Everything posted by Jacques B

  1. Hi, I know some have deployed Intella Connect in the cloud and used a dongle server (or dongle sharing software) to manage the license. Does Vound offer a server license instead that would be installed on Connect/Node servers instead? Our concern with using a dongle sharing solution is if connectivity is lost with the dongle, the application stops running. Thanks, Jacques
  2. Thanks, I'll try that and see how it works. I'm constantly looking at what I can auto-tag for investigators to provide them with an overview of the type of data in the case. They can then use these tags to immediately start identifying content that is either not relevant, or potentially relevant. This is especially useful to tag emails from social media sites for example. An investigator may not think to look for that. But seeing it tagged will help them think of other types of emails as potentially containing relevant info (e.g., showing connection between parties by their interaction on social media generating a notification email). Jacques
  3. This would certainly be one way to get a quick summary. In absence of that, when you select a facet (e.g., Type), you will see how many items there are of each type in your responsive list of items. Not a nice summary, but a workaround pending something like you suggest. And of course, you could export the list to Excel and do that yourself in Excel. But I get that you are looking for a solution in Intella. Just a suggestion in case you had not thought of it and it's something you need for a case.
  4. It would be great if Intella Connect implemented something like Faster Whisper (https://github.com/SYSTRAN/faster-whisper) to automatically transcribe audio from audio and video files and index the transcribed content within the case. A counterpart said they are using it with Nuix where Nuix uses its API to reach out to Faster Whisper they have set up to transcribe, and feed it back to Nuix. Intella could one up them by doing it all seamlessly by allowing us to point to a Whisper server similar to pointing to Node :). Or incorporate it directly into Intella so we don't have to set up our own instance of Whisper and make sure it's properly configured.
  5. I think I found my answer here: https://vound-software.com/docs/intella/2.6/#_tokenization_and_special_characters I believe that's a change with 2.6.
  6. I'm trying to create a task to search for emails from Expedia and tag it as Travel. If I search for expedia.com, it finds those (6 emails) as the name that appears in the from field is Expedia.com, and the sender is actually expediamail.com. If I search for "expedia.*" or "expedia." (field specific "from" or "sender"), it produces 131 responsive emails. But many of the hits are where the word "expedia" is in the from/sender field, but not "expedia.". It's producing responsive emails that do not have the period. If I escape the period, it doesn't change anything. I know the period is not a special character. But it seems to be behaving like a period in a GREP expression, as the highlighted hit seems to be "expedia" followed by a space. I was hoping to search for "expedia.*" so that it would find expedia.com, expedia.ca, expedia.co.uk, etc. But the fact that it's hitting on Expedia followed by a space, I'm presuming it wouldn't yield the expected results. Is there something I should be doing differently?
  7. OK, thanks @Marco de Moulin. That isn't very practical if it has to re-index everything. Or can you tell it to skip what's already been indexed? If not, that can add a lot of time to a case if you have 3 or 4 crawler scripts you want to run against a case with 500,000 items in it for example. If the above is the case, the approach for now will be to pick the crawler script that provides the most value for a specific case and only run that one unless the value of additional scripts outweighs the additional processing time. Jacques
  8. OK, thanks @Marco de Moulin. The script for blank subjects ran correctly. Thanks for having shared it. When you do that, does it re-run everything from processing (indexing, tasks)? Or are you able to only run a script? Jacques
  9. Hi Marco, I finally was able to get Intella Connect upgraded from 2.5 to 2.6.1. I'm currently running your script to look for blank subjects (or single space) by reprocessing a small collection of emails. I do have a question about the scripts. Can you run more than one script against evidence being ingested? And are you able to have it in a template of a case much like tasks? As I shared earlier, I created a case template and have it run a bunch of tasks. But for scripts, so far I'm only seeing where you can select that when adding a source. And I'm getting the impression you can only run one script. Thanks, Jacques
  10. I see this is an old topic, but I figured I'd chime in. If you are exporting the results in native format, then clearly that would not be something you'd be able to do as you'd be changing the file (and it may not be possible to highlight text in a particular file format). If it's exporting everything to PDF, I'm not sure. Are you thinking of the latter? I'm thinking at minimum you'd be able to produce a report that breaks it down by keyword. So a user would know what keyword triggered the inclusion of a file in a report and they could search for it themselves.
  11. Thanks Marco, It would be great to incorporate even the part that counts the # of %%EOF in a PDF and displays that in a custom column. That would alert the reviewer to the fact that a PDF has prior versions (that may or may not be recoverable, but knowing is half the battle). That would be a very easy (and short) Python script. Jacques
  12. Hi Marco, It's one of our investigators who mentioned that it's one of the methods they use, the premise being that someone sending something to themselves or someone else that is not work related (and thus possibly related to the misconduct being investigated) may skip putting in a subject. I don't know if it materialized into producing evidence. But I thought it was a good approach so I want to add that to my initial pre-processing and tag all such emails automatically for the investigators who want to avail of that approach. Jacques
  13. Thanks. I'm looking forward to exploring the power of crawler scripts. I know you have a discussion on that specifically and I'm excited to see how I can make use of it. I am pleased that it supports Python as that's the language I am familiar with.
  14. Thanks Marco, I'm currently running 2.5 (waiting for license renewal to go through to upgrade to 2.6). Are Python scripts supported in 2.5 as well? Jacques
  15. Is there a way to search for all emails where the subject is blank? I know you can display all emails and then reverse sort on subject to group them together. But I'd like to be able to identify them using a search term, and then tag them. I run several tasks after processing to tag stuff for the investigator. See attached listing the processes that I run on a PST (we are a MS shop). Intella Tasks and Tagging Overview_Redacted.pdf
  16. Hi Chris, The offline option sounds great. I clicked on the link to learn more about it, but it's a dead link. Do you have an updated link?
  17. This is really interesting, and I can think of other use cases where you call upon a Python script to enrich the output from Intella. e.g., a script to search for "%%EOF" in a PDF and add a custom column denoting the count. That would alert the reviewer of the existence of prior versions of the PDF. They could copy it out and run the BASH script I've shared in this section to parse that out. What I'm not clear on from the above is: do I write a Python script and somehow call that script within a crawler script? Or are crawler scripts written in Python and added to Intella Connect?
  18. All, I wrote a Python script to parse various artifacts from a MS Word document and dump it to 4 different worksheets in an Excel file. A few colleagues and I are using the script to help us with some testing of scenarios in MS Word to see how artifacts are impacted by different actions. https://github.com/jjrboucher/MS-Word-Parser For example, did you know that if you upload a DOCx to Google Docs, and later download it back to your computer, Google Docs strips out core.xml and app.xml, thus you lose the author and created date among other metadata? And if you subsequently edit that newly downloaded document with MS Word, MS Word will add core.xml and app.xml, and set the created date as the date it edited the newly downloaded document, as it adds core.xml and app.xml at that point. I know of someone dealing with a situation where a LNK file shows a created date in June for a DOCx on a USB drive. The document was no longer on it, but they were able to recover it. The metadata of the document shows a created date in July. After I explained the above scenario to them, they said it made perfect sense based on their knowledge of the case. Best, Jacques
  19. Here's my GitHub repository of a BASH script I wrote to parse PDFs. https://github.com/jjrboucher/PDF-Processing It runs several different commands against it, plus I added my own processing to it, looking for previous versions of a PDF within a PDF (explained in the ReadMe on GitHub). Best, Jacques
  20. Hi Chris, Sorry for the late reply, I hadn't logged into the forum in a while. Most definitely, please share it with whomever. It's public on GitHub. I've since also shared a Python script that I use to extract info from DOCx files as I do some research on them. https://github.com/jjrboucher/MS-Word-Parser That is also a public repository you can freely share. I actually went ahead and posted both to that forum. Great to see others contributing as well! Best, Jacques
  21. Hi Chris, Up until recently, we didn't know about this availability. I had heard about it some years back, but at that time was working in a law enforcement environment so document forensics was not the main focus. In my current role, it's more prevalent. I already had the script to process PDFs to automate my process. I added the feature to carve prior versions recently. An investigator in another agency successfully used it on a PDF they collected as part of their investigation relating to a fraudulent expense claim by a staff member. They were able to recover two prior versions of the document, showing how the user edited the document, and the date/time of those edits (because each version contains the metadata from that version, including the modified date/time). For images, I know of a case where images were extracted from a PDF. A reverse image search (OSINT) of the signature on a medical invoice revealed that it had been copied from a children's website. It wasn't a doctor's signature. As a workflow, extracting prior versions of a PDF and all embedded images from each version would allow an investigator to see (and search) across these prior versions, and see the images in the gallery. If you are looking at a PDF in Intella, it would be nice to have a tab with prior versions, or a link on the left to apply a filter to see prior versions much like you can see a parent item. So when the investigator is reviewing a relevant PDF in an email attachment, or from a computer forensic image, they would have a visual indicator of the existence of prior versions of the document. Those prior versions (if available) become compelling evidence of tampering/fraud. Jacques
  22. Disregard - The issue is one of permission on the share. I just tested it by giving "Everyone" permission and it works. Now I need to remove that and put the proper network user.
  23. Actually it looks like it might be a permissions issue on the case folder. If I try to create a new case, I get an error. It can't create the folder.
  24. Hi Marco, I was able to get Node properly installed (2.5.1). Because we had Connect initially without Node, the case and evidence is on a storage array connected locally to the Connect server. I created a network share on the Connect server for the case folder, and one for the evidence. I added both to the Shared File System (one for cases, one for evidence). When I try to process evidence, it says Node can't access the case on the E: drive (which is the local path on Connect). I stopped sharing a case, removed it from the list, stopped auto discovery and changed it to monitor the network share thinking it would find that case and then work. But it's not finding it. If I disable auto discovery and try to manually add the case on the network share, the option to add it is not clickable. Only if I navigate to it via the local drive option. I've tried restarting the server once after making the change initially without luck. Is the above correct for configuration given our setup? All evidence and cases on the Connect server. Share set up for each in both the OS and in Intella Connect under Servers. It's not auto discovering a case after changing the path to the network share path. And it's not allowing me to manually import a case (with auto discovery off) if I navigate to the network share on Connect. Only if I navigate to the local drive. But clearly Connect must be designed to watch a network share if the recommended setup is that both cases and evidence sit locally on Node. And Node must be able to process content on a network share given you can have several Nodes, so it won't be local to all of them. The only other thing that comes to mind is that HTTPS is configured on Connect for users connecting to it. But it's not set up on Node (so not enabled). I'll worry about that after I get the above to work unless it's needed to work (which I don't get the impression that's the case). Based on the above, what is the likely issue I'm encountering?
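As an added example (not code from Jacques B's GitHub repositories or from Intella), the %%EOF counting and prior-version carving described in posts 11, 17, 19 and 21 above, in Python: a PDF saved with incremental updates keeps every earlier revision in the file, so truncating after each %%EOF recovers that revision and its own /ModDate. The sample PDF bytes are constructed and simplified (xref offsets are placeholders), and all function names are my own.

```python
import re
from typing import List, Optional

# Every PDF revision ends with a trailer and an %%EOF marker; an incremental
# update appends new objects, a new xref and a new trailer after the old %%EOF.
EOF_RE = re.compile(rb"%%EOF\r?\n?")
MODDATE_RE = re.compile(rb"/ModDate\s*\(([^)]*)\)")

# Constructed, simplified sample: a one-page PDF whose "Amount" was edited in an
# incremental update. The xref tables and offsets are placeholders, not valid ones.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"4 0 obj\n<< /Length 42 >>\nstream\nBT (Amount: 100) Tj ET\nendstream\nendobj\n"
    b"5 0 obj\n<< /Author (J. Doe) /ModDate (D:20240615120000Z) >>\nendobj\n"
    b"xref\n0 6\ntrailer\n<< /Size 6 /Root 1 0 R /Info 5 0 R >>\nstartxref\n0\n%%EOF\n"
    # incremental update: object 4 and the Info dictionary are replaced, old bytes stay
    b"4 0 obj\n<< /Length 43 >>\nstream\nBT (Amount: 1000) Tj ET\nendstream\nendobj\n"
    b"5 0 obj\n<< /Author (J. Doe) /ModDate (D:20240716090000Z) >>\nendobj\n"
    b"xref\n0 1\n4 2\ntrailer\n<< /Size 6 /Root 1 0 R /Info 5 0 R /Prev 0 >>\nstartxref\n0\n%%EOF\n"
)


def count_eof_markers(pdf: bytes) -> int:
    """Number of %%EOF markers. More than one usually means prior versions are present.
    Caveat: a linearized PDF also carries two markers without any user edits, and a
    literal %%EOF inside an embedded stream would inflate the count."""
    return len(EOF_RE.findall(pdf))


def carve_revisions(pdf: bytes) -> List[bytes]:
    """Truncate the file after each %%EOF: revision n is the first n saves, oldest first.
    Each carved slice is the complete file as it existed when that version was saved."""
    return [pdf[:m.end()] for m in EOF_RE.finditer(pdf)]


def latest_mod_date(revision: bytes) -> Optional[str]:
    """The /ModDate written last in a revision is the one in force for that save."""
    dates = MODDATE_RE.findall(revision)
    return dates[-1].decode("latin-1") if dates else None


def revision_history(pdf: bytes) -> List[Optional[str]]:
    """Modified date/time recorded by each embedded version, oldest first."""
    return [latest_mod_date(rev) for rev in carve_revisions(pdf)]


if __name__ == "__main__":
    print("%%EOF markers:", count_eof_markers(SAMPLE_PDF))
    for n, (rev, stamp) in enumerate(zip(carve_revisions(SAMPLE_PDF), revision_history(SAMPLE_PDF)), 1):
        print(f"revision {n}: {len(rev)} bytes, ModDate {stamp}")
```

Each carved revision can be written out as its own .pdf file and opened or indexed like the original, which is what makes the earlier "Amount" and its ModDate reviewable side by side with the final version.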