[locked] Wish list/suggestions V1

[AdamS]

I'm starting to come to terms with the change over to Intella and largely I'm impressed and becoming more comfortable with the interface.

 

I do have some suggestions/observations and it may be that Intella can do some of these things but maybe I'm just missing so any feedback or response would be welcome. I must stress most of these requests are specific to dealing with emails as this is what I mostly use Intella for, but the functionality would work when looking at complete data sets of documents, pictures etc...

• When working in the details pane selecting large sets of data it would be very handy to be able to 'reverse select' items. Example if I'm looking at 20,000 emails and I highlight and tag a selection of emails and I then want to tag the remainder it would be great to be able to reverse highlight so I don't have to go back through 20,000 emails and manually highlight the other emails I haven't already tagged.
  
• The ability to search for To, From, CC, BCC fields individually, currently in the options panel we can only select "all senders/email addresses" which is too broad. This is something I need to do in every single case so for me personally i can't stress it's importance enough.
  
• The ability to "hide" items from view in the details pane. In the above scenario where I was asking for reverse select this would do instead if it was enabled as I tag the items I want, then hide the already highlighted items and tag the rest, the unhide all and I'm back to where I started.
  
• The ability to filter in the details pane. For those who are familiar with Xways Forensics you will know what I mean here. The details colums can be displayed or hidden with the tick box menu and that is fantastic, how about extending that so that we can hide or display items based on those same criteria. For example to be able to display only emails with attachments.
  
• Tags appear to sometimes be faulty. I have a case I am working on how where I have used keywords then isolated emails based on where they were received or sent by a particular user. One keyword returned 2 emails, one sent and one received. These were tagged seperately as "keyword sent" and "keyword received". When I use the Facet filter to show me only "keyword sent" I see the sent email as you would expect, but the received email is also visible. This behaviour only displayed with this keyword and it was definitely only tagged once. I havne't spotted this behaviour anywhere else but thought i'd mention it.
  

Overall fantastic software, if I could just generalise and say the searching / filtering as it is right now could use some refinement.

[Chris]

Hello Adam,

 

Great piece of feedback! I'm replying to each item separately. There are indeed ways to do what you want, but in a slightly different way. We love to hear whether our approach works for you or if you still see room for improvement.

 

I'm starting to come to terms with the change over to Intella and largely I'm impressed and becoming more comfortable with the interface.

 

I do have some suggestions/observations and it may be that Intella can do some of these things but maybe I'm just missing so any feedback or response would be welcome. I must stress most of these requests are specific to dealing with emails as this is what I mostly use Intella for, but the functionality would work when looking at complete data sets of documents, pictures etc...

• When working in the details pane selecting large sets of data it would be very handy to be able to 'reverse select' items. Example if I'm looking at 20,000 emails and I highlight and tag a selection of emails and I then want to tag the remainder it would be great to be able to reverse highlight so I don't have to go back through 20,000 emails and manually highlight the other emails I haven't already tagged.
  

 

Adding a "Reverse selection" to the Details' context menu is certainly a possible refinement, I'll add that to our list.

 

Note that you can use the Cluster Map to your advantage here: search for all items, search for all tagged items, and you see the overlap and remaining items visualized. Also sorting on the Tags column will put all untagged items at the bottom, though that works less well when you are using multiple tags.

 

• The ability to search for To, From, CC, BCC fields individually, currently in the options panel we can only select "all senders/email addresses" which is too broad. This is something I need to do in every single case so for me personally i can't stress it's importance enough.
  

 

You are right, with keyword search all senders and receivers are put together in the same document field. We plan to add advanced search abilities to the Email Address facet, like sorting on name or email address, grouping by host, etc., that will help to some extent. Having that same capability in keyword search makes sense though.

 

• The ability to "hide" items from view in the details pane. In the above scenario where I was asking for reverse select this would do instead if it was enabled as I tag the items I want, then hide the already highlighted items and tag the rest, the unhide all and I'm back to where I started.
  

 

Besides using the Cluster Map, you can also use the Exclude option in the Tags facet: select the tag, click on the arrows in the Search button and choose Exclude. Any search results will then be filtered. Query results will be updated immediately, though you will have to click in the Cluster Map to force the Details table to update.

