Posts posted by ShaunC

  1. Nope, scratch that. I remembered the "Export>Event log" feature and ran that and it clearly shows (in 2.4.2) one group of actions adding the tags and getting the wrong/higher number of results, and then me loading the case in 2.5, deleting the tags altogether and auto-tagging again and getting the "correct" number (the number that matches the keywords tab search).

  2. For anyone looking at this post in the future, I installed v2.5 and re-ingested the case data and it all worked as expected.

    I was unsatisfied with still not properly understanding what the issue was, and I investigated further.

    While I don't understand exactly how I did it, especially as I had performed a very limited number of actions in the case before seeing the variance, I believe I invariably added extra items to all of the tag groups in the case.

  3. Hi all,

    I'm using 2.4.2 Pro.

    I used the "Keyword Lists" facet to add a txt file with about 10 search terms. Nothing too hardcore; a mixture of single words, double-quoted strings and one double-quoted string with an asterisk in the middle, i.e.

    word

    "some words"

    "more* words"

     

    I noted the raw results in a spreadsheet to give to the investigator and then went to the Tags facet to load each keyword tag subset and deduplicate them to also get that number (not realising the Keywords tab also gives a deduplicated number at this stage).

     

    What I've found is that the numbers in the initial results/available in the Keyword tab are different to what the Tags facet shows, but the deduplicated number is the same in both views.

     

    When I did the initial auto-tag, I chose "Only tag the selected item" under tagging options. I get the same numbers whether I check or uncheck the "Tag all duplicates" box down the bottom of the tagging options.

     

    Some examples:

    [keyword 1] (via the Keywords tab, all options checked under "search In") Items: 22422, Deduplicated: 3759, Hits: 91674, Families: 1886, Family Items: 193709

    Under the Tags facet, it shows 25413 items, 3759 deduplicated

     

    [keyword 2] Items: 629, Deduplicated: 260, Hits: 3083, Families: 516, Family Items: 13607

    Under the Tags facet, it shows 1746 items, 260 deduplicated

     

    If I "search" all tags I get 194363 items, 31895 deduplicated. Keywords tab shows same deduplicated but 193605 items.

     

    So essentially, the un-deduplicated numbers in the Tags facet are higher than the Keywords auto-tag or Keywords tab search results.

    Any thoughts here - which is the "correct" number?

    Are they both correct and I just don't understand the variance?

    Is there a setting I need to check/change somewhere?

     

    Cheers!

    Shaun

  4. This might be a bit of a first world problem, but it has frustrated me a few times so I figured I may as well put my hand up.

    I run Intella on workstations with 64, 128 and 256 gigabytes of RAM.

    I find the slider to set the memory allocation for the application and for the crawlers is completely fine on the machine with 64, but for 128 and especially 256, I find each step of the slider is too "coarse" - for example I may want to set it to 8GB per crawler and the options I get are 7.77 or 8.25 (not exact examples but you get the idea).

    I say it's a first world problem because I'm sure ultimately it may not matter much, it's just not as precise as I would like.

    Similar to the manual crawler setting where there is an editable text box, I would appreciate an editable text box for the memory options, so I can set the exact amount of memory I want.

    I wouldn't get rid of the slider altogether, just let both be an option?

    I may be getting a "proper" server with 512GB (or even more memory!) in the future, so I anticipate the issue will compound further with more installed memory.

  5. Apologies if this was already requested/discussed elsewhere - I did a few searches and didn't find anything.

    Going by the user guide, Intella is already somewhat aware of ADS, as it is capable of grabbing the Zone.Identifier information to show the URL where a file was downloaded from.

    Quote

    14.1.2. Features - Page 130

    Downloaded from Internet: Indicates items that may have been downloaded from the Internet. Intella determines such items by looking at the Zone.Identifier alternate stream in NTFS file systems. Where possible, Intella will extract the URL the file was downloaded from. This URL can then be found in the Raw Data tab.

    While not very common, people can still hide data in ADS, so it would be good if Intella could recognise such attempts at obfuscation.
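
A sketch of the kind of check the post above asks for, added here as an illustration (it is not from the original post and is not Intella's code). It assumes stream listings are already available as `(path, stream_name, content_bytes)` records; the function names and sample records are hypothetical and constructed.

```python
import configparser

def decode(data):
    # Zone.Identifier is normally ANSI/UTF-8 text; tolerate a UTF-16 BOM.
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16", errors="replace")
    return data.decode("utf-8-sig", errors="replace")

def parse_zone_identifier(data):
    """Return the [ZoneTransfer] keys of a Zone.Identifier stream, or {}."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = str  # keep key case: ZoneId, HostUrl, ReferrerUrl
    try:
        cp.read_string(decode(data))
    except configparser.Error:
        return {}
    return dict(cp["ZoneTransfer"]) if cp.has_section("ZoneTransfer") else {}

def triage_streams(records):
    """records: (path, stream_name, content_bytes); "" is the unnamed main stream."""
    findings = []
    for path, stream, data in records:
        if stream == "":
            continue  # ordinary file content, nothing to report
        if stream.lower() == "zone.identifier":
            zone = parse_zone_identifier(data)
            if "ZoneId" in zone:
                findings.append({"path": path, "kind": "downloaded",
                                 "zone": zone["ZoneId"], "url": zone.get("HostUrl")})
            else:  # expected name, but the body is not a ZoneTransfer record
                findings.append({"path": path, "kind": "malformed-zone-identifier",
                                 "size": len(data)})
        else:  # any other named stream is surfaced for review
            findings.append({"path": path, "kind": "unexpected-ads",
                             "stream": stream, "size": len(data)})
    return findings

# Constructed sample records (not real case data)
SAMPLE = [
    ("C:/case/report.pdf", "", b"%PDF-1.7 ..."),
    ("C:/case/report.pdf", "Zone.Identifier",
     b"[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://downloads.example/report.pdf\r\n"),
    ("C:/case/notes.txt", "payload.bin", b"\x00" * 4096),
    ("C:/case/setup.exe", "Zone.Identifier", b"not an ini body"),
]

if __name__ == "__main__":
    for finding in triage_streams(SAMPLE):
        print(finding)
```
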
