AdamS

Members • Posts: 601 • Days Won: 23

Everything posted by AdamS

  1. AdamS

    What is W4

    Okay some initial feedback. Firstly, I just want to acknowledge that I know this is a first release Beta so some of my thoughts below are likely already on the map, and some are likely far down that map. But my initial excitement about this software wasn't misplaced. I'm extremely impressed and can't wait to see how this develops. I can already see a place for this tool in my day to day work life.

    Testing Notes
    I threw in an image of a PC and an iMac just for giggles. I'm guessing at this early stage the concentration has been on support of Windows OS, as far fewer types of artefacts for the Mac were identified, but I was kind of expecting that for such a new bit of gear.

    Test Machine Specs
    Core i7 with 64GB RAM running Windows 7 x64

    Installation
    Install went smoothly, however did take around 45 mins. I'm assuming that as a first beta release this is pretty low on the priority list and I would expect that to improve and change as the package develops.

    Case Setup
    Case setup extremely simple, just a couple of fields to fill in then point to the disc image to ingest.

    Processing
    120 GB - Started at 1800 hrs 25/10/18
    1 min – Identified user accounts and other artefacts started appearing after 1 min processing
    48 min total processing time
    1TB iMac image - Started at 1900 hrs
    Again within 1 minute I was seeing data and could triage results
    1hr 13m total processing time

    Notes
    No video or audio ‘open in external application option’ possibly intentional at this stage.
    Other viewers seem to work for pic and docs

    Thoughts and Ruminations

    USB Logs
    Would be nice to see some other info here if it's possible to show any file movement or access at the same time as the devices are connected.
    The links view shows the user account that was logged in, would be nice to see this in the events view as well, maybe far right side in the boxes for each item?

    Event log viewer
    Would be nice to see more information around the event types, maybe another tab next to the ‘properties’ tab when selecting a log.
    Filter ability to isolate specific types of event logs, possibly addition of auto filter for event logs that might be of common interest (shutdown/startup, virus scan, windows update, windows restore, restore point creation)

    Notable Program Usage
    Expand notable program usage (likely already high on the list) maybe ability to filter here from a predefined list (check box), possibly the ability to add custom programs based on the .exe name. In my head I'm seeing something similar to what IEF use when determining which app artefacts to go looking for.

    Deleted file activity
    Would be great to add a tab next to ‘properties’ tab to show more information such as which user was logged in at the time, can currently see in the links view only.

    User Profiles
    The ability to filter all events based on a user profile, ie build a full timeline of activity for a single user by session linkage.

    Geolocation
    Would be nice to have a map with GEO location items (for offline use) AND direct link from the Geolocation field to google maps for online use.

    Cosmetic Stuff
    Collapse/Expand all option in search window for facets
    Create thumbnail pics for video files

    Data Support
    Support for mobile phone artefacts like iPhone backups, also to identify those backups which can’t be parsed due to encryption (possibly out of scope but given Intella support already of UFDR files this would seem to be a natural progression)
    Can UFDR files be imported yet, on the roadmap?
    Virus scanner logs showing quarantine events, etc
    Firewall Logs

    I also noted the picture review is nice and fast, the thumbnail caching works fantastic. Great for onsite triage of pics for LEO. I will spend some quality time over the coming weeks to really dig into this, but these are my initial thoughts after a few hours of playing.
  2. AdamS

