Intella User Manual. Version 2.0.1

Size: px

Start display at page:

Download "Intella User Manual. Version 2.0.1"

Gary Johnson
6 years ago
Views:

1 Intella User Manual Version 2.0.1

2 Contact To learn more about Intella, please contact us using the contact information below, or contact an Intella Channel Partner. Vound Office Phone Postal Address PO Box 308 Evergreen, Colorado U.S.A. Sales Contacts We will be pleased to provide additional information concerning Intella and schedule a demonstration at your convenience. To become an Intella reseller, please contact us! For user and technical support please visit our website: Page 2 Intella User Manual 2017 Vound

3 Vound Colorado ( Vound ) Vound. All rights reserved. The information in this User Manual is subject to change without notice. Every effort has been made to ensure that the information in this manual is accurate. Vound is not responsible for printing or clerical errors. VOUND PROVIDES THIS DOCUMENT AS IS WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED AND SHALL NOT BE LIABLE FOR TECHNICAL OR EDITORIAL ERRORS OR OMISSIONS CONTAINED HEREIN; NOR FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES RESULTING FROM THE FURNISHING, PERFORMANCE, OR USE OF THIS MATERIAL. Other company and product names mentioned herein are trademarks of their respective companies. It is the responsibility of the user to comply with all applicable copyright laws. Mention of third-party products is for informational purposes only and constitutes neither an endorsement nor a recommendation. Vound assumes no responsibility regarding the performance or use of these products. Under the copyright laws, this manual may not be copied, in whole or in part, without the written consent of Vound. Your rights to the software are governed by the accompanying software license agreement. The Vound logo is a trademark of Vound. Use of the Vound logo for commercial purposes without the prior written consent of Vound may constitute trademark infringement and unfair competition in violation of federal and state laws. All rights reserved by Vound. Intella is a trademark of Vound. Page 3 Intella User Manual 2017 Vound

4 Contents Contact Preface Training Document conventions An introduction to Intella Key benefits Intella editions Supported file formats Supported sources Supported languages Supported platforms Feedback Getting support Different ways to get support Standard technical support User support contract Certified Intella training courses Working with Vound support Upgrade contract Installation and configuration Installation Step 1: Check the hardware requirements Step 2: Check the software requirements Step 3: Learn about licenses and dongles Step 4: Install the software Step 5 (optional): Support for S/MIME- and PGP-encrypted s Storage considerations Installation troubleshooting Error code 7 (H0007) Error code 31 (H0031) Error code 33 (H0033) Error code 37 (H0037) Error code 41 (H0041) Error code 51 (H0051) Memory settings Where are Intella's data files located? Where can I find Intella s log files? Frequently asked questions Dongles Activation with the Dongle Manager Activation with haspupdate.exe Network dongles Client and server in single subnet Client and server in different subnets Page 4 Intella User Manual 2017 Vound

5 7 Products and workflow Feature overview Standalone use Sharing cases Sharing cases across a network Sharing cases offline Work reports Cross-case work reports Managing cases Adding cases Creating a new case Opening a shared case Opening an existing case not in the list Importing a case Opening a case Editing a case Deleting a case Exporting a case Sharing a case Overview of the Intella interface Insight view Search view Keywords view Previewer Sources Source types Adding sources Files and Folders Load files Hotmail Search Warrant Results Disk Images MS Exchange EDB Archives IMAP accounts Dropbox accounts Gmail accounts SharePoint Office Last steps in a source definition Indexing Automatic item decryption Supported formats Supplying access credentials Post-processing Tasks Custodians OCR Thumbnail generation Page 5 Intella User Manual 2017 Vound

6 Importing an overlay file Content analysis Editing sources Exceptions report Restoring annotations Optical Character Recognition (OCR) Starting OCR OCR methods Using an external OCR tool Using ABBYY Recognition Server Reviewing OCRed items Insight view Evidence Types Custodians Internet Artifacts Timeline Identities Notable Registry Artifacts Supported registry hives Operating system information Time zones User accounts Network interfaces Network connections USB mass storage devices Recent files Shellbags Typed URLs Devices Networks Significant Words Workflow Keyword search Search options Search query syntax Lowercase vs. uppercase Use of multiple terms (AND/OR operators) Minus sign (NOT operator) Phrase search Grouping Single and multiple character wildcard searches Fuzzy search Proximity search Field-specific search Special characters Regular expressions Page 6 Intella User Manual 2017 Vound

7 14 Using facets Available facets Saved Searches Features Tags Custodians Location Address Phone Number Chat Account Recipient Count Date Type Author Content Analysis Keyword Lists MD5 and Message Hash Item ID Lists Language Size Duration Device Identifier Export Sets Including and excluding facet values Including a facet value Excluding a facet value Cluster Map Understanding a Cluster Map Manipulating Cluster Maps Options Histogram Date attributes Selections Geolocation Basics Interaction Resources Tile server IP geolocation database Caveats GPS coordinates IP geolocation Tile servers Attribution Social Graph Basics Controls Page 7 Intella User Manual 2017 Vound

8 18.3 Limitations Details panel Table view Adding and removing columns Reorganizing table columns Sorting the list Showing a conversation Showing the child items Showing the parent items Showing native ID duplicates List view Thumbnails view Timeline view Deduplication and irrelevant items Previewing results Overview of the Previewer The Toolbar Tabs Contents Preview Headers Raw Data Properties Attachments Thumbnails Tree Entries Comments Words Actions Geolocation Redaction Reviewing results Tagging Tagging in the main window Adding tags Removing tags Tagging in the previewer Automatic tag inheritance Pin a tag to a button See all tagged items Searching with tags Deleting a tag Annotations History Keyword Statistics Configuration Calculation Page 8 Intella User Manual 2017 Vound

9 23.3 Results Redaction Workflow Redacting an item Exporting Mass redaction Redaction profiles Caveats Exporting Exporting a single result Exporting a list of results Export formats Destination folder Export templates Suppressing irrelevant items Export sets PDF file options File naming and numbering (original format, PDF, load files) PDF rendering options (PDF, load files) PST options ibase and Analyst s Notebook options Load file options Relativity options Headers and footers (PDF, load files) Redacted items Creating an export report Skipped items Exporting to a CSV file Exporting the result counts Exporting the social graph data Exporting the event log Command-line support Load file checklist Load file diagnostics Summation Concordance Preferences General Display and Locale Dates Irrelevant Items Search Results Tagging MS Outlook IBM Notes Geolocation Page 9 Intella User Manual 2017 Vound

10 29 Reading your log files List of known errors Background information Log levels Menu, mouse, and keyboard shortcuts Main Menu File Sources View Export Team Help Mouse actions Table and thumbnail view Timeline Cluster Map Social Graph Histogram Keyboard shortcuts Main window Previewer window HASP dongle problem resolution Problem flowchart Problems and solutions Installation problems HASP dongle drivers do not install HASP dongle not found Hardware problems No dongle detected Firewall & anti-virus problems Unable to access HASP SRM RunTime Environment (H0033) Normal operation Installation flowchart Page 10 Intella User Manual 2017 Vound

11 1 Preface Intella is designed to be an investigation and e-discovery tool. It is ideally suited for use by enterprise, law enforcement, and regulatory agencies in civil, criminal, or policy-related investigations. Intella is an excellent tool to prepare electronically stored information for discovery. Intella s powerful indexing search engine and its unique visual presentation will let you quickly and easily search and review and electronically stored information to find critical evidence and visualize relevant relationships. With Intella, you can... Gain deeper insight through visualizations and statistics. Search , attachments, archives, headers, and metadata. Drill deeply using Intella s unique facets. Group and trace conversations. Reveal the social graph of a person or group of persons of interest. Preview, cull, and deduplicate and data. Export results in a variety of formats for reporting, follow-up investigation, e-discovery, or later use. Page 11 Intella User Manual 2017 Vound

12 1.1 Training This manual outlines the features incorporated in the Intella products. Its focus is to explain the rudimentary functions of each Intella feature. It should not be seen as explaining how to manage data or cases. While Intella is an easy and intuitive software package to use in the fields of forensic search, data analysis and ediscovery, the user is required to have a firm grasp of how Intella treats and manages certain information/data types as applicable to these fields. As with any software, the user must understand the issues and actions required that may arise prior to and while using Intella, particularly in the following areas: Different data types. s and attachments (parent-child relationships). Search parameters. Date formats. Inclusions and exclusions. Chain of custody. Legal and privacy issues. How to cross-verify results to ensure the accuracy of those results before they are relied upon. How to identify inconsistent results. The necessity to pre-process or convert certain data types prior to processing. The user should understand that his manual does not seek, nor can it be an exhaustive list of the usage of Intella. This manual is structured to explain the use of certain, but not all, features at a basic level. This manual does not consider specific user requirements when explaining those features. Furthermore, this manual does not outline the steps required to be undertaken prior to processing data to ensure the accuracy of all results. The user should always ensure that they are personally aware of any special circumstances or steps required with the data, prior to processing and searching that data. This is critical to being able to get the most out of Intella and undertake your investigation free from mistakes. This manual cannot and does not offer this information. We do however offer training that will help the user to have a better understanding of these issues. We highly recommend that the user takes advantage of this training on the correct use of Intella. This can be critical for any matter where the user will rely upon the results produced in Intella as part of an action or investigation. Failure to undertake adequate training may cause unreliable results. Please contact us for additional information at training@vound-software.com or visit us at Page 12 Intella User Manual 2017 Vound

13 1.2 Document conventions The following section introduces you to conventions used throughout the Intella documentation. Menu Functions For functions that can be reached through menus, the different menu levels are illustrated as follows: Menu > Menu entry Important Entries Some text will be shown as follows: Important: Important information on Intella. These entries discuss a key concept or technical information that should, or must, be followed or considered. Please pay special attention to these entries. Notes Some sections provide additional information that will assist your use of Intella. These are displayed as shown below: Note: Information on function or parameter. Keyboard Shortcuts Some Intella functions can be activated or accessed through keyboard shortcuts. They are shown as follows: CTRL+E Tips Several shortcuts, alternative methods, or general working tips are included throughout the documentation. These may help your workflow, or provide additional information on other uses of functions. Tips are shown as below: Tip: Information on Intella. Folder and file names Folder and file names are shown as below: C:\Program Files\Vound\Intella\ Page 13 Intella User Manual 2017 Vound

14 2 An introduction to Intella Intella is an instrument for data and investigation and ediscovery. It helps you search and explore information stored on your computer, network disks, in boxes and PST, OST and NSF files. Intella is being used by Law Enforcement, Legal and regulatory bodies to do all the above. Intella indexes all places where you expect valuable information and provides powerful means for retrieving that information. The important advantage over similar tools is that Intella presents the search results using facets, Cluster Maps and Social Graphs. Facets allow you to find items based on more than just keywords and the visualizations provided by the Cluster Maps and Social Graphs allow you to see how files and s are related to your query. The birds-eye view helps you gain insight in information that is available on combinations of keywords. In each step of your search it shows the number of s or files that match your search (and of course a link to the e- mails and files themselves) so that you can effectively zoom in to find what you are looking for. Setting up Intella on your computer takes little time. Install the software, define the sources to search and explore and let Intella index the sources. Searching with Intella is also easy. Start as if you are using a familiar search engine by entering a search term, or choose any value from the information facets. Let Intella help you to refine your question with a list of suggested refinements. 2.1 Key benefits Easy to use interface means cutting down on training expenses and time and allows a broad group of investigators to join in an investigation. Visualizations of search results provide you with deeper insight. See how files, s and cellphone items relate to parts of your query. Facets, like Type, Date, and Language, help you to drill down to the wanted information and to focus on the information you need. Search attachments and archives such as zip files. Searching is simple and requires very little training. Export the search results for later use and for creation of reports. Page 14 Intella User Manual 2017 Vound

15 2.2 Intella editions Intella comes in seven different product editions. The table below shows the most important features of these editions Professional Viewer TEAM P.I. GB GB GB Manager Preparation Evidence size limit 10 GB 100 GB 250 GB none none none 10 GB Create new cases Index evidence files Investigation Search, filter & review Preview items Flag & tag items Export items Cooperation Export Cases Import Cases Share Cases Connect to Shared Cases Export Work Reports Import Work Reports License License type P P P P P P A License key D D D D D D S P = Perpetual license A = Annual license D = Dongle can be used on any PC, supports virtual machines. S = Software-based license locked to 1 PC, does not support virtual machines. Page 15 Intella User Manual 2017 Vound

16 2.3 Supported file formats Intella can extract contents and metadata of the following file formats: Mail formats: o Microsoft Outlook PST/OST. Versions: 97, 98, 2000, 2002, 2003, 2007, 2010, 2013 and o Microsoft Outlook Express DBX, MBX. Versions: 4, 5 and 6. o Microsoft Exchange EDB files. Versions: 2003, 2007 and o IBM Notes NSF (formerly known as Lotus Notes or IBM Lotus Notes). Notes 8.5.x or higher needs to be installed on the computer running Intella to process the NSF files. Intella supports all NSF files that can be processed by the installed IBM Notes version. o Mbox (e.g. Thunderbird, Foxmail) o Saved s (.eml,.msg) o Apple Mail (.emlx) o TNEF-encoded files ( winmail.dat files). o Bloomberg XML dump Cellphone extraction formats: o Cellebrite UFED XML export o Micro Systemation XRY XML and Extended XML exports (Extended XML is strongly recommended) o Oxygen Forensic Suite XML export Disk image formats: o EnCase images (E01, Ex01, L01, Lx01 and S01 files) o FTK images (AD1 files), version 3 and 4 o DD images o ISO images (ISO 9660 and UDF formats) o VMware images (VMDK files). Supported types are RAW (flat), COWD version 1 (sparse) and VMDK version 1, 2 and 3 (sparse). Not supported are images that use a physical storage device. o VHD disk images. Supported type is VHD version 1. Document formats: o MS Office: Word, Excel, PowerPoint, Visio, Publisher, OneNote, both old (e.g.,.doc) and new (.docx) formats, up to MS Office MS OneNote 2007 is not supported. o OpenOffice: both OpenDocument and legacy OpenOffice/StarOffice formats o Hangul word processor (.hwp files) o Corel Office: WordPerfect, Quattro, Presentations o MS Works o Plain text o HTML o RTF o PDF (incl. entered form data) Archives: o Zip. Supported compression methods: deflate, deflate64, bzip2, lzma and ppmd. o 7-Zip. Supported compression methods: lzma, lzma2, bzip2 and ppmd. o Gzip o Bzip2 o ZipX Page 16 Intella User Manual 2017 Vound

17 o Tar o Rar o RPM Package Manager (RPM) o Cpio o ARJ o Cabinet (CAB) o DEB o XZ Search Warrant Results: o Hotmail (uses a HTML-based collection of files) o Gmail and Yahoo (uses an Mbox variant) Instant Messaging o Skype SQLite databases o IBM Notes Sametime chats o Pidgin account stores o Note that cellphone extraction reports typically also contain instant messaging fragments that Intella may pick up during indexing. Databases o SQLite databases, version 3. Note that Skype SQLite databases get processed differently. o Mac OS property lists (.plist and.bplist files), in ASCII, XML or binary form. Cryptocurrency (detection only): o Bitcoin wallets and blockchains o Dogecoin wallets and blockchains o Litecoin wallets and blockchains o Multibit Classic wallets and blockchains o Multibit HD wallets and blockchains Miscellaneous formats: o ical o vcard o XML o IBM Notes deletion stubs The following types of encrypted files and items can be decrypted, if the required access keys (passwords, certificates, ID files) are provided in the Key Store: PST/OST NSF PDF DOC XLS OpenXML (.docx,.xlsx,.pptx) PDF ZIP RAR 7-Zip S-MIME-encrypted s PGP-encrypted s Page 17 Intella User Manual 2017 Vound

18 Note: To decrypt and index encrypted s and MS Office documents, the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files need to be installed. See the Installation and Configuration chapter. When indexing plain text file formats, Intella can essentially handle all character encodings supported by the Java 7 platform. This relates to regular text files and to bodies encoded in plain text format. See for a complete listing. When the encoding is not specified, Intella will try to heuristically determine the encoding. The following encodings are then supported: UTF-8 UTF-16BE UTF-16LE UTF-32BE UTF-32LE Shift_JIS Japanese ISO-2022-JP Japanese ISO-2022-CN Simplified Chinese ISO-2022-KR Korean GB18030 Chinese Big5 Traditional Chinese EUC-JP Japanese EUC-KR Korean ISO Danish, Dutch, English, French, German, Italian, Norwegian, Portuguese, Swedish ISO Czech, Hungarian, Polish, Romanian ISO Russian ISO Arabic ISO Greek ISO Hebrew ISO Turkish windows-1250 Czech, Hungarian, Polish, Romanian windows-1251 Russian windows-1252 Danish, Dutch, English, French, German, Italian, Norwegian, Portuguese, Swedish windows-1253 Greek windows-1254 Turkish windows-1255 Hebrew windows-1256 Arabic KOI8-R Russian IBM420 Arabic IBM424 Hebrew Several file formats are processed by applying heuristic string extraction algorithms, rather than proper parsing and interpretation of the binary contents of the file. This is due to a lack of proper libraries for interpreting these file formats. Experiments with these heuristic algorithms have shown that their output is still useful for indexing and full-text search. It typically will produce a lot of extra gibberish data, visible in the Previewer, and there is no guarantee that the extracted text is complete and correct. The affected formats are: Corel Office: WordPerfect, Quattro, Presentations Harvard Graphics Presentation Page 18 Intella User Manual 2017 Vound

19 Microsoft Project Microsoft Publisher Microsoft Works StarOffice 2.4 Supported sources File or Folder Files on local and network file systems can be indexed by Intella. Please check the list of supported file formats. The use of external and network drives is not supported, both for stability and performance reasons. Load files Intella can index load files that are stored in Concordance, Relativity and CSV format. Hotmail Search Warrant Result Intella can index the mail packages delivered by Microsoft when responding to a search warrant. Disk images Intella can open disk image files in EnCase and DD formats and index their contents as if they were mounted and indexed as a regular Folder source. No recovery of items from unallocated or slack space is performed. MS Exchange EDB Archive Use this option to index an MS Exchange EDB files and restrict indexing to a specific set of mailboxes. Indexing an EDB file in its entirety can be done by using the File or Folder source type. IMAP account Intella can access an account on an IMAP server and index the s and attachments in that account. Dropbox Intella can access a personal Dropbox or DropBox for Business account and index all folders and files stored in that account. Gmail Intella can access a Gmail account and index the s and attachments in that account. SharePoint Intella can access a SharePoint instance and can index one or more of the sites in that instance. Office 365 Intella can index the complete contents of an Office 365 account, incl. the Outlook, OneDrive and SharePoint services of that account. Page 19 Intella User Manual 2017 Vound

20 2.5 Supported languages As Intella is entirely based on Unicode, it can index and provide keyword search for texts from any language. The Language facet supports detection of the following languages: af Afrikaans he Hebrew nl Dutch th Thai Ar Arabic hi Hindi no Norwegian tl Tagalog bg Bulgarian hr Croatian pa Punjabi tr Turkish bn Bengali hu Hungarian pl Polish uk Ukrainian cs Czech id Indonesian pt Portuguese ur Urdu da Danish it Italian ro Romanian vi Vietnamese de German ja Japanese ru Russian zh-cn Simplified Chinese el Greek kn Kannada sk Slovak zh-tw Traditional Chinese En English ko Korean sl Slovene es Spanish lt Lithuanian so Somali et Estonian Lv Latvian sq Albanian fa Persian mk Macedonian sv Swedish fi Finnish ml Malayalam sw Swahili fr French mr Marathi ta Tamil gu Gujarati ne Nepali te Telugu 2.6 Supported platforms Intella is currently only supported on Windows Vista, Windows 7, Windows 8/8.1 and Windows 10. Note that Intella is not supported on Windows Server 2003, Windows Server 2008 and Windows Server For detailed instructions about installation and running Intella, please read section 4: Installation and configuration. 2.7 Feedback We take great care in providing our customers with a pleasant experience, and therefore greatly value your feedback. You can contact us through the form on or by mailing to one of the addresses on the Contact page. Page 20 Intella User Manual 2017 Vound

21 3 Getting support 3.1 Different ways to get support Vound offers four support options designed to assist users that experience problems while working with Intella : 1. Standard technical support 2. User support contract 3. Vound User Support portal 4. Certified Intella training courses Standard technical support Standard technical support is offered free of charge to all Vound customers that have a current support and maintenance contract. Standard technical support can be requested at the Vound support page, Support is provided on business days, Monday through Friday. We attempt to give you a first answer within 2 business days. All communication will be remote , GoToMeeting, and other means and not in person unless otherwise arranged. Standard technical support will only be provided if your computer and operating system meet the minimum recommended specifications listed in the latest version of the Intella manual. Who is eligible for technical support? Our goal at Vound is to provide our customers high quality and timely technical support. To do this we limit technical support to the registered owners of Intella. Companies that allow a third party to use their Intella licenses must have that third-party channel all technical support through the original registered owner of the software. To ensure that we support our customers, Vound regrets it cannot support users who are not the original registered owner of Intella. What technical support is included? Installation and set-up support limited to one computer in your environment. Configuration technical support and user support on use for standard Intella options. Support for errors in the software (bugs). Please note that Vound will make reasonable efforts to correct identified software errors. However, this may not be achievable until a later date or version release. If this is the case, the user should make efforts and take responsibility to achieve the required outcomes via other methods. Where the errors relate to or are caused by corrupt data (within source files), Vound reserves the right to charge for the work needed to rectify the issue. No support can be provided When your computer does not meet the minimum or essential system requirements. Page 21 Intella User Manual 2017 Vound

22 When you made any kind of modifications to the installed software. When you are not using the software for its intended purpose. When 3rd party applications, like virus scanners, firewalls, and other forensic applications, interfere with Intella. Explaining the method needed to use each feature to achieve a set outcome. Note: At no time should Vound technical support be seen as legal or forensic advice. Our support is given with no knowledge of the specific case or matter Intella is being used on. Technical support is focused on the correct installation and usage of Intella features. We do not warrant that we are aware of all facts around the case that may be under investigation. As such, our replies should not be seen as advice or the only way to achieve the required outcome User support contract A paid user support contract is offered to those customers that want additional user support. The user support contract provides assistance that falls outside the standard support package (see Standard technical support). What can be included in the user support contract? Help with the case or setup configuration of Intella. Assistance in using the basic and advanced features of Intella such as searching, tagging, and exporting. Help with the installation of Intella, or help with the configuration and set-up of your computer that runs Intella. Detailed explanation of Intella case management and help with Intella case setup. Help with the export of search results found with Intella for use with other applications. Support for using Intella in combination with software from other vendors. Support for issues that a newer Intella release has addressed. How to buy to a user support contract? User support contracts are based on your specific needs. If you want to know more, please contact your nearest Vound representative or your local Intella reseller Certified Intella training courses Vound offers several paid training courses for its product. These courses are designed to expand your effectiveness and output when using Intella. It is recommended that all users take a minimum basic training course to ensure they are correctly using the product. Users who have taken a recent training course for their Intella product will be offered a discount on a paid user support contract. For more information on types of training and available dates please visit Page 22 Intella User Manual 2017 Vound

23 3.2 Working with Vound support It is highly recommended that customers and users take advantage of the Vound support page when seeking assistance. The support portal takes care of collecting all necessary information such as the Intella version, Windows version, source types used, etc. and will suggest relevant articles from the Intella knowledge base. 3.3 Upgrade contract Vound customers that purchased an Intella license are entitled to install free upgrades of the software for a period of one-year. In other words: an Intella license comes with a one-year upgrade contract. After this period purchasing an upgrade subscription will continue the upgrade contract. Please contact your nearest Vound representative for more information. Please know that you will only have access to standard technical support if you have an upgrade contract. Page 23 Intella User Manual 2017 Vound

24 4 Installation and configuration 4.1 Installation Step 1: Check the hardware requirements Intella is supported on Windows Vista, Windows 7, Windows 8/8.1 and Windows 10. CPU, memory and disk space requirements depend on how Intella is intended to be used: Indexing As a rule of thumb, the case folder requires between 150% and 200% of the size of the combined evidence data, depending on data complexity and amount of compression used on the evidence data. When caching of original evidence items is turned off, this reduces the amount of disk space. For better indexing performance, we suggest to store the case data folder on a physically different disk than the one with the evidence data. Disk access times for the case indexes are critical for performance. We therefore strongly suggest not using USB or network drives for the case data folder. See the section on Storage Recommendations for more storage-related tips. When indexing MS Exchange EDB files, the memory sizes in the table below should be doubled and the memory settings will need to be adjusted (see the Memory Settings section). Main memory and CPU requirements for indexing: Evidence size Minimum memory Recommended memory Number of CPU cores Up to 10 GB 4 GB 8 GB 2 10 to 100 GB 8 GB 16 GB to 500 GB 16 GB 32 GB or more 4 or more Case sharing (TEAM Manager) Memory requirements depend on the evidence size and number of concurrent reviewers. Recommended memory sizes (in GB, more is better) and CPU cores for the machine that is sharing the case depends on both the evidence size and the number of concurrent reviewers: Evidence size 1-4 Reviewers 5-10 Reviewers Reviewers Up to 10 GB 4 GB, 2 cores 8 GB, 4 cores 16 GB, 4 cores 10 to 100 GB 8 GB, 4 cores 16 GB, 4 cores 32 GB, 8 cores 100 to 500 GB 16 GB, 4 cores 32 GB, 6 cores To prevent bottlenecks, the storage system should scale with the size of the case and team. Larger teams are better served with a case folder stored on RAID arrays and/or fast solid state drives (SSD). Page 24 Intella User Manual 2017 Vound

25 Connecting to shared cases (Viewer) While technically Intella TEAM will work over slow network connections, a local and fast (gigabit) network is preferable, especially when working with large cases or with large reviewer teams. Main memory and CPU requirements for connecting to a shared case: Evidence size Minimum memory Recommended memory Number of CPU cores Up to 10 GB 2 GB 4 GB 2 10 to 100 GB 4 GB 8 GB to 500 GB 8 GB 16 GB or more Step 2: Check the software requirements The following external applications may also be necessary to use all of Intella s functionalities, see below for details: MS Office IBM Notes Microsoft.NET kcura Relativity SDK MS Office Microsoft Office is NOT required to index PST/OST files or any MS Office document formats or for exporting items to PDF (the latter was a requirement with earlier Intella versions). An Office installation is still required for exporting items to a PST. The PST export requires MS Office 2007 or higher or higher is recommended. The 32-bit Intella version requires 32-bit MS Outlook. The 64-bit Intella version can use both 32-bit and 64-bit MS Outlook. IBM Notes To index NSF files, IBM Notes 8.5 or higher is required. Only the application files are necessary, IBM Notes does not have to be fully setup to be used by Intella. In principle, all IBM Notes 8.5.x versions or later can be used, but the following versions will produce a warning: FP FP FP These versions contain a bug described here that cause s with multiple Received headers to be altered: all Received headers will get the value of the first header. At the time of writing IBM Notes was available, in which this bug has been fixed. To index files made with IBM Notes 9.x, we recommend installing IBM Notes 9.x. Note: Intella needs to know the location of IBM Notes to index NSF files. Please go to File > Preferences > IBM Notes to check if the location is validated. Microsoft.NET and kcura Relativity SDK To be able to export directly to a Relativity server, i.e. without having to handle Relativity load files, Microsoft.NET 4.5 and the kcura Relativity SDK need to be installed. Page 25 Intella User Manual 2017 Vound

26 Microsoft.NET can be obtained from the Microsoft website. The Relativity SDK can be obtained here. This functionality was tested with version 8.2 of the SDK. After running the SDK installer, copy all 20 DLLs from this folder: C:\Program Files\kCura Corporation\Relativity SDK\ImportAPI\Client\x64 to this folder (assuming the default installation path): C:\Program Files\Vound\Intella 2.0\bin\relativity\ Step 3: Learn about licenses and dongles Notes on the trial license that is bundled with the software that you have downloaded: 14-Day evaluation period. The trial version runs under a HASP Software License, which gives you the ability to use Intella for 14 days. The 14-day evaluation period cannot be extended. The only way to continue using Intella is to purchase a dongle. Trial restrictions. Besides the 14 days of usage, the trial only allows 10 GB of evidence files per case. Also, exporting is limited to maximally 1000 items per export. Continue working with a USB dongle. If you would like to continue using Intella after this 14-day period, you will need to buy a license. After buying the license you will receive a USB dongle that will allow you to continue using the version you already installed. A dongle provides a perpetual license without export restrictions. Evidence size restrictions may still apply, based on the licensed product. An exception is the Intella P.I. product, which is licensed using a software-based license locked to a single machine. System clock. Changing the clock on your system will cause the trial to automatically expire. When this occurs, the only way to continue using Intella will be to purchase a license. Virtual Machines, VMware. The evaluation version and Intella P.I. will not work in VMware without a dongle. RDP (Remote Desktop Protocol) connection. When using RDP, the dongle or trial license must be in/on the computer running the Intella software, not in the computer running the RDP viewer. Note that versions < 1.7 do not support use of the trial license over RDP. Other dongle-protected software must be closed All other HASP protected software, like EnCase (Guidance), Smart Mount (ASR Data), HBGary and i2 products, must be closed when installing Intella Step 4: Install the software 1. Download Intella through the download page on the Vound support website: Page 26 Intella User Manual 2017 Vound

27 2. Double-click on the downloaded.exe file to launch the installer. Accept the license. 3. Enter the location to store the application files and shortcuts or accept the default settings. All files will be extracted to the location of your choosing and an Intella shortcut is (optionally) placed on your desktop and in your Start menu. The application folder contains an executable called "Intella.exe" that can be used to launch the application. The desktop and menu shortcuts also start this executable. The program will start with the Case Manager window. Important: Intella will not install in an installation folder of an earlier version. Install a new version of Intella in a folder with a new name, for example: C:\Program Files\Vound\Intella 2.0\ It is possible to install multiple Intella versions side by side Step 5 (optional): Support for S/MIME- and PGP-encrypted s By default, you will not be able to decrypt many S/MIME s, PGP s and MS Office documents until you have installed the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy files in Intella s installed application files. Due to US export policies, we are not allowed to distribute these files as part of Intella. When these files are not installed, you will see a warning message when you open the "Key Store" dialog. Follow these steps to install the JCE files: Close Intella. Download "JCE Unlimited Strength Jurisdiction Policy Files for Java 7" from Unpack the archive. Copy the two extracted JAR files into the following folders (replacing any existing files): o <Intella Folder>\jre\lib\security\ o <Intella Folder>\jre-x86\lib\security\ (only applies to Intella 64-bit edition) Note: Intella bundles its own Java JRE(s). The JCE files should be installed in these JRE(s). Installing it in the system s Java installation has no effect. 4.2 Storage considerations Besides the memory and CPU requirements above, there are other hardware considerations that impact performance. Use of USB drives Our testing shows that USB drives are generally slower than internal hard drives or esata drives. Please note that Windows allows you to use USB drives in two performance modes: the default Quick Removal mode and the Better Performance mode. Using the latter helps a lot to achieve better performance, but you will have to make sure to properly remove the drive in Windows before unplugging the drive. Not doing so means you risk damaging your case files beyond repair. Page 27 Intella User Manual 2017 Vound

28 Evidence on external drives Many users like to keep their evidence data on an external drive, for a variety of reasons. A common question is whether they can still use the case when this drive is disconnected after indexing. This is certainly possible. Access to the original evidence files is only necessary when you want to export the original evidence files themselves and have disabled the Cache original evidence files option when you added the source. For the rest the case folder is completely self-contained as all extracted items are stored in the case folder and can be exported without access to the original evidence files. For example, when you index a folder with PST files, any and other embedded items extracted from those PST files are stored in the case folder and can always be exported. The PST files themselves are not copied into the case folder, unless the Cache original evidence files setting is selected. Selection and configuration of hard drives Because Intella is an intensive user of a system's hard drive, we recommend careful selection and configuration of the hard drives to optimize performance. Generally, newer hard drives will outperform older drives in that they benefit from design improvements and new technology. Consider the following when using Intella: Separate disks for evidence and case indexes. During indexing, Intella accesses the database continually performing read and write functions. To more efficiently use the resources, it is recommended that the evidence data and the case data be allocated to separate hard drives. For example, put the case data on the "C" Drive and the evidence data on the "E" Drive. See the hardware requirements section for appropriate drive sizes given the case at hand. Optimization folder. Since Intella 1.8 the case creator can specify a third folder for optimization purposes in the case details. Currently this folder is used for storing temporary indexing data that else would be stored in the case folder. When the optimization folder resides on a different drive than the case folder or evidence folder(s), this can further improve indexing performance. Proper connection. To realize maximum benefit from Intella's multi-disk optimization architecture, ensure that the hard drives are appropriately connected to the computer's motherboard to benefit from the higher available bandwidth. For example, connect the drives to the SATA-300 or SATA-600 connector rather than the smaller bandwidth carrying SATA-150. Configure the system's BIOS correctly. Typically, the computer's BIOS defaults to the lowest common denominator to facilitate compatibility for connected hardware components. As a result, performance and speed can suffer. To address this possibility, check the BIOS to: o Ensure the hard drive supports Native Command Queuing it should! o Confirm that the SATA control mode is set to either AHCI or RAID. Note: if the setting is at IDE (typically the default), Intella's performance will suffer with slower indexing and searching as a result. Use of external and/or network drives. Internal drives are always the preferred option for Intella. Intella's indexing and search performance can deteriorate significantly when used with external or network drives. o If required, external drives such as a USB can be used to hold the evidence data. However, it is recommended that the fastest available connection option be used. USB 3.0 or esata should offer acceptable performance. Avoid USB 2.0 drives as they are significantly slower for any evidence or case file greater than 2-5 GB. o Network drives may be acceptable for holding evidence files if on a fast network. When using network drives, it is imperative that no other users access the files at the same time. You should also ensure that no network antivirus or filtering software blocks the indexing processes. Page 28 Intella User Manual 2017 Vound

29 When processing a large case (> 100 GB of evidence files), it is advisable to format the NTFS disk with a cluster size that is larger than the default (usually 4 KB). This reduces the chance of defragmentation issues during indexing. Furthermore, it is recommended to turn off disk compression. 4.3 Installation troubleshooting Error code 7 (H0007) "HASP key not found (H0007)" This error code might be caused by other HASP dongle protected programs. Please close all HASP related programs (i.e. EnCase, Smart Mount) and reinstall Intella Error code 31 (H0031) Could not find a valid Intella license, please insert a dongle This error message is shown when your trial license has expired, or when you unplug your dongle while Intella is running and it cannot fall back to a non-expired trial license. You can only continue using Intella by inserting a dongle Error code 33 (H0033) "Unable to access HASP SRM Run-Time Environment (H0033)" This error code may be triggered if you run antivirus software. It is probably due to the antivirus software incorrectly blocking access to the HASP install. Please update your antivirus software to the latest virus definition file. If this problem persists, reboot your computer, open a Command Prompt and run (as administrator) <intella-dir>\bin\haspdinst.exe -i -kp and restart Intella Error code 37 (H0037) Other HASP dongle protected software may cause this error. Please close all HASP related programs (i.e. EnCase, Smart Mount) and reinstall Intella. If this problem persists, open a Command Prompt and run (as administrator) <intella-dir>\bin\haspdinst.exe -i -kp and restart Intella. If problem persists after running this command, please open a Command Prompt as administrator and run net start hasplms Tip: To open a Command Prompt and run as administrator (in Vista and Windows 7), please select Start > Accessories > Command Prompt. Right click and select "Run as administrator. Page 29 Intella User Manual 2017 Vound

30 4.3.5 Error code 41 (H0041) "Your Intella (trial) license has expired (H0041)" This error will be triggered if Intella is run and your trial license has expired. Once the trial has expired, you can only continue using Intella by inserting a dongle Error code 51 (H0051) "Virtual machine detected, cannot run without a dongle (H0051)" To protect our intellectual property, the evaluation version of Intella WILL NOT run in a virtual machine (VM) environment. A stand-alone machine is required. This is only true for the evaluation version; Intella will run in a VM environment using a dongle. Solution 1: Reconnect the USB dongle to your computer Solution 2: Install the Intella evaluation version outside a virtual machine Memory settings The Intella process and its child processes (one for each case that you open + additional processes during indexing and exporting) are limited by the amount of RAM that the process can maximally use, despite how much memory is installed in the machine. On some data sets this limitation can cause issues when indexing or reviewing the data. These issues can be recognized by errors in the log files containing the text OutOfMemoryError or java heap space. When such errors occur, a workaround may be to increase the automatically managed memory settings, especially when the machine meets the recommended hardware settings (at least 8 GB of RAM). To increase these limits, select the case in the Case Manager and click Edit button. Change the Memory allocation setting from Auto to Manual and increase the value. Note that you can never specify more than half of the available system RAM. This is to make sure that Intella s child processes and the OS still have sufficient memory available to them. When the memory issue relates to the processing of evidence files (you may need to contact tech support for that diagnosis) or to exporting, then locate the Intella.l4j.ini file in Intella s program files folder and open it in a text editor. You will typically need administrative privileges to edit this file. Locate the following line: # -Dintella.serviceMaxHeap=600M When the # is removed, this instructs Intella to use maximally 600 MB of memory for these child processes. Remove the # and increase this number to the higher value suggested to you by tech support. Make sure that you do not go beyond 1300M for the 32-bit Intella version. With the 64-bit version of Intella you can use larger values, but never more than your machine and OS supports. For processing of EDB files, a minimum of 3 GB will be necessary, e.g.: -Dintella.serviceMaxHeap=3G Where are Intella's data files located? There is an Intella data folder in your home folder. Typically, it is in C:\Users\<USERNAME>\AppData\Roaming\Vound\Intella Page 30 Intella User Manual 2017 Vound

31 4.3.9 Where can I find Intella s log files? Intella has two types of log files: Case-specific log files. These will contain any messages (errors, warnings, status messages) relating to your activities in the case, such as indexing, searching and exporting. They are in \Intella\cases\<CASE FOLDER>\logs Log files of operations performed in the Case Manager, such as exporting or importing a case. These are in \Intella\logs The log files can be opened in any text editor like TextPad or Notepad++. Be aware that Windows default text editor Notepad may have issues opening large files. Tip: Click Help > Open Log Folder to open the log folder of the current case. Page 31 Intella User Manual 2017 Vound

