
dale

Members
  • Posts: 36
  • Joined
  • Last visited
  • Days Won: 2

dale last won the day on August 24 2018

dale had the most liked content!

Profile Information

  • Gender
    Not Telling

Recent Profile Visitors

846 profile views

dale's Achievements

Newbie (1/14)

  • Week One Done
  • One Month Later
  • One Year In

Recent Badges

Reputation: 6

  1. Running a larger environment, we at times have the situation where multiple Intella instances or other tools are competing for the same resources. If then, for instance, the case folder or the optimization drive runs out of space whilst processing, Intella will fill the log with errors (no space left on device) and report a generic error condition. We also had situations where the case folder location had run out of space, but this remained undetected, resulting in a case that was corrupt without us realizing this to be the case. Suggestion:
     - Ensure clear and transparent alerting on filesystem errors that have occurred during processing.
     - Spawn monitoring threads that monitor (e.g. sample free capacity every x seconds) available free space on case folder locations and optimization folder locations. If free capacity drops below a configurable threshold, the monitoring threads can pause the running processing and display an alert (send an email?), allowing for the processing to be resumed (assuming space was never actually exhausted).
     Just an idea...
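The monitoring thread suggested in the post above, as an added example that is not part of the original post and not Intella code: a watchdog samples free space on the watched folders every few seconds, raises a pause flag (and an alert callback) when any of them drops below a configurable threshold, and clears the flag once space is available again, so the processing loop can resume instead of writing into a full disk. The folder paths, byte values and the `make_fake_usage` stand-in for `shutil.disk_usage` are constructed for the demonstration.

```python
"""Free-space watchdog for case and optimization folders (added example, not Intella code)."""
import shutil
import threading
import time
from collections import namedtuple
from dataclasses import dataclass


@dataclass(frozen=True)
class SpaceAlert:
    path: str
    free_bytes: int
    threshold_bytes: int


def check_free_space(paths, threshold_bytes, usage=shutil.disk_usage):
    """Return one SpaceAlert per watched path whose free capacity is below the
    threshold. `usage` is injectable so the check can run against fake values."""
    alerts = []
    for path in paths:
        free = usage(path).free
        if free < threshold_bytes:
            alerts.append(SpaceAlert(path, free, threshold_bytes))
    return alerts


class FreeSpaceMonitor(threading.Thread):
    """Samples free space every `interval` seconds. When any watched folder drops
    below the threshold it sets `pause_event` and calls `on_alert` once; when
    space is available again it clears the event so processing can resume."""

    def __init__(self, paths, threshold_bytes, interval=5.0,
                 usage=shutil.disk_usage, on_alert=None):
        super().__init__(daemon=True)
        self.paths = list(paths)
        self.threshold_bytes = threshold_bytes
        self.interval = interval
        self.usage = usage
        self.on_alert = on_alert or (lambda alerts: None)  # e.g. log entry, e-mail, UI banner
        self.pause_event = threading.Event()   # set => processing must pause
        self._stop_event = threading.Event()

    def sample_once(self):
        """One monitoring cycle; returns the alerts raised (empty when all is well)."""
        alerts = check_free_space(self.paths, self.threshold_bytes, self.usage)
        if alerts and not self.pause_event.is_set():
            self.pause_event.set()
            self.on_alert(alerts)          # alert only on the transition into "paused"
        elif not alerts:
            self.pause_event.clear()       # space recovered: allow processing to resume
        return alerts

    def run(self):
        while not self._stop_event.is_set():
            self.sample_once()
            self._stop_event.wait(self.interval)

    def stop(self):
        self._stop_event.set()


def process_items(items, monitor, work, poll=0.05):
    """Processing loop that honours the pause flag between work units, so no
    item is written while a watched folder is (nearly) full."""
    results = []
    for item in items:
        while monitor.pause_event.is_set():
            time.sleep(poll)               # blocked until the monitor clears the flag
        results.append(work(item))
    return results


# Constructed stand-in for shutil.disk_usage (same (total, used, free) shape),
# so the watchdog can be demonstrated without filling a real disk.
DiskUsage = namedtuple("DiskUsage", "total used free")


def make_fake_usage(free_by_path, total=10**12):
    return lambda path: DiskUsage(total, total - free_by_path[path], free_by_path[path])


if __name__ == "__main__":
    free = {"/cases/case-42": 50 * 2**30, "/fastdisk/optimization": 2 * 2**30}  # constructed
    mon = FreeSpaceMonitor(list(free), threshold_bytes=5 * 2**30, interval=1.0,
                           usage=make_fake_usage(free),
                           on_alert=lambda alerts: print("PAUSED:", alerts))
    print(mon.sample_once())                       # optimization drive below 5 GiB: alert + pause
    free["/fastdisk/optimization"] = 20 * 2**30    # an operator freed space
    print(mon.sample_once(), "paused:", mon.pause_event.is_set())
```

In production `usage` would stay at its default `shutil.disk_usage` and the monitor thread would be started with `mon.start()` before processing begins; the threshold should be larger than the biggest single write the processing step can make, because the check runs between work units, not inside them.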
  2. Agreed, this would be hugely valuable!
  3. We are seeing AFF4 adoption increasing (BlackBag MacQuisition, BlackLight). Any chance to have AFF4 container support in Intella? See http://www2.aff4.org/ Thank you!
  4. Intella does paragraph-level deduplication. What we'd like to stipulate here is the identification of near-duplicate items (and paragraphs). This could be done using shingles, calculating the ratio of shared shingles amongst items (shingles from item A contained in item B and vice versa). See also "Jaccard Similarity."
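The shingling approach described in the post above, as an added example that is not part of the original post and not Intella code. It builds word k-shingles for each item, computes the directional shared-shingle ratios (shingles of A contained in B and vice versa) and the symmetric Jaccard index, and reports item pairs above a threshold; paragraphs can be fed in as items to get paragraph-level near-duplicates. The sample texts are constructed.

```python
"""Near-duplicate detection with word shingles and Jaccard similarity (added example)."""
import itertools
import re


def shingles(text, k=3):
    """Set of word k-shingles after lower-casing and stripping punctuation."""
    tokens = re.findall(r"\w+", text.lower())
    if len(tokens) < k:                      # short text: treat it as a single shingle
        return {tuple(tokens)} if tokens else set()
    return {tuple(tokens[i:i + k]) for i in range(len(tokens) - k + 1)}


def containment(a, b):
    """Directional ratio: fraction of A's shingles that also occur in B."""
    return len(a & b) / len(a) if a else 0.0


def jaccard(a, b):
    """Symmetric similarity |A intersect B| / |A union B|."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def near_duplicates(items, k=3, threshold=0.5):
    """Compare every pair of items (id -> text) and return those whose Jaccard
    similarity reaches the threshold, as (id_a, id_b, jaccard, A-in-B, B-in-A)."""
    sets = {item_id: shingles(text, k) for item_id, text in items.items()}
    hits = []
    for a, b in itertools.combinations(sorted(sets), 2):
        j = jaccard(sets[a], sets[b])
        if j >= threshold:
            hits.append((a, b, round(j, 3),
                         round(containment(sets[a], sets[b]), 3),
                         round(containment(sets[b], sets[a]), 3)))
    return sorted(hits, key=lambda h: -h[2])


# Constructed sample: two paragraphs differing by one word, plus unrelated text.
SAMPLE = {
    "doc1": "The quick brown fox jumps over the lazy dog.",
    "doc2": "The quick brown fox jumps over the lazy cat!",
    "doc3": "Completely unrelated text about SQLite databases.",
}

if __name__ == "__main__":
    for hit in near_duplicates(SAMPLE):
        print(hit)   # doc1/doc2: Jaccard 0.75, 6 of 7 shingles shared each way
```

Because the shingles are built from normalised tokens, two items that differ only in whitespace or punctuation score 1.0, which is exactly the case an MD5-based duplicate check misses. The pairwise loop is quadratic, so for large cases the same shingle sets would be fed to MinHash or an inverted index rather than compared exhaustively.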
  5. We are glad to see this getting focus! Our strategy is OpenID Connect (OIDC). OIDC unifies OAuth functionality and is commonly seen as the strategic continuation of OAuth for SSO. So, rather than investing time and effort into OAuth, I'd recommend going with OIDC right from the start. https://openid.net/connect/
  6. Intella 2.3 lets the user specify crawler resources to be used. This is good and bad. Our feature requests:
     - Add back the ability to configure the number of crawlers and crawler memory allocation in the inj config files.
     - Add the option / checkbox in the case config to specify that the Intella installation-specific limits should be used for processing this case.
     - Use the crawler and memory allocation specified in the config files as an upper limit to prevent over-allocation of resources.
     Background: In our team we have several people running Intella cases on systems with differing HW specs. A crawler config that might be perfectly fine for one system will bring another system to its knees, crashing not only the running Intella processing job, but also any other task that might have been running on this system.
  7. We are looking for features in Intella that allow for selective re-processing of items and families of items, and a change in the behavior of the 'export into case' function relating to items that previously resulted in processing exceptions, i.e., when a case containing a 'cleanly' processed version of an item is merged into a case where the same item previously resulted in processing exceptions, the 'exception' item and associated metadata including exception flags will need to be replaced by the 'cleanly' processed version of the item. Background: During processing Intella will eventually generate exceptions. This cannot be avoided. Depending on what the affected items contain and what the underlying issue is, you may find yourself in the situation where you have to re-process that one item or its parent, e.g., after having made changes to Intella memory allocations or to the source container, or having added credentials. The issue here is that Intella offers all or nothing, i.e., the entire case will need to be re-processed or the source needs to be removed and re-added. Depending on case size such reprocessing can be very lengthy. Attempting to re-add the same source or a subset of the source to the case will fail to be reprocessed, as unless the item that previously failed has a different MD5, Intella will not actually process the item again and merely track it as a duplicate of the item that was processed initially and resulted in an exception. The duplicate will be shown as having the same exception as the 'first' copy of the item. We have examples where we created a new case with different settings / decryption credentials and managed to process the source data (with the same MD5 as the one that failed in another situation) without exceptions. Upon exporting this 'clean' case into the case where the processing of the item(s) being merged resulted in exceptions, we are facing the issue that the newly imported items will 'inherit' the exception from the initial case. This leaves no option other than to either alter the MD5 of the source item (!) or to reprocess the case (can be very lengthy).
  8. We raised this requirement before too. It would be critical for Intella to use the Slack API with Legal-Hold privileges to select and pull data from Slack. Slack has become very big. So, count our vote on this too please. For API reference see: https://api.slack.com/
  9. Just to follow up on the point of FB, Google etc. Yes, using a standard such as SAML2 or OpenID Connect (which is based on OAuth2) will enable the use of Google or FB as identity providers to authenticate users that access Intella. When it comes to OAuth2, you may want to look at OpenID Connect instead. See https://developers.google.com/identity/protocols/OpenIDConnect
  10. Lukasz - Thanks for responding. We are using SAML2. OAuth might not actually be a fit here (see also https://www.ubisecure.com/uncategorized/difference-between-saml-and-oauth/). Looking at this: https://en.wikipedia.org/wiki/SAML_2.0#Web_Browser_SSO_Profile What Intella would have to implement is the 'Service Provider' side. Example scenario: Reference: https://www.oasis-open.org/committees/download.php/35711/sstc-saml-core-errata-2.0-wd-06-diff.pdf Happy to chat off-line on the more practical aspects. Dominique
  11. What is W4

     I had a first look at it and I very much like what I am seeing here. Quite a number of the things that W4 addresses remind me of feature requests that I raised for Intella in the past. The question is going to be if, and if so how, Intella and W4 will interact. Here are first impressions after some (very) high-level testing:
     - Ingestion times seem very reasonable.
     - Support for compound file types (e.g. my favorite NSFs...) has room for growth (hence the question: how will this link up with Intella?).
     - The Links Graph has a lot of promise, in particular when you start holding down the CTRL key when double-clicking. Suggestions: add a backwards and forward button so the investigator can 'navigate'; consider adding a graphical view of the navigation history showing how the investigator jumped from one item to the next.
     - MacOS support is kind of limited still. I didn't test APFS. However, there are a lot of MacOS artifacts that are worth considering, including FSEvents (https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1498158287.pdf), Unified Logs (https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1498146226.pdf) and parsing of plists for event data, e.g., iMessages etc.
     - On NTFS, carve for MFT records in unallocated space and use the record ID and record date field to build a history of file modifications by combining older versions of MFT records based on record ID.
     - Create a calendar view showing a month, a week, a day (an hour, a minute) with event data like we know it from our favorite calendaring tool.
     - Integrate external data sources. Example: the Code42 Security Center provides information about data ingress and egress via USB and cloud storage including filenames, MD5(!), dates, media details etc.
     What I didn't test yet is the integration of calendar events, mobile device data and a lot more. I need to find more time for this... But what I'd want to look at are things such as locally synchronized cloud storage repositories etc. This looks promising. Dominique
  12. Single Sign-On allows users to sign on to applications without providing their passwords to the application (or having to manage an application-specific password). Instead the user signs on to an SSO provider using SAML2 or OAuth. The browser then uses the token provided by the authentication provider to log on to the application. This has numerous advantages, including support of two-factor authentication etc. There are public SSO providers such as Google and Facebook. Also many organizations use internal instances. As SAML2 user authentication is likely to become mandatory for any deployed applications on our network, I was wondering whether Intella Connect could / will include SAML2 in an upcoming release. Many thanks! Dominique
  13. When processing data from systems and mobile devices one very often finds file-based databases and data structures. Most popular is SQLite, but there exist others as well (Microsoft EDB, and one could probably even consider plist files to fall into this category). The (table-)structure of these files is application-specific, i.e., varies widely. My proposal would be to create a template format that allows for two things:
     - Template-based specification of (SQL) queries. The query results would then be represented as items in Intella (either per line or by SQL 'GROUP').
     - Definition of mappings of query result fields into custom columns (including type specification, e.g., date, GEO-location coordinates, String, Integer etc.).
     Allowing people to share the templates / parsers they have created for the various applications (and versions thereof) would enable the building of a library. The advantage would be that otherwise missed information can be added to event timelines and app-specific GEO-location data can be extracted and identified.
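A minimal version of the template format proposed in the post above, as an added example that is not part of the original post and not Intella code. A template names the SQL query to run against the application database (a `GROUP BY` in the query yields one item per group instead of one per row) and maps result fields onto typed custom columns (string, integer, date from an epoch value, and a GEO location built from two fields). The messaging-app schema (`examplechat v1`), the template and the rows in the in-memory database are all constructed for the demonstration.

```python
"""Template-driven extraction of items from an app-specific SQLite database (added example)."""
import sqlite3
from datetime import datetime, timezone


# Converters for the supported custom-column types. Each takes the raw value(s)
# named in the mapping and returns the typed value for the column.
def _to_date(value, unit="unix_seconds"):
    if value is None:
        return None
    seconds = value / 1000 if unit == "unix_millis" else value
    return datetime.fromtimestamp(seconds, tz=timezone.utc).isoformat()


def _to_geo(lat, lon):
    # A location is only meaningful when both coordinates are present.
    return None if lat is None or lon is None else (float(lat), float(lon))


CONVERTERS = {
    "string": lambda v: None if v is None else str(v),
    "integer": lambda v: None if v is None else int(v),
    "date": _to_date,
    "geo": _to_geo,
}


def template_errors(template):
    """Return a list of problems with a template (empty list means it is usable)."""
    errors = []
    for name, spec in template.get("columns", {}).items():
        if spec.get("type") not in CONVERTERS:
            errors.append(f"column {name!r}: unknown type {spec.get('type')!r}")
        if "field" not in spec and "fields" not in spec:
            errors.append(f"column {name!r}: needs 'field' or 'fields'")
    if "query" not in template:
        errors.append("template has no 'query'")
    return errors


def apply_template(conn, template):
    """Run the template's query and map each result row to a dict of typed
    custom columns, one item per row (or per group when the query uses GROUP BY)."""
    problems = template_errors(template)
    if problems:
        raise ValueError("; ".join(problems))
    conn.row_factory = sqlite3.Row
    items = []
    for row in conn.execute(template["query"]):
        item = {}
        for name, spec in template["columns"].items():
            convert = CONVERTERS[spec["type"]]
            if "fields" in spec:                         # multi-field column (e.g. lat + lon)
                item[name] = convert(*[row[f] for f in spec["fields"]])
            elif spec["type"] == "date":
                item[name] = convert(row[spec["field"]], spec.get("unit", "unix_seconds"))
            else:
                item[name] = convert(row[spec["field"]])
        items.append(item)
    return items


# Constructed template for a hypothetical messaging app ("examplechat", version 1).
EXAMPLECHAT_V1 = {
    "app": "examplechat",
    "version": "1",
    "query": (
        "SELECT m.id, m.sent_ts, m.body, m.lat, m.lon, c.name AS contact "
        "FROM messages m JOIN contacts c ON c.id = m.contact_id ORDER BY m.id"
    ),
    "columns": {
        "Message ID": {"field": "id", "type": "integer"},
        "Sent": {"field": "sent_ts", "type": "date", "unit": "unix_seconds"},
        "Contact": {"field": "contact", "type": "string"},
        "Body": {"field": "body", "type": "string"},
        "Location": {"fields": ["lat", "lon"], "type": "geo"},
    },
}


def build_sample_db():
    """Constructed in-memory database matching the hypothetical examplechat schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE contacts (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE messages (id INTEGER PRIMARY KEY, contact_id INTEGER,
                               sent_ts INTEGER, body TEXT, lat REAL, lon REAL);
        INSERT INTO contacts VALUES (1, 'Alice'), (2, 'Bob');
        INSERT INTO messages VALUES
            (1, 1, 1535112000, 'meet at the pier', 37.7749, -122.4194),
            (2, 2, 1535115600, 'running late', NULL, NULL);
    """)
    return conn


if __name__ == "__main__":
    for item in apply_template(build_sample_db(), EXAMPLECHAT_V1):
        print(item)
```

A shared template library would store dicts like `EXAMPLECHAT_V1` as JSON keyed by app and version; since the query text comes from the template, a deployment that accepts third-party templates should open the evidence database read-only and run untrusted templates only against a copy.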
  14. I know the current setup doesn't allow for it, but then again, CONNECT is Java... so I figured I'd ask. Unless there are too many native non-Java libraries in use, it seems to be doable given enough interest. As for Wine, I considered it, but I am unsure it would be something suitable for production and also I am unsure whether the license management system would work under Wine. Worth a try though.
  15. We have recently considered a new deployment scenario for CONNECT. It turned out not to be viable as it would require the purchase of many more Microsoft server CALs and other Microsoft licenses at significant cost. Hence I wanted to raise the question what it would take to have the CONNECT server run on Linux instead of Windows (excluding index creation)? As it is a Java application it would seem to be portable (possibly with loss of functionality such as PST creation). Any thoughts?