Jump to content

philrodo

Members
  • Posts

    64
  • Joined

  • Last visited

Profile Information

  • Gender
    Male

philrodo's Achievements

Newbie

Newbie (1/14)

0

Reputation

  1. Thanks for the feedback, Adam. X-Ways is a GREAT tool, but I shy away from using it to process emails. But in this case I guess I have no choice, which means I'm going to end up having to process the EML/EMLX files in X-Ways too, to be consistent. Best regards, Phil
  2. Adam Thanks for the feedback. I'm familiar with Emailchemy, a tool I used to use more than 10 years ago, but I haven't had the occasion or need to use recently. I didn't realize that it now handles entourage databases, though.... My predicament is a bit different. I"m not dealing with the database. Everything was deleted on the MacBook. However, X-Ways recovered a bunch of files via file carving out of UA. In addition to the EML/EMLx files, it also recovered a bunch of olk14message, olk14msgsource, and olk14attachments files. My understanding is that the mlk14message are the message headers and the olk14msgsource are the actual messages. The X-Ways viewer displays the full olk14msgsource files in email format. My question is whether I can dump all the olk14* files into Intella and whether Intella can recognize and process them. If anyone knows the answer to this question, please let me know. Thanks.
  3. I have recovered via file carving from an HSF+ volume, a large number of olk14message and olk14msgsource files (emails from Outlook or Entourage for the MAC). Can Intella process and index these? Please let me know.
  4. I thought this had been reported previously, but I can't find a post here. When exporting emails to PDF the subject line is missing from the page that prints the message contents. It only shows up on the cover sheet. Is that because the "subject" shows up as a Title on the page? Reviewers that may not be familiar with this, would be looking for the Subject line as part of the standard header. Perhaps, the word "Subject:" could be added to the title? Please see attached screen clipping
  5. Adam: It works on my end. I just loaded up all the items in the case and clicked on the Type column and everything sorted by Type right away. Good luck.
  6. So was the de-duplicating feature discussed here added in 1.8.4? If so, how does it work? When I use the regular de-duplication option in Intella, it apparently still de-dups on hash. I have two identical emails, on in the OST and one in the PST containers that came off the same laptop. The message IDs are the same for both messages but the hashes are different. The messages look identical to the naked eye. If in fact they are identical, what causes different MD5 hashes? Is the file path part of the hash? If so, what's the rationale for including the file path in calculating the hash? Please let me know. Thanks. Best regards, Phil
  7. One other thought. In Adam's attempt to replicate the issue, the "_files" string was appended to the OST level, which in the case of an OST is the container file. Since my case dealt with Mboxes and each folder created by the user was treated as a separate Mbox container, perhaps this explains why the "_files" string is appended to the name of each folder (i.e., each Mbox file). In my case, the "_files" string was also being added to certain file attachments, like Zip files. In other words the file path for the contents of a Zip file attachment was expressed as "...\FolderName_files\email.msg\ZipFileName_files\file1" This is from memory, but I'm pretty sure this is close and I'm pretty certain that the Zip files had the "_files" text added to the Zip file name. This reinforces the notion that whenever Intella encounters a "container" (e.g., OST/PST, Mbox, Zip, etc.) it appears to append the "_files" text to the container name. Regardless, I don't see why the "_files" string should be appended anywhere, particularly as it alters the original file path that must be preserved as it was collected.
  8. Adam Thanks for following up and for trying to replicate the issue. I used Outlook to open the PST. The emails were collected from Yahoo using Thunderbird which saved them to Mbox format. All the folders that had the "_files" string appended to the folder name had been created by the user (i.e., they were not the standard Inbox and Sent folders that come with a Yahoo webmail account). I checked the Thunderbird file structure and the "_files" string does not appear in the saved files. Actually, each folder that the user created to organize his files was downloaded as a separate Mbox file. So only when I used Intella to export the responsive emails to PST was the "_files" string added to the folders, which indicates that Intella must be adding that text. The question is why is this text added and could this be a bug? I can see no justification for changing the file metadata and altering the file path when we're trying to preserve the evidence in the same way we received it. I hope someone from Vound looks into this and responds. Thanks again. Best regards, Phil
