Jump to content

AdamS

Members
  • Content Count

    589
  • Joined

  • Last visited

  • Days Won

    22

AdamS last won the day on March 27

AdamS had the most liked content!

Community Reputation

30 Excellent

About AdamS

  • Rank
    Advanced Member

Profile Information

  • Gender
    Not Telling

Recent Profile Visitors

894 profile views
  1. The parent_tab/child_tag syntax will assist in the short term, however to avoid the need having the ability to simply tick a box and type a 'Parent' name as part of the AutoTag process would be ideal. The changes I'm thinking of are giving the ability to apply parameters to keyword lists for searching and auto tagging. So for comparison, if I want to search across the subject lines ONLY of all emails I do the following steps: Highlight emails in the type-->communications facet, right click and select 'include' select the 'options' button next to the free text search field (top left) and untick all options except 'subject' enter search term in the free text search field and press enter results display matches across emails only in the subject field I can then highlight and tag those results before moving on to the next search term Using that as a basis for what I'm looking for imagine how to make that possible using a keyword list so we can avoid typing in hundreds of individual search terms. When we add a keyword list and then select 'AutoTag' the only option we can change is the tagging rules (item only, including child items or including all family tree items). There will be many uses I think where having the ability to apply the following filters to keyword lists AND have them auto tag would be great: Dedupe/ignore irrelevant Specify fields to search across (subject, text/body, email addresses etc) One tag only per keyword per item/document First occurrence applies within single item (single item has multiple keywords which are responsive, only the first responsive keyword tag is recorded) Highest number of hits on single document (single item has multiple keywords responsive, keyword with the highest number of occurrences is recorded) Just a few thoughts but I'm sure there are other ways we could give some granular control over keyword list auto tagging.
  2. The autotag feature when undertaking keyword list searches is something I use quite a bit, but it would be great to see some further control over how those tags are applied. Lets say I already have a dozen or so tags applied, and a structure built up, if I import a new keyword list and want to auto tag those new tags are going to be interspersed between my existing tags and basically make a mess and trigger my neatness OCD bug To whit, currently we can set the tagging preference only (ie tag the selected item only, tag it's children as well etc..) I would be great to simply have a check box and be able to put that list of new tags into it's own nested parent tag, for example all these new keyword tags would be under a parent tag 'KWS 2' or what ever we want to call it. That way once the search and subsequent tag operation has completed it is very easy to work with that new set of tags. Secondly we can't influence what those new keywords are searching across, it would be another good addition if we could apply exceptions/inclusions or the options filter to the autotag/search process to limit the false positives and the cleanup that we have to undertake after the operation.
  3. This might seem a little trivial considering all we need to do is copy the .xml file to the correct folder in the Appdata location, however once we do that we need to reload the case for it to be visible. If an 'import export template/profile' button existed then this may negate the need to reload the case...?
  4. Expanding on the above query. I'm attempting to have an all encompassing field like the Primary Date, but them manipulating the way the data displays so instead of the full date and time it will just display the UTC offset, say 1000 or AEST for Sydney. In my testing I tried creating a custom field which looked for the email sent record ( PR_CLIENT_SUBMIT_TIME ) field in RAW DATA and also in the Headers field, then changed the date/time format using z(Z) or just z or Z and a few other variations. After re-indexing I cannot get this field to populate with any data at all. I have tried about 10 different date/time formats and even reverted back to the default. I have tried being specific to emails only or 'ANY' in the setup options. I have all the other custom fields setup and working correctly (email importance, sensitivity, read receipt request etc), this is the only one that is causing me problems. Any advice appreciated.
  5. I'm running some load file testing attempting to duplicate load files created with other software and I have a question. Essentially what I'd like to do is have the ability to duplicate the Primary Date column, but have the date format display in a couple of different ways. My thought was to create a custom field, then duplicate the fields which are listed in the Preferences section for Primary Date, however there is not enough information in the Preferences section for me to duplicate the Primary Date field. Is there a file somewhere that shows precisely which fields within Raw Data (or elsewhere) that are being parsed for the Primary Date field?
  6. I'm trying to find out if I can customise the numbering used by Intella when creating load files. currently I get something like below where 'EXPORT' is the prefix which is manually set. EXPORT.00000001.00000001 OR EXPORT.00000001.00000001.00000001 What I would like to do is restrict the amount (currently 8 characters per set) to something like below EXPORT.001.000001 Is there a config file I can edit or somewhere I can customise this? Edit: sorry , re-read the user manual and found the instructions there on how to do this....disregard
  7. AdamS

