Jump to content

llanowar

Members
  • Posts

    37
  • Joined

  • Last visited

Everything posted by llanowar

  1. Hi Chris. I would like to produce just Type: "Chat Message" items (not entire conversations) - I have over 3,000 tagged. Many of the individually tagged messages contain attachments. I have difficulties with the attachments. It seems like these individual text/chat messages should be treated like an email - as far as exporting/producing options (left hand side of options picture above, rather than the "files" section on the right hand side of options picture above). i.e., "For every email include:" could be "For every email or chat message include:" <- this might allow me to use "Attachments content" rather than "Embedded images and attachments." I would rather not have to use the "embedded images" of attachments for the text message attachments (One PDF attachment in a text message lists all of its embedded pieces making the resulting PDF of the text message many many pages of unwanted items in the attachments listing section). Thanks.
  2. I have continued trying various export options/settings (PDF, Load File) and I have been able to successfully export Chat Messages from the ingested Cellebrite UFDR report (iPhone) - just NOT with attachments as native. I have several thousand Chat Messages and many have XLSX spreadsheets as attachments. I can't get the Excel spreadsheet attachments to export as native. I wonder if Intella should merge chat messages into the email export options section - rather than treating them as "files" (for the export options pictured above). I believe Chat Messages fall under the "For every file include:" section <- but I do not want embedded images in the exported PDF/Native production (only the attachments). Either way, I still can't get the XLSX message attachments exported. I'll keep hammering/testing/learning ...
  3. I processed a Cellebrite UFDR report and have numerous Chat Messages to produce. I would like to bulk export the responsive Chat Messages (with attachments) to individual PDFs. I believe I am close to seeing what I had hoped for - except the attachments section. The resulting export PDF includes the Chat Message and the attachment(s) = great, but also includes the attachment's children (many pieces/parts/children of the one parent attachment (a PDF attachment in this example)). The one PDF attachment has more than 20 child images. The 20+ child images are what I hope to suppress from the PDF report file. In the export wizard, PDF or image rendering options, I have selected "For every file include:" "Body" and "Embedded images and attachments." Is there a way to suppress the children of the Chat Message attachment - and only include the attachment itself?
  4. Since processing, I have relocated my Intella sources to a new drive. Is there a way within the Intella case to point to the new new location ? or should I just copy the source files back to their original location until this case is complete?
  5. I had not read the two linked help pages at the top of this topic before posting. Is the following the best work around: proximity search 1: "Wilson contact"~2 normal include search 2: "contact list" Thanks.
  6. I would appreciate some help getting around a proximity search limitation involving a phrase and a term. An example (one I was provided to search) is: “contact list w/2 Wilson” They would like all items containing the phrase "contact list" within 2 words of the term Wilson. Seems simple enough, but I can not get my head around not being able to use nested double quotes < ""contact list" Wilson"~2 >. Suggestions? Thanks BTW: I am using Intella Pro 2.4.2
  7. I have successfully added a few sources to an Intella Pro 2.3.1.2 case (E01s and folders). I am attempting to add one last E01 image and am receiving the following message in the "Select Folders" window: "Unable to retrieve folders." Note: I loaded this problematic image in another tool (XWays Forensics) and am able to see the partitions and folders tree. I tried re-imaging just the primary partition in the E01 using XWays and adding to a new Intella test case: same issue "Unable to retrieve folders." Any ideas on what may be causing this / how to fix? Thanks group.
  8. llanowar

