[Case Sensitive Letters + Highlight Text exporting]

Hi,

You can do it like this. Since you know what you are looking for (the word 'date'), type it in as the regular expression. Then check the Case sensitive option.

I have created some test documents with the word 'date' using different case. When I run content analysis over these three documents, only the document with the keyword in lower case is found.

 

 

[Case Sensitive Letters + Highlight Text exporting]

Hi,

For (a), you can use a regular expression search. A regular expression search has an option to set case sensitivity.

For (b), OCR only runs over the entire document. There is no function to export only pages that contain search hit highlighting.

[Specific Keyword search (Uppercase and lowercase)]

Hi Sam,

Normal keyword searches are not cases sensitive and that can not be changed. You can be more specific with case when using a regular expression search as there is an option for case sensitivity.

[New feature in W4 - Colorized Tags]

New feature in W4:

We have added the ability to colorize tags in W4. This allows the user to easier identify tags by color. E.g. helping to distinguish different tags which are similarly named. The tags are shown, and can be edited in the Tags category on the left of the user interface.

 

When a tag is created, the user can select and assign the appropriate color for that tag. 

 

 

The colorization for the tags are shown In the Tags column of the Items view. Items which are tagged more than once, show the colors of all of its corresponding tags. 

 

The colorized tags are also shown in the Events view.

 

 

[New feature in W4 - W4 case ingestion in Intella]

New feature in W4:

We are adding the ability to ingest a W4 case into Intella. This work should be completed for the next release of Intella (version 2.3). This is actually an Intella feature, however, it is a way to expand on the W4 case, and identify more related artifacts that may be in the dataset. 

 

Use case:

W4 is designed to extract user and system created artifacts quickly, so that the user has these artifacts ready for review in the shortest time possible. We have had reports from beta testers that W4 has blistering fast indexing speeds, compared to similar products from other vendors. By default, W4 does not index every item in the source dataset like how it is done in Intella (although, there is an option which does allow this). When triaging evidence, the most pertinent artifacts are from user created/altered data/documents, and system artifacts. W4 is designed to take a quick look into the evidence to identify usage on a system. The results can help the investigator to decide whether further investigation is required. If further investigation is required, the evidence can be ingested into an Intella case where you have the full suite of tools and functionality to process and analyse the data.

During the ingestion process, Intella allows the user to choose a number of options for the ingestion of the W4 case. The user can expand the already tagged items which are in the W4 case using the Smart Search features. More evidence/artifacts can be identified that are similar to the items in the W4 tags. The new artifacts and data are reported when the ingestion process is complete.

 

[New feature in W4 - Reporting wizard]

New feature in W4:

We have added a reporting wizard that allows the user to create fully customizable reports in W4.

 

The report wizard includes these features:

• Custom fields can be added to the report so that information specific to the investigation (e.g. case name, case ID, dates, examiner, report author etc.) can be included in the report. 
  

 

• Sections can be added to the report. A Section is a configurable form which you use to report data and artifacts. This could include data that you have selected, data that you have tagged, or data from one of the categories on the left of W4. 
  

1. With each section, the user can set which metadata fields should be shown in the report for the artifacts being reported.
   
2. The original files can be exported with the report. The reported will contain hyperlinks to the exported files so they can be quickly reviewed in their native application from the report. 
3. The page orientation for each section can be configured independently. This is useful for setting the matching page orientation for the specific data being reported. E.g. a Landscape page orientation can be used when reporting wide table data. 
4. The display type for each section can be configured independently. This allows the data to be shown in Table view (useful for tabular data), Events view (useful for timeline), or  Image gallery view. With image view the number of image columns per page can be configured.
    

• Notes and tags can be added to the section data when shown in Events view.
  
  
  Notes are useful to add more information about artifacts.
  
  
   
• When creating link graphs of artifacts, these link graphs can be captured and use in reports.
  
  
   
• The report can be exported in useful formats - PDF or DOCX.
  

 

 

[Release Update - May 2019]

Hi all,

Here are some updates regarding the progress of W4.

Where are we at with the official release?
We are planning to have our first official release of W4 this week. The installer for the release will be available for download to our beta testers in the next few days. Beta testers will be able to test the new features which have been added since the beta version was released last year.

What new features have been included since the beta release?
There have been a number of new features added since the beta version. The new features can't all fit into one post, so over the next few days we will post some of the new features that have been added to W4. That said, here is a short list of what we have added:

• Reporting wizard which allows for a lot of flexibility when creating forensic reports
• Ingest a W4 case into Intella
• Colorized tags for easier tag identification
• Special Note function. This is useful for adding additional information to discovered artefacts
• New type of visualization in the Summary tab
• Thumbnail view for image files 
• Email headers tab

 

[hyperlink in excel for exported item]

Hi Frank,

As you know we currently don't support this. You can either export items to CSV or to original format, but not at the same time.

