dougee
-
Posts
21 -
Joined
-
Last visited
-
Days Won
4
Posts posted by dougee
-
-
I am using Intellla 1.72 and the 'Preview' tab is blank. The MHT file is identified in the table as type 'email'. I can send you the MHT file if you need it? Thanks.
-
We use HTTrack to capture websites for investigations and have been using the .MHT file format to capture the sites (we also use other tools including PDF). Intella will process and parse the MHT file and separate out the underlying files, but it treats the MHT file as an email message. Therefore when you preview the MHT you get an email view and not the web page view.
Intella Email View
Intella Attachment View
The below image is a preview from another tool and represents the preview shown in the web browser if the MHT file is opened.
-
Thats sounds exactly like the SMB issue I was having with imaging to SMB shares. The TCP overhead was huge. Hopefully Intella can look at the network issue with backups and make improvements.
-
Not sure if its the issue you are suffering, but it could be an issue with the SMB protocol between the devices and the way EnCase and Intella writes the data out. I have seen very similar numbers when imaging across the network to an SMB share in Linux. When I changed to using Netcat or iSCSI the speed difference was incredible, the SMB traffic overhead (in my case) was enormous.
Maybe sniff the network traffic during the backup and see if you can spot any overhead or other issues.
-
Chris, thanks for the followup. You could use custodian as the source location for identification, for example name of sub folder containing the users doc's and PST. Also it would be good to add the ability to tag evidence containers inside Intella with a custodian name. I would add this as another field rather than a standard tag so you can easily filter by custodian in the facet without having to use the standard tagging method.
"Would you want to see the raw amount, the deduplicated amount, or perhaps both?" I would prefer both if possible.
Cheers
Andy J
-
All your options sound good, could you also maybe consider adding the abilitiy to break down the file types, search results(keywords) by custodian. This would give an easy way to show which custodian was most active in the case.
With the top ten file types could this be made user selectable so that we could chose the files types in the chart? It would be a good way to get past large numbers of irrelevant files like cookies, etc when listing text files.
-
Same here, I would love to be a beta tester.
-
Thanks Lukasz, that makes perfect sense, I currently have a custom build, I will reinstall with the latest version, thanks again.
-
I am running 1.6.3 and my title bar informs me of an update for the language pack and when I click the link and log in to the website, I cannot find any download links for language packs! Am I missing something!
-
1
-
-
We are increasingly encountering documents in foreign languages that we have to currently send out to a translation service, this is expensive and slows down the investigation. I am wondering if anyone has any recommendations or experience using software to do the translation automatically? We are thinking this will be more of an intelligence review and would use the translation service for evidence for trial and hearing.
Thanks.
-
I think we have just found the problems with computers and forensics in general, nothing ever works the same. At least we have options. I was hoping for more thunderbolt support by now for external drives, but nothing really of a reasonable price has come out. I just bough a network Drobo and connect using iSCSI, it is working really well and less than $5,000 for 16TB.
-
I have to say that I have been using USB3 drives for the storage of forensic images for a while now and have never had any issues. I use them to image to/from X-ways and run both Intella cases and X-ways cases on them with no apparent loss of speed. I know they are not as fast as my SSD or SATA drives, but the convienence has been worth the small loss of speed. I personally find them more reliable than eSATA drives as I have had issues with eSATA drives dropping the connections and other connection issues (could just be me, but I have found the same with different drive bays, docks and different computers). When eSATA has worked it was very good, but no faster IMHO for the tasks I needed it to do than USB3. Now that my MacBookPro has USB3 it is even better.
-
Saw this link on another forum and thought it was worth sharing here as someone might find it useful.
-
Very imformative video where the presenter does a great job of explaining why we may never have a "Find Evidence Button".
http://www.ted.com/talks/shyam_sankar_the_rise_of_human_computer_cooperation.html
-
1
-
-
Thanks Chris, I look forward to seeing what magic you guys can bring.
-
Adding to AdamS great suggestions, one that I would like to add is the ability to remove items from Intella. I know I can exclude items from view, but we often come across items that are subject to privilege claims by opposing parties and the ability to remove privilege items would be great. Currently the only way around this is to remove the items from the evidence and re-index, this is not easy with mail containers. Maybe we could just remove the items from the database so investigators can't access them at all, leaving the items in the evidence store.
-
1
-
-
Kathleen, how do you check your the dataset before bringing it into Intella for OCR? I have been playing with trying to add to this my work flow along with identifying encrypted/password protected files. Currently I use X-Ways to identify the encrypted files and decrypt them before bringing them into Intella, but couldn't seem to get it work for OCR files.
Like you I produce the OCR documents in my report and the original files in any production or discovery.
-
When I de-dupe the picture files in the table view, the de-duplication is applied successfully, however, when I then change to the picture thumbnail view the de-dupe is lost and I am shown all the pictures. I know as a work around that I can tag the de-duped pictures and then view only the tagged photos, but this is more steps than necessary.
-
1
-
-
Thanks Kathleen, we ar ehappy with Adobe, but I wanted to see what others were using, good to know you use it. Do you use any add-ons, I was looking at a plugin for hot folder support, but didn't find anything that seemed robust enough, thanks.
-
We are looking at implementing an OCR solution for the scanned documents that cannot be indexed, we currently are using Adobe Acrobat Professionnal, but I wanted to see what others are doing and would recommend, thanks.
Cheers
Andy J
New feature - Paragraph level deduplication a.k.a. "Shingles"
in Archived threads
Posted
Thanks for the information on the upcoming features it looks really good, I have one question, can you use this expanded analysis to maybe provide a summary tab of the contents of the documents/emails? Can the shingles be used to create a seperate metadata field or tab to create the summary or theme of the document contents, thanks.