Jump to content

Wish list/suggestions V2


PF1
 Share

Recommended Posts

Certainly it would be great to have that in Connect as well, but I'm talking about creating a timeline report that can be exported as a stand alone thing to give to a client.

 

Currently after review there is usually a select amount of relevant emails, it could be 20 or it could be 200. They are given copies of these emails either individually or as part of a HTML/PDF report depending on their preferences. If we could add to that list a timeline report which shows them all the relevant emails with that lovely graphic and live clickable links....that's what I'm hoping for.

 

Most of my clients are lawyers and the visual impact of them being able to present something like that in court cannot be understated, not to mention for me to show clients when I am pitching our services.

Link to comment
Share on other sites

Once again, wondering if we are ever going to be able to calcualte the total size of a data set based on selections within Intella?

 

This has been a request since 2012, and I was told a few years ago that this was being bumped up in the request process, but this is still (IMO) a key feature that is not present.  I don't even neccessarily need "on the fly" calculations, just the ability to either highlight or checkmark a group of items and then calculate the total output size of the selected items.

 

I am willing to beg or grovel if needed!  This would make my life SO much easier....

Link to comment
Share on other sites

Just on PF1's request above, wouldn't it be very simple to just have the figures in the size column tallied automatically and display that figure next to the 'selected items' number already displayed top left of the preview pane?

 

I realise that after export due to weird things happening the actual size may differ, but at least this would be a very quick and easy way to give a good indication of possible data set size and would require nothing more than a simple formula to tally up a column with data already displayed. 

 

PF1 until something like this is implemented the easiest way I can figure out is to have the set you are interested in highlighted, right click and export table as CSV. You can then use the normal formula methods within Excel to tally up the size column. 

 

Not ideal I know but it's fairly quick and will give a good indication of what final size of export may be like.

  • Like 1
Link to comment
Share on other sites

AdamS, agreed, that is currently how I am doing this but with the larger scale cases, this becomes very tedious.

 

 

 

Also, another feature request that would be nice would be the ability to import a set of tag names from a text/csv file.

 

I find myself making the same tags over and over on different matters, and it would be great to be able to simply import them rather that re-create them over and over again.

Link to comment
Share on other sites

Hello all,

 

Above are two feature improvements that make a lot of sense to me: showing the cumulative size of selected items in the table and exporting the timeline to something that can be viewed and manipulated in a web browser. Both ideas made it into the ticket system (where we keep track of our development tasks) a long time ago. The only reason they are not there yet is time: we simply have a very long list of great additions we could make and we need to make hard choices.

 

We apologize for the long wait. Please know that chances of ideas getting implemented increase considerably when more people ask for it.

 

The cumulative size procedure has been asked for by several users and has now been planned for the 1.9 release, which is scheduled for early summer. Note though that that is an expectation, not a promise! :)

 

For the exported timeline we don't have any concrete plans yet, but as said that can change when more people ask for this.

Link to comment
Share on other sites

  • 2 weeks later...

Small functional wish for a scroll bar for the left hand side of the preview window when opening up an item.

 

I'll attempt to explain, if you enable the option to have the num keys used for tags with the maximum number (9) then double click on an email it opens in a smaller window with all 9 tags visible on the left hand side of this preview window. What this does is force some of the other options out of view (print, save, open in native application etc) and unless you maximize the window you can't see/access these options. If there was a scroll bar available when this happens it would enable us to scroll up to access these options, or better yet have the default view keep these options visible and the option to scroll down if we want to as the option to redact etc which are at the bottom are far less likely to be used.

 

Does this make sense?

Link to comment
Share on other sites

  • 2 weeks later...

I've got a suggestion:

 

When performing a 'date search', there are a number of metadata attributes available to select (but only two are selected by default - date sent/received). These default attributes can limit the results which would otherwise be returned by the search, and an operator without this specific knowledge may inadvertently exclude records from a search.

 

No notification is provided to the operator that records might be omitted via the default 'date search' options. We found this default setting is also not clearly documented within the manual.

 

We'd suggest/request for the wishlist that a change be made such that in the future, either:

 - The default behaviour of the date range search function will be changed to select all metadata attributes; and/or:

 - A user interface change be made to identify (i.e. alert the operator to) implicit restrictions with this default date search behaviour.

 

We also suggest/request that the documentation be edited, to specifically call out the impact these functions will have on search results.

 

 

Link to comment
Share on other sites

Hello Tyson,

 

Thank you for your suggestion, we always welcome those.