32 5 Frequently asked questions How is a file type determined? Intella looks for certain binary markers (so-called magic numbers) that identify certain file types regardless of the file extension (e.g.,.pst,.doc, etc.). When this detection process fails to produce a detected file type, Intella uses a list of known file types by file extensions. Intella may not be able to determine the file type of files with non-standard (unknown) file extensions. Should I re-index a case when I want to add a new source? No, to add a new source to case you do not need to re-index the whole case. When you add the source, make sure that the option "Yes, I want to index this source now (recommended)" is selected on the last page of the "Add new source" wizard. Intella will index only the new source when you click Finish. When you define the new source without the "Yes, I want to index this source now" option selected, you can use the Index new data menu item in the Sources menu. This will scan all sources for new evidence items, including sources that have not been indexed at all. Can I re-index a single source in my case? No, you can only re-index the entire case. When the information in one of the sources has changed, and re-indexing the entire case is undesirable (e.g. because of the time needed), you can work around this by adding a new source and masking the old one. For example, when you have a source named "Evidence 1", which is one of several evidence folders in the case, and only the files in Evidence 1 have changed, you can do the following: 1. Rename the source folder "Evidence 1", e.g. to "Evidence 1 (updated)". 2. Add it as a new source to the case and keep the "Yes, I want to index this source now selected when you click Finish. 3. Exclude the old source "Evidence 1" using the "Location" facet: select the node, click on the arrows in the Search button and click Exclude. Even though the old data is still in the case, all search operations will filter out the results from the old Evidence 1 source. Important note: when the items in the old source have any annotations (tags, comments, etc.), these will not be copied to the items obtained from the new source. You will need to transfer them manually, e.g. using MD5 and message hash lists. When there is a substantial amount of such annotations, you may want to reconsider re-indexing the entire case, as this is a fully automatic operation. Page 32 Intella User Manual 2017 Vound

33 Will I lose my tags and comments after re-indexing my case? No, all your existing tags and comments will remain in the case after re-indexing. Will the item IDs be the same after re-indexing? Item IDs may be the same after re-indexing, but this cannot be guaranteed. Especially the use of multiple extractor pipelines can cause evidence items to get slightly different IDs during re-indexing. As the item IDs are NOT used for storing annotations (tags, comments, etc.), the annotations will not suffer from changes to the IDs. The changed IDs have only consequences for exported item ID lists. Why are some characters ignored in search queries? This is caused by what is called the analyzer: before an item can be indexed, the analyzer breaks down the text to determine the individual words used in it. This analyzer discards white space, punctuation characters, etc. The same analyzer is also used to break down your query into individual terms. As non-letters and non-digits are ignored, for example, the queries searchterm, searchterm/ and searchterm (with an extra space at the end) all end up being equivalent. Why does the number of messages in the ($All) folder in my case not match the number of messages in the All Documents folder in IBM Notes? Intella collects all items from all folders and lists them in the Location facet. The only exception is "($All)" folder. This is a special folder that usually contains all items from all folders the other folders are essentially a selection of items from the ($All) folder. Intella won't attribute a copy found in the ($All) folder when it is already present in another folder, to prevent duplication. Can Intella perform live indexing? Some cases may require you to index files while the computer is being used, or across a network. For such cases, we have made Intella to work with the best-of-breed application F-Response, by Matt Shannon. This combination provides you with a live forensic solution for under $300. You can obtain F-Response at Does Intella index attachments? Intella will search both the and the attachment for the keyword(s) and metadata. Can Intella deduplicate results? Yes, Intella can deduplicate search results. During indexing, the checksum (hash) of every item is stored. Intella can be set to show or hide duplicates while you use it. Intella uses the MD5 hash to calculate checksums of binary items. For s and SMS messages a more specialized algorithm is used that can deduplicate across sources and source types. Are there any EnCase EnScripts for use with disk images? In collaboration with several users Vound has created an Export to Intella EnScript. The EnScript is freely available for Intella users. Please contact our support department for a download link. Page 33 Intella User Manual 2017 Vound

34 This EnScript Package is designed to provide a simple, yet powerful, method to export relevant electronic files, including , documents, and images, from EnCase to Intella for efficient investigatory review prior to full forensic analysis. Note that since the time this EnScript was published, Intella has been extended with support for direct indexing and filtering of disk images. Why do Chinese/Japanese/Korean queries give imprecise search results? Documents written in Chinese, Japanese and Korean (often referred to as the CJK languages ) differ from western languages in that the use of whitespace characters in CJK texts is optional. This makes it harder to create indexing software, as it typically uses whitespace, punctuation and other character classes to determine the words in a text that need to be stored in the index. Proper segmentation of CJK texts into words is still an open research issue and every method has its drawbacks. A solution could for example be to index all characters from the CJK character sets as independent words. This would be trivial to implement, but has as a drawback that words that do consist of multiple characters will be much harder to find due to the large number of false positives that this method generates. The solution used in Intella is to index the texts using bi-grams: every combination of two adjacent CJK characters in the text is seen and indexed as a word. In practice this method gives reasonable performance: It is simple to create and does not rely on e.g. expensive word dictionaries and perfect document language identification. It is quick to process and produces a small text index. The resulting index will find all occurrences of the entered terms, but with some number of false positives; this method favors recall over precision. Note: A way to find out how a certain piece of text is processed by Intella s indexing engine is to create a short document with this text, index it, open the item in the Previewer and look at the Words tab. This tab shows a table with all terms extracted from the document and stored in the full-text index. Sort the table by the Field column and look for the words in all rows that have text as value in the Field column. How can I print and export PDF reports with characters of my language? By default, Intella supports printing and PDF generation for basic Latin character set only. To enable printing and PDF export for a language with another character set, you need to install an additional Unicode font that supports your language. 1. Download the font file and install it in your system 2. Copy the font file to the font subfolder of your Intella installation: C:\Program Files\Vound\Intella 2.0\font 3. Restart Intella The font must be a Unicode TrueType font with ".ttf" file name extension. It is recommended that the Intella font folder contains only one font file. Recommendations for font selection: For Chinese, Japanese or Korean languages it is recommended to install a language-specific font. A large list of fonts for different languages and writing systems is available at Page 34 Intella User Manual 2017 Vound

35 you already have the native font installed on your Windows system, you can copy it from "C:\Windows\fonts" to the Intella "font" folder. For languages than Chinese, Japanese or Korean, it is possible to install a single universal font supporting a broad range of character sets. You can try the GNU FreeFont font collection at Page 35 Intella User Manual 2017 Vound

6 Dongles Intella licenses are typically delivered in the form of a dongle. The only exception is Intella P.I., whose timebased licenses are delivered using a hardware-bound, software-based license key.

36 6 Dongles Intella licenses are typically delivered in the form of a dongle. The only exception is Intella P.I., whose timebased licenses are delivered using a hardware-bound, software-based license key. Dongles have several benefits over software-based license keys. For example, users can easily move software licenses from one machine to another by simply plugging the dongle into the other machine, there is no loss of license when the operating system is reinstalled or reverted from an image, changes to the hardware (new motherboard etc.) do not lock the license, hard drive failures do not result in the loss of licenses, etc. To protect our intellectual property, dongles may not be activated when shipped by Vound or one of its resellers. In that case, it is necessary to activate your Intella dongle to use Intella. By default, users are supplied with a single user dongle for every ordered copy of Intella. Optionally, a network dongle can be delivered instead. This type of dongle allows for consolidating the licenses of multiple users on a single dongle, which then is typically installed on a physically secured, always-on machine. See the section on network dongles below for how to configure your systems to use a network dongle. 6.1 Activation with the Dongle Manager Intella ships with a Dongle Manager application. The Dongle Manager will list all connected Vound dongles and the products they currently contain. When the PC running the Dongle Manager is connected to the Internet, it can also contact the Vound license server to check for any updates for a dongle. These updates are then downloaded and applied automatically. Page 36 Intella User Manual 2017 Vound

$The Dongle Manager is in the Intella program folder: C:\Program Files\Vound\Intella 2.0): A shortcut to the Dongle Manager can also be found in the Start menu.$

37 The Dongle Manager is in the Intella program folder: C:\Program Files\Vound\Intella 2.0): A shortcut to the Dongle Manager can also be found in the Start menu. After starting the Dongle Manager, the following screen will appear: This screenshot shows a typical setup where only one Vound dongle is connected. When multiple dongles are present, they will each be listed separately in this list. Click on Blink to see to which physical dongle an entry in the list corresponds. This will cause the LED in the represented dongle to blink rapidly. This can be useful when you have multiple Vound dongles plugged in or are using HASP dongles from a different Vendor. Show Products will list the licensed products on that dongle. All products typically have a perpetual license; hence no license restrictions are displayed by the Dongle Manager. Show Products also shows a list of expiration dates. These reflect the end date after which you will not be able to receive technical product support and license updates. These end dates do not affect the ability to use the existing licenses on your dongle. To update your dongle, click on Check for Updates. This will contact the Vound license server and download and apply any updates. When the process has finished, the Dongle Manager will show which products, if any, have been added to the dongle. The update procedure will only add new licenses to the dongle; it will leave your existing licenses untouched. When you are on a network using a proxy, Intella will automatically try to detect and use it. If this fails, the proxy settings can still be set using the Configure proxy settings. Consult your IT admin for further instructions. Page 37 Intella User Manual 2017 Vound

6.2 Activation with haspupdate.exe If the dongle cannot be updated in this fashion, e.g. because external network connections are not allowed, please follow the steps below.

$You will find haspupdate.exe in the bin folder in the installation folder of Intella. The default installation folder is: C:\Program Files\Vound\Intella 2.0 3.$

38 6.2 Activation with haspupdate.exe If the dongle cannot be updated in this fashion, e.g. because external network connections are not allowed, please follow the steps below. Step 1: Collect your dongle and license information and send it to Vound Support at: 1. Plug your dongle into an available USB port. 2. Start haspupdate.exe. You will find haspupdate.exe in the bin folder in the installation folder of Intella. The default installation folder is: C:\Program Files\Vound\Intella Select the Collect Key Status Information tab. Click Collect information. 4. In the next dialog, you will be asked to Save key status as. Please save the file with your company name. If you are activating more than one dongle, please number the files. The file(s) you create will have a c2v file extension. Example: ACME_Forensics_1.c2v ACME_Forensics_2.c2v 5. After you clicked Save, you will see the Select HASP dialog. Please select the HASP HL key, not the HASP SL key 6. Record the dongle ID numbers for each dongle. This will help when applying the update files. Page 38 Intella User Manual 2017 Vound

7. Send the created c2v files to support@vound-software.com. Please ensure you include the following details in the email when sending the c2v files: a. Organization Name b. Address c. Zip code d.

Intella Viewer vi. Intella TEAM Manager Step 2: Apply the license update file(s) you receive from Vound Support. 1. Make sure your dongle is connected to the computer that runs Intella. 2. Vound Support will send a dongle activation file.

39 7. Send the created c2v files to Please ensure you include the following details in the when sending the c2v files: a. Organization Name b. Address c. Zip code d. Country e. Contact Name f. Phone Number g. Address h. Vound Product type select only one per dongle: i. Intella 10 GB ii. Intella 100 GB iii. Intella 250 GB iv. Intella Professional v. Intella Viewer vi. Intella TEAM Manager Step 2: Apply the license update file(s) you receive from Vound Support. 1. Make sure your dongle is connected to the computer that runs Intella. 2. Vound Support will send a dongle activation file. The activation files are dongle-specific. The file will end with a.v2c file extension and the name of the file contains the dongle ID. Example: HaspUpdate_68_ v2c (the dongle ID in this case is ) Save the.v2c file on your computer. Be sure to remember where it is stored! 3. Start "haspupdate.exe" as before. 4. Click the Apply License Update tab. Then click the Browse button labeled next to the Update File field. This opens a file selector dialog. 5. Select the.v2c file in the file selector and click Open. 6. Click Apply update button. This will activate the dongle. Your Intella dongle is now activated! In case of questions or problems, please contact Vound Support at Page 39 Intella User Manual 2017 Vound

40 6.3 Network dongles A prerequisite for using network dongles is that the so-called HASP driver is installed on both the client and the server. This driver is in fact known under several different names due to historic reasons. When it is installed, it is typically visible as Sentinel LDK License Manager in the Windows Services application and under that same name or as hasplms.exe in the Windows Task Manager and Windows Resource Monitor. On a standalone PC, the driver provides a bridge between the licensed application (Intella) and the dongle holding the license. Furthermore, it handles software-based licenses such as the bundled trial license and the software-based Intella P.I. license. In case of a network dongle, the drivers on the machines stretch that bridge across the network, making the products on the network dongle available to other PCs in the network. Getting this driver installed is best achieved by simply running the Intella installer on both machines, as it includes the installation of the HASP driver. Once the HASP driver is up and running on both machines, the drivers will communicate with each other automatically, or after a bit of network configuration (see below). When Intella starts on the client and requests a license from its local driver, the driver will communicate with the server s driver and exchange information about the network-enabled licenses on the server s dongle, making the licenses also available to the client. The server s driver will register that one more user is using Intella, or refuse the operation (and block the client machine from starting Intella) when the allotted maximum number of concurrent users has been reached. Network dongles often work out-of-the-box, but may in some cases require a small amount of network configuration. This depends mostly on the locality of the client running the Intella server and the server holding the network dongle Client and server in single subnet When the client and server are within the same subnet, no network setup is usually necessary. The drivers on both machines will usually find each other automatically and the client will be able to use the licenses on the network dongle. For example, in the following setup: Server IP address: Client IP address: Subnet Mask (Class-C): the drivers will be able to communicate directly, if port 1947 is not blocked. If Intella is not able to use the network dongle s licenses, please follow the steps below for setting up usage with different subnets. This may resolve the issue Client and server in different subnets Given the following setup: Server IP address: Client IP address: Subnet Mask (Class-C): Page 40 Intella User Manual 2017 Vound

the drivers will require some configuration for the client and the server to be able to find each other. Step 1: Make sure that port 1947 (used by the drivers) is not blocked by any firewall.

41 the drivers will require some configuration for the client and the server to be able to find each other. Step 1: Make sure that port 1947 (used by the drivers) is not blocked by any firewall. The drivers use this port to communicate with each other and with the Intella application. Step 2: Ensure that the server and client machines can ping each other. Step 3: Plug the network dongle into the server. Make sure that the key is detected when viewing the Admin Control Center on on the server, like this: All network dongles show up as HASP HL Net dongles in the Key Type column, with the number at the end varying (typically 10 or 50). Step 4: On both the server and the client, do the following: On click on Configuration. Select the Basic Settings tab, if that tab is not already selected. Make sure that the Allow Remote Access to ACC checkbox is selected. Click Submit if a change was made. Step 5: On the server, do the following: On click on Configuration. Select the Access from Remote Clients tab. Page 41 Intella User Manual 2017 Vound

42 Make sure that the Allow access from Remote Clients checkbox is selected. Click Submit if a change was made. Step 6a: When client and server are on the same subnet, then on the client: On click on Configuration. Select the Access to Remote License Managers tab. Make sure that the Allow Access to Remote Licenses checkbox is selected. Make sure that the Broadcast Search for Remote Licenses checkbox is selected. Click Submit if a change was made. Step 6b: When client and server are on different subnets, then on the client: On click on Configuration. Select the Access to Remote License Managers tab. Make sure that the Allow Access to Remote Licenses checkbox is selected. Make sure that the Broadcast Search for Remote Licenses is deselected. Make sure that the Aggressive Search for Remote Licenses is selected. Enter the IP address of the server in the Remote License Search Parameters box. Click Submit if a change was made. Page 42 Intella User Manual 2017 Vound

43 Step 7: Start a web browser on the client machine and open the following URL: IP address/host name>:1947 In the example scenario that would be: Verify that you can see the Admin Control Center and that the network dongle is listed. This verifies that the client and server can communicate properly. You should now be able to start Intella on the client, using a license from the network dongle. You can verify this by checking the Case Manager window; it should list the network dongle s ID: Page 43 Intella User Manual 2017 Vound

44 7 Products and workflow 7.1 Feature overview The following table lists the seven different Intella desktop applications and their features: Professional Viewer TEAM P.I. GB GB GB Manager Preparation Evidence size limit GB 250 GB none none none 10 GB Create new cases Index evidence files Investigation Search, filter & review Preview items Flag & tag items Export items Cooperation Export Cases Import Cases Share Cases Connect to Shared Cases Export Work Reports Import Work Reports Page 44 Intella User Manual 2017 Vound

45 7.2 Standalone use The following Intella products can be used for standalone use: Intella 10 Intella 100 Intella 250 GB Intella Professional Intella TEAM Manager Intella P.I. They allow a user to create cases, index evidence files, search, filter, flag, tag or otherwise annotate and export items. The number in the 10/100/250 products indicates the number of gigabytes of evidence files that each case can hold in a case. Intella Professional and Intella TEAM Manager have no such limit. Intella P.I. equals Intella 10 in all its abilities; the only difference is in how the product is licensed (perpetual, dongle-based license vs. annual, software-based license). The cases created by these products can also be reviewed by the following products: Intella Viewer: a desktop product with reduced functionality. Intella Connect: a separate, server-based product accessed via a web browser. The workflow for standalone use is as follows: 1. The investigator creates a case in the case manager of Intella and indexes evidence files. 2. The investigator flags and tags items, and gives comments to items of interest. 3. The investigator exports the results for further processing of the case. In principle, it is possible cooperate on a case by giving other investigators a copy of the case folder. While technically this will work (a case is in no way tied to a specific end user license or machine), the main challenge will be to coordinate that joint investigation. A case copy essentially starts a life on its own, meaning that tags and other annotations exist only within that copy. Ideally the tags are visible to all other investigators, perhaps filtered based on a permissions model. This is where Intella TEAM comes into the picture. 7.3 Sharing cases The Intella TEAM product makes it possible to work with multiple investigators on the same case in a way that goes beyond simply giving each reviewer a copy of the case folder. To do so, you need Intella TEAM Manager for the case administrator and Intella Viewer for the investigators in your team. Intella TEAM as mentioned in Vound s marketing documents is merely the default bundle of one Intella TEAM Manager and three Intella Viewer licenses, as it is typically sold. Note: Previous Intella releases also featured an Intella TEAM Reviewer product. In the 1.8 release the Intella Viewer and Intella TEAM Reviewer products have been merged. The new product is called Intella Viewer but has all the functionality of the TEAM Reviewer product (which was a superset of the Viewer functionality). This means that the new Viewer can open both local and remote/shared cases and export work reports. A dongle license for either Intella Viewer or Intella TEAM Reviewer can be used to start the new Viewer product. Page 45 Intella User Manual 2017 Vound

46 As with standalone use, the case administrator creates the case in Intella TEAM Manager and indexes the evidence files. The case administrator then has two options for giving other investigators access to the case: Share the case across a network. The investigators use their Viewers to connect to the running TEAM Manager instance and will instantly see changes such as tags, flags and comments made by other investigators working on the same case. Export the case as an.icf file for use by the investigator. In this case, no network access between the Viewer and TEAM Manager is necessary, but setting up the investigator s machine and sharing the work product such as tags and comments will take more time and effort Sharing cases across a network 1. The case administrator creates a case in Intella TEAM Manager using the case manager and indexes the evidence files. 2. The administrator closes the case and returns to the Case Manager screen. The administrator selects the case and clicks Share In the screen that follows, the administrator enters a free network port number, configures the authorization rules and clicks Share case. 3. The case administrator informs the investigators of the Case URL that they can use to access the case. 4. The investigators start Intella Viewer, choose to add a new shared case, and enter the Case URL and their username and password. After checking the connection to the shared case and specifying a local data folder, the Viewer opens the case. 5. Investigators start reviewing the case. Any flags, tags and comments that they add are immediately stored in the central case and will be visible to the other investigators Sharing cases offline 1. The case administrator creates a case in Intella TEAM Manager using the case manager and indexes the evidence files. 2. The case administrator exports the case to an Intella case file (.icf file) and informs the investigators where they can find the case file. Page 46 Intella User Manual 2017 Vound

47 3. The investigators use Intella Viewer to import the Intella case file. 4. The investigators can then locally open their copy of the case. 5. Investigators flag, tag items and comment on items of interest. They export an Intella work report (.iwr file) that holds these annotations. 6. The case administrator opens the case in Intella TEAM Manager and imports all the Intella work reports created by the investigators. The administrator exports the combined results for further processing of the case Work reports When sharing cases offline, work reports are essential in merging the work product of all investigators working on the same case into the master copy of the case. Exporting work reports Exporting an Intella work report means that an *.iwr file is created (Team> Export Work Report ). This file contains all tags, flags and comments given to items by an investigator. We refer to these types of information as item updates as they extend the stored item metadata. Furthermore, it contains the user actions on items that can be found in the Features facet (Previewed, Opened and Exported). In the Export Work Report dialog, you can set the file name of the work report that is to be created. When you select the option Create CSV report, a CSV file will be created that contains a list of all the items that are flagged, tagged or commented. This CSV file lets the investigator double-check the tags, flags and comments that are contained in the work report. It is not necessary to give this CSV to the case administrator, only the.iwr file will suffice. In the second section, you can choose what type of updates will be reported: tags, flags, comments, action statistics and saved searches. You can further specify what tags should be in the report by clicking the Select button. In the third section, you can (optionally) further restrict the item updates included in the work report. By selecting Also include updates from these reviewers and by selecting one or more names after clicking the Select button, the work report will also contain annotations made by the selected investigators. This option is disabled when your case does not contain updates made by other reviewers. Only include updates made between and allows you to restrict the work report to updates that were made in a specified date interval. Only include updates in these sources allows you to limit the report to selected sources only. Only include updates from items selected in the Details view allows you to filter the report to the items that are currently selected in the Details panel. Page 47 Intella User Manual 2017 Vound

48 The creation of the work report may take some time, depending on the case size and the number of updates. Afterwards a dialog is shown that lists the created files and statistics on how many tags/flags/etc. are stored in the work report. Importing work reports Importing work reports means that work report files (*.iwr files) created by investigators are added to the original case managed by the case administrator. Flags, tags and comments, audit logs and statistics generated by an investigator are imported into the case. In this way, the results of a team of investigators can be combined. Use Team > Import Work Report menu entry will show the Open dialog. Select a work report and click Open. The Work Report History dialog shows a list of imported work reports. Use to Team > Work Report History to open this dialog Cross-case work reports The work report mechanism can also be used to transfer the annotations between different cases that contain copies of the same items, e.g. one original case and a newer case that is partially based on the same evidence files. When Intella detects that the work report that is being imported comes from a different case, it starts a heuristic procedure to match the items in the work report with the items in the current case. The results of this procedure are presented in a dialog that shows: The number of annotations (tags, flags, comments and actions) whose items are identified and verified in the target case. The number of annotations whose items are identified but not with full certainty (potential matches). For instance, if an identified item has duplicates in the target case, they are included into this category. The number of annotations belonging to items that could not be found in the target case. When the number of potential matches is non-zero, the dialog contains a checkbox controlling whether these annotations should be imported into the target case. When this option is not selected, only annotations for verified matches will be imported. To start importing, press the OK button. It is possible to generate a CSV report listing the details of annotations contained in this work report and their matching items. The CSV file contains: Basic item metadata: MD5 hash, item ID, file name or message subject, item size, type and source name Type of annotation: tag, flag, comment or action. Status of the item matching algorithm: Verified, "Potential match" or "Missing". To generate this report, click the "Generate detailed report" button, then select the file location and categories of matches to include into the report. Page 48 Intella User Manual 2017 Vound

8 Managing cases A case is a collection of evidence sources that can be searched by Intella as a single collection. You use cases to organize your investigations.

49 8 Managing cases A case is a collection of evidence sources that can be searched by Intella as a single collection. You use cases to organize your investigations. When you start Intella, the Intella Case Manager will first show up. Here you can define new cases, open and edit existing cases, remove old ones, and share and export cases. The icons represent local cases (folder icon), remote cases (TEAM icon) and old cases (grayed-out folder icon). If the case is made with Intella 1.7.x or older, it cannot be opened. Above the case list is a field for entering the Investigator name. This name will be used as the default user name when creating new cases and connecting to remote cases. Also, when opening a local case made by someone else, all user actions like previewing, tagging and exporting will be associated with this user name. The initial value used here is your Windows user name. Below the cases list you can see the ID of your dongle. This can be relevant in conversations with Vound s support department. When you are using a trial license, this line will reflect that. When your dongle is inserted but you still see a line indicating that you are using a trial license message, this could indicate technical problems with accessing the dongle, but also that your dongle needs to be updated to run with this Intella version. Page 49 Intella User Manual 2017 Vound

8.1 Adding cases To create a new case, select Add in the Case Manager window. The Add Case options will appear. It shows the four ways of adding a new case to Intella: 1.

With this option, you can connect to a case that is shared by a TEAM Manager user. This option is only available when running Intella with a TEAM Manager or Viewer license. 3. Add an existing case.

50 8.1 Adding cases To create a new case, select Add in the Case Manager window. The Add Case options will appear. It shows the four ways of adding a new case to Intella: 1. Create a new, local case from scratch. Use this to index a new set of evidence files on your machine. 2. Open a shared case. With this option, you can connect to a case that is shared by a TEAM Manager user. This option is only available when running Intella with a TEAM Manager or Viewer license. 3. Add an existing case. Use this when you have a case folder already on your system but it is not yet in the list of cases shown by the Case Manager. 4. Import a case. Use this when you have received a copy of a case from another investigator as an ICF file. Importing the ICF file will extract its contents into a local case folder and add the case to the Case Manager s list Creating a new case Choose Create a new case to create a new local case from scratch. When the Create New Case dialog is displayed, give the case a name, enter an optional description, enter the name of the investigator creating the case and select a location where you want to store the data that belongs to this case. Note: The default location for data storage, visible when you click the Suggest button, is C:\Users\<username>\AppData\Roaming\Intella\cases When you use a different parent folder, subsequent cases will default to a subfolder in that parent folder. Page 50 Intella User Manual 2017 Vound

51 The selected case folder will be checked for being a hard disk formatted with the NTFS file system. A warning is displayed when this is not the case, e.g. when a FAT file system is used, which has file size limitations unusable for Intella, or when a USB flash drive is detected, which is not recommended for various reasons. Note: When processing a large case (> 100 GB of evidence files), it is advisable to format the NTFS disk with a cluster size that is larger than the default (usually 4 KB). This reduces the chance of defragmentation issues during indexing. Furthermore, it is recommended to turn off disk compression. Clicking on the Advanced button adds more options that normally are only necessary when dealing with very large cases (hundreds or GBs or more): The optimization folder can be used to speed up indexing by distributing certain database files during indexing across the case folder drive and the optimization folder drive. See the Storage considerations section for more details. The memory allocation settings can normally stay at Auto. See the Memory Settings section for instructions on how to use this Opening a shared case In the Add Case dialog, select Open a shared case to open a case on another machine that has been shared by a TEAM Manager user. A Create new case dialog will open that asks for a Case URL, investigator name and passphrase. This information should be provided to you by the case administrator (typically the TEAM Manager user). Check the Remember passphrase checkbox if you want to store the password locally, so that you don t have to re-enter it each time you select the case in the Case Manager and click Open. Click Check connection to test the URL and passphrase. If the credentials successfully give you access to the case, a Connection OK status message will display and the case name and description will be loaded from the server. Click Suggest or enter a custom data folder for local storage. This folder will hold local log files, user preferences, etc. The memory allocation settings can typically be left to their default value. See the Memory Settings section for more information on this. Now the case will be added to the Case Manager list and will open instantly when you keep the Open case immediately checkbox selected Opening an existing case not in the list In the Add Case dialog, select Add an existing case. This will open a dialog prompting you to choose a case file (case.xml). This file is in the top-level case folder. Choose the case file and click on Open. The case will now be added to the Case Manager s list and can be opened by selecting the case and clicking the Open button. Page 51 Intella User Manual 2017 Vound

52 8.1.4 Importing a case In the Add Case dialog, select Import a case. This will open a dialog prompting you to choose an Intella case file (.icf file). Choose the case file and click on Import. Once importing has completed, the case will be added to your Case Manager s case list. 8.2 Opening a case Opening a case is merely a matter of selecting the case in the Case Manager s list and clicking the Open button. The Case Manager window will disappear and Intella s main screen will be opened. This may take some time, depending on factors like disk speed, case size and concurrent tasks performed by the PC. In some scenarios, a case may be grayed out: There may be a lock icon next to the case name, with the text Case in use. This indicates that there is already a process running that is accessing this case. Access to the case is blocked for other processes to prevent damage to the case databases. This locked status will disappear as soon as the other process has ended. If there is no other Intella window visible, it may be that an earlier Intella session did not exit correctly and completely, still holding the lock. A reboot of the machine is the simplest solution to fix this situation. If the case folder is on a shared network drive, then it may also mean that an Intella process on another machine is accessing the case. In that scenario rebooting the local machine will not help; the process on the other machine must be ended first before other processes can open the case again. The case data folder that the cases.xml file points to cannot be found or does not contain a case.xml file. In that scenario, the case will be listed as Unnamed case. All other grayed out and disabled cases are cases made with Intella 1.6.x or older. These are not supported by Intella 2.0. See the Release Notes for details. 8.3 Editing a case In the Case Manager, use Edit to open the Edit case dialog to change the name, description, and the investigator s name. You cannot change the Data folder. For remote cases the case name and case description cannot be changed. Page 52 Intella User Manual 2017 Vound

8.4 Deleting a case In the Case Manager, use Delete to remove the selected case(s) from the Case Manager s cases list. You will be asked to confirm the deletion.

53 8.4 Deleting a case In the Case Manager, use Delete to remove the selected case(s) from the Case Manager s cases list. You will be asked to confirm the deletion. By default, only the reference to the case is removed, the case folder is left intact. By checking Also remove the related case folders from disk, the case folder will be permanently removed as well. Warning: removal of the case folder cannot be undone. Also, all files that you may have placed manually in the case folder will also be removed. 8.5 Exporting a case In the Case Manager, use Export to export the selected case. Choose a name and folder for the ICF file in the Choose file to export the case dialog and click Save. Once the case file has been created, a dialog is shown that lists the location of the created ICF file. This file is to be handed out to the investigators that need to work on this case. The dialog also lists the location(s) of the evidence file(s) used in the case. These only need to be distributed when the receiver of the ICF file needs to be able to re-index the case. For all other tasks, including exporting, the case is fully self-contained. 8.6 Sharing a case In the Case Manager, use Share to share the case for other TEAM Manager and Viewer users. The TEAM sharing functionality requires a free network port on your computer for communicating with the reviewers. By default, port 8080 will be used, but you can specify a different port number before starting the case sharing. In case the port is already used by another application Intella will be unable to share the case and report an error. This also means that, when sharing multiple cases on one machine, each case needs to be assigned a different port. Also, the port(s) needs to be reachable for other machines, which may involve setting some firewall rules. When sharing a case for the first time, you will need to authorize the reviewers. You can add, enable and disable user accounts for the shared case by clicking the Authorizations button. This can also be done when the case is already being shared. To start the case sharing, click the Share case button. When this process has completed, you will see two new buttons: one for unsharing the case and a Copy button. The latter button can be used to copy an invitation text to the Windows clipboard, which you can then paste into, for example, an to the reviewers. This invitation text contains one or more case links that indicate the network address and port for the shared case. These addresses are based on the configuration of the computer s network adapters and should work fine in most local networks. In more advanced network setups, for example when using Network Address Translation (NAT), you may need to change the case links for the reviewers. Your network administrator should be able to assist you with this. Page 53 Intella User Manual 2017 Vound

54 When investigators connect to the case their usernames will be shown in the Users view on the top-right. The Event Log on the bottom of the screen will show the user activities like item reviews and exports. All tags, flags and comments will be stored in the central, shared case and will immediately be visible to other investigators connected to the case. To stop the case sharing, click the Unshare case button. Page 54 Intella User Manual 2017 Vound

55 9 Overview of the Intella interface Intella s main window consists of (minimally) three tabs: the Insight tab, the Search tab and the Keywords Tab. Optionally, one or more Review tabs can be present. Together they give access to all information stored in an Intella case. Another prominent window is the Previewer, showing detailed information about an item. The Previewer can be opened by clicking or double-clicking on certain elements within the Insight or Search tabs. This chapter gives a brief overview of these user interface parts. More detailed information is provided in later chapters. 9.1 Insight view The Insight view shows notable aspects of the indexed evidence files and possible next steps to take. The overview given here can help an investigator get a grasp of the case s contents, such as the encountered item types and their volumes, date ranges, web browser activity, etc. This will help formulating follow-up questions for further research. Most elements in this view can be clicked or double-clicked, which starts a search in the Search tab or opens a corresponding item in the Previewer. Page 55 Intella User Manual 2017 Vound

56 9.2 Search view The Search view allows for arbitrary searches in the case data using keywords or one of the navigation facets such as date, location, item type, etc The Keyword Search panel is the place to enter search terms or phrases. 2. The Facet Search panel shows a list of facets for searching and filtering results. Each facet represents a different dimension in which the items can be discerned. Select a facet from the list to see the navigation options offered by that facet, shown beneath the list. 3. The Searches panel shows the user s keyword and facet queries, together with their result count. 4. The Results panel shows the search result sets of these queries in various ways, by grouping the items in a certain way. 5. The Details panel shows a table, list, thumbnail view or timeline view of the results in a selected element in the Results view. It is populated by selecting elements in the Cluster Map, Geolocation view, Histogram, Social Graph or Searches list. Click or double-click (depending on the chosen view) on an item to view in in full detail in the Previewer. Page 56 Intella User Manual 2017 Vound

57 9.3 Keywords view The Keywords view allows the user to gather statistics on the keywords in a keyword list. After selecting or adding a new keyword list, the user can choose on what document fields the keywords need to be evaluated, e.g. the document text, headers, authors, etc. Furthermore, the user can choose what statistics need to be calculated: the number of items matching the query, the number of hits (occurrences) of each query, the item count per custodian, etc. Once all options are configured as desired, the user can click the Calculate button. This will populate the table row by row. Page 57 Intella User Manual 2017 Vound

9.4 Previewer The Previewer is typically opened by clicking on elements in the Insight or Search tab, but it can also be opened by clicking on hyperlinks in the Previewer s own Tree tab, or by using

58 9.4 Previewer The Previewer is typically opened by clicking on elements in the Insight or Search tab, but it can also be opened by clicking on hyperlinks in the Previewer s own Tree tab, or by using the Preview item option in the Sources menu and entering the item s ID Use the tabs at the top to inspect an item s contents, headers, properties, attachments, thumbnails, tree structure, extracted terms, comments and performed user actions. The tabs shown for a specific item depends on the item type and its data. Bold tab names indicate the presence of a keyword search hit in the text inside that tab. 2. The Contents tab always starts with a summary of important information of the item, followed by a document or message body, image content, etc. 3. When the Search view shows the results of one or more keyword queries, the status bar at the bottom will show the keywords found in the current item and offer buttons to navigate from hit to hit. 4. The toolbar on the left lets one navigate to and search for related items, annotate the current item in various ways and produce the current item in several formats. Page 58 Intella User Manual 2017 Vound

10 Sources Sources are one of the key concepts of Intella. They represent the locations where items such as emails, documents and images can be found.

