Jump to content

[locked] Wish list/suggestions V1


AdamS
 Share

Recommended Posts

Thanks Chris

 

For the moment my work around (for small amounts of emails) has been to open it with my lab computer (patched to deal with .eml) then using 'save as' from within Outlook to resave the email as .msg.

 

For any large amounts of emails thus far I have been talking to the IT guys on the receiving end and getting them to patch the users computer with the MS patch to fix the issue. I could use the method you describe above and that will be my third fall back option until the change is made for Intella.

Link to comment
Share on other sites

  • 1 month later...
  • 2 weeks later...

Morning

 

There were no replies to my post regarding the indexing of internet history so maybe Intella is a tool that hasn't had a big take up from LE yet. Is there any interest from elsewhere in having that available?

 

Hi Dave,

 

We have toyed with the idea of adding the internet history several times. The issue for us is how to display the results.  

 

Example: files like email and Word docs have metadata, body content and so on and are naturally listed as single items in intella.

 

Index.dat (and the others) are more like a spreadsheet.  How do we show that in Intella.  

 

index.dat.jpg

 

To make the search useful we would need each line as a item. Potentially adding 1000's of items. 

 

If you have any suggestion on showing this please do share them.  Something we could look at if we find the right balance in showing the results.

Link to comment
Share on other sites

Is this an area that Intella is thinking of delving into seriously? By that I mean to compete with tools like IEF?

 

The only reason I ask is that there are tools already that are specifically designed for internet usage type work and it would be a shame if Intella was to throw it's hat in that ring possibly to the detriment of it's core strengths. The best example I can give is EnCase's efforts to move into the smart phone and internet history world. Neither was successful and then end result was V7 with Guidance software are still in damage control years after it's release.

 

However if it's something that Intella has hired staff for with a view to a serious incursion into that part of the world, well then I would suggest that IEF is probably the leader at the moment so that's the type of functionality that I'd be hoping for :)

Link to comment
Share on other sites

I agree Adam. "a shoemaker must stick to his last"

 

Intella is a Forensic Search Tool. We are not trying to recreate EnCase or FTK like others are trying to do.  Our goal is to make searching and understanding of user created data accessible to a wider range of people and professions. We have lots more to add to Intella but so fare we think we are on the right track. 

 

Should also be said that Internet Evidence Finder is an impressive piece of software and would be a hard act to follow. 

Link to comment
Share on other sites

Definitely on the right track ladies and gentlemen it's been fantastic to work with Intella and watch it grow and evolve.

 

Small wish for a slight change when adding source files. Currently if I want to add multiple source files from different locations I have to add one, tick a couple of boxes, untick 'index now' then go back and repeat the whole process.

 

It would be great if after the initial 'add folder/file/' screen, after selecting the first folder we would automatically be taken back to the first screen to add another source. Then when we are finished selecting all the source files we want there would be a 'finished adding sources' button down the bottom and that could take us to the next screen to choose the location of the data file etc..

 

It would just be a little smoother than each source file needing the entire process completed prior to indexing.

Link to comment
Share on other sites

Some functionality wishes

 

Tags - When applying tags to documents many times I will be re-using existing tags, when that tag list starts to climb in number I find myself scrolling through hundreds of tags trying to find that special tag. It would be great if rather than scroll through existing tags we could simply start typing in the 'new tag' field, and have that auto search as we type and then produce a drop down box of possible choices based on the text we have already entered. ie as you type 'a' all the tags starting with 'a' appear in the drop down box, then when you have 'app' only tags that start with 'app' appear. That would be an extremely fast way to reuse tags without having to scroll through the existing lot.

 

In addition if this same behaviour could be implemented in the 'facets' section for the tags, exacly how it works for the email addresses so you can quickly find and display previously tagged data without having to scroll through hundreds of tags.

 

Details window - When working with data in the details window it would be fantastic to have some very quick filter and hide options to assist with isolating data. It would be great if we could highlight data, right click and 'hide from view'. It just helps quickly isolate data of interest in that view witout having to utilise the facet filters which sometimes don't give the result you are wanting (usually because of other filters applied).

 

Also to revisit something I mentioned a while back that is a source of continual frustration for me. If I double click and open an email to preview the preview window sits directly above the main Intella windows. When I finish previewing the email and click the red X at the top right corner the document closes and I continue with my review, however if I accidently just miss the red x and instead click in the top window of the main Intella screen (where the coloured balls are), the main Intella window immediately depopulates the details window with all my emails below. To get back to my review I have to click on the coloured ball again to bring back the results and my position has been lost and I have to manually scroll down to try and find where I'm up to. Highly frustrating when you are working with hundreds of thousands of emails. Can this please be fixed so that clicking in the top window of Intella next to the balls has no effect on the data below (unless of course you click directly on one of the balls.

