AdamS

Just a quick question about importing ICW files. I am looking at consolidating a few cases for archiving and this is my plan. Create ICW work files for each case Consolidate all the source data (.nsf archives in this case) into a single folder Re-index the entire source set with 1.8 Import the ICW files (2 created by 1.8 Beta 1 and the other created by 1.7.3) My questions are these: Will ICW files created with older and beta versions import cleanly to the latest build? Are the tags in these ICW fields dependent on the source locations being identical, ie do I have to maintain the original folder structure or can I simply dump all the NSF archives into a single folder and have the tags still relevent? I should point out that two of the cases were originally indexed in 1.8 Beta 1 and I can't view these case files correctly in any version other than the Beta. I can open the files in 1.8 but the locations don't populate and nor does the preview pane, it simply remains blank when I try to list tagged items or emails etc..

Could I have the link for 1.8 beta 2 please

Jonas this is something that I've grappled with before and this is my solution (until something better is developed). Something I have asked for an am eagerly awaiting is the ability to limit the search within the to single email addresses within the to/cc/bcc fields so we can eliminate the 'group emails' completely. There are a fair few steps here so hopefully I didn't miss anything.. Using the 'email addresses' facet first go through the email addresses using the dynamic search feature and confirm you have all the email addresses for the specific users (may not be necessary but is something I do to identify secondary unknown email addresses) Compile and import a short word list containing only those email addresses In the search options button select only Sender and From, then go to the keywords facet and select the keyword list you just imported and highlight the first email address in the list, then click on search. Select and highlight all the results and then tag them with "Sent by emailaddress". Repeat this process for all email addresses. Once you have finished that go to the search options and change the selection to 'To, CC and BCC' only, repeat the search and tag operation as above with the keyword list and tag "Received by emailaddress" At the end of this process you should have a 2 tags for each email address, one where they are the sender and one where they are a recipient. Now the manual part, select the tag for one of the Sent group and one of the Received group, highlight and select, now the little coloured balls above should show you any emails that intersect (ie appear in both sets of data) Ensure your details pane has the tabs for "All senders" and "All Receivers" selected Click on this central ball and then sort the details pane by sender and ignore any emails that are a different user than the one you are currently working with. Hold "cntrl" and then click on the All Receivers tab to double sort, this will maintain the previous 'Senders' sort but then sort within for receivers as well and make it easier to work with. Now you have to manually look through the emails to identify which emails were sent by User A ONLY to User B and apply new tags. Rinse and repeat for all users. If it doesn't matter about emails that are CC'd to other users then you can ignore a couple of those steps and just apply bulk tags. Hope that makes sense, I'm a bit rushed ..

Is it possible this is a PA sending emails on behalf of someone else via their account? I seem to recall seeing something similar to this with PA's who have access to the boss's email account and are able to send emails from that address but their own email address is listed in the 'From' field. I may be misremembering as this was some time ago... What are you seeing in the 'From' field and is this any different when you open the email itself?

I'm looking for a smarter or better way to search for bank BSB numbers on a case. Currently I have a list of some hundred or so BSB's in this format "123-123" note the hyphen. Now according to what I know and the documentation the '-' hyphen symbol should be ignored unless it is preceded by an escape symbol, or '\' However, in this case searching for 123-123 is showing up results with the hyphen, and NOT results without the hyphen, ie 123 123. So now I'm looking for a reliable way to search for BSB's that will include the following results 123-123 123123 123 123 Without me having to go and manually retype all the hundred odd BSB numbers on my keyword list to include the other possibilities.

I think I spoke too soon on this one. F-response method missed a huge chunk of the emails. I'm not really sure why/how things went wrong but several months worth of emails weren't included in the F-Response pull down. I'm attempting a local recovery by connecting Outlook to 365 and letting it sync, then I'll extract the local OST file and hopefully that will have the lot. Edit : appears the local sync was the best and fastest approach. Only took about an hour for Outlook to completely sync and download all the data, then simply copy out the resulting PST file that was created and indexed that in Intella. I'm not sure why F-Response missed so much data as there were no error messages at all and nothing in the logs to suggest a problem.

I looked at Maestro a while back too and was very impressed, I think from memory the unlimited single core package was either $7k or $12k for a 12 month license, not sure on what the renewal was but think it was SMS type rather than full cost. Next big job I get requiring OCR I will definitely be purchasing Maestro @admin - I fully understand and you are correct having it as standard within Intella would be expensive, and given the standard of OCR software that is out there not really needed. @Jasoncovey - I thought that myself until recently when I started looking closer at the pictures. My last few jobs I would estimate several hundred up to more than a thousand scanned pictures of documents are present. It's very common in the corporate world to scan important documents for archiving and scan to JPG or TIFF seems to be as common if not more so that scanning to PDF. So while it may have limited value for some people it's certainly something I would be interested in. Right now though all the software I can find is about OCR so rather than OCR thousands of pictures it's still a manual process to export out the genuine documents, but having the ability to rate pictures based on the amount of text content would be extremely useful.

