Jump to content

Export Tags & Files into Folders/Import into EnCase?


garybrevans

Recommended Posts

Morning.

 

So here is what I am trying to achieve.

 

I want to export from Intella a set of folders, each named after the Tag and each containing the files that have been tagged. I can do this manually for each tag by creating a folder in Windows of the tag name, select the files in the tag and then export the files to the folder I've just made. This isn't much use if there are lots of tags.

 

If I right click on the Tags I can export the Tag names which does not help.

 

I note that with the Intella EnScript I can import a CSV via the 'tag importer'. However, how do you create a CSV that works? I've highlighted the files in Intella and exported to CSV but I keep getting an error message when I try and run the EnScript and point it at the CSV I have just created:

 

'Pleas export a valid CSV file. It has to include the fields "Name" and "MD5 Hash".

 

'Please' is misspelt and I cannot find a field called 'Name'.

 

Am I missing something?

 

There is nothing in the manual either.

 

Thanks.

post-491-0-25044100-1403508610_thumb.jpg

Link to comment
Share on other sites

Update to the above.

 

If you do an export to CSV from Intella from a file listing with the 'File Name', 'MD5 Hash' and 'Tags' checked, then copy the contents of the CSV to a new CSV, rename 'File Name' to 'Name' you can import into EnCase to a point.

 

Of 96 files in Intella less than a third were bookmarked in EnCase. Plus, it just gives you a single bookmark folder full of files in EnCase, so pretty pointless.

 

As an investigator, surely the most important thing I want to be able to do at the end of the process (outside of Intella) is identify files by tag. Can someone please tell me how to achieve this?

 

Thanks.

Link to comment
Share on other sites

It's been a long time since I used EnCase but can you take a slightly different approach and create hash lists from Intella, then use them to locate the duplicate files within EnCase?

 

If you export a CSV named after the tag from Intella and only populate the MD5 you should have several little hash lists. If EnCase can't use .csv hash lists then copy the values into a text file or what ever format you need for EnCase, then import that hash sets, and you can then tag within EnCase using the names of the hash sets as a guide for what the original keyword tag was within Intella.

 

This approach works with Xways forensics flawlessly, but not sure on the step by step for EnCase.

Link to comment
Share on other sites

How do I copy native files out of Intella into folders named after the tags in one go without manually creating the folders in Windows first then copying the tagged files, one set of tagged files at a time into the folders I have just made? It sounds like it should be simple.

Link to comment
Share on other sites

I don't think that can be done, to be honest I'm not aware of any software that could do that.

 

The only thing I can think of is exporting the files and use the advanced naming option with %tags% as the first option, then include any others you want (I like %num% for individual numbers and maybe %subject% for emails). Make sure you don't retain folder structure, dump them all in a single directory. After the export has finished sort by name and you can then copy the different files based on tags out into separate folders which you will have to manually create.

 

Generally viewing based by tags is something done by the reviewer/investigator so I've never considered the need to do what you are describing.

 

I'd be interested to see if perhaps the Intella native report creations could be made to include 'tags' at the top of the report in the same way they currently include 'sources'. If the tags were listed at the top of the page with a hotlink that when clicked would open a new tag.html file that basically showed the same information as a normal report.html, but only for the files with that tag.

 

This would obviously increase the time taken to export and create the reports as a new report would need to be generated for each tag, however if this was an option rather than the default position it would add a nice layer to the reporting functionality.

Link to comment
Share on other sites

×
×
  • Create New...