Kalin

Members
  • Content Count: 22
  • Community Reputation: 0 Neutral
  • Rank: Member
  • Gender: Not Telling
  • 227 profile views

  1. Some kind of API (RESTful is fine) would be great, to any "non-viewer" product of Vound! BTW, it is getting a bit messy (marketing-wise so to say) on what is what, I am suspecting code-wise there are few components that get packaged in various combinations. For my own sake I call them:
     • front-end (allows shared access to case): Connect/Connect+, TeamManager
     • back-end (processes/indexes new data and makes a case): Node, Pro/250/100/10, TeamManager
     • viewer (allows searching, tagging, comments, export when connected to a front-end or directly opening (single-user) a case on disk): Viewer, WebUI_for_connect
     So, API for the front-/back-end may greatly simplify complex usage and repetitive (i.e. compliance-solid and auditable workflows). And I am sure there is already an API, since viewers communicate with back-ends, it is just not exposed 😄
     I thought a few times over the authorization with AD/LDAP and I think (maybe) it would not be that complicated to add it as it stands now. All that is needed is to define the LDAP query per case (and save that in the case template). I am referring to https://www.vound-software.com/docs/connect/2.2.2/admin/04_03_02_ldap_guide.html#customized-ldap-queries
     So, say for department_A cases, something along the lines of:
     Query base DN: OU=ConnectUsers,OU=Users,OU=MyBusiness,DC=site,DC=local
     Query filter: (&(&&USERNAME_ATTRIBUTE&&=&&USERNAME_VALUE&&)(memberOf=CN=department_A,CN=Builtin,DC=site,DC=local))
     In a way, demoting some of the LDAP config (or all if it's easier) from global to per-case-local and using the default global, if not overridden. I'd be interested to know how other users deal with this (mapping Connect users to OUs) currently.
  2. Going through the 2.2.2 Administrator manual, I've been thinking: Can Connect use LDAP/AD for authorization or only for authentication? In other words, is there a (sane) way to map some attributes in an external directory to the permissions used in Connect? Anybody doing that? https://www.vound-software.com/docs/connect/2.2.2/admin/04_01_user_management.html#permission-types I can probably see a helpful "one-liner" script that queries AD and nudges the Connect setup, although that will be a hack I wouldn't be proud of. The use case I am thinking of is a large organisation (say 100 departments), each manager can create cases and each user within the department can by default view cases only in their department. Can this be achieved so that when a user switches departments, s/he loses access to the cases in the old department and gains access to the ones in the new department automagically (without messing with Connect settings)? BTW, is CLI in Connect or coming (saw it in recent Pro/Team)?
  3. Excel should not be abused for text processing 😄 AFAIR, Notepad++ supports PCRE, so it should be possible to filter URLs. For an example of a full URI PCRE see https://stackoverflow.com/questions/161738/what-is-the-best-regular-expression-to-check-if-a-string-is-a-valid-url/190405#190405 You should also be able to run the Content Analysis facet with some regex for URLs, then export values. Hopefully the facet will some day support full PCRE.
  4. Of course a way to store/export/import all those UI settings and set by default or per project is also being taken care of?
  5. The only project that comes to mind is OpenNMT and related and Systran products (that use it): https://github.com/OpenNMT But it still requires training and human-translated samples and is not a simple DLL that one can use offline. If you know of any other products/projects, feel free to share.
  6. "top 10/100 Web searched keywords", in Insight or as standard facet (under contents analysis)? This may be a next-level extraction after browser artefacts are ready, e.g.:
     https://www.google.com/search?source=hp&q=cat
     https://www.facebook.com/search/top/?q=cat
     ...
     => cat [32] <-- "cat" was searched 32 times
     NOTE: make sure you URL-decode parameters, there is more than English out there. Of course the list of search providers can only grow and grow, so proper internal infrastructure is needed. As an even more generic idea, things like file search in Windows (MRU, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery) and potentially other sources 😁(fgrep find /{root,home/*}/.bash_history on linux images)😁
  7. APFS support for disk images! It is getting closer to merging with sleuthkit (I hope) https://github.com/blackbagtech/sleuthkit-APFS
  8. I recently got asked for a "thumbnail report", i.e. extract certain items and some of their metadata (e.g. ID, file_name) and print them in a grid (say 4x5 on A4)... While it looked easy, I couldn't think of way to do it directly in Intella and resorted to exporting metadata and native format images, then abusing imagemagick to thumbnail them and "simple" Perl/bash "one-liners" for the final layout. Mess! Is there another (internal) way? Are those thumbnails (in thumbnail pane) exportable? Is there any way to have other thumbnails for non-image files? Video may be obvious, but things like PPTX, PDFs (title pages), etc. also come to mind. Finally being able to put that thumbnail in the PDF report somehow would be great! (this sounds more like a feature request, that is why I moved it here)
  9. Thinking of a 0.5PB RAID5 evidence storage for a TEAM installation on Windows Server, is there anything for/against ReFS? Performance? Anybody tested/running with ReFS?
  10. This is from the just released 2.2.2, release notes 🎉🍾🎊
  11. This sounds a bit strange, maybe have a look again at that identified item that triggers it. What is the structure as Intella sees it (e.g. the tree tab in the preview)? The closest I had to this (I was called to triage a similar situation) was caused by some complex document, I think it was TXT (with the keyword), embedded in a DOCX, attached in e-mail. So while the keyword hit was indeed "in the Word document" and it looked right especially in the native view, there was one extra level involved. I usually told people to repeat the "Show Parent Email" command on the generated set and see if it behaves as they expected. I guess a TXT file attached within an EML file attached to another e-mail (in a PST folder) might also produce expected, but not obvious results. Finally, make sure there are no filters involved (Exclude/Include) and deduplication is off. And if none of the above helps, open a ticket 😄
  12. Well, nothing beats (human) reviewers that know the language in question 😄 in speed-performance and quality; budget-wise it may not be the best option, if at all available (e.g. time-space constraints, confidentiality, etc.) I'd always try to find somebody with good command of the language and train them in Intella (1 hour training + 3-4 hours sitting in the same room), let them sift through the material and tag what might be important. Filter out, deduplicate, etc. something (based on budget) and have it translated by a professional. Then add as a new source and index (and make sure you get the same filenames/types). You may need to repeat the process a few times. And if you are still looking for someone fluent in Japanese and Intella, just ping me directly.
  13. From the 2.2 release notes:
     • Added a Show Family search option. This new operation effectively combines the Show Parents and Show Children operations into a one-click operation, by determining for the selected item(s) the top-level parents and all their nested items. This also relates to the Families column in the Keywords tab and the Family Date field.
     • The functionality for determining the top-level items now takes databases into account, so that these will not be the top-level items anymore. The Load File and Cellphone items are now captured into a single Forensic Containers category.
     • Added a Features facet category that returns all top-level items.
     Will that somehow ease gsnyder's task, or does the ZIP need to be extracted as suggested?
  14. I know this is not a ticket system, but can topics be merged somehow? e.g. this topic can be merged with http://community.vound-software.com/index.php?/topic/472-pause-indexing/
  15. Yes, we really need a "Pause/Stop Indexing of this source" button and an "Abort Immediately indexing of this source" button. The first should only stop at proper "borders" and complete the indexing of the "current items". The second - I would say abort immediately, leaving the source being indexed in a consistent state (before this round of indexing was started, i.e. throw out all new data since it hasn't been merged yet). If many sources were re-/indexed, this should only affect the current source. The "Pause" may take a long time, e.g. indexing a 20GB PST file, but... this can be improved, depending on how granular the re-index function is (e.g. will it stop at folders in PST, despite the PST file having the same MD5 (due to being interrupted)). I guess introducing a partially_indexed flag for each item can be a saver.
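Post 6 above sketches a "top searched keywords" extraction from browser-history URLs and warns that the query parameters must be URL-decoded. The following is an added example, not code from the original posts or from Vound/Intella, of that extraction in Python: a constructed provider table (host pattern, results-page path, query parameter), percent-decoding of the search string via the standard library, and a tally rendered in the post's "cat [32]" format. The sample URLs are constructed, the provider table is an assumption, and the path check deliberately ignores same-host URLs that are not searches (e.g. google.com/url?q=... redirects).

```python
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed provider table (not an Intella facet definition): host pattern ->
# (path prefix of the results page, query parameter carrying the typed search string).
# A trailing "." on a pattern means "any host label equals this", so google.com,
# google.co.uk and www.google.de all match; other patterns match the host or a subdomain.
SEARCH_PROVIDERS = {
    "google.": ("/search", "q"),
    "bing.com": ("/search", "q"),
    "duckduckgo.com": ("/", "q"),
    "search.yahoo.com": ("/search", "p"),
    "facebook.com": ("/search/", "q"),
    "youtube.com": ("/results", "search_query"),
}


def _host_matches(host, pattern):
    if pattern.endswith("."):
        return pattern[:-1] in host.split(".")
    return host == pattern or host.endswith("." + pattern)


def search_term(url):
    """Return (provider pattern, normalised search string) for a results URL, else None.

    parse_qs percent-decodes the value as UTF-8 and turns '+' into a space, so a
    non-English search comes out as readable text rather than %E3%81%AD... sequences.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    for pattern, (path_prefix, param) in SEARCH_PROVIDERS.items():
        if not _host_matches(host, pattern):
            continue
        # Same host but a different path (e.g. google.com/url?q=... redirects) is not a search.
        if not parts.path.startswith(path_prefix):
            return None
        values = parse_qs(parts.query, keep_blank_values=False).get(param)
        if not values:
            return None  # results page reached without a query string
        term = " ".join(values[0].split()).casefold()  # collapse whitespace, fold case
        return (pattern, term) if term else None
    return None


def count_search_terms(urls):
    """Tally search strings across all providers, as a 'top searched keywords' facet would."""
    counts = Counter()
    for url in urls:
        hit = search_term(url)
        if hit:
            counts[hit[1]] += 1
    return counts


def format_report(counts, top_n=10):
    """Render lines like 'cat [32]' for the most frequent terms."""
    return [f"{term} [{n}]" for term, n in counts.most_common(top_n)]


# Constructed sample of browser-history URLs (not real evidence).
SAMPLE_URLS = [
    "https://www.google.com/search?source=hp&q=cat",
    "https://www.google.co.uk/search?q=Cat&oq=cat",
    "https://www.facebook.com/search/top/?q=cat",
    "https://duckduckgo.com/?q=cat&t=h_",
    "https://www.bing.com/search?q=cat+food",
    "https://www.google.com/search?q=%E3%81%AD%E3%81%93",  # Japanese, percent-encoded UTF-8
    "https://www.youtube.com/results?search_query=cat+videos",
    "https://www.google.com/url?q=https://example.invalid&sa=t",  # redirect, not a search
    "https://www.google.com/search?q=",  # empty query, ignored
    "https://example.invalid/search?q=cat",  # unknown provider, ignored
]

if __name__ == "__main__":
    for line in format_report(count_search_terms(SAMPLE_URLS)):
        print(line)
```

Running the block prints `cat [4]` first, with the Japanese term counted as readable text. Adding a provider is a one-line table entry, which is the "proper internal infrastructure" the post asks for; the same tally function could be fed the WordWheelQuery values the post mentions once they are decoded separately.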
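Post 1 above proposes demoting the customized LDAP query from a global setting to a per-case one, with the global query as the fallback, and shows a department filter using the &&USERNAME_ATTRIBUTE&& / &&USERNAME_VALUE&& placeholders. The following is an added example in Python, not Connect's own code and not based on how Connect actually substitutes those placeholders (that is an assumption here): it models the per-case override with global fallback, renders the post's filter, and escapes the username per RFC 4515 so that a supplied value can only ever be matched as a value and never rewrite the filter. The case IDs, the sAMAccountName attribute and the second base DN are constructed.

```python
# RFC 4515, section 3: characters that must be escaped inside a filter assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a string so it is matched as a value and cannot alter the filter structure."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


# Global LDAP settings (constructed; base DN and filter shape follow the post's example).
GLOBAL_LDAP = {
    "base_dn": "OU=ConnectUsers,OU=Users,OU=MyBusiness,DC=site,DC=local",
    "username_attribute": "sAMAccountName",  # assumed attribute name
    "filter": "(&&USERNAME_ATTRIBUTE&&=&&USERNAME_VALUE&&)",
}


def department_filter(department_cn):
    """The post's per-department filter: user must match AND be a member of the department group."""
    group_dn = f"CN={escape_filter_value(department_cn)},CN=Builtin,DC=site,DC=local"
    return f"(&(&&USERNAME_ATTRIBUTE&&=&&USERNAME_VALUE&&)(memberOf={group_dn}))"


# Hypothetical per-case overrides (as they might be stored in a case template);
# an empty dict means "use the global settings unchanged".
CASE_LDAP_OVERRIDES = {
    "case-0001": {"filter": department_filter("department_A")},
    "case-0002": {"filter": department_filter("department_B"),
                  "base_dn": "OU=Contractors,DC=site,DC=local"},
    "case-0003": {},
}


def effective_ldap_settings(case_id):
    """A per-case value wins where set; everything else falls back to the global default."""
    settings = dict(GLOBAL_LDAP)
    settings.update(CASE_LDAP_OVERRIDES.get(case_id, {}))
    return settings


def render_query(case_id, username):
    """Return (base DN, filter) with placeholders substituted and the username escaped."""
    s = effective_ldap_settings(case_id)
    filt = (s["filter"]
            .replace("&&USERNAME_ATTRIBUTE&&", s["username_attribute"])
            .replace("&&USERNAME_VALUE&&", escape_filter_value(username)))
    return s["base_dn"], filt


if __name__ == "__main__":
    for case_id in CASE_LDAP_OVERRIDES:
        base_dn, filt = render_query(case_id, "jdoe")
        print(case_id, base_dn, filt, sep="\n  ")
```

Because group membership is evaluated at login time against memberOf, a user who moves between department groups in AD gains and loses case access without any change to the per-case settings, which is the behaviour post 2 asks about. The escaping step matters whichever product does the substitution: an unescaped username such as `jdoe)(objectClass=*` would otherwise close the equality assertion and widen the filter.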