Chris

Administrators

Everything posted by Chris

  1. Hello Jonas, Great to hear that the collection with two-factor authentication went smoothly. I take it that you are referring to the iMessage items that are stored in the iCloud account, right? This is a recently added iOS feature that we do not support yet. It is on the roadmap though.
  2. Hello Jason, Thank you for your kind words. As you have seen already, the Intella 2.2 release features improvements and sample scripts for enhancing the items in a case using Google Cloud's services, e.g. for text categorization, image classification, translation, entity extraction, etc. Similar scripts can also be made for other vendors; Google Cloud is merely used as a running example. See the attachment for an example of image classification in a case. I am also happy to say that several of the improvements that you mention are on the roadmap for the 2.2.1 and 2.2.2 releases, scheduled for later this year.
  3. Vound is pleased to announce the official release of Intella and Intella Connect 2.2. Intella and Intella Connect 2.2 are available from the Downloads section in the Vound Support Portal, after logging in with your email address and password. Users with a 2.1 license need to use the Dongle Manager to update their dongle to the 2.2 license. Please read the Release Notes before installing or upgrading, to ensure you do not affect any active cases.

     Highlights
       • Added support for basic case merging.
       • Items can now be exported to a new case.
       • Case templates enable quick initialization of a new case.
       • Added a GDPR Insight info panel, listing privacy-sensitive data found in the case.
       • Added command-line options and samples for scripting and analysis purposes.
       • Sample scripts are provided that enhance case data using Google Cloud AI services.
       • Added support for indexing Windows 10 Mail.
       • Added a Show Family search option.
  4. For the moment that is indeed not possible. Please note that the Table does have a Message ID column. So you can show the Message IDs and sort on them. If you have a large amount of Message IDs to deal with, you can try the following:
       • List all items in the table and add the Message ID column.
       • Export all results as a CSV, using only the Item ID and Message ID columns.
       • Use Excel or some batch script to filter the CSV so that it only contains the rows with a matching Message ID.
       • Remove the Message ID column from the CSV, leaving only the Item IDs.
       • Import this file in the Item ID facet. This gives you the set of items with a matching Message ID.
  5. Vound occasionally issues "patch releases", to quickly address issues of a severe nature. Below is a list of the patch releases and a description of their changes. For patch releases for Intella Connect 2.6, see the replies below this post.

     The following patch release has been issued since the 2.5.1 release:

     2.5.1.1
       • Improvements to the default case memory settings, reducing the risk of out of memory errors.
       • Resolved an issue with certain Cellebrite UFDR reports failing to process correctly.
       • Resolved an issue with disk images failing to process correctly when the number of disk image parts exceeded ~800 files.
       • Improved handling of Notes NSF files, ensuring that document-level errors only affect that document.
       • Resolved an issue where sources defined with Intella could not be edited when opened in Intella Connect.
       • Improvements to the time-out mechanism to make it work better with large (multi-TB) disk images.
       • Resolved an issue where user roles would fail to be added.
       • Resolved an issue where setting the custodian field during indexing would result in the source failing to index.

     The following patch release has been issued since the 2.5 release:

     2.5.0.1
       • While Intella is not affected by the Log4j vulnerability (CVE-2021-44228), we have released a patch to ensure that the latest versions of the SLF4J and Logback logging libraries are used.

     The following patch release has been issued since the 2.4.2 release:

     2.4.2.1
       • While Intella is not affected by the Log4j vulnerability (CVE-2021-44228), we have released a patch to ensure that the latest versions of the SLF4J and Logback logging libraries are used.
       • Back-ported a security improvement from the 2.5 release related to secure file uploads.

     The following patch release has been issued since the 2.4.1 release:

     2.4.1.1
       • Fixed two security vulnerabilities. We recommend updating all existing instances to the newest version.

     The following patch releases have been issued since the 2.3.1 release:

     2.3.1.1
       • Fixed an issue where timezone settings may not be properly applied to file system items in an AD1 disk image.
       • Fixed an issue where timezone settings may not be properly applied to certain items when the source time zone is different from the investigator machine's time zone. This affects Hangul version 3 documents, OpenOffice documents (creation dates only), deletion stubs in NSF, and certain dates in USB-related artifacts.

     2.3.1.2
       • Fixed an issue where a crawler crash that could result in corrupt text stores was not reported appropriately.
       • Fixed an issue where email metadata in rich text NSF items was indexed in a way that made them non-responsive to certain field-specific keyword searches.
       • Fixed an issue where indexing of certain calendar items could result in an endless loop, causing indexing to never complete.

