Intella User Manual. evidence made visible. Intella. Vound investigation and ediscovery software. Version 1.8

Size: px

Start display at page:

Download "Intella User Manual. evidence made visible. Intella. Vound investigation and ediscovery software. Version 1.8"

Ralph Camron Sullivan
6 years ago
Views:

1 Intella User Manual Intella evidence made visible Vound investigation and ediscovery software Version 1.8

2 Contact To learn more about Intella, please contact us using the contact information below, or contact an Intella Channel Partner. Vound Office Phone Postal Address 1153 Bergen Parkway - #1537 MBE # 267 Evergreen, Colorado U.S.A. Sales Contacts We will be pleased to provide additional information concerning Intella and schedule a demonstration at your convenience. To become an Intella reseller, please contact us! For user and technical support please visit our website:

3 Vound Colorado ( Vound ) Vound. All rights reserved. The information in this User Manual is subject to change without notice. Every effort has been made to ensure that the information in this manual is accurate. Vound is not responsible for printing or clerical errors. VOUND PROVIDES THIS DOCUMENT AS IS WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED AND SHALL NOT BE LIABLE FOR TECHNICAL OR EDITORIAL ERRORS OR OMISSIONS CONTAINED HEREIN; NOR FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES RESULTING FROM THE FURNISHING, PERFORMANCE, OR USE OF THIS MATERIAL. Other company and product names mentioned herein are trademarks of their respective companies. It is the responsibility of the user to comply with all applicable copyright laws. Mention of third-party products is for informational purposes only and constitutes neither an endorsement nor a recommendation. Vound assumes no responsibility with regard to the performance or use of these products. Under the copyright laws, this manual may not be copied, in whole or in part, without the written consent of Vound. Your rights to the software are governed by the accompanying software license agreement. The Vound logo is a trademark of Vound. Use of the Vound logo for commercial purposes without the prior written consent of Vound may constitute trademark infringement and unfair competition in violation of federal and state laws. All rights reserved by Vound. Intella is a trademark of Vound. Page 3 Intella User Manual 2014 Vound

4 Contents Contact Preface Training Document conventions An introduction to Intella Key benefits Intella editions Supported file formats Supported sources Supported platforms Feedback Getting support Different ways to get support Standard technical support User support contract Certified Intella training courses Working with Vound support Upgrade contract Installation and configuration Installation Step 1: Check the requirements! Step 2: Learn about licenses and dongles Step 3: Install the software Step 4 (optional): Support for S/MIME- and PGP-encrypted s Storage considerations Installation troubleshooting Error code 7 (H0007) Error code 31 (H0031) Error code 33 (H0033) Error code 37 (H0037) Error code 41 (H0041) Error code 51 (H0051) Memory settings Where are Intella's data files located? Where can I find Intella s log files? How to add a Lotus Notes NSF source? Frequently asked questions Dongle activation Overall process Dongle Manager Using haspupdate.exe Page 4 Intella User Manual 2014 Vound

5 7 Products and workflow Feature overview Standalone use Sharing cases Sharing cases across a network Sharing cases offline Work reports Cross-case work reports Managing cases Adding cases Creating a new case Opening a shared case Opening an existing case not in the list Importing a case Opening a case Editing a case Deleting a case Exporting a case Sharing a case Overview of the Intella interface Main window Previewer Sources Source types Adding sources Adding a File or Folder source Adding a load file source Adding a Hotmail Search Warrant Result source Adding a Disk Image source Adding an IMAP account source Last steps in a source definition Indexing and re-indexing Indexing Re-indexing Automatic decryption of items Supported formats Supplying access credentials Post-processing Tasks OCR Thumbnail generation Content analysis Editing sources Exceptions report Restoring annotations Page 5 Intella User Manual 2014 Vound

6 11 Optical Character Recognition (OCR) Starting OCR OCR methods Using an external OCR tool Using ABBYY Recognition Server Reviewing OCRed items Keyword search Search options Search query syntax Use of multiple terms (AND/OR operators) Minus sign (NOT operator) Phrase search Grouping Single and multiple character wildcard searches Fuzzy search Proximity search Field-specific search Special characters Regular expressions Using facets Available facets Saved Searches Features Tags Location Address Phone Number Date Type Author Content Analysis Keyword Lists MD5 and Message Hash Item ID Lists Language Size Duration Device Identifier Export Sets Including and excluding facet values Including a facet value Excluding a facet value Cluster Map Understanding a Cluster Map Manipulating Cluster Maps Page 6 Intella User Manual 2014 Vound

7 14.3 Options Social Graph Basics Controls Limitations Statistics Overview tab Histogram tab s tab Details panel Table view Adding and removing columns Reorganizing table columns Sorting the list Showing a conversation Showing the child items Showing the parent items List view Thumbnails view Timeline view Deduplication Previewing results Overview of the Previewer The Toolbar Tabs Contents Preview Headers Raw Data Properties Attachments Thumbnails Tree Entries Comments Words Actions Redaction Tagging Tagging in the main window Adding tags Removing tags Tagging in the previewer Automatic tag inheritance Pin a tag to a button Page 7 Intella User Manual 2014 Vound

8 19.5 See all tagged items Searching with tags Deleting a tag Undo tags Redaction Workflow Redacting an item Exporting Mass redaction Redaction profiles Caveats Exporting Exporting a single result Exporting a list of results Export formats Destination folder Export templates Export sets PDF file options File naming and numbering (original format, PDF, load files) PDF rendering options (PDF, load files) PST options ibase and Analyst s Notebook options Load file options Headers and footers (PDF, load files) Creating an export report Skipped items Exporting to a CSV file Exporting the result counts Exporting the social graph data Load file checklist Summation Concordance Audit trail Preferences General Display Search Results Tagging MS Outlook IBM Lotus Notes Menu, mouse, and keyboard shortcuts Main Menu File Page 8 Intella User Manual 2014 Vound

9 Sources View Export Team Help Mouse actions Table and thumbnail view Timeline Cluster Map Social Graph Histogram Keyboard shortcuts Main window Previewer window Appendix I. HASP problem resolution Problem flowchart Problems and solutions Installation problems HASP dongle drivers do not install HASP dongle not found Hardware problems No dongle detected Firewall & anti-virus problems Unable to access HASP SRM RunTime Environment (H0033) Normal operation Installation flowchart Page 9 Intella User Manual 2014 Vound

1 Preface Intella is designed to be an email investigation and e-discovery tool.

10 1 Preface Intella is designed to be an investigation and e-discovery tool. It is ideally suited for use by enterprise, law enforcement, and regulatory agencies in civil, criminal, or policy-related investigations. Intella is an excellent tool to prepare electronically stored information for discovery. Intella s powerful indexing search engine and its unique visual presentation will let you quickly and easily search and review and electronically stored information to find critical evidence and visualize relevant relationships. With Intella, you can... Gain deeper insight through visualizations and statistics. Search , attachments, archives, headers, and metadata. Drill deeply using Intella s unique facets. Group and trace conversations. Reveal the social graph of a person or group of persons of interest. Preview, cull, and deduplicate and data. Export results in a variety of formats for reporting, follow-up investigation, e-discovery, or later use. Page 10 Intella User Manual 2014 Vound

11 1.1 Training This manual outlines the features incorporated in the Intella products. Its focus is to explain the rudimentary functions of each Intella feature. It should not be seen as explaining how to manage data or cases. While Intella is an easy and intuitive software package to use in the fields of forensic search, data analysis and ediscovery, the user is required to have a firm grasp of how Intella treats and manages certain information/data types as applicable to these fields. As with any software, the user must understand the issues and actions required that may arise prior to and while using Intella, particularly in the following areas: Different data types. s and attachments (parent-child relationships). Search parameters. Date formats. Inclusions and exclusions. Chain of custody. Legal and privacy issues. How to cross-verify results to ensure the accuracy of those results before they are relied upon. How to identify inconsistent results. The necessity to pre-process or convert certain data types prior to processing. The user should understand that his manual does not seek, nor can it be an exhaustive list of the usage of Intella. This manual is structured to explain the use of certain, but not all, features at a basic level. This manual does not take into account specific user requirements when explaining those features. Furthermore, this manual does not outline the steps required to be undertaken prior to processing data to ensure the accuracy of all results. The user should always ensure that they are personally aware of any special circumstances or steps required with the data, prior to processing and searching that data. This is critical to being able to get the most out of Intella and undertake your investigation free from mistakes. This manual cannot and does not offer this information. We do however offer training that will help the user to have a better understanding of these issues. We highly recommend that the user takes advantage of this training on the correct use of Intella. This can be critical for any matter where the user will rely upon the results produced in Intella as part of an action or investigation. Failure to undertake adequate training may cause unreliable results. Please contact us for additional information at training@vound-software.com or visit us at Page 11 Intella User Manual 2014 Vound

12 1.2 Document conventions The following section introduces you to conventions used throughout the Intella documentation. Menu Functions For functions that can be reached through menus, the different menu levels are illustrated as follows: Menu > Menu entry Important Entries Some text will be shown as follows: Important: Important information on Intella. These entries discuss a key concept or technical information that should, or must, be followed or taken into account. Please pay special attention to these entries. Notes Some sections provide additional information that will assist your use of Intella. These are displayed as shown below: Note: Information on function or parameter. Keyboard Shortcuts Some Intella functions can be activated or accessed through keyboard shortcuts. They are shown as follows: CTRL+E Tips A number of shortcuts, alternative methods, or general working tips are included throughout the documentation. These may help your workflow, or provide additional information on other uses of functions. Tips are shown as below: Tip: Information on Intella. Folder and file names Folder and file names are shown as below: C:\Program Files\Vound\Intella\ Page 12 Intella User Manual 2014 Vound

13 2 An introduction to Intella Intella is an instrument for data and investigation and ediscovery. It helps you search and explore information stored on your computer, network disks, in boxes and PST, OST and NSF files. Intella is being used by Law Enforcement, Legal and regulatory bodies to do all of the above. Intella indexes all places where you expect valuable information and provides powerful means for retrieving that information. The important advantage over similar tools is that Intella presents the search results using facets, Cluster Maps and Social Graphs. Facets allow you to find items based on more than just keywords and the visualizations provided by the Cluster Maps and Social Graphs allow you to see how files and s are related to your query. The birds-eye view helps you gain insight in information that is available on combinations of keywords. In each step of your search it shows the number of s or files that match your search (and of course a link to the s and files themselves) so that you can effectively zoom in to find what you are looking for. Setting up Intella on your computer takes little time. Install the software, define the sources to search and explore and let Intella index the sources. Searching with Intella is also easy. Start as if you are using a familiar search engine by entering a search term, or choose any value from the information facets. Let Intella help you to refine your question with a list of suggested refinements. 2.1 Key benefits Easy to use interface means cutting down on training expenses and time and allows a broad group of investigators to join in an investigation. Visualizations of search results provide you with deeper insight. See how files, s and cellphone items relate to parts of your query. Facets, like Type, Date, and Language, help you to drill down to the wanted information and to focus on the information you need. Search attachments and archives such as zip files. Searching is simple and requires very little training. Export the search results for later use and for creation of reports. Page 13 Intella User Manual 2014 Vound

14 2.2 Intella editions Intella comes in six different product editions. The table below shows the most important features of these editions. Preparation 10 GB 100 GB 250 GB Professional Viewer TEAM Manager Evidence size limit 10 GB 100 GB 250 GB none none none Create new cases Index evidence files Investigation Search, filter & review Preview items Flag & tag items Export items Cooperation Export Cases Import Cases Share Cases Connect to Shared Export Work Reports Import Work Reports Page 14 Intella User Manual 2014 Vound

15 2.3 Supported file formats Intella can extract contents and metadata of the following file formats: Mail formats: o Microsoft Outlook PST/OST Experimental support for Outlook 2013 OST files o Microsoft Outlook Express DBX, MBX o Lotus Notes NSF o Mbox (e.g. Thunderbird, Foxmail) o Saved s (.eml,.msg) o Apple Mail (.emlx) o TNEF-encoded files ( winmail.dat files). o Bloomberg XML dump Cellphone extraction formats: o Cellebrite UFED XML export o Micro Systemation XRY XML export (XRY 6.4 s new Extended XML is recommended) o Oxygen Forensic Suite XML export Disk image formats: o EnCase images (E01, Ex01, L01, Lx01 and S01 files) o DD images Document formats: o MS Office: Word, Excel, PowerPoint, Visio, Publisher, both old (e.g.,.doc) and new (.docx) formats o OpenOffice: both OpenDocument and legacy OpenOffice/StarOffice formats o Hangul word processor (.hwp files) o Corel Office: WordPerfect, Quattro, Presentations o MS Works o Plain text o HTML o RTF o PDF (incl. entered form data) Archives: o Zip o Gzip o Bzip2 o Tar o Rar o 7-Zip o Cpio o ARJ o Cabinet (CAB) o DEB o Partial support for ZipX Page 15 Intella User Manual 2014 Vound

16 Search Warrant Results: o Hotmail (uses a HTML-based collection of files) o Gmail and Yahoo (uses an Mbox variant) Miscellaneous formats: o ical o vcard o XML The following types of encrypted files and items can be decrypted, provided that the required access keys (passwords, certificates, ID files) are provided: PST/OST NSF PDF XLS OpenXML (.docx,.xlsx,.pptx) PDF ZIP RAR 7-Zip S-MIME-encrypted s PGP-encrypted s Note: To decrypt and index encrypted s, the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files need to be installed. See the Installation and Configuration chapter. When indexing plain text file formats, Intella can essentially handle all character encodings supported by the Java 7 platform. This relates to regular text files and to bodies encoded in plain text format. See for a complete listing. When the encoding is not specified, Intella will try to heuristically determine the encoding. The following encodings are then supported: UTF-8 UTF-16BE UTF-16LE UTF-32BE UTF-32LE Shift_JIS Japanese ISO-2022-JP Japanese ISO-2022-CN Simplified Chinese ISO-2022-KR Korean GB18030 Chinese Big5 Traditional Chinese EUC-JP Japanese EUC-KR Korean ISO Danish, Dutch, English, French, German, Italian, Norwegian, Portuguese, Swedish Page 16 Intella User Manual 2014 Vound

17 ISO Czech, Hungarian, Polish, Romanian ISO Russian ISO Arabic ISO Greek ISO Hebrew ISO Turkish windows-1250 Czech, Hungarian, Polish, Romanian windows-1251 Russian windows-1252 Danish, Dutch, English, French, German, Italian, Norwegian, Portuguese, Swedish windows-1253 Greek windows-1254 Turkish windows-1255 Hebrew windows-1256 Arabic KOI8-R Russian IBM420 Arabic IBM424 Hebrew 2.4 Supported sources Folder Files on local and network file systems can be indexed by Intella. Please check the list of supported file formats. Microsoft Outlook file (PST, OST) s and attachments in the archive file of Microsoft Outlook can be indexed by Intella. Versions: 97, 98, 2000, 2002, 2003, 2007, 2010, 2013 (experimental ability to recover deleted s from OST 2013 files, this is being worked on) Microsoft Outlook Express file (DBX, MBX) Intella will index s and attachments stored in a Microsoft Outlook Express DBX and MBX files. Versions: 4, 5 and 6 Lotus Notes NSF file Intella will index and attachments in an archive file of IBM Lotus Notes. Versions: IBM Lotus Notes 8.5.x or higher needs to be installed on the computer that runs Intella in order to process Lotus Notes NSF files. Intella supports all NSF files that can be processed by the installer Lotus Notes version. See the section on indexing NSF files for more details. Mbox file Intella will index and attachments stored in Mbox files. Versions: We tested Intella on several programs that use Mbox files with good results, e.g. Thunderbird and Foxmail. Page 17 Intella User Manual 2014 Vound

18 Hotmail Search Warrant Result Intella can index the mail packages delivered by Microsoft when responding to a search warrant. IMAP account Intella is able to access an accounts on a IMAP server and index s and attachments. Versions: Intella was tested on several IMAP servers with good results. However, we cannot guarantee that Intella is able to create IMAP account sources for every IMAP server. Cellphone XML report(s) Intella can index information that has been extracted from cellphones with Cellebrite s UFED devices, Micro Systemation s XRY and Oxygen. To do so, the native file formats need to be exported to XML, which can then be added to an Intella case. See the documentation of the respective tool for instructions on how to export to XML. Disk images Intella can open disk image files in EnCase and DD formats and index their contents as if they are mounted and indexed as a regular Folder source. No recovery of items from unallocated or slack space is performed. Load files Intella can index load files that are stored in Concordance, Relativity and CSV format. 2.5 Supported platforms Intella is currently only supported on Windows 2000, Windows XP, Windows Vista, Windows 7 and Windows 8/8.1. Note that Intella is not supported on Windows Server 2003, Windows Server 2008 and Windows Server For detailed instructions about installation and running Intella, please read section 4: Installation and configuration. 2.6 Feedback We take great care in providing our customers with a pleasant experience, and therefore greatly value your feedback. You can contact us through the form on or by mailing to one of the addresses on the Contact page. Page 18 Intella User Manual 2014 Vound

19 3 Getting support 3.1 Different ways to get support Vound offers four support options designed to assist users that experience problems while working with Intella : 1. Standard technical support 2. User support contract 3. Vound User Support portal 4. Certified Intella training courses Standard technical support Standard technical support is offered free of charge to all Vound customers that have a current support and maintenance contract. Standard technical support can be requested at the Vound support page, Support is provided on business days, Monday through Friday. We attempt to give you a first answer within 2 business days. All communication will be remote , GoToMeeting, and other means and not in person unless otherwise arranged. Standard technical support will only be provided if your computer and operating system meet the minimum recommended specifications listed in the latest version of the Intella manual. Who is eligible for technical support? Our goal at Vound is to provide our customers high quality and timely technical support. To do this we limit technical support to the registered owners of Intella. Companies that allow a third party to use their Intella licenses must have that third party channel all technical support through the original registered owner of the software. To ensure that we support our customers, Vound regrets it cannot support users who are not the original registered owner of Intella. What technical support is included? Installation and set-up support limited to one computer in your environment. Configuration technical support and user support on use for standard Intella options. Support for errors in the software (bugs). Please note that Vound will make reasonable efforts to correct identified software errors. However this may not be achievable until a later date or version release. If this is the case, the user should make efforts and take responsibility to achieve the required outcomes via other methods. Where the errors relate or are Page 19 Intella User Manual 2014 Vound

20 caused by corrupt data (within source files), Vound reserves the right to charge for the work needed to rectify the issue. No support can be provided When your computer does not meet the minimum or essential system requirements. When you made any kind of modifications to the installed software. When you are not using the software for its intended purpose. When 3rd party applications, like virus scanners, firewalls, and other forensic applications, interfere with Intella. Explaining the method needed to use each feature to achieve a set outcome. Note: At no time should Vound technical support be seen as legal or forensic advice. Our support is given with no knowledge of the specific case or matter Intella is being used on. Technical support is focused on the correct installation and usage of Intella features. We do not warrant that we are aware of all facts around the case that may be under investigation. As such our replies should not be seen as advice or the only way to achieve the required outcome User support contract A paid user support contract is offered to those customers that want additional user support. The user support contract provides assistance that falls outside the standard support package (see Standard technical support). What can be included in the user support contract? Help with the case or setup configuration of Intella. Assistance in using the basic and advanced features of Intella such as searching, tagging, and exporting. Help with the installation of Intella, or help with the configuration and set-up of your computer that runs Intella. Detailed explanation of Intella case management and help with Intella case setup. Help with the export of search results found with Intella for use with other applications. Support for using Intella in combination with software from other vendors. Support for issues that a newer Intella release has addressed. How to buy to a user support contract? User support contracts are based on your specific needs. If you want to know more, please contact your nearest Vound representative or your local Intella reseller Certified Intella training courses Vound offers a number of paid training courses for its product. These courses are designed to expand your effectiveness and output when using Intella. It is recommended that all users take a minimum basic training course to ensure they are correctly using the product. Page 20 Intella User Manual 2014 Vound

21 Users who have taken a recent training course for their Intella product will be offered a discount on a paid user support contract. For more information on types of training and available dates please visit Working with Vound support It is highly recommended that customers and users take advantage of the Vound support page when seeking assistance. The support portal takes care of collecting all necessary information such as the Intella version, Windows version, source types used, etc. and will suggest relevant articles from the Intella knowledge base. 3.3 Upgrade contract Vound customers that purchased an Intella license are entitled to install free upgrades of the software for a period of one-year. In other words: an Intella license comes with a one-year upgrade contract. After this period purchasing an upgrade subscription will continue the upgrade contract. Please contact your nearest Vound representative for more information. Please know that you will only have access to standard technical support if you have an upgrade contract. Page 21 Intella User Manual 2014 Vound

22 4 Installation and configuration 4.1 Installation Step 1: Check the requirements! Intella is supported on Windows 2000, Windows XP, Windows Vista, Windows 7 and Windows 8. CPU, memory and disk space requirements depend on how Intella is intended to be used: Indexing As a rule of thumb, the case folder requires between 150% and 200% of the size of the combined evidence data, depending on data complexity and amount of compression used on the evidence data. When caching of original evidence items is turned off, this reduces the amount of disk space. For better indexing performance, we suggest to store the case data folder on a physically different disk than the one with the evidence data. Disk access times for the case indexes are critical for performance. We therefore strongly suggest not using USB or network drives for the case data folder. See the section on Storage Recommendations for more storage-related tips. Main memory and CPU requirements for indexing: Evidence size Minimum memory Recommended memory Number of CPU cores Up to 10 GB 2 GB 4 GB 2 10 to 100 GB 4 GB 8 GB to 500 GB 8 GB 16 GB or more 4 or more Case sharing (TEAM Manager) Memory requirements depend on the evidence size and number of concurrent reviewers. Recommended memory sizes (in GB, more is better) and CPU cores for the machine that is sharing the case depends on both the evidence size and the number of concurrent reviewers: Evidence size 1-4 Reviewers 5-10 Reviewers Reviewers Up to 10 GB 4 GB, 2 cores 8 GB, 4 cores 16 GB, 4 cores 10 to 100 GB 8 GB, 4 cores 16 GB, 4 cores 32 GB, 8 cores 100 to 500 GB 16 GB, 4 cores 32 GB, 6 cores To prevent bottlenecks, the storage system should scale with the size of the case and team. Larger teams are better served with a case folder stored on RAID arrays and/or fast solid state drives (SSD). Page 22 Intella User Manual 2014 Vound

23 Connecting to shared cases (Viewer) While technically Intella TEAM will work over slow network connections, a local and fast (gigabit) network is preferable, especially when working with large cases or with large reviewer teams. Main memory and CPU requirements for connecting to a shared case: Evidence size Minimum memory Recommended memory Number of CPU cores Up to 10 GB 2 GB 4 GB 2 10 to 100 GB 4 GB 8 GB to 500 GB 8 GB 16 GB or more 4 External applications No Microsoft Office installation is required to index PST/OST files or any MS Office document formats. A Microsoft Office installation is still required for the following tasks: Exporting items to a PST Exporting to PDF with original rendering enabled. MS Office 2007 or higher is required, 2010 is recommended. For exporting to PST, the 32-bit Intella version requires 32-bit MS Outlook. The 64-bit Intella version can use both 32-bit and 64-bit MS Outlook. For exporting to PDF with the original rendering enabled, the bit variants of MS Office and Intella do not have to match, any combination will work. In order to index NSF files, Lotus Notes 8.5 or higher is required. Only the application files are necessary, Notes does not have to be fully setup to be used by Intella. In principle all Lotus Nodes 8.5.x versions or later can be used, but the following versions will produce a warning: FP FP FP These versions contain a bug described here that cause s with multiple Received headers to be altered: all Received headers will get the value of the first header. At the time of writing Lotus Notes was available, in which this bug has been fixed. Note: Intella needs to know the location of Lotus Notes in order to index NSF files. Please go to File > Preferences > IBM Lotus Notes to check if the location is validated Step 2: Learn about licenses and dongles Notes on the trial license that is bundled with the software that you have downloaded: 14-Day evaluation period. The trial version runs under a HASP Software License, which gives you the ability to use Intella for 14 days. The 14 days evaluation period cannot be extended. The only way to continue using Page 23 Intella User Manual 2014 Vound

24 Intella is to purchase a dongle. Trial restrictions. Besides the 14 days of usage, the trial only allows 10 GB of evidence files per case. Also, exporting is limited to maximally 1000 items per export. Continue working with a USB dongle. If you would like to continue using Intella after this 14 day period, you will need to buy a license. After buying the license you will receive a USB dongle that will allow you to continue using the version you already installed. A dongle provides a perpetual license without export restrictions. Evidence size restrictions may still apply, based on the licensed product. System clock. Changing the clock on your system will cause the trial to automatically expire. When this occurs, the only way to continue using Intella will be to purchase a license. Virtual Machines, VMware. The evaluation version will not work in VMware without a dongle. RDP (Remote Desktop Protocol) connection. When using RDP, the dongle or trial license must be in/on the computer running the Intella software, not in the computer running the RDP viewer. Note that versions < 1.7 do not support use of the trial license over RDP. Other dongle-protected software must be closed All other HASP protected software, like EnCase (Guidance), Smart Mount (ASR Data), HBGary and i2 products, must be closed when installing Intella Step 3: Install the software 1. Download Intella through the download page on the Vound support website: 2. Double-click on the downloaded.exe file to launch the installer. Accept the license. 3. Enter the location to store the application files and shortcuts or accept the default settings. All files will be extracted to the location of your choosing and an Intella shortcut is (optionally) placed on your desktop and in your Start menu. The application folder contains an executable called "Intella.exe" that can be used to launch the application. The desktop and menu shortcuts also start this executable. The program will start with the Case Manager window. Page 24 Intella User Manual 2014 Vound