I have F-Response Consultant. As far as "better" from a forensic soundness point of view I'd view F-Response as probably the safest option, purely because F-Response is designed from the ground up for forensic data collection where as Thunderbird is simply a mail client. I don't have an understanding of precisely what Thunderbird may or may not do to the data when it downloads it from the server (any header updates etc). That's not to say using Thunderbird (or any other mail client) isn't something I would do, however I'll always use purpose made forensic tools where ever possible as it's much easier to find documentation on exactly what is happening to the data during the collection process. For this particular matter I tried several times using Outlook to sync this mailbox and then export to PST and wasn't successfully able to do so, Outlook kept having issues at the export stage and I'm not positive it even synced the entire contents of the mailbox. Admittedly I didn't try Thunderbird as by that point I had recalled that I had F-Response and was using that, however F-Response method did allow me to retrieve everything from the mailbox.

It would certainly be a great addition if there was a way to reliably scan for these types of pictures, maybe some sort of reduced OCR functionality that simply scans for a large percentage of 'text' within pictures much the same way skin tone analysis works. The results are then graded by percentage and a final manual review is required to select the documents for full OCR.

Yep F-Response worked well, all be it fairly slowly but I suspect that is not the fault of the tool, rather bandwidth restrictions by the email provider.

Okay that would make sense. I'm using F-Response now (forgot I had it) to pull down the emails for indexing with Intella. Hopefully that gets the lot for me.

Any info specific to Office365?...assuming it's not the same as hotmail/outlook.com.. I'm trying one presently and it timed out after about 2hours, got a reasonable amount of data but not the lot.

Test ran and performed well, there was one tag that didn't import correctly, however I suspect that may have more to do with the source image and the way I created the original case as I can't recall if I used Xways to recover deleted data before indexing with Intella, or if I indexed directly from the image. All in all though the resulting IWR file is very small so this will accomplish what I need.

I'll have a look at the IWR approach (once I figure out what that stands for ) and see if that does the job. Christian the reason i was thinking MD5 hash only is because I was under the impression that when I import ID item lists it will only work if it's just the MD5 value. Have I got that wrong? Edit : I just had a look at the IWR method, can't believe that didn't occur to me before. That looks like it will accomplish exactly what I need. I'll run a test later today on a small case and confirm that. Thanks Peter

Hi all, just another wish to throw in the mix. I have a long running case that is about to come to an end (8 months) and it will end up in lengthy legal proceedings which could run for years. There are over 50 custodians and close to a terabyte of indexed data along with hundreds of tags etc. Once our part of the work concludes I want to capture the work we've done in a format that won't require me to save everything 'as is'. To that end the obvious thought is to export the hash values of the tags which would enable me to very quickly 're-tag' the work at a later stage. Presently to accomplish this I would have to create a separate export to .csv for each tag, with several hundred tags this is not ideal. I would simply love to be able to highlight all tags, right click and export to .csv in one go, but have separate .csv files automatically created and named for each tag. If I select only the MD5 value to be populated for the .csv files I would then very quickly capture the work and be able to replicate (or send to third parties) the work undertaken to identify that data. My thought then is that all I need to retain is the original data and these .csv files, I would take a time hit having to re-index the original data at a later date, but this would save me having to store double the amount of physical data somewhere safe, and while hard drives are cheap I physically don't have the space to retain every single drive that is used for these jobs to archive.

Has the beta been locked from opening cases that were produced with 1.7.3 and vice versa?

embedded items perhaps? If you have a power point presentation with 20 pictures I imagine Intella will identify that as 21 unique items, but when it comes time to export it only needs to export 1 item to encompass them all...? Not sure if that's the way it works but it could be something like that.

PM Sent

Phil I've never had any issues with Intella crashing while backing up data. Was there anything else going on at the same time, another case indexing, other software processes running?

On the same path but slightly different if I can add this to Jason's request..isolating emails with attachments. Currently the only way is to show all emails and ensure the 'attachments' field is showing, then sort by that field. Then it's a matter of highlighting all the emails with ticks in the 'attachment' field. If you have many thousands of emails it can be time consuming to scroll and scroll until you find the last email with the tick. For my time and effort I think having the ability to show only email with attachments would be extremely useful. An option for 'emails with attachments' under the "Features" facet would seem to be logical.

At a guess I'd say the complexity and break down of the data contained in the PST's probably caused the slower indexing rate. The fact that there are so many exception items also makes me think there could be data corruption or other issues that may slow Intella down.

There is another way to approach this but it only works when you are first setting up a case. After you add the first PST/OST archive to the case don't let Intella start indexing. Then you can simply go back and add one at a time as many PST/OST archives you want each time ensuring you don't start the indexing process. Once you have all the archives you want you then select 're-index sources' from the menu and it will index everything. This only works the first time though as if you try that later you will end up re-indexing everything not just what you have added. I think I've asked this before but the approach I'd like to see is the ability to select multiple files/folders or any combination for indexing, and taking that a step further the flexibility to re-index any individual source should we choose to (for what ever reason). This would be useful in cases where we have added multiple sources only to find corrupt files or archives. We can repair these archives and then simply re-index the affected source rather than the entire set.

michiel just to point out, if you are talking about the parent email (or any email) then the content created is the date the email was created as stated above, however if you are looking at the attachment to an email, or a stand alone document, then the content created timestamp refers to the creation of the document itself which will not necessarily correspond to the email content created date. Documents have their own meta data which Intella indexes and can report on.

Okay, but if you unshare the case, remove the tags, then reshare should only be limited downtime for your shared case.....just a work around fix until the issue is solved I was thinking.

Ah okay I see what you mean....and I'd love to do something to help but I don't work for Intella I'm just a malingerer who posts here a lot.