igor_r

Hello Bryan, At the moment there is no way to configure the family definition for "Family Date" column. We will add this feature in a future version. I'm afraid the only option for now is to unzip the evidence.

Hi ESIdisco, Can you try to do the following? 1. On the "Load file options" page uncheck "Include natives". 2. Then on the "Rendering options" check "Export skipped item as native file".

Hi Adam, Thanks for clarification. An option for setting a custom date format is certainly on our list. It will be added in one of the future versions.

Hi Adam, As you can see from the exception report, the value Wed Sep 06 13:04:08 AWST 2017 does not correspond to the date format you specified in the custom column YYYYMMdd HH:mm:ss zzz. So Intella doesn't know how to parse it. Please note that the Date Format option tells Intella how to parse the value, not how to display it. If you want to change the way how date values are formatted in the details table and previewer, then it can only be done via Preferences -> Display and Locale -> Date format -> Select regional standard. Did you try to use load file export? As I said earlier it allows to set a custom date/time format. You can choose CSV format and uncheck natives, images and texts, so it will be just one CSV file in the end.

Hi Adam, This is a limitation of the current version. In a future version it will be possible to refresh the custom columns only without re-indexing the entire case. Intella uses the following fields: 1. PR_CREATION_TIME 2. PR_LAST_MODIFICATION_TIME 3. PR_CLIENT_SUBMIT_TIME - Sent 4. PR_MESSAGE_DELIVERY_TIME - Received Additionally Intella uses date fields from email headers. You can find more information about Outlook fields on MSDN web site: https://msdn.microsoft.com/en-us/library/. Just try searching for a specific field. I tried to repeat your test and it worked fine for me. I think you used incorrect date format settings. Here is what I used: From: Raw Data Field: PR_CLIENT_SUBMIT_TIME Date Format: EEE MMM dd HH:mm:ss zzz yyyy Can you try that? If it still doesn't work, can you check the exception report? It should contain a detailed error message.

Hi llanowar, Can you try to move both the DAT and OPT files one level up to the PROD004 folder?

Hi Jason, Can you try to do the following: 1) Export items to load file and use an export set. Skip the texts for redacted items. 2) Export all redacted items using the export set column, so they will get proper names like 000001.000001.0000034. 3) Now OCR the files exported in the step 2. And replace the place-holdered text files in the load file with the new OCRed files. (the names should match) Do you think it would work?

Hi Adam, "Index new data" will only pick up new top-level files and folders. It would not "refresh" existing items such as PSTs, even if they were partially indexed. Therefore it's not a proper solution for the "Pause indexing" and that explains the results you had. We may improve how it works in a future version.

Hi Adam, 504 error code indicates a connection timeout which happens when response is not ready in 3 minutes. Based on the description this might be caused by a long running complex search queries - but we would have to look at the logs in order to be sure.

Hello ifinch001, The second address (Bob Smith </O=Company...>) is an internal one which is used when an email is sent inside the company. Outlook will suppress such information, but Intella shows everything extracted from the email. When exporting, Intella appends all types of email address, because it may be important for investigation.

Hi Jason, Intella can import a load file that has no type information at all. You should be able to view the imported documents, but some functions may not work correctly when the type information is not available. If you can't view any of the documents at all, I think something went wrong during the import. I have answered you question on the support portal. We would need to review our log file to check what went wrong. Note that in Intella 2.0.0 we have a new option that allows to extract the document type from natives.

Hi westerndigital, Adam is correct. Please note that in the latest version it's possible to have different settings for emails and for documents. So you can disable the cover page for loose files, but still have email headers at the same time.

Hi Adam, It looks like it should work fine based on the process you described. Can you take a look at one of the items that were failed with "no parent email found" error? Can you locate the item in the case (using View -> Preview Item...), switch to the Tree tab and make a screen shot of it? Can you also make a screen shot of your export to PST options page? You may want to open a new support ticket and send the screen shots there.

