently? I can do this manually by auto-tagging List A, then running List B, and removing the tags of items contained in both lists. The extra steps of this process invite human error, though, so I'd prefer not to have to do it this way. Any advice would be greatly appreciated. Thank you very much! Bryan
-
Embedded Images in Emails
jon.pearse replied to ifinch001's topic in Intella 10, 100, 250, Pro and TEAM
Hi ifinch001, If these are proper signature block images then these should normally be identified as embedded. There might be something in the email that makes it that these are not processed as such. We will reply to your support ticket as we will need a sample for testing. -
sindhu joined the community
-
I had a question regarding embedded images on emails and if someone has a workaround, it would be appreciated. Test Environment: Intella 2.2.1 and a single email with 0 attachments, but multiple embedded images. Specifically, the embedded images are signature block pictures, a image that was copy-pasted to the email, and another of unknown origin. My goal is to be able to index that email and get a result saying that there is only a single item in the index. More specifically, I want to PREVENT Intella from peeling out the images found in an email unless they are explicitly attached to the message. If an image was a traditional attachment to the email, of course I would want that separated into its own item. Here are my tests. First, using default settings, the index resulted in 5 family items - not what I need. Second, unchecking the option in the "Add New Source" prompt under "Items" for "Index images embedded in emails and documents," the index resulted in 5 family items - again, not what I need. Based on the "?" explanation on the same page for the indexing embedded images option, I would expect this to solve my problem, but it does not. Based on what I am seeing in the metadata from the indexed email, it appears that Intella is interpreting the embedded images as attachments, which I would consider to be fundamentally incorrect. As for my question, is there any way for me as a user to manipulate the Intella indexing process in a way that prevents the split of embedded images (sig blocks are generally the biggest issue) as separate items in the index? In other words, is there something I can do in the above test that results in only a single email in the index as opposed to an email and 4 embedded images? I will say that an E-Discovery tool that we use for specific situations classifies all 4 embedded images as such and has a toggle to prevent the images from being separated as individual files from the parent email. Please let me know if this needs further clarification.
-
Hi! I have two questions regarding OCR. First, is there any easy way to keep track of progress and see how many docs remain to be OCRed? I am usually OCRing via a command-line script immediately after processing (using a Task file). The command output simply says "Post-processing", so I don't know how many OCR candidates were identified. I see that files are being created in the following folder in my current case: .\tmp\ocr-service9057841158103284728. It looks like the final OCR results are being placed in the "ocr-results" folder here, so that seems to be a good number as to how many files have been OCRed thus far. I just don't know how many files are still going to be processed. Also, I notice that when OCR finishes, this "ocr-results" folder is immediately deleted. Is there any way to prevent this? I like to keep keep OCR results for future use. Sometimes, we need to ingest new data that contains a lot of duplicates of files already OCRed. It would be fantastic to just be able to import the OCR results for these rather than need to OCR them all over again. I'd appreciate any ideas for the above. Thank you! Bryan
-
Okay, so about that - I decided to RTFM and it just isn't in the spot that I was looking for, could have saved a few hours yesterday by starting with the manual. Disregard.
-
In Intella, there is the ability to choose which columns are listed for sorting - but I don't see that option in the version of Intella Connect that we are currently using (2.0.1.1). Is that something that updating to the latest version adds, or is it something in the pipeline?
