Jump to content

Statistics view


Recommended Posts

Hello all,


In the next Intella version we want to add a new view called "Statistics" or "Overview". This view is intended to give investigators a quick, dashboard-like overview of "what's inside the case", giving him or her a feel for the type of data, its volume, its quality, ideally leading to inspiration on how to tackle the case. My question to you all is:


What type of statistics would be useful to you?


Ideas we have are:

  • Show a histogram of all items (using Sent/Creation/Last Modified dates), giving an overview of what time interval the items span, if there are any peaks or unusual gaps, etc.

  • Show a bar chart for the seven days of the week: which days are "most active"? Same can be done for hours of the day.

  • Show a pie chart of item types, e.g. is the case email-centric, document-centric, or are lots of items even unclassified?

  • Top ten file types.

  • Top ten most often occurring email addresses.

  • Top ten most often occurring mail host names.

  • Simple stats like:
    • Number of items in the case, both the raw and the deduplicated amounts.

    • Number of encrypted, empty, broken items.

  • Top ten items with the most copies throughout the case, or that have been linked with lots of custodians.

  • Review-related stats:
    • How many items have been tagged, flagged, opened, etc.

    • In total or per reviewer.

  • Personally identifiable information such as detected credit card numbers, social security numbers, etc.

Which of these appeal to you, and what other statistics can you think of?

  • Like 1
Link to comment
Share on other sites

All your options sound good, could you also maybe consider adding the abilitiy to break down the file types, search results(keywords) by custodian. This would give an easy way to show which custodian was most active in the case.


With the top ten file types could this be made user selectable so that we could chose the files types in the chart? It would be a good way to get past large numbers of irrelevant files like cookies, etc when listing text files.

Link to comment
Share on other sites

The list looks great, I would add under the simple stats area total number of emails (deduped and non).


I would also agree with dougee and add that the more customization can be worked in the better, as our needs are going to change depending on the focus of each job.


When you say 'reviewer' related stats are you talking about the reviewer users that make up part of the TEAM license usage, or is this based on the user account of the computer? I only ask as when I open a case there is no way to really tell who is working on the case as all changes are written against the name that was used when the case was set up.


If you are looking at including some of these auditing type capabilities then it might be a good idea to have a window prompt at every Intella start up, simply asking for a user name. This needn't be an authorized user situation (although it could be expanded to that later if needed) but just to give us a chance to quickly type in our name so the audit trail will accurately reflect who is doing what.

Link to comment
Share on other sites

Thanks, some very useful suggestions in here!


The keyword hits by custodian is something we've been asked for several times. It indeed fits well in the Statistics theme. A challenge here is that we don't really have the concept of "custodian" in Intella. We could use a source for this, so every PST/NSF/... is tested against all keywords. Alternatively, a cross-matrix of tags x keywords makes that you get full control against what aspects the keywords are tested against, though it requires a bit more preparation work.


Would you want to see the raw amount, the deduplicated amount, or perhaps both?


Adam: I was indeed referring to the Reviewer-related stats, and soon Connect stats, but we can look into other collaboration modes as well.


BTW, I do have to lookup how this works with local cases, but I believe every Intella user installation (essentially the %APPDATA%\Intella folder) corresponds with an automatically created and unique user identifier. Therefore, if you move the case to a different machine and the user there browses to the case, I believe his/her actions are logged as being performed by a different user. Since 1.7 the name of that reviewer is shown in the Case Manager screen. However, it has been some time since I last looked into that type of user management, so I could be wrong...


Many thanks for your comments, this is really helpful!

Link to comment
Share on other sites

Chris, thanks for the followup. You could use custodian as the source location for identification, for example name of sub folder containing the users doc's and PST. Also it would be good to add the ability to tag evidence containers inside Intella with a custodian name. I would add this as another field rather than a standard tag so you can easily filter by custodian in the facet without having to use the standard tagging method.


"Would you want to see the raw amount, the deduplicated amount, or perhaps both?" I would prefer both if possible.




Andy J

Link to comment
Share on other sites

Perhaps a solution to the custodian issue vs. location would be to allow the user to apply a custodian name to any source during the initial import of data.  Then any item derived from that data would be assigned the given custodian name in the database and would be sortable/searchable.

Link to comment
Share on other sites

  • Create New...