Jump to content

dale

Members
  • Posts

    36
  • Joined

  • Last visited

  • Days Won

    2

Everything posted by dale

  1. Running a larger environment we at times have the situation multiple Intella instances or other tools are competing for the same resources. If then, for instance, the case folder or the optimization drive runs out of space whilst processing, Intella will fill the log with errors (no space left on device) and report a generic error condition. We also had situations where the case folder location had run out of space, but this remained undetected resulting in a case that was corrupt without us realizing this to be the case. Suggestion: Ensure clear and transparent alerting on filesystem errors that have occurred during processing Spawn monitoring threads that monitor (e.g. sample free capacity every x seconds) available free space on case folder locations and optimization folder locations. If free capacity drops below a configurable threshold, the monitoring threads can pause the running processing and display an alert (send an email?) allowing for the processing to be resumed (assuming space was never actually exhausted). Just an idea...
  2. Agreed, this would be hugely valuable!
  3. We are seeing AFF4 adoption increasing (Blackbab MacQusition, BlackLight). Any chance to have AFF4 container support in Intella? See http://www2.aff4.org/ Thank you!
  4. Intella does paragraph-level deduplication. What we'd like to stipulate here is the identification of near-duplicate items (and paragraphs). This could be done using shingles, calculating the ratio of shared shingles amongst items (shingles from item A contained in item B and vice-versa). See also "Jaccard Similarity."
  5. We are glad to see this getting focus! Our strategy is OpenID Connect (OIDC). OIDC unifies OAuth functionality and is commonly seen as the strategic continuation of OAuth for SSO. So, rather than investing time and effort into OAuth, I'd recommend to go with OIDC right from the start. https://openid.net/connect/
  6. Intella 2.3 lets the user specify crawler resources to be used. This is good and bad. Our feature requests: - Add back the ability to configure the number of crawlers and crawler memory allocation to the inj config files. - Add the option / checkbox in the case config to specify that the Intella installation-specific limits should be used for processing this case. - Use the crawler and memory allocation specified in the config files as an upper limit to prevent over-allocation of resources. Background: In our team we have several people running Intella cases on system with differing HW specs. A crawler config that might be perfectly fine for one system will bring down another system to its knees, crashing not only the running Intella processing job, but also any other task that might have been running on this system.
  7. We are looking for features in Intella that allow for selective re-processing of items and families of items; and change in the behavoir of the 'export into case' function relating to items that previously resulted in processing exceptions, i.e., when a case containing a 'cleanly' processed version of an item is merged into a case where the same item perviously resulted in processing exceptions, the 'exception' item and associated meta data including exception flags will need be replaced by the 'cleanly' processed version of the item. Background: During processing Intella will eventually generate exceptions. This cannot be avoided. Depending on what the affected items contain and what the underlying issue is, you may find yourself in the situation where you have re-process that one item or its parent, e.g., after having made changes to Intella memory allocations or to the source container, having added credentials. The issue here is, that Intella offers all or nothing, i.e., the entire case will need to be re-processed or the source needs to be removed and re-added. Depending on case size such reprocessing can be very lenghty. Attempting to re-add the same source or subset of the source to the case will fail to be reprocessed as unless the item that previously failed has a different MD5, Intella will not actually process the item again and merely track it as a duplicate of item that was processed intialy and resulted an in exception. The duplicate will be shown as having the same exception as the 'first' copy of the item. We have examples where we created a new case with different settings / decryption credentials and managed to process the source data (with the same MD5 as the one that failed in another situation) without exceptions. Upon exporting this 'clean' case into the case where the processing of the item(s) being merged resulted in exceptions, we are facing the issue that the newly imported items will 'inherit' the exception from the initial case. This leaves no option other than to either alter the MD5 of the source item (!) or to reprocess the case (can be very lengthy).
  8. We raised this requirement before too. It would be critical for Intella use the SLACK API with Legal-Hold privileges to select and pull data from Slack. Slack has become very big. So, count our vote on this too please. For API reference see: https://api.slack.com/
  9. Just to follow-up on the point of FB, Google etc. Yes, using a standard such as SAML2 or OpenID Connect (which is based on OAuth2) will enable the use of Google or FB as identity providers to authenticate users that access Intella. When it comes to OAuth2, you may want to look at OpenID Connect instead. See https://developers.google.com/identity/protocols/OpenIDConnect
  10. Lukasz - Thanks for responding. We are using SAML2. OAuth might not actually be fit here (see also https://www.ubisecure.com/uncategorized/difference-between-saml-and-oauth/). Looking at this here: https://en.wikipedia.org/wiki/SAML_2.0#Web_Browser_SSO_Profile What Intella would have to implement is the 'Service Provider' side. Example scenario: Reference: https://www.oasis-open.org/committees/download.php/35711/sstc-saml-core-errata-2.0-wd-06-diff.pdf Happy chat off-line on the more practical aspects. Dominique
  11. dale

