Jacques B

Everything posted by Jacques B

  1. It would be great if Intella processed prior versions of a PDF, and extracted images from each version. I've written a BASH script to run different processes on a PDF, including looking for prior versions within the PDF and extracting them. You can find the script here: https://github.com/jjrboucher/PDF-Processing I also provide a sample PDF in a subfolder for testing. And in a subfolder of that folder, a copy of the PDF at each edit step so you can compare what is extracted from the final PDF with what each version looked like. You will note the hashes will match. This won't work in every case. But when it does, it's great. Extracting images from only the latest version of the PDF will result in missing stuff. In the sample file I provided, you will note that the images from the current version of the PDF will not include an image that is extracted from a prior version. Hence it's important to extract images from every version available. In Intella, the prior versions could maybe be children of the actual PDF, as would the images (children of their respective version). All associated metadata in each prior version is as it is for that version, so that is additional info you can get when extracting prior versions.
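An added example of the prior-version idea described in the post above. It is not the script from the linked GitHub repository and not the author's code: it is a small Python illustration of why the hashes can match. An incremental PDF save only appends (new objects, a new xref section, a trailer, then `%%EOF`), so the file prefix ending at the k-th `%%EOF` is the file exactly as it existed after the k-th save. The sample PDF bytes, the object numbers and the xref offsets are constructed for the demonstration (the offsets are not byte-accurate; the splitting logic never reads them), and the "last definition of an object number wins" rule is a deliberate simplification of a real xref walk.

```python
import hashlib
import re

# Constructed sample data: a tiny PDF "saved" three times. Every incremental
# save appends new objects, a new xref section and trailer, then "%%EOF".
# The byte offsets in the xref/startxref entries are illustrative only; the
# splitting logic below never reads them.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"xref\n0 3\n0000000000 65535 f \n0000000009 00000 n \n0000000058 00000 n \n"
    b"trailer << /Size 3 /Root 1 0 R >>\nstartxref\n109\n%%EOF\n"
    # save 2: an image object is added
    b"3 0 obj << /Type /XObject /Subtype /Image /Width 1 /Height 1 /Length 3 >>\n"
    b"stream\n\xff\x00\x00\nendstream endobj\n"
    b"xref\n3 1\n0000000200 00000 n \n"
    b"trailer << /Size 4 /Root 1 0 R /Prev 109 >>\nstartxref\n300\n%%EOF\n"
    # save 3: object 3 is replaced by a different image; the old bytes remain
    b"3 0 obj << /Type /XObject /Subtype /Image /Width 1 /Height 1 /Length 3 >>\n"
    b"stream\n\x00\xff\x00\nendstream endobj\n"
    b"xref\n3 1\n0000000400 00000 n \n"
    b"trailer << /Size 4 /Root 1 0 R /Prev 300 >>\nstartxref\n500\n%%EOF\n"
)

EOF_RE = re.compile(rb"%%EOF\r?\n?")
OBJ_RE = re.compile(rb"(?<!\d)(\d+) 0 obj(.*?)endobj", re.DOTALL)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def split_pdf_versions(data: bytes) -> list:
    """Return every version of the PDF as bytes, oldest first.

    Because an incremental save only appends, the prefix ending at the k-th
    %%EOF marker is byte-for-byte the file as it was after the k-th save, so
    its hash should match a copy kept from that time. A cut point is only
    accepted when the segment it closes contains "startxref"; this skips a
    stray "%%EOF" that sits inside stream data (for example an embedded PDF).
    """
    versions = []
    prev_end = 0
    for m in EOF_RE.finditer(data):
        if b"startxref" in data[prev_end:m.end()]:
            versions.append(data[: m.end()])
            prev_end = m.end()
    return versions


def live_image_streams(version: bytes) -> list:
    """Raw stream bytes of the image objects in force in this version.

    Simplification (an assumption, not a full xref walk): when an object
    number is defined more than once, the later definition wins, which is
    what an incremental update means for that object.
    """
    latest = {}
    for m in OBJ_RE.finditer(version):
        latest[int(m.group(1))] = m.group(2)
    images = []
    for num in sorted(latest):
        body = latest[num]
        if b"/Subtype /Image" in body:
            s = STREAM_RE.search(body)
            if s:
                images.append(s.group(1))
    return images


def version_report(data: bytes) -> list:
    """(version number, size, sha256 prefix, image sha256 prefixes) per version."""
    report = []
    for i, v in enumerate(split_pdf_versions(data), start=1):
        img_hashes = [hashlib.sha256(img).hexdigest()[:12] for img in live_image_streams(v)]
        report.append((i, len(v), hashlib.sha256(v).hexdigest()[:12], img_hashes))
    return report


if __name__ == "__main__":
    for num, size, digest, imgs in version_report(SAMPLE_PDF):
        print(f"version {num}: {size} bytes sha256={digest}... images={imgs}")
```

Run on the constructed sample, version 2 carries the first image and version 3 only the replacement, so carving images from the final file alone would miss the earlier one, which is the point the post makes. On a real file, compare `sha256` of each split version against the copies saved at each edit step; a mismatch usually means the writer rewrote the file (no incremental chain) or a `%%EOF` line ending differs from what the filter assumes.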
  2. I've finally managed to get back to this task. I installed Node 2.5 (will deal with 2.6 later rather than having to upgrade Connect + install Node at the same time). Because we only had Connect initially, we have that server set up with plenty of storage along with case files and source files. In the admin manual, I see they have it that source files are on the Node server and that you later have to move them to Connect if you want them local (vs over the network). Is it possible to have it that the source files sit on the Connect server where I set up a shared folder, and Node accesses the files from there to process? I know that would have a performance issue. But otherwise will that work? If not, I'm going to have to hit up the boss to add storage to the Node server and move all my sources to there (and update that in each case after). Thanks
  3. Hi Marco, Actually I was able to open it on 9999 on my Windows laptop. But couldn't get it to work on the server. We re-installed the OS on the server in the event there was an issue with it (new server). I'll be trying it again later next week. I'm currently copying all evidence files over to the server so that it's ready for reprocessing once we get Node installed and upgrade to 2.6.1 (currently on 2.5.1). Up until now, I wasn't copying the evidence files over after processing the case in Intella Pro. It was more for convenience (reduce the size of the case to facilitate copying it to the server). For new cases, the evidence will be on the server (even if I first process in Pro - although once Node is set up, I'll use the server as it will be much faster than my workstation). I'll post an update once I try it again. I do have a question. Is it possible to host both Intella Connect 2.5.1 and 2.6.1 on the same server, but different ports? If yes, I could opt to not upgrade existing cases that have little or no work left to be done on them and create new cases only in 2.6.1. Thanks.
  4. All, We've been running Connect on a MS Server 2016 Standard with no issues. The installation was relatively painless. I've been doing my processing in Pro and then moving the case over to Connect. We procured a second server so that we could use Node (our license includes Node). The second server has the same standard image on it that is on the Connect server. The install of Node is also straight forward. We confirmed the service is running. But when trying to connect to localhost:9999 (default port, we didn't change anything), it fails. Using the same install file, I installed Node on a laptop (running Win 11 Pro), started the service, and connected to localhost:9999 no problem (got the error it couldn't find the license, but that's to be expected as our license is connected to the Connect server). Has anyone else had issues trying to get Node up and running on Server 2016? No other installed applications are running on our Node server. IIS is not set up on it. But we can't even get a response from localhost:9999 alerting us that it can't find the license. Without getting that, there is no point trying to get the next part set up - pointing Connect to Node. Any help is appreciated. Thanks, Jacques
  5. If you are looking simply to exclude all @domain_not_wanted.xxx, you could drop the NOT from the query, show all items under Features facet, and then use the Exclude option with the query: agent:@domain_not_wanted.xxx It's not a single step as you may have been trying to do. But it will produce the results you want.
  6. I've created a few spreadsheets to help with building queries. One is for bulk email addresses. Staff can add bulk email addresses they find during a review to the appropriate worksheet. Using a simple Excel formula, on the other worksheet I create a few queries for the user. The user can copy/paste the query into Intella Pro to run it and tag those items as bulk emails. The second Excel sheet I've attached I created to build queries relating to spoofed domains. It's easy to look for emails to/from a spoofed domain as part of an investigation. But what if you want to look for emails where they were sent to the real and spoofed domains at the same time, cross contaminating the communications? That's where this spreadsheet can help create a query for you. Even if you don't have a need for the above, they can provide ideas on how you can write a query if you are struggling with that. Do you have any queries that would benefit from being added to a query building spreadsheet? Jacques (Attachments: Bulk Email Addresses.xlsx, Spoofed Domains Queries.xlsx)
  7. I don't know if you can use boolean operators in the search field the way you mentioned. To use a boolean operator in your query, you must write it in upper case. E.g., from:(@domain1 OR @domain2) NOT(from:(@domain3 OR @domain4)) I was just about to share a spreadsheet I created to build a few helpful queries. I'll go do that now. Check out my posting on that here:
  8. I second Marco's request. I use a forensic tool (X-Ways), but I could see instances where it could be convenient to be able to view a file in hex. Nothing fancy, just a simple hex view as one of the available views.
  9. Hi Brad, One last update - I tested it in Intella Pro with the autotag option, and it works as expected. Of course if you have 5 email addresses in both TO and FROM, it makes for a long query and that's the name used for the tag it creates. But I believe it does achieve what you are trying to do. Jacques
  10. Hi Brad, I just tested it in Intella Connect, and it does allow you to use scope as part of your keywords in the keywords file (same as you would in the regular text search field). As you may or may not know, using a field specific search (https://www.vound-software.com/docs/connect/2.5/Intella Connect Reviewer Manual.html#_field_specific_search) negates the need to select the scope via the gear icon. I tested the below query and it worked. The caveat being this will not limit it to only those only between the two parties. You will have to then apply the recipient count facet filter on top of the results if you want only emails between the two parties (with the potential risk that if they CC/BCC themselves, your recipient count is now 2 and it will be missed if you use a recipient count of 1):
      (from:person1@email.com AND to:person2@email.com) OR (to:person1@email.com AND from:person2@email.com)
      Or let's say you have 5 people and you are looking for any emails where any of those five are a sender, and at least one of those five are recipients. With the same caveat as above regarding recipient count, you could use this:
      (from:(person1@email.com OR person2@email.com OR person3@email.com OR person4@email.com OR person5@email.com) AND to:(person1@email.com OR person2@email.com OR person3@email.com OR person4@email.com OR person5@email.com))
      Alternatively, if you are looking for any email where any of the 5 are either a sender or recipient (even if with someone outside of the 5), you'd change the middle AND to an OR as follows:
      (from:(person1@email.com OR person2@email.com OR person3@email.com OR person4@email.com OR person5@email.com) OR to:(person1@email.com OR person2@email.com OR person3@email.com OR person4@email.com OR person5@email.com))
      As with the other two, the caveat being that there could be other recipients in addition to at least one of the 5 you are filtering on (either in the from, cc, or bcc fields). The other caveat with all of the above is it's looking in the TO and FROM field as you are seeking to do. If the filtered addresses are only in CC or BCC (not in TO or FROM), they will not be responsive. You'd have to add cc: and/or bcc: to expand to include those. If the above is not something you are familiar with, don't hesitate to post a follow-up question. Jacques
  11. Thanks Marco. From a UI/UX perspective, one option would be to have a "pin" next to the various search criteria. Allowing you to click on the pin icon for any of them to pin them. You could still click on the X to remove a single criteria (pinned or not). And to remove all of them, maybe either an option to unpin all after which you hit on clear searches, or a second button ("reset search"?) that would clear all including pinned items. Not sure which would work best so that it doesn't clutter the UI too much and provides the most intuitive UX. Jacques
  12. OK, that rings a bell now. I don't use the keywords option very often. Is it possible to use a scope (e.g., to:, from:, author:, etc. in a keywords file - https://www.vound-software.com/docs/connect/2.5/Intella Connect Reviewer Manual.html#_field_specific_search)? I'll test it if I get a chance this week. If you can use a scope, that should yield the results you want.
  13. It would be great if there was a way to PIN a REQUIRE or EXCLUDE. Case in point, we tag items that are "Not Relevant" for example. It would be helpful if we could PIN that exclude so that you don't have to select that tag every time you run a different search and choose to exclude it. There are different tags we use (e.g., 6+ recipients, bulk email addresses, etc.). The ideal option would be to be able to select tags and PIN them as a REQUIRED or EXCLUDE until you unpin them. That way you can run a bunch of queries and not have to select the tags you want as REQUIRE or EXCLUDE for each search.
  14. Hi Marco, Providing an update on this. I am currently working a case where I have 5 PSTs in it. Intella identified 89 items that it could not decrypt. In looking at them, many are in a few ZIP files, so I gather it's the ZIP that needs to be cracked, not each file within it. At any rate, for some of the other encrypted items, the user sent the password in a separate message (email or Teams message) which is common. My workflow when I have encrypted items from an Exchange mailbox is to look at the parent email of the encrypted item to see if the person shared the password, or references that it will be sent in another email. I was able to find a few passwords and added them to the key store. I could see from Location facet that the encrypted items were spread across 3 of the 5 PSTs. This meant I had to reprocess those 3 PSTs to have Intella use the passwords in the key store to decrypt the items and then index them. This is a prime example of where the current workflow used by Intella to deal with encrypted items is inefficient. We are not likely going to know which items are encrypted, much less the password for the items, until after it's in Intella and processed. In addition to being able to selectively re-process files rather than an entire source, it would be really helpful if Intella noted what processing was already done on that source (e.g., OCR, content analysis) and prompted the user if they want those additional processes to be run as well on the decrypted items. I do see email threading as an exception here. You can't run email threading on only decrypted items. It has to be run against all emails in the case to get email threading across all your data. Thanks, Jacques
  15. I'm not understanding what you mean by auto tagging. I have both Intella Pro and Intella Connect, but I'm not familiar with that feature and can't seem to find anything about it. As you suggested, a task would do that very nicely. I have several tasks that I run at ingestion that tags items. We are a MS Exchange shop, so I apply a tag to messages relating to their "Importance" and "Sensitivity" flags. This way a user can quickly select the tag to see all messages flagged as High importance, or sensitivity set to Private for example. How does auto tagging work? Does it offer an advantage? Jacques
  16. Thanks Marco for that follow-up. To be honest, I had not considered using the keystore as a cracking dictionary :). I've only ever put in passwords I obtained from emails or that I've cracked. Thanks, Jacques
  17. OK, thanks Marco. The selective reprocessing would be the ideal solution. Adding the ability to try and crack it during processing is nice. But it would be very difficult to use a one size fits all decryption approach if using a third party such as John the Ripper, as it will depend on the document type, and if you have a mask for the password. And as you also know, password cracking can take a long time. You wouldn't want processing of the rest of the source to be held up by the attempt to crack a password. It would be important for processing to complete and make everything available to the investigator for review while password cracking goes on in the background. If it will be implemented in a manner that processing stops while password cracking is attempted, that will have an undesirable delay and make it impractical to use. If that's the only option, I would suggest putting that time into the selective reprocessing instead, as that will be far more useful. But if the script simply passes on the encrypted password to an external process and then carries on, then that's fine. But that also means at some point, it has to reprocess those files once the password is cracked. I do have some programming skills (scripting skills - BASH, Python, and some light PowerShell). So I don't mind that. Thanks, Jacques
  18. Thanks Marco! Does this mean you'll be able to enter passwords in the keystore and then run it against specific files and process only those rather than having to re-process all items in a source? Fortunately, it's not something I encounter frequently. But when I do and manage to crack a password (or get it from the email itself - people can be lazy sometimes), I will add that to the keystore and then re-process so that it's available to the investigator. Being able to selectively reprocess would be a huge time saver in those cases. Jacques
  19. I’m not sure if Intella supports that type of scripting. In my case I’ve been using John the Ripper in a Linux VM to crack PDF docs typically. So I don’t think there would be any way to call upon it from Windows. The other challenge is that in the case of PDF bank statements for example, the accompanying email from the bank usually provides the mask for the password (e.g., the middle six characters of the bank account number) which I use as a parameter for cracking the password. In other cases, I’ve found the password right in the email. “Hey John, here’s the encrypted spreadsheet for your review. The password is ‘abc123’.” I wouldn’t want to delay Intella processing while it tries to brute force each time it finds an encrypted file it can’t automatically decrypt. I appreciate your suggestions as possible alternative options. The ideal solution rests with Vound adding the ability to process/re-process selected files. You would think you could choose only docs that it couldn’t decrypt and reprocess those with the keystore rather than having to reprocess every item in the data set. Thanks again for taking the time to offer suggestions.
  20. Thanks. I’ve done that in the past. But the downside of that approach is the decrypted item is not at the original path within the evidence. For example, if the original is an attachment in an email, the decrypted version won’t be if imported as a new source. It would be great if Intella had the ability to index filtered files instead of needing to index all of them.
  21. I occasionally encounter encrypted PDFs that Intella was unable to decrypt. Naturally, I only know this after processing is done. I've had success cracking passwords of PDFs of bank statements where the password is numeric (part of the account number). Once cracked, I know I can add it to the keystore. But as far as I can tell, I then have to re-index the entire evidence item(s) with content that needs to be decrypted. I don't see any option to simply decrypt and index the 10, 20 or 30 files that are encrypted. I have to re-index tens or hundreds of thousands of files in the evidence source(s). Is there a way to have Intella only re-index select items instead of all items in a source?
  22. If you are looking for emails between specific parties, say 1@gmail.com, 2@yahoo.com, and 3@hotmail.com, you could use something like this in the search term: (from:1@gmail.com OR from:2@yahoo.com OR from:3@hotmail.com) AND (to:1@gmail.com OR to:2@yahoo.com OR to:3@hotmail.com) Combining the above with recipient count will get you as close as I can come up with. The above assumes you are not looking for cc or bcc addresses. I do see the shortcoming you are hoping to address. If you have recipient count of 2, it could be from 1@gmail.com to 2@yahoo.com and to (or cc, or bcc) 4@example.com and that would still be responsive to your query. I'm not sure if there is a way to say from or to (or cc or bcc) must contain ONLY one or more of the addresses you've listed. The approach I've seen an investigator use in that scenario is after the initial query, if they see any obvious non-relevant responsive items, they expand their query by adding those criteria in parentheses with a NOT preceding it (e.g., NOT (to:4@example.com) ; or NOT ("table tennis"~2) if looking for tennis but not table tennis for example). It's more tedious. But the goal is to get the responsive items down to a manageable volume for review. If you can accomplish that by adding a few NOT statements to tweak your original query, it's the next best thing to having a query that does exactly what you want. I do agree that it would be great to have a ONLY type of statement. Also useful would be an IN statement similar to in Python where you could say something like "to: IN (1@gmail.com, 2@yahoo.com, 3@hotmail.com)", or "(1@gmail.com, 2@yahoo.com, 3@hotmail.com) IN to:".
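An added example, not part of the original posts and not the formula from the spreadsheets mentioned in post 6: a small Python builder for the sender/recipient queries shown in posts 10 and 22, so that a reviewer does not hand-type a long address list for each search. It produces the `from:(a OR b) AND to:(a OR b)` form, can widen the recipient side to `cc:`/`bcc:`, and appends the `NOT (...)` trimming clauses post 22 describes. The quoting rule for addresses containing unusual characters is an assumption about the search syntax, not something the posts state; the sample addresses are constructed.

```python
import re

# Plain e-mail characters; anything else gets quoted so it is not read as query syntax.
_SAFE_ADDR = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+$")


def _term(addr: str) -> str:
    """Normalise one address: trim, lower-case, quote if it has odd characters
    (assumption: double quotes protect a literal term in this search syntax)."""
    addr = addr.strip().lower()
    return addr if _SAFE_ADDR.match(addr) else f'"{addr}"'


def _field_group(field: str, addresses) -> str:
    """The field:(a OR b OR c) grouping used in post 10; duplicates are dropped
    after normalisation so A@X.com and a@x.com become one term."""
    seen = []
    for a in addresses:
        t = _term(a)
        if t not in seen:
            seen.append(t)
    return f"{field}:({' OR '.join(seen)})"


def party_query(addresses, mode="between", recipient_fields=("to",), exclusions=()):
    """Build the sender/recipient query for a set of addresses.

    mode="between": one of them sends AND one of them receives (post 22).
    mode="any":     one of them sends OR one of them receives (post 10, OR form).
    recipient_fields: ("to",) by default; add "cc" and/or "bcc" to widen it.
    exclusions: clauses appended as NOT (...) to trim obvious false positives.
    The recipient-count caveat from the posts still applies: a third party
    in To/CC/BCC does not stop a message from matching.
    """
    if not addresses:
        raise ValueError("at least one address is required")
    joiner = " AND " if mode == "between" else " OR "
    recip = " OR ".join(_field_group(f, addresses) for f in recipient_fields)
    if len(recipient_fields) > 1:
        recip = f"({recip})"
    q = f"({_field_group('from', addresses)}{joiner}{recip})"
    for ex in exclusions:
        q += f" NOT ({ex})"
    return q


if __name__ == "__main__":
    people = ["1@gmail.com", "2@yahoo.com", "3@hotmail.com"]  # constructed sample
    print(party_query(people))
    print(party_query(people, recipient_fields=("to", "cc", "bcc"),
                      exclusions=["to:4@example.com"]))
```

Paste the returned string into the search field, then apply the recipient count facet on top as the posts describe; regenerate the query rather than editing it by hand when an address is added to the list, so the sender and recipient groups never drift apart.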
  23. When searching for browser activity, I wanted to search for google searches (e.g., https://www.google.com/search?q=frustration+psychology+definition) in field scope "title/subject". Searching for "search\?q=" yielded negative results. I had to search for "search \? q=". Note the gratuitous spaces before and after escaping the special character. The same happens in either Intella Connect or Intella Pro. A further test to look for https://www.google.com yielded the same issue. I had to escape the colon (:), but had to put a space before and after it as well. "https \: //" worked. But not "https \: //www". I had to escape the two "/" as well even though they are not listed as special characters. And I had to put a gratuitous space before and after each of the two escaped characters same as for the \?. Is anyone else encountering similar issues? Am I doing something wrong in my search? Luckily I noticed this anomaly. Otherwise it would have yielded a false negative and I would have thought there were no matching hits.
  24. Hi Larisa, I'm not sure I understand what you are trying to do. There is the option to hide non-inclusive emails. Not sure if that's what you mean. Can you provide an example so that I can better understand what you are trying to do? Jacques
  25. As part of my pre-processing, I do some tagging. One of the things I automatically tag (using tasks in a template case) is for MS Exchange/Outlook email flags as per the screenshot. This creates a long path for these tags (although I see that I should remove "Importance:" and "Sensitivity:" in the children tags and just keep the second part to shorten the paths). As much as these tags can be useful in some cases, in other cases they are not as relevant. I see them as information tags. When displaying the Tag column in the table view, you will have one Importance tag and one Sensitivity tag, each having a long path. I also automatically tag "Orphan from PST", "Emails with 6 or more recipients", "Draft Messages (Not Sent)". These information tags can create a lot of noise in the tag column in table view. They are useful if you want to display all emails tagged as Urgent. And it's useful to see those tags when viewing an individual item. But in table view, some of those tags are not as important to see. It would be helpful if you had the option to choose if a tag will show up in the tag column in table view. That way you can have a bunch of these information tags but exclude them from that column. I do use yellow for these information tags. So optionally, I know we could display the colour tag column instead to help declutter the view. If nobody else chimes in agreeing that this would be useful, I appreciate that it won't get any priority. I do see value for use where we use a number of these information tags in the automatic tagging during initial processing. Thanks.