 

• The ability to filter in the details pane. For those who are familiar with Xways Forensics you will know what I mean here. The details colums can be displayed or hidden with the tick box menu and that is fantastic, how about extending that so that we can hide or display items based on those same criteria. For example to be able to display only emails with attachments.
  

 

I see your point. The closest you can get now is by clicking on the column header(s) to sort on those columns. The items that you are interested in are then adjacent at the top or bottom of the list.

 

• Tags appear to sometimes be faulty. I have a case I am working on how where I have used keywords then isolated emails based on where they were received or sent by a particular user. One keyword returned 2 emails, one sent and one received. These were tagged seperately as "keyword sent" and "keyword received". When I use the Facet filter to show me only "keyword sent" I see the sent email as you would expect, but the received email is also visible. This behaviour only displayed with this keyword and it was definitely only tagged once. I havne't spotted this behaviour anywhere else but thought i'd mention it.
  

 

This is indeed surprising. Are you able to show us a (redacted) screenshot that shows this? Perhaps we can then see how this happened.

 

Overall fantastic software, if I could just generalise and say the searching / filtering as it is right now could use some refinement.

 

Many thanks for your feedback, we greatly appreciate it!

[dougee]

Adding to AdamS great suggestions, one that I would like to add is the ability to remove items from Intella. I know I can exclude items from view, but we often come across items that are subject to privilege claims by opposing parties and the ability to remove privilege items would be great. Currently the only way around this is to remove the items from the evidence and re-index, this is not easy with mail containers. Maybe we could just remove the items from the database so investigators can't access them at all, leaving the items in the evidence store.

[Chris]

Hi Dougee,

 

This question has come up several times already. We understand the use case. It's something that we plan to add to a future release.

 

Whether that will be a permanent removal operation or just a method to hide certain information remains to be seen. Permanent removal is preferred when you want to be able to hand over entire cases to other parties, especially opposing parties, but it has some technical database implications. Just hiding items is a lot easier to realize and also lets the user unhide items, which may be a good thing in some other cases.

[dougee]

_{Thanks Chris, I look forward to seeing what magic you guys can bring.}

[AdamS]

Thanks Chris, when my work deadlines aren't quite so crippling I'll have a bit of a play

 

In the mean time I have a pressing issue that I need to try and sort. I have 12,680 unique emails to and from numerous addresses as you can imagine. My client wants me to isolate and remove all internal emails from the equation.

 

Is there are way to quickly isolate emails which only contain a particular domain within the send/receive fields?

 

I'm working with the type facets, have isolated all emails only, then searched on the domain I want to exclude, and now I have my data set of 12,680 emails and I need to somehow isolate the emails which don't include any addresses outside the domain in question.

 

Any help appreciated

 

Edit : I was able to reduce the data set to 350 email by reducing the date range so I manually inspected the sender/receiver details to knock out all the emails which were purely internal, but going through this process on a small data set showed me how difficult it is. You can imagine after a while the email addresses start to blur in and look similar, it becomes very easy to make a mistake. I'm not sure how hard these search refinements I'm suggesting are but hopefully this is something that could be included for 1.6.2.

[AdamS]

With regards the weird tag behaviour I have a screenshot which I think will display what I'm talking about.

 

I set the facet to Tags then selected "keywords Sent" within the tags list and then clicked search to bring up the blue ball, then clicked on the blue ball to see all 266 tagged emails, so far so good.

However you can see the two highlighted emails with the Tags exposed clearly showing that neither have the "Keywords Sent" tag, they both have the "Keywords Received" tag which is not selected.

This result is duplicated even if I click on the "Keywords Received" tag, then exclude that from the results, those two emails will still be visible.

 

When I previously mentioned this it was actually a different email that was being shown so it would appear there is definitely something glitchy happening here, but whether it's my machine or the software I can't tell.

[AdamS]

Another functionality request which should be very easy

When working with data in the Details pane it would be very handy if when we highlight a number of items the exact number and data size was instantly and dynamically displayed next to the filter options or even within the searches window top right.

 

Quite often I just need a quick answer on how many files I have highlighted, right now the only way to get this answer is to tag the files. I then have to go and remove the tag to ensure my tag field doens't become cluttered.

[Chris]

Hello Adam,

 

Is there are way to quickly isolate emails which only contain a particular domain within the send/receive fields?

