
Intella Connect 1.9 beta testers wanted!


Chris

Hello all,

 

We are getting close to the Intella and Intella Connect 1.9 releases, which feature a large list of improvements:

 

A selection of the improvements in Intella 1.9:

  • Added indexing of MS Exchange EDB files, in their entirety or by mailbox.

  • Added indexing of Skype databases.

  • Added indexing of SQLite databases.

  • Added custodian support.

  • Added support for determining keyword statistics.

  • Added the ability to refresh a case and pick up new evidence items.

  • Several improvements to indexing IBM Notes NSF files.

  • Added primary date and family date attributes.

  • Added tag group columns, showing only tags from a specific part of the tag hierarchy.

Additionally, Intella Connect 1.9 will have the following improvements:

  • Connect can now index new cases by itself or delegate indexing to a separate machine.

  • Added support for LDAP providers.

  • Added custodian support.

  • Added primary date and family date attributes.

  • Added export sets functionality.

  • Added tag group columns.

We invite our users to try out a beta version of this release.

 

Should you be interested, just reply to this topic, send me a private message or open a support ticket. We will then provide you with the necessary information.

Link to comment
Share on other sites

  • 4 weeks later...

Okay having some issues getting the Server to detect the processing machine.

 

Everything installed with no problems and the processor is running; however, it is detecting the host IP address in a different subnet than I expected (e.g. host IP is 192.168.5.xxx but Processor is detecting host IP of 192.168.30.x).

 

I have tried disabling firewalls when connecting and this has not made any difference, the Connect server reports connection errors when attempting to connect to the processor.

 

Server is running MS Server 2012, processor is Windows 7 Pro x64.

 

Also just first observation/suggestion, when adding a new shared folder from the server the lack of 'browse' button option is frustrating. I'm presuming this is something to do with the interaction between explorer.exe and Java but if it's possible to have a browse option this would always be smoother and faster than manually typing the path/UNC.

 

Edit: it's a firewall issue, disabling firewalls on both server and processor enables the connection straight away. Will have to try and figure out the settings to let them through the firewall.

Edited by AdamS
Link to comment
Share on other sites

Possible bug here as the option to create a new case appears to be missing, I can only find 'add an existing case'. I have managed to find and add the remote processor successfully (firewall needed to be configured on both machines) and I have added the shared folders successfully.

Link to comment
Share on other sites

Hello Adam,
 
thank you for your feedback.
 
The IP address that is being detected by Processor may be just one of the addresses on which that computer can be reached, and it might not always be the best one to use. There are a few examples that I can think of:
  • your computer can have multiple network interfaces, such as a 1Gb/s TP (twisted-pair) Ethernet network card and a Wi-Fi network card. If you connect both of those to different routers or switches, then your computer will be assigned two IP addresses and you can be reached by either of those. In this case you might want to use the IP address assigned to the cable-connected network card rather than Wi-Fi, as it might be faster. It could happen, however, that the IP address shown as detected is the one from your Wi-Fi network card.
  • a router or switch to which your computer is connected can be configured to have multiple subnets. That means that the IP address and network mask will depend on the interface to which you are connected on that router or switch. Not much to do here unless you are also the network administrator and you understand how the router was configured and how you are connected.
  • your computer can be reachable on multiple IP addresses and ports even if you have just one network interface connected in your computer. For example: localhost:9999 or 127.0.0.1:9999 (also known as the loopback interface, which points to your own computer), 192.168.1.109:8082 (your local network on your directly connected router), 192.168.0.159:8081 (your company network on your second hop router), 85.74.198.115:80 (your public address). In this case you might want to use the IP address which will make the fewest hops on the route to the server.
Please note that I have described only simple scenarios and there can be much more complex network topologies and configurations. It really depends on what network you have and how it is built and configured. The detected IP address is read from the system configuration; it is not an algorithm that would detect your network and perform speed and reliability measurements to determine what exact address to use. It is meant to be a hint rather than anything else. When in doubt about which IP address to use, please consult your IT/network administrator.
 
The detected port is the port to which Processor's server is bound and on which it is listening for packets. For example, if Processor's web page or about dialog shows port 8081, then you might want to open port 8081 on the firewall which is on the connection link between Connect and Processor. If your Connect server is bound to port 80, then you might want to open port 80 on the firewall which is on the connection link between Connect and the browser. Please note that when I mention a connection link between two computers, it again depends on your network layout and computer configuration. A firewall can be placed directly on the same computer that is running Processor or Connect, but it can also be a dedicated computer or router connected via the network to the computer running Connect on one side and the computer running Processor on the other side. In the former case, you might want to think about whether to open incoming or outgoing traffic. Again, when in doubt, please consult your IT/network administrator.
 
If you would like to change the port on which Processor is running, you can do so by editing C:\Users\<user>\AppData\Roaming\Intella Connect\prefs\user.prefs and adding/changing these lines:
ServerPort=8081
NodePort=8082

Processor server first tries to read the NodePort property and sets the port accordingly. If that property is not found, it will then try to read the ServerPort property, and if even that is not found, then the default port 9999 will be used.

 
With regard to the browse button, I'm afraid it's a bit more complicated than that. There are certain browser restrictions which don't allow such a simple implementation.
The idea behind "shared folders" was that you can just set it up once. It does not have to be a direct path to the evidence folder or any other location; it can also be just a computer name or IP address, and if valid, you will be able to see a tree-like browsing component in the create case pop-up window or the add new source wizard, which will allow you to see the file system in a manner similar to a browse button.
 
As for the missing Create case button, I suspect the browser cache. Could you try to open the cases list page in incognito mode, or clear the browser cache and reload the page? The button should be located below the cases list, next to the Add case button.
Link to comment
Share on other sites
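As an alternative to disabling the firewalls, the port precedence described in the reply above (NodePort, then ServerPort, then default 9999) can be resolved from user.prefs and opened for the Connect server only. This is an added example, not Vound's code: the function name, rule name and Connect server address are placeholders, and it assumes user.prefs holds plain key=value lines and that an invalid port value falls through to the next option.

```powershell
# Added example: run in an elevated PowerShell session on the Processor machine.
param(
    # Path quoted in the thread; $env:APPDATA expands to C:\Users\<user>\AppData\Roaming
    [string]$PrefsPath = "$env:APPDATA\Intella Connect\prefs\user.prefs",
    # Assumption: placeholder address of the Connect server, replace with your own
    [string]$ConnectServerIp = '192.168.5.10'
)

function Get-ProcessorPort {
    param([string]$Path)
    $props = @{}
    if (Test-Path -LiteralPath $Path) {
        foreach ($line in Get-Content -LiteralPath $Path) {
            # Keep key=value lines; skip blank lines and # / ! comments
            if ($line -match '^\s*([^#!=\s][^=]*?)\s*=\s*(.*?)\s*$') {
                $props[$matches[1]] = $matches[2]
            }
        }
    }
    # Precedence from the thread: NodePort first, then ServerPort
    foreach ($key in 'NodePort', 'ServerPort') {
        $port = 0
        if ($props.ContainsKey($key) -and
            [int]::TryParse($props[$key], [ref]$port) -and
            $port -ge 1 -and $port -le 65535) {
            return $port
        }
    }
    return 9999   # default when neither property is present
}

$port     = Get-ProcessorPort -Path $PrefsPath
$ruleName = "IntellaProcessor-TCP-$port"   # hypothetical rule name, no spaces

# netsh advfirewall is available on both Windows 7 and Server 2012.
# The rule allows inbound TCP on the Processor port from the Connect server only,
# and only on the domain and private profiles.
$netshArgs = @(
    'advfirewall', 'firewall', 'add', 'rule',
    "name=$ruleName", 'dir=in', 'action=allow', 'protocol=TCP',
    "localport=$port", "remoteip=$ConnectServerIp", 'profile=domain,private'
)
& netsh $netshArgs

# Show the rule that was created so the scope can be checked
& netsh advfirewall firewall show rule "name=$ruleName"
```

The same pattern applies on the Connect server for the port it is bound to; restricting `remoteip` keeps the listener unreachable from other hosts on the subnet.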

I think the IP address it was detecting was one tied in with VMware, entering the actual IP address of the machine was all I needed to do here.

 

Understood about the shared folders.

 

Opening the browser incognito worked, so clearly a cache issue.

 

I'm attempting to index a new case using a remote processor and having a minor issue with an error field being blank, makes it hard to know what I messed up ;)

 

I have the evidence on the Processor and have set the case folder and optimization folder both to the Connect server, everything goes fine and I select all the indexing options I want, then when it comes time to index the data and I have the choice of selecting the Connect Server or remote processor to index the data, if I select the remote machine I get a blank red error window pop up. Indexing with the Connect server works just fine.

 

On checking the warning log the last entries are all 

 

 

[WARN ] 2015-09-23 08:37:32,767 [qtp130860983-1286] Challenge scheme HTTP_Cookie not supported by the Restlet engine

 

Link to comment
Share on other sites

Okay the updated 1.9 installer did the trick and I can now index with remote processors, very smooth easy to follow and nice and fast. Also fantastic to see the addition of Item ID and MD5 list imports, thank you muchly!!

 

I have some comments/suggestions/questions and knowing me there will be more but just some initial thoughts.

 

  • What is 'irrelevant' according to the option to hide irrelevant next to the new dedupe button? By that I mean what are the criteria and can we manually add files to this ourselves?
  • Custodians are a great addition, it would be great if we could 'edit' the custodian names just like tags in case of a spelling error.

  • Adding the custodian is very fast, takes a few seconds, but deleting a custodian is very slow, takes around 10 mins.

  • What are: 'Import ID', 'Native ID' and 'Export ID'?

  • What is the Family Date and Primary Date, and what is their relationship?

  • The Dashboard has some warnings about encrypted or exception items, would be fantastic if they also acted as a direct link to go to the items in question.

  • I notice double click has been added to Intella, is this possible to implement in Connect as well?

That's all for now, I'm sure I'll have more.

Link to comment
Share on other sites

Regarding the use of the remote processors, it would seem that the Evidence, Case and Optimization folders must all reside on the remote processing machine (which makes sense), however one of the things I was hoping/looking for with this client/server type relationship was that once the processing has finished, the remote machine is no longer needed and can be turned off/rebooted etc as needed for other processes.

 

If the case data file resides on the remote machine then it's necessary to have this machine accessible while the Connect case is being reviewed.

 

What about the ability to have the case data folder remain local on the Server, with the evidence and optimization folder on the processor (or optimize folder local if that is more effective)?

 

I know there would be a time hit here as the files would need to be pushed across the network, but the end result would be all case data on the Server hosting Connect, that way the other machines aren't tied up for the duration of the review.

 

Currently I generally manually transfer the case data folder to the Connect machine and then edit the source paths to point back to the original machine just in case a reindex is needed.

Link to comment
Share on other sites

Adam,

 

having the Evidence, Case and Optimization folders reside on Connect is already possible. You will need to use a network path instead of a local path to be able to index evidence which does not reside on a local disk with Processor. To be precise, you will need to use a network path when creating the case (the Case folder field and Optimization folder field are the ones which will need a network path), but also when adding a new source and choosing the path to the evidence (when adding a File or folder source, the Select file or folder field is the one which will need a network path).

 

You can either use a UNC (Uniform Naming Convention) path (for example \\192.168.0.150\cases\case1 or \\computer1\cases\case1) or a path using a mapped disk (x:\cases\case1). I personally prefer a UNC path, because then I don't have to worry about mapping the network path to a disk and making sure it stays mapped after reboot, but if configured properly both will work.

 

Assuming that computer1 is the name of the computer on which Connect is running (if you don't know the name of your computer, you can also use the IP address instead of the name), the Shared folders functionality can help out here, because you could create shared folders as:

Cases location - \\computer1\cases

Evidence location - \\computer1\evidence

 

When creating a new case, you should be able to see the cases folder in the Shared folders section of the file system browsing UI component.


 

When adding a new folder source, you should be able to see the evidence folder in the Shared folders section of the file system browsing UI component.


 

Please note that Processor will lock the case before indexing starts, but as soon as the Processor has indexed the case and the user clicks on the Finish sources management button, it releases it so Connect can share it.
Link to comment
Share on other sites

I have noticed that the auto case monitor folder does not function as you would expect.

 

Connect is not picking up cases in this folder automatically, they still have to be manually added, however if I try to remove the case from the active list in the case window I get an error message saying that I can't remove it because it's in the monitored folder.

Link to comment
Share on other sites

Adam, I've noticed that you have created a ticket in our support system about the case auto discovery, but I'll also reply here.

This mechanism uses file system polling with a time frame set to 15 minutes. Therefore you should wait at least 15 minutes for changes in the list to be applied (relevant information will be present in the logs).

Link to comment
Share on other sites

Okay, now I'm going to have to call myself a liar because auto detect hasn't detected a case that I put on to the server last night. Is there a way to refresh or change the detect interval?

 

FYI deleting and retyping the path to the shared folder in the settings forced a refresh and the case was detected, so it's clearly something different here. 

Link to comment
Share on other sites

  • 2 weeks later...

Okay, now I'm going to have to call myself a liar because auto detect hasn't detected a case that I put on to the server last night. Is there a way to refresh or change the detect interval?

 

FYI deleting and retyping the path to the shared folder in the settings forced a refresh and the case was detected, so it's clearly something different here. 

 

Adam, changing the path will always cause the mechanism to "reset". So the rule to remember: if you modify the path, we will re-scan for new cases (up to 3 levels of folders deep) and do that every 15 minutes.

There is no way to change the interval I'm afraid. Please keep in mind that this mechanism is meant to work in background. If you want to have the case available right away, then simply add it from the Cases list panel.

Link to comment
Share on other sites

Not sure if this is something that has always happened or if a default setting has changed somewhere.

 

Using 1.9 connect search is not picking up parts of a word, ie the search term of 'help' will not pick up the text 'helpmerhonda'

 

Adam, I think you are mixing things here with wildcard queries. Try searching for 'help*'.

Link to comment
Share on other sites
