Hiding Content of Tags


Jerry_W

I have a forthcoming piece of work where the data set will initially be reviewed by an independent legal team to ascertain if any of the content is legal professional privileged (LPP). When that is finished the data set will be reviewed by the investigation team.

 

Is there any way that the investigation team can be physically prevented from viewing the tagged LPP material inside Intella, which is the point of the exercise? I can't see any way at the moment, other than producing a report and physically removing the material from the original data set.

 

Any suggestions gratefully received.

 

Thanks

 

Jerry W


Not as it stands at the moment.

 

The only way I could think of doing this would involve another piece of software, namely Xways forensics.

 

For example:

  • Obtain disc image in normal fashion, import data into Intella for LPP review, have all the LPP data tagged
  • Create hash set with Intella of LPP material only and export hash set
  • Import hash set into Xways forensics, load up original disc image
  • Run hash comparison to locate all identified LPP material, exclude and completely remove these items from the snapshot (if you are unfamiliar with Xways then this will make no sense to you)
  • Then you can create a new data set from the resulting files for setting up a new Intella case, basically export exactly what you did initially and exclude the LPP data which you have hidden and removed already.

Xways also has the ability to make 'skeleton' disc images which would also work, but there are some complications you will come across, particularly if some of the LPP files reside inside archives such as PSTs. In those cases you may have to create new PSTs after the LPP material has been removed. Forensically that will be a nightmare, but as long as all the individual files are hashed you will be able to show they are true copies... but either way it's a headache.

 

You could achieve the same thing with EnCase or FTK. I don't know the steps as I haven't used them in some time, but I'm sure you can import the hash set, ID the LPP files, and then simply extract out all the other files for your "Intella data set", which should now be LPP free.


Thanks Adam,

 

I have used that method with EnCase on a previous case. It was fairly successful but there were some issues with items coming back in that should have been filtered out. I think the files at issue were mostly emails which had a message hash but not an MD5 hash.

 

As long as I know there isn't a single button that I am missing I can continue to try and come up with a work-round.

 

Jerry W

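The hash-set exclusion step discussed in the posts above, as an added Python sketch that is not from any poster and is not Intella, X-Ways or EnCase functionality. The item records, field names and hash-list format are constructed assumptions; items without a usable MD5 (such as the emails mentioned in the reply above) are routed to manual review instead of being released.

```python
import hashlib
import re

MD5_RE = re.compile(r"^[0-9a-f]{32}$")

def load_hash_set(text):
    """Parse an exported hash list (assumed: one MD5 per line).
    Header rows, blank lines and anything that is not 32 hex chars are skipped."""
    hashes = set()
    for line in text.splitlines():
        token = line.strip().lower()
        if MD5_RE.match(token):
            hashes.add(token)
    return hashes

def partition(items, lpp_md5s):
    """Split item ids into (release, withheld, review).
    Fail closed: an item with no usable MD5 cannot be compared against the
    hash set, so it goes to manual review rather than to the release set."""
    release, withheld, review = [], [], []
    for item in items:
        md5 = (item.get("md5") or "").strip().lower()
        if not MD5_RE.match(md5):
            review.append(item["id"])
        elif md5 in lpp_md5s:
            withheld.append(item["id"])
        else:
            release.append(item["id"])
    return release, withheld, review

def _md5(data):
    return hashlib.md5(data).hexdigest()

# Constructed sample data (hypothetical ids and contents).
HASH_SET_TEXT = "MD5\n" + _md5(b"advice from counsel") + "\n\n"
ITEMS = [
    {"id": "doc-1", "md5": _md5(b"board minutes")},
    {"id": "doc-2", "md5": _md5(b"advice from counsel").upper()},  # case differs
    {"id": "mail-3", "md5": None},  # email with a message hash only
    {"id": "doc-4", "md5": _md5(b"invoice")},
]

if __name__ == "__main__":
    release, withheld, review = partition(ITEMS, load_hash_set(HASH_SET_TEXT))
    print("release:", release)
    print("withheld:", withheld)
    print("manual review (no MD5):", review)
```
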

Jerry, I think that would be a great feature to add to the wishlist.

 

The ability to load up a case, exclude certain items, then create a new case which can be saved off and that contains all the relevant data so that it can be loaded up into Intella and then be examined as if it's a complete case.

 

This would satisfy any forensic soundness questions and be a much better method than what we currently have to do when excluding LPP material.

 

Is this on the roadmap for Intella?
