Kalin
-
Posts
27 -
Joined
-
Last visited
-
Days Won
1
Posts posted by Kalin
-
-
In a few places, URLs are shown in single or as a list. It will be great to have an option to unescape them, like:
https://www.bing.com/search?q=%E6%97%A5%E6%9C%AC%E8%AA%9E -------> https://www.bing.com/search?q=日本語
(Funny enough this forum does that if I choose "paste as plain text" which is wrong interpretation!)
-
It will be a good idea to show the source of the location data (e.g. in Insight view). It can be from picture metadata, or may be IP address mapping, or something else (what). A small icon, or tooltip will be a good start.
-
I recently looked into Magent Axiom and the Artifact Exchange ( https://www.magnetforensics.com/blog/artifact-exchange-now-open/ ). Is there any way to be able to import an XML report from Axiom and use some of those artifacts?
-
1
-
-
It will be great to have the map display center on some configurable point and have some default zoom. Or is there any way to hack around that at the moment?
-
Some kind of API (RESTful is fine) would be great, to any "non-viewer" product of Vound!
BTW, it is getting a bit messy (marketing-wise so to say) on what is what, I am suspecting code-wise there are few components that get packaged in various combinations. For my own sake I call them:
- front-end (allows shared access to case): Connect/Connect+, TeamManager
- back-end (processes/indexes new data and makes a case): Node, Pro/250/100/10, TeamManager
- viewer (allows searching, tagging, comments, export when connected to a front-end or directly opening (single-user) a case on disk): Viewer, WebUI_for_conect
So, API for the front-/back-end may greatly simplify complex usage and repetitive (i.e. compliance-solid and auditable workflows). And I am sure there is already API, since viewers communicate with back-ends, it is just not exposed 😄
I thought a few times over the authorization with AD/LDAP and I think (maybe) it would not be that complicated to add it as it stands now. All that is needed is to define the LDAP query per case (and save that in case template). I am referring to https://www.vound-software.com/docs/connect/2.2.2/admin/04_03_02_ldap_guide.html#customized-ldap-queries
So, say for department_A cases, something along the lines of:
Query base DN:
OU=ConnectUsers,OU=Users,OU=MyBusiness,DC=site,DC=localQuery filter:
(&(&&USERNAME_ATTRIBUTE&&=&&USERNAME_VALUE&&)(memberOf=CN=department_A,CN=Builtin,DC=site,DC=local))In a way, demoting some of the LDAP config (or all if it's easier) from global to per-case-local and using the default global, if not overridden.
I'd be interested to know how other users deal with this (mapping Connect users to OUs) currently.
-
Going through the 2.2.2 Administrator manual, I've been thinking: Can Connect use LDAP/AD for authorization or only for authentication?
In other words, is there a (sane) way to map some attributes in an external directory to the permissions used in Connect? Anybody doing that?
https://www.vound-software.com/docs/connect/2.2.2/admin/04_01_user_management.html#permission-types
I can probably see a helpful "one-liner" script that queries AD and nudges the Connect setup, although that will be a hack I wouldn't be proud of.
The use case I am thinking is a large organisation (say 100 departments), each manager can create cases and each user within the department can by default view cases only in their department.
Can this be achieved so that when a user switches departments, s/he looses access to the cases in hte old department and gains access to the ones in the new department automagically (without messing with Connect settings)?
BTW, is CLI in Connect or coming (saw it in recent Pro/Team)?
-
Excel should not be abused for text processing 😄
AFAIR, Notepad++ supports PCRE, so it should be possible to filter URLs. For example of a full URI PCRE see https://stackoverflow.com/questions/161738/what-is-the-best-regular-expression-to-check-if-a-string-is-a-valid-url/190405#190405
You should also be able to run Content Analysis facet with some regex for URLs, then export values. Hopefully the facet will some day support full PCRE.
-
Of course a way to store/export/import all those UI settings and set by default or per project is also being taken care of?
-
The only project that comes to mind is OpenNMT and related and Systran products (that use it):
But it still requires training and human-translated samples and is not a simple DLL that one can use offline. If you know of any other products/projects, feel free to share.
-
"top 10/100 Web searched keywords", in Insight or as standard facet (under contents analysis)?
This may be a next-level extraction after browser artefacts are ready, e.g.:
https://www.google.com/search?source=hp&q=cat
https://www.facebook.com/search/top/?q=cat
...
=> cat [32] <-- "cat" was searched 32 times
NOTE: make sure you URLdecode parameters, there is more than English out there.
Of course the list of search providers can only grow and grow, so proper internal infrastructure is needed.
As an even more generic idea, things like file search in Windows (MRU, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery) and potentially other sources 😁(fgrep find /{root,home/*}/.bash_history on linux images)😁
-
APFS support for disk images!
It is getting closer to merging with sleuthkit (I hope) https://github.com/blackbagtech/sleuthkit-APFS
-
I recently got asked for a "thumbnail report", i.e. extract certain items and some of their metadata (e.g. ID, file_name) and print them in a grid (say 4x5 on A4)...
While it looked easy, I couldn't think of way to do it directly in Intella and resorted to exporting metadata and native format images, then abusing imagemagick to thumbnail them and "simple" Perl/bash "one-liners" for the final layout. Mess!
Is there another (internal) way? Are those thumbnails (in thumbnail pane) exportable?
