Everything posted by philrodo

  1. OK, this has been going on for a while now with earlier versions of Intella. I had hoped that version 1.8+ would have fixed this by now. When adding a source file/folder to be processed in Intella, navigating the file path either results in an error or produces a spinning wheel that takes forever to show the path in Intella's Windows Explorer window. (See attached screen clipping.) The workaround we normally employ is to manually enter the file path on the "Selected Folder" line. But this is a pain and doesn't avail us the opportunity to navigate the path, using the Windows Explorer window. This is a rather basic flaw. I can't believe that this only happens on our computers and that no one else hasn't run into this problem before. Is there a fix for this and if not, when can we expect that it will be fixed? Please let me know. Thanks.
  2. Thanks for following up. The problem with OneNote is that it's included in Microsoft Office. So even though not many users of MS Office use OneNote (or don't even know about this app) you occasionally come across organizations where the entire company is using this app. I'm working on such a matter right now, as a matter of fact. OneNote has been distributed by MS for years now, yet I have not been able to find one forensic tool that supports the OneNote format. How can any forensic tool be complete when they don't support the entire MS Office suite of apps, which is used by just about every business today?
  3. Does Intella support MS OneNote Notebook files? Can they be indexed, searched and exported like other MS Office files? If not, how do we handle OneNote files? Please advise. Thanks.
  4. What is the difference between the email addresses captured in the SENDER and the FROM fields? From what I've read in the user manual, the Sender field may be populated in cases where the message author used a mailing list for distribution of the message. Are there exceptions to this? I have run into a rather perplexing situation, as follows: A number of messages were sent from User_A@domain.TLD to various addressees, all show a different email address in the Sender field, i.e., User_B@domain.TLD. Both User_A and User_B are members of the same organization and have mailboxes on the domain.TLD mail server. But User_B@domain.TLD was not included in the correspondence of these messages (i.e., was not a recipient of the messages). So how does the "User_B@domain.TLD" email address get captured as the Sender whereas in fact the messages in question all originated from "User_A@domain.TLD"? Please advise ASAP as I'm being asked this question by the client and I'm at a loss as to how to explain this.
  5. Thanks, that makes some sense. However, I still think that my point is valid. That is, there is no way of knowing exactly what was exported and how it relates to the items that are stored in the PST. We really need to be able to correlate the items exported as counted by Intella to the items found in the PST. Right now, I don't know of a way to do that and I don't believe it's possible. Also, the fact that we're talking about a 20,000+ difference in emails (i.e., emails as reported by Intella in the Communications Type facet) and the total emails and other items exported to the PST, I'm having a hard time assuming that some 20,000+ items involve forwarded messages. In other words, we have to assume that everything Intella does when exporting various items is done correctly, with no independent means of verifying what it did. Am I missing something?
  6. Thanks for the replies, but the numbers still do NOT make sense. Here's a countdown (the default export to PST settings were used):

     1. Total items in dataset: 300,000+
     2. Unique items in dataset: 109,000+
     3. Exported items (all unique items selected): 107,000+
     4. Total Communications in Type Facet: 62,000+
     5. Total Scheduling in Type Facet: 3,000+
     6. No tasks or notes reported in Type Facets
     7. Reported Export Errors: 10 or 20 (I don't recall the exact number, as shown upon conclusion of export)
     8. Reported Export Errors in export report: 900+

     So if we assume that the difference is being caused because Intella counts all items exported from the dataset, the 2,000 item difference between items No. 2 and No. 3 above, doesn't make sense. As far as unique Outlook items go (e.g., emails, contacts, tasks, calendar and notes), the total exported should be about 65,000+ (i.e., the total between items No. 4 and No. 5 above). But worse, when I export all the 109,000+ items of which Intella reports there ought to be 62,000+ (emails/contacts) and 3,000 (scheduling) for a total of 65,000+, Intella only exports 38,000+ items as counted by Outlook (when exporting everything into the same folder). OK, I understand that by dumping all items into one folder, I'm excluding folders which are counted by Intella, but these only comprise about 2,000+ items, so we're only up to about 40,000+ Outlook items. Whereas Intella says I should be getting some 62,000+ in emails alone. Sure wish we got more explicit reports of exactly what takes place during export. For example, a table that gave all the relevant stats of what was exported would be a great start and how individual items relate to emails, calendars, etc. as counted by Outlook. The CSV, HTML, & PDF export reports report various items as counted by Intella but there is no way to match these to the items that are exported to the PST as seen by Outlook.

     Furthermore, when saving the export report to CSV, long email lists are not delimited properly and mess up the CSV import into Excel (e.g., two or three rows of emails show up under an export record). Bottom line is that I never feel comfortable with what Intella is exporting because when exporting large item counts, there is no way to easily verify the output. Am I missing something or are we to assume that everything works as designed and not worry about the validity of the exported counts?
