AdamS

fuzed usually you will see an STM and EDB file as a pair from an exchange server, generally you will only need to work with the EDB The link below has an explanation of sorts about the relationship between the files, but I've never processed an STM without the matching EDB and I generally use Systools Exchange or Kernel for Exchange.

It's also worth trying to extract the mail boxes to PST from the EDB with something like Systools or Kernel for exchange, then indexing the PST's within Intella. I haven't tried parsing any EDB files with 1.9.1 yet as I know they have improved support for EDB, but historically it was problematic.

The ability to export encrypted files then import them in the same fashion as OCR would be handy. Currently I have to add them as a new source after encryption.

You could try isolating and exporting the deleted emails with EnCase as PDF or some other document type, then index those new files with Intella to make them available. It's been a few years since I used EnCase so not sure on the process you could use, but I can tell you how to do it with Xways

My process for this matter has been as follows: Index PST archives with Intella Apply keyword tags for relevant keywords and email addresses limited to email addresses and body of emails Run separate keyword/email address search over attachments Any resulting attachments with keyword hits are isolated then using the 'show direct parent's' option the parent emails of these attachments are then tagged End results show only emails tagged (presumably attachments will go with the parent email but I can confirm that tags did not replicate down to child items) Highlight and then export relevant tagged emails to PST archives. If my process worked as I was hoping it would then no lone files should have been tagged and only emails are being exported to PST. Interestingly it appears that there may be other factors in play such as 'long file name' considerations. On watching the process unfold on the target drive it looks like Intella re-creates the directory structure temporarily in order to create the PST archive, I noted that in one case where thousands of errors were being thrown up I had the target directory buried several layers deep. On restarting the process in the root of a drive it seemed to go with only a few errors. I have also seen cases where the same data extracted for a second time with no changes will result in a cleaner PST build with less errors. I put it down to some of the complexities and difficulties of trying to build a PST that Outlook will be able to use.

I've been looking at the activity logs and thinking about ways we could use them to assist our clients for things like this, and the obvious problem is actual active review time compared to logged in time. Also there is time reading documents etc where they are not actually interacting with the software but are still technically 'active'. My thoughts are that it's far simpler to have some basic information for each user able to be collated from the logs, such as: Log on and log off times to give total time logged on Have these times available to be broken down by date and the ability to show multiple time spans for a single day (when relevant) Total documents previewed/viewed/printed/saved etc also ability to break down by day List of Doc ID's to match to the above List of tags applied/deleted/edited by any given user Break down by day etc Those would be my main hopes and given that most of that information is already captured in the logs hopefully not too complicated to extract.

I'm creating some new PST archives for a client and on a particular batch I get a large amount of 'failed to export' errors, around 70k and from the warning logs it appears to be 'no parent email found' is the issue. Are the items still exported or are they ignored for the export?

Looks great Jon, I've been waiting for this one One question, when a reviewer is working and there are no compulsory options does the 'review document later' option still get enforced?

I'm working on a job at the moment where I have to prepare quite a few separate PST archives for my client, about 15 all told. As each PST takes considerable time to create it would be great if we could queue up jobs to run, then press 'go' and then walk away for a few days to let it do it's thing.

Thanks Jon, I got your email as well so please consider this a closed issue.

Just to add some further thoughts as a quick test is not behaving as one would expect. I managed to find 2 emails in a data set which contain the same attachment, a small zip file (hash on both attachments is identical). Email 1 - Item ID 265884 Parent ID 269424 Child ID 498375 Email 2 - Item ID 267109 Parent ID 269424 Child ID 498439 So far so good, these are what I would expect to see as both emails came from the same PST archive (which I assumed would be the parent) and the child ID's are different which is also good because although the zip files are identical we still want both emails to retain their respective attachments on extraction, so deduping shouldn't affect that. However if I highlight these emails and 'show parents' the result is not Item ID 269424 as I expected, rather it's showing Email 2 (Item ID 267109) as the parent, doesn't matter what I select, top level or direct only, it's not showing 269424 as the parent item. Item 269424 is the 'inbox' folder from the PST archive which is also not what I was expecting. I'm not sure if this directly relates to the above question from my colleague but thought I'd add it to this post in an effort to better understand how Intella treats the relationships between items. Edit : I located the search preferences which were suppressing the results so now when I show top level parents I see the PST as expected, however what is confusing is the fact that the folder is listed as the Parent ID rather than the PST archive.

This is a query that has come to me from a colleague out of country and without access to the same data I'm having issues trying to recreate what they are asking and was hoping someone here might shed some light on it. I have also emailed support so I apologise for doubling up but thought that would be the best way to get a speedy answer The text below is a direct quote from the email I received, further the data they are working with came to them as plain text files from another person who created a load file for Relativity so they don't have direct access to Intella to test/change results. Edit: actually on reading this carefully again I can see that what they are seeing is correct rather that what they were expecting. If it appeared as they expected then there would be no way to link the attachment to it's email. You can probably disregard

My IT guys have set my Connect server (and entire forensic network) up on it's own subnet in the first instance so I'm completely separate from the corporate network, that's the first instance. I would say this would be the most important factor as if my network becomes compromised it doesn't leave an open door to the rest of the firm. Any production data is produced within my network anyway and if they needed access to data housed on the corporate network I just copy it across via a USB drive. My Connect server is using the HTTPS ability inbuilt which meant we had to register a domain and get security certificates issued, beyond that I have antivirus and firewall software running on the machine. The machine only has the ports it needs for Connect and web browsing open, all other ports are closed. The Intella people would be able to comment on other security features, but my understanding is that Connect only allows access to the data that you are actively sharing from the case data and there is no other way to clients to accidentally or on purpose suddenly have access to network shares or any data outside the intella case folder that is actively shared with them. I've been running a Connect server in this fashion for a few years now and have had no issues.