Is there any way to have other thumbnails for non-image files? Video may be obvious, but things like PPTX, PDFs (title pages), etc. also come to mind.
Finally being able to put that thumbnail in the PDF report somehow would be great!
(this sounds more like a feature request, that is why I moved it here)
-
Thinking of a 0.5PB RAID5 evidence storage for a TEAM installation on Windows Server, is there anything for/against ReFS?
Performance? Anybody tested/running with ReFS?
-
Quote
• Configurable message hashing algorithm, letting the user control the degree of deduplication on email messages.
This is from the just released 2.2.2, release notes 🎉🍾🎊
-
This sounds a bit strange, may be have a look again at that identified item that triggers it.
What is the structure as Intella sees it (e.g. the tree tab in the preview)?
The closest I had to this (I was called to triage similar situation) was caused by some complex document, I think it was TXT (with the keyword), embedded in a DOCX, attached in e-mail. So while the keyword hit was indeed "in the Word document" and it looked right especially in the native view, there was one extra level involved.
I usually told people to repeat the "Show Parent Email" command on the generated set and see if it behaves as they expected.
I guess a TXT file attached within EML file attached to another e-mail (in a PST folder) might also produce expected, but not obvious results.
Finally, make sure there are no filters involved (Exclude/Include) and deduplication is off.
And if none of the above helps, open a ticket 😄
-
Well, nothing beats (human) reviewers that know the language in question 😄 in speed-performance and quality; budget-wise it may not be the best option, if at all available (e.g. time-space constraints, confidentiality, etc.)
I'd always try to find somebody with good command of the language and train them in Intella (1 hour training + 3-4 hours sitting in the same room), let them sift through the material and tag what might be important. Filter out, deduplicate, etc. something (based on budget) and have it translated by professional. Then add as new source and index (and make sure you get the same filenames/types). You may need to repeat the process a few times.
And if you are still looking for someone fluent in Japanese and Intella, just ping me directly.
-
From the 2.2 release notes:
• Added a Show Family search option. This new operation effectively combines the Show Parents and Show Children operations into a one-click operation, by determining for the selected item(s) the top-level parents and all their nested items. This also relates to the Families column in the Keywords tab and the Family Date field.
• The functionality for determining the top-level items now takes databases into account, so that these will not be the top-level items anymore. The Load File and Cellphone items are now captured into a single Forensic Containers category.
• Added a Features facet category that returns all top-level items.
Will that somehow ease gsnyder's task, or ZIP needs to be extracted as suggested?
-
I know this is not a ticket system, but can topics be merged somehow? e.g. this topic can be merged with http://community.vound-software.com/index.php?/topic/472-pause-indexing/
-
Yes, we need really a "Pause/Stop Indexing of this source" button and "Abort Immediately indexing of this source" button.
The first should only stop at proper "borders" and complete the indexing of the "current items".
The second - I would say abort immediately, leaving the source being indexed in a consistent state (before this round of indexing was started, i.e. throw out all new data since it hasn't been merged yet). If many sources were re-/indexed, this should only affect the current source.
The "Pause" may take a long time, e.g. indexing 20GB PST file, but... this can be improved, depending on how granular is the re-index function (e.g. will it stop at folders in PST, despite the PST file having same MD5 (due to being interrupted)) I guess, introducing partially_indexed flag for each item can be a saver.
-
Looks great!
But now that we have yet another visualization, may I add a RFI from circa 2009: -)
Multiple windows (on multiple monitors of course) and sticky windows (e.g. pin the visualization window on one of the monitors maximized, another item preview say on the right one and keep the rest in the middle). 4K displays are coming, but running 3x FullHD (or 2) is way more common.
-
Yep, let me try it, probably next week.
-
And if/when you decide to add real scripting, PLEASE don't invent a language (VoundScript?), use any of the available ones, just provide API. Even native Java will be a good start (although I don't speak it lately).
-
Is non-English interface supported somehow in Connect?
I tried a few tricks with browser settings and even editing some prefs files, but could't switch the UI language...
Is this supposed to work and how?
If not, when is it expected?
Kalin.
-
Yes, redaction has been requested previously, will be good to have.
Further developing on AdamS idea, there should be two separate features with similar interface: highliting and redacting.
So for workflow:
Do some kw search with optional facet filtering, select all (or some documents), right click ->higlight results.
this will create the PDFs linked to originals with say 50% transparent yellow and add them to the (new) special property "highlighted" selectable from the facet list.
Clear all kw searches, lists, etc. (required!), select some documents from the highlighted facet, right click -> redact the highlited parts
that will change the 50% yellow to 100% black (asuming B/W documents, it will not work on colorfull html), then cut the text, replace it with say * (including spaces) and save the PDF, add to the new special property "redacted".
Add "Export only redacted data" checkbox in the appropriate dialogue box or put some other safenet on exporting.
Crate a landing page for on-line docs
in Wishlist
Posted
It is very helpful to have all products manuals on-line (versioned), I find it very useful to be able to point people at specific parts (of course with xkcd:293, when appropriate 🤣).
There is just one thing missing: the landing page for all docs, obliviously on https://www.vound-software.com/docs/ Also having https://docs.vound-software.com/ point there as well.
It is enough to link to the top Pro, Investigator, Connect... page and probably also to the latest in the series. Also having URLs like https://www.vound-software.com/docs/intella/latest/ redirect to the latest will be cool.