    What is W4

    I am poking around W4 1.0.3 for the first time - using the NIST CFReDS "Data Leakage Case" data set. I am really liking what I am seeing so far. One irregularity I just ran into: In the "USB Devices" Search section, the "Items" view correctly lists the connection timestamps (even after applying an EDT timezone offset in the "Sources" tab). The irregularity occurs when switching over to the "Events" view. The connection timestamps are all off by exactly 1 hr (likely a Standard/Daylight Savings issue). In the "Events" view, the right-side "Properties" preview section lists the timestamps correctly, however, the timestamps listed in the primary window area sorted chronologically are off by exactly 1 hr. I re-indexed the entire case and selected "rebuild links" with the Timezone offset already selected to Eastern Time to no avail. (My initial indexing was set for UTC time (-0)). Keep up the great work, this tool shows great promise.
  9. I have processed a Cellebrite UFDR file (phone) with Intella v2.2.1. The manual makes it clear that instant message items will be bundled into "conversation items" if able, on a day-by-day basis (page 62). My question is: Is it possible to tag only one of the bundled message items listed in the bundled conversation? Tagging seems to only apply to the entire bundled conversation "SMS/MMS Conversation" file. One idea - perhaps I must redact all of the other/unwanted bundled text? Thanks
  10. Thanks for the reply. When I have the next opportunity, I will check the item's Raw Data tab.
  11. Dear community, I sent off a Cellebrite phone collection to be reviewed (along with the UFED Reader application). The reviewers tagged a bunch of items using Cellebrite Reader and then saved the results in a .pas (session) file. They now want me to create a load file of their tagged items. My thoughts: perhaps they can just email me their .pas session file containing their Cellebrite tags, I can load it up in Cellebrite (along with the original phone data), generate an XML report (which will hopefully contain their tagged items identified), use that XML report folder as a source in Intella, and create a load file for them. So far: They sent me the .pas file. It loaded fine and I see their tagged items in Cellebrite (all good so far). I created a Cellebrite XML report and searched the resulting XML file for their tag names - they exist in the XML file (still good). I created a new Intella v2.2.1 case, set the Cellebrite XML report folder as a source and indexed (still good and going to plan). Plan appears foiled: In Intella I do not see anything relating to their Cellebrite tags. I searched the case for their tag names = nothing. My plan seems like it won't work - Intella is not identifying the reviewers' tagged items as such after processing. Intella sees the data fine, just not the tags. <- as far as I can tell. Perhaps I will have to process the Cellebrite phone collection with Intella (ufdr as source) and have them tag from within Intella?? Is that my only / best option to get to the final goal of a load file of their items of interest? Thanks.
  12. I did resolve my issue above (sort of). I exported as a load file (including PDF versions in the images export section). The contents of the PDFs folder is what I was wanting. I just deleted the rest of the load file pieces. I will experiment with the PDF export options some more to see how I can achieve what I wanted with just a PDF export (rather than load file).
  13. I am using Intella Pro 2.2. I am attempting to export as PDF a few email messages with attachments. I selected the "Number pages" checkbox, but my resulting PDF files (3x, one per email) do not contain a page number. Each of the 3x exported PDF files' names increment correctly, based upon the number of pages within each. EX: 0001.pdf, 0006.pdf, and 0010.pdf. - But within each PDF, each page is not numbered. Is there perhaps an option I need to select on the "PDF rendering options" export page? or perhaps on the "Headers and footers" export page? Thank you.
  14. Thanks for the reply. I am using default settings for Intella 2.2. The Wizard window1 settings are just pointing to the .DAT and .OPT files. The Wizard window2 settings are default and I double checked them with the specification in this matter: Condensed spec I received: 1. fields delimited with ANSI 20 2. String values within fields should be enclosed with ANSI 254 3. First line should contain metadata headers then one line per document 4. each row must contain the same number of fields as the header row 5. Each return or new line delimited by ANSI 174. 6. Multi-values separated by a semicolon (;) - It appears the default Intella settings with format: "Concordance/Relativity" selected match the above specs I received with the load file. I do not see an encoding listed in the spec. Perhaps this is the issue. Is the encoding method listed in the .dat file somewhere? I do see the .dat file layout in the "Text preview" tab (Load file preview tab is blank, however). Would the Date/time and number formats be a problem at this early importing stage ("error while validating load file. Input length =1")? Thanks for pointing me to the Intella video.
