Intella User Manual. Version 1.9.1


Contact

To learn more about Intella, please contact us using the contact information below, or contact an Intella Channel Partner.

Vound
Office Phone
Postal Address: PO Box 308, Evergreen, Colorado, U.S.A.

Sales Contacts
We will be pleased to provide additional information concerning Intella and schedule a demonstration at your convenience. To become an Intella reseller, please contact us!

For user and technical support please visit our website:

Intella User Manual 2016 Vound

Vound Colorado ("Vound") Vound. All rights reserved.

The information in this User Manual is subject to change without notice. Every effort has been made to ensure that the information in this manual is accurate. Vound is not responsible for printing or clerical errors.

VOUND PROVIDES THIS DOCUMENT "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED AND SHALL NOT BE LIABLE FOR TECHNICAL OR EDITORIAL ERRORS OR OMISSIONS CONTAINED HEREIN; NOR FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES RESULTING FROM THE FURNISHING, PERFORMANCE, OR USE OF THIS MATERIAL.

Other company and product names mentioned herein are trademarks of their respective companies. It is the responsibility of the user to comply with all applicable copyright laws. Mention of third-party products is for informational purposes only and constitutes neither an endorsement nor a recommendation. Vound assumes no responsibility with regard to the performance or use of these products.

Under the copyright laws, this manual may not be copied, in whole or in part, without the written consent of Vound. Your rights to the software are governed by the accompanying software license agreement. The Vound logo is a trademark of Vound. Use of the Vound logo for commercial purposes without the prior written consent of Vound may constitute trademark infringement and unfair competition in violation of federal and state laws. All rights reserved by Vound. Intella is a trademark of Vound.

Contents

Contact Preface Training Document conventions An introduction to Intella Key benefits Intella editions Supported file formats Supported sources Supported languages Supported platforms Feedback Getting support Different ways to get support Standard technical support User support contract Certified Intella training courses Working with Vound support Upgrade contract Installation and configuration Installation Step 1: Check the hardware requirements Step 2: Check the software requirements Step 3: Learn about licenses and dongles Step 4: Install the software Step 5 (optional): Support for S/MIME- and PGP-encrypted e-mails Storage considerations Installation troubleshooting Error code 7 (H0007) Error code 31 (H0031) Error code 33 (H0033) Error code 37 (H0037) Error code 41 (H0041) Error code 51 (H0051) Memory settings Where are Intella's data files located? Where can I find Intella's log files? Frequently asked questions Dongle activation Using the Dongle Manager Using haspupdate.exe Products and workflow Feature overview Standalone use

7.3 Sharing cases Sharing cases across a network Sharing cases offline Work reports Cross-case work reports Managing cases Adding cases Creating a new case Opening a shared case Opening an existing case not in the list Importing a case Opening a case Editing a case Deleting a case Exporting a case Sharing a case Overview of the Intella interface Insight view Search view Previewer Sources Source types Adding sources Adding a File or Folder source Adding a load file source Adding a Hotmail Search Warrant Result source Adding a Disk Image source Adding an IMAP account source Adding a MS Exchange EDB Archive source Last steps in a source definition Indexing Automatic item decryption Supported formats Supplying access credentials Post-processing Tasks Custodians OCR Thumbnail generation Importing an overlay file Content analysis Editing sources Exceptions report Restoring annotations Optical Character Recognition (OCR) Starting OCR OCR methods

11.3 Using an external OCR tool Using ABBYY Recognition Server Reviewing OCRed items Insight view Evidence Types Custodians Internet Artifacts Timeline Identities Notable Registry Artifacts Supported registry hives Operating system information Time zones User accounts Network interfaces Network connections USB mass storage devices Recent files Shellbags Typed URLs Devices Networks Significant Words Workflow Keyword search Search options Search query syntax Lowercase vs. uppercase Use of multiple terms (AND/OR operators) Minus sign (NOT operator) Phrase search Grouping Single and multiple character wildcard searches Fuzzy search Proximity search Field-specific search Special characters Regular expressions Using facets Available facets Saved Searches Features Tags Custodians Location Address

Phone Number Chat Account Date Type Author Content Analysis Keyword Lists MD5 and Message Hash Item ID Lists Language Size Duration Device Identifier Export Sets Including and excluding facet values Including a facet value Excluding a facet value Cluster Map Understanding a Cluster Map Manipulating Cluster Maps Options Social Graph Basics Controls Limitations Statistics Overview tab Histogram tab s tab Keywords tab Details panel Table view Adding and removing columns Reorganizing table columns Sorting the list Showing a conversation Showing the child items Showing the parent items List view Thumbnails view Timeline view Deduplication and irrelevant items Previewing results Overview of the Previewer The Toolbar Tabs Contents

Preview Headers Raw Data Properties Attachments Thumbnails Tree Entries Comments Words Actions Redaction Tagging Tagging in the main window Adding tags Removing tags Tagging in the previewer Automatic tag inheritance Pin a tag to a button See all tagged items Searching with tags Deleting a tag Redaction Workflow Redacting an item Exporting Mass redaction Redaction profiles Caveats Exporting Exporting a single result Exporting a list of results Export formats Destination folder Export templates Suppressing irrelevant items Export sets PDF file options File naming and numbering (original format, PDF, load files) PDF rendering options (PDF, load files) PST options ibase and Analyst's Notebook options Load file options Relativity options Headers and footers (PDF, load files) Redacted items Creating an export report

Skipped items Exporting to a CSV file Exporting the result counts Exporting the social graph data Exporting the event log Command-line support Load file checklist Load file diagnostics Summation Concordance Preferences General Display and Locale Dates Search Results Tagging MS Outlook IBM Notes Menu, mouse, and keyboard shortcuts Main Menu File Sources View Export Team Help Mouse actions Table and thumbnail view Timeline Cluster Map Social Graph Histogram Keyboard shortcuts Main window Previewer window Appendix I. HASP problem resolution Problem flowchart Problems and solutions Installation problems HASP dongle drivers do not install HASP dongle not found Hardware problems No dongle detected Firewall & anti-virus problems Unable to access HASP SRM RunTime Environment (H0033) Normal operation

27.7 Installation flowchart

1 Preface

Intella is designed to be an investigation and e-discovery tool. It is ideally suited for use by enterprise, law enforcement, and regulatory agencies in civil, criminal, or policy-related investigations. Intella is an excellent tool to prepare electronically stored information for discovery.

Intella's powerful indexing search engine and its unique visual presentation will let you quickly and easily search and review e-mail and electronically stored information to find critical evidence and visualize relevant relationships.

With Intella, you can...

- Gain deeper insight through visualizations and statistics.
- Search e-mail, attachments, archives, headers, and metadata.
- Drill deeply using Intella's unique facets.
- Group and trace conversations.
- Reveal the social graph of a person or group of persons of interest.
- Preview, cull, and deduplicate e-mail and data.
- Export results in a variety of formats for reporting, follow-up investigation, e-discovery, or later use.

1.1 Training

This manual outlines the features incorporated in the Intella products. Its focus is to explain the rudimentary functions of each Intella feature. It should not be seen as explaining how to manage data or cases.

While Intella is an easy and intuitive software package to use in the fields of forensic search, data analysis and e-discovery, the user is required to have a firm grasp of how Intella treats and manages certain information/data types as applicable to these fields. As with any software, the user must understand the issues and actions required that may arise prior to and while using Intella, particularly in the following areas:

- Different data types.
- E-mails and attachments (parent-child relationships).
- Search parameters.
- Date formats.
- Inclusions and exclusions.
- Chain of custody.
- Legal and privacy issues.
- How to cross-verify results to ensure the accuracy of those results before they are relied upon.
- How to identify inconsistent results.
- The necessity to pre-process or convert certain data types prior to processing.

The user should understand that this manual does not seek to be, nor can it be, an exhaustive list of the uses of Intella. This manual is structured to explain the use of certain, but not all, features at a basic level. This manual does not take into account specific user requirements when explaining those features. Furthermore, this manual does not outline the steps required to be undertaken prior to processing data to ensure the accuracy of all results.

The user should always ensure that they are personally aware of any special circumstances or steps required with the data, prior to processing and searching that data. This is critical to being able to get the most out of Intella and undertake your investigation free from mistakes. This manual cannot and does not offer this information. We do however offer training that will help the user to have a better understanding of these issues.

We highly recommend that the user takes advantage of this training on the correct use of Intella. This can be critical for any matter where the user will rely upon the results produced in Intella as part of an action or investigation. Failure to undertake adequate training may cause unreliable results. Please contact us for additional information at training@vound-software.com or visit us at

1.2 Document conventions

The following section introduces you to conventions used throughout the Intella documentation.

Menu Functions
For functions that can be reached through menus, the different menu levels are illustrated as follows:
Menu > Menu entry

Important Entries
Some text will be shown as follows:
Important: Important information on Intella.
These entries discuss a key concept or technical information that should, or must, be followed or taken into account. Please pay special attention to these entries.

Notes
Some sections provide additional information that will assist your use of Intella. These are displayed as shown below:
Note: Information on function or parameter.

Keyboard Shortcuts
Some Intella functions can be activated or accessed through keyboard shortcuts. They are shown as follows:
CTRL+E

Tips
A number of shortcuts, alternative methods, or general working tips are included throughout the documentation. These may help your workflow, or provide additional information on other uses of functions. Tips are shown as below:
Tip: Information on Intella.

Folder and file names
Folder and file names are shown as below:
C:\Program Files\Vound\Intella\

2 An introduction to Intella

Intella is an instrument for data and e-mail investigation and e-discovery. It helps you search and explore information stored on your computer, network disks, in e-mail boxes and PST, OST and NSF files. Intella is used by law enforcement, legal and regulatory bodies to do all of the above.

Intella indexes all places where you expect valuable information and provides powerful means for retrieving that information. The important advantage over similar tools is that Intella presents the search results using facets, Cluster Maps and Social Graphs. Facets allow you to find items based on more than just keywords, and the visualizations provided by the Cluster Maps and Social Graphs allow you to see how files and e-mails are related to your query. The bird's-eye view helps you gain insight into information that is available on combinations of keywords. In each step of your search it shows the number of e-mails or files that match your search (and of course a link to the e-mails and files themselves) so that you can effectively zoom in to find what you are looking for.

Setting up Intella on your computer takes little time. Install the software, define the sources to search and explore, and let Intella index the sources. Searching with Intella is also easy. Start as if you are using a familiar search engine by entering a search term, or choose any value from the information facets. Let Intella help you to refine your question with a list of suggested refinements.

2.1 Key benefits

- Easy to use interface means cutting down on training expenses and time and allows a broad group of investigators to join in an investigation.
- Visualizations of search results provide you with deeper insight. See how files, e-mails and cellphone items relate to parts of your query.
- Facets, like Type, Date, and Language, help you to drill down to the wanted information and to focus on the information you need.
- Search attachments and archives such as zip files.
- Searching is simple and requires very little training.
- Export the search results for later use and for creation of reports.

2.2 Intella editions

Intella comes in seven different product editions. The table below shows the most important features of these editions.

Features compared, by group:

- Preparation: Evidence size limit, Create new cases, Index evidence files
- Investigation: Search, filter & review, Preview items, Flag & tag items, Export items
- Cooperation: Export Cases, Import Cases, Share Cases, Connect to Shared, Export Work Reports, Import Work Reports
- License: License type, License key

| | 10 GB | 100 GB | 250 GB | Professional | Viewer | TEAM Manager | P.I. |
|---|---|---|---|---|---|---|---|
| Evidence size limit | 10 GB | 100 GB | 250 GB | none | none | none | 10 GB |
| License type | P | P | P | P | P | P | A |
| License key | D | D | D | D | D | D | S |

P = Perpetual license
A = Annual license
D = Dongle, can be used on any PC, supports virtual machines.
S = Software-based license locked to 1 PC, does not support virtual machines.

2.3 Supported file formats

Intella can extract contents and metadata of the following file formats:

Mail formats:
- Microsoft Outlook PST/OST. Versions: 97, 98, 2000, 2002, 2003, 2007, 2010, 2013 and
- Microsoft Outlook Express DBX, MBX. Versions: 4, 5 and 6.
- Microsoft Exchange EDB files. Versions: 2003, 2007 and
- IBM Notes NSF (formerly known as Lotus Notes or IBM Lotus Notes). Notes 8.5.x or higher needs to be installed on the computer running Intella in order to process the NSF files. Intella supports all NSF files that can be processed by the installed IBM Notes version.
- Mbox (e.g. Thunderbird, Foxmail)
- Saved e-mails (.eml, .msg)
- Apple Mail (.emlx)
- TNEF-encoded files ("winmail.dat" files)
- Bloomberg XML dump

Cellphone extraction formats:
- Cellebrite UFED XML export
- Micro Systemation XRY XML and Extended XML exports (Extended XML is strongly recommended)
- Oxygen Forensic Suite XML export

Disk image formats:
- EnCase images (E01, Ex01, L01, Lx01 and S01 files)
- FTK images (AD1 files), version 3 and 4
- DD images
- ISO images

Document formats:
- MS Office: Word, Excel, PowerPoint, Visio, Publisher, OneNote, both old (e.g., .doc) and new (.docx) formats, up to MS Office. MS OneNote 2007 is not supported.
- OpenOffice: both OpenDocument and legacy OpenOffice/StarOffice formats
- Hangul word processor (.hwp files)
- Corel Office: WordPerfect, Quattro, Presentations
- MS Works
- Plain text
- HTML
- RTF
- PDF (incl. entered form data)

Archives:
- Zip
- Gzip
- Bzip2
- Tar
- Rar
- 7-Zip
- Cpio
- ARJ
- Cabinet (CAB)
- DEB
- XZ
- Partial support for ZipX

Search Warrant Results:
- Hotmail (uses an HTML-based collection of files)
- Gmail and Yahoo (uses an Mbox variant)

Instant Messaging:
- Skype SQLite databases
- IBM Notes Sametime chats
- Pidgin account stores
- Note that cellphone extraction reports typically also contain instant messaging fragments that Intella may pick up during indexing.

Databases:
- SQLite databases, version 3. Note that Skype SQLite databases get processed differently.
- Mac OS property lists (.plist files), in ASCII, XML or binary form.

Miscellaneous formats:
- ical
- vcard
- XML
- IBM Notes deletion stubs (experimental, requires a hidden configuration setting)

The following types of encrypted files and items can be decrypted, provided that the required access keys (passwords, certificates, ID files) are provided:

- PST/OST
- NSF
- PDF
- DOC
- XLS
- OpenXML (.docx, .xlsx, .pptx)
- PDF
- ZIP
- RAR
- 7-Zip
- S/MIME-encrypted e-mails
- PGP-encrypted e-mails

Note: To decrypt and index encrypted e-mails and MS Office documents, the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files need to be installed. See the Installation and Configuration chapter.

When indexing plain text file formats, Intella can essentially handle all character encodings supported by the Java 7 platform. This relates to regular text files and to e-mail bodies encoded in plain text format. See for a complete listing.

When the encoding is not specified, Intella will try to heuristically determine the encoding. The following encodings are then supported:

| Encoding | Languages |
|---|---|
| UTF-8 | |
| UTF-16BE | |
| UTF-16LE | |
| UTF-32BE | |
| UTF-32LE | |
| Shift_JIS | Japanese |
| ISO-2022-JP | Japanese |
| ISO-2022-CN | Simplified Chinese |
| ISO-2022-KR | Korean |
| GB18030 | Chinese |
| Big5 | Traditional Chinese |
| EUC-JP | Japanese |
| EUC-KR | Korean |
| ISO | Danish, Dutch, English, French, German, Italian, Norwegian, Portuguese, Swedish |
| ISO | Czech, Hungarian, Polish, Romanian |
| ISO | Russian |
| ISO | Arabic |
| ISO | Greek |
| ISO | Hebrew |
| ISO | Turkish |
| windows-1250 | Czech, Hungarian, Polish, Romanian |
| windows-1251 | Russian |
| windows-1252 | Danish, Dutch, English, French, German, Italian, Norwegian, Portuguese, Swedish |
| windows-1253 | Greek |
| windows-1254 | Turkish |
| windows-1255 | Hebrew |
| windows-1256 | Arabic |
| KOI8-R | Russian |
| IBM420 | Arabic |
| IBM424 | Hebrew |

2.4 Supported sources

File or Folder
Files on local and network file systems can be indexed by Intella. Please check the list of supported file formats.

Load files
Intella can index load files that are stored in Concordance, Relativity and CSV format.

Hotmail Search Warrant Result
Intella can index the mail packages delivered by Microsoft when responding to a search warrant.

Disk images
Intella can open disk image files in EnCase and DD formats and index their contents as if they were mounted and indexed as a regular Folder source. No recovery of items from unallocated or slack space is performed.

IMAP account
Intella is able to access e-mail accounts on an IMAP server and index e-mails and attachments. Versions: Intella was tested on several IMAP servers with good results. However, we cannot guarantee that Intella is able to create IMAP account sources for every IMAP server.

MS Exchange EDB Archive
Use this option to index an MS Exchange EDB file and restrict indexing to a specific set of mailboxes. Indexing an EDB file in its entirety can be done by using the File or Folder source type.

2.5 Supported languages

As Intella is entirely based on Unicode, it is able to index and provide keyword search for texts from any language. The Language facet supports detection of the following languages:

| Code | Language | Code | Language | Code | Language | Code | Language |
|---|---|---|---|---|---|---|---|
| af | Afrikaans | he | Hebrew | nl | Dutch | th | Thai |
| ar | Arabic | hi | Hindi | no | Norwegian | tl | Tagalog |
| bg | Bulgarian | hr | Croatian | pa | Punjabi | tr | Turkish |
| bn | Bengali | hu | Hungarian | pl | Polish | uk | Ukrainian |
| cs | Czech | id | Indonesian | pt | Portuguese | ur | Urdu |
| da | Danish | it | Italian | ro | Romanian | vi | Vietnamese |
| de | German | ja | Japanese | ru | Russian | zh-cn | Simplified Chinese |
| el | Greek | kn | Kannada | sk | Slovak | zh-tw | Traditional Chinese |
| en | English | ko | Korean | sl | Slovene | | |
| es | Spanish | lt | Lithuanian | so | Somali | | |
| et | Estonian | lv | Latvian | sq | Albanian | | |
| fa | Persian | mk | Macedonian | sv | Swedish | | |
| fi | Finnish | ml | Malayalam | sw | Swahili | | |
| fr | French | mr | Marathi | ta | Tamil | | |
| gu | Gujarati | ne | Nepali | te | Telugu | | |

2.6 Supported platforms

Intella is currently only supported on Windows 2000, Windows XP, Windows Vista, Windows 7 and Windows 8/8.1. Note that Intella is not supported on Windows Server 2003, Windows Server 2008 and Windows Server

For detailed instructions about installation and running Intella, please read section 4: Installation and configuration.

2.7 Feedback

We take great care in providing our customers with a pleasant experience, and therefore greatly value your feedback. You can contact us through the form on or by mailing to one of the addresses on the Contact page.

3 Getting support

3.1 Different ways to get support

Vound offers four support options designed to assist users that experience problems while working with Intella:

1. Standard technical support
2. User support contract
3. Vound User Support portal
4. Certified Intella training courses

Standard technical support

Standard technical support is offered free of charge to all Vound customers that have a current support and maintenance contract. Standard technical support can be requested at the Vound support page. Support is provided on business days, Monday through Friday. We attempt to give you a first answer within 2 business days. All communication will be remote (e-mail, GoToMeeting, and other means) and not in person unless otherwise arranged. Standard technical support will only be provided if your computer and operating system meet the minimum recommended specifications listed in the latest version of the Intella manual.

Who is eligible for technical support?

Our goal at Vound is to provide our customers high quality and timely technical support. To do this we limit technical support to the registered owners of Intella. Companies that allow a third party to use their Intella licenses must have that third party channel all technical support through the original registered owner of the software. To ensure that we support our customers, Vound regrets it cannot support users who are not the original registered owner of Intella.

What technical support is included?

- Installation and set-up support limited to one computer in your environment.
- Configuration technical support and user support on use for standard Intella options.
- Support for errors in the software (bugs).

Please note that Vound will make reasonable efforts to correct identified software errors. However, this may not be achievable until a later date or version release. If this is the case, the user should make efforts and take responsibility to achieve the required outcomes via other methods.

Where the errors relate to or are caused by corrupt data (within source files), Vound reserves the right to charge for the work needed to rectify the issue.

No support can be provided

- When your computer does not meet the minimum or essential system requirements.
- When you made any kind of modifications to the installed software.
- When you are not using the software for its intended purpose.
- When 3rd party applications, like virus scanners, firewalls, and other forensic applications, interfere with Intella.
- Explaining the method needed to use each feature to achieve a set outcome.

Note: At no time should Vound technical support be seen as legal or forensic advice. Our support is given with no knowledge of the specific case or matter Intella is being used on. Technical support is focused on the correct installation and usage of Intella features. We do not warrant that we are aware of all facts around the case that may be under investigation. As such our replies should not be seen as advice or the only way to achieve the required outcome.

User support contract

A paid user support contract is offered to those customers that want additional user support. The user support contract provides assistance that falls outside the standard support package (see Standard technical support).

What can be included in the user support contract?

- Help with the case or setup configuration of Intella.
- Assistance in using the basic and advanced features of Intella such as searching, tagging, and exporting.
- Help with the installation of Intella, or help with the configuration and set-up of your computer that runs Intella.
- Detailed explanation of Intella case management and help with Intella case setup.
- Help with the export of search results found with Intella for use with other applications.
- Support for using Intella in combination with software from other vendors.
- Support for issues that a newer Intella release has addressed.

How to buy a user support contract?

User support contracts are based on your specific needs. If you want to know more, please contact your nearest Vound representative or your local Intella reseller.

Certified Intella training courses

Vound offers a number of paid training courses for its product. These courses are designed to expand your effectiveness and output when using Intella. It is recommended that all users take a minimum basic training course to ensure they are correctly using the product. Users who have taken a recent training course for their Intella product will be offered a discount on a paid user support contract. For more information on types of training and available dates please visit

3.2 Working with Vound support

It is highly recommended that customers and users take advantage of the Vound support page when seeking assistance. The support portal takes care of collecting all necessary information such as the Intella version, Windows version, source types used, etc. and will suggest relevant articles from the Intella knowledge base.

3.3 Upgrade contract

Vound customers that purchased an Intella license are entitled to install free upgrades of the software for a period of one year. In other words: an Intella license comes with a one-year upgrade contract. After this period, purchasing an upgrade subscription will continue the upgrade contract. Please contact your nearest Vound representative for more information. Please know that you will only have access to standard technical support if you have an upgrade contract.

4 Installation and configuration

4.1 Installation

Step 1: Check the hardware requirements

Intella is supported on Windows 2000, Windows XP, Windows Vista, Windows 7 and Windows 8/8.1. CPU, memory and disk space requirements depend on how Intella is intended to be used:

Indexing

As a rule of thumb, the case folder requires between 150% and 200% of the size of the combined evidence data, depending on data complexity and amount of compression used on the evidence data. When caching of original evidence items is turned off, the amount of disk space needed is reduced.

For better indexing performance, we suggest storing the case data folder on a physically different disk than the one with the evidence data. Disk access times for the case indexes are critical for performance. We therefore strongly suggest not using USB or network drives for the case data folder. See the section on Storage Recommendations for more storage-related tips.

When indexing MS Exchange EDB files, the memory sizes in the table below should be doubled and the memory settings will need to be adjusted (see the Memory Settings section).

Main memory and CPU requirements for indexing:

| Evidence size | Minimum memory | Recommended memory | Number of CPU cores |
|---|---|---|---|
| Up to 10 GB | 2 GB | 4 GB | 2 |
| 10 to 100 GB | 4 GB | 8 GB | |
| 100 to 500 GB | 8 GB | 16 GB or more | 4 or more |

Case sharing (TEAM Manager)

Memory requirements depend on the evidence size and number of concurrent reviewers. Recommended memory sizes (in GB, more is better) and CPU cores for the machine that is sharing the case depend on both the evidence size and the number of concurrent reviewers:

| Evidence size | 1-4 Reviewers | 5-10 Reviewers | Reviewers |
|---|---|---|---|
| Up to 10 GB | 4 GB, 2 cores | 8 GB, 4 cores | 16 GB, 4 cores |
| 10 to 100 GB | 8 GB, 4 cores | 16 GB, 4 cores | 32 GB, 8 cores |
| 100 to 500 GB | 16 GB, 4 cores | 32 GB, 6 cores | |

To prevent bottlenecks, the storage system should scale with the size of the case and team. Larger teams are better served with a case folder stored on RAID arrays and/or fast solid state drives (SSD).
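The storage guidance for indexing above (a case folder of 150% to 200% of the evidence size, no USB or network drives, a physically different disk than the evidence) can be checked before indexing starts. The PowerShell script below is an added example, not Vound code; its function and parameter names are hypothetical, and the physical-disk lookup assumes the Windows Storage cmdlets (Get-Partition, Get-Disk) are present, falling back to comparing volume roots when they are not.

```powershell
# Added example, not Vound code. Checks a planned Intella case folder against the
# manual's storage guidance before indexing. Use absolute paths.
# Constructed usage: .\Test-CaseStorage.ps1 -EvidencePath E:\Evidence -CasePath D:\Cases\Case001
param(
    [string]$EvidencePath,
    [string]$CasePath
)

function Get-FolderSizeBytes {
    param([Parameter(Mandatory = $true)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { throw "Evidence path not found: $Path" }
    # Unreadable files are skipped, so the result is a lower bound.
    $sum = (Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
            Measure-Object -Property Length -Sum).Sum
    if ($null -eq $sum) { return [long]0 }
    return [long]$sum
}

function Get-VolumeInfo {
    param([Parameter(Mandatory = $true)][string]$Path)
    $root = [System.IO.Path]::GetPathRoot([System.IO.Path]::GetFullPath($Path))
    $info = [ordered]@{ Root = $root; DriveType = 'Network'; FreeBytes = $null
                        DiskNumber = $null; BusType = $null }
    if (-not $root.StartsWith('\\')) {   # a UNC root is network storage by definition
        $drive = New-Object System.IO.DriveInfo $root
        $info['DriveType'] = $drive.DriveType.ToString()   # Fixed, Removable, Network, ...
        if ($drive.IsReady) { $info['FreeBytes'] = $drive.AvailableFreeSpace }
        try {
            # Storage cmdlets exist on Windows 8 and later; a failed lookup is tolerated.
            $disk = Get-Partition -DriveLetter $root.Substring(0, 1) -ErrorAction Stop |
                    Get-Disk -ErrorAction Stop
            $info['DiskNumber'] = $disk.Number
            $info['BusType']    = [string]$disk.BusType
        } catch { }
    }
    return [pscustomobject]$info
}

function Test-IntellaCaseLocation {
    param(
        [Parameter(Mandatory = $true)][string]$EvidencePath,
        [Parameter(Mandatory = $true)][string]$CasePath
    )
    $evidenceBytes = Get-FolderSizeBytes -Path $EvidencePath
    $needMin = [long]($evidenceBytes * 1.5)   # rule of thumb: 150% ...
    $needMax = [long]($evidenceBytes * 2.0)   # ... to 200% of the evidence size
    $ev   = Get-VolumeInfo -Path $EvidencePath
    $case = Get-VolumeInfo -Path $CasePath
    $findings = New-Object 'System.Collections.Generic.List[string]'

    if ($case.DriveType -eq 'Network') {
        $findings.Add('Case folder is on a network drive; the manual advises against this.')
    }
    if ($case.DriveType -eq 'Removable' -or $case.BusType -eq 'USB') {
        $findings.Add('Case folder is on a USB or removable drive; the manual advises against this.')
    }
    if ($null -eq $case.FreeBytes) {
        $findings.Add('Free space on the case volume could not be read; check it manually.')
    } elseif ($case.FreeBytes -lt $needMin) {
        $findings.Add('Free space is below 150% of the evidence size.')
    } elseif ($case.FreeBytes -lt $needMax) {
        $findings.Add('Free space is below 200% of the evidence size; complex data may not fit.')
    }
    $sameDisk = if ($null -ne $case.DiskNumber -and $null -ne $ev.DiskNumber) {
        $case.DiskNumber -eq $ev.DiskNumber
    } else {
        $case.Root -ieq $ev.Root   # fallback: the same volume implies the same disk
    }
    if ($sameDisk) {
        $findings.Add('Case folder and evidence share a disk; a physically different disk indexes faster.')
    }

    [pscustomobject]@{
        EvidenceGB    = [math]::Round($evidenceBytes / 1GB, 2)
        RequiredGBMin = [math]::Round($needMin / 1GB, 2)
        RequiredGBMax = [math]::Round($needMax / 1GB, 2)
        CaseFreeGB    = if ($null -ne $case.FreeBytes) { [math]::Round($case.FreeBytes / 1GB, 2) } else { $null }
        CaseDriveType = $case.DriveType
        CaseBusType   = $case.BusType
        Findings      = $findings.ToArray()
    }
}

# Runs only when both paths are supplied; dot-source the file to use the functions alone.
if ($EvidencePath -and $CasePath) {
    Test-IntellaCaseLocation -EvidencePath $EvidencePath -CasePath $CasePath | Format-List
}
```

An empty Findings list means none of the checks fired; the evidence size is a lower bound when some files could not be read.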

25 Connecting to shared cases (Viewer) While technically Intella TEAM will work over slow network connections, a local and fast (gigabit) network is preferable, especially when working with large cases or with large reviewer teams. Main memory and CPU requirements for connecting to a shared case: Evidence size Minimum memory Recommended memory Number of CPU cores Up to 10 GB 2 GB 4 GB 2 10 to 100 GB 4 GB 8 GB to 500 GB 8 GB 16 GB or more Step 2: Check the software requirements The following external applications may also be necessary to use all of Intella s functionalities, see below for details: MS Office IBM Notes Microsoft.NET kcura Relativity SDK MS Office Microsoft Office is NOT is required to index PST/OST files or any MS Office document formats or for exporting items to PDF (the latter was a requirement with earlier Intella versions). An Office installation is still required for exporting items to a PST. The PST export requires MS Office 2007 or higher or higher is recommended. The 32-bit Intella version requires 32-bit MS Outlook. The 64-bit Intella version can use both 32-bit and 64-bit MS Outlook. IBM Notes In order to index NSF files, IBM Notes 8.5 or higher is required. Only the application files are necessary, IBM Notes does not have to be fully setup to be used by Intella. In principle all IBM Notes 8.5.x versions or later can be used, but the following versions will produce a warning: FP FP FP These versions contain a bug described here that cause s with multiple Received headers to be altered: all Received headers will get the value of the first header. At the time of writing IBM Notes was available, in which this bug has been fixed. To index files made with IBM Notes 9.x, we recommend installing IBM Notes 9.x. Note: Intella needs to know the location of IBM Notes in order to index NSF files. Please go to File > Preferences > IBM Notes to check if the location is validated. 
Microsoft .NET and kCura Relativity SDK

In order to be able to export directly to a Relativity server, i.e. without having to handle Relativity load files, Microsoft .NET 4.5 and the kCura Relativity SDK need to be installed. Microsoft .NET can be obtained from the Microsoft website. The Relativity SDK can be obtained here. This functionality was tested with version 8.2 of the SDK.

After running the SDK installer, copy all 20 DLLs from this folder:
C:\Program Files\kCura Corporation\Relativity SDK\ImportAPI\Client\x64
to this folder (assuming the default installation path):
C:\Program Files\Vound\Intella 1.9\bin\relativity\

Step 3: Learn about licenses and dongles

Notes on the trial license that is bundled with the software that you have downloaded:

14-day evaluation period. The trial version runs under a HASP Software License, which gives you the ability to use Intella for 14 days. The 14-day evaluation period cannot be extended. The only way to continue using Intella is to purchase a dongle.

Trial restrictions. Besides the 14 days of usage, the trial only allows 10 GB of evidence files per case. Also, exporting is limited to a maximum of 1000 items per export.

Continue working with a USB dongle. If you would like to continue using Intella after this 14-day period, you will need to buy a license. After buying the license you will receive a USB dongle that will allow you to continue using the version you already installed. A dongle provides a perpetual license without export restrictions. Evidence size restrictions may still apply, based on the licensed product. An exception is the Intella P.I. product, which is licensed using a software-based license locked to a single machine.

System clock. Changing the clock on your system will cause the trial to automatically expire. When this occurs, the only way to continue using Intella will be to purchase a license.

Virtual Machines, VMware. The evaluation version and Intella P.I. will not work in VMware without a dongle.

RDP (Remote Desktop Protocol) connection. When using RDP, the dongle or trial license must be in/on the computer running the Intella software, not in the computer running the RDP viewer. Note that versions < 1.7 do not support use of the trial license over RDP.

Other dongle-protected software must be closed. All other HASP protected software, like EnCase (Guidance), Smart Mount (ASR Data), HBGary and i2 products, must be closed when installing Intella.

Step 4: Install the software

1. Download Intella through the download page on the Vound support website:

2. Double-click on the downloaded .exe file to launch the installer. Accept the license.
3. Enter the location to store the application files and shortcuts or accept the default settings.

All files will be extracted to the location of your choosing and an Intella shortcut is (optionally) placed on your desktop and in your Start menu. The application folder contains an executable called "Intella.exe" that can be used to launch the application. The desktop and menu shortcuts also start this executable. The program will start with the Case Manager window.

Important: Intella will not install in an installation folder of an earlier version. Install a new version of Intella in a folder with a new name, for example:
C:\Program Files\Vound\Intella 1.9.1\
It is possible to install multiple Intella versions side by side.

Step 5 (optional): Support for S/MIME- and PGP-encrypted e-mails

By default you will not be able to decrypt many S/MIME e-mails, PGP e-mails and MS Office documents until you have installed the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy files in Intella's installed application files. Due to US export policies we are not allowed to distribute these files as part of Intella. When these files are not installed, you will see a warning message when you open the "Key Store" dialog.

Follow these steps to install the JCE files:
Close Intella.
Download "JCE Unlimited Strength Jurisdiction Policy Files for Java 7" from
Unpack the archive.
Copy the two extracted JAR files into the following folders (replacing any existing files):
o <Intella Folder>\jre\lib\security\
o <Intella Folder>\jre-x86\lib\security\ (only applies to Intella 64-bit edition)

Note: Intella bundles its own Java JRE(s). The JCE files should be installed in these JRE(s). Installing them in the system's Java installation has no effect.

4.2 Storage considerations

Besides the memory and CPU requirements above, there are other hardware considerations that impact performance.

Use of USB drives

Our testing shows that USB drives are generally slower than internal hard drives or eSATA drives. Please note that Windows allows you to use USB drives in two performance modes: the default Quick Removal mode and the Better Performance mode. Using the latter helps a lot to achieve better performance, but you will have to make sure to properly remove the drive in Windows before unplugging the drive. Not doing so means you risk damaging your case files beyond repair.

Evidence on external drives

Many users like to keep their evidence data on an external drive, for a variety of reasons. A common question is whether they can still use the case when this drive is disconnected after indexing. This is certainly possible. Access to the original evidence files is only necessary when you want to export the original evidence files themselves and have disabled the Cache original evidence files option when you added the source. Otherwise the case folder is completely self-contained, as all extracted items are stored in the case folder and can be exported without access to the original evidence files. For example, when you index a folder with PST files, any e-mails and other embedded items extracted from those PST files are stored in the case folder and can always be exported. The PST files themselves are not copied into the case folder, unless the Cache original evidence files setting is selected.

Selection and configuration of hard drives

Because Intella is an intensive user of a system's hard drive, we recommend careful selection and configuration of the hard drives in order to optimize performance. As a general rule, newer hard drives will outperform older drives in that they benefit from design improvements and new technology. Consider the following when using Intella:

Separate disks for evidence and case indexes. During indexing, Intella accesses the database continually, performing read and write functions. In order to use the resources more efficiently, it is recommended that the evidence data and the case data be allocated to separate hard drives. For example, put the case data on the "C" drive and the evidence data on the "E" drive.

Optimization folder. Since Intella 1.8 the case creator can specify a third folder for optimization purposes in the case details. Currently this folder is used for storing temporary indexing data that would otherwise be stored in the case folder. When the optimization folder resides on a different drive than the case folder or evidence folder(s), this can further improve indexing performance.

Proper connection. To realize maximum benefit from Intella's multi-disk optimization architecture, ensure that the hard drives are appropriately connected to the computer's motherboard so as to benefit from the higher available bandwidth. For example, connect the drives to the SATA-300 or SATA-600 connector rather than the lower-bandwidth SATA-150.

Configure the system's BIOS correctly. Typically the computer's BIOS defaults to the lowest common denominator to facilitate compatibility for connected hardware components. As a result, performance and speed can suffer. To address this possibility, check the BIOS to:
o Ensure the hard drive supports Native Command Queuing (it should!).
o Confirm that the SATA control mode is set to either AHCI or RAID. Note: if the setting is at IDE (typically the default), Intella's performance will suffer with slower indexing and searching as a result.

Use of external and/or network drives. Internal drives are always the preferred option for Intella. Intella's indexing and search performance can deteriorate significantly when used with external or network drives.
o If required, external drives such as a USB drive can be used to hold the evidence data; however it is recommended that the fastest available connection option be used. USB 3.0 or eSATA should offer acceptable performance. Avoid USB 2.0 drives as they are significantly slower for any evidence or case file greater than 2-5 GB.
o Network drives may be acceptable for holding evidence files if on a fast network. When using network drives, it is imperative that no other users access the files at the same time. You should also ensure that no network antivirus or filtering software blocks the indexing processes.

When processing a large case (> 100 GB of evidence files), it is advisable to format the NTFS disk with a cluster size that is larger than the default (usually 4 KB). This reduces the chance of fragmentation issues during indexing. Furthermore it is recommended to turn off disk compression.

4.3 Installation troubleshooting

Error code 7 (H0007)

"HASP key not found (H0007)"

This error code might be caused by other HASP dongle protected programs. Please close down all HASP related programs (e.g. EnCase, Smart Mount) and reinstall Intella.

Error code 31 (H0031)

"Could not find a valid Intella license, please insert a dongle"

This error message is shown when your trial license has expired, or when you unplug your dongle while Intella is running and it cannot fall back to a non-expired trial license. You can only continue using Intella by inserting a dongle.

Error code 33 (H0033)

"Unable to access HASP SRM Run-Time Environment (H0033)"

This error code may be triggered if you run antivirus software. It is probably due to the antivirus software incorrectly blocking access to the HASP install. Please update your antivirus software to the latest virus definition file. If this problem persists, reboot your computer, open a Command Prompt and run (as administrator)
<intella-dir>\bin\haspdinst.exe -i -kp
and restart Intella.

Error code 37 (H0037)

Other HASP dongle protected software may cause this error. Please close down all HASP related programs (e.g. EnCase, Smart Mount) and reinstall Intella. If this problem persists, open a Command Prompt and run (as administrator)
<intella-dir>\bin\haspdinst.exe -i -kp
and restart Intella. If the problem persists after running this command, please open a Command Prompt as administrator and run
net start hasplms

Tip: To open a Command Prompt and run as administrator (in Vista and Windows 7), please select Start > Accessories > Command Prompt. Right click and select "Run as administrator".

4.3.5 Error code 41 (H0041)

"Your Intella (trial) license has expired (H0041)"

This error will be triggered if Intella is run and your trial license has expired. Once the trial has expired, you can only continue using Intella by inserting a dongle.

Error code 51 (H0051)

"Virtual machine detected, cannot run without a dongle (H0051)"

In order to protect our intellectual property, the evaluation version of Intella WILL NOT run in a virtual machine (VM) environment. A stand-alone machine is required. This is only true for the evaluation version; Intella will run in a VM environment using a dongle.

Solution 1: Reconnect the USB dongle to your computer.
Solution 2: Install the Intella evaluation version outside a virtual machine.

Memory settings

The Intella process and its child processes (one for each case that you open, plus additional processes during indexing and exporting) are limited in the amount of RAM that each process can use, regardless of how much memory is installed in the machine. On some data sets this limitation can cause issues when indexing or reviewing the data. These issues can be recognized by errors in the log files containing the text OutOfMemoryError or java heap space.

When such errors occur, a workaround may be to increase the automatically managed memory settings, especially when the machine meets the recommended hardware settings (at least 8 GB of RAM). To increase these limits, select the case in the Case Manager and click the Edit button. Change the Memory allocation setting from Auto to Manual and increase the value. Note that you can never specify more than half of the available system RAM. This is to make sure that Intella's child processes and the OS still have sufficient memory available to them.

When the memory issue relates to the processing of evidence files (you may need to contact tech support for that diagnosis) or to exporting, then locate the Intella.l4j.ini file in Intella's program files folder and open it in a text editor. You will typically need administrative privileges to edit this file. Locate the following line:
# -Dintella.serviceMaxHeap=600M
When the # is removed, this instructs Intella to use at most 600 MB of memory for these child processes. Remove the # and increase this number to the higher value suggested to you by tech support. Make sure that you do not go beyond 1300M for the 32-bit Intella version. With the 64-bit version of Intella you can use larger values, but never more than your machine and OS support. For processing of EDB files, a minimum of 3 GB will be necessary, e.g.:
-Dintella.serviceMaxHeap=3G

Where are Intella's data files located?

There is an Intella data folder in your home folder. The actual path to this folder depends on your platform.

Windows Vista, Windows 7 and Windows 8/8.1
C:\Users\<USERNAME>\AppData\Roaming\Vound\Intella

Windows 2000, XP
C:\Documents and Settings\<USERNAME>\Application Data\Intella

Where can I find Intella's log files?

Intella has two types of log files:

Case-specific log files. These will contain any messages (errors, warnings, status messages) relating to your activities in the case, such as indexing, searching and exporting. They are located in \Intella\cases\<CASE FOLDER>\logs

Log files of operations performed in the Case Manager, such as exporting or importing a case. These are located in \Intella\logs

The log files can be opened in any text editor like TextPad or Notepad++. Be aware that Windows' default text editor Notepad may have issues opening large files.

Tip: Click Help > Open Log Folder to open the log folder of the current case.

5 Frequently asked questions

How is a file type determined?

Intella looks for certain binary markers (so-called magic numbers) that identify certain file types regardless of the file extension (e.g. .pst, .doc, etc.). When this detection process fails to produce a detected file type, Intella uses a list of known file types by file extensions. Intella may not be able to determine the file type of files with non-standard (unknown) file extensions.

Should I re-index a case when I want to add a new source?

No, in order to add a new source to a case you do not need to re-index the whole case. When you add the source, make sure that the option "Yes, I want to index this source now (recommended)" is selected on the last page of the "Add new source" wizard. Intella will index only the new source when you click Finish. When you define the new source without the "Yes, I want to index this source now" option selected, you can use the Index new data menu item in the Sources menu. This will scan all sources for new evidence items, including sources that have not been indexed at all.

Can I re-index a single source in my case?

No, you can only re-index the entire case. When the information in one of the sources has changed and re-indexing the entire case is undesirable (e.g. because of the time needed), you can work around this by adding a new source and masking the old one. For example, when you have a source named "Evidence 1", which is one of several evidence folders in the case, and only the files in Evidence 1 have changed, you can do the following:
1. Rename the source folder "Evidence 1", e.g. to "Evidence 1 (updated)".
2. Add it as a new source to the case and keep the "Yes, I want to index this source now" option selected when you click Finish.
3. Exclude the old source "Evidence 1" using the "Location" facet: select the node, click on the arrows in the Search button and click Exclude.
Even though the old data is still in the case, all search operations will filter out the results from the old Evidence 1 source.

Important note: when the items in the old source have any annotations (tags, comments, etc.), these will not be copied to the items obtained from the new source. You will need to transfer them manually, e.g. using MD5 and message hash lists. When there is a substantial amount of such annotations, you may want to reconsider re-indexing the entire case, as this is a fully automatic operation.
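The two-stage detection described under "How is a file type determined?" (binary markers first, file extension as fallback) can be sketched as follows. This is an added example, not Intella's code: the signature table, the extension table and all function names are assumptions chosen for illustration, and the extension mismatch check goes one step beyond what the manual describes.

```python
import os

# Leading byte signatures ("magic numbers") of a few common evidence formats.
# Illustrative subset only; a real detector knows far more types.
MAGIC_NUMBERS = [
    (b"!BDN", "Outlook PST/OST"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE2 compound file"),
    (b"%PDF-", "PDF"),
    (b"PK\x03\x04", "ZIP container"),
]

# Fallback list of known types by file extension (assumed table).
EXTENSIONS = {
    ".pst": "Outlook PST/OST",
    ".doc": "OLE2 compound file",
    ".pdf": "PDF",
    ".zip": "ZIP container",
    ".txt": "Plain text",
}


def type_from_magic(head):
    """Return the type whose signature starts the file, or None."""
    for signature, file_type in MAGIC_NUMBERS:
        if head.startswith(signature):
            return file_type
    return None


def type_from_extension(name):
    """Return the type registered for the file extension, or None."""
    return EXTENSIONS.get(os.path.splitext(name)[1].lower())


def detect_file_type(name, head):
    """Content first, extension second; returns (type, method)."""
    by_magic = type_from_magic(head)
    if by_magic is not None:
        return by_magic, "magic"
    by_ext = type_from_extension(name)
    if by_ext is not None:
        return by_ext, "extension"
    return None, "unknown"


def extension_mismatch(name, head):
    """True when content and extension both resolve but disagree,
    e.g. a mailbox renamed to look like a text file."""
    by_magic = type_from_magic(head)
    by_ext = type_from_extension(name)
    return by_magic is not None and by_ext is not None and by_magic != by_ext


# Constructed sample inputs: (file name, first bytes of the file).
SAMPLES = [
    ("mailbox.pst", b"!BDN\x00\x00\x00\x00"),
    ("notes.txt", b"!BDN\x00\x00\x00\x00"),   # PST content, .txt name
    ("readme.txt", b"hello world"),           # no known signature
    ("blob.xyz", b"\x00\x01\x02\x03"),        # unknown content and extension
]

if __name__ == "__main__":
    for name, head in SAMPLES:
        file_type, method = detect_file_type(name, head)
        flag = " (extension mismatch)" if extension_mismatch(name, head) else ""
        print(f"{name}: {file_type} via {method}{flag}")
```

The last sample shows the limitation the manual mentions: with no recognizable signature and an unknown extension, no type can be determined.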

Will I lose my tags and comments after re-indexing my case?

No, all your existing tags and comments will remain in the case after re-indexing.

Will the item IDs be the same after re-indexing?

Item IDs may be the same after re-indexing, but this cannot be guaranteed. In particular, the use of multiple extractor pipelines can cause evidence items to get slightly different IDs during re-indexing. As the item IDs are NOT used for storing annotations (tags, comments, etc.), the annotations will not suffer from changes to the IDs. The changed IDs only have consequences for exported item ID lists.

Why are some characters ignored in search queries?

This is caused by what is called the analyzer: before an item can be indexed, the analyzer breaks down the text in order to determine the individual words used in it. This analyzer discards white space, punctuation characters, etc. The same analyzer is also used to break down your query into individual terms. As non-letters and non-digits are ignored, the queries "searchterm", "searchterm/" and "searchterm " (with an extra space at the end), for example, all end up being equivalent.

Why does the number of messages in the ($All) folder in my case not match the number of messages in the All Documents folder in IBM Notes?

Intella collects all items from all folders and lists them in the Location facet. The only exception is the "($All)" folder. This is a special folder that usually contains all items from all folders; the other folders are essentially a selection of items from the ($All) folder. Intella won't attribute a copy found in the ($All) folder when it is already present in another folder, in order to prevent duplication.

Can Intella perform live indexing?

Some cases may require you to index files while the computer is being used, or across a network. For such cases we have made Intella work with the best-of-breed application F-Response, by Matt Shannon. This combination provides you with a live forensic solution for under $300. You can obtain F-Response at

Does Intella index attachments?

Intella will search both the e-mail and the attachment for the keyword(s) and metadata.

Can Intella deduplicate results?

Yes, Intella can deduplicate search results. During indexing, the checksum (hash) of every item is stored. Intella can be set to show or hide duplicates while you use it. Intella uses the MD5 hash to calculate checksums of binary items. For e-mails and SMS messages a more specialized algorithm is used that can deduplicate across sources and source types.

Are there any EnCase EnScripts for use with disk images?

In collaboration with a number of users Vound has created an Export to Intella EnScript. The EnScript is freely available for Intella users. Please contact our support department for a download link.

This EnScript Package is designed to provide a simple, yet powerful, method to export relevant electronic files, including e-mail, documents, and images, from EnCase to Intella for efficient investigatory review prior to full forensic analysis. Note that since the time this EnScript was published, Intella has been extended with support for direct indexing and filtering of disk images.

Why do Chinese/Japanese/Korean queries give imprecise search results?

Documents written in Chinese, Japanese and Korean (often referred to as the "CJK languages") differ from western languages in that the use of whitespace characters in CJK texts is optional. This makes it harder to create indexing software, as it typically uses whitespace, punctuation and other character classes to determine the words in a text that need to be stored in the index. Proper segmentation of CJK texts into words is still an open research issue and every method has its drawbacks.

A solution could for example be to index all characters from the CJK character sets as independent words. This would be fairly trivial to implement, but has the drawback that words that do consist of multiple characters will be much harder to find due to the large number of false positives that this method generates.

The solution used in Intella is to index the texts using bi-grams: every combination of two adjacent CJK characters in the text is seen and indexed as a word. In practice this method gives reasonable performance:
It is simple to create and does not rely on e.g. expensive word dictionaries and perfect document language identification.
It is quick to process and produces a fairly small text index.
The resulting index will find all occurrences of the entered terms, but with some amount of false positives; this method favors recall over precision.
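The analyzer behaviour from "Why are some characters ignored in search queries?" and the bi-gram indexing described above can be illustrated with one small index, shown here as an added example rather than Intella's implementation. The character ranges, the handling of a single isolated CJK character, the AND combination of query terms, the function names and the three constructed sample documents are all assumptions.

```python
from itertools import groupby

# Simplified CJK code point ranges (assumption, not Intella's list).
CJK_RANGES = [
    (0x3040, 0x30FF),  # Hiragana and Katakana
    (0x3400, 0x4DBF),  # CJK Unified Ideographs Extension A
    (0x4E00, 0x9FFF),  # CJK Unified Ideographs
    (0xAC00, 0xD7AF),  # Hangul syllables
]


def _kind(ch):
    """Classify a character: CJK, ordinary word character, or ignored."""
    if any(lo <= ord(ch) <= hi for lo, hi in CJK_RANGES):
        return "cjk"
    if ch.isalnum():
        return "word"
    return None  # white space, punctuation, etc. are discarded


def analyze(text, cjk_mode="bigram"):
    """Break text into index terms; used for documents and queries alike."""
    terms = []
    for kind, chars in groupby(text, key=_kind):
        run = "".join(chars)
        if kind == "word":
            terms.append(run)
        elif kind == "cjk":
            if cjk_mode == "unigram" or len(run) == 1:
                terms.extend(run)  # every character is its own term
            else:
                # every pair of adjacent CJK characters is a term
                terms.extend(run[i:i + 2] for i in range(len(run) - 1))
    return terms


def build_index(docs, cjk_mode="bigram"):
    """Map each term to the set of document ids containing it."""
    index = {}
    for doc_id, text in docs.items():
        for term in analyze(text, cjk_mode):
            index.setdefault(term, set()).add(doc_id)
    return index


def search(index, query, cjk_mode="bigram"):
    """Return ids of documents containing all query terms (assumed AND)."""
    terms = analyze(query, cjk_mode)
    if not terms:
        return set()
    return set.intersection(*(index.get(t, set()) for t in terms))


# Constructed sample documents.
DOCS = {
    "d1": "東京都の予算",  # "Tokyo metropolis budget": contains 京都 only by accident
    "d2": "京都の寺",      # "temples of Kyoto": the intended hit
    "d3": "都市と京劇",    # has 京 and 都, but never adjacent
}

if __name__ == "__main__":
    print(analyze("searchterm/"))                       # punctuation dropped
    print(search(build_index(DOCS), "京都"))             # bi-gram index
    print(search(build_index(DOCS, "unigram"), "京都", "unigram"))
```

Searching for 京都 (Kyoto) in the bi-gram index returns d2 plus the false positive d1, while the single-character index additionally returns d3, which is the trade-off between the two methods that the answer describes.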
Note: A way to find out how a certain piece of text is processed by Intella's indexing engine is to create a short document with this text, index it, open the item in the Previewer and look at the Words tab. This tab shows a table with all terms extracted from the document and stored in the full-text index. Sort the table by the Field column and look for the words in all rows that have text as value in the Field column.

How can I print and export PDF reports with characters of my language?

By default, Intella supports printing and PDF generation for the basic Latin character set only. To enable printing and PDF export for a language with another character set, you need to install an additional Unicode font that supports your language.
1. Download the font file and install it in your system.
2. Copy the font file to the font subfolder of your Intella installation: C:\Program Files\Vound\Intella 1.9\font
3. Restart Intella.

The font must be a Unicode TrueType font with the ".ttf" file name extension. It is recommended that the Intella font folder contains only one font file.

Recommendations for font selection:

For Chinese, Japanese or Korean languages it is recommended to install a language-specific font. A large list of fonts for different languages and writing systems is available at

If you already have the native font installed on your Windows system, you can copy it from "C:\Windows\fonts" to the Intella "font" folder.

For languages other than Chinese, Japanese or Korean, it is possible to install a single universal font supporting a broad range of character sets. You can take a look at the GNU FreeFont font collection at

6 Dongle activation

To protect our intellectual property, dongles may not be activated when shipped. In that case it is necessary to activate your Intella dongle in order to use Intella.

6.1 Using the Dongle Manager

Intella ships with a Dongle Manager application. The Dongle Manager will list all connected Vound dongles and the products they currently contain. When the PC running the Dongle Manager is connected to the Internet, it can also contact the Vound license server to check for any updates for a dongle. These updates are then downloaded and applied automatically.

The Dongle Manager is located in the Intella program folder (on Windows 7: C:\Program Files\Vound\Intella 1.9.1). A shortcut to the Dongle Manager can also be found in the Start menu.

After starting the Dongle Manager, the following screen will appear:

This screenshot shows a typical setup where only one Vound dongle is connected. When multiple dongles are present, they will each be listed separately in this list.

Click on Blink to see to which physical dongle an entry in the list corresponds. This will cause the LED in the represented dongle to blink rapidly. This can be useful when you have multiple Vound dongles plugged in or are using HASP dongles from a different vendor.

Show Products will list the licensed products on that dongle. All products typically have a perpetual license; hence no license restrictions are displayed by the Dongle Manager. Show Products also shows a list of expiration dates. These reflect the end date after which you will not be able to receive technical product support and license updates. These end dates do not affect the ability to use the existing licenses on your dongle.

To update your dongle, click on Check for Updates. This will contact the Vound license server and download and apply any updates. When the process has finished, the Dongle Manager will show which products, if any, have been added to the dongle. The update procedure will only add new licenses to the dongle; it will leave your existing licenses untouched.

When you are on a network using a proxy, Intella will automatically try to detect and use it. If this fails, the proxy settings can still be set using Configure proxy settings. Consult your IT admin for further instructions.

6.2 Using haspupdate.exe

If the dongle cannot be updated in this fashion, e.g. because external network connections are not allowed, please follow the steps below.

Step 1: Collect your dongle and license information and send it to Vound Support at: support@voundsoftware.com.

1. Plug your dongle into an available USB port.
2. Start haspupdate.exe. You will find haspupdate.exe in the bin folder in the installation folder of Intella. The default installation folder is: C:\Program Files\Vound\Intella
3. Select the Collect Key Status Information tab. Click Collect information.
4. In the next dialog you will be asked to Save key status as. Please save the file with your company name. If you are activating more than one dongle please number the files. The file(s) you create will have a c2v file extension. Example:
ACME_Forensics_1.c2v
ACME_Forensics_2.c2v

5. After you have clicked Save, you will see the Select HASP dialog. Please select the HASP HL key, not the HASP SL key.
6. Record the dongle ID numbers for each dongle. This will help when applying the update files.
7. Send the created c2v files to

Please ensure you include the following details in the e-mail when sending the c2v files:
a. Organization Name
b. Address
c. Zip code
d. Country
e. Contact Name
f. Phone Number
g. E-mail Address
h. Vound Product type (select only one per dongle):
i. Intella 10 GB
ii. Intella 100 GB
iii. Intella 250 GB
iv. Intella Professional
v. Intella Viewer
vi. Intella TEAM Manager

Step 2: Apply the license update file(s) you receive from Vound Support.

1. Make sure your dongle is connected to the computer that runs Intella.
2. Vound Support will send a dongle activation file. The activation files are dongle-specific. The file will end with a .v2c file extension and the name of the file contains the dongle ID.

Example: HaspUpdate_68_ v2c (the dongle ID in this case is )
Save the .v2c file on your computer. Be sure to remember where it is stored!
3. Start "haspupdate.exe" as before.
4. Click the Apply License Update tab. Then click the Browse button labeled next to the Update File field. This opens a file selector dialog.
5. Select the .v2c file in the file selector and click Open.
6. Click the Apply update button. This will activate the dongle.

Your Intella dongle is now activated! In case of questions or problems, please contact Vound Support at

7 Products and workflow

7.1 Feature overview

The following table lists the seven different Intella desktop applications and their features:

Professional Viewer TEAM P.I. GB GB GB Manager
Preparation: Evidence size limit GB 250 GB none none none 10 GB; Create new cases; Index evidence files
Investigation: Search, filter & review; Preview items; Flag & tag items; Export items
Cooperation: Export Cases; Import Cases; Share Cases; Connect to Shared; Export Work Reports; Import Work Reports

7.2 Standalone use

The following Intella products can be used for standalone use:
Intella 10
Intella 100
Intella 250 GB
Intella Professional
Intella TEAM Manager
Intella P.I.

They allow a user to create cases, index evidence files, search, filter, flag, tag or otherwise annotate and export items. The number in the 10/100/250 products indicates the number of gigabytes of evidence files that each case can hold. Intella Professional and Intella TEAM Manager have no such limit. Intella P.I. equals Intella 10 in all its abilities; the only difference is in how the product is licensed (perpetual, dongle-based license vs. annual, software-based license).

The cases created by these products can also be reviewed by the following products:
Intella Viewer: a desktop product with reduced functionality.
Intella Connect: a separate, server-based product accessed via a web browser.

The workflow for standalone use is as follows:
1. The investigator creates a case in the case manager of Intella and indexes evidence files.
2. The investigator flags and tags items, and gives comments to items of interest.
3. The investigator exports the results for further processing of the case.

In principle it is possible to cooperate on a case by giving other investigators a copy of the case folder. While technically this will work (a case is in no way tied to a specific end user license or machine), the main challenge will be to coordinate that joint investigation. A case copy essentially starts a life of its own, meaning that tags and other annotations exist only within that copy. Ideally the tags are visible to all other investigators, perhaps filtered based on a permissions model. This is where Intella TEAM comes into the picture.

7.3 Sharing cases

The Intella TEAM product makes it possible to work with multiple investigators on the same case in a way that goes beyond simply giving each reviewer a copy of the case folder. In order to do so, you need Intella TEAM Manager for the case administrator and Intella Viewer for the investigators in your team. Intella TEAM as mentioned in Vound's marketing documents is merely the default bundle of one Intella TEAM Manager and three Intella Viewer licenses, as it is typically sold.

Note: Previous Intella releases also featured an Intella TEAM Reviewer product. In the 1.8 release the Intella Viewer and Intella TEAM Reviewer products have been merged. The new product is called Intella Viewer but has all of the functionality of the TEAM Reviewer product (which was a superset of the Viewer functionality). This means that the new Viewer can open both local and remote/shared cases and export work reports. A dongle license for either Intella Viewer or Intella TEAM Reviewer can be used to start the new Viewer product.

As with standalone use, the case administrator creates the case in Intella TEAM Manager and indexes the evidence files. The case administrator then has two options for giving other investigators access to the case:

Share the case across a network. The investigators use their Viewers to connect to the running TEAM Manager instance and will instantly see changes such as tags, flags and comments made by other investigators working on the same case.

Export the case as an .icf file for use by the investigator. In this case no network access between the Viewer and TEAM Manager is necessary, but setting up the investigator's machine and sharing the work product such as tags and comments will take more time and effort.

Sharing cases across a network

1. The case administrator creates a case in Intella TEAM Manager using the case manager and indexes the evidence files.
2. The administrator closes the case and returns to the Case Manager screen. The administrator selects the case and clicks Share. In the screen that follows, the administrator enters a free network port number, configures the authorization rules and clicks Share case.
3. The case administrator informs the investigators of the Case URL that they can use to access the case.
4. The investigators start Intella Viewer, choose to add a new shared case, and enter the Case URL and their username and password. After checking the connection to the shared case and specifying a local data folder, the Viewer opens the case.
5. Investigators start reviewing the case. Any flags, tags and comments that they add are immediately stored in the central case and will be visible to the other investigators.

Sharing cases offline

1. The case administrator creates a case in Intella TEAM Manager using the case manager and indexes the evidence files.
2. The case administrator exports the case to an Intella case file (.icf file) and informs the investigators where they can find the case file.
3. The investigators use Intella Viewer to import the Intella case file.
4. The investigators can then locally open their copy of the case.
5. Investigators flag and tag items and comment on items of interest. They export an Intella work report (.iwr file) that holds these annotations.
6. The case administrator opens the case in Intella TEAM Manager and imports all the Intella work reports created by the investigators. The administrator exports the combined results for further processing of the case.

Work reports

When sharing cases offline, work reports are essential in merging the work product of all investigators working on the same case into the master copy of the case.

Exporting work reports

Exporting an Intella work report means that an *.iwr file is created (Team > Export Work Report). This file contains all tags, flags and comments given to items by an investigator. We refer to these types of information as item updates, as they extend the stored item metadata. Furthermore, it contains the user actions on items that can be found in the Features facet (Previewed, Opened and Exported).

In the Export Work Report dialog you can set the file name of the work report that is to be created. When you select the option Create CSV report, a CSV file will be created that contains a list of all the items that are flagged, tagged or commented. This CSV file lets the investigator double-check the tags, flags and comments that are contained in the work report. It is not necessary to give this CSV to the case administrator; the .iwr file alone will suffice.

In the second section you can choose what type of updates will be reported: tags, flags, comments, action statistics and saved searches. You can further specify what tags should be in the report by clicking the Select button.

In the third section you can (optionally) further restrict the item updates included in the work report:

- By selecting Also include updates from these reviewers and by selecting one or more names after clicking the Select button, the work report will also contain annotations made by the selected investigators. This option is disabled when your case does not contain updates made by other reviewers.
- Only include updates made between and allows you to restrict the work report to updates that were made in a specified date interval.
- Only include updates in these sources allows you to limit the report to selected sources only.
- Only include updates from items selected in the Details view allows you to filter the report to the items that are currently selected in the Details panel.

The creation of the work report may take some time, depending on the case size and the number of updates. Afterwards a dialog is shown that lists the created files and statistics on how many tags/flags/etc. are stored in the work report.

Importing work reports

Importing work reports means that work report files (*.iwr files) created by investigators are added to the original case managed by the case administrator. Flags, tags and comments, audit logs and statistics generated by an investigator are imported into the case. In this way, the results of a team of investigators can be combined.

Using the Team > Import Work Report menu entry will show the Open dialog. Select a work report and click Open.

The Work Report History dialog shows a list of imported work reports. Use Team > Work Report History to open this dialog.

Cross-case work reports

The work report mechanism can also be used to transfer the annotations between different cases that contain copies of the same items, e.g. one original case and a newer case that is partially based on the same evidence files.

When Intella detects that the work report that is being imported comes from a different case, it starts a heuristic procedure to match the items in the work report with the items in the current case. The results of this procedure are presented in a dialog that shows:

- The number of annotations (tags, flags, comments and actions) whose items are identified and verified in the target case.
- The number of annotations whose items are identified but not with full certainty (potential matches). For instance, if an identified item has duplicates in the target case, they are included in this category.
- The number of annotations belonging to items that could not be located in the target case.

When the number of potential matches is non-zero, the dialog contains a checkbox controlling whether these annotations should be imported into the target case. When this option is not selected, only annotations for verified matches will be imported. To start importing, press the OK button.

It is possible to generate a CSV report listing the details of annotations contained in this work report and their matching items. The CSV file contains:

- Basic item metadata: MD5 hash, item ID, file name or message subject, item size, type and source name.
- Type of annotation: tag, flag, comment or action.
- Status of the item matching algorithm: "Verified", "Potential match" or "Missing".

To generate this report, click the "Generate detailed report" button, then select the file location and the categories of matches to include in the report.

8 Managing cases

A case is a collection of sources that can be searched by Intella. Use cases to organize your investigations.

When you start Intella, the Intella Case Manager will show up first. Here you can select existing cases, define new cases, remove old ones, and share and export cases.

The icons represent local cases (folder icon), remote cases (TEAM icon) and old cases (grayed-out folder icon). If the case is made with 1.6.x or older, it cannot be opened. Cases made with 1.7.x can be opened but cannot be re-indexed or have new evidence items added to them.

Above the case list is a field for entering the Investigator name. This name will be used as the default user name when creating new cases and connecting to remote cases. Also, when opening a local case made by someone else, all user actions like previewing, tagging and exporting will be associated with this user name. The initial value used here is your Windows user name.

Below the cases list you can see the ID of your dongle. This can be relevant in conversations with Vound's support department. When you are using a trial license, this line will reflect that. When you have your dongle inserted but still see a line indicating that you are using a trial license, this could indicate technical problems with accessing the dongle, but also that your dongle needs to be updated to run with this Intella version.

8.1 Adding cases

To create a new case, select Add in the Case Manager window. The Add Case options will appear. It shows the four ways of adding a new case to Intella:

1. Create a new, local case from scratch. Use this to index a new set of evidence files on your machine.

2. Open a shared case. With this option you can connect to a case that is shared by a TEAM Manager user. This option is only available when running Intella with a TEAM Manager or Viewer license.
3. Add an existing case. Use this when you have a case folder already on your system but it is not yet in the list of cases shown by the Case Manager.
4. Import a case. Use this when you have received a copy of a case from another investigator as an ICF file. Importing the ICF file will extract its contents into a local case folder and add the case to the Case Manager's list.

Creating a new case

Choose Create a new case to create a new local case from scratch. When the Create New Case dialog is displayed, give the case a name, enter an optional description, enter the name of the investigator creating the case and select a location where you want to store the data that belongs to this case.

Note: The default location for data storage, visible when you click the Suggest button, is
C:\Documents and Setting\<username>\Application Data\Intella\cases\
or
C:\Users\<username>\AppData\Roaming\Intella\cases

The selected case folder will be checked to verify that it is on a hard disk formatted with the NTFS file system. A warning is displayed when this is not the case, e.g. when a FAT file system is used, which has file size limitations unusable for Intella, or when a USB flash drive is detected, which is not recommended for various reasons.

Note: When processing a large case (> 100 GB of evidence files), it is advisable to format the NTFS disk with a cluster size that is larger than the default (usually 4 KB). This reduces the chance of defragmentation issues during indexing. Furthermore, it is recommended to turn off disk compression.

Clicking on the Advanced button adds more options that normally are only necessary when dealing with very large cases (hundreds of GBs or more):

- The optimization folder can be used to speed up indexing by distributing certain database files during indexing across the case folder drive and the optimization folder drive. See the Storage considerations section for more details.
- The memory allocation settings can normally stay at Auto. See the Memory Settings section for instructions on how to use this.

Opening a shared case

In the Add Case dialog, select Open a shared case to open a case on another machine that has been shared by a TEAM Manager user. A Create new case dialog will open that asks for a Case URL, investigator name and passphrase. This information should be provided to you by the case administrator (typically the TEAM Manager user).

Check the Remember passphrase checkbox if you want to store the password locally, so that you don't have to re-enter it each time you select the case in the Case Manager and click Open.

Click Check connection to test the URL and passphrase. If the credentials successfully give you access to the case, a Connection OK status message will display and the case name and description will be loaded from the server.

Click Suggest or enter a custom data folder for local storage. This folder will hold local log files, user preferences, etc.

The memory allocation settings can typically be left at their default value. See the Memory Settings section for more information on this.

Now the case will be added to the Case Manager list and will open instantly when you keep the Open case immediately checkbox selected.

Opening an existing case not in the list

In the Add Case dialog, select Add an existing case. This will open a dialog prompting you to choose a case file (case.xml). This file is located in the top level case folder. Choose the case file and click on Open. The case will now be added to the Case Manager's list and can be opened by selecting the case and clicking the Open button.

Importing a case

In the Add Case dialog, select Import a case. This will open a dialog prompting you to choose an Intella case file (.icf file). Choose the case file and click on Import. Once importing has completed, the case will be added to your Case Manager's case list.

8.2 Opening a case

Opening a case is merely a matter of selecting the case in the Case Manager's list and clicking the Open button. The Case Manager window will disappear and Intella's main screen will be opened. This may take some time, depending on factors like disk speed, case size and concurrent tasks performed by the PC.

In some scenarios a case may be grayed out:

- There may be a lock icon next to the case name, with the text Case in use. This indicates that there is already a process running that is accessing this case. Access to the case is blocked for other processes to prevent damage to the case databases. This locked status will disappear as soon as the other process has ended. If there is no other Intella window visible, it may be that an earlier Intella session did not exit correctly and completely, still holding the lock. A reboot of the machine is the simplest solution to fix this situation. If the case folder is on a shared network drive, then it may also mean that an Intella process on another machine is accessing the case. In that scenario rebooting the local machine will not help; the process on the other machine has to be ended first before other processes can open the case again.
- The case data folder that the cases.xml file points to cannot be found or does not contain a case.xml file. In that scenario the case will be listed as Unnamed case.
- All other grayed out and disabled cases are cases made with Intella 1.6.x or older. These are not supported by Intella 1.9. See the Release Notes for details.

8.3 Editing a case

In the Case Manager, use Edit to open the Edit case dialog to change the name, description, and the investigator's name. You cannot change the Data folder. For remote cases the case name and case description cannot be changed.

8.4 Deleting a case

In the Case Manager, use Delete to remove the selected case(s) from the Case Manager's cases list. You will be asked to confirm the deletion. By default, only the reference to the case is removed; the case folder is left intact. By checking Also remove the related case folders from disk, the case folder will be permanently removed as well.

Warning: removal of the case folder cannot be undone. All files that you may have placed manually in the case folder will also be removed.

8.5 Exporting a case

In the Case Manager, use Export to export the selected case. Choose a name and folder for the ICF file in the Choose file to export the case dialog and click Save.

Once the case file has been created, a dialog is shown that lists the location of the created ICF file. This file is to be handed out to the investigators that need to work on this case. The dialog also lists the location(s) of the evidence file(s) used in the case. These only need to be distributed when the receiver of the ICF file needs to be able to re-index the case. For all other tasks, including exporting, the case is fully self-contained.

8.6 Sharing a case

In the Case Manager, use Share to share the case for other TEAM Manager and Viewer users.

The TEAM sharing functionality requires a free network port on your computer for communicating with the reviewers. By default port 8080 will be used, but you can specify a different port number before starting the case sharing. If the port is already used by another application, Intella will be unable to share the case and will report an error. This also means that, when sharing multiple cases on one machine, each case needs to be assigned a different port. The port(s) also need to be reachable for other machines, which may involve setting some firewall rules.

When sharing a case for the first time, you will need to authorize the reviewers. You can add, enable and disable user accounts for the shared case by clicking the Authorizations button. This can also be done when the case is already being shared.

To start the case sharing, click the Share case button. When this process has completed, you will see two new buttons: one for unsharing the case and a Copy button. The latter button can be used to copy an invitation text to the Windows clipboard, which you can then paste into, for example, an email to the reviewers. This invitation text contains one or more case links that indicate the network address and port for the shared case. These addresses are based on the configuration of the computer's network adapters and should work fine in most local networks. In more advanced network setups, for example when using Network Address Translation (NAT), you may need to change the case links for the reviewers. Your network administrator should be able to assist you with this.

When investigators connect to the case, their usernames will be shown in the Users view on the top-right. The Event Log on the bottom of the screen will show the user activities like item reviews and exports. All tags, flags and comments will be stored in the central, shared case and will immediately be visible to other investigators connected to the case.

To stop the case sharing, click the Unshare case button.

9 Overview of the Intella interface

Intella's main window consists of two tabs: the Insight tab and the Search tab. Together they give access to all information stored in an Intella case. Another prominent window is the Previewer, showing detailed information about a particular item. The Previewer can be opened by clicking or double-clicking on certain elements within the Insight or Search tabs.

This chapter gives a brief overview of these user interface parts. More detailed information is provided in later chapters.

9.1 Insight view

The Insight view shows notable aspects of the indexed evidence files and possible next steps to take. The overview given here can help an investigator get a grasp of the case's contents, such as the encountered item types and their volumes, date ranges, web browser activity, etc. This will help in formulating follow-up questions for further research.

Most elements in this view can be clicked or double-clicked, which starts a search in the Search tab or opens a corresponding item in the Previewer.

9.2 Search view

The Search view allows for arbitrary searches in the case data using keywords or one of the navigation facets such as date, location, item type, etc.

1. The Search panel is the place to enter search terms or phrases.
2. The Facets panel shows a list of facets for searching and filtering results. Each facet represents a different dimension in which the items can be discerned. Select a facet from the list to see the navigation options offered by that facet, shown beneath the list.
3. The Searches panel shows the user's keyword and facet queries, together with their result count.
4. The Cluster Map and Social Graph show the search results of these queries in various ways.
5. The Details panel shows a table, list, thumbnail view or timeline view of the results in a selected cluster or result set. It is populated by selecting elements in the Cluster Map, Social Graph or Searches list. Click or double-click (depending on the chosen view) on an item to view it in full detail in the Previewer.

9.3 Previewer

The Previewer is typically opened by clicking on elements in the Insight or Search tab, but it can also be opened by clicking on hyperlinks in the Previewer's own Tree tab, or by using the Preview item option in the Sources menu and entering the item's ID.

1. Use the tabs at the top to inspect an item's contents, headers, properties, attachments, thumbnails, tree structure, extracted terms, comments and performed user actions. The tabs shown for a specific item depend on the item type and its data. Bold tab names indicate the presence of a keyword search hit in the text inside that tab.
2. The Contents tab always starts with a summary of important information of the item, followed by a document or message body, image content, etc.
3. When the Search view shows the results of one or more keyword queries, the status bar at the bottom will show the keywords found in the current item and offer buttons to navigate from hit to hit.
4. The toolbar on the left lets one navigate to and search for related items, annotate the current item in various ways and produce the current item in a number of formats.

10 Sources

Sources are one of the key concepts of Intella. They represent the locations where items such as emails, documents and images can be found. Sources are explicitly defined by the user, providing full control over what information is searched.

Source types

Intella distinguishes between various types of sources:

- File or Folder: A single file or folder with source files on a local hard drive or on a shared/network drive. Such source files could be:
  o Regular loose files like MS Word, Excel and PDF files.
  o Email containers such as MS Outlook PST/OST and IBM Notes NSF files.
  o Cellphone XML reports such as made by Cellebrite XRY, MicroSystemation's XRY and Oxygen Software's Forensic Suite.
- Load file: a Concordance, Relativity or CSV load file.
- Hotmail Search Warrant Result (experimental): a collection of files in HTML and other formats, provided by Microsoft pursuant to a search warrant.
- Disk Image: one or more disk images in E01, Ex01, L01, Lx01, S01 or DD format.
- IMAP account: One or more email account(s) on an IMAP server.
- MS Exchange EDB Archive: a single MS Exchange EDB file.

Notes on mail formats

Intella supports PST and OST files created by the following versions of Microsoft Outlook: 97, 98, 2000, 2002, 2003, 2007, 2010, 2013 and

Make sure that Intella has exclusive access to the PST or OST file; it cannot be open in Outlook or another application at the same time.

Intella will try to recover the deleted items from the file. Recovered items will be located in a special folder named <RECOVERED>. Furthermore, Intella may encounter items outside the regular root folder. Any such items are placed in a special folder called <ORPHAN ITEMS>. There is limited ability to recover deleted emails from OST 2013 files; this is being worked on.

In order to index NSF files, IBM Notes 8.5 or higher needs to be installed. For NSF files made with IBM Notes 9 it is recommended to install IBM Notes 9. Intella supports all NSF files that can be processed by the installed IBM Notes version. Make sure that Intella has exclusive access to the NSF file; it cannot be open in a Notes client or another application at the same time. Only NSF files containing emails are supported by Intella; all other types are not supported.

Make sure to use a default Notes installation and user configuration. A corporate Notes installation is often problematic for indexing, e.g. because of installed plugins interfering with access to the NSF file, the installation being tied to the corporate identity management system, etc.

Intella 1.9 contains experimental support for indexing Notes deletion stubs. Extraction of deletion stubs is disabled by default. To enable it, add the following line to the case.prefs file:

NotesIndexDeletionStubs=True

Tip: The IBM Notes tool nupdall.exe can be used to convert older NSF files to NSF files that can be processed by IBM Notes 8.5 and higher.

Intella supports DBX files created by the following versions of Microsoft Outlook Express: 4.0, 5.0, 6.0.

Intella has been tested on Thunderbird Mbox files.

Intella supports MS Exchange EDB files of Exchange versions 2003, 2007 and

Notes on cellphone formats

When indexing Cellebrite, MicroSystemation or Oxygen cellphone reports, each report should be in its own subfolder. Any additional files that were produced together with the XML report, such as audio, video and image files, should have the same relative location to the XML file as the exporting application produced them. These two requirements are crucial for correctly linking the binary files with the XML report. Finally, no other evidence files should be placed in these folders, as they will be ignored. The folder should reside in the file system, i.e. not in a ZIP file or disk image, as quick random access is needed in order to be able to process the files linked from these reports.

A folder with the XML report and its related files can in principle be indexed straight away. However, most XML reports will often only contain the external numbers related to the calls and messages, i.e. the number of the phone itself is not in the report. This has valid technical reasons (e.g. it cannot be guaranteed that the current SIM card was used for these calls and messages), but it makes analysis of the communication a lot harder. Also, Intella functionalities like message deduplication require this information. When the number is known by the investigator, e.g. obtained from the network provider, it may be specified through a separate text file:

1. Create a text file named after the XML report. For example, if the report is called report.xml, the text file should be named report.numbers.txt.
2. Put it in the same folder as the XML report.
3. Store the phone's own number in this file.

When the XML report holds information about multiple phones, enter the number of each phone on a separate line, like this:

number1
number2
< >

The first line will be used for the first phone found in the report, the second line for the second phone, and so on.

When indexing XRY's XML reports, we recommend using the Extended XML report introduced in XRY 6.4. This new format solves many issues with the encodings of dates and other fields. Furthermore, the older XML format did not support exporting binary items. To get binary items with the Extended XML report, you need to select the Export media files and manifest option.

Important: The XML formats used by these cellphone extraction vendors are often evolving over time and are not fully documented. While we strive to extract all information from these reports as completely and correctly as we can, we can only offer this functionality on a best-effort basis. We recommend that you verify any results that you may rely on in your report with the original cellphone extraction software.
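The folder and numbers-file rules for cellphone reports can be checked before the evidence is indexed. The Python script below is an added example, not part of Intella or of the original manual; its function names, the constructed sample folders and the phone-number pattern (an optional + followed by 5 to 15 digits) are assumptions, and it treats every .xml file directly inside a subfolder as a report.

```python
import re
import tempfile
from pathlib import Path

# Assumption: a phone number is an optional "+" followed by 5 to 15 digits.
NUMBER_RE = re.compile(r"\+?\d{5,15}")


def check_report_folder(folder):
    """Return a list of problem strings for one report subfolder."""
    problems = []
    # Assumption: every *.xml file directly inside the subfolder is a report.
    reports = sorted(p for p in folder.iterdir()
                     if p.is_file() and p.suffix.lower() == ".xml")
    if not reports:
        problems.append("no XML report found")
    elif len(reports) > 1:
        problems.append("%d XML reports in one folder; each report needs "
                        "its own subfolder" % len(reports))
    for report in reports:
        # report.xml -> report.numbers.txt, stored next to the report
        numbers = report.with_name(report.stem + ".numbers.txt")
        if not numbers.is_file():
            problems.append(numbers.name + " missing")
            continue
        lines = numbers.read_text(encoding="utf-8").splitlines()
        if not lines:
            problems.append(numbers.name + " is empty")
        for lineno, line in enumerate(lines, start=1):
            # Lines map to phones by position, so a blank or malformed line
            # shifts every number after it to the wrong phone.
            if not NUMBER_RE.fullmatch(line.strip()):
                problems.append("%s line %d: %r is not a phone number"
                                % (numbers.name, lineno, line))
    return problems


def check_evidence_root(root):
    """Map subfolder name to its problems, for subfolders that have any."""
    findings = {}
    loose = sorted(p.name for p in root.iterdir()
                   if p.is_file() and p.suffix.lower() == ".xml")
    if loose:
        findings["."] = ["XML report outside a subfolder: " + n for n in loose]
    for sub in sorted(p for p in root.iterdir() if p.is_dir()):
        problems = check_report_folder(sub)
        if problems:
            findings[sub.name] = problems
    return findings


def build_sample(root):
    """Create a constructed evidence tree: one good folder, three flawed."""
    layout = {
        "phone_ok": {"report.xml": "<report/>",
                     "report.numbers.txt": "+15550100001\n"},
        "phone_no_numbers": {"extract.xml": "<report/>"},
        "phone_blank_line": {"report.xml": "<report/>",
                             "report.numbers.txt":
                                 "+15550100002\n\n+15550100003\n"},
        "two_reports": {"a.xml": "<report/>", "a.numbers.txt": "15550100004\n",
                        "b.xml": "<report/>", "b.numbers.txt": "15550100005\n"},
    }
    for folder, files in layout.items():
        (root / folder).mkdir()
        for name, text in files.items():
            (root / folder / name).write_text(text, encoding="utf-8")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(Path(tmp))
        for folder, problems in check_evidence_root(Path(tmp)).items():
            for problem in problems:
                print(folder + ": " + problem)
```

A missing numbers file does not stop indexing; it is reported because the phone's own number would then be absent from the indexed communication.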

Notes on IBM Sametime dumps

When indexing an IBM Sametime dump, each dump and its related files should be in its own subfolder. This should be a file system folder, i.e. not a ZIP file or disk image, as quick random access is needed in order to be able to process the files linked from these reports.

Common file locations

MS Outlook PST and OST files are typically located in the following folder:

- Windows Vista, Windows 7 and Windows 8/8.1: C:\Users\<username>\AppData\Local\Microsoft\Outlook
- Windows 2000 and XP: C:\Documents and Settings\<username>\Local Settings\Application Data\Microsoft\Outlook

MS Outlook Express DBX files are typically located in the following folder:

- Windows 2000 and XP: C:\Documents & Settings\<username>\Local Settings\Application Data\Identities\{<arbitrary string>}\microsoft\outlook Express

IBM Notes NSF files are typically found in the following folder:

- Version 7.x: C:\Program Files\Lotus\Notes\Data
- Version 8.x: C:\Program Files\IBM\Lotus\Notes\Data
- Version 9.x: C:\Program Files\IBM\Notes\Data

10.2 Adding sources

Adding sources to Intella is done with the Add New Source wizard. You can start this wizard by selecting Add New from the Sources menu or by typing CTRL+N.

Adding a File or Folder source

Follow these steps to add a Folder source to Intella:

1. Source Type
   Start the Add New Source wizard from the Sources menu (Sources > Add New...). Select File or Folder and click Next. A folder tree will be displayed next.
2. Specify File or Folder
   Select the folder or file from the tree that you want to index, or enter the folder or file name in the text field above the tree. When selecting a folder, all files in the selected folder will be indexed. When the Include subfolders checkbox is selected, files in all subfolders (and subsubfolders, etc.) will also be indexed. When the Include hidden folders and files checkbox is selected, hidden files and folders will be indexed as well.
   Note: Folder trees containing many items may take some time to be displayed. Please be patient.
   Click Next to continue.

The last steps in the definition of a source type are almost the same for all types. They are described in the section Last steps in a source definition.

Adding a load file source

Tip: An experimental set of load file templates is available on request that can be used to export items and reimport them in another case, effectively creating a subset of the original case. Contact us at for more information.

Follow these steps to add a load file to an Intella case:

1. Source Type
   Start the Add New Source wizard from the Sources menu (Sources > Add New...). Select "Load file" and click Next.
2. Specify File
   Add the file name and location of the load file that you wish to investigate: click Open to browse for the file. If the load file comes with an Opticon image file, then you should specify it in the "Opticon image file" field. Specify the load file format: "Concordance/Relativity" or "Comma Separated Values". You can use a previously saved import template. Click the "Default" button to clear the selected template. Click Next to continue.
3. Formatting options
   On the "Formatting options" page you can set the file encoding and delimiter settings for:
   - Column delimiter: the character that separates the columns.
   - Text qualifier: the character that marks the beginning and end of each field.
   - New line: the character that marks the end of a line inside a text field.
   - Multi-value delimiter: the character that separates distinct values in a column. Currently it can be used with the "Tags" column only.
   - Use absolute path: select this option when the load file uses absolute paths rather than relative paths.
   You can click the "Detect Encoding" button in case you are not sure about what encoding to use.
   Intella will validate the load file using these settings and display the validation result in the status line. When the file can be validated successfully, the number of columns and records found in the load file will be displayed. When validation fails, a reason will be given in this line.
   At the bottom of the panel a Data preview is shown. It can be used to make sure that you have specified the correct parameters for the load file. Additionally, the "Image preview" panel will show the first image associated with the selected table record. It can be used to ensure that the Opticon file is correctly loaded. Click "Next".
4. Column mapping and date formats
   On this screen you can define the mapping of some essential load file fields. For each column you can select a column name from the drop-down list. The fields have the following meaning:
   - Document ID: the unique identifier of the record.
   - Parent document ID: the unique identifier of the parent record.
   - File folder & Email folder: fields that are used to reconstruct the original location of the record. You can specify either two separate columns for emails and loose files or just a single column for any type.
   - Extracted text: the extracted or OCRed text of the document. Select the "Extracted text column is a link to an external file" checkbox when the column contains a link to the text file rather than the text itself.
   - Native file: the path to the native (original format) file of the document. Select the "Extract text and metadata from native files" checkbox when you want to extract the text and metadata from the native file. Note that Intella will replace any original metadata from the load file with the new metadata extracted from the native file. The option is turned off by default.
   You can specify date and time formats in the second part of the screen.
5. Email metadata options
   Specify which columns should be used to load the metadata information from. In order to load a date from separate date and time columns, use the "XXX date and time are separate columns" checkbox.
6. Loose files options
   You can specify the loose files and attachments metadata mapping on this page. Remarks:
   - The Size column should contain the size of the document in bytes.
   - The MIME Type column should contain a correct MIME type of the document, e.g. "application/pdf".
   - The File Extension column can be used for loose file identification instead of or in addition to the MIME Type column. When the MIME type is not present, the file extension will be used to derive the MIME type.
   - When you select the "Use the following column and value to identify emails" checkbox, you can specify a column and some value to tell Intella that this record represents an email message. This may be useful in situations where your load file has no correct MIME type information, but you still want to distinguish emails from loose files. An example is load files conforming to the U.S. Department of Justice load file delivery standard: you will want to specify the column "EPROPERTIES" and value " " to correctly import emails.

58 7. Tags The Tags column should contain a list of tags separated by the character specified in the Multi-value delimiter field on the Formatting options page. All found tags will be imported into the current case. If the tag does not exist, it will be created automatically. You can also select to import the custom columns as tag columns. 8. Validation Intella will automatically validate the load file and the Opticon image file. All found errors will be shown in the Data preview table. For each error you will see: The line number where the error was detected. The field name and value that failed to validate. An error description. It is highly recommended to resolve all errors before importing the load file. Important notes on load file importing There are several aspects to be aware of when importing a load file into an Intella case: All paths in the load file to external resources should be relative to the load file, unless the "Use absolute paths" checkbox is selected. The original load file record identifiers will be imported into the "Import ID" column and can be used in a subsequent load file export. Imported images can be viewed in the "Image" tab in the Previewer. Custom fields that are not supported by Intella s data model can be imported using Tag Columns. Note however that tag columns are designed to hold tag-like data where the number of unique values is not high. It is not suitable for importing columns where each item contains a unique value, like an external identifier. This functionality may be added in a future release. You can save the specified load file import options as a template for later usage on the last page "Completed Source Definition". All import templates are stored as XML files in the "<Intella System Folder>\importtemplates" folder Adding a Hotmail Search Warrant Result source Important: This source type is still in an experimental stage. 
We welcome any feedback; please visit our support portal at

Follow these steps to add a Hotmail Search Warrant Result to Intella:

1. Prepare evidence files
The evidence files you have received may consist of a folder containing a Click Here.html file and some legal files related to the search warrant, with a subfolder for each account involved. It may also be that you have only one of those account subfolders, recognizable by a Folders.html and Messages file in this folder. In case you have received a ZIP file or some other type of archive file, please unpack this archive file first.

2. Source Type
Start the Add New Source wizard from the Sources menu (Sources > Add New...). Select Hotmail

Search Warrant Result and click Next.

3. Specify File
Select the folder holding the Hotmail Search Warrant Result files that you wish to investigate: click Open to browse for folders. Select the top-level folder of the provided file collection and click Open. Click Next to continue.

The last steps in the definition of a source type are almost the same for all types. They are described in the section Last steps in a source definition.

Adding a Disk Image source
Follow these steps to add a Disk Image source to Intella:

1. Source Type
Start the Add New Source wizard from the Sources menu (Sources > Add New...). Select "Disk Image" and click Next.

2. Specify Files
Specify the location of one or more image files: click Add to browse for image files. Select the image file and all its parts and click Add. All selected files will be listed in the disk image list. Alternatively, one can select a single image part and then click Find Parts. Intella will then try to find the related image parts that belong to that same multi-volume image (see below) and add them to the list. Files of a multi-volume image should be listed in the correct order. Select rows and use the Move Up and Move Down buttons to put files in the correct order.

3. Select files and folders to process
Indicate which files and folders should be processed by selecting a pre-defined profile or creating a custom one. See below for detailed instructions.

The last steps in the definition of a source type are almost the same for all types. They are described in the section Last steps in a source definition.

Important: A single disk image source should only contain the files relating to a single conceptual image. Files relating to a different image should be entered as a separate source.

Important: Due to limitations in the indexing framework it is not possible to include or exclude compound file types such as the newer MS Office file formats (based on ZIP) or the older MS Office file formats (based on OLE).
Please use filtering by file extension instead. This shortcoming will be addressed in a future Intella version.

Filtering disk image content
A disk image often contains a lot of irrelevant files, such as executables and DLLs. These files add to the processing time and disk space that the case will consume. It is possible to define a set of rules to filter out unnecessary files and folders, to save processing time and disk space.

On the File types and locations page you can choose either to index all the data by selecting the "Index all files and folders" check box, or use a specific disk image indexing profile. There are several built-in profiles:

- All supported files. Index all file types supported by Intella. Supported means that Intella can do something meaningful with it besides detecting the file type, i.e. it can extract text, metadata and/or embedded items from the file, or display it as an image. All executables for example are not hashed and cached with this profile.
- All supported files, exclude system files. Index all file types supported by Intella and exclude three system folders: "Windows", "Program Files" and "Program Files (x86)".
- Mail stores. Index only mail store files: PST, OST, NSF, Mbox, etc.
- Mail stores, exclude system files. Index only mail store files. Also exclude the three system folders listed above.

You can also adjust any index profile to your needs. To create a new profile, type a new name in the "Use index profile" box and click the Save button. You can delete any profile by selecting it first and clicking the Remove button.

The first section on this page defines the rules on which files should be included or excluded. You can filter files by type and by file name. If you select "Include selected entries", then only the listed files and file types will be indexed. Otherwise, the listed entries will be excluded. Note that you can use wildcard names such as "*.txt" to filter all files that end with ".txt". A single "File name" entry can contain only a single file name definition; you cannot enter several file names in a row such as "*.txt, *.exe". You should add two separate entries to the list in this case.

The second section on this page defines a list of locations that should be included or excluded. If you select "Include selected entries" then only the listed locations will be indexed. Otherwise, the listed locations will be excluded from indexing. You can adjust the folder selection on the next screen called "Select Folders".

All index profiles are stored in XML format in the "<Intella System Folder>\index-profiles" folder and can be used in all local cases.
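Excluding folders and file names saves processing time, but it also removes files from the scope of every later search, so it is worth checking what a profile would skip before indexing. The following is an added example, not part of the manual or of Intella: it applies include/exclude rules to a constructed file listing and flags skipped mail stores. The profile model, the sample custom profile, the matching semantics (top-level folder, case-insensitive) and the ".mbox" extension are assumptions.

```python
from fnmatch import fnmatchcase
from pathlib import PureWindowsPath

# Folders excluded by the built-in "exclude system files" profiles (from the text above).
SYSTEM_FOLDERS = ["Windows", "Program Files", "Program Files (x86)"]
# Mail store types named above; ".mbox" as the Mbox extension is an assumption.
MAIL_STORE_EXTS = {".pst", ".ost", ".nsf", ".mbox"}

# Hypothetical custom profile: one mode plus entries for file names and one
# mode plus entries for locations. Filtering by file type is not modelled.
EXCLUDE_SYSTEM = {
    "name_mode": "exclude", "names": ["*.exe", "*.dll"],
    "location_mode": "exclude", "locations": SYSTEM_FOLDERS,
}

# Constructed file listing, paths relative to the volume root.
LISTING = [
    "Windows/System32/kernel32.dll",
    "Windows/Temp/archive.pst",
    "Users/alice/Documents/report.docx",
    "Users/alice/AppData/Local/Microsoft/Outlook/alice.ost",
    "Program Files (x86)/Tool/tool.exe",
    "Program Files/Notes/Data/mail.nsf",
]


def path_parts(path):
    """Components without drive or root, so drive-prefixed and relative paths compare equal."""
    p = PureWindowsPath(path)
    return p.parts[1:] if p.anchor else p.parts


def passes(hit, mode):
    """Include mode keeps only listed entries; exclude mode drops them."""
    return hit if mode == "include" else not hit


def would_index(path, profile):
    """Approximate whether a file survives both the file name and the location rules."""
    parts = path_parts(path)
    if not parts:
        return False
    name = parts[-1].lower()
    top = parts[0].lower() if len(parts) > 1 else ""
    name_hit = any(fnmatchcase(name, pat.lower()) for pat in profile["names"])
    loc_hit = any(top == loc.lower() for loc in profile["locations"])
    return (passes(name_hit, profile["name_mode"])
            and passes(loc_hit, profile["location_mode"]))


def review_skipped(listing, profile):
    """Return (all skipped paths, skipped paths that are mail stores)."""
    skipped = [p for p in listing if not would_index(p, profile)]
    flagged = [p for p in skipped
               if PureWindowsPath(p).suffix.lower() in MAIL_STORE_EXTS]
    return skipped, flagged


if __name__ == "__main__":
    skipped, flagged = review_skipped(LISTING, EXCLUDE_SYSTEM)
    print(f"{len(skipped)} of {len(LISTING)} files would be skipped")
    for path in flagged:
        print("review before relying on this profile:", path)
```

Run against a file listing produced by another tool, the flagged paths show where a mail store sits inside an excluded folder and would never reach the index.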
Supported disk image formats
The Disk image source type supports EnCase E01, Ex01, L01, Lx01 and S01 files. Password-protected files are supported and indexed without manual interaction, except for FTK-encrypted files.

DD images are supported, but when a Folder source is used, they need to use the .dd file extension in order to be detected and processed as DD images. Because of potential issues with DD image detection, we recommend using the Disk Image source directly. This is also required when you want to index a multi-volume DD image.

Supported file systems and partition types
The following file systems have been tested: FAT16, FAT32, NTFS, Ext2/Ext3, HFS/HFS+ and ISO Other file systems such as EXT4, ExFAT, YAFFS2 and ISO (UDF) may work but have not been tested yet.

MBR and GUID Partition Table (GPT) partitions are supported. Apple Partition Maps (APM) have been tested but results were mixed. When Intella fails to index such an image, we recommend mounting it manually and indexing the mounted drive using a File or Folder source.

Multi-volume files
When using a Folder source to index multiple image files, Intella will rely on the following file name convention to determine which files together make up a single image:
image1.e01 (first volume of image 1)
image1.e02 (second volume of image 1)
image1.e03 (third volume of image 1)
image2.e01 (first volume of image 2)

image2.e02 (second volume of image 2)
image2.e03 (third volume of image 2)
image2.e99 (99th volume of image 2)
image2.eaa (100th volume of image 2)
image2.eab (101st volume of image 2)

Adding an IMAP account source
Important: The IMAP standard is implemented in many different ways. Furthermore some mail servers may throttle the network connection during mass downloads. We tested Intella on several IMAP servers with good response. However, we cannot guarantee that Intella is able to create IMAP account sources for every IMAP server. Specifically, retrieval of e-mails through Outlook 365's IMAP connection gave incomplete results.

Tip: We recommend using a mail client to download the entire mailbox and indexing the resulting PST or Mbox file, rather than using Intella to download the mailbox. This way a copy of the mailbox is created outside of the Intella case. This results in a cleaner and better auditable workflow, allowing e.g. cross-validation of the investigation results with other forensic tools or indexing with future Intella versions.

Follow these steps to add an IMAP Account source to Intella:

1. Source Type
Start the Add New Source wizard from the Sources menu (Sources > Add New...). Select "IMAP account" and click Next.

2. Specify Account
Enter the settings for the target account, e.g., mail.my-isp.com with the username and password. Select the use secure connection (SSL) checkbox if you want or need a secure connection to the mail server. This is recommended, because without a secure connection your password will be sent as plain text. Click Next to continue.

3. Select Folders
In the next step, Intella will contact the specified server to retrieve the mail folder tree. If you selected a secure connection and the server uses a certificate that cannot be validated automatically, a dialog will appear that asks you whether the certificate should be accepted.
Once connected, after you accept the certificate if applicable, Intella will display the folder tree of the target mail account. You can then select the folders that you want to make searchable by placing a check in the box next to the desired folders. When you want to index subfolders, you will need to select them; otherwise they will be ignored. The wizard has two convenient buttons for selecting and deselecting all folders. Click Next to continue.

Adding a MS Exchange EDB Archive source
Important: The 64-bit version of Intella is required.

Important: Processing an EDB archive may require adjusting the memory settings. Please see the "Memory settings" section for detailed instructions.

The currently supported MS Exchange versions are 2003, 2007 and

Follow these steps to add a MS Exchange EDB Archive source to Intella:

1. Source Type
Start the Add New Source wizard from the Sources menu (Sources > Add New...). Select "MS Exchange EDB Archive" and click Next.

2. Specify EDB File
Specify the location of the EDB file you wish to investigate: click Add to browse for the file. Select the file. Click Next to continue.

3. Select Mailboxes
Indicate which mailboxes should be processed. You can click the Select All button in order to process the entire archive. Click Next to continue.

The last steps in the definition of a source type are almost the same for all types. They are described in the section Last steps in a source definition.

When an EDB source has been added and not all mailboxes were selected, it is still possible to index additional mailboxes in that EDB file at a later stage. In order to do that, the following steps should be performed:
1. Start the Edit Sources dialog from the Sources menu (Sources > Edit Sources).
2. Select the source from the list in the left panel and click "Select mailboxes...".
3. Indicate which mailboxes should be processed. Note that you cannot unselect or remove already processed mailboxes. Click OK.
4. Close the Edit Sources dialog, saving the changes.
5. You will see a message dialog asking "Some of the sources have been modified to include new data. Would you like to index new data now?". Click Yes to index the new mailboxes.
6. When you clicked No in the previous step, you can index the new mailboxes at a later point in time by selecting Index new data in the Sources menu.

Last steps in a source definition
The following final steps are the same for all source types.

1. Source Name and Time Zone
In the Source Name and Time Zone sheet you are asked to enter a name for the source. The name will be shown in the list of sources in the Sources panel and functions purely as a label for your reference.
Furthermore a suspected system base time zone can be entered. This setting indicates the time zone of the system from which the evidence file(s) were obtained. By entering this time zone, all dates associated with items from this source will be displayed in that time zone, rather than the time zone of the investigator's system. This often makes it easier to correctly interpret those dates, e.g. determine whether a given timestamp falls inside regular business hours. By default the local time zone is used for new sources. Time zones supporting Daylight Savings Time (DST) are marked with an asterisk (*). Click Next to continue.

2. Items
Intella makes the indexing of certain complex file types optional. You can disable this to improve indexing performance at the cost of fewer results.
- Select Index mail archives if you want to extract all e-mails and attachments from mail archives like PST and NSF files. Subsequent processing of documents, archives and other items found in the attachments is still subject to the other options.
- Select index chat messages if you want to index chat messages inside Skype SQLite databases, Pidgin accounts and Bloomberg XML dumps. This also controls what happens with Skype, WhatsApp messages etc. in cellphone reports.
- Select Index archives if you want Intella to index files inside archives such as ZIP and RAR files.
- Select Index content embedded in documents if you want to extract images and other binary items embedded in Microsoft Office, OpenOffice and PDF documents. This will make these items separately searchable and viewable.
- Select Index databases to enable the indexing of all tables in SQLite databases.
- Select Windows registry to make all keys and values in a Windows registry file searchable by full-text keyword search. When turned off, a limited amount of registry indexing necessary for populating the Insight tab will still take place. The overhead for this is negligible.
- Select Index browser history to let Intella process the contents of web browser histories.
- Select recovered deleted e-mails and Notes deletion stubs to enable the processing of deleted e-mails from MS Outlook files (PST, OST) and deletion stubs in IBM Notes files (NSF).
- Select Extract text fragments from unsupported and unrecognized file types to enable heuristic string processing on all items whose type is not recognized by Intella (they are considered to be binary blobs) or whose type is not supported apart from type detection (e.g., executable files).

3. Options
This sheet provides additional options affecting the time needed for indexing.
- Select Cache original evidence files to copy all evidence files into the case folder. Use this option if you want to create a self-contained case where the evidence files can be opened or exported even when they are not found in their original locations (for instance when the case is moved to another system). When this option is turned on, additional processing time (especially for compression) and disk space is needed. This setting has no effect on storing of the items extracted from these evidence files (e.g. the mails, attachments and other embedded items extracted from a PST file), as these are always stored in the case folder after extraction.
- Select Analyze paragraphs to let Intella determine the paragraph boundaries and to let it build a database registering which paragraph occurs in which item and where. This enables various search and review options at the expense of additional processing time. The required storage space is negligible. For subsequent sources this setting is forced to be the same as what has been used for the first source.
Click Next to continue.

4. Tasks
This sheet lets the user define post-processing steps that need to take place once all evidence files

have been crawled and all indices have been built. See the Tasks section for more details.

5. Completed Source Definition
Finally you will be presented with a dialog to inform you that you have successfully defined a new source. You may optionally start indexing the source. Indexing is required to be able to search and explore the items in this source. Once you click the Finish button, the indexing process will proceed according to the options you have selected.

Tip: Because the active indexing process prevents you from interacting with the rest of the program until finished, you may wish to skip this part now (e.g., to define more new sources) and index the sources later by clicking the Re-index menu item in the Sources menu.

Note: At any time except before the step "Completed Source Definition", you can click the Cancel button to return to the Intella interface without having added a new source to the case.

Indexing
After defining a source, Intella will index it. During indexing it will inspect all items (e-mails, files etc.) that it can find in the source file(s), enabling Intella to return instantaneous results during your investigation for relevant evidence.

Warning: Having anti-virus software active during indexing can lead to certain items not being indexed. This will usually be restricted to the files that are blocked by the anti-virus software, but this cannot be guaranteed. Running anti-virus software may also affect indexing performance.

During indexing, you will see an overlay displaying various types of information:
- Statistics on indexing speed.
- Statistics on encountered file types.
- The amount of data that is being indexed and how much has been indexed already.
- The number of indexing steps to perform, which current step is being performed and (for some steps) a progress percentage.
You will not be able to interact with the rest of the program while this dialog is shown.
Resizing and minimizing the main window remains possible though, as is stopping the index process.

You can stop the index process at any time by clicking the Stop button. Intella will finish processing the current item and then complete its case databases with the information that has been extracted thus far. Afterwards it will let you close the dialog.

Re-indexing a case
There may be circumstances when you want to re-index the entire case, e.g. to use extraction features offered by a newer Intella version or fix a broken index. To rebuild the case index from scratch, use the Re-index option in the Sources menu. Intella will remove all indices it has previously created and create new ones. In order for this to work, all evidence files have to be present at the location they had during the initial indexing.

Updating a case
Alternatively, there may be times when you want to update an index, e.g. in the following scenarios:
- Files and/or folders have been added to folders that have already been indexed.
- New sources have been defined but were not indexed immediately.
- The set of mailboxes to index in an EDB source has been extended.
- You interrupted indexing using the Stop button.
In these cases the Index new data option in the Sources menu will scan all sources for new evidence items. Items that have already been indexed are not changed, even when their original evidence items are no longer available.

Automatic item decryption
Intella can automatically decrypt a number of file formats, provided that the required credentials are supplied before indexing starts. Therefore you may want to uncheck the checkbox in the Add Source wizard that starts indexing and use the Re-index option (see above) after these credentials have been entered.

Supported formats
The following file formats can be decrypted by Intella when the credentials are specified before indexing:
- IBM Notes NSF files.
- S/MIME- and PGP-encrypted e-mails, regardless of the container type they reside in (e.g. EML, MSG, PST, OST, NSF, Mbox, DBX).
- PDF documents.
- Old format MS Word documents (.doc) and MS Excel spreadsheets (.xls). MS PowerPoint (.ppt) is still being worked on.
- MS Office 2007 formats (OpenXML): .docx, .xlsx, .pptx, ZIP, RAR and 7-Zip archives. Partial support for ZipX.
Furthermore, password-protected PST files can be automatically decrypted without specifying any passwords.

Supplying access credentials
In order to let Intella automatically decrypt the encrypted items that it encounters, their keys (passwords, certificates, etc.) need to be added to the Key Store first. Click File -> Key Store and follow the instructions below. Afterwards you can (re)index your data and let the items be decrypted automatically.

All credentials that you enter will be tried on all encrypted files to which they can apply.
It is therefore not necessary to specify e.g. which password applies to which file or file type.

After indexing you can see which items were successfully decrypted by using the "Decrypted" category in the Features facet or by using the "Decrypted" column in the Details table.

Note: due to technical reasons, decrypted NSF files will not be marked as such.

Password-protected files
Passwords are the simplest type of key. They are used for decrypting PDF and MS Office documents and archives.

You can either add passwords one by one, or load them in batch from a text file: specify a password per line and use UTF-8 encoding for the file.

IBM Notes NSF files
In order to decrypt IBM Notes NSF files, so-called ID files need to be added to the key store. Go to the "IBM Notes ID Files" tab and click "Add...". Enter the location of an ID file and the password associated with the file. Click "OK" to add it to the store. Intella will validate the ID file to make sure you entered the password correctly. Repeat this for all ID files.

S/MIME-encrypted e-mails
To decrypt e-mails with S/MIME encryption, one or more X.509 certificates and private keys need to be added. Go to the "X.509 Certificates" tab and click "Import", then select a PKCS12 archive file (*.p12 or *.pfx file) that contains the keys. Intella will analyze the key file and import all found certificates and keys. Usually you can export the certificates and keys from a mail client in this format. Do not forget to include private keys as they are critical for decrypting the e-mails.

PGP-encrypted e-mails
In order to index PGP-encrypted e-mails you will need to import the PGP private keys. Go to the "PGP Keys" tab and click "Import". Intella can import ASCII armored PGP private keys (*.asc files), but it is also possible to import keys in binary format. An ASCII armored PGP private key usually starts with the following text:
-----BEGIN PGP PRIVATE KEY BLOCK-----

Note: For complete support for S/MIME- and PGP-encrypted e-mails and encrypted MS Office files, the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy files need to be installed. See the Installation chapter for more details.

Importing multiple .p12 files
At the moment it is not possible to enter multiple .p12 files in a single action; they need to be entered one by one. We have put this feature request on our roadmap for future development. Please note that .p12 files can contain multiple certificates.
Therefore, if your environment is able to export multiple certificates into a single .p12 file, or you can find a third party tool that merges them, you can effectively import multiple certificates at once. Furthermore, note that you can copy the keystore files to another case. That way you can reuse the entered credentials if they apply to other cases/evidence sets as well.

Post-processing
After indexing has completed, the case owner can opt to refine the indexing results in a number of ways. These steps are kept separate from indexing as they typically contribute considerably to the processing time and disk space usage and, depending on the case at hand, may not be needed.

Tasks
Intella allows for the definition of tasks. These are essentially compound processing steps such as searching for all items that match a certain keyword or keyword list and tag or export the results. These tasks can be defined and selected during source creation, which will run these tasks right after indexing. The tasks editor

can also be reached by selecting Tasks from the File menu, which allows for defining and running the tasks at any point in time after index creation.

Each task consists of a condition and an action. Currently the following conditions can be defined:
- A keyword search optionally combined with a date range search on all date fields.
- A keyword list search optionally combined with a date range search on all date fields.
- An MD5 list search optionally combined with a date range search on all date fields.
- An arbitrary Saved Search, which can combine all of Intella's search facets.
- A tag, possibly assigned by one of the tasks executed earlier.

All items that match the defined condition have an action applied to them. The following actions can be defined:
- Tag all found items with one or more tags. The tag(s) can optionally be inherited by items in the same family hierarchy and/or by duplicates of the found items.
- Set custodian attributes.
- Flag all found items.
- Add a comment to all found items.
- Export all found items using an export template.
- Export the metadata of all found items to a CSV file. Use the Configure button to set CSV file name and path and to select the metadata fields that are to be included. See also section 21.3, Exporting to a CSV file.
- Start an OCR process on the found items using an external OCR tool or by connecting to an ABBYY Recognition Server. See Chapter 11, Optical Character Recognition (OCR) for details.

When the Deduplicate results option is selected, the items matching the condition will be deduplicated before applying the action.

Tasks can be exported to a file so that they can be reused in other cases. These files are self-contained, i.e. when the task involves MD5 hash lists or keyword lists, these lists are embedded in the task file.

Tasks are executed in the order they have in the task list. This makes it possible to pipeline tasks, e.g.
use one task to assign specific tags to a subset of the items and use a subsequent task that is based on those tags. The order can be changed by selecting a task and using the Move Up and Move Down buttons.

Custodians
The Custodian attribute can be assigned to items after indexing. This can be used to represent the custodian of the evidence items.

To enable automated assigning of multiple custodians in a folder source (10.2.1), the root folder should organize the evidence in subfolders, one subfolder for every custodian. If the evidence folder is structured in this way, the Indexing Tasks sheet in the Source Wizard will contain a Configure custodians button that opens the below dialog:

By default the custodian names are set to equal the subfolder names. It is possible to alter the used custodian names by double-clicking the values in the table. This Custodian value will be assigned to all items obtained from the evidence files within the respective subfolder.

For other types of sources, the Indexing Tasks tab contains a text field for setting a single custodian name.

Besides the above method, the Custodian attributes can also be set or changed using the Set Custodian indexing task with an arbitrary condition, or edited manually in the Details right-click menu.

OCR
OCRing, or applying Optical Character Recognition techniques, is a common way to make the text inside bitmap images responsive to keyword searches. Intella's OCR support is documented in the next chapter.

Thumbnail generation
Cases that rely heavily on viewing collections of images in the Thumbnail view will benefit from pre-creating the thumbnail images in advance. Especially when dealing with digital camera images that each are multiple megabytes in size, the time needed to generate the thumbnail image can make the Thumbnails view appear sluggish. When the thumbnails have been pre-generated, the time needed to populate the view will be a lot shorter and it will be constant with regard to the number of visible images, i.e. the file size of the original image is no longer a factor.

To pre-generate the thumbnail images, select the Generate Thumbnails option from the File menu. The thumbnail generation process will start immediately and show its progress in the main window.

The thumbnail generation process can be cancelled at any point. The thumbnail images that have been generated will be kept. When the user starts the process once more at a later point in time, it will reuse the existing thumbnails and only create the missing thumbnails.

Importing an overlay file
An overlay file is a file that contains additional information about the current items in a case.
By importing the overlay file, the metadata of these items can be extended. Intella currently only supports the importing of tags and tag columns. Importing overlay images, texts, natives and custom columns may be added in a future release.

The following file formats are supported for overlay files:
- Concordance/Relativity load file (.DAT)
- Comma Separated Values file (.CSV)

In order to import an overlay file, select "File -> Import Overlay File..." in the main menu. Next, specify the location of the file and the file format. You can optionally use a previously saved template.

On the "Formatting options" page you can set the file encoding and delimiter settings. Please see the "Adding a load file source" section for a description of these options.

On the "Column mapping" page you need to specify the item identifier column. This is how Intella will match items in the overlay file with items in the case. There are three options for matching items:
- By MD5 Hash. This is the most flexible way of matching items. Using the MD5 hash it is possible to transfer tags from one case to another. Note that the imported tags will be applied to all copies.
- The Item ID is the internal item identifier used by Intella. This is the simplest way to process your data using an external tool and then import the result back into Intella. Note that if the case has been reindexed, the item IDs will no longer match.
- The Item URI is an internal item identifier that is not changed after re-indexing the case, but it may be changed when re-indexed with a newer Intella version. This method can be used to transfer tags when other options are not suitable, e.g. when migrating tags from a case backup to a live case that has been reindexed in the meantime.

You can use the "Tags" field to specify the column that contains the tags. Tag columns can be specified in the table below.

On the next page Intella will automatically validate the load file. Any errors will be shown in the table. It is highly recommended to resolve all errors before importing the overlay file.

Content analysis
The Content Analysis facet allows you to search items based on specific types of entities that have been found in the textual content of these items. Three of the categories in this facet are populated automatically during indexing and are available immediately afterwards.
These are: credit card numbers, social security numbers (SSNs) and phone numbers. Three other categories are more computationally expensive to calculate and therefore require a post-processing step. These categories are: person names, organizations and locations.

To start the content analysis procedure:
- Select one or more items in the Details view.
- Right-click on one of the selected items and select Content Analysis from the popup menu.
- In the dialog window that appears, click Yes if you want to clear the results of the previous analysis or No to add new results to the existing content of these three categories. You can also cancel the content analysis procedure.

The content analysis procedure will open a separate window that shows the progress of the procedure. The procedure can be stopped at any time by clicking on the Cancel button. In this case, the categories will contain information from items processed up to the moment of cancellation. You can continue the processing later on by repeating the steps above on the same set of items and choosing not to clear the existing results (answer No in the dialog window).

The items that have been analyzed can be found by using the Content Analyzed category in the Features facet.

Important: please realize the following aspects of the content analysis procedure:

- Content analysis is a heuristic procedure based on knowledge of certain patterns and correlations that occur in natural language texts. Therefore, the quality of the results may vary within a broad probability range.
- Content analysis works best on English texts. The quality of the results may be poor on texts in other languages.
- Content analysis works best on texts containing properly formulated natural language sentences. Unstructured texts (e.g. spreadsheets) usually lead to poor quality of the results.
- Content analysis is both CPU- and memory-intensive. For adequate performance, please make sure that your computer meets the system requirements and that no other processes are taxing your system at the same time. Use of the 64-bit version of Intella is highly recommended, especially for analyzing large quantities of items. In our experiments the amount of time needed for processing an entire case was roughly similar to the amount of time it took to index the case.

Editing sources
To see the configuration of a source, go to Sources > Edit Sources or type CTRL+E. A dialog will open that displays the list of sources on the left. When you click on a source, its details will be shown in the area to the right of the list. The name and type are shown as well as source type-specific details such as files or folders to index, indexing options, etc. See the section on adding sources above for the precise meaning of these settings per source type.

Only the source name and suspect base time zone are editable; all other options are fixed after source definition. When you change source names, the Apply button will become enabled. Changes will only be applied when you click Apply. If you select a different source or click the Close button without first clicking Apply, a dialog will appear to prompt you to apply the changes, discard the changes, or cancel the operation.

Exceptions report
An indexing exceptions report can be produced by choosing Sources > Exceptions Report.
This produces an XLSX or CSV file that lists all items that had issues during indexing. This can range from minor issues such as date parsing problems to file corruptions that affect the entire item and all nested items.

For every item the following information is listed:
- The item ID. This can be used to quickly locate the item using View > Preview Item. The Previewer will also show a warning icon when displaying such an exception item.
- The MD5 hash. This can be used to locate duplicates of the item within the case or in other cases.
- The source to which this item belongs.

- The file name, file size and detected file type of the problematic item.
- The name of the source in which the item was found.
- The location of the problematic item. This includes both the path to the containing evidence file (e.g. a PST file) as well as the path within that file (e.g. the mail folder and parent e-mail, when the exception occurred on an attachment).
- Information on the parent e-mail if there is any: its item ID, the sender, sent date and subject.
- A warning scope, warning code and warning description. The scope and code are the most useful for end users and are documented below. The description provides a low-level error message that is also contained in the log file and can be used for error diagnosis by Vound's technical support team.

The warning scope indicates the type of data that is affected by the exception. Possible values are:
- Item: the item as a whole is affected.
- Text: the extracted text is affected.
- Metadata: the extracted metadata is affected.
- Embedded: embedded items such as attachments and archive entries are affected. An example is a document that internally references an embedded image but the image is not present in the file, resulting in an error when processing the embedded items of the document. In that case the document gets an error with "Embedded items" as the Warning Scope.

The warning code indicates the nature of the issue. Possible values are:
- Unprocessable items: The data cannot be processed because it is corrupt, malformed or not understood by the processor. Retrying will most likely result in the same result.
- I/O errors: The processing failed due to I/O errors. The processing might succeed in a repeated processing attempt. There can be a lot of reasons for such errors, e.g. a drive that fails to respond, or permissions blocking Intella from accessing it. The indexing logs will have the full error. The difference with the other errors is that the reason is typically external to Intella, which is why retrying indexing may sometimes resolve the issue.
- Decryption failures: The data cannot be processed because it is encrypted and a matching decryption key is not available. The processing might succeed in a repeated processing attempt when the required decryption key is supplied.
- Timeout errors: The processing took too long and was aborted.
- Out of memory errors: The processing failed due to a lack of memory.
- Processing errors: The processing failed due to a problem/bug in the processor. The description should contain the stack trace.

When an item has multiple exceptions, it will occupy several rows in the table.

During indexing Intella tries to prevent processing of duplicate items (detected by their MD5 hash), as their contents by definition will be the same. Therefore an item may occur only once in the exceptions report, even though there can be many copies throughout the case.

All items that produced an exception during indexing can easily be found using the Exception Items category in the Features facet, with subcategories for the warning codes.

The XLSX variant of the exception report additionally holds the following information:
- Number of exceptions per source, subdivided by the warning codes.
- Overall statistics for the warning codes.
- Source-level errors, e.g. broken PST files.

Besides holding more information, the XLSX variant is also better able to handle non-ASCII characters.
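A triage pass over the CSV variant of the exceptions report, added here as an example (it is not part of the manual or of Intella). The column headers, the follow-up labels and the sample rows are assumptions made for the example; the warning scopes and codes are the ones listed above.

```python
import csv
import io
from collections import defaultdict

# Assumed column headers; adjust them to the header row of your own report.
COL_ID, COL_MD5 = "Item ID", "MD5"
COL_SCOPE, COL_CODE = "Warning Scope", "Warning Code"

# Follow-up label per warning code. The labels are this example's own; the
# reasoning follows what the manual says about each code.
ACTION_BY_CODE = {
    "I/O errors": "retry_indexing",          # cause is typically external to Intella
    "Decryption failures": "supply_key",     # may succeed once the key is supplied
    "Unprocessable items": "manual_review",  # a retry will most likely fail again
    "Timeout errors": "investigate",
    "Out of memory errors": "investigate",
    "Processing errors": "investigate",      # description should hold a stack trace
}

# Constructed sample rows, not output of a real case.
SAMPLE_REPORT = """\
Item ID,MD5,Source,Warning Scope,Warning Code
101,0123456789abcdef0123456789abcdef,Mailbox A,Item,I/O errors
102,11111111111111111111111111111111,Mailbox A,Text,Unprocessable items
102,11111111111111111111111111111111,Mailbox A,Embedded items,Processing errors
103,22222222222222222222222222222222,Disk B,Item,Decryption failures
104,33333333333333333333333333333333,Disk B,Metadata,Timeout errors
"""


def triage(report_csv):
    """Merge exception rows per item and build a follow-up list per action."""
    items = defaultdict(lambda: {"md5": "", "scopes": set(), "codes": set()})
    for row in csv.DictReader(io.StringIO(report_csv)):
        # An item with several exceptions occupies several rows: merge them.
        item = items[row[COL_ID].strip()]
        item["md5"] = row[COL_MD5].strip().lower()
        item["scopes"].add(row[COL_SCOPE].strip())
        item["codes"].add(row[COL_CODE].strip())

    actions = defaultdict(set)
    whole_item_md5s = set()
    for item_id, item in items.items():
        for code in item["codes"]:
            actions[ACTION_BY_CODE.get(code, "unknown_code")].add(item_id)
        # Scope "Item" means the item as a whole is affected. Duplicates are
        # processed only once, so the MD5 is what locates the other copies.
        if "Item" in item["scopes"]:
            whole_item_md5s.add(item["md5"])

    return {
        "item_count": len(items),
        "actions": {name: sorted(ids) for name, ids in actions.items()},
        "whole_item_md5s": sorted(whole_item_md5s),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print("items with exceptions:", result["item_count"])
    for action, ids in sorted(result["actions"].items()):
        print(f"{action}: {', '.join(ids)}")
    print("MD5s to look up for unsearchable copies:", result["whole_item_md5s"])
```

The MD5 list is meant for the MD5 facet: an exception row stands for every copy of that item in the case, so the copies have the same gap in the index.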

10.8 Restoring annotations

It may occur that a case will no longer open. Possible causes are unexpected power failures or the incorrect handling of external or network drives, as this can result in the files in the case folder getting damaged to the point where normal handling of the case becomes impossible. When this has happened to your case, it may still be possible to extract the annotations (tags, flags and comments) from the broken case and import them into a backup copy of the case, so that the results of your work on the case are also restored.

To restore the annotations, create a copy of the backed-up case (ideally the back-up has been made right after indexing), open the copy and select "File > Restore Annotations..." in the main menu. Next, select the file named "events.log" in the "audits" subfolder of the case that holds the annotations. The annotations from the broken case will then be imported into the current case copy.

It is important to consider the following:
- The original case has to be indexed with Intella version or later.
- Annotations can be restored only from a copy of the same base case and only if both case copies have not been re-indexed.
- Any annotations that exist in the importing case will be removed before importing. The copy of the current "events.log" file is stored in the "audits" folder as "events.log.old". You can use this copy to restore the state in case this removal was not intended.

11 Optical Character Recognition (OCR)

Cases often contain images with human-readable text in them, e.g. web page screenshots. These images can be embedded in documents, e.g. a scanned or faxed document is packaged as a PDF containing TIFF images, or a chart is embedded as a picture in a Word document. The technique for identifying the text in such images (embedded or not) is called Optical Character Recognition, commonly abbreviated to OCR. Application of such OCR techniques can make the textual contents of these images available for keyword search.

Some modern scanners already apply OCR techniques during scanning and add the extracted text to the PDF. If this is the case, Intella will pick up the text automatically during indexing. Often this machine-accessible text is missing though, or it contains too many recognition errors to be useful for keyword searching. Also, loose images do not come with such text at all. To overcome this, Intella offers OCR support, letting you improve your case index.

Starting OCR

Intella's OCR support is currently a post-processing step, performed manually by the case admin after indexing has completed. In the future we may make this part of the indexing process.

To OCR a collection of search results, you can use the following procedure:
1. Use Ctrl-click or Shift-click to select multiple items in the Details pane, using the table or thumbnails view. Alternatively, right-click and choose Select All to select all items in the list.
2. Right-click and choose OCR Highlighted Item(s). This opens the OCR Wizard. This wizard lets you choose the OCR method and its settings.

OCR methods

Intella currently supports two OCR methods:
- External OCR tool: This method consists of exporting the items as loose files, processing them with the user's preferred OCR software, and importing the OCRed files back into the case.
- ABBYY Recognition Server: This method consists of sending the files to a Recognition Server for processing, automatically incorporating the received results into the case. This method is fully automatic and requires a licensed and configured instance of ABBYY Recognition Server available over the network.

11.3 Using an external OCR tool

To OCR the selected items with an external OCR tool, you initially only need to specify an export folder. Once you click the Export button, Intella will export the items in their original format to the folder. Every file will be named after the MD5 of the item. Note that this means that unique items are only exported once!

Next you can use any OCR tool to process the exported files. In order to import the OCRed files back to Intella, the tool and its configuration should comply with the following requirements:
- The OCR tool must be able to create a single OCRed file for each input file. Put these files in a separate folder.
- The file name of the OCR output must match the original file name, but it may have a different file extension, according to the file type produced by the OCR tool. For example, if the original file name is 6345b60187d08be d7543c54.tif, then the OCRed file name can be 6345b60187d08be d7543c54.txt.
- The OCRed file format must be one of the Intella supported formats, e.g. plain text, PDF, MS Office, etc.

After you have OCRed the files, select "File -> Import OCRed files..." in the main menu. Next, specify the folder where the OCR output is located and click on the Import button. Intella will analyze every file in the specified folder, extract the text and link it to the original item and all its copies. If the original item already had some text, then the OCRed text will be appended to the original text.

Using ABBYY Recognition Server

When you have access to an ABBYY Recognition Server, you can utilize it to OCR selected items in the case fully automatically.

Note: ABBYY Recognition Server 3.5 or 4.0 should be used.

Steps to OCR selected items with ABBYY Recognition Server:
1. Select the desired items and open the OCR Wizard, as described above.
2. Specify the server's IP address. The Service URL field will be populated automatically based on the entered IP address. If you know that your server uses a different URL, you can override it by checking the Use custom service URL check box.
3. Specify the workflow name that should be used. Alternatively you can press the Get list from server button to select a value from all available workflows on that server.
4. Click the OCR button to start the OCR process.

The selected documents will now be sent to the Recognition Server. The results that it sends back will be processed automatically, similar to how the external method works.

Please make sure that your ABBYY Recognition Server is configured correctly:
- A separate document should be generated for each input file.
- The output format is a format that Intella can index.

The following parameters need to be set correctly in the following file (suggested parameters allow for processing files up to 30 MB):

C:\Program Files (x86)\abbyy Recognition Server 3.5\RecognitionWS\web.config

Parameters:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <httpRuntime maxRequestLength="409600" />
  </system.web>
  <system.webServer>
    <security>
      <requestFiltering>
        <requestLimits maxAllowedContentLength=" " />
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>

11.5 Reviewing OCRed items

To find all items in a case that have been OCRed, you can use the OCRed category in the Features facet. This attribute is also reflected in the Details table in the OCRed column. When an OCRed item is previewed, this will be shown as an additional property in the Properties tab.

Note that when the OCR software enhances an existing PDF document by inserting the text in it, this text will be extracted and added to the index, but the binary item stored in the case is not replaced. This means that when exporting or previewing that item, you get the original PDF, not the OCR-enhanced PDF. This will be addressed in a future version.

Warning: After items in a case have been OCRed, the case will not open anymore in Intella 1.7.
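A pre-import check for the external OCR tool workflow of section 11.3, added here as an example (it is not part of the manual or of Intella). It compares the export folder with the OCR output folder against the naming requirements listed there; the function and report key names are hypothetical, and it assumes that the item MD5 used as file name equals the MD5 of the exported file's bytes.

```python
import hashlib
import re
import tempfile
from pathlib import Path

MD5_NAME = re.compile(r"^[0-9a-f]{32}$")
REPORT_KEYS = ("bad_export_name", "altered_export", "orphan_output",
               "multiple_outputs", "empty_output", "missing_output", "importable")


def md5_of(path):
    """MD5 of a file's content (MD5 only because the exports are named by it)."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_ocr_output(export_dir, ocr_dir, verify_content=True):
    """Return a report of files that break the one-output-per-input rules."""
    report = {key: [] for key in REPORT_KEYS}
    exported, altered = {}, set()
    for path in sorted(Path(export_dir).iterdir()):
        if not path.is_file():
            continue
        stem = path.stem.lower()
        if not MD5_NAME.match(stem):
            report["bad_export_name"].append(path.name)
            continue
        exported[stem] = path
        # Assumption: item MD5 == MD5 of the exported bytes. A mismatch means
        # the export was rewritten, e.g. by an OCR tool working in place.
        if verify_content and md5_of(path) != stem:
            altered.add(stem)
            report["altered_export"].append(path.name)

    outputs = {}
    for path in sorted(Path(ocr_dir).iterdir()):
        if path.is_file():
            outputs.setdefault(path.stem.lower(), []).append(path)

    for stem, files in sorted(outputs.items()):
        names = [f.name for f in files]
        if stem not in exported:
            report["orphan_output"].extend(names)   # matches no exported item
        elif stem in altered:
            continue                                # already reported above
        elif len(files) > 1:
            report["multiple_outputs"].append(names)  # must be a single file
        elif files[0].stat().st_size == 0:
            report["empty_output"].extend(names)
        else:
            report["importable"].append(stem)
    report["missing_output"] = sorted(set(exported) - set(outputs))
    return report


if __name__ == "__main__":
    # Constructed demo folders and files, created in a temporary directory.
    with tempfile.TemporaryDirectory() as tmp:
        export_dir, ocr_dir = Path(tmp, "export"), Path(tmp, "ocr")
        export_dir.mkdir()
        ocr_dir.mkdir()
        name = hashlib.md5(b"constructed scan").hexdigest()
        (export_dir / f"{name}.tif").write_bytes(b"constructed scan")
        (ocr_dir / f"{name}.txt").write_text("recognized text")
        (ocr_dir / "readme.txt").write_text("stray file from the OCR tool")
        for key, value in check_ocr_output(export_dir, ocr_dir).items():
            print(f"{key}: {value}")
```

Because imported text is linked to the original item and all its copies, and is appended to any text the item already had, a stray or mismatched file is worth catching before the import rather than after.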

12 Insight view

The Insight tab contains a number of information panels that together give a concise overview of the information inside the case, revealing suspect behavior and giving rise to follow-up investigative questions. The information is extracted from a variety of sources, such as e-mails and documents, web browser histories, Windows registries and more.

Clicking on entries like a document type or custodian name in the Insight tab will add a relevant search for that item category to the Cluster Map in the Search view. The main window will then automatically switch to the Search view as well.

The entire tab can be exported to HTML by clicking on the Export button in the top right corner.

Evidence

The Evidence section shows important global statistics regarding your data. A detailed description of each category can be found in the section explaining the Features facet.

Types

The Types section shows a breakdown of the different types of files and other items in the case. It shows the same hierarchical structure as the Type facet in the Search tab.

Custodians

The Custodians section shows the list of custodians in the case, if any, together with the number of items that are assigned to them. A pie chart showing these amounts is shown to the right of the table. For detailed information on how to define custodians see the section titled Custodians.

Internet Artifacts

The Internet Artifacts section contains information about web browser activity, based on the browser histories detected in the evidence data. All major browsers are supported: MS Internet Explorer/Edge, Mozilla Firefox, Google Chrome and Apple Safari.

The top chart shows the list of encountered browser histories, listing the following information:
- The path of the browser history in the evidence data.
- The type of browser, represented by the browser's desktop icon.
- The number of visited URLs in the browser history, both as a number and as a bar showing the amount relative to the total amount of visited URLs in the entire case.
- The last used date of the browser history, i.e. the last time a new URL was added or a visit count was updated. Note that manual deletions of URLs in the history by the end user are not taken into account when determining the last used dates; it is merely indicative of when the regular day-to-day usage of that browser ended.

At the very top of this list is a row that represents the total amount of visited URLs in the case, regardless of location and web browser type.

Beneath the list of browser histories there is a breakdown of the visited URLs:
- The "Top 100 visited URLs" table shows the most visited URLs, listing for each URL the number of visits as indicated by the browser history.
- The "Top 100 visited domains" table shows the most visited domains, together with the sum of the visit counts of all URLs in that domain. Subdomains are treated as independent domains.
- The panels Social media, Cloud storage, Webmail and Productivity show the number of visits that belong to some commonly used websites, such as Facebook and Twitter for social media, DropBox and OneDrive for cloud storage, Gmail and Yahoo Mail for webmail, etc.

By default this breakdown covers all visited URLs in the case. By clicking on a row in the list of browser histories one can narrow down on the visited URLs in that particular browser history. The selected browser is indicated by the blue URL count bar.

Note: the categories and domains that are checked can be configured by editing the common-websites.xml file in the [CASEDIR]\prefs folder.
Warning: during the development of this functionality we observed that the semantics of a visited URL may differ between browsers, possibly even between browser versions. In some cases it indicates that the user explicitly visited a URL by entering it in the browser's address bar or by clicking a link. In other cases all resources loaded as a consequence of displaying that page may also be registered as visited, even resources from other domains, without making any distinction between the explicitly entered or clicked URLs on the one hand and the other resources on the other hand. One should therefore carefully look at the operation of a specific browser before drawing any final conclusions.

Timeline

The Timeline shows the timestamps of all items in the case over the years or months. This not only gives a rough overview of events over time, but can also be used to find data anomalies, e.g. unexpected peaks or gaps in the volume of e-mails, which for example may be caused by an incomplete capture of evidence files, bugs in the custodian's software, default values entered by client software and actions of malicious custodians (resetting date fields, deleting information).

To the right of the chart are all date fields that Intella currently supports. Each date field shows the number of items that have that date field set. Date fields that do not occur in this case are disabled. (De)selecting one of the checkboxes changes the timeline to include or exclude the counts for that date field.

This update may take some time, depending on the case size and whether a local or remote case is used. The resulting counts are cached so that afterwards the user can toggle that checkbox and see the chart change instantly. The chart can alternatively show months or years.

Note: the Timeline's time axis only shows dates between January and two years from now. This is to prevent obviously incorrect dates that have been extracted from corrupt files from spoiling the graph.

Identities

The Identities section consists of three tables with various types of identities, which may be representing users or other entities.

The User accounts table shows a list of user accounts extracted from the evidence data. These can be:
- Windows user accounts, extracted from Windows registry hives.
- Skype user accounts, extracted from Skype databases. These are the database's local account, not the entire contacts list of that account.
- Pidgin user accounts. Again these are the local accounts, not the entire contact list.
- User accounts in cellphone reports as produced by Cellebrite UFED, Micro Systemation XRY and the Oxygen Forensic suite. See the documentation of the respective product for details on the correct interpretation of such information.

The Origin column in this table shows either a machine name extracted from a Windows registry or the location of the evidence file that the account was extracted from.

The Top 10 addresses table shows the 10 addresses with the highest number of e-mails in the case. Both the raw and deduplicated counts are shown. The top 10 is based on the raw counts.

The Top 10 host names table shows the host names that have the most e-mails associated with them. These are essentially the host names that show up when you expand the All Senders and Receivers branch in the Address facet. Both the raw and deduplicated counts are shown. The top 10 is based on the raw counts.

Notable Registry Artifacts

Note: the information provided in this view is experimental. We greatly value your feedback on this via our support portal at or via our community forum at

The Notable Registry Artifacts (NRA) section gives insight into the most important artifacts extracted from the Windows registry hives of the investigated machines/operating systems.

A case may contain evidence files (usually in the form of disk images) that relate to multiple operating systems (OSes), simply because multiple machines may be involved, but also because a machine may have multiple operating systems installed. Hence the artifacts are grouped by OS, labeled by the Computer Name that was extracted from the registry, and further subdivided in a number of categories.

The following artifact types are currently extracted and reported:
- Basic OS information

- OS time zones
- OS user accounts
- Network interfaces
- Network connections
- USB mass storage devices that have been connected
- Recently used files
- Shellbags
- Typed URLs registered by web browsers using the registry

A registry artifact is a logical concept in Intella that is modeled as an atomic item in the case and that holds important information typically used in digital forensic investigations. This information is specially selected for this purpose by experienced forensic experts. While the properties of a registry artifact may be scattered across different registry hives and backups of these hives, Intella will unify them into a coherent item.

The NRA section is divided into two parts. On the left hand side, labeled Overview, the tree organizing the registry artifacts is shown. The first level nodes represent OSes labeled with the Computer Name extracted from the registry. One level deeper we find sub-nodes for the various registry categories (e.g. User Accounts), followed by leaf nodes representing the actual artifacts (e.g. a specific User Account).

One can select a leaf node in this tree, which will show the properties of that registry artifact in the Details view on the right hand side. Double-clicking on a leaf node opens the registry artifact item in the Previewer. This shows additional information such as the location of the item and allows for browsing to nearby items in the item hierarchy using the Previewer's Tree tab. One can also right-click on a leaf node and select Preview from the context menu.

Right-clicking on a category node (e.g. a User Accounts node) shows a context menu with a Search option. This launches a search for all User Accounts in the Search view. Note that this searches for all user accounts, not just the ones in the currently explored OS.

Besides the regular registry hives, the Windows registry maintains backup files in the form of so-called RegBack files.
Intella will process these files as well and display the extracted data in the NRA section. Values coming from such backup registry hives are marked with a RegBack label and are only displayed when they differ from the corresponding values in the current files. Not doing so would greatly increase the amount of redundant registry information.

Supported registry hives

Intella will process the following registry hives:

Registry Hive Name              Location
SYSTEM, SYSTEM (RegBack)        Windows/System32/config/SYSTEM
                                Windows/System32/config/RegBack/SYSTEM
                                Windows/repair/SYSTEM
NTUSER.DAT                      Found under folder Users/<user id> or Documents and Settings
SOFTWARE, SOFTWARE (RegBack)    Windows/System32/config/SOFTWARE
                                Windows/System32/config/RegBack/SOFTWARE
                                Windows/repair/SOFTWARE
SAM, SAM (RegBack)              Windows/System32/config/SAM
                                Windows/System32/config/RegBack/SAM
                                Windows/repair/SAM

Note: registry artifacts can be extracted from disk images and folders only if all relevant files are located in the proper folders, e.g. Windows\System32\config\SYSTEM.

Note: support for Windows XP and older is limited.

Operating system information

This category contains only one item, named after the computer name stored in the registry. The properties of the OS Info item are extracted from the SOFTWARE and SYSTEM hives and the corresponding backup files.

Keys extracted from SOFTWARE\Microsoft\Windows NT\CurrentVersion are:
- ProductName
- ProductId
- CurrentVersion
- RegisteredOwner
- RegisteredOrganization
- InstallDate

Keys extracted from SYSTEM\CurrentControlSetXXX are:
- ComputerName
- ShutdownTime

Time zones

The Time Zones category provides the time zone of the suspect's machine. The properties of the time zone artifact are extracted from SYSTEM\CurrentControlSetXXX\Control\TimeZoneInformation.

The following keys are extracted from the hive and make up a time zone artifact:
- ActiveTimeBias
- Bias
- StandardBias
- DaylightBias
- TimeZoneKeyName
- DaylightName
- StandardName
- DynamicDaylightTimeDisabled
- DisableAutoDaylightTimeSet
- DaylightStart
- StandardStart

User accounts

The User Accounts category contains all user accounts detected in an OS. The user accounts are found and extracted from the SAM hive and the corresponding backup files from SAM\Domains\Account\Users.

The following keys are extracted from the hive:
- User RID Key/F:
  o Last Login Date
  o Password Reset Date
  o Account Expiration Date
  o Last Failed Login
  o Login Count
  o Password Required
- User RID Key/V:
  o Privilege Level
  o User Name
  o User Description
- UserPasswordHint
- ForcePasswordReset

Network interfaces

The Network Interfaces category contains all network adapters registered in the registry of an investigated OS. Information about network interfaces is extracted from the SYSTEM and SOFTWARE registry hives and their backup files.

The following keys found in SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\<ID> refer to basic network interface properties:
- Service Name (it is used as a lookup reference for DHCP settings)
- Description

The DHCP settings are obtained from the following keys in SYSTEM\currentControlSetNameXXX\Services\Tcpip\Parameters\Interfaces\<Name>:
- LeaseObtainedTime
- LeaseTerminatesTime
- T1
- T2
- DhcpIpAddress
- DhcpDefaultGateway
- DhcpNameServer
- DhcpServer
- DhcpSubnetMask
- DhcpDomains
- EnableDHCP

Network connections

The Network Connections category contains all connections to networks stored and extracted from the Windows registry. Information about registered network connections is obtained from a single place:

SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\<ProfileName>

USB mass storage devices

Under USB Mass Storage Devices one can find data about USB devices that have been connected to the machine(s) being investigated. When a user connects a USB device, the Windows operating system keeps track of that device in the registry. All relevant data are distributed across the SOFTWARE and SYSTEM registry hives and their backups. Besides the hives, certain USB-related information can be found in the setupapi.dev Windows log files.

In the SYSTEM hive all data about USB drives are stored in the CurrentControlSetXXX\Enum\USBSTOR branch. Under its sub-key MountedDevices, the Windows registry registers USB device connections in registry values having the DosDevices keyword in their value name. Besides the keyword, the key name contains a device GUID value. The signature of the connected device is stored as a byte array in the registry value. The USB vendor name is stored in CurrentControlSetXXX\Enum\USB.

The SOFTWARE hive stores information about connected portable devices. The names of the portable devices can be found at Microsoft\Windows Portable Devices\Devices.

Device installation dates are stored in the textual setupapi.dev files. Intella searches for sections containing the USBSTOR keyword and extracts device identifier and device installation dates from them.

Recent files

Information about the most recently used files is extracted from the NTUSER registry hive. All relevant information is found in the following location: Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\<extension>.

Recent files are grouped by file extension. For each file extension the registry maintains a separate MRU list.
The last access timestamp is stored only for the most recent items of each extension. For the rest of the items Intella provides users with an estimated time period, based on the order of the items in the MRU lists. Furthermore the files accessed before and after the current file are shown in the Details view.

Shellbags

The Shellbags category contains all shellbags extracted from registry hives. A shellbag is a registry item that stores data about user actions in a Windows file system folder. Extracted are Access, LastModified, LastExplored and Create dates, the size of the folder and information about the OS user that accessed or modified the folder.

All relevant information (registry keys) is extracted from the NTUSER.DAT registry hive in the following branches:
- Software\Microsoft\Windows\Shell
- Software\Microsoft\Windows\ShellNoRoam
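The USB mass storage devices and Time zones sections above, combined in an added example (it is not Intella's code and not part of the manual): it finds the USBSTOR sections in a setupapi.dev log, keeps the earliest installation time per device, and converts that local time to UTC with the ActiveTimeBias value of the time zone artifact. The log excerpt and the bias value are constructed, the function names are hypothetical, and only section headers of the form USBSTOR\<device id>\<instance id> are handled.

```python
import re
from datetime import datetime, timedelta, timezone

# Section header that names a USBSTOR device instance path.
HEADER = re.compile(
    r"^>>>\s+\[.*?USBSTOR\\(?P<dev>[^\\\]]+)\\(?P<inst>[^\]]+)\]\s*$", re.I)
START = re.compile(
    r"^>>>\s+Section start (\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\.(\d{3})")
FIELD = re.compile(r"(?:^|&)(Ven|Prod|Rev)_([^&]*)", re.I)

# Constructed log excerpt; device names and serial are made up.
SAMPLE_LOG = r"""
>>>  [Device Install (Hardware initiated) - USB\VID_0000&PID_0000\5&1234&0&2]
>>>  Section start 2016/03/14 09:15:01.000
<<<  Section end 2016/03/14 09:15:01.900
<<<  [Exit status: SUCCESS]

>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Example&Prod_FlashDrive&Rev_1.00\AA00000000000001&0]
>>>  Section start 2016/03/14 09:15:02.250
     dvi: constructed detail line
<<<  Section end 2016/03/14 09:15:04.100
<<<  [Exit status: SUCCESS]

>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Example&Prod_FlashDrive&Rev_1.00\AA00000000000001&0]
>>>  Section start 2016/05/01 18:00:00.000
<<<  Section end 2016/05/01 18:00:01.000
<<<  [Exit status: SUCCESS]
"""


def signed_dword(value):
    """Registry DWORDs are unsigned; ActiveTimeBias is a signed minute count."""
    return value - (1 << 32) if value & 0x80000000 else value


def to_utc(local_time, active_time_bias):
    """UTC = local time + bias. Caveat: ActiveTimeBias is the bias in effect
    when the hive was last written, which can differ from the bias at install
    time when a daylight saving switch lies in between."""
    utc = local_time + timedelta(minutes=signed_dword(active_time_bias))
    return utc.replace(tzinfo=timezone.utc)


def usb_first_installs(log_text, active_time_bias):
    """Earliest logged installation per USBSTOR device, sorted by UTC time."""
    devices, current = {}, None
    for line in log_text.splitlines():
        if line.startswith(">>>") and "[" in line:      # a new section begins
            match = HEADER.match(line)
            current = (match["dev"], match["inst"]) if match else None
            continue
        start = START.match(line)
        if not (start and current):
            continue
        local = (datetime.strptime(start[1], "%Y/%m/%d %H:%M:%S")
                 + timedelta(milliseconds=int(start[2])))
        dev, inst = current
        current = None
        fields = {k.lower(): v for k, v in FIELD.findall(dev)}
        entry = devices.setdefault((dev.upper(), inst.upper()), {
            "vendor": fields.get("ven", ""), "product": fields.get("prod", ""),
            "revision": fields.get("rev", ""), "instance_id": inst,
            "first_install_local": local, "sections": 0})
        entry["sections"] += 1
        entry["first_install_local"] = min(entry["first_install_local"], local)
    for entry in devices.values():
        entry["first_install_utc"] = to_utc(entry["first_install_local"],
                                            active_time_bias)
    return sorted(devices.values(), key=lambda e: e["first_install_utc"])


if __name__ == "__main__":
    # 0xFFFFFFC4 is -60 minutes as a DWORD, i.e. a machine running at UTC+1.
    for device in usb_first_installs(SAMPLE_LOG, 0xFFFFFFC4):
        print(device)
```

The setupapi.dev timestamps are written in the machine's local time, which is why the same log can yield different UTC times depending on the time zone artifact of the OS it came from.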

Typed URLs

The Typed URLs category contains the most recent URLs of webpages that a user has visited with the MS Internet Explorer or MS Edge browsers. This information is extracted from the NTUSER.DAT registry hive in the Software\Microsoft\Internet Explorer\TypedURLs branch.

Devices

The Devices section contains a list of all USB mass storage devices that have been connected to the suspect machines. This information is taken from the Notable Registry Artifacts section. It provides the ability to quickly oversee and sort all devices found in the case.

Networks

The Networks section contains a list of wired and wireless networks that a suspect machine has been connected to. This information is taken from the Notable Registry Artifacts section and from cellphone reports. It provides the ability to quickly oversee and sort all networks found in the case.

Significant Words

The Significant Words panel visualizes important words encountered in the item texts in the case, based on a statistical model of term relevance. The bigger the font of a particular word, the higher the relevance that word may have for the data set at hand.

These results are purely suggestive: though they are based on commonly used information retrieval techniques, they only look at the evidence data. In particular, they do not take the investigative research questions into account, or any investigative results such as items tagged as relevant.

Workflow

The Workflow section lists additional tasks that one might consider after the initial indexing is done. These tasks can further refine the case index quality and kick-start the investigation and analysis phases.

Additional Processing category:
- The OCR images and empty documents link opens the OCR wizard and will process all items that fall into the Images category in the Type facet and Empty Document category in the Features facet.
- The Export encrypted items link opens up the Export wizard for all items that are encrypted but have not been decrypted. Export encrypted items list exports the metadata of these items to a CSV file.
- The Export unprocessed items link opens up the Export wizard for all items that fall into the Extraction Unsupported category in the Features facet. Export unprocessed items list exports the metadata of these items to a CSV file.
- The Export exception items link opens up the Export wizard for all items that fall into the Exception Items category in the Features facet. Export exception items list exports the metadata of these items to a CSV file.

Search & Analysis category:

- The Generate thumbnails link initiates the thumbnail generation process for all items in the case. Doing so will speed up the performance of the Thumbnails results view and the Previewer's Thumbnails tab.
- The Run content analysis link initiates the content analysis procedure for all items in the case. This detects person, organization and location names used in the item texts and reports them in the Content Analysis facets.
- Add keyword list adds a keyword list to the case, for use in the Keyword Lists facet or Keywords tab in the Statistics view.
- Add MD5 list adds an MD5 or message hash list, for use in the MD5 and Message Hash facet.
- Add saved search adds a saved search obtained from another case to this case, for use in the Saved Searches facet and Keywords tab in the Statistics view.
- Add task adds a post-processing task (e.g. running a keyword list and tagging the results), to be used during post-processing or on-demand via the Tasks option in the File menu.

Report category:
- The Export n events link opens the Export Event Log window, letting one export all or selected case events. These events capture all actions that have taken place inside the case since the start of its existence, such as source creation and indexing, searching, tagging and exporting. These events include the user that took the action and the time the action took place.
- Open log folder opens the folder where the case's log files are stored in Windows Explorer.

13 Keyword search

To search for text, enter a query in the Search panel and click the Search button. For query syntax rules, refer to the Search query syntax section below.

Note: Due to technical limitations a search on the Comments field cannot be combined with a search on other fields.

Search options

With search options you can limit keyword searching to specific item parts or attributes:
- Text
- Title / Subject
- Summary & Description
- Path & File name
- Message Headers
- Raw Data (e.g. low-level data from PST files, MS Office documents, vcards)
- Comments
- Authors & Addresses
- Each of the From, Sender, To, Cc and Bcc fields separately
- Export IDs

To see the search options, click the Options button under the search text field. The options box will be displayed as a popup menu below the button. Select the options for properties that you want to include in your search, and deselect those you want to exclude. Your selected search options will be stored and used for future searches until you change them.

The Options box also has a checkbox for setting whether the excluded paragraphs should be taken into account. By default this is turned on. Uncheck this checkbox to search the entire document text again.

Note: As a reminder, the Options button will show a yellow triangle when not all options are selected.

To hide the options box, click the Options button again. If you have made any changes, the icon on the Options button will change to a yellow warning sign as a reminder that you have changed options that will affect your searches.

Search query syntax

In the text field of the Search panel you can use special query syntax to perform complex multi-term queries and use other advanced capabilities.

Tip: You can also see the list below by clicking on the question mark button in the Search panel.

Lowercase vs. uppercase

Keyword searches work in a case-insensitive manner: during indexing all characters are lowercased, as are the characters in a keyword query. This means that the query "john" will match with "john", "John" and "JOHN".

Use of multiple terms (AND/OR operators)

By default, a query containing multiple terms matches with items that contain all terms anywhere in the item. For example, searching for:

    john johnson

returns all items that contain both john and johnson. There is no need to add an AND (or &&), as searches are performed as such already; however, doing so will not negatively affect your search. If you want to find items containing at least one term but not necessarily both, use one of the following queries:

    john OR johnson
    john || johnson

Minus sign (NOT operator)

The NOT operator excludes items that contain the term after NOT:

    john NOT johnson
    john -johnson

Both queries return items that contain the word john and not the word johnson.

    john -"john goes home"

This returns all items with john in it, excluding items that contain the phrase "john goes home".

The NOT operator cannot be used with a single term. For example, the following queries will return no results:

    NOT john
    NOT john johnson

Phrase search

To search for a certain phrase (a list of words appearing right after each other and in that particular order), enter the phrase within full quotes in the search field:

    "john goes home"

will match with the text "John goes home after work" but will not match the text "John goes back home after work".

Phrase searches also support the use of nested wildcards, e.g.

    "john* goes home"

will match both "John goes home" and "Johnny goes home".

Grouping

You can use parentheses to control how your Boolean queries are evaluated:

    (desktop OR server) AND application

retrieves all items that contain desktop and/or server, as well as the term application.

Single and multiple character wildcard searches

To perform a single character wildcard search you can use the ? symbol. To perform a multiple character wildcard search you can use the * symbol.

To search for next or nest, use:

    ne?t

To search for text, texts or texting use:

    text*

The ? wildcard matches with exactly one character. The * wildcard matches zero or more characters.

Fuzzy search

Intella supports fuzzy queries, i.e., queries that roughly match the entered terms. For a fuzzy search, you use the tilde ( ~ ) symbol at the end of a single term:

    roam~

returns items containing terms like foam, roams, room, etc.

The required similarity can be controlled with an optional numeric parameter. The value is between 0 and 1, with a value closer to 1 resulting in only terms with a higher similarity matching the specified term. The parameter is specified like this:

    roam~0.8

The default value of this parameter is

Proximity search

Intella supports finding items based on words that are within a specified maximum distance from each other in the item's text. This can be seen as a generalization of a phrase search. To do a proximity search you place a tilde ( ~ ) symbol at the end of a phrase, followed by the maximum word distance:

    "desktop application"~10

returns items with these two words in it at a maximum of 10 words distance.

Like phrase searches, proximity searches also support nested wildcards.

Field-specific search

Intella's Keyword Search searches in document texts, titles, paths, etc. By default, all these types of text are searched through. You can override this globally by deselecting some of the fields in the Options, or for an individual search by entering the field name in your search.

    title:intella

returns all items that contain the word intella in their title.

The following field names are available:

- text - searches in the item text
- title - searches in titles and subjects
- path - searches in file and folder names
- summary - searches in descriptions, metadata keywords, etc.
- agent - searches in authors, contributors and senders and receivers
- from - searches in From fields
- sender - searches in Sender fields
- to - searches in To fields
- cc - searches in Cc fields
- bcc - searches in Bcc fields
- headers - searches in the raw headers
- rawdata - searches in raw document metadata
- comment - searches in all comments made by reviewer(s)
- export - searches in the export IDs of the items that are part of any export set

You can mix the use of various fields in a single query:

    intella agent:john

searches for all items containing the word intella (in one of the fields selected in the Options) that have john in their author metadata or senders and receivers.

Special characters

The following characters need to be escaped before they can be used in a query:

    + - && || ! ( ) { } [ ] ^ " ~ * ? : \ /

They can be escaped by prefixing them with a \ character.

Note: During indexing most of the characters in this list are typically filtered out and will never make it into the index. The rules for handling specific characters depend on the context in which they occur. For instance, punctuation characters like dots ('.') or dashes ('-') are significant within numbers, addresses or host names, while being ignored (i.e. interpreted as whitespaces) between regular words. In the latter case, escaping them in the query will not make them searchable.

Regular expressions

This release contains experimental support for searching with regular expressions. This will be extended, refined and documented in a future release. For now, please visit for more information.

Be aware that these regular expressions are evaluated on the terms index, not on the entire document text as a single string of characters! Your search expressions should therefore take the tokenization of the text into account.
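The difference between matching a regular expression against indexed terms and against the raw text, as an added example that is not part of the manual and not Intella's code. The tokenizer, the whole-term matching and the sample documents are assumptions made for illustration; they only follow the manual's statements that terms are lowercased and that dashes stay significant inside numbers.

```python
import re

# Constructed sample documents (not real case data).
DOCS = {
    1: "Wire transfer approved. Invoice INV-20417 attached.",
    2: "Please wire the funds, then transfer ownership.",
    3: "Call me re: invoice inv-20418, no wire needed",
}


def tokenize(text):
    """Toy tokenizer (assumption, not Intella's): lowercase, split on
    whitespace, keep dots/dashes inside chunks that contain a digit or '@',
    and treat other punctuation as a separator."""
    terms = []
    for chunk in text.lower().split():
        chunk = chunk.strip(".,;:!?()[]{}\"'")
        if not chunk:
            continue
        if "@" in chunk or any(c.isdigit() for c in chunk):
            terms.append(chunk)
        else:
            terms.extend(t for t in re.split(r"[\W_]+", chunk) if t)
    return terms


def build_terms_index(docs):
    """Map every term to the set of documents that contain it."""
    index = {}
    for doc_id, text in docs.items():
        for term in tokenize(text):
            index.setdefault(term, set()).add(doc_id)
    return index


def regex_search_terms(index, pattern):
    """Evaluate the pattern against each indexed term separately.
    Whole-term matching is an assumption of this sketch."""
    rx = re.compile(pattern)
    hits = set()
    for term, doc_ids in index.items():
        if rx.fullmatch(term):
            hits |= doc_ids
    return hits


def regex_search_raw(docs, pattern):
    """What an examiner might expect: the pattern run over the full text."""
    rx = re.compile(pattern, re.IGNORECASE)
    return {doc_id for doc_id, text in docs.items() if rx.search(text)}


INDEX = build_terms_index(DOCS)

if __name__ == "__main__":
    for pattern in (r"wire\s+transfer", r"inv-\d{5}", r"INV-\d{5}", r"transf.*"):
        print(f"{pattern!r:22} raw={sorted(regex_search_raw(DOCS, pattern))} "
              f"terms={sorted(regex_search_terms(INDEX, pattern))}")
```

A pattern that spans whitespace or contains uppercase letters finds nothing in the terms index even though the text is present, so an empty result for such an expression is not evidence of absence.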

14 Using facets

Besides keyword searching, the indexed items can be browsed by facets, which represent specific item properties. Every facet organizes the items into groups (possibly hierarchical) depending on a specific item property.

Selecting a facet in the Facet panel will give you a list of all values of the selected facet in the lower part of the panel. In the example on the right, the Type facet has a list of file types as values.

To search for items that match with a facet value, select the facet value and click the Search button.

Tip: To export facet information, (1) select a facet, (2) open the context menu - right mouse click - on the facet values, and (3) select Export values. This will open the Export values dialog. Choose a file name and folder and save the export file. The CSV file will contain the facet values (e.g. file types, addresses, folder names), their total counts in the case, and their currently shown counts, which represent the overlap with the currently shown search results.

Available facets

Saved Searches

The Saved Searches facet is a list of previous sets of searches that the user has stored.

When there are search results displayed in the Cluster Map and the Searches list, the Save button beneath the Searches list will be enabled. When the user clicks this button, a dialog opens that lets the user enter a name for the saved search. A default name will be suggested based on the current searches. After clicking on the OK button, the chosen name will appear in the list in the Saved Searches facet.

Click on the name of the saved search and then on the Restore button to bring the Cluster Map and the Searches list back into the state it had when the Save option was used.

The Replace current results checkbox controls what happens with the currently displayed searches when you restore a saved search. When turned on, the Cluster Map and Searches list will be emptied first. When turned off, the contents of the saved search will be appended to them.
The Combine queries checkbox can be used to combine the result sets of all parts of the saved search into a single result set. This is for example useful when the various parts conceptually are meant to find the same set of items, just in a technically different way. Examples are different complex Boolean queries, which could have been combined into a single Boolean OR query but that the user prefers to keep separate in the saved search definition.

Saved searches can be shared across cases. To transfer a saved search, right-click on the saved search in the list and select Export search. The search is then exported as an XML file that can then be imported into any other case by right-clicking in this list and selecting Import searches.

Saved searches are grouped by the user who made them. Depending on the Intella version used to create the case, a Default searches branch may also be present with pre-defined saved searches.

Features

The Features facet allows you to identify items that fall in certain special purpose categories:

- Encrypted: all items that are encrypted. Example: password-protected PDF documents. If you select Encrypted and click the search button, you will be shown all items that are encrypted.
  Note: Sometimes files inside an encrypted ZIP file are visible without entering a password, but a password still needs to be entered to extract the file. Such files cannot be exported with Intella if the password has not been provided prior to indexing. In this case both the ZIP file and its encrypted entries will be marked as Encrypted, so searching for all encrypted items and exporting those will capture the parent ZIP file.
- Decrypted: all items in the Encrypted category that Intella was able to decrypt using the specified access credentials.
- Unread: all emails that are marked as "unread" in the source file. Note that this status is not related to previewing in Intella.
  Note: This property is only available for PST and OST emails and some cellphone dumps. If the Unread property is not set, it could mean that either the item was not read or that the property is not available for this item. Some tools allow the user to reset a message's unread status, so even when the flag is set, it cannot be said with certainty that the message has not been read.
- Empty document: all items that have no text while text was expected. Example: a PDF file with only images.
- Has Duplicates: all items that have a copy in the case, i.e. an item with the same MD5 or message hash.
- OCRed: indicates whether the item has been OCRed after indexing. See the separate chapter on OCRing of documents and images.
- Content Analyzed: all items for which the Content Analysis procedure has been applied.
- Exception items: all items that experienced processing errors during indexing. This has six subcategories that match the warning codes in the exception report:
  o Unprocessable items: the data cannot be processed because it is corrupt, malformed or not understood by the processor. Retrying will most likely result in the same result.
  o I/O errors: the processing failed due to I/O errors. The processing might succeed in a repeated processing attempt.
  o Decryption failures: the data cannot be processed because it is encrypted and a matching decryption key is not available. The processing might succeed in a repeated processing attempt when the required decryption key is supplied.
  o Timeout errors: the processing took too long and was aborted.
  o Out of memory errors: the processing failed due to a lack of memory.
  o Processing errors: the processing failed due to a problem/bug in the processor. The description should contain the stack trace.

- Unsupported: all items that are larger than zero bytes, whose type could be identified by Intella, are not encrypted, but for which Intella does not support content extraction. An example would be AutoCAD files: we detect this image type but do not support extracting any content out of it.
- Irrelevant: all items that fall into one of the categories below and that themselves are considered to be of little relevance to a review (as opposed to their child items):
  o Folders
  o Email containers (PST, NSF, Mbox, ...)
  o Disk images (E01, L01, DD, ...)
  o Cellphone reports (UFDR, XRY XML, ...)
  o Archives (ZIP, RAR, ...)
  o Executables (EXE, BAT, ...)
  o Load files (DII, DAT, ...)
  o Empty (zero byte) files
- Recovered: all items that were deleted from a PST, NSF or EDB file and that Intella could still (partially) recover. These are the items that appear in the artificial <RECOVERED> and <ORPHAN ITEMS> folders of these files in the Location facet. This branch has four sub-branches, based on the recovery type and the container type:
  o Recovered from PST.
  o Orphan from EDB.
  o Orphan from NSF.
  o Orphan from PST.
- Attached: all items that are attached to an email. Only the direct attachments are reported; any items nested in these attachments are not classified as Attachment.
- Embedded: all items that have been extracted from a document, spreadsheet or presentation.
- Tagged: all items that are tagged.
- Flagged: all items that are flagged.
- Commented: all items that have a comment.
- Previewed: all items that have been opened in Intella's previewer.
- Opened: all items that have been opened in their native application.
- Exported: all items that have been exported.
- Redacted: all items that have one or more parts blacked out due to redactions. Items on which the Redact function has been used but in which no parts have actually been marked as redacted are not included in this category.
- All items: all items (non-deduplicated) in the entire case.

Note: In cases in which multiple users have worked, i.e. shared cases or cases with imported Work Reports, the Previewed, Opened, Exported, Commented, Tagged and Flagged nodes shown in the Facet panel will have subnodes, one node for each user.

Tags

Tags are labels defined by the user to group individual items. Typically used tags are for example "relevant", "not relevant" and "legally privileged". Tags are added to items by right-clicking in the Results table or the Cluster Map and choosing the Add Tags option. Tags can also be added in the Previewer. The exact procedure is described in other sections of this manual.

To search for all items with a certain tag, select the tag from the Tags list and click the Search button below the list.

When tags have been added by different users in the same case, the tag node will have sub-nodes for each individual user. These sub-nodes can be used to search for all items that have been tagged with that tag by that user.

Custodians

Custodians are assigned to items to indicate the owner from whom an evidence item was obtained. The Custodians facet lists all custodian names in the current case and allows searching for all items with a certain attribute value.

Custodian name attributes are assigned to items either automatically (see the section on custodian name postprocessing) or manually in the Details panel. To assign a custodian to items selected in the Details panel, use the Set Custodian option in the right-click menu. To remove custodian information from selected items, choose the Clear Custodian option.

To change a custodian's name, select it in the list and choose Edit custodian name in the right-click menu. To delete a custodian from the case and clear the custodian attribute in all associated items, select the value in the facet panel and choose Delete in the right-click menu.

Location

This facet represents the folder structure inside your sources. Select a folder and click Search to find all items in that folder.

When Search subfolders is selected, the selected folder, all items in that folder, and all items nested in subfolders will be returned, i.e. all items in that entire sub-tree. When Search subfolders is not selected, only the items nested in that folder will be returned. Items nested in subfolders will not be returned, nor will the selected folder itself be returned.

When your case consists of a single indexed folder, then the Location tree will show a single root representing this folder. Selecting this root node and clicking Search with Search subfolders switched on will therefore return all items in your case.

When your case consists of multiple mail files that have been added separately, e.g. by using the PST and NSF source types in the New Source wizard, then each of these files will be represented by a separate top-level node in the Location tree.

Address

This facet represents the names and/or addresses of persons involved in sending and receiving emails. The names are grouped in the following categories:

- From
- Sender
- To
- Cc
- Bcc

- Addresses in Text
- All Senders (From, Sender)
- All Receivers (To, Cc, Bcc)
- All Senders and Receivers
- All Addresses

The first five categories list addresses found in the corresponding message headers.

Most emails typically only have a From header, not a Sender. The Sender header is often used in the context of mailing lists. When a list server forwards a mail sent to a mailing list to all subscribers of that mailing list, the message sent out to the subscribers usually has a From header representing the conceptual sender (the author of the message) and a Sender header representing the list server sending the message to the subscriber on behalf of the author.

The "All Senders", "All Receivers" and "All Senders and Receivers" categories group addresses into specific sender or recipient roles, abstracting from the specific header that was used. The "Addresses in Text" category lists addresses that are mentioned in message and document bodies. "All Addresses" groups together all other categories and thus contains all addresses found anywhere in either message headers or textual content.

Sorting and grouping

The contacts can be sorted alphabetically by addresses (the default order), by the contact name associated with them or by the number of items associated with this contact. To change the sorting method, right-click anywhere in the facet and choose the desired sorting method from the Organize menu.

The addresses can optionally be grouped by the host name used in the address. To enable or disable grouping, select the "Group by host name" option in the "Organize" section of the context menu. Enabling this option adds another level of nodes to the tree, representing the host names.

Filtering on text

To quickly find specific addresses, contact names or host names, it is possible to filter the facet content to only display the values that contain a specific substring. To filter the contacts in a specific category, expand the tree branch and click on the button below the tree. In the text field that appears enter the text. The tree will be filtered to show only those contacts whose contact name or address matches the entered text. To cancel filtering and hide the text field, click the filter button again or press Escape.

Filtering on presence in the current search results

To display only the highlighted addresses, i.e. the addresses that occur in the currently visible or selected search results, click on the button. To return to displaying all addresses, just click this button again. This type of filtering is removed automatically when a different branch is expanded, the selection in the facet or Cluster Map changes or when the sorting or grouping mode changes. This filter can be used in combination with the text filter.

Phone Number

This facet lists phone numbers observed in phone calls, SMS and MMS messages extracted from cellphone reports. Furthermore this includes phone numbers listed in PST contacts and vcard files.

The incoming and outgoing branches are specific to phone calls and SMS/MMS messages. The All Phone Numbers branch combines all of the above contexts.

Depending on the type of evidence files and their contents, the phone numbers may or may not have a name associated with them.

This facet also supports the filtering options described in the Address section.

Chat Account

This facet lists chat accounts used to send or receive chat messages, such as Skype and WhatsApp account IDs. Phone numbers used for SMS and MMS messages are also included in this facet.

Each chat account has the service (e.g. Skype) added as a suffix to the identifier, in order to be able to distinguish the same identifier on different chat networks.

Depending on the type of evidence files and their contents, the chat accounts may or may not have a human-readable name associated with them.

This facet also supports the filtering options described in the Address section.

Date

This facet lets the user search on date ranges by entering a From and To date. Please note that the date entered in the To field is considered part of the date range.

Besides start and end dates, Intella lets the user control which date attribute(s) are used:

- Sent (e.g. all items)
- Received (e.g. all items)
- File Last Modified (e.g. file items)
- File Last Accessed (e.g. file items)
- File Created (e.g. file items)
- Content Created (e.g. file items and items from PST files)
- Content Last Modified (e.g. file items and items from PST files)
- Primary Date
- Family Date
- Last Printed (e.g. documents)
- Called (e.g. phone calls)
- Start Date (e.g. meetings)
- End Date (e.g. meetings)
- Due Date (e.g. tasks)

The Date facet will only show the types of dates that actually occur in the evidence data of the current case.

Furthermore it is possible to narrow the search to only specific days or specific hours. This makes it possible to e.g. search for items sent outside of regular office hours.

Note that the Preferences dialog has a setting that controls how dates are displayed: by selecting a geographic region, all dates will be displayed in a manner commonly used in that region.

Type

This facet represents the file types (Microsoft Word, PDF, JPEG, etc.), organized into categories like Documents, Spreadsheets, etc. To refine your query with a specific file type, select a type from the list and click Search.

Note that you can search for both specific document types like PNG Images, but also for the entire Image category.

Empty (zero byte) files are classified as Empty files in the Others branch, regardless of their file extension.

Author

This facet represents the name(s) of the person(s) involved in the creation of documents. The names are grouped into two categories, as is done in most office formats:

- Creator
- Contributor

To refine your query by a specific creator or contributor name, select the name and click the Search button.

This facet also supports the filtering options described in the Address section.

Content Analysis

The Content Analysis facet allows you to search items based on specific types of entities that have been found in the textual content of these items.

The top three categories are populated automatically during indexing and are available immediately afterwards:

- Credit Card Numbers: suspected numbers of the major world-wide credit card systems (Visa, MasterCard, American Express and others). The numbers are validated using the procedures defined in the ISO/IEC standard.
- Social Security Numbers: suspected SSN numbers issued by the United States Social Security Administration.
- Phone Numbers: suspected phone numbers.

The next three categories are empty by default. To populate them, a user needs to perform the automatic content analysis procedure on a selected set of items, see the Sources chapter. Afterwards, the following three branches will be added:

- Person name
- Organization: e.g. company names
- Location: names of cities, countries, etc.

Note that the techniques used to determine these entities are heuristic by nature and therefore typically produce a certain amount of false positives.

This facet also supports the filtering options that are available in the Address facet.

Keyword Lists

In the Keyword List facet you can load a keyword list, for automating searching with sets of previously determined queries.

The most basic keyword list is a text file in UTF-8 encoding that contains one search term per line. Once loaded, all the search terms found in the keyword list are shown in the Keyword Lists facet. They are now available for searching: just select one or more queries, or select the name of the keyword list, and click the Search button to search with these queries.

When the Combine queries checkbox is selected and you have multiple queries selected, they will be combined into one query, effectively creating a single Boolean OR query. The matching items are then returned as a single set of results. When the checkbox is deselected, the selected queries will be evaluated separately, resulting in as many result sets as there are selected queries in the list. This may cause the Cluster Map to turn to Sets mode to handle a large amount of result sets.

Keyword lists can also use more advanced queries. The complete keyword search query syntax is supported here, e.g. wildcards, Boolean operators and field names can be used.

Besides searching, keyword lists can also be used to tag items. To do this, select the keyword list and click the Auto-tag button. A window will open that lists the queries in the first column and the proposed tag in the second column. When you click Apply, each query in the first column will be evaluated separately and have its results tagged with the proposed tag.

By default, the proposed tags are the queries themselves. You can change this interactively in the table by clicking on the proposed tag and entering a new value. Alternatively, a keyword list can take the form of a CSV file in which the first column specifies the query and subsequent columns specify the tags. Use slashes to denote hierarchical tags. If a line has only one column, the proposed tag will default to the query text itself.

As keyword lists are essentially CSV files, it is not recommended to use commas in queries, because they result in a different interpretation of the keyword list. If a comma in a query is required, you can wrap the entire query in quotes.

The tags specified in the CSV file will be mapped to or result in the creation of top-level tags. It is not possible to specify nested tags.

MD5 and Message Hash

Intella can calculate MD5 and message hashes to check the uniqueness of files and messages. If two files have the same MD5 hash, Intella considers them to be duplicates. Similarly, two emails or SMS messages with the same message hash are considered to be duplicates. With the MD5 and Message Hash facet you can:

1. Find items with a specific MD5 or message hash and
2. Find items that match with a list of MD5 and message hashes.

Specific MD5 or message hash

You can use Intella to search for files that have a specific MD5 or message hash. To do so, enter the hash (32 hexadecimal digits) in the field and click the Search button.

List of MD5 or message hashes

The hash list feature allows you to search the entire case for MD5 and message hash values from an imported list. Create a text file (.txt) with one hash value per line. Use the Add button in the MD5 Hash facet to add the list. Select the imported text file in the panel and click the Search button below the panel. The items that match with the MD5 or message hashes in the imported list will be returned as a single set of results (one cluster).

Message hash calculation

The message hash is calculated by calculating the MD5 hash of a number of concatenated item properties. For emails the following properties are taken into account:

- From, Sender, To, Cc and Bcc headers.
- Subject header.
- Date header.
- Email body.
- All other MIME parts (attachments, nested messages, signatures, etc.).
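A sketch of a source-agnostic e-mail message hash in the spirit of the calculation this section describes, added here as an illustration; it is not Intella's implementation and its values will not match hashes computed by Intella. The field order, the separators, the whitespace normalization and the sample messages are assumptions. It also follows the manual's statements that missing e-mail headers are skipped and repeated headers are all used.

```python
import hashlib
from email import message_from_string, policy
from email.message import EmailMessage

# Properties named in the manual; the order used here is an assumption.
HASHED_HEADERS = ("From", "Sender", "To", "Cc", "Bcc", "Subject", "Date")


def message_hash(raw_message):
    """MD5 over selected headers plus every MIME part's decoded content."""
    msg = message_from_string(raw_message, policy=policy.default)
    md5 = hashlib.md5()

    def feed(label, data):
        # Label and NUL separators keep adjacent fields from running together.
        md5.update(label.encode("ascii") + b"\0" + data + b"\0")

    for name in HASHED_HEADERS:
        # A missing header contributes nothing; a repeated one is fed each time.
        for value in msg.get_all(name, []):
            feed(name.lower(), " ".join(str(value).split()).encode("utf-8"))
    for part in msg.walk():
        if not part.is_multipart():
            feed(part.get_content_type(), part.get_payload(decode=True) or b"")
    return md5.hexdigest()


def build_copy(headers, body, attachment=None):
    """Serialize one constructed copy of a message (sample data only)."""
    msg = EmailMessage()
    for name, value in headers:
        msg[name] = value
    msg.set_content(body)
    if attachment is not None:
        msg.add_attachment(attachment, maintype="application",
                           subtype="octet-stream", filename="forecast.bin")
    return msg.as_string()


# Constructed sample message in several stored forms.
HEADERS = [
    ("From", "Alice <alice@example.com>"),
    ("To", "Bob <bob@example.com>"),
    ("Subject", "Q4 forecast"),
    ("Date", "Mon, 04 Jan 2016 09:00:00 +0000"),
]
BODY = "Numbers attached.\n"
ATTACHMENT = b"\x00\x01forecast-data"

EML_COPY = build_copy(HEADERS, BODY, ATTACHMENT)
# Same message with headers stored in another order and a new MIME boundary.
REORDERED_COPY = build_copy(list(reversed(HEADERS)), BODY, ATTACHMENT)
# Same message as an mbox entry, which adds a leading "From " envelope line.
MBOX_COPY = "From alice@example.com Mon Jan  4 09:00:00 2016\n" + EML_COPY
# Sender's copy, which still carries the Bcc header.
BCC_COPY = build_copy(HEADERS + [("Bcc", "carol@example.com")], BODY, ATTACHMENT)
# Archived copy with the attachment removed.
STRIPPED_COPY = build_copy(HEADERS, BODY)

if __name__ == "__main__":
    for label, raw in [("eml", EML_COPY), ("reordered", REORDERED_COPY),
                       ("mbox", MBOX_COPY), ("bcc", BCC_COPY),
                       ("stripped", STRIPPED_COPY)]:
        print(f"{label:10} {message_hash(raw)}")
```

The first three copies hash identically because only parsed properties are hashed, not the container bytes; the Bcc and attachment-stripped copies differ, which is why deduplication on such a hash keeps them as separate items.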

For SMS, MMS and other types of chat messages such as Skype and WhatsApp messages the following parts are used:

- The sender information.
- The receiver information.
- The textual content of the message.

When certain headers/properties occur multiple times, all occurrences are taken into account.

A difference between email message hashes and chat message hashes is that the hashing procedure for emails will simply skip missing values, whereas for chat messages all fields need to be present in order to calculate a hash.

These message hash computation methods have the benefit that they are source-agnostic: a specific message always gets the same message hash, regardless of whether it is stored in e.g. a PST, NSF, Mbox or EML file. Message hashes can therefore find duplicates across a variety of mail formats and be used to deduplicate such a diverse set of mail formats.

When one of the copies has a minor difference, the email will get a different hash and be seen as different from the other occurrences. A good example is a bcc-ed email, as the bcc is only known by the sender and the recipient listed in the Bcc header. Therefore, these two copies will be seen as identical to each other but different from the copies received by the recipients listed in the To and Cc headers. Another example is an archived email which has one or more attachments removed: it will be seen as different from all copies that still have the full list of attachments.

Tip: Install a free tool such as MD5 Calculator by BullZip to calculate the MD5 hash of a file. You can then search for this calculated hash in Intella to determine if duplicate files have been indexed.

Tip: Use the Export table as CSV option in the Details table to export all MD5 and message hashes of a selected set of results to a CSV file.

Item ID Lists

In the Item ID Lists facet you can load a list of item IDs, to automate the searching with sets of previously determined item IDs, e.g. obtained by exporting the Details table to a CSV file.

An item ID list is a text file in UTF-8 encoding that contains one item ID per line. Once loaded into the case, you can select the list name and click Search. The result will be a single result set consisting of the items with the specified IDs. Invalid item IDs will be skipped.

Language

This facet shows a list of languages that are automatically detected in your items. To refine your query with a specific language, select the language from the list and click the Search button.

When Intella cannot determine the language of an item, e.g. because the text is too short or mixes multiple languages, then the item will be classified as Unidentified. When language detection is not applicable to the item's file type, e.g. images, then the item is classified as Not Applicable.

Size

This facet groups items based on their byte size.

To refine your query with a specific size range, select a value from the list and click the Search button.

Duration

This facet reflects the duration of phone calls listed in a cellphone report, grouped into meaningful categories.

Device Identifier

This facet groups items from cellphones by the IMEI and IMSI identifiers associated with these items. Please consult the documentation of the forensic cellphone toolkit provider for more information on what these numbers mean.

This facet also supports the filtering options described in the Address section.

Export Sets

All export sets that have been defined during exporting are listed in this facet. Searching for the set returns all items that have been exported as part of that export set.

Including and excluding facet values

Facet values can be included and excluded. This allows filtering items on facet values without these values appearing as individual result sets in the Cluster Map visualization.

To include or exclude items based on a facet value, select the value and click on the arrows in the Search button. This will reveal a drop-down menu with the Include and Exclude options.

Including a facet value

Including a facet value means that only those search results will be shown that also match with the chosen included facet value.

Example: The user selects the facet value PDF Document and includes this facet value with the drop-down menu of the Search button in the facet panel. The Searches panel in the Cluster Map shows that PDF Document is now an included term. This means that from now on all result sets and clusters will only hold PDF Documents. Empty clusters will be filtered out.

For example, see the image above: the Enron search term resulted in 1,606,638 items, but after applying the PDF Documents category with its 22,167 items as an inclusion filter, only 6,325 items remain.

When multiple includes are used, the results are filtered for all items that are in at least one of the include sets, i.e. it is like filtering with the union of all includes.

Excluding a facet value

Excluding a facet value means that only those search results will be shown that do not match the chosen excluded facet value.

Example: The user selects the facet value PDF Document and excludes this facet value with the drop-down menu of the Search button in the facet panel. The Searches panel in the Cluster Map shows that PDF Document is excluded. As long as this exclusion remains, all result sets and clusters will not hold any PDF Documents. Empty clusters will be filtered out.

Note: Excludes are often used to filter out privileged items before exporting a set of items, e.g. by tagging items that match the privilege criteria with a tag called privileged. In this scenario it is important to realize that when exporting an email to e.g. Original Format or PST format, it is exported with all its attachments embedded in it. The same applies to a Word document: it is exported intact, i.e. with all embedded items. Therefore, when an attachment is tagged as privileged and privileged is excluded from all results, but the email holding the attachment is in the set of items to export, the privileged attachment will still end up in the exported items. The solution is to tag both the parent email and its attachment as privileged. The tagging preferences can be configured so that all parent items and the items nested in them automatically inherit a tag when a tag is applied to a set of items.

When filtering privileged information with the intent to export the remaining information, we recommend that you verify the results by indexing the exported results as a separate case and checking that there are no items matching your criteria for privileged items.
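The export caveat in the note above, worked through as an added example (a model of the described behavior, not Intella code or its API). The item table, the field layout and all function names are constructed for illustration; tag inheritance is assumed to cover the whole item family, as the note describes.

```python
from collections import defaultdict

# Constructed sample case: item ID -> (parent ID or None, type, tags)
ITEMS = {
    1: (None, "email", set()),
    2: (1, "pdf", {"privileged"}),      # privileged attachment of email 1
    3: (1, "docx", set()),
    4: (None, "email", set()),
    5: (4, "pdf", set()),
    6: (None, "pdf", {"privileged"}),   # loose privileged file
    7: (5, "image", {"privileged"}),    # image embedded in attachment 5
    8: (None, "email", set()),
    9: (8, "pdf", set()),
}

def children_index(items):
    """Map each parent ID to the IDs of its direct children."""
    idx = defaultdict(list)
    for item_id, (parent, _type, _tags) in items.items():
        if parent is not None:
            idx[parent].append(item_id)
    return idx

def descendants(item_id, idx):
    """All items nested in item_id, at any depth."""
    out, stack = [], list(idx[item_id])
    while stack:
        cur = stack.pop()
        out.append(cur)
        stack.extend(idx[cur])
    return out

def tagged(items, tag):
    return {i for i, (_p, _t, tags) in items.items() if tag in tags}

def apply_filters(result, includes=(), excludes=()):
    """Includes act as the union of all include sets; every exclude set is removed."""
    visible = set(result)
    if includes:
        visible &= set().union(*includes)
    for excluded in excludes:
        visible -= excluded
    return visible

def embedded_leaks(export_ids, items, tag):
    """Exported item ID -> tagged items that travel inside it when it is exported intact."""
    idx = children_index(items)
    leaks = {}
    for item_id in sorted(export_ids):
        hits = sorted(d for d in descendants(item_id, idx) if tag in items[d][2])
        if hits:
            leaks[item_id] = hits
    return leaks

def inherit_tag(items, tag):
    """Copy of items in which the tag spreads to the top-level parent of every
    tagged item and to everything nested in that parent."""
    idx = children_index(items)
    new = {i: (p, t, set(tags)) for i, (p, t, tags) in items.items()}
    for item_id in tagged(items, tag):
        top = item_id
        while items[top][0] is not None:
            top = items[top][0]
        for member in [top] + descendants(top, idx):
            new[member][2].add(tag)
    return new

if __name__ == "__main__":
    everything = set(ITEMS)
    export = apply_filters(everything, excludes=[tagged(ITEMS, "privileged")])
    print("export set:", sorted(export))
    print("privileged items still embedded:", embedded_leaks(export, ITEMS, "privileged"))
    fixed = inherit_tag(ITEMS, "privileged")
    export = apply_filters(everything, excludes=[tagged(fixed, "privileged")])
    print("after tag inheritance:", sorted(export), embedded_leaks(export, fixed, "privileged"))
```

Running the same leak check over the item hierarchy of the re-indexed export is the programmatic counterpart of the verification step recommended above.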

15 Cluster Map

The Cluster Map shows search results in a graphical manner, grouping items by the queries that they match. This chapter will help you understand how this visualization works.

[Figure: Cluster Map screenshot. Callouts: cluster with 51 items; label or result set; control buttons adjust the contents of the Cluster Map; cluster with 16 items, connected to two result sets; Searches panel shows the list of result sets.]

Understanding a Cluster Map

The figure above shows a graph with two labels and three clusters. The larger, colored spheres are called clusters. They represent groups of items such as emails and files. The queries entered by the user are shown as labels and are used to organize the map. Every cluster is connected to one or more labels.

In this Cluster Map we see that the user has evaluated two keyword searches: one for the word buy and one for the word sell. The Cluster Map shows these two result sets, using the search terms as their labels:
- buy returned 99 items and is represented by the blue edges.
- sell returned 67 items and is represented by the red edges.

The colored edges connect the clusters of items to their search terms, indicating that these items are returned by that search term. For example, this Cluster Map shows that there are 16 items that were returned by both the sell and buy queries, 51 items that contain sell but not buy, and 83 items that contain buy but not sell.

When a third keyword search for money is added, the graph changes as follows on our data set:

In the middle is a single cluster of 6 items that is connected to all three labels. This represents the 6 items that match all three search terms. There are three clusters of 19, 9 and 10 items, each connecting to two labels but not a third. They represent the items that match two out of the three search terms. Finally, three large clusters at the periphery represent all items that only match the search term that they are connected to.

A Cluster Map can always draw a reasonable picture of up to three search terms: the above map shows the maximum complexity that such a graph may have. Beyond three search terms the graph may become too complex and cluttered to be meaningful. That is why the Cluster Map has a second visualization mode called Sets. This mode can be chosen by clicking on the Sets mode in the toolbar. When the user enters more than seven queries, the Cluster Map will automatically switch to that mode.

In Sets mode the three result sets are visualized like this:

Here each result set is depicted as a single rounded square shape with the label and number of items on top. The size of the square is related to the number of items in the set: bigger means more items. Furthermore, all sets are grouped by their order of magnitude, indicated on the left; in this case all result sets are of the same order of magnitude. The overlap between sets is no longer visualized until the user selects one of the sets.

Sets mode can scale to a much larger number of result sets. The following image is a visualization of 16 result sets, divided among four different orders of magnitude. Adjacent groups get alternating colors for better separation. Note that the visual size of the result sets, indicating the number of items in each set, is only comparable within the group.

Manipulating Cluster Maps

The result sets created with the current query are listed in the box at the top right corner of the Cluster Map panel. To remove a result set from the Cluster Map, click on the remove icon (red X) in the list. To clear the Cluster Map - remove all result sets - and start a new search, click the Clear button in the terms list. If the Cluster Map regeneration takes too long, you can stop the process by clicking the Stop button.

To view and open the individual items in a cluster or result set, first click on the cluster or label. This will list the items in that set in the Details view below. From there the items can be opened by a single or double click, depending on the currently selected view mode of the Details view.

Options

When the Cluster Map is in Clusters mode, the Filters button in the toolbar will be enabled. When this toggle button is selected, the graph is filtered to show only the clusters with the most connections. These could be seen as the most relevant result clusters. This filtering has no equivalent in Sets mode and therefore is disabled in that mode.

The last button in the toolbar indicates whether the graph should be shown at normal size (with scrollbars if necessary) or be scaled to fit in the visible space. For Clusters the fit to size mode makes the most sense. For Sets mode showing at normal size is often preferable, especially when dealing with lots of result sets (tens or more).

The current visualization can be exported as a transparent, 24-bit PNG image. To do so, choose the Cluster Map option in the Export menu.

16 Social Graph

The Social Graph is another visualization of search results, showing where the emails in the search results came from and went to.

Basics

The social graph is revealed by clicking on the Social Graph button in the Results toolbar. Next, just enter any type of query and the results will be displayed as a social graph. When switching from a populated Cluster Map to the Social Graph, the graph will start loading immediately with these results.

When multiple searches have been evaluated, the graph is based on the union of all search results, with the Includes and Excludes applied. In other words, the social graph is based on the same items that are visible in the Cluster Map at the same moment.

To see the emails in this result set that relate to a specific contact, i.e. that have that contact as sender or recipient, click on the node representing that contact. To see the emails in this result set that have been sent between two contacts, click on the edge between those nodes. In both cases the Details panel below the Social Graph will display these emails.

Tip: note that the Timeline view is a natural fit to display the emails represented by a node or edge. All emails are sorted by sent date, and you can easily see the sender and receivers of the individual emails.

When a person sends a mail to several people, this will result in several edges in the graph. Therefore you may encounter the same email several times when browsing the graph and selecting edges.

Controls

The toolbar at the top left offers four buttons for managing the zoom level of the graph:
- Zoom in.
- Zoom out.
- Reset zoom level to the default value.
- Change the zoom level to make the graph fit the available screen space.

The fifth button shows or hides all node labels. When set to hide, only the labels of selected nodes and their connected nodes are displayed.

Finally, the sixth button collapses the toolbar and the Searches panel, revealing any graph structures beneath it. Click on the button that appears in the top-right corner to expand these panels again.

The lower part of the toolbar is used to specify what should be shown as node labels:
- Show only the contact name; use the email address if there is no contact name.
- Show only the email address; use the contact name if there is no email address.
- Show both the contact name and email address.

By default only contact names are shown, as these are typically shorter than email addresses and lead to less cluttered displays.

The following mouse operations are supported:
- Drag a node to improve readability.
- Click on a node to highlight that node and the nodes connected to it.
- Use Ctrl-clicking to select and highlight multiple nodes.
- Hold down the right mouse button while dragging to scroll (pan) the graph.

The graph can be exported to a PNG file by using Export > Social Graph.

Limitations

At this moment the Social Graph only displays emails. Future versions will also handle phone calls, other message types, and attachments that are embedded in these messages. Furthermore, the graph displays a warning when your result set contains more than 700 unique emails, as this may take considerable time to create. Future versions will again address this in various ways.

17 Statistics

The Statistics view is the third view in the visualization box in the upper right corner. It contains several tabs that provide a quick overview of the case, helping investigators to form an impression of the type of data in the case and to formulate the best next steps to tackle the case.

Overview tab

The Overview tab shows general statistics on various types of items.

The Item counts table shows the total number and deduplicated number of items of various key categories. The Documents category is equal to the Documents branch in the Type facet and combines common document formats like MS Office and PDF documents. Emails are all items with MIME type message/rfc822. Email containers reflects the number of PST, OST, NSF, Mbox files etc. The remaining categories are identical to the same categories in the Features facet.

The Types panel shows a pie chart of the top 4 item type categories, as captured by the top-level categories in the Type facet. The top 4 are determined by item count. All other categories are combined into a single Others category. Placing the mouse over a section in the pie chart shows a tooltip that reveals the total number and percentage of that section.

Finally, the Top 10 types table shows the ten item types with the highest number of items, measured by their total (non-deduplicated) count. These items are all leaf nodes in the Type branch.

Histogram tab

The Histogram shows the timestamps of all items over the years or months. The histogram not only gives a rough timeline overview of events, but can also be used to find data anomalies, e.g. unexpected peaks or gaps in the volume of emails, which may be caused by an incomplete capture of evidence files, bugs in software, default values entered by client software, etc.

To the right of the chart are all date fields that Intella currently supports. Each date field shows the number of items that have that date field set. Date fields that do not occur in this case are disabled. (De)selecting one of the checkboxes changes the histogram to include or exclude the counts for that date field.

Depending on the case size and whether a local or remote case is used, this update may take some time. The resulting counts are cached, so that afterwards the user can toggle that checkbox and see the chart change instantly.

The chart can alternatively show years or months. There are various ways to manipulate the visualization:
- Selecting a rectangular area in the chart results in the chart zooming in on that area. Especially when the granularity is set to Months and the chart contains some peaks, this can be useful to inspect a given time period more closely.
- The mouse scroll wheel can also be used to zoom in and out.
- Once zoomed in, drag the mouse cursor while holding the CTRL key to pan the chart (move sideways).
- Zooming and panning can be reset by either dragging the chart upwards or using the Reset zoom level button.

Note: the Histogram's time axis only shows dates between January and two years from now. This is to prevent obviously incorrect dates that have been extracted from corrupt files from spoiling the graph.

17.3 Emails tab

The Emails tab shows various types of email-specific statistics.

The top-left panel shows the first and last Sent date of a case. This is shown both for all emails and for all top-level emails. The latter set results in the forwarded emails being excluded. Note that the dates in this example are clearly invalid. Usually this is caused by bugs in the mail clients of the person(s) whose email is being investigated.

The Header table shows how many unique addresses occur in any of the five headers. The sixth row combines the number of unique values in the To, Cc and Bcc headers.

The Top 10 addresses table shows the 10 addresses with the highest number of emails in the case. Both the raw and deduplicated counts are shown. The top 10 is based on the raw counts.

The Top 10 host names table shows the host names that have the most emails associated with them. These are essentially the host names that show up when you expand the All Senders and Receivers branch in the Address facet. Both the raw and deduplicated counts are shown. The top 10 is based on the raw counts.

Keywords tab

This tab differs from the other tabs in that it requires user input before any statistics are shown. In this Keywords tab the user can choose a keyword list, specify a number of calculation criteria and click Calculate. This will produce a table showing the keyword list and several statistics for every query in the list.

All controls are placed on the right-hand side of the view. The user can choose a previously uploaded keyword list or add one here. A second drop-down list controls what field(s) is searched. By default all fields are searched, but you can choose to restrict searches to e.g. the document text, headers, etc.

The four checkboxes determine what columns the table should contain:
- The Items option adds columns indicating the total number of items that contain the keyword, what percentage of the total items that is, and the deduplicated number of items.

- The Hits option counts the number of occurrences of the search term in the texts. For example, when a keyword produces a document that contains the keyword 3 times and another document that contains the keyword 5 times, this column will show 8.
- The Custodians option adds a column for every custodian in the case. Each custodian column indicates how many of the matching items originate from that custodian.
- The Families option adds two columns: "Families" and "Family items". A family is a set consisting of a top-level item (e.g. a mail in a PST file) and all its nested items (e.g. attachments, embedded items, archive entries).
  o The Families column shows in how many families the keyword occurs. For example, if a mail and two of its attachments all contain the keyword, that counts as a single family.
  o The Family Items column shows the total number of items that are contained in these families. This may (and usually will) include items that do not contain the keyword at all; they just belong to a family that has a hit in one of its other items. In cases where you are not directly exporting search results but rather their top-level parents (i.e. the default when exporting to PST), this will tell you how much of the case is conceptually being exported.

The Saved searches checkbox enables a Configure button. Clicking this button opens a dialog in which the user can select one or more saved searches from the case. Each saved search will add a column, which will contain the number of items matching both the keyword in that row and the saved search.

One can click on a row in the table and see the items from that result set in the Details view beneath the Statistics.

The table can be exported to CSV format.

Although we call this functionality "keyword statistics", you can use the complete full-text search syntax here: wildcards, Boolean operators, phrase queries etc. are all available.

18 Details panel

In order to inspect the contents of the visualization, the user can select a cluster or result set by clicking on it. Its contents will be displayed in the Details panel below the map. This panel contains a list of the items that can be presented in four modes:
- Table view
- List view
- Thumbnails view
- Timeline view

18.1 Table view

The table view displays the results as a table in which each row represents a single item and the columns represent the attributes such as title, date, location etc. The set of attributes to display can be customized with the Toggle visible table columns button - the right button of the Details Panel Control. Click on a table column header to sort the table by specific item attributes.

Adding and removing columns

With the Toggle visible table columns button in the Details toolbar you can add and remove columns in the table, by (de)selecting column names in the popup that shows when you click the button. The selected columns are stored: every time you start Intella, these columns will be shown until you select other columns. This option is only available in the Table view.

The following columns are available:

General columns:
- Contact name: The name of a contact encountered in a PST file or as a vCard file.
- Decrypted: Shows if an item is encrypted and Intella was able to decrypt it.
- Direct Child IDs: The item IDs of the direct children of this item.
- Direct Parent ID: The ID of the item's direct parent item.
- Duplicates: Shows the number of duplicates of an item within the case.
- Encrypted: Shows if an item is encrypted.
- Exception: Shows if an item had one or more issues indexing properly.
- File Name: The name of a file in the file system, in an archive or used as an attachment name.
- Import ID: The ID as imported from a load file. This ID is maintained for cross-reference purposes.
- Item ID: The ID used internally in Intella's database to refer to this item.
- Language: The language of the item's text. The language field is left blank when the language cannot be detected automatically. When the language could not be determined, e.g. because the text is too short or mixes various languages, the value shown will be unidentified. Item types that inherently do not have a language, e.g. images or archives, show the not applicable value.
- Location: Name of the location in the original evidence data where the item is stored. For example, an email in a PST file would have a location that would start with the folder and file name of the PST file, followed by the mail folder path inside that PST file.
- MIME type: The type of an item according to the MIME standard.
- Native ID: The native ID of the item. Currently only IBM Notes UNIDs (Universal Notes IDs) are listed here. This column may be used for other native ID types in the future.
- Recovered: Indicates whether the item has been recovered. See the Features facet section for the definition of the Recovered status.
- Size: The item's size in bytes.
- Source: The name of the Intella source that holds the item. Typically this is the root folder name or the name of the mail container file (e.g. PST or NSF file).
- Source Path: The path to the evidence, e.g. the PST or NSF file, or the root folder of a Folder source. This helps reviewing items when dealing with a lot of evidence files: the name of the evidence file and the derived source name may not hold enough information to easily discern the origin of the information.
- Subject: The subject of an email or document item. Note that some document formats can have both a title and a subject.
- Title: The title of a document item.
- Type: The item's human-readable type, e.g. MS PowerPoint Document or Message.
- URI: Uniform Resource Identifier, the identifier used internally by Intella for the item in addition to the Item ID.

Email-specific columns:
- All Receivers: The combined list of To, Cc and Bcc agents.
- All Senders: The combined list of From and Sender agents.
- Attachments: Shows the file names of an email's attachments.
- Bcc: The addresses in the Bcc header.
- Cc: The addresses in the Cc header.
- From: The addresses in the From header.
- Has Attachments: Emails that are marked as having attachments.
- Has Internet Headers: Emails that have regular SMTP headers. When this is not the case, information about e.g. the sender, receiver and dates may still be obtained from other fields, depending on the source format.
- Is Attachment: Indicates whether the item is an attachment.
- Message Hash: Shows the Message Hash for emails and SMS messages. This hash is used for deduplicating emails and SMS messages in a manner that works across different mail formats and phone data source types.
- Message ID: Shows the Message ID extracted from messages.
- Sender: The addresses in the Sender header.
- To: The addresses in the To header.
- Unread: Shows if an item was unread at the time of indexing.

Cellphone-specific columns:
- All Phone Numbers: Phone numbers relevant to a phone call, regardless of whether it is an incoming or outgoing call, combined with phone numbers found in contacts.
- Chat Accounts: All instant messaging accounts (Skype, WhatsApp, but also SMS and MMS phone numbers) that have been used to send or receive a chat message.
- Chat Receivers: All instant messaging accounts used to receive a chat message.
- Chat Senders: All instant messaging accounts used to send a chat message.
- Incoming Phone Numbers: Phone numbers used for incoming phone calls.
- IMEI: The International Mobile Station Equipment Identity (IMEI) number of the phone from which the item was obtained.
- IMSI: The International Mobile Subscriber Identity (IMSI) associated with the item.
- Outgoing Phone Numbers: Phone numbers used for outgoing phone calls.
- Duration: How long the phone call took.

File- and document-specific columns:
- Contributor: The name(s) of the contributor(s) of a document. These are typically authors that edited existing documents.
- Creator: The name(s) of the creator(s) of a document item. These are typically the initial authors of a document.

- Embedded Item: Indicates whether the item has been extracted from a document, spreadsheet or presentation.
- Empty document: Shows that the item has no text while text was expected. Example: a PDF file that contains only images.
- Irrelevant: Indicates whether the item is classified as Irrelevant. See the Features facet section for the definition of the Irrelevant category.
- MD5 Hash: The MD5 hash that uniquely identifies the item.
- OCRed: Shows whether an OCR method has been applied to this file.
- Page Count: The number of pages of the item as reported by the metadata present in the original evidence item, i.e. this is not verified and is only possible for certain document formats that support such a metadata attribute.

Columns containing dates:
- Called: The date a phone call was made.
- Content Created: The date that the content was created, according to the document metadata.
- Content Last Modified: The date that the content of the item was last modified, according to the document-internal last modified date.
- Due Date: The due date of a task.
- End Date: The end date of an appointment, task or journal item.
- Family Date: The family date of the item. Family dates build on primary dates and also take the item hierarchy into account. The family date of an item is defined as the primary date of its top-level parent, i.e. all items in an item family have the same family date. Sorting on Family Date sorts by this date, but also puts attachments and nested items right behind their parent. This is strictly enforced, i.e. two item families with the same family date are not intertwined. This makes it possible to review items in chronological order while maintaining a sense of their context. Certain types of items are skipped when determining the family root, namely all folders, mail containers, disk images, load files and cellphone reports.
- File Created: The date a file was made, according to the file system.
- File Last Accessed: The date a file was last accessed, according to the file system.
- File Last Modified: The date of the last time the file was modified, according to the file system.
- Last Printed: The date a document was last printed, according to the document-internal metadata.
- Primary Date: The date that is the best match for the given item. Default or user-defined rules are used to pick the most appropriate date attribute based on the item's type.
- Received: The date the item was received.
- Sent: The date the item was sent.
- Start Date: The start date of an appointment, task or journal item.

Review-specific columns:
- Comments: Shows if an item has comments. When this is the case, a yellow note icon is shown in the table. Hover over the icon to see a tooltip with the comments attached to the item.
- Custodian: Shows the name of the custodian associated with this item.
- Exported: Shows if an item has been exported.
- Flagged: Shows a column at the left side of the table that indicates if an item is flagged. Click the checkbox if you want to flag an item.
- Opened: Shows if an item has been opened in its native application.
- Previewed: Shows if an item has been opened in the previewer.
- Redacted: Indicates whether the item has been redacted.
- Tags: Shows the tags connected to an item.

Tag groups (optional)
These columns are created for every top-level tag with sub-tags. If selected, the corresponding column shows the tags within that part of the tag tree. The column will be named after the top-level tag.

Export (optional)
When items have been exported using the export set functionality, a column will be made available for every export set, holding the export IDs within that export set.

Use the Check / uncheck all checkbox to immediately set all checkboxes on or off.

For contacts, e.g. senders and receivers, this popup lets the user choose whether to display the contact name, the email address or both. The chosen setting will affect the table sorting when the involved columns are used to sort the table.

The contents of the date columns can be adjusted to show their time zones:
- When set to Always, each date and time value is always accompanied by an explicit time zone.
- When set to For different sources, time zones are only shown when items from different sources are being shown in the table.
- Do not show suppresses all time zones.

Reorganizing table columns

The columns can be reorganized by dragging a column header to a different location in the table. The order is persistent across application sessions, but specific to that case.

Sorting the list

By clicking on a column header, the search results will be sorted alphabetically, numerically, or chronologically, depending on the type of information shown in that column. By clicking the header once more, the sort order will be reversed. Clicking one more time will remove the sorting, letting the results be displayed in their original order.

Sorting on the Family Date column is implemented as a compound sorting on two columns. Items are first sorted by the Family Date itself and next by the Hierarchy criterion. This process is transparent to the user and results in attachments and embedded items always getting placed directly after their parent item, which can greatly simplify the review of the items.

Sorting by multiple columns can be achieved by holding the Ctrl button while clicking on the column names. Any additional clicked column will be added to the list of sorting criteria. When two items cannot be sorted using the values from the first column (because the values are identical), the second column will be used, and so on.

Besides clicking on column headers, you can alter the sorting with the Sort table button. This opens a dialog that lets you select the sorting columns and the sort order per column (ascending/a-z or descending/z-a). This dialog lets you use all of the columns available, regardless of whether the column is currently present in the table. Furthermore this dialog offers a sort criterion called Hierarchy, which is not available as a table column. Sorting on this criterion puts the items in hierarchical order, e.g. an email is directly followed by its attachments.
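The family rules described for the Family Date column, for the compound Family Date sort above, and for the Families and Family Items columns of the Keywords tab, modeled as an added example (not Intella code). The sample items, type labels and function names are constructed, and ordering siblings by item ID and placing undated families last are assumptions.

```python
from datetime import date

# Constructed sample: item ID -> (parent ID or None, type, primary date)
ITEMS = {
    10: (None, "folder", None),
    11: (10, "mail container", None),        # e.g. a PST file
    12: (11, "email", date(2001, 5, 3)),
    13: (12, "pdf", date(2001, 4, 1)),
    14: (12, "zip", date(2001, 4, 20)),
    15: (14, "docx", date(2000, 12, 31)),
    16: (11, "email", date(2001, 5, 3)),     # same primary date as email 12
    17: (16, "image", date(1999, 1, 1)),
    18: (10, "docx", date(2001, 2, 2)),      # loose file in the folder
}

# Item types skipped when determining the family root, as listed for Family Date.
SKIPPED = {"folder", "mail container", "disk image", "load file", "cellphone report"}

def family_root(item_id, items):
    """Top-level parent of an item, stopping below any skipped container type."""
    cur = item_id
    while True:
        parent = items[cur][0]
        if parent is None or items[parent][1] in SKIPPED:
            return cur
        cur = parent

def family_date(item_id, items):
    """Primary date of the family root; shared by every item in the family."""
    return items[family_root(item_id, items)][2]

def hierarchy_path(item_id, items):
    """IDs from the family root down to the item; sorts parents before children."""
    root = family_root(item_id, items)
    path = [item_id]
    while path[-1] != root:
        path.append(items[path[-1]][0])
    return tuple(reversed(path))

def review_order(item_ids, items):
    """Compound sort: family date first, then hierarchy. Because every path starts
    with the root ID, two families with the same date are never intertwined."""
    return sorted(
        item_ids,
        key=lambda i: (family_date(i, items) or date.max, hierarchy_path(i, items)),
    )

def family_stats(hit_ids, items):
    """(Families, Family Items) for a set of keyword hits."""
    roots = {family_root(h, items) for h in hit_ids}
    family_items = [i for i in items if family_root(i, items) in roots]
    return len(roots), len(family_items)

if __name__ == "__main__":
    print(review_order([17, 15, 16, 13, 18, 12, 14], ITEMS))
    print(family_stats({13, 15, 17}, ITEMS))
```

The Family Items count is the number to compare against the size of an export that pulls in top-level parents, since it includes family members that never matched the keyword.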

Showing a conversation

Right-clicking an email message item and selecting the Show conversation option will display a new result set in the Cluster Map, showing all messages that are part of the conversation, including replies and forwarded messages.

Showing the child items

To determine all items nested in an item, right-click on the item and select Preview. Next, switch to the Tree tab to see the full hierarchy, including all child items.

To determine the children of a set of selected items, select all relevant items in the Details table, right-click on one of them and click the Show children option. This will open a dialog that asks you what children to put in the result set, as child items may also again contain child items.

Showing the parent items

Right-click an attachment and select the option Preview parent to view the message that contains the selected item. This feature looks up the parent item recursively until it reaches an email item.

To determine the parent of a set of selected items, select all relevant items in the Details table, right-click on one of them and click the Show parents option. This will open a dialog that asks you whether to produce the top-level or direct parents, and what to do with items that have no parent.

See the search preferences for settings related to how the top-level and direct parents are determined.

List view

The List view displays the results in a form similar to conventional web search engines. Select the third button in the Details toolbar to switch to this view.

For each item, the title and other important metadata will be displayed, as well as a fragment of the document text, if any text has been extracted from this item. When Intella is currently displaying keyword search results, the selected text fragment will show the keyword matches and their context.

The title is normally displayed in a light green color; dark green indicates that the item has been previewed before by the current user. If the item has any tags applied to it, these will be shown on the right as blue labels. To flag an item, use the checkbox on the left.

Items can be selected by clicking, Ctrl-clicking and right-clicking. Right-clicking on any item reveals the same popup as used in the Table view.

Thumbnails view

The Thumbnails view displays the thumbnails of the images detected within a selected cluster. This includes images embedded in attachments and images inside documents. Hover over the thumbnails with your mouse cursor to see a summary of the data connected to the image. You can flag an image with the checkbox below the thumbnail. When you double-click a thumbnail, the image will open in the previewer.

Tip: the Thumbnails view will work a lot smoother when you let it pre-generate the thumbnail representation of all images in the case in advance. This can be done by selecting Generate Thumbnails from the Sources menu.

Timeline view

The Timeline view shows a chronological representation of communications, phone calls and SMS/MMS messages.

The left pane shows the senders and receivers, i.e. addresses or phone numbers, with their communication plotted chronologically. Every edge in the timeline view represents a communication and points to the receiver of that communication. The node color represents the role a contact (i.e. an address or phone number) has in a communication, e.g. sender or caller. Click the Legend button to see an explanation of all node colors that can occur.

When displaying e-mails, it may occur that an e-mail appears to have two senders. That happens when the e-mail has both a From and a Sender header. As in most circumstances the From header is of primary interest, the visualization of the Sender headers is disabled by default. It can be enabled by clicking on the Options button and checking the "Display the Sender header in addition to the From header" checkbox.

Tip: When you click an arrow, the arrow, the connected arrows, and the connected squares will be highlighted. When you double-click an arrow, the e-mail will show in a preview window.

Tip: Export a timeline by choosing Export > Timeline from the menu. The timeline will be saved as a PNG image.

Deduplication and irrelevant items

With the Deduplicate button, duplicates are removed from the search results based on the MD5 and message hashes of the results. Similarly, the Hide Irrelevant button removes all items marked as Irrelevant during indexing.

When used in the Thumbnails view, which shows both the images in the selected results as well as any images nested in those results, the end result is filtered.

19 Previewing results

The Previewer window opens when the item in the Details view is (double-)clicked.

- Produce the item in a number of formats.
- Inspect an item's contents, headers, properties, attachments, thumbnails, tree structure, extracted words, comments and performed user actions.
- Iterate over your result list.
- Item summary shows important item metadata.
- Tag or flag the current item.
- Navigate to or search for related items.
- Hit indicators show where keyword search hits are located in the text.
- Prepare a copy redacted for privileged content.
- Collapse and expand paragraphs.
- Loop over all search hits found in this item.

19.1 Overview of the Previewer

When you double-click an item, it will open in the Previewer. This window allows you to inspect, flag, and tag the item, to explore its relations with other items, and to export the item for later use.

The Previewer will show a number of tabs, presenting different aspects of the item, such as Contents, Preview, Headers, Raw Data, Properties, Attachments, etc. The set of tabs will differ from item to item, depending on the type of item that you selected and what information is available for that particular item.

The Toolbar

The toolbar on the right of the window contains options for producing and annotating the current item, as well as navigating to other items and starting new searches that use this item as a starting point.

At the top is a panel with buttons for producing the current item in a number of formats:

- Export: This button opens the Export result as dialog. Enter a name and location if you want to store the item. This exports the item in its original format.
- Print Tab: This button opens a print dialog that shows the contents of the selected tabs (Contents, Headers, Thumbnails, etc.) of the item. Click the print button on the lower right to print the item. Alternatively, the print output can also be saved as a PDF document.
- Print Report: This button opens a print dialog that shows the contents of all tabs of the item. If the item has attachments you are asked if these should also be printed. Click the print button on the lower right to print the item. Alternatively, the print output can also be saved as a PDF document.
- Open in Application: This button opens the item using the computer's default application (e.g. a PDF file would be opened with Adobe Acrobat Reader if that is the default PDF viewer on your computer).
- Open Containing Folder: This button is enabled for items that represent files in the file system and provides quick access to it. When clicked, Windows Explorer will open, show the file's folder and select the file in the folder.

The next panel lets one iterate over all items in the Details view from which the Previewer was launched:

- Previous and Next buttons: Go to the next or previous item in a list. Alternatively you can also use the keyboard shortcuts Alt+right-arrow to go to the next item, and Alt+left-arrow to go to the previous item. This functionality is not available when the Previewer was launched by clicking in the Cluster Map, from the Tree tab of another Previewer, etc.

The next two panels are for annotating the current item:

- Tag button: Opens the tag space where you can add new tags to your case and select a tag from a list of existing tags.
- Quick tag buttons: You can assign a tag to a quick tag button. Clicking the button tags the item and switches the previewer to the next untagged item in the list. If no tag is pinned to a Quick tag button, it is randomly associated with one of the recently used tags by default.
- Go to next item after tagging check box: When this check box is selected, clicking the quick tag buttons will switch the Previewer to the next item in the list (if there is one).
- Flagged: Select this check box to flag the previewed item. You might want to flag an item for organizational reasons. For example, to keep track of the items that you have reviewed in the case.

The next panel holds actions for navigating to and searching for related items:

- Preview Parent: Use this button to open the parent item in a previewer window. A parent item contains one or more items. Example: Pictures found in a Microsoft Word document are separate items in Intella. The Word document is the parent item for these pictures. The same is true for items found in an archive file, such as a ZIP file: the archive file is the parent item for these items.
- Preview Parent Mail: Use this button to open the parent item in a previewer window. A parent item contains one or more items. Example: A picture attached to an e-mail is a separate item in Intella. The e-mail is the parent for the picture.
- Show Children: Use this button to search for and display the children associated with the item being viewed in the previewer. When selected, a search result with the associated children of the selected items will be available in the Cluster Map panel. The label of the cluster will be Children of [file name] or Children of [subject]. An example of a child item would be an attachment of an e-mail. Intella views e-mails and attachments as separate items. The attachment would be the child of the parent e-mail. Child items can have child items of their own. Depending on the option that you select, Show Children shows either only the directly nested children or all children in the tree.
- Show Conversation: Based on the subject of an item and certain e-mail headers, Intella can find items that are part of a conversation. Click the button Show Conversation to show all these items in the Cluster Map panel. The label of this cluster will be Conv: [subject]. The subject is the subject of the item in the previewer.
- Show Duplicates: When an item has duplicates in the case, click Show duplicates to display these duplicates in the Cluster Map. The label of this cluster will be Duplicates of [file name] or Duplicates of [subject].

- Smart Search: Smart search lets one search for items that are similar to a selected item. It determines a set of keywords in the selected item that have a high information value. Typically these are keywords that occur often in the selected document but are not common words across the case or in any of the supported languages, which makes them representative for the content of the selected document. Using the Smart Search dialog one can then find other documents that share these keywords and therefore have a good statistical chance of being related to the selected document. A slider is provided that the user can use to set a threshold: the lower the threshold, the more documents are returned but at the cost of less relevance to the set of keywords. Checkboxes are provided to control which item fields should be used when determining the set of keywords. This way one can restrict the search for similar items to e.g. the document or message body only.

The next panel controls redaction:

- Redact: When this button is clicked, a PDF is generated for the current item and shown in the Redaction tab. See the section on Redaction for more details.

Finally, the last panel relates to functionality for handling paragraphs:

- Hide seen paragraphs: When selected, paragraphs that have been marked as Seen by the user are removed from the text, only leaving an eye icon in the left margin as an indication that a paragraph has been removed there. Click on the eye to bring back the text.
- Colorize paragraphs: When selected, paragraphs marked as Seen by the user are displayed as grayed out text.

19.3 Tabs

The tabs show the various aspects of the current item. The set of tabs shown for a particular item can differ from item to item, depending on the item type and which information that particular item holds.

When moving from one item to the next using the Next and Previous buttons, the current tab will stay selected provided that that tab is also available for the next or previous item.

When a specific tab is never used in a case, its visibility can be toggled using the Previewer's View menu. The benefit of this is a less crowded user interface and shorter loading time.

Keyword matches

When the current item has any keyword matches, the tabs containing one or more of the keywords change their appearance:

- The tab name will show with a bold blue font and contain a number indicating the number of hits.
- When the tab contains text (not metadata properties), like the document text or e-mail headers, it will get a status bar at the bottom listing the found keywords and providing buttons to jump from one match to another.
- When the tab contains text and has a scrollbar, the location of the keyword matches will be marked in the scrollbar as horizontal stripes.

Next we explain which tabs can occur.

Contents

This tab shows the body of an item, e.g. the message in an e-mail or the text inside a Word document. The Contents tab shows a limited set of stylistic elements such as bold, italic and underlined text, tables and lists. However, text is always drawn as black text on a white background, so as to reveal all extracted text. For a native rendering of the item use the Preview tab (when available).

If the item text is too long, it is truncated in the previewer for performance purposes. Click on the "Show full text" button to view the complete item text.

When the item is an image, this tab will show the image's content. An extra toolbar is then provided that allows for zooming, rotating and flipping the image.

When an item is encrypted and could not be decrypted, the Contents tab will show an image of a lock, to explain why no text could be shown.

Handling paragraphs

When the Analyze paragraphs option was selected during source creation, extra UI elements will be shown in the left margin. These UI elements indicate the start and end of the paragraphs that Intella has detected. They can be used to collapse and expand the paragraph. The UI elements are omitted for very short paragraphs (typically one-liners).

Furthermore a popup menu will be shown when the user right-clicks on a paragraph, offering the following options:

- Mark the paragraph as Seen, or back to Unseen. This grays out all occurrences of this paragraph in all items, facilitating the review of large amounts of long and overlapping documents such as e-mail threads with lots of quoted paragraphs.
- Mark all paragraphs above or below the current paragraph as Seen or Unseen.

- Search for all items in which this paragraph occurs. All items that contain the selected paragraph will be returned, ignoring small variances such as white spaces.
- Mark the paragraph for exclusion from keyword search. This can be used to suppress information present in lots of items but with little relevance to the investigation, such as signatures and legal disclaimers. Consequently, keyword queries containing terms such as confidential and legal are more likely to return meaningful results.

Preview

This tab shows the item as if it was opened in its native application. The Preview tab is only shown when the format of the current item is supported and the Contents tab is not already showing it in its native form. The following file formats are supported:

- E-mails (when the e-mail contains an HTML body)
- Legacy MS Office formats (doc, xls, ppt)
- New MS Office formats (docx, xlsx, pptx)
- RTF
- HTML
- PDF
- CSV and TSV files
- WordPerfect
- Open Office (Writer, Calc, Impress)

Important: When previewing e-mails, only images that are already bundled with the e-mail are shown. Any images that a mail client would load from a web server are shown as static icons. When there are any such missing images, a Show external images button appears. Clicking this button will load the images from the servers and show them embedded in the e-mail representation. Note that loading these images may constitute a violation of investigation policies.

Headers

This tab shows the complete header of the item. This tab is only shown when you open an e-mail item.

Raw Data

The content of this tab depends on the item type. For example, in case of PST e-mails the low-level information obtained from the PST is listed here. This typically includes the transport headers (shown on the Headers tab) and the e-mail body, but also a lot more. In case of vcard files the raw vcard contents are displayed here.

All this information is also searched through when using a keyword search. This may lead to additional hits based on information in obscure areas that Intella does not process any further.

Properties

This tab shows a list of properties connected to the item. Examples are Size, MIME Type, Creator and Character Set. The list of properties shown depends on the type of the item and what data is available in that particular item. To copy all the text to the clipboard click Copy all.

Tip: Hover over the question marks at the right hand side with your mouse and see a short definition of each property.

Attachments

This tab lists the attachments of an e-mail. When you double-click an attachment or select it and click View, it will be opened in a new Previewer window.

Thumbnails

This tab shows thumbnails of the images (jpg, png, gif etc.) attached to an item or embedded in a document, e.g. the images embedded in an MS Word document. Select the checkbox below the image to flag a thumbnail. When you double-click a thumbnail, the image will be opened in a new previewer window.

Tree

This tab shows the location of the reviewed item in the item hierarchy (entire path from root to descendants), as well as all its child items. The file names and subjects are clickable. You can also right-click and choose to either select all above or select all below, or simply select items manually, to assign them to a tag.

Entries

This tab shows the list of items found in an archive file, e.g. a ZIP or RAR file. When you double-click an item in the list or select it and click View, it will be opened in a new Previewer window. However, when the entry is a sub-folder inside the archive, its content will be opened in the same 'Entries' tab. Double-click the '..' entry at the top of the list to return to the parent folder.

Comments

This tab lists the reviewer comments attached to the item. Every comment has an author name and time stamp, and the option to Edit or Delete the comment. Note that this is not related to the comments such as found in the MS Word document metadata.

Words

The Words tab lists all words/terms extracted from this item, together with the following information:

- The search field the term belongs to: text, title, path, etc.
- The frequency of the word in this document and document field.
- The number of documents having this term in the same field.

This list can be used to diagnose why a certain document is or is not returned by a certain query. The list can be exported as a CSV file by right-clicking anywhere in the table. Right-clicking also lets you evaluate a query with the right-clicked term.

Actions

This tab shows the list of actions performed on the item. The action's date and the user that triggered the action are shown in the list. Actions listed are:

- Previewed - the item was opened in the previewer.
- Opened - the item was opened in its native application.
- Exported - the item was exported.
- Tagged with - the item was tagged with the specified tag.
- Flagged - the item was flagged.
- Commented - the item was commented.
- OCRed - the item has text content imported from OCR.
- Redacted - the item was redacted.

Redaction

This tab is only visible after the Redact button in the toolbar has been clicked (see above). See the section on Redaction for a detailed explanation of the functionality in this tab.

20 Tagging

Tagging is the process where you connect a descriptive word to an item or a group of items. For example, one of your items is a PDF document containing valuable information. You decide to tag the item with the word Important. Tagging helps you to organize results, for example by separating important and unimportant information.

Tagging can be done in several ways in Intella. This chapter gives you an overview of the possibilities:

- Tagging in the main window
- Tagging in the previewer
- Letting other items inherit tags automatically
- Pin a tag to a button
- See all tagged items
- Searching with tags
- Deleting a tag

When entering a tag name, one cannot use the slash character (/) as that is commonly used in various places to denote hierarchical tags.

Tagging in the main window

Adding tags

To add tags:

1. Select one or more items from the table, the thumbnail view or the timeline.
2. Open the context menu (right mouse click), and select Add tags.
3. In the Add tags to x items dialog you can select already defined tags, or define a new tag with optional description. When you click OK, the marked tags will be linked to the selected items.

The Add Tags menu option is also available in the Cluster Map: right-click on a cluster or label to open a popup menu with this and other options.

When you start typing the name of a new tag, the list of tags is filtered to show existing tags whose name starts with the entered text. This can be used to check whether the intended tag already exists or to quickly navigate to the tag in a long list of tags.

When creating a new tag, a parent tag can be specified. Parent tags can be used to logically group tags, e.g. grouping custodian names, reviewers, locations or priorities. Parent tags can also be used to tag items. For example, when you have tags called Europe and Asia with subtags representing specific countries, you can choose whether to tag an item with a continent or a country.

Removing tags

The Remove Tags dialog is used to remove tags from the selected items:

1. Select the items from which you want to remove the tags in the table, timeline, thumbnail view, or cluster map panel.
2. Open the context menu (right mouse click), and select the Remove tags menu option.
3. In the Remove tags from x items dialog select the tags that you want to remove, and click OK.

Now the tags are no longer connected to the items.

Tagging in the previewer

If you want to tag or remove a tag in the previewer, please take the following steps:

1. Open the previewer.
2. Click the Tag button to open the tag space.
3. Enter a new tag or select an existing tag.

To remove a tag (to remove the connection between an item and a tag) just deselect the tag from the list.

Three, six or nine tags can be shown as buttons in the previewer. When a tag is listed as a button, clicking the button results in the tag being assigned to the current item. You can set the desired number of these quick-tag buttons in the File > Preferences > Results tab > Previewer section. You can also use Ctrl+1, Ctrl+2, Ctrl+3, etc. to quick-tag an item. The numbers correspond with the button positions.

When the Go to next item after tagging toggle button is selected, the previewer will automatically switch to the next item in the list.

Automatic tag inheritance

When tagging items, the policy of your investigation may be that some related items should be tagged as well. One use case is when tagging items as irrelevant: all nested items may then be considered as irrelevant as well. Another use is tagging items as privileged; depending on your policy, this may then be extended to all other items within the same mail as well.

Intella offers mechanisms that let these additional tags be set automatically. For more information, see the section on tagging preferences.

Pin a tag to a button

In File > Preferences > Tagging tab > Previewer section you can select the number of quick tag buttons: three, six or nine. The default value is three quick tag buttons.

You can pin a tag to a button and keyboard shortcut (Ctrl+1, Ctrl+2, Ctrl+3) with the following steps:

1. Select Tags in the facet panel.
2. Right click on a tag in the list to open the context menu.
3. Select Pin tag to button and select a number from the submenu.

Now you can use the buttons in the previewer and the keyboard shortcuts to tag an item. Tags that are pinned to a button are marked with a small blue pin in both the Tag facet and previewer.

Note: To unpin a tag from a button, select 'Unpin tag' in the context menu of Tags.

See all tagged items

To get an overview of all items that are tagged in your case, please take the following steps:

1. Select Features in the facet panel.
2. Select Tagged from the list and click Search.

Now you can see all the items that have a tag in the Cluster Map panel.

20.6 Searching with tags

To search with tags, please take the following steps:

1. Select Tags in the facet panel.
2. Select a tag and click Search.

Now you can see the items that have the selected tag in the Cluster Map panel.

When querying for a parent tag, the result set will contain all items tagged with that tag or with any of its child tags.

Deleting a tag

To delete a tag from your case, please take the following steps:

1. Select Tags in the facet panel.
2. Right click on a tag in the list.
3. Select Delete and confirm.

Now this tag is no longer in your case.

When you delete a parent tag and confirm the operation, the tag and all its child tags are removed.

21 Redaction

Redaction is the process of concealing part of an item's text, graphics and/or metadata in order to hide that part of the content from unauthorized view. A typical use case of redaction is the concealing of legally privileged information in information that is produced for an opposing party in an e-discovery matter, e.g. because of attorney-client privilege. Other scenarios are hiding person names, birth dates, social security numbers, credit card numbers, etc. due to privacy laws or when they are not relevant to the matter at hand.

Workflow

When redacting an item, Intella first creates a temporary PDF representation of the item and then lets the user mark the sensitive areas in it. This PDF and the added redactions are stored in the case. The original evidence item is not changed, nor is any information removed from the Intella case. At any time the redaction marks can be reviewed, edited and removed.

Only when the item is exported to the final PDF or to a load file are the redactions burned in: all pages in the temporary PDF are converted to images in which the sensitive part is literally blacked out. The result is a PDF that is guaranteed not to contain the sensitive information.

Redaction affects the results of the regular PDF export and the PDFs and TIFFs that are created as part of a load file. For the sake of brevity, the remainder of this section will only refer to exported PDFs when both are meant.

Redacting an item

Items are redacted by opening them in the Previewer and clicking on the Redact button in the toolbar. This adds a tab called Redaction. The Redaction tab contains a PDF rendering of the item and offers various controls for adding and editing redactions. As the PDF is generated on demand, the tab may take some time to appear, depending on the type and complexity of the item.

The item is now ready to be redacted. To redact a part of the content, simply select the rectangular area in the rendered item that needs to be hidden. The selected area will now be covered with a black rectangle. You can repeat this step to conceal additional parts of the item. The redactions are stored automatically; no manual save action is needed.

The rectangle is semi-transparent so that the reviewer can still see what content has been redacted without having to move it. In the final exported document the rectangle will be a solid black.

To move or resize a redaction mark, simply place the mouse pointer above the redaction rectangle. When placed in the middle, the mouse cursor changes to a four-arrowed cross and the rectangle can then be moved by holding the mouse button and dragging the mouse. When placed on a corner, the mouse cursor changes into an arrow and the rectangle can then be resized by holding the mouse button and dragging the mouse.

To remove a redaction, select it and click Delete Redaction. To remove all redactions of this item, click the Clear Redactions button.

When you close and reopen the item, the Previewer will immediately show the Redaction tab again with all previously made redactions, as the PDF is cached. Only when no redactions are added will the PDF be discarded.

Redacted items can easily be found using the Redacted category in the Features facet.

Exporting

When exporting an item to PDF, Intella will by default use the redacted version if there is one. More specifically, it will convert the temporary PDF into a final PDF that contains only images, and will burn in the redactions in these images so that the sensitive content is concealed permanently. Exported load files containing PDFs or TIFFs will undergo a similar process.

The result of this last conversion step is a PDF that has no regular machine-processable text. To verify this, simply open the PDF in a PDF reader like Acrobat and try to select the text. That makes this redaction method very safe (as opposed to removing the sensitive text from the source file) as all information is in plain sight; there is e.g. no hidden metadata that could still leak the sensitive information. The downside is that the PDFs can have a large file size as all text is represented as images, and that they would need to be OCR-ed to make the non-concealed text accessible again for text selection, keyword search, etc.

As the final PDF is derived from the temporary PDF, the PDF export settings entered in the Export dialog will only have any effect on the non-redacted items in the export set.

The redaction toolbar in the Previewer also has an Export button, to export the current item as a redacted PDF. This PDF will be the same as when it is exported as part of a collection of items to PDF, i.e. all pages will be converted to images with their redacted parts showing as black rectangles.
This option is useful when only a few redacted documents are necessary or to verify the redaction export.

Mass redaction

A common redaction method is to search for a company or organization name and to review and optionally redact the search hits. Intella can assist with this process: when the Redaction tab is viewed while Intella's search interface shows one or more keyword queries, the keyword search hits will be highlighted in the Redaction tab and can be redacted with the click of a button.

Note that this highlighting works best on single term queries. It does not work reliably or even at all for more advanced queries such as phrase searches, wildcard queries, etc.

The currently used keyword(s) will be shown in a text field beneath the item content and can be changed. Use the arrow keys to move from one keyword hit to another. Click the Redact button to redact the currently highlighted occurrence, or click the Redact All button to redact all occurrences in the current item.

Please see the subsection on Caveats below when using the Redact All button.

Redaction profiles

When the Redact button in the Previewer is clicked, the PDF that is generated will consist of a limited set of content and metadata properties. For example, e-mails will show their most important headers (sender and recipients, subject and sent/received dates) on the first page, followed by the e-mail body. The full SMTP headers of the e-mail are printed on one or more separate pages, followed by the list and content of the e-mail's attachments.

When this default set of content and metadata properties is not suitable for a specific case, or different settings are desired for different types of items or different audiences, the user can define one or more redaction profiles for the case. Such a profile defines the set of content and metadata properties to be used in the redacted PDF.

When a redaction profile is defined and the reviewer subsequently clicks the Redact button in the Previewer, Intella will ask which redaction profile to use for this item and generate the PDF accordingly.

To define a redaction profile, click the Configure redaction profiles button in the Export menu of the main window and choose Create in the next dialog. The window that opens allows the reviewer to enter a profile name and select which content and metadata properties should be used when this redaction profile is chosen. For a detailed description of the available properties see the section on exporting to PDF.

Caveats

As the purpose of redaction is to conceal sensitive information, it is vital that the reviewer takes notice of the following caveats on the redaction functionality.

First, there are a number of issues to be aware of when using keyword hit highlighting to control the redactions.

When highlighting the search hits in a PDF, the highlighted area may not exactly cover the responsive text in the PDF. The redaction rectangle then needs to be manually moved and resized. Whether this happens depends on the fonts used in the PDF: PDFs that Intella has generated using texts from its own databases are fine (e.g. pages with bodies and headers), but text in existing evidence PDFs or in Word documents that are converted to PDF may be a different story. We have no control over the font characteristics used in those documents and therefore cannot guarantee correct placement of the redaction rectangle.

Another important aspect is that hit highlighting may not find all occurrences of the text that is searched for. For example, words that are misspelled, use a spelling variation or are hyphenated may not be found. Texts inside graphics will also not be found. Note that OCR software that is used to combat this can also introduce spelling errors. Finally, tables and graphs may require extra attention.

When creating a redacted PDF rendering of an item, the PDF is only associated with that specific item, not with any duplicates of that item. We may introduce that functionality in a future version.
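The caveat above, that keyword hit highlighting can miss misspelled or hyphenated occurrences, can be checked on an item's extracted text before relying on Redact All. The following is an added example, not part of Intella or of this manual; the sample text, the term "Globex" and the 0.8 similarity cut-off are constructed assumptions.

```python
"""List occurrences of a term that a literal keyword hit would miss."""
import difflib
import re
import unicodedata
from typing import List, NamedTuple, Optional

WORD = r"[^\W\d_]+"
# A word, optionally continued after a hyphen (or soft hyphen) and a line break.
COMPOUND_RE = re.compile(rf"{WORD}(?:[-\u00ad\u2010]\s*{WORD})*")
WORD_RE = re.compile(WORD)


class Candidate(NamedTuple):
    start: int
    end: int
    text: str
    kind: str  # "exact", "variant" (hyphenated/split/accented) or "misspelling"


def canon(value: str) -> str:
    """Drop hyphens, whitespace and accents, then case-fold."""
    decomposed = unicodedata.normalize("NFKD", value)
    return "".join(ch for ch in decomposed if ch.isalnum()).casefold()


def classify(raw: str, term: str, min_ratio: float) -> Optional[str]:
    """Say how `raw` relates to `term`, or None when it is unrelated."""
    if raw.casefold() == term.casefold():
        return "exact"
    if canon(raw) == canon(term):
        return "variant"
    ratio = difflib.SequenceMatcher(None, canon(raw), canon(term)).ratio()
    return "misspelling" if ratio >= min_ratio else None


def find_candidates(text: str, term: str, min_ratio: float = 0.8) -> List[Candidate]:
    """Return every span a reviewer should look at for a single-term redaction."""
    found = []
    for match in COMPOUND_RE.finditer(text):
        kind = classify(match.group(), term, min_ratio)
        if kind:
            found.append(Candidate(match.start(), match.end(), match.group(), kind))
            continue
        # Otherwise test each hyphen-separated part, e.g. "GLOBEX-related".
        for part in WORD_RE.finditer(match.group()):
            kind = classify(part.group(), term, min_ratio)
            if kind:
                found.append(Candidate(match.start() + part.start(),
                                       match.start() + part.end(),
                                       part.group(), kind))
    return found


def missed_by_literal(candidates: List[Candidate]) -> List[Candidate]:
    """Occurrences that an exact, case-insensitive term match does not cover."""
    return [c for c in candidates if c.kind != "exact"]


# Constructed sample of extracted item text (not taken from any real case).
SAMPLE = (
    "Invoice issued to Globex for Q3.\n"
    "Payment from Glo-\nbex was late.\n"
    "Contact at Globx confirmed (sic).\n"
    "See the GLOBEX-related memo.\n"
    "Global markets were unaffected.\n"
)

if __name__ == "__main__":
    for cand in find_candidates(SAMPLE, "Globex"):
        print(f"{cand.kind:12} {cand.start:4}-{cand.end:<4} {cand.text!r}")
```

Fuzzy matches are review candidates only; text inside graphics remains out of reach of any text-based check, as the caveat states.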
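The Exporting subsection above suggests verifying an exported PDF by trying to select text in a reader. The same check can be scripted for a batch of exports; this is an added example, not Intella's code, and it is a heuristic that only decodes FlateDecode streams. The two sample byte strings are constructed PDF fragments (no xref table), and "Jane Roe" is a made-up sensitive term.

```python
"""Heuristic scan of an exported PDF for content an image-only export should lack."""
import re
import zlib

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj(.*?)endobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
TEXT_BLOCK_RE = re.compile(rb"\bBT\b(.*?)\bET\b", re.S)
# A text-showing operator follows a string ")", a hex string ">" or an array "]".
SHOW_TEXT_RE = re.compile(rb"[)\]>]\s*(?:Tj|TJ|['\"])")


def decode_stream(dictionary, payload):
    """Return the decoded stream, or None if its filter is not handled here."""
    filters = re.findall(rb"/(\w+Decode)\b", dictionary)
    if not filters:
        return payload
    if filters != [b"FlateDecode"]:
        return None
    try:
        # decompressobj tolerates a payload cut one byte short by the regex split.
        return zlib.decompressobj().decompress(payload)
    except zlib.error:
        return None


def inspect_pdf(pdf, sensitive_terms=()):
    """Return (object number, reason) findings; an empty list means none found."""
    findings = []
    for match in OBJ_RE.finditer(pdf):
        number, body = int(match.group(1)), match.group(2)
        stream = STREAM_RE.search(body)
        dictionary = body[:stream.start()] if stream else body
        decoded = b""
        if re.search(rb"/Type\s*/Font\b", dictionary):
            findings.append((number, "font resource present"))
        # Pixel data of image XObjects is not scanned.
        if stream and not re.search(rb"/Subtype\s*/Image\b", dictionary):
            decoded = decode_stream(dictionary, stream.group(1))
            if decoded is None:
                findings.append((number, "stream filter not decoded by this check"))
                decoded = b""
        if any(SHOW_TEXT_RE.search(block) for block in TEXT_BLOCK_RE.findall(decoded)):
            findings.append((number, "text-showing operator in content stream"))
        haystack = (dictionary + decoded).lower()
        for term in sensitive_terms:
            for encoding in ("latin-1", "utf-16-be"):
                try:
                    needle = term.lower().encode(encoding)
                except UnicodeEncodeError:
                    continue
                if needle in haystack:
                    findings.append((number, f"term {term!r} found ({encoding})"))
    return findings


def _obj(number, dictionary, payload=None):
    """Serialise one constructed PDF object, with an optional stream."""
    if payload is None:
        body = b"<< " + dictionary + b" >>"
    else:
        body = (b"<< " + dictionary + b" /Length %d >>\nstream\n" % len(payload)
                + payload + b"\nendstream")
    return b"%d 0 obj\n" % number + body + b"\nendobj\n"


def sample_unredacted_pdf():
    """Constructed fragment: a page whose content stream draws text with a font."""
    content = zlib.compress(b"BT /F1 12 Tf 72 720 Td (Account holder: Jane Roe) Tj ET")
    return (b"%PDF-1.4\n"
            + _obj(1, b"/Type /Font /Subtype /Type1 /BaseFont /Helvetica")
            + _obj(2, b"/Filter /FlateDecode", content))


def sample_image_only_pdf():
    """Constructed fragment: a page that only paints one full-page image."""
    page = zlib.compress(b"q 612 0 0 792 0 0 cm /Im0 Do Q")
    pixels = zlib.compress(bytes(64 * 64))
    return (b"%PDF-1.4\n"
            + _obj(1, b"/Filter /FlateDecode", page)
            + _obj(2, b"/Type /XObject /Subtype /Image /Width 64 /Height 64 "
                      b"/ColorSpace /DeviceGray /BitsPerComponent 8 "
                      b"/Filter /FlateDecode", pixels))


if __name__ == "__main__":
    for name, pdf in (("unredacted", sample_unredacted_pdf()),
                      ("image-only", sample_image_only_pdf())):
        print(name, inspect_pdf(pdf, ["Jane Roe"]) or "no findings")
```

An empty result does not prove the export is clean: encrypted files and filters other than FlateDecode are reported as undecoded rather than inspected, and whatever is still visible in the page images needs OCR or a visual check.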

135 22 Exporting Intella supports a number of exporting formats, each focusing on a different use case Exporting a single result A single result can be exported by right-clicking on a row in the Details table (or on the item in any of the other views) and selecting Export in the content menu. Alternatively, select an item by clicking on it and choose Export > Result in the menu bar. A file chooser will open that lets you specify the folder and file name. Click Save to export the result to that file. The mouse cursor will show a busy icon while the exporting is taking place. The result will be saved in its original format, i.e. a Word document attached to a mail gets saved as a Word file. All mails from mail sources (PST/OST/NSF/DBX/MBX/Mbox files and IMAP servers) are exported as EML files. Evidence files that are already in EML, EMLX or MSG format as exported as such. Contacts will be stored in vcard format. Calendar items from PST files will be stored in ical format Exporting a list of results To export a collection of search results at a time, you can use the following procedure: Use Ctrl-click or Shift-click to select multiple items in the Details pane, using the table or thumbnails view. Alternatively, right-click and choose Select All to select all items in the list. Right-click and choose Export Highlighted Item(s), or choose Results List from the Export menu. This opens the Export Wizard. This wizard lets you choose the export format and its settings and the export process Export formats The first wizard page lets you choose an export format: Original format exports a file into its original format, i.e. a Word document attached to an is saved as a Word file. All s from mail sources (e.g. a PST or NSF file) are exported as EML files. s that are already in EML, EMLX or MSG format are exported as such. All contact items from PST/OST files are exported as vcard (.vcf) files. All calendar items from PST sources are exported as icalendar (.ics or.ical) files. 
  The exported files can be opened with the program that your system has associated with the file extension used. Folders may be created during exporting whose name ends with _files. This is necessary to separate e.g. an archive from the items that were extracted from that archive, as both may be exported at the same time.
- PDF converts every item into a PDF document, containing the content of the original item and a configurable set of properties.
- PST lets you export items to a MS Outlook PST file. The main purpose of this option is to use the PST file as a carrier for transport of e-mails, but other item types are supported as well. The receiver can open the PST file in Microsoft Outlook or process it in another forensic application.
- i2 Analyst's Notebook/iBase exports the results in a format that can easily be digested with i2's Analyst's Notebook and iBase applications. All metadata of all items, all attachments and all bodies can be imported into these tools, allowing rapid social network analysis and all other analytical abilities of these applications on e-mail and cellphone evidence data.
- Load file will export the items in a format that can be imported into Summation, Concordance, Ringtail and Relativity.
- Relativity will export items directly to a Relativity server, i.e. without the use of an intermediary load file. This functionality is still in an experimental state.

Only one format can be chosen per export run.

Destination folder

The chosen destination folder will contain all exported items, including all export reports (see below). You will get a warning when this folder is not empty. Though Intella tries not to overwrite any files in the specified folder, we recommend specifying an empty folder to be sure.

For every selected format a subfolder will be created that holds the files of that export format. All export reports will be placed in the top folder.

When exporting a number of sets to the same destination folder, the subfolders with produced files will be merged, but earlier produced files will not be overwritten.
Each export run will have its own set of export reports.

Export templates

The configuration entered in the Export window or sub-windows like the load file field chooser will automatically be restored the next time the Export window is opened. No manual action is necessary to achieve that.

The current configuration can also be stored as a user-named template in the last wizard sheet. In the first sheet all stored templates are listed in a drop-down list. Selecting one restores the state of the Export wizard to the one stored in the selected template.

Export templates are stored in the following folder:

Windows Vista, Windows 7 and Windows 8/8.1
C:\Users\<USERNAME>\AppData\Roaming\Vound\Intella\export-templates

Windows 2000, XP
C:\Documents and Settings\<USERNAME>\Application Data\Intella\export-templates

You can easily access this folder through the Help > Open Export Templates Folder menu item.

Note that export templates are stored outside of the case data folder. This makes all templates automatically available across all cases on the same machine and user account. To use templates with other user accounts or on other machines, just copy the XML file named after the template to the export-templates folder on that account or machine.

When you click Next, the wizard will let you configure the format-specific options.

Suppressing irrelevant items

You can use the "Suppress irrelevant items" checkbox to automatically exclude all items from the export that have been classified as Irrelevant during indexing. See the Features facet section for a definition of irrelevant items. The number of irrelevant items in the current item set will be shown in parentheses.

Export sets

When a set of items is exported, they can optionally be added to an export set. This is a named set that captures information about the export. When a specific item is about to be exported, the file name and number are recorded in the export set. Furthermore, the current export settings are stored as part of the set.

When the export set is later selected again when exporting another set of items, this will affect that export run in the following ways:

- All export settings such as the chosen export format, file naming and numbering schemes, etc. will be the same as in the first export run. In other words, the export set works similarly to an export template.
- File numbering continues where it left off, rather than starting over again.
- Items that have been exported before with this export set selected will get the same name and number as the previous time(s) they were exported.

When an export set is specified, the resulting export ID (typically based on subject, file name and/or consecutive number) can be made visible in the Details table by adding an Export column that corresponds to the export set.
The Export IDs can also be searched for using keyword search and keyword list search.

PDF file options

The first wizard sheet on PDF options lets you decide whether to export to individual PDF files, one for every selected item, or to export all items into one single concatenated PDF file. When exporting to a concatenated PDF, the resulting PDF can optionally be split in chunks of a given size. This is recommended for performance and stability reasons.

File naming and numbering (original format, PDF, load files)

This wizard sheet consists of three sections:

- File naming defines how to compose an exported file name (original format, PDF) or page (load file export).
- File numbering defines how exported files are numbered.
- File grouping defines how exported files are grouped into folders.

File naming

By default, exported files will be named using the original evidence file's name or the subject of an e-mail.

Alternatively, you can choose to number the files using consecutive numbers. These options can also be combined: a number followed by the file name or subject. Load file naming offers a more elaborate numbering style, whose parts can be further configured in the File Numbering section.

When using a numbering style, you can also define a prefix. Anything you type here will be added to the beginning of the filename. E.g. the prefix export- will result in the first e-mail being named export eml, when you combine it with consecutive numbering.

Using "Advanced" mode you can define a file name template that will be a base for the exported file name. The template may include the following fields:

- %num%: A counter value will be added. You can also define a number of leading zeroes in the counter using the following format: %000num%. The number of zeroes defines the number of digits used in the counter. The default number format for the counter is to use 8 digits.
- %group1%, %group2%: Group counters used with load file export only. See the "Export as a load file" section for details.
- Any Intella column identifier surrounded by the '%' symbol, like %md5%.
- %Best_Title%: One of the following fields: File name, Subject, Title, Contact Name or "Untitled".

In order to insert any field in the template you can either type it manually or select the field from the dropdown list and press "Add field".

File numbering

Using the "Start at" option you can define the number to start counting with. By default exporting will start counting at 1. A typical reason to use a different start number is when you want to combine the exported results with another set of already exported files. Numbers are always 8 digits long.

Folder, Page rollover and Box are only relevant when using load file naming.

File grouping

Select the option "All in one folder" to put all exported files in one folder.
Select the option "Keep location structure" to preserve the original folder structure that the items have in the evidence files. A folder will be created for every source, in which the original folder structure of that source (as shown in the Location facet) will be recreated.

File name examples

On the right side you can see a live preview of how the exported file names would look based on the current settings, using items from your current item set as examples.

PDF rendering options (PDF, load files)

[Note: when exporting a load file, this sheet is called "PDF or image rendering options".]

The options in this sheet only apply to non-redacted items; the exporting of redacted items is governed by the Redacted items sheet.

For all types of items, you can indicate whether to include a basic item header, properties, raw data, body and comments in the PDF:

- The item header is shown at the top, above a black line, and shows the subject or file name.

- The properties include typical metadata attributes such as titles, authors, all dates, hashes, sizes, etc. By default all properties are included, but you can remove some of them in the "Select properties..." dialog.
- The raw data varies between item types. For example, for PSTs the low-level information obtained from the PST is listed here and for vCards the actual content of the file is listed. This field may reveal properties that Intella does not recognize and are therefore not to be found in the Properties section.
- The main properties above body include main properties such as Subject, From, To, Sent, Received, etc. By default all properties are included, but you can remove some of them and change the order of the remaining elements by clicking the Configure button.
- The comments refer to the ones made by Intella user(s) in the Comments tab in the Previewer. They are not to be confused with comments that can be made in, for example, a Word document. These are part of the Properties section. Note that the reviewer comments may include sensitive information such as evidence file names, investigator insights, etc.

Furthermore, the item's content can be exported in its original format, as the extracted text, or both. The following file formats can be exported in their original view:

- E-mails with an HTML body.
- MS Office (doc, docx, xls, xlsx, ppt, pptx)
- Open Office (Writer, Calc, Impress)
- WordPerfect
- RTF
- HTML
- PDF

When you select "Original view", you will also be able to define a list of item types that should be skipped for this. You can use this to e.g. prevent native view generation of spreadsheets, which often are hard to read in PDF form. An optional placeholder text can be added to make clear that original view generation has been skipped on purpose for this item. When you also select the "Export skipped item as native file" option during load file export, the resulting load file will not contain the corresponding native file.
By selecting "Also skip extracting text" you can skip generating the extracted text as well. This includes extracted text added to the resulting PDF and extracted text exported as a separate file as part of a load file.

When the option "Prefer image imported from load file over Original view" is selected, an image imported from a load file will be used instead of the Original view. Note that this is the image shown under the Image tab in the Previewer.

If you uncheck "Include item metadata", the resulting PDF will not contain any additional information except for the actual item content (in its original format and/or as extracted text), the document title/subject and the headers and footers defined in the next sheet. Most of the options on this sheet will then be disabled.

For e-mails, the following additional information can optionally be included:

- A checkbox is provided that controls whether the HTML or plain text body is preferred. This option is only available when the "Content as" setting is set to a value that involves original view generation, i.e. anything other than Extracted text.
- The full headers.
- A list of all attachments, as a separate page. The file name, type and size of each attachment will be listed.

- The actual contents of the attachments. The original view (described below) will always be selected by default, with the extracted text used as a fallback.

For loose files and attachments that are not e-mails, the following additional information can optionally be included:

- List all embedded items, e.g. images found in the document.

It is possible not to include the lines that separate the headers and footers from the content by unchecking the "Draw header and footer line separators" checkbox. Section names such as "Image", "Original view", "Extracted text" etc. can also be excluded from the resulting PDF by unchecking "Include section names".

PST options

Enter a file name to use for the generated PST.

Enter a display and folder name. After opening the exported PST file in MS Outlook you will see the names you entered. They help you to locate the PST file and its contents in MS Outlook.

Select the option "Keep location structure" to preserve the original folder structure during the export.

The resulting file can optionally be split into chunks of a given size. This is highly recommended for larger result sets that would make the PST grow beyond the default suggested file size, as Outlook may become unstable with very large PST files. The produced files will have a file size that is close to the specified maximum file size (usually smaller). The export report will list for every item to which PST it was added.

Item types that can be exported directly to a PST file

Besides e-mails, the following item types can be exported directly to a PST file:

- Contacts
- Calendar items:
  o Appointments
  o Meetings
  o Meeting requests
- Tasks
- Journal entries
- Notes
- Distribution lists

Limitations:

- iCal recurrence rules (RRULE property) are not exported.
- PST Distribution lists are exported, but their list members are not.

These limitations may be removed in a future Intella release.

Please note that non-e-mail items will be exported to a regular PST folder under the Mail section, so not in e.g. the Contact section.

How to export other item types to a PST file

Items such as Word and PDF documents cannot be exported directly to a PST file. As such items may be attached to an e-mail, Intella can be configured to export the parent instead. You can choose to either include the top-level parent or the direct parent. An example would be an attachment contained within an e-mail message within another message. With the top-level parent selected all parent items of the attachment (both e-mails) would be included in the PST, one nested within the other. The second option exports the nested e-mail to the PST. You can also choose to simply skip non-e-mail attachments.

Although this option only mentions parent e-mails, it also applies to e.g. PDF files attached to a meeting request or any of the other exportable items. In this case, enabling this option will export the meeting request instead. This option may therefore be renamed in the future.

Note: Files in a folder source lack a parent and therefore cannot be exported to a PST file, except for mail files like EML, EMLX and MSG files, or files of the types listed above.

How to export attached e-mails

The last setting controls what happens with e-mails that are selected for export and that also happen to be attachments. These are typically forwarded messages. Such e-mails can technically be exported to a PST without any restrictions, but the investigation policy may require that the parent is exported instead, to completely preserve the context in which this e-mail was found. That can be done by choosing the Replace with its top-level parent option. Alternatively, use the Export attached option to export the attached e-mail directly to the PST.

iBase and Analyst's Notebook options

At the moment the Analyst's Notebook and iBase export does not provide any configuration options. Templates, import specifications and instructions are provided for Analyst's Notebook and iBase. Please contact support@vound-software.com for more information.

Load file options

You can select one of the following load file formats:

- Summation.
- Concordance.
- Relativity.
- Ringtail.
- Comma Separated Values file.

Each load file export consists of several parts:

- The main load file, containing the selected fields.
- Native files, representing the items in their original format.
- Image files, containing metadata and content as configured in the "PDF or image rendering options" sheet.
- Text files that contain the extracted text.

The first part is mandatory; the others can be turned off.
The main load file name can be changed using the "File name" text field. It is also possible to specify the main file encoding when the Summation format is selected.

By selecting "Use custom date/time formats" you can override the date and time format used in the load file. Please see this document for the date/time format syntax details:

In order to control the quality of the exported images, you can set the "Image DPI" parameter. It defines the number of dots (pixels) per inch. A higher DPI setting results in higher quality images, but these will take more time to produce and consume more disk space. It is also possible to adjust the TIFF compression type. Note that the image will be converted into a black-and-white variant if one of the "Group Fax Encoding" compression types is selected.

The extracted text can be configured by clicking the Configure button. In the "Configure extracted text" dialog you can choose which components to include and also change their order.

When you need to embed the extracted text directly into the load file itself (the DII, DAT or CSV file) instead of exporting it into a separate file, you can use the checkbox "Embed extracted text into load file". A custom field of type "EXTRACTED_TEXT" should be used to insert the text as a field in this case.

When exporting to Summation the checkbox "Include Summation control list file (.LST)" can be used to generate a plain text file that lists all document IDs along with the extracted text files. The "OCR Base" field controls the prefix used for the extracted text files.

The "Exclude content" option can be used to completely exclude the content of items tagged with a specified tag. For every excluded item only the metadata will be added to the load file. The text and the images will contain the text specified in the "Placeholder text" field. Native files will also not be generated for such items.

Numbering with load files

The numbering used for load files differs from the other export formats. When exporting to a load file, every exported page has its own unique number. The number of the first page is usually used as the number of the document. Please note that pages are numbered only if image files are included in the export.
On the "Headers and footers" sheet you may choose a special field PAGE_NAME which is available only with load file export. This will put the current page name as it was configured on the "Naming and numbering" sheet.

Another difference is that by default all export files are grouped into folders and optionally boxes. The "Page rollover" option defines the maximum number of pages that a folder can contain. The maximum number of folders in a box is fixed to 999 (at the moment it can be changed via an export template XML file only). Additionally you can set a starting number for the page ("Start at"), folder and box.

By default, the page counter starts over when switching to the next folder, so the first page in the next folder will have the number "1". This approach can be changed by using the "Continue page numbers from previous folder" option. When it is selected, the page counter will continue page numbering from the last page of the previous folder. In other words, page numbers will be unique across the entire export set.

Additionally, the "Advanced" numbering mode can be selected when exporting to a load file. In this case you will be able to set a custom file name template. Please see the file naming and numbering section for details. Note that %num% means a page number, not a document number in this case. Also there are two new fields that can be used:

- %group1%: folder counter
- %group2%: box counter

You can also use the %000group1% syntax to define the number of leading zeroes in the counter (similar to the %000num% syntax). Thus, the default load file numbering schemes can be expressed using the following templates:

PREFIX.%group2%.%group1%.%num% = Prefix, Box, Folder, Page
PREFIX.%group1%.%num% = Prefix, Folder, Page

%group2%.%group1%.%num% = Box, Folder, Page

When using the Advanced mode it is important to set a file grouping: All in one folder or Load file mode. When Load file grouping mode is selected, the exported files will be grouped by folders and, optionally, boxes in exactly the same way as described above.

Field chooser

The "Field chooser" sheet contains a table of the fields that will be included in the load file. By default the starting set of fields depends on the selected load file format. The "Name" and "Comment" columns in this table are used only for managing the fields within Intella and are not included in the load file. The "Label" column value is used as a column label in the load file. The "Type" column can be one of the following:

- SUMMATION: It can be used only with Summation load file format and cannot be modified.
- RINGTAIL: It can be used only with Ringtail load file format and cannot be modified.
- CUSTOM: User-created field. It can be used with any load file format.

You can include an additional custom field by pressing the "Add custom field..." button. Next, enter the name, label and comment. Select one of the following types:

- FIXED_VALUE: Fixed value as specified in the "Value" field.
- INTELLA_COLUMN: One of the Intella columns.
- ITEM_BEST_TITLE: One of the following Intella columns: File name, Subject, Title, Contact name or "Untitled".
- RECORD_ID_START: Name of the first page of the document.
- RECORD_ID_END: Name of the last page of the document.
- RECORD_ID_GROUP_BEGIN: Name of the first page of the first document in the current "parent-child" group.
- RECORD_ID_GROUP_END: Name of the last page of the last document in the current "parent-child" group.
- RECORD_ID_PARENT: Name of the first page of the parent document.
- NUMBER_OF_PAGES: Number of pages of the document.
- FILE_NATIVE: Relative path of the original format of the document to the base folder.
- FILE_IMAGE: Relative path of the first image of the document to the base folder.
- FILE_TEXT: Relative path of the extracted text file of the document to the base folder.
- EXTRACTED_TEXT: Extracted text directly embedded in the load file body. See the "Embed extracted text into load file" option described above.
- _INTERNET_HEADERS: Full Internet headers of the e-mail.
- ATTACH_ID_LIST: The list of attachment IDs.
- IS_: "True" if the document is e-mail, "False" otherwise.
- FILE_EXTENSION: The file extension of the document.
- DIRECT_PARENT: ID of the document's direct parent.
- DIRECT_CHILDREN_IDS: The list of IDs of the document's direct children.
- BEG_ATTACH: Name of the first page of the first attachment document in the current "parent-child" group. Empty if there are no attachments in the current group. Used for e-mails only.
- END_ATTACH: Name of the last page of the last attachment document in the current "parent-child" group. Empty if there are no attachments in the current group. Used for e-mails only.

When exporting to a load file, all documents are grouped by their parent-child relationship. For example, an e-mail and its attachments form a single group. The columns "RECORD_ID_GROUP_BEGIN" and "RECORD_ID_GROUP_END" denote the start and end page numbers of such a group.

When adding a date column as a custom field, it is possible to choose how the date is formatted: show date only, show time only or show full date and time. Note that you can add the same date field more than once and use different formatting options. For example, you can add two custom fields: DATE_SENT ("Sent" column, show date only) and TIME_SENT ("Sent" column, show time only).

Click the "Select default fields" button to select only those fields that are part of the default field set for the selected load file format.

Relativity options

Intella can export items directly into a Relativity database, i.e. without the need to manually handle load files. Note that this functionality requires Microsoft .NET and the Relativity SDK to be installed. See the Installation section for further details.

On the "Relativity options" page you can specify a service URL, user name and password. Please ask your Relativity administrator for the correct settings. The Relativity service URL usually looks like this:

You should use the same service URL as you use in Relativity Desktop Client.

Click the "Get list from server" button to get a list of Relativity workspaces. Select the workspace you want to export the items to. You should also choose an identity field which is used as a key field in the selected workspace (it's usually "Control Number").

The rest of the settings are the same as you can use during an export to a load file. You can include natives, images and texts. Please note that when you use a field chooser, you can choose an existing field from the selected workspace. The field editor will also show a little warning icon near the field label if you enter an incorrect field name.
Current limitations:

- The Overwrite mode is currently fixed to "Append". An option may be added in a future release.
- In order to export a folder structure, the "Location" field should be added to the list.
- In order to export natives the field "FILE_PATH" should be added to the list.
- In order to export texts the field "FILE_TEXT" should be added to the list.
- Items are exported to the workspace root folder. An option may be added in a future release.

Headers and footers (PDF, load files)

You can set headers and footers for the generated PDFs and images. For each corner you can select one of the following fields to display:

- EMPTY: Nothing will be displayed.
- EXPORTED_FILE_NAME: A file name as it was configured on the "File naming and numbering" sheet.
- PAGE_NAME: A page name as it was configured on the "File naming and numbering" sheet. Note: this option will work only with load file export. For other export types this will be replaced with EXPORTED_FILE_NAME.
- BEST_TITLE: This is one of the following fields: File name, Subject, Title, Contact name or "Untitled".
- Any Intella column: This will be exactly the same value as it is displayed in the result table.

You can also type any static text instead of selecting one of the fields.

Redacted items

This wizard sheet controls how Redacted items are to be handled when they are part of the set of items to export. The options available depend on the chosen export format.

When exporting to Original format or PDF:

- When the option "Use redacted images when available" is selected, any redacted item will be exported in its redacted form. Note that for Original format export a PDF will then be generated, rather than the item being exported in its original file format.

When exporting to Original format, PST or i2 iBase/ANB:

- When the option "Suppress redacted items" is selected, any redacted item will be skipped.

When exporting to Load file or Relativity:

- When the option "Use redacted images when available" is selected, the image will be exported in its redacted form.
- When the option "Suppress natives for redacted items" is selected, exporting of the native file will be skipped when the item has been redacted.
- When the option "Suppress text for redacted items" is selected, exporting of the extracted text will be skipped when the item has been redacted. The text can optionally be replaced with the specified placeholder text.

Creating an export report

You can indicate whether you want to create an export report for this export. The report can be formatted as a PDF, RTF, CSV and/or HTML file. For PDF, RTF and HTML reports you can also add a comment that will be displayed on the first page of the report.

Export reports link the original files to the exported files, by listing identifying information about the original item (e.g. source evidence file, MD5 hash) and linking to the exported file. The export report may also contain information that is lost during export, such as the evidence file's last modification date; like any copy, the export file has the date of export as its last modification date.

Important: If the export of a specific result resulted in errors, you will be notified with an error message in the application.
You can find the error notifications at the end of the PDF and RTF report or in the last column of the CSV report.

Skipped items

The exporting progress user interface may report skipped items. These relate to the fact that not all items are inherently exportable to the chosen export format(s). Examples are:

- A file inside an encrypted ZIP file may be known to Intella but it cannot be exported to Original Format if Intella could not decrypt the ZIP file. Exporting to PDF is possible though, with the information that is known.
- When using the default PST export settings, Intella will try to replace non-exportable items with their parent e-mail. If there is no parent e-mail, the item is skipped.
- Folder results are always skipped.

All skipped items are listed in the export report.

Exporting to a CSV file

You can export a results list to a comma separated value (CSV) file. A CSV file contains all information listed in the table. CSV files can be opened in a spreadsheet application such as Microsoft Excel and can be processed through scripting, which opens up new analytical abilities. This functionality can also be used to generate MD5 lists.

To export the table to a CSV file:

1. Select the results in the table that you want to export to a CSV file. You can use the Select All option in the right-click menu to easily select all rows.
2. Right click on the selected files and click Export table as CSV.
3. Mark the names of all columns that you want to include in the CSV file.
4. Give the CSV file a name and select Export.

The selected columns are stored so that the next time you bring up this dialog, the same columns will be selected.

Should you frequently use different export settings, then you can save these as separate templates. Click the New button to create a new template and enter a name. The new template will automatically be selected and any selection changes will be stored under that template name. Click the drop-down list to go back to the previous (default) template. The settings will now be restored to what they were before you created/selected the other template.

The contents of the Senders and Receivers columns are configurable to show either the contact name(s), the address(es), or both.
The maximum text length of a value inside a cell can optionally be trimmed to 32,000 characters. This is often necessary when one wants to open the CSV file in MS Excel. When opening a CSV with longer texts in Excel, these long texts are typically broken up and roll over to the next row, breaking the table structure.

Tip: The CSV format is not a formal standard; different applications may have different conventions on how to separate cells and escape special characters. Intella uses the comma character to separate cells and uses a double quote character to escape values containing commas or other special characters. To import such files in MS Excel 2010, select Data > From Text in the ribbon. Next, select the file with the file chooser. In the wizard that opens next, choose Delimited. Set the Delimiters option to Comma and set the Text Qualifier to the " character. Click Finish.
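The following Python script is an added example, not part of the Intella manual or product. It shows how an exported table can be processed through scripting to produce an MD5 list, group rows that share a hash, and flag cells longer than the 32,000-character trim length mentioned above. The header names "File Name", "MD5" and "Subject" and all sample rows are assumptions constructed for the example.

```python
import csv
import io
import re

# Trim length the manual mentions for cells that must survive an Excel import.
EXCEL_SAFE_CELL_LEN = 32_000
MD5_RE = re.compile(r"[0-9a-fA-F]{32}")

# Constructed sample of an exported table; the header names are assumptions.
# It exercises the quoting convention from the Tip (commas, doubled quotes and
# a line break inside quoted cells) plus one cell longer than the trim length.
SAMPLE_CSV = (
    "File Name,MD5,Subject\r\n"
    '"report, final.docx",9E107D9D372BB6826BD81D3542A419D6,"Q3 ""draft"" numbers"\r\n'
    'notes.txt,e4d909c290d0fb1ca068ffaddf22cbd0,"line one\nline two"\r\n'
    '"copy of report, final.docx",9e107d9d372bb6826bd81d3542a419d6,\r\n'
    "Inbox,,\r\n"
    "broken.bin,not-a-hash,\r\n"
    "big.txt,d41d8cd98f00b204e9800998ecf8427e," + "A" * 32_001 + "\r\n"
)


def read_rows(text):
    """Parse comma-separated, double-quote-escaped text into a list of dicts."""
    # newline="" lets the csv module handle line breaks inside quoted cells.
    reader = csv.DictReader(io.StringIO(text, newline=""))
    return [
        {key: (value or "") for key, value in row.items() if key is not None}
        for row in reader
    ]


def build_md5_list(rows, md5_col="MD5", name_col="File Name"):
    """Return (unique_hashes, duplicates, rejected).

    unique_hashes: sorted, lower-cased MD5 values, one per distinct hash.
    duplicates:    hash -> item names, for hashes seen on more than one row.
    rejected:      (data_row_number, value) for non-empty cells that are not MD5.
    """
    names_by_hash = {}
    rejected = []
    for number, row in enumerate(rows, start=1):
        value = row.get(md5_col, "").strip()
        if not value:
            continue  # rows without a hash are left out of the list
        if not MD5_RE.fullmatch(value):
            rejected.append((number, value))
            continue
        names_by_hash.setdefault(value.lower(), []).append(row.get(name_col, ""))
    unique = sorted(names_by_hash)
    duplicates = {h: names for h, names in names_by_hash.items() if len(names) > 1}
    return unique, duplicates, rejected


def oversized_cells(rows, limit=EXCEL_SAFE_CELL_LEN):
    """List (data_row_number, column, length) for cells longer than limit."""
    return [
        (number, column, len(value))
        for number, row in enumerate(rows, start=1)
        for column, value in row.items()
        if len(value) > limit
    ]


if __name__ == "__main__":
    rows = read_rows(SAMPLE_CSV)
    unique, duplicates, rejected = build_md5_list(rows)
    print("\n".join(unique))
    for md5, names in duplicates.items():
        print("same content:", md5, names)
    for number, value in rejected:
        print("row", number, "has an invalid MD5 cell:", value)
    for number, column, length in oversized_cells(rows):
        print("row", number, "column", column, "has", length, "characters")
```

Hash values are lower-cased before comparison so that the same MD5 written in different letter case is counted once.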

22.4 Exporting the result counts

The number of hits per search query can be exported by right-clicking in the Searches list in the upper-right corner and selecting Export queries. This produces a CSV file with the following columns:

- Facet: e.g. Type or Keyword Search.
- Result: the textual representation of the search, e.g. the entered search terms or selected facet values.
- Total Count: the total number of items that matched this query.
- Count after Includes and Excludes: the number of items that were retained after applying the Includes and Excludes (if any) to the original set.

Exporting the social graph data

Intella can export the social graph of a collection of e-mails by selecting the items in the Details view, right-clicking on one of the selected items and choosing Export Social Graph. This procedure creates a graph data file where all nodes represent contacts and all edges represent the fact that mails have been sent between those two contacts.

Important: This is different from exporting a social graph image, which is covered in the Social Graph chapter.

The edges are weighted, with the weight representing the number of mails that have been sent from one contact to another. The edges are directed to differentiate mails sent from A to B from those sent from B to A.

The graph can be exported into one of the following formats:

- A CSV file containing three columns: the sender, the receiver and the number of mails.
- A GML (Graph Modeling Language) file containing that same information.
- A GraphML file containing that same information.

A CSV file can be very practical because it can be viewed and edited in spreadsheets and it is easy to write scripts that can process them. Be aware though that CSV is a very informal standard. Different tools may have different rules on how to encode special characters. Some tools that can process CSV graph files may require that the third column be removed.

GML and GraphML are formats specifically designed for specifying graph structures.
They can be processed in free tools such as Gephi and NodeXL as well as a number of commercial applications. As GraphML is based on XML, it offers the best solution for dealing with foreign character sets Exporting the event log The case event log keeps the history of all actions performed by all users of this case, such as adding new sources, individual searches, taggings, exports and so on. The event log records can be exported to CSV format for auditing purposes. Page 147 Intella User Manual 2016 Vound

To export the event log, select Export > Event Log in the main menu. In the dialog box, specify the name and path of the CSV file to export to.

In the Export events between part you can choose the start and end dates of the events to export. By default, the date range is automatically set to cover all events.

The options in the Select event types part allow for specifying the type of events that should be exported. Furthermore, you can also narrow down the events to cover specific users only, by checking the Only include events of these reviewers option and selecting the user(s) in the pop-up box.

The exported CSV file contains the chronologically ordered event log records, one record per line. The records include the following columns:

• Time: date and time of the event.
• Event Type ID: a number indicating the type of the event. This can be used for sorting event records by type, for example in MS Excel.
• User: name of the user responsible for this event.
• Message: human-readable description of the event.

23 Command-line support

Important: This functionality is still in an experimental stage. We welcome any feedback; please visit our support portal.

Intella supports command-line arguments for opening or creating a case and indexing a folder of evidence files. You can choose between two different executables:

• Intella.exe will always open the Intella main window with the (new or existing) case open. Use this for e.g. shortcuts or other scripts that should launch Intella's main user interface.
• IntellaCmd.exe will only show feedback on the command line. Use this for automating case creation and indexing.

For IntellaCmd.exe an Intella Professional or Intella TEAM Manager license is required. Intella.exe can be used with all licenses.

Opening a case

To open a specific case, the following arguments can be used:

    Intella.exe -user <user> -case <case location>

If the case folder doesn't exist, the case will be created automatically at this location with default options.

You can also use abbreviated argument names, like this:

    Intella.exe -u <user> -c <case location>

Creating a new case

The following instruction creates a new case at a specific location with a specific user, name and description:

    Intella.exe -user <user> -case <case location> -casename <name> -casedescription <description>

When a case already exists at that location, it is simply opened and the specified case name and description arguments are not used. In other words, there is no difference in syntax between creating a new case and opening an existing case.

The abbreviated form of the above instruction would be:

    Intella.exe -u <user> -c <case location> -cn <name> -cn <description>

Indexing a folder

The following instruction can be used to open or create a case and index a folder with evidence files:

    Intella.exe -user <user> -case <case location> -evidence <evidence location> -sourcename <name>

or in the abbreviated form:

    Intella.exe -u <user> -c <case location> -e <evidence location> -sn <name>

Indexing options can be specified using the following arguments:

-tz, -sourcetimezone [TZ]
    The timezone of the new source (example: -sourcetimezone CET).
-ima, -indexmailarchives [true|false]
    Index mails and files in mail archives (default: true).
-ia, -indexarchives [true|false]
    Index files inside archives, such as ZIP and RAR files (default: true).
-ie, -indexembedded [true|false]
    Extract images and other files embedded in MS Office, OpenOffice and PDF documents (default: true).
-cef, -cacheevidencefiles [true|false]
    Copy all evidence files into the case folder (default: false).
-ap, -analyzeparagraphs [true|false]
    Enable paragraph analysis (default: false).
-tf, -taskfile [File]
    Specify a .json task file to run after indexing completes, containing e.g. keyword or hash list searches and tagging or exporting the results.

Headless mode

It is possible to run Intella in a non-interactive (headless) mode. IntellaCmd.exe should then be used instead of Intella.exe, for example:

    IntellaCmd.exe -user <user> -case <case location> -evidence <evidence location> -sourcename <name>

Logging

The desired log level can be specified using the "-log" argument, for example:

    Intella.exe -user <user>... -log DEBUG

Valid options for the log level are:

• ERROR
• WARN
• INFO
• DEBUG

Both Intella.exe and IntellaCmd.exe support specifying the log level.
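One way to script the headless indexing described above, as an added example rather than Vound's own tooling: it builds the IntellaCmd.exe argument list from the options on this page and writes every boolean out explicitly. The function names, the absolute-path requirement and the sample user and paths are assumptions of this example.

```python
"""Build an explicit IntellaCmd.exe argument list for unattended indexing.

Added example: function names, the absolute-path policy and the sample
paths are assumptions; the flags and values are the ones listed above.
"""
import subprocess
from pathlib import PureWindowsPath

LOG_LEVELS = ("ERROR", "WARN", "INFO", "DEBUG")

# Boolean indexing options and the defaults stated in the manual.
INDEX_DEFAULTS = {
    "indexmailarchives": True,
    "indexarchives": True,
    "indexembedded": True,
    "cacheevidencefiles": False,
    "analyzeparagraphs": False,
}


def build_index_command(user, case_dir, evidence_dir, source_name, *,
                        timezone=None, task_file=None, log_level=None,
                        executable="IntellaCmd.exe", **index_options):
    """Return argv for one headless indexing run; raise on invalid input."""
    if not user.strip() or not source_name.strip():
        raise ValueError("user and source name must not be empty")
    for label, path in (("case", case_dir), ("evidence", evidence_dir)):
        # Policy of this example: a scheduled job's working directory is
        # unpredictable, so relative locations are rejected.
        if not PureWindowsPath(path).is_absolute():
            raise ValueError(f"{label} location must be absolute: {path!r}")
    unknown = set(index_options) - set(INDEX_DEFAULTS)
    if unknown:
        raise ValueError(f"unknown indexing options: {sorted(unknown)}")

    argv = [executable, "-user", user, "-case", str(case_dir),
            "-evidence", str(evidence_dir), "-sourcename", source_name]
    if timezone:
        argv += ["-sourcetimezone", timezone]
    # Write every boolean out, defaults included, so the command line is a
    # complete record of how the source was indexed.
    for name, default in INDEX_DEFAULTS.items():
        value = index_options.get(name, default)
        if not isinstance(value, bool):
            raise TypeError(f"{name} must be True or False")
        argv += [f"-{name}", "true" if value else "false"]
    if task_file is not None:
        if PureWindowsPath(task_file).suffix.lower() != ".json":
            raise ValueError("task file must be a .json file")
        argv += ["-taskfile", str(task_file)]
    if log_level is not None:
        if log_level not in LOG_LEVELS:
            raise ValueError(f"log level must be one of {LOG_LEVELS}")
        argv += ["-log", log_level]
    return argv


def command_for_case_notes(argv):
    """Render argv as one Windows command line for the case notes."""
    return subprocess.list2cmdline(argv)


if __name__ == "__main__":
    argv = build_index_command(
        "jdoe", r"D:\Cases\Acme 2016", r"E:\Evidence\Disk01", "Disk01",
        timezone="CET", indexarchives=False, log_level="INFO")
    print(command_for_case_notes(argv))
    # On the workstation: subprocess.run(argv, check=False)  (no shell involved)
```

Passing the list straight to subprocess.run keeps case and evidence paths with spaces intact without any manual quoting.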

24 Load file checklist

To help battle the complex nature of load file exporting and importing, we provide checklists for use with Summation (formerly iblaze) and Concordance load files, as well as a general checklist for common issues and solutions with load files. The Summation checklist contains general considerations that can also apply to the use of other load file formats. The Concordance checklist is specific to the standards used by the US Securities and Exchange Commission (SEC) and US Department of Justice (DoJ).

Load file diagnostics

This section is intended to identify common issues in the preparation and presentation of load files. It is addressed to individuals using Intella to produce load files for third party applications like Concordance, Relativity, Ringtail and/or Summation.

Load file purposes

It is useful to understand what the final recipient of the load files is going to do with them. Your client will use your load files:

• To create document records in their database.
• To upload field values for the records in their database.
• To upload native files associated with the records in their database.
• To upload image files associated with records in their database.
• To upload the text associated with records in their database.

Load file errors

Essentially these come in two types:

• Data-related
• Presentation-related

Common mistakes: avoiding them

There are a number of common errors that can occur when producing load files. Most of them can be avoided by following some simple rules of planning:

• Obtain a specification.
• Run a test ahead of time with a small selection of the real data that you have put through the process.
• Do not manually edit the load file after it has been produced; it is terribly easy to introduce further errors when doing this.
• Use templates for your export settings.
• Develop and use a checklist to quality control a sample from your export and match it to the specification provided.

Common mistakes: correcting them

Incorrect field names

If you have presented data to a client and they are complaining that the field names do not fit the requirements, repeat the export. When you come to specify the fields, remember that you can customise the label for any field that you choose to export. The example below shows exporting of the value extracted by Intella from the Sent field as a date time value and exporting it to a field called EM Sent Date in the load file.

Field type / data presentation mismatch

When there is a field type mismatch, this will frequently be where the date export options have not been set. The presentation of date values required by the various review systems varies and you will need to consult your client to determine the right settings to use. These are set using the following page in the export process:

Detailed Troubleshooting

When you are trying to understand why a load file will not load, here are some suggestions as to how to proceed. Note that Concordance, Relativity, Ringtail and Summation have different requirements in terms of data load files and each also provides differing levels of diagnostics and error messages to assist in troubleshooting. The following suggestions are aimed mainly at Concordance and Relativity but may also provide some assistance with Summation. When following these steps it is best practice to work from a copy of the load file.

Open the load file with a text editor and check the following:

• What is the encoding and is it correct? (Summation only)
  If you are exporting data from Intella, the only issues that can occur with encoding are for Summation. For all the other load file formats, the system defaults to using UTF-8, which your client should be able to use. If incorrect, regenerate the load file from Intella with updated settings.

• Confirm that field names are correct
  These should appear in the first row, which should happen automatically for the formats where it might apply.

• Are field names spelt correctly?
  Best practice is to update the Intella settings (and template) and regenerate the load file, to avoid introducing errors through manual editing.

• Is the ID field the first field and is the field order correct?
  Having the ID field first is best practice and makes for easier diagnostics but isn't necessary. The field order can be specified in the export process.

• Are delimiters present and correct?
  It is highly unlikely that these will be wrong since Intella uses the default values and you cannot change them. If the problem appears to be with data appearing in the wrong field, it may be that there is a data problem, e.g. delimiters appearing in the data such that they are misinterpreted during the import process. Note that Intella is like MS Excel in that it only inserts quotes as text qualifiers in CSV files if they are needed. This can cause issues when using the CSV load file format with some of the review platforms.

• Is it a data issue?
  In many ways data issues are the hardest to diagnose. The best technique is to start with any indication from the software as to where the issue occurs; references to "error in line X" can be helpful in this regard. If there is no indication of where the error might be, an approach is to edit the load file manually (always use a copy), to slice it up into chunks (vertically first and then if necessary horizontally) and try loading each chunk until you find the error.

  First of all, try loading just the header line and the first record. If this succeeds, then your field names are right and the non-null fields in the first line have correct data types. You can then try loading the first half of the load file. If this works, then the issue is somewhere in the second half of the file. Load the first half of that and so on. Using this approach you will usually be able to identify an individual record, or possibly a set of records, which will not load. At this point you slice the records up horizontally by test loading each field in turn, eliminating those fields that load until you find the culprit.

In practice most difficulties arise from three sources: (1) failing to check the quality of the finished product against the specification, (2) somebody editing the load file after it was generated (and introducing errors) or (3) delimiters being present in the data.

Summation

Due to the customization options available in Summation it is often the case that no two clients will have the same load file specifications or requirements.

To ensure the most professional outcome when working with Summation load files, it is highly recommended that you (the Intella user) engage with the recipient of the load file (the client) at the beginning of any engagement or well before any deadline to produce a load file. Our suggested workflow would be along the lines of the following steps:

1. Ask the client to confirm that they require a Summation load file.
2. Supply the checklist below to the client and ask them to complete it.
3. Collect the completed checklist.
4. Ask the client to confirm that they have added any extra fields they require to their Summation installation.
5. Make any changes to the Intella Summation load file export options that are needed to comply with the client's requirements.
6. Create a load file from a test data set similar to the data set of this engagement.
7. (*) Test the load file in your own Summation installation with the client's configuration.
8. Ask the client to verify that the sample load file imports correctly in their own Summation installation on all fields, OCR and so on.
9. If not, make any corrections needed and repeat steps 5 to
10. Once it imports correctly, ask the client to sign off on this format.
11. Save the export options as a custom export template in Intella.
12. Use the custom export template for producing the final load file(s).

(*) When creating a Summation load file as a part of your engagement, it is highly recommended that you have sufficient qualifications for Summation to understand and troubleshoot any issues that may arise. Furthermore, it is also highly recommended that you have a copy of Summation in-house that you can use to test and improve the output of your work.

The next pages contain a sample checklist that you can use with your client.
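The halving procedure from the Detailed Troubleshooting steps (records first, then fields), as an added example that is not part of the manual or of Intella. The try_load callback stands in for a test import into the review platform; the sample load file, demo_loader and all function names are constructed for illustration.

```python
"""Halving search over a load file: find the records, then the field.

Added example: try_load(header, records) -> bool is a stand-in for a test
import into the review platform. SAMPLE and demo_loader are constructed.
"""
import csv
import io
from datetime import datetime

# Constructed sample: the 4th record has an impossible date, the 6th has an
# unquoted comma in SUBJECT (a delimiter present in the data).
SAMPLE = """DOCID,FROM,SUBJECT,DATESENT
D001,alice@example.com,Kickoff,01/05/2013
D002,bob@example.com,Minutes,02/05/2013
D003,alice@example.com,Invoice,03/05/2013
D004,bob@example.com,Reminder,45/13/2013
D005,carol@example.com,Agenda,05/05/2013
D006,carol@example.com,Re: budget, revised,06/05/2013
"""


def parse(text):
    """Split a comma-delimited load file into (header, records)."""
    rows = list(csv.reader(io.StringIO(text)))
    return rows[0], rows[1:]


def field_count_mismatches(header, records):
    """Cheap static check: records whose field count differs from the header."""
    return [i for i, rec in enumerate(records) if len(rec) != len(header)]


def find_failing_ranges(header, records, try_load):
    """Return half-open (start, end) record ranges that will not load.

    A range longer than one record means its halves load separately but not
    together (for example duplicate IDs), so it is reported as a set.
    """
    suspects = []
    if not records:
        return suspects

    def search(lo, hi):
        if try_load(header, records[lo:hi]):
            return True
        if hi - lo == 1:
            suspects.append((lo, hi))
            return False
        mid = (lo + hi) // 2
        left_ok = search(lo, mid)
        right_ok = search(mid, hi)
        if left_ok and right_ok:
            suspects.append((lo, hi))  # fails only in combination
        return False

    search(0, len(records))
    return suspects


def find_failing_fields(header, record, try_load, id_col=0):
    """Test-load each field in turn, always together with the ID field."""
    if len(record) != len(header):
        raise ValueError("field count mismatch: resolve delimiters in the data first")
    failing = []
    for col, name in enumerate(header):
        if col == id_col:
            continue
        cols = [id_col, col]
        if not try_load([header[c] for c in cols], [[record[c] for c in cols]]):
            failing.append(name)
    return failing


def demo_loader(header, records):
    """Constructed stand-in for a platform import with strict dd/mm/yyyy dates."""
    for rec in records:
        if len(rec) != len(header):
            return False
        if "DATESENT" in header:
            try:
                datetime.strptime(rec[header.index("DATESENT")], "%d/%m/%Y")
            except ValueError:
                return False
    return True


if __name__ == "__main__":
    header, records = parse(SAMPLE)
    print("field count mismatches:", field_count_mismatches(header, records))
    for lo, hi in find_failing_ranges(header, records, demo_loader):
        print("records", lo, "to", hi - 1, "will not load")
    print("failing fields:", find_failing_fields(header, records[3], demo_loader))
```

Record indices are zero-based and exclude the header, so index 3 is the fifth line of the file when no value contains a line break.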

Acme ediscovery Corporation

Load File Engagement Checklist

Due to the customization options available in Summation it is often the case that no two clients will have the same load file specifications or requirements. The information below provides you with a list of options to configure a Summation load file, as part of the proposed engagement. Please complete the sections A to D and return the form to our litigation support team prior to this engagement.

Options               Description                            Completed (YES / NO)
Table selection
  Option A            Summation E-tables or Stdtable
  Option B            Additional Summation Fields
Document Rendering
  Option C            Document numbering during rendering
  Option D            Document exclusions
Dates
  Option E            Date Selection
  Option F            Other options

Option A: Summation E-tables or Stdtable

The following represents the standard Summation E-table or Stdtable offered in Intella. Please select the fields that you require for the production of the load file requested. Do this by ticking the appropriate check boxes on the right hand side of the table. If a particular field is not present, write it in at the bottom of the table and send us those details.

Token       Field Description
DOCID       Document ID
ATTCHIDS    Document IDs of attached
PARENTID    Parent document ID
MEDIA       Document category: or efile
FOLDER      File or location (e.g. Bob.pst/Top of Personal Folders/Inbox)
DOCTYPE     MIME type of document (e.g.
DOCTITLE    Document
AUTHOR      Name of the document's
EDITEDBY*   Other authors or contributors of the
DATECRTD    Creation date of the
DATESVD     Last modification date of the
SUBJECT
FROM
TO          recipient(s) (TO
CC          recipient(s) (CC
BCC         recipient(s) (BCC
DATERCVD    Date that the document was
TIMERCVD    Time that the document was
DATESENT    Date that the document was
TIMESENT    Time that the document was
INTMSGID    Internet message
READ        Whether the message was read (Y or
HEADER      message
BODY        message
ATITLE      Name of the
PGCOUNT     Page
HASHCODE    MD5 hash
IID*        Intella item ID. Required to locate items in Intella.    Required
<Add custom >

Option B: Additional Summation Fields

It is also required that you include two additional fields that are not listed as standard E-tables in Summation. The additional fields are:

     ETABLE      Description
1    IID         Used to identify the item in Intella.
2    EDITEDBY    Taken from the Intella Authors and Contributors Facet and used to identify which user edited or created the document.

These fields and any additional custom fields that are not default in Summation need to be added using the Summation Form Editor before the load file is imported.

Option C: Document Numbering during Rendering

Option              Description                                  Value
Numbering scheme    How the documents and pages are numbered     ABC
Starting number     The number of the first document             1
Starting folder     The starting folder number                   1
Starting box        The starting box number                      n/a
Page rollover       Maximum number of pages per folder
Grouping scheme     All files in one folder                      Prefix, Folder

Please identify the positions where you would like the DocID and numbering options to be displayed on the rendered images:

Positions    Placement

Please identify at what position you would like the DocID to be located in the rendering:

Position 1:
Position 2:
Position 3:
Position 4:

Also indicate if you would like either to:

1. Show the same DocID, for a particular document, on all pages of that document.
2. Increment DocIDs for each subsequent page of a document, e.g. first page ABC , second page ABC , etc.
3. Do not stamp the image files with the DocID.

Option D: Document Exclusions

Some document formats, such as spreadsheets, do not render very well as images. On occasion, a single spreadsheet may generate thousands of rendered image files that will have no value to the reviewer. It is recommended that you opt to exclude certain file types from final rendering.

File Extension    Comment                   EXCLUDE
Spreadsheets      Recommended to exclude    YES / NO
CSV               Recommended to exclude    YES / NO
XLS               Recommended to exclude    YES / NO
XLSX              Recommended to exclude    YES / NO
Custom

Option E: Date Formatting

The date format in the load file needs to match the date format selected in Summation's default settings. Failure to do so may cause the day and month to be reported incorrectly in Summation when reviewing.

Although the dd/mm/yyyy date format is the standard in many countries, some clients prefer to use dd/mmm/yyyy. This format is preferred because there can be no mistake interpreting the date. For example, the date 4/5/2013 could be interpreted as either 4 May 2013 or 5 April 2013. Using the format dd/mmm/yyyy, the date will be displayed as 4/Apr/2013.

Option              Description                             Value
Date format         How to format date only fields          dd/mm/yyyy
                                                            MM/dd/yyyy
                                                            dd/mmm/yyyy
                                                            Other:
Time format         How to format time only fields          HH:mm:ss
Date/time format    How to format full date/time fields     dd/mm/yyyy HH:mm:ss

Option F: Other options

Option           Description                Value
File encoding                               UTF-8
Native files     Include native files?      Yes / No
Image files      Include image files?       Yes / No
Image format                                PDF TIFF PNG
Text files       Include extracted text?    Yes / No

24.3 Concordance

US Securities and Exchange Commission (SEC) standard

Please select the fields that you require for the production of the requested load file by ticking the corresponding checkboxes on the right hand side of the table. If a particular field is not present, add it at the bottom of the table and send us those details.

Field           Description                                              Required
FIRSTBATES      First Bates number of native file document/email
LASTBATES       Last Bates number of native file document/email
BEGATTACH       First Bates number of attachment range
ENDATTACH       Last Bates number of attachment range
PARENT_BATES    First Bates number of parent document/email
FROM            Sender
TO              Recipients (To, Cc, Bcc)
SUBJECT         Subject
DATE_SENT       Date the email was sent
TIME_SENT
LINK            Hyperlink to the email or native file document
MIME_TYPE       The content type of an email or native file document
AUTHOR          Author of the document
DATE_CREATED    Date the document was created
TIME_CREATED    Time the document was created
DATE_MOD        Date the document was last modified
TIME_MOD        Time the document was last modified
DATE_ACCESSD    Date the document was last accessed
TIME_ACCESSD    Time the document was last accessed
PRINTED_DATE    Date the document was last printed
FILE_SIZE       Size of native file document/email in bytes
PGCOUNT         Number of pages in native file document/email
PATH            Document location
INTMSGID        message ID
MD5HASH         MD5 hash
TEXT            Extracted text of the native file document/email
<Add custom >

US Department of Justice (DoJ) standard

Please select the fields that you require for the production of the requested load file by ticking the corresponding check boxes on the right hand side of the table. If a particular field is not present, add it at the bottom of the table and send us those details.

Field                      Description                                              Required
COMPANIES                  Company submitting data
HASHMD5                    Document MD5 hash value
BEGDOC#                    Start Bates
ENDDOC#                    End Bates
DOCID                      Must equal the value appearing in the BEGDOC# field and be UNIQUE
NUMPAGES                   Page count
PARENTID                   Parent record's BEGDOC#
FOLDERLABEL or FILEPATH    Document location
FROM                       Sender
TO                         Recipients (To, Cc, Bcc)
SUBJECT                    Subject
DATECREATED                Date electronic file was created
DATESENT                   Date the email was sent
TIMESENT                   Time email was sent
DATERECEIVED               Date email was received
TIMERECEIVED               Time email was received
HEADER                     The internet header information for email sent through the internet
INTERNETMSGID              Globally unique identifier for a message which typically includes message ID and a domain name
DATESAVED                  Date native file was last modified
DATEPRINTED                Date native file was printed
EAUTHOR                    Author of the document
LAST AUTHOR                Last Saved By field value extracted from metadata of a native file
ESUBJECT                   Document title
FILESIZE                   File size in Bytes
FILENAME                   File name of native file
APPLICATION                MIME type of document (e.g. application/pdf)
DOCLINK                    File path location to the current native file location on the delivery medium
DATEAPPTSTART              Start date of calendar appointment
TIMEAPPTSTART              Start time of calendar appointment
DATEAPPTEND                End date of calendar appointment
TIMEAPPTEND                End time of calendar appointment

25 Preferences

To open the Preferences dialog, select the File > Preferences menu option. To apply changes to the settings, click the Apply button. To apply changes and close the dialog box, click the OK button. The Cancel button will close the dialog box and discard all unapplied changes. The specific settings per tab are explained below.

General

The Backup section controls how case backups are handled. The three options control whether or not a backup of the case needs to be made when the case is closed, or whether this needs to be asked on every occasion. This setting is set for each case individually. The Backups folder is shared by all cases though.

When a case is backed up, a copy of the entire case folder is made and placed in this folder. A previous backup is removed if the backup has succeeded; note that this will have consequences for the disk space that needs to be available. The default location of this backup folder is next to the cases folder. We recommend changing this to a location that is located on a physical disk, so that disk malfunctions do not damage both the actual case and the backup.

The Temp Folder controls where Intella stores its temporary files, e.g. for opening an item in its native application. By default the used folder is inherited from the operating system, but it can be modified here, e.g. to accommodate a system with a small operating system drive or for performance or security reasons.

The Check for updates on start-up option lets Intella look online for new versions of the software during startup. This lookup will be done once every 24 hours. New versions will be shown in the upper right corner of the application. A message will also be shown here when this option is turned off or when fetching the latest version information has failed.

Display and Locale

The Display splash screen while loading a case option controls whether a splash screen will be displayed after you have selected a case in the Case Manager for opening in Intella.

The Language selection option lets you select the display language used for Intella. The set of values in the list depends on which language profiles are detected in the translations subfolder, located in the folder where Intella is installed.

Intella checks online whether new language profiles are available for the current Intella version and the currently used language. When this is the case, a message is displayed in the upper right corner of the main window. Clicking on that message will open a web browser and download the new language profile. The Browse button in this panel can then be used to install the new profile.

The Date format setting lets the user select how dates and times will be displayed. The dropdown menu allows for various formats selected by country. This setting is not dependent on the display languages and allows for all generally used formats, regardless of which language profiles are available.

Finally, the Page format lets you select which paper size to use when exporting to PDF or printing items. Available options are ISO A4 and US Letter.

Dates

The Primary Date option controls how Primary Dates are determined for each item, based on a set of rules holding preferred attributes.

While processing the dates of all items, Intella will try to pick a matching date rule based on the item's type and use it to determine the primary date attribute for that item. It will first look for a rule that has the same MIME type as the item has, e.g. the MS Word MIME type. When no such rule exists, it looks for a more general rule covering the type group that holds this MIME type, e.g. the Documents group. See the Type facet for how item types are grouped. If no such rule exists either, it will fall back on the default rule to compute the Primary Date.

Each rule holds a prioritized list of all the date attributes that Intella supports. Once a primary date rule is selected for the item, the first date in this list that occurs in that item's metadata is used to set the item's primary date.

You can define many date rules for different MIME types or groups. You can add or remove rules from the set, but it must always contain the default rule. By pressing the Reorder dates button you can change the priorities of the date attributes for the selected rules. Because of the way rule selection works, the order of the rules does not affect the outcome. Only the order of attributes in a rule matters.

Note that the Primary Date settings also affect the Family Date attributes, as the Family Date of an item is defined as the Primary Date of its top-level parent.

When a change is made to the Primary Date settings, Intella will ask whether you want to rebuild the indices for those two dates. These indices are used for displaying and sorting the Primary Date and Family Date columns and for any Date facet searches on these attributes. Updating these indices can be a lengthy operation on large data sets. In case you wish to cancel this update operation, you can click the Cancel button in the progress dialog. This will revert your Primary Date settings back to the previous configuration and leave the indices unaltered. Note that it is not possible to alter the Primary Date settings without updating the relevant indices.

Search

The Enable Search History option allows you to turn off the search history. The main use of this is when you do not wish these search terms to be recorded; be aware that they are still being added to the audit trail and may leave traces in the log file. This setting is also a workaround for character sets (e.g. Korean characters) that cannot be entered properly when the history functionality is active.

The Restore the queries that were shown last option stores the current queries during shutdown and restores them the next time the case is opened.

The Show Children options allow you to specify what children are returned when you click on Show Children in the Previewer or in the search results popup menu. You can specify the level by including only directly nested children (direct children only) or directly and indirectly nested children (all children). When you select the Ask every time option, you will be prompted for the desired level every time you use Show Children.

The Show Parents options control what items are ignored when the top-level or direct parent is selected for an item. This operation affects not only the Show Parents and Show Top-level Parents functions, but also what items are tagged when the Also tag all other items nested in the same top-level item option is selected in the Tagging tab.

Results

The Opening results option controls what happens when a result is double-clicked: open it in Intella's internal Previewer or in the native application registered with that file type.

The Following HTML links option relates to the links and externally linked images that can be found in HTML-based emails. Both of these can be dangerous to download automatically, e.g. because they can tip off suspects that their emails are being read by another party. This panel lets you control how these link types are handled. By default, links are blocked and external images are not loaded automatically. This can be managed per individual email in the Previewer window or for all items at once in this preferences panel.

The Cluster Map options let you specify whether transitions on the Cluster Map should be animated and if so, how long that animation may take. You may want to disable animation if it causes performance problems on your system. Furthermore, you can specify whether or not the Cluster Map should automatically be scaled when it does not fit inside the window. You can also change this option using the Cluster map toolbar button, or go to View > Cluster Map > Scale to fit window.

The Thumbnails View setting controls which thumbnails are shown based on the size of the original image in kilobytes. Images that are below this threshold are filtered out.

The Previewer window setting controls how many pages are shown in the Preview tab. This is by default restricted to the first 5 pages, as rendering of this tab may trigger a conversion from the document format at hand (e.g. an MS Word document) to PDF. This can take a long time for large and complex documents. This can be minimized by only converting and showing the first five pages. Furthermore, the paragraph controls shown in the left margin of the Contents tab can be disabled using the Enable paragraph features checkbox. This only has an effect when the Analyze paragraph setting has been used during source creation.

Tagging

When tagging items, the policy of your investigation may be that some related items should be tagged as well, e.g. tagging items in a mail as privileged may require that all other items in that same mail are also tagged as privileged. The settings in this tab can make that happen automatically.

The three radio buttons specify how other items in the hierarchy need to be handled:

• Only tag the selected item is self-explanatory.
• Also tag all attached/nested items results in all attached or nested items being tagged with the same tag as well. This works recursively, i.e. all children in the hierarchy are tagged.
• Also tag all other items nested in the same top-level item means that everything from the top-level mail down to the most deeply nested child gets the tag.

In addition to these three settings, you can specify that all duplicates should also be tagged. When this setting is switched on, all items in the case with the same MD5 or message hash will inherit the tag. Furthermore, their children or siblings may also be tagged automatically, based on the setting described above.

Note that the top-level parent of an item is determined according to the Show Parents settings in the Search preferences.

The upper part of the Tagging tab with the tagging inheritance options can also be opened by clicking the Tag Preferences button when setting a new tag. This dialog will also let you override the settings for the tag currently being set.

The Previewer setting controls the maximum number of quick tag buttons that is shown in the Previewer.

Finally, the Verify taggings checkbox controls whether Intella should check whether any taggings made by the user have made it into the database. Recent improvements have reduced the usefulness of this operation to such an extent that it typically no longer warrants the overhead.

MS Outlook

Click Validate to ensure that Intella can locate the Outlook program files on the system. This is necessary for the ability to export to PST files. The status is shown in the (non-editable) field. If validation fails, please consult your system administrator to make sure that MS Outlook is installed correctly.

IBM Notes

Click Validate to ensure that Intella can locate the IBM Notes program files on the system. The status is shown in the (non-editable) field. If validation fails, click the Browse button, select the path to the IBM Notes folder in the file chooser and click Apply.

During Notes validation Intella will check the Notes version. Some versions are not recommended, see the Installation section. To enable use of such non-recommended Notes versions, select the Enable using unsupported version of IBM Notes checkbox.

Tip: The default installation directory for IBM Notes is one of the following:

    C:\Program Files\IBM\Lotus\Notes
    C:\Program Files\IBM\Notes
    C:\Program Files (x86)\ibm\lotus\notes
    C:\Program Files (x86)\ibm\notes

26 Menu, mouse, and keyboard shortcuts

26.1 Main Menu

Below is a description of all menu items in the main window. Not all options appear in all products.

File

Preferences: Open the Preferences dialog (see Preferences).
Key Store: Open the Key Store dialog, for viewing and editing decryption passwords, certificates, etc.
Restore Annotations: The user can restore the annotations from a copy of this case, e.g. when the working copy has been damaged beyond repair.
Import OCRed files: Import files that have been processed using an external OCR tool.
Generate Thumbnails (Ctrl+T): Pre-generates all thumbnail images used in the Thumbnails view, speeding up its responsiveness.
Tasks: Opens a window that shows all defined post-processing tasks and lets the user edit and launch them.
Excluded Paragraphs (Ctrl+Shift+F): Opens a window that shows all paragraphs explicitly excluded from keyword search and lets the user search for them or remove them from the list of excluded paragraphs.
Close Case: Closes the current case and brings the user back to the Case Manager window.
Exit (Ctrl+Q): Exit the application.

Sources

Re-index (CTRL+R): Recreate all indexes from scratch (after user confirmation).
Index new data: Searches the current sources for new evidence files.
Add New... (Ctrl+N): Opens the Add New Source wizard.
Edit Sources (Ctrl+E): Open the Edit Sources dialog window.

Edit Evidence Paths: Opens the Attach Evidence dialog. This dialog can be used to edit the paths of the evidence files used to create the case. These paths need to be set correctly when the case is re-indexed.
Exceptions report: Lets the user choose a CSV file to which the exceptions report will be written.

View

Cluster Map Animate Changes: Turn cluster map animation on or off.
Cluster Map Scale to Fit Window: Turn cluster map size scaling on or off.
Details: Use the four sub-items to switch the Details panel to Table, List, Thumbnail or Timeline mode.
Preview Item (CTRL+O): Lets the user open a specific item. See the Item ID column in the Details table for these numbers.
Close All Previews (Ctrl+Shift+W): Closes all open Previewer windows.
Full screen: Toggles full-screen mode.

Export

Cluster Map...: Exports the current Cluster Map as a PNG image.
Social Graph: Exports the current Social Graph as a PNG image.
Timeline: Exports the current timeline as a PNG image.
Words: Export all words used in the indexed evidence files. When the results table shows a list of results, exporting the words of only these items is also possible.
Result...: Export a single result. This option is available when a single item is selected in the Details table.
Result List: Opens the export dialog to let you export the currently selected results.
Configure Redaction Profiles: Opens the dialog that lets you create and edit redaction profiles. See the section on redaction for more information.
Event Log: Opens the dialog that lets you export part of or the entire case event log.

Team

Set Work Folder (Viewer and TEAM Manager only): Open the dialog to set the location (folder) where the Intella work reports will be stored. Select a folder in the dialog and click Select folder. The default TEAM work folder is C:\Users\USER\Desktop.
Export Work Report (Ctrl+W Viewer and TEAM Manager only): Open the dialog to export an Intella work report file (.iwr extension) to the work folder.
Open CSV Exports (Viewer and TEAM Manager only): Open the dialog to open CSV files that were created together with a work report. Select the CSV file and click Open. The CSV file will be opened in the application that is linked to the CSV file type by your operating system. For example: MS Excel or OpenOffice Calc.
Import Work Report (Ctrl+I TEAM Manager only): Open the dialog to import an Intella work report. Select an Intella work report file (.iwr extension) and click Open.
Work Reports History (TEAM Manager only): Open the dialog that shows the list of work reports that were imported to this case. Every entry in the list has the investigator name, the creation date of the Intella work report and the import date. To delete a selected work report from your case, click Remove Work Report contents in the Work Reports History dialog. You are asked to confirm since this operation cannot be undone.

Help

Help Topics (F1): Opens the bundled user manual (this document).
Forum: Opens the Intella forum in a web browser.
Dongle Manager: A shortcut to the separate Dongle Manager application, which is used to inspect and update the contents of your Intella dongle.
Open Log Folder: Opens the folder where Intella stores logging information.
Open Export Templates Folder: Opens the folder where the user-defined export templates are stored. These files are .xml files that can be shared and copied to other case folders.
About Intella <product edition>: Shows a dialog with three tabs. (1) The first tab contains the version number of Intella. (2) The second tab contains system information. (3) The third tab shows license information such as ID, type and restrictions.

Mouse actions

Table and thumbnail view

Click and drag: Select multiple items.

Ctrl+click: Select/deselect items.
Double click on item: Depending on the preferences, this opens the clicked item in Intella's internal Previewer, the registered native application, or opens a dialog asking the user what to do.
Right click on item: Opens the popup or context menu.

Timeline

Click on Opens the in the Previewer.
Double-click on Depending on the preferences, this opens the clicked item in Intella's internal Previewer, the registered native application, or opens a dialog asking the user what to do.
Right click on Opens the popup or context menu on that

Cluster Map

Click on cluster or on label: Select a cluster or result set and shows its items in the Details panel below.
Click and drag: Move cluster to reorganize the Cluster Map.
Right click on cluster, label or on the selections panel: Opens the popup or context menu on that item.

Social Graph

Click on a node: Selects a node and shows its items in the Details panel below.
Click on an edge: Select an edge and shows its items in the Details panel below.
Click and drag: Move node to reorganize the graph.
Drag with right-mouse button pressed: Scroll (pan) the graph.

Histogram

Click and drag: Zoom in on a specific area in the chart.
Ctrl-click and drag: Pan (scroll) the chart.

Click and move up: Restore zoom level.
Mouse wheel: Zoom in and out of the chart.

Keyboard shortcuts

Main window

Ctrl+R: Re-index all sources
Ctrl+N: Add new source
Ctrl+E: Edit sources
Ctrl+O: Open a specific numbered item
Ctrl+Q: Exit the application
Ctrl+W: Export work report (TEAM Manager and Viewer)
Ctrl+I: Import work report (TEAM Manager only)
Ctrl+Shift+W: Closes all open preview windows
F1: Open Intella help file (requires PDF-viewer, like Adobe Acrobat)
Spacebar (in thumbnail view): Flag selected item
Ctrl+A: Select all items or text

Previewer window

Alt+Right Arrow: Move to next item
Alt+Left Arrow: Move to previous item
Ctrl+C: Copy selected text

Ctrl+V: Paste copied text
Ctrl+A: Select all text
Ctrl+1, Ctrl+2, or Ctrl+3: Tag an item with the tag assigned to button 1, 2, or 3 in the previewer

27 Appendix I. HASP problem resolution

27.1 Problem flowchart

27.2 Problems and solutions

27.3 Installation problems

HASP dongle drivers do not install

Problem: You are not able to install the HL Key (dongle) drivers.
Cause: Presence of older HASP HL key drivers installed on the machine.
Solution: Uninstall the older drivers.
1. Click Start > Run or click the Windows key + R
2. Enter C:\Program Files\Vound\Intella\bin\haspdinst.exe -kp purge and click OK.
3. Wait for message that operation was successful.
Caveat: These steps uninstall ALL other HASP drivers. Make sure you have no other HASP dongle that requires an older driver.
Install the latest driver.

HASP dongle not found

Problem: The following message is triggered: "HASP key not found (H0007)"

Possible cause 1: The HASP dongle LED is not lit. The dongle is not connected or not properly connected to the USB port.
Solution
1. Disconnect, pause a few seconds, then reconnect. If the LED lights up, the application should be able to access the dongle. You may need to wait a few seconds for the dongle to be completely installed by the operating system.
2. The required HASP HL key drivers are not installed. If you are running HASP SRM on a Windows platform, check for an entry for HASP SRM in the Device Manager utility. If there is no entry, you must install the drivers.
3. Check if the USB port is functioning correctly. Disconnect all other USB devices from their respective ports. Connect the HASP dongle to a different USB port. Try using a different USB device in the port from which the dongle was not accessible to test if the port is actually working.

Possible cause 2: HASP License Manager Service is not running.
Solution
1. Check if the HASP License Manager Service is running by opening a Command Prompt (Start > All Programs > Accessories > Command Prompt)
2. Enter: sc query hasplms
3. Check the result. It should show like this...

    SERVICE_NAME: hasplms
            TYPE               : 10  WIN32_OWN_PROCESS
            STATE              : 4  RUNNING
                                    (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
            WIN32_EXIT_CODE    : 0  (0x0)
            SERVICE_EXIT_CODE  : 0  (0x0)
            CHECKPOINT         : 0x0
            WAIT_HINT          : 0x0

When you see RUNNING it means that the hasplms service is running.

Hardware problems

No dongle detected

Problem: The computer does not detect the dongle. There are several potential causes, listed below.

Cause 1: Conflict with other USB devices
On occasion, the presence of other USB devices may cause problems with the HASP dongle.
Solution: Remove conflicting USB device/devices.

Cause 2: Incorrect device driver installed
The HASP dongle may not function if an incorrect version driver is installed.
Solution: See section Installation problems, HASP dongle drivers do not install.

Cause 3: USB port is defective or HASP dongle not properly inserted
Solution: Check that the LED light is lit on the dongle. If not, remove and reinsert. Wait for the operating system to detect the dongle. If it still does not light up, try another USB port or use a USB hub.

Cause 4: Faulty dongle
On rare occasions one may get a faulty dongle. The dongle neither lights nor is detected in Device Manager, even with proper driver installed. Request a replacement.

Firewall & anti-virus problems

Unable to access HASP SRM RunTime Environment (H0033)

Problem: The error message "Unable to access HASP SRM RunTime Environment (H0033)" might be caused by too restrictive firewall settings.

Possible causes:
C:\WINDOWS\system32\hasplms.exe is blocked by firewall or antivirus application.
Port 1947 is blocked by a firewall application.
HASP License Manager Service is stopped.

Preliminary test:

1. Disable all antivirus and firewall applications. Note that some applications such as Norton, McAfee, and AVG have both antivirus and firewall settings that may need to be individually disabled.
2. If the HASP License Manager Control Center does not appear in the browser at then we know that the anti-virus or firewall application will have to be configured.
3. If the Control Center still does not appear, check for other firewall or antivirus applications that may be running and disable them or turn them off.

Solution:
1. Add C:\WINDOWS\system32\hasplms.exe to the Exception list of the antivirus and firewall application
2. Add port 1947 to the Exception list
3. Restart the HASP License Manager Service (Control Panel > Administrative Tools > Services)

An example of a firewall exception is shown in the image on the right.

Important: You must perform an installation Reinstall of Intella as the antivirus software may have blocked components during the first install.

The following information is adapted from the SafeNet Sentinel HASP knowledgebase.

Message: "Unable to access HASP SRM RunTime Environment (H0033)"

Problem: This error means that there is a communication error between the program and the local license manager. This error can be triggered by a number of causes, including (1) improper installation of the HASP RTE software, (2) personal firewall software blocking communication with the HASP LMS service, or (3) other software using the same port that the HASP License Manager uses (i.e. port 1947).

Solution: To troubleshoot the error, follow the steps below until the cause of the error is found:

1. Open a web browser and connect to This is the HASP SRM Admin Control Center. If it's possible to connect to this page, then the HASP SRM Runtime is installed properly. The problem lies elsewhere and you can disregard the rest of this document. If you get a message "Page cannot be displayed" then it's possible that HASP SRM Runtime is not installed (go to step 2) or blocked (go to steps 3 and 4).
2. Go to Start > Run, enter services.msc and click OK. The list is alphabetical. Search for HASP License Manager in the table and then check if its status is Started.

If this entry is not listed, then the HASP SRM Runtime is not installed. Please reinstall it. If the status is not Started, check the event log for entries relating to the HASP License Manager service that will give an error message and further diagnostic information.
3. Check your personal firewall software. There are many types of personal firewall software including Norton Internet Security (the Firewall is one component of this software), ZoneAlarm and others. By default most personal firewall software will request permission to allow access for the HASP License Manager the first time it is run. If access is allowed there should be no problems. If access is denied you will encounter communication problems. To resolve such problems either disable the firewall completely (Note: this option has risks. Please contact your firewall vendor for details) or create a rule or exception in the firewall to allow the HASP License Manager communication. If there is an option to create a rule/exception based on a port number, allow port As there are many personal firewall products on the market it is not possible to list all the ways to configure each piece of software here. Please contact your firewall vendor for details on how to create exceptions or rules as detailed above.
4. Check that there aren't any applications that use the HASP registered port (Port 1947). If you find such a program, disable it and run the HASP application again.

Normal operation

Dongle installation

Intella is shipped with the latest SafeNet HASP dongles. Intella is packaged with the SafeNet HASP RTE installer. When correctly installed, the Windows Device Manager reports three items in the Universal Serial Bus controllers section:
SafeNet HASP HL Key
SafeNet HASP Key
SafeNet USB Key
When incorrectly or incompletely installed, warning icons appear on the device.

HASP License Manager Service

The HASP installer includes the HASP License Manager application that runs as a system service: C:\WINDOWS\system32\hasplms.exe

The HASP License Manager Service hasplms.exe must be running to allow Intella to open. When this application is running you should be able to load the HASP License Manager Admin Control Center by entering in an internet browser. HASP SL is the trial version license. HASP HL will only show when the dongle is plugged in.

Windows system services

A good indication that the License Manager Service is running properly is that the entry is flagged as Started in the table of Windows system services.
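The H0033 checks described in this appendix (service state, firewall exception, ownership of port 1947) can be collected in one read-only PowerShell pass. This is an added example, not part of the Intella manual or of any Vound or SafeNet tool; the service name, executable path and port number come from the manual, while the function names, the TCP-only scope and the use of the Windows Defender Firewall cmdlets are assumptions.

```powershell
# Added example, not part of the Intella manual. Read-only: it changes nothing.
# From the manual: service "hasplms", C:\WINDOWS\system32\hasplms.exe, port 1947.
# Assumed: TCP only, local machine, elevated PowerShell 5.1 on Windows 8 /
# Server 2012 or later. Third-party firewalls are not inspected.

$ServiceName = 'hasplms'
$Port        = 1947
$ExpectedExe = 'C:\WINDOWS\system32\hasplms.exe'

function Get-HaspServiceState {
    # Step 2 of the checklist: is the License Manager service registered and started?
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    if (-not $svc) { return 'NotInstalled' }
    return [string]$svc.Status
}

function Get-HaspPortOwner {
    # Step 4: which process holds the TCP listener on port 1947?
    $conns = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
    if (-not $conns) { return }
    foreach ($procId in ($conns | Select-Object -ExpandProperty OwningProcess -Unique)) {
        $proc = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $procId"
        [pscustomobject]@{
            ProcessId = $procId
            Name      = $proc.Name
            Path      = $proc.ExecutablePath   # empty when the prompt is not elevated
        }
    }
}

function Get-HaspFirewallRule {
    # Step 3: enabled inbound rules that name the port or the program.
    # Rules that cover the port only through a range or "Any" are found
    # through the program match, not the port match.
    $byPort = Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object { $_.LocalPort -contains "$Port" } |
        Get-NetFirewallRule
    $byProgram = Get-NetFirewallApplicationFilter |
        Where-Object { $_.Program -like '*\hasplms.exe' } |
        Get-NetFirewallRule
    @($byPort) + @($byProgram) |
        Where-Object { $_ -and $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' } |
        Sort-Object -Property Name -Unique |
        Select-Object -Property DisplayName, Action, Profile
}

function Get-H0033Diagnosis {
    $state    = Get-HaspServiceState
    $owners   = @(Get-HaspPortOwner)
    $rules    = @(Get-HaspFirewallRule)
    $findings = New-Object System.Collections.Generic.List[string]

    if ($state -eq 'NotInstalled') {
        $findings.Add('Service hasplms is not registered; reinstall the HASP runtime.')
    } elseif ($state -ne 'Running') {
        $findings.Add("Service hasplms is in state '$state'; start it and check the event log.")
    }

    # Any listener whose image path is known and is not the expected executable.
    foreach ($o in @($owners | Where-Object { $_.Path -and $_.Path -ne $ExpectedExe })) {
        $findings.Add("Port $Port is held by $($o.Path) (PID $($o.ProcessId)), not by hasplms.exe.")
    }
    if ($state -eq 'Running' -and $owners.Count -eq 0) {
        $findings.Add("hasplms is running but nothing listens on TCP port $Port.")
    }

    foreach ($r in @($rules | Where-Object { $_.Action -eq 'Block' })) {
        $findings.Add("Firewall rule '$($r.DisplayName)' blocks inbound traffic.")
    }
    if (-not ($rules | Where-Object { $_.Action -eq 'Allow' })) {
        $findings.Add("No enabled inbound allow rule names port $Port or hasplms.exe.")
    }

    [pscustomobject]@{
        ServiceState  = $state
        PortOwners    = $owners
        FirewallRules = $rules
        Findings      = $findings
    }
}

Get-H0033Diagnosis | Format-List
```

An empty Findings list means the service is running, hasplms.exe owns the listener and an allow rule exists, so the cause lies outside these three checks.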

27.7 Installation flowchart


More information

Intella 2.0 Release Notes

Intella 2.0 Release Notes Intella 2.0 Release Notes Highlights Updated and modernized the user interface. Added a Geolocation results view, showing the geographic locations of search results, e.g. based on GPS data and IP addresses.

More information

Navigate the Admin portal

Navigate the Admin portal Administrators Portal, on page 1 Cisco ISE Internationalization and Localization, on page 9 MAC Address Normalization, on page 15 Admin Features Limited by Role-Based Access Control Policies, on page 16

More information

PGP(R) Desktop Version 10.1 for Mac OS X Release Notes

PGP(R) Desktop Version 10.1 for Mac OS X Release Notes Page 1 of 8 PGP(R) Desktop Version 10.1 for Mac OS X Release Notes Thank you for using this PGP Corporation product. These Release Notes contain important information regarding this release of PGP Desktop

More information

SharePoint Document Management

SharePoint Document Management SharePoint Document Management Use these feature checklists to guide and structure your evaluation of available products for SharePoint document management and email management. They show the features

More information

SCUtils Knowledge Base Installation Guide Solution for Microsoft System Center 2012 Service Manager

SCUtils Knowledge Base Installation Guide Solution for Microsoft System Center 2012 Service Manager SCUtils Knowledge Base Installation Guide Solution for Microsoft System Center 2012 Service Manager Published: 3 d November 2014 Version: 3.4 Authors: Marat Kuanyshev Feedback: support@scutils.com Contents

More information

AccessData Forensic Toolkit 5.5 Release Notes

AccessData Forensic Toolkit 5.5 Release Notes AccessData Forensic Toolkit 5.5 Release Notes Document Date: 8/20/2014 2014 AccessData Group, Inc. All rights reserved Introduction This document lists the new features, fixed issues, and known issues

More information

Release Notes. Illustra Connect

Release Notes. Illustra Connect Release Notes Illustra Connect Applicable Software Illustra Connect Software Version 3.0 Product Data Visit the Illustra Connect section of our web site http://www.illustracameras.com to download datasheets

More information

Formatting Custom List Information.

Formatting Custom List Information. Hello. MailChimp has a lot of great merge tags that can help you customize your email campaigns. You can use MailChimp s merge tags to dynamically add content to your email. Include something as simple

More information

Transfer Manual Norman Endpoint Protection Transfer to Avast Business Antivirus Pro Plus

Transfer Manual Norman Endpoint Protection Transfer to Avast Business Antivirus Pro Plus Transfer Manual Norman Endpoint Protection Transfer to Avast Business Antivirus Pro Plus Summary This document outlines the necessary steps for transferring your Norman Endpoint Protection product to Avast

More information

Symantec ediscovery Platform

Symantec ediscovery Platform Symantec ediscovery Platform Utility Node Guide 8.0 Symantec ediscovery Platform : Utility Node Guide The software described in this book is furnished under a license agreement and may be used only in

More information

Release Notes for KYOCERA Net Viewer

Release Notes for KYOCERA Net Viewer Page 1 of 5 Release Notes for KYOCERA Net Viewer Version 5.3 February 28, 2013 Installation Notes It is recommended to close all running applications before installing or modifying KYOCERA Net Viewer or

More information

Getting Started with BarTender

Getting Started with BarTender Getting Started with BarTender MANUAL Contents Getting Started with BarTender 3 Installation 4 Choosing What to Install 4 Automation Editions (Automation and Enterprise Automation) 4 Installing BarTender

More information

AccessData ediscovery 6.3 and Patches Release Notes

AccessData ediscovery 6.3 and Patches Release Notes AccessData ediscovery 6.3 and Patches Release Notes Document Date: 7/18/2018 2018 AccessData Group, Inc. All rights reserved Introduction This document lists the new features, fixed issues, and known issues

More information

Install Guide For Windows 7 Professional >>>CLICK HERE<<<

Install Guide For Windows 7 Professional >>>CLICK HERE<<< Install Guide For Windows 7 Professional Language Pack French Five Language SP is applicable only for Vista English, French, German, Japanese or Installing Windows 7 Service Pack is recommended prior to

More information

Release Notes MimioStudio Software

Release Notes MimioStudio Software Release Notes MimioStudio 8.0.1 Software Copyright Notice 2011 DYMO/Mimio, a Newell Rubbermaid company About MimioStudio 8.0.1 Welcome to MimioStudio 8.0.1 software! Version 8.0.1 is an update to the existing

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,

More information

AccessData Forensic Toolkit Release Notes

AccessData Forensic Toolkit Release Notes AccessData Forensic Toolkit 6.0.1 Release Notes Document Date: 11/30/2015 2015 AccessData Group, Inc. All rights reserved Introduction This document lists the new features, fixed issues, and known issues

More information

Contact Information. Contact Center Operating Hours. Other Contact Information. Contact Monday through Thursday Friday

Contact Information. Contact Center Operating Hours. Other Contact Information. Contact Monday through Thursday Friday Contact Information Contact Center Operating Hours Contact Monday through Thursday Friday Phone: 1.801.796.0944 8 AM 5 PM Eastern Time 8 AM 3 PM Eastern Time Online chat: http://support.paraben.com 10

More information

AccessData Forensic Toolkit Release Notes

AccessData Forensic Toolkit Release Notes AccessData Forensic Toolkit 5.3.3 Release Notes Document Date: 5/19/2014 2014 AccessData Group, Inc. All rights reserved Introduction This document lists the new features, fixed issues, and known issues

More information

Guide & User Instructions

Guide & User Instructions Guide & User Instructions Revised 06/2012 726 Grant Street Troy Ohio 45373 877.698.3262 937.335.3887 onecallnow.com support@onecallnow.com America s Largest Message Notification Provider Copyright 2009-2012

More information

Veritas Enterprise Vault PST Migration 12.2

Veritas Enterprise Vault PST Migration 12.2 Veritas Enterprise Vault PST Migration 12.2 Veritas Enterprise Vault: PST Migration Last updated: 2017-08-10. Legal Notice Copyright 2017 Veritas Technologies LLC. All rights reserved. Veritas, the Veritas

More information

Brainware Intelligent Capture

Brainware Intelligent Capture Brainware Intelligent Capture Technical s Version: 5.8.1 Written by: Product Knowledge, R&D Date: Tuesday, February 20, 2018 2017 Hyland Software, Inc. and its affiliates. Perceptive Intelligent Capture

More information

Using VMware View Client for Mac

Using VMware View Client for Mac May 2012 View Client for Mac This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions

More information

Oracle Fusion Middleware

Oracle Fusion Middleware Oracle Fusion Middleware User's Guide for Desktop Integration Suite 11g Release 1 (11.1.1) E10624-03 February 2011 Oracle Fusion Middleware User's Guide for Desktop Integration Suite, 11g Release 1 (11.1.1)

More information

ServiceAPI to the WorldLingo System

ServiceAPI to the WorldLingo System VER. 2.1 PAGE: 1 OF 16 ServiceAPI to the WorldLingo System Technical Summary WorldLingo VER. 2.1 PAGE: 2 OF 16 Table of Contents Table of Contents...2 Table of Figures...2 List of Tables...2 1. Purpose...3

More information

customization tools!

customization tools! DATASHEET FileMaker PRO 10 ADVANCED for Central Europe, Middle East and India Advanced development and customization tools! FileMaker Pro 10 Advanced includes all the features of FileMaker Pro 10 plus

More information

AccessData AD Lab 6.3 Release Notes

AccessData AD Lab 6.3 Release Notes AccessData AD Lab 6.3 Release Notes Document Date: 11/07/2017 2017 AccessData Group, Inc. All rights reserved Introduction This document lists the new features, fixed issues, and known issues for this

More information

Intelligent Tiered Storage Acceleration Software for Windows 10

Intelligent Tiered Storage Acceleration Software for Windows 10 for Windows 10 QUICK START GUIDE April 2018 2018 Advanced Micro Devices, Inc. All rights reserved. AMD, the AMD logo, Ryzen, Threadripper, and combinations thereof are trademarks are of Advanced Micro

More information

AccessData AD Lab Release Notes

AccessData AD Lab Release Notes AccessData AD Lab 6.3.1 Release Notes Document Date: 6/27/2018 2018 AccessData Group, Inc. All rights reserved Introduction This document lists the new features, fixed issues, and known issues for this

More information

Workstation Configuration Guide

Workstation Configuration Guide Workstation Configuration Guide August 13, 2018 Version 9.6.134.78 For the most recent version of this document, visit our documentation website. Table of Contents 1 Workstation configuration 4 1.1 Considerations

More information

Quest Collaboration Services 3.6. Installation Guide

Quest Collaboration Services 3.6. Installation Guide Quest Collaboration Services 3.6 Installation Guide 2010 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide

More information

KYOCERA Net Admin User Guide

KYOCERA Net Admin User Guide KYOCERA Net Admin User Guide Legal Notes Unauthorized reproduction of all or part of this guide is prohibited. The information in this guide is subject to change without notice. We cannot be held liable

More information

AccessData Advanced Forensics

AccessData Advanced Forensics This advanced five-day course provides the knowledge and skills necessary to install, configure and effectively use Forensic Toolkit (FTK ), FTK Imager Password Recovery Toolkit (PRTK ) and Registry Viewer.

More information

CONTENT. ANALYST OPINION INDICATOR for MT4. Set up & Configuration Guide. Description 1 Subscribing to TRADING CENTRAL feed 1 Installation process 1

CONTENT. ANALYST OPINION INDICATOR for MT4. Set up & Configuration Guide. Description 1 Subscribing to TRADING CENTRAL feed 1 Installation process 1 ANALYST OPINION INDICATOR for MT4 Set up & Configuration CONTENT Description 1 Subscribing to TRADING CENTRAL feed 1 Installation process 1 Indicator's use and set up 4 Features and parameters 5 Upgrade

More information

Workshare Compare 9.5

Workshare Compare 9.5 Workshare Compare 9.5 User Guide Workshare 9.5.3 April 2018 9.5.787.3184 Workshare Compare 9.5 User Guide Table of Contents Chapter 1: Introducing Workshare Compare...8 What is Workshare Compare?... 9

More information

Avast Customer & Technical Support Policy

Avast Customer & Technical Support Policy Avast Customer & Technical Support Policy PLEASE READ THE TERMS AND CONDITIONS OF THIS SUPPORT POLICY ( SUPPORT POLICY ). THIS SUPPORT POLICY IS PROVIDED BY AVAST SOFTWARE s.r.o., A COMPANY DULY ORGANIZED

More information

AccessData ediscovery 6.3 and Patches Release Notes

AccessData ediscovery 6.3 and Patches Release Notes AccessData ediscovery 6.3 and Patches Release Notes Document Date: 5/8/2018 2018 AccessData Group, Inc. All rights reserved Introduction This document lists the new features, fixed issues, and known issues

More information

Veritas System Recovery 18 Management Solution Administrator's Guide

Veritas System Recovery 18 Management Solution Administrator's Guide Veritas System Recovery 18 Management Solution Administrator's Guide Documentation version: 18 Legal Notice Copyright 2018 Veritas Technologies LLC. All rights reserved. Veritas and the Veritas Logo are

More information

SIMATIC. Industrial PC Microsoft Windows 10. Safety instructions 1. Initial startup: Commissioning the operating. system

SIMATIC. Industrial PC Microsoft Windows 10. Safety instructions 1. Initial startup: Commissioning the operating. system Safety instructions 1 Initial startup: Commissioning the operating 2 system SIMATIC Industrial PC Restoring operating system and partitions 3 Configuring and updating the operating system 4 Extended scope

More information

Get Started. Document Management 9.7.1

Get Started. Document Management 9.7.1 Get Started Document Management 9.7.1 NOTICE This document and the Sage Timberline Office software may be used only in accordance with the accompanying Sage Timberline Office End User License Agreement.

More information

SIMATIC. Industrial PC Microsoft Windows 7. Safety instructions 1. Initial startup: Commissioning the operating. system

SIMATIC. Industrial PC Microsoft Windows 7. Safety instructions 1. Initial startup: Commissioning the operating. system Safety instructions 1 Initial startup: Commissioning the operating 2 system SIMATIC Industrial PC Operating Instructions Restoring the factory settings of the operating system and 3 partitions (Restore)

More information

Server Edition USER MANUAL. For Microsoft Windows

Server Edition USER MANUAL. For Microsoft Windows Server Edition USER MANUAL For Microsoft Windows Copyright Notice & Proprietary Information Redstor Limited, 2016. All rights reserved. Trademarks - Microsoft, Windows, Microsoft Windows, Microsoft Windows

More information

Release Notes. Version 5.0

Release Notes. Version 5.0 Release Notes Wellnomics Breaks & Exercises (WorkPace ) Version 5.0 Product Release Overview Product: Release Version: 5.0 Wellnomics WorkPace Date of Release: October 2014 Support Information: For more

More information

AccessData AD Lab Release Notes

AccessData AD Lab Release Notes AccessData AD Lab 6.2.1 Release Notes Document Date: 4/24/2017 2017 AccessData Group, Inc. All rights reserved Introduction This document lists the new features, fixed issues, and known issues for this

More information

Workstation Configuration

Workstation Configuration Workstation Configuration December 15, 2017 - Version 9.3 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

More information

Veritas Enterprise Vault Setting up SharePoint Server Archiving 12.2

Veritas Enterprise Vault Setting up SharePoint Server Archiving 12.2 Veritas Enterprise Vault Setting up SharePoint Server Archiving 12.2 Veritas Enterprise Vault: Setting up SharePoint Server Archiving Last updated: 2017-08-10. Legal Notice Copyright 2017 Veritas Technologies

More information