Jump to content


  • Posts

  • Joined

  • Last visited

  • Days Won


Kalin last won the day on September 24 2020

Kalin had the most liked content!

Profile Information

  • Gender
    Not Telling

Recent Profile Visitors

632 profile views

Kalin's Achievements


Newbie (1/14)

  • Week One Done
  • One Month Later
  • One Year In Rare

Recent Badges



  1. In a few places, URLs are shown in single or as a list. It will be great to have an option to unescape them, like: https://www.bing.com/search?q=%E6%97%A5%E6%9C%AC%E8%AA%9E -------> https://www.bing.com/search?q=ζ—₯本θͺž (Funny enough this forum does that if I choose "paste as plain text" which is wrong interpretation!)
  2. It will be a good idea to show the source of the location data (e.g. in Insight view). It can be from picture metadata, or may be IP address mapping, or something else (what). A small icon, or tooltip will be a good start.
  3. I recently looked into Magent Axiom and the Artifact Exchange ( https://www.magnetforensics.com/blog/artifact-exchange-now-open/ ). Is there any way to be able to import an XML report from Axiom and use some of those artifacts?
  4. It will be great to have the map display center on some configurable point and have some default zoom. Or is there any way to hack around that at the moment?
  5. Some kind of API (RESTful is fine) would be great, to any "non-viewer" product of Vound! BTW, it is getting a bit messy (marketing-wise so to say) on what is what, I am suspecting code-wise there are few components that get packaged in various combinations. For my own sake I call them: front-end (allows shared access to case): Connect/Connect+, TeamManager back-end (processes/indexes new data and makes a case): Node, Pro/250/100/10, TeamManager viewer (allows searching, tagging, comments, export when connected to a front-end or directly opening (single-user) a case on disk): Viewer, WebUI_for_conect So, API for the front-/back-end may greatly simplify complex usage and repetitive (i.e. compliance-solid and auditable workflows). And I am sure there is already API, since viewers communicate with back-ends, it is just not exposed πŸ˜„ I thought a few times over the authorization with AD/LDAP and I think (maybe) it would not be that complicated to add it as it stands now. All that is needed is to define the LDAP query per case (and save that in case template). I am referring to https://www.vound-software.com/docs/connect/2.2.2/admin/04_03_02_ldap_guide.html#customized-ldap-queries So, say for department_A cases, something along the lines of: Query base DN: OU=ConnectUsers,OU=Users,OU=MyBusiness,DC=site,DC=local Query filter: (&(&&USERNAME_ATTRIBUTE&&=&&USERNAME_VALUE&&)(memberOf=CN=department_A,CN=Builtin,DC=site,DC=local)) In a way, demoting some of the LDAP config (or all if it's easier) from global to per-case-local and using the default global, if not overridden. I'd be interested to know how other users deal with this (mapping Connect users to OUs) currently.
  6. Going through the 2.2.2 Administrator manual, I've been thinking: Can Connect use LDAP/AD for authorization or only for authentication? In other words, is there a (sane) way to map some attributes in an external directory to the permissions used in Connect? Anybody doing that? https://www.vound-software.com/docs/connect/2.2.2/admin/04_01_user_management.html#permission-types I can probably see a helpful "one-liner" script that queries AD and nudges the Connect setup, although that will be a hack I wouldn't be proud of. The use case I am thinking is a large organisation (say 100 departments), each manager can create cases and each user within the department can by default view cases only in their department. Can this be achieved so that when a user switches departments, s/he looses access to the cases in hte old department and gains access to the ones in the new department automagically (without messing with Connect settings)? BTW, is CLI in Connect or coming (saw it in recent Pro/Team)?
  7. Excel should not be abused for text processing πŸ˜„ AFAIR, Notepad++ supports PCRE, so it should be possible to filter URLs. For example of a full URI PCRE see https://stackoverflow.com/questions/161738/what-is-the-best-regular-expression-to-check-if-a-string-is-a-valid-url/190405#190405 You should also be able to run Content Analysis facet with some regex for URLs, then export values. Hopefully the facet will some day support full PCRE.
  8. Of course a way to store/export/import all those UI settings and set by default or per project is also being taken care of?
  9. The only project that comes to mind is OpenNMT and related and Systran products (that use it): https://github.com/OpenNMT But it still requires training and human-translated samples and is not a simple DLL that one can use offline. If you know of any other products/projects, feel free to share.
  10. "top 10/100 Web searched keywords", in Insight or as standard facet (under contents analysis)? This may be a next-level extraction after browser artefacts are ready, e.g.: https://www.google.com/search?source=hp&q=cat https://www.facebook.com/search/top/?q=cat ... => cat [32] <-- "cat" was searched 32 times NOTE: make sure you URLdecode parameters, there is more than English out there. Of course the list of search providers can only grow and grow, so proper internal infrastructure is needed. As an even more generic idea, things like file search in Windows (MRU, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery) and potentially other sources 😁(fgrep find /{root,home/*}/.bash_history on linux images)😁
  11. APFS support for disk images! It is getting closer to merging with sleuthkit (I hope) https://github.com/blackbagtech/sleuthkit-APFS
  12. I recently got asked for a "thumbnail report", i.e. extract certain items and some of their metadata (e.g. ID, file_name) and print them in a grid (say 4x5 on A4)... While it looked easy, I couldn't think of way to do it directly in Intella and resorted to exporting metadata and native format images, then abusing imagemagick to thumbnail them and "simple" Perl/bash "one-liners" for the final layout. Mess! Is there another (internal) way? Are those thumbnails (in thumbnail pane) exportable? Is there any way to have other thumbnails for non-image files? Video may be obvious, but things like PPTX, PDFs (title pages), etc. also come to mind. Finally being able to put that thumbnail in the PDF report somehow would be great! (this sounds more like a feature request, that is why I moved it here)
  13. Thinking of a 0.5PB RAID5 evidence storage for a TEAM installation on Windows Server, is there anything for/against ReFS? Performance? Anybody tested/running with ReFS?
  14. This is from the just released 2.2.2, release notes πŸŽ‰πŸΎπŸŽŠ
  15. This sounds a bit strange, may be have a look again at that identified item that triggers it. What is the structure as Intella sees it (e.g. the tree tab in the preview)? The closest I had to this (I was called to triage similar situation) was caused by some complex document, I think it was TXT (with the keyword), embedded in a DOCX, attached in e-mail. So while the keyword hit was indeed "in the Word document" and it looked right especially in the native view, there was one extra level involved. I usually told people to repeat the "Show Parent Email" command on the generated set and see if it behaves as they expected. I guess a TXT file attached within EML file attached to another e-mail (in a PST folder) might also produce expected, but not obvious results. Finally, make sure there are no filters involved (Exclude/Include) and deduplication is off. And if none of the above helps, open a ticket πŸ˜„
  • Create New...