admin

Administrators

Everything posted by admin

  1. Hi Adam, This may not be the issue but worth mentioning. Windows update restarts - I have lost a lot of indexing time to restarts. I now run the following reg file with each new build to stop this.

     Windows Registry Editor Version 5.00

     [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
     "NoAutoRebootWithLoggedOnUsers"=dword:00000001
  2. Hi Adam, I would like to look into the issue. I and many others I know do cases 10 times that size on a daily basis. Must be some reason that we can track down. Here are a few questions to get us started. I have filled out the answer from your post. Please note we really need the answers to the questions marked Important.

     1. System Questions
     *. Intella Product you are using? [Example - Intella 250]: TEAM/Connect
     *. Release number? [Example - 1.7.X]: 1.7.3
     *. Operating system? [Example - Windows 7/32 bit]: Windows 7 64bit
     *. RAM installed? [Example - 8 gig]: 24
     *. Have you adjusted the RAM as per section 4.3.7 Memory settings of the Intella User Manual to meet the capacity of your case? [Example - Dintella.serviceMaxHeap=XXXXM]: Important

     2. Case and Source Data
     *. Type of source data being indexed [Example - PST files only]: PST, NSF, Docs.
     *. Type of drive evidence is indexing from [Example - local drive (note using a USB2/3 hard drive or a network drive is not recommended)]: Important
     *. Type of drive case is stored on [Example - local drive (note using a USB2/3 hard drive or a network drive is not recommended)]: Important
     *. Is the evidence and case on the same disk? [Example - Yes | No (note you should be using 2 disks)]: Important
     *. If you are using a USB2/3 hard drive or a network drive for either of the above, how have you ruled out whether the issue is related to the drive? [Example – we moved the case to a local drive and the issue persists]: Important
     *. Has the evidence or case been moved from where it was indexed? [YES | NO]: Important
  3. Repairing corrupted Lotus Notes files

     Problem: NSF files are corrupt and cannot be indexed by Intella.

     Solution:
     IMPORTANT: Please use these steps while working on a copy of your data as it will make some changes to the data.
     The following steps will check and possibly repair corrupted NSF files.
     Open a command prompt and change the directory to your Lotus Notes program directory.

     Enter the command: nfixup.exe X:/.nsf (+enter)
     This command initiates a general scan of the NSF file and tries to repair it when corrupted. After completion index the NSF file again with Intella. If you still have an issue indexing, continue with the following step.

     Enter the command: ncompact.exe X:/.nsf (+enter)
     This command compacts the NSF file. After completion index the NSF file again with Intella. If you still have an issue indexing, continue with the following step.

     Enter the command: nupdall -r X:/.nsf (+enter)
     This command rebuilds the entire NSF index. After completion index the NSF file again with Intella. The answers would help.

     Please note: If you have more than one NSF file, you can use the commands listed above on a directory of NSF files by entering the directory name and not the NSF file name. For example: nfixup.exe X:/
  4. I agree Adam. "A shoemaker must stick to his last." Intella is a Forensic Search Tool. We are not trying to recreate EnCase or FTK like others are trying to do. Our goal is to make searching and understanding of user created data accessible to a wider range of people and professions. We have lots more to add to Intella but so far we think we are on the right track. Should also be said that Internet Evidence Finder is an impressive piece of software and would be a hard act to follow.
  5. Hi Dave, We have toyed with the idea of adding the internet history several times. The issue for us is how to display the results. Example: files like email and Word docs have metadata, body content and so on and are naturally listed as single items in Intella. Index.dat (and the others) are more like a spreadsheet. How do we show that in Intella? To make the search useful we would need each line as an item. Potentially adding 1000's of items. If you have any suggestions on showing this please do share them. Something we could look at if we find the right balance in showing the results.
  6. How to Test Keywords Queries

     Our Support Team is often asked by our users how to structure a search query(s) using the available Intella search options. Often the user will send in a long list of queries and ask us to help them understand which ones they can use, or ask us to come up with a list of search terms based on a description of what they are hoping for.