     2.3.1.3
       • Fixed an issue where tags could be lost if those tags were applied in 2.4 and the case was subsequently opened in 2.3.x.
       • Fixed an issue where the dongle driver would not install on certain Windows installations.

     The following patch releases have been issued since the 2.3 release:

     2.3.0.1
       • Fixed an error that might occur when using an export template that contains tags that are not present in this case (item report export type only).
       • Fixed an issue where Intella doesn't index certain draft or deleted emails without body, senders and recipients in EDB containers.

     The following patch releases have been issued since the 2.2.2 release:

     2.2.2.1
       • Fixes a backwards compatibility issue introduced in 2.2.2 that concerns items redacted with an older Intella Connect version.
       • When a crawler process crashes, the item IDs of potentially incompletely indexed items are now logged.

     The following patch releases have been issued since the 2.2.1 release:

     2.2.1.2
       • Fixes an issue with the Branding page not loading properly when navigating to it on a clean installation.

     2.2.1.1
       • Fixes an issue with the Previewer not loading item metadata correctly when using quick tag buttons in combination with the "Go to next item after tagging" option.

     The following patch releases have been issued since the 2.1.1 release:

     2.1.1.3
       • Improvements in persisting batch status and progress, making it more fault tolerant.
       • Improvements aimed to discover and present ORGANIZER and ATTENDEE properties as a part of PST and EDB calendar items.
       • Improvements that prevent or reduce data loss and case corruption in case of system or network failure.

     2.1.1.2
       • Improvements to make indexing and case conversion more fault tolerant.
       • Fixes an issue with redactions on rotated PDF documents not exporting properly.
       • Fixes an issue with the installer taking a long time to complete, blocking on the HASP driver installation.
       • Fixes an issue with a new source failing to be added when the "Analyze Paragraphs" option was not set on.

     2.1.1.1
       • Fixes an issue with item download when no original content was present, but load file Image was
       • Improves the speed of I/O operations for certain case files stored on a Network Drive.
       • Improves and simplifies communication between Intella Connect and Intella Node, which also allows selectively switching SSL support ON and OFF for each individual Node.
       • Fixes an issue with old login URLs not working properly. They will now be redirected to an updated login URL.

     The following patch releases have been issued since the 2.1 release:

     2.1.0.1
       • Fixes a fatal error (BufferUnderflowException) that affects the entire indexing of an EDB file.

     2.1.0.2
       • Fixes a fatal error (UnsupportedOperationException) that affects the entire indexing of an EDB 2010 file.
       • Fixes a case conversion issue, concerning cases made with 1.9.x that failed to migrate at all.

     2.1.0.3
       • Fixes a case conversion issue, resulting in parts of the case data not being migrated to the new case.
       • Fixes excessive use of non-deleted temporary files when processing an EDB file.

     The following patch releases have been issued since the 2.0.1 release:

     2.0.1.1
       • Fixes a cryptic error that occurs when re-indexing a case without the evidence files present, obfuscating what is actually going wrong and making it hard for the end user to resolve the situation.
       • Fixes an issue with natively previewing items that have a single quote character in their file name.
       • Fixes an issue with "Index new data" failing to populate the Location and Family Date attributes for items added in a subsequent indexing run.
       • Fixes an issue with broken PST files not indexing properly.
       • Fixes an IBM Notes validation issue.

     The following patch releases have been issued since the 2.0 release:

     2.0.0.1
       • Rolls back the haspdinst.exe driver from v7.51 to v7.41, because the former appears to cause system crashes on some Windows installations.

     The following patch releases have been issued since the 1.9 release:

     1.9.0.1
       • Fixes an issue with the export to PST failing to export all items.
       • Fixes an MS Outlook validation issue.
       • Fixes an "Error 500" error when creating new redaction profiles.
       • Fixes an issue with some items failing to show in the Previewer.

     1.9.0.2
       • Fixes an issue with the preferences file becoming syntactically incorrect when storing certain values.

     The following patch releases have been issued since the 1.8.4 release:

     1.8.4.1
       • Adds support for the Intella P.I. product.

     1.8.4.2
       • Fixes an issue with cases failing to open.
       • Fixes an encoding issue when exporting non-ASCII data to a load file using ASCII encoding.

     The following patch releases have been issued since the 1.8.3 release:

     1.8.3.1
       • Fixed an issue with redaction marks staying in view when moving from one item to another in the Redaction tab.
       • Fixed an issue with the "Redact all" button adding multiple redaction marks on the same spot.
       • Fixes an issue with the flagging functionality in the Thumbnails view not working properly.

