Jump to content

llanowar

Members
  • Posts

    34
  • Joined

  • Last visited

Profile Information

  • Gender
    Male
  • Location
    Louisiana

Recent Profile Visitors

1,421 profile views

llanowar's Achievements

Newbie

Newbie (1/14)

  • Conversation Starter Rare
  • First Post Rare
  • Collaborator Rare
  • Week One Done
  • One Month Later

Recent Badges

0

Reputation

  1. Since processing, I have relocated my Intella sources to a new drive. Is there a way within the Intella case to point to the new new location ? or should I just copy the source files back to their original location until this case is complete?
  2. I had not read the two linked help pages at the top of this topic before posting. Is the following the best work around: proximity search 1: "Wilson contact"~2 normal include search 2: "contact list" Thanks.
  3. I would appreciate some help getting around a proximity search limitation involving a phrase and a term. An example (one I was provided to search) is: “contact list w/2 Wilson” They would like all items containing the phrase "contact list" within 2 words of the term Wilson. Seems simple enough, but I can not get my head around not being able to use nested double quotes < ""contact list" Wilson"~2 >. Suggestions? Thanks BTW: I am using Intella Pro 2.4.2
  4. I have successfully added a few sources to an Intella Pro 2.3.1.2 case (E01s and folders). I am attempting to add one last E01 image and am receiving the following message in the "Select Folders" window: "Unable to retrieve folders." Note: I loaded this problematic image in another tool (XWays Forensics) and am able to see the partitions and folders tree. I tried re-imaging just the primary partition in the E01 using XWays and adding to a new Intella test case: same issue "Unable to retrieve folders." Any ideas on what may be causing this / how to fix? Thanks group.
  5. I am poking around W4 1.0.3 for the first time - using the NIST CFReDS "Data Leakage Case" data set. I am really liking what I am seeing so far. One irregularity I just ran into: In the "USB Devices" Search section, the "Items" view correctly lists the connection timestamps (even after applying an EDT timezone offset in the "Sources" tab). The irregularity occurs when switching over to the "Events" view. The connection timestamps are all off by exactly 1 hr (likely a Standard/Daylight Savings issue). In the "Events" view, the right-side "Properties" preview section lists the timestamps correctly, however, the timestamps listed in the primary window area sorted chronologically are off by exactly 1 hr. I re-indexed the entire case and selected "rebuild links" with the Timezone offset already selected to Eastern Time to no avail. (My initial indexing was set for UTC time (-0)). Keep up the great work, this tool shows great promise.
  6. I have processed a Cellebrite UFDR file (phone) with Intella v2.2.1. The manual makes it clear that instant message items will be bundled into "conversation items" if able, on a day-by-day basis (page 62). My question is: Is it possible to tag only one of the bundled message items listed in the bundled conversation? Tagging seems to only apply to the entire bundled conversation "SMS/MMS Conversation" file. One idea - perhaps I must redact all of the other/unwanted bundled text? Thanks
  7. Thanks for the reply. When I have the next opportunity, I will check the item's Raw Data tab.
  8. Dear community, I sent off a Cellebrite phone collection to be reviewed (along with the UFED Reader application). The reviewers tagged a bunch of items using Cellebrite Reader and then saved the results in a .pas (session) file. They now want me to create a load file of their tagged items. My thoughts: perhaps they can just email me their .pas session file containing their Cellebrite tags, I can load it up in Cellebrite (along with the original phone data), generate an XML report (which will hopefully contain their tagged items identified), use that XML report folder as a source in Intella, and create a load file for them. So far: They sent me the .pas file. It loaded fine and I see their tagged items in Cellebrite (all good so far). I created a Cellebrite XML report and searched the resulting XML file for their tag names - they exist in the XML file (still good). I created a new Intella v2.2.1 case, set the Cellebrite XML report folder as a source and indexed (still good and going to plan). Plan appears foiled: In Intella I do not see anything relating to their Cellebrite tags. I searched the case for their tag names = nothing. My plan seems like it won't work - Intella is not identifying the reviewers' tagged items as such after processing. Intella sees the data fine, just not the tags. <- as far as I can tell. Perhaps I will have to process the Cellebrite phone collection with Intella (ufdr as source) and have them tag from within Intella?? Is that my only / best option to get to the final goal of a load file of their items of interest? Thanks.
