Everything posted by philrodo

  1. Thanks for the feedback, Adam. X-Ways is a GREAT tool, but I shy away from using it to process emails. But in this case I guess I have no choice, which means I'm going to end up having to process the EML/EMLX files in X-Ways too, to be consistent. Best regards, Phil
  2. Adam, thanks for the feedback. I'm familiar with Emailchemy, a tool I used to use more than 10 years ago, but I haven't had the occasion or need to use it recently. I didn't realize that it now handles Entourage databases, though. My predicament is a bit different. I'm not dealing with the database. Everything was deleted on the MacBook. However, X-Ways recovered a bunch of files via file carving out of UA. In addition to the EML/EMLX files, it also recovered a bunch of olk14message, olk14msgsource, and olk14attachments files. My understanding is that the olk14message files are the message headers and the olk14msgsource files are the actual messages. The X-Ways viewer displays the full olk14msgsource files in email format. My question is whether I can dump all the olk14* files into Intella and whether Intella can recognize and process them. If anyone knows the answer to this question, please let me know. Thanks.
  3. I have recovered via file carving from an HFS+ volume a large number of olk14message and olk14msgsource files (emails from Outlook or Entourage for the Mac). Can Intella process and index these? Please let me know.
  4. I thought this had been reported previously, but I can't find a post here. When exporting emails to PDF, the subject line is missing from the page that prints the message contents. It only shows up on the cover sheet. Is that because the "subject" shows up as a title on the page? Reviewers that may not be familiar with this would be looking for the Subject line as part of the standard header. Perhaps the word "Subject:" could be added to the title? Please see the attached screen clipping.
  5. Adam: It works on my end. I just loaded up all the items in the case and clicked on the Type column and everything sorted by Type right away. Good luck.
  6. So was the de-duplicating feature discussed here added in 1.8.4? If so, how does it work? When I use the regular de-duplication option in Intella, it apparently still de-dups on hash. I have two identical emails, one in the OST and one in the PST containers that came off the same laptop. The message IDs are the same for both messages but the hashes are different. The messages look identical to the naked eye. If in fact they are identical, what causes different MD5 hashes? Is the file path part of the hash? If so, what's the rationale for including the file path in calculating the hash? Please let me know. Thanks. Best regards, Phil
  7. One other thought. In Adam's attempt to replicate the issue, the "_files" string was appended to the OST level, which in the case of an OST is the container file. Since my case dealt with Mboxes and each folder created by the user was treated as a separate Mbox container, perhaps this explains why the "_files" string is appended to the name of each folder (i.e., each Mbox file). In my case, the "_files" string was also being added to certain file attachments, like Zip files. In other words the file path for the contents of a Zip file attachment was expressed as "...\FolderName_files\email.msg\ZipFileName_files\file1" This is from memory, but I'm pretty sure this is close and I'm pretty certain that the Zip files had the "_files" text added to the Zip file name. This reinforces the notion that whenever Intella encounters a "container" (e.g., OST/PST, Mbox, Zip, etc.) it appears to append the "_files" text to the container name. Regardless, I don't see why the "_files" string should be appended anywhere, particularly as it alters the original file path that must be preserved as it was collected.
  8. Adam, thanks for following up and for trying to replicate the issue. I used Outlook to open the PST. The emails were collected from Yahoo using Thunderbird, which saved them to Mbox format. All the folders that had the "_files" string appended to the folder name had been created by the user (i.e., they were not the standard Inbox and Sent folders that come with a Yahoo webmail account). I checked the Thunderbird file structure and the "_files" string does not appear in the saved files. Actually, each folder that the user created to organize his files was downloaded as a separate Mbox file. So only when I used Intella to export the responsive emails to PST was the "_files" string added to the folders, which indicates that Intella must be adding that text. The question is why this text is added and whether it could be a bug. I can see no justification for changing the file metadata and altering the file path when we're trying to preserve the evidence in the same way we received it. I hope someone from Vound looks into this and responds. Thanks again. Best regards, Phil
  9. I recently sent a bunch of PSTs to a law firm that included emails that returned search hits. The PSTs were uploaded to a review platform and reviewed by the attorneys. They marked a few emails that had to be returned to the other party. Eventually, I got some of the logs from the review platform that included the emails that were returned and had to be deleted from the servers where they were stored. The only way I could track down these messages on the mail server, was to follow the file path. I noticed that the file path included the "_files" after each folder. For example, the user had created a "Save" folder which was exported to the PST as "Save_files." I thought that the "_files" string was added by the review platform, but when I opened the PSTs I found that Intella had added that string to the actual folder name for every folder that was exported. This is something I had not noticed before in all the years I've used Intella, as I usually don't open the PSTs after I create them with Intella. What is the rationale for adding the "_files" string after each folder name? This is basically altering the file metadata and could cause some issues with the preservation of the evidence if the production is challenged by the opposing party. I'm attaching a screen clipping of the folder structure inside the PST that was created after exporting the emails from Intella (I've blurred out some of the identifying information). Please let me know. Thanks. Best regards, Phil
  10. Thank you both for the informative responses. Have you had any experience in trying to match MD5 in Intella using an MD5 list that was generated by another platform (e.g., Logikcull, specifically)? Best regards, Phil
  11. One other question. While exporting certain emails from Intella, I generated a CSV report. In looking at the report, I see two columns pertaining to MD5 hashes. One is labeled "MD5 Hash" and the other is labeled "Message Hash." What is the difference, since both MD5 values ostensibly pertain to the same message?
  12. Is there a way to import a table containing various MD5 hash values and use it to match messages or attachments in an Intella case? If not, how do you suggest one go about doing that? Your feedback is appreciated. Best regards, Phil
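Posts 6, 11 and 12 above all turn on the difference between a hash of the stored bytes and a hash of the message content. The script below is an added illustration and not Intella's or Vound's code: it assumes a hypothetical "message hash" recipe (MD5 over a fixed set of normalized headers plus the whitespace-normalized body) to show why two copies of one email stored in different containers get different file MD5s but the same content hash, and why an MD5 list from another platform only matches if that platform used the same recipe. The two EML samples are constructed.

```python
import csv
import hashlib
import io
from email import message_from_bytes
from email.policy import default

# Constructed sample: the same message as stored in two containers.
# Copy A uses CRLF line endings and carries an extra transport header;
# copy B is LF-terminated without it. The message content is identical.
MSG_A = (b"Received: from mx.example.test by ost.example.test\r\n"
         b"Message-ID: <abc123@example.test>\r\n"
         b"From: alice@example.test\r\nTo: bob@example.test\r\n"
         b"Date: Mon, 05 Jan 2015 10:00:00 +0000\r\nSubject: Quarterly report\r\n"
         b"\r\nPlease find the figures attached.\r\n")
MSG_B = (b"Message-ID: <abc123@example.test>\nFrom: alice@example.test\n"
         b"To: bob@example.test\nDate: Mon, 05 Jan 2015 10:00:00 +0000\n"
         b"Subject: Quarterly report\n\nPlease find the figures attached.\n")

# Hypothetical recipe (an assumption, not Intella's): which headers feed the hash.
CANONICAL_HEADERS = ("message-id", "from", "to", "date", "subject")


def file_md5(raw: bytes) -> str:
    """MD5 over the stored bytes: sensitive to line endings, extra headers, etc."""
    return hashlib.md5(raw).hexdigest()


def message_md5(raw: bytes) -> str:
    """Content hash: MD5 over normalized canonical headers plus the normalized
    text body. Two tools must agree on this recipe for their hashes to match."""
    msg = message_from_bytes(raw, policy=default)
    parts = [f"{name}:{(msg.get(name) or '').strip().lower()}"
             for name in CANONICAL_HEADERS]
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    parts.append("body:" + " ".join(text.split()))  # collapse whitespace/CRLF
    return hashlib.md5("\n".join(parts).encode("utf-8")).hexdigest()


def match_hash_list(csv_text: str, items: dict) -> dict:
    """Match a hash list from another platform (CSV with an 'md5' column)
    against items {name: (file_md5, message_md5)}; say which hash matched."""
    wanted = {row["md5"].strip().lower()
              for row in csv.DictReader(io.StringIO(csv_text))}
    result = {}
    for name, (fmd5, mmd5) in items.items():
        if fmd5 in wanted:
            result[name] = "file"
        elif mmd5 in wanted:
            result[name] = "message"
        else:
            result[name] = None  # list was built with a different recipe
    return result


if __name__ == "__main__":
    print("file MD5 equal:   ", file_md5(MSG_A) == file_md5(MSG_B))
    print("message MD5 equal:", message_md5(MSG_A) == message_md5(MSG_B))
```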
  13. Christiaan: One other thought I should have included in my previous message. I realize that the table view depicts the documents. I was wondering whether another view could be added that would depict the hit counts. In other words, if a particular document contained multiple keywords, each search hit would be listed in a separate row, so that the same document would generate multiple rows, one for each search hit. The table views (e.g., document or hit view) would be user selectable, so a user could switch back and forth from a listing of documents to a listing of search hits. Adding this functionality would greatly enhance Intella's robust search capabilities. Best regards, Phil
  14. Christiaan, I'm attaching a screen clipping that shows the search view from X-Ways displaying certain columns. Obviously, more columns can be added or removed at the user's discretion. One of the biggest problems I have with Intella is that it provides no hit counts. The only counts we get and can report on are item counts. This is not very useful in identifying keywords that generate false positive hits. And in some instances, clients want to see the actual hit count, not just the document count per keyword. Furthermore, when using multiple keywords, the only way to get an idea of which keywords return hits in a particular document is to open the document in the viewer and look at the search hits. You get no reports that can be generated in a table format that provide feedback by document indicating which keywords were found in the document. The ability to report the terms that return search hits for each document in a table report is sorely lacking. I realize that the hits are highlighted inside the viewer, but we have to report hit counts to the attorneys and they don't have access to the viewer--also the viewer is limited to examining one document at a time, which is not very helpful when dealing with a large data set. I think the attached screen clipping should give you some ideas of what I'm trying to describe. Please review and let me know if you have any questions or if I can provide some additional feedback. Thanks. Best regards, Phil
  15. Christiaan, sorry, I just saw this. I thought I had enabled the "follow the topic" option but apparently I had not, so I did not receive any notifications. I will generate a sample report using X-Ways and send you a copy. This should give you a better idea of what I was describing. I can't do this right now, but I should be able to get it done in a day or so.
  16. Adam, thanks for the feedback. As you say, the workarounds have their issues. And I'm not sure that I'll end up with what I think I should end up with. Like I said, I ended up exporting all the emails that fall within the time period of interest and set up a new Intella case that contains these emails only. I'm now running the keywords and don't have to worry where the search hits are coming from, since my data set only includes the emails within the given time period. I really like your suggestion about a tick box option to include the email children when using a filter that only filters out emails. I wholeheartedly second that suggestion as an enhancement in a future release. Best regards, Phil
  17. I have to search the emails and attachments using a long list of keywords. However, I also have to restrict the hits I get to emails sent after a certain date. When I use a date filter, only the emails are searched, not the attachments. If I search the entire case for the keywords first and then apply the date filter on the emails, I'm not sure whether anything I export will include any hits in the attachments, and if so, whether the attachments are only those that were attached to emails after the date in question. I figured that the cleanest way to run this search is filter the emails on the date and export them to a PST. I can then set up a new Intella case to process only the emails exported to PST. That should work, but I would have thought that there has got to be a way to do this in the original Intella case I'm working with, without first having to export the emails. I'm probably missing something, but I'm not sure what. Any ideas or suggestions would be appreciated. Thanks.
  18. Thanks for the feedback, Adam. I thought it might have something to do with the fact that we keep on moving our examination drives, but the screen clipping I posted is from a drive that has not been moved since the case was created. And why this only happens to one case of the various cases listed in the case manager is another mystery. I hope the Vound folks can track this down, because it's a bit annoying.
  19. One of the biggest weaknesses of Intella, IMHO, is the fact that Intella cannot count the number of actual search hits and only counts the number of items that return search hits (e.g., if one document contains one or more search hits, it's only listed as one item in the hit count window). Furthermore, in order to review the individual hits, each document has to be opened, so that the search hits can only be reviewed one at a time and one document at a time. A table view that lists all the hits would be a lot easier to work with. If you're familiar with X-Ways you know what I mean. All search hits can be listed individually (one hit per row, irrespective of how many hits are in the same file); the user then has the option of listing one hit per file if desired. But more importantly, X-Ways adds a column that allows us to view the hits in context (e.g., surrounded by a number of bytes before and after the hit--the number of bytes preceding and following the hit can be readily adjusted). And nice, crisp HTML reports can be generated that not only show the hit in context, showing X number of characters before and after the hit, but can be customized to show all kinds of data about the file, including any internal file metadata found in MS Office files, etc. I was going to attach a sample report, but I don't see a way to attach a file to this post; I'd be glad to provide some samples as I'm not sure if I'm explaining it adequately in this post. Furthermore, I know I can generate reports in Intella but the output fields are rather limited. One glaring omission is a field that lists the search keywords that returned search hits in a particular file. (I know how to generate the Hit Count reports, but these don't tell me what search keywords can be found in a particular file.) So here's a short synopsis of what I would like to see in Intella:
      1. A table that lists each search hit per row (this table would provide a switch that would allow switching to one row per file as in the current table listing).
      2. A column in the table that lists each search hit preceded and followed by a number of characters (the number of characters should be adjustable). This column should be exportable to CSV, HTML, etc.
      3. More comprehensive options for generating reports, such as including all available internal file metadata in MS Office files, PDFs, JPGs, etc.
      4. A column that lists the keywords that return hits per file or per hit.
      5. The ability to generate columnar reports in HTML format (in addition to the HTML reports that are currently available).
      I'd be glad to discuss some of these enhancement requests in more detail and provide samples. Please let me know. Thanks.
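Posts 13, 14 and 19 above describe a hit-per-row table with adjustable context and per-document keyword lists. The script below is an added example of that reporting shape and is not Intella's, Vound's or X-Ways' code; the documents and keywords are constructed stand-ins for extracted email and attachment text, and the hit count vs. item count distinction the posts draw is made explicit in the output.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample documents (stand-ins for extracted email/attachment text).
DOCS = {
    "email_001.eml": "Re: invoice 4471. The invoice total is wrong; resend the invoice.",
    "memo.docx": "Wire transfer requested for invoice 4471. Second wire on Friday.",
    "notes.txt": "Nothing relevant here.",
}
KEYWORDS = ["invoice", "wire"]


def find_hits(docs, keywords, context=20):
    """One row per hit: document, keyword, character offset, and the hit shown
    in context (`context` characters before and after; adjustable)."""
    rows = []
    for name, text in docs.items():
        for kw in keywords:
            for m in re.finditer(re.escape(kw), text, flags=re.IGNORECASE):
                start, end = m.start(), m.end()
                snippet = text[max(0, start - context):end + context]
                rows.append({"document": name, "keyword": kw, "offset": start,
                             "context": snippet.replace("\n", " ")})
    return rows


def counts(rows):
    """Per keyword: (hit count, item count). Item counts are what a per-document
    listing reports; hit counts are what the per-hit rows add."""
    hits, items = defaultdict(int), defaultdict(set)
    for r in rows:
        hits[r["keyword"]] += 1
        items[r["keyword"]].add(r["document"])
    return {kw: (hits[kw], len(items[kw])) for kw in hits}


def keywords_per_document(rows):
    """Which keywords produced hits in each document (sorted, deduplicated)."""
    per_doc = defaultdict(set)
    for r in rows:
        per_doc[r["document"]].add(r["keyword"])
    return {doc: sorted(kws) for doc, kws in per_doc.items()}


def to_csv(rows):
    """Columnar export of the hit table, e.g. to hand to reviewers."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=["document", "keyword", "offset", "context"])
    w.writeheader()
    w.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    hits = find_hits(DOCS, KEYWORDS, context=15)
    print(to_csv(hits))
    print(counts(hits), keywords_per_document(hits))
```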
  20. Any idea why I get the same case listed in the case manager more than once? Sometimes it's two or three times, but other times the same case is listed a large number of times, as shown in the attached screen clipping. What's weird about this is that usually more than one case is listed in the case manager, but only one of these cases is listed multiple times. The other cases are only listed once. This is very strange and a bit annoying, as it can get confusing. Please let me know. Thanks.
  21. Yeah, we use TeamViewer but usually from outside the lab. Inside the lab we normally use RDP because it usually works nicely and on the 27" iMac or external Mac monitors for the MacBooks, it just blows up the window to take advantage of the full 27" monitor with automatic scaling and no need to set up anything else. TeamViewer doesn't scale nicely, and I have yet to figure out why some of the PCs simply will not scale up to take advantage of the full 27" monitors. In computers, nothing works the way it's supposed to work. We've built a horrendous house of cards...
  22. I said that turning it off solves the issue. But being able to share a folder on the MAC makes it easy to transfer files back and forth--so that's not really a good workaround. Furthermore, this still doesn't explain why this is only an issue with Intella. I sure hope this can be fixed since this problem only happens with Intella.
  23. I have no idea how to turn off remote resource mapping (no feature or setting by that name exists under the RDP client app, either the app for Windows or the one for Mac OS X). I did some additional testing and found that this error occurs when we're using RDP from a Mac computer (using RDP from another Windows PC did not generate this error). The RDP client app we're using on Macs is the app that has been released by Microsoft for Mac OS X. In the RDP app's settings there is an option to make Mac disk drives or folders available to the Windows computer. We use a designated folder on the Macs to be able to quickly copy files back and forth between the two computers. Apparently, this is what's causing Intella to choke when it tries to read the computer tree on the Windows host. Disabling the shared folder for the RDP file on the Mac does not cause Intella to choke and generate the fatal exception error. Is this something that can be fixed from your end? Like I said, Intella is the only product that's causing this exception error when using the RDP app on our Macs to access our Windows-based examination stations. All the other forensic apps we use (EnCase, X-Ways, IEF, etc.) have no problems opening up a Windows Explorer window within the forensic app and displaying the computer tree. I can send you the complete logs if you wish.
      But I think these are the relevant log entries:
      [ERROR] 2015-01-21 16:42:13,904 [FileNodeExpander] Uncaught exception
      java.lang.InternalError: Unable to bind C:\Program Files\Vound\Intella 1.8.2\ShellFolder to parent
          at sun.awt.shell.Win32ShellFolder2$4.call(Win32ShellFolder2.java:413)
          at sun.awt.shell.Win32ShellFolder2$4.call(Win32ShellFolder2.java:398)
          at sun.awt.shell.Win32ShellFolderManager2$ComInvoker.invoke(Win32ShellFolderManager2.java:540)
          at sun.awt.shell.ShellFolder.invoke(ShellFolder.java:514)
          at sun.awt.shell.Win32ShellFolder2.getIShellFolder(Win32ShellFolder2.java:398)
          at sun.awt.shell.Win32ShellFolder2.access$200(Win32ShellFolder2.java:72)
          at sun.awt.shell.Win32ShellFolder2$9.call(Win32ShellFolder2.java:698)
          at sun.awt.shell.Win32ShellFolder2$9.call(Win32ShellFolder2.java:680)
          at java.util.concurrent.FutureTask.run(FutureTask.java:262)
          at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
          at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
          at sun.awt.shell.Win32ShellFolderManager2$ComInvoker$3.run(Win32ShellFolderManager2.java:513)
          at java.lang.Thread.run(Thread.java:745)
      I hope that this can be somehow fixed. Please let me know.
  24. Thanks for the feedback. But I don't understand why RDP would cause this problem. I presume that Intella uses the same Windows Explorer API that every other app uses, and we don't have any problems running Windows Explorer through Windows or any other app while in RDP mode. Furthermore, this is not a matter of Intella being slow to display the computer tree. We get a fatal exception error (see the screen clipping that was attached to my original post at the top of this thread). In other words, this sounds like a bug to me in Intella rather than anything else. You are correct that RDP seems to be causing this error, as it's not happening when running Intella on the host PC directly. However, this still does NOT explain why this fatal exception error should be happening when accessing the host machine in RDP mode. I sure think that this is an Intella bug, since this problem does not happen with all our other software. We run everything in RDP mode as all our examination stations are located in the server room and we access them via RDP from other computers either inside or outside our local network. I sure hope that this can be fixed as it presents us with quite a dilemma, given the setup in our lab. Please advise.
  25. Thanks for the replies. Yes, I'm on RDP. There should only be one mapped drive on the host machine to the file server. And I don't believe that it takes an unusually long time to shut down the system, although we have several examination stations in the lab, so it's hard to keep track of how each one behaves. Why would RDP make a difference? I have no issues accessing the Windows Browser MAPI through other apps or Windows. Why should this make a difference for Intella?