Combining Intella Cases

[philrodo]

Is there a way to combine two or more Intella cases into one new case? We had an issue processing a number of PST files as Java kept on crashing, so we processed them in four batches and that seemed to have done the trick so that the processing completed. However, we now would like to combine the four separate Intella cases so that we don't have to run the same searches four different times (which also means that we'll probably end up with some (lots?) of duplicates).

 

I'm thinking that we can export the search hits from each case to four separate PSTs and then re-process the exported PSTs into a new Intella case. But that will be kind of awkward and time consuming. That's why I'm hoping there is a way to combine the four separate Intella cases into one. Is that even possible?

 

Please let me know. Thanks.

 

Best regards, Phil  

[AdamS]

There is no way to combine cases at this point Phil, I believe it's possibly on the road map for a future release, one of the Intella people will be able to confirm if that's the case.

 

Just out of curiosity were they PST or OST that appeared to be crashing? Did they originate from a Zimbra server or Exchange?

 

I ask because I had some major crashing issues a couple of months back dealing with OST archives from a client machine connected to a Zimbra mail client host. In the end I had to use a third party tool to convert the OST to PST, then run scan PST several times to clean up the archives.

[Chris]

Hello Phil and Adam,

 

Combining cases is certainly on the roadmap!

 

At the moment we are close to releasing a beta of the next major Intella version, which focuses on indexing speed and large case handling, among other things. The ability to merge cases is not present yet, but the architectural changes provide a much better basis for adding often-requested features such as merging cases, exporting items as a separate case, deleting items from a case, etc.

[philrodo]

Adam:  These were user mailboxes that were exported from Exchange in PST format. Now that we've loaded them into Intella in smaller batches, we are able to review them; we found a lot of SPAM messages that included malware attachments (ZIP Archives, EXEs, etc.). I suspect that some of these attachments were causing problems during the processing/indexing phase, although I have no idea why we were able to process the same PSTs in smaller batches, but couldn't process them all at once.

 

I'm familiar with Zimbra. I didn't realize that Zimbra uses PST and OST files on the user's workstations. A case I had about two years ago, the client's IT folks had exported the user's mailboxes into ZIP archives that contained a mix of EML and some HTML items. We attempted to process these in Intella, but found a lot of inconsistencies in the email headers, meaning that for a large percentage of emails the actual file path could not be determined so that Intella was dumping these in the root folder. After exchanging emails and calls with Peter Mercer, he advised attempting to convert the emails to a different format before importing into Intella. We used aid4mail and converted everything into Mbox format. We then were able to process the Mbox files. This left me wondering if aid4mail could process these emails and convert them to Mbox, why was Intella having such a hard time processing the original EML & HTML items exported from the Zimbra server; but at that point I was glad we were able to complete the job, so it really didn't make a difference any longer.

 

I should also mention that we had recovered a bunch of PST and OST files from the .e01 images of the custodians workstations. Since the organization was using Zimbra as it's mail server, I presume that the PST and OST files originated from the workstations connection to the Zimbra mail host. As I recall, we had no issues in processing these PST and OST files, which required no conversions or running scanPST. Strange, eh? 

[philrodo]

Hello Phil and Adam,

 

Combining cases is certainly on the roadmap!

 

At the moment we are close to releasing a beta of the next major Intella version, which focuses on indexing speed and large case handling, among other things. The ability to merge cases is not present yet, but the architectural changes provide a much better basis for adding often-requested features such as merging cases, exporting items as a separate case, deleting items from a case, etc.

 

Chris:

 

Sure would love to see the ability to combine cases, ASAP. We often find that on large data jobs, Java has a tendency to crash for some reason. When we break up the data into smaller chunks, Intella manages to complete processing of the data. However, we're then left with two or more separate Intella cases, meaning that we not only have to run the same searches two or more times, but there is no effective way to de-dupe the data contained in the different Intella cases, absent of exporting the search results from the different cases and reprocessing the exported data into a new Intella case--while keeping our fingers crossed that Intella will complete the processing without Java crashing. (Frankly, I hate the fact that Intella runs on Java but no one else seems to be conceded about that, but that's another story...)

 

While I have your attention, is there a difference in having Intella create a backup of a case than manually copying the Intella case folder? 

[ŁukaszBachman]

While I have your attention, is there a difference in having Intella create a backup of a case than manually copying the Intella case folder?

 

No, in reality there is no difference. You can create backups manually by storing whole case folder in a safe location.

This feature of Intella was developed for two reasons: to raise awareness of how important backups are; and to help to automate the backup process. Especially the latter was a common problem, as very often users were forgetting about creating copies of their cases. Sometimes it's just that one backup that you skipped when you had to rush out of the office that could save your day.

[philrodo]

 

No, in reality there is no difference. You can create backups manually by storing whole case folder in a safe location.

 

 

Like I said, I hadn't tried the backup option before, as I was copying the Intella data folder. I tried the backup option the other day on two different cases and Intella promptly crashed. You sure that backup option works? 

[AdamS]

Phil I've never had any issues with Intella crashing while backing up data. Was there anything else going on at the same time, another case indexing, other software processes running?