59 10 Sources Sources are one of the key concepts of Intella. They represent the locations where items such as s, documents and images can be found. Sources are explicitly defined by the user, providing full control over what information is searched Source types Intella distinguishes between various types of sources. The Add New Source wizard organizes them in two columns: sources dealing with local evidence files on the left and sources dealing with cloud or server-based data on the right; Their meaning is as follows: File or Folder: A single file or folder with source files on a local hard drive or on a shared/network drive. Such source files could be: o Regular loose files like MS Word, Excel and PDF files. o containers such as MS Outlook PST/OST and IBM Notes NSF files. o Cellphone XML reports such as made by Cellebrite XRY, MicroSystemation s XRY and Oxygen Software s Forensic Suite. Page 59 Intella User Manual 2017 Vound

60 o Even large containers like EDB files and disk images can be indexed this way, together with many other files in one go. The downside of doing this is that any EDB- or disk image-specific configuration options are not available this way. Load file: A Concordance, Relativity or CSV load file. Hotmail Search Warrant Result (experimental): a collection of files in HTML and other formats, provided by Microsoft pursuant to a search warrant. Disk Image: One or more disk images in E01, Ex01, L01, Lx01, S01 or DD format. MS Exchange EDB Archive: a single MS Exchange EDB file. IMAP account: An account on an IMAP server. Dropbox: all files stored in a personal Dropbox or DropBox for Business account. Gmail: A Gmail account. SharePoint: The complete contents of a SharePoint instance. Office 365: The complete contents of an Office 365 account, incl. the Outlook, OneDrive and SharePoint services of that account. Notes on mail formats Intella supports PST and OST files created by the following versions of Microsoft Outlook: 97, 98, 2000, 2002, 2003, 2007, 2010, 2013 and Make sure that Intella has exclusive access to the PST or OST file; it cannot be open in Outlook or other application at the same time. Intella will try to recover the deleted items from the file. Recovered items will be placed in a special folder named <RECOVERED>. Furthermore, Intella may encounter items outside the regular root folder. Any such items are placed in a special folder called <ORPHAN ITEMS>. There is limited ability to recover deleted s from OST 2013 files, this is being worked on. To index NSF files, IBM Notes 8.5 or higher needs to be installed. For NSF files made with IBM Notes 9 it is recommended to install IBM Notes 9. Intella supports all NSF files that can be processed by the installed IBM Notes version. Make sure that Intella has exclusive access to the NSF file; it cannot be open in a Notes client or other application at the same time. Only NSF files containing s are supported by Intella, all other types are not supported. Make sure to use a default Notes installation and user configuration. A corporate Notes installation is often problematic for indexing, e.g. because of installed plugins interfering with access to the NSF file, the installation being tied to the corporate identify management system, etc. Intella 2.0 contains experimental support for indexing Notes deletion stubs. Extraction of deletion stubs is disabled by default. To enable it, add the following line to the case.prefs file: NotesIndexDeletionStubs=True Tip: The IBM Notes tool nupdall.exe can be used to convert older NSF files to NSF files that can be processed by IBM Notes 8.5 and higher. Intella supports DBX files created by the following versions of Microsoft Outlook Express: 4.0, 5.0, 6.0. Page 60 Intella User Manual 2017 Vound

61 Intella has been tested on Thunderbird Mbox files. Intella supports MS Exchange EDB files of Exchange versions 2003, 2007 and Notes on cellphone formats When indexing Cellebrite, MicroSystemation or Oxygen cellphone reports, each report should be in its own subfolder. Any additional files that were produced together with the XML report, such as audio, video and image files, should have the same relative location to the XML file as the exporting application produced them. These two requirements are crucial for correctly linking the binary files with the XML report. Finally, no other evidence files should be placed in these folders, as they will be ignored. The folder should reside in the file system, i.e. not in a ZIP file or disk image, as quick random access is needed to be able to process the files linked from this report. A folder with the XML report and its related files can in principle be indexed straight away. However, most XML reports will often only contain the external numbers related to the calls and messages, i.e. the number of the phone itself is not in the report. This has valid technical reasons (e.g. it cannot be guaranteed that the current SIM card was used for these calls and messages), but it makes analysis of the communication a lot harder. Also, Intella functionalities like message deduplication require this information. When the number is known by the investigator, e.g. obtained from the network provider, it may be specified through a separate text file: 1. Create a text file named after the XML report. For example, if the report is called report.xml, the text file should be named report.numbers.txt. 2. Put it in the same folder as the XML report. 3. Store the phone s own number in this file. When the XML report holds information about multiple phones, enter the number of each phone on a separate line, like this: number1 number2 < > The first line will be used for the first phone found in the report, the second line for the second phone, and so on. When indexing XRY s XML reports, we recommend using the Extended XML report introduced in XRY 6.4. This new format solves many issues with the encodings of dates and other fields. Furthermore, the older XML format did not support exporting binary items. To get binary items with the Extended XML report, you need to select the Export media files and manifest option. Important: The XML formats used by these cellphone extraction vendors are often evolving over time and are not fully documented. While we strive to extract all information from these reports as completely and correctly as we can, we can only offer this functionality on a best-effort basis. We recommend that you verify any results that you may rely on in your report with the original cellphone extraction software. Notes on IBM Sametime dumps When indexing an IBM Sametime dump, each dump and its related files should be in its own subfolder. This should be file system folder, i.e. not a ZIP file or disk image, as quick random access is needed to be able to process the files linked from this report. Common file locations MS Outlook PST and OST files are typically located in the following folder: Page 61 Intella User Manual 2017 Vound

62 Windows Vista, Windows 7, Windows 8/8.1 and Windows 10: C:\Users\<username>\AppData\Local\Microsoft\Outlook Windows 2000 and XP: C:\Documents and Settings\<username>\Local Settings\Application Data\Microsoft\Outlook MS Outlook Express DBX files are typically located in the following folder: Windows 2000 and XP: C:\Documents & Settings\<username>\Local Settings\Application Data\Identities\{<arbitrary string>}\microsoft\outlook Express IBM Notes NSF files are typically found in the following folder: Version 7.x: C:\Program Files\Lotus\Notes\Data Version 8.x: C:\Program Files\IBM\Lotus\Notes\Data Version 9.x: C:\Program Files\IBM\Notes\Data Notes on cloud sources Each of the supported cloud services (Dropbox, Gmail, SharePoint and Office 365) provides a so-called REST API for data retrieval. Access to a cloud service via this API often requires an authorization token, rather than or in addition to a username and password. Each cloud service provides a web portal where users can register the client application (in this case: Intella) and obtain the authorization token. Depending on what the REST API supports, Intella uses read-only data operations wherever possible, as to minimize changes to server-side data. Nevertheless, access may be visible to the cloud service and to the account holder, e.g. due to the presence of an authorization token in the server settings, access logging, altered metadata, etc. Notes on document length The indexing of a document text for keyword search can consume a considerable amount of RAM. With multiple documents being processed in parallel, this carries the risk of one of Intella s processes running out of memory. To combat this, Intella imposes a maximum length to the document text. This way, typically problematic textual files such as large server logs and database dumps in CSV format can be processed without terminating the indexing abruptly. The maximum length is set to 50M (52,428,800) characters in the 64-bit version and 10M (10,485,760) characters in the 32-bit version. Any text beyond that point is skipped. Consequently, the document will not be returned when using query terms that only occur after this point. Affected documents can be located using the Exception Items category, Truncated text branch in the Features facet. The limit can be adjusted on a case-specific basis via the case.prefs file. For example, alter or add the following line to set the limit to 100M characters: ItemTextMaxCharCount=100M A future Intella version will make this configurable via the user interface. The limit can also be adjusted globally via the Intella.l4j.ini file: -Dintella.itemTextMaxCharCount=100M Page 62 Intella User Manual 2017 Vound

63 10.2 Adding sources Adding sources to Intella is done with the Add New Source wizard. You can start this wizard by selecting Add New from the Sources menu or by typing CTRL+N Files and Folders Follow these steps to add a File or Folder source to Intella: 1. Source Type Start the Add New Source wizard from the Sources menu. (Sources > Add New...). Select File or Folder and click Next. A folder tree will be displayed next. 2. Specify File or Folder Select the folder or file from the tree that you want to index, or enter the folder or file name in the text field above the tree. When selecting a folder, all files in the selected folder will be indexed. When the Include subfolders checkbox is selected, files in all subfolders (and sub-subfolders, etc.) will also be indexed. When the Include hidden folders and files checkbox is selected, hidden files and folders will be indexed as well. Note: Folder trees containing many items may take some time to be displayed. Please be patient. Click Next to continue. The last steps in the definition of a source are almost the same for all types. They are described in the section Last steps in a source definition Load files Tip: The built-in export and import templates "Intella Standard Relativity Export (All Columns)" and "Intella Standard Relativity Import" can be used to export items and re-import them in another case, effectively creating a subset of the original case. Please note that not all metadata fields are supported. Follow these steps to add a load file to an Intella case: 1. Source Type Start the Add New Source wizard from the Sources menu. (Sources > Add New...). Select "Load file" and click Next. 2. Import Load File Select the import operation: New Data or Overlay. When New Data is selected, Intella will import new items to the case. An Overlay operation is used to import tags, comments and tag columns into existing items. Add the file name and location of the load file that you wish to investigate; click the Browse button to browse for the file. If the load file comes with an Opticon image file, then you should specify it in the "Opticon image file" field. Specify the source name. Specify the custodian. If the custodian information is stored in one of the columns, then leave the text field empty and use the column chooser on the Map Fields page instead. Page 63 Intella User Manual 2017 Vound

64 Specify the time zone. By entering the time zone, all dates associated with items from this load file will be displayed in that time zone, rather than the time zone of the investigator s system. You can use a previously saved import template. Click the Default button to clear the selected template. Click Next to continue. 3. Configure Delimiters On the "Configure Delimiters" page you can set the file encoding and delimiter settings for: Column delimiter the character that separates the columns in the load file. Text qualifier the character that marks the beginning and end of each field. New line the character that marks the end of a line inside a text field. Multi-value delimiter the character that separates distinct values in a column. Currently it can be used with the "Tags" column only. Escape character the character that is used for escaping a separator or quote. Strict quotes sets if characters outside the quotes are ignored. Use absolute path select this option when the load file uses absolute paths rather than relative paths. You can click the "Detect Encoding" button when you are not sure about the encoding used in the load file. You can specify date and time formats in the right part of the screen. You can click on the "Date format quick reference" to show the syntax details. Intella will validate the load file using these settings and display the validation result in the status line. When the file can be validated successfully, the number of columns found in the load file will be displayed. When validation fails, a reason will be given in this line. The Load file preview table can be used to make sure that you have specified the correct parameters for the load file. Additionally, the "Image preview" panel will show the first image associated with the selected table record. It can be used to ensure that the Opticon file is correctly loaded. The "Text preview" shows the raw text of the load file and can be used to check the delimiters. 4. Map Fields Overlay options: this is only used when Import operation is set to Overlay. See the "Importing an overlay file" section for details. External files: i. Select the "Load native files" checkbox if you want to import original format files associated with the load file into the case. Specify the column containing the paths to the native files. When the native files are imported, you will be able to use functions such as Preview tab and Open in External Application. ii. If you select the "Extract type information from native files" check box, then Intella will analyze the native files and import the type information into the Mime Type and Type columns. This option may be useful in case the load file does not have any type information such as File Extension. Page 64 Intella User Manual 2017 Vound

65 iii. Select "Load extracted text" when you want to import the extracted or OCRed text of the document. Select the "Extracted text column is a link to an external file" checkbox when the column contains a link to the text file rather than the text itself. Select "Analyze paragraphs" to let Intella determine the paragraph boundaries and to let it build a database registering which paragraph occurs in which item and where (see section " Last steps in a source definition" for more details). When the extracted text is imported, it will be shown in the Contents tab of the Previewer. Field mapping You can see the Field chooser in the bottom part of the panel. The table on the left shows all fields in the load file ("Load file field") and the Intella columns they are mapped to. In the table on the right you can see the list of all Intella columns available for mapping. To map a column: i. Select one of the load file fields on the left. ii. Select one of the columns on the right. iii. Click the left arrow button. That will move the selected column from the right to the left table. Click the right arrow button to remove the selected mapping. When the load file contains a field that cannot be mapped to any existing columns, then you can create a tag column and map the field to it. Click the "Add tag column" button to add a new tag column to the right table. Click "Remove tag column" button to remove the selected tag column. Click the "Clear all" button to remove all the selected columns from the right table. Click the "Save template" button to save the current settings as an import template which can be reused later. Select the "Extract text and metadata from native files" checkbox when you want to extract the text and metadata from the native file. Note that Intella will replace any original metadata from the load file with the new metadata extracted from the native file. The option is turned off by default. It is highly recommended to resolve all errors by clicking the "Check for errors" button before importing the load file. That will let Intella validate the load file using the entered settings. Among other things, it will check each row and ensure that: The Document ID is unique and not empty. The Parent ID refers to an existing record. Native and extracted text paths are correct. Date and time fields can be parsed using the selected date and time formats. The MD5 field contains a valid MD5 hash. Number fields such as File Size and Page Count contain a valid number. Boolean fields such as Encrypted and Decrypted contain either true or false. The Source IP field contains a valid IP address. Select the "Skip error records" checkbox to instruct Intella to skip items with errors during import. Note: Date and time values (separate columns) will be merged into one column. Important notes on load file importing There are several aspects to be aware of when importing a load file into an Intella case: Page 65 Intella User Manual 2017 Vound

66 All paths in the load file to external resources should be relative to the load file, unless the "Use absolute paths" checkbox is selected. The original load file record identifiers will be imported into the "Document ID" and "Parent Document ID" columns and can be used in a subsequent load file export. Imported images can be viewed in the "Image" tab in the Previewer. Custom fields that are not supported by Intella s data model can be imported using Tag Columns. Note however that tag columns are designed to hold tag-like data where the number of unique values is not high. It is not suitable for importing columns where each item contains a unique value, like an external identifier. This functionality may be added in a future release. You can save the specified load file import options as a template for later usage on the last page using the button Save Template. All import templates are stored as XML files in the "<Intella System Folder>\importtemplates" folder Hotmail Search Warrant Results Important: This source type is still in an experimental stage. We welcome any feedback; please visit our support portal at Follow these steps to add a Hotmail Search Warrant Result to Intella: 1. Prepare evidence files The evidence files you have received may consist of a folder containing a Click Here.html file and some legal files related to the search warrant, with a subfolder for each account involved. It may also be that you have only one of those account subfolders, recognizable by a Folders.html and Messages file in this folder. In case you have received a ZIP file or some other type of archive file, please unpack this archive file first. 2. Source Type Start the Add New Source wizard from the Sources menu. (Sources > Add New...). Select Hotmail Search Warrant Result and click Next. 3. Specify File Select the folder holding the Hotmail Search Warrant Result files that you wish to investigate: click Open to browse for folders. Select the top-level folder of the provided file collection and click Open. Click Next to continue. The last steps in the definition of a source are almost the same for all types. They are described in the section Last steps in a source definition Disk Images Follow these steps to add a Disk Image source to Intella: 1. Source Type Start the Add New Source wizard from the Sources menu. (Sources > Add New...). Select "Disk Image" and click Next. 2. Specify Files Specify the location of one or more image files: click Add to browse for image files. Select the Page 66 Intella User Manual 2017 Vound

67 image file and all its parts and click Add. All selected files will be listed in the disk image list. Alternatively, one can select a single image part and then click Find Parts. Intella will then try to find the related image parts that belong to that same multi-volume image (see below) and add them to the list. Files of a multi-volume image should be listed in the correct order. Select rows and use the Move Up and Move Down buttons to put files in the correct order. 3. Select files and folders to process Indicate which files and folders should be processed by selecting a pre-defined profile or creating a custom one. See below for detailed instructions. The last steps in the definition of a source are almost the same for all types. They are described in the section Last steps in a source definition. Important: A single disk image source should only contain the files relating to a single conceptual image. Files relating to a different image should be entered as a separate source. Important: Due to limitations in the indexing framework it is not possible to include or exclude compound file types such as the newer MS Office file formats (based on ZIP) or the older MS Office file formats (based on OLE). Please use filtering by file extension instead. This shortcoming will be addressed in a future Intella version. Filtering disk image content A disk image often contains a lot irrelevant files, such as executables, DLLs. These files add to the processing time and disk space that the case will consume. It is possible to define a set of rules to filter out unnecessary files and folders, to save processing time and disk space. On the File types and locations page you can choose either to index all the data by selecting "Index all files and folders" check box, or use a specific disk image indexing profile. There are several built-in profiles: All supported files. Index all file types supported by Intella. Supported means that Intella can do something meaningful with it besides detecting the file type, i.e. it can extract text, metadata and/or embedded items from the file, or display it as an image. All executables for example are not hashed and cached with this profile. All supported files, exclude system files. Index all file types supported by Intella and exclude three system folders: "Windows", "Program Files" and "Program Files (x86)". Mail stores. Index only mail store files: PST, OST, NSF, Mbox, etc. Mail stores, exclude system files. Index only mail store files. Also, exclude the three system folders listed above. You can also adjust any index profile to your needs. To create a new profile, type a new name in the "Use index profile" box and click the Save button. You can delete any profile by selecting it first and clicking the Remove button. The first section on this page defines the rules on which files should be included or excluded. You can filter files by type and by file name. If you select "Include selected entries", then only the listed files and file types will be indexed. Otherwise, the listed entries will be excluded. Note that you use wildcard names such as "*.txt" to filter all files that end with ".txt". A single "File name" entry can contain only a single file name definition; you cannot enter several file names in a row such as "*.txt, *.exe". You should add two separate entries to the list in this case. Page 67 Intella User Manual 2017 Vound

68 The second section on this page defines a list of locations that should be included or excluded. If you select "Include selected entries" then only the listed locations will be indexed. Otherwise, the listed locations will be excluded from indexing. You can adjust the folder selection on the next screen called "Select Folders". All index profiles are stored in XML format in the "<Intella System Folder>\index-profiles" folder and can be used in all local cases. Note that search results can also be filtered after indexing, using the Hide Irrelevant filter option in the Details tab. Supported disk image formats The Disk image source type supports EnCase E01, Ex01, L01, Lx01 and S01 files. Password-protected files are supported and indexed without manual interaction, except for FTK-encrypted files. DD images are supported, but when a Folder source is used, they need to use the.dd file extension to be detected and processed as DD images. Because of potential issues with DD image detection, we recommend using the Disk Image source directly. This is also required when you want to index a multi-volume DD image. Supported file systems and partition types The following file systems have been tested: FAT16, FAT32, NTFS, Ext2/Ext3, HFS/HFS+ and ISO Other file systems such as EXT4, ExFAT, YAFFS2 and ISO (UDF) may work but have not been tested yet. MBR and GUID partition tables (GPT) partitions are supported. Apple Partition Maps (APM) have been tested but results were mixed. When Intella fails to index such an image, we recommend mounting it manually and indexing the mounted drive using a File or Folder source. Multi-volume files When using a Folder source to index multiple image files, Intella will rely on the following file name convention to determine which files together make up a single image: image1.e01 (first volume of image 1) image1.e02 (second volume of image 1) image1.e03 (third volume of image 1) image2.e01 (first volume of image 2) image2.e02 (second volume of image 2) image2.e03 (third volume of image 2) image2.e99 (99 th volume of image 2) image2.eaa (100 th volume of image 2) image2.eab (101 st volume of image 2) MS Exchange EDB Archives Important: The 64-bit version of Intella is required to process EDB files. Important: Processing an EDB archive may require to adjust memory settings. Please see the Memory settings" section for detailed instructions. The currently supported MS Exchange versions are 2003, 2007 and Follow these steps to add a MS Exchange EDB Archive source to Intella: Page 68 Intella User Manual 2017 Vound

69 1. Source Type Start the Add New Source wizard from the Sources menu. (Sources > Add New...). Select "MS Exchange EDB Archive" and click Next. 2. Specify EDB File Specify the location of the EDB file you wish to investigate: click Add to browse for the file. Select the file. Click Next to continue. 3. Select Mailboxes Indicate which mailboxes should be processed. You can click the Select All button in order to process the entire archive. Click Next to continue. The last steps in the definition of a source are almost the same for all types. They are described in the section Last steps in a source definition. When an EDB source has been added and not all mailboxes were selected, it is still possible to index additional mailboxes in that EDB file at a later stage. To do that, the following steps should be performed: 1. Start the Edit Sources dialog from the Sources menu (Sources > Edit Sources). 2. Select the source from the list in the left panel and click "Select mailboxes...". 3. Indicate which mailboxes should be processed. Note that you cannot unselect or remove already processed mailboxes. Click OK. 4. Close the Edit Sources dialog, saving the changes. 5. You will see a message dialog asking "Some of the sources have been modified to include new data. Would you like to index new data now?". Click Yes to index the new mailboxes. 6. When you clicked No in the previous step, you can index the new mailboxes at a later point in time by selecting Index new data in the Sources menu IMAP accounts Important: The IMAP standard is implemented in many ways. Furthermore, some mail servers may throttle the network connection during mass downloads. We tested Intella on several IMAP servers with good response. However, we cannot guarantee that Intella can create IMAP account sources for every IMAP server. Tip: We recommend using a mail client to download the entire mailbox and indexing the resulting PST or Mbox file instead, rather than using Intella to download the mailbox. This way a copy of the mailbox is created outside of the Intella case. This results in a cleaner and better auditable workflow, allowing e.g. cross-validation of the investigation results with other forensic tools or indexing with future Intella versions. Follow these steps to add an IMAP Account source to Intella: 1. Source Type Start the Add New Source wizard from the Sources menu. (Sources > Add New...). Select "IMAP account" and click Next. 2. Specify Account Enter the settings for the target account, e.g., mail.my-isp.com with the username and password. Select the use secure connection (SSL) checkbox if you want or need a secure connection to the mail server. This is recommended, because without a secure connection your Page 69 Intella User Manual 2017 Vound

70 password will be sent as plain text. Click Next to continue. 3. Select Folders In the next step, Intella will contact the specified server to retrieve the mail folder tree. If you selected a secure connection and the server uses a certificate that cannot be validated automatically, a dialog will appear that asks you whether the certificate should be accepted. Once connected, after you accept the certificate if applicable, Intella will display the folder tree of the target mail account. You can then select the folders that you want to make searchable by placing a check in the box next to the desired folders. When you want to index subfolders, you will need to select them; otherwise they will be ignored. The wizard has two convenient buttons for selecting and deselecting all folders. Click Next to continue. The last steps in the definition of a source are almost the same for all types. They are described in the section Last steps in a source definition Dropbox accounts A Dropbox source reconstructs the entire folder tree in a Dropbox account and downloads current and past revisions of the files in the account. The official Dropbox REST API used by Intella limits this to a maximum of 10 revisions per file. All revisions except for the last one have their file names decorated with the revision identifier. Furthermore, additional Dropbox-specific metadata is retrieved for both files and folders. These are displayed in the Previewer s Raw Data tab and are subject to full-text indexing. Intella uses the OAuth2 (Open Authorization) protocol to access the account. Prior to defining the source, the investigator needs to obtain an OAuth2 token for the account. Follow these steps to obtain a Dropbox OAuth2 token for a given account: 1. Login to Dropbox with the account owner s credentials. 2. Go to 3. Click Create app to register Intella on Dropbox. 4. Choose between Dropbox API and Dropbox Business API. 5. Select the requested access permissions: For the Dropbox API choose Full Dropbox. For the Dropbox Business API choose Team auditing. 6. Name your application. Through trial and error, you need to find a name that is globally unique, i.e. not used elsewhere on the Dropbox site. 7. Click Create app. The application is now ready. Note: If no more than 500 users will access the application, it is not necessary to Apply for production. 8. Upon creation of the application, a details page is displayed. In the OAuth2 section on the details page, make sure that you select Allow implicit grant and click the Generate button to generate an Page 70 Intella User Manual 2017 Vound

71 OAuth2 token. 9. Copy the generated token and save it to a file on your computer, so Intella can import it later. Next, follow these steps to add a Dropbox source to Intella: 1. Source Type Start the Add New Source wizard from the Sources menu. (Sources > Add New...). Select "Dropbox" and click Next. 2. Connect to Dropbox Open the OAuth2 token in a text editor. Copy the file s textual content into the Oath2 Token field in the wizard. Click Connect to Dropbox. A connection will be established and the token will be validated. If the token validation is successful, basic information about the account such as the account owner s name and address will be shown beneath the token field. Note the Help button above the token field. Clicking it will display the steps required to create the OAuth2 token. Click Next to continue. 3. Select Files or Folders Besides indexing of the entire account, it is also possible to index specific files or folders only. The next wizard sheet shows the folder tree of the account. Nested folders are loaded on demand when the parent folder is expanded. Click the checkboxes of the desired files or folders. Selecting a folder automatically marks all nested elements as selected. Click Next to continue. The last steps in the definition of a source are almost the same for all types. They are described in the section Last steps in a source definition Gmail accounts A Gmail source reconstructs the mail collection in a Gmail account. Optionally, the set of retrieved s can be restricted to a certain date range. Benefits of using the Gmail source over the generic IMAP source are: faster performance, more accurate data representation (e.g. folders vs. Gmail s Labels, threads), and a read-only data connection ensuring that no data is altered on the server. Intella uses the OAuth2 (Open Authorization) protocol to access the account. Prior to defining the source, the investigator needs to obtain an OAuth2 token for the account. The token will be downloaded as a JSON file, which Intella can use to access the account. Follow these steps to obtain a Gmail OAuth2 token for a given account: 1. Login to Gmail with the account owner s credentials. Page 71 Intella User Manual 2017 Vound

72 2. Go to API Manager: 3. Choose the Library option and then select Google Apps APIs > Gmail API. 4. Click Create project. 5. The Create Project page shows up. Name your project, answer the remaining questions and click Create. 6. Upon creation of the project, you are redirected back to the Library. Click Enable to allow connecting to Gmail through the created API project. 7. Choose the Credentials option in the API Manager. 8. Next, the Credentials page shows up. Select Create credentials and choose OAuth Client ID. 9. To create your OAuth client ID, first click Configure consent screen. Name your product (e.g. Intella) and click Save. There is no need to fill in the remaining options. 10. Once the consent screen has been configured, you are redirected back to Create Client ID page. Select Other as application type and enter a client name (e.g. Intella). Click Create. 11. On the Credentials page, you can see the created OAuth client ID. Click the Download JSON button on the right to save your client ID on your computer, so Intella can import it later. Next, follow these steps to add a Gmail source to Intella: 1. Source Type Start the Add New Source wizard from the Sources menu. (Sources > Add New...). Select "Gmail" and click Next. 2. Connect to Gmail Click the Browse button and select the JSON file saved above in the file chooser that opens. Click Connect to Gmail. A connection will be established and the token will be validated. A browser window will automatically open, through which Gmail will request permission to continue. If the token validation is successful, basic information about the account such as the account owner s address and the total number of s will be shown beneath the OAuth2 File field. Note the Help button above the OAuth2 File field. Clicking it will display the steps required to create the OAuth2 token. Click Next to continue. 3. Configure Download Select whether all messages are to be downloaded or whether a date filter is to be applied. If so, enter the desired date range. Page 72 Intella User Manual 2017 Vound

73 The end date is included, so that s on that day are also retrieved. Both the start and end dates are optional, making it possible to enter a half-open date range, e.g. all s since May 1 st, Click Next to continue. The last steps in the definition of a source are almost the same for all types. They are described in the section Last steps in a source definition SharePoint SharePoint is organized as a recursive hierarchical tree of sites. A SharePoint source will reflect all subsites, document libraries, discussion boards containing posts and Microfeed posts. Furthermore, a SharePoint source extract all user accounts, including both system accounts and regular user accounts. What information is required to retrieve information from a SharePoint instance depends on whether it is an on-premise instance or an instance hosted in the Azure Cloud (as a separate Office 365 service). For both types, a server URL, username and password are required. For SharePoint instances in the Azure Cloud, a client ID token is additionally required. See the section on Office 365 for information on how to obtain such a client ID token. follow these steps to add a SharePoint source to Intella: 1. Source Type Start the Add New Source wizard from the Sources menu. (Sources > Add New...). Select "SharePoint" and click Next. 2. Connect to SharePoint Enter the server URL, username and password of the SharePoint account. For Azure Cloud-hosted SharePoint instances, click the Hosted in Azure Cloud checkbox and enter the Client ID in the field that appears. Click Connect to SharePoint. A connection will be established and the token will be validated. If the token validation is successful, basic information about the account will be shown in the wizard. The following authentication methods are supported: OAuth2 (for cloud instances), Kerberos, NTLM and basic authentication. Click Next to continue. 3. Select Files or Folders The next wizard sheet shows the site and folder tree of the account. Nested folders are loaded on demand when the parent folder is expanded. Click the checkboxes of the desired sites. In this version, only entire sites can be retrieved. A future version may add retrieval of parts of a site. Click Next to continue. Page 73 Intella User Manual 2017 Vound

74 The last steps in the definition of a source are almost the same for all types. They are described in the section Last steps in a source definition Office 365 The Office 365 source types allows for retrieving both user account and user groups. For each user account, used to access Office 365, the source can retrieve data from Outlook, OneDrive and SharePoint. For each user group, the source retrieves titled conversations containing s. For Outlook, the source retrieves all folders (both standard and user-defined) and all s therein. For OneDrive, the source retrieves all folders and all files. Prior to defining an Office 365 source, the investigator needs to obtain a client ID token for the account. Follow these steps to obtain an Office 365 client ID for a given account: 1. Go to and login using the Office 365 admin credentials. 2. Click the Active Directory tab and click the active directory created for the Office 365 tenant. 3. On the tenant configuration dashboard, choose the Applications tab. 4. On the bottom toolbar, click the Add button. 5. A modal dialog opens. Click Add an application my organization is developing. 6. Enter the name of the application, select Native client application and click Next. 7. Enter a valid (non-physical) Redirect URI for the application, e.g. Click the Complete button and the application will be ready in a couple of seconds. 8. The welcome screen is opened. Select the Configure tab. 9. The Client ID key will be used by Intella to connect to Office 365, so save it somewhere on your PC. 10. Now, the created application must be granted read permissions. Click Add application. 11. Select the Microsoft Graph application and add it to the Selected list on the right. Click the Complete button. 12. You are redirected back to the Configure tab and Microsoft Graph in the table of applications. Click the Delegated permissions drop-down list and tick all Read and Sign in permissions. To ensure absolute source data protection, ensure all write permissions are unchecked. 13. Finally, do not forget to Save your changes, otherwise Azure AD will ignore them. Next, follow these steps to add an Office 365 source to Intella: 1. Source Type Start the Add New Source wizard from the Sources menu. (Sources > Add New...). Select "Office Page 74 Intella User Manual 2017 Vound

75 365" and click Next. 2. Connect to Office 365 Enter the username, password and client ID obtained above. Click Connect to Office 365. A connection will be established and the credentials will be validated. If credentials validation is successful, basic information about the account such as the tenant name and location will be shown beneath the configuration fields. Note the Help button at the top of the screen. Clicking it will display the steps required to create the client ID. Click Next to continue. 3. Select Items The next screen shows the available accounts. Select the accounts that you wish to retrieve. Selective indexing of part of the account data is not possible at this moment. Click Next to continue. The last steps in the definition of a source are almost the same for all types. They are described in the section Last steps in a source definition Last steps in a source definition The following final steps are the same for all source types. 1. Source Name and Time Zone In the Source Name and Time Zone sheet you are asked to enter a name for the source. The name will be shown in the list of sources in the Sources panel and functions purely as a label for your reference. Furthermore a suspected system base time zone can be entered. This setting indicates the time zone of the system from which the evidence file(s) were obtained. By entering this time zone, all dates associated with items from this source will be displayed in that time zone, rather than the time zone of the investigator s system. This often makes it easier to correctly interpret those dates, e.g. determine whether a given timestamp falls inside regular business hours. By default, the local time zone is used f7or new sources. Time zones supporting Daylight Savings Time (DST) are marked with an asterisk (*). Click Next to continue. 2. Items Intella makes the indexing of certain complex file types optional. You can disable this to improve indexing performance at the cost of fewer results. Select Index mail archives if you want to extract all s and attachments from mail archives like PST and NSF files. Subsequent processing of documents, archives and other items found in the attachments are still subject to the other options. Page 75 Intella User Manual 2017 Vound

76 Select index chat messages if you want to index chat messages inside Skype SQLite databases, Pidgin accounts and Bloomberg XML dumps. This also controls what happens with Skype, WhatsApp messages etc. in cellphone reports. Select Index archives if you want Intella to index files inside archives such as ZIP and RAR files. Select Index images embedded in s and documents if you want to extract images embedded in s, MS Office, OpenOffice and PDF documents. This will make these images separately searchable and viewable. Select Index databases to enable the indexing of all tables in SQLite databases. Select Windows registry to make all keys and values in a Windows registry file searchable by full-text keyword search. When turned off, a limited amount of registry indexing necessary for populating the Insight tab will still take place. The overhead for this is negligible. Select Index browser history to let Intella process the contents of web browser histories. Select recovered deleted s and Notes deletion stubs to enable the processing of deleted s from MS Outlook files (PST, OST) and deletion stubs in IBM Notes files (NSF). Select Extract text fragments from unsupported and unrecognized file types to enable heuristic string processing on all items whose type is not recognized by Intella (they are binary blobs) or whose type is not supported apart from type detection (e.g., executable files). 3. Options This sheet provides additional options affecting the time needed for indexing. Select Cache original evidence files to copy all evidence files into the case folder. Use this option if you want to create a self-contained case where the evidence files can be opened or exported even when they are not found in their original locations, for instance when the case is moved to another system). When this option is turned on, additional processing time (especially for compression) and disk space is needed. This setting has no effect on storing of the items extracted from these evidence files (e.g. the mails, attachments and other embedded items extracted from a PST file), as these are always stored in the case folder after extraction. Select Analyze paragraphs to let Intella determine the paragraph boundaries and to let it build a database registering which paragraph occurs in which item and where. This enables various search and review options at the expense of additional processing time. The required storage space is negligible. For subsequent sources this setting is forced to be same as what has been used for the first source. Select Determine the geographic location of an sender's IP address to let Intella estimate the geographic location of an senders IP address, using a lookup table. To be able to use this feature, a GeoIP2 or GeoLite2 database needs to be present. See the Preferences section for how to properly set up a GeoIP2/GeoLite2 database. Click Next to continue. 4. Tasks This sheet lets the user define post-processing steps that need to take place once all evidence files have been crawled and all indices have been build. See the Tasks section for more details. Page 76 Intella User Manual 2017 Vound

77 5. Completed Source Definition Finally you will be presented with a dialog to inform you that you have successfully defined a new source. You may optionally start indexing the source. Indexing is required to be able to search and explore the items in this source. Once you click the Finish button, the indexing process will proceed per the options you have selected. Tip: Because the active indexing process prevents you from interacting with the rest of the program until finished, you may wish to skip this part now (e.g., to define more new sources) and index the sources later by clicking the Re-index menu item in the Sources menu. Note: At any time except before the step "Completed Source Definition, you can click the Cancel button to return to the Intella interface without having added a new source to the case Indexing After defining a source, Intella will index it. During indexing it will inspect all items ( s, files etc.) that it can find in the source file(s), enabling Intella to return instantaneous results during your investigation for relevant evidence. Warning: Having anti-virus software active during indexing can lead to certain items not being indexed. This will usually be restricted to the files that are blocked by the anti-virus software, but this cannot be guaranteed. Running anti-virus software may also affect indexing performance. During indexing, you will see an overlay displaying various types of information: Statistics on indexing speed. Statistics on encountered file types. The amount of data that is being indexed and how much has been indexed already. The number of indexing steps to perform, which current step is being performed and (for some steps) a progress percentage. You will not be able to interact with the rest of the program while this dialog is shown. Resizing and minimizing the main window remains possible though, as is stopping the index process. You can stop the index process at any time by clicking the Stop button. Intella will finish processing the current item and then complete its case databases with the information that has been extracted thus far. Afterwards it will let you close the dialog. Re-indexing a case There may be circumstances when you want to re-index the entire case, e.g. to use extraction features offered by a newer Intella version or fix a broken index. To rebuild the case index from scratch, use the Re-index option in the Sources menu. Intella will remove all indices it has previously created and create new ones. For this to work, all evidence files must be present at the location they had during the initial indexing. Warning: The result of any OCR-ing (see the OCR chapter) will be deleted during re-indexing; all OCR processing must be redone after re-indexing. Page 77 Intella User Manual 2017 Vound

78 Any tags, tag columns, flags and comments will be retained during re-indexing. This includes annotations obtained via an overlay file or through import of an Intella work report (.iwr file). Updating a case Alternatively, there may be times when you want to update an index, e.g. in the following scenarios: Files and/or folders have been added to folders that have already been indexed. New sources have been defined but were not indexed immediately. The set of mailboxes to index in an EDB source has been extended. You interrupted indexing using the Stop button. In these cases, the Index new data option in the source menu will scan all sources for new evidence items. Items that have already been indexed are not changed, also when their original evidence items are no longer available Automatic item decryption Intella can automatically decrypt several file formats, if the required credentials are supplied before indexing starts. Therefore, you may want to uncheck the checkbox in the Add Source wizard that starts indexing and use the Re-index option (see above) after these credentials have been entered Supported formats The following file formats can be decrypted by Intella when the credentials are specified before indexing: IBM Notes NSF files. S/MIME- and PGP-encrypted s, regardless of the container type they reside in (e.g. EML, MSG, PST, OST, NSF, Mbox, DBX). PDF documents. Old format MS Word documents (.doc) and MS Excel spreadsheets (.xls). MS PowerPoint (.ppt) is still being worked on. MS Office 2007 formats (OpenXML):.docx,.xlsx,.pptx, ZIP, RAR and 7-Zip archives. Partial support for ZipX. Furthermore, password-protected PST files can be automatically decrypted without specifying any passwords Supplying access credentials To let Intella automatically decrypt the encrypted items that it encounters, their keys (passwords, certificates, etc.) need to be added to the Key Store first. Click File -> Key Store and follow the instructions below. Afterwards you can (re)index your data and let the items be decrypted automatically. All credentials that you enter will be tried on all encrypted files to which they can apply. It is therefore not necessary to specify e.g. which password applies to which file or file type. After indexing you can see which items were successfully decrypted by using the "Decrypted" category in the Features facet or by using the "Decrypted" column in the Details table. Note: due to technical reasons, decrypted NSF files will not be marked as such. Page 78 Intella User Manual 2017 Vound

79 Password-protected files Passwords are the simplest type of key. They are used for decrypting PDF and MS Office documents and archives. You can either add passwords one by one, or load them in batch from a text file: specify a password per line and use UTF-8 encoding for the file. IBM Notes NSF files To decrypt IBM Notes NSF files, so-called ID files need to be added to the key store. Go to the "IBM Notes ID Files" tab and click "Add...". Enter the location of an ID file and the password associated with the file. Click "OK" to add it to the store. Intella will validate the ID file to make sure you entered the password correct. Repeat this for all ID files. S/MIME-encrypted s To decrypt s with S/MIME encryption, one or more X.509 certificates and private keys need to be added. Go to the "X.509 Certificates" tab and click "Import", then select a PKCS12 archive file (*.p12 or *.pfx file) that contains the keys. Intella will analyze the key file and import all found certificates and keys. Usually you can export the certificates and keys from a mail client in this format. Do not forget to include private keys as they are critical for decrypting the s. PGP-encrypted s To index PGP-encrypted s you will need to import the PGP private keys. Go to the "PGP Keys" tab and click "Import". Intella can import ASCII armored PGP private keys (*.asc files), but it is also possible to import key in binary format. An ASCII armored PGP private key usually starts with the following text: -----BEGIN PGP PRIVATE KEY BLOCK----- Note: For complete support for S/MIME- and PGP-encrypted s and encrypted MS Office files, the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy files need to be installed. See the Installation chapter for more details. Importing multiple.p12 files At the moment it is not possible to enter multiple.p12 files in a single action, they need to be entered one by one. We have put this feature request on our roadmap for future development. Please note that.p12 files can contain multiple certificates. Therefore, if your environment is able to export multiple certificates into a single.p12 file, or you can find a third party tool that merges them, you can effectively import multiple certificates at once. Furthermore, note that you can copy the keystore files to another case. That way you can reuse the entered credentials if they apply to other cases/evidence sets as well Post-processing Once indexing completes, the case owner can opt to refine the indexing results in several ways. These steps are kept separate from indexing as they typically contribute considerably to the processing time and disk space usage and, depending on the case at hand, may not be needed. Page 79 Intella User Manual 2017 Vound

80 Tasks Intella allows for the definition of tasks. These are essentially compound processing steps such as searching for all items that match a certain keyword or keyword list and tag or export the results. These tasks can be defined and selected during source creation, which will run these tasks right after indexing. The tasks editor can also be reached by selecting Tasks from the File menu, which allows for defining and running the tasks at any point in time after index creation. Each task consists of conditions, post-conditions and actions. A task must have at least one condition and one action. A condition (Step 1 in the task dialog) defines a search query that select items from the case. Currently the following conditions can be defined: A keyword search. A keyword list search. An MD5 list search. An arbitrary Saved Search, which can combine all of Intella s search facets. A tag, possibly assigned by one of the tasks executed earlier. Page 80 Intella User Manual 2017 Vound

A date range search on all date fields. A task may combine any number of conditions. The match option controls if the items should match all specified criteria or at least one of them, i.e. a Boolean AND or OR of the specified conditions.

81 A date range search on all date fields. A task may combine any number of conditions. The match option controls if the items should match all specified criteria or at least one of them, i.e. a Boolean AND or OR of the specified conditions. An optional list of post-conditions (Step 2) specify how to transform the item set retrieved in the previous step. Possible post-condition steps are: Deduplicate results Identify parents of the retrieved items Identify children of the retrieved items Suppress irrelevant items It is possible to define multiple post-conditions for a single task. The first post-condition is applied on the set of items resulting from the conditions in Step 1. Subsequent post-conditions are applied on the outcome of the preceding post-condition. Finally, task actions (Step 3) define the operations that will be applied to the items resulting from the previous steps. The following actions can be defined: Page 81 Intella User Manual 2017 Vound

Tag all found items with one or more tags. The tag(s) can optionally be inherited by items in the same family hierarchy and/or by duplicates of the found items. Set custodian attributes.