     The following patch releases have been issued since the 1.8.1 release:

     1.8.1.1
       • Fixes an issue with emails getting incorrect created and last modified dates when there is another email with identical content but with different raw data present in the case.
  6. Vound occasionally issues "patch releases", to quickly address issues of a severe nature. Below is a list of the patch releases and a description of their changes. For patch releases for Intella 2.6, see the replies below this post.

     The following patch release has been issued since the 2.5.1 release:

     2.5.1.1
       • Improvements to the default case memory settings, reducing the risk of out of memory errors.
       • Resolved an issue with certain Cellebrite UFDR reports failing to process correctly.
       • Resolved an issue with disk images failing to process correctly when the number of disk image parts exceeded ~800 files.
       • Improved handling of Notes NSF files, ensuring that document-level errors only affect that document.
       • Resolved an issue where sources defined with Intella could not be edited when opened in Intella Connect.
       • Resolved an issue where adding an AFF4 image holding an encrypted APFS file system would fail to show the "Encrypted volume detected" dialog.
       • Resolved an issue where using File > Close Case and selecting a second case would result in that case being opened with incorrect case settings. This could result in various indexing and exporting errors.
       • Resolved an issue where Intella would crash when the user attempted to close the application during loading of the Insight tab.

     The following patch release has been issued since the 2.5 release:

     2.5.0.1
       • While Intella is not affected by the Log4j vulnerability (CVE-2021-44228), we have released a patch to ensure that the latest versions of the SLF4J and Logback logging libraries are used.

     The following patch release has been issued since the 2.4.2 release:

     2.4.2.1
       • While Intella is not affected by the Log4j vulnerability (CVE-2021-44228), we have released a patch to ensure that the latest versions of the SLF4J and Logback logging libraries are used.

     The following patch releases have been issued since the 2.3.1 release:

     2.3.1.3
       • Fixed an issue where tags could be lost if those tags were applied in 2.4 and the case was subsequently opened in 2.3.x.
       • Fixed an issue where the dongle driver would not install on certain Windows installations.

     2.3.1.2
       • Fixed an issue where a crawler crash that could result in corrupt text stores was not reported in the Errors tab.
       • Fixed an issue where email metadata in rich text NSF items was indexed in a way that made them non-responsive to certain field-specific keyword searches.
       • Fixed an issue where indexing of certain calendar items could result in an endless loop, causing indexing to never complete.

     2.3.1.1
       • Fixed an issue where timezone settings may not be properly applied to file system items in an AD1 disk image.
       • Fixed an issue where timezone settings may not be properly applied to certain items when the source time zone is different from the investigator machine's time zone. This affects Hangul version 3 documents, OpenOffice documents (creation dates only), deletion stubs in NSF, and certain dates in USB-related artifacts.

     The following patch releases have been issued since the 2.3 release:

     2.3.0.1
       • Fixed an error that might occur when using an export template that contains tags that are not present in this case (item report export type only).
       • Fixed an issue where Intella doesn't index certain draft or deleted emails without body, senders and recipients in EDB containers.

     The following patch releases have been issued since the 2.2.2 release:

     2.2.2.1
       • Fixes a backwards compatibility issue introduced in 2.2.2 that concerns items redacted with an older Intella version.
       • When a crawler process crashes, the item IDs of potentially incompletely indexed items are now logged.

     The following patch releases have been issued since the 2.1.1 release:

     2.1.1.3
       • Improvements aimed to discover and present ORGANIZER and ATTENDEE properties as a part of PST and EDB calendar items.
       • Improvements that prevent or reduce data loss and case corruption in case of system or network failure.

     2.1.1.2
       • Improvements to make indexing and case conversion more fault tolerant.
       • Fixes an issue with the installer taking a long time to complete, blocking on the HASP driver installation.
       • Fixes an issue with the CSV export and table column chooser not working correctly when tag groups or content analysis columns were deleted.
       • Fixes an issue with the "Restore Annotations" function not working correctly.

     2.1.1.1
       • Fixes an issue with version update notifications not working properly.
       • Fixes an issue with an occasional error being thrown in Previewer.
       • Improves the speed of I/O operations for certain case files stored on a Network Drive.

     The following patch releases have been issued since the 2.1 release:

     2.1.0.1
       • Fixes a fatal error (BufferUnderflowException) that affects the entire indexing of an EDB file.

