Jump to content


  • Posts

  • Joined

  • Last visited

  • Days Won


Everything posted by jon.pearse

  1. Hi dale, We have added support for indexing AFF4 images to W4. This will be available in the next release (or, you can get a beta version earlier if you are on the beta testers list). The format will likely be ported to Intella in a future release.
  2. Hi, You can split a PST export in to parts by size. More information is in Section 26.2.10 of the user manual.
  3. Hi, Are you using the latest version of Intella? If so, there may be something odd with the dataset. Please submit a support ticket for troubleshooting further.
  4. Hi, Can you provide more information on what you are trying to do please. Are you saying that some items that were exported in a previous production are being exported in a new production, and you want to use the original bates numbering for those items?
  5. Hi, You can try using a Saved search for the KW list and the tag as a filter.
  6. Hi Laura, If it is Intella Pro which you are using, then that product does not have any sharing capabilities. Intella Team has this functionality.
  7. Hi frankr20, Your screenshot shows the files that are produced. Within these files you will see incremental page numbering. E.g., the 00000001.pdf document has 15 pages, and those pages will numbered incrementally.
  8. We have received a few support tickets from users who have had issues with ingesting a load file into Intella. There are two common issues being reported by our users. These two common issues are discussed below, but we will add updates to this post if other issues come up in the future. Note: In this post we are discussing Relativity and Concordance type load files that use .dat and .opt files. Issues 1) The user says that either the 'Load file preview' tab, or the 'Image preview' tab is not working and they can't see their load file, or image entries (respectivley) in these tabs. Basically one tab is fine, while the other tab does not show the data in the load file. 2) The user says that Intella is reporting a 'File can not be read: Input length = 1' error when they click the 'Check for errors' button in the Map Fields window. Both of these issues have the same cause. It relates to an encoding mismatch between the .dat file, the .opt file and the extracted text files. Note: The 'Detect encoding' button in the Intella interface detects the encoding in the .dat file. That encoding setting is then used for the .opt file and the extracted text. Currently as of this writing (version 2.3.1) there is no way to ingest a load file where different encoding exists for these components. We will improve Intella to allow for more flexibility for this in a future release. Also note that the Detect encoding button may not work in some cases. In these cases the user will need to set the encoding manually from the list of options. For Issue 1 above, there is a coding mismatch between the .dat file and the .opt file. Note that the 'Load file preview', and the 'Image preview' tabs work independently. This is based on the information in the .dat and .opt files, and their respective encoding. Therefore, if you have different encoding for the .dat and .opt files, only the file that matches the file encoding which has been selected in the interface will display properly. In the example below, the encoding is set to UFT-16. The .dat file is encoded UTF-16, but the .opt file is encoded as UTF-8. You can see that the Load file preview works fine, but the Image preview does not display the images. To resolve this issue, the encoding for the .dat and .opt files need to be the same, and that encoding needs to be set in the 'File encoding' field. Issue 2 is also an encoding problem. This time there is a mismatch between the .dat file and the extract text files. It looks like there are a few possibilities why there could be a mismatch with these files. Either, a) some load file creation tools allow different encoding for the .dat file and the extracted text when a load file is created. b) the .dat file, or the extracted text files have been converted to another encoding after the load file had been created. In either case, there is an encoding mismatch, and this mismatch is shown by a 'File can not be read: Input length = 1' error when the user clicks the Check for errors button in the Map Fields window. To fix this issue, again the user needs to make sure that the encoding for the .dat file and the extracted text are the same. When looking at these issues through support, we have noticed that the extracted text is usually in UTF-8 encoding, but the .dat file is in a different encoding. In this case it would be a lot easier to change the encoding for the .dat file, than to change the encoding for all of the extracted text files. If you do change the encoding for the .dat file, make sure that you also change the encoding for the .opt file if that file needs to be changed.
  9. Hi Margaret, I have tested this and there is no issue with clicking on the button to toggle it. The button or the label name can be clicked to change the state. We have not had any reports regarding this control in ant previous versions either. Are you using Internet Explorer? if so, you could try using a different browser like Chrome.
  10. Recently we have had a few customers report that they can not download the Geolite2 database within Intella/Connect. It looks like the vendor for the database has changed the way the database can be accessed, and Intella/Connect can no longer download it. If you need to install the GeoLite2 database, you will now need to firstly download the database, and then install it manually. See the steps below. Sign up for a MaxMind account - https://www.maxmind.com/en/geolite2/signup Go to the downloads area - https://www.maxmind.com/en/accounts/current From the 'GeoIP2 / GeoLite2' section, select the 'Download files' link. Download the GeoLite2 City Binary database. Extract the GeoLite2-City.mmdb file into C:\Users\[USER]\AppData\Roaming\Intella\ip-2-geo-db. Note: You may not be able to see this folder as it is hidden by default. To go directly to the Roaming folder, type %appdata% into the Windows search box, then press the Enter key. Once done, navigate to the \Intella\ip-2-geo-db folder and put the GeoLite2-City.mmdb file in there. Open Intella or Connect and verify that the database is installed. Please see the following video on the above process:
