
Jacques B


Everything posted by Jacques B

  1. Thanks Jon, That's good to know. But where do I get the logs for the main login page where your cases are listed? And if I want to do a security audit of logins and attempted logins, is there an aggregated log? Or do I have to check each individual log via the GUI? If not available, it would be especially helpful in a future release to have a way to see all logins (and attempts) across all cases, as well as the main page with the list of cases. And being able to set alerts/notifications of logins or failed logins would be helpful from an audit/security perspective. Either the functionality within Intella Connect, or in absence of that (or in addition to), a way to query the logs via an API using PowerShell to incorporate checking Intella Connect logs in a custom script that audits various logs on a server. Also, where do I find the web server logs in case I need to review those as part of a security audit? Thanks, Jacques
  2. Where does Intella Connect store logins? As part of our security review I want to check the logs regularly for failed logins for evidence of possible malicious attempts. I am hoping to be able to attribute that back to a network user. For that, I'll probably have to get logs from IT. Intella Connect is being deployed such that it will be accessible by anyone who authenticates to our corporate network (whether in the office or home). Only select people will be granted access to Intella Connect via username/password and 2FA. The IP of the server won't be published, so stumbling across it is unlikely. Despite those layers of security (must authenticate to our network with 2FA if not in the office, must know the address of the server, and must log in to Intella Connect with proper credentials and 2FA), I also want to monitor failed attempts and if appropriate attribute that to a user for an investigation into a possible unauthorized attempt to access a resource. Thanks.
  3. Thanks, That's very likely what happened. The service didn't start automatically, so the IT person launched it. When we rebooted the server later as part of our troubleshooting, it did start automatically. I'm confirming with the IT person what user profile it uses when starting automatically vs when he launched it manually. Regarding the path, I also see .\Roaming\Intella Connect. What is the difference between the two folders? We are only running Intella Connect on this server.
  4. Well, that seems to have fixed the problem. I was successful this time in adding an existing case. So something was causing the server to misbehave. So the issue was not with anything I was doing, nor with Intella Connect.
  5. Update on this. We finally had to reboot our server. When it eventually came back up, the user accounts I had created were gone, and I was back to the default admin user. And the above cases I tried to add were gone. Not sure why that happened. On the server I was seeing the service as not running, yet I could connect to it. Looks like there is more hardware troubleshooting to be done. Has anyone had a similar experience?
  6. I'm trying to import a case into our new installation of Intella Connect. I tried adding an ICF file from an Intella Pro case (both are v.2.5), but that failed (stayed at 0%, even though it was a very, very small case - 30 MB). I then tried adding it by copying the case folder over and pointing to the folder with the case.xml file. Intella Connect recognized it as having case.xml, but the option to "Add Case" remains greyed out. The drive is a local drive, and Intella Connect was able to create a new case at that location no problem. But I can't get the import to work, either ICF or a case folder. Any thoughts on what I'm doing wrong, or what could be wrong? The user I'm logged in as is set up with global authorization as an admin. Note in the screenshot the three attempts to import the ICF file. How do I remove that? And you see in the screenshot that it recognizes that there is a case.xml in the folder I'm pointing to when trying to export as a case folder instead of ICF. Thanks, Jacques
  7. Forgot to post an update. We resolved the issue. It was a firewall issue (static IPs). Jacques
  8. Anyone have experience installing Connect on Windows Server 2016 R2? We have it installed, and can get to the sign in screen from the server (localhost). But when trying to connect to it from the outside, it is not working. I know there are many possible variables from OS firewall to hardware firewall upstream among other things I'm sure. But beyond the obvious I just listed, anyone encounter some other issue that you figured out that you could share how you resolved it? Or point to other possible issues? The server has a publicly routable IP. Users are being given static IPs and the upstream firewall service provider looks after setting up the rules to allow the traffic through. I'm able to RDP to the public IP which would suggest the firewall rules upstream are allowing me through. I'm checking now to make sure that they are allowing incoming traffic on 9999 in case that's the issue. Any suggestions you can share are appreciated. Jacques
  9. When you run two (or more) searches, you are seeing hits that are unique to each (outer edges) and overlapping hits. If you add the two (an outer count with the overlapping count), you get your total.