82 Tag all found items with one or more tags. The tag(s) can optionally be inherited by items in the same family hierarchy and/or by duplicates of the found items. Set custodian attributes. Flag all found items. Add a comment to all found items. Export all found items using an export template. Export the metadata of all found items to a CSV file. Click the Configure button to set the CSV file name and path and to select the metadata fields that are to be included. Start an OCR process on the found items using an external OCR tool or by connecting to an ABBYY Recognition Server. Start a Content Analysis process on the found items for the selected entity types. Every task may define multiple actions that will be applied sequentially to the determined item set. Tasks can be exported to a file so that they can be reused in other cases. These files are self-contained, i.e. when the task involves MD5 hash lists or keyword lists, these lists are embedded in the task file. Tasks are executed in the order they have in the task list. This makes it possible to pipeline tasks, e.g. use one task to assign specific tags to a subset of the items and use a subsequent task that is based on those tags. The order can be changed by selecting a task and using the Move Up and Move Down buttons Custodians The Custodian attribute can be assigned to items after indexing. This can be used to represent the custodian of the evidence items. To enable automated assigning of multiple custodians in a folder source (10.2.1), the root folder should organize the evidence in subfolders, one subfolder for every custodian. If the evidence folder is structured in this way, the Indexing Tasks sheet in the Source Wizard will contain a Configure custodians button that opens the below dialog: By default, the custodian names are set to equal the subfolder names. It is possible to alter the used custodian names by double-clicking the values in the table. This Custodian value will be assigned to all items obtained from the evidence files within the respective subfolder. For other types of sources, the Indexing Tasks tab contains a text field for setting a single custodian name. Besides the above method, the Custodian attributes can also be set or changed using the Set Custodian indexing task with an arbitrary condition, or edited manually in the Details right-click menu OCR OCRing, or applying Optical Character Recognition techniques, is a common way to make the text inside bitmap images responsive to keyword searches. Intella s OCR support is documented in the next chapter. Page 82 Intella User Manual 2017 Vound

83 Thumbnail generation Cases that rely heavily on viewing collections of images in the Thumbnail view will benefit from pre-creating the thumbnail images in advance. Especially when dealing with digital camera images that each are multiple megabytes in size, the time needed to generate the thumbnail image can make the Thumbnails view appear sluggish. When the thumbnails have been pre-generated, the time needed to populate the view will be a lot faster and it will be constant regarding the number of visible images, i.e. the file size of the original image is no longer a factor. To pre-generate the thumbnail images, select the Generate Thumbnails option from the File menu. The thumbnail generation process will start immediately and show its progress in the main window. The thumbnail generation process can be cancelled at any point. The thumbnail images that have been generated will be kept. When the user starts the process once more at a later point in time, it will reuse the existing thumbnails and only create the missing thumbnails Importing an overlay file An overlay file is a file that contains additional information about the current items in a case. By importing the overlay file, the metadata of these items can be extended. Intella currently only supports the importing of tags, tag columns and comments. Importing overlay images, texts, natives and custom columns may be added in a future release. The following file formats are supported for overlay files: Concordance/Relativity load file (.DAT) Comma Separated Values file (.CSV) To import an overlay file, select File > Import Load File... in the main menu. Next, set the Import operation to Overlay and specify the location of the file. You can optionally use a previously saved template. On the "Configure Delimiters" page you can set the file encoding, delimiter settings and date formats. Please see the "Adding a load file source" section for a description of these options. On the "Map Fields" page you need to specify the identifier field and type. This is how Intella will match items in the overlay file with the existing items in the case. There are four options for matching items: By Document ID, also known as DocID. This is the most common way to import new tags and comments into previously imported load file. The Item ID is the internal item identifier used by Intella. This is the simplest way to process your data using an external tool and then import the result back into Intella. Note that if the case has been reindexed, the item IDs will no longer match. By MD5 Hash. This is the most flexible way of matching items. Using the MD5 hash it is possible to transfer tags from one case to another. Note that the imported tags will be applied to all copies. The Item URI is an internal item identifier that is not changed after re-indexing the case, but it may be changed when re-indexed with a newer Intella version due to changes in the crawling software. This method can be used to transfer tags when other options are not suitable, e.g. when migrating tags from a case backup to a live case that has been re-indexed in the meantime. Please see the "Adding a load file source" section for a description of the remaining options on this page. Page 83 Intella User Manual 2017 Vound

10.5.6 Content analysis The Content Analysis facet allows you to search items based on specific types of entities that have been found in the textual content of these items.

84 Content analysis The Content Analysis facet allows you to search items based on specific types of entities that have been found in the textual content of these items. Three of the categories in this facet are populated automatically during indexing and are available immediately afterwards. These are: Credit card numbers Social security numbers (SSNs) Phone numbers The other categories are more computationally expensive to calculate and therefore require an explicitly triggered post-processing step. These categories are: Person names Organizations (e.g. company names) Locations (e.g. city and country names) Monetary amounts Time (words and phrases related to the hours, minutes, weekdays, dates, etc.) Skin tone (sub-categorized as Weak, Medium and Strong based on the presence of human skin colors, applies only to images) Custom regular expressions (for searching e.g. bank account numbers, patent numbers and other types of codes that can be formally described as a regular expression) To start the content analysis procedure, select one or more items in the Details view and select Content Analysis in the context menu. This will open a dialog like the one below: Select the desired categories of entities in the list by clicking the checkboxes and click the Run button. The results of analysis will appear in the Content Analysis facet. Page 84 Intella User Manual 2017 Vound

85 Check the "Replace existing facet values" option selected if you want to clear the results of the previous analysis or keep it unselected to add new results to the existing content of the selected categories. The content analysis procedure will open a separate window showing the progress of the procedure. The procedure can be stopped at any time by clicking on the Cancel button. In this case, the categories will contain information from the items processed up to the moment of cancellation. You can continue the processing later by repeating the steps above on the same set of items and choose not to clear the existing results (unselect the "Replace existing facet values" option). The items that have been analyzed can be found by using the Content Analyzed category in the Features facet. Content analysis also supports doing a test run, without storing the results in the facet database. To use this mode, click the Preview button. After the analysis has completed, the Content Analysis Preview window will appear where the extracted entities and associated items can be reviewed. This mode can be especially useful for testing and refinement of the custom regular expression-based categories (see below). Thera are some important caveats and disclaimers concerning Content Analysis: Content analysis is a heuristic procedure based on typical patterns and correlations that occur in natural language texts. Therefore, the quality of the output may vary within a broad probability range. Content analysis works best on English texts. The quality of the output may be poor on texts in other languages. Content analysis works best on texts containing properly formulated natural language sentences. Unstructured texts (e.g. spreadsheets) usually lead to poor quality of the output. Content analysis is both CPU- and memory-intensive. For adequate performance, please make sure that your computer meets the system requirements and that no other processes are taxing your system at the same time. Use of the 64-bit version of Intella is highly recommended, especially for analyzing large quantities of items. In our experiments the amount of time needed for processing an entire case was roughly similar to the amount of time it took to index the case. Skin tone analysis is based on a colorimetry method that is proven to be good for detection of pictures exposing natural variations of human skin colors under various light conditions. However, the output may include photos of other objects colored similarly, for example sandstone walls, some ceramic sculptures, etc. On the other hand, the algorithm may miss some skin photos if the amount of the skin tone pixels is too small or if the skin has an unnatural tint, for example due to wrong white balance or exposure settings of the camera Custom Content Analysis categories and Regular Expression search Along with the predefined categories for built-in entity types such as Person names, Organizations, etc., it is possible to define custom Content Analysis categories populated by scanning the text of selected items for specific text patterns. The text patterns are defined using IEEE POSIX regular expressions syntax. See for documentation on this syntax. This provides an effective and versatile mechanism for extracting user-defined entities, such as national passport numbers, bank account information etc. To create a new custom category, click the New button in the Content Analysis window. In the dialog that opens, enter name of the new category and a regular expression that defines the pattern to search for. Click the Regex Assistant button to open the Regular Expression Assistant window. This is where you can test your expression on a custom text fragment, choose one from the examples library and get quick help on the regular expression syntax. Page 85 Intella User Manual 2017 Vound

Once the new custom category has been created, it can be selected in the Content Analysis dialog and populated by analysis of the selected item set, just like the other (predefined) categories.

86 Once the new custom category has been created, it can be selected in the Content Analysis dialog and populated by analysis of the selected item set, just like the other (predefined) categories. To edit a custom category, select it in the list and click the Edit button. In the dialog that appears, edit the name and/or the regular expression of the category. To delete a custom category, select it in the list and click the Delete button. An alternative way to create custom categories is to click the New button in the Content Analysis facet panel. The custom categories can also be edited and deleted through the context menu of that facet Editing sources To see the configuration of a source, go to Sources > Edit Sources or type CTRL+E. A dialog will open that displays the list of sources on the left. When you click on a source, its details will be shown in the area to the right of the list. The name and type are shown as well as source type-specific details such as files or folders to index, indexing options, etc. See the section on adding sources above for the precise meaning of these settings per source type. Only the source name and suspect base time zone are editable, all other options are fixed after source definition. When you change source names, the Apply button will become enabled. Changes will only be applied when you click Apply. If you select a different source or click the Close button without first clicking Apply, a dialog will appear to prompt you to apply the changes, discard the changes, or cancel the operation Exceptions report An indexing exceptions report can be produced by choosing Sources > Exceptions Report. The produces a XLSX or CSV file that lists all items that had issues during indexing. This can range from minor issues such as date parsing problems to file corruptions that affect the entire item and all nested items. For every item the following information is listed: The item ID. This can be used to quickly locate the item using View > Preview Item The Previewer will also show a warning icon when displaying such an exception item. The MD5 hash. This can be used to locate duplicates of the item within the case or in other cases. The source to which this item belongs. The file name, file size and detected file type of the problematic item. Page 86 Intella User Manual 2017 Vound

87 The name of the source in which the item was found. The location of the problematic item. This includes both the path to the containing evidence file (e.g. a PST file) as well as the path within that file (e.g. the mail folder and parent , when the exception occurred on an attachment). Information on the parent if there is any: its item ID, the sender, sent date and subject. A warning scope, warning code and warning description. The scope and code are the most useful for end users and are documented below. The description provides a low-level error message that is also contained in the log file and can be used for error diagnosis by Vound s technical support team. The warning scope indicates the type of data that is affected by the exception. Possible values are: Item the entire item is affected. Text the extracted text is affected. Metadata the extracted metadata is affected. Embedded embedded items such as attachments and archive entries are affected. An example is a document that internally references an embedded image but the image is not present in the file, resulting in an error when processing the embedded items of the document. In that case the document gets an error with "Embedded items" as the Warning Scope. The warning code indicates the nature of the issue. Possible values are: Unprocessable data The data cannot be processed because it is corrupt, malformed, or not understood by the processor. Retrying will most likely result in the same result. I/O errors The processing failed due to I/O errors. The processing might succeed in a repeated processing attempt. There can be a lot of reasons for such errors, e.g. a drive that fails to respond, or permissions blocking Intella from accessing it. The indexing logs will have the full error. The difference with the other errors is that the reason is typically external to Intella, which is why retrying indexing may sometimes resolve the issue. Decryption failed The data cannot be processed because it is encrypted and a matching decryption key is not available. The processing might succeed in a repeated processing attempt when the required decryption key is supplied. Timeout The processing took too long and was aborted. Out of memory The processing failed due to a lack of memory. Processing error The processing failed due to a problem/bug in the processor. The description should contain the stack trace. Truncated text The document text was larger than the imposed document text limit and any additional text was ignored. See the Sources section for a description of this limit and how to alter it. When an item has multiple exceptions, it will occupy several rows in the table. During indexing Intella tries to prevent processing of duplicate items (detected by their MD5 hash), as their contents will by definition also be the same. Therefore, an item may occur only once in the exceptions report, even though there can be many copies throughout the case. All items that produced an exception during indexing can easily be found using the Exception Items category in the Features facet, with subcategories for the warning codes. The XLSX variant of the exception report additionally holds the following information: Number of exceptions per source, subdivided by the warning codes. Overall statistics for the warning codes. Source-level errors, e.g. broken PST files. Page 87 Intella User Manual 2017 Vound

88 Besides holding more information, the XLSX variant is also better able to handle non-ascii characters Restoring annotations If may occur that a case will no longer open. Possible causes are unexpected power failures or the incorrect handling of external or network drives, as this can result in the files in the case folder getting damaged to the point where normal handling of the case becomes impossible. When this has happened to your case, it may still be possible to extract the annotations (tags, flags and comments) from the broken case and import them into a backup copy of the case, so that the results of your work on the case are also restored. To restore the annotations, create a copy of the backed-up case (ideally the back-up has been made right after indexing), open the copy and select "File > Restore Annotations..." in the main menu. Next, select the file named "events.log" in the "audits" subfolder of the case that holds the annotations. The annotations from the broken case will then be imported into the current case copy. It is important to consider the following: The original case must be indexed with Intella version or later. Annotations can be restored only from a copy of the same base case and only if both case copies have not been re-indexed. Any annotations that exist in the importing case will be removed before importing. The copy of the current "events.log" file is stored in the "audits" folder as "events.log.old". You can use this copy to restore the state in case this removal was not intended. Page 88 Intella User Manual 2017 Vound

89 11 Optical Character Recognition (OCR) Cases often contain images with human-readable text in them, e.g. web page screenshots. These images can be embedded in documents, e.g. a scanned or faxed document is packaged as a PDF containing TIFF images, or a chart is embedded as a picture in a Word document. The techniques for identifying the text in such images (embedded or not) is called Optical Character Recognition, commonly abbreviated to OCR. Application of such OCR techniques can make the textual contents of these images available for keyword search. Some modern scanners already apply OCR techniques during scanning and add the extracted text to the PDF. If this is the case, Intella will pick up the text automatically during indexing. Often this machine-accessible text is missing though, or it contains too many recognition errors to be useful for keyword searching. Also, loose images do not come with such text at all. To overcome this, Intella offers OCR support, letting you improve your case index Starting OCR Intella s OCR support is currently a post-processing step, performed manually by the case admin after indexing has completed. In the future, we may make this part of the indexing process. To OCR a collection of search results, you can use the following procedure: 1. Use Ctrl-click or Shift-click to select multiple items in the Details pane, using the table or thumbnails view. Alternatively, right-click and choose Select All to select all items in the list. 2. Right-click and choose OCR Highlighted Item(s). This opens the OCR Wizard. This wizard lets you choose the OCR method and its settings OCR methods Intella currently supports two OCR methods: External OCR tool This method consists of exporting the items as loose files, processing them with the user s preferred OCR software, and importing the OCRed files back into the case. ABBYY Recognition Server This method consists of sending the files to a Recognition Server for processing, automatically incorporating the received results into the case. This method is fully automatic and requires a licensed and configured instance of ABBYY Recognition Server available over the network. Page 89 Intella User Manual 2017 Vound

90 11.3 Using an external OCR tool To OCR the selected items with an external OCR tool, you initially only need to specify an export folder. Once you click the Export button, Intella will export the items in their original format to the folder. Every file will be named after the MD5 of the item note that this means that unique items are only exported once! Next you can use any OCR tool to process the exported files. To import the OCRed files back to Intella, the tool and its configuration should comply with the following requirements: The OCR tool must be able to create a single OCRed file for each input file. Put these files in a separate folder. The file name of the OCR output must match the original file name, but it may have a different file extension, per the file type produced by the OCR tool. For example, if the original file name is 6345b60187d08be d7543c54.tif, then the OCRed file name can be 6345b60187d08be d7543c54.txt. The OCRed file format must be of one of the Intella supported formats, e.g. plain text, PDF, MS Office, etc. After you have OCRed the files, select "File -> Import OCRed files..." in the main menu. Next, specify the folder where the OCR output is located and click on the Import button. Intella will analyze every file in the specified folder, extract the text and link it to the original item and all its copies. If the original item already had some text, then the OCRed text will be appended to the original text Using ABBYY Recognition Server When you have access to an ABBYY Recognition Server, you can utilize it to OCR selected items in the case fully automatically. Note: ABBYY Recognition Server 3.5 or 4.0 should be used. Steps to OCR selected items with ABBYY Recognition Server: Select the desired items and open the OCR Wizard, as described above. Specify the server s IP address. The Service URL field will be populated automatically based on the entered IP address. If you know that your server uses a different URL, you can override it by checking the Use custom service URL check box. Specify the workflow name that should be used. Alternatively, you can press the Get list from server button to select a value from all available workflows on that server. Click the OCR button to start the OCR process. The selected documents are will now be send to the Recognition Server. The results that it sends back will be processed automatically, similar to how the external method works. Please make sure that your ABBYY Recognition Server is configured correctly: A separate document should be generated for each input file. The output format is a format that Intella can index. Page 90 Intella User Manual 2017 Vound

91 The following parameters need to be set correctly in the following file (suggested parameters allow for processing files up to 30 MB): C:\Program Files (x86)\abbyy Recognition Server 3.5\RecognitionWS\web.config Parameters: <?xml version="1.0" encoding="utf-8"?> <configuration> <system.web> <httpruntime maxrequestlength="409600" /> </system.web> <system.webserver> <security> <requestfiltering> <requestlimits maxallowedcontentlength=" " /> </requestfiltering> </security> </system.webserver> </configuration> 11.5 Reviewing OCRed items To find all items in a case that have been OCRed, you can use the OCRed category in the Features facet. This attribute is also reflected in the Details table in the OCRed column. When an OCRed item is previewed, this will be shown as an additional property in the Properties tab. Note that when the OCR software enhances an existing PDF document by inserting the text in it, this text will be extracted and added to the index, but the binary item stored in the case is not replaced. This means that when exporting or previewing that item, you get the original PDF, not the OCR-enhanced PDF. This will be addressed in a future version. Warning: After items in a case have been OCRed, the case will not open anymore in Intella 1.7. Page 91 Intella User Manual 2017 Vound

92 12 Insight view The Insight tab contains several information panels that together give a concise overview of the information inside the case, revealing suspect behavior and giving rise to follow-up investigative questions. The information is extracted from a variety of sources, such as s and documents, web browser histories, Windows registries and more. Clicking on entries like a document type or custodian name in the Insight tab will add a relevant search for that item category to the Cluster Map in the Search view. The main window will then automatically switch to the Search view as well. The entire tab can be exported to HTML by clicking on the Export button in the top right corner Evidence The Evidence section shows important global statistics regarding your data. A detailed description of each category can be found in the section explaining the Features facet Types The Types section shows a breakdown of the different types of files and other items in the case. It shows the same hierarchical structure as the Type facet in the Search tab Custodians The Custodians section shows the list of custodians in the case, if any, together with the number of items that are assigned to them. A pie chart showing these amounts is shown to the right of the table. For detailed information on how to define custodians see the section titled Custodians Internet Artifacts The Internet Artifacts section contains information about web browser activity, based on the browser histories detected in the evidence data. All major browsers are supported: MS Internet Explorer/Edge, Mozilla Firefox, Google Chrome and Apple Safari. The top chart shows the list of encountered browser histories, listing the following information: The path of the browser history in the evidence data. The type of browser, represented by the browser s desktop icon. The number of visited URLs in the browser history, both as a number and as a bar showing the amount relative to the total amount of visited URLs in the entire case. The last used date of the browser history, i.e. the last time a new URL was added or a visit count was updated. Note that manual deletions of URLs in the history by the end user are not considered when Page 92 Intella User Manual 2017 Vound

93 determining the last used dates; it is merely indicative of when the regular day-to-day usage of that browser ended. At the very top of this list is a row that represents the total amount of visited URLs in the case, regardless of location and web browser type. Beneath the list of browser histories there is a breakdown of the visited URLs: The "Top 100 visited URLs" table shows the most visited URLs, with for each URL the number of visits as indicated by the browser history. The "Top 100 visited domains" table shows the most visited domains, together with the sum of the visit counts of all URLs in that domain. Subdomains are treated as independent domains. The panels Social media, Cloud storage, Webmail and Productivity show the number of visits that belong to some commonly used websites, such as Facebook and Twitter for social media, DropBox and OneDrive for cloud storage, Gmail and Yahoo Mail for webmail, etc. By default, this breakdown covers all visited URLs in the case. By clicking on a row in the list of browser histories one can narrow down on the visited URLs in that browser history. The selected browser is indicated by the blue URL count bar. Note: the categories and domains that are checked can be configured by editing the common-websites.xml file in the [CASEDIR]\prefs folder. Warning: during the development of this functionality we observed that the semantics of a visited URL may differ between browsers, possibly even between browser versions. In some cases, it indicates that the user explicitly visited a URL by entering it in the browser s address bar or by clicking a link. In other cases, all resources loaded as a consequence of displaying that page may also be registered as visited, even resources from other domains, without making any distinction between the explicitly entered or clicked URLs on the one hand and the other resources on the other hand. One should therefore carefully look at the operation of a specific browser before drawing any final conclusions Timeline The Timeline shows the timestamps of all items in the case over the years of months. This not only gives a rough overview of events over time, but can also be used to find data anomalies, e.g. unexpected peaks or gaps in the volume of s, which for example may be caused by an incomplete capture of evidence files, bugs in the custodian s software, default values entered by client software and actions of malicious custodians (resetting date fields, deleting information). To the right of the chart are all date fields that Intella currently supports. Each date field shows the number of items that have that date field set. Date fields that do not occur in this case are disabled. (De)selecting one of the checkboxes changes the timeline to include or exclude the counts for that date field. This update may take some time, depending on the case size and whether a local or remote case is used. The resulting counts are cached so that afterwards the user can toggle that checkbox and see the chart change instantly. The chart can alternatively show months or years. Note: The Timeline s time axis only shows dates between January and two years from now. This is to prevent obviously incorrect dates that have been extracted from corrupt files from spoiling the graph. Page 93 Intella User Manual 2017 Vound

94 12.6 Identities The Identities section consists of three tables with various types of identities, which may be representing users or other entities. The User accounts table shows a list of user accounts extracted from the evidence data. These can be: Windows user accounts, extracted from Windows registry hives. Skype user accounts, extracted from Skype databases. These are the database s local account, not the entire contacts list of that account. Pidgin user accounts. Again, these are the local accounts, not the entire contact list. User accounts in cellphone reports as produced by Cellebrite UFED, Micro Systemation XRY and the Oxygen Forensic suite. See the documentation of the respective product for details on the correct interpretation of such information. The Origin column in this table shows either a machine name extracted from a Windows registry or the location of the evidence file that the account was extracted from. The Top 10 addresses table shows the 10 addresses with the highest number of s in the case. Both the raw and deduplicated counts are shown. The top 10 is based on the raw counts. The Top 10 host names table shows the host names that have the most s associated with them. These are essentially the host names that show up when you expand the All Senders and Receivers branch in the Address facet. Both the raw and deduplicated counts are shown. The top 10 is based on the raw counts Notable Registry Artifacts Note: the information provided in this view is experimental. We greatly value your feedback on this via our support portal at or via our community forum at The Notable Registry Artifacts (NRA) section gives insight into the most important artifacts extracted from the Windows registry hives of the investigated machines/operating systems. A case may contain evidence files (usually in the form of disk images) that relate to multiple operating systems (OSes), simply because multiple machines may be involved, but also because a machine may have multiple operating systems installed. Hence the artifacts are grouped by OS, labeled by the Computer Name that was extracted from the registry, and further subdivided in several categories. The following artifact types are currently extracted and reported: Basic OS information OS time zones OS user accounts Network interfaces Network connections USB mass storage devices that have been connected Recently used files Shellbags Typed URLs registered by web browsers using the registry Page 94 Intella User Manual 2017 Vound

95 A registry artifact is a logical concept in Intella that is modeled as an atomic item in the case and that holds important information typically used in digital forensic investigations. This information is specially selected for this purpose by experienced forensic experts. While the properties of a registry artifact may be scattered across different registry hives and backups of these hives, Intella will unify them into a coherent item. The NRA section is divided into two parts. On the left-hand side, labeled Overview, the tree organizing the registry artifacts is shown. The first level nodes represent OSes labeled with the Computer Name extracted from the registry. One lever deeper we find sub-nodes for the various registry categories (e.g. User Accounts ), followed by leaf nodes representing the actual artifacts (e.g. a specific User Account). One can select a leaf node in this tree, which will show the properties of that registry artifact in the Details view on the right-hand side. Double-clicking on a leaf node opens the registry artifact item in the Previewer. This shows additional information such as the location of the item and allows for browsing to nearby items in the item hierarchy using the Previewer s Tree tab. One can also right-click on a leaf node and select Preview from the context menu. Right-clicking on a category node (e.g. a User Accounts node) shows a context menu with a Search option. This launches a search for all User Accounts in the Search view. Note that this searches for all user accounts, not just the ones in the currently explored OS. Besides the regular registry hives, the Windows registry maintains backup files in the form of so-called RegBack files. Intella will process these files as well and display the extracted data in the NRA section. Values coming from such backup registry hives are marked with a RegBack label and are only displayed when they differ from the corresponding values in the current files. Not doing so would greatly increase the amount of redundant registry information Supported registry hives Intella will process the following registry hives: Registry Hive Name SYSTEM SYSTEM (RegBack) Location Windows/System32/config/SYSTEM Windows/System32/config/RegBack/SYSTEM Windows/repair/SYSTEM NTUSER.DAT SOFTWARE SOFTWARE (RegBack) Found under folder Users/<user id> or Documents and Settings Windows/System32/config/SOFTWARE Windows/System32/config/RegBack/SOFTWARE Windows/repair/SOFTWARE SAM SAM (RegBack) Windows/System32/config/SAM Windows/System32/config/RegBack/SAM Windows/repair/SAM Note: registry artifacts can be extracted from disk images and folders only if all relevant files are in the proper folders, e.g. Windows\System32\config\SYSTEM. Page 95 Intella User Manual 2017 Vound

96 Note: support for Windows XP and older is limited Operating system information This category contains only one item, named after the computer name stored in the registry. The properties of the OS Info item are extracted from the SOFTWARE and SYSTEM hives and the corresponding backup files. Keys extracted from SOFTWARE\Microsoft\Windows NT\CurrentVersion are: ProductName ProductId CurrentVersion RegisteredOwner RegisteredOrganization InstallDate Keys extracted from SYSTEM\CurrentControlSetXXX are: ComputerName ShutdownTime Time zones The Time Zones category provides the time zone of the suspect s machine. The properties of the time zone artifact are extracted from SYSTEM\CurrentControlSetXXX\Control\TimeZoneInformation. The following keys are extracted from the hive and make up a time zone artifact: ActiveTimeBias Bias StandardBias DaylightBias TimeZoneKeyName DaylightName StandardName DynamicDaylightTimeDisabled DisableAutoDaylightTimeSet DaylightStart StandardStart User accounts The User Accounts category contains all user accounts detected in an OS. The user accounts are found and extracted from the SAM hive and the corresponding backup files from SAM\Domains\Account\Users. The following keys are extracted from the hive: User RID Key/F: o Last Login Date o Password Reset Date o Account Expiration Date Page 96 Intella User Manual 2017 Vound

97 o Last Failed Login o Login Count o Password Required User RID Key/V: o Privilege Lever o User Name o User Description UserPasswordHint ForcePasswordReset Network interfaces The Network Interfaces category contains all network adapters registered in the registry of an investigated OS. Information about network interfaces is extracted from the SYSTEM and SOFTWARE registry hives and their backup files. The following keys found in SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\<ID> refer to basic network interface properties: Service Name (it is used as a lookup reference for DHCP settings) Description The DHCP settings are obtained from the following keys in SYSTEM\currentControlSetNameXXX\Services\Tcpip\Parameters\Interfaces\<Name>: LeaseObtainedTime LeaseTerminatesTime T1 T2 DhcpIpAddress DhcpDefaultGateway DhcpNameServer DhcpServer DhcpSubnetMask DhcpDomains EnableDHCP Network connections The Network Connections category contains all connections to networks stored and extracted from the Windows registry. Information about registered network connections is obtained from a single place: SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\<ProfileName> USB mass storage devices Under USB Mass Storage Devices one can find data about USB devices that have been connected to the machine(s) being investigated. When a user connects a USB device, the Windows operating system keeps track of that device in the registry. All relevant data are distributed across the SOFTWARE and SYSTEM registry hives and their backups. Besides the hives, certain USB-related information can be found in the setupapi.dev Windows log files. Page 97 Intella User Manual 2017 Vound

98 In the SYSTEM hive all data about USB drives are stored in the CurrentControlSetXXX\Enum\USBSTOR branch. Under its sub-key MountedDevices, the Windows registry registers USB device connections in registry values having the DosDevices keyword in their value name. Besides the keyword, the key name contains a device GUID value. The signature of the connected device is stored as a byte array in the registry value. The USB vendor name is stored in CurrentControlSetXXX\Enum\USB. The SOFTWARE hive stores information about connected portable devices. The names of the portable devices can be found at Microsoft\Windows Portable Devices\Devices. Device installation dates are stored in the textual setupapi.dev files. Intella searches for sections containing the USBSTOR keyword and extracts device identifier and device installation dates from them Recent files Information about the most recently used files is extracted from the NTUSER registry hive. All relevant information is found in the following location: Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\<extension>. Recent files are grouped by file extension. For each file extension, the registry maintains a separate MRU list. The last access timestamp is stored only for the most recent items of each extension. For the rest of the items Intella provides users with an estimated time period, based on the order of the items in the MRU lists. Furthermore, the files accessed before and after the current file are shown in the Details view Shellbags The Shellbags category contains all shellbags extracted from registry hives. A shellbag is a registry item that stores data about user actions in a Windows file system folder. Extracted are Access, LastModified, LastExplored and Create dates, the size of the folder and information about the OS user that accessed or modified the folder. All relevant information (registry keys) is extracted from the NTUSER.DAT registry hive in the following branches: Software\Microsoft\Windows\Shell Software\Microsoft\Windows\ShellNoRoam Typed URLs The Typed URLs category contains the most recent URLs of webpages that a user has visited with the MS Internet Explorer or MS Edge browsers. This information is extracted from the NTUSER.DAT registry hive in the Software\Microsoft\Internet Explorer\TypedURLs branch Devices The Devices section contains a list of all USB mass storage devices that have been connected to the suspect machines. This information is taken from the Notable Registry Artifacts section. It provides the ability to quickly oversee and sort all devices found in the case. Page 98 Intella User Manual 2017 Vound

99 12.9 Networks The Networks section contains a list of wired and wireless networks that a suspect machine has been connected to. This information is taken from the Notable Registry Artifacts section and from cellphone reports. It provides the ability to quickly oversee and sort all networks found in the case Significant Words The Significant Words panel visualizes important words encountered in the item texts in the case, based on a statistical model of term relevance. The bigger the font of a word, the higher the relevance that word may have for the data set at hand. These results are purely suggestive: though they are based on commonly used information retrieval techniques, they only look at the evidence data. They do not take the investigative research questions into account, or any investigative results such as items tagged as relevant. The Paragraphs section shows statistics on the paragraphs that Intella has registered, when the Analyze Paragraphs setting was set on the source(s) in the case. It lists the number of unique and duplicate paragraphs, both as raw numbers and as percentages. Furthermore, the Paragraphs marked as Seen or Unseen are counted. Finally, the number of Documents, s and Other item types with unique content (i.e. a paragraph that does not occur in any other item) is listed. These groups can be clicked, which shows these item sets in the Search tab Workflow The Workflow section lists additional tasks that one might consider after the initial indexing is done. These tasks can further refine the case index quality and kick-start the investigation and analysis phases. Additional Processing category: The OCR images and empty documents link opens the OCR wizard and will process all items that fall into the Images category in the Type facet and Empty Document category in the Features facet. The Export encrypted items link opens the Export wizard for all items that are encrypted but have not been decrypted. Export encrypted items list exports the metadata of these items to a CSV file. The Export unprocessed items link opens the Export wizard for all items that fall into the Extraction Unsupported category in the Features facet. Export unprocessed items list exports the metadata of these items to a CSV file. The Export exception items link opens the Export wizard for all items that fall into the Exception Items category in the Features facet. Export exception items list exports the metadata of these items to a CSV file. Search & Analysis category: The Generate thumbnails link initiates the thumbnail generation process for all items in the case. Doing so will speed up the performance of the Thumbnails results view and the Previewer s Thumbnails tab. Page 99 Intella User Manual 2017 Vound

100 The Run content analysis link initiates the content analysis procedure for all items in the case. This detects person, organization and location names used in the item texts and reports them in the Content Analysis facets. Add keyword list adds a keyword list to the case, for use in the Keyword Lists facet or Keywords tab in the Statistics view. Add MD5 list adds an MD5 or message hash list, for use in the MD5 and Message Hash facet. Add saved search adds a saved search obtained from another case to this case, for use in the Saved Searches facet and Keywords tab in the Statistics view. Add task adds a post-processing task (e.g. running a keyword list and tagging the results), to be used during post-processing or on-demand via the Tasks option in the File menu. Report category: The Export n events link opens the Export Event Log window, letting one export all or selected case events. These events capture all actions that have taken place inside the case since the start of its existence, such as source creation and indexing, searching, tagging and exporting. These events include the user that took the action and the time the action took place. Open log folder opens the folder where the case s log files are stored in Windows Explorer. Page 100 Intella User Manual 2017 Vound

13 Keyword search To search for text, enter a query in the Search panel and click the Search button. For query syntax rules, refer to the Search query syntax section below.

101 13 Keyword search To search for text, enter a query in the Search panel and click the Search button. For query syntax rules, refer to the Search query syntax section below. Note: Due to technical limitations a search on the Comments field cannot be combined with a search on other fields Search options With the search options panel, you can limit keyword searching to specific item parts or attributes: Text Title / Subject Summary & Description Path & File name Message Headers Raw Data (e.g. low-level data from PST files, MS Office documents, vcards) Comments Authors & Addresses Each of the From, Sender To, Cc and Bcc fields separately Export IDs To see the search options, click the Options button under the search text field. The options box will be displayed as a popup menu below the button. Select the options for properties that you want to include in your search, and deselect those you want to exclude. Your selected search options will be stored and used for future searches until you change them. The Options box also has a checkbox for setting whether the excluded paragraphs should be considered. By default, this is turned on. Uncheck this checkbox to search the entire document text again. Note: As a reminder, the Options button will show a yellow triangle when not all options are selected. To hide the options box, click the Options button again. If you have made any changes, the icon on the Options button will change to a yellow warning sign as a reminder that you have changed options that will affect your searches Search query syntax In the text field of the Search panel you can use special query syntax to perform complex multi-term queries and use other advanced capabilities. Page 101 Intella User Manual 2017 Vound

102 Tip: You can also see the list below by clicking on the question mark button in the Search panel Lowercase vs. uppercase Keyword searches work in a case-insensitive manner: during indexing all characters are lowercased, as are the characters in a keyword query. This means that the query "john" will match with "john", "John" and "JOHN" Use of multiple terms (AND/OR operators) By default, a query containing multiple terms matches with items that contain all terms anywhere in the item. For example, searching for: john johnson returns all items that contain both john and johnson. There is no need to add an AND (or && ) as searches are performed as such already, however doing so will not negatively affect your search. If you want to find items containing at least one term but not necessarily both, use one of the following queries: john OR johnson john johnson Minus sign (NOT operator) The NOT operator excludes items that contain the term after NOT: john NOT johnson john -johnson Both queries return items that contain the word john and not the word johnson. john -"john goes home" This returns all items with john in it, excluding items that contain the phrase john goes home. The NOT operator cannot be used with a single term. For example, the following queries will return no results: NOT john NOT "john johnson" Phrase search To search for a certain phrase (a list of words appearing right after each other and in that order), enter the phrase within full quotes in the search field: "john goes home" will match with the text John goes home after work but will not match the text John goes back home after work. Phrase searches also support the use of nested wildcards, e.g. "john* goes home" Page 102 Intella User Manual 2017 Vound

103 will match both John goes home and Johnny goes home Grouping You can use parentheses to control how your Boolean queries are evaluated: (desktop OR server) AND application retrieves all items that contain desktop and/or server, as well as the term application Single and multiple character wildcard searches To perform a single character wildcard search you can use the? symbol. To perform a multiple character wildcard search you can use the * symbol. To search for next or nest, use: ne?t To search for text, texts or texting use: text* The? wildcard matches with exactly one character. The * wildcard matches zero or more characters Fuzzy search Intella supports fuzzy queries, i.e., queries that roughly match the entered terms. For a fuzzy search, you use the tilde ( ~ ) symbol at the end of a single term: roam~ returns items containing terms like foam, roams, room, etc. The required similarity can be controlled with an optional numeric parameter. The value is between 0 and 1, with a value closer to 1 resulting in only terms with a higher similarity matching the specified term. The parameter is specified like this: roam~0.8 The default value of this parameter is Proximity search Intella supports finding items based on words that are within a specified maximum distance from each other in the items text. This is a generalization of a phrase search. To do a proximity search you place a tilde ( ~ ) symbol at the end of a phrase, followed by the maximum word distance: "desktop application"~10 returns items with these two words in it at a maximum of 10 words distance. Like phrase searches, proximity searches also support nested wildcards. Page 103 Intella User Manual 2017 Vound

104 Field-specific search Intella's Keyword Search searches in document texts, titles, paths, etc. By default, all these types of text are searched through. You can override this globally by deselecting some of the fields in the Options, or for an individual search by entering the field name in your search. title:intella returns all items that contain the word intella in their title. The following field names are available: text - searches in the item text title - searches in titles and subjects path - searches in file and folder names summary - searches in descriptions, metadata keywords, etc. agent searches in authors, contributors and senders and receivers from searches in From fields sender searches in Sender fields to searches in To fields cc searches in Cc fields bcc searches in Bcc fields headers - searches in the raw headers rawdata - searches in raw document metadata comment - searches in all comments made by reviewer(s) export - searches in the export IDs of the items that are part of any export set You can mix the use of various fields in a single query: intella agent:john searches for all items containing the word intella (in one of the fields selected in the Options) that have john in their author metadata or senders and receivers Special characters The following characters need to be escaped before they can be used in a query: + - &&! ( ) { } [ ] ^ " ~ *? : \ / They can be escaped by prefixing them with a \ character. Note: During indexing, most of the characters in this list are typically filtered out and will never make it into the index. The rules for handling specific characters depend on the context in which they occur. For instance, punctuation characters like dots ('.') or dashes ('-') are significant within numbers, addresses or host names, while being ignored (i.e. interpreted as whitespaces) between regular words. In the latter case, escaping them in the query will not make them searchable Regular expressions This release contains experimental support for searching with regular expressions. This will be extended, refined and documented in a future release. For now, please visit for more information. Page 104 Intella User Manual 2017 Vound

105 Be aware that these regular expressions are evaluated on the terms index, not on the entire document text as a single string of characters! Your search expressions should therefore take the tokenization of the text into account. Page 105 Intella User Manual 2017 Vound

106 14 Using facets Besides keyword searching, the indexed items can be browsed by facets, which represent specific item properties. Every facet organizes the items into groups (possibly hierarchical) depending on a specific item property. Selecting a facet in the Facet panel will give you a list of all values of the selected facet in the lower part of the panel. In the example on the right, the Type facet has a list of file types as values. To search for items that match a facet value, select the facet value and click the Search button. Tip: To export facet information, (1) select a facet, (2) open the context menu - right mouse click - on the facet values, and (3) select Export values. This will open the Export values dialog. Choose a file name and folder and save the export file. The CSV file will contain the facet values (e.g. file types, addresses, folder names), their total counts in the case, and their currently shown counts, which represents the overlap with the currently shown search results Available facets Saved Searches The Saved Searches is a list of previous sets of searches that the user has stored. When there are search results displayed in the Cluster Map and the Searches list, the Save button beneath the Searches list will be enabled. When the user clicks this button, a dialog opens that lets the user enter a name for the saved search. A default name will be suggested based on the current searches. After clicking on the OK button, the chosen name will appear in the list in the Saved Searches facet. Click on the name of the saved search and then on the Restore button to bring the Cluster Map and the Searches list back into the state it had when the Save option was used. The Replace current results checkbox controls what happens with the currently displayed searches when you restore a saved search. Page 106 Intella User Manual 2017 Vound

When turned on, the Cluster Map and Searches list will be emptied first. When turned off, the contents of the saved search will be appended to them.