  11. Vound occasionally issues "patch releases", to quickly address issues of a severe nature. Below is a list of the patch releases and a description of their changes. The following patch releases have been issued since the 1.0.5 release: Fixed an issue with W4 not being able to process certain raw (dd) disk images consisting of a single file. Fixed an issue where timezone settings may not be properly applied to network connection timestamps extracted from Windows registry files. The following patch releases have been issued since the 1.0.5 release: Fixed an issue where timezone settings may not be properly applied to file system items in an AD1 disk image. Fixed an issue where timezone settings may not be properly applied to certain items when the source time zone is different from the investigator machine's time zone. This affects Hangul version 3 documents, OpenOffice documents (creation dates only), deletion stubs in NSF, and certain dates in USB-related artifacts.
  12. Hi Margaret, I can't actually see a permission specifically for uploading keyword lists. Maybe it is best to discuss this issue with your case admin, then ask them to submit a support ticket. The support ticket should have a full description of the issue including screenshots.
  13. Hi Neil, I don't think you can search only within a custom column. What you could do is sort the new custom column, then select and tag the entries that have 'yes'. That will effectively give you the same result as if you were searching the custom column for 'yes'.
  14. Hi Fuzed, You could try using an overlay to add date information for the documents.
  15. Hi P. Smith, You could try enabling this setting when exporting. That should include the embedded item. The only issue with that approach is that it won't include the 'metadata' of the embedded items. If you need a full report on embedded items, the embedded items will need to be included separately, then maybe merge the PDFs as you say.
  16. Vound is pleased to announce the official release of W4 1.0.5. W4 1.0.5 is available from the Downloads section in the Vound Support Portal, after logging in with your email address and password. Users with a W4 1.0.x license can use this version. Please read the Release Notes before installing or upgrading, to ensure you do not affect any active cases. Highlights Various indexing and exporting stability improvements. Added type detection for HEIF/HEIC image files. Added metadata extraction for HEIF image files. Added detection of AMR audio files. These are often used to record voice mails. Added support for indexing NSF files with IBM Notes 10. Release Notes W4-1.0.5-Release-Notes.pdf For additional information, please visit our W4 website website.
  17. Hi fuzed, It's most likely a limitation of the hotmail server. Those usually don't allow to download everything in one ago. We usually recommend to download such data with a mail client first (or ome 3rd party app), and then index the result (mbox, pst, etc) with Intella. Also, some mail servers such as gmail allow you to download data separately into a file. We are not sure if such feature exists for hotmail though, so you may need to look into that.
  18. Introduction: We have had a number of customers asking us - How do I upgrade to the latest version of Connect, and keep all of my settings? This post will look into how this can be done, and what to look out for when upgrading Connect to the latest version. Why upgrade to the latest version: It is always best to install and use the latest version of our products. With any software development, it is near impossible to test every scenario in which the software will be used, and what type of data is indexed with the tool. Although we have a vigorous testing regime for our products, some customers find issues which they report back to support. These issues are generally fixed, and added to the next release. Therefore, using the latest version will give you all of the fixes from all previous versions. Another good reason to upgrade is because the latest version has a number of new features that are not in previous versions. These features can make processing faster, can make analysis of the data easier, and can add better functionality to the tool. Upgrading Connect: There is no problem with installing the latest version of Intella Connect on the same server. Note that this will need to be installed next to the current version. E.g. as long as the new version is installed in a different folder, the existing version should not interfere with new version. In addition, there is no need to uninstall the previous version. When installing a new version of Connect, we make sure that any configurations from the previous version are also migrated over. We often keep old configuration as backup as well, so your previous configurations are not lost. Installing the latest version of Connect is quite straight forward, but you should be aware of these aspects: Make sure that you are always using the same Windows Account when installing different versions of Intella Connect. The configuration and settings for your current version are stored in user-sensitive location, and those locations will not be available to other user accounts. E.g., we have seen cases when users were installing version 2.0 with the "John" user account, then later installed version 2.1 with the "Administrator" user account. They were surprised to see that they ended up with a clean instance of Connect, with all default configurations and settings. You need to be careful when installing Connect as a Windows Service. There is only ONE Intella Connect Windows Service allowed on the system. Installing a newer version of Connect as a service should overwrite the paths to executables in Windows Services. Once the install process is complete, and the service is restarted, there should be no issues. However, we have seen a number of cases when this did not work as it should have. The outcome is that the service was still pointing to the old version of Connect. In those situations, you should refer to this section of the Administrator's manual on how to manually update the service. https://www.vound-software.com/docs/connect/2.3.0/admin/03_01_connect_as_service.html#manual-un-installation-intella-connect-windows-service Note: From version 2.3.1 we will have an extra check during the installation process that will prevent the installation process from continuing if you have not shutdown the service manually. It is always best to run the latest version of all of our tools. This also applies to Intella Node. Having both Connect and Node on the same version will help when troubleshooting any issues. The risk of any incompatibility issues between