  10. When selecting the time zone for a source, it would be very practical to be able to search/filter rather than having to scroll through to find what you are looking for. If I am looking for the time zone for Budapest for example, it would be convenient to be able to start typing the name of the location and have it filter the list in real time rather than having to know it's GMT +0100 and scroll down to find it.
  11. OK. I didn't want to jump the gun in case it was just me. I'll get something submitted hopefully later this week.
  12. I deal with BitLocker regularly as we deploy it on our corporate computers. My workflow has typically been to use Arsenal Image Mounter (free version) to mount the image, and enter the BitLocker recovery key in Windows to decrypt the mounted volume. I then image the volume using FTK Imager and bring that image into Intella. Yesterday I had a case where I decided to use Intella Pro to decrypt the volume. It seemed to work, but there wasn't a lot of data in the user's Windows folder (and several PDFs were showing as binary files). I mounted the original image in Arsenal Image Mounter, entered the BL recovery key and viewed the content with FTK Imager. I noted that the user folder that I was interested in had a whole lot more files and folders in it than I was seeing in Intella. I'm about to upgrade it to 2.5, but in skimming the release notes I didn't see mention of fixing a bug with BL so I'm not expecting it would result in anything different. Has anyone else experienced this issue when using Intella to process a BL image? Before I file a bug report, I want to confirm that it's not just me.
  13. Further to the above, I did find a workaround. I have a text file with all bulk email addresses (one per line). Where I don't care if they are all one identity, I create an identity and add all those addresses to that identity, Bulk Emails. On that note, probably the easiest experience for an end user would be the ability to export/import identities. In a corporate environment, you may have identities that you would like to have added to all cases you work. Being able to import identities that you exported from another case would be helpful. Ideally, being able to do multiple imports in case you have identities from a few different cases you want to bring in. Or where you export identities to different export files based on the organizational structure of your organization e.g., accounting, IT, payroll, etc. Whatever name you want to give to the files when you export so that you can selectively import what you want in a case.
  14. It would be convenient to be able to import identities from a JSON/XML. In a corporate environment for example, you may have numerous bulk email addresses (i.e. All-Staff type of emails). I'd like to be able to keep a JSON/XML of identities of all bulk addresses (could also be for lawyers or any other special categories) that I could import into Intella rather than having to enter all those manually. It could also be used to create a list of identities you are interested in for a specific case, although I appreciate that in this latter example, it might be just as easy to do that from the Identities interface in Intella rather than creating an XML to import into Intella. But for cases where you have identities that will cross cases (such as email addresses for bulk emails such as All-Staff and such), it would be very practical to be able to keep a living document of such identities that you can easily import into any case.
  15. Thanks to both of you for your response. I was speaking with a colleague of mine who deployed it in a similar environment that I will be deploying it, and he was able to deploy it on his older digital forensics tower PC. So that's encouraging that it can run without needing a server.
  16. Our shop currently uses Intella Pro + Review, but we are looking to move to Intella Connect in order to have connectivity from a remote office or when on the go (or working from home as many are doing currently). I know that two options are host it yourself or host it in the cloud (Azure, AWS). Personally I'd prefer to host in the cloud rather than have to worry about maintaining a system. I'm already busy and adding infrastructure support (security, backups, availability, patch management) would be quite taxing. By hosting in the cloud, some of that would be handled by the cloud provider. And I see that we could use a network dongle that would have to be hosted locally and available to Connect in the cloud, which is fine. Does anyone have experience hosting it in the cloud? If yes, what provider do you recommend? What setup (# of servers, RAM, cores, storage setup) do you recommend? As for hosting in-house, what hardware would you need to do that (if that's the route I'm required to go)? Do you need a few servers with a hardware RAID stored in a server rack in a proper server room (with adequate cooling)? Or are most hosting it on a powerful PC sitting in your office?