     2.1.0.2
       • Fixes a fatal error (UnsupportedOperationException) that affects the entire indexing of an EDB 2010 file.
       • Fixes a case conversion issue, concerning cases made with 1.9.x that failed to migrate at all.

     2.1.0.3
       • Fixes a case conversion issue, resulting in parts of the case data not being migrated to the new case.
       • Fixes excessive use of non-deleted temporary files when processing an EDB file.

     The following patch releases have been issued since the 2.0.1 release:

     2.0.1.1
       • Fixes a cryptic error that occurs when re-indexing a case without the evidence files present, obfuscating what is actually going wrong and making it hard for the end user to resolve the situation.
       • Fixes an issue with "Index new data" failing to populate the Location and Family Date attributes for items added in a subsequent indexing run.
       • Fixes an issue with broken PST files not indexing properly.
       • Fixes an IBM Notes validation issue.

     The following patch releases have been issued since the 2.0 release:

     2.0.0.1
       • Rolls back the haspdinst.exe driver from v7.51 to v7.41, because the former appears to cause system crashes on some Windows installations.

     The following patch releases have been issued since the 1.9 release:

     1.9.0.1
       • Fixes an issue with the export to PST failing to export all items.
       • Fixes an issue with the "Open in native application" option not working on some item types.

     1.9.0.2
       • Fixes an issue with the preferences file becoming syntactically incorrect when storing certain values.

     The following patch releases have been issued since the 1.8.4 release:

     1.8.4.1
       • Adds support for the Intella P.I. product.

     1.8.4.2
       • Fixes an issue with cases failing to open.
       • Fixes an encoding issue when exporting non-ASCII data to a load file using ASCII encoding.

     The following patch releases have been issued since the 1.8.3 release:

     1.8.3.1
       • This release uses the same baseline code as Intella Connect 1.8.3.1. There are no fixes in here that affect the desktop product.

     The following patch releases have been issued since the 1.8.1 release:

     1.8.1.1
       • Fixes an issue with emails getting incorrect created and last modified dates when there is another email with identical content but with different raw data present in the case.
  7. Vound is pleased to announce the official release of Intella and Intella Connect 2.1. Intella and Intella Connect 2.1 are available from the Downloads section in the Vound Support Portal, after logging in with your email address and password. Users with a 2.0 license need to use the Dongle Manager to update their dongle to the 2.1 license. Please read the Release Notes before installing or upgrading to ensure you do not affect any active cases.

     Highlights
       • Email threads are now detected and visualized. This includes the determination of the inclusive emails: together these cover all the content in the thread. This can reduce review time and effort. Missing emails are highlighted in the thread.
       • Identities modeling lets one build an “address book” of the persons of interest, bundling their aliases such as email addresses, phone numbers and chat accounts into a single unit. Various facets and displays use this to improve their content.
       • Added an integrated OCR option. All Intella users can now OCR documents and images without requiring additional software, licenses, or systems.
       • Added recovery of deleted files in NTFS disk images using the MFT.
       • Added functionality for removing sources from a case.
       • Custom columns let one extend Intella’s data model with new columns, populated by selected headers, raw data fields or load file columns.
       • Added support for the Ext4 file system.
       • Added support for indexing non-encrypted iTunes backups.
       • Improved the presentation of instant messages by bundling them in day-to-day conversation items.
       • The Social Graph now also shows phone calls and instant messages. When any of the aliases are found in an Identity, these nodes are merged. This presents a unified view of the communication between people, regardless of the communication medium used.
  8. The latest version can now be found here: https://www.vound-software.com/whitepapers-studies-resources#resources. See "Export to Intella". Note that Intella's indexing abilities have grown significantly since this script was made, so most users don't need it anymore.
  9. Hello Jason, I doubt that this will be the same technical issue. Back then the problem was that Intella would not start on any Windows 8.1 machine whatsoever. We have not seen this issue pop up on Windows 10 before - I double-checked it with the latest Windows updates. I think this is best handled through a support ticket, so that we can have a look at your log files. Can you open a support ticket for this?
  10. Vound is pleased to announce the official release of Intella and Intella Connect 2.0.1. Intella and Intella Connect 2.0.1 are available from the Downloads section in the Vound Support Portal, after logging in with your email address and password. Users with a 1.9 license need to use the Dongle Manager to update their dongle to the 2.0 license. Please read the Release Notes before installing or upgrading to ensure you do not affect any active cases.

