Searching for blank Subject in an email

[Jacques B]

Is there a way to search for all emails where the subject is blank? I know you can display all emails and then reverse sort on subject to group them together. But I'd like to be able to identify them using a search term, and then tag them.

I run several tasks after processing to tag stuff for the investigator. See attached listing the processes that I run on a PST (we are a MS shop).

Intella Tasks and Tagging Overview_Redacted.pdf

[Guest Marco de Moulin]

Hello Jacques,

I created a crawler script which you can run when indexing a source. It looks for empty subject lines (or just a space) and tags those with 'crawlerscript/No Subject' or 'crawlerscript/Single Space Subject'.

https://github.com/vound-software/intella-crawler-scripts/blob/main/samples/basic/tag_no_subject.py

The tasks from your document, are you doing these manually?

Regards,

Marco

 

[Jacques B]

Thanks Marco,

I'm currently running 2.5 (waiting for license renewal to go through to upgrade to 2.6). Are Python scripts supported in 2.5 as well?

 

Jacques

[Guest Marco de Moulin]

Hi Jacques,

Crawler scripts were introduced in 2.6. Unfortunately, it is not going to work in version 2.5. 

Marco

[Jacques B]

Thanks. I'm looking forward to exploring the power of crawler scripts. I know you have a discussion on that specifically and I'm excited to see how I can make use of it. I am pleased that it supports Python as that's the language I am familiar with.

[Guest Marco de Moulin]

Hi @Jacques B

You mentioned that searching for emails with empty subject lines helped in a previous case. I'm curious to learn more about how that specific search strategy assisted your investigation. Could you provide some additional details? 

Regards,

Marco

[Jacques B]

Hi Marco,

It's one of our investigators who mentioned that it's one of the methods they use, the premises being that someone sending something to themselves or someone else that is not work related (and thus possibly related to the misconduct being investigated) may skip putting in a subject. I don't know if it materialized into producing evidence. But I thought it was a good approach so I want to add that to my initial pre-processing and tag all such emails automatically for the investigators who want to avail of that approach.

 

Jacques

[Guest Marco de Moulin]

Thank you for the clarification. That makes sense! I will run it on some cases to see if I get interesting results. 

Marco

[Jacques B]

Hi Marco,

I finally was able to get Intella Connect upgraded from 2.5 to 2.6.1. I'm currently running your script to look for blank subjects (or single space) by reprocessing a small collection of emails.

I do have a question about the scripts. Can you run more than one script against evidence being ingested? And are you able to have it in a template of a case much like tasks? As I shared earlier, I created a case template and have it run a bunch of tasks. But for scripts, so far I'm only seeing where you can select that when adding a source. And I'm getting the impression you can only run one script.

Thanks,

Jacques

[Guest Marco de Moulin]

Hello @Jacques B,

I am glad to know that you have upgraded to version 2.6.1. Right now, you can only run one script at a time, and it is important to make sure that script's logic does not interfere with each other. Currently, scripts are not part of a template, but we are thinking about adding this feature in a future version. If you use the command line version (IntellaCmd), you can define a script, offering a way to automate script execution.

Marco

[Jacques B]

OK, thanks @Marco de Moulin.

The script for blank subjects ran correctly. Thanks for having shared it. When you do that, does it re-run everything from processing (indexing, tasks)? Or are you able to only run a script?

Jacques

[Guest Marco de Moulin]

Hi @Jacques B,

The script is linked to a source in a case. It runs when Intella indexes the data. The only way to run the crawler script again is when you re-index the data. 

Marco

[Jacques B]

OK, thanks @Marco de Moulin. That isn't very practical if it has to re-index everything. Or can you tell it to skip what's already been indexed? If not, that can add a lot of time to a case if you have 3 or 4 crawler scripts you want to run against a case with 500,000 items in it for example.

If the above is the case, the approach for now will be to pick the crawler script that provides the most value for a specific case and only run that one unless the value of additional scripts outweights the additional processing time.

Jacques

[Guest Marco de Moulin]

Hi @Jacques B,

Crawler scripts are specifically engineered to operate during the indexing phase. Regrettably, the capability to sequentially execute multiple scripts is not presently available. Although tags and custom columns remain persistent, I would not recommend relying on this as a strategy in relation to Crawler Scripts. Furthermore, it is not an efficient practice to restart the indexing process merely to run a new crawler script. The optimal solution would be a script that initiates once a case is populated. We are diligently working towards this enhancement. The main objective of the crawler script functionality is to either decrease the volume of data ingested or to enrich the data immediately from the beginning.

Marco