
dale

Members
  • Content Count: 30
  • Joined
  • Last visited
  • Days Won: 2

dale last won the day on August 24 2018

dale had the most liked content!

Community Reputation

5 Neutral

About dale

  • Rank
    Advanced Member

Profile Information

  • Gender
    Not Telling

Recent Profile Visitors

295 profile views
  1. We are looking for features in Intella that allow for selective re-processing of items and families of items, and a change in the behaviour of the 'export into case' function relating to items that previously resulted in processing exceptions, i.e., when a case containing a 'cleanly' processed version of an item is merged into a case where the same item previously resulted in processing exceptions, the 'exception' item and associated metadata including exception flags will need to be replaced by the 'cleanly' processed version of the item.

    Background: During processing Intella will eventually generate exceptions. This cannot be avoided. Depending on what the affected items contain and what the underlying issue is, you may find yourself in the situation where you have to re-process that one item or its parent, e.g., after having made changes to Intella memory allocations or to the source container, or having added credentials. The issue here is that Intella offers all or nothing, i.e., the entire case will need to be re-processed or the source needs to be removed and re-added. Depending on case size such reprocessing can be very lengthy. Attempting to re-add the same source or a subset of the source to the case will fail to be reprocessed, as unless the item that previously failed has a different MD5, Intella will not actually process the item again and merely tracks it as a duplicate of the item that was processed initially and resulted in an exception. The duplicate will be shown as having the same exception as the 'first' copy of the item. We have examples where we created a new case with different settings / decryption credentials and managed to process the source data (with the same MD5 as the one that failed in another situation) without exceptions. Upon exporting this 'clean' case into the case where the processing of the item(s) being merged resulted in exceptions, we are facing the issue that the newly imported items will 'inherit' the exception from the initial case.
    This leaves no option other than to either alter the MD5 of the source item (!) or to reprocess the case (can be very lengthy).
  2. We raised this requirement before too. It would be critical for Intella to use the Slack API with Legal-Hold privileges to select and pull data from Slack. Slack has become very big. So, count our vote on this too please. For API reference see: https://api.slack.com/
  3. Just to follow up on the point of FB, Google etc. Yes, using a standard such as SAML2 or OpenID Connect (which is based on OAuth2) will enable the use of Google or FB as identity providers to authenticate users that access Intella. When it comes to OAuth2, you may want to look at OpenID Connect instead. See https://developers.google.com/identity/protocols/OpenIDConnect
  4. Lukasz - Thanks for responding. We are using SAML2. OAuth might not actually be fit here (see also https://www.ubisecure.com/uncategorized/difference-between-saml-and-oauth/). Looking at this here: https://en.wikipedia.org/wiki/SAML_2.0#Web_Browser_SSO_Profile What Intella would have to implement is the 'Service Provider' side. Example scenario: Reference: https://www.oasis-open.org/committees/download.php/35711/sstc-saml-core-errata-2.0-wd-06-diff.pdf Happy to chat off-line on the more practical aspects. Dominique
  5. dale

    What is W4

    I had a first look at it and I very much like what I am seeing here. Quite a number of the things that W4 addresses remind me of feature requests that I raised for Intella in the past. The question is going to be if, and if so how, Intella and W4 will interact? Here are first impressions after some (very) high-level testing:

    • Ingestion times seem very reasonable.
    • Support for compound file types (e.g. my favorite NSFs...) has room for growth (hence the question - how will this link up with Intella?)
    • The Links Graph has a lot of promise. In particular when you start holding down the CTRL key when double-clicking. Suggestions: Add a backwards and forward button so the investigator can 'navigate'. Consider adding a graphical view of the navigation history showing how the investigator jumped from one item to the next.
    • MacOS support is kind of limited still. I didn't test APFS. However, there are a lot of MacOS artifacts that are worth considering, including FSevents (https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1498158287.pdf), Unified Logs (https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1498146226.pdf), and parsing of plists for event data, e.g., iMessages etc.
    • On NTFS, carve for MFT records in unallocated space and use the record ID and record date field to build a history of file modifications by combining older versions of MFT records based on record ID.
    • Create a calendar view showing a month, a week, a day, (an hour, minute) with event data like we know it from our favorite calendaring tool.
    • Integrate external data sources. Example: The Code42 Security Center provides information about data ingress and egress via USB and Cloud storage including filenames, MD5(!), dates, media details etc.

    What I didn't test yet is the integration of calendar events, mobile device data and a lot more. I need to find more time for this... But what I'd want to look at are things such as locally synchronized cloud storage repositories etc.
    This looks promising. Dominique
  6. Single Sign-On allows users to sign on to applications without providing their passwords to the application (or having to manage an application-specific password). Instead the user signs on to an SSO provider using SAML2 or OAuth. The browser then uses the token provided by the authentication provider to log on to the application. This has numerous advantages, including support of two-factor authentication etc. There are public SSO providers such as Google and Facebook. Also many organizations use internal instances. As SAML2 user authentication is likely to become mandatory for any deployed applications on our network, I was wondering whether Intella Connect could / will include SAML2 in an upcoming release. Many thanks! Dominique
  7. When processing data from systems and mobile devices one very often finds file-based databases and data structures. Most popular is SQLite, but there exist others as well (Microsoft EDB, and one could probably even consider plist files to fall into this category). The (table-)structure of these files is application-specific, i.e., varies widely. My proposal would be to create a template format that allows for two things:

    • Template-based specification of (SQL) queries. The query results would then be represented as items in Intella (either per line or by SQL 'GROUP').
    • Definition of mappings of query result fields into custom columns (including type specification, e.g., date, GEO-location coordinates, String, Integer etc.)

    Allowing people to share their templates for the various applications (and versions thereof) that they have created templates / parsers for would enable the building of a library. The advantage would be that otherwise missed information can be added to event time lines and app-specific GEO-location data can be extracted and identified.
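To make the proposal concrete, here is an added example (not Intella's code or format, and not from the poster) of what such a template could look like and how a tool would apply it: a constructed SQLite database stands in for an app database, the template carries one query plus a field-to-column mapping with types (date, geo, string, integer), and each result row becomes an item with typed custom columns. Table, column and template names are all assumptions for illustration.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed template in the spirit of the proposal: one SQL query per app
# table plus a mapping of result fields to typed custom columns (assumed format).
TEMPLATE = {
    "name": "example-messaging-app",
    "query": "SELECT id, sender, body, sent_at, lat, lon FROM messages ORDER BY sent_at",
    "columns": {
        "Message ID": {"field": "id", "type": "integer"},
        "Sender": {"field": "sender", "type": "string"},
        "Sent": {"field": "sent_at", "type": "date"},            # unix epoch seconds
        "Location": {"field": ["lat", "lon"], "type": "geo"},   # two fields -> one column
    },
}

# Type converters keyed by the template's type names.
CONVERTERS = {
    "string": str,
    "integer": int,
    "date": lambda v: datetime.fromtimestamp(v, tz=timezone.utc).isoformat(),
    "geo": lambda pair: (float(pair[0]), float(pair[1])),
}

def build_items(conn, template):
    """Run the template query and map every row to a dict of typed custom columns."""
    cur = conn.execute(template["query"])
    names = [d[0] for d in cur.description]
    items = []
    for row in cur.fetchall():
        rec = dict(zip(names, row))
        item = {}
        for col, spec in template["columns"].items():
            field = spec["field"]
            raw = [rec[f] for f in field] if isinstance(field, list) else rec[field]
            # Missing source data leaves the column empty instead of inventing a value.
            if raw is None or (isinstance(raw, list) and any(v is None for v in raw)):
                item[col] = None
                continue
            item[col] = CONVERTERS[spec["type"]](raw)
        items.append(item)
    return items

def sample_db():
    """Constructed in-memory app database; the second row has no location."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE messages(id INTEGER, sender TEXT, body TEXT, sent_at INTEGER, lat REAL, lon REAL);
        INSERT INTO messages VALUES (1, 'alice', 'hi', 1535068800, 51.5074, -0.1278);
        INSERT INTO messages VALUES (2, 'bob', 'hello', 1535072400, NULL, NULL);
    """)
    return conn

if __name__ == "__main__":
    for it in build_items(sample_db(), TEMPLATE):
        print(it)
```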
  8. I know the current setup doesn't allow for it, but then again, CONNECT is Java... so I figured I'd ask. Unless there are too many native non-Java libraries in use, it seems to be doable given enough interest. As for Wine, I considered it, but I am unsure it would be something suitable for production and also I am unsure whether the license management system would work under Wine. Worth a try though.
  9. We have recently considered a new deployment scenario for CONNECT. It turned out not to be viable as it would require the purchase of many more Microsoft server CALs and other Microsoft licenses at significant cost. Hence I wanted to raise the question of what it would take to have the CONNECT server run on Linux instead of Windows (excluding index creation)? As it is a Java application it would seem to be portable (possibly with loss of functionality such as PST creation). Any thoughts?
  10. I know that the team are working on increasing the flexibility of the way that sources can be added and removed and possibly cases being merged etc. However, as a thought-exercise, what about separating sources and cases? This would mean that any source that is processed is added to a pool. Sources from this pool of processed sources are then used to build cases. Such an approach would have the advantage that the processing of sources could be distributed and that once processed, sources could be used in more than one case. Also the entire process of building a (large) case would become less prone to catastrophic failure in case a fatal error occurs during the processing of one of the sources. Another suggestion: Ever created a case with 100+ sources? There is far too much clicking and too many menus involved. This takes a lot of time and is prone to errors. It would be really helpful if one could select processing options and then have them applied to a list of sources rather than individual sources only.
  11. Lukasz - We are increasingly receiving critical feedback on how Intella Connect displays calendar entries (in particular the ones from Lotus Notes). We'd appreciate it if there was a way to get the display of such entries cleaned up. Many thanks!
  12. Lukasz - I'd like to revive this one. The Auto-cooling function would not so much be needed because of memory shortage. The reason is more that over time we build up a seriously long list of cases on Intella Connect. Then at some point matters enter a different stage where access to the data on Intella is no longer required. However, we may receive notification of this until the matter is truly closed and will keep the case live. So, during an Intella Connect service restart or system reboot we'll be experiencing significant delays as there is a seriously large list of cases that needs to be shut down and then restarted. If a case hasn't seen activity for 3 months, we'd want to take it offline automatically. If it is needed again, we could re-share it with the flick of a button.
  13. On a busy Connect server one ends up with a large number of shared cases quickly. It would be useful to be able to set a number of days (e.g. 90 days) after which cases will be taken offline automatically and the 'auto-sharing' flag removed if no access has occurred.
  14. Intella is now able to include Lotus Notes Deletion Stubs during processing, allowing for tracking of Notes document movements and deletion activities (very useful!!). Would it be possible to add a checkbox in the 'Add Sources' dialogue (similar to the 'Cache evidence' checkbox) for this feature rather than having to edit the preferences file? Many thanks! Dominique
  15. We often have the scenario that searches can be limited to a specific time-frame. This is where the Date facet comes in. The problem is then often that we have a lot of items where Intella was not able to populate any of the metadata date fields. For these items we cannot tell when they were created, last modified, sent etc. and hence we would have to include them in the searches/review to ensure we are not missing anything relevant. In essence I am asking for a simple way to easily identify all these 'date free' items. It could also be an entry in the 'Feature' facet rather than a checkbox in the 'Date' facet. This may in fact be the cleaner solution.