      Highlights
        • Added support for custom designations to exported PDFs and load file images.
        • Added support for multi-page TIFFs.
        • Improved indexing error reporting.
        • Various performance and stability improvements.
  11. Vound is pleased to announce the official release of Intella and Intella Connect 2.0. Intella and Intella Connect 2.0 are available from the Downloads section in the Vound Support Portal, after logging in with your email address and password. Users with a 1.9 license need to use the Dongle Manager to update their dongle to the 2.0 license. Please read the Release Notes before installing or upgrading to ensure you do not affect any active cases. You can see some of the new features in this video.

      Highlights
        • Updated and modernized the user interface.
        • Added a Geolocation results view, showing the geographic locations of search results, e.g. based on GPS data and IP addresses.
        • Added a Histogram results view, showing the date distribution of search results.
        • Added a Review tab, for convenient viewing of all items in a set.
        • Added new cloud sources: Dropbox, Office 365 (incl. OneDrive), SharePoint, Gmail.
        • Added indexing of virtual machine images (VMDK and VHD formats).
        • Completely redesigned user interface for importing load files.
        • Added detection of Bitcoin cryptocurrency files.
        • Indexing performance improvements, both raw indexing time and when adding additional data to a case.
        • Added regular expression-based detection of text patterns, e.g. bank account numbers. A Regular Expression Assistant is included for constructing the expressions, together with a library of example expressions.
        • Added skin tone analysis of images.
        • Added several table columns, e.g. covering the number of recipients of emails and other communications, passwords and certificates of decrypted items, and others.
        • Added a Recipient Count facet.
        • Refined the classification of embedded items, and consequently improved the suppression of irrelevant items using this improved classification.
  12. Hi Adam, It's a nice idea. I know that there are various AV companies that offer an SDK. I don't know if there is a standardized way to simply use the local virus scanner, regardless of the vendor.
  13. A configurable message hash algorithm is still indeed on our wishlist. It's not going to make it in the 1.9.2 release, which is weeks away, but I'll see what I can do for the release after that.
  14. Hi Jason, We expect that Connect 1.9.2 is 3-4 weeks away.
  15. Hello Jason, The counts in the Tags facet show the "explicit counts", i.e. the tags made by the user by selecting those tags in the Add Tags dialog. There is no automatic inheritance in these counts. However, when you query for a parent tag, you will notice that it does include the items from the child tags. This is by design. It works this way in both products. I recall we had some discussion about it during development. One thing we're considering adding in the future is the possibility to rearrange the tag tree structure, in which case automatically inherited taggings could become a pain. Does this also work for you? If not, can you explain why? It would help us understand how to improve on this.
  16. Hello Dale, I made a note of this functionality request. I understand the use case and think it makes sense to add this. No promises though, we have a long list of good ideas...
  17. Hi Adam, I'm making a note of this. The Features facet in Connect has a Batched category. The desktop variant does not. We may consider adding it there too, perhaps even extended with functionality to create those batches as well.
  18. For the record, this issue is currently handled via a support ticket.
  19. Hello Dave, I was not able to reproduce this issue. By the way, I take it that you meant the "Previewed" table column and Features facet category? When you open the Features facet, what do you see beneath "Previewed"? When you open the case in 1.8.3 again, does the information reappear?
  20. FYI, I tried creating a case in a folder to which I don't have write permission, and creating a case in a folder that already holds data. In both cases I get an error dialog, so this does not explain what you are seeing. You may want to take a look at the Case Manager's logs. These are separate from the individual case logs. They are located in C:\Users\[USERNAME]\AppData\Roaming\Intella\logs. Perhaps there is a clue in there.
  21. Hello Adam, Sounds reasonable. I'll pass this on and see if this can be improved.
  22. Can you try replacing the back-slashes with a double pair of back-slashes? I would have to consult the load file experts in our team, but from the output that you are giving I presume these are being used to escape certain special characters. As "0" is not a special character, "\0" then simply becomes "0". If this fails, can you show a screenshot of the complete settings?
  23. Hello Adam, It is slightly different - if I understand you correctly. The checkboxes indeed have no impact on processing speed and case contents when the item type mentioned by a checkbox is not present in the evidence data in the first place. However, when an item of that type is present and the corresponding checkbox is not checked, then the recursive processing stops at that level in the item tree. Any potential child items will not be processed, regardless of their type and the rest of the selected checkboxes. Does this answer your question?
  24. Hello Adam, That sounds like a good idea. We will make a note of this.
  25. Hi Adam, We fully agree. We have this on our roadmap, but it's still too early to tell when this will be available.