25 Important: Intella will not install in an installation folder of an earlier version. Install a new version of Intella in a folder with a new name, for example: C:\Program Files\Vound\Intella 1.8\ It is possible to install multiple Intella versions side by side Step 4 (optional): Support for S/MIME- and PGP-encrypted s By default you will not be able to decrypt many S/MIME or PGP s until you have installed the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy files in Intella s installed application files. Due to US export policies we are not allowed to distribute these files as part of Intella. When these files are not installed, you will see a warning message when you open the "Key Store" dialog. Follow these steps to install the JCE files: Close Intella. Download "JCE Unlimited Strength Jurisdiction Policy Files for Java 7" from Unpack the archive. Copy the two extracted JAR files into the following folders (replacing any existing files): o <Intella Folder>\jre\lib\security\ o <Intella Folder>\jre-x86\lib\security\ (only applies to Intella 64-bit edition) Note: Intella bundles its own Java JRE(s). The JCE files should be installed in these JRE(s). Installing it in the system s Java installation has no effect. 4.2 Storage considerations Besides the memory and CPU requirements above, there are other hardware considerations that impact performance. Use of USB drives Our testing shows that USB drives are generally slower than internal hard drives or esata drives. Please note that Windows allows you to use USB drives in two performance modes: the default Quick Removal mode and the Better Performance mode. Using the latter helps a lot to achieve better performance, but you will have to make sure to properly remove the drive in Windows before unplugging the drive. Not doing so means you risk damaging your case files beyond repair. Evidence on external drives Many users like to keep their evidence data on an external drive, for a variety of reasons. A common question is whether they can still use the case when this drive is disconnected after indexing. This is certainly possible. Access to the original evidence files is only necessary when you want to export the original evidence files themselves and have disabled the Cache original evidence files option when you added the source. For the rest the case folder is completely self-contained as all extracted items are stored in the case folder and can be exported without access to the original evidence files. Page 25 Intella User Manual 2014 Vound

26 For example, when you index a folder with PST files, any and other embedded items extracted from those PST files are stored in the case folder and can always be exported. The PST files themselves are not copied into the case folder, unless the Cache original evidence files setting is selected. Selection and configuration of hard drives Because Intella is an intensive user of a system's hard drive, we recommend careful selection and configuration of the hard drives in order to optimize performance. As a general rule, newer hard drives will outperform older drives in that they benefit from design improvements and new technology. Consider the following when using Intella: Separate disks for evidence and case indexes. During indexing, Intella accesses the database continually performing read and write functions. In order to more efficiently use the resources, it is recommended that the evidence data and the case data be allocated to separate hard drives. For example, put the case data on the "C" Drive and the evidence data on the "E" Drive. Optimization folder. Since Intella 1.8 the case creator can specify a third folder for optimization purposes in the case details. Currently this folder is used for storing temporary indexing data that else would be stored in the case folder. When the optimization folder resides on a different drive than the case folder or evidence folder(s), this can further improve indexing performance. Proper connection. To realize maximum benefit from Intella's multi-disk optimization architecture, ensure that the hard drives are appropriately connected to the computer's motherboard so as to benefit from the higher available bandwidth. For example, connect the drives to the SATA-300 or SATA-600 connector rather than the smaller bandwidth carrying SATA-150. Configure the system's BIOS correctly. Typically the computer's BIOS defaults to the lowest common denominator to facilitate compatibility for connected hardware components. As a result, performance and speed can suffer. To address this possibility, check the BIOS to: o Ensure the hard drive supports Native Command Queuing it should! o Confirm that the SATA control mode is set to either AHCI or RAID. Note: if the setting is at IDE (typically the default), Intella's performance will suffer with slower indexing and searching as a result. Use of external and/or network drives. Internal drives are always the preferred option for Intella. Intella's indexing and search performance can deteriorate significantly when used with external or network drives. o If required, external drives such as a USB can be used to hold the evidence data; however it is recommended that the fastest available connection option be used. USB 3.0 or esata should offer acceptable performance. Avoid USB 2.0 drives as they are significantly slower for any evidence or case file greater than 2-5 GB. o Network drives may be acceptable for holding evidence files if on a fast network. When using network drives, it is imperative that no other users access the files at the same time. You should also ensure that no network antivirus or filtering software blocks the indexing processes. Page 26 Intella User Manual 2014 Vound

27 4.3 Installation troubleshooting Error code 7 (H0007) "HASP key not found (H0007)" This error code might be caused by other HASP dongle protected programs. Please close down all HASP related programs (i.e. EnCase, Smart Mount) and reinstall Intella Error code 31 (H0031) Could not find a valid Intella license, please insert a dongle This error message is shown when your trial license has expired, or when you unplug your dongle while Intella is running and it cannot fall back to a non-expired trial license. You can only continue using Intella by inserting a dongle Error code 33 (H0033) "Unable to access HASP SRM Run-Time Environment (H0033)" This error code may be triggered if you run antivirus software. It is probably due to the antivirus software incorrectly blocking access to the HASP install. Please update your antivirus software to the latest virus definition file. If this problem persists, reboot your computer, open a Command Prompt and run (as administrator) <intella-dir>\bin\haspdinst.exe -i -kp and restart Intella Error code 37 (H0037) Other HASP dongle protected software may cause this error. Please close down all HASP related programs (i.e. EnCase, Smart Mount) and reinstall Intella. If this problem persists, open a Command Prompt and run (as administrator) <intella-dir>\bin\haspdinst.exe -i -kp and restart Intella. Tip: To open a Command Prompt and run as administrator (in Vista and Windows 7), please select Start > Accessories > Command Prompt. Right click and select "Run as administrator. If problem persists after running this command, please open a Command Prompt as administrator and run net start hasplms Page 27 Intella User Manual 2014 Vound

28 4.3.5 Error code 41 (H0041) "Your Intella (trial) license has expired (H0041)" This error will be triggered if Intella is run and your trial license has expired. Once the trial has expired, you can only continue using Intella by inserting a dongle Error code 51 (H0051) "Virtual machine detected, cannot run without a dongle (H0051)" In order to protect our intellectual property, the evaluation version of Intella WILL NOT run in a virtual machine (VM) environment. A stand-alone machine is required. This is only true for the evaluation version; Intella will run in a VM environment using a dongle. Solution 1: Reconnect the USB dongle to your computer Solution 2: Install the Intella evaluation version outside a virtual machine Memory settings The Intella process and its child processes (one for each case that you open + additional processes during indexing and exporting) are limited by the amount of RAM that the process can maximally use, despite how much memory is installed in the machine. On some data sets this limitation can cause issues when indexing or reviewing the data. These issues can be recognized by errors in the log files containing the text OutOfMemoryError or java heap space. When such errors occur, a workaround may be to increase the automatically managed memory settings, especially when the machine meets the recommended hardware settings (at least 8 GB of RAM). To increase these limits, select the case in the Case Manager and click Edit button. Change the Memory allocation setting from Auto to Manual and increase the value. Note that you can never specify more than half of the available system RAM. This is to make sure that Intella s child processes and the OS still have sufficient memory available to them. When the memory issue relates to the extraction of items from PST or NSF files (you may need to contact tech support for that diagnosis) or to exporting, then locate the Intella.l4j.ini file in Intella s program files folder and open it in a text editor. You will typically need administrative privileges to edit this file. Locate the following line: # -Dintella.serviceMaxHeap=600M When the # is removed, this instructs Intella to use maximally 600 MB of memory for these child processes. Remove the # and increase this number to the higher value suggested to you by tech support. Make sure that you do not go beyond 1300M for the 32-bit Intella version. With the 64-bit version of Intella you can use larger values, but never more than your machine and OS supports Where are Intella's data files located? There is an Intella data folder in your home folder. The actual path to this folder depends on your platform. Windows Vista, Windows 7 and Windows 8/8.1 Page 28 Intella User Manual 2014 Vound

29 C:\Users\<USERNAME>\AppData\Roaming\Vound\Intella Windows 2000, XP C:\Documents and Settings\<USERNAME>\Application Data\Intella Where can I find Intella s log files? Intella has two types of log files: Case-specific log files. These will contain any messages (errors, warnings, status messages) relating to your activities in the case, such as indexing, searching and exporting. They are located in \Intella\cases\<CASE FOLDER>\logs Log files of operations performed in the Case Manager, such as exporting or importing a case. These are located in \Intella\logs The log files can be opened in any text editor like TextPad or Notepad++. Be aware that Windows default text editor Notepad may have issues opening large files. Tip: Click Help > Open Log Folder to open the log folder of the current case How to add a Lotus Notes NSF source? If you want to index Lotus Notes NSF files, Lotus Notes 8.5 or higher needs to be installed on your computer. Only the application files are necessary, Notes does not have to be fully setup to be used by Intella. See the section on indexing NSF files for more details. If the "Lotus Notes NSF file" option is greyed out in the Add New Source wizard, please check File > Preferences > IBM Lotus Notes tab. If the status is not OK, please click Browse and select the correct path to the installation folder of IBM Lotus Notes. Page 29 Intella User Manual 2014 Vound

30 5 Frequently asked questions How is a file type determined? Intella looks for certain binary markers (so-called magic numbers) that identify certain file types regardless of the file extension (e.g.,.pst,.doc, etc.). When this detection process fails to produce a detected file type, Intella uses a list of known file types by file extensions. Intella may not be able to determine the file type of files with non-standard (unknown) file extensions. Should I re-index a case when I want to add a new source? No, in order to add a new source to case you do not need to re-index the whole case. When you add the source, make sure that the option "Yes, I want to index this source now (recommended)" is selected on the last page of the "Add new source" wizard. Intella will index only the new source when you click Finish. When you define the new source without the "Yes, I want to index this source now" option selected, you will need to re-index the entire case to get this source indexed. This will typically take longer than when you index the source directly. Can I re-index a single source in my case? No, you can only re-index the entire case. When the information in one of the sources has changed and re-indexing the entire case is undesirable (e.g. because of the time needed), you can work around this by adding a new source and masking the old one. For example, when you have a source named "Evidence 1", which is one of several evidence folders in the case, and only the files in Evidence 1 have changed, you can do the following: 1. Rename the source folder "Evidence 1", e.g. to "Evidence 1 (updated)". 2. Add it as a new source to the case and keep the "Yes, I want to index this source now selected when you click Finish. 3. Exclude the old source "Evidence 1" using the "Location" facet: select the node, click on the arrows in the Search button and click Exclude. Even though the old data is still in the case, all search operations will filter out the results from the old Evidence 1 source. Important note: when the items in the old source have any annotations (tags, comments, etc.), these will not be copied to the items obtained from the new source. You will need to transfer them manually, e.g. using MD5 and message hash lists. When there is a substantial amount of such annotations, you may want to reconsider re-indexing the entire case, as this is a fully automatic operation. Will I lose my tags and comments after re-indexing my case? No, all your existing tags and comments will remain in the case after re-indexing. Page 30 Intella User Manual 2014 Vound

31 Will the item IDs be the same after re-indexing? Item IDs may be the same after re-indexing, but this cannot be guaranteed. Especially the use of multiple extractor pipelines can cause evidence items to get slightly different IDs during re-indexing. As the item IDs are NOT used for storing annotations (tags, comments, etc.), the annotations will not suffer from changes to the IDs. The changed IDs have only consequences for exported item ID lists. Why are some characters ignored in search queries? This is caused by what is called the analyzer: before an item can be indexed, the analyzer breaks down the text in order to determine the individual words used in it. This analyzer discards white space, punctuation characters, etc. The same analyzer is also used to break down your query into individual terms. As non-letters and non-digits are ignored, for example, the queries searchterm, searchterm/ and searchterm (with an extra space at the end) all end up being equivalent. Why does the number of messages in the ($All) folder in my case not match the number of messages in the All Documents folder in Lotus Notes? Intella collects all items from all folders and lists them in the Location facet. The only exception is "($All)" folder. This is a special folder that usually contains all items from all folders the other folders are essentially a selection of items from the ($All) folder. Intella won't attribute a copy found in the ($All) folder when it is already present in another folder, in order to prevent duplication. Can Intella perform live indexing? Some cases may require you to index files while the computer is being used, or across a network. For such cases we have made Intella to work with the best-of-breed application F-Response, by Matt Shannon. This combination provides you with a live forensic solution for under $300. You can obtain F-Response at Does Intella index attachments? Intella will search both the and the attachment for the keyword(s) and metadata. Can Intella deduplicate results? Yes, Intella can deduplicate search results. During indexing, the checksum (hash) of every item is stored. Intella can be set to show or hide duplicates while you use it. Intella uses the MD5 hash to calculate checksums of binary items. For s and SMS messages a more specialized algorithm is used that can deduplicate across sources and source types. Are there any EnCase EnScripts for use with disk images? In collaboration with a number of users Vound has created an Export to Intella EnScript. The EnScript is freely available for Intella users. Please contact our support department for a download link. Page 31 Intella User Manual 2014 Vound

32 This EnScript Package is designed to provide a simple, yet powerful, method to export relevant electronic files, including , documents, and images, from EnCase to Intella for efficient investigatory review prior to full forensic analysis. Note that since the time this EnScript was published, Intella has been extended with support for direct indexing and filtering of disk images. Why do Chinese/Japanese/Korean queries give imprecise search results? Documents written in Chinese, Japanese and Korean (often referred to as the CJK languages ) differ from western languages in that the use of whitespace characters in CJK texts is optional. This makes it harder to create indexing software, as it typically uses whitespace, punctuation and other character classes to determine the words in a text that need to be stored in the index. Proper segmentation of CJK texts into words is still an open research issue and every method has its drawbacks. A solution could for example be to index all characters from the CJK character sets as independent words. This would be fairly trivial to implement, but has as a drawback that words that do consist of multiple characters will be much harder to find due to the large amount of false positives that this method generates. The solution used in Intella is to index the texts using bi-grams: every combination of two adjacent CJK characters in the text is seen and indexed as a word. In practice this method gives reasonable performance: It is simple to create and does not rely on e.g. expensive word dictionaries and perfect document language identification. It is quick to process and produces a fairly small text index. The resulting index will find all occurrences of the entered terms, but with some amount of false positives; this method favors recall over precision. Note: A way to find out how a certain piece of text is processed by Intella s indexing engine is to create a short document with this text, index it, open the item in the Previewer and look at the Words tab. This tab shows a table with all terms extracted from the document and stored in the full-text index. Sort the table by the Field column and look for the words in all rows that have text as value in the Field column. How can I print and export PDF reports with characters of my language? By default, Intella supports printing and PDF generation for basic Latin character set only. To enable printing and PDF export for a language with another character set, you need to install an additional Unicode font that supports your language. 1. Download the font file and install it in your system 2. Copy the font file to the font subfolder of your Intella installation: C:\Program Files\Vound\Intella 1.7\font 3. Restart Intella The font must be a Unicode TrueType font with ".ttf" file name extension. It is recommended that the Intella font folder contains only one font file. Page 32 Intella User Manual 2014 Vound

33 Recommendations for font selection: For Chinese, Japanese or Korean languages it is recommended to install a language-specific font. A large list of fonts for different languages and writing systems is available at you already have the native font installed on your Windows system, you can copy it from "C:\Windows\fonts" to the Intella "font" folder. For languages than Chinese, Japanese or Korean, it is possible to install a single universal font supporting a broad range of character sets. You can take a look at the GNU FreeFont font collection at Page 33 Intella User Manual 2014 Vound

34 6 Dongle activation Overall process To protect our intellectual property, dongles may not be activated when shipped. In that case it is necessary to activate your Intella dongle in order to use Intella. 6.1 Dongle Manager Intella ships with a Dongle Manager application. The Dongle Manager will list all connected Vound dongles and the products they currently contain. When the PC running the Dongle Manager is connected to the Internet, it can also contact the Vound license server to check for any updates for a dongle. These updates are then downloaded and applied automatically. The Dongle Manager is located in the Intella program folder (on Windows 7: C:\Program Files (x86)\vound\intella 1.7): A shortcut to the Dongle Manager can also be found in the Start menu. After starting the Dongle Manager, the following screen will appear: Page 34 Intella User Manual 2014 Vound

This screenshot shows a typical setup where only one Vound dongle is connected. When multiple dongles are present, they will each be listed separately in this list.

35 This screenshot shows a typical setup where only one Vound dongle is connected. When multiple dongles are present, they will each be listed separately in this list. Click on Blink to see to which physical dongle an entry in the list corresponds. This will cause the LED in the represented dongle to blink rapidly. This can be useful when you have multiple Vound dongles plugged in or are using HASP dongles from a different Vendor. Show Products will list the licensed products on that dongle. All products typically have a perpetual license; hence no license restrictions are displayed by the Dongle Manager. To update your dongle, click on Check for Updates. This will contact the Vound license server and download and apply any updates. When the process has finished, the Dongle Manager will show which products, if any, have been added to the dongle. The update procedure will only add new licenses to the dongle; it will leave your existing licenses untouched. When you are on a network using a proxy, Intella will automatically try to detect and use it. If this fails, the proxy settings can still be set using the Configure proxy settings. Consult your IT admin for further instructions. 6.2 Using haspupdate.exe If the dongle cannot be updated in this fashion, e.g. because external network connections are not allowed, please follow the steps below. Step 1: Collect your dongle and license information and send it to Vound Support at: support@vound-software.com. 1. Plug your dongle into an available USB port. 2. Start haspupdate.exe. You will find haspupdate.exe in the bin folder in the installation folder of Intella. The default installation folder is: C:\Program Files\Vound\Intella 1.6 Page 35 Intella User Manual 2014 Vound

3. Select the Collect Key Status Information tab. Click Collect information. 4.

Please save the file with your company name.

The file(s) you create will have a c2v file extension. Example: ACME_Forensics_1.

36 3. Select the Collect Key Status Information tab. Click Collect information. 4. In the next dialog you will be asked to Save key status as. Please save the file with your company name. If you are activating more than one dongle please number the files. The file(s) you create will have a c2v file extension. Example: ACME_Forensics_1.c2v ACME_Forensics_2.c2v 5. After you clicked Save, you will see the Select HASP dialog. Please select HASP HL, not HASP SL! Page 36 Intella User Manual 2014 Vound

6. Record the dongle ID numbers for each dongle. This will help when applying the update files. 7. Send the created c2v files to support@vound-software.com.

37 6. Record the dongle ID numbers for each dongle. This will help when applying the update files. 7. Send the created c2v files to Please ensure you include the following details in the when sending the c2v files: a. Organization Name b. Address c. Zip code d. Country e. Contact Name f. Phone Number g. Address h. Vound Product type select only one per dongle: i. Intella 10 GB ii. Intella 100 GB iii. Intella 250 GB iv. Intella Professional v. Intella Viewer vi. Intella TEAM Manager Step 2: Apply the license update file(s) you receive from Vound Support. 1. Make sure your dongle is connected to the computer that runs Intella. 2. Vound Support will send a dongle activation file. The activation files are dongle-specific. The file will end with a.v2c file extension and the name of the file contains the dongle ID. Example: HaspUpdate_68_ v2c (the dongle ID in this case is ) Save the.v2c file on your computer. Be sure to remember where it is stored! 3. Start "haspupdate.exe" as before. 4. Click the Apply License Update tab. Then click the Browse button labeled next to the Update File field. This opens a file selector dialog. 5. Select the.v2c file in the file selector and click Open. Page 37 Intella User Manual 2014 Vound

38 6. Click Apply update button. This will activate the dongle. Your Intella dongle is now activated! In case of questions or problems, please contact Vound Support at Page 38 Intella User Manual 2014 Vound

39 7 Products and workflow 7.1 Feature overview The following table lists the six different Intella desktop applications and their features: Preparation 10 GB 100 GB 250 GB Professional Viewer TEAM Manager Evidence size limit GB 250 GB none none none Create new cases Index evidence files Investigation Search, filter & review Preview items Flag & tag items Export items Cooperation Export Cases Import Cases Share Cases Connect to Shared Export Work Reports Import Work Reports Page 39 Intella User Manual 2014 Vound

40 7.2 Standalone use The following Intella products can be used for standalone use: Intella 10 Intella 100 Intella 250 GB Intella Professional Intella TEAM Manager They allow a user to create cases, index evidence files, search, filter, flag, tag or otherwise annotate and export items. The number in the 10/100/250 products indicates the amount of gigabytes of evidence files that each case can hold in a case. Intella Professional and Intella TEAM Manager have no such limit. The cases created by these products can also be reviewed by the following products: Intella Viewer: a desktop product with reduced functionality. Intella Connect: a separate, server-based product accessed via a web browser. The workflow for standalone use is as follows: 1. The investigator creates a case in the case manager of Intella and indexes evidence files. 2. The investigator flags and tags items, and gives comments to items of interest. 3. The investigator exports the results for further processing of the case. In principle it is possible cooperate on a case by giving other investigators a copy of the case folder. While technically this will work (a case is in no way tied to a specific end user license or machine), the main challenge will be to coordinate that joint investigation. A case copy essentially starts a life on its own, meaning that tags and other annotations exist only within that copy. Ideally the tags are visible to all other investigators, perhaps filtered based on a permissions model. This is where Intella TEAM comes into the picture. 7.3 Sharing cases The Intella TEAM product makes it possible to work with multiple investigators on the same case in a way that goes beyond simply giving each reviewer a copy of the case folder. In order to do so, you need Intella TEAM Manager for the case administrator and Intella Viewer for the investigators in your team. Intella TEAM as mentioned in Vound s marketing documents is merely the default bundle of one Intella TEAM Manager and three Intella Viewer licenses, as it is typically sold. Note: Previous Intella releases also featured an Intella TEAM Reviewer product. In the 1.8 release the Intella Viewer and Intella TEAM Reviewer products have been merged. The new product is called Intella Viewer but has all of the functionality of the TEAM Reviewer product (which was a superset of the Viewer functionality). This means that the new Viewer can open both local and remote/shared cases and export work reports. A dongle license for either Intella Viewer or Intella TEAM Reviewer can be used to start the new Viewer product. Page 40 Intella User Manual 2014 Vound

41 As with standalone use, the case administrator creates the case in Intella TEAM Manager and indexes the evidence files. The case administrator then has two options for giving other investigators access to the case: Share the case across a network. The investigators use their Viewers to connect to the running TEAM Manager instance and will instantly see changes such as tags, flags and comments made by other investigators working on the same case. Export the case as an.icf file for use by the investigator. In this case no network access between the Viewer and TEAM Manager is necessary, but setting up the investigator s machine and sharing the work product such as tags and comments will take more time and effort Sharing cases across a network 1. The case administrator creates a case in Intella TEAM Manager using the case manager and indexes the evidence files. 2. The administrator closes the case and returns to the Case Manager screen. The administrator selects the case and clicks Share In the screen that follows, the administrator enters a free network port number, configures the authorization rules and clicks Share case. 3. The case administrator informs the investigators of the Case URL that they can use to access the case. 4. The investigators start Intella Viewer, choose to add a new shared case, and enter the Case URL and their username and password. After checking the connection to the shared case and specifying a local data folder, the Viewer opens the case. 5. Investigators start reviewing the case. Any flags, tags and comments that they add are immediately stored in the central case and will be visible to the other investigators Sharing cases offline 1. The case administrator creates a case in Intella TEAM Manager using the case manager and indexes the evidence files. 2. The case administrator exports the case to an Intella case file (.icf file) and informs the investigators where they can find the case file. 3. The investigators use Intella Viewer to import the Intella case file. 4. The investigators can then locally open their copy of the case. 5. Investigators flag, tag items and comment on items of interest. They export an Intella work report (.iwr file) that holds these annotations. 6. The case administrator opens the case in Intella TEAM Manager and imports all the Intella work reports created by the investigators. The administrator exports the combined results for further processing of the case Work reports When sharing cases offline, work reports are essential in merging the work product of all investigators working on the same case into the master copy of the case. Page 41 Intella User Manual 2014 Vound

42 Exporting work reports Exporting an Intella work report means that an *.iwr file is created (Team> Export Work Report ). This file contains all tags, flags and comments given to items by an investigator. We refer to these types of information as item updates as they extend the stored item metadata. Furthermore it contains the user actions on items that can be found in the Features facet (Previewed, Opened and Exported). Finally, the audit trail is added, allowing for more precise investigator audits. In the Export Work Report dialog you can set the file name of the work report that is to be created. When you select the option Create CSV report, a CSV file will be created that contains a list of all the items that are flagged, tagged or commented. This CSV file lets the investigator double-check the tags, flags and comments that are contained in the work report. It is not necessary to give this CSV to the case administrator, only the.iwr file will suffice. In the second section you can choose what type of updates will be reported: tags, flags, comments, action statistics, saved searches and an audit log. You can further specify what tags should be in the report by clicking the Select button. In the third section you can (optionally) further restrict the item updates included in the work report. By selecting Also include updates from these reviewers and by selecting one or more names after clicking the Select button, the work report will also contain annotations made by the selected investigators. This option is disabled when your case does not contain updates made by other reviewers. Only include updates made between and allows you to restrict the work report to updates that were made in a specified date interval. Only include updates in these sources allows you to limit the report to selected sources only. Only include updates from items selected in the Details view allows you to filter the report to the items that are currently selected in the Details panel. The creation of the work report may take some time, depending on the case size and the amount of updates. Afterwards a dialog is shown that lists the created files and statistics on how many tags/flags/etc. are stored in the work report. Importing work reports Importing work reports means that work report files (*.iwr files) created by investigators are added to the original case managed by the case administrator. Flags, tags and comments, audit logs and statistics generated by an investigator are imported into the case. In this way, the results of a team of investigators can be combined. Page 42 Intella User Manual 2014 Vound

43 Use Team > Import Work Report menu entry will show the Open dialog. Select a work report and click Open. The Work Report History dialog shows a list of imported work reports. Use to Team > Work Report History to open this dialog. When you want to delete the results imported from a work report, select the work report in the list and click Remove Work Report contents. Since this operation can t be undone you will be asked to confirm Cross-case work reports The work report mechanism can also be used to transfer the annotations between different cases that contain copies of the same items, e.g. one original case and a newer case that is partially based on the same evidence files. When Intella detects that the work report that is being imported comes from a different case, it starts a heuristic procedure to match the items in the work report with the items in the current case. The results of this procedure are presented in a dialog that shows: The number of annotations (tags, flags, comments and actions) whose items are identified and verified in the target case. The number of annotations whose items are identified but not with full certainty (potential matches). For instance, if an identified item has duplicates in the target case, they are included into this category. The number of annotations belonging to items that could not be located in the target case. When the number of potential matches is non-zero, the dialog contains a checkbox controlling whether these annotations should be imported into the target case. When this option is not selected, only annotations for verified matches will be imported. To start importing, press the OK button. It is possible to generate a CSV report listing the details of annotations contained in this work report and their matching items. The CSV file contains: Basic item metadata: MD5 hash, item ID, file name or message subject, item size, type and source name Type of annotation: tag, flag, comment or action. Status of the item matching algorithm: Verified, "Potential match" or "Missing". To generate this report, click the "Generate detailed report" button, then select the file location and categories of matches to include into the report. Page 43 Intella User Manual 2014 Vound

8 Managing cases A case is a collection of sources that can be searched by Intella. Use cases to organize your investigations. When you start Intella, the Intella Case Manager will first show up.