107 When turned on, the Cluster Map and Searches list will be emptied first. When turned off, the contents of the saved search will be appended to them. The Combine queries checkbox can be used to combine the result sets of all parts of the saved search into a single result set. This is for example useful when the various parts conceptually are meant to find the same set of items, just in a technically different way. Example are different complex Boolean queries, which could have been combined into a single Boolean OR query but that the user prefers to keep separate in the saved search definition. Saved searches can be shared across cases. To transfer a saved search, right-click on the saved search in the list and select Export search. The search is then exported as an XML file can then be imported into any other case by right-clicking in this list and selecting Import searches. Saved searches are grouped by the user who made them. Depending on the Intella version used to create the case, a Default searches branch may also be present with pre-defined saved searches Features The Features facet allows you to identify items that fall in certain special purpose categories: Encrypted: all items that are encrypted. Example: password-protected PDF documents. If you select Encrypted and click the search button, you will be shown all items that are encrypted. Note: Sometimes files inside an encrypted ZIP file are visible without entering a password, but a password still needs to be entered to extract the file. Such files cannot be exported with Intella if the password has not been provided prior to indexing. In this case both the ZIP file and its encrypted entries will be marked as Encrypted, so searching for all encrypted items and exporting those will capture the parent ZIP file. Decrypted: all items in the Encrypted category that Intella could decrypt using the specified access credentials. Unread: all s that are marked as "unread" in the source file. Note that this status is not related to previewing in Intella. Note: This property is only available for PST and OST s and some cellphone dumps. If the Unread property is not set, it could mean that either the item was not read or that the property is not available for this item. Some tools allow the user to reset a message s unread status, so even when the flag is set, it cannot be said with certainty that the message has not been read. Empty documents: all items that have no text while text was expected. Example: a PDF file with only images. Has Duplicates: all items that have a copy in the case, i.e. an item with the same MD5 or message hash. Has Geolocation: Indicates whether the item has geolocation information. OCRed: indicates whether the item has been OCRed after indexing. See the separate chapter on OCRing of documents and images. Content Analyzed: all items for which the Content Analysis procedure has been applied. Exception items: all items that experienced processing errors during indexing. This has six subcategories that match the warning codes in the exception report: Page 107 Intella User Manual 2017 Vound

108 o Unprocessable items: the data cannot be processed because it is corrupt, malformed or not understood by the processor. Retrying will most likely result in the same result. o I/O errors: the processing failed due to I/O errors. The processing might succeed in a repeated processing attempt. o Decryption failures: the data cannot be processed because it is encrypted and a matching decryption key is not available. The processing might succeed in a repeated processing attempt when the required decryption key is supplied. o Timeout errors: the processing took too long and was aborted. o Out of memory errors: the processing failed due to a lack of memory. o Processing errors: the processing failed due to a problem/bug in the processor. The description should contain the stack trace. Extraction unsupported: all items that are larger than zero bytes, whose type could be identified by Intella, are not encrypted, but for which Intella does not support content extraction. An example would be AutoCAD files: we detect this image type but do not support extraction any content out of it. Text Fragments Extracted: indicates whether heuristic string extraction has been applied on a (typically unrecognized or unsupported) binary item. Irrelevant: all items that fall into one of the Irrelevant Items categories and that themselves are often considered to be of little relevance to a review. See the Preferences section for details on this automatic classification. Recovered: all items that were deleted from a PST, NSF or EDB file and that Intella could still (partially) recover. These are the items that appear in the artificial <RECOVERED> and <ORPHAN ITEMS> folders of these files in the Location facet. This branch has four sub-branches, based on the recovery type and the container type: o Recovered from PST. o Orphan from EDB. o Orphan from NSF. o Orphan from PST. Attached: all items that are attached to an , conversation or document. Only the direct attachments are reported; any items nested in these attachments are not classified as Attachment. Furthermore, items that are classified as Embedded Image are not classified as Attachment, and vice versa. Embedded images: all inlined images in s, documents, spreadsheets or presentations. Formally, an image is classified as embedded image when it is displayed as part of the native rendering of its direct parent. This happens when the parent is displayed in the Preview tab of the Previewer and when the parent is exported to PDF in Original view mode. An embedded image is thus already visible elsewhere when the original view is used, which (depending on your policy) may be reason not to export this image item separately as well, saving exporting and/or reviewing time. Tagged: all items that are tagged. Flagged: all items that are flagged. Commented: all items that have a comment. Previewed: all items that have been opened in Intella s previewer. Opened: all items that have been opened in their native application. Exported: all items that have been exported. Redacted: all items that have one or more parts blacked out due to redactions. Items on which the Redact function has been used but in which no parts have been marked as redacted are not included in this category. All items: all items (non-deduplicated) in the entire case. Page 108 Intella User Manual 2017 Vound

109 Note: In cases in which multiple users have worked, i.e. shared cases or cases with imported Work Reports, the Previewed, Opened, Exported, Commented, Tagged and Flagged nodes shown in the Facet panel will have subnodes, one node for each user Tags Tags are labels defined by the user to group individual items. Typically used tags in an example are for example relevant, not relevant and legally privileged. Tags are added to items by right-clicking in the Results table or the Cluster Map and choosing the Add Tags option. Tags can also be added in the Previewer. The exact procedure is described in other sections of this manual. To search for all items with a certain tag, select the tag from the Tags list and click the Search button below the list. When tags have been added by different users in the same case, the Tags facet panel will have a drop-down list at the bottom, listing the names of all reviewers that have been active in this case. You can use this list to filter the tags list for taggings made by a selected reviewer only. Select the "all" option to show taggings from all users. If the same tag has been used by different reviewers, their names and the numbers of tagged items are displayed in the tag statistics line (in the parentheses after the tag name). The list of reviewers can include "You" to indicate taggings made by the current case user. If no reviewer name is mentioned, it means that all taggings with this tag are made by the current user only. The tags can be organized into a hierarchical system by the creation of sub-tags within an existing (parent) tag group. To create a sub-tag, select an existing tag in the Tags facet and choose "Create new tag inside..." in the context menu. In the dialog box, enter the name and (optionally) the description of the new tag. To rename a tag or change the tag description, select the tag in the facet and choose "Edit..." in the context menu. Important: When a tag is renamed, all items associated with this tag will be assigned the new tag name automatically. However, some operations that depend on specific tag names (such as indexing tasks with the Tag condition, see ) may need to be corrected manually. To delete a tag, select it in the facet and choose "Delete..." in the context menu. Note for remote cases: If a tag has item associations made by other reviewers, only users of the Intella TEAM Manager product are permitted to delete this tag. Intella viewer users may only delete their own tags Custodians Custodians are assigned to items to indicate the owner from whom an evidence item was obtained. The Custodians facet lists all custodian names in the current case and allows searching for all items with a certain attribute value. Custodian name attributes are assigned to items either automatically (see the section on custodian name postprocessing) or manually in the Details panel. To assign a custodian to items selected in the Details panel, use the Set Custodian option in the right-click menu. To remove custodian information from selected items, choose the Clear Custodian option. Page 109 Intella User Manual 2017 Vound

110 To change a custodian s name, select it in the list and choose Edit custodian name in the right-click menu. To delete a custodian from the case and clear the custodian attribute in all associated items, select the value in the facet panel and choose Delete in the right-click menu Location This facet represents the folder structure inside your sources. Select a folder and click Search to find all items in that folder. When Search subfolders is selected, the selected folder, all items in that folder, and all items nested in subfolders will be returned, i.e. all items in that entire sub-tree. When Search subfolders is not selected, only the items nested in that folder will be returned. Items nested in subfolders will not be returned, nor will the selected folder itself be returned. When your case consists of a single indexed folder, then the Location tree will show a single root representing this folder. Selecting this root node and clicking Search with Search subfolders switched on will therefore return all items in your case. When your case consists of multiple mail files that have been added separately, e.g. by using the PST and NSF source types in the New Source wizard, then each of these files will be represented by a separate top-level node in the Location tree Address This facet represents the names and/or addresses of persons involved in sending and receiving s. The names are grouped in the following categories: From Sender To Cc Bcc Addresses in Text All Senders (From, Sender) All Receivers (To, Cc, Bcc) All Senders and Receivers All Addresses The first five categories list addresses found in the corresponding message headers. Most s typically only have a From header, not a Sender. The Sender header is often used in the context of mailing lists. When a list server forwards a mail sent to a mailing list to all subscribers of that mailing list, the message send out to the subscribers usually has a From header representing the conceptual sender (the author of the message) and a Sender header representing the list server sending the message to the subscriber on behalf of the author. The "All Senders", "All Receivers" and "All Senders and Receivers" categories group addresses into specific sender or recipient roles, abstracting from the specific header that was used. The "Addresses in Text" category lists addresses that are mentioned in message and document bodies. "All Addresses" group together all other categories and thus contains all addresses found anywhere in either message headers or textual content. Page 110 Intella User Manual 2017 Vound

111 Sorting and grouping The contacts can be sorted alphabetically by addresses (the default order), by the contact name associated with them or by the number of items associated with this contact. To change the sorting method, right-click anywhere in the facet and choose the desired sorting method from the Organize menu. The addresses can optionally be grouped by the host name used in the address. To enable or disable grouping, select the "Group by host name" option in the "Organize" section of the context menu. Enabling this option adds another level of nodes to the tree, representing the host names. Filtering on text To quickly find specific addresses, contact names or host names, it is possible to filter the facet content to only display the values that contain a specific substring. To filter the contacts in a specific category, expand the tree branch and click on the button below the tree. In the text field that appears enter the text. The tree will be filtered to show only those contacts whose contact name or address matches the entered text. To cancel filtering and hide the text field, click the filter button again or type Escape. Filtering on presence in the current search results To display only the highlighted addresses, i.e. the addresses that occur in the currently visible or selected search results, click on the button. To return to displaying all addresses, just click this button again. This type of filtering is removed automatically when a different branch is expanded, the selection in the facet or Cluster Map changes or when the sorting or grouping mode changes. This filter can be used in combination with the text filter Phone Number This facet lists phone numbers observed in phone calls, SMS and MMS messages extracted from cellphone reports. Furthermore, this includes phone numbers listed in PST contacts and vcard files. The incoming and outgoing branches are specific to phone calls and SMS/MMS messages. The All Phone Numbers branch combines all the above contexts. Depending on the type of evidence files and their contents, the phone numbers may or may not have a name associated with them. This facet also supports the filtering options described in the Address section Chat Account This facet lists chat accounts used to send or receive chat messages, such as Skype and WhatsApp account IDs. Phone numbers used for SMS and MMS messages are also included in this facet. Each chat account has the service (e.g. Skype) added as a suffix to the identifier, to be able to distinguish the same identifier on different chat networks. Depending on the type of evidence files and their contents, the chat accounts may or may not have a humanreadable name associated with them. This facet also supports the filtering options described in the Address section Recipient Count This facet lets the user search on recipient count ranges by entering the type and the number of recipients (minimum and maximum). The following recipient types are supported: Page 111 Intella User Manual 2017 Vound

112 All Recipients: all , chat and cellphone recipients. Visible Recipients: visible , chat and cellphone recipients (To, Cc). Blind Recipients: blind carbon copy recipients (Bcc) Date This facet lets the user search on date ranges by entering a From and To date. Please note that the date entered in the To field is considered part of the date range. Besides start and end dates, Intella lets the user control which date attribute(s) are used: Sent (e.g. all items) Received (e.g. all items) File Last Modified (e.g. file items) File Last Accessed (e.g. file items) File Created (e.g. file items) Content Created (e.g. file items and items from PST files) Content Last Modified (e.g. file items and items from PST files) Primary Date Family Date Last Printed (e.g. documents) Called (e.g. phone calls) Start Date (e.g. meetings) End Date (e.g. meetings) Due Date (e.g. tasks) The Date facet will only show the types of dates that occur in the evidence data of the current case. Furthermore, it is possible to narrow the search to only specific days or specific hours. This makes it possible to e.g. search for items sent outside of regular office hours. Note that the Preferences dialog has a setting that controls how dates are displayed: by selecting a geographic region, all dates will be displayed in a manner commonly used in that region Type This facet represents the file types (Microsoft Word, PDF, JPEG, etc.), organized into categories like Documents, Spreadsheets, etc. To refine your query with a specific file type, select a type from the list and click Search. Note that you can search for both specific document types like PNG Images, but also for the entire Image category. Empty (zero byte) files are classified as Empty files in the Others branch, regardless of their file extension Author This facet represents the name(s) of the person(s) involved in the creation of documents. The names are grouped into two categories, as is done in most office formats: Creator Contributor To refine your query by a specific creator or contributor name, select the name and click the Search button. Page 112 Intella User Manual 2017 Vound

113 This facet also supports the filtering options described in the Address section Content Analysis The Content Analysis facet allows you to search items based on specific types of entities that have been found in the textual content of these items. The top three categories are populated automatically during indexing and are available immediately afterwards: Credit Card Numbers suspected numbers of the major world-wide credit card systems (Visa, MasterCard, American Express and others). The numbers are validated using the procedures defined in the ISO/IEC standard. Social Security Numbers suspected SSN numbers issued by the United States Social Security Administration. Phone Numbers suspected phone numbers. The other categories in this facet are empty by default. To populate them, a user needs to perform the automatic content analysis procedure on a selected set of items. Please see the "Content Analysis" section for instructions. This facet also supports the filtering options that are available in the Address facet Keyword Lists In the Keyword List facet, you can load a keyword list, for automating searching with sets of previously determined queries. The most basic keyword list is a text file in UTF-8 encoding that contains one search term per line. Once loaded, all the search terms found in the keyword list are shown in the Keyword Lists facet. They are now available for searching: just select one or more queries, or select the name of the keyword list, and click the Search button to search with these queries. When the Combine queries checkbox is selected and you have multiple queries selected, they will be combined into one query, effectively creating a single Boolean OR query. The matching items are then returned as a single set of results. When the checkbox is deselected, the selected queries will be evaluated separately, resulting in as many result sets as there are selected queries in the list. This may cause the Cluster Map to turn to Sets mode to handle a large amount of result sets. Keyword lists can also use more advanced queries. The complete keyword search query syntax is supported here, e.g. wildcards, Boolean operators and field names can be used. Besides searching, keyword lists can also be used to tag items. To do this, select the keyword list and click the Auto-tag button. A window will open that lists the queries in the first column and the proposed tag in the second column. When you click Apply, each query in the first column will be evaluated separately and have its results tagged with the proposed tag. By default, the proposed tags are the queries itself. You can change this interactively in the table by clicking on the proposed tag and entering a new value. Alternatively, a keyword list can take the form of a CSV file in which the first column specifies the query and subsequent columns specify the tags. Use slashes to denote hierarchical tags. If a line has only one column, the proposed tag will default to the query text itself. Page 113 Intella User Manual 2017 Vound

114 As keyword lists are essentially CSV files, it is not recommended to use commas in queries, because they result in a different interpretation of the keyword list. If a comma in a query is required, you can wrap the entire query in quotes. The tags specified in the CSV file will be mapped to or result in the creation of top-level tags. It is not possible to specify nested tags MD5 and Message Hash Intella can calculate MD5 and message hashes to check the uniqueness of files and messages. If two files have the same MD5 hash, Intella considers them to be duplicates. Similarly, two s or SMS messages with the same message hash are duplicates. With the MD5 and Message Hash facet you can: 1. Find items with a specific MD5 or message hash and 2. Find items that match with a list of MD5 and message hashes. Specific MD5 or message hash You can use Intella to search for files that have a specific MD5 or message hash. To do so, enter the hash (32 hexadecimal digits) in the field and click the Search button. List of MD5 or message hashes The hash list feature allows you to search the entire case for MD5 and message hash values from an imported list. Create a text file (.txt) with one hash value per line. Use the Add button in the MD5 Hash facet to add the list. Select the imported text file in the panel and click the Search button below the panel. The items that match with the MD5 or message hashes in the imported list will be returned as a single set of results (one cluster). Message hash calculation The message hash is calculated by calculating the MD5 hash of a list of concatenated item properties. For s the following properties are used: From, Sender, To, Cc and Bcc headers. Subject header. Date header. body. All other MIME parts (attachments, nested messages, signatures, etc.). For SMS, MMS and other types of chat messages such as Skype and WhatsApp messages the following parts are used: The sender information. The receiver information. The textual content of the message. When certain headers/properties occur multiple times, all occurrences are used. A difference between message hashes and chat message hashes is that the hashing procedure for s will simply skip missing values, whereas for chat messages all fields need to be present to calculate a hash. These message hash computation methods have the benefit that they are source-agnostic: a specific message always gets the same message hash, regardless of whether it is stored in e.g. a PST, NSF, Mbox or EML file. Message hashes can therefore find duplicates across a variety of mail formats and be used to deduplicate such a diverse set of mail formats. When one of the copies has a minor difference, the will get a different hash and be treated as different from the other occurrences. A good example is a bcc-ed , as the bcc is only known by the sender and the Page 114 Intella User Manual 2017 Vound

115 recipient listed in the Bcc header. Therefore, these two copies will be seen as identical to each other but different from the copies received by the recipients listed in the To and Cc headers. Another example is an archived which has one or more attachments removed: it will be seen as different from all copies that still have the full list of attachments. Tip: Install a free tool such as MD5 Calculator by BullZip to calculate the MD5 hash of a file. You can then search for this calculated hash in Intella to determine if duplicate files have been indexed. Tip: Use the Export table as CSV option in the Details table to export all MD5 and message hashes of a selected set of results to a CSV file Item ID Lists In the Item ID Lists facet you can load a list of item IDs, to automate the searching with sets of previously determined item IDs, e.g. obtained by exporting the Details table to a CSV file. An item ID list is a text file in UTF-8 encoding that contains one item ID per line. Once loaded into the case, you can select the list name and click Search. The result will be a single result set consisting of the items with the specified IDs. Invalid item IDs will be skipped Language This facet shows a list of languages that are automatically detected in your items. To refine your query with a specific language, select the language from the list and click the Search button. When Intella cannot determine the language of an item, e.g. because the text is too short or mixes multiple languages, then the item will be classified as Unidentified. When language detection is not applicable to the item s file type, e.g. images, then the item is classified as Not Applicable Size This facet groups items based on their byte size. To refine your query with a specific size range, select a value from the list and click the Search button Duration This facet reflects the duration of phone calls listed in a cellphone report, grouped into meaningful categories Device Identifier This facet groups items from cellphones by the IMEI and IMSI identifiers associated with these items. Please consult the documentation of the forensic cellphone toolkit provider for more information on what these numbers mean. This facet also supports the filtering options described in the Address section Export Sets All export sets that have been defined during exporting are listed in this facet. Searching for the set returns all items that have been exported as part of that export set. Page 115 Intella User Manual 2017 Vound

116 14.2 Including and excluding facet values Facet values can be included and excluded. This allows filtering items on facet values without these values appearing as individual result sets in the Cluster Map visualization. To include or exclude items based on a facet value, select the value and click on the arrows in the Search button. This will reveal a drop-down menu with the Include and Exclude options Including a facet value Including a facet value means that only those search results will be shown that also match with the chosen included facet value. Example: The user selects the facet value and includes this facet value with the drop-down menu of the Search button in the facet panel. The Searches panel in the Cluster Map shows that PDF Document is now an included term. This means that from now on all result sets and clusters will only hold PDF Documents. Empty clusters will be filtered out. For example, see the image on the right: the Enron search term resulted in 1,658,954 items, but after applying the category with its 2,278,804 items as an inclusion filter, only 333,780 items remain. When multiple includes are used, the results are filtered for all items that are in at least one of the include sets, i.e. it is like filtering with the union of all includes Excluding a facet value Excluding a facet value means that only those search results will be shown that do not match with the chosen excluded facet value. Example: The user selects the facet value PDF Document and excludes this facet value with the drop-down menu of the Search button in the facet panel. The searches panel in the Cluster Map shows that PDF Document is excluded. As long as this exclusion remains, all result sets and clusters will not hold any PDF Documents. Empty clusters will be filtered out. Note: Excludes are often used to filter out privileged items before exporting a set of items, e.g. by tagging items that match the privilege criteria with a tag called privileged. In this scenario, it is important to realize that when exporting an to e.g. Original Format or PST format, it is exported with all its attachments embedded in it. The same applies to a Word document: it is exported intact, i.e. with all embedded items. Therefore, when an attachment is tagged as privileged and privileged is excluded from all results, but the holding the attachment is in the set of items to export, the privileged attachment will still end up in the exported items. The solution is to also tag both the parent and its attachment as privileged. The tagging preferences can be configured so that all parent items and the items nested in them automatically inherit a tag when a tag is applied to a set of items. Page 116 Intella User Manual 2017 Vound

117 When filtering privileged information with the intent to export the remaining information, we recommend that you verify the results by indexing the exported results as a separate case and checking that there are no items matching your criteria for privileged items. Page 117 Intella User Manual 2017 Vound

15 Cluster Map The Cluster Map shows search results in a graphical manner, grouping items by the queries that they match. This chapter will help you understand how this visualization works.

Searches panel shows the list of result sets. 15.1 Understanding a Cluster Map The figure above shows a graph with two labels and three clusters.

Every cluster is connected to one or more labels. In this Cluster Map, we see that the user has evaluated two keyword searches: one for the word buy and one for the word sell.

sell returned 67 items and is represented by the red edges.

118 15 Cluster Map The Cluster Map shows search results in a graphical manner, grouping items by the queries that they match. This chapter will help you understand how this visualization works. Cluster with 51 items. Label or Result set. Control buttons adjust the contents of the Cluster Map. Cluster with 16 items, connected to two results sets. Searches panel shows the list of result sets Understanding a Cluster Map The figure above shows a graph with two labels and three clusters. The larger, colored spheres are called clusters. They represent groups of items such as s and files. The queries entered by the user are shown as labels and are used to organize the map. Every cluster is connected to one or more labels. In this Cluster Map, we see that the user has evaluated two keyword searches: one for the word buy and one for the word sell. The Cluster Map shows these two result sets, using the search terms as their labels: buy returned 99 items and is represented by the blue edges. sell returned 67 items and is represented by the red edges. The colored edges connect the clusters of items to their search terms, indicating that these items are returned by that search term. For example, this Cluster Map shows that there are 16 items that were returned by both the sell and buy queries, 51 items that contain sell but not buy, and 83 items that contain buy but not sell. When a third keyword search for money is added, the graph changes as follows on our data set: Page 118 Intella User Manual 2017 Vound

Finally, three large clusters at the periphery represent all items that only match the search term that it is connected to.

119 In the middle is a single cluster of 6 items that is connected to all three labels. This represents the 6 items that match all three search terms. There are three clusters of 19, 9 and 10 items, each connecting to two labels but not a third. They represent the items that match two out of the three search terms. Finally, three large clusters at the periphery represent all items that only match the search term that it is connected to. A Cluster Map can always draw a reasonable picture of up to three search terms: the above map shows the maximum complexity that such a graph may have. Beyond three search terms the graph may become too complex and cluttered to be meaningful. That is why the Cluster Map has a second visualization mode called Sets. This mode can be chosen by clicking on the Sets mode in the toolbar. When the user enters more than seven queries, the Cluster Map will automatically switch to that mode. In Sets mode, the three result sets are visualized like this: Page 119 Intella User Manual 2017 Vound

Furthermore, all sets are grouped by their order of magnitude indicated on the left in this case all result sets are of the same order of magnitude.

120 Here, each result set is depicted as a single rounded square shape with the label and number of items on top. The size of the square is related to the number of items in the set: bigger means more items. Furthermore, all sets are grouped by their order of magnitude indicated on the left in this case all result sets are of the same order of magnitude. The overlap between sets is no longer visualized until the user selects one of the sets. Sets mode can scale to a much larger amount of result sets. The following image is a visualization of 16 result sets, divided among four different orders of magnitude. Adjacent groups get alternating colors for better separation. Note that the visual size of the result sets, indicating the number of items in each set, is only comparable within the group Manipulating Cluster Maps The result sets created with the current query are listed in the box at the top right corner of the Cluster Map panel. To remove a result set from the Cluster Map, click on the remove icon (red X) in the list. To clear the Cluster Map - remove all result sets - and start a new search, click the Clear button in the terms list. If the Cluster Map regeneration takes too long, you can stop the process by clicking the Stop button. Page 120 Intella User Manual 2017 Vound

121 To view and open the individual items in a cluster or result set, first click on the cluster or label. This will list the items in that set in the Details view below. From there the items can be opened by a single or double click, depending on the currently selected view mode of the Details view Options When the Cluster Map is in Clusters mode, the Filters button in the toolbar will be enabled. When this toggle button is selected, the graph is filtered to show only the clusters with the most connections. These could be seen as the most relevant result clusters. This filtering has no equivalent in Sets mode and therefore is disabled in that mode. The last button in the toolbar indicates whether the graph should be shown at normal size (with scrollbars if necessary) or be scaled to fit in the visible space. For Clusters the fit to size mode makes the most sense. For Sets mode showing at normal size is often preferable, especially when dealing with lots of result sets (tens or more). The current visualization can be exported as a transparent, 24-bit PNG image. To do so, choose the Cluster Map option in the Export menu. Page 121 Intella User Manual 2017 Vound

16 Histogram The Histogram shows how a set of search results is spread over time. This tells the user when certain communications or other activities took place.

122 16 Histogram The Histogram shows how a set of search results is spread over time. This tells the user when certain communications or other activities took place. Another important use case of this visualization is to find anomalies in the data. Any gaps in the chart may indicate shortcomings in the data collection process, e.g. due to a device or disk that should have been included. However, it can also indicate custodians intentionally or unintentionally withholding data, e.g. by deleting s prior to the collection. The image below shows the results of a keyword search for invoice, grouped by year: This histogram immediately tells you that the timestamps of the items matching invoice range from 1980 to 2016, with the majority between 2000 and 2009, and peaking in The date range that Intella looks for ranges from 1969 to the current year plus two years. This will filter out bogus dates that are far in the past or future. Large, real-life data sets will often show items on specific dates like January 1 st 1970, January 1 st 1980 or similar round dates. These are typically caused by default date values used in some applications. Future versions may make it possible to filter out such dates. Initially the Histogram will show the items grouped by year. It is possible to toggle between years and months by using the supplied toggle buttons Date attributes The date attribute used to create the chart is configurable. By default, the Family Date is used. This typically gives a good sense of the when of an evidence set, without dates in older attachments and files giving a warped sense of the relevant dates. To use a different date, click on the button showing Family Date (if the default has not been altered yet) and use the checkboxes in the popup to indicate the desired date attribute(s). Multiple date attributes may be used, e.g. Sent and Received. In this case it may occur that an item is represented in multiple bars in the histogram, because one date attribute may be in one bar s date interval and Page 122 Intella User Manual 2017 Vound

another date attribute falls into a different bar s date interval. To get a sense of the volume of the data, it is best to use a single date attribute. 16.

123 another date attribute falls into a different bar s date interval. To get a sense of the volume of the data, it is best to use a single date attribute Selections To see the items in a specific year or month, simply click on the bar representing that year or month. This will list the items in the Details view below. To see all items in a range of years or months, drag the mouse cursor across the chart. This will show a marker in the background, indicating the selected date range. All bars overlapping with that date range will be selected. Page 123 Intella User Manual 2017 Vound

17 Geolocation The Geolocation view shows the (estimated) locations of all search results that have

Cluster containing a single item, in this case an email Controls for adjusting the zoom level Cluster

help you understand how this visualization works. 17.

method. Emails through geolocation lookup of the sender IP.

representing the where of the found items.

124 17 Geolocation The Geolocation view shows the (estimated) locations of all search results that have geolocation information on the world map. Cluster containing a single item, in this case an Controls for adjusting the zoom level Cluster containing 501 search results Searches panel, showing the list of search result sets This chapter will help you understand how this visualization works Basics Currently, geolocation data is extracted from the following sources: Images GPS coordinates in the EXIF metadata. Cellphone reports available information depending on the device model, extraction utility and extraction method. s through geolocation lookup of the sender IP. Using this information, a set of search results can be mapped to a set of geographic coordinates, roughly representing the where of the found items. Any items that do not have any geolocation information associated with them are omitted in this view. Showing each item s estimated location on the map would make the view very cluttered. Items laying in the same area are therefore grouped into clusters, shown as a blue circle in the screenshot above. The number in a cluster represents the number of items whose geolocation falls in that area. Page 124 Intella User Manual 2017 Vound

When zooming in, the geographic size of what constitutes the same area will be reduced, resulting in clusters getting split up into smaller clusters.

Zoom in Zoom out The clustering is determined by imposing an invisible grid on the map and bundling all items in a grid cell into a cluster.

This gives the user a quick overview of the images located in a specific area. For all other items, the item s file type icon will be shown. 17.

To pan (move sideways) in a zoomed map, move the mouse while holding down the left mouse button. To inspect the content of clusters, the user can select: A single cluster, by clicking on it.

125 When zooming in, the geographic size of what constitutes the same area will be reduced, resulting in clusters getting split up into smaller clusters. Zooming out of the map consolidates clusters into fewer and larger clusters again. This cluster management allows the user to inspect specific locations in detail. Zoom in Zoom out The clustering is determined by imposing an invisible grid on the map and bundling all items in a grid cell into a cluster. When a grid cell contains only a single item, an icon will be placed on the map instead, representing that single item. For image items, this icon will be a thumbnail of the image. This gives the user a quick overview of the images located in a specific area. For all other items, the item s file type icon will be shown Interaction Zooming can be done using the control buttons in the top-right toolbar or by using the mouse wheel. To pan (move sideways) in a zoomed map, move the mouse while holding down the left mouse button. To inspect the content of clusters, the user can select: A single cluster, by clicking on it. Multiple clusters, by clicking on them while holding down the CTRL key. Multiple clusters, by dragging in the map while holding down the right mouse button. The contents of the selected cluster(s) will be displayed in the Details view below the Geolocation view. The view also responds to facet selections. The image below shows the Geolocation view, showing all images in a specific case. Selecting the 500 KB 1 MB category in the Size facet has turned all cluster discs into pie charts. The solid, dark blue areas in the pie charts represent the items that match this Size facet category. This Page 125 Intella User Manual 2017 Vound

126 way, the user can quickly identify the geographic spread of the matching items in the map without having to change the set of queries. This works for every available facet that supports value selections. In the figure below, the map is shown after an Include search is added using the same Size facet query: Page 126 Intella User Manual 2017 Vound

127 17.3 Resources Intella may need two resources to make the most out of the Geolocation visualization Tile server By default, Intella uses tiles (images containing parts of the map) that are embedded in Intella to construct the world map. This makes it possible to use the Geolocation view without any configuration and without requiring an Internet connection to download these tiles. Due to the enormous size of a complete tile set covering all zoom levels of the entire world map, the embedded tile set is limited to the first 6 zoom levels. As a rule of thumb, this usually shows the major cities in most countries, but it will not let you zoom in to see where in the city an item is located. To zoom in beyond that zoom level, a connection to a tile server is needed. This can be a public tile server or one located in your network. See the Preferences section on how to configure a tile server. Note that a tile server may not only let you zoom in and create more fine-grained maps, it can also let you apply a different map rendering, e.g. a map containing elevation data, infrastructural information, etc IP geolocation database To determine the geolocation of s, Intella uses the chronologically first IP address in the Received headers (i.e. the one nearest to the bottom of the SMTP headers). Next, a geolocation lookup of that IP address is done using MaxMind s GeoIP2 or GeoLite2 database. These databases are not distributed with Intella and therefore one needs to be installed manually. See the Preferences section on how to acquire and install an IP Geolocation database Caveats While the Geolocation view can quickly give a unique and insightful overview of a data set, there are some aspects of geolocation visualization to be aware of. Geolocation data is approximative by nature and manual verification of the findings will always be required. This is not an Intella limitation; it is inherent to the complexity and unreliability of the systems producing the geolocation information. Make sure that you are fully aware of these aspects and their consequences before relying on the findings GPS coordinates GPS coordinates, such as obtained from the EXIF metadata of images or location-bound items extracted from cellphones, are usually quite accurate. However, they are subject to the limitations of GPS: In the best-case scenario, the accuracy is typically in the range of several meters. The accuracy can be lower or coordinates can even be completely wrong when the GPS hardware cannot receive a good signal (e.g. in the direct vicinity of buildings), due to hardware limitations of the GPS device (the theoretical maximum precision possible varies between devices) or simply due to bugs and hardware faults in the device. The same applies to comparable satellite-based navigation systems such as GLONASS. Geolocation coordinates may also have been determined using other techniques, e.g. based on geolocation information about nearby Wi-Fi networks and cell towers. Page 127 Intella User Manual 2017 Vound

128 Some devices combine several of these techniques to improve accuracy and coverage. Therefore, what is commonly referred to as GPS coordinates may not have been established through GPS at all. Coordinates may have been edited after the fact by a custodian using an image metadata editor. A set of different images with the precise same coordinates may point in that direction. This may be harmless, e.g. to fill in the coordinates of images taken with a camera that does not have GPS functionality IP geolocation The determination of an s geolocation by using its sender s IP address is imprecise by nature, typically even more so than GPS coordinates. First, the determined Source IP address may be incorrect due to several reasons: Some servers mask such IP addresses. Instead, it may in fact be the second IP address of the transport path that is being used. A web client (e.g. Gmail used through a web browser) may have been used to send the . The IP address may have been spoofed. The IP address may not reflect the sender s location due to the use of a VPN, Tor, etc. Second, IP geolocation databases are typically never 100% accurate and the accuracy varies by region. See MaxMind s website for statistical information on their accuracy. Reasons for this imprecision are: The geolocation of an IP address may change over time. Note: take this into account when indexing an older data set! Some IP addresses may only be linked to a larger area like a city or even a complete country, yet the precise coordinates may give a false sense of GPS-style precision. The techniques behind the collection process for creating this database introduces a certain amount of imprecision Tile servers Using a public tile server may reveal the locations that are being investigated to the tile server provider and anyone monitoring the traffic to that server, based on the tile requests embedded in the retrieved URLs. Note that to use a public tile servers, you need to ensure that you comply with the tile server's usage policy. This is your responsibility, not Vound s Attribution We are grateful for obtaining the data we have used for the embedded tiles generation from the OpenStreetMap project, OpenStreetMap contributors. See for more information on this project. The tile set is made available under the Open Database License: Any rights in individual contents of the database are licensed under the Database Contents License: Page 128 Intella User Manual 2017 Vound

18 Social Graph The Social Graph is another visualization of search results, showing where the emails in the search results came from and went to. 18.

129 18 Social Graph The Social Graph is another visualization of search results, showing where the s in the search results came from and went to Basics The social graph is revealed by clicking on the Social Graph button in the Results toolbar. Next, just enter any type of query and the results will be displayed as a social graph. When switching from a populated Cluster Map to the Social Graph, the graph will start loading immediately with these results. Page 129 Intella User Manual 2017 Vound

130 When multiple searches have been evaluated, the graph is based on the union of all search results, with the Includes and Excludes applied. In other words, the social graph is based on the same items that are visible in the Cluster Map at the same moment. To see the s in this result set that relate to a specific contact, i.e. that have that contact as sender or recipient, click on the node representing that contact. To see the s in this result set that have been sent between two contacts, click on the edge between those nodes. In both cases the Details panel below the Social Graph will display these s. Tip: note that the Timeline view is a natural fit to display the s represented by a node or edge. All s are sorted by sent date, and you can easily see the sender and receivers of the individual s. When a person sends a mail to several people, this will result in several edges in the graph. Therefore you may encounter the same several times when browsing the graph and selecting edges Controls The toolbar at the top left offers four buttons for managing the zoom level of the graph: Zoom in. Zoom out. Reset zoom level to the default value. Change the zoom level to make the graph fit the available screen space. The fifth button shows or hides all node labels. When set to hide, only the labels of selected nodes and their connected nodes are displayed. Page 130 Intella User Manual 2017 Vound

131 Finally, the sixth button collapses the toolbar and the Searches panel, revealing any graph structures beneath it. Click on the button that appears in the top-right corner to expand these panels again. The lower part of the toolbar is used to specify what should be shown as node labels: Show only the contact name; use the address if there is no contact name. Show only the address; use the contact name if there is no address. Show both the contact name and address. By default, only contact names are shown, as these are typically shorter than addresses and lead to less cluttered displays. The following mouse operations are supported: Drag a node to improve readability. Click on a node to highlight that node and the nodes connected to it. Use Ctrl-clicking to select and highlight multiple nodes. Hold down the right mouse button while dragging to scroll (pan) the graph. The graph can be exported to a PNG file by using Export Social Graph Limitations At this moment, the Social Graph only displays s. Future versions will also handle phone calls, other message types, and attachments that are embedded in these messages. Furthermore, the graph displays a warning when your result set contains more than 700 unique s, as this may take considerable time to create. Future versions will again address this in various ways. Page 131 Intella User Manual 2017 Vound

19 Details panel To inspect the contents of the visualization, the user can select a cluster or result set by clicking on it. Its contents will be displayed in the Details panel below the map.

132 19 Details panel To inspect the contents of the visualization, the user can select a cluster or result set by clicking on it. Its contents will be displayed in the Details panel below the map. This panel contains a list of the items that can be presented in four modes: Table view List view Thumbnails view Timeline view 19.1 Table view The table view displays the results as a table in which each row represents a single item and the columns represent the attributes such as title, date, location etc. The set of attributes to display can be customized with Toggle visible table columns button - the right button of the Details Panel Control. Click on a table column header to sort the table by specific item attributes Adding and removing columns With the Toggle visible table columns button in the Details toolbar you can add and remove columns in the table, by (de)selecting column names in the popup that shows when you click the button. The selected columns are stored: every time you start Intella, these columns will be shown until you select other columns. This option is only available in the Table view. The following columns are available: Page 132 Intella User Manual 2017 Vound

General columns: Certificate: The certificate with which an encrypted item could be decrypted. Contact name: The name of a contact encountered in a PST file or as a vcard file.