     Unfortunately we are unable to test queries for customers as part of support. We don't wish this to sound unhelpful; however, there is usually not one single query but a range of queries and methods needed to get to the final goal. Experience tells us that trying to do a search in one string can oftentimes be more time consuming (working out the query) and much less effective than doing it with a number of searches, filters and tags. This is also consistent with the approach of searches, filters and tags we teach in our training class.

     Secondly, without access to the data it would take Vound support hours to try and recreate the customer's scenario with no guarantee that we can supply the answer the customer is looking for. Hence we cannot justify the time and effort of trying to find one Über query.

     Whether you are looking for syntax advice, how to structure a query or what steps to take to find a set of results, our suggestion is that you do the following tests. The tests only take a few minutes to do and will lead to much better results and understanding of Intella.

     Typical Support Question

     Dear Support, we need your advice on creating a search that will only find documents that contain all of the following:
       • As a single phrase business analyst
       • anywhere that the words business OR analyst are within 10 words distance of responsibilities
     We tried the query below but it failed as invalid! And we don’t understand why?

     (("business analyst" " analyst responsibility) /6 (response*)) OR business? AND analyst

     Suggested Test Method

     To begin with, we need to perform a test to check the validity of our search syntax.

     To start the test we create four or more text files. In three files we ensure that the single term appears amongst other text. We add extra text to each document because if you need to find car within 10 words of bus, “car bus”~10 you will need a document with 1 – 10 words between those terms to test effectively. It also makes the test more realistic and possibly shows false positives if you use similar terms in the test, eg car-port, bus stop. In a fourth text file we add all four terms, again amongst other text.

     We find the easiest way to generate text is to Google the term and select a Wikipedia article. Then copy and paste a paragraph that has the terms we want, eg for the term business analyst see http://en.wikipedia.org/wiki/Business_analyst

     Once we have all four text files we index the four files in a folder and test the best options. Then we can scroll through looking for the perfect search, and testing for validity of a term.

     Example:

     Query | Result (Total Count returned)
     "business analyst" "business responsibilities" "analyst responsibilities" | 0
     "business analyst" (business OR Analyst responsibilities) | 0 (Fails as the OR in () is invalid)
     "business analyst" business OR Analyst responsibilities | 4
     "business analyst" "business responsibilities"~10 "analyst responsibilities"~10 | 1 – Winner!

     Notes

     Using Correct Search Language

     Commonly users will send a list of queries that use search language other than that used in Intella. For example: ” /n, eg duty /5 care – This is a proximity search for a different tool. It will fail to work with Intella. Do use the manual to find and use the correct queries.

     The Words Tab Advantage

     Another useful keyword testing method is using the Words tab to see what specific words Intella has listed in its index. For example, if you review the 4 documents produced for our search above you can see that the Words tab lists the word ”BA” short for Business Analyst. Very useful to know as it now changes the search to something like

     BA "business analyst" "business responsibilities"~10 "analyst responsibilities"~10

     Take advantage of the Words tab to help you understand how Intella has indexed specific words. The Words tab is also useful for looking for numbers, and to understand how punctuation and special characters are indexed. For example sarbanes–oxley act

     These tests can be used to test the validity of a search, find which words you can search for or find the best single query to use specific to your evidence.

     Attached are the four text files I used in the example above. Please feel free to test this method for yourself. It will also help you to learn the types of searches Intella can perform. Please do feel free to add your tips to this thread for others to use.