  7. Here's an interesting question. I have a case where Intella tells me it contains some 300,000+ items (several PSTs and OSTs from the same custodian were added to this case). So I select all the items and de-dupe them. Intella reports that there are 109,000+ unique items. So I select all the unique items and I export them to one PST file. Intella exports 107,000 items (it reported a few errors but no more than 10 or 20 errors). So the question is, what happened to the 2,000 or so files that were not exported? If there are 109,000+ unique items, shouldn't I expect that Intella would export a similar number, minus any items that generated errors? Sometimes I feel like I'm dealing with black magic... <sad smile>
  8. Thanks. By now, I've set up a new Intella case and reprocessed some 70+ PSTs. I added them to the case in small batches and that seemed to have done the trick. I've seen this before, when you dump a larger number of PSTs to Intella it crashes. Yet, when you reprocess the same PSTs in small batches, everything works just fine. Obviously, this doesn't make much sense and there must be something wrong with the fault tolerance in the app (e.g., when the error threshold during the same processing session is exceeded, Intella crashes). I wish you could all pinpoint what causes some of these crashes during processing.
  9. 1. WDC WD1002FAEX-00Y9A0 ATA Device -- is the C:\ volume which is also used by Intella for Temp files. 2. WDC WD5003AZEX-00MK2A0 ATA Device -- is the Source drive that contains the PSTs. 3. WDC WD2002FAEX-007BA0 ATA Device -- is the drive where the Intella case folder is stored at. So three drives are used in total. One to read, one for temp files, and one for the case file. All three drives are SATA III and are connected directly to the MB. Any other questions?
  10. Any feedback on this? PS. This is what I hate about this forum, the feedback from tech support is hit and miss...
  11. There may be 3 billion devices that are running Java (although I'm sure that this number is marketing hype), but they're all going to be in the same boat when Oracle abandons its development. See: http://www.infoworld.com/d/application-development/oracle-hasnt-killed-java-theres-still-time-247823 It's kind of hard to run scanpst when you're dealing with more than 100 PSTs. I'm not sure what you want to see from the speccy, but here's the hyperlink to the specifications generated by this app: http://speccy.piriform.com/results/zVDhvdropEXoYoaAD0tfMk0 Anti-virus has been disabled. I'm not sure what you mean by 1. Source 2. Case folder Please let me know. Thanks.
  12. I'm not 100% certain as the PSTs were provided by the client. But from the discussions that I had with them, I figured they used the tools provided by Exchange, like ExMerge or ExportMailbox.
  13. Interesting. Thanks. PS. I'm getting more than 4,000 encrypted files as reported by Intella of which more than 1,700 were decrypted. Hard to believe that so many files are using a blank password. Go figure...
  14. No other processes were running, other than ProcessExplorer and system stuff. I'm dealing with more than 100 PSTs that were exported from mailboxes running on the same Exchange server and everything about them is producing problems. I have to process them in small batches otherwise Intella crashes. Thousands of exception errors, very slow processing of PSTs, etc. And now the crashing of Intella backups. It seems to me that Intella is not very stable when encountering anomalies... Perhaps that's due to the Java platform, which I really dislike--we can't get rid of Java and Flash fast enough. Thankfully, Oracle and Adobe are doing their share in killing these products. I wonder what Vound, Nuix, & others will do when Java is abandoned by Oracle? ...
  15. Intella keeps on reporting that it found encrypted items some of which it was able to decrypt while others it was not. I'm dumbfounded as to where this information is coming from. I have provided no passwords to Intella to decrypt anything. So if these files are indeed encrypted, how is Intella decrypting them?
  16. Like I said, I hadn't tried the backup option before, as I was copying the Intella data folder. I tried the backup option the other day on two different cases and Intella promptly crashed. You sure that backup option works?
  17. Adam: Thanks for the feedback. But I keep on processing more and more PSTs (all from the same server) and I keep on getting the same slow speeds. And frankly, in our experience processing speed with Intella is a hit or miss proposition--sometimes, it's relatively fast, other times it's painfully slow. And sometimes, it keeps on crashing and won't process a large number of files, which then have to be broken down into bunches to feed into Intella... Although we're a long way from the early days of Intella where it was painfully slow, processing still remains a hit and miss proposition. Yeah, we can blame it on corrupt data, but that's the data we have to process... Best regards, Phil
  18. I started a new case in Intella yesterday and had it process and index 14 PSTs totaling 43 GB. It took Intella more than 10 hours to process at an average speed of 853 items per minute. Isn't this awfully slow? It also produced some 69K+ exception errors, which I haven't looked at yet. This is on a pretty fast machine, i7 eight-core, 16 GB of RAM (of which Intella never used more than 5-6 GB when I checked it and CPU usage was hardly maxed, although at most times all eight cores were being used by Java). We also used three drives on the machine, one to read the PSTs from, the C:\ volume to temporarily write/read the items to, and another drive to write the Intella case to. All three drives were SATA drives directly connected to the computer. So what will cause this slow processing speed? Is there a way to improve on the processing speed?