133 General columns: Certificate: The certificate with which an encrypted item could be decrypted. Contact name: The name of a contact encountered in a PST file or as a vcard file. Decrypted: Shows if an item is encrypted and Intella has decrypted it. Direct Child IDs: The item IDs of the direct children of this item. Direct Parent ID: The ID of the item s direct parent item. Document ID: The ID as imported from a load file. This ID is maintained for cross-reference purposes. Duplicates: Shows the number of duplicates of an item within the case. Embedded Image: Indicates whether the item is an embedded image extracted from an , Microsoft Office or PDF document. See the Features facet section for a precise definition of this category. Encrypted: Shows if an item is encrypted. Exception: Shows if an item had one or more issues indexing properly. File Name: The name of a file in the file system, in an archive or used as an attachment name. Has Geolocation: Indicates whether the item has geolocation information associated with it. Item ID: The ID used internally in Intella s database to refer to this item. Language: The language of the item's text. The language field is left blank when the language cannot be detected automatically. When the language could not be determined, e.g. because the text is too short or mixes various languages, the value shown will be unidentified. Item types that inherently do not have a language, e.g. images or archives, show the not applicable value. Location: Name of the location in the original evidence data where the item is stored. For example, an in a PST file would have a location that would start with the folder and file name of the PST file, followed by the mail folder path inside that PST file. MIME type: The type of an item per the MIME standard. Native ID: The native ID of the item. Currently only IBM Notes UNID (Universal Notes ID) are listed here. This column may be used for other native ID types in the future. Page 133 Intella User Manual 2017 Vound

134 Parent Document ID: The ID of a parent document as imported from a load file. This ID is maintained for cross-reference purposes. Password: The password with which an encrypted item could be decrypted. Recovered: Indicates whether the item has been recovered. See the Features facet section for the definition of the Recovered status. Size: The item's size in bytes. Source: The name of the Intella source that holds the item. Typically, this is the root folder name or the name of the mail container file (e.g. PST or NSF file). Source Path: The path to the evidence, e.g. the PST or NSF file, or the root folder of a Folder source. This helps reviewing items when dealing with a lot of evidence files the name of the evidence file and the derived source name may not hold enough information to easily discern the origin of the information. Subject: The subject of an or document item note that some document formats can have both a title and a subject. Title: The title of a document item. Type: The item's human-readable type, e.g. MS PowerPoint Document or Message. URI: Uniform Resource Identifier, the identifier used internally by Intella for the item in addition to the Item ID. -specific columns: All Receivers: The combined list of To, Cc and Bcc agents. All Senders: The combined list of From and Sender agents. Attached: Whether this item is an attachment to an , conversation or document. Attachments: Shows the file names of an s attachments. Bcc: The addresses in the Bcc header. Bcc Count: The total number of unique blind carbon copy recipients (Bcc). Cc: The addresses in the Cc header. From: The addressed in the From header. Has Attachments: s that are marked as having attachments. Has Internet Headers: s that have regular SMTP headers. When this is not the case, information about e.g. the sender, receiver and dates may still be obtained from other fields, depending on the source format. Message Hash: Shows the Message Hash for s and SMS messages. This hash is used for deduplicating s and SMS messages in a manner that works across different mail formats and phone data source types. Message ID: Shows the Message ID extracted from messages. Recipient Count: The total number of unique , chat and cellphone recipients. Sender: The addresses in the Sender header. Source IP: the determined source IP of the . To: The addresses in the To header. Unread: Shows if an item was unread at the time of indexing. Visible Recipient Count: The total number of unique visible , chat and cellphone recipients (To, Cc). Cellphone-specific columns: All Phone Numbers: phone numbers relevant to a phone call, regardless of whether it is an incoming or outgoing call, combined with phone numbers found in contacts. Page 134 Intella User Manual 2017 Vound

135 Chat Accounts: all instant messaging accounts (Skype, WhatsApp, but also SMS and MMS phone numbers) that have been used to send or receive a chat message. Chat Receivers: all instant messaging accounts used to receive a chat message. Chat Senders: all instant messaging accounts used to send a chat message. Duration: how long the phone call took. IMEI: The International Mobile Station Equipment Identity (IMEI) number of the phone from which the item was obtained. IMSI: The International Mobile Subscriber Identity (IMSI) associated with the item. Incoming Phone Numbers: phone numbers used for incoming phone calls. Outgoing Phone Numbers: phone numbers used for outgoing phone calls. File- and document-specific columns: Contributor: The name(s) of the contributor(s) of a document. These are typically authors that edited exiting documents. Creator: The name(s) of the creator(s) of a document item. These are typically the initial authors of a document. Empty document: Shows that the item has no text while text was expected. Example: a PDF file that contains only images. File Extension: the file extension of a file, e.g. doc, pdf. Irrelevant: Indicates whether the item is classified as Irrelevant. See the Preferences section for the definition of the Irrelevant category. MD5 Hash: The MD5 hash that uniquely identifies the item. OCRed: Shows whether an OCR method has been applied on this file. Page Count: the number of pages of the items as reported by the metadata present in the original evidence item. I.e., this is not a verified and is only possible for certain document formats that support such a metadata attribute. Columns containing dates: Called: The date a phone call was made. Content Created: The date that the content was created, per the document metadata. Content Last Modified: The date that the content of the item was last modified, per the documentinternal last modified date. Due: The due date of a task. End Date: The end date of an appointment, task or journal item. Family Date: The family date of the item. Family dates build on primary dates and take the item hierarchy into account. The family date of an item is defined as the primary date of its top-level parent, i.e. all items in an item family have the same family date. Sorting on Family Date sorts by this date, but also puts attachments and nested items right behind their parent. This is strictly enforced, i.e. two item families with the same family date are not intertwined. This makes it possible to review items in chronological order while maintaining a sense of their context. Certain types of items are skipped when determining the family root, namely all folders, mail containers, disk images, load files and cellphone reports. File Created: The date a file was made, according to the file system. File Last Accessed: The date a file was last accessed, according to the file system. File Last Modified: The date of the last time the file was modified, according to the file system. Last Printed: The date a document was last printed, according to the document-internal metadata. Primary Date: The date that is the best match for the given item. Default or user-defined rules are used to pick the most appropriate date attribute based on the item s type. Page 135 Intella User Manual 2017 Vound

136 Received: The date the item was received. Sent: The date the item was sent. Start Date: the start date of an appointment, task or journal item. Visited: The last visited date of an item obtained from a browser history or Windows registry. Review-specific columns: Comments: Shows if an item has comments. When this is the case, a yellow note icon is shown in the table. Hover over the icon to see a tooltip with the comments attached to the item. Custodian: shows the name of the custodian associated with this item. Exported: Shows if an item has been exported. Flagged: Shows a column at the left side of the table that indicates if an item is flagged. Click the checkbox if you want to flag an item. Opened: Shows if an item has been opened in its native application. Previewed: Shows if an item has been opened in the previewer. Redacted: Indicates whether the item has been redacted. Tags: Shows the tags connected to an item. Tag groups (optional) These columns are created for every top-level tag with sub-tags. If selected, the corresponding column shows the tags within that part of the tag tree. The column will be named after the top-level tag. Export (optional) When items have been exported using the export set functionality, a column will be made available for every export set, holding the export IDs within that export set. Use the Check / uncheck all checkbox to immediately set all checkboxes on or off. For contacts, e.g. senders and receivers, this popup lets the user choose whether to display the contact name, the address or both. The chosen setting will affect the table sorting when the involved columns are used to sort the table. The contents of the date columns can be adjusted to show their time zones: When set to Always, each date and time value is always accompanied by an explicit time zone. When set to For different sources, time zones are only shown when items from different sources are being shown in the table. Do not show suppresses all time zones Reorganizing table columns The columns can be reorganized by dragging a column header to a different location in the table. The order is persistent across application sessions, but specific to that case Sorting the list By clicking on a column header, the search results will be sorted alphabetically, numerically, or chronologically, depending on the type of information shown in that column. By clicking the header once more, the sort order will be reversed. Clicking one more time will remove the sorting, letting the results be displayed in their original order. Sorting on the Family Date column is implemented as a compound sorting on two columns. Items are first sorted by the Family Date itself and next by the Hierarchy criterion. This process is transparent to the user and Page 136 Intella User Manual 2017 Vound

137 results in attachments and embedded items always getting placed directly after their parent item, which can greatly simplify the review of the items. Sorting by multiple columns can be achieved by holding the Ctrl button while clicking on the column names. Any additional clicked column will be added to the list of sorting criterions. When two items cannot be sorted using the values from the first column (because the values are identical), the second column will be used, and so on. Besides clicking on column headers, you can alter the sorting with the Sort table button. This opens a dialog that lets you select the sorting columns and the sort order per column (ascending/a-z or descending/z-a). This dialog lets you use all the columns available, regardless of whether the column is currently present in the table. Furthermore, this dialog offers a sort criterion called Hierarchy, which is not available as a table column. Sorting on this criterion puts the items in hierarchical order, e.g. an is directly followed by its attachments Showing a conversation Right-clicking a message item and selecting the Show conversation option will display a new result set in the Cluster Map, showing all messages that are part of the conversation. This includes replies and forwarded messages. The messages in a conversation set are determined by matching keywords in their subject lines and by inspecting values in the "In-Reply-To" and "References" headers. More specifically: 1. The algorithm takes the item's subject and reduces this to the "base subject" by stripping all prefixes like "Re:", "Fwd:". It supports common prefixes for several languages. 2. Next, it determines the set of Message IDs mentioned in the item's "Message-ID", "In-Reply-To" and "References" headers. 3. It does a Boolean AND query for the words in the base subject, restricting the search to the "title" field. 4. It narrows this set down to all items that have at least one of the Message IDs in the determined set in their headers, i.e. regardless of the specific header name it is associated with Showing the child items To determine all items nested in an item, right-click on the item and select Preview. Next, switch to the Tree tab to see the full hierarchy, including all child items. To determine the children of a set of selected items, select all relevant items in the Details table, right-click on one of them and click the Show children option. This will open a dialog that asks you what children to put in the result set, as child items may also again contain child items Showing the parent items Right-click an attachment and select the option Preview parent to view the message that contains the selected item. This feature looks up the parent item recursively until it reaches an item. To determine the parent of a set of selected items, select all relevant items in the Details table, right-click on one of them and click the Show parents option. This will open a dialog that asks you whether to produce the top-level or direct parents, and what to do with items that have no parent. See the search preferences for settings related to how the top-level and direct parents are determined. Page 137 Intella User Manual 2017 Vound

19.1.7 Showing native ID duplicates To determine all items that have the same Native ID as a specific item, right-click on the item and select Show Native ID duplicates.

138 Showing native ID duplicates To determine all items that have the same Native ID as a specific item, right-click on the item and select Show Native ID duplicates. See the Adding and removing columns for the definition of the Native ID column List view The List view displays the results in a form similar to conventional web search engines. Select the third button in the Details toolbar to switch to this view. For each item, the title and other important metadata will be displayed, as well as a fragment of the document text, if any text has been extracted from this item. When Intella currently is displaying keyword search results, the selected text fragment will show the keyword matches and their context. The title is normally displayed in a light green color; dark green indicates that the item has been previewed before by the current user. If the item has any tags applied to it, these will be shown on the right as blue labels. To flag an item, use the checkbox on the left. Items can be selected by clicking, Ctrl-clicking and right-clicking. Right-clicking on any item reveals the same popup as used in the Table view Thumbnails view The Thumbnails view displays the thumbnails of the images detected within a selected cluster. This includes images embedded in bodies, attachments and images inside documents. Page 138 Intella User Manual 2017 Vound

Hover over the thumbnails with your mouse cursor to see a summary of the data connected to the image. You can flag an image with the checkbox below the thumbnail.

Tip: the Thumbnails view will work a lot smoother when you let it pre-generate the thumbnail representation of all images in the case in advance.

139 Hover over the thumbnails with your mouse cursor to see a summary of the data connected to the image. You can flag an image with the checkbox below the thumbnail. When you double-click a thumbnail, the image will open in the previewer. Tip: the Thumbnails view will work a lot smoother when you let it pre-generate the thumbnail representation of all images in the case in advance. This can be done by selecting Generate Thumbnails from the Sources menu Timeline view The Timeline view shows a chronological representation of communications, phone calls and SMS/MMS messages. The left pane shows the senders and receivers, i.e. addresses or phone numbers, with their communication plotted chronologically. Every edge in the timeline view represents a communication and points to the receiver of that communication. The node color represents the role a contact (i.e. an address or phone number) has in a communication, e.g. sender or caller. Click the Legend button to see an explanation of all node colors that can occur. Page 139 Intella User Manual 2017 Vound

140 When displaying s, it may occur that an appears to have two senders. That happens when the has both a From and a Sender header. As in most circumstances the From header is of primary interest, the visualization of the Sender headers is by default disabled. It can be enabled by clicking on the Options button and checking the Display the Sender header in addition to the From header checkbox. Tip: When you click an arrow, the arrow, the connected arrows, and the connected squares will be highlighted. When you double click an arrow, the will show in a preview window. Tip: Export a timeline by choosing Export > Timeline from the menu. The timeline will be saved as a PNG image Deduplication and irrelevant items With the Deduplicate button duplicates are removed from the search results based on the MD5 and message hashes of the results. Similarly, the Hide Irrelevant button removes all items marked as Irrelevant during indexing. See the Preferences section for information on the Irrelevant Items category. When used in the Thumbnails view, which shows both the images in the selected results as well as any images nested in those results, the end result is filtered. In other words: first the set of images in the item set is determined, then it is extended with the set of nested images, and finally the deduplication and irrelevant item filters are applied on this combined set. Page 140 Intella User Manual 2017 Vound

141 20 Previewing results Produce the item in several formats. Inspect an item s contents, headers, properties, attachments, thumbnails, tree structure, extracted words, comments and performed user actions Iterate over your result list. Item summary shows important item metadata. Tag or flag the current item. Navigate to or search for related items. Hts indicators show where keyword search hits are located in the text. Prepare a copy redacted for privileged content. Collapse and expand paragraphs. Loop over all search hits found in this item. Page 141 Intella User Manual 2017 Vound

142 20.1 Overview of the Previewer When you double-click an item, it will open in the Previewer. This window allows you to inspect, flag, and tag the item, to explore its relations with other items, and to export the item for later use. The Previewer will show several tabs, presenting differ aspects of the item, such as Contents, Preview, Headers, Raw Data, Properties, Attachments, etc. The set of tabs will differ from item to item, depending on the type of item that you selected and what information is available for that item The Toolbar The toolbar on the right of the window contains options for producing and annotating the current item, as well as navigating to other items and starting new searches that use this item as a starting point. At the top is a panel with buttons for producing the current item in several formats: Export This button opens the Export result as dialog. Enter a name and location if you want to store the item. This exports the item in its original format. Print Tab This button opens a print dialog that shows the contents of the selected tabs (Contents, Headers, Thumbnails, etc.) of the item. Click the print button on the lower right to print the item. Alternatively, the print output can also be saved as a PDF document. Print Report This button opens a print dialog that shows the contents of all tabs of the item. If the item has attachments, you are asked if these should also be printed. Click the print button on the lower right to print the item. Alternatively, the print output can also be saved as a PDF document. Open in Application This button opens the item using the computer's default application (e.g. a PDF file would be opened with Adobe Acrobat Reader if that is the default PDF viewer on your computer). Open Containing Folder This button is enabled for items that represent files in the file system and provides quick access to it. When clicked, Windows Explorer will open, show the file s folder and select the file in the folder. The next panel lets one iterate over all items in the Details view from which the Previewer was launched: Previous and Next buttons Go to the next or previous item in a list. Alternatively, you can also use the keyboard shortcuts Alt+right-arrow to go to the next item, and Alt+left-arrow to go to the previous item. This functionality is not available when the Previewer was launched by clicking in the Cluster Map, from the Tree tab of another Previewer, etc. The next two panels are for annotating the current item: Tag button Opens the tag space where you can add new tags to your case and select a tag from a list of existing Page 142 Intella User Manual 2017 Vound

143 tags. Quick tag buttons You can assign a tag to a quick tag button. Clicking the button tags the item and switches the previewer to the next untagged item in the list. If no tag is pinned to a Quick tag button, it is randomly associated with one of the recently used tags by default. Go to next item after tagging check box When this check box is selected, clicking the quick tag buttons will switch the Previewer to the next item in the list (if there is one). Flagged Select this check box to flag the previewed item. You might want to flag an item for organizational reasons. For example, to keep track of the items that you have reviewed in the case. The next panel holds actions for navigating to and searching for related items: Preview Parent Use this button to open the parent item in a previewer window. A parent item contains one or more items. Example: Pictures found in a Microsoft Word document are separate items in Intella. The Word document is the parent item for these pictures. The same is true for items found in archive file, such as a ZIP file: The archive file is the parent item for these items. Preview Parent Mail Use this button to open the parent item in a previewer window. A parent item contains one or more items. Example: A picture attached to an is a separate item in Intella. The is the parent for the picture. Show Children Use this button to search for and display the children associated with the item being viewed in the previewer. When selected, a search result with the associated children of the selected items will be available in the Cluster Map panel. The label of the cluster will be Children of [file name] or Children of [subject]. An example of a child item would be an attachment of an . Intella views s and attachments as separate items. The attachment would be the child of the parent . Child items can have child items of their own. Depending on the option that you select, the Show Children shows either only the directly nested children or all children in the tree. Show Conversation Based on the subject of an item and certain headers, Intella can find items that are part of a conversation. Click the button Show Conversation to show all these items in the Cluster Map panel. The label of this cluster will be Conv: [ subject]. The subject is the subject of the item in the previewer. Show Duplicates When an item has duplicates in the case, click Show duplicates to display these duplicates in the Cluster Map. The label of this cluster will be Duplicates of [file name] or Duplicates of [subject]. Page 143 Intella User Manual 2017 Vound

Smart Search Smart search lets one search for items that are similar to a selected item. It determines a set of keywords in the selected item that have a high information value.

144 Smart Search Smart search lets one search for items that are similar to a selected item. It determines a set of keywords in the selected item that have a high information value. Typically these are keywords that occur often in the selected document but are not common words across the case or in any of the supported languages, which makes them representative for the content of the selected document. Using the Smart Search dialog one can then find other documents that share these keywords and therefore have a good statistical chance of being related to the selected document. A slider is provided that the user can use to set a threshold: the lower the threshold, the more documents are returned but at the cost of less relevance to the set of keywords. Checkboxes are provided to control which item fields should be used when determining the set of keywords. This way one can restrict the search for similar items to e.g. the document or message body only. The next panel controls redaction: Redact When this button is clicked, a PDF is generated for the current item and shown in the Redaction tab. See the section on Redaction for more details. Finally, the last panel relates to functionality for handling paragraphs: Hide seen paragraphs When selected, paragraphs that have been marked as Seen by the user are removed from the text, only leaving an eye icon in the left margin as an indication that a paragraph has been removed there. Click on the eye to bring back the text. Colorize paragraphs When selected, paragraphs marked as Seen by the user are displayed as grayed out text. Page 144 Intella User Manual 2017 Vound

145 20.3 Tabs The tabs show the various aspects of the current item. The set of tabs shown for an item can differ from item to item, depending on the item type and which information that item holds. When moving from one item to the next using the Next and Previous buttons, the current tab will stay selected if that tab is also available for the next or previous item. When a specific tab is never used in a case, its visibility can be toggled using the Previewer s View menu. The benefit of this is a less crowded user interface and shorter loading time. Keyword matches When the current item has any keyword matches, the tabs containing one or more of the keywords change their appearance: The tab name will show with a bold blue font and contain a number indicating the number of hits. When the tab contains text (not metadata properties), like the document text or headers, it will get a status bar at the bottom listing the found keywords and providing buttons to jump from one match to another. When the tab contains text and has a scrollbar, the location of the keyword matches will be marked in the scrollbar as horizontal stripes. Next we explain which tabs can occur Contents This tab shows the body of an item, e.g. the message in an or the text inside a Word document. The Contents shows a limited set of stylistic elements such as bold, italic and underlined text, tables and lists. However, text is always drawn as black text on a white background, as to reveal all extracted text. For a native rendering of the item use the Preview tab (when available). If the item text is too long, it is truncated in the previewer for performance purposes. Click on the "Show full text" button to view the complete item text. When the item is an image, this tab will show the image s content. An extra toolbar is then provided, allowing for zooming, rotating and flipping the image. When an item is encrypted and could not be decrypted, the Contents tab will show an image of a lock, to explain why no text could be shown. Handling paragraphs When the Analyze paragraphs option was selected during source creation, extra UI elements will be shown in the left margin. These UI elements indicate the start and end of the paragraphs that Intella has detected. They can be used to collapse and expand the paragraph. The UI elements are omitted for very short paragraphs (typically one-liners). Furthermore, a popup menu will be shown when the user right-clicks on a paragraph, offering the following options: Mark the paragraph as Seen, or back to Unseen. This grays out all occurrences of this paragraph in all items, facilitating the review of large amounts of long and overlapping documents such as threads with lots of quoted paragraphs. Mark all paragraphs above or below the current paragraph as Seen or Unseen. Page 145 Intella User Manual 2017 Vound

146 Search for all items in which this paragraph occurs. All items that contain the selected paragraph will be returned, ignoring small variances such as white spaces. Mark the paragraph for exclusion from keyword search. This can be used to suppress information present in lots of items but with little relevance to the investigation, such as signatures and legal disclaimers. Consequently, keyword queries containing terms such as confidential and legal are more likely to return meaningful results Preview This tab shows the item as if it was opened in its native application. The Preview tab is only shown when the format of the current item is supported and the Contents tab is not already showing it in its native form. The following file formats are supported: s (when the contains an HTML body) Legacy MS Office formats (doc, xls, ppt) New MS Office formats (docx, xlsx, pptx) RTF HTML PDF CSV and TSV files WordPerfect Open Office (Writer, Calc, Impress) Important: When previewing s, only images that are already bundled with the are shown. Any images that a mail client would load from a web server are shown as static icons. When there are any such missing images, a Show external images button appears. Clicking this button will load the images from the servers and show them embedded in the representation. Note that loading these images may constitute a violation of investigation policies Headers This tab shows the complete header of the item. This tab is only shown when you open an item Raw Data The content of this tab depends on the item type. For example, in case of PST s the low-level information obtained from the PST is listed here. This typically includes the transport headers (shown on the Headers tab) and the body, but also a lot more. In case of vcard files the raw vcard contents is displayed here. All this information is also searched through when using a keyword search. This may lead to additional hits based on information in obscure areas that Intella does not process any further Properties This tab shows a list of properties connected to the item. Examples are Size, MIME Type, Creator and Character Set. The list of properties shown depends on the type of the item and what data is available in that item. To copy all the text to the clipboard click Copy all. Tip: Hover over the question marks at the right-hand side with your mouse and see a short definition of each property. Page 146 Intella User Manual 2017 Vound

147 Attachments This tab lists the attachments of an . When you double-click an attachment, or select it and click View, it will be opened in new Previewer window Thumbnails This tab shows thumbnails of the images (jpg, png, gif etc.) attached to an item or embedded in a document, e.g. the images embedded in a MS Word document. Select the checkbox below the image to flag a thumbnail. When you double-click a thumbnail, the image will be opened in a new previewer window Tree This tab shows the location of the reviewed item in the item hierarchy (entire path from root to descendants), as well as all its child items. The file names and subjects are clickable. You can also right-click and choose to either select all above or select all below, or simply select items manually, to assign them to a tag Entries This tab shows the list of items found in an archive file, e.g. a ZIP or RAR file. When you double-click an item in the list or select it and click View, it will be opened in a new Previewer window. However, when the entry is a sub-folder inside the archive, its content will be opened in the same 'Entries' tab. Double-click the '..' entry at the top of the list to return to the parent folder Comments This tab lists the reviewer comments attached to the item. Every comment has an author name and time stamp, and the option to Edit or Delete the comment. Note that this is not related to the comments such as found in the MS Word document metadata Words The Words tab lists all words/terms extracted from this item, together with the following information: The search field the term belongs to: text, title, path, etc. The frequency of the word in this document and document field. The number of documents having this term in the same field. This list can be used to diagnose why a certain document is or is not returned by a certain query. The list can be exported as a CSV file by right-clicking anywhere in the table. Right-clicking also lets you evaluate a query with the right-clicked term Actions This tab shows the list of actions performed on the item. The action s date and the user that triggered the action are shown in the list. Actions listed are: Page 147 Intella User Manual 2017 Vound

148 Previewed the item was opened in the previewer. Opened the item was opened in its native application. Exported the item was exported. Tagged with the item was tagged with the specified tag. Flagged the item was flagged. Commented the item was commented. OCRed the item has text content imported from OCR. Redacted the item was redacted Geolocation This tab shows the item s geographic location on the world map. It is only present when the item has geolocation information (Longitude and Latitude properties) associated with it. See the section on the Geolocation view for the correct interpretation of this information, including its caveats Redaction This tab is only visible after the Redact button in the toolbar has been clicked (see above). See the section on Redaction for a detailed explanation of the functionality in this tab. Page 148 Intella User Manual 2017 Vound

21 Reviewing results Users can open a Review tab on a specific set of items. This top-level tab combines the functionality of the Details view and the Previewer.

149 21 Reviewing results Users can open a Review tab on a specific set of items. This top-level tab combines the functionality of the Details view and the Previewer. On the left of the tab is the item list, either as a Table, List, Thumbnails or Timeline view. On the right of the tab is an embedded Previewer. Selecting items in the list on the left displays them in the Previewer on the right. This makes a quick and efficient review of a list of items possible within a single window. To open a Review tab, the user can: Right-click on a cluster or result set in the Cluster Map and select Review n items. Right-click on a result set in the Searches list and select Review n items. Right-click on a selected item range in the Table, List or Thumbnails view and select Review n items. It is possible to have an unlimited number of Review tabs. Note that it is even possible to open a new Review tab by selecting items in an existing Review tab, right-clicking and selecting the Review option. Likewise, it is also possible to open a Previewer by double-clicking on an item in a Review tab. A Review tab can be closed by clicking on the Close icon next to the tab s name. Currently, the set of Review tabs is not persisted: closing Intella will close all Review tabs. The embedded Previewer features all features of the standalone Previewer, i.e. one can tag, flag, comment, redact, etc. Clicking on any of the search links, e.g. Show Conversation, will let Intella switch automatically to the Search tab. Page 149 Intella User Manual 2017 Vound

22 Tagging Tagging is the process where you connect a descriptive word to an item or a group of items. For example, one of your items is a PDF document containing valuable information.

150 22 Tagging Tagging is the process where you connect a descriptive word to an item or a group of items. For example, one of your items is a PDF document containing valuable information. You decide to tag the item with the word Important. Tagging helps you to organize results, for example by separating important and unimportant information. Tagging can be done in several ways in Intella. This chapter gives you an overview of the possibilities: Tagging in the main window Tagging in the previewer Letting other items inherit tags automatically Pin a tag to a button See all tagged items Searching with tags Deleting a tag When entering a tag name, one cannot use the slash character ( / ) as that is commonly used in various places to denote hierarchical tags Tagging in the main window Adding tags To add tags: 1. Select one or more items from the table, the thumbnail view or the timeline. 2. Open the context menu (right mouse click), and select Add tags 3. In the Add tags to x items dialog you can select already defined tags, or define a new tag with optional description. When you click OK, the marked tags will be linked to the selected items. The Add Tags menu option is also available in the Cluster Map: right-click on a cluster or label to open a popup menu with this and other options. Page 150 Intella User Manual 2017 Vound

Parent tags can be used to logically group tags, e.g. grouping custodian names, reviewers, locations or priorities. Parent tags can also be used to tag items.

151 When you start typing the name of a new tag, the list of tags is filtered to show existing tags whose name starts with the entered text. This can be used to check whether the intended tag already exists or to quickly navigate to the tag in a long list of tags. When creating a new tag, a parent tag can be specified. Parent tags can be used to logically group tags, e.g. grouping custodian names, reviewers, locations or priorities. Parent tags can also be used to tag items. For example, when you have tags called Europe and Asia with subtags representing specific countries, you can choose whether to tag an item with a continent or a country Removing tags The Remove Tags dialog is used to remove tags from selected items: 1. Select the items from which you want to remove the tags in the table, timeline, thumbnail view, or cluster map panel. 2. Open the context menu (right mouse click), and select the Remove tags menu option. 3. In the Remove tags from x items dialog select the tags that you want to remove, and click OK. Now the tags are no longer connected to the items Tagging in the previewer If you want to tag or remove a tag in the previewer, please take the following steps: 1. Open the previewer 2. Click the Tag button to open the tag space 3. Enter a new tag or select an existing tag. To remove a tag (to remove the connection between an item and a tag) just deselect the tag from the list. Page 151 Intella User Manual 2017 Vound

152 Three, six or nine tags can be shown as button in the previewer. When a tag is listed as a button, clicking the button results in the tag being assigned to the current item. You can set the desired amount of these quick-tag buttons in the File > Preferences > Results tab > Previewer section. You can also use Ctrl+1, Ctrl+2, Ctrl+3, etc. to quick-tag an item. The numbers correspond with the button positions. When the Go to next item after tagging toggle button is selected, the previewer will automatically switch to the next item in the list Automatic tag inheritance When tagging items, the policy of your investigation may be that some related items should be tagged as well. One use case is when tagging items as irrelevant: all nested items may then be considered as irrelevant as well. Another use is tagging items as privileged; depending on your policy, this may then be extended to all other items within the same mail as well. Intella offers mechanisms that let these additional tags to be set automatically. For more information, see the section on tagging preferences Pin a tag to a button In File > Preferences > Tagging tab > Previewer section you can select the number of quick tag buttons: three, six or nine. The default value is three quick tag buttons. You can pin a tag to a button and keyboard shortcut (Ctrl+1, Ctrl+2, Ctrl+3) with the following steps: 1. Select Tags in the facet panel 2. Right click on a tag in the list to open the context menu. 3. Select Pin tag to button and select a number from the submenu. Now you can use the buttons in the previewer and the keyboard shortcuts to tag an item. Tags that are pinned to a button are marked with a small blue pin in both the Tag facet and previewer. Note: To unpin a tag from a button, select 'Unpin tag' in the context menu of Tags See all tagged items To get an overview of all items that are tagged in your case, please take the following steps: 1. Select Features in the facet panel. 2. Select Tagged from the list and click Search Now you can see all the items that have a tag in the Cluster Map panel. Page 152 Intella User Manual 2017 Vound

153 22.6 Searching with tags To search with tags, please take the following steps: 1. Select Tags in the facet panel. 2. Select a tag and click Search Now you can see the items that have the selected tag in the Cluster Map panel. When querying for a parent tag, the result set will contain all items tagged with that tag or with any of its child tags Deleting a tag To delete a tag from your case, please take the following steps: 1. Select Tags in the facet panel. 2. Right click on a tag in the list. 3. Select Delete and confirm. Now this tag is no longer in your case. When you delete a parent tag and confirming the operation, the tag and all its child tags are removed Annotations History To revert a tagging or other type of annotation, open the Annotations History dialog by selecting File > Annotations History... This dialog represents a chronological list of all changes in tags, flags, comments and custodians made on the case. Page 153 Intella User Manual 2017 Vound

154 In the top panel, it is possible to set the start and end dates of the events to show. To include only events of specific case users, click the Select button and choose their names in the pop-up list. Click the Refresh button to update the events list. To revert a specific change, select the annotation in the list and click the "Undo selected action" button. The reverted changes are marked with a strikethrough font. To restore a previously reverted change, click "Redo selected action". Note that some actions cannot be reverted directly. For instance, the creation of a tag cannot be undone without undoing or removing all associated item taggings that depend on it beforehand. The actions that cannot be undone at the moment are grayed out in the list. Page 154 Intella User Manual 2017 Vound

155 23 Keyword Statistics The Keywords tab gives detailed statistics about the keywords in a keyword list. The workflow is as simple as choosing a keyword list, specifying several calculation options and clicking Calculate. This will produce a table showing the keyword list and several statistics for every keyword query in the list. The nature of the information shown here potentially goes beyond what can be established in the Search tab Configuration All controls for configuring the calculation are placed on the left side of the tab. The options are divided into three groups: 1. The keyword list to use. 2. The document fields to search in. 3. The statistics to be calculated. At the top the user can choose a previously uploaded keyword list or add one here. This uses the same collection of keyword lists as the Keyword Lists facet in the Search tab. Any list added in the facet can be used here and vice versa. Although we call this functionality "keyword statistics", the user can use the complete full-text search syntax here: wildcards, Boolean operators, phrase queries etc. are all available. Field-specific searches are also possible. When used in a query, these overrule the field settings set in the second panel. Page 155 Intella User Manual 2017 Vound

156 The second panel offers the available search fields. These are the same as offered in the Search tab. By default, all fields are searched, but the user can choose to restrict searches to e.g. the document text, headers, etc. Any combination of fields can be used. The last panel offers five checkboxes that determine what information the table will contain: The Items option adds columns indicating: o the number of items containing the keyword, o the corresponding percentage of items, and o the deduplicated number of items. The Hits option counts the number of occurrences of the search term in the texts. For example, when a keyword produces a document that contains the keyword 3 times and another document that contains the keyword 5 times, this column will show 8. The Custodians option adds a column for every custodian in the case. Each custodian column indicates how many of the matching items originate from that custodian. The Families option adds two columns: "Families" and "Family items". As described elsewhere in this manual, a family is an item set consisting of a top-level item (e.g. a mail in a PST file) and all its nested items (e.g. attachments, embedded images, archive entries). See the Preferences window for how families are determined in the case. The meaning of the two columns is then as follows: o The Families column shows in how many families the keyword occurs. For example, if a mail and two of its attachments all contain the keyword, that counts as a single family. o The Family Items column shows the total number of items that are contained in these families. This may (and usually will) include items that do not contain the keyword at all; they just belong to a family that has a hit in one of its other items. In cases where you are not directly exporting search results but rather their top-level parents (i.e. the default setting when exporting to PST), this will tell you how much of the case is conceptually being exported this way. This may give an indication of how well a certain search filters items in a case. The Saved searches checkbox enables a Configure button. Clicking this button opens a dialog in which the user can select one or more saved searches stored in the case. Each saved search will then be represented by a table column, showing how many items matching the saved search also match the keyword in that row Calculation When the Calculate button is clicked, Intella will populate the table row by row. The time required for the calculation is dependent on several factors, including the size of the keyword list, the hardware, the chosen search options and the storage location and size of the case. While most options can benefit from indices that make the calculation fast regardless of case size, the Hits option will have a considerable impact on the search speed. The progress of the calculation will be shown in the status panel above the table. During calculation, the Calculate button will change into a Stop button, allowing for manually terminating the process. When clicking Calculate again, the previous results will be discarded and the table will be populated from scratch, using the (possibly changed) configuration options. Page 156 Intella User Manual 2017 Vound

157 23.3 Results Once calculation has completed, the user can use the results in the table in several ways. The table can be sorted by clicking on one of the headers. This lets you find the queries with the most or the fewest item counts, the queries that involved the most families, etc. By default, the table order is the same as the order in the keyword list. One can click on a row in the table and see the matching items from that result set in the Details view in the Search tab. The table can be exported to a CSV file by clicking on the Export button in the top right corner. Page 157 Intella User Manual 2017 Vound

158 24 Redaction Redaction is the process of concealing part of an item s text, graphics and/or metadata to conceal that content part from unauthorized view. A typical use case of redaction is the concealing of legally privileged information in information that is produced for an opposing party in an e-discovery matter, e.g. because of attorney-client privilege. Other scenarios are hiding person names, birth dates, social security numbers, credit card numbers, etc. due to privacy laws or when they are not relevant to the matter at hand Workflow When redacting an item, Intella first creates a temporary PDF representation of the item and then lets the user mark the sensitive areas in it. This PDF and the added redactions are stored in the case. The original evidence item is not changed, nor is any information removed from the Intella case. At any time, the redaction marks can be reviewed, edited and removed. Only when the item is exported to the final PDF or to a load file, are the redactions burned in : all pages in the temporary PDF are converted to images in which the sensitive part is literally blacked out. The result is a PDF that is guaranteed not to contain the sensitive information. Redaction affects the results of the regular PDF export and the PDFs and TIFFs that are created as part of a load file. For the sake of brevity, the remainder of this section will only refer to exported PDFs when both are meant Redacting an item Items are redacted by opening them in the Previewer and clicking on the Redact button in the toolbar. This adds a tab called Redaction. The Redaction tab contains a PDF rendering of the item and offers various controls for adding and editing redactions. As the PDF is generated on demand, the tab may take some time to appear, depending on the type and complexity of the item. The item is now ready to be redacted. To redact a part of the content, simply select the rectangular area in the rendered item that needs to be hidden. The selected area will now be covered with a black rectangle. You can repeat this step to conceal additional parts of the item. The redactions are stored automatically; no manual save action is needed. The rectangle is semi-transparent so that the reviewer can still see what content has been redacted without having to move it. In the final exported document the rectangle will be a solid black. To move or resize a redaction mark, simply place the mouse pointer above the redaction rectangle. When placed in the middle, the mouse cursor changes to a four-arrowed cross and the rectangle can then be moved by holding the mouse button and dragging the mouse. When placed on a corner, the mouse cursor changes into an arrow and the rectangle can then be resized by holding the mouse button and dragging the mouse. To remove a redaction, select it and click Delete Redaction. To remove all redactions of this item, click the Clear Redactions button. Page 158 Intella User Manual 2017 Vound