[philrodo]

No other processes were running, other than ProcessExplorer and system stuff. I'm dealing with more than100 PSTs that were exported from mailboxes running on the same Exchange server and everything about them is producing problems. I have to process them in small batches otherwise Intella crashes. Thousands of exception errors, very slow processing of PSTs, etc. And now the crashing of Intella backups. It seems to me that Intella is not very stable when encountering anomalies...

 

Perhaps that's due to the Java platform, which I really dislike--we can't get rid of Java and Flash fast enough. Thankfully, Oracle and Adobe are doing their share in killing these products. I wonder what Vound, Nuix, & others will do when Java is abandoned by Oracle? ... 

[admin]

What product exported the PST's from the EDB.

[philrodo]

I'm not 100% certain as the PSTs were provided by the client. But from the discussions that I had with them, I figured they used the tools provided by Exchange, like ExMerge or ExportMailbox. 

[admin]

 

 

Perhaps that's due to the Java platform, which I really dislike--we can't get rid of Java and Flash fast enough. Thankfully, Oracle and Adobe are doing their share in killing these products. I wonder what Vound, Nuix, & others will do when Java is abandoned by Oracle? ... 

 

 

Have you run Scanpst to see if there are errors? Can you let us know the config of your computer and what else is running while intella is indexing. 

 

Can you run http://www.piriform.com/speccy and let us see the specifications. I would like to see what drives types, CPU and RAM are used for 

 

1. Source

2. Case folder

 

Also are running any AV software. 

[philrodo]

There may be 3 billion devices that are running Java (although I'm sure that this number is marketing hype), but they're all going to be in the same boat when Oracle abandons its development. See:

http://www.infoworld.com/d/application-development/oracle-hasnt-killed-java-theres-still-time-247823

 

It's kind of hard to run scanpst when you're dealing with more than 100 PSTs. 

 

I'm not sure what you want to see from the speccy, but here's the hyperlink to the specifications generated by this app:

http://speccy.piriform.com/results/zVDhvdropEXoYoaAD0tfMk0

 

Anti-virus has been disabled. 

 

I'm not sure what you mean by 

1. Source
2. Case folder

 

Please let me know. Thanks. 

[philrodo]

Any feedback on this? 

 

PS. This is what I hate about this forum, the feedback from tech support is hit and miss... 

[admin]

Which drives are your?

 

Source = Evidence files

Case Folder = Where you save the case to. 

 

 

Are they on 2 different drives. 

[philrodo]

1. WDC WD1002FAEX-00Y9A0 ATA Device -- is the C:\ volume which is also used by Intella for Temp files

2. WDC WD5003AZEX-00MK2A0 ATA Device -- is the Source drive that contains the PSTs

3. WDC WD2002FAEX-007BA0 ATA Device -- Is the drive where the Intella case folder is stored at

 

So three drives are used in total. One to read, one for temp files, and one for the case file. All three drives are SATA III and are connected directly to the MB. 

 

Any other questions? 

[Chris]

I would suggest that you create a support ticket and share more specific info for which this forum is not the right place. Then we can look into what is causing the crashes on your system.

 

Information we would be interested in:

• The case log files of the case that crashed.
• All hs_err_pidXXX.log files in your temp folder (type %TEMP% in Windows Explorer), where XXX is an arbitrary number.

[philrodo]

Thanks. By now, I've set up a new Intella case and reprocessed some 70+ PSTs. I added them to the case in small batches and that seemed to have done the trick. I've seen this before, when you dump a larger number of PSTs to Intella it crashes. Yet, when you reprocess the same PSTs in small batches, everything works just fine. Obviously, this doesn't make much sense and there must be something wrong with the fault tolerance in the app (e.g., when the error threshold during the same processing session is exceeded, Intella crashes). 

 

I wish you could all pinpoint what causes some of these crashes during processing. 

[Chris]

Hello Philip,

 

Please send us the logs listed above, only that way we can effectively help you.

[Phillip Lazenby]

On 7/29/2014 at 3:28 PM, Chris said:

Combining cases is certainly on the roadmap!

Hi @Chris

How far down the road have the "combine"/"merge" cases facility gone?

I would like to combine two Intella Case : 1) Intella case containing Email depository and 2) Intella case containing Artefact post Digital Forensic imaging. Both cases have  were initially reviewed by independent (consultant) investigators. As Case Manager, I would like to combine/merge the two cases (currently on two different harddrives) in order to search/review once (not duplicate my search effort).

We have a subscription for Pro Dongle with three viewer Dongles.

Alternatively advise a work-around because reading the user manual and or the community forum comments, nothing jumps out at me.

Regards

Phillip Lazenby

 

 

[Chris]

Hello Phillip,

Yes, this is certainly possible.

The Intella 2.4.2 User Manual, section 26.5 ("Exporting to an Intella case"), explains how a set of items can be exported to another case. When you do this with all items in the source case, you are effectively merging the two cases.

For safety, you may want to create a copy of one of the cases and then export the other case to that copy. Should anything go wrong, your original cases will then not be affected by it.

Furthermore, we are currently working on compound case functionality. Whereas case merging/exporting actually merges the case databases (costing time and disk space), the new compound case functionality creates a light-weight case in which two or more cases are virtually and instantaneously merged. This functionality will become available later this summer.