Chris

Administrators
Everything posted by Chris

  1. Hello all, I am currently working on a new visualization showing the results of a large keyword list. See the attached image, which is based on an arbitrary list of words extracted from the Enron case. This visualization is meant to combat a scalability issue of the current Cluster Map, which can have difficulties showing large amounts of overlapping result sets. The graph can become too cluttered to be meaningful and computation times may slow down the user interface. In the new visualization each result set becomes its own visual entity. Once the queries have been calculated, the visualization updates instantly. In the end this visualization will become a "mode" of the Cluster Map: when it detects that the graph becomes too large to be meaningful, it will automatically switch to this visualization mode. In other cases the user is free to switch between "overlapping/clustering" and "independent sets" modes. Feedback is most welcome!
  2. Suppose you want to find all emails that have a PDF attachment. How about this method: 1. Find all PDFs using the Type facet. 2. Use the Show Parents function to determine the parents of these PDFs. 3. Remove the PDFs result set but leave the parents set. 4. Find all emails using the Type facet. 5. Use the Cluster Map to select the overlap of the outcomes of step 2 and 4. Like the tagging method, you exploit the item hierarchy here in an automated way, but without the need to tag anything, which would change your case and can be an expensive operation.
  3. I would be surprised if the fact that they are OST files is any factor, as all access to those files runs in a separate, monitored child process. In case that child process freezes or crashes due to some illegal operation, the Intella parent process will detect that and know how to recover from it. It should not cause any system instability. The case logs may tell us more. Also have a look for any files starting with "hs_err" in your temp folder (type "%TEMP%" in Windows Explorer). Furthermore it may be useful to take a look at the Windows Event Viewer. There may be information on the system crashes, incl. what application caused it. It may be something external to Intella, e.g. a faulty device driver.
  4. Hello all, This feature is indeed high on our wishlist, you are certainly not the first to bring it up! Right now we are working on a new and much faster indexing engine. Once that reaches a mature state, this feature will likely be one of our top priorities. One workaround we can think of is to export all desired items into a load file, create a new case and import that load file as a new source. This approach is not perfect though, as our load files are not yet able to pass through all information in a case. That could be a design goal for the load file export and import: make it able to pass through 100% of the information in a case.
  5. Chris

    Wish list

    Hello Adam, Thank you again for this very useful feedback. To answer them one by one: We are considering several improvements for extending cases with new evidence data, e.g.: The ability to merge two cases: you index the new data into a new case and then use Intella's Case Manager to merge the two cases into a third case, or add one case to the other. Give Connect itself the ability to index data. As Connect is not a local, single-user application, it makes sense to be able to do this without having to shut down the server or even the case. I will ask one of my colleagues to come back on that issue with the history events. This should not happen, I believe. As for hiding tags and/or tagged items: I realize that there are multiple use cases for hiding information, sometimes it's the item itself that is sensitive and sometimes it's the tag that it has received. Right now we only support one mode of hiding tagged information. We will likely support all others in a future release. It indeed makes sense to show a "public service announcement" system event, either for live cases ("going down in 30 minutes") or temporarily unavailable cases.
  6. Note that I addressed that question here: http://community.vound-software.com/index.php?/topic/136-search-query-assistance/
  7. Hi Adam, All good feedback, we're definitely making notes here!
  8. Hello Adam, How about just searching for "total" and using the List view to see the context in which it appears? Since version 1.7.2 we show search snippets there (see the attached image). Unfortunately you can't copy or export them, but it may be a step closer towards what you need. From there you can easily flag them as well, and later export the flagged items.
  9. Hello Adam, This is again a question that comes up more often, so I think we should do something with this feature request. The From and Sender headers always only contain a single address, so that's the easy part. The receivers can be many and spread across three different headers. One idea we have is to offer a table that shows the number of recipients of a mail. Once you have narrowed down the emails that have either John or David as sender (From or Sender header) and either John or David as one of the recipients, you can simply sort the results table on this column and select the ones that have only a single recipient. Clearly this is still not a trivial operation, so some dedicated search functionality may make sense, e.g. a checkbox in the Email Address facet that checks for an exclusive set of recipients. Would that work? Ideas are welcome.
