[Zip Families]

Hello Bryan,

At the moment there is no way to configure the family definition for "Family Date" column. We will add this feature in a future version.

I'm afraid the only option for now is to unzip the evidence.

[load file export still including native]

Hi ESIdisco,

Can you try to do the following?

1. On the "Load file options" page uncheck "Include natives".

2. Then on the "Rendering options" check "Export skipped item as native file".

 

[Question on Custom Columns]

Hi Adam,

 

Thanks for clarification. An option for setting a custom date format is certainly on our list. It will be added in one of the future versions.

[Question on Custom Columns]

Hi Adam,

 

As you can see from the exception report, the value Wed Sep 06 13:04:08 AWST 2017 does not correspond to the date format you specified in the custom column YYYYMMdd HH:mm:ss zzz. So Intella doesn't know how to parse it.

 

Please note that the Date Format option tells Intella how to parse the value, not how to display it. If you want to change the way how date values are formatted in the details table and previewer, then it can only be done via Preferences -> Display and Locale -> Date format -> Select regional standard.

 

Did you try to use load file export? As I said earlier it allows to set a custom date/time format. You can choose CSV format and uncheck natives, images and texts, so it will be just one CSV file in the end.

[Question on Custom Columns]

Hi Adam,

 

I'm curious as to the need for re-indexing when creating custom columns.

Is it possible within the framework of Intella to have custom columns run on some sort of background 'refresh' rather than a full index?

 

This is a limitation of the current version. In a future version it will be possible to refresh the custom columns only without re-indexing the entire case.

 

 

So my new question, presumably you (Intella) have one, but I'm also assuming this is IP which you painstakingly compiled yourselves. Is there a source somewhere you could point me which contains this data?

 

Intella uses the following fields:

1. PR_CREATION_TIME

2. PR_LAST_MODIFICATION_TIME

3. PR_CLIENT_SUBMIT_TIME - Sent

4. PR_MESSAGE_DELIVERY_TIME - Received

 

Additionally Intella uses date fields from email headers.

 

You can find more information about Outlook fields on MSDN web site: https://msdn.microsoft.com/en-us/library/. Just try searching for a specific field.

 

 

So I ran a re-index on a case with two custom columns and neither have worked as expected, xml data from one is below. Have I missed something? I did alter the way the date presented when compiling the settings but the preview was showing as expected.

 

I tried to repeat your test and it worked fine for me. I think you used incorrect date format settings. Here is what I used:

 

From: Raw Data

Field: PR_CLIENT_SUBMIT_TIME

Date Format: EEE MMM dd HH:mm:ss zzz yyyy

 

Can you try that?

 

If it still doesn't work, can you check the exception report? It should contain a detailed error message.

[Import load file - paths may not be correctly configured]

Hi llanowar,

 

Can you try to move both the DAT and OPT files one level up to the PROD004 folder?

[OCR Text for Redacted documents]

Hi Jason,

 

Can you try to do the following:

1) Export items to load file and use an export set. Skip the texts for redacted items.

2) Export all redacted items using the export set column, so they will get proper names like 000001.000001.0000034.

3) Now OCR the files exported in the step 2. And replace the place-holdered text files in the load file with the new OCRed files. (the names should match)

 

Do you think it would work?

[Cancelling indexing process]

Hi Adam,

 

"Index new data" will only pick up new top-level files and folders. It would not "refresh" existing items such as PSTs, even if they were partially indexed. Therefore it's not a proper solution for the "Pause indexing" and that explains the results you had.

 

We may improve how it works in a future version.

[Periodic 'Error response code 504']

Hi Adam,

 

504 error code indicates a connection timeout which happens when response is not ready in 3 minutes. Based on the description this might be caused by a long running complex search queries - but we would have to look at the logs in order to be sure.

[From/To/CC/BCC Fields doubling email addresses on export]

Hello ifinch001,

 

The second address (Bob Smith </O=Company...>) is an internal one which is used when an email is sent inside the company. Outlook will suppress such information, but Intella shows everything extracted from the email.

 

When exporting, Intella appends all types of email address, because it may be important for investigation.

[Certain Load files do not import documents.]

Hi Jason,

 

Intella can import a load file that has no type information at all. You should be able to view the imported documents, but some functions may not work correctly when the type information is not available.

 

If you can't view any of the documents at all, I think something went wrong during the import.

 

I have answered you question on the support portal. We would need to review our log file to check what went wrong.

 

Note that in Intella 2.0.0 we have a new option that allows to extract the document type from natives.

[Export without Cover Sheet]

Hi westerndigital,

 

Adam is correct. Please note that in the latest version it's possible to have different settings for emails and for documents. So you can disable the cover page for loose files, but still have email headers at the same time.

[Errors on export to PST]

Hi Adam,

 

It looks like it should work fine based on the process you described.

 

Can you take a look at one of the items that were failed with "no parent email found" error? Can you locate the item in the case (using View -> Preview Item...), switch to the Tree tab and make a screen shot of it? Can you also make a screen shot of your export to PST options page?

 

You may want to open a new support ticket and send the screen shots there.

[Errors on export to PST]

Hi Adam,

 

Please note that not all items are exportable to PST. Can you make sure that the batch doesn't include any loose files?

