Chris

Administrators
Everything posted by Chris

  1. Hello Adam, It is slightly different - if I understand you correctly. The checkboxes indeed have no impact on processing speed and case contents when the item type mentioned by a checkbox is not present in the evidence data in the first place. However, when an item of that type is present and the corresponding checkbox is not checked, then the recursive processing stops at that level in the item tree. Any potential child items will not be processed, regardless of their type and the rest of the selected checkboxes. Does this answer your question?
  2. Hello Adam, That sounds like a good idea. We will make a note of this.
  3. Hi Adam, We fully agree. We have this on our roadmap, but it's still too early to tell when this will be available.
  4. Vound is pleased to announce the official release of Intella and Intella Connect 1.9.1. Intella and Intella Connect 1.9.1 are available from the Downloads section in the Vound Support Portal, after logging in with your email address and password. Please read the release notes before installing or upgrading to ensure you do not affect any active cases. Users with a 1.8 license need to use the Dongle Manager to update their dongle to the 1.9 license. See the highlights in action on YouTube: http://www.youtube.com/watch?v=uzOCccDEXfg

     Highlights

       • Added an Insight view, giving a concise overview of suspect behavior gathered from browser histories, Windows registries and other sources. Examples are most often visited sites, connected USB storage devices, connected networks, system and service accounts, social media usage (e.g. Facebook, LinkedIn), webmail usage (e.g. Gmail), cloud storage usage (e.g. DropBox, OneDrive), online productivity sites (e.g. Google Docs, Office 365), etc.
       • Added support for FTK’s AD1 disk image format.
       • Added indexing of the Windows registry.
       • Added indexing of browser histories of all major browsers.
       • Added support for MS OneNote files.
       • Added text extraction from unsupported binary files.
       • Improved Type facet tree structure.
       • Extended keyword list statistics with user-defined columns.
       • Greatly improved tagging speed, often 1-2 orders of magnitude.
       • Indexing speed improvements.
  5. For the sake of historic completeness: this problem was resolved via customer support. The issue was that the same documents were part of a different source that did have the "Index content embedded in documents" setting turned on.
  6. Hello Jason, These steps will let you move a number of cases:

       1. Shut down the server.
       2. Move the case folders in Windows Explorer.
       3. Edit the C:\Users\[USERNAME]\AppData\Roaming\Intella\cases.xml file in a text editor to reflect the changed paths.
       4. Start the server.

     Unfortunately this means some (limited) down-time for the entire server.
  7. Hello Adam, Yes, that should indeed work fine.
  8. Vound is pleased to announce the official release of Intella, Intella TEAM and Intella Connect 1.9. Intella and Intella Connect 1.9 are available from the Downloads section in the Vound Support Portal, after logging in with your email address and password. Please read the release notes before installing or upgrading to ensure you do not affect any active cases. Users with a 1.8 license need to use the Dongle Manager to update their dongle to the 1.9 license.

     Highlights

       • Added indexing of MS Exchange EDB files, in their entirety or by mailbox.
       • Added indexing of Skype databases.
       • Added indexing of SQLite databases.
       • Added custodian support.
       • Added an Irrelevant Items classification, for suppressing items that have no intrinsic value to the case.
       • Added support for determining advanced keyword statistics.
       • Added the ability to refresh a case and pick up new evidence items.
       • Several improvements to indexing IBM Notes NSF files.
       • Added Primary Date and Family Date attributes.
       • Added tag group columns.
       • ... and many more.

     For full details and upgrade notes see the Intella and Intella Connect release notes.
  9. At the moment this is not possible. This is planned for a future version.
  10. Regarding the master plan, I see what you did there... I'm making a note of this. I can't predict if and when we will implement this, but I sure do get the workflow that is possible when all these ideas are implemented.
  11. Hello Adam, Are you able to share an example mail with us via a support ticket? That will help greatly in finding out what's going on here.
  12. Intella's focus is on the active data. We do not display this field at the moment. We may add this in a future version.
  13. Hello Phil, You say that the hashes are different: are you looking at the MD5 hash or the message hash? There were no changes regarding message hashing in the last versions.
  14. Hello Phil, It is indeed shown at the top of the page instead. However, when you do a Print Tab from the Previewer, you get the subject both as the title and in the headers part. I will consult with the developers why this is not done consistently.
  15. Hello Adam, The more prominent use of tags in the export output is something that we hear more often. Applying this to the CSV export makes sense to me, so I'm making a note of this.
  16. Hello all, We are getting close to the Intella and Intella Connect 1.9 releases, which feature a large list of improvements.

      A selection of the improvements in Intella 1.9:

       • Added indexing of MS Exchange EDB files, in their entirety or by mailbox.
       • Added indexing of Skype databases.
       • Added indexing of SQLite databases.
       • Added custodian support.
       • Added support for determining keyword statistics.
       • Added the ability to refresh a case and pick up new evidence items.
       • Several improvements to indexing IBM Notes NSF files.
       • Added primary date and family date attributes.
       • Added tag group columns, showing only tags from a specific part of the tag hierarchy.

      Additionally, Intella Connect 1.9 will have the following improvements:

       • Connect can now index new cases by itself or delegate indexing to a separate machine.
       • Added support for LDAP providers.
       • Added custodian support.
       • Added primary date and family date attributes.
       • Added export sets functionality.
       • Added tag group columns.

      We invite our users to try out a beta version of this release. Should you be interested, just reply to this topic, send me a private message or open a support ticket. We will then provide you with the necessary information.
  18. Hello Adam, That is correct: the calculation of an MD5 hash of a given binary is mathematically defined (see https://en.wikipedia.org/wiki/MD5 for more details) and should work across applications - that's even one of its intended purposes. What you should take care of is how each tool expects the MD5 to be encoded in the hash file. For Intella a simple text file with one MD5 per line in hexadecimal notation (e.g. d41d8cd98f00b204e9800998ecf8427e) is best. You can also use the CSV that Intella creates when you export out the MD5 and Message Hash columns, as it splits each line on commas and checks each value for being a valid MD5 hash (so headers in the CSV are filtered out). I have seen other tools that wrap hashes in quotes, mix MD5 hashes with other types of hashes in the same file, etc. Those are better removed.
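
A hash list cleaned up along the lines of the post above, as an added example that is not part of the original post and not Vound's code: each line is split on commas, quotes are stripped, and only values of exactly 32 hexadecimal digits are kept, so CSV headers and other hash types drop out. The function names and the sample data are constructed for illustration; stripping quotes and lower-casing are choices made here.

```python
import re

# Exactly 32 hexadecimal digits: the textual form of a 128-bit MD5 digest.
MD5_RE = re.compile(r"[0-9a-fA-F]{32}")

# Constructed sample: a CSV header, a quoted value, a SHA-1 and a SHA-256
# mixed in, an upper-case duplicate and a truncated value.
SAMPLE = '''MD5,Message Hash
d41d8cd98f00b204e9800998ecf8427e,9e107d9d372bb6826bd81d3542a419d6
"e4d909c290d0fb1ca068ffaddf22cbd0"
da39a3ee5e6b4b0d3255bfef95601890afd80709
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
D41D8CD98F00B204E9800998ECF8427E
d41d8cd98f00b204e9800998ecf8427
'''


def normalize_hash_list(text):
    """Return (md5s, rejected): unique lower-case MD5s in input order, and
    the (line number, value) pairs that were not valid MD5 values."""
    md5s, seen, rejected = [], set(), []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for field in line.split(","):
            value = field.strip().strip("\"'")  # drop wrapping quotes
            if not value:
                continue
            if MD5_RE.fullmatch(value):
                value = value.lower()
                if value not in seen:  # keep first occurrence only
                    seen.add(value)
                    md5s.append(value)
            else:
                # Headers, SHA-1/SHA-256 values, truncated hashes.
                rejected.append((lineno, value))
    return md5s, rejected


def write_hash_list(md5s, path):
    """Write one MD5 per line in hexadecimal notation."""
    with open(path, "w", encoding="ascii", newline="\n") as fh:
        fh.writelines(h + "\n" for h in md5s)


if __name__ == "__main__":
    hashes, skipped = normalize_hash_list(SAMPLE)
    print("\n".join(hashes))
    for lineno, value in skipped:
        print(f"skipped line {lineno}: {value!r}")
```

Reviewing the rejected list before importing shows whether a source file was truncated or mixed several hash types, rather than silently matching fewer items.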
  19. Hi Adam, I'm sorry to hear about the information loss. The export of the events.log to a CSV file is not there yet; we plan to add that in the future.
  20. Hello Adam, This strongly relates to your other post that you made here: http://community.vound-software.com/index.php?/topic/292-audit-logs/ Power outages, disk failures etc. indeed are often lethal to the case. While there are databases that offer protection against that, it is not trivial to apply those without considerably hurting indexing speed, disk space usage, etc. As you say, this hurts tagging more than indexing (and exporting). That is all the more reason to implement exporting of the events.log file to e.g. CSV format, as described in the other ticket.
  21. Hello Adam, At the moment there are the following types of log files:

       • The files in the logs sub-folder. These by nature mostly reflect what the application is doing and not so much what the user did to trigger it. These logs are typically used to combat support issues related to indexing and exporting. Tagging actions are logged in it, but lacking most of the information you want such as the items that were tagged.
       • The audits/local-user.csv can be used as an audit trail of the user's actions. Here the tag name, tagging settings and item counts are included, but still not the item(s) itself.
       • The events.log captures all necessary information about who tagged what item(s) with which tag(s). This file forms the basis of the Activities tab.

      So the events.log file is the only log that captures all information. The one remaining problem with this file is that it's a binary format file. It can be used to recover lost tags using a case backup (see section 10.8 of the user manual), but it is not in a human-readable format. We plan to make the events.log file viewable and exportable to other formats in a future release.
  22. Chris

    Wish list

    In the Search view, open the Tags facet, right-click on the tag and select "Pin tag..." It would make sense to make these tags pinnable from the Previewer as well though... All your other requests are great feedback!
  23. Chris

    Wish list

    Hello Adam, About your request on setting the default settings of a new case: I could see that being added in a future release. Default settings can be mimicked by simply copying the [case folder]/prefs/case.prefs file from one case to the next, but clearly this can be made a lot more user-friendly, especially for Connect where file system access on the server may be non-trivial. Locking certain settings using permissions would be a logical next step. The deduplication setting is tricky though: deduplication takes one item out of the set of duplicates, but it is not defined which one is taken. If tagging is not set to "tag duplicates", this may sometimes give the appearance that tags are lost. Resetting the stats sounds like a useful feature too, I'm making a note of this.
  24. I believe this request comes down to the following: The ability to add a constraint to the tag model that makes certain tags mutually exclusive, i.e. only one tag out of the group can be applied, not multiple tags. A user interface that lets you select a tag using a group of radio buttons (not check boxes). Radio buttons let you select at most one out of a group of values. For an example see https://en.wikipedia.org/wiki/Radio_button#/media/File:Radio_button.png.