dale last won the day on August 24 2018
About dale
  1. We are seeing AFF4 adoption increasing (BlackBag MacQuisition, BlackLight). Any chance to have AFF4 container support in Intella? See http://www2.aff4.org/ Thank you!
  2. Intella does paragraph-level deduplication. What we'd like to stipulate here is the identification of near-duplicate items (and paragraphs). This could be done using shingles, calculating the ratio of shared shingles amongst items (shingles from item A contained in item B and vice-versa). See also "Jaccard Similarity."
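The post above describes near-duplicate detection with shingles and Jaccard similarity in one sentence. The following is an added worked example, not code from the post or from Intella: it tokenizes text into word 3-grams (the shingle size is an assumption), computes the Jaccard ratio and the directional containment ratio the post mentions ("shingles from item A contained in item B and vice-versa"), and runs both at item level and at paragraph level over three constructed sample items.

```python
"""Near-duplicate detection for items and paragraphs using word shingles and Jaccard similarity."""
import re
from typing import Dict, List, Set, Tuple

Shingle = Tuple[str, ...]

# Constructed sample items (not real case data). Each item has two paragraphs
# separated by a blank line; A and B share a near-identical first paragraph,
# A and C share an identical second paragraph.
ITEMS: Dict[str, str] = {
    "A": "The quick brown fox jumps over the lazy dog. The dog did not react at all.\n\n"
         "Please find the signed contract attached.",
    "B": "The quick brown fox jumped over the lazy dog. The dog did not react at all.\n\n"
         "See the revised budget in the spreadsheet.",
    "C": "Quarterly revenue figures will be discussed at the board meeting on Monday.\n\n"
         "Please find the signed contract attached.",
}

TOKEN_RE = re.compile(r"[a-z0-9]+")


def split_paragraphs(text: str) -> List[str]:
    """Paragraphs are runs of text separated by one or more blank lines."""
    return [p.strip() for p in re.split(r"\n\s*\n", text) if p.strip()]


def shingles(text: str, k: int = 3) -> Set[Shingle]:
    """Set of k-word shingles (word k-grams) after lower-casing and stripping punctuation."""
    toks = TOKEN_RE.findall(text.lower())
    if len(toks) < k:
        return {tuple(toks)} if toks else set()
    return {tuple(toks[i:i + k]) for i in range(len(toks) - k + 1)}


def jaccard(a: Set[Shingle], b: Set[Shingle]) -> float:
    """|A n B| / |A u B|; two empty sets are treated as identical."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def containment(a: Set[Shingle], b: Set[Shingle]) -> float:
    """Directional measure: share of A's shingles that also occur in B."""
    return len(a & b) / len(a) if a else 0.0


def paragraph_shingles(items: Dict[str, str], k: int = 3) -> Dict[str, List[Set[Shingle]]]:
    """Shingle each paragraph on its own so no shingle straddles a paragraph boundary."""
    return {name: [shingles(p, k) for p in split_paragraphs(text)] for name, text in items.items()}


def near_duplicate_items(items: Dict[str, str], k: int = 3, threshold: float = 0.4):
    """Item pairs whose union-of-paragraph shingle sets reach the Jaccard threshold.

    Returns (x, y, jaccard, containment of x in y, containment of y in x)."""
    per_item = {name: set().union(*paras) for name, paras in paragraph_shingles(items, k).items()}
    names = sorted(per_item)
    found = []
    for i, x in enumerate(names):
        for y in names[i + 1:]:
            score = jaccard(per_item[x], per_item[y])
            if score >= threshold:
                found.append((x, y, round(score, 3),
                              round(containment(per_item[x], per_item[y]), 3),
                              round(containment(per_item[y], per_item[x]), 3)))
    return found


def near_duplicate_paragraphs(items: Dict[str, str], k: int = 3, threshold: float = 0.5):
    """Cross-item paragraph pairs (x, i, y, j, jaccard) with Jaccard >= threshold."""
    per_item = paragraph_shingles(items, k)
    names = sorted(per_item)
    found = []
    for a, x in enumerate(names):
        for y in names[a + 1:]:
            for i, px in enumerate(per_item[x]):
                for j, py in enumerate(per_item[y]):
                    score = jaccard(px, py)
                    if score >= threshold:
                        found.append((x, i, y, j, round(score, 3)))
    return found


if __name__ == "__main__":
    print("item-level:", near_duplicate_items(ITEMS))
    print("paragraph-level:", near_duplicate_paragraphs(ITEMS))
```

The exact thresholds are tuning parameters: with 3-word shingles a single changed word removes three shingles, so short paragraphs drop below 0.5 quickly, and the asymmetric containment values are what tell you that one item is a subset of another rather than merely similar.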
  3. We are glad to see this getting focus! Our strategy is OpenID Connect (OIDC). OIDC unifies OAuth functionality and is commonly seen as the strategic continuation of OAuth for SSO. So, rather than investing time and effort into OAuth, I'd recommend going with OIDC right from the start. https://openid.net/connect/
  4. Intella 2.3 lets the user specify crawler resources to be used. This is good and bad. Our feature requests:
     - Add back the ability to configure the number of crawlers and crawler memory allocation to the inj config files.
     - Add the option / checkbox in the case config to specify that the Intella installation-specific limits should be used for processing this case.
     - Use the crawler and memory allocation specified in the config files as an upper limit to prevent over-allocation of resources.
     Background: In our team we have several people running Intella cases on systems with differing HW specs. A crawler config that might be perfectly fine for one system will bring another system to its knees, crashing not only the running Intella processing job, but also any other task that might have been running on this system.
  5. We are looking for features in Intella that allow for selective re-processing of items and families of items, and a change in the behaviour of the 'export into case' function relating to items that previously resulted in processing exceptions, i.e., when a case containing a 'cleanly' processed version of an item is merged into a case where the same item previously resulted in processing exceptions, the 'exception' item and associated metadata including exception flags will need to be replaced by the 'cleanly' processed version of the item.
     Background: During processing Intella will eventually generate exceptions. This cannot be avoided. Depending on what the affected items contain and what the underlying issue is, you may find yourself in the situation where you have to re-process that one item or its parent, e.g., after having made changes to Intella memory allocations or to the source container, or having added credentials. The issue here is that Intella offers all or nothing, i.e., the entire case will need to be re-processed or the source needs to be removed and re-added. Depending on case size such reprocessing can be very lengthy. Attempting to re-add the same source or a subset of the source to the case will fail to be reprocessed: unless the item that previously failed has a different MD5, Intella will not actually process the item again and will merely track it as a duplicate of the item that was processed initially and resulted in an exception. The duplicate will be shown as having the same exception as the 'first' copy of the item. We have examples where we created a new case with different settings / decryption credentials and managed to process the source data (with the same MD5 as the one that failed in another situation) without exceptions. Upon exporting this 'clean' case into the case where the processing of the item(s) being merged resulted in exceptions, we are facing the issue that the newly imported items will 'inherit' the exception from the initial case.
     This leaves no option other than to either alter the MD5 of the source item (!) or to reprocess the case (can be very lengthy).
  6. We raised this requirement before too. It would be critical for Intella to use the Slack API with Legal-Hold privileges to select and pull data from Slack. Slack has become very big. So, count our vote on this too please. For API reference see: https://api.slack.com/
  7. Just to follow-up on the point of FB, Google etc. Yes, using a standard such as SAML2 or OpenID Connect (which is based on OAuth2) will enable the use of Google or FB as identity providers to authenticate users that access Intella. When it comes to OAuth2, you may want to look at OpenID Connect instead. See https://developers.google.com/identity/protocols/OpenIDConnect
  8. Lukasz - Thanks for responding. We are using SAML2. OAuth might not actually be fit here (see also https://www.ubisecure.com/uncategorized/difference-between-saml-and-oauth/). Looking at this here: https://en.wikipedia.org/wiki/SAML_2.0#Web_Browser_SSO_Profile What Intella would have to implement is the 'Service Provider' side. Example scenario: Reference: https://www.oasis-open.org/committees/download.php/35711/sstc-saml-core-errata-2.0-wd-06-diff.pdf Happy to chat off-line on the more practical aspects. Dominique
  9. I had a first look at it and I very much like what I am seeing here. Quite a number of the things that W4 addresses remind me of feature requests that I raised for Intella in the past. The question is going to be if, and if so how, Intella and W4 will interact. Here are first impressions after some (very) high-level testing:
     - Ingestion times seem very reasonable.
     - Support for compound file types (e.g. my favorite NSFs...) has room for growth (hence the question: how will this link up with Intella?).
     - The Links Graph has a lot of promise, in particular when you start holding down the CTRL key when double-clicking. Suggestions: add a backwards and forward button so the investigator can 'navigate'; consider adding a graphical view of the navigation history showing how the investigator jumped from one item to the next.
     - MacOS support is kind of limited still. I didn't test APFS. However, there are a lot of MacOS artifacts that are worth considering, including FSEvents (https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1498158287.pdf), Unified Logs (https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1498146226.pdf), and parsing of plists for event data, e.g., iMessages etc.
     - On NTFS, carve for MFT records in unallocated space and use the record ID and record date field to build a history of file modifications by combining older versions of MFT records based on record ID.
     - Create a calendar view showing a month, a week, a day (an hour, minute) with event data like we know it from our favorite calendaring tool.
     - Integrate external data sources. Example: the Code42 Security Center provides information about data ingress and egress via USB and cloud storage including filenames, MD5 (!), dates, media details etc.
     What I didn't test yet is the integration of calendar events, mobile device data and a lot more. I need to find more time for this... But what I'd want to look at are things such as locally synchronized cloud storage repositories etc.
     This looks promising. Dominique
  10. Single Sign-On allows users to sign on to applications without providing their passwords to the application (or having to manage an application-specific password). Instead the user signs on to an SSO provider using SAML2 or OAuth. The browser then uses the token provided by the authentication provider to log on to the application. This has numerous advantages, including support of two-factor authentication etc. There are public SSO providers such as Google and Facebook. Also many organizations use internal instances. As SAML2 user authentication is likely to become mandatory for any deployed applications on our network, I was wondering whether Intella Connect could / will include SAML2 in an upcoming release. Many thanks! Dominique
  11. When processing data from systems and mobile devices one very often finds file-based databases and data structures. Most popular is SQLite, but there exist others as well (Microsoft EDB, and one could probably even consider plist files to fall into this category). The (table-)structure of these files is application-specific, i.e., varies widely. My proposal would be to create a template format that allows for two things:
     - Template-based specification of (SQL) queries. The query results would then be represented as items in Intella (either per line or by SQL 'GROUP').
     - Definition of mappings of query result fields into custom columns (including type specification, e.g., date, GEO-location coordinates, String, Integer etc.).
     Allowing people to share the templates / parsers that they have created for the various applications (and versions thereof) would enable the building of a library. The advantage would be that otherwise missed information can be added to event time lines and app-specific GEO-location data can be extracted and identified.
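The proposal above sketches a shareable template format: a query plus a mapping of result fields to typed custom columns. The following is an added illustration of how such a template could be processed; it is not Intella code and not a format Intella supports. The JSON keys (`query`, `columns`, `field`/`fields`, `type`, `epoch`), the chat-app `messages` table and its rows are all constructed for this example. Grouping into one item per SQL group is left to a `GROUP BY` in the template's own query; every row the query returns becomes one item.

```python
"""Template-driven extraction of items from an application SQLite database."""
import json
import sqlite3
from datetime import datetime, timezone

# Constructed template in a hypothetical shareable format. The schema (a "messages"
# table of an imaginary chat app) and the column-spec keys are assumptions of this example.
TEMPLATE_JSON = """
{
  "app": "example-chat-app",
  "query": "SELECT id, sender, sent_at, lat, lon, body FROM messages ORDER BY sent_at",
  "columns": {
    "Message ID": {"field": "id",      "type": "integer"},
    "Sender":     {"field": "sender",  "type": "string"},
    "Sent":       {"field": "sent_at", "type": "date", "epoch": "unix"},
    "Location":   {"fields": ["lat", "lon"], "type": "geo"},
    "Text":       {"field": "body",    "type": "string"}
  }
}
"""


def convert(spec: dict, row: sqlite3.Row):
    """Map one query result field (or field pair) to a typed custom-column value."""
    kind = spec["type"]
    if kind == "geo":
        lat, lon = (row[f] for f in spec["fields"])
        if lat is None or lon is None:
            return None  # row carries no position; leave the column empty
        if not (-90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0):
            raise ValueError(f"coordinates out of range: {lat}, {lon}")
        return (float(lat), float(lon))
    value = row[spec["field"]]
    if value is None:
        return None
    if kind == "integer":
        return int(value)
    if kind == "string":
        return str(value)
    if kind == "date":
        # Templates declare the epoch unit so that millisecond timestamps are not misread.
        seconds = int(value) // 1000 if spec.get("epoch") == "unix_ms" else int(value)
        return datetime.fromtimestamp(seconds, tz=timezone.utc).isoformat()
    raise ValueError(f"unsupported column type: {kind}")


def run_template(conn: sqlite3.Connection, template: dict) -> list:
    """Run the template query read-only and return one item (dict of custom columns) per row."""
    conn.row_factory = sqlite3.Row
    # A template shared by a third party must never be able to modify the evidence file.
    conn.execute("PRAGMA query_only = 1")
    rows = conn.execute(template["query"]).fetchall()
    return [{name: convert(spec, row) for name, spec in template["columns"].items()}
            for row in rows]


def write_attempt_rejected(conn: sqlite3.Connection, query: str) -> bool:
    """True if the read-only guard blocks a template whose query tries to modify the database."""
    try:
        run_template(conn, {"query": query, "columns": {}})
    except sqlite3.OperationalError:
        return True
    return False


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory database standing in for an app database pulled from a device."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE messages (id INTEGER PRIMARY KEY, sender TEXT, sent_at INTEGER,
                               lat REAL, lon REAL, body TEXT);
        INSERT INTO messages VALUES (1, 'alice', 1535068800, 47.3769, 8.5417, 'Meet at 10?');
        INSERT INTO messages VALUES (2, 'bob',   1535072400, NULL,    NULL,   'OK');
    """)
    return conn


def extract_items() -> list:
    """Apply the constructed template to the constructed database."""
    return run_template(build_sample_db(), json.loads(TEMPLATE_JSON))


if __name__ == "__main__":
    for item in extract_items():
        print(item)
```

Two design points matter for a template library: the template carries the epoch unit and the column types, so the same parser yields consistent dates and coordinates across apps; and the connection is put into `query_only` mode before any template query runs, so a downloaded template is limited to reading the database it is pointed at.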
  12. I know the current setup doesn't allow for it, but then again, CONNECT is Java... so I figured I'd ask. Unless there are too many native non-Java libraries in use, it seems to be doable given enough interest. As for Wine, I considered it, but I am unsure it would be something suitable for production and also I am unsure whether the license management system would work under Wine. Worth a try though.
  13. We have recently considered a new deployment scenario for CONNECT. It turned out not to be viable as it would require purchase of many more Microsoft server CALs and other Microsoft licenses at significant cost. Hence I wanted to raise the question what it would take to have the CONNECT server run in Linux instead of Windows (excluding index creation)? As it is a Java application it would seem to be portable (possibly with loss of functionality such as PST creation). Any thoughts?
  14. I know that the team are working on increasing the flexibility of the way that sources can be added and removed and possibly cases being merged etc. However, as a thought-exercise, what about separating sources and cases? This would mean that any source that is processed is added to a pool. Sources from this pool are then used to build cases. Such an approach would have the advantage that the processing of sources could be distributed and that once processed, sources could be used in more than one case. Also the entire process of building a (large) case would become less prone to catastrophic failure in case a fatal error occurs during the processing of one of the sources. Another suggestion: Ever created a case with 100+ sources? There is far too much clicking and menus involved. This takes a lot of time and is prone to errors. It would be really helpful if one could select processing options and then have them applied to a list of sources rather than individual sources only.
  15. Lukasz - We are increasingly receiving critical feedback on how Intella Connect displays calendar entries (in particular the ones from Lotus Notes). We'd appreciate it if there was a way to get the display of such entries cleaned up. Many thanks!