The backup process is somewhat restrictive I agree and I suspect they are looking at improving this, but in the mean time there are other options which are effective. You can use third party software to backup the active database without having to shut anything down. I use Bvckup2 which mirrors the data directory to a network share every hour (only mirrors updated/changed files) and in addition I have Veeam endpoint backup software (free) running on the server. If a new source causes an issue I can go to the backup software and restore the files/folders from any point in time, in addition if need be I can grab the entire database from an hour ago. Bvckup2 pro was only $40 so very cheap and perfect for what I needed. This may not work for you but thought I'd share as an alternative.

SamW, I don't know the answers to the technical questions around the histogram issues, however you can achieve what you need with the facet filters for dates. My approach would be to first view via the locations facet and apply custodians to each of the mailboxes (or data files) if you haven't already. Then for each custodian display the entire data set, then include the yearly date range and tag that set, then unfortunately you are going to need to repeat this process for each month over the 3 year period to get the monthly numbers. You can exclude/include duplicates in the normal fashion depending on your needs. It could be a time consuming process depending on how many custodians you have, but I don't think there is any easy way around this unless there is a way to get the histogram to be custodian specific.....which would be a nice addition for the Intella people listening

I'm the same Phil, love Xways but not a fan of how it handles emails

Morning Phil, I had some recovered olk14 data from my case so I indexed that in Intella and it doesn't appear to recognise or deal with that format. They were all indexed as 'unknown binary files' and nothing was really presenting properly. Might have to just process via Xways in this instance and use it's own search/index capability.

Hey Phil, as luck would have it I just finished a job on a Mac image with almost exactly that situation. Intella did process the individual olk14 emails, however without the entourage database file being processed/converted there were no attachments or folder structure. I found (and purchased) a tool called 'Emailchemy' for $30 which converted the entourage database file, which I then processed with Intella, all attachments and folder structure intact. Fantastic little tool, couldn't recommend it highly enough! Below link has some info on where to find the database file which needs to be converted. http://www.office.mvps.org/path/index.html

well this is embarrassing....

I have a case which I'm wanting to duplicate so our clients will have access to our tags etc and the ability to add their own, then keep the original as we have tagged it for our own internal use. So I copied the data folder over and gave it a new home and name by editing the Case.xml file, however when I attempted to add I got a 'duplicate Case ID' error. Looking in the Case.xml file I noted the case ID and simply changed the last digit from a 4 to a 5, the case then added successfully. Now that I've leaped before looking, are there any possible side effects to manually renaming the case ID in this fashion? The tags and all other work product appear to be there and I can see nothing obvious, but can't help but feel like I just put diesel fuel into a petrol car

And one more sort of related to this hiding of tags etc, it occurred to me that another very useful feature would be the ability to have a permission that was 'user X can only view items tagged with ?' That way we could create a parent tag and then have all items we want visible to a restricted user visible and fully searchable, however all other items would be hidden.

This would be a wish for Intella as well as Connect. When using numbers for tags from 1-12 Intella/Connect will both number in the following fashion: 1 10 11 12 2 3 4 5 6 7 8 9 Normally this is not a major issue as I will just change the tag to be 01, 02, 03 etc and then they will appear in order, however in a current matter we are working on I am setting up a predefined list of tags for a client which need to directly respond to a report which is using numbered paragraphs. So now the tags will appear out of order on Connect. Only a small issue but I don't imagine it would be too difficult to get Intella/Connect to treat 1 as if it were 01 when applying tag names etc..

This one I have been discussing with my client as there are issues here that go beyond what we as users may understand about the capability or possibilty. I had previously mentioned that it would be great if documents could retain their keyword hits even after tags have been applied, however this makes me think it could get confusing as a document could be found with a keyword search of 'test' but the tag name applied could be 'goat', with no clear relationship between the two. I think the simplest way to apply something which sould be easy(ish) would be to have the option to highlight the tag name within document sets, this way we train our users to be in the habit of making tags which reflect the keywords they are interested in. I would then like to see this capability exapnded to we are able to select any keyword to be highlighted, some sort of tick box menu which would work exactly the same way as the tag capability, only instead of applying tags we are applying keywords that will be highlighted in any document that is previewed. This 'highlight' menu could also have any manually entered search terms in the list as well which would have the flexibilty to view tag sets yet highlight different search terms within for cross checking etc.

Feedback from a client who is conducting a review at the moment. Currently the characters displayed in the To/From etc fields at the top of the screen are limited, clearly to keep the size of this data uniform to a degree, but what happens is the data is truncated with an elipses (....) at the end of the line of text, then in order to view the entire set the user has to either move to a different tab or hover the mouse over the text and a small box appears with the data. In the case where the keyword hits appear in these lines the highlighting is not visible and there is obviously the extra time required to make that text fully visible. The request is that this full text be visible in the initial window regardless of size.

I don't know the answer to your question but just as a point of interest I moved away from having Connect as a service as the server would on the odd occasion become unresponsive and freeze up requiring a reboot (Server 2012 OS). I put the connect.exe in the startup folder the old school way and since switching back have had no freezing issues. It may be purely something that happened on my server but thought I'd mention it here in case you get some issues with the service.