 

We are working on new functionality that would make this a lot easier. For now, I would advise to try to reduce the set as much as possible, as you did with a date search, and then sort on the Senders and Receivers columns (use CTRL-clicking). That way the emails with the same sender and receiver setup will be adjacent in the table, which helps with the manual filtering.

 

With regards the weird tag behaviour I have a screenshot which I think will display what I'm talking about.

 

I see what you mean now. I will consult our developers for feedback. What Intella version are you using?

 

When working with data in the Details pane it would be very handy if when we highlight a number of items the exact number and data size was instantly and dynamically displayed next to the filter options or even within the searches window top right.

 

Makes sense. I will file a feature request for this.

 

Thanks for your feedback!

[Chris]

Hi Adam, are you able to create a support ticket and send us the log files of the case with the tagging issue? Perhaps there is an error message that explains what you are seeing.

[AdamS]

I should be able to send the log files, I'm away from my lab computer for the next week so I will see what I can do on my return. And in answer to the other question the original behaviour with the tagging glitch happened on 1.6.0 and was replicated in 1.6.1 (this is the version with the screenshot).

 

Thanks for the prompt replies Chris, I look forward to 1.6.2

[AdamS]

Just one more wish/suggestion

 

The ability to dictate the sort order for emails when creating a report (ie chronological)

I understand the reasons why this is not avialable as I had a long telephone conversation with my local Intella person when I was bemoaning the fact that NUIX didn't do this, but I also am led to believe that at one point in time Intella did give you the ability to have a report order the emails chronologically but this was dropped to save time.

 

I would love to see this functionality returned, it could be implemented by way of a checkbox with a warning that it will greatly impact on the report creation time. I see this as absolutely essential, when creating reports the client always needs to see things in a way which makes sense, oldest to newest is the most logical way and it's also what people are used to dealing with. I know there are work arounds by creating a seperate CSV file which they can order until their hearts content, but the CSV file only contains a small amount of the data so you end up having to chop and change from CSV to report to get the information needed.

[Chris]

Hi Adam,

 

The current sorting works like this:

• First sort on hierarchy (basically the value in the Location column)
  
• Then sort by Sent date.
  
• Then sort by file name.
  

So there is a chronological order, but only within a mail folder.

 

Making the sorting configurable is on our task list for a later release.

[AdamS]

So if all the emails I'm examining come from a single PST archive then my report should be in chronological order?

or is it within each parent folder withing that PST archive (inbox, sent, outbox, deleted etc..)?

[Chris]

It is the latter. Overall all items will be sorted by source file and then by folder within that source file. Within the folder all emails will be sorted by Sent date, with each mail immediately followed by its attachment/nested items.

[tufelkinder]

The ability to search for To, From, CC, BCC fields individually, currently in the options panel we can only select "all senders/email addresses" which is too broad. This is something I need to do in every single case so for me personally i can't stress it's importance enough.

 

If you wanted to avoid adding more overhead to the interface, just having the ability to specify more precision in the search keywords text field would be great. For example, instead of expanding Options and deselecting all but Author, simply allow users to search for (in gmail fashion):

 

to:email@host.com

from:email@another.host.com

bcc:email@address

 

This way the features would be there for advanced users, documented in help, but without adding to the GUI and requiring additional mouse clicks, not to mention further confusing or complicating the interface for Intella newbies.

 

Just a thought!

Walt

 

-~

[admin]

Hi WaltS

 

We are working on the ability to have TO: FROM: CC: BCC: searches. I agree is wil be a useful feature.I would expect it to be done in 1.6.4.

[kevinma]

In my case, I click on the Facet Panel, select Email Address and then expand the From list, its contains more than 5000 items. Pick up those names from the list take me around 15 minutes.

If there is a filter function like SQL Management Studio, this would definately save me a lot of time.

 

Filter screenshot: http://www.dbdigger....sql-srever.html

[AdamS]

Another suggestion for functionality, specifically with the report creating.

 

It would be very useful if we could create a report and have live clickable links to expose the body of the email within the report (html only, like NUIX does) only take it one step further and have a "expand all" and "minimise all" link at the top.

 

The reason for this is searchability. If we can produce a report like that where a single HTML document can include all email information (headers, body, email addresses etc) then non technical people (ie my clients) can have the ability to use the easy windows search functionality to search across all available information from a single place.