    What is W4

    Just quietly I'm excited. Downloaded and started testing on a 120GB disk image, within 1 minute of processing starting I'm able to start triaging and seeing valuable data. I'll withhold any more comments until the indexing process finishes and I can spend a few hours coming up with some constructive testing, but what I've seen in the last 30 minutes or so has me massively impressed. Edit: sorry just one comment, I love the Events view. A good timeline tool has long been something missing and the way this presents the data is exceptional. I'll be watching closely to see how the reporting side of this tool develops, as traditionally this is where it can get tricky. Porting those timelines out into something useful for clients or third parties to use.
  3. I'll check on that next time I'm at that particular client's as I don't have access at the moment.
  4. Just wanting to revisit a wish I had from 2015 to bring it back to life. The timeline view for Intella, currently we can't do anything except export to PNG graphic file. Adding the ability to export to HTML or Excel would be a huge benefit. I'm constantly asked for timeline graphs/presentations from clients and have to resort to looking at other Analytics tools which are not exactly built for simple timelining, although they do an admirable job it seems a pity to waste the perfect timeline already showing in Intella.
  5. Yes sorry, that's the option, and I should have clarified this is being seen on Intella Reviewer only.
  6. I'm seeing some unusual behaviour and wanted to check if anyone else has seen this. When previewing an email we go to "print report" option, we then have two "yes/no" questions to answer (Include Attachments AND print preview view) which we select yes on both. When the print preview appears the second page of text containing the bulk of the email body is blank. This only occurs when selecting the "print preview view" option, if we select no for that option then the print window renders the 'content' view and there are no issues. My first thought was that this was an HTML rendering issue as the computer in question had IE as the only browser, so I installed Chrome, made sure that was the default browser and the issue appeared to go away. However it has now reared its head again and the second page is always blank.
  7. Hi John, I'm sure there is a way to achieve what you want using various AND / OR functions and the include/exclude options, however I've found that building complex searches with simple steps gives a good result and some comfort that you are getting the results you wanted. To accomplish this I would use the following method:

     1. In the Facet Search windows select Type then in the window below select Communication-->Email and click search
     2. Click on the big ball to select emails then go to the keyword search window (top left), click Options then put tick in the boxes From and Sender
     3. Click on Search again to close this little window and type the email address in the Keyword search window then click search
     4. You should now have 3 balls in the Results window, click on the middle intersecting ball which should be all the emails sent From the email address
     5. In the Details window select all these items and tag them all "Emails AND From Address" or something that makes sense to you
     6. Clear everything
     7. Repeat step 1 and 2 only this time at step 2 tick the boxes for To, Cc and Bcc
     8. You should have 3 balls again, select the intersecting ball and tag those results "Emails AND To Address" or similar

