garybrevans

  1. We have processed a number of PST files. There is nothing remarkable about them, standard email with attachments etc. We have identified a number of issues that are causing us some concern. Some indexed emails come up with an error when we try to export them, even though the evidence paths are correct, the email has indexed correctly and the email opens fine if you browse to it manually. Some emails have been flagged as exception items, even though there’s no obvious reason why, the original emails open up fine. These exception items have not been indexed and are not keyword searchable. There’s an issue in that some attachments are not loading up correctly. Any thoughts or comments welcome. Thanks.
  2. Try to install into an existing folder and the 'Next' button is 'greyed out' no matter what you do. Browse to a newly created or existing folder and the 'Next' button stays greyed out.
  3. I do appreciate the responses but is there any point in creating a backup file if you have to re-index the case to fix this issue?
  4. I've had this a few times now and it seems particularly prevalent when reverting to a backup case file. For some reason the 'Location' view shows blank i.e. no items present despite there being data in the case. I've tried opening and closing the case, adding new items and so on but once it happens, there doesn't seem to be any way in which the Location entries are refreshed to normal.
  5. Add a .L01 to Intella for indexing and in every case, as well as the files within the .L01 you also get a load of chuff in the root when viewing 'Location'. What is it and how do you get rid of it? Second question, is it possible to remove items from a case once indexed?
  6. Thanks, I will check up on that but as you can see you still have a potentially long list of segments which is just 'noise'.
  7. So, we went ahead and started exporting from EnCase image files to LEF using the EnScript. This introduces a number of issues.
     1. There is no apparent way of setting the LEF segment size.
     2. There is no apparent way of selecting individual devices.
     So in a multiple device case what you end up with is one huge LEF containing dozens (or hundreds) of segments containing the output from a number of devices. When you then go to review material by 'Location' in Intella it becomes unresponsive for a bit whilst it refreshes all the relevant locations. Then it displays something like this:
       This_is_my_evidence.L01\full path\
       This_is_my_evidence.L02\full path\
       This_is_my_evidence.L03\full path\
     and so on for as many segments as you have. Of course, this is extremely unhelpful in determining the actual device where the data resides. As long as you have named the device something relevant, this name features much further down the path. One of the ways in which we use selective searching in Intella is to select the device in the Location view. Using this method, this can no longer be achieved this way. It would be very useful if the Intella EnCase EnScript had options for 'LEF Segment Size' and 'Selected Files Only'. If anyone has any other ideas or comments I would be glad to hear them. Thanks.
  8. Thanks, we are using the v0.5 EnScript so we will give the logical evidence files a go.
  9. Scenario. Index data from several data sources. Review data. Some files are indexed and the location is reported as '_to long paths'. First, it should be '_too long paths' if anything. My question is this. It seems that once Intella decides that the path to the file is too long, it gives up completely and just reports exactly that. If that file is indexed and relevant to the case, how do you then work out from what original data source the file came from?
  10. How do I copy native files out of Intella into folders named after the tags in one go without manually creating the folders in Windows first then copying the tagged files, one set of tagged files at a time into the folders I have just made? It sounds like it should be simple.
  11. Update to the above. If you do an export to CSV from Intella from a file listing with the 'File Name', 'MD5 Hash' and 'Tags' checked, then copy the contents of the CSV to a new CSV, rename 'File Name' to 'Name' you can import into EnCase to a point. Of 96 files in Intella less than a third were bookmarked in EnCase. Plus, it just gives you a single bookmark folder full of files in EnCase, so pretty pointless. As an investigator, surely the most important thing I want to be able to do at the end of the process (outside of Intella) is identify files by tag. Can someone please tell me how to achieve this? Thanks.
  12. Morning. So here is what I am trying to achieve. I want to export from Intella a set of folders, each named after the Tag and each containing the files that have been tagged. I can do this manually for each tag by creating a folder in Windows of the tag name, select the files in the tag and then export the files to the folder I've just made. This isn't much use if there are lots of tags. If I right click on the Tags I can export the Tag names which does not help. I note that with the Intella EnScript I can import a CSV via the 'tag importer'. However, how do you create a CSV that works? I've highlighted the files in Intella and exported to CSV but I keep getting an error message when I try and run the EnScript and point it at the CSV I have just created: 'Pleas export a valid CSV file. It has to include the fields "Name" and "MD5 Hash".' 'Please' is misspelt and I cannot find a field called 'Name'. Am I missing something? There is nothing in the manual either. Thanks.