    What is W4

    I had a first look at and I very much like what I am seeing here. Quite a number of the things that W4 addresses remind me feature requests that I raised for Intella in the past. The question is going to be if and if so how Intella and W4 will interact? Here first impressions after some (very) high-level testing: Ingestion times seem very reasonable. Support for compound file types (e.g. my favorite NSFs...) has room for growth (hence the question - how will this link up with Intella?) The Links Graph has a lot of promise. In particular when you start holding down the CTRL key when double-clicking Suggestions: Add a backwards and forward button so the investigator can 'navigate'. Consider adding a graphical view of the navigation history showing how the investigator jumped from one item to the next MacOS support is kind of limited still. I didn't test APFS. However, there are a lot of MacOS artifacts that are worth considering including FSevents (https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1498158287.pdf), Unified Logs (https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1498146226.pdf) Parsing of plists for event data, e.g., iMessages etc. On NTFS carve for MFT records in unallocated space and use record ID and record date field to build history of file modifications by combining older versions of MFT records based on record ID. Create a calendar view showing a month, a week, a day, (an hour, minute) with event data like we know it from our favorite calendaring tool Integrate external data sources. Example: The Code42 Security Center provides information about data ingress and egress via USB and Cloud storage including filenames, MD5(!), dates, media details etc. What I didn't test yet is the integration of calendar events, mobile device data and a lot more. I need to find more time for this... But what I'd want to look at are things such as locally synchronized cloud storage repositories etc. This looks promising ? Dominique
  12. Single Sign-On allows users to sign on to applications without providing their passwords to the application (or having to manage an application-specific password). Instead the user signs on to a SSO provider using SAML2 or oauth. The browser then uses the token provided by the authentication provider to logon to the application. This has numerous advantages, including support of two-factor authentication etc. There are public SSO providers such as Google and Facebook. Also many organizations use internal instances. As SAML2 user authentication is likely to become mandatory for any deployed applications on our network, I was wondering whether Intella Connect could / will include SAML2 in an upcoming release. Many thanks! Dominique
  13. When processing data from systems and mobile devices one very often finds file-based databases and data structures. Most popular is SQlite, but there exists others as well (Microsoft EDB, and one could probably even consider plist files to fall into this category). The (table-)structure of these files is application-specific, i.e., varies widely. My proposal would be to create a template format that allows for two things: Template-based specification of (SQL) queries. The query results would then be represented as items in Intella (either per line or by SQL 'GROUP') Definition of mappings of query result fields into custom columns (including type specification, e.g., date, GEO-location coordinates, String, Integer etc.) Allowing people to share their templates for the various applications (and versions thereof) that they have created templates / parser for, would enable the building of a library. The advantage would be that otherwise missed information can be added to event time lines and app-specific GEO-location data to be extracted and identified.
  14. I know the current setup doesn't allow for it, but then again, CONNECT is Java... so I figured I'd ask. Unless there are too many native non-Java libraries in use, it seem to be doable given enough interest. As for Wine, I considered it, but I am unsure it would be something suitable for production and also I am unsure whether the license management system would work under Wine. Worth a try though.
  15. We have recently considered a new deployment scenario for CONNECT. It turned out not to be viable as it would require purchase of many more Microsoft server CALs and other Microsoft licenses at significant cost. Hence I wanted to raise the question what it would take to have the CONNECT server run in Linux instead of Windows (excluding index creation)? As it is a Java application it would seem to be portable (possibly with loss of functionality such as PST creation). Any thoughts?
  16. I know that the team are working on increasing the flexibility of the way that sources can be added and removed and possibly cases being merged etc. However, as a thought-exercise, what about separating sources and cases? This would mean that any source that is processed is added to a pool. From this pool of processed sources are then used to build cases. Such an approach would have the advantage that the processing of sources could be distributed and that once processed, sources could be used in more than one case. Also the entire process of building a (large) case would become less prone to catastrophic failure in case a fatal errors occurs during the processing of one of the sources. Another suggestion: Ever created a case with 100+ sources? There is far too much clicking and menus involved. This takes a lot of time and is prone to errors. It would be real helpful if one could select processing options and then have them applied to a list of sources rather than individual sources only.