  9. I did resolve my issue above (sort of). I exported as a load file (including PDF versions in the images export section). The contents of the PDFs folder is what I was wanting. I just deleted the rest of the load file pieces. I will experiment with the PDF export options some more to see how I can achieve what I wanted with just a PDF export (rather than load file).
  10. I am using Intella Pro 2.2. I am attempting to export as PDF a few email messages with attachments. I selected the "Number pages" checkbox, but my resulting PDF files (3x, one per email) do not contain a page number. Each of the 3x exported PDF files' names increment correctly, based upon the number of pages within each. EX: 0001.pdf, 0006.pdf, and 0010.pdf. - But within each PDF, each page is not numbered. Is there perhaps an option I need to select on the "PDF rendering options" export page? or perhaps on the "Headers and footers" export page? Thank you.
  11. Thanks for the reply. I am using default settings for Intella 2.2. The Wizard window1 settings are just pointing to the .DAT and .OPT files. The Wizard window2 settings are default and I double checked them with the specification in this matter: Condensed spec I received: 1. fields delimited with ANSI 20 2. String values within fields should be enclosed with ANSI 254 3. First line should contain metadata headers then one line per document 4. each row must contain the same number of fields as the header row 5. Each return or new line delimited by ANSI 174. 6. Multi-values separated by a semicolon (;) - It appears the default Intella settings with format: "Concordance/Relativity" selected match the above specs I received with the load file. I do not see an encoding listed in the spec. Perhaps this is the issue. Is the encoding method listed in the .dat file somewhere? I do see the .dat file layout in the "Text preview" tab (Load file preview tab is blank, however). Would the Date/time and number formats be a problem at this early importing stage ("error while validating load file. Input length =1")? Thanks for pointing me to the Intella video.
  12. Hi group. I am attempting to import a load file source (Concordance). After step 1: pointing to the .DAT and .OPT files, and hitting step 2 (Configure Delimiters) I see at the bottom, "Error while validating load file: Input length = 1. I am not very savvy with load files and this may be beyond my capabilities to resolve - but I thought I would at least see if this particular error message may have an easy fix. I clicked "Detect encoding" and receive: "Could not detect encoding". The "Load file preview" tab is blank. The "Image preview" tab shows a page name, a image path beginning with a "." and the preview saying "Image file cannot be read: ... Paths may not be correctly configured." (same problem using absolute paths). Example: Y:\<...>\DATA\. \<load file folder name>\Images\00001.jpg I did look at the .DAT file contents briefly and the fields/delimiters look OK. Thanks.
  13. Hi group. I am performing my fist exports of tagged data with Intella and am wondering if you have any pointers/suggestions for a good naming/numbering scheme. The protocol does not specify any specifics for naming/bates stamp conventions. - just that each tiff/page needs a unique number with no gaps. One party wants a load file (with TIFFs), another party wants just PDF renderings of everything (they don't use a review platform). I suppose I could perform the export as a load file "type" (export screen 1). On the "Load file options" screen I can check both the "Include image files" (with format TIFF) and the "Also include PDF versions of images" option (for the party who only wants PDF). "File naming and numbering" screen: After some testing (and following along with the Intella Load File Ceation youtube video) I am not sure I am selecting the ideal naming/numbering scheme. Any suggestions here? Would a good scheme that works for both parties (one with a review tool/load file and one without a review tool - just looking through PDF renderings) be something like: <Unique number for each file starting at 00001>.<page number of that file> ? So, for example, a Word doc with 2 pages followed by a Word doc with 1 page would be something like: 00001.001, 00001.002, 00002.001 - not sure how this would play out with email messages and attachments. Any guidance would be welcome (favorite naming/numbering options, etc) - Thank you.
  14. Amazing! Thanks - I'll give it a whirl later today. As always, thanks for the assistance.
×
×
  • Create New...