     You now have 2 working tags with all your emails TO and FROM the relevant email address. To isolate those with attachments simply bring the tag up by highlighting the tag and clicking search. Ensure the "has attachments" box is ticked in the Column selector (small box with green tick directly under the word timeline, middle right side of screen). You can then sort the emails based on that filter and highlight the ones with attachments and tag those accordingly. It seems like a lot of steps, but trust me the more you use the software the quicker things move, that process would generally only take a minute or so.
  8. Hi Jon, just thought I'd check in on this question to see if there is any update.
  9. Thanks John, I'll delve into that and see how we go
  10. Intella has pretty strong inbuilt support for detecting and identifying different languages, however I'm in a position where I have a large number of Japanese documents/emails etc and wondering what my options are here. Does anyone have any experience with translating documents of this nature in such a way that I can still make use of Intella for review?
  11. Jon is this specific to Intella TEAM when importing the work product from viewer licenses? I know there has been talk in the past (and it was hinted that it was not far away) of full case merging rather than just importing the work product from Viewers. By that I mean two completely independent cases with different custodians etc.
  12. Hi John, I can't see an email thread tab in the preview window, there is however the email thread listing under the facet search window. It could be that I'm misunderstanding how the "hide non-inclusive" function is meant to operate, I just took it literally. Even when I go to the "email thread" facet option and pick one of those items with multiple emails listed in the thread, selecting or unselecting the "hide non-inclusive" option has no effect. Edit: There may be something deeper going on with this data set as I looked in the "non-inclusive" field for the Details window and no emails are showing under this field, so that makes perfect sense that the hide non inclusive would have no effect. I will re-run the email threading process and tick discard previous threading data to see if perhaps something went awry with the original threading process.
  13. I'm concerned that I'm setting something incorrectly when attempting to use this feature as I'm not seeing any emails hidden after running the process and selecting 'hide non inclusive'. Picking a simple chain where there are 3 or 4 emails with only 2 participants and I can clearly see the back and forth, but all emails in the chain are still visible after threading and hiding. Is there something I'm missing in the process?
  14. I'm assuming not as I can't find any mention in the user manual, but thought I'd confirm/check here. Does Intella support the NSRL list from NIST?
  15. When running a large keyword list search the results screen at the top will eventually switch to "sets" view as the balls become too interconnected to be of any visual use. If I want to view only a particular keyword result I select this from the "searches" box and they are displayed in the Details box, so far so good, now I want to select 2 keywords and as expected the results for both keywords are displayed in the Details box. What I'd love to see is the ability to switch back to the 'cluster map' view to get the venn diagram back for selected items, specifically the intersecting ball with emails common to both keywords. Currently I'd have to run the search with just those keywords to get the balls back, but frequently we are playing with a very large list of keywords so having the ability to dynamically switch back would allow us to quickly isolate common emails.
  16. Just to add to this I have tested on 3 different machines, all running Windows 7 x64, all with identical hardware and the issue only happens with 2 of the 3. I've updated graphics drivers and played around with all the resolution settings that I can find but no difference. I can't see any difference between the 3 machines to explain why one doesn't have the issue. Jon are you or any of the team able to tell me what software Intella uses to render the print preview from the tabs of a previewed item? My assumption was that Intella has its own software to render the items, but I would be interested to know the mechanism it uses. I need to solve this issue as soon as possible as this involves operational work for a government client so I can't just leave it alone and hope it fixes itself. Edit: an interesting point is that when I open the print preview screen if I click 'save' from there and save to the desktop to PDF, the formatting issue disappears. This leads me to believe that the issue is being caused by whatever Intella uses to render the print preview, this then carries through to the actual hard copy print.
  17. I'm seeing something similar to this (but not quite the same) with all tabs (except preview), and only when it comes to printing the tabs. All the text on the screen is fine, no display issues, but when you go to print the text in those tabs in the print preview screen is all messed up, and this spacing issue follows through with the hard copy print as well. The text spacing is off and some letters overlap, but only on those tabs, the preview tab prints just fine. Also if I save the document to PDF on the desktop the spacing issue disappears. I have looked at all the resolutions settings etc, however the issue is limited to the mentioned tabs when attempting to print so I don't think that's what's going on here. Am just about to update to 2.2 so possibly the issue will go away, but curious if anyone has seen this behaviour before?
  18. I could be wrong but I understood the MD5 to be for the parent email and all its children as a contained file (think of a .msg) file which you export out of a PST. As part of the indexing process the children are all pulled out and the message component itself gets the message hash. I'm sure I've over simplified and got a few things wrong, but in essence that's the way I've always thought of it.
  19. Great news Jon, this has been a sticking point for some time and one of the hurdles we've had with our lawyer clients. Having the ability to have the DocID numbering and bates numbering on each page independent of each other will be a fantastic capability.
  20. If you talk to any analytics guy he'll always tell you the biggest time factor is data cleansing. It's the same with keyword lists that clients provide. I generally take the keyword list and fix the issues, it's far easier than trying to convince them of the need.
  21. Could there have been an issue with the upgrade from 1.8.4 to 2.0.1.1? Are you able to maybe take the original 1.8.4 case, first upgrade it with 1.9, then upgrade that case with 2.0? I've never encountered that before myself, but I assume when you open the original case in 1.8.4 the searching works as normal?
  22. Intella pro now comes with ABBYY embedded so you can OCR directly without the need to export and use a third party tool.
  23. jmacedo I've never had any issue with large cases or keyword lists. Have a good look through the keyword list as jon suggested, possibly there are some extra special characters that are out of place.
  24. In hindsight I thought I'd better edit my original reply, so in a nutshell what I was trying to say is below. In terms of the review process there is little difference in a head to head with the other tools. For me I've found Connect to be much faster for the remote review and the interface is much simpler and more intuitive for the end user to use.
  25. A small cosmetic request. When using the 'tasks' feature to setup and run tasks such as OCR, Email threading etc, this isn't picked up by the insights tab. After running all these via tasks the insights tab still shows that they have not been conducted. I'm not sure what would happen if I run the task again from the insight tab, but it would be nice if this was reflected there in the check boxes.