  17. Lukasz - We are increasingly receiving critical feedback on how Intella Connect displays calendar entries (in particular the ones from Lotus Notes). We'd appreciate it if there was a way to get the display of such entries cleaned up. Many thanks!
  18. Lukasz - I'd like to revive this one. The Auto-cooling function would not so much be needed because of memory shortage. The reason is more that over time we build up a seriously long list of cases on Intella Connect. Then at some point matters enter a different stage where access to the data on Intella is no longer required. However, we may receive notification of this until the matter is truly closed and will keep the case live. So, during a Intella Connect service restart or system reboot we'll be experiencing significant delays as there is a seriously large list of cases that needs to be shutdown and then restarted. If a case hasn't seen activity for 3 months, we'd want to take it offline automatically. If it is needed again, we could re-share it with the flick of a button.
  19. On a busy Connect server one ends up a large number of shared cases quickly. It would be useful to be able to set a number of days (e.g. 90 days) after which cases will be taken offline automatically and the 'auto-sharing' flag removed if no access has occurred.
  20. Intella is now able to include Lotus Notes Deletion Stubs during processing allowing for tracking of Notes document movements and deletion activities (very useful!!). Would it be possible to add a checkbox in the 'Add Sources' dialogue (similiar to the 'Cache evidence' checkbox) for this feature rather than having to edit the preferences file? Many thanks! Dominique
  21. We often have the scenario that searches can be limited to a specific time-frame. This is where the Date facet comes in. The problem is then often that we have a lot of items where Intella was not able to populate any of the meta data date fields. For these items we cannot tell when they were created, last modified, sent etc. and hence we would have to include them in the searches/review to ensure we are not missing anything relevant. In essence I am asking for a simple way to easily identify all these 'date free' items. It could also be an entry in the 'Feature' facet rather than a checkbox in the 'Date' facet. This may in fact be the cleaner solution.
  22. I am with you there Lukasz. The cluster map is highly valuable and does offer this functionality. However, recent experience has brought up a few occasions where users were using keyword lists that already themselves contained more complex queries. Then these queries were to be combined with filters such as (custodian A OR custodian AND year=2014. This then goes beyond what can be reasonably done with the cluster map. Just as a thought... what about creating the option of being able to run (several) searches as usual, but then to be able to right-click a bubble / object or a selection of objects in the resulting cluster map. The context menu would then include the options 'Add as EXCLUDE filter' and 'Add as INCLUDE filter'? This would allow for the creation of fairly complex filters even by novice users. It would enable the creation of the filter used as an example above as part of a first step that could then be followed by the step of running the keyword queries.
  23. ... or have permissions that allow to specify the custodians that a user can / cannot see.
  24. in particular when we have cases with multiple custodians we sometimes get questions like: How can I limit my searches to custodian A's items from 2014? Currently Connect combines the inclusion and exclusion filters with 'OR' logic. So, applying the filters 'include custodian A' and 'include year 2014' will not yield the desired result. There are several approaches to this. Examples: Introduce simple switches that change the logic of the include and exclude filters from OR to AND and vice versa Introduce an expert-mode 'advanced' button where the logic of the applied filters can be changed. Specifically it should be able to group conditions and to use/change operators such as AND, OR, NOT. Personally I feel both might be useful. The simple logic-switch for the less experienced and then the advanced logic 'editor' for the experienced. Many thanks! Dominique
  25. What about adding a checkbox in the date facet that causes the search to include all items that do not have any of the date fields populated? Say you want to create a filter that limits your view to items that were created, sent, modified etc. in 2014. The checkbox would allow for the easy inclusion of any items that do not have any date/time meta data. Many thanks! Dominique
×
×
  • Create New...