44 8 Managing cases A case is a collection of sources that can be searched by Intella. Use cases to organize your investigations. When you start Intella, the Intella Case Manager will first show up. Here you can select existing cases, define new cases, remove old ones, share and export cases. The icons represent local cases (folder icon), remote cases (TEAM icon) and old cases (grayed-out folder icon). If the case is made with 1.6.x or older, it cannot be opened. Cases made with 1.7.x can be opened but cannot be re-indexed or have new evidence items added to them. Above the case list is a field for entering the Investigator name. This name will be used as the default user name when creating new cases and connecting to remote cases. Also, when opening a local case made by someone else, all user actions like previewing, tagging and exporting will be associated with this user name. The initial value used here is your Windows user name. Below the cases list you can see the ID of your dongle. This can be relevant in conversations with Vound s support department. When you are using a trial license, this line will reflect that. When you have your dongle inserted but still see a line indicating that you are using a trial license message, this could indicate technical problems with accessing the dongle, but also that your dongle needs to be updated to run with this Intella version. 8.1 Adding cases To create a new case, select Add in the Case Manager window. The Add Case options will appear. It shows the four ways of adding a new case to Intella: Page 44 Intella User Manual 2014 Vound

Use this when you have a case folder already on your system but it is not yet in the list of cases shown by the Case Manager. 4. Import a case.

45 1. Create a new, local case from scratch. Use this to index a new set of evidence files on your machine. 2. Open a shared case. With this option you can connect to a case that is shared by a TEAM Manager user. This option is only available when running Intella with a TEAM Manager or Viewer license. 3. Add an existing case. Use this when you have a case folder already on your system but it is not yet in the list of cases shown by the Case Manager. 4. Import a case. Use this when you have received a copy of a case from another investigator as an ICF file. Importing the ICF file will extract its contents into a local case folder and add the case to the Case Manager s list Creating a new case Choose Create a new case to create a new local case from scratch. When the Create New Case dialog is displayed, give the case a name, enter an optional description, enter the name of the investigator creating the case and select a location where you want to store the data that belongs to this case. Note: The default location for data storage, visible when you click the Suggest button, is C:\Documents and Setting\<username>\Application Data\Intella\cases\ or C:\Users\<username>\AppData\Roaming\Intella\cases Page 45 Intella User Manual 2014 Vound

46 The selected case folder will be checked for being a hard disk formatted with the NTFS file system. A warning is displayed when this is not the case, e.g. when a FAT file system is used, which has file size limitations unusable for Intella, or when a USB flash drive is detected, which is not recommended for various reasons. Note: When processing a large case (> 100 GB of evidence files), it is advisable to format the NTFS disk with a cluster size that is larger than the default (usually 4 KB). This reduces the chance of defragmentation issues during indexing. Furthermore it is recommended to turn off disk compression. Clicking on the Advanced button adds more options that normally are only necessary when dealing with very large cases (hundreds or GBs or more): The optimization folder can be used to speed up indexing by distributing certain database files during indexing across the case folder drive and the optimization folder drive. See the Storage considerations section for more details. The memory allocation settings can normally stay at Auto. See the Memory Settings section for instructions on how to use this Opening a shared case In the Add Case dialog, select Open a shared case to open a case on another machine that has been shared by a TEAM Manager user. A Create new case dialog will open that asks for a Case URL, investigator name and passphrase. This information should be provided to you by the case administrator (typically the TEAM Manager user). Check the Remember passphrase checkbox if you want to store the password locally, so that you don t have to reenter it each time you select the case in the Case Manager and click Open. Click Check connection to test the URL and passphrase. If the credentials successfully give you access to the case, a Connection OK status message will display and the case name and description will be loaded from the server. Click Suggest or enter a custom data folder for local storage. This folder will hold local log files, user preferences, etc. The memory allocation settings can typically be left to their default value. See the Memory Settings section for more information on this. Now the case will be added to the Case Manager list and will open instantly when you keep the Open case immediately checkbox selected. Page 46 Intella User Manual 2014 Vound

47 8.1.3 Opening an existing case not in the list In the Add Case dialog, select Add an existing case. This will open a dialog prompting you to choose a case file (case.xml). This file is located in the top level case folder. Choose the case file and click on Open. The case will now be added to the Case Manager s list and can be opened by selecting the case and clicking the Open button Importing a case In the Add Case dialog, select Import a case. This will open a dialog prompting you to choose an Intella case file (.icf file). Choose the case file and click on Import. Once importing has completed, the case will be added to your Case Manager s case list. 8.2 Opening a case Opening a case is merely a matter of selecting the case in the Case Manager s list and clicking the Open button. The Case Manager window will disappear and Intella s main screen will be opened. This may take some time, depending on factors like disk speed, case size and concurrent tasks performed by the PC. In some scenarios a case may be grayed out: There may be a lock icon next to the case name, with the text Case in use. This indicates that there is already a process running that is accessing this case. Access to the case is blocked for other processes to prevent damage to the case databases. This locked status will disappear as soon as the other process has ended. If there is no other Intella window visible, it may be that an earlier Intella session did not exit correctly and completely, still holding the lock. A reboot of the machine is the simplest solution to fix this situation. If the case folder is on a shared network drive, then it may also mean that an Intella process on another machine is accessing the case. In that scenario rebooting the local machine will not help; the process on the other machine has to be ended first before other processes can open the case again. The case data folder that the cases.xml file points to cannot be found or does not contain a case.xml file. In that scenario the case will be listed as Unnamed case. All other grayed out and disabled cases are cases made with Intella 1.6.x or older. These are not supported by Intella 1.8. See the Release Notes for details. 8.3 Editing a case In the Case Manager, use Edit to open the Edit case dialog to change the name, description, and the investigator s name. Page 47 Intella User Manual 2014 Vound

48 You cannot change the Data folder. For remote cases the case name and case description cannot be changed. 8.4 Deleting a case In the Case Manager, use Delete to remove the selected case(s) from the Case Manager s cases list. You will be asked to confirm the deletion. By default, only the reference to the case is removed, the case folder is left intact. By checking Also remove the related case folders from disk, the case folder will be permanently removed as well. Warning: removal of the case folder cannot be undone. Also, all files that you may have placed manually in the case folder will also be removed. 8.5 Exporting a case In the Case Manager, use Export to export the selected case. Choose a name and folder for the ICF file in the Choose file to export the case dialog and click Save. Once the case file has been created, a dialog is shown that lists the location of the created ICF file. This file is to be handed out to the investigators that need to work on this case. The dialog also lists the location(s) of the evidence file(s) used in the case. These only need to be distributed when the receiver of the ICF file needs to be able to re-index the case. For all other tasks, including exporting, the case is fully self-contained. 8.6 Sharing a case In the Case Manager, use Share to share the case for other TEAM Manager and Viewer users. The TEAM sharing functionality requires a free network port on your computer for communicating with the reviewers. By default port 8080 will be used, but you can specify a different port number before starting the case sharing. In case the port is already used by another application Intella will be unable to share the case and report an error. This also means that, when sharing multiple cases on one machine, each case needs to be assigned a different port. Also the port(s) needs to be reachable for other machines, which may involve setting some firewall rules. Page 48 Intella User Manual 2014 Vound

When sharing a case for the first time, you will need to authorize the reviewers. You can add, enable and disable user accounts for the shared case by clicking the Authorizations button.

49 When sharing a case for the first time, you will need to authorize the reviewers. You can add, enable and disable user accounts for the shared case by clicking the Authorizations button. This can also be done when the case is already being shared. To start the case sharing, click the Share case button. When this process has completed, you will see two new buttons: one for unsharing the case and a Copy button. The latter button can be used to copy an invitation text to the Windows clipboard, which you can then paste into, for example, an to the reviewers. This invitation text contains one or more case links that indicate the network address and port for the shared case. These addresses are based on the configuration of the computer s network adapters and should work fine in most local networks. In more advanced network setups, for example when using Network Address Translation (NAT), you may need to change the case links for the reviewers. Your network administrator should be able to assist you with this. When investigators connect to the case their usernames will be shown in the Users view on the top-right. The Event Log on the bottom of the screen will show the user activities like item reviews and exports. All tags, flags and comments will be stored in the central, shared case and will immediately be visible to other investigators connected to the case. To stop the case sharing, click the Unshare case button. Page 49 Intella User Manual 2014 Vound

9 Overview of the Intella interface 9.1 Main window The Search panel is the place to enter the word or phrase to search for. The Cluster Map and Social Graph show search results in various ways.

50 9 Overview of the Intella interface 9.1 Main window The Search panel is the place to enter the word or phrase to search for. The Cluster Map and Social Graph show search results in various ways. The Searches panel shows the user s queries. The Facet panel shows a list of facets for searching and filtering results. The values or the selected facet are shown below the list. The Details panel shows a table, list, thumbnail or timeline view of the results in a selected cluster. Page 50 Intella User Manual 2014 Vound

9.2 Previewer Previewer actions: navigate to and search for related items, tag the current item and produce the current item in a number of formats.

51 9.2 Previewer Previewer actions: navigate to and search for related items, tag the current item and produce the current item in a number of formats. Previewer window: opens when item in table is double clicked. Item tabs: inspect an item s contents, headers, properties, attachments, thumbnails, tree structure, extracted terms, comments and performed Item summary: shows summary of important information related to the item. Keyword hits: see the particular keywords found in this item. Keyword hits: loop over all occurrences of the keywords you searched for. Page 51 Intella User Manual 2014 Vound

52 10 Sources Sources are one of the key concepts of Intella. They represent the locations where items such as s, documents and images can be found. Sources are explicitly defined by the user, providing full control over what information is searched Source types Intella distinguishes between various types of sources: File or Folder: A single file or folder with source files on a local hard drive or on a shared/network drive. Such source files could be: o Regular loose files like MS Word, Excel and PDF files. o containers such as MS Outlook PST/OST and IBM Lotus Notes NSF files. o Cellphone XML reports such as made by Cellebrite XRY, MicroSystemation s XRY and Oxygen Software s Forensic Suite. Load file: a Concordance, Relativity or CSV load file. Hotmail Search Warrant Result (experimental): a collection of files in HTML and other formats, provided by Microsoft pursuant to a search warrant. Disk Image: one or more disk images in E01, Ex01, L01, Lx01, S01 or DD format. IMAP account: One or more account(s) on an IMAP server. Notes on mail formats Intella supports PST and OST files created by the following versions of Microsoft Outlook: 97, 98, 2000, 2002, 2003, 2007, 2010 and Make sure that Intella has exclusive access to the PST or OST file; it cannot be open in Outlook or other application at the same time. Intella will try to recover the deleted items from the file. Recovered items will be located in a special folder named <RECOVERED>. Furthermore, Intella may encounter items outside the regular root folder. Any such items are placed in a special folder called <ORPHAN ITEMS>. There is limited ability to recover deleted s from OST 2013 files, this is being worked on. In order to index NSF files, Lotus Notes 8.5 or higher needs to be installed. Intella supports all NSF files that can be processed by the installed Lotus Notes version. Make sure that Intella has exclusive access to the NSF file; it cannot be open in a Notes client or other application at the same time. Only NSF files containing s are supported by Intella, all other types are not supported. Make sure to use a default Notes installation and user configuration. A corporate Notes installation is often problematic for indexing, e.g. because of installed plugins interfering with access to the NSF file, the installation being tied to the corporate identify management system, etc. Page 52 Intella User Manual 2014 Vound

53 Tip: The Lotus Notes tool nupdall.exe can be used to convert older NSF files to NSF files that can be processed by Lotus Notes 8.5. Intella supports DBX files created by the following versions of Microsoft Outlook Express: 4.0, 5.0, 6.0. Intella has been tested on Thunderbird Mbox files. Notes on cellphone formats When indexing Cellebrite, MicroSystemation and Oxygen cellphone reports, a folder with the XML report and its related files can in principle be indexed straight away. However, most XML reports will often only contain the external numbers related to the calls and messages, i.e. the number of the phone itself is not in the report. This has valid technical reasons (e.g. it cannot be guaranteed that the current SIM card was used for these calls and messages), but it makes analysis of the communication a lot harder. Also Intella functionalities like message deduplication require this information. When the number is known by the investigator, e.g. obtained from the network provider, it may be specified through a separate text file: 1. Create a text file named after the XML report. For example, if the report is called report.xml, the text file should be named report.numbers.txt. 2. Put it in the same folder as the XML report. 3. Store the phone s own number in this file. When the XML report holds information about multiple phones, enter the number of each phone on a separate line, like this: number1 number2 < > The first line will be used for the first phone found in the report, the second line for the second phone, and so on. When indexing multiple cellphone XML reports, each report should be in its own subfolder. Any additional files that were produced together with the XML report, such as audio, video and image files, should have the same relative location to the XML file as the exporting application produced them. These two requirements are crucial for correctly linking the binary files with the XML report. Finally, no other evidence files should be placed in these folders, as they will be ignored. When indexing XRY XML reports, we recommend using the Extended XML report introduced in XRY 6.4. This new format solves many issues with encodings of dates and other fields. Furthermore the older XML format did not support exporting binary items. You need to select the Export media files and manifest option to get these files as well. Common file locations MS Outlook PST and OST files are typically located in the following folder: Windows Vista, Windows 7 and Windows 8: * C:\Users\<username>\AppData\Local\Microsoft\Outlook Windows 2000 and XP: C:\Documents and Settings\<username>\Local Settings\Application Data\Microsoft\Outlook Page 53 Intella User Manual 2014 Vound

$MS Outlook Express DBX files are typically located in the following folder: Windows 2000 and XP: C:\Documents & Settings\<username>\Local Settings\Application Data\Identities\{<arbitrary$

54 MS Outlook Express DBX files are typically located in the following folder: Windows 2000 and XP: C:\Documents & Settings\<username>\Local Settings\Application Data\Identities\{<arbitrary string>}\microsoft\outlook Express IBM Lotus Notes NSF files are typically found in the following folder: Version 7.x: C:\Program Files\Lotus\Notes\Data Version 8.x: C:\Program Files\IBM\Lotus\Notes\Data Version 9.x: C:\Program Files\IBM\Notes\Data 10.2 Adding sources Adding sources to Intella is done with the Add New Source wizard. You can start this wizard by selecting Add New from the Sources menu or by typing CTRL+N Adding a File or Folder source Follow these steps to add a Folder source to Intella: 1. Source Type Start the Add New Source wizard from the Sources menu. (Sources > Add New...). Select File or Folder and click Next. A folder tree will be displayed next. 2. Specify File or Folder Select the folder or file from the tree that you want to index, or enter the folder or file name in the text field above the tree. When selecting a folder, all files in the selected folder will be indexed. When the Include subfolders checkbox is selected, files in all subfolders (and sub-subfolders, etc.) will also be indexed. When the Include hidden folders and files checkbox is selected, hidden files and folders will be indexed as well. Note: Folder trees containing many items may take some time to be displayed. Please be patient. Page 54 Intella User Manual 2014 Vound

55 Click Next to continue. The last steps in the definition of a source type are almost the same for all types. They are described in the section Last steps in a source definition Adding a load file source Important: This source type is still in an experimental stage. We welcome any feedback; please visit our support portal at Follow these steps to add a load file to an Intella case: 1. Source Type Start the Add New Source wizard from the Sources menu. (Sources > Add New...). Select "Load file" and click Next. 2. Specify File Add the file name and location of the load file that you wish to investigate: click Open to browse for the file. If the load file comes with an Opticon image file then you should specify it in the "Opticon image file" field. Specify the load file format: "Concordance/Relativity" or "Comma Separated Values". You can use a previously saved import template. Click the "Default" button to clear the selected template. Click Next to continue. 3. Formatting options On the "Formatting options" page you can set the file encoding and delimiter settings for: Column delimiter the character that separates the columns. Text qualifier the character that marks the beginning and end of each field. New line the character that marks the end of a line inside a text field. Multi-value delimiter the character that separates distinct values in a column. Currently it can be used with the "Tags" column only. You can click the Validate button to validate the selected load file. The status line will display the number of found columns and records. Click "Next". 4. Column mapping and date formats On this screen you can define the mapping of some essential load file fields. For each column you can either type a column name or select one from the drop-down list. The fields have the following meaning: Document ID the unique identifier of the record. Parent document ID the unique identifier of the parent record. File folder & folder fields that are used to reconstruct the original location of the record. You can specify either two separate columns for s and loose files or just a single column for any type. Page 55 Intella User Manual 2014 Vound

56 Extracted text the extracted or OCRed text of the document. Select the "Extracted text column is a link to an external file" checkbox when the column contains a link to the text file rather than the text itself. Native file the path to the native (original format) file of the document. Select the "Extract text and metadata from native files" checkbox when you want to extract the text and metadata from the native file. Note that Intella will replace any original metadata from the load file with the new metadata extracted from the native file. The option is turned off by default. You can specify date and time formats in the second part of the screen. 5. metadata options Specify which columns should be used to load the metadata information from. In order to load a date into separate date and time columns use the "XXX date and time are separate columns" checkbox. 6. Loose files and tags options You can specify the loose files and attachments metadata mapping on this page. Remarks: The Size column should contain the size of the document in bytes. The MIME Type column should contain a correct mime type of the document, e.g. "application/pdf". The Tags column should contain a list of tags separated by the character specified in the "Multi-value delimiter" field on the "Formatting options" page. All found tags will be imported into the current case. If the tag doesn't exist it will be created automatically. When you select the "Use the following column and value to identify s" checkbox, then you can specify a column and some value to tell Intella that this record represents an message. This may be useful in situations where your load file has no correct MIME type information, but you still want to distinguish s from loose files. An example is a load files conforming to the U.S. Department of Justice load file delivery standard: you will want to specify the column "EPROPERTIES" and value " " to correctly import s. Important notes on load file importing There are several aspects to be aware of when importing a load file into an Intella case: All paths in the load file to external resources should be relative to the load file. Imported images will be added as child items, treated similarly as embedded/attached items from regular sources. They can be viewed in the "Thumbnail" tab in the Previewer. Custom fields (e.g. "Custodian") that are not supported in Intella will be shown in the Previewer s "Raw data" tab only. No new custom column will be created. Such a feature may be added in a future release. The original load file record identifiers cannot be used in a subsequent load file export. Such a feature may be added in a future release. Imported images cannot be directly used in a subsequent load file export; the images can be exported as separate items only. Such a feature may be added in a future release. Page 56 Intella User Manual 2014 Vound

57 You can save the specified load file import options as a template for later usage on the last page "Completed Source Definition". All import templates are stored as XML files in the "<Intella System Folder>\import-templates" folder Adding a Hotmail Search Warrant Result source Important: This source type is still in an experimental stage. We welcome any feedback; please visit our support portal at Follow these steps to add a Hotmail Search Warrant Result to Intella: 1. Prepare evidence files The evidence files you have received may consist of a folder containing a Click Here.html file and some legal files related to the search warrant, with a subfolder for each account involved. It may also be that you have only one of those account subfolders, recognizable by a Folders.html and Messages file in this folder. In case you have received a ZIP file or some other type of archive file, please unpack this archive file first. 2. Source Type Start the Add New Source wizard from the Sources menu. (Sources > Add New...). Select Hotmail Search Warrant Result and click Next. 3. Specify File Select the folder holding the Hotmail Search Warrant Result files that you wish to investigate: click Open to browse for folders. Select the top-level folder of the provided file collection and click Open. Click Next to continue. The last steps in the definition of a source type are almost the same for all types. They are described in the section Last steps in a source definition Adding a Disk Image source Follow these steps to add a Disk Image source to Intella: 1. Source Type Start the Add New Source wizard from the Sources menu. (Sources > Add New...). Select "Disk Image" and click Next. 2. Specify Files Specify the location of one or more image files: click Add to browse for image files. Select the image file and all its parts and click Add. All selected files will be listed in the disk image list. Alternatively, one can select a single image part and then click Find Parts. Intella will then try to find the related image parts that belong to that same multi-volume image (see below) and add them to the list. Files of a multi-volume image should be listed in the correct order. Select rows and use the Page 57 Intella User Manual 2014 Vound

58 Move Up and Move Down buttons to put files in the correct order. 3. Select files and folders to process Indicate which files and folders should be processed by selecting a pre-defined profile or creating a custom one. See below for detailed instructions. Important: A single disk image source should only contain the files relating to a single conceptual image. Files relating to a different image should be entered as a separate source. Important: Due to limitations in the indexing framework it is not possible to include or exclude compound file types such as the newer MS Office file formats (based on ZIP) or the older MS Office file formats (based on OLE). Please use filtering by file extension instead. This shortcoming will be addressed in a future Intella version. The last steps in the definition of a source type are almost the same for all types. They are described in the section Last steps in a source definition. Filtering disk image content A disk image often contains a lot irrelevant files, such as executables, DLLs. These files add to the processing time and disk space that the case will consume. It is possible to define a set of rules to filter out unnecessary files and folders, to save processing time and disk space. On the File types and locations page you can choose either to index all the data by selecting "Index all files and folders" check box, or use a specific disk image indexing profile. There are several built-in profiles: All supported files. Index all file types supported by Intella. Supported means that Intella can do something meaningful with it besides detecting the file type, i.e. it can extract text, metadata and/or embedded items from the file, or display it as an image. All executables for example are not hashed and cached with this profile. All supported files, exclude system files. Index all file types supported by Intella and exclude three system folders: "Windows", "Program Files" and "Program Files (x86)". Mail stores. Index only mail store files: PST, OST, NSF, Mbox, etc. Mail stores, exclude system files. Index only mail store files. Also exclude the three system folders listed above. You can also adjust any index profile to your needs. To create a new profile, type a new name in the "Use index profile" box and click the Save button. You can delete any profile by selecting it first and clicking the Remove button. The first section on this page defines the rules on which files should be included or excluded. You can filter files by type and by file name. If you select "Include selected entries", then only the listed files and file types will be indexed. Otherwise, the listed entries will be excluded. Note that you use wildcard names such as "*.txt" to filter all files that end with ".txt". A single "File name" entry can contain only a single file name definition; you cannot enter several file names in a row such as "*.txt, *.exe". You should add two separate entries to the list in this case. Page 58 Intella User Manual 2014 Vound

59 The second section on this page defines a list of locations that should be included or excluded. If you select "Include selected entries" then only the listed locations will be indexed. Otherwise, the listed locations will be excluded from indexing. You can adjust the folder selection on the next screen called "Select Folders". All index profiles are stored in XML format in the "<Intella System Folder>\index-profiles" folder and can be used in all local cases. Supported disk image formats The Disk image source type supports EnCase E01, Ex01, L01, Lx01 and S01 files. Password-protected files are supported and indexed without manual interaction, except for FTK-encrypted files. DD images are supported, but when a Folder source is used, they need to use the.dd file extension in order to be detected and processed as DD images. Because of potential issues with DD image detection, we recommend using the Disk Image source directly. This is also required when you want to index a multi-volume DD image. Supported file systems and partition types The following file systems have been tested: FAT16, FAT32, NTFS, Ext2/Ext3, HFS/HFS+ and ISO Other file systems such as EXT4, ExFAT, YAFFS2 and ISO (UDF) may work but have not been tested yet. MBR and GUID partition tables (GPT) partitions are supported. Apple Partition Maps (APM) have been tested but results were mixed. When Intella fails to index such an image, we recommend mounting it manually and indexing the mounted drive using a File or Folder source. Multi-volume files When using a Folder source to index multiple image files, Intella will rely on the following file name convention to determine which files together make up a single image: image1.e01 (first volume of image 1) image1.e02 (second volume of image 1) image1.e03 (third volume of image 1) image2.e01 (first volume of image 2) image2.e02 (second volume of image 2) image2.e03 (third volume of image 2) image2.e99 (99 th volume of image 2) image2.eaa (100 th volume of image 2) image2.eab (101 st volume of image 2) Adding an IMAP account source Important: The IMAP standard is implemented in many different ways. We tested Intella on several IMAP servers with good response. However, we cannot guarantee that Intella is able to create IMAP account sources for every IMAP server. Page 59 Intella User Manual 2014 Vound