Hi Adam, Please note that not all items are exportable to PST. Can you make sure that the batch doesn't include any loose files? > Are the items still exported or are they ignored for the export? No, they are ignored. You can try to export those items to original format instead.

Hi gsnyder, I've just sent you a private message with a link to an interim installer that should resolve the issue.

Hi wmfiske, It might be it takes too much time to recovery deleted items. Can you try to disable "Recovery deleted emails" option on the "Add new source" wizard? Please note that the time needed to recover deleted items can vary widely depending on how heavily the file was used and how old it is.

Hello gcahlik, Can you share the edited version of CustomMboxSplitter.bat file you used please? Can you double check that you specified the correct path to Intella on the first line? Please note that the tool uses the Java bundled with Intella, not a system one.

Hi Adam, Intella 1.9 will have a new feature that would allow to import an overlay file (load file or CSV). That can theoretically help in your case: - Turn the Doc ID list into a CSV while adding a second column "Item Number". Use Excel to fill the column with numbers from 1 to N. - Now it should be possible to import the CSV into a case as an overlay file. Intella can match the items by Item ID from the first column and import the second one into a new tag column. - Sort items by the new column and export using the current table order.

FYI: The issue is currently being handled via the support system.

Hi Mark, I've sent you an interim installer, please see PM. No, you'll be able to use IntellaCmd.exe with your PRO license in the next release.

Hi Adam, Vanacker, Can you try the following please (with Intella 1.8.3): 1. Navigate to "prefs" subfolder within your case folder and open "case.prefs" file with a text editor 2. Add a line UseExperimentalPstCrawler=True and save the file 3. Index the problematic PST file again

Hi Mark, Can you try the following command (without the "-newCase" argument): intellacmd.exe -case "J:\Intella Case Files\Test" -user Mark -evidence "I:\Custodian 1" And please make sure that the following things are true: 1. The case folder doesn't exist (Intella will create one automatically). 2. Your dongle has "Intella Team Manager 1.8.x" license on it. You can check it using http://localhost:1947/_int_/products.html

Hello all, First of all, I agree with my colleague Christiaan. There are three steps in a process of ingesting a PST file: 1) The main tree. This is a place where all regular items are located. Basically this is what Outlook shows. If the main tree index can not be read then Intella will show an error. Using of ScanPST may help in this case. 2) Orhpan items. (<ORPHAN ITEMS>) Apart from the main tree there are also other regular items, but they are not connected to any folder. So they can not be seen in Outlook. We are not sure about its purpose, but we think that they might be left-overs from internal Outlook operations. For example, when you edit/compose an email Outlook may save a temporary copy of this email. 3) Recovered items. (<RECOVERED> folder) In 1 and 2 we talked about allocated space. But there are also unallocated data blocks. When Outlook deletes an item, it's marked as unallocated and removed from the main tree, but the data is still there. Intella scans all unallocated data block and tries to recover deleted items. Now regarding using ScanPST. I think it would make sense to use it even if the PST is not corrupted. But that may not sound forensically as it modifies the original data. As my colleague Christiaan said, it's written by Microsoft, so the tool might be able to recover some data that can't be recovered by Intella. Are all those 150K items unique?

Hi, Will there also be any indicator for email that are previewed but not open? I'm afraid it's not possible to say whether some email was previewed but not opened in Outlook. Intella uses PR_MESSAGE_FLAGS property to determine the "Unread" status of the message: http://msdn.microsoft.com/en-us/library/cc839733(v=office.15).aspx Please let us know if you are aware of such a property that can be used to determine "Previewed" or "Opened" status.

Hello Gary, How did you add an evidence to Intella? Did you use "Folder" or "Disk Image" source type? Actually only the first part of a disk image should be expandable in the Location panel. The rest files (L02, L02 and so on) should not contain any folders. Could it be that you added each L01 part as a separate source? See the attached screenshot.