A new user's notes / questions / ramblings


llanowar

I have really enjoyed using Intella the past few weeks and have been keeping a running list of notes concerning feature requests, questions, etc., that I would like to share.

Some, if not all, of my notes' line items may be simply attributed to my lack of experience using Intella.

(I recently signed up for the online class offered June 20th).

 

NOTES - RAMBLINGS:

 

- What are some uses for the "Flagged" column? How are others using this feature vs. tagging?

 

- How does one flag an entire list (or just highlighted items) in the "Details" pane quickly? (perhaps add the "shift-click" mechanism)

 

- After adding sources and processing is finished, how do you see the total size of all items / files in the case?

 

- When searching with a keyword list: could you add an additional option (checkbox perhaps) to automatically add the exact keyword / phrase as a tag to each responsive file / item (following the user's tagging preference settings-parents, children, duplicates, etc.).

 

- When selecting the "Location" facet, could you allow organizing / moving the root source folders up and down the list to suit.

 

- Maybe - Add an option for an alert sound when a processing job completes (indexing, exporting, etc) - to alert a user away from computer.

 

- When highlighting files in the "Details" pane, indicate somewhere on the window the number of items highlighted.

 

- The option, when exporting e-mail messages as PDF files, to have attachments (perhaps only certain attachment types not well suited as pdf, such as .xls, .ppt, etc) saved as native (perhaps in a folder similarly named as the exported parent email msg).

 

- For e-mail messages, is the Message Hash an MD5? Also, what is used to generate the hash? header + subject + body + attachments, etc ?

 

- For the "Details" pane, allow shift-clicking mechanism to quickly sort by additional columns, like EnCase v6. E.g., click on a column header to sort, then a shift-click on a different column will second-sort by that column, etc. Shift-clicking the same column will simply toggle the reverse / eliminate sorting of that column without affecting the sorts already in place in other columns.

 

- For Office documents, etc., are the file properties / metadata, such as author, last printed, etc. listed as a line item in the report? (If converted to PDF or exported as native?)

 

- When dealing with "Empty Documents" (image-based PDFs, TIFFs, etc), I will export them out as native, run them through an OCR process and then add them back in as a new source. I am wondering if there is a "best" way to deal with this. I am finding it difficult to find a good way to bring the new OCR version(s) back in and keep them associated with the "Empty" original version (file path / location) for reporting (if it turns out to be responsive to the investigation). Especially if the "Empty" item was, say, an attachment in an e-mail. Once brought back in, it would be nice (though seems difficult programmatically) to have the new OCR version (copy) somehow accompany (attach to) the original empty version.

 

 

Love the app and the cluster maps! Keep up the great work. :lol:

Guest KathleenK

Flagging: This is mostly used in the TEAM environment where multiple reviewers are reviewing the same data. As Flagging is just a checkbox, it allows reviewers to "flag" certain items for the main case coordinator to review. I have also seen flagging used when the case investigator is going to review the data after it has been initially reviewed by the examiner. For instance, I may flag some items for the case investigator to look at to make sure I am finding and reporting information pertinent to their investigation.

 

Flagging (or Tagging) from the Details Pane: To accomplish this, single click on any item in the Details Pane. Press "Control" and the "A" buttons (the Windows command for Select All) or highlight the first item in the list, scroll to the bottom and press "Shift" and click on the last item. Both functions will highlight and select all of the items in the window. Right-click and a menu will appear. Flagging and Tagging are both options in this menu, as well as a number of other Intella functions.

 

Seeing the total size/all items of a case: In the Case Manager (where all of your Cases are displayed), the size is listed for each case. To view all items in a case, choose the Location Facet, then search for all root nodes.

 

Message Hash and MD5 Hash: The MD5 Hash and Message Hash are not the same. MD5 Hash is an industry standard algorithm used to apply the hash value to a file. An email is more like an entry in a database, hence the MD5 hash algorithm cannot be applied to an individual email. For emails, we created the Message Hash, which is a hash that is based on particular aspects of an email, specifically:

 

- the From/Sender/To/Cc/Bcc header

- the Subject header

- the Date of the mail

- the body and attachments of the mail, decoded with some smart filtering

 

This has been designed with the goal of finding duplicates across mailboxes, regardless of the mail or mail container format (PST, NSF, EML, MSG, etc.) and also with the goal that the copy that the sender has is deduplicated against the copies that the receivers get, even though a lot of mail headers will have been added to the receiver's copy. So when a person sends a mail to three receivers (there are four copies), these should be deduplicated to a single mail. The only exception is when people are bcc-ed, as the hashes will then differ, but that is by design.

 

Sorting: Intella provides for the sorting of multiple columns. On the Details Pane Menu Bar, there is an icon with AZ on it. Click on this icon to sort by multiple columns.

 

Exporting metadata for files such as Office or PDF files: When you export an item to PDF, it will list all document properties (author, last printed, etc), if the "Properties" checkbox is selected (this is checked by default).

 

Bringing decrypted, OCR'd or other items back into Intella: Currently there is no way to associate the new text files with the original items. As a user, I have had to bring decrypted items back. I have used either a Tag or the Comments field with each item to reference the item to its original email. This can be cumbersome if you have a large number of files. This type of feature is on the roadmap for a future version of Intella.

 

Your other feature requests are excellent and will be added to the feature request queue. Thank you for your feedback.

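The field selection described in the reply above, as an added Python sketch that is not Intella's own code or algorithm: it hashes only the listed address headers, the subject, a UTC-normalised date, the body and the attachments, so a sender's copy and a receiver's copy match while a copy that records a Bcc recipient does not. SHA-256, the address normalisation and the whitespace collapsing are assumptions, and the sample messages are constructed.

```python
import hashlib
from datetime import timezone
from email import message_from_string, policy
from email.utils import getaddresses

ADDRESS_HEADERS = ("From", "Sender", "To", "Cc", "Bcc")

def _addresses(msg, name):
    # Addresses only, lower-cased and sorted: display names and order are ignored.
    values = [str(v) for v in msg.get_all(name, [])]
    return ",".join(sorted(a.lower() for _, a in getaddresses(values) if a))

def message_hash(raw):
    """Hash only the fields the post lists; transport headers never enter it."""
    msg = message_from_string(raw, policy=policy.default)
    h = hashlib.sha256()  # assumption: the post does not name the algorithm
    for name in ADDRESS_HEADERS:
        h.update(f"{name}:{_addresses(msg, name)}\n".encode())
    h.update(("subject:" + str(msg["Subject"] or "").strip() + "\n").encode())
    date = msg["Date"]
    if date is not None and date.datetime is not None:
        # Normalise to UTC so the same instant in another zone hashes equally.
        h.update(date.datetime.astimezone(timezone.utc).isoformat().encode())
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    # Assumption: whitespace collapsing stands in for the unspecified filtering.
    h.update(("\nbody:" + " ".join(text.split())).encode())
    for part in msg.iter_attachments():
        h.update(hashlib.sha256(part.get_payload(decode=True) or b"").digest())
    return h.hexdigest()

# Constructed sample: the copy in the sender's Sent Items folder.
SENT = (
    "From: Alice <alice@example.com>\n"
    "To: bob@example.com, carol@example.com\n"
    "Subject: Q3 figures\n"
    "Date: Mon, 06 Jun 2011 10:00:00 +0200\n\n"
    "Please review the numbers.\n"
)
# Constructed sample: a receiver's copy with added transport headers.
RECEIVED = (
    "Received: from mx.example.com; Mon, 06 Jun 2011 08:00:03 +0000\n"
    "From: alice@example.com\n"
    "To: Carol <carol@example.com>, bob@example.com\n"
    "Subject: Q3 figures\n"
    "Date: Mon, 06 Jun 2011 08:00:00 +0000\n\n"
    "Please  review the numbers.\r\n"
)
# Constructed sample: the sender's copy when a Bcc recipient is recorded.
SENT_WITH_BCC = "Bcc: dave@example.com\n" + SENT
```

`message_hash(SENT)` equals `message_hash(RECEIVED)`, while `message_hash(SENT_WITH_BCC)` differs from both.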

I was just moving through items using the preview window and thought of a possibly cool useful feature (which I use all the time doing a similar thing in EnCase Forensic). Think about adding a "lock" checkbox somewhere around the tabs ("Contents", "Properties", "Tree", etc.) which will "lock" the currently selected tab, e.g., "Tree". This way when I am mostly interested in seeing the "Tree" structure of items, I can select that "Tree" tab, enable the "Lock" checkbox and the "Tree" tab will default open on all future previews, until I disable the "Lock" checkbox.

- instead of "Next", "Tree" tab, "Next", "Tree" tab, ...

Guest KathleenK

In version 1.6, we introduced a feature called "Default tab", which keeps track of the last open tab in the Previewer while browsing to the next/previous item. It is also remembered if you close the Previewer completely and then reopen it.