 

> Are the items still exported or are they ignored for the export?

No, they are ignored. You can try to export those items to original format instead.

[Automatic Rename of Exported Files]

Hi gsnyder,

 

I've just sent you a private message with a link to an interim installer that should resolve the issue.

[Index new data]

Hi wmfiske,

 

It might be it takes too much time to recovery deleted items. Can you try to disable "Recovery deleted emails" option on the "Add new source" wizard?

 

Please note that the time needed to recover deleted items can vary widely depending on how heavily the file was used and how old it is.

[Custom MBOX splitter - free utility for 2703d Gmail dumps!]

Hello gcahlik,

 

Can you share the edited version of CustomMboxSplitter.bat file you used please? Can you double check that you specified the correct path to Intella on the first line?

 

 

I have the latest version of Java currently installed on this machine (Version 8, Update 66) -- has been restarted several times.

 

Please note that the tool uses the Java bundled with Intella, not a system one.

 

[Further Customisation of Export Options]

Hi Adam,

 

Intella 1.9 will have a new feature that would allow to import an overlay file (load file or CSV). That can theoretically help in your case:

 - Turn the Doc ID list into a CSV while adding a second column "Item Number". Use Excel to fill the column with numbers from 1 to N.

 - Now it should be possible to import the CSV into a case as an overlay file. Intella can match the items by Item ID from the first column and import the second one into a new tag column.

 - Sort items by the new column and export using the current table order.

[To and cc not shown]

FYI: The issue is currently being handled via the support system.

[IntellaCmd not working]

Hi Mark,

 

I've sent you an interim installer, please see PM.

 

So will I have this problem when the next release of Intella Pro comes out?

 

No, you'll be able to use IntellaCmd.exe with your PRO license in the next release.

[Possible Memory leak]

Hi Adam, Vanacker,

 

Can you try the following please (with Intella 1.8.3):

 

1. Navigate to "prefs" subfolder within your case folder and open "case.prefs" file with a text editor

2. Add a line UseExperimentalPstCrawler=True and save the file

3. Index the problematic PST file again

[IntellaCmd not working]

Hi Mark,

 

Can you try the following command (without the "-newCase" argument):

intellacmd.exe -case "J:\Intella Case Files\Test" -user Mark -evidence "I:\Custodian 1"

And please make sure that the following things are true:

1. The case folder doesn't exist (Intella will create one automatically).

2. Your dongle has "Intella Team Manager 1.8.x" license on it. You can check it using http://localhost:1947/_int_/products.html

 

[SCANPST vs Intella error correction]

Hello all,

 

First of all, I agree with my colleague Christiaan.

 

 

So I would like to ask the ADMIN's to explain what is done while Intella first ingests / crawls a pst file.

 

There are three steps in a process of ingesting a PST file:

1) The main tree.

This is a place where all regular items are located. Basically this is what Outlook shows.

If the main tree index can not be read then Intella will show an error. Using of ScanPST may help in this case.

 

2) Orhpan items. (<ORPHAN ITEMS>)

Apart from the main tree there are also other regular items, but they are not connected to any folder.

So they can not be seen in Outlook. We are not sure about its purpose, but we think that 

they might be left-overs from internal Outlook operations.

For example, when you edit/compose an email Outlook may save a temporary copy of this email.

 

3) Recovered items. (<RECOVERED> folder)

In 1 and 2 we talked about allocated space. But there are also unallocated data blocks.

When Outlook deletes an item, it's marked as unallocated and removed from the main tree, but the data is still there.

Intella scans all unallocated data block and tries to recover deleted items.

 

 

Now regarding using ScanPST. I think it would make sense to use it even if the PST is not corrupted. But that may not sound forensically as it modifies the original data.

As my colleague Christiaan said, it's written by Microsoft, so the tool might be able to recover some data that can't be recovered by Intella.

 

 

In our example using SCANPST, Intella reported 150k more emails

 

Are all those 150K items unique?

["Unread" Column]

Hi,

 

 

Will there also be any indicator for email that are previewed but not open?

I'm afraid it's not possible to say whether some email was previewed but not opened in Outlook. Intella uses PR_MESSAGE_FLAGS property to determine the "Unread" status of the message: http://msdn.microsoft.com/en-us/library/cc839733(v=office.15).aspx

 

Please let us know if you are aware of such a property that can be used to determine "Previewed" or "Opened" status.

[_to long paths]

When you then go to review material by 'Location' in Intella it becomes unresponsive for a bit whilst it refreshes all the relevant locations. Then it displays something like this::

 

This_is_my_evidence.L01\full path\

This_is_my_evidence.L02\full path\

This_is_my_evidence.L03\full path\

 

and so on for as many segments as you have. Of course, this is extremely unhelpful in determining the actual device where the data resides. As long as you have named the device something relevant, this name features much further down the path. One of the ways in which we use selective searching in Intella is to select the device in the Location view. Using this method, this can no longer be achieved this way.

 

Hello Gary,

 

How did you add an evidence to Intella? Did you use "Folder" or "Disk Image" source type? Actually only the first part of a disk image should be expandable in the Location panel. The rest files (L02, L02 and so on) should not contain any folders.

 

Could it be that you added each L01 part as a separate source?

 

See the attached screenshot.