60 Follow these steps to add an IMAP Account source to Intella: 1. Source Type Start the Add New Source wizard from the Sources menu. (Sources > Add New...). Select "IMAP account" and click Next. 2. Specify Account Enter the settings for the target account, e.g., mail.my-isp.com with the username and password. Select the use secure connection (SSL) checkbox if you want or need a secure connection to the mail server. This is recommended, because without a secure connection your password will be sent as plain text. Click Next to continue. 3. Select Folders In the next step, Intella will contact the specified server to retrieve the mail folder tree. If you selected a secure connection and the server uses a certificate that cannot be validated automatically, a dialog will appear that asks you whether the certificate should be accepted. Once connected, after you accept the certificate if applicable, Intella will display the folder tree of the target mail account. You can then select the folders that you want to make searchable by placing a check in the box next to the desired folders. Click Next to continue. Note: If you want to index subfolders, you will need to select them; otherwise they will be ignored. The wizard has two convenient buttons for selecting and deselecting all folders Last steps in a source definition The following final steps are the same for all source types. 1. Source Name and Time Zone In the Source Name and Time Zone sheet you are asked to enter a name for the source. The name will be shown in the list of sources in the Sources panel and functions purely as a label for your reference. Furthermore a suspected system base time zone can be entered. This setting indicates the time zone of the system from which the evidence file(s) were obtained. By entering this time zone, all dates associated with items from this source will be displayed in that time zone, rather than the time zone of the investigator s system. This often makes it easier to correctly interpret those dates, e.g. determine whether a given timestamp falls inside regular business hours. By default the local time zone is used for new sources. Click Next to continue. 2. Items Intella makes the indexing of certain complex file types optional. You can disable this to improve indexing performance at the cost of fewer results. Page 60 Intella User Manual 2014 Vound

61 Select Index mail archives if you want to extract all s and attachments from mail archives like PST and NSF files. Subsequent processing of documents and archives found in the attachments are still subject to the next two options. Select Index archives if you want Intella to index files inside archives such as ZIP and RAR files. Select Index content embedded in documents if you want to extract images and other binary items embedded in Microsoft Office, OpenOffice and PDF documents. This will make these items separately searchable and viewable. 3. Options This sheet provides additional options affecting the time needed for indexing. Select Cache original evidence files to copy all evidence files into the case folder. Use this option if you want to create a self-contained case where the evidence files can be opened or exported even when they are not found in their original locations, for instance when the case is moved to another system). When this option is turned on, additional processing time (especially for compression) and disk space is needed. This setting has no effect on storing of the items extracted from these evidence files (e.g. the mails, attachments and other embedded items extracted from a PST file), as these are always stored in the case folder after extraction. Select Analyze paragraphs to let Intella determine the paragraph boundaries and to let it build a database registering which paragraph occurs in which item and where. This enables various search and review options at the expense of additional processing time. The required storage space is negligible. Click Next to continue. 4. Tasks This sheet lets the user define post-processing steps that need to take place once all evidence files have been crawled and all indices have been build. See the Tasks section for more details. 5. Completed Source Definition Finally you will be presented with a dialog to inform you that you have successfully defined a new source. You may optionally start indexing the source. Indexing is required to be able to search and explore the items in this source. Once you click the Finish button, the indexing process will proceed according to the options you have selected. Tip: Because the active indexing process prevents you from interacting with the rest of the program until finished, you may wish to skip this part now (e.g., to define more new sources) and index the sources later by clicking the Re-index menu item in the Sources menu. Note: At any time except before the step "Completed Source Definition, you can click the Cancel button to return to the Intella interface without having added a new source to the case. Page 61 Intella User Manual 2014 Vound

62 10.3 Indexing and re-indexing Indexing After defining a source, Intella will index it: it will inspect all items ( s, files etc.) that it can find in the source file(s), enabling Intella to return instantaneous results during your investigation for relevant evidence. Warning: Having anti-virus software active during indexing can lead to certain items not being indexed. This will usually be restricted to the files that are blocked by the anti-virus software, but this cannot be guaranteed. During indexing, you will see an overlay displaying various types of information: Statistics on indexing speed. Statistics on encountered file types. The amount of data that is being indexed and how much has been indexed already. The number of indexing steps to perform, which current step is being performed and (for some steps) a progress percentage. You will not be able to interact with the rest of the program while this dialog is shown. Resizing and minimizing the main window remains possible though. You can abort the index process at any time by clicking the Stop button. Intella will finish processing the current item and then lets you close the dialog. Note though that there is no way to resume the indexing process, it needs to be redone from scratch in a later session using the Re-index option Re-indexing There may be circumstances when you want to re-index the entire case, e.g.: The original indexing attempt has been manually aborted by the user. The database files have become corrupted, e.g. because of a power failure, an incorrectly removed external drive or hardware failure. You opted not to index immediately after defining a source, e.g. because you wanted to define multiple sources at once, or because access credentials for automatic decryption still had to be entered. The Re-index option is available in the Sources menu. Intella will remove all indexes it has previously created and create new ones Automatic decryption of items Intella can automatically decrypt a number of file formats, provided that the required credentials are supplied before indexing starts. Therefore you may want to uncheck the checkbox in the Add Source wizard that starts indexing and use the Re-index option (see above) after these credentials have been entered. Page 62 Intella User Manual 2014 Vound

63 Supported formats The following file formats can be decrypted by Intella: Lotus Notes NSF files. S/MIME- and PGP-encrypted s, regardless of the container type they reside in (e.g. EML, MSG, PST, OST, NSF, Mbox, DBX). PDF documents. Old format MS Excel (.xls) spreadsheets (.doc and.ppt are still being worked on). MS Office 2007 formats (OpenXML):.docx,.xlsx,.pptx, ZIP, RAR and 7-Zip archives. Partial support for ZipX Supplying access credentials In order to let Intella automatically decrypt the encrypted items that it encounters, their keys (passwords, certificates, etc.) need to be added to the Key Store first. Click File -> Key Store and follow the instructions below. Afterwards you can (re)index your data and let the items be decrypted automatically. All credentials that you enter will be tried on all encrypted files to which they can apply. It is therefore not necessary to specify e.g. which password applies to which file or file type. After indexing you can see which items were successfully decrypted by using the "Decrypted" category in the Features facet or by using the "Decrypted" column in the Details table. Note: due to technical reasons, decrypted NSF files will not be marked as such. Password-protected files Passwords are the simplest type of key. They are used for decrypting PDF and MS Office documents and archives. You can either add passwords one by one, or load them in batch from a text file: specify a password per line and use UTF-8 encoding for the file. Lotus Notes NSF files In order to decrypt Lotus Notes NSF files, so-called ID files need to be added to the key store. Go to the "Lotus Notes ID Files" tab and click "Add...". Enter the location of an ID file and the password associated with the file. Click "OK" to add it to the store. Intella will validate the ID file to make sure you entered the password correct. Repeat this for all ID files. S/MIME-encrypted s To decrypt s with S/MIME encryption, one or more X.509 certificates and private keys need to be added. Go to the "X.509 Certificates" tab and click "Import", then select a PKCS12 archive file (*.p12 or *.pfx file) that contains the keys. Intella will analyze the key file and import all found certificates and keys. Usually you can export the certificates and keys from a mail client in this format. Do not forget to include private keys as they are critical for decrypting the s. PGP-encrypted s In order to index PGP-encrypted s you will need to import the PGP private keys. Go to the "PGP Keys" tab and click "Import". Intella can import ASCII armored PGP private keys (*.asc files), but it is also possible to import key in binary format. Page 63 Intella User Manual 2014 Vound

64 An ASCII armored PGP private key usually starts with the following text: -----BEGIN PGP PRIVATE KEY BLOCK----- Note: For complete support for S/MIME- and PGP-encrypted mails, the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy files need to be installed. See the Installation chapter for more details. Importing multiple.p12 files At the moment it is not possible to enter multiple.p12 files in a single action, they need to be entered one by one. We have put this feature request on our roadmap for future development. Please note that.p12 files can contain multiple certificates. Therefore, if your environment is able to export multiple certificates into a single.p12 file, or you can find a third party tool that merges them, you can effectively import multiple certificates at once. Furthermore, note that you can copy the keystore files to another case. That way you can reuse the entered credentials if they apply to other cases/evidence sets as well Post-processing After indexing has completed, the case owner can opt to refine the indexing results in a number of ways. These steps are kept separate from indexing as they typically contribute considerably to the processing time and disk space usage and, depending on the case at hand, may not be needed Tasks Intella allows for the definition of tasks. These are essentially compound processing steps such as searching for all items that match a certain keyword or keyword list and tag or export the results. These tasks can be defined and selected during source creation, which will run these tasks right after indexing. The tasks editor can also be reached by selecting Tasks from the File menu, which allows for defining and running the tasks at any point in time after index creation. Each task consists of a condition and an action. Currently the following conditions can be defined: A keyword search optionally combined with a date range search on all date fields. A keyword list search optionally combined with a date range search on all date fields. An MD5 list search optionally combined with a date range search on all date fields. An arbitrary Saved Search, which can combine all of Intella s search facets. All items that match the defined condition have an action applied to them. The following actions can be defined: Tag all found items with one or more tags. The tag(s) can optionally be inherited by items in the same family hierarchy and/or by duplicates of the found items. Flag all found items. Add a comment to all found items. Export all found items using an export template. Page 64 Intella User Manual 2014 Vound

65 OCR OCRing, or applying Optical Character Recognition techniques, is a common way to make the text inside bitmap images responsive to keyword searches. Intella s OCR support is documented in the next chapter Thumbnail generation Cases that rely heavily on viewing collections of images in the Thumbnail view will benefit from precreating the thumbnail images in advance. Especially when dealing with digital camera images that each are multiple megabytes in size, the time needed to generate the thumbnail image can make the Thumbnails view appear sluggish. When the thumbnails have been pre-generated, the time needed to populate the view will be a lot faster and it will be constant with regard to the number of visible images, i.e. the file size of the original image is no longer a factor. To pre-generate the thumbnail images, select the Generate Thumbnails option from the File menu. The thumbnail generation process will start immediately and show its progress in the main window. The thumbnail generation process can be cancelled at any point. The thumbnail images that have been generated will be kept. When the user starts the process once more at a later point in time, it will reuse the existing thumbnails and only create the missing thumbnails Content analysis The Content Analysis facet allows you to search items based on specific types of entities that have been found in the textual content of these items. Three of the categories in this facet are populated automatically during indexing and are available immediately afterwards. These are: credit card numbers, social security numbers (SSNs) and phone numbers. Three other categories are more computationally expensive to calculate and therefore require a post-processing step. These categories are: person names, organizations and locations. To start the content analysis procedure: Select one or more items in the Details view. Right-click on one of the selected items and select Content Analysis from the popup menu. In the dialog window that appears, click Yes if you want to clear the results of the previous analysis or No to add new results to the existing content of these three categories. You can also cancel the content analysis procedure. The content analysis procedure will open a separate window that shows the progress of the procedure. The procedure can be stopped at any time by clicking on the Cancel button. In this case, the categories will contain information from items processed up to the moment of cancellation. You can continue the processing later on by repeating the steps above on the same set of items and choose not to clear the existing results (answer No in the dialog window). The items that have been analyzed can be found by using the Content Analyzed category in the Features facet. Important: please realize the following aspects of the content analysis procedure: Page 65 Intella User Manual 2014 Vound

66 Content analysis is a heuristic procedure based on knowledge of certain patterns and correlations that occur in natural language texts. Therefore, the quality of the results may vary within a broad probability range. Content analysis works best on English texts. The quality of the results may be poor on texts in other languages. Content analysis works best on texts containing properly formulated natural language sentences. Unstructured texts (e.g. spreadsheets) usually lead to poor quality of the results. Content analysis is both CPU- and memory-intensive. For adequate performance, please make sure that your computer meets the system requirements and that no other processes are taxing your system at the same time. Use of the 64-bit version of Intella is highly recommended, especially for analyzing large quantities of items. In our experiments the amount of time needed for processing an entire case was roughly similar to the amount of time it took to index the case Editing sources To see the configuration of a source, go to Sources > Edit Sources or type CTRL+E. A dialog will open that displays the list of sources on the left. When you click on a source, its details will be shown in the area to the right of the list. The name and type are shown as well as source type-specific details such as files or folders to index, indexing options, etc. See the section on adding sources above for the precise meaning of these settings per source type. Only the source name and suspect base time zone are editable, all other options are fixed after source definition. When you change source names, the Apply button will become enabled. Changes will only be applied when you click Apply. If you select a different source or click the Close button without first clicking Apply, a dialog will appear to prompt you to apply the changes, discard the changes, or cancel the operation Exceptions report An indexing exceptions report can be produced by choosing Sources > Exceptions Report. The produces a XLSX or CSV file that lists all items that had issues during indexing. This can range from minor issues such as date parsing problems to file corruptions that affect the entire item and all nested items. For every item the following information is listed: The item ID. This can be used to quickly locate the item using View > Preview Item The Previewer will also show a warning icon when displaying such an exception item. Page 66 Intella User Manual 2014 Vound

67 The MD5 hash. This can be used to locate duplicates of the item within the case or in other cases. The source to which this item belongs. The file name, file size and detected file type of the problematic item. The name of the source in which the item was found. The location of the problematic item. This includes both the path to the containing evidence file (e.g. a PST file) as well as the path within that file (e.g. the mail folder and parent , when the exception occurred on an attachment). Information on the parent if there is any: its item ID, the sender, sent date and subject. A warning scope, warning code and warning description. The scope and code are the most useful for end users and are documented below. The description provides a low-level error message that is also contained in the log file and can be used for error diagnosis by Vound s technical support team. The warning scope indicates the type of data that is affected by the exception. Possible values are: Item the item as a whole is affected. Text the extracted text is affected. Metadata the extracted metadata is affected. Embedded embedded items such as attachments and archive entries are affected. The warning code indicates the nature of the issue. Possible values are: Unprocessable items The data cannot be processed because it is corrupt, malformed or not understood by the processor. Retrying will most likely result in the same result. I/O errors The processing failed due to I/O errors. The processing might succeed in a repeated processing attempt. Decryption failures The data cannot be processed because it is encrypted and a matching decryption key is not available. The processing might succeed in a repeated processing attempt when the required decryption key is supplied. Timeout errors The processing took too long and was aborted. Out of memory errors The processing failed due to a lack of memory. Processing errors The processing failed due to a problem/bug in the processor. The description should contain the stack trace. When an item has multiple exceptions, it will occupy several rows in the table. During indexing Intella tries to prevent processing of duplicate items (detected by their MD5 hash), as their contents by definition will be the same. Therefore an item may occur only once in the exceptions report, even though there can be many copies throughout the case. All items that produced an exception during indexing can easily be found using the Exception Items category in the Features facet, with subcategories for the warning codes. The XLSX variant of the exception report additionally holds the following information: Number of exceptions per source, subdivided by the warning codes. Overall statistics for the warning codes. Source-level errors, e.g. broken PST files. Besides holding more information, the XLSX variant is also better able to handle non-ascii characters. Page 67 Intella User Manual 2014 Vound

68 10.8 Restoring annotations If may occur that a case will no longer open. Possible causes are unexpected power failures or the incorrect handling of external or network drives, as this can result in the files in the case folder getting damaged to the point where normal handling of the case becomes impossible. When this has happened to your case, it may still be possible to extract the annotations (tags, flags and comments) from the broken case and import them into a backup copy of the case, so that the results of your work on the case are also restored. To restore the annotations, create a copy of the backed-up case (ideally the back-up has been made right after indexing), open the copy and select "File > Restore Annotations..." in the main menu. Next, select the file named "events.log" in the "audits" subfolder of the case that holds the annotations. The annotations from the broken case will then be imported into the current case copy. It is important to consider the following: The original case has to be indexed with Intella version or later. Annotations can be restored only from a copy of the same base case and only if both case copies have not been re-indexed. Any annotations that exist in the importing case will be removed before importing. The copy of the current "events.log" file is stored in the "audits" folder as "events.log.old". You can use this copy to restore the state in case this removal was not intended. Page 68 Intella User Manual 2014 Vound

69 11 Optical Character Recognition (OCR) Cases often contain images with human-readable text in them, e.g. web page screenshots. These images can be embedded in documents, e.g. a scanned or faxed document is packaged as a PDF containing TIFF images, or a chart is embedded as a picture in a Word document. The techniques for identifying the text in such images (embedded or not) is called Optical Character Recognition, commonly abbreviated to OCR. Application of such OCR techniques can make the textual contents of these images available for keyword search. Some modern scanners already apply OCR techniques during scanning and add the extracted text to the PDF. If this is the case, Intella will pick up the text automatically during indexing. Often this machineaccessible text is missing though, or it contains too many recognition errors to be useful for keyword searching. Also, loose images do not come with such text at all. To overcome this, Intella offers OCR support, letting you improve your case index Starting OCR Intella s OCR support is currently a post-processing step, performed manually by the case admin after indexing has completed. In the future we may make this part of the indexing process. To OCR a collection of search results, you can use the following procedure: 1. Use Ctrl-click or Shift-click to select multiple items in the Details pane, using the table or thumbnails view. Alternatively, right-click and choose Select All to select all items in the list. 2. Right-click and choose OCR Highlighted Item(s). This opens the OCR Wizard. This wizard lets you choose the OCR method and its settings OCR methods Intella currently supports two OCR methods: External OCR tool This method consists of exporting the items as loose files, processing them with the user s preferred OCR software, and importing the OCRed files back into the case. ABBYY Recognition Server This method consists of sending the files to a Recognition Server for processing, automatically incorporating the received results into the case. This method is fully automatic and requires a licensed and configured instance of ABBYY Recognition Server available over the network. Page 69 Intella User Manual 2014 Vound

70 11.3 Using an external OCR tool To OCR the selected items with an external OCR tool, you initially only need to specify an export folder. Once you click the Export button, Intella will export the items in their original format to the folder. Every file will be named after the MD5 of the item note that this means that unique items are only exported once! Next you can use any OCR tool to process the exported files. In order to import the OCRed files back to Intella, the tool and its configuration should comply with the following requirements: The OCR tool must be able to create a single OCRed file for each input file. Put these files in a separate folder. The file name of the OCR output must match the original file name, but it may have a different file extension, according to the file type produced by the OCR tool. For example, if the original file name is 6345b60187d08be d7543c54.tif, then the OCRed file name can be 6345b60187d08be d7543c54.txt. The OCRed file format must be of one of the Intella supported formats, e.g. plain text, PDF, MS Office, etc. After you have OCRed the files, select "File -> Import OCRed files..." in the main menu. Next, specify the folder where the OCR output is located and click on the Import button. Intella will analyze every file in the specified folder, extract the text and link it to the original item and all its copies. If the original item already had some text, then the OCRed text will be appended to the original text Using ABBYY Recognition Server When you have access to an ABBYY Recognition Server, you can utilize it to OCR selected items in the case fully automatically. Note: ABBYY Recognition Server 3.5 should be used. Recognition Server 4.0 and higher is not yet supported. Steps to OCR selected items with ABBYY Recognition Server: Select the desired items and open the OCR Wizard, as described above. Specify the server s IP address. The Service URL field will be populated automatically based on the entered IP address. If you know that your server uses a different URL, you can override it by checking the Use custom service URL check box. Specify the workflow name that should be used. Alternatively you can press the Get list from server button to select a value from all available workflows on that server. Click the OCR button to start the OCR process. The selected documents are will now be send to the Recognition Server. The results that it sends back will be processed automatically, similar to how the external method works. Page 70 Intella User Manual 2014 Vound

71 Please make sure that your ABBYY Recognition Server is configured correctly: A separate document should be generated for each input file. The output format is a format that Intella can index. The following parameters need to be set correctly in the following file (suggested parameters allow for processing files up to 30 MB): C:\Program Files (x86)\abbyy Recognition Server 3.5\RecognitionWS\web.config Parameters: <?xml version="1.0" encoding="utf-8"?> <configuration> <system.web> <httpruntime maxrequestlength="409600" /> </system.web> <system.webserver> <security> <requestfiltering> <requestlimits maxallowedcontentlength=" " /> </requestfiltering> </security> </system.webserver> </configuration> 11.5 Reviewing OCRed items To find all items in a case that have been OCRed, you can use the OCRed category in the Features facet. This attribute is also reflected in the Details table in the OCRed column. When an OCRed item is previewed, this will be shown as an additional property in the Properties tab. Note that when the OCR software enhances an existing PDF document by inserting the text in it, this text will be extracted and added to the index, but the binary item stored in the case is not replaced. This means that when exporting or previewing that item, you get the original PDF, not the OCR-enhanced PDF. This will be addressed in a future version. Warning: After items in a case have been OCRed, the case will not open anymore in Intella 1.7. Page 71 Intella User Manual 2014 Vound

12 Keyword search To search for text, enter a query in the Search panel and click the Search button. For query syntax rules, refer to the Search query syntax section below. 12.

72 12 Keyword search To search for text, enter a query in the Search panel and click the Search button. For query syntax rules, refer to the Search query syntax section below Search options With search options you can limit keyword searching to specific item parts or attributes: Text Title / Subject Summary & Description Path & File name Message Headers Raw Data (e.g. low-level data from PST files, MS Office documents, vcards) Comments Authors & Addresses Each of the From, Sender To, Cc and Bcc fields separately Export IDs To see the search options, click the Options button under the search text field. The options box will be displayed as a popup menu below the button. Select the options for properties that you want to include in your search, and deselect those you want to exclude. Your selected search options will be stored and used for future searches until you change them. Note: As a reminder, the Options button will show a yellow triangle when not all options are selected. To hide the options box, click the Options button again. If you have made any changes, the icon on the Options button will change to a yellow warning sign as a reminder that you have changed options that will affect your searches Search query syntax In the text field of the Search panel you can use special query syntax to perform complex multi-term queries and use other advanced capabilities. Tip: You can also see the list below by clicking on the question mark button in the Search panel. Page 72 Intella User Manual 2014 Vound

73 Use of multiple terms (AND/OR operators) By default, a query containing multiple terms matches with items that contain all terms anywhere in the item. For example, searching for: John Johnson returns all items that contain both John and Johnson. There is no need to add an AND (or && ) as searches are performed as such already, however doing so will not negatively affect your search. If you want to find items containing at least one term but not necessarily both, use one of the following queries: John OR Johnson John Johnson Minus sign (NOT operator) The NOT operator excludes items that contain the term after NOT: John NOT Johnson John -Johnson Both queries return items that contain the word John and not the word Johnson. John - John goes home This returns all items with John in it, excluding items that contain the phrase John goes home. The NOT operator cannot be used with a single term. For example, the following queries will return no results: NOT John NOT John Johnson Phrase search To search for a certain phrase (a list of words appearing right after each other and in that particular order), enter the phrase within full quotes in the search field: John goes home will match with the text John goes home after work but will not match the text John goes back home after work. Phrase searches also support the use of nested wildcards, e.g. John* goes home will match both John goes home and Johnny goes home Grouping You can use parentheses to control how your Boolean queries are evaluated: Page 73 Intella User Manual 2014 Vound

74 (desktop OR server) AND application retrieves all items that contain desktop and/or server, as well as the term application Single and multiple character wildcard searches To perform a single character wildcard search you can use the? symbol. To perform a multiple character wildcard search you can use the * symbol. To search for next or nest, use: ne?t To search for text, texts or texting use: text* The? wildcard matches with exactly one character. The * wildcard matches zero or more characters Fuzzy search Intella supports fuzzy queries, i.e., queries that roughly match the entered terms. For a fuzzy search, you use the tilde ( ~ ) symbol at the end of a single term: roam~ returns items containing terms like foam, roams, room, etc. The required similarity can be controlled with an optional numeric parameter. The value is between 0 and 1, with a value closer to 1 resulting in only terms with a higher similarity matching the specified term. The parameter is specified like this: roam~0.8 The default value of this parameter is Proximity search Intella supports finding items based on words that are within a specified maximum distance from each other in the items text. This can be seen as a generalization of a phrase search. To do a proximity search you place a tilde ( ~ ) symbol at the end of a phrase, followed by the maximum word distance: desktop application ~10 returns items with these two words in it at a maximum of 10 words distance. Like phrase searches, proximity searches also support nested wildcards Field-specific search Intella's Keyword Search searches in document texts, titles, paths, etc. By default, all these types of text are searched through. You can override this globally by deselecting some of the fields in the Options, or for an individual search by entering the field name in your search. Page 74 Intella User Manual 2014 Vound

75 title:intella returns all items that contain the word intella in their title. The following field names are available: text - searches in the item text title - searches in titles and subjects path - searches in file and folder names summary - searches in descriptions, metadata keywords, etc. agent searches in authors, contributors and senders and receivers from searches in From fields sender searches in Sender fields to searches in To fields cc searches in Cc fields bcc searches in Bcc fields headers - searches in the raw headers rawdata - searches in raw document metadata comment - searches in all comments made by reviewer(s) export - searches in the export IDs of the items that are part of any export set You can mix the use of various fields in a single query: intella agent:john searches for all items containing the word intella (in one of the fields selected in the Options) that have john in their author metadata or senders and receivers Special characters The following characters need to be escaped before they can be used in a query: + - &&! ( ) { } [ ] ^ " ~ *? : \ / They can be escaped by prefixing them with a \ character. Note that during indexing some of these characters will be filtered out and will never make it into the index. The rules for handling specific characters depend on the context in which they occur. For instance, the punctuation characters like dots ('.') or dashes ('-') are significant within numbers, addresses or host names, while being ignored (i.e. interpreted as whitespaces) between regular words. In the latter case, escaping those characters will not make them searchable Regular expressions This release contains experimental support for searching with regular expressions. This will be extended, refined and documented in a future release. For now, please visit for more information. Be aware that these regular expressions are evaluated on the terms index, not on the entire document text as a single string of characters! Your search expressions should therefore take the tokenization of the text into account. Page 75 Intella User Manual 2014 Vound

Selecting a facet in the Facet panel will give you a list of all values of the selected facet in the lower part of the panel.