  9. I recently sent a bunch of PSTs to a law firm that included emails that returned search hits. The PSTs were uploaded to a review platform and reviewed by the attorneys. They marked a few emails that had to be returned to the other party. Eventually, I got some of the logs from the review platform that included the emails that were returned and had to be deleted from the servers where they were stored. The only way I could track down these messages on the mail server, was to follow the file path. I noticed that the file path included the "_files" after each folder. For example, the user had created a "Save" folder which was exported to the PST as "Save_files." I thought that the "_files" string was added by the review platform, but when I opened the PSTs I found that Intella had added that string to the actual folder name for every folder that was exported. This is something I had not noticed before in all the years I've used Intella, as I usually don't open the PSTs after I create them with Intella. What is the rationale for adding the "_files" string after each folder name? This is basically altering the file metadata and could cause some issues with the preservation of the evidence if the production is challenged by the opposing party. I'm attaching a screen clipping of the folder structure inside the PST that was created after exporting the emails from Intella (I've blurred out some of the identifying information). Please let me know. Thanks. Best regards, Phil
  10. Thank you both for the informative responses. Have you had any experience in trying to match MD5 in Intella using an MD5 list that was generated by another platform (e.g., Logikcull, specifically)? Best regards, Phil
  11. One other question. While exporting certain emails from Intella, I generated a cvs report. In looking at the report, I see two columns pertaining to MD5 hashes. One is labeled "MD5 Hash" and the other is labeled "Message Hash." What is the difference, since both MD5 values ostensibly pertain to the same message?
  12. Is there a way to import a table containing various MD5 hash values and use it to match messages or attachments in an Intella case? If not, how do you suggest one go about doing that? Your feedback is appreciated. Best regards, Phil
  13. Christiaan: One other thought I should have included in my previous message. I realize that the table view depicts the documents. I was wandering whether another view could be added that would depict the hit counts. In other words, if a particular document contained multiple keywords, each search hit would be listed in a separate row, so that the same document would generate multiple rows, one for each search hit. The table views (e.g., document or hit view) would be user selectable, so a user could switch back and forth from a listing of documents to a listing of search hits. Adding this functionality would greatly enhance Intella's robust search capabilities. Best regards, Phil
  14. Christiaan I'm attaching a screen clipping that shows the search view from X-Ways displaying certain columns. Obviously, more columns can be added or removed at the user's discretion. One of the biggest problems I have with Intella is that it provides no hit counts. The only counts we get and can report on are item counts. This is not very useful in identifying keywords that generate false positive hits. And in some instances, clients want to see the actual hit count, not just the document count per keyword. Furthermore, when using multiple keywords, the only way to get an idea of what keywords return hits in a particular document is to open the document in the viewer and look at the search hits. You get no reports that can be generated in a table format that provide feedback by document indicating which keywords were found in the document. The ability to report the terms that return search hits for each document in a table report is sorely lacking. I realize that the hits are highlighted inside the viewer, but we have to report hit counts to the attorneys and they don't have access to the viewer--also the viewer is limited at examining one document at a time, which is not very helpful when dealing with a large data set. I think the attached screen clipping should give you some ideas of what I'm trying to describe. Please review and let me know if you have any questions or if I can provide some additional feedback. Thanks. Best regards, Phil
  15. Christiaan Sorry, I just saw this. I thought I had enabled the "follow the topic" option but apparently I had not, so I did not receive any notifications. I will generate a sample report using X-Ways and send you a copy. This should give you a better idea of what I was describing. I can't do this right now, but I should be able to get it done in a day or so.
×
×
  • Create New...