 

It would be good if simply double clicking on a tag would work as if 'enter' had been pressed and display the resutls, again this is pure simplicity as highlight tags and scrolling down to click enter becomes laborious after the first few hundred times ;)

Link to comment
Share on other sites

Isolating emails that only involve specific users is something that I need to do regularly. 

 

Currently I can search the to/from/cc etc fields for the email addresses but it would be great if there was an 'exact' tickbox, and when that box was ticked Intella would only return results for the applicable field (to/from/cc etc) where the email address was the ONLY email address in that field.

 

This would be a very quick way to isolate emails between users that contain no other persons in any of the fields.

 

At the moment I have to sort by senders / receivers to see which fields contain other addresses and I can't find an easy way to isolate the emails I'm interested in..unless I'm being too left brained and am missing something.

 

Also there is a bit of a hitch with the 'show current hits' filter under the email facets. If I enable the show current hits filter this appears to only show email addresses that are currently linked to my search (ie what the big coloured balls are displaying) but as soon as I click one of those email addresses the filter is taken off and the email address view reverts back to the total. Would it be possible to have the filter stay active until it's deactivated? That way I can apply the email filter to 'current view' highlight all the addresses that are not of interest (or are) and use the 'include' 'exclude' filters to find relevant emails.

 

Along the same lines if I search for a particular email address using the 'all addresses' area there will be a number of email addresses that are highlighted due to being part of the current data displaying, however clicking on any one of those will instantly change the view and you can no longer see which other addresses are highlighted until you click on the big ball again. Having those emails stay highlighted after you click on one would allow me to select all those highlighted email addresses and view only them, or include/exclude.

Link to comment
Share on other sites

When viewing pictures in thumbnail mode it would be nice if we could see at a glance if a picture (or parent file) has already been tagged. Perhaps a green outline to the picture to quickly tell, and possibly a little tick or something immediately below the file to show if it's already been previewed.

 

Also when we highlight a file having the full name and path of that file auto show at the bottom of the screen would be hand as well, I realise this info is displayed if I hover the mouse but the resulting pop up covers up quite a bit of screen real estate and also can't be 'copy and pasted' out for extra functionality when compiling reports etc.

 

:)

 

Just a thought, would it be possible to have a 'pre render' option for thumbnails? I know the render time per screen is only a few seconds but I'd love to be able to press 'pre render' then walk away for an hour and come back and be able to zip through the pictures much faster.

Link to comment
Share on other sites

When indexing fails due to corrupt or problem files, or even power failure it would be absolutely fantastic on restart there was a notice to say that indexing failed on "item ID and name here" and offer the choice of resuming the indexing process excluding that file, and pick up where it left off.

 

Would this be possible? I'm working on several cases at the moment and I've had this issue a few times where adding a new source of a small amount to a case, indexing the new source, it crashes and now I have to re-index the entire case causing massive down time for my connect clients waiting to preview the new content. The merge feature would probably negate the need for this but it's become a real issue for me this week as it's impossible to identify what file may be causing the crash and I just have to keep re-indexing and crossing my fingers.

Link to comment
Share on other sites

I think there is room for improvement on the backup functionality of Intella generally. Currentlyi we have to close the case to back it up.

 

I'd love to see the ability to manually backup while you are working with the case so we don't have to exit the case, and to extend that I'd love to see an auto backup feature that you can set to say backup the case every 10 mins or so, that way in the event of a crash/powerout etc you only lose 10 mins work.

 

It would require some sort of auto numbering system so Intella can differentiate between the backups.

 

If you are familiar with Xways forensics then you know what I'm talking about, if not have a look at how that backup system works and you will see what I'm getting at.

Link to comment
Share on other sites

  • 2 weeks later...

Some more granular search ability would be very high on my wish list gentlemen.

 

For example, the ability to isolate only emails with a specific attachment type.

 

To accomplish this now I search the emails, make sure the 'attachments' field is ticked for the details pane, sort by attachments and manually scroll through to find the attachment types I want.

 

If we had a new option under the 'type' facet called 'attachment type' or something like that, we could instantly highlight emails that contain only PDF attachments, or emails that contain PDF and Word attachments only.

 

Or maybe under the details 'columns to show' have the option under the attachments field to further specify the attachment types to display. This option might actually be far easier to change as the attachments types are all displayed under the attachments column by default, if this was changed slightly so it would only display the selected attachment types sorting that column after this has been selected becomes a very fast and efficient way to isolate attachments of specific types.

 

Edit : Found a slightly different approach which is not precisely what I want but should make it more workable. I change the tagging behavior to include all nested items to the top level, then view all spreadsheets and apply a tag, thus tagging the top level email. Then view by tags and include only emails to see the emails with spread sheet attachments. This seems to give me what I need but it will of course tag a lot of other items I don't necessarily want tagged.