76 13 Using facets Besides keyword searching, the indexed items can be browsed by facets, which represent specific item properties. Every facet organizes the items into groups (possibly hierarchical) depending on a specific item property. Selecting a facet in the Facet panel will give you a list of all values of the selected facet in the lower part of the panel. In the example on the right, the Type facet has a list of file types as values. To search for items that match with a facet value, select the facet value and click the Search button. Tip: To export facet information, (1) select a facet, (2) open the context menu - right mouse click - on the facet values, and (3) select Export values. This will open the Export values dialog. Choose a file name and folder and save the export file. The CSV file will contain the facet values (e.g. file types, addresses, folder names), their total counts in the case, and their currently shown counts, which represents the overlap with the currently shown search results Available facets Saved Searches The Saved Searches is a list of previous sets of searches that the user has stored. When there are search results displayed in the Cluster Map and the Searches list, the Save button beneath the Searches list will be enabled. When the user clicks this button, a dialog opens that lets the user enter a name for the saved search. A default name will be suggested based on the current searches. After clicking on the OK button, the chosen name will appear in the list in the Saved Searches facet. Click on the name of the saved search and then on the Restore button to bring the Cluster Map and the Searches list back into the state it had when the Save option was used. The Replace current results checkbox controls what happens with the currently displayed searches when you restore a saved search. When turned on, the Cluster Map and Searches list will be emptied first. When turned off, the contents of the saved search will be appended to them. The Combine queries checkbox can be used to combine the result sets of all parts of the saved search into a single result set. This is for example useful when the various parts conceptually are meant to find Page 76 Intella User Manual 2014 Vound

77 the same set of items, just in a technically different way. Example are different complex Boolean queries, which could have been combined into a single Boolean OR query but that the user prefers to keep separate in the saved search definition Features The Features facet allows you to identify items that fall in certain special purpose categories: Encrypted: all items that are encrypted. Example: password-protected PDF documents. If you select Encrypted and click the search button, you will be shown all items that are encrypted. Note: Sometimes files inside an encrypted ZIP file are visible without entering a password, but a password still needs to be entered to extract the file. Such files cannot be exported with Intella if the password has not been provided prior to indexing. In this case both the ZIP file and its encrypted entries will be marked as Encrypted, so searching for all encrypted items and exporting those will capture the parent ZIP file. Decrypted: all items in the Encrypted category that Intella was able to decrypt using the specified access credentials. Unread: all s that are marked as "unread" in the source file (PST/OST only). Note that this status is not related to previewing in Intella. Empty document: all items that have no text while text was expected. Example: a PDF file with only images. Has Duplicates: all items that have a copy in the case, i.e. an item with the same MD5 or message hash. OCRed: indicates whether the item has been OCRed after indexing. See the separate chapter on OCRing of documents and images. Content Analyzed: all items for which the Content Analysis procedure has been applied. Exception items: all items that experienced processing errors during indexing. This has six subcategories that match the warning codes in the exception report: o Unprocessable items: the data cannot be processed because it is corrupt, malformed or not understood by the processor. Retrying will most likely result in the same result. o I/O errors: the processing failed due to I/O errors. The processing might succeed in a repeated processing attempt. o Decryption failures: the data cannot be processed because it is encrypted and a matching decryption key is not available. The processing might succeed in a repeated processing attempt when the required decryption key is supplied. o Timeout errors: the processing took too long and was aborted. o Out of memory errors: the processing failed due to a lack of memory. o Processing errors: the processing failed due to a problem/bug in the processor. The description should contain the stack trace. Tagged: all items that are tagged. Flagged: all items that are flagged. Commented: all items that have a comment. Previewed: all items that have been opened in Intella s previewer. Opened: all items that have been opened in their native application. Page 77 Intella User Manual 2014 Vound

Exported: all items that have been exported. Redacted: all items that have one or more parts blacked out due to redactions. Note: In cases in which multiple users have worked, i.e. shared cases or cases with imported Work Reports, the Previewed, Opened, Exported, Commented, Tagged and Flagged nodes shown in the Facet panel will have sub-nodes, one node for each user.

78 Exported: all items that have been exported. Redacted: all items that have one or more parts blacked out due to redactions. Note: In cases in which multiple users have worked, i.e. shared cases or cases with imported Work Reports, the Previewed, Opened, Exported, Commented, Tagged and Flagged nodes shown in the Facet panel will have sub-nodes, one node for each user Tags Tags are labels defined by the user to group individual items. Typically used tags in an example are for example relevant, not relevant and legally privileged. Tags are added to items by right-clicking in the Results table or the Cluster Map and choosing the Add Tags option. Tags can also be added in the Previewer. The exact procedure is described in other sections of this manual. To search for all items with a certain tag, select the tag from the Tags list and click the Search button below the list. When tags have been added by different users in the same case, the tag node will have sub-nodes for each individual user. These sub-nodes can be used to search for all items that have been tagged with that tag by that user Location This facet represents the folder structure inside your sources. Select a folder and click Search to find all items in that folder. When Search subfolders is selected, the selected folder, all items in that folder, and all items nested in subfolders will be returned, i.e. all items in that entire sub-tree. When Search subfolders is not selected, only the items nested in that folder will be returned. Items nested in subfolders will not be returned, nor will the selected folder itself be returned. When your case consists of a single indexed folder, then the Location tree will show a single root representing this folder. Selecting this root node and clicking Search with Search subfolders switched on will therefore return all items in your case. When your case consists of multiple mail files that have been added separately, e.g. by using the PST and NSF source types in the New Source wizard, then each of these files will be represented by a separate top-level node in the Location tree Address This facet represents the names and/or addresses of persons involved in sending and receiving s. The names are grouped in the following categories: From Sender To Page 78 Intella User Manual 2014 Vound

79 Cc Bcc Addresses in Text All Senders (From, Sender) All Receivers (To, Cc, Bcc) All Senders and Receivers All Addresses The first five categories list addresses found in the corresponding message headers. Most s typically only have a From header, not a Sender. The Sender header is often used in the context of mailing lists. When a list server forwards a mail sent to a mailing list to all subscribers of that mailing list, the message send out to the subscribers usually has a From header representing the conceptual sender (the author of the message) and a Sender header representing the list server sending the message to the subscriber on behalf of the author. The "All Senders", "All Receivers" and "All Senders and Receivers" categories group addresses into specific sender or recipient roles, abstracting from the specific header that was used. The "Addresses in Text" category lists addresses that are mentioned in message and document bodies. "All Addresses" group together all other categories and thus contains all addresses found anywhere in either message headers or textual content. Sorting and grouping The contacts can be sorted alphabetically by addresses (the default order), by the contact name associated with them or by the number of items associated with this contact. To change the sorting method, right-click anywhere in the facet and choose the desired sorting method from the Organize menu. The addresses can optionally be grouped by the host name used in the address. To enable or disable grouping, select the "Group by host name" option in the "Organize" section of the context menu. Enabling this option adds another level of nodes to the tree, representing the host names. Filtering on text To quickly find specific addresses, contact names or host names, it is possible to filter the facet content to only display the values that contain a specific substring. To filter the contacts in a specific category, expand the tree branch and click on the button below the tree. In the text field that appears enter the text. The tree will be filtered to show only those contacts whose contact name or address matches the entered text. To cancel filtering and hide the text field, click the filter button again or type Escape. Filtering on presence in the current search results To display only the highlighted addresses, i.e. the addresses that occur in the currently visible or selected search results, click on the button. To return to displaying all addresses, just click this button again. This type of filtering is removed automatically when a different branch is expanded, the selection in the facet or Cluster Map changes or when the sorting or grouping mode changes. Page 79 Intella User Manual 2014 Vound

80 This filter can be used in combination with the text filter Phone Number This facet lists phone numbers observed in phone calls from cellphone reports as well as phone numbers listed in PST contacts and vcard files. The incoming and outgoing branches are specific to phone calls. The All Phone Numbers branch combines all of the above contexts. This facet also supports the filtering options described in the Address section Date This facet lets the user search on date ranges by entering a From and To date. Please note that the date entered in the To field is considered part of the date range. Besides start and end dates, Intella lets the user control which date attribute(s) are used: Sent (e.g. all items) Received (e.g. all items) File Last Modified (e.g. file items) File Last Accessed (e.g. file items) File Created (e.g. file items) Content Created (e.g. file items and items from PST files) Content Last Modified (e.g. file items and items from PST files) Last Printed (e.g. documents) Called (e.g. phone calls) Start Date (e.g. meetings) End Date (e.g. meetings) Due Date (e.g. tasks) The Date facet will only show the types of dates that actually occur in the evidence data of the current case. Furthermore it is possible to narrow the search to only specific days or specific hours. This makes it possible to e.g. search for items sent outside of regular office hours. Note that the Preferences dialog has a setting that controls how dates are displayed: by selecting a geographic region, all dates will be displayed in a manner commonly used in that region Type This facet represents the file types (Microsoft Word, PDF, JPEG, etc.), organized into categories like Documents, Spreadsheets, etc. To refine your query with a specific file type, select a type from the list and click Search. Note that you can search for both specific document types like PNG Images, but also for the entire Image category. Empty (zero byte) files are classified as Empty files in the Others branch. Page 80 Intella User Manual 2014 Vound

81 Author This facet represents the name(s) of the person(s) involved in the creation of documents. The names are grouped into two categories: Creator Contributor To refine your query by a specific creator or contributor name, select the name and click the Search button. This facet also supports the filtering options described in the Address section Content Analysis The Content Analysis facet allows you to search items based on specific types of entities that have been found in the textual content of these items. The top three categories are populated automatically during indexing and are available immediately afterwards: Credit Card Numbers suspected numbers of the major world-wide credit card systems (Visa, MasterCard, American Express and others). The numbers are validated using the procedures defined in the ISO/IEC standard. Social Security Numbers suspected SSN numbers issued by the United States Social Security Administration. Phone Numbers suspected phone numbers. The next three categories are empty by default. To populate them, a user needs to perform the automatic content analysis procedure on a selected set of items, see the Sources chapter. Afterwards, the following three branches will be added: Person name Organization e.g. Company names Location Names of cities, countries, etc. Note that the techniques used to determine these entities are heuristic by nature and therefore typically produce a certain amount of false positives. This facet also supports the filtering options that are available in the Address facet Keyword Lists In the Keyword List facet you can load keyword list, to automate the searching with sets of previously determined search terms. A keyword list is a text file in UTF-8 encoding that contains one search term per line. Note that a search term can also be a combination of search terms, like Paris AND Lyon. Once loaded, all the search terms (or queries) found in the keyword list are shown in the Queries panel in the Keyword Lists facet. They are now available for search. Page 81 Intella User Manual 2014 Vound

82 When the 'Combine queries' checkbox is selected, multiple terms selected in the 'Queries' panel will be combined to search for items matching any of the selected terms (Boolean OR operator). The items will be returned as a single set of results (one cluster). If the checkbox is not selected, the selected terms will be searched separately, resulting in as many result sets as there are selected queries in the list. Tip: Keyword lists can be used to share search terms between investigators MD5 and Message Hash Intella can calculate MD5 and message hashes to check the uniqueness of files and messages. If two files have the same MD5 hash, Intella considers them to be duplicates. Similarly, two s or SMS messages with the same message hash are considered to be duplicates. With the MD5 and Message Hash facet you can: 1. Find items with a specific MD5 or message hash and 2. Find items that match with a list of MD5 and message hashes. Specific MD5 or message hash You can use Intella to search for files that have a specific MD5 or message hash. To do so, enter the hash (32 hexadecimal digits) in the field and click the Search button. List of MD5 or message hashes The hash list feature allows you to search the entire case for MD5 and message hash values from an imported list. Create a text file (.txt) with one hash value per line. Use the Add button in the MD5 Hash facet to add the list. Select the imported text file in the panel and click the Search button below the panel. The items that match with the MD5 or message hashes in the imported list will be returned as a single set of results (one cluster). Message hash calculation The message hash is calculated by calculating the MD5 hash of a number of concatenated properties. For s the following properties are taken into account: From, Sender, To, Cc and Bcc headers. Subject header. Date header. body. All other MIME parts (attachments, nested messages, signatures, etc.). For SMS messages the following parts are used: The sender information. The reviewer information. The textual content of the message. When certain headers occur multiple times, all occurrences are taken into account. These message hash computation methods have the benefit that they are source-agnostic: a specific message always gets the same message hash, regardless of whether it is stored in e.g. a PST, NSF, Mbox or EML file. Message hashes can therefore find duplicates across a variety of mail formats and be used to deduplicate such a diverse set of mail formats. Page 82 Intella User Manual 2014 Vound

83 When one of the copies has a minor difference, the will get a different hash and be seen as different from the other occurrences. A good example is a bcc-ed , as the bcc is only known by the sender and the recipient listed in the Bcc header. Therefore, these two copies will be seen as identical to each other but different from the copies received by the recipients listed in the To and Cc headers. Another example is an archived which has one or more attachments removed: it will be seen as different from all copies that still have the full list of attachments. Tip: Install a free tool such as MD5 Calculator by BullZip to calculate the MD5 hash of a file. You can then search for this calculated hash in Intella to determine if duplicate files have been indexed. Tip: Use the Export table as CSV option in the Details table to export all MD5 and message hashes of a selected set of results to a CSV file Item ID Lists In the Item ID Lists facet you can load a list of item IDs, to automate the searching with sets of previously determined item IDs, e.g. obtained by exporting the Details table to a CSV file. An item ID list is a text file in UTF-8 encoding that contains one item ID per line. Once loaded into the case, you can select the list name and click Search. The result will be a single result set consisting of the items with the specified IDs. Invalid item IDs will be skipped Language This facet shows a list of languages that are automatically detected in your items. To refine your query with a specific language, select the language from the list and click the Search button. Important: If Intella cannot determine the language of an item, e.g. because the text is too short or mixes multiple languages, then the item will be classified as Unidentified. When language detection is not applicable to the item s file type, e.g. images, then the item is classified as Not Applicable Size This facet groups items based on their byte size. To refine your query with a specific size range, select a value from the list and click the Search button Duration This facet reflects the duration of phone calls listed in a cellphone report, grouped into meaningful categories. Page 83 Intella User Manual 2014 Vound

13.1.17 Device Identifier This facet groups items from cellphones by the IMEI and IMSI identifiers associated with these items.

84 Device Identifier This facet groups items from cellphones by the IMEI and IMSI identifiers associated with these items. Please consult the documentation of the forensic cellphone toolkit provider for more information on what these numbers mean. This facet also supports the filtering options described in the Address section Export Sets All export sets that have been defined during exporting are listed in this facet. Searching for the set returns all items that have been exported as part of that export set Including and excluding facet values Facet values can be included and excluded. This allows filtering items on facet values without these values appearing as individual result sets in the Cluster Map visualization. To include or exclude items based on a facet value, select the value and click on the arrows in the Search button. This will reveal a drop-down menu with the Include and Exclude options Including a facet value Including a facet value means that only those search results will be shown that also match with the chosen included facet value. Example: The user selects the facet value PDF Document and includes this facet value with the drop-down menu of the Search button in the facet panel. The Searches panel in the Cluster Map shows that PDF Document is now an included term. This means that from now on all result sets and clusters will only hold PDF Documents. Empty clusters will be filtered out. For example, see the image above: the Enron search term resulted in 1,606,638 items, but after applying the PDF Documents category with its 22,167 items as an inclusion filter, only 6,325 items remain. When multiple includes are used, the results are filtered for all items that are in at least one of the include sets, i.e. it is like filtering with the union of all includes Excluding a facet value Excluding a facet value means that only those search results will be shown that do not match with the chosen excluded facet value. Example: The user selects the facet value PDF Document and excludes this facet value with the dropdown menu of the Search button in the facet panel. The searches panel in the Cluster Map shows that Page 84 Intella User Manual 2014 Vound

85 PDF Document is excluded. As long as this exclusion remains, all result sets and clusters will not hold any PDF Documents. Empty clusters will be filtered out. Note: Excludes are often used to filter out privileged items before exporting a set of items, e.g. by tagging items that match the privilege criteria with a tag called privileged. In this scenario it is important to realize that when exporting an to e.g. Original Format or PST format, it is exported with all its attachments embedded in it. The same applies to a Word document: it is exported intact, i.e. with all embedded items. Therefore, when an attachment is tagged as privileged and privileged is excluded from all results, but the holding the attachment is in the set of items to export, the privileged attachment will still end up in the exported items. The solution is to also tag both the parent and its attachment as privileged. The tagging preferences can be configured so that all parent items and the items nested in them automatically inherit a tag when a tag is applied to a set of items. When filtering privileged information with the intent to export the remaining information, we recommend that you verify the results by indexing the exported results as a separate case and checking that there are no items matching your criteria for privileged items. Page 85 Intella User Manual 2014 Vound

14 Cluster Map The Cluster Map shows search results in a graphical manner, grouping items by the queries that they match. This chapter will help you understand how this visualization works.

86 14 Cluster Map The Cluster Map shows search results in a graphical manner, grouping items by the queries that they match. This chapter will help you understand how this visualization works. Cluster with 51 items. Label or Result set. Control buttons adjust the contents of the Cluster Map. Cluster with 16 items, connected to two results sets. Searches panel shows the list of result sets Understanding a Cluster Map The figure above shows a graph with two labels and three clusters. The larger, colored spheres are called clusters. They represent groups of items such as s and files. The queries entered by the user are shown as labels and are used to organize the map. Every cluster is connected to one or more labels. In this Cluster Map we see that the user has evaluated two keyword searches: one for the word buy and one for the word sell. The Cluster Map shows these two result sets, using the search terms as their labels: buy returned 99 items and is represented by the blue edges. sell returned 67 items and is represented by the red edges. The colored edges connect the clusters of items to their search terms, indicating that these items are returned by that search term. For example, this Cluster Map shows that there are 16 items that were returned by both the sell and buy queries, 51 items that contain sell but not buy, and 83 items that contain buy but not sell. When a third keyword search for money is added, the graph changes as follows on our data set: Page 86 Intella User Manual 2014 Vound

Finally, three large clusters at the periphery represent all items that only match the search term that it is connected to.

87 In the middle is a single cluster of 6 items that is connected to all three labels. This represents the 6 items that match all three search terms. There are three clusters of 19, 9 and 10 items, each connecting to two labels but not a third. They represent the items that match two out of the three search terms. Finally, three large clusters at the periphery represent all items that only match the search term that it is connected to. A Cluster Map can always draw a reasonable picture of up to three search terms: the above map shows the maximum complexity that such a graph may have. Beyond three search terms the graph may become too complex and cluttered to be meaningful. That is why the Cluster Map has a second visualization mode called Sets. This mode can be chosen by clicking on the Sets mode in the toolbar. When the user enters more than seven queries, the Cluster Map will automatically switch to that mode. In Sets mode the three result sets are visualized like this: Page 87 Intella User Manual 2014 Vound

Furthermore, all sets are grouped by their order of magnitude indicated on the left in this case all result sets are of the same order of magnitude.

88 Here each result set is depicted as a single rounded square shape with the label and number of items on top. The size of the square is related to the number of items in the set: bigger means more items. Furthermore, all sets are grouped by their order of magnitude indicated on the left in this case all result sets are of the same order of magnitude. The overlap between sets is no longer visualized until the user selects one of the sets. Sets mode can scale to a much larger amount of result sets. The following image is a visualization of 16 result sets, divided among four different orders of magnitude. Adjacent groups get alternating colors for better separation. Note that the visual size of the result sets, indicating the number of items in each set, is only comparable within the group Manipulating Cluster Maps The result sets created with the current query are listed in the box at the top right corner of the Cluster Map panel. To remove a result set from the Cluster Map, click on the remove icon (red X) in the list. Page 88 Intella User Manual 2014 Vound

89 To clear the Cluster Map - remove all result sets - and start a new search, click the Clear button in the terms list. If the Cluster Map regeneration takes too long, you can stop the process by clicking the Stop button. To view and open the individual items in a cluster or result set, first click on the cluster or label. This will list the items in that set in the Details view below. From there the items can be opened by a single or double click, depending on the currently selected view mode of the Details view Options When the Cluster Map is in Clusters mode, the Filters button in the toolbar will be enabled. When this toggle button is selected, the graph is filtered to show only the clusters with the most connections. These could be seen as the most relevant result clusters. This filtering has no equivalent in Sets mode and therefore is disabled in that mode. The last button in the toolbar indicates whether the graph should be shown at normal size (with scrollbars if necessary) or be scaled to fit in the visible space. For Clusters the fit to size mode makes the most sense. For Sets mode showing at normal size is often preferable, especially when dealing with lots of result sets (tens or more). The current visualization can be exported as a transparent, 24-bit PNG image. To do so, choose the Cluster Map option in the Export menu. Page 89 Intella User Manual 2014 Vound

15 Social Graph The Social Graph is another visualization of search results, showing where the emails in the search results came from and went to.

90 15 Social Graph The Social Graph is another visualization of search results, showing where the s in the search results came from and went to. The Social Graph is a new Intella visualization and will be enhanced in future versions. We would appreciate your feedback via the Vound forum, see Basics The social graph is revealed by clicking on the Social Graph button in the Results toolbar. Next, just enter any type of query and the results will be displayed as a social graph. When switching from a populated Cluster Map to the Social Graph, the graph will start loading immediately with these results. Page 90 Intella User Manual 2014 Vound

91 When multiple searches have been evaluated, the graph is based on the union of all search results, with the Includes and Excludes applied. In other words, the social graph is based on the same items that are visible in the Cluster Map at the same moment. To see the s in this result set that relate to a specific contact, i.e. that have that contact as sender or recipient, click on the node representing that contact. To see the s in this result set that have been sent between two contacts, click on the edge between those nodes. In both cases the Details panel below the Social Graph will display these s. Tip: note that the Timeline view is a natural fit to display the s represented by a node or edge. All s are sorted by sent date, and you can easily see the sender and receivers of the individual s. When a person sends a mail to several people, this will result in several edges in the graph. Therefore you may encounter the same several times when browsing the graph and selecting edges Controls The toolbar at the top left offers four buttons for managing the zoom level of the graph: Zoom in. Zoom out. Reset zoom level to the default value. Change the zoom level to make the graph fit the available screen space. The fifth button shows or hides all node labels. When set to hide, only the labels of selected nodes and their connected nodes are displayed. Page 91 Intella User Manual 2014 Vound

92 Finally, the sixth button collapses the toolbar and the Searches panel, revealing any graph structures beneath it. Click on the button that appears in the top-right corner to expand these panels again. The lower part of the toolbar is used to specify what should be shown as node labels: Show only the contact name; use the address if there is no contact name. Show only the address; use the contact name if there is no address. Show both the contact name and address. By default only contact names are shown, as these are typically shorter than addresses and lead to less cluttered displays. The following mouse operations are supported: Drag a node to improve readability. Click on a node to highlight that node and the nodes connected to it. Use Ctrl-clicking to select and highlight multiple nodes. Hold down the right mouse button while dragging to scroll (pan) the graph. The graph can be exported to a PNG file by using Export Social Graph Limitations At this moment the Social Graph only displays s. Future versions will also handle phone calls, other message types, and attachments that are embedded in these messages. Furthermore, the graph displays a warning when your result set contains more than 700 unique s, as this may take considerable time to create. Future versions will again address this in various ways. Page 92 Intella User Manual 2014 Vound

93 16 Statistics The Statistics view is the third view in the visualization box in the upper right corner. It contains several tabs that provide a quick overview of the case, helping investigators to form an impression o the type of data in it and formulate the best next steps to tackle the case Overview tab The Overview tab shows general statistics on various types of items. The Item counts table shows the total number and deduplicated number of items of various key categories. The Documents category is equal to the Documents branch in the Type facet and combines common document formats like MS Office and PDF document. s are all items with MIME type message/rfc822. contains reflects the number of PST, OST, NSF, Mbox files etc. The remaining categories are identical to the same categories in the Features facet. The Types panel shows a pie chart of the top 4 item type categories, as captured by the top-level categories in the Type facet. The top 4 are determined by item count. All other categories are combined into a single Others category. Placing the mouse over a section in the pie chart shows a tooltip that reveals the total number and percentage of that section. Finally, the Top 10 types table shows the ten item types with the highest number of items, measured by their total (non-deduplicated) count. These items are all leaf nodes in the Type branch Histogram tab The Histogram shows the timestamps of all items over the years of months. The histogram not only gives a rough timeline overview of events, but can also be used to find data anomalies, e.g. unexpected peaks or gaps in the volume of s, which may be caused by an incomplete capture of evidence files, bugs in software, default values entered by client software, etc. Page 93 Intella User Manual 2014 Vound

94 To the right of the chart are all date fields that Intella currently supports. Each date field shows the number of items that have that date field set. Date fields that do not occur in this case are disabled. (De)selecting one of the checkboxes changes the histogram to include or exclude the counts for that date field. Depending on the case size and whether a local or remote case is used, this update may take some time. The resulting counts are cached, so that afterwards the user can toggle that checkbox and see the chart change instantly. The chart can alternatively show years or months. There are various ways to manipulate the visualization: Selecting a rectangular area in the chart results in the chart zooming in on that area. Especially when the granularity is set to Months and the chart contains some peaks, this can be useful to closer inspect a given time period. The mouse scroll wheel can also be used to zoom in and out. Once zoomed in, drag the mouse cursor while holding the CTRL key to pan the chart (move sideways). Zooming and panning can be reset by either dragging the chart upwards or using the Reset zoom level button. Note: the Histogram s time axis only shows dates between January and two years from now. This is to prevent obviously incorrect dates that have been extracted from corrupt files from spoiling the graph. Page 94 Intella User Manual 2014 Vound

95 16.3 s tab The s tab shows various typed of -specific statistics. The top-left panel shows the first and last Sent date of a case. This is both shown for all s as well as for all top-level s. The latter set results in the forwarded s being excluded. Note that the dates in this example are clearly invalid. Usually this is caused bugs in the mail clients of the person(s) whose is being investigated. The Header table shows how many unique addresses occur in any of the five headers. The sixth row combines the number of unique values in the To, Cc and Bcc headers. The Top 10 addresses show the 10 addresses with the highest number of s in the case. Both the raw and deduplicated counts are shown. The top 10 is based on the raw counts. The Top 10 host names shows the host names that have the most items associated with them. These are essentially the host names that show up when you expand the All Senders and Receivers branch in the Address facet. Both the raw and deduplicated counts are shown. The top 10 is based on the raw counts. Page 95 Intella User Manual 2014 Vound

96 17 Details panel In order to inspect the contents of the visualization, the user can select a cluster or result set by clicking on it. Its contents will be displayed in the Details panel below the map. This panel contains a list of the items that can be presented in four modes: Table view List view Thumbnails view Timeline view 17.1 Table view The table view displays the results as a table in which each row represents a single item and the columns represent the attributes such as title, date, location etc. The set of attributes to display can be customized with Toggle visible table columns button - the right button of the Details Panel Control. Click on a table column header to sort the table by specific item attributes Adding and removing columns With the Toggle visible table columns button in the Details toolbar you can add and remove columns in the table, by (de)selecting column names in the popup that shows when you click the button. The selected columns are stored: every time you start Intella, these columns will be shown until you select other columns. This option is only available in the Table view. The following columns are available: Page 96 Intella User Manual 2014 Vound

General columns: Contact name: The name of a contact encountered in a PST file or as a vcard file. Decrypted: Shows if an item is encrypted and Intella was able to decrypt it.