     ALL-TERMS.txt, PART1-TERMS.txt, PART2-TERMS.txt, PART3-TERMS.txt
  7. Hi, you could look at the Words tab for all items to see if a number like that was indexed.
  8. I should also note that the site does not follow its own advice. The site relies heavily on JavaScript and worse, they use 3rd-party JS libraries and WordPress. WordPress is patched for security holes a lot more often than Java. Seems they can give advice but don't care to follow it..... Does your own site use JavaScript?
  9. Phil, The website you list offers very poor advice on removing "Java". You will suffer no end of inconvenience and be no more secure. Java is the first or second most used programming language, so expect to see more of it and not less. It will have bugs as do all other languages, platforms and devices. Again I stress the advice on that website is poorly explained (see links below) and on the whole bad advice. The mere fact that you have to run a second browser is proof of how inconvenient his advice is. If you are intent on doing this you should think of blocking PHP sites. Those can also do harm http://php.webtutor.pl/en/2011/05/13/php-code-injection-a-simple-virus-written-in-php-and-carried-in-a-jpeg-image/ . Please see these links...
     http://www.java.com/en/download/faq/java_javascript.xml
     http://stackoverflow.com/questions/245062/whats-the-difference-between-javascript-and-java
  10. The framework that Connect is built on does not use OpenSSL and is therefore not affected by the Heartbleed bug. More info at: http://blog.restlet.com/2014/04/09/openssl-security-update-heartbleed/
  11. Vound is pleased to announce the official release of Intella, Intella TEAM and Intella Connect 1.7.3. Intella 1.7.3 is available for download from the Vound Support Portal after logging in with your email address and password. It is located in the downloads section of the support page.

      Highlights of the newly released Intella v.1.7.3. and Intella Connect v.1.7.3. include:
        • Support for redaction of items, where reviewers can mark legally privileged or sensitive information within an item’s text, metadata or graphical content to black it out when exported to PDF or load file. (Intella and Intella Connect).
        • Export sets allowing for better export management by letting the reviewer reuse export settings and continue item numbering from previous exports. (Intella).
        • A new authorization engine enabling the creation of flexible authorization rules based on user roles and permissions. (Intella Connect).
        • A fully featured export wizard allowing for the creation of highly customizable export packages directly from the web browser. (Intella Connect).
  12. Hi Kiwibarrister. Have you looked at using the export to CSV feature? Would you be able to give an example of what you are looking for?
  13. Hi FDR, It looks like your .nsf's are password protected. You will need to have or remove these before you can work with the .nsf files. The simplest thing to do would be to ask the Lotus Notes admin who supplied the .nsf files to remove the password before they give them to you. Or you can add the Notes ID and password to the key store. Section 4.1.4 and 9.4.2 of the 1.7.2 manual discuss how to do this. By default you will not be able to decrypt many S/MIME or PGP emails until you have installed the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files in Intella’s installed application files. Due to US export policies we are not allowed to distribute these files as part of Intella.
  14. Hi FDR, Do you know if the files are password protected, encrypted or use a Notes ID file? What message do you get if you try and open the .nsf in Lotus Notes rather than Intella?
  15. Hi Adam, Good question! Eudora can be a trap for new players. Eudora uses an MBOX file format that is different to other MBOX files. You will need to do some pre-processing to be able to index them. We also suggest reviewing the headers and contents to ensure you have not missed anything after the convert. Two links for you that will point you in the right direction.

      http://qwerky.50webs.com/eudorarescue/
      Eudora Rescue - is a Windows command-line utility designed to convert Eudora mailbox files to standard mbox format. The current version is 0.7.

      http://en.wikipedia.org/wiki/Mbox
      Modified mbox - Eudora uses an mbox variation where a sender's e-mail address is replaced by the constant string "???@???". Most mbox clients store incoming messages as received. Eudora separates out attachments embedded in the message, storing the attachments as separate individual files in one folder.
  16. Hi Kalin, Are you able to supply some sample data? We may be able to add support.
  17. Hi Glenn, Extracting embedded URL's to a CSV. This will need some work between Intella and Excel or Notepad++ type tool.
      1. Export > Words > All Words in case
      2. Open in Excel > Filter on the Text Field > select all and copy to new table
      3. Search for @ select all and clear contents > This will get rid of email addresses...
      4. Search for www select all and copy to new table
      5. Search for .com select all and copy to new table - sure you could do a .net, .org, .co.uk all at the same time...
      6. .........
      This process does need some work to perfect. You could probably write a small Perl script or Notepad++ macro to do this for you... If you do please share the results here so others can benefit along with you..
  18. Hi Glenn, I am sure there is more than one way to do this. Here are 2 rough processes that should get you most of the way there...

