Posts posted by dougee

  1. We use HTTrack to capture websites for investigations and have been using the .MHT file format to capture the sites (we also use other tools including PDF). Intella will process and parse the MHT file and separate out the underlying files, but it treats the MHT file as an email message. Therefore when you preview the MHT you get an email view and not the web page view.

     [Screenshot: Intella Email View]

     [Screenshot: Intella Attachment View]

    The below image is a preview from another tool and represents the preview shown in the web browser if the MHT file is opened.

     [Screenshot: web page preview of the same MHT file in another tool]

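The behaviour described in the post above has a simple explanation: an MHT web archive (RFC 2557, "MIME Encapsulation of Aggregate Documents") is literally a multipart/related MIME message with e-mail style headers, so any MIME-aware tool will parse it as mail, with the page as the root part and its images, scripts and stylesheets as the "attachments". The following is an added example, not code from the original thread or from Intella or HTTrack: it parses an MHT with Python's standard `email` module, undoes the transfer encodings and picks out the root HTML the way RFC 2557 specifies. The sample archive is constructed inline for the demonstration.

```python
"""Parse an MHT (RFC 2557 multipart/related) web archive with the stdlib email module.

Added example, not part of the original forum thread. The archive below is a
constructed sample: one HTML page plus one tiny GIF it references.
"""
import email
from email import policy
from email.message import EmailMessage

# Constructed sample MHT. Note the mail-like top-level headers (From, Subject,
# MIME-Version): this is why an e-mail parser treats the file as a message.
# "=3D" is the quoted-printable encoding of "=".
SAMPLE_MHT = b"""From: <Saved by a web capture tool>
Subject: Example capture
MIME-Version: 1.0
Content-Type: multipart/related; type="text/html"; boundary="----=_NextPart_000"

------=_NextPart_000
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Content-Location: http://www.example.com/index.html

<html><body><h1>Evidence page</h1><img src=3D"logo.gif"></body></html>
------=_NextPart_000
Content-Type: image/gif
Content-Transfer-Encoding: base64
Content-Location: http://www.example.com/logo.gif

R0lGODlhAQABAAAAACw=
------=_NextPart_000--
"""


def parse_mht(data: bytes) -> EmailMessage:
    """Parse MHT bytes with the modern email API (accepts CRLF or LF line endings)."""
    msg = email.message_from_bytes(data, policy=policy.default)
    if msg.get_content_type() != "multipart/related":
        raise ValueError(f"not an MHT archive: top-level type is {msg.get_content_type()}")
    return msg


def list_parts(msg: EmailMessage) -> list:
    """Return (location, content_type, payload) for every encapsulated resource.

    Transfer encodings (quoted-printable, base64) are undone by get_content();
    text parts come back as str decoded per their charset, binary parts as bytes.
    Resources are addressed by Content-Location (a URL) or Content-ID.
    """
    parts = []
    for part in msg.iter_parts():
        location = part.get("Content-Location") or part.get("Content-ID")
        parts.append((str(location) if location else None,
                      part.get_content_type(),
                      part.get_content()))
    return parts


def root_html(msg: EmailMessage) -> str:
    """Select the root document as RFC 2557 prescribes.

    Order of preference: the part whose Content-ID matches the 'start' parameter,
    then the first part whose type matches the 'type' parameter, then the first part.
    """
    parts = list(msg.iter_parts())
    start = msg.get_param("start")
    root_type = msg.get_param("type")
    if start:
        for part in parts:
            if part.get("Content-ID") == start:
                return part.get_content()
    if root_type:
        for part in parts:
            if part.get_content_type() == str(root_type).lower():
                return part.get_content()
    return parts[0].get_content()


if __name__ == "__main__":
    archive = parse_mht(SAMPLE_MHT)
    print("Subject header (what a mail viewer shows):", archive["Subject"])
    for location, ctype, payload in list_parts(archive):
        print(f"{ctype:12} {location} ({len(payload)} units)")
    print(root_html(archive))
```

When triaging a captured site this way, keep the Content-Location of each part: it records the URL the capture tool fetched the resource from, which is what ties an embedded image or script back to the live site at capture time. The root HTML returned by `root_html` is what a browser renders when the .mht is opened, so writing it (and the sibling resources) to disk reproduces the web-page view that the mail-style preview hides.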
  2. Not sure if it's the issue you are suffering, but it could be an issue with the SMB protocol between the devices and the way EnCase and Intella write the data out. I have seen very similar numbers when imaging across the network to an SMB share in Linux. When I changed to using Netcat or iSCSI the speed difference was incredible; the SMB traffic overhead (in my case) was enormous.

     

    Maybe sniff the network traffic during the backup and see if you can spot any overhead or other issues.

  3. Chris, thanks for the follow-up. You could use custodian as the source location for identification, for example the name of the sub-folder containing the user's docs and PST. Also it would be good to add the ability to tag evidence containers inside Intella with a custodian name. I would add this as another field rather than a standard tag so you can easily filter by custodian in the facet without having to use the standard tagging method.

     

    "Would you want to see the raw amount, the deduplicated amount, or perhaps both?" I would prefer both if possible.

     

    Cheers

     

    Andy J

  4. All your options sound good; could you also maybe consider adding the ability to break down the file types and search results (keywords) by custodian? This would give an easy way to show which custodian was most active in the case.

     

    With the top ten file types, could this be made user selectable so that we could choose the file types in the chart? It would be a good way to get past large numbers of irrelevant files like cookies, etc. when listing text files.

  5. We are increasingly encountering documents in foreign languages that we currently have to send out to a translation service; this is expensive and slows down the investigation. I am wondering if anyone has any recommendations or experience using software to do the translation automatically? We are thinking this will be more of an intelligence review and would use the translation service for evidence for trial and hearing.

     

     

    Thanks.

  6. I have to say that I have been using USB3 drives for the storage of forensic images for a while now and have never had any issues. I use them to image to/from X-Ways and run both Intella cases and X-Ways cases on them with no apparent loss of speed. I know they are not as fast as my SSD or SATA drives, but the convenience has been worth the small loss of speed. I personally find them more reliable than eSATA drives, as I have had issues with eSATA drives dropping the connections and other connection issues (could just be me, but I have found the same with different drive bays, docks and different computers). When eSATA has worked it was very good, but no faster IMHO for the tasks I needed it to do than USB3. Now that my MacBook Pro has USB3 it is even better.

  7. Adding to AdamS's great suggestions, one that I would like to add is the ability to remove items from Intella. I know I can exclude items from view, but we often come across items that are subject to privilege claims by opposing parties, and the ability to remove privileged items would be great. Currently the only way around this is to remove the items from the evidence and re-index, which is not easy with mail containers. Maybe we could just remove the items from the database so investigators can't access them at all, leaving the items in the evidence store.

  8. Kathleen, how do you check the dataset before bringing it into Intella for OCR? I have been playing with adding this to my workflow along with identifying encrypted/password-protected files. Currently I use X-Ways to identify the encrypted files and decrypt them before bringing them into Intella, but couldn't seem to get it to work for OCR files.

     

    Like you I produce the OCR documents in my report and the original files in any production or discovery.