159 When you close and reopen the item, the Previewer will immediately show the Redaction tab again with all previously made redactions, as the PDF is cached. Only when no redactions are added will the PDF be discarded. Redacted items can easily be found using the Redacted category in the Features facet Exporting When exporting an item to PDF, Intella will by default use the redacted version if there is one. More specifically, it will convert the temporary PDF into a final PDF that contains only images, and will burn in the redactions in these images so that the sensitive content is concealed permanently. Exported load files containing PDFs or TIFFs will undergo a similar process. The result of this last conversion step is a PDF that has no regular machine-processable text. To verify this, simply open the PDF in a PDF reader like Acrobat and try to select the text. That makes this redaction method very safe (as opposed to removing the sensitive text from the source file) as all information is in plain sight; there is e.g. no hidden metadata that could still leak the sensitive information. The downside is that the PDFs can have a large file size as all text is represented as images, and that they would need to be OCR-ed to make the non-concealed text accessible again for text selection, keyword search, etc. As the final PDF is derived from the temporary PDF, the PDF export settings entered in the Export dialog will only have any effect on the non-redacted items in the export set. The redaction toolbar in the Previewer also has an Export button, to export the current item as a redacted PDF. This PDF will be the same as when it is exported as part of a collection of items to PDF, i.e. all pages will be converted to images with their redacted parts showing as black rectangles. This option is useful when only a few redacted documents are necessary or to verify the redaction export Mass redaction A common redaction method is to search for a company or organization name and to review and optionally redact the search hits. Intella can assist with this process: when the Redaction tab is viewed while Intella s search interface shows one or more keyword queries, the keyword search hits will be highlighted in the Redaction tab and can be redacted with the click of a button. Note that this highlighting works best on single term queries. It does not work reliably or even at all for more advanced queries such as phrase searches, wildcard queries, etc. The currently used keyword(s) will be shown in a text field beneath the item content and can be changed. Use the arrow keys to move from one keyword hit to another. Click the Redact button to redact the currently highlighted occurrence, or click the Redact All button to redact all occurrences in the current item. Please see the subsection on Caveats below when using the Redact All button Redaction profiles When the Redact button in the Previewer is clicked, a PDF that is generated will consist of a limited set of content and metadata properties. For example, s will show their most important headers ( sender and recipients, subject and sent/received dates) on the first page, followed by the body. The full SMTP Page 159 Intella User Manual 2017 Vound

160 headers of the are printed on one or more separate pages, followed by the list and content of the s attachments. When this default set of content and metadata properties is not suitable for a specific case, or different settings are desired for different types of items or different audiences, the user can define one or more redaction profiles for the case. Such a profile defines the set of content and metadata properties to be used in the redacted PDF. When a redaction profile is defined and the reviewer subsequently clicks the Redact button in the Previewer, Intella will ask which redaction profile to use for this item and generate the PDF accordingly. To define a redaction profile, click the Configure redaction profiles button in the Export menu of the main window and choose Create in the next dialog. The window that opens allows the reviewer to enter a profile name and select which content and metadata properties should be used when this redaction profile is chosen. For a detailed description of the available properties see the section on exporting to PDF Caveats As the purpose of redaction is to conceal sensitive information, it is vital that the reviewer takes notice of the following caveats on the redaction functionality. First, there are a few issues to be aware of when using keyword hit highlighting to control the redactions. When highlighting the search hits in a PDF, the highlighted area may not exactly cover the responsive text in the PDF. The redaction rectangle then needs to be manually moved and resized. Whether this happens depends on the fonts used in the PDF: PDFs that Intella has generated using texts from its own databases are fine (e.g. pages with bodies and headers), but text in existing evidence PDFs or in Word documents that are converted to PDF may be a different story. We have no control over the font characteristics used in those documents and therefore cannot guarantee correct placement of the redaction rectangle. Another important aspect is that hit highlighting may not find all occurrences of the text that is searched for. For example, words that are misspelled, use a spelling variation or are hyphenated may not be found. Texts inside graphics will also not be found. Note that OCR software that is used to combat this can also introduce spelling errors. Finally, tables and graphs may require extra attention. When creating a redacted PDF rendering of an item, the PDF is only associated with that specific item, not with any duplicates of that item. We may introduce that functionality in a future version. Page 160 Intella User Manual 2017 Vound

25 Exporting Intella supports several exporting formats, each focusing on a different use case. 25.

161 25 Exporting Intella supports several exporting formats, each focusing on a different use case Exporting a single result A single result can be exported by right-clicking on a row in the Details table (or on the item in any of the other views) and selecting Export in the content menu. Alternatively, select an item by clicking on it and choose Export > Result in the menu bar. A file chooser will open that lets you specify the folder and file name. Click Save to export the result to that file. The mouse cursor will show a busy icon while the exporting is taking place. The result will be saved in its original format, i.e. a Word document attached to a mail gets saved as a Word file. All mails from mail sources (PST/OST/NSF/DBX/MBX/Mbox files and IMAP servers) are exported as EML files. Evidence files that are already in EML, EMLX or MSG format as exported as such. Contacts will be stored in vcard format. Calendar items from PST files will be stored in ical format Exporting a list of results To export a collection of search results at a time, you can use the following procedure: Use Ctrl-click or Shift-click to select multiple items in the Details pane, using the table or thumbnails view. Alternatively, right-click and choose Select All to select all items in the list. Right-click and choose Export Highlighted Item(s), or choose Results List from the Export menu. This opens the Export Wizard. This wizard lets you choose the export format and its settings and the export process Export formats The first wizard page lets you choose an export format: Original format exports a file into its original format, i.e. a Word document attached to an is saved as a Word file. All s from mail sources (e.g. a PST or NSF file) are exported as EML files. s that are already in EML, EMLX or MSG format are exported as such. All contact items from PST/OST files are exported as vcard (.vcf) files. All calendar items from PST sources are exported as icalendar (.ics or. ical) files. The exported files can be opened with the program that your system has associated with the file extension used. Folders may be created during exporting whose name ends Page 161 Intella User Manual 2017 Vound

162 with _files. This is necessary to separate e.g. an archive from the items that were extracted from that archive, as both may be exported at the same time. PDF converts every item into a PDF document, containing the content of the original item and a configurable set of properties. PST lets you export items to a MS Outlook PST file. The main purpose of this option is to use the PST file as a carrier for transport of s, but other item types are supported as well. The receiver can open the PST file in Microsoft Outlook or process it in another forensic application. i2 Analyst s Notebook/iBase exports the results in a format that can easily be digested with i2 s Analyst s Notebook and ibase applications. All metadata of all items, all attachments and all bodies can be imported into these tools, allowing rapid social network analysis and all other analytical abilities of these applications on and cellphone evidence data. Load file will export the items in a format that can be imported into Summation, Concordance, Ringtail and Relativity. Relativity will export items directly to a Relativity server, i.e. without the use of an intermediary load file. This functionality is still in an experimental state. Only one format can be chosen per export run Destination folder The chosen destination folder will contain all exported items, including all export reports (see below). You will get a warning when this folder is not empty. Though Intella tries not to overwrite any files in the specified folder, we recommend specifying an empty folder to be sure. For every selected format a subfolder will be created that holds the files of that export format. All export reports will be placed in the top folder. When exporting several sets to the same destination folder, the subfolders with produced files will be merged, but earlier produced files will not be overwritten. Each export run will have its own set of export reports Export templates The configuration entered in the Export window or sub-windows like the load file field chooser will automatically be restored the next time the Export window is opened. No manual action is necessary to achieve that. The current configuration can also be stored as a user-named template in the last wizard sheet. In the first sheet, all stored templates are listed in a drop-down list. Selecting one restores the state of the Export wizard to the one stored in the selected template. Export templates are typically stored in: C:\Users\<USERNAME>\AppData\Roaming\Vound\Intella\ export-templates You can easily access this folder through the Help > Open Export Templates Folder menu item. Note that export templates are stored outside of the case data folder. This makes all templates automatically available across all cases on the same machine and user account. To use templates with other user accounts or on other machines, just copy the XML file named after the template to the export-templates folder on that account or machine. When you click next, the wizard will let you configure the format-specific options. Page 162 Intella User Manual 2017 Vound

163 Suppressing irrelevant items You can use the "Suppress irrelevant items" checkbox to automatically exclude all items from the export that have been classified as Irrelevant during indexing. See the Preferences section for a definition of irrelevant items. The number of irrelevant items in the current item set will be shown in parentheses Export sets When a set of items is exported, they can optionally be added to an export set. This is a named set that captures information about the export. When a specific item is about to be exported, the file name and number is recorded in the export set. Furthermore, the current export settings are stored as part of a set. When the export set is later selected again when exporting another set of items, this will affect that export run in the following ways: All export settings such as the chosen export format, file naming and numbering schemes, etc. will all be the same as in the first export run. In other words, the export set works like an export template. File numbering continues where it left off, rather than starting at again. Items that have been exported before with this export set selected will get the same name and number as the previous time(s) they were exported. When an export set is specified, the resulting export ID (typically based on subject, file name and/or consecutive number) can be made visible in the Details column by adding an Export column that corresponds to the export set. The Export IDs can also be searched for using keyword search and keyword list search PDF file options The first wizard sheet on PDF options lets you decide whether to export to individual PDF files, one for every selected item, or to export all items into one single concatenated PDF file. When exporting to a concatenated PDF, the resulting PDF can optionally be split in chunks of a given size. This is recommended for performance and stability reasons File naming and numbering (original format, PDF, load files) This wizard sheet consists of three sections: File naming defines how to compose an exported file name (original format, PDF) or page (load file export). File numbering defines how exported files are numbered. File grouping defines how exported files are grouped into folders. File naming By default, exported files will be named using the original evidence file s name or the subject of an . Alternatively, you can choose to number the files using consecutive numbers. These options can also be combined: a number followed by the file name or subject. Load file naming offers more elaborate numbering style, whose parts can be further configured in the File Numbering section. Page 163 Intella User Manual 2017 Vound

164 When using a numbering style, you can also define a prefix. Anything you type here will be added to the beginning of the filename. E.g. the prefix export- will result in the first being named export eml, when you combine it with consecutive numbering. Using "Advanced" mode you can define a file name template that will be a base for exported file name. The template may include the following fields: %num% A counter value will be added. You can also define leading zeroes in the counter using the following format: %000num%. The number of zeroes defines the number of digits used in the counter. The default number format for the counter is to use 8 digits. %group1%, %group2% Group counters used with load file export only. See the "Export as a load file" section for details. Any Intella column identifier surrounded by the '%' symbol, like %md5%. %Best_Title% One of the following fields: File name, Subject, Title, Contact Name or "Untitled". To insert any field in the template you can either type it manually or select the field from the drop-down list and press "Add field". File numbering Using the "Start at" option you can define the number to start counting with. By default, exporting will start counting at 1. A typical reason to use a different start number is when you want to combine the exported results with another set of already exported files. Numbers are always 8 digits long. Folder, Page rollover and Box are only relevant when using load file naming. File grouping Select the option "All in one folder" to put all exported files in one folder. Select the option "Keep location structure" to preserve the original folder structure that the items have in the evidence files. A folder will be created for every source, in which the original folder structure of that source (as shown in the Location facet) will be recreated. File name examples On the right side you can see a live preview of how the exported file names would look based on the current settings, using items from your current item set as examples PDF rendering options (PDF, load files) [Note: when exporting a load file, this sheet is called PDF or image rendering options ] The options in this sheet only apply to non-redacted items; the exporting of redacted items is governed by the Redacted items sheet. For all types of items, you can indicate whether to include a basic item header, properties, raw data, body and comments in the PDF: The item header is shown at the top, above a black line, and shows the subject or file name. The properties include typical metadata attributes such as titles, authors, all dates, hashes, sizes, etc. By default, all properties are included, but you can remove some of them in the "Select properties..." dialog. The raw data varies between item types. For example, for PSTs the low-level information obtained from the PST is listed here and for vcards the actual content of the file is listed. This field may reveal properties that Intella does not recognize and are therefore not to be found in the Properties section. Page 164 Intella User Manual 2017 Vound

165 The main properties above body include main properties such as Subject, From, To, Sent, Received, etc. By default, all properties are included, but you can remove some of them and change the order of the remaining elements by clicking the Configure button. The comments refer to the ones made by Intella user(s) in the Comments tab in the Previewer. They are not to be confused with comments that can be made in, for example, a Word document. These are part of the Properties section. Note that the reviewer comments may include sensitive information such as evidence file names, investigator insights, etc. Furthermore, the item s content can be exported in its original format, as the extracted text, or both. The following file formats can be exported in their original view: s with a HTML body. MS Office (doc, docx, xls, xlsx, ppt, pptx) Open Office (Writer, Calc, Impress) WordPerfect RTF HTML PDF When you select "Original view", you will also be able to define a list of item types that should be skipped for this. You can use this to e.g. prevent native view generation of spreadsheets, which often are hard to read in PDF form. An optional placeholder text can be added to make clear that original view generation has been skipped on purposes for this item. When you also select the "Export skipped item as native file" option during load file export, the resulting load file will not contain the corresponding native file. By selecting "Also skip extracting text" you can skip generating the extracted text as well. This includes extracted text added to the resulting PDF and extracted text exported as a separate file as part of a load file. When the option Prefer image imported from load file over Original view is selected, an image imported from a load file will be used instead of the Original view. Note that this is the image shown under the Image tab in the Previewer. If you uncheck "Include item metadata", the resulting PDF will not contain any additional information except for the actual item content (in its original format and/or as extracted text), the document title/subject and the headers and footers defined in the next sheet. Most of the options on this sheet will then be disabled. For s, the following additional information can optionally be included: A checkbox is provided, controlling whether the HTML or plain text body is preferred. This option is only available when the Content as setting is set to a value that involves original view generation, i.e. anything other than Extracted text. The full headers. A list of all attachments, as a separate page. The file name, type and size of each attachment will be listed. The actual contents of the attachments. The original view (described below) will always be selected by default, with the extracted text used as a fallback. For loose files and attachments that are not s, the following additional information can optionally be included: The OCRed text for images checkbox controls whether to include the OCRed text when the file is an image. Page 165 Intella User Manual 2017 Vound

166 List all embedded images and attachments. It is possible not to include the lines that separate the headers and footers from the content by unchecking the "Draw header and footer line separators" checkbox. Section names such as "Image", "Original view", "Extracted text" etc. can also be excluded from the resulting PDF by unchecking "Include section names" PST options Enter a file name to use for the generated PST. Enter a display and folder name. After opening the exported PST file in MS Outlook, you will see the names you entered. They help you to locate the PST file and its contents in MS Outlook. Select the option "Keep location structure" to preserve the original folder structure during the export. The resulting file can optionally be split into chunks of a given size. This is highly recommended for larger result sets that would make the PST grow beyond the default suggested file size, as Outlook may become unstable with very large PST files. The produced files will have a file size that is close to the specified maximum file size (usually smaller). The export report will list for every item to which PST it was added. Item types that can be exported directly to a PST file Besides s, the following item types can be exported directly to a PST file: Contacts Calendar items: o Appointments o Meetings o Meeting requests Tasks Journal entries Notes Distribution lists Limitations: ical recurrence rules (RRULE property) are not exported. PST Distribution lists are exported, but their list members are not. These limitations may be removed in a future Intella release. Please note that non- items will be exported to a regular PST folder under the Mail section, so not in e.g. the Contact section. How to export other item types to a PST file Items such as Word and PDF documents cannot be exported directly to a PST file. As such items may be attached to an , Intella can be configured to export the parent instead. You can choose to either include the top-level parent or the direct parent. An example would be an attachment contained within an message within another message. With the top-level parent selected all parent items of the attachment (both s) would be included in the PST, one nested within the other. The second option exports the nested to the PST. You can also choose to simply skip non- attachments. Page 166 Intella User Manual 2017 Vound

167 Although this option only mentions parent s, it also applies to e.g. PDF files attached to a meeting request or any of the other exportable items. In this case, enabling this option will export the meeting request instead. This option may therefore be renamed in the future. Note: Files in a folder source lack a parent and therefore cannot be exported to a PST file, except for mail files like EML, EMLX and MSG files, or files of the types listed above. How to export attached s The last setting controls what happens with s that are selected for export and that also happen to be attachments. These are typically forwarded messages. Such s can technically be exported to a PST without any restrictions, but the investigation policy may require that the parent is exported instead, to completely preserve the context in which this was found. That can be done by choosing the Replace with its top-level parent option. Alternatively, use the Export attached option to export the attached directly to the PST ibase and Analyst s Notebook options At the moment, the Analyst s Notebook and ibase export does not provide any configuration options. Templates, import specifications and instructions are provided for Analyst s Notebook and ibase. Please contact support@vound-software.com for more information Load file options You can select one of the following load file formats: Summation. Concordance. Relativity. Ringtail. Comma Separated Values file. Each load file export consists of several parts: The main load file, containing the selected fields. Native files, representing the items in their original format. Image files, containing metadata and content as configured in the "PDF or image rendering options" sheet. Text files that contain the extracted text. The first part is mandatory; the others can be turned off. The main load file name can be changed using the "File name" text field. It is also possible to specify the main file encoding when the Summation format is selected. By selecting "Use custom date/time formats" you can override the date and time format used in the load file. Please see this document for the date/time format syntax details: In order to control the quality of the exported images, you can set the "Image DPI" parameter. It defines the number of dots (pixels) per inch. A higher DPI setting results in higher quality images, but these will take more time to produce and consume more disk space. Page 167 Intella User Manual 2017 Vound

168 It is also possible to adjust the TIFF compression type. Note that the image will be converted into black-andwhite variant if one of the "Group Fax Encoding" compression type is selected. The extracted text can be configured by clicking the Configure button. In the Configure extracted text dialog you can choose which components to include and change their order. When you need to embed the extracted text directly into the load file itself (the DII, DAT or CSV file) instead of exporting it into a separate file, you can use the checkbox "Embed extracted text into load file". A custom field of type "EXTRACTED_TEXT" should be used to insert the text as a field in this case. When exporting to Summation the checkbox "Include Summation control list file (.LST)" can be used to generate a plain text file that lists all document IDs along with the extracted text files. The "OCR Base" field controls the prefix used for the extracted text files. The "Exclude content" option can be used to completely exclude the items tagged with a specified tag. For every excluded item, only the metadata will be added to the load file. The text and the images will contain the text specified in the "Placeholder text" field. Native files will also not be generated for such items. Numbering with load files The numbering used for load files differs from the other export formats. When exporting to a load file, every exported page has its own unique number. The number of the first page is usually used as a number of the document. Please note that pages are numbered only if image files are included in the export. On the "Headers and footers" sheet you may choose a special field PAGE_NAME which is available only with load file export. This will put the current page name as it was configured on the "Naming and numbering" sheet. Another difference is that by default all export files are grouped into folders and optionally boxes. The "Page rollover" option defines a maximum number of pages that a folder can contain. The maximum number of folders in a box is fixed to 999 (at the moment it can be changed via an export template XML file only). Additionally, you can set a starting number for the page ("Start at"), folder and box. By default, the page counter starts over when switching to the next folder, so the first page in the next folder will have the number "1". This approach can be changed when using the "Continue page numbers from previous folder" option. When it is selected, the page counter will continue page numbering from the last page of the previous folder. In other words, page numbers will be unique among the entire export set. Additionally, the "Advanced" numbering mode can be selected when exporting to a load file. In this case, you will be able to set a custom file name template. Please see the file naming and numbering section for details. Note that %num% means a page number, not a document number in this case. Also, there are two new fields that can be used: %group1% folder counter %group2% box counter You can also use the %000group1% syntax to define the number of leading zeroes in the counter (similar to the %000num% syntax). Thus, the default load file numbering schemes can be expressed using the following templates: PREFIX.%group2%.%group1%.%num% = Prefix, Box, Folder, Page PREFIX.%group1%.%num% = Prefix, Folder, Page %group2%.%group1%.%num% = Box, Folder, Page Page 168 Intella User Manual 2017 Vound

169 When using the Advanced mode it is important to set a file grouping: All in one folder or Load file mode. When the Load file grouping mode is selected, the exported files will be grouped by folders and, optionally, boxes in exactly the same way as it is described above. Field chooser The "Field chooser" sheet contains a table of the fields that will be included in the load file. By default, the starting set of fields depends on the selected load file format. The "Name" and "Comment" columns in this table are used only for managing the fields within Intella and are not included in the load file. The "Label" column value is used as a column label in the load file. The "Type" column can be one of the following: SUMMATION It can be used only with Summation load file format and cannot be modified. RINGTAIL It can be used only with Ringtail load file format and cannot be modified. CUSTOM User-created field. It can be used with any load file format. You can include an additional custom field by pressing the "Add custom field..." button. Next, enter the name, label and comment. Select one of the following types: FIXED_VALUE Fixed value as specified in the "Value" field. INTELLA_COLUMN One of the Intella columns. ITEM_BEST_TITLE One of the following Intella columns: File name, Subject, Title, Contact name or "Untitled". RECORD_ID_START Name of the first page of the document. RECORD_ID_END Name of the last page of the document. RECORD_ID_GROUP_BEGIN Name of the first page of the first document in the current "parentchild" group. RECORD_ID_GROUP_END Name of the last page of the last document in the current "parent-child" group. RECORD_ID_PARENT Name of the first page of the parent document. NUMBER_OF_PAGES number of pages of the document FILE_NATIVE relative path of the original format of the document to the base folder. FILE_IMAGE relative path of the first image of the document to the base folder. FILE_TEXT relative path of the extracted text file of the document to the base folder. EXTRACTED_TEXT extracted text directly embedded in the load file body. See the "Embed extracted text into load file" option described above. _INTERNET_HEADERS full Internet headers of the . ATTACH_ID_LIST The list of attachment IDs. ATTACH_COUNT The number of attachments that belong to the current "parent-child" group. IS_ "True" if the document is , "False" otherwise. FILE_EXTENSION The file extension of the document. DIRECT_PARENT ID of the document's direct parent. DIRECT_CHILDREN_IDS The list of IDs of the document's direct children. BEG_ATTACH Name of the first page of the first attachment document in the current "parent-child" group. Empty if there are no attachments in the current group. Used for s only. END_ATTACH Name of the last page of the last attachment document in the current "parent-child" group. Empty if there are no attachments in the current group. Used for s only. When exporting to a load file, all documents are grouped by their parent-child relationship. For example, an and its attachments form a single group. The columns "RECORD_ID_GROUP_BEGIN" and "RECORD_ID_GROUP_END" denote the start and end page numbers of such a group. Page 169 Intella User Manual 2017 Vound

170 When adding a date column as a custom field, it is possible to choose the way how the date is formatted: show date only, show time only or show full date and time. Note that you can add the same date field more than once and use different formatting options. For example, you can add two custom fields: DATE_SENT ("Sent" column, show date only) and TIME_SENT ("Sent" column, show time only). Click the "Select default fields" button to select only those fields that are part of the default field set for the selected load file format Relativity options Intella can export items directly into a Relativity database, i.e. without the need to manually handle load files. Note that this functionality requires Microsoft.NET and the Relativity SDK to be installed. See the Installation section for further details. On the "Relativity options" page you can specify a service URL, user name and password. Please ask your Relativity administrator for the correct settings. The Relativity service URL usually looks like this: You should use the same service URL as you use in Relativity Desktop Client. Click the "Get list from server" button to get a list of Relativity workspaces. Select the workspace you want to export the items to. You should also choose an identity field which is used as a key field in the selected workspace (it's usually "Control Number"). The rest of the settings are the same as you can use during an export to a load file. You can include natives, images and texts. Please note that when you use a field chooser, you can choose an existing field from the selected workspace. The field editor will also show a little warning icon near the field label if you enter an incorrect field name. Current limitations: The Overwrite mode is currently fixed to "Append". An option may be added in a future release. To export a folder structure, the "Location" field should be added to the list. To export natives, the field "FILE_PATH" should be added to the list. To export texts, the field "FILE_TEXT" should be added to the list. Items are exported to the workspace root folder. An option may be added in a future release Headers and footers (PDF, load files) You can set headers and footers for the generated PDFs and images. For each of the four corners, as well as the top and bottom center, you can select one of the following fields to display: EMPTY Nothing will be displayed. EXPORTED_FILE_NAME A file name as it was configured on the "File naming and numbering" sheet. PAGE_NAME A page name as it was configured on the "File naming and numbering" sheet. Note: this option will work only with load file export. For other export types this will be replaced with EXPORTED_FILE_NAME. BEST_TITLE This is one of the following fields: File name, Subject, Title, Contact name or "Untitled". DESIGNATION one or more textual labels, e.g. Confidential or For Attorneys Eyes Only. Tags control the presence of the labels. After selecting DESIGNATION, click on the gear icon next to the field chooser to specify the controlling tag and the text that should be shown on items that have that tag. It is possible to specify multiple tags here. If an item has multiple tags, the designation will be a commaseparated list of the corresponding designation labels. Any Intella column This will be the same value as displayed in the result table. Page 170 Intella User Manual 2017 Vound

Also, you can type any static text instead of selecting one of the fields. 25

171 Also, you can type any static text instead of selecting one of the fields Redacted items This wizard sheet controls how Redacted items are to be handled when they are part of the set of items to export. The options available depend on the chosen export format. When exporting to Original format or PDF: When the option Use redacted images when available is selected, any redacted item will be exported in its redacted form. Note that for Original format export a PDF will then be generated, rather than the item being exported in its original file format. When exporting to Original format, PST or i2 ibase/anb: When the option Suppress redacted items is selected, then any redacted item will be skipped. When exporting to Load file or Relativity: When the option Use redacted images when available is selected, then the image will be exported in its redacted form. When the option Suppress natives for redacted items is selected, then exporting of the native file will be skipped when the item has been redacted. When the option Suppress text for redacted items is selected, then exporting of the extracted text will be skipped when the item has been redacted. The text can optionally be replaced with the specified placeholder text Creating an export report You can indicate whether you want to create an export report for this export. The report can be formatted as a PDF, RTF, CSV and/or HTML file. For PDF, RTF and HTML reports you can also add a comment that will be displayed on the first page of the report. Export reports link the original files to the exported files, by listing identifying information about the original item (e.g. source evidence file, MD5 hash) and linking to the exported file. Also the export report may contain information that is lost during export, such as the evidence file s last modification date; like any copy, the export file has the date of export as its last modification date. Important: If the export of a specific result resulted in errors, you will be notified with an error message in the application. You can find the error notifications at the end of the PDF and RTF report or in the last column of the CSV report Skipped items The exporting progress user interface may report skipped items. These relate to the fact that not all items are inherently exportable to the chosen export format(s). Examples are: Page 171 Intella User Manual 2017 Vound

172 A file inside an encrypted ZIP file may be known to Intella but it cannot be exported to Original Format if Intella could not decrypt the ZIP file. Exporting to PDF is possible though, with the information that is known. When using the default PST export settings, Intella will try to replace non-exportable items with their parent . If there is no parent , the item is skipped. Folder results are always skipped. All skipped items are listed in the export report Exporting to a CSV file You can export a results list to a comma separated value (CSV) file. A CSV file contains all information listed in the table. CSV files can be opened in a spreadsheet application such as Microsoft Excel and can be processed through scripting, which opens up new analytical abilities. This functionality can also be used to generate MD5 lists. To export the table to a CSV file: 1. Select the results in the table that you want to export to a CSV file. You can use the Select All option in the right-click menu to easily select all rows. 2. Right click on the selected files and click Export table as CSV. 3. Mark the names of all columns that you want to include in the CSV file. 4. Give the CSV file a name and select Export. The selected columns are stored so that the next time you bring up this dialog, the same columns will be selected. Should you frequently use different export settings, then you can save these as separate templates. Click the New button to create a new template and enter a name. The new template will automatically be selected and any selection changes will be stored under that template name. Click the drop-down list to go back to the previous (default) template. The settings will now be restored to what they were before you created/selected the other template. The contents of the Senders and Receivers columns are configurable to show either the contact name(s), the address(es), or both. The maximum text length of a value inside a cell can optionally be trimmed to 32,000 characters. This is often necessary when one wants to open the CSV file in MS Excel. When opening a CSV with longer texts in Excel, these long texts are typically broken up and roll over to the next row, breaking the table structure. Tip: The CSV format is not a formal standard; different applications may have different conventions on how to separate cells and escape special characters. Intella uses the comma character to separate cells and uses a double quote character to escape values containing commas or other special characters. To import such files in MS Excel 2010, select Data From Text in the ribbon. Next, select the file with the file chooser. In the wizard that opens next, choose Delimited. Set the Delimiters option to Comma and set the Text Qualifier to the " character. Click Finish. Page 172 Intella User Manual 2017 Vound

173 25.4 Exporting the result counts The number of hits per search query can be exported by right-clicking in the Searches list in the upper-right corner and selecting Export queries. This produces a CSV file with the following columns: Facet e.g. Type or Keyword Search. Result the textual representation of the search, e.g. the entered search terms or selected facet values. Total Count the total number of items that matched this query. Count after Includes and Excludes the number of items that were retained after applying the Includes and Excludes (if any) to the original set Exporting the social graph data Intella can export the social graph of a collection of s by selecting the items in the Details view, rightclicking on one of the selected items and choosing Export Social Graph. This procedure creates a graph data file where all nodes represent contacts and all edges represent the fact that mails have been sent between those two contacts. Important: This is different from exporting social graph image, which is covered in the Social Graph chapter. The edges are weighted, with the weight representing the number of mails that have been sent from one contact to another. The edges are directed to differentiate mails from A to B to those sent from B to A. The graph can be exported into one of the following formats: A CSV file containing three columns: the sender, the receiver and the number of mails. A GML (Graph Modeling Language) file containing that same information. A GraphML file containing that same information. A CSV file can be very practical because it can be viewed and edited in spreadsheets and it is easy to write scripts that can process them. Be aware though that CSV is a very informal standard. Different tools may have different rules on how to encode special characters. Some tools that can process CSV graph files may require that the third column be removed. GML and GraphML are formats specifically designed for specifying graph structures. They can be processed in free tools such as Gephi and NodeXL as well as several commercial applications. As GraphML is based on XML, it offers the best solution for dealing with foreign character sets Exporting the event log The case event log keeps the history of all actions performed by all users of this case, such as adding new sources, individual searches, taggings, exports and so on. The event log records can be exported to CSV or MS Excel (.xlsx) format for auditing purposes. Page 173 Intella User Manual 2017 Vound

To export the event log, select Export > Event Log in the main menu. In the dialog box, specify the format (CSV or XLSX), name and path of the CSV file to export to.

174 To export the event log, select Export > Event Log in the main menu. In the dialog box, specify the format (CSV or XLSX), name and path of the CSV file to export to. In the Export events between part you can choose the start and end dates of the events to export. By default, the dates range is automatically set to cover all events. The options in the Select event types part allow for specifying the type of events that should be exported. Furthermore, you also can narrow down the events to cover specific users only, by checking the Only include events of these reviewers option and selecting the user(s) in the pop-up box. The "Export IDs of items associated with the events" option control how item identifiers are exported: Do not export item IDs disables exporting of item identifiers. Export item IDs to separate text files identifiers are exported (one per line) to separate text files in the same folder. The files are named per the numbers indicated in the first column of the exported event log records (1.txt, 2.txt,...). The file format is compatible with the Item ID Lists facet, i.e. this facet can be used to locate these items using the produced files. Export item IDs within the log file identifiers are included into the last column of the exported event log file. Note that this can produce a significantly larger file. Important: The "Export item IDs within the log file" option may cause problems when previewing an exported file with long identifier lists in MS Excel. This is related to limitations on individual cell lengths imposed by Excel and does not indicate that the event log file is malformed or corrupted. Using the option for separate text files allows to overcome this issue. The exported event log file contains the chronologically ordered event log records, one record per line. The records include the following columns: Time date and time of the event. Event Type ID a number indicating the type of the event. This can be used for sorting event records by type, for example in MS Excel. User name of the user responsible for this event. Message human-readable description of the event. Item IDs a space-separated list of item identifiers associated with this event (only when the "Export item IDs within the log file" option is selected). Page 174 Intella User Manual 2017 Vound

175 26 Command-line support Important: This functionality is still in an experimental stage. We welcome any feedback; please visit our support portal at Intella supports command-line arguments for opening or creating a case and indexing a folder of evidence files. You can choose between two different executables: Intella.exe will always open the Intella main window with the (new or existing) case open. Use this for e.g. shortcuts or other scripts that should launch Intella s main user interface. IntellaCmd.exe will only show feedback on the command-line. Use this for automating case creation and indexing. For IntellaCmd.exe an Intella Professional or Intella TEAM Manager license is required. Intella.exe can be used with all licenses. Opening a case To open a specific case the following arguments can be used: Intella.exe -user <user> -case <case location> This can be used for both local and remote cases. If the case folder doesn't exist, the case will be created automatically at this place with default options. You can also use abbreviated argument names, like this: Intella.exe -u <user> -c <case location> Creating a new case The following instruction creates a new case at a specific location with specific user, name and description: Intella.exe -user <user> -case <case location> -casename <name> -casedescription <description> When a case already exists at that location, it is simply opened and the specified case name and description arguments are not used. In other words, there is no difference in syntax between creating a new case and opening an existing case. The abbreviated form of the above instruction would be: Intella.exe -u <user> -c <case location> -cn <name> -cn <description> Indexing a folder The following instruction can be used for open or create a new case and index a folder with evidence files: Intella.exe -user <user> -case <case location> -evidence <evidence location> -sourcename <name> or in the abbreviated form: Intella.exe -u <user> -c <case location> -e <evidence location> -sn <name> Indexing options can be specified using the following arguments: -tz, -sourcetimezone [TZ] The time zone of the new source (example: -sourcetimezone CET). -ima, -indexmailarchives [true false] Index mails and files in mail archives (default: true). Page 175 Intella User Manual 2017 Vound

176 -ia, -indexarchives [true false] Index files inside archives, such as ZIP and RAR files (default: true). -ie, -indexembedded [true false] Extract images embedded in s, MS Office and PDF documents (default: true). -cef, -cacheevidencefiles [true false] Copy all evidence files into the case folder (default: false). -ap, -analyzeparagraphs [true false] Enable paragraph analysis (default: false). -tf, -taskfile [File] Specify a.json task file to run after indexing completes, containing e.g. keyword of hash list searches and tagging or exporting the results. Headless mode It is possible to run Intella in a non-interactive (headless) mode. IntellaCmd.exe should then be used instead of Intella.exe, for example: IntellaCmd.exe -user <user> -case <case location> -evidence <evidence location> -sourcename <name> Listing the defined sources Use the -exportsourcelist or -esl option to export the list of sources in a case, including their configuration, to an XML file: IntellaCmd.exe -u <user> -c <case location> -exportsourcelist <file> Logging The desired log level can be specified using the "-log" argument, for example: Intella.exe -user <user>... -log DEBUG Valid options for the log level are: ERROR WARN INFO DEBUG Both Intella.exe and IntellaCmd.exe support specifying the log level. Page 176 Intella User Manual 2017 Vound

177 27 Load file checklist To help battle the complex nature of load file exporting and importing, we provide checklists for use with Summation (formerly iblaze) and Concordance load files, as well as a general checklist for common issues and solutions with load files. The Summation checklist contains general considerations that can also apply to the use of other load file formats. The Concordance checklist is specific to the standards used by the US Securities and Exchange Commission (SEC) and US Department of Justice (DoJ) Load file diagnostics This section is intended to identify common issues in the preparation and presentation of load files. It is addressed to individuals using Intella to produce load files for third party applications like Concordance, Relativity, Ringtail and/or Summation. Load file purposes It is useful to understand what the final recipient of the load files is going to do with them. Your client will use your load files: To create document records in their database. To upload field values for the records in their database. To upload native files associated with the records in their database. To upload image files associated with records in their database. To upload the text associated with records in their database. Load file errors Essentially these come in two types: Data-related Presentation-related Common mistakes avoiding them There are several common errors that can occur when producing load files. Most of them can be avoided by following some simple rules of planning: Obtain a specification. Run a test ahead of time with a small selection of the real data that you have put through the process. Do not manually edit the load file after it has been produced it is terribly easy to introduce further errors when doing this. Use templates for your export settings. Develop and use a checklist to quality control a sample from your export and match it to the specification provided. Common mistakes correcting them Page 177 Intella User Manual 2017 Vound

Incorrect field names If you have presented data to a client and they are complaining that the field names do not fit the requirements, repeat the export.

The example below shows exporting of the value extracted by Intella from the Sent field as a date time value and exporting it to a field called EM Sent Date in the load file.