97 General columns: Contact name: The name of a contact encountered in a PST file or as a vcard file. Decrypted: Shows if an item is encrypted and Intella was able to decrypt it. Duplicates: Shows the number of duplicates of an item within the case. Encrypted: Shows if an item is encrypted. Exception: Shows if an item had one or more issues indexing properly. File Name: The name of a file in the file system, in an archive or used as an attachment name. Item ID: The ID used internally in Intella s database to refer to this item. Language: The language of the item's text. The language field is left blank when the language cannot be detected automatically. When the language could not be determined, e.g. because the text is too short or mixes various languages, the value shown will be unidentified. Item types that inherently do not have a language, e.g. images or archives, show the not applicable value. Location: Name of the location in the original evidence data where the item is stored. For example, an in a PST file would have a location that would start with the folder and file name of the PST file, followed by the mail folder path inside that PST file. MIME type: The type of an item according to the MIME standard. Size: The item's size in bytes. Source: The name of the Intella source that holds the item. Typically this is the root folder name or the name of the mail container file (e.g. PST or NSF file). Source Path: The path to the evidence, e.g. the PST or NSF file, or the root folder of a Folder source. This helps reviewing items when dealing with a lot of evidence files the name of the evidence file and the derived source name may not hold enough information to easily discern the origin of the information. Subject: The subject of an or document item note that some document formats can have both a title and a subject. Page 97 Intella User Manual 2014 Vound

98 Title: The title of a document item. Type: The item's human-readable type, e.g. MS PowerPoint Document or Message. URI: Uniform Resource Identifier, the identifier used internally by Intella for the item in addition to the Item ID. -specific columns: All Receivers: The combined list of To, Cc and Bcc agents. All Senders: The combined list of From and Sender agents. Attachments: Shows the file names of an s attachments. Bcc: The addresses in the Bcc header. Cc: The addresses in the Cc header. From: The addressed in the From header. Has Attachments: s that are marked as having attachments. Has Internet Headers: s that have regular SMTP headers. When this is not the case, information about e.g. the sender, receiver and dates may still be obtained from other fields, depending on the source format. Message Hash: Shows the Message Hash for s and SMS messages. This hash is used for deduplicating s and SMS messages in a manner that works across different mail formats and phone data source types. Message ID: Shows the Message ID extracted from messages. Sender: The addresses in the Sender header. To: The addresses in the To header. Unread: Shows if an item was unread at the time of indexing. Cellphone-specific columns: All Phone Numbers: phone numbers relevant to a phone call, regardless of whether it is an incoming or outgoing call, combined with phone numbers found in contacts. Incoming Phone Numbers: phone numbers used for incoming phone calls. IMEI: The International Mobile Station Equipment Identity (IMEI) number of the phone from which the item was obtained. IMSI: The International Mobile Subscriber Identity (IMSI) associated with the item. Outgoing Phone Numbers: phone numbers used for outgoing phone calls. Duration: how long the phone call took. File- and document-specific columns: Contributor: The name(s) of the contributor(s) of a document. These are typically authors that edited exiting documents. Creator: The name(s) of the creator(s) of a document item. These are typically the initial authors of a document. Empty document: Shows that the item has no text while text was expected. Example: a PDF file that contains only images. MD5 Hash: The MD5 hash that uniquely identifies the item. OCRed: Shows whether an OCR method has been applied on this file. Columns containing dates: Called: The date a phone call was made. Page 98 Intella User Manual 2014 Vound

99 Content Created: The date that the content was created, according to the document metadata. Content Last Modified: The date that the content of the item was last modified, according to the document-internal last modified date. Due Date: The due date of a task. End Date: The end date of an appointment, task or journal item. File Created: The date a file was made, according to the file system. File Last Accessed: The date a file was last accessed, according to the file system. File Last Modified: The date of the last time the file was modified, according to the file system. Last Printed: The date a document was last printed, according to the document-internal metadata. Received: The date the item was received. Sent: The date the item was sent. Start Date: the start date of an appointment, task or journal item. Review-specific columns: Comments: Shows if an item has comments. When this is the case, a yellow note icon is shown in the table. Hover over the icon to see a tooltip with the comments attached to the item. Export ID: The name the item received when exported as part of an export set. To see the name the item has in a specific set, choose the export set from the drop-down list at the bottom. Exported: Shows if an item has been exported. Flagged: Shows a column at the left side of the table that indicates if an item is flagged. Click the checkbox if you want to flag an item. Opened: Shows if an item has been opened in its native application. Previewed: Shows if an item has been opened in the previewer. Tags: Shows the tags connected to an item. Use the Check / uncheck all checkbox to immediately set all checkboxes on or off. For contacts, e.g. senders and receivers, this popup lets the user choose whether to display the contact name, the address or both. The chosen setting will affect the table sorting when the involved columns are used to sort the table. The contents of the date columns can be adjusted to show their time zones: When set to Always, each date and time value is always accompanied by an explicit time zone. When set to For different sources, time zones are only shown when items from different sources are being shown in the table. Do not show suppresses all time zones. Finally, the Show export set lets the user choose the export set from which the values of the Export ID column should be fetched Reorganizing table columns The columns can be reorganized by dragging a column header to a different location in the table. The order is persistent across application sessions, but specific to that case. Page 99 Intella User Manual 2014 Vound

100 Sorting the list By clicking on a column header, the search results will be sorted alphabetically, numerically, or chronologically, depending on the type of information shown in that column. By clicking the header once more, the sort order will be reversed. Clicking one more time will remove the sorting, letting the results be displayed in their original order. With the Sort table button you can extend the sorting setup. This feature allows you to add multiple sort levels, which means that if the first column is not met, sorting will be based on the second (third, fourth, etc.) column selected. You can also specify the sort order per column by select ascending (A-Z) or descending (Z-A) order. This dialog lets you use all of the columns available, regardless of whether the column is currently present in the table. Sorting by multiple columns can also be achieved by holding the Ctrl button while you click on column names. Any additional column will be added to the list of sorting criterions Showing a conversation Right-clicking an item and selecting the Show conversation option will display a new result set in the Cluster Map -- its label starting with Conv: showing all e mail items that are part of the conversation, including replies and forwarded messages Showing the child items To determine all items nested in an item, right-click on the item and select Preview. Next, switch to the Tree tab to see the full hierarchy, including all child items. To determine the children of a set of selected items, select all relevant items in the Details table, right-click on one of them and click the Show children option. This will open a dialog that asks you what children to put in the result set, as child items may also again contain child items Showing the parent items Right-click an attachment and select the option Preview parent to view the message that contains the selected item. This feature looks up the parent item recursively until it reaches an item. To determine the parent of a set of selected items, select all relevant items in the Details table, right-click on one of them and click the Show parents option. This will open a dialog that asks you whether to produce the top-level or direct parents, and what to do with items that have no parent. See the search preferences for settings related to how the top-level and direct parents are determined List view The List view displays the results in a form similar to conventional web search engines. Select the third button in the Details toolbar to switch to this view. Page 100 Intella User Manual 2014 Vound

For each item, the title and other important metadata will be displayed, as well as a fragment of the document text, if any text has been extracted from this item.

The title is normally displayed in a light green color; dark green indicates that the item has been previewed before by the current user.

101 For each item, the title and other important metadata will be displayed, as well as a fragment of the document text, if any text has been extracted from this item. When Intella currently is displaying keyword search results, the selected text fragment will show the keyword matches and their context. The title is normally displayed in a light green color; dark green indicates that the item has been previewed before by the current user. If the item has any tags applied to it, these will be shown on the right as blue labels. To flag an item, use the checkbox on the left. Items can be selected by clicking, Ctrl-clicking and right-clicking. Right-clicking on any item reveals the same popup as used in the Table view Thumbnails view The Thumbnails view displays the thumbnails of the images detected within a selected cluster. This includes images embedded in attachments and images inside documents. Hover over the thumbnails with your mouse cursor to see a summary of the data connected to the image. Page 101 Intella User Manual 2014 Vound

102 You can flag an image with the checkbox below the thumbnail. When you double-click a thumbnail, the image will open in the previewer. Tip: the Thumbnails view will work a lot smoother when you let it pre-generate the thumbnail representation of all images in the case in advance. This can be done by selecting Generate Thumbnails from the Sources menu Timeline view The Timeline view shows a chronological representation of communications, phone calls and SMS/MMS messages. The left pane shows the senders and receivers, i.e. addresses or phone numbers, with their communication plotted chronologically. Every edge in the timeline view represents a communication and points to the receiver of that communication. The node color represents the role a contact (i.e. an address or phone number) has in a communication, e.g. sender or caller. Click the Legend button to see an explanation of all node colors that can occur. When displaying s, it may occur that an appears to have two senders. That happens when the has both a From and a Sender header. As in most circumstances the From header is of primary interest, the visualization of the Sender headers is by default disabled. It can be enabled by clicking on the Options button and checking the Display the Sender header in addition to the From header checkbox. Tip: When you click an arrow, the arrow, the connected arrows, and the connected squares will be highlighted. When you double click an arrow, the will show in a preview window. Tip: Export a timeline by choosing Export > Timeline from the menu. The timeline will be saved as a PNG image. Page 102 Intella User Manual 2014 Vound

103 17.5 Deduplication With the Deduplicate results button duplicates are removed from the search results based on the MD5 and message hashes of the results. The text next to the button informs you if duplicates are removed and how many duplicates are removed, if applicable. When used in the Thumbnails view, which shows both the images in the selected results as well as any images nested in those results, the end result is deduplicated. Page 103 Intella User Manual 2014 Vound

104 18 Previewing results Produce the item in a number of formats. Inspect an item s contents, headers, properties, attachments, thumbnails, tree structure, extracted words, comments and performed user actions The Previewer window opens when the item in the Details view is (double-)clicked. Iterate over your result list. Item summary shows important item metadata. Tag or flag the current item. Navigate to or search for related items. His indicators show where keyword search hits are located in the text. Prepare a copy redacted for privileged content. Collapse and expand paragraphs. Loop over all search hits found in this item. Page 104 Intella User Manual 2014 Vound

105 18.1 Overview of the Previewer When you double-click an item, it will open in the Previewer. This window allows you to inspect, flag, and tag the item, to explore its relations with other items, and to export the item for later use. The Previewer will show a number of tabs, presenting differ aspects of the item, such as Contents, Preview, Headers, Raw Data, Properties, Attachments, etc. The set of tabs will differ from item to item, depending on the type of item that you selected and what information is available for that particular item The Toolbar The toolbar on the right of the window contains options for producing and annotating the current item, as well as navigating to other items and starting new searches that use this item as a starting point. At the top is a panel with buttons for producing the current item in a number of formats: Export This button opens the Export result as dialog. Enter a name and location if you want to store the item. This exports the item in its original format. Print Tab This button opens a print dialog that shows the contents of the selected tabs (Contents, Headers, Thumbnails, etc.) of the item. Click the print button on the lower right to print the item. Alternatively, the print output can also be saved as a PDF document. Print Report This button opens a print dialog that shows the contents of all tabs of the item. If the item has attachments you are asked if these should also be printed. Click the print button on the lower right to print the item. Alternatively, the print output can also be saved as a PDF document. Open in Application This button opens the item using the computer's default application (e.g. a PDF file would be opened with Adobe Acrobat Reader if that is the default PDF viewer on your computer). Open Containing Folder This button is enabled for items that represent files in the file system and provides quick access to it. When clicked, Windows Explorer will open, show the file s folder and select the file in the folder. The next panel lets one iterate over all items in the Details view from which the Previewer was launched: Previous and Next buttons Go to the next or previous item in a list. Alternatively you can also use the keyboard shortcuts Alt+right-arrow to go to the next item, and Alt+left-arrow to go to the previous item. This functionality is not available when the Previewer was launched by clicking in the Cluster Map, from the Tree tab of another Previewer, etc. Page 105 Intella User Manual 2014 Vound

106 The next two panels are for annotating the current item: Tag button Opens the tag space where you can add new tags to your case and select a tag from a list of existing tags. Quick tag buttons You can assign a tag to a quick tag button. Clicking the button tags the item and switches the previewer to the next untagged item in the list. If no tag is pinned to a Quick tag button, it is randomly associated with one of the recently used tags by default. Go to next item after tagging check box When this check box is selected, clicking the quick tag buttons will switch the Previewer to the next item in the list (if there is one). Flagged Select this check box to flag the previewed item. You might want to flag an item for organizational reasons. For example, to keep track of the items that you have reviewed in the case. The next panel holds actions for navigating to and searching for related items: Preview Parent Use this button to open the parent item in a previewer window. A parent item contains one or more items. Example: Pictures found in a Microsoft Word document are separate items in Intella. The Word document is the parent item for these pictures. The same is true for items found in archive file, such as a ZIP file: The archive file is the parent item for these items. Preview Parent Mail Use this button to open the parent item in a previewer window. A parent item contains one or more items. Example: A picture attached to an is a separate item in Intella. The is the parent for the picture. Show Children Use this button to search for and display the children associated with the item being viewed in the previewer. When selected, a search result with the associated children of the selected items will be available in the Cluster Map panel. The label of the cluster will be Children of [file name] or Children of [subject]. An example of a child item would be an attachment of an . Intella views s and attachments as separate items. The attachment would be the child of the parent . Child items can have child items of their own. Depending on the option that you select, the Show Children shows either only the directly nested children or all children in the tree. Show Conversation Based on the subject of an item and certain headers, Intella can find items that are part of a conversation. Click the button Show Conversation to show all these items in the Cluster Map panel. Page 106 Intella User Manual 2014 Vound

The label of this cluster will be Conv: [email subject]. The email subject is the email subject of the item in the previewer.

107 The label of this cluster will be Conv: [ subject]. The subject is the subject of the item in the previewer. Show Duplicates When an item has duplicates in the case, click Show duplicates to display these duplicates in the Cluster Map. The label of this cluster will be Duplicates of [file name] or Duplicates of [subject]. Smart Search Smart search lets one search for items that are similar to a selected item. It determines a set of keywords in the selected item that have a high information value. Typically these are keywords that occur often in the selected document but are not common words across the case or in any of the supported languages, which makes them representative for the content of the selected document. Using the Smart Search dialog one can then find other documents that share these keywords and therefore have a good statistical chance of being related to the selected document. A slider is provided that the user can use to set a threshold: the lower the threshold, the more documents are returned but at the cost of less relevance to the set of keywords. Checkboxes are provided to control which item fields should be used when determining the set of keywords. This way one can restrict the search for similar items to e.g. the document or message body only. The next panel controls redaction: Redact When this button is clicked, a PDF is generated for the current item and shown in the Redaction tab. See the section on Redaction for more details. Finally, the last panel relates to functionality for handling paragraphs: Page 107 Intella User Manual 2014 Vound

108 Hide seen paragraphs When selected, paragraphs that have been marked as Seen by the user are removed from the text, only leaving an eye icon in the left margin as an indication that a paragraph has been removed there. Click on the eye to bring back the text. Colorize paragraphs When selected, paragraphs marked as Seen by the user are displayed as grayed out text Tabs The tabs show the various aspects of the current item. The set of tabs shown for a particular item can differ from item to item, depending on the item type and which information that particular item holds. When moving from one item to the next using the Next and Previous buttons, the current tab will stay selected provided that that tab is also available for the next or previous item. When a specific tab is never used in a case, its visibility can be toggled using the Previewer s View menu. The benefit of this is a less crowded user interface and shorter loading time. Keyword matches When the current item has any keyword matches, the tabs containing one or more of the keywords change their appearance: The tab name will show with a bold blue font and contain a number indicating the amount of hits. When the tab contains text (not metadata properties), like the document text or headers, it will get a status bar at the bottom listing the found keywords and providing buttons to jump from one match to another. When the tab contains text and has a scrollbar, the location of the keyword matches will be marked in the scrollbar as horizontal stripes. Next we explain which tabs can occur Contents This tab shows the body of an item, e.g. the message in an or the text inside a Word document. The Contents shows a limited set of stylistic elements such as bold, italic and underlined text, tables and lists. However, text is always drawn as black text on a white background, as to reveal all extracted text. For a native rendering of the item use the Preview tab (when available). If the item text is too long, it is truncated in the previewer for performance purposes. Click on the "Show full text" button to view the complete item text. When the item is an image, this tab will show the image s content. An extra toolbar is then provided that allows for zooming, rotating and flipping the image. When an item is encrypted and could not be decrypted, the Contents tab will show an image of a lock, to explain why no text could be shown. Handling paragraphs When the Analyze paragraphs option was selected during source creation, extra UI elements will be Page 108 Intella User Manual 2014 Vound

109 shown in the left margin. These UI elements indicate the start and end of the paragraphs that Intella has detected. They can be used to collapse and expand the paragraph. The UI elements are omitted for very short paragraphs (typically one-liners). Furthermore a popup menu will be shown when the user right-clicks on a paragraph, offering the following options: Mark the paragraph as Seen, or back to Unseen. This grays out all occurrences of this paragraph in all items, facilitating the review of large amounts of long and overlapping documents such as threads with lots of quoted paragraphs. Mark all paragraphs above or below the current paragraph as Seen or Unseen. Search for all items in which this paragraph occurs. All items that contain the selected paragraph will be returned, ignoring small variances such as white spaces. Mark the paragraph for exclusion from keyword search. This can be used to suppress information present in lots of items but with little relevance to the investigation, such as signatures and legal disclaimers. Consequently, keyword queries containing terms such as confidential and legal are more likely to return meaningful results Preview This tab shows the item as if it was opened in its native application. The Preview tab is only shown when the format of the current item is supported and the Contents tab is not already showing it in its native form. The following file formats are supported: s (when the contains an HTML body) Legacy MS Office formats (doc, xls, ppt) New MS Office formats (docx, xlsx, pptx) RTF HTML PDF CSV and TSV files WordPerfect Open Office (Writer, Calc, Impress) Note: To preview the MS Office formats, a local installation of MS Office 2010, or a MS Office 2007 installation with the Save as PDF add-in, is required. Important: When previewing s, only images that are already bundled with the are shown. Any images that a mail client would load from a web server are shown as static icons. When there are any such missing images, a Show external images button appears. Clicking this button will load the images from the servers and show them embedded in the representation. Note that loading these images may constitute a violation of investigation policies Headers This tab shows the complete header of the item. This tab is only shown when you open an item. Page 109 Intella User Manual 2014 Vound

110 Raw Data The content of this tab depends on the item type. For example, in case of PST s the low-level information obtained from the PST is listed here. This typically includes the transport headers (shown on the Headers tab) and the body, but also a lot more. In case of vcard files the raw vcard contents is displayed here. All this information is also searched through when using a keyword search. This may lead to additional hits based on information in obscure areas that Intella does not process any further Properties This tab shows a list of properties connected to the item. Examples are Size, MIME Type, Creator and Character Set. The list of properties shown depends on the type of the item and what data is available in that particular item. To copy all the text to the clipboard click Copy all. Tip: Hover over the question marks at the right hand side with your mouse and see a short definition of each property Attachments This tab lists the attachments of an . When you double-click an attachment or select it and click View, it will be opened in new Previewer window Thumbnails This tab shows thumbnails of the images (jpg, png, gif etc.) attached to an item or embedded in a document, e.g. the images embedded in a MS Word document. Select the checkbox below the image to flag a thumbnail. When you double-click a thumbnail, the image will be opened in a new previewer window Tree This tab shows the location of the reviewed item in the item hierarchy (entire path from root to descendants), as well as all its child items. The file names and subjects are clickable. You can also right-click and choose to either select all above or select all below, or simply select items manually, to assign them to a tag Entries This tab shows the list of items found in an archive file, e.g. a ZIP or RAR file. When you double-click an item in the list or select it and click View, it will be opened in a new Previewer window. However, when the entry is a sub-folder inside the archive, its content will be opened in the same 'Entries' tab. Double-click the '..' entry at the top of the list to return to the parent folder. Page 110 Intella User Manual 2014 Vound

111 Comments This tab lists the reviewer comments attached to the item. Every comment has an author name and time stamp, and the option to Edit or Delete the comment. Note that this is not related to the comments such as found in the MS Word document metadata Words The Words tab lists all words/terms extracted from this item, together with the following information: The search field the term belongs to: text, title, path, etc. The frequency of the word in this document and document field. The number of documents having this term in the same field. This list can be used to diagnose why a certain document is or is not returned by a certain query. The list can be exported as a CSV file by right-clicking anywhere in the table. Right-clicking also lets you evaluate a query with the right-clicked term Actions This tab shows the list of actions performed on the item. The action s date and the user that triggered the action are shown in the list. Actions listed are: Previewed the item was opened in the previewer. Opened the item was opened in its native application. Exported the item was exported Redaction This tab is only visible after the Redact button in the toolbar has been clicked (see above). See the section on Redaction for a detailed explanation of the functionality in this tab. Page 111 Intella User Manual 2014 Vound

19 Tagging Tagging is the process where you connect a descriptive word to an item or a group of items. For example: One of your items is a PDF document that contains valuable information.

112 19 Tagging Tagging is the process where you connect a descriptive word to an item or a group of items. For example: One of your items is a PDF document that contains valuable information. You decide to tag the item with the word important. Tagging helps you to organize results, for example by separating important and unimportant information. Tagging can be done in several ways in Intella. This chapter gives you an overview of the possibilities: Tagging in the main window Tagging in the previewer Letting other items inherit tags automatically Pin a tag to a button See all tagged items Searching with tags Deleting a tag 19.1 Tagging in the main window Adding tags To add tags: 1. Select one or more items from the table, the thumbnail view or the timeline. 2. Open the context menu (right mouse click), and select Add tags 3. In the Add tags to x items dialog you can select already defined tags, or define a new tag with optional description. When you click OK, the marked tags will be linked to the selected items. The Add Tags menu option is also available in the Cluster Map. Right-click on a cluster or label to open a popup menu with this and other options. Page 112 Intella User Manual 2014 Vound

19.1.2 Removing tags The Remote Tags dialog is used to remove tags from a selected items: 1.

Open the context menu (right mouse click), and select the Remove tags menu option. 3. In the Remove tags from x items dialog select the tags that you want to remove, and click OK.