You may be able to add hyperlinks (which open the native item) into the spreadsheet manually. Or, there may be a utility on the internet to help do this.

[Using Tasks for Automated Processes]

Hi Bryan,

You can add additional Tag criteria when creating tasks. So you could add tags for 2 or more custodians as a starting dataset for your task. E.g.

[Exchange 2013/2016 support?]

Hi

We are working on Exchange EDBs 2013 and 2016 now. These should be included in the next release. 

[Estimated time for processing]

Hi jmacedo, that is probably a near impossible number to get semi accurate. That type of calculation is not just based on the size of the evidence being indexed. There are many factors that determine the speed of processing, and how long a dataset will take to process. These include the following:

• Which hardware is being used? More CPUs/Cores and Memory will provide better performance
• Have the memory and crawlers be configured to maximise performance based on the hardware?
• Are you using local disks or network/USB drives? BTW, we do not recommend using  network/USB drives as performance can be poor, and case data can become corrupt if they are not reliable.
• What types of drives are being used? Traditional rotating drives, or SSD technology? What speeds are the drives?

[Size of Selected Items]

We list the sizes in this format so it is easier for human readability. Having large files reported in bytes can be hard to work out. 

[Size of Selected Items]

Hi PF1,

We have looked at this and although it seems easy to add, it is not a trivial task. We looked at adding a 'total size' of the selected items next to where the number of selected items is already shown at the top left corner of the Table view. The issues are: 1) the size column is mixed with bytes, KB, MB, GB etc, so the size data will need to be further processed to provide a reliable figure. 2) there would be an overhead calculating the size on every selection of items that the user selects. 

What has been proposed is to add a right click option that will calculate the size of the selected items. That way the size will be only calculated for the users who use this feature often.

[Wish list/suggestions V2]

Hi Kalin,

Re APFS support. This is high on our do to list. We are just waiting for the the functionality to become available.

Re thumbnails. We are looking to add a reporting wizard to Intella. This should include the mechanics to export images as thumbnails. Having thumbnails for other file types is a good idea, i will make a ticket for that.

 

[Audit Logs]

Hi jmacedo, have you looked at the Event log? That shows individual searches that users make.

[Case merge / Tag import]

Hi Lukasz, you can export a Work reports from cases A 1 & 2. Those work reports can be imported into case A. Please see the user manual for more details about Work reports.

[Tree structure for tagging in Review]

Hi Dean,

At this point you can only have 2 levels of tags when creating coding layouts. 

 

That means that this will work:

Objective 2: Harassment

                      - Email evidence

                      - Witnesses discussion incident

 

This will not work:

Objective 1: Vehicle Theft

                      - Vehicle Trackers

                              - (GPS disconnected)~3

                              - (deactivate tracking)~3

Changes may be available in a future version which will allow for more than 2 levels of tags.

[Auto-tag with Exclusions]

Hi Bryan,

I think the best way to do this is what you have already mentioned. First run list A, then run an 'Exclude' search on list B. Note that the items shown are items from list A, less the items returned from list B, so tagging what remains (shown in the table) will not tag everything from list A.

[Embedded Images in Emails]

Hi ifinch001,

If these are proper signature block images then these should normally be identified as embedded. There might be something in the email that makes it that these are not processed as such. We will reply to your support ticket as we will need a sample for testing.

[Proximity Search with Phrases]

Thanks for you example Jason!

 

If anyone wants to see the pinned post that Jason was talking about, you can see it here.

 

[Phone Instant Messaging Items - Conversation Items]

Hi Ilanowar, I don't think you can tag the single messages from a conversation. If you want to extract the info for a single message, you could search for the message body itself, then open the associated SQLite database. From there you can copy the table headers and the row which contains the message and paste the data into a new spreadsheet for reporting, e.g.

[Load files... Into Opus 2/Magnum]

Hi fuzed,

To do this you would need to:
1) make sure that everything is OCRed using the PDF option for the 'Output format'.
2) when exporting, you will need to select the 'OCRed content' option from the 'Preferred content type' screen in the export wizard.

[Running RegEx searches in properties]

Hi cayerpm, Alex is referring to the standard text search only for Metadata values. As he points out, regex searches work only for the full text of items (not the metadata). 

[Deduplication Ordering]

Hi Todd,

You can use the 'Has duplicates' category in the Features facet to show all of the duplicates. Then use the Deduplicate button to show the first instance of all duplicates.

[*.olk15Message - is there a way to include in Intella?]

Hi Fuzed,

Is this Apple mail or Outlook for Mac? If it is Apple mail then we may be able to provide a pre-release snapshot that you can try.