  10. Hello Adam, Thank you for your suggestions. We occasionally get the request for case sensitive searching in one form or another, so it's something that we definitely keep in mind. Any indexing options will most likely incur some overhead, but I like your alternative of doing it in the Previewer! I think what you have in mind is very similar to the results list that you see when using MS Word's Find option? E.g. like this: http://www1.pcmag.com/media/images/306875-browse-search-results-in-word.jpg?thumb=y
  11. Hello Paolo, Unfortunately it is not possible to search for specific casing, as during indexing all keywords are lowercased before they are added to the index.
  12. Hello David, This is best done by exporting to CSV, see the section called "Exporting to a CSV file" in the user manual: 1. Select the results in the table that you want to export to a CSV file. You can use the Select All option in the right-click menu to easily select all rows. 2. Right click on the selected files and click “Export table as CSV…”. 3. Mark the names of all columns that you want to include in the CSV file. 4. Give the CSV file a name and select Export.
  13. Hello Jerry, I would recommend the following: Export the deduplicated set as a CSV, as you already do. Set the table back to non-deduplicating mode. Add the Duplicates column and sort by it. Tag all items that have two or more duplicates. Let the table show all these items (i.e. equal to your original set but with the unique items removed). Add the MD5 and Message Hash columns. Sort by these columns (use CTRL-clicking). Export the table to CSV. You then have a second CSV file containing all items with duplicates, with their locations adjacent. Would that work?
  14. I can see why it can be useful, so it remains strongly on our wishlist (though with many other items). If in a specific task exporting to MSG is a must, would exporting to a PST and then extracting the individual MSG files with a third party tool be an option?
  15. This is part of the 1.7.2 release, both desktop variant and Connect. Note that the Preview tab will only be shown for emails that have a body in HTML format.
  16. Hello Jenny, The easiest and most reliable way to query for all items is to query for the root node(s) in the Location facet. If you added all evidence as a single folder, there will be a single root node and searching for it produces a single result set. Else you need to use CTRL-clicking or SHIFT-clicking to select all root nodes. Next, click Search. This produces a Cluster Map with one or more clusters. Select them to show them in the Details table below. Tip: when you have multiple result sets, select one of them in the Searches list and then type CTRL+A to select all of them. The Details table now contains all items. Make sure the table is in deduplication mode to get to the set of items that you want.
  17. Hi, Having a sample MHT file would be very helpful indeed! You can attach it to a reply or create a support ticket at http://support.vound-software.com. Thank you for your help!
  18. Vound is pleased to announce the official release of Intella and Intella TEAM 1.7.2. Intella 1.7.2 is available for download from the Vound Support Portal after logging in with your email address and password. It is located in the downloads section of the support page. Highlights: Added detection of entities such as credit card numbers, social security numbers, person names, phone numbers, organization names and locations in document texts. Added a new Statistics view, giving the user a statistical and graphical overview of the case’s content. Extended facet filtering and sorting options. Added indexing of load files, e.g. import information from a legal case application such as Concordance. Added filtering of disk images. Rendering of HTML-formatted emails. Improved List view, showing e.g. the context of keyword searches. Release Notes: https://www.vound-software.com/docs/1.7.2/Intella-1.7.2-Release-Notes.pdf. Special Offer to Intella Clients: Vound recently launched Intella® Connect, a Web-Enabled Platform for eDiscovery and Forensic Search. To enable our valued customers to better understand how Intella® Connect can streamline eDiscovery and investigations tasks, we are proud to announce that existing customers owning a current copy of Intella 250 or above can apply for a three month Intella® Connect license at no cost. Please see this link for full details: https://www.vound-software.com/connect-trial. Note: Users with 1.6 activated dongles need to use Dongle Manager.exe to update their dongle to 1.7. [Dongle Manager.exe instructions here] For additional information, please contact our support department by submitting a support ticket on our website. Please consider joining our community forum to meet and exchange usage tips with other Intella users: http://community.vound-software.com.