    What is W4

    Any known issues with report creation? I started a report for all known artifacts (around 300k) and left it running overnight, check on a short time ago and still says it's running but no actual files appearing in the target location. Is this designed to be more targeted using a smaller number of items perhaps?
  8. AdamS

    What is W4

    Ahh I possibly did Igor, I'll revisit that when I get a chance to confirm but I suspect that's what I did
  9. AdamS

    What is W4

    Just loaded up the new version (1.0.2) and wanted to confirm if this is expected behaviour. I tried to add two different E01 images to index, however indexing completed after a few seconds with no data found and no errors. I removed the sources and just added a single image and all is working as expected.
  10. Alternatively you could produce a report of the messages to CSV, then copy out the relevant message you are interested in.
  11. Sorry Vince the issue didn't occur again so didn't chase it any further
  12. AdamS

    What is W4

    Okay some initial feedback. Firstly, I just want to acknowledge that I know this is a first release Beta so some of my thoughts below are likely already on the map, and some are likely far down that map. But my initial excitement about this software wasn't misplaced. I'm extremely impressed and can't wait to see how this develops. I can already see a place for this tool in my day to day work life. Testing Notes I threw in an image of a PC and an iMac just for giggles, I'm guessing at this early stage the concentration has been on support of Windows OS as much less types of artefacts for the Mac was identified, but I was kind of expecting that for such a new bit of gear. Test Machine Specs Core i7 with 64GB ram running Windows 7 x64 Installation Install went smoothly, however did take around 45 mins. I'm assuming that as a first beta release this is pretty low on the priority list and I would expect that to improve and change as the package develops. Case Setup Case setup extremely simple, just a couple of fields to fill in then point to the disc image to ingest. Processing 120 GB - Started at 1800 hrs 25/10/18 1 min – Identified user accounts and other artefacts started appearing after 1 min processing 48 min total processing time 1TB iMac image - Started at 1900 hrs Again within 1 minute I was seeing data and could triage results 1hr 13m total processing time Notes No video or audio ‘open in external application option’ possibly intentional at this stage. Other viewers seem to work for pic and docs Thoughts and Ruminations USB Logs Would be nice to see some other info here if it's possible to show any file movement or access at the same time as the devices are connected The links view shows the user account that was logged in, would be nice to see this in the events view as well, maybe far right side in the boxes for each item? Event log viewer Would be nice to see more information around the event types, maybe another tab next to the ‘properties’ tab when selecting a log. Filter ability to isolate specific types of event logs, possibly addition of auto filter for event logs that might be of common interest ( shutdown/startup, virus scan, windows update, windows restore, restore point creation) Notable Program Usage Expand notable program usage (likely already high on the list) maybe ability to filter here from a predefined list (check box), possibly the ability to add custom programs based on the .exe name. In my head I'm seeing something similar to what IEF use when determine which app artefacts to go looking for. Deleted file activity Would be great to add tab next to ‘properties’ tab to show more information such as which user was logged in at the time, can currently see in the links view only. User Profiles The ability to filter all events based on a user profile, ie build a full timeline of activity for a single user by session linkage. Geolocation Would be nice to have a map with GEO location items (for offline use) AND direct link from the Geolocation field to google maps for online use. Cosmetic Stuff Collapse/Expand all option in search window for facets Create thumbnail pics for video files Data Support Support for mobile phone artefacts like iPhone backups, also to identify those backups which can’t be parsed due to encryption (possibly out of scope but given Intella support already of UFDR files this would seem to be a natural progression) Can UFDR files be imported yet, on the roadmap? Virus scanner logs showing quarantine events, etc Firewall Logs I also noted the picture review is nice and fast, the thumbnail caching works fantastic. Great for onsite triage of pics for LEO. I will spend some quality time over the coming weeks to really dig into this, but this is my initial thoughts after a few hours of playing.
  13. AdamS

    What is W4

    Just quietly I'm excited. Downloaded and started testing on a 120GB disk image, within 1 minute of processing starting I'm able to start triaging and seeing valuable data. I'll withhold any more comments until the indexing process finishes and I can spend a few hours coming up with some constructive testing, but what I've seen in the last 30 minutes or so has me massively impressed. Edit: sorry just one comment, I love the Events view. A good timeline tool has long been something missing and the way this presents the data is exceptional. I'll be watching closely to see how the reporting side of this tool develops, as traditionally this is where it can get tricky. Porting those timelines out into something useful for clients or third parties to use.
×
×
  • Create New...