 

Edit - I should point out that I'm aware I can do this at the moment with PDF by exporting all the emails as a single PDF file and ensuring 'body of email' is ticked. I am using this right now however I find PDF to be an inelegant way of viewing emails and visually it's quite hard on the eyes when you are trying to triage and read lots of information. HTML reports tend to be far better formatted and easier to read, plus the added bonus of being able to open them in Excel gives you the flexibility to create sub data sets for charts etc.

[AdamS]

Also some hot keys would be great when working with tags. For example when triaging I will quite often do all my keyword searches and tagging in one go, then head back for review.

 

When reviewing emails sometims they have multiple tags and on review they are not relevant, it would be great if I could just press "del" when the email is highlighted and all tags with that email (or all highlighted emails) would be removed.

Following that vein hotkeys for tags would be great, this would have limited ability but using the numpad could give you up to 10 tags. By this I mean when we create new tags if the first 10 tags created were automatically assigned a numpad key (0 through to 9) then we could very quickly assign tags just by pressing the corresponding numpad key.

 

And lastly just a question on 'flagging'. Apart from the ability to reorder based on the flags I can't see any other use assocaiated with these. Is there something else we can do with the flags or is it purely a sorting assistant? If not I think it might be useful to add some right click options relating to flagged files, "highlight all flagged files" for example would then allow us to export the highlighted results. And logically following on having a hot key (spacebar?) to flag the highlighted file(s) would also make sense.

 

I understand this type of functionality would be low priority but I think it would improve the speed and usability of the tagging system which is already in place.

 

[admin]

Hi Adams,

 

Thanks for your post. We really enjoy the feedback and discussion you have added/created on the forum.

 

When you create a tag it automatically creates a hot-key. The first tags hot-key will be CTRL+1 the second will be CTRL+2 and so on. Hovering over the fast tags will show a tool tip with that tags hot-key.

 

You can reorder tags by right-clicking on tag facet value and us the "Pin tag" option.

 

The flags are a "light tag". They were the request of a number of folks who used other software. In fact when we first brought them out they work slightly differently but we were asked to change them to mirror other types of software as people were getting confused.

 

If you highlight a number of items and right-click you can remove selected tags. Not exactly what you are asking for but does get the result.

 

 

Please keep the feedback coming.

[AdamS]

Hi thanks for coming back.

 

I'm assuming fast tag refers to when I am viewing the email in preview? Would it be possibly to extend this so the hot keys work when an email (or group) is highlighted in the normal table view?

 

The highlight and remove selected tags is perfect the way it is and I like that functionality (in fact am requesting that as a feature in Xways Forensics which I use heavily as well) but the ability to completely remove all applied tags on a highlighted data set would be fantastic if it's possible.

[Chris]

Hello Adam,

 

The hotkeys are indeed available in the Previewer only at the moment.

 

I like the idea of having more hotkeys available in other places. The challenge we then need to work on is how to make it clear that this functionality is available (who reads user manuals?). Perhaps a few fast tag buttons can be placed somewhere in the Details table with tool tips mentioning the hot keys. Ideas more than welcome!

 

As for your earlier suggestion on an extended HTML report: I made a note of that as well!

[AdamS]

Hey Chris good to hear.

One of the things I love about Intella and Vound in general is that our suggestions are actually listened to, and seem to be implemented more often than not (where possible and practical )

 

One more for you, is there a way to quickly determine emails which don't have any content/body?

 

At the moment I'm previewing emails as quickly as I can to cull out the emails with no content and I notice that Intella has a tab for each piece of data (Content, headers etc). Intella obviously already identifies these data sets, is there a way to take advantage of that and quickly sort or exclude emails which have no content?

 

More basic usability thoughts, when I have an email open in preview mode using the mouse to click next, flag/unflag or even tag is fairly labour intensive when you have 10000 emails to go through. Linking in the arrow keys would be fantastic, right arrow next, left arrow previous, space bar flag/unflag. This would link in nicely with the Tag hotkeys which are already there.

[Chris]

Hello Adam,

 

You can use the Empty Documents category in the Features facet to find all "document-like items" that have no document body. You can intersect this with the Email category if necessary, or just sort on the Type column.

 

Note that you can use Alt+Left and Alt+Right in the Previewer to go back and forth one item. The button tooltips tell you what the hotkeys are. A hotkey for flagging makes sense though.