113 Removing tags The Remote Tags dialog is used to remove tags from a selected items: 1. Select the items from which you want to remove the tags in the table, timeline, thumbnail view, or cluster map panel. 2. Open the context menu (right mouse click), and select the Remove tags menu option. 3. In the Remove tags from x items dialog select the tags that you want to remove, and click OK. Now the tags are no longer connected to the items Tagging in the previewer If you want to tag or remove a tag in the previewer, please take the following steps: 1. Open the previewer 2. Click the Tag button to open the tag space 3. Enter a new tag or select an existing tag. To remove a tag (to remove the connection between an item and a tag) just deselect the tag from the list. Three, six or nine tags can be shown as button in the previewer. When a tag is listed as a button, clicking the button results in the tag being assigned to the current item. You can set the desired amount of these quick-tag buttons in the File > Preferences > Results tab > Previewer section. Page 113 Intella User Manual 2014 Vound

114 You can also use Ctrl+1, Ctrl+2, Ctrl+3, etc. to quick-tag an item. The numbers correspond with the button positions. When the Go to next item after tagging toggle button is selected, the previewer will automatically switch to the next item in the list Automatic tag inheritance When tagging items, the policy of your investigation may be that some related items should be tagged as well. One use case is when tagging items as irrelevant: all nested items may then be considered as irrelevant as well. Another use is tagging items as privileged; depending on your policy, this may then be extended to all other items within the same mail as well. Intella offers mechanisms that let these additional tags to be set automatically. For more information, see the section on tagging preferences Pin a tag to a button In File > Preferences > Tagging tab > Previewer section you can select the number of quick tag buttons: three, six or nine. The default value is three quick tag buttons. You can pin a tag to a button and keyboard shortcut (Ctrl+1, Ctrl+2, Ctrl+3) with the following steps: 1. Select Tags in the facet panel 2. Right click on a tag in the list to open the context menu. 3. Select Pin tag to button and select a number from the submenu. Now you can use the buttons in the previewer and the keyboard shortcuts to tag an item. Tags that are pinned to a button are marked with a small blue pin in both the Tag facet and previewer. Note: To unpin a tag from a button, select 'Unpin tag' in the context menu of Tags See all tagged items To get an overview of all items that are tagged in your case, please take the following steps: 1. Select Features in the facet panel. 2. Select Tagged from the list and click Search Now you can see all the items that have a tag in the Cluster Map panel. Page 114 Intella User Manual 2014 Vound

115 19.6 Searching with tags To search with tags, please take the following steps: 1. Select Tags in the facet panel. 2. Select a tag and click Search Now you can see the items that have the selected tag in the Cluster Map panel Deleting a tag To delete a tag from your case, please take the following steps: 1. Select Tags in the facet panel. 2. Right click on a tag in the list. 3. Select Delete and confirm. Now this tag is no longer in your case Undo tags Besides the Delete option in the Tags facet and the Remove Tags menu item in the main window, there is a third way to remove tags from a case: the Undo Actions menu. It can be reached by clicking File > Undo Actions in the menu bar. The Undo Actions provides a history of all tagging, flagging and commenting actions done by all users. In case of tags, it displays the date and time of tagging, the tag used and the amount of items that were tagged: Page 115 Intella User Manual 2014 Vound

116 A typical use case is when several tags have been used for tagging sets of items and one of these tagging actions was a mistake. Removing the tag from only some of its items through table row selection and the Remote Tags window would be time-consuming and error-prone. The Delete Tag option would eliminate all correct taggings. The Undo Actions then provides the option to undo that one mistake and leave the rest intact. Page 116 Intella User Manual 2014 Vound

117 20 Redaction Redaction is the process of concealing part of an item s text, graphics and/or metadata in order to conceal that content part from unauthorized view. A typical use case of redaction is the concealing of legally privileged information in information that is produced for an opposing party in an e-discovery matter, e.g. because of attorney-client privilege. Other scenarios are hiding person names, birth dates, social security numbers, credit card numbers, etc. due to privacy laws or when they are not relevant to the matter at hand Workflow When redacting an item, Intella first creates a temporary PDF representation of the item and then lets the user mark the sensitive areas in it. This PDF and the added redactions are stored in the case. The original evidence item is not changed, nor is any information removed from the Intella case. At any time the redaction marks can be reviewed, edited and removed. Only when the item is exported to the final PDF or to a load file, are the redactions burned in : all pages in the temporary PDF are converted to images in which the sensitive part is literally blacked out. The result is a PDF that is guaranteed not to contain the sensitive information. Redaction affects the results of the regular PDF export and the PDFs and TIFFs that are created as part of a load file. For the sake of brevity, the remainder of this section will only refer to exported PDFs when both are meant Redacting an item Items are redacted by opening them in the Previewer and clicking on the Redact button in the toolbar. This adds a tab called Redaction. The Redaction tab contains a PDF rendering of the item and offers various controls for adding and editing redactions. As the PDF is generated on demand, the tab may take some time to appear, depending on the type and complexity of the item. The item is now ready to be redacted. To redact a part of the content, simply select the rectangular area in the rendered item that needs to be hidden. The selected area will now be covered with a black rectangle. You can repeat this step to conceal additional parts of the item. The redactions are stored automatically; no manual save action is needed. The rectangle is semi-transparent so that the reviewer can still see what content has been redacted without having to move it. In the final exported document the rectangle will be a solid black. To move or resize a redaction mark, simply place the mouse pointer above the redaction rectangle. When placed in the middle, the mouse cursor changes to a four-arrowed cross and the rectangle can then be moved by holding the mouse button and dragging the mouse. When placed on a corner, the mouse cursor changes into an arrow and the rectangle can then be resized by holding the mouse button and dragging the mouse. To remove a redaction, select it and click Delete Redaction. To remove all redactions of this item, click the Clear Redactions button. Page 117 Intella User Manual 2014 Vound

118 When you close and reopen the item, the Previewer will immediately show the Redaction tab again with all previously made redactions, as the PDF is cached. Only when no redactions are added will the PDF be discarded. Redacted items can easily be found using the Redacted category in the Features facet Exporting When exporting an item to PDF, Intella will by default use the redacted version if there is one. More specifically, it will convert the temporary PDF into a final PDF that contains only images, and will burn in the redactions in these images so that the sensitive content is concealed permanently. Exported load files containing PDFs or TIFFs will undergo a similar process. The result of this last conversion step is a PDF that has no regular machine-processable text. To verify this, simply open the PDF in a PDF reader like Acrobat and try to select the text. That makes this redaction method very safe (as opposed to removing the sensitive text from the source file) as all information is in plain sight; there is e.g. no hidden metadata that could still leak the sensitive information. The downside is that the PDFs can have a large file size as all text is represented as images, and that they would need to be OCR-ed to make the non-concealed text accessible again for text selection, keyword search, etc. As the final PDF is derived from the temporary PDF, the PDF export settings entered in the Export dialog will only have any effect on the non-redacted items in the export set. The redaction toolbar in the Previewer also has an Export button, to export the current item as a redacted PDF. This PDF will be the same as when it is exported as part of a collection of items to PDF, i.e. all pages will be converted to images with their redacted parts showing as black rectangles. This option is useful when only a few redacted documents are necessary or to verify the redaction export Mass redaction A common redaction method is to search for a company or organization name and to review and optionally redact the search hits. Intella can assist with this process: when the Redaction tab is viewed while Intella s search interface shows one or more keyword queries, the keyword search hits will be highlighted in the Redaction tab and can be redacted with the click of a button. Note that this highlighting works best on single term queries. It does not work reliably or even at all for more advanced queries such as phrase searches, wildcard queries, etc. The currently used keyword(s) will be shown in a text field beneath the item content and can be changed. Use the arrow keys to move from one keyword hit to another. Click the Redact button to redact the currently highlighted occurrence, or click the Redact All button to redact all occurrences in the current item. Please see the subsection on Caveats below when using the Redact All button. Page 118 Intella User Manual 2014 Vound

119 20.5 Redaction profiles When the Redact button in the Previewer is clicked, a PDF that is generated will consist of a limited set of content and metadata properties. For example, s will show their most important headers ( sender and recipients, subject and sent/received dates) on the first page, followed by the body. The full SMTP headers of the are printed on one or more separate pages, followed by the list and content of the s attachments. When this default set of content and metadata properties is not suitable for a specific case, or different settings are desired for different types of items or different audiences, the user can define one or more redaction profiles for the case. Such a profile defines the set of content and metadata properties to be used in the redacted PDF. When a redaction profile is defined and the reviewer subsequently clicks the Redact button in the Previewer, Intella will ask which redaction profile to use for this item and generate the PDF accordingly. To define a redaction profile, click the Configure redaction profiles button in the Export menu of the main window and choose Create in the next dialog. The window that opens allows the reviewer to enter a profile name and select which content and metadata properties should be used when this redaction profile is chosen. For a detailed description of the available properties see the section on exporting to PDF Caveats As the purpose of redaction is to conceal sensitive information, it is vital that the reviewer takes notice of the following caveats on the redaction functionality. First, there are a number of issues to be aware of when using keyword hit highlighting to control the redactions. When highlighting the search hits in a PDF, the highlighted area may not exactly cover the responsive text in the PDF. The redaction rectangle then needs to be manually moved and resized. Whether this happens depends on the fonts used in the PDF: PDFs that Intella has generated using texts from its own databases are fine (e.g. pages with bodies and headers), but text in existing evidence PDFs or in Word documents that are converted to PDF may be a different story. We have no control over the font characteristics used in those documents and therefore cannot guarantee correct placement of the redaction rectangle. Another important aspect is that hit highlighting may not find all occurrences of the text that is searched for. For example, words that are misspelled, use a spelling variation or are hyphenated may not be found. Texts inside graphics will also not be found. Note that OCR software that is used to combat this can also introduce spelling errors. Finally, tables and graphs may require extra attention. When creating a redacted PDF rendering of an item, the PDF is only associated with that specific item, not with any duplicates of that item. We may introduce that functionality in a future version. Page 119 Intella User Manual 2014 Vound

21 Exporting Intella supports a number of exporting formats, each focusing on a different use case. 21.

120 21 Exporting Intella supports a number of exporting formats, each focusing on a different use case Exporting a single result A single result can be exported by right-clicking on a row in the Details table (or on the item in any of the other views) and selecting Export in the content menu. Alternatively, select an item by clicking on it and choose Export > Result in the menu bar. A file chooser will open that lets you specify the folder and file name. Click Save to export the result to that file. The mouse cursor will show a busy icon while the exporting is taking place. The result will be saved in its original format, i.e. a Word document attached to a mail gets saved as a Word file. All mails from mail sources (PST/OST/NSF/DBX/MBX/Mbox files and IMAP servers) are exported as EML files. Evidence files that are already in EML, EMLX or MSG format as exported as such. Contacts will be stored in vcard format. Calendar items from PST files will be stored in ical format Exporting a list of results To export a collection of search results at a time, you can use the following procedure: Use Ctrl-click or Shift-click to select multiple items in the Details pane, using the table or thumbnails view. Alternatively, right-click and choose Select All to select all items in the list. Right-click and choose Export Highlighted Item(s), or choose Results List from the Export menu. This opens the Export Wizard. This wizard lets you choose the export format and its settings and the export process Export formats The first wizard page lets you choose an export format: Original format exports a file into its original format, i.e. a Word document attached to an is saved as a Word file. All s from mail sources (e.g. a PST or NSF file) are exported as EML files. s that are already in EML, EMLX or MSG format are exported as such. All contact Page 120 Intella User Manual 2014 Vound

121 items from PST/OST files are exported as vcard (.vcf) files. All calendar items from PST sources are exported as icalendar (.ics or.ical) files. The exported files can be opened with the program that your system has associated with the file extension used. PDF converts every item into a PDF document, containing the content of the original item and a configurable set of properties. PST lets you export items to a MS Outlook PST file. The main purpose of this option is to use the PST file as a carrier for transport of s, but other item types are supported as well. The receiver can open the PST file in Microsoft Outlook or process it in another forensic application. i2 Analyst s Notebook/iBase exports the results in a format that can easily be digested with i2 s Analyst s Notebook and ibase applications. All metadata of all items, all attachments and all bodies can be imported into these tools, allowing rapid social network analysis and all other analytical abilities of these applications on and cellphone evidence data. Load file will export the items in a format that can be imported into Summation, Concordance, Ringtail and Relativity. Only one format can be chosen per export run Destination folder The chosen destination folder will contain all exported items, including all export reports (see below). You will get a warning when this folder is not empty. Though Intella tries not to overwrite any files in the specified folder, we recommend specifying an empty folder to be sure. For every selected format a subfolder will be created that holds the files of that export format. All export reports will be placed in the top folder. When exporting a number of sets to the same destination folder, the subfolders with produced files will be merged, but earlier produced files will not be overwritten. Each export run will have its own set of export reports Export templates The configuration entered in the Export window or sub-windows like the load file field chooser will automatically be restored the next time the Export window is opened. No manual action is necessary to achieve that. The current configuration can also be stored as a user-named template in the last wizard sheet. In the first sheet all stored templates are listed in a drop-down list. Selecting one restores the state of the Export wizard to the one stored in the selected template. Export templates are stored in the following folder: Windows Vista, Windows 7 and Windows 8 C:\Users\<USERNAME>\AppData\Roaming\Vound\Intella\ export-templates Windows 2000, XP C:\Documents and Settings\<USERNAME>\Application Data\Intella\exporttemplates You can easily access this folder through the Help > Open Export Templates Folder menu item. Page 121 Intella User Manual 2014 Vound

122 Note that export templates are stored outside of the case data folder. This makes all templates automatically available across all cases on the same machine and user account. To use templates with other user accounts or on other machines, just copy the XML file named after the template to the exporttemplates folder on that account or machine. When you click next, the wizard will let you configure the format-specific options Export sets When a set of items is exported, they can optionally be added to an export set. This is a named set that captures information about the export. When a specific item is about to be exported, the file name and number is recorded in the export set. Furthermore the current export settings are stored as part of a set. When the export set is later selected again when exporting another set of items, this will affect that export run in the following ways: All export settings such as the chosen export format, file naming and numbering schemes, etc. will all be the same as in the first export run. On other words, the export set works similar to an export template. File numbering continues where it left off, rather than starting at again. Items that have been exported before with this export set selected will get the same name and number as the previous time(s) they were exported. When an export set is specified, the resulting export ID (typically based on subject, file name and/or consecutive number) can be made visible in the Details column by adding the Export ID column and selecting the export set in the Show export set option. The Export IDs can also be searched for using keyword search and keyword list search PDF file options The first wizard sheet on PDF options lets you decide whether to export to individual PDF files, one for every selected item, or to export all items into one single concatenated PDF file. When exporting to a concatenated PDF, the resulting PDF can optionally be split in chunks of a given size. This is recommended for performance and stability reasons File naming and numbering (original format, PDF, load files) This wizard sheet consists of three sections: File naming defines how to compose an exported file name (original format, PDF) or page (load file export). File numbering defines how exported files are numbered. File grouping defines how exported files are grouped into folders. File naming By default, exported files will be named using the original evidence file s name or the subject of an . Alternatively, you can choose to number the files using consecutive numbers. These options can also be combined: a number followed by the file name or subject. Page 122 Intella User Manual 2014 Vound

123 Load file naming offers more elaborate numbering style, whose parts can be further configured in the File Numbering section. When using a numbering style, you can also define a prefix. Anything you type here will be added to the beginning of the filename. E.g. the prefix export- will result in the first being named export eml, when you combine it with consecutive numbering. Using "Advanced" mode you can define a file name template that will be a base for exported file name. The template may include the following fields: %num% A counter value will be added. You can also define a number of leading zeroes in the counter using the following format: %000num%. The number of zeroes defines the number of digits used in the counter. The default number format for the counter is to use 8 digits. %group1%, %group2% Group counters used with load file export only. See the "Export as a load file" section for details. Any Intella column identifier surrounded by the '%' symbol, like %md5%. %Best_Title% One of the following fields: File name, Subject, Title, Contact Name or "Untitled". In order to insert any field in the template you can either type it manually or select the field from the drop-down list and press "Add field". File numbering Using the "Start at" option you can define the number to start counting with. By default exporting will start counting at 1. A typical reason to use a different start number is when you want to combine the exported results with another set of already exported files. Numbers are always 8 digits long. Folder, Page rollover and Box are only relevant when using load file naming. File grouping Select the option "All in one folder" to put all exported files in one folder. Select the option "Keep location structure" to preserve the original folder structure that the items have in the evidence files. A folder will be created for every source, in which the original folder structure of that source (as shown in the Location facet) will be recreated. File name examples On the right side you can see a live preview of how the exported file names would look based on the current settings, using items from your current item set as examples PDF rendering options (PDF, load files) [Note: when exporting a load file, this sheet is called PDF or image rendering options ] The first option in this sheet is Use redacted versions when available. When this is selected, the PDF is essentially already generated as part of the redaction process. All other export options in this sheet do not apply to these redacted items; they only apply to those items in the set that have not been redacted. For all types of items, you can indicate whether to include a basic item header, properties, raw data and comments in the PDF: The item header is shown at the top, above a black line, and shows the subject or file name. Page 123 Intella User Manual 2014 Vound

124 The properties include typical metadata attributes such as titles, authors, all dates, hashes, sizes, etc. By default all properties are included, but you can remove some of them in the "Select properties..." dialog. The raw data varies between item types. For example, for PSTs the low-level information obtained from the PST is listed here and for vcards the actual content of the file is listed. This field may reveal properties that Intella does not recognize and are therefore not to be found in the Properties section. The comments refer to the ones made by Intella user(s) in the Comments tab in the Previewer. They are not to be confused with comments that can be made in, for example, a Word document. These are part of the Properties section. Note that the reviewer comments may include sensitive information such as evidence file names, investigator insights, etc. If you uncheck "Include item metadata", the resulting PDF will not contain any additional information except for the actual item content (in its native form or as extracted text) and the headers and footers defined in the next sheet. Most of the options on this sheet will then be disabled. For s, the following information can optionally be included: The message body. The full headers. A list of all attachments, added as a single line in the "Properties" section. It mentions only file name. A list of all attachments, as a separate page. The file name, type and size of each attachment will be listed. The actual contents of the attachments. The original view (described below) will always be selected by default, with the extracted text used as a fallback. For loose files and attachments that are not s, the following options are available: Include the file s content. By default, the original view is used, i.e. a Word document is rendered as Word would render it, and the extracted text is only used when the original view cannot be made, e.g. because the file format is not supported. Alternatively, you can configure exporting to always use the original view, always use the extracted view, or both. List all embedded items, e.g. images found in the document. The following file formats can be exported in their original view: MS Office (doc, docx, xls, xlsx, ppt, pptx) Open Office (Writer, Calc, Impress) WordPerfect RTF HTML PDF When you select "Original view", you will also be able to define a list of item types that should be skipped for this. You can use this to e.g. prevent native view generation of spreadsheets, which often are hard to read in PDF form. An optional placeholder text can be added to make clear that original view generation has been skipped on purposes for this item. Page 124 Intella User Manual 2014 Vound

125 Note: To export most of these formats in their original form, a local installation of MS Office 2010, or an MS Office 2007 installation with the Save as PDF add-in, is required. We strongly recommend that you do not use any MS Office applications until exporting to PDF has completed. Using these applications during exporting can result in these applications exiting suddenly and without warning, risking data loss on any opened documents PST options Enter a file name to use for the generated PST. Enter a display and folder name. After opening the exported PST file in MS Outlook you will see the names you entered. They help you to locate the PST file and its contents in MS Outlook. Select the option "Keep location structure" to preserve the original folder structure during the export. The resulting file can optionally be split into chunks of a given size. This is highly recommended for larger result sets that would make the PST grow beyond the default suggested file size, as Outlook may become unstable with very large PST files. The produced files will have a file size that is close to the specified maximum file size (usually smaller). The export report will list for every item to which PST it was added. Item types that can be exported directly to a PST file Besides s, the following item types can be exported directly to a PST file: Contacts Calendar items: o Appointments o Meetings o Meeting requests Tasks Journal entries Notes Distribution lists Limitations: ical recurrence rules (RRULE property) are not exported. PST Distribution lists are exported, but their list members are not. These limitations may be removed in a future Intella release. Please note that non- items will be exported to a regular PST folder under the Mail section, so not in e.g. the Contact section. How to export other item types to a PST file Items such as Word and PDF documents cannot be exported directly to a PST file. As such items may be attached to an , Intella can be configured to export the parent instead. You can choose to either include the top-level parent or the direct parent. An example would be an attachment contained within an message within another message. With the top-level parent selected all parent items of the attachment (both s) would be included in the PST, one nested Page 125 Intella User Manual 2014 Vound

126 within the other. The second option exports the nested to the PST. You can also choose to simply skip non- attachments. Although this option only mentions parent s, it also applies to e.g. PDF files attached to a meeting request or any of the other exportable items. In this case, enabling this option will export the meeting request instead. This option may therefore be renamed in the future. Note: Files in a folder source lack a parent and therefore cannot be exported to a PST file, except for mail files like EML, EMLX and MSG files, or files of the types listed above. How to export attached s The last setting controls what happens with s that are selected for export and that also happen to be attachments. These are typically forwarded messages. Such s can technically be exported to a PST without any restrictions, but the investigation policy may require that the parent is exported instead, to completely preserve the context in which this was found. That can be done by choosing the Replace with its top-level parent option. Alternatively, use the Export attached option to export the attached directly to the PST ibase and Analyst s Notebook options At the moment the Analyst s Notebook and ibase export does not provide any configuration options. Templates, import specifications and instructions are provided for Analyst s Notebook and ibase. Please contact support@vound-software.com for more information Load file options You can select one of the following load file formats: Summation. Concordance. Relativity. Ringtail. Comma Separated Values file. Each load file export consists of several parts: The main load file, containing the selected fields. Native files, representing the items in their original format. Image files, containing metadata and content as configured in the "PDF or image rendering options" sheet. Text files that contain the extracted text. The first part is mandatory; the others can be turned off. The main load file name can be changed using the "File name" text field. It is also possible to specify the main file encoding when the Summation format is selected. By selecting "Use custom date/time formats" you can override the date and time format used in the load file. Please see this document for the date/time format syntax details: Page 126 Intella User Manual 2014 Vound

127 In order to control the quality of the exported images, you can set the "Image DPI" parameter. It defines the number of dots (pixels) per inch. A higher DPI setting results in higher quality images, but these will take more time to produce and consume more disk space. It is also possible to adjust the TIFF compression type. Note that the image will be converted into blackand-white variant if one of the "Group Fax Encoding" compression type is selected. Numbering with load files The numbering used for load files differs from the other export formats. When exporting to a load file, every exported page has its own unique number. The number of the first page is usually used as a number of the document. Please note that pages are numbered only if image files are included in the export. On the "Headers and footers" sheet you may choose a special field PAGE_NAME which is available only with load file export. This will put the current page name as it was configured on the "Naming and numbering" sheet. Another difference is that by default all export files are grouped into folders and optionally boxes. The "Page rollover" option defines a maximum amount of pages that a folder can contain. The maximum number of folders in a box is fixed to 999 (at the moment it can be changed via an export template XML file only). Additionally you can set a starting number for the page ("Start at"), folder and box. By default, the page counter starts over when switching to the next folder, so the first page in the next folder will have the number "1". This approach can be changed when using the "Continue page numbers from previous folder" option. When it is selected, the page counter will continue page numbering from the last page of the previous folder. In other words, page numbers will be unique among the entire export set. Additionally, the "Advanced" numbering mode can be selected when exporting to a load file. In this case you will be able to set a custom file name template. Please see the file naming and numbering section for details. Note that %num% means a page number, not a document number in this case. Also there are two new fields that can be used: %group1% folder counter %group2% box counter You can also use the %000group1% syntax to define the number of leading zeroes in the counter (similar to %000num% syntax). Thus, the default load file numbering schemes can be expressed using the following templates: PREFIX.%group2%.%group1%.%num% = Prefix, Box, Folder, Page PREFIX.%group1%.%num% = Prefix, Folder, Page %group2%.%group1%.%num% = Box, Folder, Page When using the Advanced mode it is important to set a file grouping: All in one folder or Load file mode. When Load file grouping mode is selected then the exported files will be grouped by folders and, optionally, boxes in exactly the same way as it is described above. Field chooser The "Field chooser" sheet contains a table of the fields that will be included in the load file. By default the starting set of fields depends on the selected load file format. Page 127 Intella User Manual 2014 Vound

128 The "Name" and "Comment" columns in this table are used only for managing the fields within Intella and are not included in the load file. The "Label" column value is used as a column label in the load file. The "Type" column can be one of the following: SUMMATION It can be used only with Summation load file format and cannot be modified. RINGTAIL It can be used only with Ringtail load file format and cannot be modified. CUSTOM User-created field. It can be used with any load file format. You can include an additional custom field by pressing the "Add custom field..." button. Next, enter the name, label and comment. Select one of the following types: FIXED_VALUE Fixed value as specified in the "Value" field. INTELLA_COLUMN One of the Intella columns. ITEM_BEST_TITLE One of the following Intella columns: File name, Subject, Title, Contact name or "Untitled". RECORD_ID_START Name of the first page of the document. RECORD_ID_END Name of the last page of the document. RECORD_ID_GROUP_BEGIN Name of the first page of the first document in the current "parent-child" group. RECORD_ID_GROUP_END Name of the last page of the last document in the current "parentchild" group. RECORD_ID_PARENT Name of the first page of the parent document. NUMBER_OF_PAGES - number of pages of the document FILE_NATIVE - relative path of the original format of the document to the base folder. FILE_IMAGE - relative path of the first image of the document to the base folder. FILE_TEXT - relative path of the extracted text file of the document to the base folder. _INTERNET_HEADERS - full Internet headers of the . ATTACH_ID_LIST - The list of attachment IDs. IS_ - "True" if the document is , "False" otherwise. FILE_EXTENSION - The file extension of the document. DIRECT_PARENT - ID of the document's direct parent. DIRECT_CHILDREN_IDS - The list of IDs of the document's direct children. When exporting to a load file, all documents are grouped by their parent-child relationship. For example, an and its attachments form a single group. The columns "RECORD_ID_GROUP_BEGIN" and "RECORD_ID_GROUP_END" denote the start and end page numbers of such a group. When adding a date column as a custom field, it is possible to choose the way how the date is formatted: show date only, show time only or show full date and time. Note that you can add the same date field more than once and use different formatting options. For example, you can add two custom fields: DATE_SENT ("Sent" column, show date only) and TIME_SENT ("Sent" column, show time only). Click the "Select default fields" button to select only those fields that are part of the default field set for the selected load file format Headers and footers (PDF, load files) You can set headers and footers for the generated PDFs and images. For each corner you can select one of the following fields to display: Page 128 Intella User Manual 2014 Vound