Link to comment
Share on other sites

Suppose you want to find all emails that have a PDF attachment. How about this method:

  1. Find all PDFs using the Type facet.
  2. Use the Show Parents function to determine the parents of these PDFs.
  3. Remove the PDFs result set but leave the parents set.
  4. Find all emails using the Type facet.
  5. Use the Cluster Map to select the overlap of the outcomes of step 2 and 4.

Like the tagging method, you exploit the item hierarchy here in an automated way, but without the need to tag anything, which would change your case and can be an expensive operation.

Link to comment
Share on other sites

This is going to sound silly but I get asked this question so often and I can never give my clients the answer.

 

Would it be possible to include a progress bar with percentage processed indicator when indexing sources?

 

I understand this won't give a time estimate, but my thinking is that Intella knows it has say '50 GB' of data to process, it will also know how much of that data has been processed at any given point, so it would be very handy to be able to say what percentage of the data has been processed thus far.

 

Of course this isn't an indicator of time, but it would at least be some sort of indicator for us to work from and stop me feeling like I'm watching the pot waiting for it to boil :P

Link to comment
Share on other sites

In some instances I will be exporting email sets into PST archives to be loaded onto clients own e-discovery or just because they like to import into Outlook and conduct more searches/reviews after any initial work I've done.

 

The attachment is a screenshot of the resulting file structure of a PST file (only 2 actual emails in this one) from a PST export.

 

This file structure while very logical and it's easy to see how it's come about, it is none the less very cluttered.

 

If we could be given some control over this as part of the export procedure it would allow us to simplify the resulting PST file to make it easier to work with, maybe a preview of what the resulting structure would look like with tickboxes for us to include/exclude empty folders (such as IPM_Common_Views, IPM_VIEWS and Search Root in the attached image).

 

Secondly the way Intella creates this structure seems a little odd, we have 'Top of Outlook data file' with the subfolders:

  • Deleted Items
  • Inbox
  • Intella
  • Outbox
  • Sent Items

Deleted, Inbox, Outbox and Sent Items are all empty folders, it's within the Intella folder that the data resides with a somewhat cluttered structure (which again is logical however busy it looks).

 

This structure is:

Intella

  • Source name (based on my own naming conventions)
  • Top of Outlook data file
  • IPMRoot
  • Root Mailbox
  • IPM_SUBTREE
  • Sync Issues
  • Conflicts (email is here)

Then the second email was from a different mailbox so the whole structure is repeated.

 

Imagine you are a non technical person and look at the attached picture and imagine how confusing that would be.

 

The structure I would like to be able to create for this would look something like this:

 

  • Source A
  • email@address.com (name of the actual PST/OST etc)
  • Sync Issues
  • Conflicts (sub folder of the Sync Issues folder which contains the actual email)
  • Source B
  • email@address.com
  • Inbox
  • Alliance Parters (sub folder in the Inbox)
  • Subfolder (the subfolder that contains the actual email)

 

For a normal export you would expect to see inbox, outbox, sent items etc, but only the folders with actual email data need be created and getting rid of all the extra layers of folders and sub folders will make the result so much cleaner and easier to work with.

post-25-0-15990700-1401937578_thumb.jpg

Link to comment
Share on other sites

Would love to see a process to import tag results from case to case.

 

I have a case that we have been working on for some months, but due to some complications with the data that had been provided to us we had to reacquire the entire data set and I am in the process of reindexing the new data now.

 

However many months of work had already been done and I'm trying to find the best way to reproduce that, specifically all the tags. At the moment I am having to go to each tag, highlight all the tagged data, export to .csv populating ONLY the hash value, then saving the resulting .csv with the same name as the tag. Then I will be able to import those lists under the 'md5 hash' facet, search and retag.

 

This process for a few tags is excellent, this process for a few hundred or a thousand tags is very time consuming.

 

My thoughts are the ability to right click directly on the tag(s) and have the ability to export information about the tagged files directly to .csv from there and have it automatically name the resulting .csv the same as the tag name. So hopefully we could then, highlight all the tags, right click "export data to .csv", populate the fields we want (tags, hash, sender etc) and then click go and have a .csv file exported for each individual tag already named the same as the tag which contains the desired information about all the files for that tag.

 

This method would also avoid having to first highlight and search to view all the tagged files as when I attempt this due to the many nodes Intella locks up trying to display all the data.

 

Al alternative which may be easier but wouldn't avoid the locking issue would be to allow a bit more detail when importing the MD5 has list so we can view the fields (to a degree). I'm thinking like the keyword lists where we can see each keyword and chose what to search on. When I import a MD5 hash list to search on I don't get that option, I have to search on the entire list. If this list has 10,000 hash values then it's just going to become non responsive.