  15. Hi group. I am attempting to import a load file source (Concordance). After step 1: pointing to the .DAT and .OPT files, and hitting step 2 (Configure Delimiters) I see at the bottom, "Error while validating load file: Input length = 1. I am not very savvy with load files and this may be beyond my capabilities to resolve - but I thought I would at least see if this particular error message may have an easy fix. I clicked "Detect encoding" and receive: "Could not detect encoding". The "Load file preview" tab is blank. The "Image preview" tab shows a page name, a image path beginning with a "." and the preview saying "Image file cannot be read: ... Paths may not be correctly configured." (same problem using absolute paths). Example: Y:\<...>\DATA\. \<load file folder name>\Images\00001.jpg I did look at the .DAT file contents briefly and the fields/delimiters look OK. Thanks.
  16. Hi group. I am performing my fist exports of tagged data with Intella and am wondering if you have any pointers/suggestions for a good naming/numbering scheme. The protocol does not specify any specifics for naming/bates stamp conventions. - just that each tiff/page needs a unique number with no gaps. One party wants a load file (with TIFFs), another party wants just PDF renderings of everything (they don't use a review platform). I suppose I could perform the export as a load file "type" (export screen 1). On the "Load file options" screen I can check both the "Include image files" (with format TIFF) and the "Also include PDF versions of images" option (for the party who only wants PDF). "File naming and numbering" screen: After some testing (and following along with the Intella Load File Ceation youtube video) I am not sure I am selecting the ideal naming/numbering scheme. Any suggestions here? Would a good scheme that works for both parties (one with a review tool/load file and one without a review tool - just looking through PDF renderings) be something like: <Unique number for each file starting at 00001>.<page number of that file> ? So, for example, a Word doc with 2 pages followed by a Word doc with 1 page would be something like: 00001.001, 00001.002, 00002.001 - not sure how this would play out with email messages and attachments. Any guidance would be welcome (favorite naming/numbering options, etc) - Thank you.
  17. Amazing! Thanks - I'll give it a whirl later today. As always, thanks for the assistance.
  18. Hi group. I am using Intella Pro 2.2. I have been asked to produce some tagged files in load file format. The protocol states a field should be included, "CONFIDENTIAL", "Y or N will be noted in this field. This field defines whether or not a document has ben designated as "Confidential."" I have researched the load file creation screens and do not see how to include this field. On the "Load file options" screen, I checked "Exclude content" with the confidential tag applied and the Placeholder text "CONFIDENTIAL." On the "Load file field chooser" screen I see no way to create a field as described in the protocol (Name: CONFIDENTIAL, Type: ??, Value: ??) <- Y if a file is tagged confidential, N if not tagged confidential. Any ideas? Thank you in advance.
  19. I have a question about creating a load file. One of the load file metadata fields I was instructed to incorporate is (per the ESI protocol doc): ATTACH_RANGE Description: Beginning and Ending Attachment numbers for parent and children. The number should be BEG_NO of the parent and END_NO for the last Child. Looking at page 190/191 of Intella manual, this seems they want RECORD_ID_GROUP_BEGIN and then RECORD_ID_GROUP_END. If so, then how would I associate two Intella types to one new custom field "ATTACH_RANGE"? Thanks.
  20. I searched for an OCR candidate procedure and ran across this older conversation (as well as the "Sample checklist for users" post). I still am wondering ... Using Intella, how best to identify the files I should OCR? Perhaps, use the Images "Type" facet and preview all of them? Preview all of the "Empty Documents" in the "Features" facet? Are the above 2 steps alone satisfactory? Any guidance on a procedure(s) to locate files needing OCR would be very welcome
  21. Thank you kindly - Adam and Alex. Makes perfect sense now.
  22. I notice that an email message has both an MD5 hash value and a message hash value. I understand, from the manual (14.1.17), the derivation of the Message Hash for email - but I am not sure why I am also seeing an MD5 hash value. I thought MD5 was only calculated for binary/loose files - how is MD5 calculated for email messages? Is the MD5 value for email messages just as valuable for email messages in determining uniqueness? Thanks.
  23. I am curious - has the feature for bates page numbering in PDF exports been added? Thanks.
×
×
  • Create New...