AdamS

Posts posted by AdamS

  1. Walt, I just noticed that you can quickly move among the tags by pressing the letter which corresponds to the first letter in the tag name (i.e. pressing 'Q' will take you to the first tag starting with 'Q'). Not exactly what you are asking, but it at least gives you a way to move that is faster than manually scrolling.

     

    Unrelated but the main reason for my visit today :)

    Keyword searching: having the ability to enter a list and then click 'search' would be fantastic. At the moment, as my investigation progresses, my keyword list grows. It's great that I have the option of remembering previous searches so I can reapply those searches to new sources that may be added, but when you have 100 keywords it's labour intensive to go and apply them one at a time.

     

    Bulk search or something similar would be fantastic. That way I can add sources or, using the 'include/exclude' options, change what the search is applied to, and have a fast and easy way of conducting large searches without having to manually enter each one.

     

    Edit - and while I'm on search: at the moment the previous searches that are remembered change dynamically to always show the last term used on the top. This makes reapplying searches tricky as the order constantly changes. Having a choice of the list remaining static (i.e. new searches are added to the bottom of the list, and when reapplying the searches the order stays the same) would be very helpful. Maybe simply a tick box somewhere in the preferences which changes the way the 'search history' behaves.

  2. I love the timeline feature. This is a great way to show small data sets in a meaningful fashion; however, I'm hoping you already have plans to take it further.

     

    Currently exporting the graphic is a good first step. I'd love the ability to create a report based on the timeline.

     

    Ideal would be an HTML or some form of interactive report which visually appears very similar to the way the timeline looks within Intella, then have the ability to click on the links and view the email as you can from within Intella.

     

    Edit - Sorry, I'm working on a few jobs at the moment which are very email intensive, so I'm coming up with lots of little things, and rather than do one big post I'm posting as I come across them so I don't miss any. A small issue which should be easy to fix: when previewing an email it generally opens up in the centre of the screen, which puts the top half in the screen where the coloured ball is, and the bottom half where the list is. When I've finished previewing I close by the red X top right. If I miss that red X and click out in blank space next to the coloured ball, the focus shifts and I deselect the coloured ball which I happen to be viewing. So far not a major problem, but when I reselect the coloured ball I have gone back to the top of the list and effectively lost my place, so to speak.

     

    Could an option for "resume last view" or something similar be put in place? Either as a check box in the preferences or with a quick pop-up yes/no option when you reselect the ball.

  3. I had seen that empty documents flag before but didn't think it applied to emails as it's under the documents and files section, but that's great, it works perfectly.

     

    And with the hot keys, I do remember seeing that up there but for some reason the brain didn't send the messages to the fingers.

     

    Can I ask if there is a specific reason why we have to use dual hot keys (alt+left arrow, alt+numpad 1 etc.)? Purely from a usability perspective it's a process that forces you to stop, look at the keyboard and use two hands before you can continue with the review. Times that process by 1000 and you are talking significant time added to some reviews.

     

    If you remove the need to press alt, then using the arrows with one hand and the other on the numpad keys you can review without needing to stop quite as much. And if the spacebar for flagging is implemented, this is a nice big key that is easy to hit without looking at the keyboard.

  4. Hey Chris, good to hear.

    One of the things I love about Intella and Vound in general is that our suggestions are actually listened to, and seem to be implemented more often than not (where possible and practical :) ).

     

    One more for you: is there a way to quickly determine emails which don't have any content/body?

     

    At the moment I'm previewing emails as quickly as I can to cull out the emails with no content, and I notice that Intella has a tab for each piece of data (Content, headers etc.). Intella obviously already identifies these data sets; is there a way to take advantage of that and quickly sort or exclude emails which have no content?

     

    More basic usability thoughts: when I have an email open in preview mode, using the mouse to click next, flag/unflag or even tag is fairly labour intensive when you have 10,000 emails to go through. Linking in the arrow keys would be fantastic: right arrow next, left arrow previous, space bar flag/unflag. This would link in nicely with the Tag hotkeys which are already there.

  5. Hi thanks for coming back.

     

    I'm assuming fast tag refers to when I am viewing the email in preview? Would it be possible to extend this so the hot keys work when an email (or group) is highlighted in the normal table view?

     

    The highlight and remove selected tags is perfect the way it is and I like that functionality (in fact I am requesting that as a feature in Xways Forensics, which I use heavily as well), but the ability to completely remove all applied tags on a highlighted data set would be fantastic if it's possible.

  6. Also, some hot keys would be great when working with tags. For example, when triaging I will quite often do all my keyword searches and tagging in one go, then head back for review.

     

    When reviewing emails, sometimes they have multiple tags and on review they are not relevant. It would be great if I could just press "del" when the email is highlighted and all tags with that email (or all highlighted emails) would be removed.

    Following that vein, hotkeys for tags would be great. This would have limited ability, but using the numpad could give you up to 10 tags. By this I mean, when we create new tags, if the first 10 tags created were automatically assigned a numpad key (0 through to 9) then we could very quickly assign tags just by pressing the corresponding numpad key.

     

    And lastly, just a question on 'flagging'. Apart from the ability to reorder based on the flags, I can't see any other use associated with these. Is there something else we can do with the flags or is it purely a sorting assistant? If not, I think it might be useful to add some right-click options relating to flagged files; "highlight all flagged files" for example would then allow us to export the highlighted results. And logically following on, having a hot key (spacebar?) to flag the highlighted file(s) would also make sense.

     

    I understand this type of functionality would be low priority but I think it would improve the speed and usability of the tagging system which is already in place.

     

    :)

  7. Another suggestion for functionality, specifically with the report creating.

     

    It would be very useful if we could create a report and have live clickable links to expose the body of the email within the report (HTML only, like NUIX does), only take it one step further and have an "expand all" and "minimise all" link at the top.

     

    The reason for this is searchability. If we can produce a report like that, where a single HTML document can include all email information (headers, body, email addresses etc.), then non-technical people (i.e. my clients) can have the ability to use the easy Windows search functionality to search across all available information from a single place.

     

    Edit - I should point out that I'm aware I can do this at the moment with PDF by exporting all the emails as a single PDF file and ensuring 'body of email' is ticked. I am using this right now; however, I find PDF to be an inelegant way of viewing emails, and visually it's quite hard on the eyes when you are trying to triage and read lots of information. HTML reports tend to be far better formatted and easier to read, plus the added bonus of being able to open them in Excel gives you the flexibility to create sub data sets for charts etc.

  8. Just one more wish/suggestion.

     

    The ability to dictate the sort order for emails when creating a report (i.e. chronological).

    I understand the reasons why this is not available, as I had a long telephone conversation with my local Intella person when I was bemoaning the fact that NUIX didn't do this, but I am also led to believe that at one point in time Intella did give you the ability to have a report order the emails chronologically, but this was dropped to save time.

     

    I would love to see this functionality returned. It could be implemented by way of a checkbox with a warning that it will greatly impact the report creation time. I see this as absolutely essential: when creating reports the client always needs to see things in a way which makes sense, oldest to newest is the most logical way and it's also what people are used to dealing with. I know there are workarounds by creating a separate CSV file which they can order to their hearts' content, but the CSV file only contains a small amount of the data, so you end up having to chop and change from CSV to report to get the information needed.

  9. I should be able to send the log files. I'm away from my lab computer for the next week, so I will see what I can do on my return. And in answer to the other question, the original behaviour with the tagging glitch happened on 1.6.0 and was replicated in 1.6.1 (this is the version with the screenshot).

     

    Thanks for the prompt replies Chris, I look forward to 1.6.2 :)

  10. Another functionality request which should be very easy :)

     

    When working with data in the Details pane, it would be very handy if, when we highlight a number of items, the exact number and data size was instantly and dynamically displayed next to the filter options or even within the searches window top right.

     

    Quite often I just need a quick answer on how many files I have highlighted. Right now the only way to get this answer is to tag the files. I then have to go and remove the tag to ensure my tag field doesn't become cluttered.

  11. With regard to the weird tag behaviour, I have a screenshot which I think will display what I'm talking about.

     

    I set the facet to Tags, then selected "Keywords Sent" within the tags list and then clicked search to bring up the blue ball, then clicked on the blue ball to see all 266 tagged emails; so far so good.

    However, you can see the two highlighted emails with the Tags exposed clearly showing that neither has the "Keywords Sent" tag; they both have the "Keywords Received" tag, which is not selected.

    This result is duplicated even if I click on the "Keywords Received" tag and then exclude that from the results: those two emails will still be visible.

     

    When I previously mentioned this it was actually a different email that was being shown, so it would appear there is definitely something glitchy happening here, but whether it's my machine or the software I can't tell.

    (screenshot attached)

  12. Thanks Chris, when my work deadlines aren't quite so crippling I'll have a bit of a play :)

     

    In the meantime I have a pressing issue that I need to try and sort. I have 12,680 unique emails to and from numerous addresses, as you can imagine. My client wants me to isolate and remove all internal emails from the equation.

     

    Is there a way to quickly isolate emails which only contain a particular domain within the send/receive fields?

     

    I'm working with the type facets, have isolated all emails only, then searched on the domain I want to exclude, and now I have my data set of 12,680 emails and I need to somehow isolate the emails which don't include any addresses outside the domain in question.

     

    Any help appreciated :)

     

    Edit: I was able to reduce the data set to 350 emails by reducing the date range, so I manually inspected the sender/receiver details to knock out all the emails which were purely internal, but going through this process on a small data set showed me how difficult it is. You can imagine after a while the email addresses start to blur and look similar; it becomes very easy to make a mistake. I'm not sure how hard these search refinements I'm suggesting are, but hopefully this is something that could be included for 1.6.2. :)

  13. I'm starting to come to terms with the changeover to Intella, and largely I'm impressed and becoming more comfortable with the interface.

     

    I do have some suggestions/observations, and it may be that Intella can do some of these things but maybe I'm just missing something, so any feedback or response would be welcome. I must stress most of these requests are specific to dealing with emails, as this is what I mostly use Intella for, but the functionality would work when looking at complete data sets of documents, pictures etc.

    • When working in the details pane selecting large sets of data, it would be very handy to be able to 'reverse select' items. Example: if I'm looking at 20,000 emails and I highlight and tag a selection of emails and I then want to tag the remainder, it would be great to be able to reverse highlight so I don't have to go back through 20,000 emails and manually highlight the other emails I haven't already tagged.
    • The ability to search for To, From, CC, BCC fields individually. Currently in the options panel we can only select "all senders/email addresses", which is too broad. This is something I need to do in every single case, so for me personally I can't stress its importance enough.
    • The ability to "hide" items from view in the details pane. In the above scenario where I was asking for reverse select, this would do instead if it was enabled: as I tag the items I want, then hide the already highlighted items and tag the rest, then unhide all and I'm back to where I started.
    • The ability to filter in the details pane. For those who are familiar with Xways Forensics, you will know what I mean here. The details columns can be displayed or hidden with the tick box menu and that is fantastic; how about extending that so that we can hide or display items based on those same criteria? For example, to be able to display only emails with attachments.
    • Tags appear to sometimes be faulty. I have a case I am working on now where I have used keywords, then isolated emails based on where they were received or sent by a particular user. One keyword returned 2 emails, one sent and one received. These were tagged separately as "keyword sent" and "keyword received". When I use the Facet filter to show me only "keyword sent" I see the sent email as you would expect, but the received email is also visible. This behaviour only displayed with this keyword and it was definitely only tagged once. I haven't spotted this behaviour anywhere else but thought I'd mention it.

    Overall, fantastic software. If I could just generalise and say the searching / filtering as it is right now could use some refinement.

  14. Thanks for the reply.

     

    I had tried this method; however, the issue here is that this search picks up every email with 'adam' in it (To, From, CC, BCC), so it's not really assisting me in isolating only email sent by a particular user.

     

    Can I request this feature be added? As Intella already identifies these fields in the column filter, it shouldn't be too hard to enable the separation of these fields in the options tickboxes.

    I can say with no exaggeration that this is something I am required to do on every single analysis job I do involving email.

     

    The only way I can currently do this with Intella is to use the search as you've suggested above, then sort the results by the sender field and manually select all the ones with 'adam' in the sender field. Okay if there are only a couple of hundred emails, slightly painful if there are a couple of hundred thousand emails.

  15. I'm hoping someone can help me figure out how to isolate all emails sent by a particular user.

     

    Is there a simple way to search only within the "all senders" within the 'email address' facet?

     

    Let's say I just wanted to quickly see all the emails that had the word "adam" in the From field, regardless of the remainder of the email address. How can I do that?

     

    I know it will be there, but I'm missing something obvious and now am starting to get frustrated, so not being overly productive ;)

     

    Thanks for any help.

     

    Edit: on a side note, when I go into the Email Addresses facet, then select the From field to display all the email addresses, these are not in alphabetical order, which makes scrolling through manually a major headache. To explain: in the one I'm looking at now, the vast majority of the email addresses have "From:" appended in front of the user name followed by the email address, and the user name is sorted alphabetically. However, some email addresses are displayed without the "From" appended, and others yet will display only the user name or email address, which throws the alphabetical listing all out of whack.
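    Added example (not Intella's code and not part of the original posts): the two filters asked for above, matching only the From header (post 15, the 'adam' case) and keeping only messages whose every address is inside one domain (post 12, the internal-email case), run over a small constructed mailbox using Python's standard email parser. The addresses, domain and subjects are made up for illustration.

```python
"""Added example: From-only search and internal-only isolation over parsed email headers."""
from email import message_from_string
from email.message import Message
from email.utils import getaddresses, parseaddr

# Constructed sample messages (made-up addresses); the second one is *to* adam, not *from* him,
# and the third one leaves the example.org domain, so neither is "internal".
RAW_MESSAGES = [
    "From: Adam Smith <adam@example.org>\nTo: bob@example.org\nCc: carol@example.org\n"
    "Subject: internal\n\nbody\n",
    "From: bob@example.org\nTo: Adam <adam@example.org>, dave@partner.test\n"
    "Subject: mixed\n\nbody\n",
    "From: eve@partner.test\nTo: adam@example.org\nSubject: inbound\n\nbody\n",
    "From: Mallory <mallory@example.org>\nTo: bob@example.org\nBcc: frank@example.org\n"
    "Subject: also internal\n\nbody\n",
]
MESSAGES = [message_from_string(raw) for raw in RAW_MESSAGES]

ADDRESS_HEADERS = ("From", "To", "Cc", "Bcc")


def all_addresses(msg: Message):
    """Return every address (lower-cased, display names stripped) from From/To/Cc/Bcc."""
    found = []
    for header in ADDRESS_HEADERS:
        # get_all handles repeated headers; getaddresses splits comma lists and strips names
        for _name, addr in getaddresses(msg.get_all(header, [])):
            if addr:
                found.append(addr.lower())
    return found


def sent_by(msgs, needle):
    """Subjects of messages whose From *address only* contains needle (case-insensitive).

    Unlike an 'all senders/email addresses' search this ignores To/Cc/Bcc, so a message
    merely addressed to the user is not returned.
    """
    needle = needle.lower()
    hits = []
    for msg in msgs:
        _name, addr = parseaddr(msg.get("From", ""))
        if needle in addr.lower():
            hits.append(msg["Subject"])
    return hits


def internal_only(msgs, domain):
    """Subjects of messages where every From/To/Cc/Bcc address belongs to domain.

    A message with no parsable addresses is treated as not internal, so that
    all() on an empty list cannot silently classify it as internal.
    """
    suffix = "@" + domain.lower()
    hits = []
    for msg in msgs:
        addrs = all_addresses(msg)
        if addrs and all(a.endswith(suffix) for a in addrs):
            hits.append(msg["Subject"])
    return hits


if __name__ == "__main__":
    print("sent by adam:", sent_by(MESSAGES, "adam"))
    print("internal only:", internal_only(MESSAGES, "example.org"))
```

    The same two functions work unchanged on real .eml files loaded with email.message_from_file, since they only look at the address headers.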

  16. Thanks Chris, I think my first step is to go and get a couple of SSD drives and possibly a WD Black for the OS. I can mirror the OS drive across using a forensic tool to avoid the need for a reinstall. The memory I have is running in dual mode but is only medium quality; however, my experience gaming and building rigs over the years leads me to believe the improvement from upgrading to high quality RAM is usually quite small and not really cost effective.

     

    If I can get the indexing of that data set down to under 10 hours I'll be happy, and the boss will be happy.

     

    I'll report back afterwards with the results from changing the HDDs.

  17. Hi Admin, I'm running an i7 CPU with 12GB RAM. There are 4 SATA HDDs on the system, 1 for the OS and 3 for data storage.

     

    What you are saying about the disks being the most likely bottleneck makes me think it may be the type of HDD I'm using. Out of habit I've put WD Green hard drives in the system, not thinking about performance but more about saving a few dollars for the boss ;)

     

    I know the Green drives are quite notorious for performance issues, so I think I'll go and grab some performance drives and run the test again.

     

    With regard to the AV, I put the source and target folders in the ignore list for the AV, but I will run the scan again with AV completely disabled just to check.

     

    A question regarding the HDD configuration. If I attach some faster drives to the existing system, one for the evidence data and one for the case data, will it matter that the OS is installed on a slower WD Green drive? I'm trying to avoid a full reinstall if I can.

  18. Okay, indexing finished overnight, down to 16 hours for the same data set.

     

    A significant improvement but still about 10 hours slower than another tool indexing the same type of data set.

     

    Kathleen, beyond the steps mentioned in the document, are there any other ways to force Intella to use more memory? I will look at some RAIDed SSD drives as another possible solution, but if there is a switch I can add to the executable or something like that... or am I grasping at straws?

     

    Other than the slow indexing time, I'm incredibly happy with the switch to Intella :)

  19. Thanks Kathleen, I will look at some of the issues that I can address easily, such as hard disk configuration and BIOS; however, the flyer mentions RAM of 2GB minimum and 4GB recommended. I have 12GB and Intella is only using 550MB. So RAM would not really seem to be an issue in the indexing stage, is that correct?

     

    Edit: I have enabled AHCI, ensured source and data files reside on separate hard drives, and have put the source and target folders into an 'ignore' list for the AV. I'm running indexing on the same 50GB archive now and will come back and see what the time difference is after these small changes.

  20. Not sure if this is possible with Intella, but I was hoping there might be a way to optimise Intella to make better use of the RAM and CPU.

     

    I indexed 50GB of email archives yesterday and it took 20 hours all up, but checking system resources, Intella was using less than 1% CPU and only 550MB of an available 12GB RAM.

     

    Being a 32-bit application, obviously it can't utilise all that RAM, but is there a way to tell it to use more RAM/CPU to speed the indexing up?