 

The default set of date attributes that are being searched have been chosen so that it matches best with the most common use cases that we witness with our customers - which can vary wildly. To educate users that not all fields are searched by default, we decided to show the full list of date fields in the Date facet, rather than in a more hidden place.

 

Changing the defaults may upset users who have grown accustomed to how it works now. An indicator for the number of date fields that are being searched (e.g. a line reading "using 2 out of 12 fields") could be an option though.

Link to comment
Share on other sites

I for one would not like to see all fields selected by default, this would throw up a lot of extra information that wouldn't be needed in many cases. This seems more like an awareness issue than anything, if you have 'pop ups' and 'warnings' every time we do something it's going to start to look like a dodgy web site  :P

Link to comment
Share on other sites

The ability to isolate emails involving specific users, sort of like this thread but a bit more refined.

 

http://community.vound-software.com/index.php?/topic/235-email-between-individuals/?hl=address&do=findComment&comment=1175

 

Using the search fields 'to' 'from' etc I can find emails between users, but lets say I want to find all emails that only involve 3 different users. Currently I have to conduct several different searches to first isolate all emails sent by A, then by B then by C, then all emails received by A, B and C, then find the intersecting emails, then sort by email addresses and manually find the ones that only involve the email addresses of interest. While this process works it's a little clumsy and considering Intella already has all the information stored away for us I was hoping there was a way we could put that to work.

 

The simplist way I could see this being implemented would be a simple tickbox option next to the 'from' 'to' 'cc' 'bcc' etc under the search 'Options' button that says 'ONLY'. If we tick that box next to one of the fields, then enter a name/email address to search by, Intella would then return emails which ONLY contained that one specific name/address.

 

Then it would be very simple and quick to find all the emails sent by a specific user to a specific user that didn't involve any other email addresses!

  • Like 1
Link to comment
Share on other sites

I wanted to add something that kind of expands on what Adam said by addressing a larger issue, but would also solve this challenge and others.  Like other users, I'm constantly asked to find all the email between X individuals.  Such an instruction is always provided by someone who can only think within the context of their own Outlook inbox, and can't grasp the steps required in Intella to achieve this.  By the same token, like Adam said, the data is already there - we just need an easier way to recall it.

 

What I think would make it easier is adapting Intella to be able to more easily build multi-criteria searches.  Please forgive me for invoking Relativity, but I think applying a general concept from its search dialogue would make Intella even more powerful and more efficient. In Relativity you can "build" searched with AND or OR connectors, across multiple criteria.  In doing so, you can also add groupings via parenthesis.  Ironically, this is a concept that the people that can't grasp the steps required in Intella actually CAN understand.  However, I can't execute it as envisioned, to which I'm subjected to, "I don't understand why everything is always so difficult..."

 

So let's say you start with a query for all email sent by a particular name(s) or email email address(es) via the From and Sender fields.  Then, rather than execute the search like you would have to now, you select a new AND/OR connector dropdown.  When you chose this, either a second Intella search criteria dialogue would appear, or the previous one would clear out, with the information saved, and the new information to be added.  In this step, you would search for the names or email addresses in the recipient fields, etc., then run the search.  You would then be left with the results you're after, with no additional effort required.  

 

Although I'm a big fan of the visualizations and seeing where document sets overlap, when you're doing a search like this, I think it's currently too complicated, takes too long, and is subject to human error.  In my mind, this approach would make Intella more flexible in that, it would retain its ability to excel in the needle in a haystack type search, but vastly improve it's ability to handle broader searches.  I suppose that's a concept that varies depending on the context in which you're using it, but I'm almost always using it in the latter context in e-discovery.  

 

This is hardly a criticism, but over time, I've found that Intella can be TOO precise for my purposes!  By the same token, in making these adjustments, I would want to see it retain its unique simplicity and NOT end up with Relativity's clumsy dialogue.  I just want the added functionality/flexibility, but within the confines of Intella's speed and simplicity.  

 

Hopefully that made at least a little sense!       

Link to comment
Share on other sites

I second Jasons request for the ability to expand the search parameters, I really like the idea, but I would point out that the 'only' option would still be required when selecting the 'from', 'cc' or 'bcc' fields to have the option of selecting those with only a specific recipient.

 

Presumably you would then have the ability to add numerous search criteria with that 'drop down connector' method?

 

So emails FROM --> Sent BEFORE -->WITH attachments --> Containing the keyword?

 

Something like that which we currently need to use the 'include' 'exclude' filters for could be build as a specific search?

 

I should point out that on odd ocassions (not frequently but it does happen), intella's include/exclude options don't do what they should.