Connect and Node are reduced when both products are on the same version. Before you start the upgrade: You should consider the following before you start the Connect upgrade process: With every release of Intella and Connect we provide Release Notes. The very last section of the release notes is the 'Upgrade Notes' section. In that section we list information regarding backwards compatibility with earlier case versions. This section also points out any features which may be limited due to the version upgrade etc. We always suggest backing up your Connect/Node systems before undertaking any upgrades. This minimises the risk of downtime, as you have an avenue to go back should you have any issues with the upgrade process. You should make a backup of these folders (which contain entire configurations) prior to proceeding with the upgrade. "C:\Users\CONNECT_USER\AppData\Roaming\Intella" and "C:\Users\CONNECT_USER\AppData\Roaming\Intella Connect" After the upgrade is complete: Once the upgrade process is complete, start Connect and check that Connect is reporting the correct version. You can do this by clicking on the Admin tab and selecting the 'About Intella Connect' option from the dropdown list. If the latest version is not running, there may be old version of Connect still running. Migrating keystores and self-signed SSL certificates: Once the new version of Connect is running, you may need to reconfigure some advanced setting like SSL. This should be straight forward if you have purchased your SSL certificate from a well known provider like Go Daddy etc. That said, we do see a number of issues with SSL certificates coming through support. But, these issues are mostly related to when the user/company manages their own certificates. In these cases the users report that the upgrade went well, but they cant get SSL to work. In the SSL wizard they get errors like this: "Unable to activate the keystore because it's not valid. Details: Keystore contains multiple certificates, but they were not imported to the private key chain". The issue is that unlike self managed certificates, certificates from a well known providers are generally added to Java's trusted keystore. That means that certificates from a well known provider will work 'out of the box' when setting up SSL in Connect or Node. When users/companies create their own self-signed certificates, they usually create two Certification Authorities (ROOT & Intermediate), and then let the Intermediate CA issue the certificates. But, Java doesn't know anything about ROOT & Intermediate certificates for that company, and these certificates are not automatically trusted. Therefore, the self-signed certificates do not work when a new version of Connect or Node are installed. Note: When you are upgrading Connect or Node, the existing (trusted) Java store is wiped out, and replaced with a clean one. For our products (Connect & Node) to trust the self-signed certificates, you have to add the certificates to the trusted CA store of the JAVA RUNTIME that we shipped with the installer used for the upgrade. This process is described in the Connect administrator's manual at the link below. https://www.vound-software.com/docs/connect/2.3.0/admin/04_03_01_ssl_guide.html#advanced-using-self-signed-certificates So in short, if you are generating your own SSL self-signed certificates, then you will need to update Java's trusted CA store (for both, the Connect and Node systems) after each upgrade.
  19. Vound is pleased to announce the official release of W4 1.0.4. W4 1.0.4 is available from the Downloads section in the Vound Support Portal, after logging in with your email address and password. Users with a W4 1.0.x license can use this version. Please read the Release Notes before installing or upgrading, to ensure you do not affect any active cases. Highlights Added Geolocation view, showing the geographic locations of search results, e.g. based on GPS data and IP addresses. Better support for Windows 10 artifacts (BAM Cache, RecentApps). Added support for BitLocker and APFS disk images. Added support for Skype 14.x chat messages. Release Notes W4-1.0.4-Release-Notes.pdf For additional information, please visit our W4 website website.
  20. Hi Neil, The user manual has more details about using the CLI feature. You could try some of the follow options mentioned in the manual. That would allow you to use any facets including the language facet: > 27.2 Command-line arguments > -et, -exportText – Export the extracted texts to a folder. The options -matchQuery, -savedSearch, -deduplicate and -exportDir can be used to control this operation. The resulting files will be named based on their item ID, e.g. 123.txt. > -ss, -savedSearch [File] – Can be used to limit the exported items to those that match the specified saved search. The argument is the path to an XML file holding the saved search. Such a file can be exported from the Saved Searches facet. This allows for using other facets, such as the Date and Type facets, and to combine queries.
  21. Hi Qasim, You may be using an older version of Intella Desktop and that is why you are seeing the additional metadata. We have tested this in version 2.3 and only the preview is printed and nothing else (unless there are attachments and you choose to report those as well).
  22. Hi Qasim, No, this feature has not been added to Intella/Connect yet. To work around it, you will need to export the item, open it in its native application, then print it from there.
  23. Vound is pleased to announce the official release of W4 1.0.3. W4 1.0.3 is available from the Downloads section in the Vound Support Portal, after logging in with your email address and password. Users with a W4 1.0.x license can use this version. Please read the Release Notes before installing or upgrading, to ensure you do not affect any active cases. Highlights Added support for cellphone extractions (Cellebrite, XRY and Oxygen) Added an option to extract Raw data Added a license manager where you can choose with license to use when starting W4 Added version update notification The Dongle Manager is now included in the W4 installer Release Notes W4-1.0.3-Release-Notes.pdf For additional information, please visit our W4 website website.
  24. Information can be found under: https://support.vound-software.com/#knowledge_base/1/locale/en-us/answer/74
  25. Here is an article from one of our Partners - Spyder Forensics. In this article we discuss the four main keys for building a successful load file. The Four Keys to Generating a Successful Load File Export
  • Create New...