llanowar

Hi Chris. I would like to produce just Type: "Chat Message" items (not entire conversations) - I have over 3,000 tagged. Many of the individually tagged messages contain attachments. I have difficulties with the attachments. It seems like these individual text/chat messages should be treated like an email - as far as exporting/producing options (left hand side of options picture above, rather than the "files" section on the right hand side of options picture above). i.e., "For every email include:" could be "For every email or chat message include:" <- this might allow me to use "Attachments content" rather than "Embedded images and attachments." I would rather not have to use the "embedded images" of attachments for the text message attachments (One PDF attachment in a text message lists all of its embedded pieces making the resulting PDF of the text message many many pages of unwanted items in the attachments listing section). Thanks.

I have continued trying various export options/settings (PDF, Load File) and I have been able to successfully export Chat Messages from the ingested Cellebrite UFDR report (iPhone) - just NOT with attachments as native. I have several thousand Chat Messages and many have XLSX spreadsheets as attachments. I can't get the Excel spreadsheet attachments to export as native. I wonder if Intella should merge chat messages into the email export options section - rather than treating them as "files" (for the export options pictured above). I believe Chat Messages fall under the "For every file include:" section <- but I do not want embedded images in the exported PDF/Native production (only the attachments). Either way, I still can't get the XLSX message attachments exported. I'll keep hammering/testing/learning ...

I processed a Cellebrite UFDR report and have numerous Chat Messages to produce. I would like to bulk export the responsive Chat Messages (with attachments) to individual PDFs. I believe I am close to seeing what I had hoped for - except the attachments section. The resulting export PDF includes the Chat Message and the attachment(s) = great, but also includes the attachment's children (many pieces/parts/children of the one parent attachment (a PDF attachment in this example)). The one PDF attachment has more than 20 child images. The 20+ child images are what I hope to suppress from the PDF report file. In the export wizard, PDF or image rendering options, I have selected "For every file include:" "Body" and "Embedded images and attachments." Is there a way to suppress the children of the Chat Message attachment - and only include the attachment itself?

Since processing, I have relocated my Intella sources to a new drive. Is there a way within the Intella case to point to the new new location ? or should I just copy the source files back to their original location until this case is complete?

Thank you very much.

I had not read the two linked help pages at the top of this topic before posting. Is the following the best work around: proximity search 1: "Wilson contact"~2 normal include search 2: "contact list" Thanks.

I would appreciate some help getting around a proximity search limitation involving a phrase and a term. An example (one I was provided to search) is: “contact list w/2 Wilson” They would like all items containing the phrase "contact list" within 2 words of the term Wilson. Seems simple enough, but I can not get my head around not being able to use nested double quotes < ""contact list" Wilson"~2 >. Suggestions? Thanks BTW: I am using Intella Pro 2.4.2

I have successfully added a few sources to an Intella Pro 2.3.1.2 case (E01s and folders). I am attempting to add one last E01 image and am receiving the following message in the "Select Folders" window: "Unable to retrieve folders." Note: I loaded this problematic image in another tool (XWays Forensics) and am able to see the partitions and folders tree. I tried re-imaging just the primary partition in the E01 using XWays and adding to a new Intella test case: same issue "Unable to retrieve folders." Any ideas on what may be causing this / how to fix? Thanks group.

I am poking around W4 1.0.3 for the first time - using the NIST CFReDS "Data Leakage Case" data set. I am really liking what I am seeing so far. One irregularity I just ran into: In the "USB Devices" Search section, the "Items" view correctly lists the connection timestamps (even after applying an EDT timezone offset in the "Sources" tab). The irregularity occurs when switching over to the "Events" view. The connection timestamps are all off by exactly 1 hr (likely a Standard/Daylight Savings issue). In the "Events" view, the right-side "Properties" preview section lists the timestamps correctly, however, the timestamps listed in the primary window area sorted chronologically are off by exactly 1 hr. I re-indexed the entire case and selected "rebuild links" with the Timezone offset already selected to Eastern Time to no avail. (My initial indexing was set for UTC time (-0)). Keep up the great work, this tool shows great promise.

I have processed a Cellebrite UFDR file (phone) with Intella v2.2.1. The manual makes it clear that instant message items will be bundled into "conversation items" if able, on a day-by-day basis (page 62). My question is: Is it possible to tag only one of the bundled message items listed in the bundled conversation? Tagging seems to only apply to the entire bundled conversation "SMS/MMS Conversation" file. One idea - perhaps I must redact all of the other/unwanted bundled text? Thanks

Thanks for the reply. When I have the next opportunity, I will check the item's Raw Data tab.

Dear community, I sent off a Cellebrite phone collection to be reviewed (along with the UFED Reader application). The reviewers tagged a bunch of items using Cellebrite Reader and then saved the results in a .pas (session) file. They now want me to create a load file of their tagged items. My thoughts: perhaps they can just email me their .pas session file containing their Cellebrite tags, I can load it up in Cellebrite (along with the original phone data), generate an XML report (which will hopefully contain their tagged items identified), use that XML report folder as a source in Intella, and create a load file for them. So far: They sent me the .pas file. It loaded fine and I see their tagged items in Cellebrite (all good so far). I created a Cellebrite XML report and searched the resulting XML file for their tag names - they exist in the XML file (still good). I created a new Intella v2.2.1 case, set the Cellebrite XML report folder as a source and indexed (still good and going to plan). Plan appears foiled: In Intella I do not see anything relating to their Cellebrite tags. I searched the case for their tag names = nothing. My plan seems like it won't work - Intella is not identifying the reviewers' tagged items as such after processing. Intella sees the data fine, just not the tags. <- as far as I can tell. Perhaps I will have to process the Cellebrite phone collection with Intella (ufdr as source) and have them tag from within Intella?? Is that my only / best option to get to the final goal of a load file of their items of interest? Thanks.

I did resolve my issue above (sort of). I exported as a load file (including PDF versions in the images export section). The contents of the PDFs folder is what I was wanting. I just deleted the rest of the load file pieces. I will experiment with the PDF export options some more to see how I can achieve what I wanted with just a PDF export (rather than load file).

I am using Intella Pro 2.2. I am attempting to export as PDF a few email messages with attachments. I selected the "Number pages" checkbox, but my resulting PDF files (3x, one per email) do not contain a page number. Each of the 3x exported PDF files' names increment correctly, based upon the number of pages within each. EX: 0001.pdf, 0006.pdf, and 0010.pdf. - But within each PDF, each page is not numbered. Is there perhaps an option I need to select on the "PDF rendering options" export page? or perhaps on the "Headers and footers" export page? Thank you.

Thanks for the reply. I am using default settings for Intella 2.2. The Wizard window1 settings are just pointing to the .DAT and .OPT files. The Wizard window2 settings are default and I double checked them with the specification in this matter: Condensed spec I received: 1. fields delimited with ANSI 20 2. String values within fields should be enclosed with ANSI 254 3. First line should contain metadata headers then one line per document 4. each row must contain the same number of fields as the header row 5. Each return or new line delimited by ANSI 174. 6. Multi-values separated by a semicolon (;) - It appears the default Intella settings with format: "Concordance/Relativity" selected match the above specs I received with the load file. I do not see an encoding listed in the spec. Perhaps this is the issue. Is the encoding method listed in the .dat file somewhere? I do see the .dat file layout in the "Text preview" tab (Load file preview tab is blank, however). Would the Date/time and number formats be a problem at this early importing stage ("error while validating load file. Input length =1")? Thanks for pointing me to the Intella video.