Jump to content

Hiding Content of Tags

Recommended Posts

I have a forthcoming piece of work where the data set will initially be reviewed by an independent legal team to ascertain if any of the content is legal professional privileged (LPP). When that is finished the data set will be reviewed by the investigation team.


Is there any way that the investigation team can be physically prevented from viewing the tagged LPP material inside Intella, which is the point of the exercise? I can' t see any way at the moment, other than producing a report and physically removing the material from the original data set.


Any suggestions gratefully received.




Jerry W

Link to comment
Share on other sites

Not as it stands at the moment.


The only way I could think of doing this would involve another piece of software, namely Xways forensics.


For example:

  • Obtain disc image in normal fashion, import data into Intella for LLP review, have all the LLP data tagged
  • Create hash set with Intella of LLP material only and export hash set
  • Import hash set into Xways forensics, load up original disc image
  • Run has comparison to locate all identified LLP material, exclude and completely remove these items from the snapshot (if you are unfamiliar with Xways then this will make no sense to you)
  • Then you can create a new data set from the resulting files for setting up a new Intella case, basically export exactly what you did initially and exclude the LLP data which you have hidden and removed already.

Xways also has the ability to make 'skeleton' disc images which would also work but there are some complications you will come across particularly if some of the LLP files reside inside archives such as PST's. In those cases you may have to create new PST's after the LLP material has been removed. Forensically that will be a nightmare but as long as all the individual files are hashed you will be able to show they are true copies.....but either way it's a headache.


You could achieve the same thing with EnCase or FTK, I don't know the steps as I haven't used them in some time but I'm sure you can import the hash set, ID the LLP files, and then simply extract out all the other files for your "Intella data set" which should now be LLP free.

Link to comment
Share on other sites

Thanks Adam,


I have used that method with EnCase on a previous case. It was fairly successful but there were some issues with items coming back in that should have been filtered out. I think the files at issue were mostly emails which had a message hash but not an MD5 hash.


As long as I know there isn't a single button that I am missing I can continue to try and come up with a work-round.


Jerry W

Link to comment
Share on other sites

Jerry I think that would be a great feature to add to the wishlist


The ability to load up a case, exclude certain items, then create a new case which can be saved off and that contains all the relevant data so that it can be loaded up into Intella and then be examined as if it's a complete case.


This would satisfy any forensic soundness questions and be a much better method than what we currently have to do when excluding LLP material.


Is this on the roadmap for Intella?

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


  • Create New...