  19. Yes, it does break the workflow, at times. For example, we have processed a bunch of PSTs into another Intella case right now. Now they're asking us to reprocess some of the same PSTs. If I move them from the folder into a new folder, then the old case will lose its link to the PSTs (yes, I know I can re-establish the link, but it gets messy particularly if you're dealing with large numbers of PSTs). That's another reason why it would be so useful if we could add and remove PSTs and other files from Intella cases and also have the option to combine Intella cases. I know we can add new PSTs and other files to an existing Intella case, but as far as I know, there is no way to remove a PST or other files once it's been added to the case. If we were able to remove PSTs, that would have saved me countless hours of re-processing. (Yes, I know I can exclude PSTs from being searched inside Intella, but when you have to exclude large numbers of PSTs it becomes messy and prone to errors.) Thank you for following up.
  20. I realize that when processing multiple PSTs we can process them all together by telling Intella to process the contents of a folder. But quite frequently, we get a bunch of PSTs from a client and they then tell us to only process a few of them (they may later come back and ask us to process some more). Unfortunately, when you add a PST/OST to Intella for processing, you can only add one file at a time. It would be great if Intella would allow us to select multiple PST/OSTs from the same folder, by selecting multiple files, either when holding the Ctrl key to select different files one at a time that are not in order or by holding the Shift key to select the first and the last file in a given order. This is a standard Windows API, so I'm not sure why Intella doesn't behave accordingly. Can you please consider adding this feature soon? I've been meaning to post this request many a time before, but keep on forgetting about it. Please let me know.
  21. Chris: Sure would love to see the ability to combine cases, ASAP. We often find that on large data jobs, Java has a tendency to crash for some reason. When we break up the data into smaller chunks, Intella manages to complete processing of the data. However, we're then left with two or more separate Intella cases, meaning that we not only have to run the same searches two or more times, but there is no effective way to de-dupe the data contained in the different Intella cases, absent of exporting the search results from the different cases and reprocessing the exported data into a new Intella case--while keeping our fingers crossed that Intella will complete the processing without Java crashing. (Frankly, I hate the fact that Intella runs on Java but no one else seems to be concerned about that, but that's another story...) While I have your attention, is there a difference in having Intella create a backup of a case than manually copying the Intella case folder?
  22. Adam: These were user mailboxes that were exported from Exchange in PST format. Now that we've loaded them into Intella in smaller batches, we are able to review them; we found a lot of SPAM messages that included malware attachments (ZIP Archives, EXEs, etc.). I suspect that some of these attachments were causing problems during the processing/indexing phase, although I have no idea why we were able to process the same PSTs in smaller batches, but couldn't process them all at once. I'm familiar with Zimbra. I didn't realize that Zimbra uses PST and OST files on the user's workstations. In a case I had about two years ago, the client's IT folks had exported the user's mailboxes into ZIP archives that contained a mix of EML and some HTML items. We attempted to process these in Intella, but found a lot of inconsistencies in the email headers, meaning that for a large percentage of emails the actual file path could not be determined so that Intella was dumping these in the root folder. After exchanging emails and calls with Peter Mercer, he advised attempting to convert the emails to a different format before importing into Intella. We used aid4mail and converted everything into Mbox format. We then were able to process the Mbox files. This left me wondering if aid4mail could process these emails and convert them to Mbox, why was Intella having such a hard time processing the original EML & HTML items exported from the Zimbra server; but at that point I was glad we were able to complete the job, so it really didn't make a difference any longer. I should also mention that we had recovered a bunch of PST and OST files from the .e01 images of the custodians' workstations. Since the organization was using Zimbra as its mail server, I presume that the PST and OST files originated from the workstations' connection to the Zimbra mail host. As I recall, we had no issues in processing these PST and OST files, which required no conversions or running scanPST. Strange, eh?
  23. aid4mail does a very good job with IMAP collections. I haven't tested Thunderbolt. But we tested Outlook and found that it was consistently only downloading anywhere between 60% to 80% of all the messages we were getting through aid4mail from the same mailbox. Incidentally, every time we tried using Intella to do an IMAP collection it failed or timed out. So I'm not sure this feature even works, does it?
  24. Is there a way to combine two or more Intella cases into one new case? We had an issue processing a number of PST files as Java kept on crashing, so we processed them in four batches and that seemed to have done the trick so that the processing completed. However, we now would like to combine the four separate Intella cases so that we don't have to run the same searches four different times (which also means that we'll probably end up with some (lots?) of duplicates). I'm thinking that we can export the search hits from each case to four separate PSTs and then re-process the exported PSTs into a new Intella case. But that will be kind of awkward and time consuming. That's why I'm hoping there is a way to combine the four separate Intella cases into one. Is that even possible? Please let me know. Thanks. Best regards, Phil
  25. I'm using a keyword that is using a proximity search. Basically, I want to see the first name within so many words of the last name. The search syntax I use is: "firstname lastname"~5 Intella correctly highlights instances where the text is depicted as: "Ms firstname lastname" However, Intella also highlights the first and last names shown in an email address, i.e., the entire email address is highlighted as a search hit: "firstname.lastname@abc.com" Actually, the email addresses get highlighted as a search hit irrespective of the proximity search. In other words the search phrase "firstname lastname" returns a search hit on the email address shown above. Why is Intella highlighting the email address as a separate hit under these conditions? Is there any way to exclude the emails from appearing as search hits when using proximity or phrase searches? Please advise. This is critical in a project I'm currently working on. Thanks. Best regards, Phil