 

Which reminds me of another point, would it be possible to have any exported .csv files use separate columns where an item has multiple tags? So assume the file in question is tagged with 3 different keywords, the resulting .csv currently has a single column for tags and lists each tag

Tag1, Tag2, Tag3

If there was a separate column for each tag this would give some flexibility for sorting and isolating individual tags as it not possible to order based on tag 2 or tag 3 currently.

 

My head is all over the place so please ask me to clarify if any (or all) of this is unclear :P

Link to comment
Share on other sites

Have used Intella on a live investigation, and must say am impressed with the tool. I have a couple of suggestions for some proposed changes:

 

  1. When I add a new source evidence, it would be good if I can associate that evidence with a custodian. So for example, if I am adding 5 or 6 pst files to my case, I need a way to identifying the relevant custodian for that file. Maybe another text box on the source name dialogue box, and an additional field added to the details pane.
  2. From being able to associate a custodian with a source file, it would be good if under the location facet I could organise evidence by custodian, and not just the name of the file.
  3. To extend the search query syntax to add in commands for facets and included/exclude commands. So for example "john -Johnson AND facet-type:email AND exclude facet-tag:privilege". Extending the search query syntax would allow the sharing of search strings with other colleagues without having to explain type this, click that, in order to get the same results.
  4. Add an export to csv check box option to allow for the inclusion of message body data. At the moment I can get the usual to, Cc, bcc, subject etc. fields from emails when exporting table as a csv but it would be nice to include the body of the message as well.
  5. The ability to export a full listing of the statistics. The stats provide a very useful early case assessment of what's in my case file, and it would be nice to share this information with our colleagues and legal review teams.
Link to comment
Share on other sites

Hi Mark, until the Intella guys get back to you with probably a more elegant solution :P I thought I'd offer my 2 cents.

 

If you want to have custodians allocated to the source data this can be accomplished by created a directory structure before you index. My normal practice is to have a folder called 'Raw Email' or 'Raw Data', then within that folder create sub folders with the custodian names, then dump the relevant data in each named custodian file. Point Intella at the 'Raw Data' folder and when Intella indexes it maintains that folder structure under the 'locations' facet and you have your linkage for custodian ownership.

 

With point 5 there is another option, which is not exactly what you are asking for but would at least give you something to work with.

 

In the top right hand corner you will see 'Cluster Map, Social Graph and Statistics'. If you click on the statistics tab it will give you some graphical and textual statistics, there are three lots of tabs within that 'Overview, HIstogram and Emails' you could grab screen shots of each of those and include them as a picture break down of the stats.

 

On point 3 could I add that if the syntax can support those type of queries, that it would also be good if when we save a search that as part of that process Intella could also automatically generate a text file and save it as part of the case data, maybe under a new folder called 'saved searches', and in that text file is the exact syntax that would be needed to replicate that search. This would give us a single text file with any saved search and the syntax to replicate it with the current data set.

Link to comment
Share on other sites

Hi AdamS,  thanks for this.

 

I had original thought of having my datasets within custodian named folders, it's just that it would be easier to issolate a particular custodian's data if there was a option to select only the custodian I want within Intella through a facet.  Your suggestion seems like a good work around though.  I'll try your suggestion.

 

I had thought about taken screen shots of the statistics screen but it only gives the top 10 items.  In my experience, if I have got x number of documents/items in my case, legal review teams will want to know how x exactly breaks down. I have found this to be especially true when we receive native data from the client, and before we produce to the regulator we need to ensure we have received everything the client says we should have.

 

The saved search is a very good idea, and a key feature, especially when you share a case with other colleagues.

Link to comment
Share on other sites

*slaps forehead

 

I can't believe I missed this yesterday, I didn't read the post properly.

 

Open the case you are interested in then select the 'types' facet. Highlight all the folders that are visible in the bottom left pane, right click and select 'export values'. You will now have a .csv file which details a breakdown of all the file types and the numbers of each one. Be patient if you are exporting this for a full data set as it can take some time for the .csv file to be generated and there is no progress dialog or any pop up windows to let you know the process is happening.

 

You can also use this functionality to export subsets of tagged data, or data that is visible on the preview pane at a given point.

Link to comment
Share on other sites

When adding hash lists or keyword lists it would be helpful to be able to add multiple files at once.

 

Currently we are limited to adding one file at a time.

 

The case I'm working on now I will need to add around 70 hash set files and keyword list files. While not a huge issue anywhere we can save time is useful, and I imagine not that hard to implement in this case :)

Link to comment
Share on other sites

Guest
This topic is now closed to further replies.
 Share

×
×
  • Create New...