 

I have had the situation where I search a keyword, then include only communications but still have PDF and other document types showing up in the results. Perhaps the options to build custom searches in this manner would alleviate these issues?

  • Like 2
Link to comment
Share on other sites

While I'm here, I had a thought last night which may help everyone with regards to our wishlist/requests etc.

 

This is more of a functional request for the forums here to assist the Intella people with gauging the popularity of our requests, and also an organisational change to the layout of the forums to make it easier to see.  

 

Create a new sub forum under the two main forum headers for Functionality Requests (ie one under 'Intella' and another under 'Intella Connect'. Have each function request made by us the users as a new topic, and most importantly add a "yes please" button (or similar) to the bottom of the first post. This button would allow other users to simply vote "yes" to any of the changes requested, without the need to actually post anything and the' button may help you prioritise our requests based on popularity. Of course discussion about a request can still carry on but that little button conveys instantly the popularity of the request. 

 

The advantage here is that by simply viewing the first post the Admin's can see how many of Intella's users think the request is a good idea, and also rather than having to scroll through several Wishlist threads to try and find the posts that are actually relevant, you only have to look at the first post of each new thread to get the relevant information. It would also make it much easier for you and us to scroll back through feature requests and hopefully avoid any duplication.

 

And lastly when/if you do implement a change based on a request you could go back and change the colour of that thread to red or blue, some quick visual clue so that as we look at the threads we can very quickly see which changes have been implemented. This is purely a warm fuzzy so we know you are listening to us  :P

  • Like 2
Link to comment
Share on other sites

  • 2 weeks later...
  • 10 months later...

With the implementation of so many awesome features released in 1.9.1, specifically those pertaining to the registry and other forensicy stuff, it has me wishing for more!  I thought I would enquire as to the possibility of including the decoding and indexing of Volume Shadow Copies.  Has this idea been kicked around before?

 

Thanks! 

Link to comment
Share on other sites

  • 7 months later...

Automated pre-processing for OCR output

I don’t know if something like this is already possible, but I think it would be nice to have an automated export of files that should be ocr-red, if the user sets this feature to ‘yes’.

 

  • Filtering the right PDF files    (filter:type = pdf document --> features = empty documents  --> auto tagging: OCR-export-pdf  -->  export tot \case\OCR-export-pdf)
  • Filtering the right tif(f) files     (path:*.tif OR *.tiff     -->  search     --> filter: type = images   --> auto tagging: OCR-export-tif  -->  export tot \case\OCR-export-tif)

 

When this is done during case indexing/processing it will speed up the total processing time needed.

 

Regards,

Hans

Link to comment
Share on other sites

Hi Hans,

 

The Tasks feature (the last screen before indexing) should allow you to do what you are asking. Tasks and Saved searches can be imported into a case and these can be used to filter and export these file types you require.

 

You can use a Saved search to filter by PDF type and empty documents. You can also use a Saved search to filter by Tiff type, which are not embedded items. This should give you the items for OCR processing. The results can be automatically tagged and exported with the Tasks feature.

 

Regards

 

Jon 

Link to comment
Share on other sites

  • 3 months later...

DICTIONARY Feature Request

 

Two examples of dictionary capabilities are associated with Proofpoint Regulatory Compliance and Forcepoint Data Loss Prevention.

The primary difference between the "Keyword List" functionality and a dictionary is "match unique" or "single instance".

If you define a key word list of:

A
B
C
D
E
F
G

Example: True positive requires a score of 5.

Any combination of "unique" matches would generate a match.

ABDEG
ADEFG

but the following would not generate a match.

AAAAG

or

CCDDG


The key is that the dictionary is defined by the relationship of one feature with other features and not the mere existence of a single feature multiple times. The is the key difference between a keyword list and a dictionary.


The better model used by Proofpoint and Forcepoint is not only the above but the ability to configure a more robust weighted dictionary. Proofpoint also allows regex to be included as a feature within a dictionary.

Forcepoint uses regex similarly as Intella.

The following is an example of a weighted dictionary.

A 10/1
B 1/10
C~1/10
D -10/1
E 10/1
F 1/1
G 1/10

A scores 10 but only count a single match.
B scores 1 but only count a single match
C is a regular expression, scores 1, count up to 10 matches
D scores negative 10, only count 1 match
E scores 10 but only count a single match.
F scores 1, only count one match
G scores 1 count up to 10 matches.

In the above example a score of 23 might be the perfect score to identify a true positive.

We use negative weighting in dictionaries and that way we do not have to use a Boolean NOT or exclusions.

