Intella Investigator Administrator Manual 2.7.1 (2024)

Sources are one of the key concepts of Intella Investigator. They represent the locations where items such as emails, documents and images can be found. Sources are explicitly defined by the user, providing full control over what information is searched.

Sources can be added to a case, edited, or removed from a case on the Sources page. This page can be accessed from the Cases list by selecting a case and then clicking the Sources button.


The Sources view consists of three main components:

  • case operation panel

  • sources list

  • source details panel


The component at the top shows the current status of any case sources operation being performed on an Intella Node. As soon as the Sources view is loaded, it connects to the Intella Nodes defined in the system and checks whether any case operation is being performed there. If so, statistics for the current operation are presented. If no Intella Node reports processing the case, the message Ready to manage case sources is shown. This component also provides Manage decryption Key Store: if your sources are password protected, you can define the encryption methods here. Here you can also find Manage custom columns, which may enrich the item model defined in the case. If statistics for the last case operation are available, clicking the Last statistics button lets you browse them.

Beneath it, on the left side, the list of your case sources is presented. Initially it is empty. The buttons in the top bar let you change the contents of this list. Usually the first thing to do in a clean case is to click the Add new button to add the first source to the case. Once some sources are defined, selecting them enables additional actions. These are:

  • Edit - change certain source-specific settings

  • Exceptions - download the item exceptions report for the selected source(s)

  • Indexing > Re-index - completely rebuild the case database for the selected source(s)

  • Indexing > Index new data - scan the existing selected source(s) to determine whether they contain new data requiring indexing

  • Remove - remove the selected source(s), along with the items they produced, from the case

To select multiple sources at once, click on them with the CTRL key held down.

As soon as a source is selected, the source details panel appears on the right side. This panel shows basic information about the currently selected source.

Most case source operations (such as re-indexing) require an available, idle Intella Node to do the actual processing. Intella Investigator will therefore show a modal dialog asking you to select one of the idle Intella Nodes available in your system.


9.1. Source types

Intella Investigator distinguishes between various types of sources. The Add New Source wizard organizes them in two rows: sources dealing with local evidence files on the top and sources dealing with cloud or server-based data on the bottom.

The supported types are:

  • File or Folder: A single file or folder with source files on a local hard drive or on a shared/network drive. Such source files could be:

    • Regular loose files like MS Word, Excel, and PDF files.

    • Email containers such as MS Outlook PST/OST, HCL/IBM Notes NSF files, Mbox files.

    • Cellphone XML and UFDR reports such as those made by Cellebrite UFED, MicroSystemation’s XRY and Oxygen Software’s Forensic Suite.

    • Even large containers like EDB files and disk images can be indexed this way, together with many other files in one go. The downside of doing this is that any EDB- or disk image-specific configuration options are not available this way.

  • Load file: A Concordance, Relativity, or CSV load file.

  • Hotmail Search Warrant Result (experimental): a collection of files in HTML and other formats, provided by Microsoft pursuant to a search warrant.

  • Disk Image: One or more disk images in E01, Ex01, L01, Lx01, S01, AD1, AFF4, VHD, VHDX, AVHDX, VMDK, X-Ways or DD format.

  • MS Exchange EDB Archive: a single MS Exchange EDB file.

  • Vound W4 Case: A case created in the Vound W4 application.

  • IMAP account: An email account on an IMAP email server.

  • Dropbox: all files stored in a personal Dropbox or Dropbox for Business account.

  • Google: A Google account: Gmail, Drive, Contacts, Calendars and Tasks.

  • Microsoft 365: The complete contents of a Microsoft 365 account, incl. the Outlook, OneDrive and SharePoint services of that account.

  • iCloud: The complete contents of an iCloud account, incl. iCloud Drive, Mail, Calendar, Contacts, and other services.

  • AWS S3: The complete contents of an Amazon AWS S3 bucket.

Notes on mail formats
Intella Investigator/Node supports PST and OST files created by the following versions of Microsoft Outlook: 97, 98, 2000, 2002, 2003, 2007, 2010, 2013, 2016, 365. Make sure that Intella has exclusive access to the PST or OST file; it cannot be open in Outlook or another application at the same time.

Intella Investigator/Node will try to recover deleted items from the file. Recovered items will be placed in a special folder named <RECOVERED>. Furthermore, Intella may encounter items outside the regular root folder. Any such items are placed in a special folder called <ORPHAN ITEMS>. Recovered emails may contain traces of other emails. This should be considered when reviewing such items.

Orphan items may contain unreliable data. For example, some orphan items can contain pieces of the message body, and message metadata from different emails. This may be due to the way the email client caches message data in the email container.

You should consider whether this information should be included in exports. Some clients may not want this information exported due to its unreliable nature.

To index NSF files, HCL/IBM Notes 8.5 or higher needs to be installed. For NSF files made with HCL/IBM Notes 9 it is recommended to install HCL/IBM Notes 9. Intella supports all NSF files that can be processed by the installed HCL/IBM Notes version. Make sure that Intella has exclusive access to the NSF file; it cannot be open in a Notes client or another application at the same time. Only NSF files containing emails are supported by Intella; all other types are not supported. Make sure to use a default Notes installation and user configuration. A "corporate" Notes installation is often problematic for indexing, e.g. because of installed plugins interfering with access to the NSF file, the installation being tied to the corporate identity management system, etc.

The HCL/IBM Notes tool nupdall.exe can be used to convert older NSF files to NSF files that can be processed by HCL/IBM Notes 8.5 and higher.

Notes 9.0.1FP8 or higher needs to be installed to decrypt messages in a non-encrypted NSF.

Intella Investigator/Node supports Windows 10 Mail mailboxes, provided that the account uses the POP protocol. Accounts that use the IMAP protocol are not supported, as only POP accounts store mails locally. Furthermore, Windows 10 mails do not keep track of BCC-ed email addresses or of the email headers.

Intella Investigator/Node supports DBX files created by the following versions of Microsoft Outlook Express: 4.0, 5.0, 6.0.

Intella Investigator/Node has been tested on Thunderbird Mbox files.

Intella Investigator/Node supports MS Exchange EDB files of Exchange versions 2003, 2007, 2010, 2013 and 2016.

Some items may turn out to only contain email headers and are lacking an email body. Examples of such items are messages typically sent back by mail servers to indicate undeliverable mails, e.g. due to an unknown recipient or a mailbox quota that has been reached. Such items are typed as "Email Headers" rather than "Email Message".

Notes on cellphone formats
When indexing Cellebrite, MicroSystemation or Oxygen cellphone reports, each report should be in its own subfolder. Any additional files that were produced together with the XML report, such as audio, video, and image files, should have the same relative location to the XML file as the exporting application produced them. These two requirements are crucial for correctly linking the binary files with the XML report. Finally, no other evidence files should be placed in these folders, as they will be ignored.

The folder should reside in the local file system or in a disk image, i.e. not in a ZIP file or other type of archive, as quick random access is needed to be able to process the files linked from this report.

A folder with the XML report and its related files can in principle be indexed straight away. However, most XML reports will often only contain the external numbers related to the calls and messages, i.e. the number of the phone itself is not in the report. This has valid technical reasons (e.g. it cannot be guaranteed that the current SIM card was used for these calls and messages), but it makes analysis of the communication a lot harder. Also, Intella functionalities like message deduplication require this information. When the investigator knows the number, e.g. obtained from the network provider, it may be specified through a separate text file:

  1. Create a text file named after the XML report. For example, if the report is called report.xml, the text file should be named report.numbers.txt.

  2. Put it in the same folder as the XML report.

  3. Store the phone’s own number in this file.
    When the XML report holds information about multiple phones, enter the number of each phone on a separate line, like this:
    number1
    number2
    …​

  4. The first line will be used for the first phone found in the report, the second line for the second phone, and so on.

When indexing XRY’s XML reports, we recommend using the Extended XML report introduced in XRY 6.4. This new format solves many issues with the encodings of dates and other fields. Furthermore, the older XML format did not support exporting binary items. To get binary items with the Extended XML report, you need to select the "Export media files and manifest" option.

The XML formats used by these cellphone extraction vendors are often evolving over time and are not fully documented. While we strive to extract all information from these reports as completely and correctly as we can, we can only offer this functionality on a best-effort basis. We recommend that you verify any results that you may rely on in your report with the original cellphone extraction software. Please let us know if you find any issues with processing reports made with a certain version of a cellphone extraction suite, and we will add that version to our development roadmap.

Notes on instant messages
When instant message items (SMS/MMS/iMessage/Skype/Jabber/etc.) have a timestamp and the sender and receiver(s) are all known, Intella will bundle all messages of that group of participants into "conversation items". A conversation item bundles the messages between a group of people on a day-by-day basis. All messages of a single day are now placed below each other in the Previewer’s Contents tab, rather than being presented as one message per item. Hyperlinks are provided to navigate to the previous and next day in the conversation.

Compared to emails, instant message texts are typically very short and do not contain the previous thread. Therefore, bundling messages in this way greatly improves reviewing of instant messages.

Other instant messages, which do not have enough metadata to be bundled into conversations, will be reported as conversations consisting of a single message.
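As an added illustration of the bundling rule described above (example code written for this page, not Intella's own implementation), the following Python script groups messages by participant set and calendar day, sorts each day's messages in time order, links consecutive days of the same conversation the way the Previewer's previous/next hyperlinks do, and reports messages with incomplete metadata as single-message conversations. The message field names and the sample messages are constructed for the example.

```python
from collections import defaultdict
from datetime import date, datetime

# Constructed sample messages (not real data). 'ts' is an ISO-8601 timestamp;
# 'sender' and 'receivers' are participant identifiers as a cellphone report
# might provide them. Message 5 has no timestamp and message 6 has no receiver
# list, so neither has enough metadata to be bundled.
SAMPLE_MESSAGES = [
    {"id": 1, "ts": "2024-03-01T09:15:00", "sender": "+100", "receivers": ["+200"], "text": "hi"},
    {"id": 2, "ts": "2024-03-01T09:16:30", "sender": "+200", "receivers": ["+100"], "text": "hello"},
    {"id": 3, "ts": "2024-03-02T18:00:00", "sender": "+100", "receivers": ["+200"], "text": "tomorrow?"},
    {"id": 4, "ts": "2024-03-01T12:00:00", "sender": "+100", "receivers": ["+200", "+300"], "text": "group"},
    {"id": 5, "ts": None, "sender": "+100", "receivers": ["+200"], "text": "no timestamp"},
    {"id": 6, "ts": "2024-03-01T13:00:00", "sender": "+100", "receivers": None, "text": "unknown receivers"},
]


def conversation_key(msg):
    """Return (participants, day) for a message with complete metadata, else None.
    Participants form an order-independent set, so A->B and B->A messages
    land in the same conversation."""
    if not msg.get("ts") or not msg.get("sender") or not msg.get("receivers"):
        return None
    day = datetime.fromisoformat(msg["ts"]).date()
    return frozenset([msg["sender"], *msg["receivers"]]), day


def bundle_conversations(messages):
    """Group messages into per-day conversation items.

    Each item is a dict with 'participants', 'day', 'messages' (sorted by time)
    and 'previous'/'next' indexes pointing at the adjacent day of the same
    participant group, like the Previewer's navigation hyperlinks. Messages
    lacking metadata become single-message conversations."""
    groups = defaultdict(list)
    singles = []
    for msg in messages:
        key = conversation_key(msg)
        (singles if key is None else groups[key]).append(msg)

    items = []
    for (participants, day), msgs in groups.items():
        msgs.sort(key=lambda m: m["ts"])
        items.append({"participants": participants, "day": day, "messages": msgs})
    for msg in singles:
        items.append({"participants": frozenset(), "day": None, "messages": [msg]})

    # Order by participant group, then by day, so neighbours in the list are
    # consecutive days of the same conversation.
    items.sort(key=lambda it: (sorted(it["participants"]), it["day"] or date.min))
    for i, item in enumerate(items):
        item["previous"] = item["next"] = None
        if not item["participants"]:
            continue  # unbundled single message: nothing to navigate to
        if i > 0 and items[i - 1]["participants"] == item["participants"]:
            item["previous"] = i - 1
        if i + 1 < len(items) and items[i + 1]["participants"] == item["participants"]:
            item["next"] = i + 1
    return items


if __name__ == "__main__":
    for it in bundle_conversations(SAMPLE_MESSAGES):
        who = ", ".join(sorted(it["participants"])) or "(unbundled)"
        print(f"{who} on {it['day']}: {[m['id'] for m in it['messages']]}")
```

Keying on a frozenset of participants is what makes the sender/receiver direction irrelevant, and a three-party group becomes a separate conversation from the two-party one even on the same day, which matches the "group of participants" wording above.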

Notes on IBM Sametime dumps
IBM Sametime dumps must be located in the local file system or in a disk image, i.e. not in a ZIP file, as quick random access is needed to be able to process the files linked from this report.

Common file locations
MS Outlook PST and OST files are typically located in the following folder:

  • Windows Vista, Windows 7, Windows 8/8.1, and Windows 10:
    C:\Users\<username>\AppData\Local\Microsoft\Outlook

  • Windows 2000 and XP:
    C:\Documents and Settings\<username>\Local Settings\Application Data\Microsoft\Outlook

MS Outlook Express DBX files are typically located in the following folder:

  • Windows 2000 and XP:
    C:\Documents and Settings\<username>\Local Settings\Application Data\Identities\{<arbitrary string>}\Microsoft\Outlook Express

HCL/IBM Notes NSF files are typically found in the following folder:

  • Version 7.x:
    C:\Program Files\Lotus\Notes\Data

  • Version 8.x:
    C:\Program Files\IBM\Lotus\Notes\Data

  • Version 9.x and 10.x:
    C:\Program Files\IBM\Notes

  • Version 11.x:
    C:\Program Files\HCL\Notes

Notes on cloud sources
Each of the supported cloud services (Dropbox, Google, SharePoint, and Microsoft 365) provides a so-called REST API for data retrieval. Access to a cloud service via this API often requires an authorization token, rather than or in addition to a username and password. Each cloud service provides a web portal where users can register the client application (in this case: Intella) and obtain the authorization token.

Depending on what the REST API supports, Intella uses read-only data operations wherever possible, so as to minimize changes to server-side data. Nevertheless, access may be visible to the cloud service and to the account holder, e.g. due to the presence of an authorization token in the server settings, access logging, altered metadata, etc.

Notes on document length
The indexing of a document text for keyword search can consume a considerable amount of RAM. With multiple documents being processed in parallel, this carries the risk of one of Intella’s processes running out of memory. To combat this, Intella imposes a maximum length to the document text. This way, typically problematic textual files such as large server logs and database dumps in CSV format can be processed without terminating the indexing abruptly.

By default, the maximum length is set to 50M (52,428,800) characters. Any text beyond that point is skipped. Consequently, the document will not be returned when using query terms that only occur after this point. Affected documents can be located using the "Exception Items" category, "Truncated text" branch in the Features facet.

The limit can be adjusted on a case-specific basis via the case.prefs file. Make sure to close the case before making this change in order for it to take effect. For example, alter or add the following line to set the limit to 100M characters:

ItemTextMaxCharCount=100M

Open the case and check the logs for the following message: Using X characters as text indexing limit as specified by the ItemTextMaxCharCount property. The presence of this line in the logs is a good indication that the new parameter was applied.

Also, by default, the maximum length of the raw data is set to 5M (5,242,880) characters. Any raw data fields that exceed this limit will be skipped. Items with truncated raw data will be marked as "Exception Items / Truncated text". The raw data limit can be adjusted via the case.prefs file. For example, this will increase the limit to 10M:

MaxRawDataSizeMB=10

A future Intella Investigator/Node version will make this configurable via the user interface. The limit can also be adjusted globally via the IntellaNode.l4j.ini file:

-Dintella.itemTextMaxCharCount=100M
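The following Python helper, added for this page and not part of Intella, ties the three settings above together: it converts the size notation into a character count, rewrites the ItemTextMaxCharCount or MaxRawDataSizeMB line in a case.prefs text without disturbing other lines, and checks a log excerpt for the confirmation message quoted above. It assumes the K/M/G suffixes are binary multiples (the manual's own figures, 50M = 52,428,800 and 5M = 5,242,880, agree with 1024-based units), that case.prefs is a plain key=value file with "#" comments, and that the log line prints X either as a bare number or with a suffix; the sample prefs content and log line are constructed.

```python
import re

# Assumed: K/M/G are binary multiples. The manual's own figures (50M =
# 52,428,800 and 5M = 5,242,880) match 1024-based units.
_SUFFIX = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}


def parse_size(value):
    """Turn a value such as '100M' or '52428800' into a plain integer."""
    m = re.fullmatch(r"\s*(\d+)\s*([KMGkmg]?)\s*", value)
    if not m:
        raise ValueError(f"unrecognised size value: {value!r}")
    return int(m.group(1)) * _SUFFIX[m.group(2).upper()]


def get_pref(prefs_text, key):
    """Return the value of key in a key=value prefs text, or None if absent."""
    for line in prefs_text.splitlines():
        stripped = line.strip()
        if stripped and not stripped.startswith("#"):
            k, sep, v = stripped.partition("=")
            if sep and k.strip() == key:
                return v.strip()
    return None


def set_pref(prefs_text, key, value):
    """Return prefs_text with key=value replaced in place, or appended if the
    key is absent. Only the first uncommented occurrence is rewritten; every
    other line is passed through unchanged (case must be closed when the
    real file is written, as the manual says)."""
    out, replaced = [], False
    for line in prefs_text.splitlines():
        stripped = line.strip()
        if not replaced and stripped and not stripped.startswith("#"):
            k, sep, _ = stripped.partition("=")
            if sep and k.strip() == key:
                out.append(f"{key}={value}")
                replaced = True
                continue
        out.append(line)
    if not replaced:
        out.append(f"{key}={value}")
    return "\n".join(out) + "\n"


# The confirmation line quoted in the manual. Whether X is printed as a bare
# number or with a suffix is not stated there, so both forms are accepted.
_LOG_LINE = re.compile(
    r"Using (\d+[KMGkmg]?) characters as text indexing limit "
    r"as specified by the ItemTextMaxCharCount property"
)


def limit_confirmed_in_log(log_text, expected_chars):
    """True if the log contains the confirmation line and its count matches."""
    m = _LOG_LINE.search(log_text)
    return m is not None and parse_size(m.group(1)) == expected_chars


# Constructed sample case.prefs content and log excerpt (not real files).
SAMPLE_PREFS = "# case preferences\nItemTextMaxCharCount=50M\nMaxRawDataSizeMB=5\n"
SAMPLE_LOG = ("2024-01-01 10:00:00 INFO Using 104857600 characters as text indexing "
              "limit as specified by the ItemTextMaxCharCount property.\n")

if __name__ == "__main__":
    updated = set_pref(SAMPLE_PREFS, "ItemTextMaxCharCount", "100M")
    print(updated)
    print("confirmed:", limit_confirmed_in_log(SAMPLE_LOG, parse_size("100M")))
```

Note that MaxRawDataSizeMB takes a plain number of megabytes while ItemTextMaxCharCount takes a suffixed character count; set_pref writes whatever string you pass, so use the unit the key expects.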

9.2. Adding sources

Adding sources is done with the Add New Source wizard. It can be opened by clicking on the Add new button on the Sources page. The first page of the wizard allows selecting the type of the new source, which is illustrated below:


9.2.1. Note on source locations

When providing paths to evidence, make sure to use locations that are accessible both to Intella Investigator and to the Intella Node selected to perform the indexing operation.

9.2.2. Files and Folders

Follow these steps to add a File or Folder source to Intella Investigator:

  • Source type

    Select "File or Folder" source type and click "Next". A folder tree will be displayed next.

  • Specify file or folder

    Select the folder or file from the tree that you want to index, or enter the folder or file name in the text field above the tree. When selecting a folder, all files in the selected folder will be indexed. When the "Include subfolders" checkbox is selected, files in all subfolders (and sub-subfolders, etc.) will also be indexed. When the "Include hidden folders and files" checkbox is selected, hidden files and folders will be indexed as well.

Folder trees containing many items may take some time to be displayed. Please be patient.

Click "Next" to continue.

The last steps in the definition of a source type are almost the same for all types. They are described in the section Last steps in a source definition.

Though disk images can be added and indexed via a File or Folder source, there is a limitation on the maximum number of parts (files). For the E01 format the maximum number of parts is 4,831 (e01-e99, eAA-eZZ, fAA-kZZ); for other EnCase formats (L01, Lx01, Ex01) the maximum number is 775 (L01-L99, LAA-LZZ). If the disk image contains more parts than that, it is strongly recommended to use the Disk Image source type instead.
Multi-part archives (ZIP and RAR) are currently not supported. Such archives should first be extracted and then the native files can be added as a source and indexed.

9.2.3. Load files

The built-in export and import templates "Intella Standard Relativity Export (All Columns)" and "Intella Standard Relativity Import" can be used to export items and re-import them in another case, effectively creating a subset of the original case. Please note that not all metadata fields are supported.

Follow these steps to add a load file to an Intella Investigator case:

  • Source type

    Select "Load file" source type and click "Next".

  • Import load file

    • Select the import operation: New Data or Overlay. When New Data is selected, Intella Investigator will import new items into the case. An Overlay operation is used to import tags, comments and tag columns into existing items.

    • Add the file name and location of the load file that you wish to investigate; use the tree component to browse for the file. If the load file comes with an Opticon image file, then you should specify it in the "Opticon image file" field.

    • Specify the source name.

    • Specify the custodian. If the custodian information is stored in one of the columns, then leave the text field empty and use the column chooser on the "Map fields" page instead.

    • Specify the time zone. By entering the time zone, all dates associated with items from this load file will be displayed in that time zone, rather than the time zone of the investigator’s system.

    • You can use a previously saved import template.

    • Click "Next" to continue.

  • Configure delimiters

    On the "Configure delimiters" page you can set the file encoding and delimiter settings for:

    • Column delimiter – the character that separates the columns in the load file.

    • Text qualifier – the character that marks the beginning and end of each field.

    • New line – the character that marks the end of a line inside a text field.

    • Multi-value delimiter – the character that separates distinct values in a column.

    • Escape character – the character that is used for escaping a separator or quote.

    • Strict quotes – sets whether characters outside the quotes are ignored.

    • Use absolute path – select this option when the load file uses absolute paths rather than relative paths.

      You can click the Detect button when you are not sure about the encoding used in the load file.

      You can specify date, time and number formats in the right part of the screen. The Size unit option lets you change how the Size field is imported.

      Intella Investigator will validate the load file using these settings and display the validation result in the status line. When the file can be validated successfully, the number of columns found in the load file will be displayed. When validation fails, a reason will be given in this line.

      The "Load file preview" table can be used to make sure that you have specified the correct parameters for the load file. Additionally, the "Image preview" panel will show the first image associated with the selected table record. It can be used to ensure that the Opticon file is correctly loaded. The "Text preview" shows the raw text of the load file and can be used to check the delimiters.

      Click "Next".

  • Map fields

    • Overlay options: this is only used when the Import operation is set to Overlay. See the "Importing an overlay file" section for details.

    • External files:

      • Select the "Load native files" checkbox if you want to import original format files associated with the load file into the case. Specify the column containing the paths to the native files. When the native files are imported, you will be able to use functions such as the Preview tab and Open in External Application.

      • If you select the "Extract type information from native files" checkbox, then Intella Investigator will analyze the native files and import the type information into the Mime Type and Type columns. This option may be useful in case the load file does not have any type information such as File Extension.

      • Select "Load extracted text" when you want to import the extracted or OCRed text of the document. Select the "Extracted text column is a link to an external file" checkbox when the column contains a link to the text file rather than the text itself. Select "Analyze paragraphs" to let Intella Investigator determine the paragraph boundaries and build a database registering which paragraph occurs in which item and where (see section Last steps in a source definition for more details). When the extracted text is imported, it will be shown in the Contents tab of the Previewer.

    • Field mapping – You can see the Field chooser in the bottom part of the panel. The table on the left shows all fields in the load file ("Load file field") and the Intella columns they are mapped to. In the table on the right you can see the list of all Intella columns available for mapping. To map a column:

      • Select one of the load file fields on the left.

      • Select one of the columns on the right.

      • Click the left arrow button. That will move the selected column from the right to the left table.

        Click the right arrow button to remove the selected mapping.

        When the load file contains a field that cannot be mapped to any existing column, you can create a tag or custom column and map the field to it. Click the "Add" button to add a new column to the right table. Click the "Remove" button to remove the selected column. Note that a tag or custom column can only be removed if there is no data in the case associated with it. Tag columns should only be used for importing tag-like data where the number of unique values is not high. In all other cases custom columns should be used instead.

        Click the "Clear all" button to remove all the selected columns from the right table. Click the "Save template" button to save the current settings as an import template which can be reused later. Select the "Extract text and metadata from native files" checkbox when you want to extract the text and metadata from the native file. The button with a gears icon can be used to adjust the processing options. See the Last steps in a source definition section for more details about the processing options. Note that Intella Investigator will replace any original metadata from the load file with the new metadata extracted from the native file. The option is turned off by default.

        It is highly recommended to resolve all errors by clicking the "Check for errors" button before importing the load file. That will let Intella Investigator validate the load file using the entered settings. Among other things, it will check each row and ensure that:

    • The Document ID is unique and not empty.

    • The Parent ID refers to an existing record.

    • Native and extracted text paths are correct.

    • Date and time fields can be parsed using the selected date and time formats.

    • The MD5 field contains a valid MD5 hash.

    • Number fields such as File Size and Page Count contain a valid number.

    • Boolean fields such as Encrypted and Decrypted contain either "true" or "false".

    • The Source IP field contains a valid IP address.

    • Type information is present for all records. Either directly via columns such as Mime Type and File Extension or via other mechanisms such as "Detect type from native".

      Select the "Skip error records" checkbox to instruct Intella Investigator to skip items with errors during import.

Date and time values (separate columns) will be merged into one column.
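To make the "Check for errors" rules above concrete, here is an added Python pre-import check (written for this page, not Intella's own validator) that parses a delimited load file with the delimiter settings chosen on the "Configure delimiters" page and applies the row checks listed: unique, non-empty Document ID; Parent ID referring to an existing record; MD5, Source IP, boolean and number fields well-formed; date and time parsing with the selected formats; and native paths relative unless "Use absolute path" is set. It also emulates "Skip error records". The column names, the settings dictionary and the sample rows are constructed for the example.

```python
import csv
import io
import ipaddress
import os
from collections import Counter
from datetime import datetime

# Constructed settings, standing in for the 'Configure delimiters' page.
SETTINGS = {
    "delimiter": ",",
    "quotechar": '"',
    "date_format": "%Y-%m-%d",
    "time_format": "%H:%M:%S",
    "absolute_paths": False,   # the "Use absolute path" checkbox
}

# Constructed load file: a clean row (line 2), a duplicated Document ID
# (lines 3 and 4) and a row (line 5) with a dangling Parent ID, bad MD5,
# bad IP, bad boolean, bad number and a date in the wrong format.
SAMPLE_LOAD_FILE = """\
DocID,ParentID,MD5,SourceIP,Encrypted,FileSize,DateSent,TimeSent,Native
DOC001,,d41d8cd98f00b204e9800998ecf8427e,10.0.0.1,false,1024,2024-01-05,09:00:00,natives/DOC001.msg
DOC002,DOC001,d41d8cd98f00b204e9800998ecf8427e,10.0.0.1,true,12,2024-01-05,09:01:00,natives/DOC002.pdf
DOC002,DOC001,d41d8cd98f00b204e9800998ecf8427e,10.0.0.1,true,12,2024-01-05,09:01:00,natives/DOC002.pdf
DOC004,DOC999,zz,999.1.1.1,maybe,abc,05/01/2024,09:02:00,natives/DOC004.pdf
"""


def _is_md5(v):
    return len(v) == 32 and all(c in "0123456789abcdefABCDEF" for c in v)


def _is_ip(v):
    try:
        ipaddress.ip_address(v)
        return True
    except ValueError:
        return False


def _is_datetime(d, t, s):
    """Date and time come in separate columns and are merged before parsing."""
    try:
        datetime.strptime(f"{d} {t}", f"{s['date_format']} {s['time_format']}")
        return True
    except ValueError:
        return False


def validate_load_file(text, settings=SETTINGS):
    """Parse the load file with the given delimiter settings and apply the
    per-row checks. Returns (rows, errors); errors is a list of
    (line_number, message) where line 1 is the header."""
    reader = csv.DictReader(io.StringIO(text), delimiter=settings["delimiter"],
                            quotechar=settings["quotechar"], strict=True)
    rows = list(reader)
    ids = Counter(r["DocID"] for r in rows)
    errors = []
    for n, r in enumerate(rows, start=2):
        if not r["DocID"]:
            errors.append((n, "empty Document ID"))
        elif ids[r["DocID"]] > 1:
            errors.append((n, f"duplicate Document ID {r['DocID']}"))
        if r["ParentID"] and r["ParentID"] not in ids:
            errors.append((n, f"Parent ID {r['ParentID']} does not refer to an existing record"))
        if not _is_md5(r["MD5"]):
            errors.append((n, f"invalid MD5 {r['MD5']!r}"))
        if not _is_ip(r["SourceIP"]):
            errors.append((n, f"invalid Source IP {r['SourceIP']!r}"))
        if r["Encrypted"].lower() not in ("true", "false"):
            errors.append((n, f"Encrypted must be true or false, got {r['Encrypted']!r}"))
        if not r["FileSize"].isdigit():
            errors.append((n, f"File Size is not a number: {r['FileSize']!r}"))
        if not _is_datetime(r["DateSent"], r["TimeSent"], settings):
            errors.append((n, f"date/time {r['DateSent']} {r['TimeSent']} does not match the selected formats"))
        if not settings["absolute_paths"] and os.path.isabs(r["Native"]):
            errors.append((n, f"native path {r['Native']!r} is absolute but relative paths are expected"))
    return rows, errors


def skip_error_records(rows, errors):
    """Emulate 'Skip error records': drop every row that has at least one error."""
    bad = {n for n, _ in errors}
    return [r for n, r in enumerate(rows, start=2) if n not in bad]


if __name__ == "__main__":
    rows, errors = validate_load_file(SAMPLE_LOAD_FILE)
    for line, message in errors:
        print(f"line {line}: {message}")
    print("rows kept after skipping errors:", len(skip_error_records(rows, errors)))
```

Running this on a load file before the import saves a wizard round-trip: every message names the line and the failing rule, and because both copies of a duplicated Document ID are flagged, "Skip error records" drops both rather than silently keeping the first.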

Important notes on load file importing

There are several aspects to be aware of when importing a load file intoan Intella Investigator case:

  • All paths in the load file to external resources should be relative to the load file, unless the "Use absolute paths" checkbox is selected.

  • The original load file record identifiers will be imported into the "Document ID", "BegAttach / Parent ID" and "EndAttach" columns and can be used in a subsequent load file export.

  • Imported images can be viewed in the "Image" tab in the Previewer.

You can save the specified load file import options as a template for later usage on the last page using the Save Template button. All import templates are stored as XML files in the "<Intella Home Folder>\import-templates" folder.

9.2.4. Hotmail Search Warrant Results

This source type is still in an experimental stage. We welcome any feedback; please visit our support portal at http://support.vound-software.com/.

Follow these steps to add a Hotmail Search Warrant Result to Intella Investigator:

  • Prepare evidence files

    The evidence files you have received may consist of a folder containing a "Click Here.html" file and some legal files related to the search warrant, with a subfolder for each account involved. It may also be that you have only one of those account subfolders, recognizable by a "Folders.html" and "Messages" file in this folder. In case you have received a ZIP file or some other type of archive file, please unpack this archive file first.

  • Source type

    Select "Hotmail Search Warrant Result" source type and click "Next".

  • Specify file

    Select the folder holding the Hotmail Search Warrant Result files that you wish to investigate in the folder tree. Make sure to select the top-level folder of the provided file collection. Click "Next" to continue.

The last steps in the definition of a source type are almost the same for all types. They are described in the section Last steps in a source definition.

9.2.5. Disk Images

Follow these steps to add a Disk Image source to Intella Investigator:

  • Source type

    Select "Disk image" source type and click "Next".

  • Select disk image file

    Click on the Browse button to navigate the folder tree in order to select the disk image file. You can also paste the location into the input field. Once an image is specified, Intella Investigator will automatically detect other parts of this image, if there are any. You will see basic information about the discovered paths and the total disk image size.

Select "Verify hashes for AFF4 images" to verify hashes in AFF4 physical disk images during the disk image validation. If a hash mismatch is detected in a physical image, the disk image validation will fail and an error message will be shown. Please note that AFF4 physical image hash verification may take some extra time.

Note that the hashes for AFF4-L logical images are always verified during indexing. If a hash mismatch is detected in a logical image, it will be reported as an indexing error and can be found in the Exception report or Exception items facet.

Select "Carve unallocated space" to enable file carving. File carving is the process of reassembling computer files from fragments in the absence of filesystem metadata. Intella Investigator uses Testdisk and Photorec to recover deleted files from unallocated areas of the disk image. See https://www.cgsecurity.org/wiki/PhotoRec for more details.

These are some important details about file carving in Intella Investigator:

  • Testdisk and Photorec are not included and need to be downloaded either manually or automatically. See the Node configuration section for how to validate and configure File Carving.

  • File carving is supported with a Disk Image source only.

  • Only E01 and Raw (DD) images are supported.

  • Photorec will be run with "freespace" option. That means only the unallocated areas of the disk image will be processed.

  • A photorec state file (photorec.ses) may be created in the folder with the original disk image. It is required by the Photorec software. The file can be safely deleted when the indexing is finished.

  • The carved files will be placed in the top-level folder called <CARVED_FILES>. Also, these files will be marked as "Recovered / Carved from unallocated space" in the Features facet.

After you click the Next button in the wizard footer, Intella Investigator will validate the selected disk image. This process may take a long time depending on the complexity of the data.

If the disk image contains encrypted volumes, such as BitLocker or APFS, a notification will be shown instructing you to update the Keystore of this case with matching passwords or recovery keys to access the image.

  • Select folders to process

    Specify folders that need to be processed. Initially Intella Investigator will only show the first three levels of the folders. If you wish to load all folders in the disk image, press the "Load all" button. Note that scanning all folders in the disk image might take a while.

The last steps in the definition of a source type are almost the samefor all types. They are described in the section Last steps in a source definition.

A single disk image source should only contain the files relating to a single conceptual image. Files relating to a different image should be entered as a separate source.

Filtering disk image content

A disk image often contains a lot of irrelevant files, such as executables and DLLs. These files add to the processing time and disk space that the case will consume. It is possible to define a set of rules to filter out unnecessary files and folders, to save processing time and disk space.

Filtering disk image content is not possible for DMG images.

Note that search results can also be filtered after indexing, using the Hide Irrelevant filter option in the Details tab.

Supported disk image formats

The Disk image source type supports EnCase E01, Ex01, L01, Lx01 and S01 files. Password-protected files are supported and indexed without manual interaction, except for FTK-encrypted files.

DD images are supported, but when a Folder source is used, they need to use the .dd file extension to be detected and processed as DD images. Because of potential issues with DD image detection, we recommend using the Disk Image source directly. This is also required when you want to index a multi-volume DD image.

Supported file systems and partition types

The following file systems have been tested: FAT16, FAT32, ExFAT, NTFS, Ext2, Ext3, Ext4, HFS, HFS+, APFS and ISO 9660. Other file systems such as YAFFS2, ISO 13346 (UDF), UFS 1 and UFS 2 may work but have not been tested yet.

MBR and GUID partition tables (GPT) partitions are supported. Apple Partition Maps (APM) have been tested but results were mixed. When an image cannot be indexed, we recommend mounting it manually and indexing the mounted drive using a “File or Folder” source.

APFS and BitLocker encrypted volumes are supported. When an encrypted volume is detected, a dialog will be shown where it’s possible to enter a password or recovery key. BitLocker volumes with suspended protection (also known as "clear key") will be indexed automatically without a password prompt. If a BitLocker volume is protected with multiple keys, entering any one of those keys is sufficient.

Multi-volume files

When using a Folder source to index multiple image files, Intella Investigator will rely on the following file name convention to determine which files together make up a single image:

    image1.e01 (first volume of image 1)
    image1.e02 (second volume of image 1)
    image1.e03 (third volume of image 1)
    …
    image2.e01 (first volume of image 2)
    image2.e02 (second volume of image 2)
    image2.e03 (third volume of image 2)
    …
    image2.e99 (99th volume of image 2)
    image2.eaa (100th volume of image 2)
    image2.eab (101st volume of image 2)
    …
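As an added example (not Intella code), the following Python groups a directory listing by this naming convention and reports which volume numbers are missing, which is the first thing to verify before a split image is added as a source. The listing is constructed; the extension mapping (e01..e99, then eaa = 100, eab = 101 and so on) follows the list above, and Ex01/L01/Lx01 files, which use other prefixes, are out of scope.

```python
import re
from collections import defaultdict

# Segment extension of a split EnCase-style image: two digits, or two letters after e99.
SEGMENT_RE = re.compile(r"^(?P<base>.+)\.(?P<ext>e(?:[0-9]{2}|[a-z]{2}))$", re.IGNORECASE)


def segment_index(ext):
    """Map a segment extension to its 1-based volume number: e01 -> 1, e99 -> 99, eaa -> 100."""
    tail = ext[1:].lower()
    if tail.isdigit():
        return int(tail)
    # After e99 the two characters are letters counted in base 26, starting at eaa = 100.
    return 100 + (ord(tail[0]) - ord("a")) * 26 + (ord(tail[1]) - ord("a"))


def group_image_segments(filenames):
    """Return ({image base name: {"segments": [...], "missing": [...]}}, [non-segment files]).

    "segments" lists the files of one image in volume order; "missing" lists volume
    numbers that should exist (1 .. highest seen) but were not found.  Note that a
    letter extension such as ".exe" is, by this convention, a legal volume number,
    so the "missing" check (and the presence of volume 1) is what tells a stray
    file apart from a real segment.
    """
    by_image = defaultdict(dict)
    others = []
    for name in filenames:
        m = SEGMENT_RE.match(name)
        idx = segment_index(m.group("ext")) if m else 0
        if idx == 0:  # no match, or an "e00", which is not a valid volume
            others.append(name)
            continue
        by_image[m.group("base").lower()][idx] = name

    result = {}
    for base, volumes in by_image.items():
        highest = max(volumes)
        result[base] = {
            "segments": [volumes[i] for i in sorted(volumes)],
            "missing": [i for i in range(1, highest + 1) if i not in volumes],
        }
    return result, others


# Constructed directory listing, not taken from a real case.
SAMPLE_FILES = [
    "image1.e01", "image1.e02", "image1.e03",
    "image2.E01", "image2.e02", "image2.e99", "image2.eaa", "image2.eab",
    "image3.e01", "image3.e03",          # e02 is missing
    "readme.txt",
]

if __name__ == "__main__":
    images, skipped = group_image_segments(SAMPLE_FILES)
    for base, info in sorted(images.items()):
        print(base, len(info["segments"]), "segment(s), missing volumes:", info["missing"])
    print("not image segments:", skipped)
```

A non-empty "missing" list for an image means the Folder source would see an incomplete volume set; locate the missing segments before indexing rather than discovering the gap in the results.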

Volume shadow copies

Enabling volume shadow copy processing might considerably slow down the indexing process.
Volume shadow copies can only be processed when using the Disk Image source. If a disk image is added via a File or Folder source, its volume shadow copies will not be processed.

Volume shadow copies (VSC) are a mechanism in the Windows OS that preserves previous versions of files in a special hidden area on the disk. A new VSC snapshot is often created automatically by Windows when installing major system updates or drivers.

When Intella Investigator detects that the disk image contains VSCs, the Specify Volume Shadow Copies page will be shown. On this page you can select the specific snapshots that need to be processed.

By default, Intella Investigator will only extract the files that changed between snapshots. This saves a lot of processing time and disk space by not indexing the same file several times:

  • Select the "Prefer oldest files" option to extract all files from the oldest snapshot and only the changed files from the newer snapshots.

  • Select the "Prefer newest files" option to extract all files from the current file system and only the changed files from the older snapshots.

Intella Investigator uses the last modified date of the file to determine whether it has changed. It is also possible to take the last access date into account.

The "Has Shadow Copies" option in the Features facet can be used to see all items that have other versions in shadow copy volumes.

To see all items extracted from all volume shadow copies, use the "Recovered → Recovered from volume shadow copy" option in the Features facet.
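As an added illustration (not Intella code), the following Python simulates both policies on a constructed set of snapshots. The exact order in which Intella Investigator walks the snapshots is an assumption; the only rule taken from the text is that a file is extracted again when its last modified date (optionally also its last access date) differs from the version already extracted from the previously visited snapshot.

```python
REPORT = "C:/Users/alice/report.docx"
NOTEPAD = "C:/Windows/notepad.exe"
NEWFILE = "C:/Users/alice/new.txt"

# Constructed data: (snapshot name, {path: (mtime, atime)}), ordered oldest to newest.
# The last entry plays the role of the current (live) file system.
SNAPSHOTS = [
    ("vsc-2024-01-10", {REPORT: (100, 100), NOTEPAD: (10, 50)}),
    ("vsc-2024-02-20", {REPORT: (200, 200), NOTEPAD: (10, 60)}),   # report edited, notepad only read
    ("current",        {REPORT: (200, 300), NEWFILE: (250, 250)}), # notepad deleted, new file added
]


def plan_extraction(snapshots, policy="oldest", use_atime=False):
    """Return the list of (snapshot, path) pairs that would be extracted and indexed.

    policy="oldest": take everything from the oldest snapshot, then only changed
    files from each newer one.  policy="newest": take everything from the current
    file system, then only changed (or since deleted) files from each older snapshot.
    With use_atime=True a differing last access date also counts as a change.
    """
    if policy not in ("oldest", "newest"):
        raise ValueError("policy must be 'oldest' or 'newest'")
    walk = snapshots if policy == "oldest" else list(reversed(snapshots))
    stamp = (lambda st: st) if use_atime else (lambda st: st[0])

    plan = []
    last_extracted = {}  # path -> (mtime, atime) of the version extracted most recently in walk order
    for name, files in walk:
        for path, st in sorted(files.items()):
            prev = last_extracted.get(path)
            if prev is None or stamp(prev) != stamp(st):
                plan.append((name, path))
                last_extracted[path] = st
    return plan


if __name__ == "__main__":
    for policy in ("oldest", "newest"):
        print(policy, plan_extraction(SNAPSHOTS, policy))
    print("oldest + access time", plan_extraction(SNAPSHOTS, "oldest", use_atime=True))
```

On this data the two policies extract the same number of files but attribute them to different snapshots: "Prefer newest" takes report.docx from the live file system and only the older revision from the first snapshot, while "Prefer oldest" does the reverse. Taking the access date into account adds two extra copies whose content did not change, which is the cost the text warns about.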

9.2.6. MS Exchange EDB Archives

Processing an EDB archive may require adjusting the memory settings. Please see the "Memory settings" section for detailed instructions.

The currently supported MS Exchange versions are 2003, 2007, 2010, 2013 and 2016.

Follow these steps to add a MS Exchange EDB Archive source to Intella Investigator:

  • Source type

    Select "MS Exchange EDB Archive" source type and click "Next".

  • Specify EDB file

    Specify the location of the EDB file you wish to investigate, either by typing its location or by selecting it in the folder tree. Click "Next" to continue.

  • Select mailboxes

    Check all mailboxes that you wish to process. Click "Next" to continue.

The last steps in the definition of a source type are almost the same for all types. They are described in the section Last steps in a source definition.

When an EDB source has been added and not all mailboxes were selected, it is still possible to index additional mailboxes in that EDB file at a later stage. To do that, perform the following steps:

  1. Click on the "Edit" button for the respective source on the Sources page.

  2. Indicate which mailboxes should be processed. Note that you cannot unselect or remove already processed mailboxes.

  3. Click OK.

  4. Use the "Index new data" button to index the new mailboxes.

9.2.7. Vound W4 Case

This source type lets one import an entire case created with the Vound W4 application into the current Intella Investigator case.

Follow these steps to add and process a W4 case source:

  1. Source Type
    Start the Add New Source wizard from the Sources view. Select "Vound W4 Case" and click Next.

  2. Select W4 Case
    Click the Browse button to specify the location of the "case.json" file in the root folder of the W4 case that you wish to add. After the file is selected, Intella Investigator will validate the W4 case and check its availability. Once it has validated successfully, click Next to continue.
    Note that the case cannot be imported while it is still open in W4. If case validation fails with a "W4 case is currently in use" message, close W4, click Back to return to the Source Type selection page, then click Next and Browse… to select the "case.json" file again.

  3. W4 Case Options
    On this page, you can specify which parts of the W4 case data should be imported. Furthermore, you can configure post-processing tasks to enhance the original W4 data in Intella Investigator.

    • Tags
      Import the tags assigned to the items in W4 case.

    • Item notes as comments
      Import the notes assigned to the items in W4 case and represent them as Intella Investigator comments.

    • Keyword Lists
      Import all keyword lists from the W4 case.

    • Auto-tag items using imported keyword lists
      When keyword lists are imported from the W4 case, this option performs auto-tagging of all items with these keyword lists (see the "Keyword Lists" section for details).

The last steps in the definition of a source are almost the same for all types. They are described in the section "Last steps in a source definition".

W4 cases that contain a local disk source cannot be imported by Intella Investigator. Such functionality may be added in a future version.

9.2.8. IMAP accounts

The IMAP standard is implemented in many ways. Furthermore, some mail servers may throttle the network connection during mass downloads. We tested Intella Investigator on several IMAP servers with good response. However, we cannot guarantee that Intella Investigator can create IMAP account sources for every IMAP server.

We recommend using a mail client to download the entire mailbox and indexing the resulting PST or Mbox file instead, rather than using Intella Investigator to download the mailbox. This way a copy of the mailbox is created outside of the case. This results in a cleaner and better auditable workflow, allowing e.g. cross-validation of the investigation results with other forensic tools or indexing with future Intella Investigator versions.

Follow these steps to add an IMAP Account source to Intella Investigator:

  • Source type

    Select "IMAP account" source type and click "Next".

  • Specify account

    Enter the settings for the target email account, e.g. "mail.my-isp.com" with the username and password. Select the "use secure connection (SSL)" checkbox if you want or need a secure connection to the mail server. This is strongly recommended, because without a secure connection the username and password are sent as plain text and can be read by anyone able to observe the network traffic. Click "Next" to continue.

  • Select folders

    In the next step, Intella Investigator will contact the specified email server to retrieve the folder tree of the target mail account. You can then select the folders that you want to make searchable by placing a check in the box next to the desired folders. When you want to index subfolders, you will need to select them explicitly; otherwise they will be ignored. The wizard has two convenient buttons for selecting and deselecting all folders. Click Next to continue.

The last steps in the definition of a source type are almost the same for all types. They are described in the section Last steps in a source definition.
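The following added example (not Intella code) shows how a client would do the two things this procedure describes: open the connection so that the password never travels in clear text, and walk the folder list the server returns, remembering that selecting a folder does not select its subfolders. The host name, user and password are placeholders and the LIST responses are constructed, so only the parsing part runs offline.

```python
import imaplib
import re
import ssl

# One untagged LIST response, without the leading "* LIST ":  (flags) "delimiter" name
LIST_RE = re.compile(rb'^\((?P<flags>[^)]*)\)\s+(?P<delim>"[^"]"|NIL)\s+(?P<name>.+)$')


def imap_login(host, user, password, port=None, use_ssl=True):
    """Open an authenticated IMAP session.

    use_ssl=True uses implicit TLS on port 993.  Otherwise the connection is upgraded
    with STARTTLS before the password is sent; if the server does not offer STARTTLS
    the login is refused rather than sending the credentials in clear text.
    Certificate verification uses the system trust store (create_default_context).
    """
    ctx = ssl.create_default_context()
    if use_ssl:
        conn = imaplib.IMAP4_SSL(host, port or 993, ssl_context=ctx)
    else:
        conn = imaplib.IMAP4(host, port or 143)
        if "STARTTLS" not in conn.capabilities:
            conn.logout()
            raise RuntimeError("server offers no STARTTLS; refusing plain-text login")
        conn.starttls(ssl_context=ctx)
    conn.login(user, password)
    return conn


def parse_list_line(line):
    """Parse one LIST response line into (flags, delimiter, folder name)."""
    m = LIST_RE.match(line.strip())
    if not m:
        raise ValueError("not a LIST response: %r" % line)
    flags = tuple(f.decode() for f in m.group("flags").split())
    delim = m.group("delim")
    delim = None if delim == b"NIL" else delim.decode()[1]
    name = m.group("name").decode()
    if name.startswith('"') and name.endswith('"'):
        name = name[1:-1]
    return flags, delim, name


def selectable_folders(list_lines, wanted):
    """Folder names from LIST output that are selectable and were explicitly wanted.

    Mirrors the wizard's rule: choosing "Projects" does not pull in "Projects/Alpha",
    and a \\Noselect container cannot be fetched at all.
    """
    chosen = []
    for line in list_lines:
        flags, _delim, name = parse_list_line(line)
        if "\\Noselect" in flags:
            continue
        if name in wanted:
            chosen.append(name)
    return chosen


# Constructed LIST responses as a server might return them.
SAMPLE_LIST = [
    b'(\\HasNoChildren) "/" "INBOX"',
    b'(\\HasChildren \\Noselect) "/" "Projects"',
    b'(\\HasNoChildren) "/" "Projects/Alpha"',
    b'(\\HasNoChildren \\Sent) "/" "Sent Items"',
]

if __name__ == "__main__":
    for line in SAMPLE_LIST:
        print(parse_list_line(line))
    print(selectable_folders(SAMPLE_LIST, {"INBOX", "Projects"}))
```

Selecting only "Projects" yields nothing here: it is a container without its own messages, and its child "Projects/Alpha" has to be selected on its own, exactly the situation the folder step above warns about.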

9.2.9. Dropbox accounts

A Dropbox source reconstructs the entire folder tree in a Dropbox account and downloads current and past revisions of the files in the account.

The official Dropbox REST API used by Intella Investigator limits this to a maximum of 10 revisions per file. All revisions except for the last one have their file names decorated with the revision identifier. Furthermore, additional Dropbox-specific metadata is retrieved for both files and folders. These are displayed in the Previewer’s Raw Data tab and are subject to full-text indexing.

Intella Investigator uses the OAuth2 (Open Authorization) protocol to access the account. Prior to defining the source, the investigator needs to obtain an OAuth2 token for the account.

This process is described in detail in the following Knowledge Base Article: Collecting data from a DropBox source.

Next, follow these steps to add a Dropbox source to Intella Investigator:

  • Source type

    Select "Dropbox" source type and click "Next".

  • Connect to Dropbox

    Follow steps from the knowledge base article to fill required fields.

    Click Next to continue.

  • Select files or folders

    Besides indexing the entire account, it is also possible to index specific files or folders only. The next wizard sheet shows the folder tree of the account. Nested folders are loaded on demand when the parent folder is expanded. Click the checkboxes of the desired files or folders. Selecting a folder automatically marks all nested elements as selected.

    Click Next to continue.

The last steps in the definition of a source type are almost the same for all types. They are described in the section Last steps in a source definition.

9.2.10. Google accounts

A Google source allows downloading items from the following Google services:

  • Gmail

  • Drive

  • Contacts

  • Calendars (including tasks)

  • Chat

  • Meet

More Google services will be added in the next versions.

Different services require different APIs to be enabled:

  • Gmail - Gmail API

  • Drive - Google Drive API

  • Contacts - People API

  • Calendars - Calendar and Tasks API

  • Chat - Google Chat API

  • Meet - Google Meet REST API

Optionally, the set of retrieved items can be restricted to a certaindate range.

Benefits of using the Google/Gmail source over the generic IMAP source are: faster performance, more accurate data representation (e.g. folders vs. Gmail’s Labels, threads), and a read-only data connection ensuring that no data is altered on the server.

Intella Investigator uses the OAuth2 (Open Authorization) protocol to access the account. Prior to defining the source, the investigator needs to obtain an OAuth2 token for the account. The token will be downloaded as a JSON file, which Intella Investigator can use to access the account. Treat this JSON file as a credential: anyone holding it can read the account’s data until the token is revoked. This process is described in detail in the following Knowledge Base Article: Collecting data from a Google source.

Next, follow these steps to add a Google source to Intella Investigator:

  • Source type

    Select "Google" source type and click "Next".

  • Select Google services

    Select the Google services to retrieve and click "Next".

  • Connect to Google

    Click the Select button and select the JSON file saved above in the file chooser that opens. Alternatively you can also drag and drop this file directly onto the file upload box. Click Connect to Google.

    A connection will be established and the token will be validated. A browser window will automatically open, through which Google will request permission to continue. If the token validation is successful, basic information about the account such as the account owner’s email address and the total number of emails will be shown beneath the OAuth2 File field.

    Note the Help button below the upload box. Clicking it will display the steps required to create the OAuth2 file.

    Click Next to continue.

  • Select folders

    If the selected services support folder selection, you can select specific folders to download. At the moment two services support folder selection: Drive and Chat.

  • Select items to index (date range)

    Select whether all items are to be downloaded or whether a date filter is to be applied. If so, enter the desired date range.

    The end date is included, so that items on that day are also retrieved. Both the start and end dates are optional, making it possible to enter a half-open date range, e.g. "all emails since May 1st, 2015".

    Click Next to continue.

The last steps in the definition of a source type are almost the same for all types. They are described in the section Last steps in a source definition.

9.2.11. Microsoft 365

The Microsoft 365 source type allows retrieving both user accounts and user groups. For each user account used to access Microsoft 365, the source can retrieve data from Outlook, OneDrive and SharePoint. For each user group, the source retrieves titled conversations containing emails.

Before a source can be added, the Microsoft 365 account must be properly configured. This process is described in detail in the following Knowledge Base Article: Collecting data from a Microsoft 365 or a SharePoint Source.

Once the credentials are established, follow these steps to add a Microsoft 365 source to Intella Investigator:

  • Source type

    Select "Microsoft 365" source type and click "Next".

  • Connect to Microsoft 365

    Enter the username, password and client ID obtained above. Click Connect to Microsoft 365.

A connection will be established and the credentials will be validated. If credential validation is successful, basic information about the account such as the tenant name and location will be shown beneath the configuration fields.

Note the Help button at the top of the screen. Clicking it will display the steps required to create the client ID.

Click Next to continue.

  • Select items

    The next screen shows the available accounts. Select the accounts that you wish to retrieve.

Selective indexing of part of the account data is not possible at this moment.

Click Next to continue.

The last steps in the definition of a source type are almost the same for all types. They are described in the section Last steps in a source definition.

9.2.12. iCloud

The iCloud source type is used for indexing the contents of an iCloud account, such as emails, photos and notes.

Prior to defining an iCloud source, the investigator must obtain the Apple ID and password used by the account owner. When the account has been configured to use two-factor authentication (2FA), iCloud additionally sends a verification code. The verification code is sent only if a valid phone number is set for the Apple ID. Hence, the investigator needs to have access to one of the physical devices (an iPhone or an iPad) associated with the account, including the passcode to unlock the device.

Intella Investigator supports the retrieval of the following data from an iCloudaccount:

  • Contacts

  • Emails

  • iCloud Drive

  • Reminders

  • Calendar

  • Event notifications

  • Photos

  • Account settings

  • “Find my phone” data

  • Notes

Follow these steps to add an iCloud source to Intella Investigator:

  • Source Type

    Select "iCloud" source type and click "Next".

  • Connect to iCloud

    Enter the Apple ID and password of the account. Click Connect to iCloud.

When this account requires two-factor authentication, Intella Investigator will extend the form with an option to choose the verification delivery method: SMS or Idmsa.

Both methods are equally capable of providing access to the account’s data. When the account is linked to an iPhone and/or iPad, the Idmsa method is recommended. When the account is linked to a non-Apple device (e.g. a cellphone or tablet from a different vendor), SMS is the only way to obtain the verification code. Even when using an Apple device, SMS can be selected as the preferred method for delivering the verification code. In that case, the registered device may receive multiple notifications from Apple’s identity management service (IDMSA). Such notifications should then be ignored and the code from the SMS message should be used.

Choose the desired delivery method and click Get Verification Code. A six-digit verification code will either be sent as an SMS or show up as a native iOS notification on the Apple device. The controls for choosing the delivery method will be replaced by a Verification Code field. Enter the received verification code in this field. Click Connect to iCloud.

When the credentials and the verification code are all valid, Intella Investigator will list some account info such as the Full Name of the account owner. Click Next to continue.

  • Select items

    In the next step, the available iCloud services for this account are listed. The user can choose whether to retrieve one or more specific services, or whether to retrieve all account data.

The last steps in the definition of a source are almost the same for all types. They are described in the section Last steps in a source definition.

When Intella Investigator establishes a connection to iCloud using the account credentials, it obtains a trust token. This token allows Intella Investigator to connect to iCloud at a later point in time without requiring the user to re-enter the credentials and perform any two-factor authentication steps. The trust token has a limited validity period. iCloud sources can be indexed and re-indexed during the validity period of the token. Once the token has expired, the source must be re-created; there is no way to refresh the token of an existing source.

Documents in Keynote, Pages and Numbers format are converted by the iCloud web service to MS PowerPoint, MS Word and MS Excel format respectively when they are retrieved by Intella Investigator. Processing of the documents in their native format may be added in a future release.

The Notes branch currently lists Note items in a flat list; folders are not reported. This may be addressed in a future release.

9.2.13. AWS S3

An AWS S3 source reconstructs the entire folder tree in the selected S3 buckets and downloads current and past revisions of the files.

All revisions except for the last one have their file names decorated with the revision identifier. Furthermore, additional S3-specific metadata is retrieved for both files and folders. These are displayed in the Previewer’s Raw Data tab and are subject to full-text indexing.

Prior to defining the source, the investigator needs to obtain an access key for the account. This process is described in detail in the following Knowledge Base Article: Creating AWS access keys.

Next, follow these steps to add an S3 source to Intella Investigator:

  • Source type

    Select "AWS S3" source type and click "Next".

  • Connect to AWS

    Follow steps from the knowledge base article to fill required fields.

    Click Next to continue.

  • Select buckets

    Besides indexing the entire account, it is also possible to index specific buckets or folders only. The next wizard sheet shows the folder tree. Click the checkboxes of the desired buckets or folders.

    Click Next to continue.

The last steps in the definition of a source type are almost the same for all types. They are described in the section Last steps in a source definition.

9.2.14. Additional options

In version 2.7 of Intella Investigator, some source wizard sheets have been moved to an "Additional options" section. This change streamlines new source creation, as only a few required options are necessary to create a source. Additional options have defaults set and can be changed by simply clicking on the sheet and changing the option. The additional options appear once the Completed source definition sheet is reached, by setting the required options and clicking the Next button.


9.2.15. Last steps in a source definition

The following final steps are the same for all source types.

Source name and time zone

In the Source Name and Time Zone sheet you are asked to enter a name for the source. The name will be shown in the list of sources in the Sources panel and functions purely as a label for your reference.

Furthermore a suspected system base time zone can be entered. This setting indicates the time zone of the system from which the evidence file(s) were obtained. By entering this time zone, all dates associated with items from this source will be displayed in that time zone, rather than the time zone of the investigator’s system. This often makes it easier to correctly interpret those dates, e.g. to determine whether a given timestamp falls inside regular business hours. By default, the local time zone is used for new sources. Time zones supporting Daylight Saving Time (DST) are marked with an asterisk (*).

File type settings

In the File type settings sheet you can specify which item types need to be included in the case. Leave the checkboxes selected for those types or categories that you want to include in the case, and deselect the checkboxes for those you want to be excluded.

Excluded items will be added as stub items that only contain the item’s type and file name (if available).

Items embedded in excluded items will still be processed and included. An example: if there is an email with a PDF attachment and the email item type is not included, the attachment will be processed as usual. The parent email will be added as a stub item.
For technical reasons it is not possible to select the following types: Exchange EDB, Internet Explorer History File (ESE DB) and Windows Search Database. Instead, you can select their parent type: Microsoft ESE database.

9.2.16. File name filters

In the file name filters you can specify file name patterns that need to be excluded from processing. A file name filter can include the ? or * characters to represent a single wildcard character or multiple wildcard characters respectively. Examples: *.exe, case-main-*.log. Excluded items will be added as stub items that only contain the item’s type and file name (if available). Note: items embedded in excluded items will still be processed and included. You can also choose whether filtering applies to all items or to unknown items only.

MD5 Hash Filters

MD5 hash filters can be used to exclude items that have a specific known MD5 hash from a case. The so-called "De-NISTing" of evidence data is the most well known application of such hash lists: it excludes many files that belong to the operating system or common software applications from your case. But you can also add other types of MD5 hash lists, or create your own.

When selecting one or more of the hash filters for the source, Intella Node will ignore any items that have an MD5 hash that is in at least one of the filters. After the source has been indexed, such items will not be visible in your case. A future Intella Node release will add the ability to add "stubs" for such items.

The list of MD5 hash filters shown in the Add new source wizard is the list detected by Intella Investigator. This allows adding a source without indexing it right away. That means, however, that in order to index such a source, Intella Node will need access to the MD5 hash filters that were selected when adding that source. It is therefore recommended that the path in which Intella Investigator and Intella Node look for MD5 hash filters is a shared folder. The shared folder type required when setting the path to MD5 hash filters is the Configuration type. See section Intella Investigator Dashboard > Shared folders for more information.

Intella Investigator can only view the list of MD5 hash filters. The list that Intella Investigator detected can be seen in menu → Settings → MD5 Hash Filters view. The path in which Intella Investigator looks for MD5 hash filters is shown in the Hash filters folder field, which is by default a local disk path. This can be changed to a shared folder as mentioned above.


Likewise, the list of MD5 hash filters that Intella Node detects can be seen in menu → Servers → Nodes → click the Configure button on a node panel → MD5 Hash Filters view. The same applies to the Hash filters folder of Intella Node as mentioned above.


After configuring both Intella Investigator and Intella Node to use a shared folder that points to the MD5 hash filters location, the list of MD5 hash filters will be the same on both. Alternatively, if no shared folder is used, the hash filters will need to be copied manually between Intella Investigator and Intella Node in order to use the MD5 hash filters when adding, indexing or re-indexing a source.

Intella Node can create an MD5 hash filter from a CSV file in which the MD5 hash is encoded as a hexadecimal value. To do so, navigate to menu → Servers → Nodes → click the Configure button on a node panel → MD5 Hash Filters view. Click the "Create" button to open the "Create MD5 hash filter" dialog. After specifying the path to the CSV file, Intella Node will analyze the CSV file and show you the values of the first few lines. If there is a single column that contains MD5 hash values, that column will be selected automatically. After specifying an appropriate name for the hash filter you can start the filter creation by clicking "Create hash filter".

Intella Node can process plain CSV files, but also CSV files that are compressed using ZIP or GZIP. Processing the files in compressed form is often preferable as the uncompressed files can be very large (multiple gigabytes).

The Reference Data Set (RDS) made available by the National Institute of Standards and Technology (NIST) comes in the form of an ISO file. You will need to extract the NSRLFile.txt.zip file that is stored in this ISO. This NSRLFile.txt.zip file is a ZIP-compressed CSV file that can be processed by Intella Node. You can find the most recent versions of the RDS at https://www.nist.gov/itl/ssd/software-quality-group/national-software-reference-library-nsrl/nsrl-download/current-rds. For the "Modern RDS" set, the "minimal" version is the smallest download that still contains the complete set of hashes.

Any MD5 hash filters that you create will also be available for use in other Intella cases. They are stored in the folder C:\Users\<USERNAME>\AppData\Roaming\Vound\Intella\hash-filters (click Open folder to open this folder in Windows Explorer). The files in this folder can be copied to/from other computers to make them available there as well. Clicking Rescan folder will update the list of available filters.
Deleting MD5 hash filter files will affect the ability to re-index other cases that use the same hash filter.
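The following added Python (not Intella code) shows both exclusion mechanisms from the two sections above end to end: building an MD5 filter from a plain, gzip- or zip-compressed CSV with the same single-column auto-detection, then applying it together with file name patterns. The item model, the function names and the sample rows (laid out like the columns of the legacy NSRLFile.txt, with well-known test hashes) are assumptions made for the example; the behaviour that hash hits disappear from the case while name hits become stubs follows the text.

```python
import csv
import fnmatch
import gzip
import io
import re
import zipfile
from dataclasses import dataclass

MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")


def open_csv_text(path):
    """Open a plain, gzip- or zip-compressed CSV as a text stream (zip: first member)."""
    if path.lower().endswith(".gz"):
        return io.TextIOWrapper(gzip.open(path, "rb"), encoding="utf-8", errors="replace")
    if path.lower().endswith(".zip"):
        zf = zipfile.ZipFile(path)
        return io.TextIOWrapper(zf.open(zf.namelist()[0]), encoding="utf-8", errors="replace")
    return open(path, "r", encoding="utf-8", errors="replace", newline="")


def detect_md5_column(rows, sample=5):
    """Index of the single column whose first `sample` values all look like MD5 hashes.

    Raises ValueError when zero or several columns qualify: that is the case in which
    the column has to be picked by hand instead of automatically.
    """
    head = [r for _, r in zip(range(sample), rows)]
    if not head:
        raise ValueError("empty CSV")
    candidates = [i for i in range(len(head[0]))
                  if all(i < len(r) and MD5_RE.match(r[i]) for r in head)]
    if len(candidates) != 1:
        raise ValueError("cannot auto-select MD5 column, candidates: %r" % candidates)
    return candidates[0]


def load_md5_filter(text_stream):
    """Return a set of lower-case MD5 hex strings read from a CSV with a header row."""
    rows = list(csv.reader(text_stream))
    body = rows[1:]
    col = detect_md5_column(iter(body))
    return {r[col].lower() for r in body if col < len(r) and MD5_RE.match(r[col])}


@dataclass
class Item:
    name: str
    md5: str
    type: str       # "unknown" when type detection failed


def matches_any(name, patterns):
    """Case-insensitive glob match: ? is one character, * any run of characters."""
    return any(fnmatch.fnmatchcase(name.lower(), p.lower()) for p in patterns)


def apply_filters(items, name_patterns, md5_filter, unknown_only=False):
    """Split items into (kept, stubs, dropped): hash-filter hits vanish from the case,
    file-name-filter hits become stubs holding only the type and the name."""
    kept, stubs, dropped = [], [], []
    for it in items:
        if it.md5.lower() in md5_filter:
            dropped.append(it)
        elif (not unknown_only or it.type == "unknown") and matches_any(it.name, name_patterns):
            stubs.append(Item(it.name, "", it.type))
        else:
            kept.append(it)
    return kept, stubs, dropped


# Constructed CSV in the legacy NSRL column order; the hashes are well-known test values.
SAMPLE_CSV = '''"SHA-1","MD5","CRC32","FileName","FileSize"
"da39a3ee5e6b4b0d3255bfef95601890afd80709","d41d8cd98f00b204e9800998ecf8427e","00000000","empty.dat","0"
"86f7e437faa5a7fce15d1ddcb9eaeaea377667b8","0cc175b9c0f1b6a831c399e269772661","e8b7be43","setup.exe","1"
'''

# Constructed items as they might come out of a disk image.
SAMPLE_ITEMS = [
    Item("report.docx", "9e107d9d372bb6826bd81d3542a419d6", "Word document"),
    Item("setup.exe", "0CC175B9C0F1B6A831C399E269772661", "Executable"),
    Item("tool.exe", "ffffffffffffffffffffffffffffffff", "Executable"),
    Item("case-main-3.log", "11111111111111111111111111111111", "Text"),
    Item("blob.bin", "22222222222222222222222222222222", "unknown"),
]
PATTERNS = ["*.exe", "case-main-*.log", "*.bin"]


def demo(unknown_only=False):
    md5s = load_md5_filter(io.StringIO(SAMPLE_CSV))
    return apply_filters(SAMPLE_ITEMS, PATTERNS, md5s, unknown_only)


if __name__ == "__main__":
    kept, stubs, dropped = demo()
    print("kept:", [i.name for i in kept])
    print("stubs:", [i.name for i in stubs], "dropped:", [i.name for i in dropped])
```

Two details matter in practice: the hash comparison is case-insensitive (hash lists and tools disagree on upper versus lower case), and the SHA-1 column in the same file never qualifies as an MD5 column because of its length, so a single candidate remains and the filter is built without manual selection.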
Items

Intella Investigator makes the indexing of certain complex file types optional. You can disable this to improve indexing performance at the cost of fewer results.

  • Select Index mail archives if you want to extract all emails and attachments from mail archives like PST and NSF files. Subsequent processing of documents, archives and other items found in the attachments is still subject to the other options.

  • Select Index chat messages if you want to index chat messages inside Skype SQLite databases, Pidgin accounts and Bloomberg XML dumps. This also controls what happens with Skype, WhatsApp messages etc. in cellphone reports.

  • Select Index archives if you want Intella Investigator to index files inside archives such as ZIP and RAR files.

  • Select Index content embedded in documents if you want to extract images embedded in emails, MS Office, OpenOffice, XPS and PDF documents. This will make these images separately searchable and viewable.

  • Select Index databases to enable the indexing of all tables in SQLite databases.

  • Select Index Windows registry to make all keys and values in a Windows registry file searchable by full-text keyword search.When turned off, a limited amount of registry indexing necessary for populating the Insight tab will still take place. The overhead for this is negligible.

  • Select Index Windows event log to let Intella Investigator process the contents of Windows event log files (evtx).

  • Select Index browser history to let Intella Investigator process the contents of web browser histories.

  • Select Recover deleted emails, files and Notes deletion stubs to enable the processing of deleted emails from MS Outlook (PST, OST) and MS Exchange (EDB) files,deleted files and folders from disk images and deletion stubs in HCL/IBM Notes files (NSF).

  • Select Extract text fragments from unsupported and unrecognized file types to enable heuristic string processing on all items whose type is not recognized by Intella Investigator (they are binary blobs) or whose type is not supported apart from type detection (e.g., executable files).

  • Select Do not store binaries for items larger than to avoid storing binary data above a certain size.

Options

This sheet provides additional options affecting the time needed for indexing.

  • Select Cache original evidence files to copy all evidence files into the case folder. Use this option if you want to create a self-contained case where the evidence files can be opened or exported even when they are not found in their original locations, for instance when the case is moved to another system.

When this option is turned on, additional processing time (especially for compression) and disk space is needed.

This setting has no effect on storing of the items extracted from these evidence files (e.g. the mails, attachments and other embedded items extracted from a PST file), as these are always stored in the case folder after extraction.

  • Select Analyze paragraphs to let Intella Investigator determine the paragraph boundaries and build a database registering which paragraph occurs in which item and where. This enables various search and review options at the expense of additional processing time. The required storage space is negligible. For subsequent sources this setting is forced to be the same as what was used for the first source.

  • The Present chat messages as option controls how chat messages will be represented, i.e. what kind of items will be produced: Conversations and Messages, Only Conversations, Only Messages.

  • Split chat conversations option controls how messages inside chat conversations will be bundled. Possible values are: Per day, Per week, Per month and Per year.

  • Limit number of messages per conversation controls the maximum number of messages that will be contained in each conversation. If this limit is reached, the conversation is split independently of Split chat conversations option.

The last two options are only visible when the Index chat messages option is turned on at the Items step.
Intella Investigator creates artificial Conversation items for easier review of conversations, based on the two options above. Another reason for this approach is to make it possible to use the AND and OR search operators when searching for multiple terms across the messages bundled inside a conversation. Note also that for each message contained in a conversation a separate Chat Message item is created. That makes it possible to annotate or export a particular message in isolation.
  • Select Enable execution of a crawler script to assign a custom script that will be executed for each processed item. Crawler scripts can be used for filtering out irrelevant items, data enrichment and integration with external systems. Supported languages: Java, Groovy and Python. See documentation and samples on GitHub page: https://github.com/vound-software/intella-crawler-scripts
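As an added example (not Intella code), the following Python bundles chat messages into conversations using the "Split chat conversations" period and the "Limit number of messages per conversation" cap described above, and shows what the three "Present chat messages as" modes yield. The message fields, the sample content and the way a capped conversation is split are assumptions made for the example.

```python
from datetime import datetime


def period_key(ts, split):
    """Bucket key for a timestamp: per day, ISO week, month or year."""
    if split == "day":
        return ts.strftime("%Y-%m-%d")
    if split == "week":
        iso_year, iso_week, _ = ts.isocalendar()
        return "%d-W%02d" % (iso_year, iso_week)
    if split == "month":
        return ts.strftime("%Y-%m")
    if split == "year":
        return ts.strftime("%Y")
    raise ValueError("split must be day, week, month or year")


def bundle_conversations(messages, split="day", limit=None):
    """Group messages (dicts with "ts", "sender", "text") into ordered conversation lists.

    A new conversation starts when the period changes or, if limit is set, when the
    current conversation already holds `limit` messages; the cap applies regardless
    of the period, as described for the Limit option.
    """
    if limit is not None and limit < 1:
        raise ValueError("limit must be >= 1")
    conversations, current, current_key = [], [], None
    for msg in sorted(messages, key=lambda m: m["ts"]):
        key = period_key(msg["ts"], split)
        if current and (key != current_key or (limit is not None and len(current) >= limit)):
            conversations.append(current)
            current = []
        current.append(msg)
        current_key = key
    if current:
        conversations.append(current)
    return conversations


def present(conversations, mode="Conversations and Messages"):
    """Items that would be created for the chosen presentation mode."""
    if mode not in ("Conversations and Messages", "Only Conversations", "Only Messages"):
        raise ValueError("unknown mode: %r" % mode)
    items = []
    for conv in conversations:
        if mode != "Only Messages":
            items.append(("Conversation", len(conv)))
        if mode != "Only Conversations":
            items.extend(("Chat Message", m["text"]) for m in conv)
    return items


def _m(ts, sender, text):
    return {"ts": datetime.fromisoformat(ts), "sender": sender, "text": text}


# Constructed messages, deliberately not in chronological order.
SAMPLE_MESSAGES = [
    _m("2024-03-05T08:00:00", "bob", "sent"),
    _m("2024-03-04T09:00:00", "alice", "are the Q1 numbers ready?"),
    _m("2024-03-04T09:05:00", "bob", "almost, sending tonight"),
    _m("2024-03-04T09:10:00", "alice", "ok"),
    _m("2024-03-11T10:00:00", "alice", "got it, thanks"),
    _m("2024-04-01T10:00:00", "bob", "new quarter, same chaos"),
]

if __name__ == "__main__":
    for split in ("day", "week", "month", "year"):
        print(split, [len(c) for c in bundle_conversations(SAMPLE_MESSAGES, split)])
    print("day, limit 2", [len(c) for c in bundle_conversations(SAMPLE_MESSAGES, "day", limit=2)])
    print(present(bundle_conversations(SAMPLE_MESSAGES, "day"), "Only Conversations"))
```

The choice of period decides which messages an AND/OR search can match together: with a per-day split the question and the "sent" reply land in different Conversation items, with a per-week split they share one. Every message is still emitted as its own Chat Message item in the default mode, which is what makes single-message tagging and export possible.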

Tasks

This sheet lets the user define post-processing steps that need to take place once all evidence files have been crawled and all indices have been built. See the Tasks section for more details.

Completed source definition

Finally you will be presented with a dialog informing you that you have successfully defined a new source. You may optionally start indexing the source. Indexing is required to be able to search and explore the items in this source, and can only be performed on Intella Node. Once you click the Finish button, the indexing process will proceed according to the options you have selected.

If selected Intella Node instance detects that the case memory settings might not be adequate to perform the indexing process, a message similar to the one presented below will appear:

Intella Investigator Administrator Manual 2.7.1 (8)

If this validation reports any issues, it is highly advised to adjust the case memory and crawler settings before continuing. Indexing the case with wrong settings could cause the Intella Node to run out of memory, which could leave the case in an inconsistent state.

Because an active indexing process prevents you from defining more new sources, you may wish to skip this part now (e.g., to define more new sources) and index the sources later by clicking the Re-index menu item in the Sources page.

At any step before "Completed Source Definition", you can click the Cancel button to return to the Intella Investigator interface without having added a new source to the case.

The error message "Server response timed out" after adding a source to be indexed may be caused by network issues: Intella Investigator tries to add the source to the case but does not complete this operation within the time limit. This limit can be adjusted via the user.prefs file located in %USERPROFILE%\AppData\Roaming\Intella Investigator\prefs. For example, alter or add the following line to set the limit to 5 minutes: AtomicCaseOperationIpcTimeout=300000. The default value is 120000 milliseconds.

9.3. Indexing

After a source has been defined, Intella Node can index it. During indexing it inspects all items (emails, files, etc.) that it can find in the source file(s), enabling Intella Investigator to return instantaneous results for relevant evidence during your investigation.

Having anti-virus software active during indexing can lead to certain items not being indexed. This is usually restricted to the files that the anti-virus software blocks or quarantines, but this cannot be guaranteed. Running anti-virus software may also affect indexing performance. Bear in mind that evidence sets can contain malware: if you exclude the evidence or case folders from scanning to avoid these effects, do so only on a processing host that is isolated accordingly.

During indexing, Sources page will show you a panel displaying varioustypes of information:

  • Statistics on indexing speed.

  • Statistics on encountered file types.

  • The amount of data being indexed and how much has been indexed already.

  • The number of indexing steps to perform, which step is currently being performed and (for some steps) a progress percentage.

You can stop the indexing process at any time by clicking the Stop button. Intella Investigator/Intella Node will finish processing the current item and then complete its case databases with the information that has been extracted thus far.

For a remote indexing example, see the Using Intella Node section.

9.3.1. Note on finishing indexing operations

While an indexing operation takes place, the case remains open and locked by Intella Node. During that time, running a different indexing operation is not possible, and the case cannot be opened for sharing. After the indexing operation has completed, the case is automatically unlocked and can be shared by case administrators.

9.3.2. Re-indexing a case

There may be circumstances in which you want to re-index individual sources or the entire case, e.g. to use extraction features offered by a newer Intella Investigator/Intella Node version or to fix a broken index.

To rebuild the case index from scratch, choose one or more sources in the Sources view, click the "Indexing" button and use the Re-index option, either for the selected sources or for the entire case. Intella Investigator/Intella Node removes all indices it has previously created and creates new ones.

For this to work, all evidence files have to be present at the location they had during the initial indexing.

Re-indexing a case removes the Content Analysis and Email Threading results. These operations need to be re-run after re-indexing has finished in order to make use of them.

9.3.3. Updating a case

Alternatively, there may be times when you want to update an index, e.g. in the following scenarios:

  • Files and/or folders have been added to folders that have already been indexed.

  • New sources have been defined but were not indexed immediately.

  • The set of mailboxes to index in an EDB source has been extended.

  • You interrupted indexing using the Stop button. See note below for caveat.

In these cases, the "Index new data" option, shown when clicking the "Indexing" button in the Sources view, scans either the selected sources or all sources for new evidence items, depending on what is chosen. Items that have already been indexed are not changed, even when their original evidence items are no longer available.

When a container file (e.g. a PST file, ZIP file or disk image) is being processed and you interrupt indexing using the Stop button, processing of that file may be cut short, leaving it partially indexed. The "Index New Data" operation will not pick this up: it only indexes new files, or files that have not been indexed at all yet. Partially indexed files stay in that state. Re-indexing is required to fully index containers in this situation.

9.4. Automatic item decryption

Intella Node can automatically decrypt several file formats if the required credentials are supplied before indexing starts. You may therefore want to uncheck the checkbox in the Add Source wizard that starts indexing immediately, and use the Re-index option (see above) after these credentials have been entered.

Intella Node stores decrypted versions of emails and documents in the case. Because the plaintext is kept in the case, the case folder must be protected at least as strictly as the original encrypted evidence and the keys in the Key Store. For more details about exporting decrypted data, see the subsection "Preferred content type options" of the section Exporting in the Reviewer’s manual.

9.4.1. Supported formats

The following file formats can be decrypted by Intella when the credentials are specified before indexing:

  • HCL/IBM Notes NSF files, including encrypted messages in non-encrypted NSF.

  • S/MIME- and PGP-encrypted emails, regardless of the container type they reside in (e.g. EML, MSG, PST, OST, NSF, Mbox, DBX).

  • PDF documents.

  • Old format MS Word documents (.doc), MS Excel spreadsheets (.xls) and MS PowerPoint presentations (.ppt).

  • MS Office 2007 formats (OpenXML): .docx, .xlsx, .pptx, …​

  • ZIP, RAR and 7-Zip archives.

  • Partial support for ZipX.

  • BitLocker volumes.

  • APFS file systems.

Furthermore, password-protected PST files can be decrypted automatically without specifying any passwords, because the PST password is only stored as a checksum in the file and is not used to encrypt its contents.

9.4.2. Supplying access credentials

To let Intella automatically decrypt the encrypted items that it encounters, their keys (passwords, certificates, etc.) need to be added to the Key Store first. Navigate to the Sources page, click the Key Store button and follow the instructions below. Afterwards you can (re)index your data and let the items be decrypted automatically.

All credentials that you enter are tried on all encrypted files to which they can apply. It is therefore not necessary to specify which password applies to which file or file type.

After indexing, you can see which items were successfully decrypted by using the "Decrypted" category in the Features facet or the "Decrypted" column in the Details table. Note: for technical reasons, decrypted NSF files are not marked as such.

Password-protected files
Passwords are the simplest type of key. They are used for decrypting PDF and MS Office documents and archives.

You can either add passwords one by one, or load them in batch from a text file: one password per line, saved in UTF-8 encoding.

HCL/IBM Notes NSF files
To decrypt HCL/IBM Notes NSF files, the so-called ID files need to be added to the key store. Go to the "HCL/IBM Notes ID Files" tab and click "Add…​". Enter the location of an ID file and the password associated with it, then click OK to add it to the store. Intella validates the ID file to make sure you entered the password correctly. Repeat this for all ID files.

Intella will also try to decrypt encrypted messages in non-encrypted NSF files using the provided ID files.

S/MIME-encrypted emails
To decrypt S/MIME-encrypted emails, one or more X.509 certificates with their private keys need to be added. Go to the "X.509 Certificates" tab and click Import, then select a PKCS#12 archive file (*.p12 or *.pfx) that contains the keys. Intella analyzes the key file and imports all certificates and keys it finds.

Usually you can export the certificates and keys from a mail client in this format. Make sure to include the private keys, as they are required for decrypting the emails; a certificate on its own only carries the public key.

PGP-encrypted emails
To index PGP-encrypted emails you need to import the PGP private keys. Go to the "PGP Keys" tab and click Import. Intella can import ASCII-armored PGP private keys (*.asc files), but it is also possible to import keys in binary format.

An ASCII-armored PGP private key usually starts with the following line (a file starting with "-----BEGIN PGP PUBLIC KEY BLOCK-----" contains only public keys and cannot be used for decryption):

-----BEGIN PGP PRIVATE KEY BLOCK-----
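The two checks below are an added illustration, not Intella code: building the batch password file described under "Password-protected files" (one UTF-8 password per line, without the BOM, CRLF and duplicate noise that typically creeps in when lists are merged from several exports) and confirming that an ASCII-armored file actually holds a private key block before it is handed to the "PGP Keys" tab. The function names, the armor regular expression and all sample data are this example's own.

```python
"""Key Store input checks, added here as an illustration (not Intella code).

Two things go wrong often enough to be worth a script: a batch password
file that carries line-ending, BOM or duplicate noise, and a PGP file that
turns out to hold a public key. Function names, the regex and the sample
data are this example's own.
"""
import re

# Constructed sample: passwords gathered from several exports, with a UTF-8
# BOM, CRLF line endings, an empty line, a duplicate and one entry whose
# surrounding spaces may be part of the password.
RAW_PASSWORD_SOURCES = [
    "\ufeffWinter2023!\r\nWinter2023!\r\n\r\nPässwörd\r\n",
    "S3cret\n spaced \nS3cret\n",
]

def merge_password_lists(chunks, strip_whitespace=False):
    """Merge raw text chunks into an ordered, de-duplicated password list.

    A leading BOM and the line endings are always removed, because they
    would otherwise be tried as part of the password. Spaces inside a
    line are kept unless strip_whitespace is set: a password may start or
    end with a space, and stripping silently changes it.
    """
    seen = set()
    passwords = []
    for chunk in chunks:
        for line in chunk.lstrip("\ufeff").splitlines():
            candidate = line.strip() if strip_whitespace else line
            if candidate and candidate not in seen:
                seen.add(candidate)
                passwords.append(candidate)
    return passwords

def render_password_file(passwords):
    """Bytes of the batch file: one password per line, UTF-8, no BOM."""
    return ("\n".join(passwords) + "\n").encode("utf-8")

def write_password_file(passwords, path):
    """Write the batch file in binary mode so no newline translation occurs."""
    data = render_password_file(passwords)
    with open(path, "wb") as fh:
        fh.write(data)
    return len(data)

ARMOR_HEADER = re.compile(
    r"^-----BEGIN PGP (PRIVATE|PUBLIC) KEY BLOCK-----[ \t\r]*$", re.MULTILINE)

def classify_pgp_armor(text):
    """Return 'private', 'public', 'mixed' or None for ASCII-armored input.

    Only a private key block can decrypt mail; handing a public key block
    to the key store is the most common mistake this catches.
    """
    kinds = {m.group(1).lower() for m in ARMOR_HEADER.finditer(text)}
    if not kinds:
        return None
    return kinds.pop() if len(kinds) == 1 else "mixed"

# Constructed armor samples (bodies shortened; real blocks carry base64 data).
SAMPLE_PRIVATE_ASC = (
    "-----BEGIN PGP PRIVATE KEY BLOCK-----\n\n"
    "lQdGBGUxample... (constructed)\n"
    "-----END PGP PRIVATE KEY BLOCK-----\n"
)
SAMPLE_PUBLIC_ASC = (
    "-----BEGIN PGP PUBLIC KEY BLOCK-----\r\n\r\n"
    "mQINBGUxample... (constructed)\r\n"
    "-----END PGP PUBLIC KEY BLOCK-----\r\n"
)
```

Run `classify_pgp_armor(open(path, encoding="utf-8").read())` on each .asc before importing it; a result of "public" means the file cannot decrypt anything. Keep `strip_whitespace` off unless you know the lists were exported with padding, since a password that legitimately ends in a space is lost otherwise.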

Importing multiple .p12 files
At the moment it is not possible to import multiple .p12 files in a single action; they need to be imported one by one. This feature request is on our roadmap for future development.

Please note that a .p12 file can contain multiple certificates. Therefore, if your environment can export multiple certificates into a single .p12 file, or you have a third-party tool that merges them, you can effectively import multiple certificates at once.

Furthermore, note that the keystore files can be copied to another case. That way you can reuse the entered credentials if they apply to other cases/evidence sets as well. Treat these files as sensitive: they hold the private keys and passwords needed to decrypt the evidence.

Encrypted volumes in disk images
To decrypt BitLocker and APFS volumes in disk images, the correct password, recovery key or recovery file needs to be added. Passwords can be added via the "Passwords" tab. The "BitLocker Recovery Keys" and "BitLocker Recovery File" tabs are used to add BitLocker-specific credentials.

Note that BitLocker volumes protected by other methods, such as a smart card or TPM, are not supported. A TPM-protected volume usually also has a 48-digit numerical recovery password as a separate protector; if that was escrowed (e.g. in Active Directory), it can be tried via the "BitLocker Recovery Keys" tab.

9.5. Custom columns

There may be a need to extract specific metadata fields and put them into separate columns. This is what the custom columns functionality can be used for. An example is extracting the "X-Mailer" header and putting it into a dedicated "Email Client" column.

Custom columns are populated during indexing. Therefore, they need to be set up prior to indexing. If the custom column is added after indexing, re-indexing will be required to populate the custom columns.

To add Custom columns, navigate to Sources page and click on Custom columns button.

Click the Add button to add a new custom column. Specify the name, description and type of the column. The following column types are supported:

  • Text — The column can hold arbitrary text of any length.

  • Integer — The column can hold a whole number in range between -2,147,483,648 and 2,147,483,647.

  • Long Integer — The column can hold a whole number in range between -9,223,372,036,854,775,808 and 9,223,372,036,854,775,807.

  • Floating Point — The column can hold a 64-bit floating point number.

  • Boolean — The column can hold either True or False.

  • Date — The column can hold a date-time value.

The Extract Data section below shows which metadata fields will be used to populate the column. Click the plus sign button to add a new rule:

  • The Type option restricts the rule to a specific file type or type category. By default the type is set to "Any", which means that the rule applies to every item.

  • The From option defines where the metadata field comes from: Raw Data or Headers.

  • The Field option defines the name of the metadata field that should be extracted.

  • The Date Format option specifies the date format if this is a date column. The Language option tells which language should be used when parsing date elements such as day-of-week or month names.

  • The Case Sensitive option specifies whether the Field name is matched case-sensitively.

It is possible to add more than one rule to a custom column. In that case the option below the table defines how the extracted values are merged. By default, the first non-empty value is used. For text columns the values can also be joined together.

Once added, the new custom columns appear in the column chooser of the Details table, in the Custom Columns section. Date columns also appear in the Date facet panel, Histogram and Timeline views and can be used when defining Primary Date rules. Custom columns are also shown in the Properties tab of the Previewer.

Custom columns are "locked" once any data has been added to them, i.e. once the case contains data associated with those columns. Locked columns can’t be edited or removed.

Examples of using custom columns:

  • Extract the email client information into an "Email Client" column:

    • Name: Email Client

    • Type: Text

    • Extract data from:

      • Type: Email Message

      • From: Headers

      • Field: X-Mailer

  • Extract the camera model information from JPEG photos into a "Camera Model" column:

    • Name: Camera Model

    • Type: Text

    • Extract data from:

      • Type: JPEG Image

      • From: Raw Data

      • Field: Model
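The following script is an added illustration of the rule semantics described in this section, not Intella's implementation. It models the Type filter, From (Headers or Raw Data), Field, Case Sensitive and Date Format options, the column types with their integer ranges, and the two merge strategies for multiple rules (first non-empty value, or join for Text columns), and runs the two example columns above plus a few variations over constructed items. The item model, the rule and column dictionaries and the sample email are assumptions of this example; the email is parsed with the standard library so that header lookups behave like a real message.

```python
"""Custom column extraction rules, added here as an illustration.

This is not Intella's implementation; it models the rule semantics described
above (Type filter, From: Headers or Raw Data, Field, Case Sensitive, Date
Format, and the merge of several rules) on a small item model of this
example's own. Sample items are constructed.
"""
from datetime import datetime
from email import message_from_string

SAMPLE_EMAIL = message_from_string(
    "From: alice@example.com\r\n"
    "Date: Tue, 03 Oct 2023 09:15:00 +0200\r\n"
    "Subject: Q3 figures\r\n"
    "X-Mailer: Microsoft Outlook 16.0\r\n"
    "User-Agent: Thunderbird 115\r\n"
    "\r\nAttached.\r\n"
)

# Item model assumed for this example: type label, parsed headers (emails
# only) and a dict of raw metadata as extracted from the file.
ITEMS = [
    {"id": 1, "type": "Email Message", "headers": SAMPLE_EMAIL, "raw": {}},
    {"id": 2, "type": "JPEG Image", "headers": None,
     "raw": {"Make": "Canon", "Model": "EOS R6", "ISO": "800"}},
    {"id": 3, "type": "Email Message",
     "headers": message_from_string("Subject: hi\r\n\r\n"), "raw": {}},
]

COLUMNS = {
    # First non-empty value wins: X-Mailer if present, else User-Agent.
    "Email Client": {"type": "Text", "rules": [
        {"type": "Email Message", "from": "Headers", "field": "X-Mailer"},
        {"type": "Email Message", "from": "Headers", "field": "User-Agent"}]},
    # Same rules, joined instead of first-wins (Text columns only).
    "All Agents": {"type": "Text", "merge": "join", "rules": [
        {"type": "Email Message", "from": "Headers", "field": "X-Mailer"},
        {"type": "Email Message", "from": "Headers", "field": "User-Agent"}]},
    "Camera Model": {"type": "Text", "rules": [
        {"type": "JPEG Image", "from": "Raw Data", "field": "Model"}]},
    # Field names match case-insensitively unless case_sensitive is set.
    "ISO": {"type": "Integer", "rules": [
        {"type": "JPEG Image", "from": "Raw Data", "field": "iso"}]},
    "Strict X-Mailer": {"type": "Text", "rules": [
        {"type": "Any", "from": "Headers", "field": "x-mailer", "case_sensitive": True}]},
    "Sent": {"type": "Date", "rules": [
        {"type": "Email Message", "from": "Headers", "field": "Date",
         "date_format": "%a, %d %b %Y %H:%M:%S %z"}]},
}

INT_RANGE = {"Integer": (-2**31, 2**31 - 1), "Long Integer": (-2**63, 2**63 - 1)}

def lookup(item, rule):
    """Return the raw string for one rule applied to one item, or None."""
    if rule.get("type", "Any") not in ("Any", item["type"]):
        return None
    exact = rule.get("case_sensitive", False)
    if rule["from"] == "Headers":
        msg = item["headers"]
        if msg is None:
            return None
        if not exact:
            return msg.get(rule["field"])  # Message.get() ignores header case
        return next((v for k, v in msg.items() if k == rule["field"]), None)
    raw = item["raw"]
    if exact:
        return raw.get(rule["field"])
    return next((v for k, v in raw.items() if k.lower() == rule["field"].lower()), None)

def coerce(value, column, rule):
    """Convert an extracted string to the column type, enforcing integer ranges."""
    ctype = column["type"]
    if ctype == "Text":
        return value
    if ctype in INT_RANGE:
        n = int(value)
        lo, hi = INT_RANGE[ctype]
        if not lo <= n <= hi:
            raise ValueError(f"{n} does not fit a {ctype} column")
        return n
    if ctype == "Floating Point":
        return float(value)
    if ctype == "Boolean":
        return value.strip().lower() in ("true", "yes", "1")
    if ctype == "Date":
        # Day and month names are parsed in the C locale here; the product's
        # Language option is what covers other languages.
        return datetime.strptime(value.strip(), rule["date_format"])
    raise ValueError(f"unknown column type {ctype}")

def extract(item, column):
    """Apply all rules of a column to one item and merge the non-empty results."""
    hits = [(v, r) for r in column["rules"] for v in [lookup(item, r)] if v and str(v).strip()]
    if not hits:
        return None
    if column.get("merge", "first") == "join":
        if column["type"] != "Text":
            raise ValueError("join is only available for Text columns")
        return column.get("separator", "; ").join(str(v) for v, _ in hits)
    value, rule = hits[0]
    return coerce(value, column, rule)

def populate(items, columns):
    """Fill every custom column for every item, as happens during indexing."""
    return {item["id"]: {name: extract(item, col) for name, col in columns.items()}
            for item in items}
```

`populate(ITEMS, COLUMNS)` returns one dictionary of column values per item; a column that no rule populates stays empty rather than raising, which is the same observable result as an unfilled custom column in the Details table. The Integer range check is where a value such as a 64-bit timestamp placed in an Integer column would fail, which is the case to watch for when choosing between Integer and Long Integer.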

9.6. Post-processing

After indexing has completed, the case owner can opt to refine the indexing results in a number of ways. These steps are kept separate from indexing as they typically add considerably to the processing time and disk space usage and, depending on the case at hand, may not be needed.

9.6.1. Tasks

Intella Investigator/Intella Node allows for the definition of "tasks". These are essentially compound processing steps, such as searching for all items that match a certain keyword or keyword list and tagging or exporting the results. Tasks can be defined and selected during source creation, in which case they run right after indexing. The Tasks panel can be opened by clicking the Tasks icon (three vertical progress bars) in the Secondary Navigation Bar, which allows for defining and running tasks at any point in time after index creation. See the Tasks section for more details.

Each task consists of conditions, post-conditions and actions. A task must have at least one condition and one action.

A condition (Step 1 in the task dialog) defines a search query that selects items from the case. Currently the following conditions can be defined:

  • A keyword search.

  • A keyword list search.

  • An MD5 list search.

  • An arbitrary Saved Search, which can combine all of Intella Investigator’s search facets.

  • A tag, possibly assigned by one of the tasks executed earlier.

  • A date range search on all date fields.

  • An OCR Candidates search. It allows you to select various categories of images and documents that are usually subject to OCR.

  • All items search

A task may combine any number of conditions. The match option controls whether the items should match all specified criteria or at least one of them, i.e. a Boolean AND or OR of the specified conditions.

An optional list of post-conditions (Step 2) specifies how to transform the item set retrieved in the previous step. Possible post-condition steps are:

  • Deduplicate results

  • Identify parents of the retrieved items

  • Identify children of the retrieved items

  • Suppress irrelevant items

It is possible to define multiple post-conditions for a single task. The first post-condition is applied to the set of items resulting from the conditions in Step 1. Subsequent post-conditions are applied to the outcome of the preceding post-condition.

Finally, task actions (Step 3) define the operations that will be applied to the items resulting from the previous steps. The following actions can be defined:

  • Tag all found items with one or more tags. The tag(s) can optionally be inherited by items in the same family hierarchy and/or by duplicates of the found items.

  • Set custodian attributes.

  • Flag all found items.

  • Add a comment to all found items.

  • Export all found items using an export template.

  • Export the metadata of all found items to a CSV file. Click the Configure button to set the CSV file name and path and to select the metadata fields that are to be included.

  • Start an OCR process on the found items using the embedded ABBYY FineReader, by connecting to an ABBYY Recognition Server or by running an external OCR tool.

  • Start a Content Analysis process on the found items for the selected entity types.

  • Start the email threading process on the found items.

  • Generate custom IDs for the found items.

Every task may define multiple actions, which are applied sequentially to the determined item set.

Tasks can be exported to a file so that they can be reused in other cases. These files are self-contained, i.e. when the task involves MD5 hash lists or keyword lists, these lists are embedded in the task file.

Tasks are executed in the order they have in the task list. This makes it possible to "pipeline" tasks, e.g. use one task to assign specific tags to a subset of the items and a subsequent task that is based on those tags. The order can be changed by selecting a task and using the "Move Up" and "Move Down" buttons.

9.6.2. Custodians

The Custodian attribute can be assigned to items after indexing. It can be used to represent the custodian of the evidence items. To enable automated assignment of multiple custodians in a folder source, the root folder should organize the evidence in subfolders, one subfolder for every custodian. If the evidence folder is structured in this way, the "Indexing Tasks" step in the Source Wizard contains a "Custodians" tab that opens the settings panel for automated assignment of multiple custodians. By default the custodian names are set equal to the subfolder names; the names can be altered in the table. The Custodian value is assigned to all items obtained from the evidence files within the respective subfolder. For other types of sources, the "Indexing Tasks" tab contains a text field for setting a single custodian name. Besides the above method, the Custodian attribute can also be set or changed using the "Set Custodian" indexing task with an arbitrary condition, or edited manually via the right-click menu of the Details table.

9.6.3. Thumbnail generation

To improve image loading speed you can pre-generate thumbnails after processing the case sources. You can learn more about this in Reviewer’s manual > Preferences > Thumbnails Pre Generation.

9.6.4. Importing an overlay file

An overlay file is a file that contains additional information about the current items in a case. By importing the overlay file, the metadata of these items can be extended.

Intella Investigator currently only supports the importing of tags, tag columns, comments and metadata columns (both regular and custom). Importing overlay images, texts and natives may be added in a future release.

The following file formats are supported for overlay files:

  • Concordance/Relativity load file (.DAT)

  • Comma Separated Values file (.CSV)

To import an overlay file you need to add another Load file source. Set the Import operation to Overlay and specify the location of the file. You can optionally use a previously saved template.

On the "Configure delimiters" page you can set the file encoding, delimiter settings and date formats. Please see the Load files section for a description of these options.

On the "Map fields" page you need to specify the identifier field and type. This is how Intella Investigator matches items in the overlay file with the existing items in the case. There are four options for matching items:

  • By Document ID, also known as DocID. This is the most common way to import new tags and comments into a previously imported load file.

  • The Item ID is the internal item identifier used by Intella Investigator. This is the simplest way to process your data using an external tool and then import the result back into Intella Investigator.

  • By MD5 Hash. This is the most flexible way of matching items. Using the MD5 hash it is possible to transfer tags from one case to another. Note that the imported tags are applied to all copies, i.e. to every item with that hash regardless of where it was found.

  • The Item URI is an internal item identifier that does not change after re-indexing the case, but it may change when the case is re-indexed with a newer Intella Investigator/Intella Node version, due to changes in the crawling software. This method can be used to transfer tags when the other options are not suitable, e.g. when migrating tags from a case backup to a live case that has been re-indexed in the meantime.

The "Also overlay metadata shared with duplicates" option controls whether the imported metadata is applied to all duplicates as well (see the limitations below for this setting).

Current limitations:

  • Overlaying images, texts and natives is not supported.

  • Location and MD5 columns cannot be overlaid.

  • It is not always possible to overlay metadata for regular items, i.e. items not imported from a load file. For example, if an item from a non-load file source has duplicates, the overlaid metadata should be applied to all duplicates as well using the "Also overlay metadata shared with duplicates" option; otherwise, the overlaid metadata might not be applied. There is no such limitation when overlaying data onto items from a load file source: in that case each record in the overlay is unique and the "Also overlay metadata shared with duplicates" option should be unchecked.

  • Metadata imported into regular and custom columns is lost after re-indexing the case.

Please see the Adding sources > Load file section for a description of the remaining options on this page.

9.6.5. Content analysis

Content analysis can be scheduled to run either as an indexing Task or by a reviewer directly from a shared case. The latter procedure is described in Reviewer’s manual > Details panel > Content analysis.

9.6.6. Email threading

Email threading can be scheduled to run either as an indexing Task or by a reviewer directly from a shared case. The latter procedure is described in Reviewer’s manual > Email threading.

9.6.7. Near-duplicates Analysis

A technique to reduce the reviewing time is Near-duplicates Analysis. It splits a selected set of items into groups based on the similarity of their text content. Every group is centered around a "master item", the most common near-duplicate for the other items in the group (usually the item with the largest text size). Other items are included in the group if they have a sufficiently high similarity score to the master item. The similarity score is based on the amount of co-occurring text fragments and is a number between 0.0 and 1.0. The master item and its exact duplicates are assigned a score of 1.0. The remaining items in the group have scores between the threshold value specified by the user before the analysis and 1.0.

To start the Near-duplicates Analysis process, select multiple items in the Details table and choose "Near-Duplicate Detection" in the right-click menu. In the dialog window, move the "Similarity threshold" slider to set the desired minimum similarity score for items to be included in near-duplicate groups. Select the "Ignore excluded paragraph" option if you do not want the content of excluded paragraphs to be considered by the similarity calculation.

The dialog window also lets the user select a text analysis method. We recommend the "Word-based" option for documents written in languages in which meaning is carried by white-space-delimited words. The "Character-based" option is intended for languages in which meaning is carried by morphemes (Chinese, Japanese, Vietnamese, Korean); typically these are languages in which the use of white space characters is optional. Choosing the appropriate algorithm for a data set improves the quality of the analysis results.

Intella Investigator Administrator Manual 2.7.1 (9)

Upon completion, near-duplicate groups are available for search in the "Near-duplicates" facet (see the Reviewer’s manual > Near-duplicates section for details). Additionally, the "Near-Duplicate Group", "Near-Duplicate Master Item" and "Near-Duplicate Score" columns can be made visible in the Details table to show the group names, master item IDs and similarity scores of items included in near-duplicate groups.

To query for the near-duplicates of a specific item that was subject to Near-duplicates Analysis, select the item in the Details table, right-click, and choose "Show Near-Duplicates". This option is only enabled when the selected item has at least one near-duplicate.

The total set of analyzed items and items included in near-duplicate groups can be retrieved via the "Analyzed for Near-Duplicates" and "Has Near-Duplicates" nodes in the Features facet.
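The script below is an added illustration of the grouping behaviour described in this section; it is not Vound's algorithm, whose scoring details the manual does not specify. It uses the common shingle-and-Jaccard approach: the text is split into tokens (word-based or character-based), overlapping 3-grams are collected, and the similarity score is the fraction of fragments two items share, so exact duplicates score 1.0, the largest analyzed text becomes the master, members are admitted when their score reaches the threshold, and excluded paragraphs are dropped before comparison. The 3-gram size, the tie-breaking rule, the item model and all sample texts are this example's own; the Chinese sample shows why the word-based tokenizer fails for text without word spacing.

```python
"""Near-duplicate grouping by text similarity, added as an illustration.

Not Vound's algorithm: a small shingle/Jaccard implementation that shows
the behaviour described above, namely a master item per group (largest
analyzed text), scores in [0.0, 1.0] with exact duplicates at 1.0, members
admitted when their score reaches the threshold, excluded paragraphs
removed before comparison, and a word-based versus character-based
tokenizer. Sample texts and the 3-gram size are this example's own.
"""
import re

DISCLAIMER = "This message is confidential."

# Constructed items: 1 and 3 are exact duplicates, 2 differs in one word
# and carries a disclaimer paragraph, 4 is unrelated, 5 and 6 are Chinese
# sentences that differ in a single character.
SAMPLE_ITEMS = [
    {"id": 1, "text": "The quarterly report is attached.\n\nPlease review the "
                      "figures before Monday and send comments to finance."},
    {"id": 2, "text": "The quarterly report is attached.\n\nPlease review the "
                      "figures before Friday and send comments to finance.\n\n"
                      + DISCLAIMER},
    {"id": 3, "text": "The quarterly report is attached.\n\nPlease review the "
                      "figures before Monday and send comments to finance."},
    {"id": 4, "text": "Lunch menu for this week: soup, salad and sandwiches."},
]
CJK_ITEMS = [
    {"id": 5, "text": "会议定于周一上午召开"},
    {"id": 6, "text": "会议定于周二上午召开"},
]

def strip_excluded(text, excluded):
    """Drop paragraphs that match an excluded paragraph exactly."""
    return "\n\n".join(p for p in text.split("\n\n") if p.strip() not in excluded)

def tokenize(text, method):
    if method == "word":          # languages that delimit words with spaces
        return re.findall(r"\w+", text.lower())
    if method == "character":     # languages where spacing is optional
        return [c for c in text.lower() if not c.isspace()]
    raise ValueError(f"unknown method {method!r}")

def shingles(tokens, n=3):
    """Set of token n-grams; a text shorter than n tokens is one shingle."""
    if len(tokens) < n:
        return {tuple(tokens)} if tokens else set()
    return {tuple(tokens[i:i + n]) for i in range(len(tokens) - n + 1)}

def jaccard(a, b):
    """Fraction of co-occurring fragments; items without text never match."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0

def find_near_duplicates(items, threshold, method="word", excluded=()):
    """Group items; returns [{'master': id, 'members': {id: score}}, ...]."""
    cleaned = {it["id"]: strip_excluded(it["text"], excluded) for it in items}
    fragments = {i: shingles(tokenize(t, method)) for i, t in cleaned.items()}
    # Largest analyzed text first; ties broken by item id for determinism.
    ungrouped = sorted(cleaned, key=lambda i: (-len(cleaned[i]), i))
    groups = []
    while ungrouped:
        master = ungrouped.pop(0)
        members = {master: 1.0}
        rest = []
        for other in ungrouped:
            score = jaccard(fragments[master], fragments[other])
            if score >= threshold:
                members[other] = round(score, 4)
            else:
                rest.append(other)
        ungrouped = rest
        if len(members) > 1:   # an item with no near-duplicate forms no group
            groups.append({"master": master, "members": members})
    return groups
```

With the disclaimer paragraph counted, item 2 shares too few fragments with item 1 to pass a 0.6 threshold; excluding that paragraph lifts it into the group. For the Chinese pair, the word-based tokenizer sees each sentence as a single token and finds no similarity at all, while the character-based tokenizer scores them at 0.45, which is the effect the method selection in the dialog is there to address.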

9.6.8. Custom IDs

The “Generate Custom IDs” task assigns each item a unique custom ID, taking families into account. Such IDs can then be used in load file exports, and they make it easier to identify an item’s position or role in its family.

Items are processed in hierarchical order, starting from the roots and exploring as far as possible along each branch before backtracking (depth-first search). Items on the same level of the hierarchy are processed in the order defined by the Sort Order setting. If the selected items do not contain complete families, the task adds the remaining items automatically.

Click the Configure button on the task action panel to configure the numbering settings:

  • Prefix defines the prefix of the custom ID.

  • Start at defines the starting number. If the Auto option is selected, Intella Investigator uses the next available number for this prefix, or 1 if the prefix has not been used before. The Manual option allows you to set a custom starting number.

  • Number of digits defines the width to which the number is padded with leading zeroes.

  • Child numbering defines how child documents are numbered relative to their parents:

    • Add suffix. The child document ID is derived from its direct parent ID by appending the Child Suffix Delimiter (see below) and the child number, starting at 1. For example, if the parent item is ABC123, its children are numbered ABC123.001, ABC123.002 and so on.

    • Use sequential number after parent. The child document ID uses the next consecutive number after its parent. For example, if the parent item is ABC123, its children are numbered ABC124, ABC125 and so on.

  • Child Suffix Delimiter defines the delimiter used to separate parent and child IDs when the Add Suffix option is selected.

  • Sort Order defines the column by which items on the same hierarchy level are sorted.

  • Family defines how the Custom Family ID column is constructed:

    • Use Parent ID. The Custom Family ID is the custom ID of the top-level parent in the family.

    • Use Family Range (Start-End). The Custom Family ID consists of the custom IDs of the first and last items in the family, separated by a hyphen.

  • If the Overwrite Existing option is selected, Intella Investigator overwrites any existing custom and custom family IDs.

Generated custom IDs can be used in load file exports and can be imported from a load file.

Custom IDs do not change when the case is re-indexed, provided that the case is re-indexed using the same version.
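The numbering procedure above, worked through in code as an added illustration (not Vound's implementation): items are visited depth-first from the roots, siblings are ordered by the Sort Order column, a selection is expanded to complete families, both child numbering modes and both family ID modes are supported, and existing IDs are kept unless Overwrite Existing is set. The item model and option names are this example's own; in particular it assumes that the child suffix is padded to the same Number of digits as the sequential number (as in the ABC123.001 example above) and takes Start at as an explicit number, since the Auto behaviour depends on numbers already used in the case.

```python
"""Custom ID generation as described above, added as a stand-alone
illustration (not Vound's implementation). Item and option names are this
example's own; the child suffix is padded to the same 'Number of digits'
as the sequential number, and 'Start at' is an explicit number.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

@dataclass
class Item:
    id: int
    parent: Optional[int]
    name: str
    custom_id: Optional[str] = None
    family_id: Optional[str] = None

@dataclass
class Numbering:
    prefix: str = "ABC"
    start: int = 1
    digits: int = 3
    child_numbering: str = "suffix"    # "suffix" or "sequential"
    delimiter: str = "."
    sort_by: str = "name"              # attribute used to order siblings (Sort Order)
    family: str = "parent"             # "parent" or "range"
    overwrite: bool = False

def sample_items():
    """Constructed case: two top-level emails, one with nested attachments."""
    return [
        Item(10, None, "Budget"),
        Item(11, 10, "report.xlsx"),
        Item(12, 10, "notes.docx"),
        Item(13, 12, "image.png"),     # embedded inside notes.docx
        Item(20, None, "Agenda"),
    ]

def generate_custom_ids(items, cfg, selected=None):
    """Assign custom IDs depth-first; returns {item id: (custom ID, family ID)}.

    If `selected` leaves a family incomplete, the rest of that family is
    added automatically, as the task does. Items that already carry an ID
    keep it (and consume no number) unless cfg.overwrite is set.
    """
    by_id = {it.id: it for it in items}
    children = defaultdict(list)
    for it in items:
        if it.parent is not None:
            children[it.parent].append(it)

    def root_of(it):
        while it.parent is not None:
            it = by_id[it.parent]
        return it

    selected_ids = [it.id for it in items] if selected is None else selected
    roots = {root_of(by_id[i]).id for i in selected_ids}
    key = lambda it: getattr(it, cfg.sort_by)
    counter = cfg.start
    result = {}

    def number(it, child_no):
        nonlocal counter
        if it.custom_id is not None and not cfg.overwrite:
            return
        if it.parent is None or cfg.child_numbering == "sequential":
            it.custom_id = f"{cfg.prefix}{counter:0{cfg.digits}d}"
            counter += 1
        else:
            parent_id = by_id[it.parent].custom_id
            it.custom_id = f"{parent_id}{cfg.delimiter}{child_no:0{cfg.digits}d}"

    def visit(it, child_no, family):
        number(it, child_no)
        family.append(it)
        for n, child in enumerate(sorted(children[it.id], key=key), start=1):
            visit(child, n, family)     # go deep before moving to the next sibling

    for root in sorted((by_id[r] for r in roots), key=key):
        family = []
        visit(root, 0, family)
        if cfg.family == "parent":
            fam_id = root.custom_id
        else:                           # first and last ID in depth-first order
            fam_id = f"{family[0].custom_id}-{family[-1].custom_id}"
        for it in family:
            if it.family_id is None or cfg.overwrite:
                it.family_id = fam_id
            result[it.id] = (it.custom_id, it.family_id)
    return result
```

Running `generate_custom_ids(sample_items(), Numbering(start=123))` numbers "Agenda" before "Budget" because siblings (roots included) are sorted by name, and the attachment embedded in notes.docx receives ABC124.001.001 before report.xlsx receives ABC124.002, which is the depth-first order the task description specifies.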

9.7. Showing Source Details

To see the configuration of a source, go to the Sources page. When you click a source in the list of sources, its details are shown on the right side. The name, type and time zone are shown, as well as source type-specific details such as the files or folders to index, indexing options, etc. See the section on adding sources above for the precise meaning of these settings per source type. The presented properties are not editable here.

9.8. Editing Sources

To edit the configuration of a source, go to the Sources page and select a source in the list of sources. When you click the "Edit" button, its editable fields are shown in a modal window. The name and time zone are editable for every source; the remaining editable fields depend on the source type.

To save your changes, click the Apply button. If you click the Cancel button, any changes you have made are discarded.

9.9. Exceptions report

An indexing exceptions report can be produced by choosing one or more sources in the Sources view and clicking the Exceptions Report button. This produces an XLSX or CSV file that lists all items that had issues during indexing. These range from minor issues such as date parsing problems to file corruption that affects the entire item and all nested items.

For every item, the following information is listed:

  • The item ID. This can be used to quickly locate the item using View > Preview Item…​ The Previewer will also show a warning icon when displaying such an exception item.

  • The MD5 hash. This can be used to locate duplicates of the item within the case or in other cases.

  • The source to which this item belongs.

  • The file name, file size and detected file type of the problematic item.

  • The name of the source in which the item was found.

  • The location of the problematic item. This includes both the path to the containing evidence file (e.g. a PST file) as well as the path within that file (e.g. the mail folder and parent email, when the exception occurred on an attachment).

  • Information on the parent email if there is any: its item ID, the sender, sent date and subject.

  • A warning scope, warning code and warning description. The scope and code are the most useful for end users and are documented below. The description provides a low-level error message that is also contained in the log file and can be used for error diagnosis by Vound’s technical support team.

The warning scope indicates the type of data that is affected by the exception. Possible values are:

  • Item — the entire item is affected.

  • Text — the extracted text is affected.

  • Metadata — the extracted metadata is affected.

  • Embedded — embedded items such as attachments and archive entries are affected. An example is a document that internally references an embedded image but the image is not present in the file, resulting in an error when processing the embedded items of the document. In that case the document gets an error with "Embedded items" as the Warning Scope.

The warning code indicates the nature of the issue. Possible values are:

  • Unprocessable data — The data cannot be processed because it is corrupt, malformed, or not understood by the processor. Retrying will most likely result in the same result.

  • I/O errors — The processing failed due to I/O errors. The processing might succeed in a repeated processing attempt. There can be a lot of reasons for such errors, e.g. a drive that fails to respond, or permissions blocking Intella from accessing it. The indexing logs will have the full error. The difference with the other errors is that the reason is typically external to Intella, which is why retrying indexing may sometimes resolve the issue.

  • Decryption failed — The data cannot be processed because it is encrypted and a matching decryption key is not available. The processing might succeed in a repeated processing attempt when the required decryption key is supplied.

  • Timeout — The processing took too long and was aborted. See more details on how to configure crawler timeout in "Memory, crawler count and timeout settings" chapter.

  • Out of memory — The processing failed due to a lack of memory.

  • Processing error — The processing failed due to a problem in the processor. The description should contain the stack trace.

  • Truncated text — The item text was not fully processed due to one of the following reasons:

    • The item text was larger than the imposed item text limit and any additional text was ignored. See the Sources section for a description of this limit and how to alter it.

    • Binary content was removed from the item text. Intella will try to detect and remove so-called binary content from all processed text to reduce memory usage when processing corrupt or recovered files. It includes any control and non-printable characters that are not normally present in regular texts. Items with binary content removed will have an error description: "Binary content detected".

    • The item text could not be extracted because the format is not fully supported yet.

  • Crawler crash — The processing failed due to a crawler crash. This is a more severe error than the Processing error type. When it occurs, Intella will also reject all items that are related to the crashed item (e.g. a PST file and all of the emails that it contains). More details about why the crawler crashed can usually be found in a hs_err_pid_XYZ.log file located in the case logs folder (one file per crash). Crawler crashes do not affect other items or the integrity of the case.

When an item has multiple exceptions, it will occupy several rows in the table.

During indexing Intella Node tries to prevent processing of duplicate items (detected by their MD5 hash), as their contents will also be the same. Therefore, an item may occur only once in the exceptions report, even though there can be many copies throughout the case.
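As an added example (not part of this manual or of Intella's own tooling), the following Python script triages rows of an exported exception report by the warning codes described above, separating items worth a repeated indexing attempt from permanent and escalation cases. The CSV column names and sample rows are constructed assumptions, not the real report layout.

```python
import csv
import io
from collections import Counter

# Follow-up suggested by the manual's description of each warning code.
# The grouping is an assumption for illustration; adjust to local policy.
RETRY_AFTER_FIX = {
    "I/O errors": "check the drive and permissions, then re-index",
    "Decryption failed": "add the key to the Key Store, then re-index",
    "Timeout": "raise the crawler timeout, then re-index",
    "Out of memory": "raise the crawler memory, then re-index",
}
PERMANENT = {"Unprocessable data"}
ESCALATE = {"Processing error", "Crawler crash"}

# Constructed sample report; column names are assumed, not Intella's.
SAMPLE_CSV = """\
Item ID,Source,Warning Scope,Warning Code,Description
101,Mailbox A,Text,Decryption failed,Encrypted PDF
102,Mailbox A,Metadata,I/O errors,Read timed out
103,Share B,Embedded,Crawler crash,See hs_err_pid log
104,Share B,Text,Truncated text,Binary content detected
105,Share B,Text,Unprocessable data,Corrupt ZIP
106,Share B,Text,Truncated text,Item text limit reached
101,Mailbox A,Embedded,Timeout,Nested archive
"""


def triage(report_text):
    """Count exceptions per warning code and plan follow-up per item.

    An item with several exceptions occupies several rows, so one item ID
    may collect several actions. Truncated text is only retryable when the
    text limit was hit, not when binary content was stripped.
    """
    counts = Counter()
    plan = {"retry": {}, "permanent": set(), "escalate": set()}
    for row in csv.DictReader(io.StringIO(report_text)):
        item, code, desc = row["Item ID"], row["Warning Code"], row["Description"]
        counts[code] += 1
        if code == "Truncated text":
            if desc == "Binary content detected":
                plan["permanent"].add(item)
            else:
                plan["retry"].setdefault(item, []).append(
                    "raise the item text limit, then re-index")
        elif code in RETRY_AFTER_FIX:
            plan["retry"].setdefault(item, []).append(RETRY_AFTER_FIX[code])
        elif code in PERMANENT:
            plan["permanent"].add(item)
        elif code in ESCALATE:
            plan["escalate"].add(item)
        else:
            raise ValueError(f"unknown warning code: {code}")
    return counts, plan
```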

All items that produced an exception during indexing can easily be found using the Exception Items category in the Features facet, with subcategories for the warning codes.

The XLSX variant of the exception report additionally holds the following information:

  • Number of exceptions per source, subdivided by the warning codes.

  • Overall statistics for the warning codes.

  • Source-level errors, e.g. broken PST files.

Besides holding more information, the XLSX variant is also better able to handle non-ASCII characters.

9.10. Removing Sources

To remove one or more sources, choose them in the sources list and click the Remove button above the list.

Source removal is an expensive operation. When multiple sources are to be removed, it is recommended to remove them all at the same time, as the total time required will be less than when the sources are removed one-by-one.

Sources can be added again after removal, by following the normal "Add Source" procedure.

Removing a source will remove:

  • The data, metadata, OCR results and (load file) images associated with the removed items, except for those that are still associated with item duplicates originating from other sources.

  • Any redactions and comments associated with the removed items.

  • All references to the removed items in tags, flags, batches, export sets, custodian sets and near-duplicate groups.

What remains after source removal are:

  • References to the source and the evidence items contained in the log files.

  • References to the numeric item IDs in the event log.

  • MD5 hashes of item locations.

  • Metadata extracted by the email threading procedure, such as Message-ID headers and Conversation Index properties.

These artifacts are typically not visible to the end user but could be obtained by reverse engineering of the case files. Please consider this when handing over a case with removed sources to an opposing party.
