1.9.1 "Items" selections


PF1

I am really liking the direction Intella is moving toward in 1.9.1.

 

I am wondering, though, if some end user configuration is possible?

 

Particularly, I am finding that every new source I process requires me to UN-select the "Items" I rarely, if ever, will need.  These include Chat messages, databases, registry, and browser history.

 

It would be great to have Intella remember my last choices and apply them, rather than forcing me to uncheck the ones I don't want every single time.

 

(attached screenshot: 2016-05-03_1643.png)


I'm in the habit of selecting everything regardless of my data source for the simple reason that "I don't know what I don't know!"

 

By that I mean what if an email contains an attachment that is a zipped chat log file, or registry file?

 

I know it's not common but I tend to err on the side of caution. Also I had always assumed (possibly wrongly) that having an item selected that isn't ultimately needed won't add any extra time to the indexing process.

 

My assumption was that part of the indexing process was first identifying all the types of files in the data set, then running the selected and applicable search filters as selected on the screen, if there is no internet history files identified in the first stage then the fact that I have ticked internet history on this screen is neither here nor there as there is nothing to run it against.

 

Maybe one of the Intella people could clarify this for us?


Adam, I hope you are right, (and I have not tested with and without all options to see if it affects my processing times) but my experience with other forensics/indexing tools is that the more it's looking for, the longer it takes even if it does not find anything.

 

I hope someone from Vound can let us know. Being an EnCase user, it's instinctive for me to reduce ALL indexing tasks as much as possible for speed!


Hello Adam,

 

It is slightly different - if I understand you correctly.

 

The checkboxes indeed have no impact on processing speed and case contents when the item type mentioned by a checkbox is not present in the evidence data in the first place.

 

However, when an item of that type is present and the corresponding checkbox is not checked, then the recursive processing stops at that level in the item tree. Any potential child items will not be processed, regardless of their type and the rest of the selected checkboxes.

 

Does this answer your question?


So if emails are selected but chat logs are not selected you could potentially have the following scenario:

 

An email has a chat log attachment, and the chat log has an embedded zip file which was sent between parties.

 

Intella will index the email, but as chat logs are not selected it will not index the embedded zip file and any of its contents?

 

So to avoid missing any embedded/nested files it's probably a good idea to select all items at this screen where there is any doubt about possible hidden files, unless you are indexing files which you are sure have no embedded content of any kind.


I feel like this begs the question "if none of these selections have an impact on performance, why are they UNselectable?"

 

I mean, I have no way to know if an email has an attached chat log and the log that in turn has an embedded zip file.  That's WHY I am using a tool like Intella to process the email!

 

I just don't see the point of having this configurable if the best course of action is always to run it with all items selected.


Possibly so you can ingest a data source which contains multiple file types (i.e. a disc image) and be selective about what you want to index.

 

If you only want to index registry artifacts, for example, having this choice means you don't have to first use a different tool to locate and extract the registry files to be indexed. You could then go back and index for different file types as required and if needed.

 

That's probably a bad example, but I'm thinking that may be the reasoning behind it.



Adam, you're right. If chat messages were not selected Intella would skip them - that means that also embedded zip files would be skipped.

 


The performance gain can be observed when un-selected data types are present in the source data (as those are not indexed in this case).

 

For example: If we know that a data set contains registry files (which are time-consuming from indexing perspective, and give no information), we deselect Registry indexing and gain better performance.
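As an added illustration (not Intella's code and not an official description of its internals), the following Python model reproduces the pruning rule stated earlier in this thread and confirmed for Adam's email -> chat log -> zip scenario: an item whose type is unchecked is skipped together with its entire subtree. The item types and the evidence tree are constructed for the example.

```python
# Added example, not Intella's code: models the pruning rule described in the
# thread. Item type names and the evidence tree below are constructed samples.
from dataclasses import dataclass, field

ALL_TYPES = {"email", "chat", "zip", "document", "registry"}


@dataclass
class Item:
    name: str
    type: str
    children: list = field(default_factory=list)


def index(item, selected, indexed=None, skipped=None):
    """Walk the item tree as the thread describes: an item whose type is not
    selected is skipped AND nothing below it is processed, whatever its type."""
    if indexed is None:
        indexed, skipped = [], []
    if item.type not in selected:
        skipped.append(item.name)      # subtree pruned here; children never visited
        return indexed, skipped
    indexed.append(item.name)
    for child in item.children:
        index(child, selected, indexed, skipped)
    return indexed, skipped


def missed_by_selection(root, selected):
    """Items a full selection would index but this selection never reaches.
    Useful as a coverage check before narrowing the checkboxes."""
    full, _ = index(root, ALL_TYPES)
    partial, _ = index(root, selected)
    return [name for name in full if name not in partial]


# Constructed sample: an email with a chat-log attachment that embeds a zip.
EVIDENCE = Item("msg-001", "email", [
    Item("skype-log.txt", "chat", [
        Item("shared.zip", "zip", [
            Item("contract.docx", "document"),
        ]),
    ]),
    Item("notes.docx", "document"),
])

if __name__ == "__main__":
    print(index(EVIDENCE, ALL_TYPES))
    print(index(EVIDENCE, ALL_TYPES - {"chat"}))
    print(missed_by_selection(EVIDENCE, ALL_TYPES - {"chat"}))
```

With "chat" deselected, the zip and the document inside it are never reached even though "zip" and "document" remain selected.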


OK, I understand the reasoning behind the inclusion of the various items, but since I use Intella exclusively (for now) for email and use other programs to handle registry and internet history and others, is there a configuration file that I can edit to set the default checked and unchecked boxes?

 

When I am adding 15-20 different sources to a case, it's 15-20 more steps to un-check/check the ones I want, and I can't seem to get my selections to 'stick' between sources, even in the same case (i.e. I un-check 'registry' items for source #1, but upon adding source #2 'registry' is checked again).


Hi,

 

Unfortunately, in the current version there is no configuration file that can be edited to change the default settings. However, on our road map we do have additional functionality in this area scheduled. This will include the ability to define a case template, containing settings for all sorts of user preferences, which will include adding sources.
