Everything posted by Fabian

  1. Hi Jon, I'm not talking about caching the evidence within the case directory. However, every native file (docx, eml, xlsx etc.) that is recognized and indexed by Intella gets written to a huge binary database file. This accounts for most of the disk space used in the case folder structure. That information is required for native view, exports etc. However, that data is, at least in my opinion, not used when searching for text within the Lucene index. It would be a cost saver to have that binary storage of the original contents of files moved to HDDs, and have Lucene among other indexes reside on SSDs. regards, Fabian
  2. Hi, thanks for fixing my forum permissions, now I can post in the W4 section 😀 We are using W4 in several data theft cases with good results. With a few changes to the product we also could use it with other cases like CP / sexual abuse type of cases. Also we noticed some features need a bit of polishing:

     • The “export to csv” option is somewhat broken. If columns contain a comma, no escaping of the separation character was used in previous W4 versions. The latest version adds a text-qualifier for values that contain a comma. Usually the “item id” is the first column; if it exceeds 999 items it is displayed as “1,000” in W4 and also written as “1,000” to the csv-file. If numbers are exported to a csv-formatted-file it would be expected to omit any 1000-separation character and only have the decimal character present.
     • When choosing the columns for a csv-export, the selection of columns is not retained between exports and has to be redone each time you choose to export data. Even remembering the last export settings would be somewhat flawed. Intella-like presets would be much appreciated. A suggestion on that matter would be to add an Excel or CSV style report in the reporting section. That way the settings could be saved via the search profile (I guess).
     • The processing of browser artifacts is very helpful. However, our tests showed that only information is extracted from the file system. It would be a nice feature to have browser artifacts from unallocated spaces and system files like hiberfil.sys, pagefile.sys and swapfile.sys.
     • The reporting feature has been greatly improved. However, we are missing an Intella-style original view of items within the reports. If this is a feature distinction between Intella and W4 I can understand that. However, other disk forensic tools have at least some reporting capabilities for e-mail bodies etc.
     • Usually when I work with disk forensic tools I have the view/previewpane detached from my main window and have it fill my 2nd monitor. That way the preview is much better readable and it makes room for some more columns in the main window. Please consider a detachable (pre)viewpane.
     • The Explore feature could be improved by adding an "industry standard" "green plating" feature that recursively displays all contents of the selected folders. If greenplating would also work in a multi-select style way by using the ctrl+shift keys that would be even better (example: select UserA and UserB within c:\users but not UserC and UserD).
     • I'm missing a flag-like feature where I can just mark a bunch of pictures (thumbnail view) / table rows by hitting the space bar. Usually when hitting the space bar the tag menu comes up (because the tag button is active). However, this does not work consistently and selecting a specific tag each time slows down the workflow.
     • I was not able to navigate the thumbnail view by using the cursor-arrow keys. The cursor keys are either moving around in the search pane on the left or in the preview pane to the right. But I cannot move the highlighted image in the center view.
     • The time-selection tool at the bottom should be hideable when not needed.

     Best regards, Fabian
  3. Hi Jon, thanks for the input. So basically it's the same workflow as if I would process it with Pro/Team except that apart from the copy job everything is neatly managed through the Connect WebUI. I just remembered that Intella Pro/Team also have an Optimization folder. If Node uses the folder the same way then I don't need further explanations. In that scenario the crawlers would just dump temporary data into these folders. I was hoping that maybe the database that contains all the binary data of the evidence could be moved to a separate location. Regards, Fabian
  4. Hello, up until now I've been preparing cases for Intella Connect with Intella Team or Pro. With some additions to our hardware pool I've set up a shiny new processing Node. The setup was pleasantly easy and configuration is done through Connect's WebUI. I was able to speed up the cumbersome SSL import by just copying the keystore over to the Node (maybe that should happen automatically when wildcard certs are used?).

     For the last years I've quite mastered how Intella Pro/Team use their resources and what type of storage to use. The largest case I've put together with Team has about 30TB (Intella folder size) and ~200M items.

     With Intella Connect and Node the concept of shared folders is introduced: Case, Evidence, Optimization (configuration). Currently I have a large SSD-storage attached to my Connect VM and all the ready to share Cases go there. I also added some direct attached Evidence Storage to the Node for processing data. All folders are shared and accessible from Node and Connect.

     If I were to create a new Case within Connect and then add evidence to the case to process it, processing would be done on Intella Node, however the databases of the case would be located on the Case Share which is physically attached to the Connect server. So Node would use CIFS/SMB to access those files. In my experience CIFS/SMB is really really bad when it comes to IOPs heavy tasks (even with 10 or 40Gig ethernet). The manual suggests to add an Optimization folder to speed up processing. "Some" databases will get moved (temporarily?) to that Optimization folder.

     What is the recommended setup to most efficiently process large cases (>5 TB) with Connect and Node? Is it actually feasible to have Node access the Case-Directory via CIFS/SMB? Should there be another Case Directory on the Node and should I copy ready to use Cases manually to Connect's Case Share? What is the concept of the Optimization folder - what databases will get moved to that folder? I probably could find this out by just watching it but an official answer would be very appreciated!

     Thanks + Regards, Fabian
  5. Hello, as we are using W4 more and more for early case assessments and other forensic work that doesn't require Intella's extensive search feature I would like to provide some feedback. I didn't find a separate W4 forum section so I wanted to ask where to put my feedback. regards, Fabian