A specific example is to ignore all invoices or purchase orders, so in the above example I might do a negative -100. That way it is never possible to trigger the dictionary.

My experience in the use of Intella is that I have to convert my Proofpoint or Forcepoint to Intella keyword lists. Since it is not one for one there is a lot of subjective work still needed.

It would be nice to determine if keyword lists or content analysis (regex) could be used in all cases. Perhaps Global Keyword Lists.

Global keyword lists (dictionaries preferred of course). It is frustrating to always have to load these items into every case.

Last but not least is to use standard TF/IDF and when necessary stopwords to create the TagCloud, and then select items to go into the dictionaries.

Hopefully this describes to some detail what sort of features would be useful, useful at least to someone who has been doing information security a long time.

We are using Intella both before and after we define policies/rules in our other environments. It is difficult sometimes to convert search criteria or detection methods because certain regex's can't be used in one platform that is used in another, or case sensitivity is not supported which is a major issue for us (confidential vs CONFIDENTIAL).

Intella is a great solution that can be made better, and all of the recommendations above I think will make for a Killer App. I'd sell it to Symantec or Forcepoint as the tool to build rules and policies.

Comments desired.

Link to comment
Share on other sites

  • 3 weeks later...

GMail API based collection request

 

Please consider having the API based method of GMail collection maintain the gmail tag/folder structure of the collected items.

 

Currently, this method, while VERY fast as compared to a Thunderbird IMAP client collection, strips all directory stricture of the mail.  It is often important to know if a message is in Sent, Inbox, Starred, or some custom folder.

Link to comment
Share on other sites

  • 5 months later...

Finally able to get back here and contribute again.

 

Loving the latest version 2.1 so far, great to see some customization and the addition of identities I think is fantastic.

 

Just a couple of functional wishes specific to processing UFDR files, which it does admirably I might add. It appears Intella is parsing all the available information, but some items are not being detailed seperately despite the fact they are indeed present. The below is not exhaustive just some initial idea's:

  • Bluetooth Devices
  • URL for web history
  • Voicemail

All the data is there and I can create the custom columns for the URL's with no problem, I just feel that it would make sense that Intella should parse that info automatically given it's web history. The other info for Bluetooth and Voicemail is there, but you have to manually dig down into the file system to locate them.

 

I think it would make sense to have UFDR files be identified at the source indexing stage so you add them specifically rather than just a file, and at that point you could have a number of check boxes to create those custom columns from the outset. Would that be workable? It would save us having to create these custom columns after the fact and reindexing.

Link to comment
Share on other sites

A long standing wish (and to be honest the only thing that irks me about this great tool), the ability to add multiple source items when setting up the case.

 

Adding 10 source items from different locations is laborious and it should be a very simple process.

 

I can see one of two ways that would work:

  1. At the source selection screen have a box or screen where you can add the source items or locations one at a time, buttons at the bottom that say 'add more' or 'finished' allow easy navigation. Once you click 'finished' then you go through and select all the processing options you want.
  2. Other way is have the ability to select multiple source locations by holding cntrl down and clicking, same way you can in windows explorer.

Having the complete the entire processing selection for each item, then selecting 'no' for indexing now and then starting again makes my head hurt :(

  • Like 2
Link to comment
Share on other sites

  • 2 months later...

Just had my first play with building identities in the new tab, very nice.

 

Small request in that regard, an "Identities" check box in the column display selector so we can see which items correspond to the created Identity. I suspect this would need a re-index if I understand correctly, but I was thinking there must be a way to do this without indexing by using Document ID's perhaps?

 

Also any comments on simplifying ways of isolating emails which only involve specific users? This is something that I have to do on every single job without exception and the current process is quite laborious. What I mean here is that if I want emails which ONLY involve person A and person B, I have to manually search then scroll through and identify emails which contain other recipients. On a large case this can add many hours to what should be a simple process in my mind.

 

I first requested this back in 2015 and periodically since, but haven't really had any indication if it's possible or likely to be implemented. If not let me know and I'll stop asking :)

Link to comment
Share on other sites

Hi Adam,

 

I will forward your requests to the development team.

 

Re searching for emails which ONLY involve person A and person B. As you know, this is a bit of a manual process currently. Just thinking of ideas (and please chip in as well), would a window where you can manually type in the known email addresses work? When the addresses are entered, you click a search button and Intella shows the emails where these people must be senders and receivers. It could be expanded to allow for multiple email addresses for each person. 

 

Just an idea. I would have to check with the development team whether this could actually be done. Any other ideas?

 

Jon

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
 Share

×
×
  • Create New...