Fabian

Members
Posts: 11
Days Won: 1

Everything posted by Fabian

  1. Dear Marco, thanks for taking my feedback back to the development team. Technically this is true for Intella Connect; however, if you have Connect Plus, one of the two instances won't get the Plus license. Best regards, Fabian
  2. Hi, the recent upgrade from 2.5 to 2.6 requires converting the cases. This is the first time since we have been using Connect that a case conversion is required. However, we have done several conversions with Intella Team / Pro, as we have used the product since version 1.8 or so. Cases can get quite large (several TB); when you have container-based evidence every item is also cached in the "data" database within the case directory. This makes handling the case directory difficult (e.g. backups, etc.). Converting a case makes a copy of the whole case directory, then it rewrites some of the indices. The data directory was not touched by the conversion process (as far as I can tell - I did a couple of test conversions and checked timestamps and file access logs). I'd like to see the conversion process improved:
     1) Add an option for an in-place conversion. Add a warning message that this might corrupt the case, so the user is responsible for making a backup prior to conversion. Backups should be created on a nightly basis anyway.
     2) Rework the process so all changed db directories get copied / renamed to *.old or *.2-5 or something like that. If the conversion fails, the old databases can be restored very easily, and no data should be lost.
     3) Please consider an option to have an external location for the data-db directory. As far as I can tell the data-db is only changed upon processing and I'd like to have it sit on a separate storage volume.
     Finally, I already created a support ticket for this: when your Connect setup needs to convert several large cases to upgrade from 2.5 to 2.6 the whole process falls apart, since you can't (effortlessly) run 2.5 and 2.6 in parallel. So either the not yet converted 2.5 cases stay offline for several days or the already converted 2.6 cases are offline until converting all cases has finished. This is not an option in a production environment. Regards, Fabian
  3. Hi, I think this is mostly used for content that has multiple "redundant" original views, like e-mails that are stored as text and HTML within the same message. Sometimes the HTML view generates beautiful reports; sometimes the HTML format of the mails is so broken that it is better to use the text-only variant. Regards, Fabian
  4. Hi, Intella Connect inherited the template management from Intella Pro/Team, where templates are stored in %appdata% for the individual local user. Unfortunately all Intella Connect users share the server's %appdata% directory and thus all templates are available across all cases. This is described in the manual; however, not all reviewers / examiners will keep track of this all the time. So it might happen that export templates with case names / numbers or custodian names [...] are created. Within a template there is also some room for potentially confidential data, e.g. when designing headers and footers etc. Providing a basic set of templates to Connect users seems like a good idea; however, templates created by certain users should be stored either "per case" or "per user". Also I think that when templates are added to the %appdata% directory (externally, via another case) and the case is already shared, it does not update the template list. Regards, Fabian
  5. Hi Primoz, sorry for my late reply, and thanks for putting some of my suggestions on the roadmap.
     6. So the idea there is to show all folders/files in the selected folder instead of direct children (like it's working now)?
     Well, it was more aimed at the general representation of the evidence's folder structure. In traditional disk forensic tools (e.g. EnCase), your starting point for an investigation usually is a directory tree. The location view of W4 (and Intella) tries to give the user an idea of the folder structure, but I personally find it a bit cumbersome to work with when I want to view the contents of a certain disk, directory or a combination of directories. I understand that W4 has a different approach; however, if a more versatile disk view were to be implemented it would make the tool more versatile.
     7. Would the possibility to assign shortcuts to tags work for you? Or are you strictly after "flagging" functionality?
     A shortcut to tags would be sufficient. Another feature of flags is that check marks are displayed within the current view, so it is easy to see if an item has been flagged or not. That kind of representation is currently missing for tags (I think).
     9. So you mean to make it collapsible - similar to how the previewer can be hidden?
     Yes. Regards, Fabian
  6. Hi Jon, I'm not talking about caching the evidence within the case directory. However, every native file (docx, eml, xlsx etc.) that is recognized and indexed by Intella gets written to a huge binary database file. This accounts for most of the disk space used in the case folder structure. That information is required for native view, exports etc. However that data is, at least in my opinion, not used when searching for text within the Lucene index. It would be a cost saver to have that binary storage of the original contents of files moved to HDDs, and have Lucene among other indexes reside on SSDs. Regards, Fabian
  7. Hi, thanks for fixing my forum permissions, now I can post in the W4 section 😀 We are using W4 in several data theft cases with good results. With a few changes to the product we could also use it with other cases like CP / sexual abuse type of cases. Also we noticed some features need a bit of polishing:
     The “export to csv” option is somewhat broken. If columns contain a comma, no escaping of the separation character was used in previous W4 versions. The latest version adds a text qualifier for values that contain a comma. Usually the “item id” is the first column; if it exceeds 999 items it is displayed as “1,000” in W4 and also written as “1,000” to the csv file. If numbers are exported to a csv-formatted file it would be expected to omit any 1000-separation character and only have the decimal character present. When choosing the columns for a csv export, the selection of columns is not retained between exports and has to be redone each time you choose to export data. Even remembering the last export settings would be somewhat flawed. Intella-like presets would be much appreciated. A suggestion on that matter would be to add an Excel or CSV style report in the reporting section. That way the settings could be saved via the search profile (I guess).
     The processing of browser artifacts is very helpful. However our tests showed that information is only extracted from the file system. It would be a nice feature to have browser artifacts from unallocated space and system files like hiberfil.sys, pagefile.sys and swapfile.sys.
     The reporting feature has been greatly improved. However we are missing an Intella-style original view of items within the reports. If this is a feature distinction between Intella and W4 I can understand that. However other disk forensic tools have at least some reporting capabilities for e-mail bodies etc.
     Usually when I work with disk forensic tools I have the view/preview pane detached from my main window and have it fill my 2nd monitor. That way the preview is much better readable and it makes room for some more columns in the main window. Please consider a detachable (pre)view pane.
     The Explore feature could be improved by adding an "industry standard" "green plating" feature that recursively displays all contents of the selected folders. If green plating would also work in a multi-select style by using the ctrl+shift keys that would be even better (example: select UserA and UserB within c:\users but not UserC and UserD).
     I'm missing a flag-like feature where I can just mark a bunch of pictures (thumbnail view) / table rows by hitting the space bar. Usually when hitting the space bar the tag menu comes up (because the tag button is active). However this does not work consistently and selecting a specific tag each time slows down the workflow.
     I was not able to navigate the thumbnail view by using the cursor/arrow keys. The cursor keys are either moving around in the search pane on the left or in the preview pane to the right. But I cannot move the highlighted image in the center view.
     The time-selection tool at the bottom should be hideable when not needed.
     Best regards, Fabian
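The two CSV export defects described in the post above (a comma inside a value splitting the row, and a numeric item id written with its display thousands separator) are easy to reproduce and to verify against a correct writer. The following is an added example, not code from the post or from W4/Intella; the sample rows, column names and function names are constructed for illustration.

```python
import csv
import io

# Constructed sample rows (not data from the post): item id, name, location.
# Item 1000 and a name containing a comma are the two cases the post describes.
HEADER = ("Item ID", "Name", "Location")
SAMPLE_ROWS = [
    (1, "report.docx", r"C:\Users\alice\Documents"),
    (1000, "budget, final.xlsx", r"C:\Users\bob\Desktop"),
]


def naive_export(rows):
    """Reproduce the export behaviour the post complains about: fields are
    joined with ',' without any quoting, and the item id is written exactly as
    the UI displays it, i.e. with a thousands separator ("1,000")."""
    lines = [",".join(HEADER)]
    for item_id, name, path in rows:
        lines.append(f"{item_id:,},{name},{path}")
    return "\n".join(lines) + "\n"


def export_csv(rows):
    """Correct export: csv.writer quotes any field that contains the delimiter,
    a quote or a line break (RFC 4180 style), and the id is written as a plain
    integer so a consumer reads it back as one numeric field."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_MINIMAL, lineterminator="\n")
    writer.writerow(HEADER)
    for item_id, name, path in rows:
        writer.writerow((int(item_id), name, path))
    return buf.getvalue()


def parse_csv(text):
    """Read an export back the way a spreadsheet or a script would."""
    return list(csv.reader(io.StringIO(text)))


def columns_consistent(text):
    """True when every record has as many fields as the header row."""
    records = parse_csv(text)
    width = len(records[0])
    return all(len(record) == width for record in records)


if __name__ == "__main__":
    broken = naive_export(SAMPLE_ROWS)
    good = export_csv(SAMPLE_ROWS)
    print("naive export:\n" + broken)
    print("fields per record (naive):", [len(r) for r in parse_csv(broken)])
    print("correct export:\n" + good)
    print("fields per record (correct):", [len(r) for r in parse_csv(good)])
```

Running it shows the naive second record splitting into five fields ("1", "000", "budget", " final.xlsx", path) while the quoted export round-trips to three fields with the id readable as the integer 1000.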
  8. Hi Jon, thanks for the input. So basically it's the same workflow as if I would process it with Pro/Team, except that apart from the copy job everything is neatly managed through the Connect WebUI. I just remembered that Intella Pro/Team also have an Optimization folder. If Node uses the folder the same way then I don't need further explanations. In that scenario the crawlers would just dump temporary data into these folders. I was hoping that maybe the database that contains all the binary data of the evidence could be moved to a separate location. Regards, Fabian
  9. Hello, up until now I've been preparing cases for Intella Connect with Intella Team or Pro. With some additions to our hardware pool I've set up a shiny new processing Node. The setup was pleasantly easy and configuration is done through Connect's WebUI. I was able to speed up the cumbersome SSL import by just copying the keystore over to the Node (maybe that should happen automatically when wildcard certs are used?). Over the last years I've pretty much mastered how Intella Pro/Team use their resources and what type of storage to use. The largest case I've put together with Team has about 30 TB (Intella folder size) and ~200M items. With Intella Connect and Node the concept of shared folders is introduced: Case, Evidence, Optimization (configuration). Currently I have a large SSD storage attached to my Connect VM and all the ready-to-share cases go there. I also added some direct-attached evidence storage to the Node for processing data. All folders are shared and accessible from Node and Connect. If I were to create a new case within Connect and then add evidence to the case to process it, processing would be done on Intella Node; however, the databases of the case would be located on the Case share which is physically attached to the Connect server. So Node would use CIFS/SMB to access those files. In my experience CIFS/SMB is really really bad when it comes to IOPS-heavy tasks (even with 10 or 40 Gig ethernet). The manual suggests adding an Optimization folder to speed up processing. "Some" databases will get moved (temporarily?) to that Optimization folder.
     What is the recommended setup to most efficiently process large cases (>5 TB) with Connect and Node?
     Is it actually feasible to have Node access the case directory via CIFS/SMB?
     Should there be another case directory on the Node and should I copy ready-to-use cases manually to Connect's Case share?
     What is the concept of the Optimization folder - what databases will get moved to that folder?
     I probably could find this out by just watching it but an official answer would be very appreciated! Thanks + Regards, Fabian
  10. W4 forum section: Hello, as we are using W4 more and more for early case assessments and other forensic work that doesn't require Intella's extensive search feature I would like to provide some feedback. I didn't find a separate W4 forum section so I wanted to ask where to put my feedback. Regards, Fabian