  19. Hi Adam, The Previewer close operation and the suggested Timeline improvements have not been addressed yet. We may still do that in a future release - the problem is definitely not a lack of good ideas. You did ask "could we have an option for the email address facet filter to have "no filter"?". This is now possible, the Email Address facet recently received a couple of new branches: The "All Senders and Receivers" branch combines all addresses found in the From, Sender, To, Cc and Bcc headers, i.e. all addresses regardless of their sender or recipient role. The "All Addresses" branch merges this list with all addresses found in the document and email texts. The latter are also listed separately in the "Addresses in Text" branch.
  20. Hello Walt, Great feedback, we really appreciate this! The filtering of edges (and perhaps nodes as well?) based on the number of emails is indeed high on our wishlist, as is every other improvement that makes the graph more manageable, both visually and computationally. Another idea I had is the option to collapse all nodes from the same domain (e.g. gmail.com, enron.com, ...) into a single node. You'll get a different type of graph, showing the communication patterns between hosts, that can be useful as well and that can scale to much larger sets of items. I plan to add an option that instructs Intella to automatically merge all nodes (= email addresses) that share the same contact name. Manual merging is indeed another way, but my expectation is that it's only practical for smaller graphs; in large graphs you may overlook that a single person is represented by multiple nodes. That's why "CTRL+F" is also on the wishlist. The last idea I want to mention is to "do something with time". I'm not sure what this will result in, but these social networks change over time, perhaps related to certain events. It would be great if we could visualize that. Thanks again, and more input is welcome!
  21. Thanks, some very useful suggestions in here! The keyword hits by custodian is something we've been asked for several times. It indeed fits well in the Statistics theme. A challenge here is that we don't really have the concept of "custodian" in Intella. We could use a source for this, so every PST/NSF/... is tested against all keywords. Alternatively, a cross-matrix of tags x keywords makes that you get full control against what aspects the keywords are tested against, though it requires a bit more preparation work. Would you want to see the raw amount, the deduplicated amount, or perhaps both? Adam: I was indeed referring to the Reviewer-related stats, and soon Connect stats, but we can look into other collaboration modes as well. BTW, I do have to look up how this works with local cases, but I believe every Intella user installation (essentially the %APPDATA%\Intella folder) corresponds with an automatically created and unique user identifier. Therefore, if you move the case to a different machine and the user there browses to the case, I believe his/her actions are logged as being performed by a different user. Since 1.7 the name of that reviewer is shown in the Case Manager screen. However, it has been some time since I last looked into that type of user management, so I could be wrong... Many thanks for your comments, this is really helpful!
  22. Hello all, In the next Intella version we want to add a new view called "Statistics" or "Overview". This view is intended to give investigators a quick, dashboard-like overview of "what's inside the case", giving him or her a feel for the type of data, its volume, its quality, ideally leading to inspiration on how to tackle the case. My question to you all is: What type of statistics would be useful to you? Ideas we have are: Show a histogram of all items (using Sent/Creation/Last Modified dates), giving an overview of what time interval the items span, if there are any peaks or unusual gaps, etc. Show a bar chart for the seven days of the week: which days are "most active"? Same can be done for hours of the day. Show a pie chart of item types, e.g. is the case email-centric, document-centric, or are lots of items even unclassified? Top ten file types. Top ten most often occurring email addresses. Top ten most often occurring mail host names. Simple stats like: Number of items in the case, both the raw and the deduplicated amounts. Number of encrypted, empty, broken items. Top ten items with the most copies throughout the case, or that have been linked with lots of custodians. Review-related stats: How many items have been tagged, flagged, opened, etc. In total or per reviewer. Personally identifiable information such as detected credit card numbers, social security numbers, etc. Which of these appeal to you, and what other statistics can you think of?
  23. At the moment the contents of the reports are not configurable. That is actually why we made the CSV report, so that you'd at least have one report format that you can easily edit afterwards, e.g. by deleting or processing entire columns at once, or writing a script that converts it into something else. Making the report configurable is on our wishlist though. We will look into that CSV link issue.
  24. Thanks for the feedback, we will look into those Excel reports. I haven't myself, but some of my colleagues may have.
  25. Hi Adam, You are referring to the export reports (in PDF, RTF, HTML and CSV formats), right? How about using the PDF export type and using the concatenation option, does that not achieve the same?