      1. Use the Location facet to load all sources
      2. Use the Type facet to Include Email messages
      3. Open the Column Chooser, Select, "Attachments" and "Type"
      4. In the results view sort by "Attachments"
      5. Highlight the items that have attachments of interest and tag.
      6. Export items in that tag.
      7. Optional based on need - Use Parent options to export only Top-Level parents.

      A. Create a Keyword list with the extensions you are looking for
         *.exe
         *.scr
         *.msi
         *.html
         *.htm
         *.XXX
      B. Run the Keyword List
      C. Use the Type facet to load all emails
      D. Review the overlap Cluster between the KW list and the email Clusters using the "Attachments" Column..
      E. Tag and export.
      F. Save results as a saved search for reuse.

      You will need to do some tweaking of these approaches to get it right. It will also require some visual review to select the attachment types of interest. Hope this helps.
  19. Hi - Some work was done on the previewing of HTML in the 1.7.2 version. Are you able to try the same in that version... When you do, look at the Preview Tab (now moved next to the Content Tab) ... Please let us know your results and we will see if we can improve if need be....
  20. PF1, I would use the Keyword list as such.

      "red orange"~10
      "red pink"~10
      "red yellow"~10
      "blue orange"~10
      "blue pink"~10
      "blue yellow"~10
      "yellow orange"~10
      "yellow pink"~10
      "yellow yellow"~10

      Then use the clusters and tags to sort...
  21. Here's what I would like to do:

      Select custodians
      Location facet and choose the custodian files you wish to search and use the Include search

      Add date parameter
      In the Date facet select the range you want and search.

      Build a search string (this AND that) OR (this OR that) etc
      In the main search field create your search. Or use a keyword list to search a number of terms at one time. Note you can use search operators in our keyword lists. Example

      ------------Keyword list-------------
      Look
      See
      Find
      Ne?t
      Tim*
      (desktop OR server) AND application
      "John goes home"
      "desktop application"~10
      _______________________

      Exclude the email footer
      This is not possible in the current version but will be soon.
  22. Hi Phil, You can add a header or footer in the load file section. Export Highlighted Results > Load Files > 5th screen Headers and footers...
  23. Hi Daniel, Strange indeed. I would expect no more than 3 hours for that case. The slow indexing speed points to a problem somewhere. Would you have the time to try the following:
      1. Try the case on 2 drives. One for the case file and one for the evidence.
      2. Try the case on a non-SSD drive - I know this sounds silly but worth ruling out.
      3. Send us the logs
      Can I ask if you are using the 64 bit version or the 32 bit? Are you using 1.7.1?
  24. Vound is pleased to announce the official release of Intella and Intella TEAM 1.7.1.

      Intella 1.7.1 is available for download from the Vound Support Portal after logging in with your email address and password. It is located in the downloads section of the support page.

      Highlights
        • A new Social Graph visualization shows the communication flow between email addresses.
        • Added support for OCR-ing items in the case.
        • The Email Address facet now lets the user group contacts by host name, sort contacts by name or address, and filter the list of contacts by filtering with user-entered text.
        • Added access control facilities to TEAM case sharing.

      Release Notes: https://www.vound-software.com/docs/1.7.1/Intella-1.7.1-Release-Notes.pdf

      Special Offer to Intella Clients
      Vound recently launched Intella® Connect, a Web-Enabled Platform for eDiscovery and Forensic Search. To enable our valued customers to better understand how Intella® Connect can streamline eDiscovery and investigations tasks, we are proud to announce that existing customers owning a current copy of Intella 250 or above can apply for a three month Intella® Connect license at no cost. Please see this link for full details: https://www.vound-software.com/connect-trial

      Note: Users with 1.6 activated dongles need to use Dongle Manager.exe to update their dongle to 1.7. [Dongle Manager.exe instructions here]

      For additional information, please contact our support department by submitting a support ticket on our website. Please consider joining our community forum to meet and exchange usage tips with other Intella users: http://community.vound-software.com.
  25. Hi Jerry, Could you let us know what version you are using? It will help with the answer.