178 Incorrect field names If you have presented data to a client and they are complaining that the field names do not fit the requirements, repeat the export. When you come to specify the fields remember that you can customise the label for any field that you choose to export. The example below shows exporting of the value extracted by Intella from the Sent field as a date time value and exporting it to a field called EM Sent Date in the load file. Field type / data presentation mismatch When there is a field type mismatch this will frequently be where the date export options have not been set. The presentation of date values required by the various review systems varies and you will need to consult your client to determine the right settings to use. These are set using the following page in the export process: Detailed Troubleshooting When you are trying to understand why a load file will not load, here are some suggestions as to how to proceed. Note that Concordance, Relativity, Ringtail and Summation have different requirements in terms of data load files and each also provides differing levels of diagnostics and error messages to assist in Page 178 Intella User Manual 2017 Vound

179 troubleshooting. The following suggestions are aimed mainly at Concordance and Relativity but may also provide some assistance with Summation. When following these steps, it is best practice to work from a copy of the load file. Open the load file with a text editor and check the following: What is the encoding and is it correct? (Summation only) If you are exporting data from Intella the only issues that can occur with encoding are for Summation. For all the other load file formats, the system defaults to using UTF-8, which your client should be able to use. If incorrect, regenerate the load file from Intella with updated settings. Confirm that field names are correct These should appear in the first row, which should happen automatically for the formats where it might apply. Are field names spelt correctly? Best practice is to update the Intella settings (and template) and regenerate the load file to avoid introducing errors using manual editing. Is the ID field the first field and is the field order correct? Having the ID field first is best practice and makes for easier diagnostics but isn t necessary. The field order can be specified in the export process. Are delimiters present and correct? It is highly unlikely that these will be wrong since Intella uses the default values and you cannot change them. If the problem appears to be with data appearing in the wrong field, it may be that there is a data problem, e.g. delimiters appearing in the data such that they are misinterpreted during the import process. Note that Intella is like MS Excel in that it only inserts quotes as text qualifiers in csv files if they are needed. This can cause issues when using the CSV load file format with some of the review platforms. Is it a data issue? In many ways data issues are the hardest to diagnose. The best technique is to start with any indication from the software as to where the issue occurs references to error in line X can be helpful in this regard. If there is no indication of where the error might be, an approach is to edit the load file manually (always use a copy), to slice it up into chunks (vertically first and then if necessary horizontally) and try loading each chunk until you find the error. First of all, try loading just the header line and the first record. If this succeeds, your field names are right and the non-null fields in the first line have correct data types. You can then try loading the first half of the load file. If this works then the issue is somewhere in the second half of the file. Load the first half of that and so on. Using this approach you will usually be able to identify an individual record, or possibly a set of Page 179 Intella User Manual 2017 Vound

180 records, which will not load. At this point you slice the records up horizontally by test loading each field in turn, eliminating those fields that load until you find the culprit. In practice, most difficulties arise from three sources (1) failing to check the quality of the finished product against the specification, (2) somebody editing the load file after it was generated (and introducing errors) or (3) from delimiters being present in the data Summation Due to the customization options available in Summation, it is often the case that no two clients will have the same load file specifications or requirements. To ensure the most professional outcome when working with Summation load files, it is highly recommended that you (the Intella user) engage with the recipient of the load file (the client) at the beginning of any engagement or well before any deadline to produce a load file. Our suggested workflow would be along the lines of the following steps: 1. Ask the client to confirm that they require a Summation load file. 2. Supply the checklist below to the client and ask them to complete it. 3. Collect the completed checklist. 4. Ask the client to confirm that they have added any extra fields they require to their Summation installation. 5. Make any changes to the Intella Summation load file export options that are needed to comply with the client s requirements. 6. Create a load file from a test data set similar to the data set of this engagement. 7. (*) Test the load file in your own Summation installation with the client s configuration. 8. Ask the client to verify that the sample load file imports correctly in their own Summation installation on all fields, OCR and so on. 9. If not, make any corrections needed and repeat steps 5 to Once it imports correctly, ask the client to sign-off on this format. 11. Save the export options as a custom export template in Intella. 12. Use the custom export template for producing the final load file(s). (*) When creating a Summation load file as a part of your engagement, it is highly recommended that you have sufficient qualifications for Summation to understand and troubleshoot any issues that may arise. Furthermore, it is also highly recommended that you have a copy of Summation in-house that you can use to test and improve the output of your work. The next pages contain a sample checklist that you can use with your client. Page 180 Intella User Manual 2017 Vound

181 Acme ediscovery Corporation Load File Engagement Checklist Due to the customization options available in Summation it is often the case that no two clients will have the same load file specifications or requirements. The information below provides you with a list of options to configure a Summation load file, as part of the proposed engagement. Please complete the sections A to D and return the form to our litigation support team prior to this engagement. Options Description Completed YES NO Table selection Option A Option B Summation E-tables or Stdtable Additional Summation Fields Document Rendering Option C Option D Document numbering during rendering Document exclusions Dates Option E Option F Date Selection Other options Option A: Summation E-tables or Stdtable The following represents the standard Summation E-table or Stdtable offered in Intella. Please select the fields that you require for the production of the load file requested. To do this ticking the appropriate check boxes on the right-hand side of the table. If a particular field is not present, write it in at the bottom of the table and send us those details. Page 181 Intella User Manual 2017 Vound

182 Token Field Description DOCID Document ID ATTCHIDS Document IDs of attached PARENTID Parent document ID MEDIA Document category: or efile FOLDER File or location (e.g. Bob.pst/Top of Personal Folders/Inbox) DOCTYPE MIME type of document (e.g. DOCTITLE Document AUTHOR Name of the document s EDITEDBY* Other authors or contributors of the DATECRTD Creation date of the DATESVD Last modification date of the SUBJECT FROM TO recipient(s) (TO CC recipient(s) (CC BCC recipient(s) (BCC DATERCVD Date that the document was TIMERCVD Time that the document was DATESENT Date that the document was TIMESENT Time that the document was INTMSGID Internet message READ Whether the message was read (Y or HEADER message BODY message ATITLE Name of the PGCOUNT Page HASHCODE MD5 hash IID* Intella item ID. Required to locate items in Intella. Required <Add custom > Page 182 Intella User Manual 2017 Vound

183 Option B: Additional Summation Fields It is also required that you include two additional fields that are not listed as standard E-tables in Summation. The additional fields are: ETABLE Description 1 IID Used to identify the item in Intella. 2 EDITEDBY Taken form the Intella Authors and Contributors Facet and used to identify which user edited or created the document. These fields and any additional custom fields that are not default in Summation need to be added using the Summation Form Editor before the load file is imported. Page 183 Intella User Manual 2017 Vound

184 Option C: Document Numbering during Rendering Option Description Value Numbering scheme How the documents and pages are numbered ABC Starting number The number of the first document 1 Starting folder The starting folder number 1 Starting box The starting box number n/a Page rollover Maximum number of pages per folder Grouping scheme All files in one folder Prefix, Folder Please identify the positions where you would like the DocID and numbering options to be displayed on the rendered images: Positions Placement Please identify at what position you would like the DocID to be located in the rendering: Position 1: Position 2: Position 3: Position 4: Also indicate if you would like either to: 1. Show the same DocID, for a particular document, on all pages of that document. 2. Increment DocIDs for each subsequent page of a document, e.g. first page ABC , second page ABC , etc. 3. Do not stamp the image files stamp with the DocID. Page 184 Intella User Manual 2017 Vound

185 Option D: Document Exclusions Some documents formats such as spread sheets do not render very well as images. On occasions, a single spread sheet may generate thousands of rendered image files that will have no value to the reviewer. It is recommended that you opt to exclude certain file types for final rendering. File Extension Comment EXCLUDE Spreadsheets Recommended to exclude YES / NO CSV Recommended to exclude YES / NO XLS Recommended to exclude YES / NO XLSX Recommended to exclude YES / NO Custom Option E: Date Formatting The date format in the load file needs to match the date format selected in the Summation s default settings. Failure to do so may cause the day and month to be reported incorrectly in Summation when reviewing. Although the dd/mm/yyyy date format is the standard in many countries, some clients prefer to use dd/mmm/yyyy. This format is preferred because there can be no mistake interpreting the date. For example, the date 4/5/2013 could be interpreted as either 4 May 2013 or 5 April Using the format dd/mmm/yyyy, the date will be displayed as 4/Apr/2013. Option Description Value Date format How to format date only fields dd/mm/yyyy MM/dd/yyy dd/mmm/yyyy Other: Time format How to format time only fields HH:mm:ss Date/time format How to format full date/time fields dd/mm/yyyy HH:mm:ss Page 185 Intella User Manual 2017 Vound

186 Option F: Other options Option Description Value File encoding UTF-8 Native files Include native files? Yes / No Image files Include image files? Yes / No Image format PDF TIFF PNG Text files Include extracted text? Yes / No Page 186 Intella User Manual 2017 Vound

187 27.3 Concordance US Securities and Exchange Commission (SEC) standard Please select the fields that you require for the production of the requested load file by ticking the corresponding checkboxes on the right hand side of the table. If a particular field is not present, add it at the bottom of the table and send us those details. Field Description Required FIRSTBATES First Bates number of native file document/ LASTBATES Last Bates number of native file document/ BEGATTACH First Bates number of attachment range ENDATTACH Last Bates number of attachment range PARENT_BATES First Bates number of parent document/ FROM Sender TO Recipients (To, Cc, Bcc) SUBJECT Subject DATE_SENT Date the was sent TIME_SENT LINK Hyperlink to the or native file document MIME_TYPE The content type of an or native file document AUTHOR Author of the document DATE_CREATED Date the document was created TIME_CREATED Time the document was created DATE_MOD Date the document was last modified TIME_MOD Time the document was last modified DATE_ACCESSD Date the document was last accessed TIME_ACCESSD Time the document was last accessed PRINTED_DATE Date the document was last printed FILE_SIZE Size of native file document/ in bytes PGCOUNT Number of pages in native file document/ PATH Document location INTMSGID message ID MD5HASH MD5 hash TEXT Extracted text of the native file document/ <Add custom > Page 187 Intella User Manual 2017 Vound

188 US Department of Justice (DoJ) standard Please select the fields that you require for the production of the requested load file by ticking the corresponding check boxes on the right hand side of the table. If a particular field is not present, add it at the bottom of the table and send us those details. Field Description Required COMPANIES Company submitting data HASHMD5 Document MD5 hash value BEGDOC# Start Bates ENDDOC# End Bates DOCID Must equal the value appearing in the BEGDOC# field and be UNIQUE NUMPAGES Page count PARENTID Parent record's BEGDOC# FOLDERLABEL or Document location FILEPATH FROM Sender TO Recipients (To, Cc, Bcc) SUBJECT Subject DATECREATED Date electronic file was created DATESENT Date the was sent TIMESENT Time was sent DATERECEIVED Date was received TIMERECEIVED Time was received HEADER The internet header information for sent through the internet INTERNETMSGID Globally unique identifier for a message which typically includes message ID and a domain name DATESAVED Date native file was last modified DATEPRINTED Date native file was printed EAUTHOR Author of the document LAST AUTHOR Last Saved By field value extracted from metadata of a native file ESUBJECT Document title FILESIZE File size in Bytes FILENAME File name of native file APPLICATION MIME type of document (e.g. application/pdf) DOCLINK File path location to the current native file location on the delivery medium DATEAPPTSTART Start date of calendar appointment TIMEAPPTSTART Start time of calendar appointment DATEAPPTEND End date of calendar appointment TIMEAPPTEND End time of calendar appointment Page 188 Intella User Manual 2017 Vound

189 28 Preferences To open the Preferences dialog, select the File > Preferences menu option. To apply changes of the settings, click the Apply button. To apply changes and close the dialog box, click the OK button. The Cancel button will close the dialog box and discard all unapplied changes. The specific settings per tab are explained below General The Backup section controls how case backups are handled. The three options control whether a backup of the case needs to be made when the case is closed, or whether this needs to be asked on every occasion. This setting is set for each case individually. The Backups folder is shared by all cases though. When a case is backed up, a copy of the entire case folder is made and placed in this folder. A previous backup is removed, if the backup has succeeded note that this will have consequences for the disk space that needs to be available. The default location of this backup folder is next to the cases folder. We recommend changing this to a location that is located on a physical disk, so that disk malfunctions do not damage both the actual case and the backup. The Temp Folder controls where Intella stores its temporary files, e.g. for opening an item in its native application. By default, the used folder is inherited from the operating system, but it can be modified here, e.g. to accommodate a system with a small operating system drive or for performance or security reasons. When the Check for availability of original evidence files at start-up option is on, Intella will check for the presence of evidence files at their original locations every time a case is opened. If any of the evidence files are missing, the Attach Evidence dialog to correct the evidence paths will be shown. The Check for updates on start-up option lets Intella look online for new versions of the software during startup. This lookup will be done once in every 24 hours. New versions will be shown in the upper right corner of the application. A message will also be shown here when this option is turned off or when fetching the last version information has failed Display and Locale The Display splash screen while loading a case option controls whether a splash screen will be displayed after you have selected a case in the Case Manager for opening in Intella. Page 189 Intella User Manual 2017 Vound

190 The Language selection option lets you select the display language used for Intella. The set of values in the list depends on which language profiles are detected in the translations subfolder, located in the folder where Intella is installed. Intella checks online whether new language profiles are available for the current Intella version and the currently used language. When this is the case, a message is displayed in the upper right corner of the main window. Clicking on that message will open a web browser and download the new language profile. The Browse button in this panel can then be used to install the new profile. The Date format setting lets the user select how dates and times will be displayed. The dropdown menu allows for various formats selected by country. This setting is not dependent on the display languages and allows for all generally used formats, regardless of which language profiles are available. Finally, the Page format lets you select which paper size to use when exporting to PDF or printing items. Available options are ISO A4 and US Letter Dates The Primary Date option controls how Primary Dates are determined for each item, based on a set of rules holding preferred attributes. While processing the dates of all items, Intella will try to pick a matching date rule based on the item s type and use it to determine the primary date attribute for that item. First it will first look for a rule that has the same MIME type as the item has, e.g. the MS Word MIME type. When no such rule exists, it looks for a more general rule covering the type group that holds this MIME type, e.g. the Documents group. See the Type facet for how item types are grouped. If no such rule exists either, it will fall back on the default rule to compute the Primary Date. Each rule holds a prioritized list of all the date attributes that Intella supports. Once a primary date rule is selected for the item, the first date in this list that occurs in that item s metadata is used to set the item s primary date. You can define many date rules for different MIME types or groups. You can add or remove rules from the set, but it must always contain the default rule. By pressing the Reorder dates button, you can change the priorities of the date attributes for the selected rules. Page 190 Intella User Manual 2017 Vound

191 Because of the way rule selection works, the order of the rules does not affect the outcome. Only the order of attributes in a rule matters. Note that the Primary Date settings also affect the Family Date attributes, as the Family Date of an item is defined as the Primary Date of its top-level parent. When a change is made to the Primary Date settings, Intella will ask whether you want to rebuild the indices for those two dates. These indices are used for displaying and sorting the Primary Date and Family Date columns and for any Date facet searches on these attributes. Updating these indices can be a lengthy operation on large data sets. In case you wish to cancel this update operation, you can click the Cancel button in the progress dialog. This will revert your Primary Date settings back to the previous configuration and leave the indices unaltered. Note that it is not possible to alter the Primary Date settings without updating the relevant indices Irrelevant Items Intella automatically classifies certain items as Irrelevant during indexing. These are items that are generally regarded as non-relevant from a review point of view. Note that this only applies to the item itself, not its child items. One can think of this category as containing those items that you would likely not review when they show up as part of a keyword search result, unless in certain types of deep forensic analysis. This classification has no effect on the processing of the affected items, other than storing the classification. It can be used to suppress items during searching and exporting, e.g. by toggling the Hide Irrelevant button, using the Features facet category or setting the corresponding options during export. This reduces the time needed for reviewing and exporting. If such filtering is not desirable, all one has to do is leave these options to their default, unselected state. The following items are classified as Irrelevant: Folders regardless of origin containers e.g., PST, NSF, Mbox,... Disk images e.g., E01, L01, DD,... Cellphone reports e.g., UFDR, XRY XML,... Archives e.g., ZIP, RAR,... Executables e.g., EXE, BAT,... Load files e.g., DII, DAT,... Empty i.e., zero byte files Embedded images see the Features facet section for a definition of this category Note that the flag is not inherited by child items; they only get classified as Irrelevant when they also meet one of these criteria. Currently, the criteria for classifying items as Irrelevant are hardcoded and fixed; the disabled checkboxes in the Irrelevant Items tab are only there to explain the process. We may make these options configurable in a future release. Page 191 Intella User Manual 2017 Vound

192 28.5 Search The Enable Search History option allows you turn off the search history. The main use of this is when you do not wish these search terms to be recorded be aware that they are still being added to the audit trail and may leave traces in the log file. This setting is also a workaround for character sets (e.g. Korean characters) that cannot be entered properly when the history functionality is active. The Restore the queries that were shown last option lets the current queries being stored during shutdown, and restores them the next time the case is opened. The Show Children options allow you to specify what children are returned when you click on Show Children in the Previewer or in the search results popup menu. You can specify the level by including only directly nested children (direct children only) or directly and indirectly nested children (all children). When you select the Ask every time option, you will be prompted for the desired level every time you use Show Children. The Show Parents options control what items are ignored when the top-level or direct parent is selected for an item. This operation affects not only the Show Parents and Show Top-level Parents functions, but also what items are tagged when the Also tag all other items nested in the same top-level item option is selected in the Tagging tab Results The Opening results option controls what happens when a result is double-clicked: open it in Intella s internal Previewer or in the native application registered with that file type. The Following HTML links option relates to the links and externally linked images that can be found in HTMLbased s. Both can be dangerous to download automatically, e.g. because they can tip-off suspects that their s are being read by another party. This panel lets you control how these link types are handled. By default, links are blocked and external images are not loaded automatically. This can be managed per individual in the Previewer window or for all items at once in this preferences panel. The Cluster Map options let you specify whether transitions on the Cluster Map should be animated and if so, how long that animation may take. You may want to disable animation if it causes performance problems on your system. Furthermore, you can specify whether or not the Cluster Map should automatically be scaled when it does not fit inside the window. You can also change this option using the Cluster map toolbar button, or go to View > Cluster Map > Scale to fit window. Page 192 Intella User Manual 2017 Vound

193 The Thumbnails View setting controls which thumbnails are shown based on the size of the original image in kilobytes. Images that are below this threshold are filtered out. The Previewer window setting controls how many pages are shown in the Preview tab. This is by default restricted to the first 5 pages, as rendering of this tab may trigger a conversion from the document format at hand (e.g. an MS Word document) to PDF. This can take a long time for large and complex documents. This can be minimized by only converting and showing the first five pages. Furthermore, the paragraph controls shown in the left margin of the Contents tab can be disabled using the Enable paragraph features checkbox. This only has an effect when the Analyze paragraph setting has been used during source creation Tagging When tagging items, the policy of your investigation may be that some related items should be tagged as well, e.g. tagging items in a mail as privileged may require that all other items in that same mail are also tagged as privileged. The settings in this tab can make that happen automatically. The three radio buttons specify how other items in the hierarchy need to be handled: Only tag the selected item is self-explanatory. Also tag all attached/nested items results in all attached or nested items being tagged with the same tag as well. This works recursively, i.e. all children in the hierarchy are tagged. Also tag all other items nested in the same top-level item means that everything from the top-level mail down to the most deeply nested child gets the tag. In addition to these three settings, you can specify that all duplicates should also be tagged. When this setting is switched on, all items in the case with the same MD5 or message hash will inherit the tag. Furthermore, their children or siblings may also be tagged automatically, based on the setting described above. Page 193 Intella User Manual 2017 Vound

194 Note that the top-level parent of an item is determined per the Show Parents settings in the Search preferences. The upper part of the Tagging tab with the tagging inheritance options can also available by opened by clicking the Tag Preferences button when setting a new tag. This dialog will also let you override the settings for the tag currently being set. The Previewer setting controls the maximum number of quick tag buttons that is shown in the Previewer. Finally, the Verify taggings checkbox controls whether Intella should check whether any taggings made by the user have made it into the database. Recent improvements have reduced the usefulness of this operation to such an extent that it typically no longer warrants the overhead MS Outlook Click Validate to ensure that Intella can locate the Outlook program files on the system. This is necessary for the ability to export to PST files. The status is shown in the (non-editable) field. If validation fails, please consult your system administrator to make sure that MS Outlook is installed correctly IBM Notes Click Validate to ensure that Intella can locate the IBM Notes program files on the system. The status is shown in the (non-editable) field. If validation fails, click the Browse button, select the path to the IBM Notes folder in the file chooser and click Apply. During Notes validation Intella will check the Notes version. Some versions are not recommended, see the Installation section. To enable use of such non-recommended Notes versions, select the Enable using unsupported version of IBM Notes checkbox. Page 194 Intella User Manual 2017 Vound

195 Tip: The default installation directories for IBM Notes is one of the following: C:\Program Files\IBM\Lotus\Notes C:\Program Files\IBM\Notes C:\Program Files (x86)\ibm\lotus\notes C:\Program Files (x86)\ibm\notes Page 195 Intella User Manual 2017 Vound

28.10 Geolocation The Tile preferences section defines how the world map gets rendered in the Geolocation results view and the Previewer s Geolocation tab.

196 28.10 Geolocation The Tile preferences section defines how the world map gets rendered in the Geolocation results view and the Previewer s Geolocation tab. Intella embeds a set of tiles for rendering this map. By default, this tile set is used. This embedded tile set enables use of the Geolocation views without requiring any configuration and/or network connection. The drawback of using this tile set is that the user can only zoom in six levels. Another option is to integrate with a custom tile server. To enable use of such a server, select the Integrate with the tile server option. The Geolocation tab will then expand to offer additional settings. In the example on the right, MapBox s tile server is used. You can use any tile server you wish by typing its address into the Tile server integration URL field. The format for the URL is dependent on the chosen tile server. Note that to use a public tile servers, you need to ensure that you comply with the tile server's usage policy. This is your responsibility, not Vound s. The Min. zoom option defines the desired minimum zoom level in the user interface. This should be in the range of supported zoom levels of the chosen tile server. The Max. zoom option defines the desired maximum zoom level in the user interface. This should be in the range of supported zoom levels of the chosen tile server. The Tile Size (pixels) option defines the size of a single square tile. This value should match the size of the tiles which are returned by the tile server. The Reverse X tile numbering and Reverse Y tile numbering options should be used when the tile numbering order used by the tile server is reversed. Usually there will be no need to use these two options. Important: Using a public tile server may reveal the locations that are being investigated to the tile server provider and anyone monitoring the traffic to that server, based on the tile requests embedded in the retrieved URLs. Tip: If the investigation system has no internet connection, a custom tile server can be set up on the local network. One way of how this can be achieved can be found at This is out of the scope of this manual and Vound s technical support. Page 196 Intella User Manual 2017 Vound

197 geolocation allows one to estimate the geographic location of an s sender using the sender IP address. This process takes place during indexing. See the Geolocation chapter for a description of the process and its caveats. Determination of the geographic location of an IP address requires the presence of MaxMind s GeoIP2 or GeoLite2 database. These databases associate IP addresses with geographic locations. The databases can be found here: GeoIP2 database (commercial) GeoLite2 database (free) See the MaxMind website for a description of their differences, beyond price. The chosen database can be installed here by placing it in the following folder: C:\Users\[USER]\AppData\Roaming\Intella\ip-2-geo-db Alternatively, when you are on an Internet-connected machine, you can let Intella download and install the GeoLite2 database automatically by clicking the Download GeoLite2 database button. After clicking this button, a dialog opens that states that proceeding with this download implies that you agree with the GeoLite2 license terms. After clicking Proceed, the download will start. The download progress will be shown in the Status field. Once the download has completed successful, a green validation message will be shown here. To use the geolocation feature, check the Determine the geographic location of an sender s IP address option when adding a new source. Page 197 Intella User Manual 2017 Vound

198 29 Reading your log files Each Intella case has its own log files: main-[date].log and warnings-[date].log. The main file contains all of Intella's case-specific log messages. The warnings file only contains those messages that have a WARN or ERROR message level. This will typically be a much shorter file and is therefore easier to handle, but it may miss critical contextual information needed for the proper diagnosis of errors. Log files roll over every day at midnight. When a case is opened for the first time on a specific day, two new log files are made for that day. When you open the case another time on the same day, all log messages are appended to these files. When Intella still has the case open at midnight, it starts creating two new log files for the next day. When you keep track of when you indexed or exported information in the case, this split up will ease looking up the relevant log messages. This split up also prevents the log files from becoming too large to handle. Your log files are always stored in the logs subfolder of the case folder. By searching your own log files for common error messages, you can often troubleshoot these common errors without need of contacting our support department. To open very large log files, we suggest free tools such as Large Text File Viewer. This tool is optimized for viewing very large (> 1 GB) text files List of known errors The following is a list of known error messages and their explanation and solution. Most of these errors have causes that are external to Intella. java.lang.outofmemoryerror Explanation: Intella has run out of memory while processing a file or index. This error can also happen on machines with lots of RAM, as each of Intella's processes has a maximum amount of memory it is allowed to use. Solution: increase Intella's memory settings. See the Memory settings chapter for details. Caveat: some out of memory errors are caused by corrupt documents and Intella may safely recover from this, so that the integrity of the case is not harmed. When in doubt, please send the error message and the 50 lines surrounding it to our support department. java.io.ioexception: The device is not ready Explanation: the USB disk or network drive is not available to Intella. Solution: process the case on an internal disk to see if this solves the issue. The network/external disk or the connection to it may not be reliable. "Exception while processing stream of..." Explanation: the file being indexed may be corrupt. Solution: check the file in its native application. java.io.ioexception: An unexpected network error occurred Explanation: your network is dropping connections. Solution: move the case and evidence data to an internal drive and retry. Page 198 Intella User Manual 2017 Vound

199 java.io.ioexception: Access is denied Explanation: you do not have the correct file or folder permissions. Solution: ensure all permissions on the case files and evidence data are correct. java.io.filenotfoundexception: X:\FILE_NAME_AND_PATH (Access is denied) Explanation: the file or folder is missing. Perhaps you have moved the case or evidence folder? Solution: verify that the original data is where it should be. java.io.ioexception: There is not enough space on the disk Explanation: Please check if you have sufficient drive space to continue. Note that heavily fragmented files can also cause such errors Background information Log files are useful in diagnosing problems or errors that may arise while using Intella. Intella records log files during all normal program operation, including indexing and exporting. In the default logging mode, Intella records basic operational messages and errors. The log files are stored in the logs folder inside the case folder. When using the default suggested case folder, the log files are typically stored here: C:\Users\<USERNAME>\AppData\Roaming\Intella\cases\<CASE NAME>\logs The log files are main-[date].log, warnings-[date].log and any other *.log files in the same directory. Note that the Help menu in Intella has an Open Log Folder option that takes you straight to this folder, regardless of where the actual log folder is located Log levels When an issue arises and the log files do not contain sufficient information to resolve the issue, you may wish to increase the logging level from basic (INFO) to a more detailed level (typically DEBUG). Intella will then log actions and operations in more detail. Note that this will considerably increase the size of the resulting log files. To increase the logging level. please do the following: 1. Close your Intella case, remembering the case name and the location of the case folder. 2. Assuming the default suggested case folder, open the following folder in Windows Explorer: C:\Users\<USERNAME>\AppData\Roaming\Intella\cases\<CASE NAME>\conf When your case is saved to a location other than the suggested location (e.g. a USB device), please use the path to that folder. 3. Once in the conf folder, use a text editor (e.g. Notepad) to open the logback.xml file. This file is unique to every case. Locate and change the line containing <level value="info" /> into <level value="debug" /> 4. Once the changes are made, save the file and close the text editor. Now open your Intella case again. Logging will from now on report more detailed information. Page 199 Intella User Manual 2017 Vound

200 30 Menu, mouse, and keyboard shortcuts 30.1 Main Menu Below is a description of all menu items in the main window. Not all options appear in all products File Preferences Open the Preferences dialog (see Preferences) Key Store Open the Key Store dialog, for viewing and editing decryption passwords, certificates, etc. Restore Annotations The user can restore the annotations from a copy of this case, e.g. when the working copy has been damaged beyond repair. Import OCRed files Import files that have been processed using an external OCR tool. Generate Thumbnails (Ctrl+T) Pre-generates all thumbnail images used in the Thumbnails view, speeding up its responsiveness. Tasks Opens a window that show all defined post-processing tasks and lets the user edit and launch them. Excluded Paragraphs (Ctrl+Shift+F) Opens a window that shows all paragraphs explicitly excluded from keyword search and let the user search for them or remove them from the list of excluded paragraphs. Close Case Closes the current case and brings the user back to the Case Manager window. Exit (Ctrl+Q) Exit the application Sources Re-index (CTRL+R) Recreate all indexes from scratch (after user confirmation). Index new data Searches the current sources for new evidence files. Add New... (Ctrl+N) Opens the Add New Source wizard. Edit Sources (Ctrl+E) Open the Edit Sources dialog window. Page 200 Intella User Manual 2017 Vound

201 Edit Evidence Paths Opens the Attach Evidence dialog. This dialog can be used to edit the paths of the evidence files used to create the case. These paths need to be set correctly when the case is re-indexed. Exceptions report Lets the user choose a CSV file to which the exceptions report will be written View Cluster Map Animate Changes Turn cluster map animation on or off. Cluster Map Scale to Fit Window Turn cluster map size scaling on or off. Details Use the four sub-items to switch the Details panel to Table, List, Thumbnail or Timeline mode. Preview Item (CTRL+O) Lets the user open a specific item. See the Item ID column in the Details table for these numbers. Close All Previews (Ctrl+Shift+W) Closes all open Previewer windows. Full screen Toggles full-screen mode Export Cluster Map... Exports the current Cluster Map as a PNG image. Social Graph Exports the current Social Graph as a PNG image. Timeline Exports the current timeline as a PNG image. Words Export all words used in the indexed evidence files. When the results table shows a list of results, exporting of the words of only these items is also possible. Result... Export a single result. This option is available when a single item is selected in the Detauks table. Result List Opens the export dialog to let you export the currently selected results. Configure Redaction Profiles Opens the dialog that lets you create and edit redaction profiles. See the section on redaction for more information. Event Log Opens the dialog that lets you export part of or the entire case event log. Page 201 Intella User Manual 2017 Vound

202 Team Set Work Folder (Viewer and TEAM Manager only) Open the dialog to set the location (folder) where the Intella work reports will be stored. Select a folder in the dialog and click Select folder. The default TEAM work folder is C:\Users\USER\Desktop. Export Work Report (Ctrl+W Viewer and TEAM Manager only) Open the dialog to export an Intella work report file (.iwr extension) to the work folder. Open CSV Exports (Viewer and TEAM Manager only) Open the dialog to open CSV files that were created together with a work report. Select the CSV file and click Open. The CSV file will be opened in the application that is linked to the CSV file type by your operating system. For example: MS Excel or OpenOffice Calc. Import Work Report (Ctrl+I TEAM Manager only) Open the dialog to import an Intella work report. Select an Intella work report file (.iwr extension) and click Open. Work Reports History (TEAM Manager only) Open the dialog that shows the list of work reports that were imported to this case. Every entry in the list has the investigator name, the creation date of the Intella work report and the import date. To delete a selected work report from you case, click Remove Work Report contents in the Work Reports History dialog. You are asked to confirm since this operation cannot be undone Help Help Topics (F1) Opens the bundled user manual (this document). Forum Opens the Intella forum in a web browser. Dongle Manager A shortcut to the separate Dongle Manager application, which is used to inspect and update the contents of your Intella dongle. Open Log Folder Opens the folder where Intella stores logging information. Open Export Templates Folder Opens the folder where the user-defined export templates are stored. These files are.xml files that can be shared and copied to other case folders. About Intella <product edition> Shows a dialog with three tabs. (1) The first tab contains the version number of Intella. (2) The second tab contains system information. (3) The third tab shows license information such as ID, type and restrictions Mouse actions Table and thumbnail view Click and drag Select multiple items. Page 202 Intella User Manual 2017 Vound

203 Ctrl+click Select/deselect items. Double click on item Depending on the preferences, this opens the clicked item in Intella s internal Previewer, the registered native application, or opens a dialog asking the user what to do. Right click on item Opens the popup or context menu Timeline Click on Opens the in the Previewer. Double-click on Depending on the preferences, this opens the clicked item in Intella s internal Previewer, the registered native application, or opens a dialog asking the user what to do. Right click on Opens the popup or context menu on that Cluster Map Click on cluster or on label Select a cluster or result set and shows its items in the Details panel below. Click and drag Move cluster to reorganize the Cluster Map. Right click on cluster, label or on the selections panel Opens the popup or context menu on that item Social Graph Click on a node Selects a node and shows its items in the Details panel below. Click on an edge Select an edge and shows its items in the Details panel below. Click and drag Move node to reorganize the graph. Drag with right-mouse button pressed Scroll (pan) the graph Histogram Click and drag Zoom in on a specific area in the chart. Ctrl-click and drag Pan (scroll) the chart. Page 203 Intella User Manual 2017 Vound

204 Click and move up Restore zoom level. Mouse wheel Zoom in and out of the chart Keyboard shortcuts Main window Ctrl+R Re-index all sources Ctrl+N Add new source Ctrl+E Edit sources Ctrl+O Open a specific numbered item Ctrl+Q Exit the application Ctrl+Shift+E Export work report (TEAM Manager and Viewer) Ctrl+Shift+I Import work report (TEAM Manager only) Ctrl+Shift+W Closes all open preview windows F1 Open Intella help file (requires PDF-viewer, like Adobe Acrobat) Spacebar (in thumbnail view) Flag selected item Ctrl+A Select all items or text Previewer window Alt+Right Arrow Move to next item Alt+Left Arrow Move to previous item Ctrl+C Copy selected text Page 204 Intella User Manual 2017 Vound

205 Ctrl+V Paste copied text Ctrl+A Select all text Ctrl+1, Ctrl+2, or Ctrl+3 Tag an item with the tag assigned to button 1, 2 or, 3 in the previewer Page 205 Intella User Manual 2017 Vound

206 31 HASP dongle problem resolution 31.1 Problem flowchart Page 206 Intella User Manual 2017 Vound

31.2 Problems and solutions 31.3 Installation problems 31.3.1 HASP dongle drivers do not install Problem: You are not able to install the HL Key (dongle) drivers.

207 31.2 Problems and solutions 31.3 Installation problems HASP dongle drivers do not install Problem: You are not able to install the HL Key (dongle) drivers. Cause: Presence of older HASP HL key drivers installed on the machine Solution: Uninstall the older drivers. 1. Click Start > Run or click the Windows key + R 2. Enter C:\Program Files\Vound\Intella\bin\haspdinst.exe -kp purge and click OK. 3. Wait for message that operation was successful. Caveat: These steps uninstall ALL other HASP drivers. Make sure you have no other HASP dongle that requires an older driver. Install the latest driver HASP dongle not found Problem: The following message is triggered "HASP key not found (H0007)" Possible cause 1: The HASP dongle LED is not lit. The dongle is not connected or not properly connected to the USB port. Solution 1. Disconnect, pause a few seconds, then reconnect. If the LED lights up, the application should be able to access the dongle. You may need to wait a few seconds for the dongle to be completely installed by the operating system. 2. The required HASP HL key drivers are not installed. If you are running HASP SRM on a Windows platform, check for an entry for HASP SRM in the Device Manager utility. If there is no entry, you must install the drivers. 3. Check if the USB port is functioning correctly. Disconnect all other USB devices from their respective ports. Connect the HASP dongle to a different USB port. Try using a different USB device in the port from which the dongle was not accessible to test if the port is working. Possible cause 2: HASP License Manager Service is not running. Solution 1. Check if the HASP License Manager Service is running by opening a Command Prompt (Start > All Programs > Accessories > Command Prompt) 2. Enter: sc query hasplms 3. Check the result. It should show like this... Page 207 Intella User Manual 2017 Vound

208 SERVICE_NAME: hasplms TYPE : 10 WIN32_OWN_PROCESS STATE : 4 RUNNING (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 When you see RUNNING it means that the hasplms service is running Hardware problems No dongle detected Problem: The computer does not detect the dongle. There are several potential causes, listed below. Cause 1:Conflict with other USB devices On occasion, the presence of other USB devices may cause problems with the HASP dongle. Solution: Remove conflicting USB device/devices Cause 2:Incorrect device driver installed The HASP dongle may not function if an incorrect version driver is installed. Solution: see section Installation problems, HASP dongle drivers do not install. Cause 3:USB port is defective or HASP dongle not properly inserted Solution: Check that the LED light is lit on the dongle. If not, remove and reinsert. Wait for the operating system to detect the dongle. If it still does not light up, try another USB port or use a USB hub. Cause 4:Faulty dongle On rare occasions one may get a faulty dongle. The dongle neither lights nor is detected in Device Manager, even with proper driver installed. Request a replacement Firewall & anti-virus problems Unable to access HASP SRM RunTime Environment (H0033) Problem: The error message: "Unable to access HASP SRM RunTime Environment (H0033)" might be caused by too restrictive firewall settings. Possible causes: C:\WINDOWS\system32\hasplms.exe is blocked by firewall or antivirus application. Port 1947 is blocked by a firewall application. HASP License Manager Service is stopped. Preliminary test: Page 208 Intella User Manual 2017 Vound

1. Disable all antivirus and firewall applications. Note that some applications such as Norton, McAfee, and AVG have both antivirus and firewall settings that may need to be individually disabled. 2.

209 1. Disable all antivirus and firewall applications. Note that some applications such as Norton, McAfee, and AVG have both antivirus and firewall settings that may need to be individually disabled. 2. If the HASP License Manager Control Center does not appear in the browser at then we know that the anti-virus or firewall application will have to be configured. 3. If the Control Center still does not appear, check for other firewall or antivirus applications that may be running and disable them or turn them off. Solution: 1. Add C:\WINDOWS\system32\hasplms.exe in the Exception list of the antivirus and firewall application 2. Add port 1947 to the Exception list 3. Restart the HASP License Manager Service (Control Panel > Administrative Tools > Services) An example of a firewall exception is shown in the image on the right. Important: You must perform an installation Reinstall of Intella as the antivirus software may have blocked components during the first install. The following information is adapted from the SafeNet Sentinel HASP knowledgebase. Message: "Unable to access HASP SRM RunTime Environment (H0033)" Problem: This error means that there is a communication error between the program and the local license manager. This error can be triggered by several causes, including (1) improper installation of the HASP RTE software, (2) personal firewall software blocking communication with the HASP LMS service, or (3) other software using the same port that the HASP License Manager uses (i.e. port 1947). Solution: To troubleshooting the error follow the steps below until the cause for the error is found: 1. Open a web browser and connect to This is the HASP SRM Admin Control Center. If it's possible to connect to this page, then the HASP SRM Runtime is installed properly. The problem lies elsewhere and you can disregard the rest of this document. If you get a message Page cannot be displayed, it's possible that HASP SRM Runtime is not installed (go to step 2) or blocked (go to step 3 and 4). 2. Go to Start > Run, enter services.msc and click OK. The list is alphabetical. Search for HASP License Manager in the table and then check if its status is Started Page 209 Intella User Manual 2017 Vound

210 If this entry is not listed, then the HASP SRM Runtime is not installed. Please reinstall it. If the status is not Started check the event log for entries relating to the HASP License Manager service that will give an error message and further diagnostic information. 3. Check your personal firewall software. There are many types of personal firewall software including Norton Internet Security (the Firewall is one component of this software), ZoneAlarm and others. By default, most personal firewall software will request permission to allow access for the HASP License Manager the first time it is run. If access is allowed there should be no problems. If access is denied you will encounter communication problems. To resolve such problems either disable the firewall completely (Note: this option has risks. Please contact your firewall vendor for details) or create a rule or exception in the firewall to allow the HASP License Manager communication. If there is an option to create a rule/exception based on a port number, allow port As there are many personal firewall products on the market it is not possible to list all the ways to configure each piece of software here. Please contact your firewall vendor for details on how to create exceptions or rules as detailed above. 4. Check that there aren't any applications that use HASP registered port (Port 1947). If you find such a program, disable it and run the HASP application again Normal operation Dongle installation Intella is shipped with the latest SafeNet HASP dongles. Intella is packaged with the SafeNet HASP RTE installer. When correctly installed, the Windows Device Manager reports three items in the Universal Serial Bus controllers section: SafeNet HASP HL Key SafeNet HASP Key SafeNet USB Key. When incorrectly or incompletely installed, warning icons appear on the device. HASP License Manager Service The HASP installer includes the HASP License Manager application that runs as a system service: C:\WINDOWS\system32\hasplms.exe Page 210 Intella User Manual 2017 Vound

The HASP License Manager Service hasplms.

When this application is running, you should be able to

entering http://localhost:1947 in an internet browser.

HASP HL will only show when the dongle is plugged in.

License Manager Service is running properly, is that

211 The HASP License Manager Service hasplms.exe must be running to allow Intella to open. When this application is running, you should be able to load the HASP License Manager Admin Control Center by entering in an internet browser. HASP SL is the trial version license. HASP HL will only show when the dongle is plugged in. Windows system services A good indication that the License Manager Service is running properly, is that the entry is flagged as Started in the table of Windows system services: Page 211 Intella User Manual 2017 Vound

212 31.7 Installation flowchart Page 212 Intella User Manual 2017 Vound

Intella User Manual. evidence made visible. Intella. Vound investigation and ediscovery software. Version 1.8

Intella User Manual. evidence made visible. Intella. Vound investigation and ediscovery software. Version 1.8 Intella User Manual Intella evidence made visible Vound email investigation and ediscovery software Version 1.8 Contact To learn more about Intella, please contact us using the contact information below,