jon.pearse

Hi, You could try Tag Groups.This is from the user manual. "These columns are created for every top-level tag with sub-tags. When selected, the corresponding column shows the tags within that part of the tag tree. The column will be named after the top-level tag. For example, when a tag named “Relevancy” has been created with subtags “Relevant”, “Non-Relevant” and “Privileged”, the tag group in the column chooser would be called “Relevancy”. Enabling it would add a column named “Relevancy” to the table, with the “Relevant”, “Non-Relevant” and “Privileged” tags as possible values for those items that have been tagged as such".

Hi Todd, Thanks for the explanation. You could try the following which may help before the overlay feature is added. When you create the second export set, you could use the Export ID column from the first export set as a document ID. That way the second export set will get exactly the same document IDs.

Hi Todd, Thanks for your detailed explanation. Re your suggestions: - give users the ability to overlay data into custom columns post-indexing; This is on our 'to do' list. It is not going to be in the November release, but we are aiming to add it to the following release. - give us the ability to adjust Export Set configurations for subsequent exports; and Can you provide more details regarding this. You can currently add to an existing Export set. - enable the option to use current table sort order for load file exports. We will investigate the issue where you can't export in the order of the Review tab. But in regards to load file exports, this order is currently fixed. Attachments to emails are always exported directly after their parent email. This keeps these document families together, and allows for sequential review of parent items and attachments.

In this screenshot we see that the Links view (for a .LNK file) shows a clear picture of which other elements/artefacts are involved. Here we can see the following items linked to the .LNK file. The user account. The USB device. The location of the .LNK file. The document which the .LNK file points to. The parent directory for the document. This provides the investigator with additional information, and other pathways for investigation.

The Events view is useful for showing the events that have occured with USB devices on the system. In this screenshot the Events view shows the following: Plugging in a USB device. Entries 3 and 4. Creating a folder on that device. Entries 5 and 6. Creating a file, or moving a file onto that device. Entries 7 and 8. Modifying the file on the device. Entries 10-12 and 14. Disconnecting the USB device. The last entry. We also show where information has potentially been overwritten. The first two entries show the file was created on the USB device. However, these time stamp entries were originally created when the file was created on the C drive. Windows has updated the location information from C to the USB device when the link file was used on the USB device. Because these entries exist before the USB device was connected to the computer, this provides a clue that the file was created on some other device before the USB device was connected. Further investigation and carving may discover additional artifacts. Such artefacts could include the original information of the lnk file when the file was created on the C drive.

Hi, I used the settings shown in my last screenshot, and the pages for the email and attachment are individually, and sequentially numbered as expected. The numbering for the next item being exported starts from the next number where the last exported document finished. 00000001.pdf

Hi Adam, the team are working on Outlook for Mac and the new Apple mail format now. They should be complete either in the next release (November), or the release following that.

Hi, During indexing we identify the first instance of a file, then when we come across duplicates, these are marked as duplicates. We don't select which item (based on location) should be the primary file, then all other are duplicates. You may have a situation where someone may want Outlook to be the primary file for deduplication, then someone else may want Exchange mail to be the primary file etc.

Hi Todd, A configurable message hash algorithm is on its way. We plan to add this in the next few months. If you don't mind me asking, how would you use this feature? What issues do you have currently?

Hi Todd, When you say 'unique hits', do you mean unique documents that have hits? E.g. if a document contains 5 different keywords from the KW list, the document is counted only once.

Hi, It is best to move this query to our support system as we require some data from you. Can you submit a support ticket in the support portal and attach the main and warning log files from the case. Also, we need samples of the problematic files for testing.

Hi, If I understand your question correctly, you want to index all the data so that Intella recognizes it as proper emails instead of just text, is that correct? If so, there may be two solutions to that: 1. Convert all the data to an email format which is supported by Intella (e.g. EML files, MBOX, PST and so on). That will need to be done with a 3rd party tool. 2. If certain data can't be converted to email format, you could convert it to a CSV and then import it as a load file. That should also work, but we recommend that you try it out first on a small dataset to make sure it works fine. If you choose this second option, you should understand how load files work, including the parent-child relationships, and links to texts and natives files. This might not be a trivial task if you have never worked with load files before.

Hi, Can you check that the encoding of the DAT file matches with the encoding of the extracted text files. We have seen issues in the past where the encoding is different and the load file will not load. You could try making a copy of the LF and editing it so that you have only a few records for testing. Then check the encoding of the text file and the DAT. If the text files are different, these will need to be converted to the same encoding. You can use Notepad++ to check, and convert the encoding of the text files.

Hi Adam, this is not related to related to Team/Viewer work product (which is based on annotations). This feature involves exporting actual items (e.g. mail and documents) and their associated metadata and annotations to a new, or an existing case. Yes, in other words, it is full case merging.

Hi, Could you post some screenshots of the settings that you have selected? Also, we have this video which shows how to ingest a load file into Intella which may be useful.

Hi, You can do this by using Tag Groups. 1) Create a tag called CONFIDENTIAL, then create two sub tags under this tag for Y and N. 2) Tag the documents to be exported using the Y and N tags. 3) When you create a load file, on the 'Load file field chooser' window, create a new field and select the CONFIDENTIAL tag from the 'Intella column' list. 4) When the load file is created, you will have a column in the load file for CONFIDENTIAL, and the values will be Y or N.

Hi uscheerbaum, This is detailed in the user manual under the 'Exporting to an Intella case' section.

Hi Charles, Currently only the document that you are redacting is redacted. We have a few other redactions features on our road map to add to Intella. Redacting duplicate items is one of those features and it will be available in a future version.

Hi PH1, You can't search over the message ID field specifically in Intella. You can only narrow your search over the message headers or Raw data.

Hi Fuzed, you won't be missing anything that you have searched for. I think the confusion is more related to the way that you are searching. To find out what the difference is you could try this: 1) Run an exclude search for restructure 2) Run an exclude search for restructuring 3) Run a normal search for restructur* The results will be everything that starts with restructur* but is not restructure or restructuring.

Hi Fuzed, you could first identify the items that have attachments. Look in the Features facet for Attachments. Then you can search for the top level parent items and family for the attachments. Those items can be tagged and you can run a search across that tag.

Hi Jonas, Currently Intella does not support Outlook for Mac. This is on our road map to add, and it will be available in a future version. The only work around is that you convert the mail to a supported format using a 3rd party tool before indexing it.

Hi rodrigoalmeida, No, there is no 'soft license' available. Intella/Connect can only be used with a USB license dongle.

Hi llanowar, Ultimately, which files to OCR depends on the customer's requirements. This should be discussed with the customer, and agreed prior to running the OCR process. From experience I have had different settings from different customers. E.g. some customers want just empty PDFs and top level Tiff file. Others want those types, plus other image formats. When you know which files to search for, you can search manually, e.g. search for PDFs and Empty files etc., then tag those item and run then through OCR. Or, you can use the Tasks feature (File - Tasks) to select the OCR candidates, and automatically OCR the items.

I do apologize. I tested this the other day but I did not notice a new setting that was added in version 2.1. You can actually set incremental numbering for each page of a document when exporting to PDF format now. This setting is in the File Naming and Numbering screen. Under the File numbering section, there is a new check box which allows for numbering of pages.