philrodo Posted April 27, 2015 Report Share Posted April 27, 2015 I have to search the emails and attachments using a long list of keywords. However, I also have to restrict the hits I get to emails sent after a certain date. When I use a date filter, only the emails are searched, not the attachments. If I search the entire case for the keywords first and then apply the date filter on the emails, I'm not sure whether anything I export will include any hits in the attachments, and if so, whether the attachments are only those that were attached to emails after the date in question. I figured that the cleanest way to run this search is filter the emails on the date and export them to a PST. I can then set up a new Intella case to process only the emails exported to PST. That should work, but I would have thought that there has got to be a way to do this in the original Intella case I'm working with, without first having to export the emails. I'm probably missing something, but I'm not sure what. Any ideas or suggestions would be appreciated. Thanks. Link to comment Share on other sites More sharing options...
AdamS Posted April 28, 2015 Report Share Posted April 28, 2015 There are a couple of different ways you can do this Phil, both have their issues but should give you what you need. The easiest way is to run the date filter and keyword search as normal, then go to the type facet, highlight everything and use the include option. The downside to this is that you will get any attachment with the keywords listed and the date range filter won't really have any effect due to the many different dates contained in most documents (edited, created, printed, last save etc). This way you will likely have many false positives. A more accurate way I think, and this is assuming you are only interested in attachments to emails sent/received within the proscribed date range. Use the include option to select the date range then select emails only and click search to show all emails from the proscribed date range. Now you have to tag the results then clear all the searches and settings, this will clear the email only issue you are having. Now select the tag you just created and click search to show all results, highlight all the results and select 'show children'. You should now have a ball for the emails from the date range and ball with all the children. Highlight both and run your keyword list. You should now have a search that encompasses both emails and their attachments from the required date range. Edit: on reflection it would be a worthy update if the search functionality had the option to 'include email children' in a search where the filter has been set to show only emails, maybe a simple tickbox option somewhere? Link to comment Share on other sites More sharing options...
philrodo Posted April 28, 2015 Author Report Share Posted April 28, 2015 Adam Thanks for the feedback. As you say, the workarounds have their issues. And I'm not sure that I'll end up with what I think I should end up. Like I said, I ended up exporting all the emails that fall within the time period of interest and set up a new Intella case that contains these emails only. I'm now running the keywords and don't have to worry where the search hits are coming from, since my data set only includes the emails within the given time period. I really like your suggestion about a tick box option to include the email children when using a filter that only filters out emails. I wholeheartedly second that suggestion as an enhancement in a future release. Best regards, Phil Link to comment Share on other sites More sharing options...
AdamS Posted April 29, 2015 Report Share Posted April 29, 2015 Option 2 will give you the correct result Phil, I tested that on a small subset of data before posting it. I understand that as a forensic practitioner we need to be somewhat 'mistrustful' of software in order to verify the findings, but I would encourage you to test the second method listed with the method you used to see if/how the results vary. It could shed some valuable light on the process for myself and other users if we are getting different results. Link to comment Share on other sites More sharing options...
ŁukaszBachman Posted May 26, 2015 Report Share Posted May 26, 2015 I agree with Adam that Option 2 should give you what you need, Phil. As for the proposed "include email children" option - were you thinking about adding it to the keyword searches? It feels to me a bit more natural to do it in a standard way: first select some results, then apply "Show children" action and then further cull down your results. Link to comment Share on other sites More sharing options...
AdamS Posted May 29, 2015 Report Share Posted May 29, 2015 Lukasz I was thinking more along the lines of giving some control over when and if to search children items when filters are applied. Obviously if no filters are applied everything will be searched, but having that option would give some control over how the search is applied. While the standard way will give you want you want it requires a firstly the awareness of how the search is behaving, as I suspect many people would just assume that the search will encompass the children of seleted items, and secondly it requires and extra few steps. Current process to search for children items of emails as described above in my option 2. However much faster and simpler would be: Set filter for applicable date range Set type to include emails Search keywords/list (tick box to apply to children) Finsihed!! search results encompass emails and their children. What that should give us is search hits where emails or their attachments (from within the applicable date range only) are shown. Link to comment Share on other sites More sharing options...
Recommended Posts