129 EMPTY Nothing will be displayed. EXPORTED_FILE_NAME A file name as it was configured on the "File naming and numbering" sheet. PAGE_NAME A page name as it was configured on the "File naming and numbering" sheet. Note: this option will work only with load file export. For other export types this will be replaced with EXPORTED_FILE_NAME. BEST_TITLE This is one of the following fields: File name, Subject, Title, Contact name or "Untitled". Any Intella column This will be exactly the same value as it is displayed in the result table. Also you can type any static text instead of selecting one of the fields Creating an export report You can indicate whether you want to create an export report for this export. The report can be formatted as a PDF, RTF, CSV and/or HTML file. For PDF, RTF and HTML reports you can also add a comment that will be displayed on the first page of the report. Export reports link the original files to the exported files, by listing identifying information about the original item (e.g. source evidence file, MD5 hash) and linking to the exported file. Also the export report may contain information that is lost during export, such as the evidence file s last modification date; like any copy, the export file has the date of export as its last modification date. Important: If the export of a specific result resulted in errors, you will be notified with an error message in the application. You can find the error notifications at the end of the PDF and RTF report or in the last column of the CSV report Skipped items The exporting progress user interface may report skipped items. These relate to the fact that not all items are inherently exportable to the chosen export format(s). Examples are: A file inside an encrypted ZIP file may be known to Intella but it cannot be exported to Original Format if Intella could not decrypt the ZIP file. Exporting to PDF is possible though, with the information that is known. When using the default PST export settings, Intella will try to replace non-exportable items with their parent . If there is no parent , the item is skipped. Folder results are always skipped. All skipped items are listed in the export report. Page 129 Intella User Manual 2014 Vound

130 21.3 Exporting to a CSV file You can export a results list to a comma separated value (CSV) file. A CSV file contains all information listed in the table. CSV files can be opened in a spreadsheet application such as Microsoft Excel and can be processed through scripting, which opens up new analytical abilities. This functionality can also be used to generate MD5 lists. To export the table to a CSV file: 1. Select the results in the table that you want to export to a CSV file. You can use the Select All option in the right-click menu to easily select all rows. 2. Right click on the selected files and click Export table as CSV. 3. Mark the names of all columns that you want to include in the CSV file. 4. Give the CSV file a name and select Export. The selected columns are stored so that the next time you bring up this dialog, the same columns will be selected. Should you frequently use different export settings, then you can save these as separate templates. Click the New button to create a new template and enter a name. The new template will automatically be selected and any selection changes will be stored under that template name. Click the drop-down list to go back to the previous (default) template. The settings will now be restored to what they were before you created/selected the other template. The contents of the Senders and Receivers columns are configurable to show either the contact name(s), the address(es), or both Exporting the result counts The number of hits per search query can be exported by right-clicking in the Searches list in the upperright corner and selecting Export queries. This produces a CSV file with the following columns: Facet e.g. Type or Keyword Search. Result the textual representation of the search, e.g. the entered search terms or selected facet values. Total Count the total number of items that matched this query. Count after Includes and Excludes the number of items that were retained after applying the Includes and Excludes (if any) to the original set Exporting the social graph data Intella can export the social graph of a collection of s. This procedure creates a graph data file where all nodes where all nodes represent contacts and all edges represent the fact that mails have been sent between those two contacts. Page 130 Intella User Manual 2014 Vound

131 Important: this is different from exporting social graph image, which is covered in the Social Graph chapter. The edges are weighted, with the weight representing the number of mails that have been sent from one contact to another. The edges are directed to differentiate mails from A to B to those sent from B to A. The graph can be exported into the following formats: A CSV file containing three columns: the sender, the receiver and the number of mails. A GML (Graph Modeling Language) file containing that same information. A GraphML file containing that same information. A CSV file can be very practical because it can be viewed and edited in spreadsheets and it is easy to write scripts that can process them. Be aware though that CSV is a very informal standard. Different tools may have different rules on how to encode special characters. Some tools that can process CSV graph files may require that the third column be removed. GML and GraphML are formats specifically designed for specifying graph structures. They can be processed in free tools such as Gephi and NodeXL as well as a number of commercial applications. As GraphML is based on XML, it offers the best solution for dealing with foreign character sets. Page 131 Intella User Manual 2014 Vound

132 22 Load file checklist To help battle the complex nature of load file exporting and importing, we provide checklists for use with Summation (formerly iblaze) and Concordance load files. The Summation checklist contains general considerations that can also apply to the use of other load file formats. The Concordance checklist is specific to the standards used by the US Securities and Exchange Commission (SEC) and US Department of Justice (DoJ) Summation Due to the customization options available in Summation it is often the case that no two clients will have the same load file specifications or requirements. To ensure the most professional outcome when working with Summation load files, it is highly recommended that you (the Intella user) engage with the recipient of the load file (the client) at the beginning of any engagement or well before any deadline to produce a load file. Our suggested workflow would be along the lines of the following steps: 1. Ask the client to confirm that they require a Summation load file. 2. Supply the checklist below to the client and ask them to complete it. 3. Collect the completed checklist. 4. Ask the client to confirm that they have added any extra fields they require to their Summation installation. 5. Make any changes to the Intella Summation load file export options that are needed to comply with the client s requirements. 6. Create a load file from a test data set similar to the data set of this engagement. 7. (*) Test the load file in your own Summation installation with the client s configuration. 8. Ask the client to verify that the sample load file imports correctly in their own Summation installation on all fields, OCR and so on. 9. If not, make any corrections needed and repeat steps 5 to Once it imports correctly, ask the client to sign-off on this format. 11. Save the export options as a custom export template in Intella. 12. Use the custom export template for producing the final load file(s). (*) When creating a Summation load file as a part of your engagement, it is highly recommended that you have sufficient qualifications for Summation to understand and troubleshoot any issues that may arise. Furthermore it is also highly recommended that you have a copy of Summation in-house that you can use to test and improve the output of your work. The next pages contain a sample checklist that you can use with your client. Page 132 Intella User Manual 2014 Vound

133 Load File Engagement Checklist Acme ediscovery Corporation Due to the customization options available in Summation it is often the case that no two clients will have the same load file specifications or requirements. The information below provides you with a list of options to configure a Summation load file, as part of the proposed engagement. Please complete the sections A to D and return the form to our litigation support team prior to this engagement. Options Description Completed YES NO Table selection Option A Option B Summation E-tables or Stdtable Additional Summation Fields Document Rendering Option C Option D Document numbering during rendering Document exclusions Dates Option E Option F Date Selection Other options Page 133 Intella User Manual 2014 Vound

134 Option A: Summation E-tables or Stdtable The following represents the standard Summation E-table or Stdtable offered in Intella. Please select the fields that you require for the production of the load file requested. To do this ticking the appropriate check boxes on the right hand side of the table. If a particular field is not present, write it in at the bottom of the table and send us those details. Page 134 Intella User Manual 2014 Vound

135 Token Field Description DOCID Document ID ATTCHIDS Document IDs of attached PARENTID Parent document ID MEDIA Document category: or efile FOLDER File or location (e.g. Bob.pst/Top of Personal Folders/Inbox) DOCTYPE MIME type of document (e.g. DOCTITLE Document AUTHOR Name of the document s EDITEDBY* Other authors or contributors of the DATECRTD Creation date of the DATESVD Last modification date of the SUBJECT FROM TO recipient(s) (TO CC recipient(s) (CC BCC recipient(s) (BCC DATERCVD Date that the document was TIMERCVD Time that the document was DATESENT Date that the document was TIMESENT Time that the document was INTMSGID Internet message READ Whether the message was read (Y or HEADER message BODY message ATITLE Name of the PGCOUNT Page HASHCODE MD5 hash IID* Intella item ID. Required to locate items in Intella. Required <Add custom > Page 135 Intella User Manual 2014 Vound

136 Option B: Additional Summation Fields It is also required that you include two additional fields that are not listed as standard E-tables in Summation. The additional fields are: ETABLE Description 1 IID Used to identify the item in Intella. 2 EDITEDBY Taken form the Intella Authors and Contributors Facet and used to identify which user edited or created the document. These fields and any additional custom fields that are not default in Summation need to be added using the Summation Form Editor before the load file is imported. Page 136 Intella User Manual 2014 Vound

137 Option C: Document Numbering during Rendering Option Description Value Numbering scheme How the documents and pages are numbered ABC Starting number The number of the first document 1 Starting folder The starting folder number 1 Starting box The starting box number n/a Page rollover Maximum number of pages per folder Grouping scheme All files in one folder Prefix, Folder Please identify the positions where you would like the DocID and numbering options to be displayed on the rendered images: Positions Placement Please identify at what position you would like the DocID to be located in the rendering: Position 1: Position 2: Position 3: Position 4: Also indicate if you would like either to: 1. Show the same DocID, for a particular document, on all pages of that document. 2. Increment DocIDs for each subsequent page of a document, e.g. first page ABC , second page ABC , etc. 3. Do not stamp the image files stamp with the DocID. Page 137 Intella User Manual 2014 Vound

138 Option D: Document Exclusions Some documents formats such as spread sheets do not render very well as images. On occasions, a single spread sheet may generate thousands of rendered image files that will have no value to the reviewer. It is recommended that you opt to exclude certain file types for final rendering. File Extension Comment EXCLUDE Spreadsheets Recommended to exclude YES / NO CSV Recommended to exclude YES / NO XLS Recommended to exclude YES / NO XLSX Recommended to exclude YES / NO Custom Option E: Date Formatting The date format in the load file needs to match the date format selected in the Summation s default settings. Failure to do so may cause the day and month to be reported incorrectly in Summation when reviewing. Although the dd/mm/yyyy date format is the standard in many countries, some clients prefer to use dd/mmm/yyyy. This format is preferred because there can be no mistake interpreting the date. For example, the date 4/5/2013 could be interpreted as either 4 May 2013 or 5 April Using the format dd/mmm/yyyy, the date will be displayed as 4/Apr/2013. Option Description Value Date format How to format date only fields dd/mm/yyyy MM/dd/yyy dd/mmm/yyyy Other: Time format How to format time only fields HH:mm:ss Date/time format How to format full date/time fields dd/mm/yyyy HH:mm:ss Page 138 Intella User Manual 2014 Vound

139 Option F: Other options Option Description Value File encoding UTF-8 Native files Include native files? Yes / No Image files Include image files? Yes / No Image format PDF TIFF PNG Text files Include extracted text? Yes / No Page 139 Intella User Manual 2014 Vound

140 22.2 Concordance US Securities and Exchange Commission (SEC) standard Please select the fields that you require for the production of the requested load file by ticking the corresponding checkboxes on the right hand side of the table. If a particular field is not present, add it at the bottom of the table and send us those details. Field Description Required FIRSTBATES First Bates number of native file document/ LASTBATES Last Bates number of native file document/ BEGATTACH First Bates number of attachment range ENDATTACH Last Bates number of attachment range PARENT_BATES First Bates number of parent document/ FROM Sender TO Recipients (To, Cc, Bcc) SUBJECT Subject DATE_SENT Date the was sent TIME_SENT LINK Hyperlink to the or native file document MIME_TYPE The content type of an or native file document AUTHOR Author of the document DATE_CREATED Date the document was created TIME_CREATED Time the document was created DATE_MOD Date the document was last modified TIME_MOD Time the document was last modified DATE_ACCESSD Date the document was last accessed TIME_ACCESSD Time the document was last accessed PRINTED_DATE Date the document was last printed FILE_SIZE Size of native file document/ in bytes PGCOUNT Number of pages in native file document/ PATH Document location INTMSGID message ID MD5HASH MD5 hash TEXT Extracted text of the native file document/ <Add custom > US Department of Justice (DoJ) standard Please select the fields that you require for the production of the requested load file by ticking the corresponding check boxes on the right hand side of the table. If a particular field is not present, add it at the bottom of the table and send us those details. Field Description Required COMPANIES Company submitting data HASHMD5 Document MD5 hash value BEGDOC# Start Bates ENDDOC# End Bates DOCID Must equal the value appearing in the BEGDOC# field and be UNIQUE NUMPAGES Page count Page 140 Intella User Manual 2014 Vound

141 PARENTID Parent record's BEGDOC# FOLDERLABEL or Document location FILEPATH FROM Sender TO Recipients (To, Cc, Bcc) SUBJECT Subject DATECREATED Date electronic file was created DATESENT Date the was sent TIMESENT Time was sent DATERECEIVED Date was received TIMERECEIVED Time was received HEADER The internet header information for sent through the internet INTERNETMSGID Globally unique identifier for a message which typically includes message ID and a domain name DATESAVED Date native file was last modified DATEPRINTED Date native file was printed EAUTHOR Author of the document LAST AUTHOR Last Saved By field value extracted from metadata of a native file ESUBJECT Document title FILESIZE File size in Bytes FILENAME File name of native file APPLICATION MIME type of document (e.g. application/pdf) DOCLINK File path location to the current native file location on the delivery medium DATEAPPTSTART Start date of calendar appointment TIMEAPPTSTART Start time of calendar appointment DATEAPPTEND End date of calendar appointment TIMEAPPTEND End time of calendar appointment Page 141 Intella User Manual 2014 Vound

23 Audit trail Every case has an audit trail file that contains a list of all user actions. Every line in the file describes a user-initiated action.

142 23 Audit trail Every case has an audit trail file that contains a list of all user actions. Every line in the file describes a user-initiated action. The audit trail file is CSV file that can be opened with Microsoft Excel or Open Office Calc. You will find the audit trail file in the audits folder. This is a subfolder in the case data folder. Page 142 Intella User Manual 2014 Vound

24 Preferences To open the Preferences dialog, select the File > Preferences menu option. To apply changes of the settings, click the Apply button.

143 24 Preferences To open the Preferences dialog, select the File > Preferences menu option. To apply changes of the settings, click the Apply button. To apply changes and close the dialog box, click the OK button. The Cancel button will close the dialog box and discard all unapplied changes. The specific settings per tab are explained below General The Backup section controls how case backups are handled. The three options control whether or not a backup of the case needs to be made when the case is closed, or whether this needs to be asked on every occasion. This setting is set for each case individually. The Backups folder is shared by all cases though. When a case is backed up, a copy of the entire case folder is made and placed in this folder. A previous backup is removed, if the backup has succeeded note that this will have consequences for the disk space that needs to be available. The default location of this backup folder is next to the cases folder. We recommend changing this to a location that is located on a physical disk, so that disk malfunctions do not damage both the actual case and the backup. The Temp Folder controls where Intella stores its temporary files, e.g. for indexing or opening an item in its native application. By default the used folder is inherited from the operating system, but it can be modified here, e.g. to accommodate a system with a small operating system drive or for performance or security reasons. The Check for updates on start-up option lets Intella look online for new versions of the software during startup. This lookup will be done once in every 24 hours. New versions will be shown in the upper right corner of the application. A message will also be shown here when this option is turned off or when fetching the last version information has failed Display The Display splash screen while loading a case option controls whether a splash screen will be displayed after you have selected a case in the Case Manager for opening in Intella. Page 143 Intella User Manual 2014 Vound

Intella checks online whether new language profiles are available for the current Intella version and the currently used language.

144 The Language selection option lets you select the display language used for Intella. The set of values in the list depends on which language profiles are detected in the translations subfolder, located in the folder where Intella is installed. Intella checks online whether new language profiles are available for the current Intella version and the currently used language. When this is the case, a message is displayed in the upper right corner of the main window. Clicking on that message will open a web browser and download the new language profile. The Browse button in this panel can then be used to install the new profile. The Date format setting lets the user select how dates and times will be displayed. The dropdown menu allows for various formats selected by country. This setting is not dependent on the display languages and allows for all generally used formats, regardless of which language profiles are available Search The Enable Search History option allows you turn off the search history. The main use of this is when you do not wish these search terms to be recorded be aware that they are still being added to the audit trail and may leave traces in the log file. This setting is also a workaround for character sets (e.g. Korean characters) that cannot be entered properly when the history functionality is active. The Restore the queries that were shown last option lets the current queries being stored during shutdown, and restores them the next time the case is opened. The Show Children options allow you to specify what children are returned when you click on Show Children in the Previewer or in the search results popup menu. You can specify the level by including only directly nested children (direct children only) or directly and indirectly nested children (all children). When you select the Ask every time option, you will be prompted for the desired level every time you use Show Children. The Show Parents options control what items are ignored when Page 144 Intella User Manual 2014 Vound

145 the top-level or direct parent is selected for an item. This operation affects not only the Show Parents and Show Top-level Parents functions, but also what items are tagged when the Also tag all other items nested in the same top-level item option is selected in the Tagging tab Results The Opening results option controls what happens when a result is double-clicked: open it in Intella s internal Previewer or in the native application registered with that file type. The Following HTML links option relates to the links and externally linked images that can be found in HTML-based s. Both of these can be dangerous to download automatically, e.g. because they can tip-off suspects that their s are being read by another party. This panel lets you control how these link types are handled. By default, links are blocked and external images are not loaded automatically. This can be managed per individual in the Previewer window or for all items at once in this preferences panel. The Cluster Map options let you specify whether transitions on the Cluster Map should be animated and if so, how long that animation may take. You may want to disable animation if it causes performance problems on your system. Furthermore you can specify whether or not the Cluster Map should automatically be scaled when it does not fit inside the window. You can also change this option using the Cluster map toolbar button, or go to View > Cluster Map > Scale to fit window. The Thumbnails View setting controls which thumbnails are shown based on the size of the original image in kilobytes. Images that are below this threshold are filtered out. The Previewer window setting controls how many pages are shown in the Preview tab. This is by default restricted to the first 5 pages, as rendering of this tab may trigger a conversion from the document format at hand (e.g. an MS Word document) to PDF. This can take a long time for large and complex documents. This can be minimized by only converting and showing the first five pages. Furthermore, the paragraph controls shown in the left margin of the Contents tab can be disabled using the Enable paragraph features checkbox. This only has an effect on items from sources that have the Analyze paragraph setting enabled during indexing Tagging When tagging items, the policy of your investigation may be that some related items should be tagged as well, e.g. tagging items in a mail as privileged may require that all other items in that same mail are also tagged as privileged. The settings in this tab can make that happen automatically. Page 145 Intella User Manual 2014 Vound

146 The three radio buttons specify how other items in the hierarchy need to be handled: Only tag the selected item is self-explanatory. Also tag all attached/nested items results in all attached or nested items being tagged with the same tag as well. This works recursively, i.e. all children in the hierarchy are tagged. Also tag all other items nested in the same top-level item means that everything from the top-level mail down to the most deeply nested child gets the tag. In addition to these three settings, you can specify that all duplicates should also be tagged. When this setting is switched on, all items in the case with the same MD5 or message hash will inherit the tag. Furthermore, their children or siblings may also be tagged automatically, based on the setting described above. Note that the top-level parent of an item is determined according to the Show Parents settings in the Search preferences. The upper part of the Tagging tab with the tagging inheritance options can also available by opened by clicking the Tag Preferences button when setting a new tag. This dialog will also let you override the settings for the tag currently being set. The Previewer setting controls the maximum number of quick tag buttons that is shown in the Previewer MS Outlook Click Validate to ensure that Intella can locate the Outlook program files on the system. This is necessary for the ability to export to PST files. The status is shown in the (non-editable) field. If validation fails, please consult your system administrator to make sure that MS Outlook is installed correctly. Page 146 Intella User Manual 2014 Vound

147 24.7 IBM Lotus Notes Click Validate to ensure that Intella can locate the Lotus Notes program files on the system. The status is shown in the (non-editable) field. If validation fails, click the Browse button, select the path to the Lotus Notes folder in the file chooser and click Apply. Tip: The default installation directories for Lotus Notes is C:\Program Files\IBM\Lotus\Notes or on 64-bit systems C:\Program Files (x86)\ibm\lotus\notes Intella uses the last folder by default. Page 147 Intella User Manual 2014 Vound

148 25 Menu, mouse, and keyboard shortcuts 25.1 Main Menu Below is a description of all menu items in the main window. Not all options appear in all products File Preferences Open the Preferences dialog (see Preferences) Key Store Open the Key Store dialog, for viewing and editing decryption passwords, certificates, etc. Undo Actions User can undo any actions listed in the Undo Actions Pane, including tags, flags, and comments. Restore Annotations The user can restore the annotations from a copy of this case, e.g. when the working copy has been damaged beyond repair. Import OCRed files Import files that have been processed using an external OCR tool. Generate Thumbnails (Ctrl+T) Pre-generates all thumbnail images used in the Thumbnails view, speeding up its responsiveness. Tasks Opens a window that show all defined post-processing tasks and lets the user edit and launch them. Excluded Paragraphs (Ctrl+Shift+F) Opens a window that shows all paragraphs explicitly excluded from keyword search and let the user search for them or remove them from the list of excluded paragraphs. Close Case Closes the current case and brings the user back to the Case Manager window. Exit (Ctrl+Q) Exit the application Sources Re-index (CTRL+R) Recreate all indexes from scratch (after user confirmation). Add New... (Ctrl+N) Opens the Add New Source wizard. Page 148 Intella User Manual 2014 Vound

149 Edit Sources (Ctrl+E) Open the Edit Sources dialog window. Edit Evidence Paths Opens the Attach Evidence dialog. This dialog can be used to edit the paths of the evidence files used to create the case. These paths need to be set correctly when the case is re-indexed. Exceptions report Lets the user choose a CSV file to which the exceptions report will be written View Cluster Map Animate Changes Turn cluster map animation on or off. Cluster Map Scale to Fit Window Turn cluster map size scaling on or off. Details Use the four sub-items to switch the Details panel to Table, List, Thumbnail or Timeline mode. Preview Item (CTRL+O) Lets the user open a specific item. See the Item ID column in the Details table for these numbers. Close All Previews (Ctrl+Shift+W) Closes all open Previewer windows. Full screen Toggles full-screen mode Export Cluster Map... Exports the current Cluster Map as a PNG image. Social Graph Exports the current Social Graph as a PNG image. Timeline Exports the current timeline as a PNG image. Words Export all words used in the indexed evidence files. When the results table shows a list of results, exporting of the words of only these items is also possible. Result... Export a single result. This option is available when a single item is selected in the Detauks table. Result List Opens the export dialog to let you export the currently selected results. Page 149 Intella User Manual 2014 Vound

150 Configure Redaction Profiles Opens the dialog that lets you create and edit redaction profiles. See the section on redaction for more information Team Set Work Folder (Viewer and TEAM Manager only) Open the dialog to set the location (folder) where the Intella work reports will be stored. Select a folder in the dialog and click Select folder. The default TEAM work folder is C:\Users\USER\Desktop. Export Work Report (Ctrl+W Viewer and TEAM Manager only) Open the dialog to export an Intella work report file (.iwr extension) to the work folder. Open CSV Exports (Viewer and TEAM Manager only) Open the dialog to open CSV files that were created together with a work report. Select the CSV file and click Open. The CSV file will be opened in the application that is linked to the CSV file type by your operating system. For example: MS Excel or OpenOffice Calc. Import Work Report (Ctrl+I TEAM Manager only) Open the dialog to import an Intella work report. Select an Intella work report file (.iwr extension) and click Open. Work Reports History (TEAM Manager only) Open the dialog that shows the list of work reports that were imported to this case. Every entry in the list has the investigator name, the creation date of the Intella work report and the import date. To delete a selected work report from you case, click Remove Work Report contents in the Work Reports History dialog. You are asked to confirm since this operation cannot be undone Help Help Topics (F1) Opens the bundled user manual (this document). Forum Opens the Intella forum in a web browser. Dongle Manager A shortcut to the separate Dongle Manager application, which is used to inspect and update the contents of your Intella dongle. Open Log Folder Opens the folder where Intella stores logging information. Open Export Templates Folder Opens the folder where the user-defined export templates are stored. These files are.xml files that can be shared and copied to other case folders. About Intella <product edition> Shows a dialog with three tabs. (1) The first tab contains the version number of Intella. (2) The second tab contains system information. (3) The third tab shows license information such as ID, type and restrictions. Page 150 Intella User Manual 2014 Vound

151 25.2 Mouse actions Table and thumbnail view Click and drag Select multiple items. Ctrl+click Select/deselect items. Double click on item Depending on the preferences, this opens the clicked item in Intella s internal Previewer, the registered native application, or opens a dialog asking the user what to do. Right click on item Opens the popup or context menu Timeline Click on Opens the in the Previewer. Double-click on Depending on the preferences, this opens the clicked item in Intella s internal Previewer, the registered native application, or opens a dialog asking the user what to do. Right click on Opens the popup or context menu on that Cluster Map Click on cluster or on label Select a cluster or result set and shows its items in the Details panel below. Click and drag Move cluster to reorganize the Cluster Map. Right click on cluster, label or on the selections panel Opens the popup or context menu on that item Social Graph Click on a node Selects a node and shows its items in the Details panel below. Click on an edge Select an edge and shows its items in the Details panel below. Click and drag Move node to reorganize the graph. Page 151 Intella User Manual 2014 Vound

152 Drag with right-mouse button pressed Scroll (pan) the graph Histogram Click and drag Zoom in on a specific area in the chart. Ctrl-click and drag Pan (scroll) the chart. Click and move up Restore zoom level. Mouse wheel Zoom in and out of the chart Keyboard shortcuts Main window Ctrl+R Re-index all sources Ctrl+N Add new source Ctrl+E Edit sources Ctrl+O Open a specific numbered item Ctrl+Q Exit the application Ctrl+W Export work report (TEAM Manager and Viewer) Ctrl+I Import work report (TEAM Manager only) Ctrl+Shift+W Closes all open preview windows F1 Open Intella help file (requires PDF-viewer, like Adobe Acrobat) Spacebar (in thumbnail view) Flag selected item Page 152 Intella User Manual 2014 Vound

153 Ctrl+A Select all items or text Previewer window Alt+Right Arrow Move to next item Alt+Left Arrow Move to previous item Ctrl+C Copy selected text Ctrl+V Paste copied text Ctrl+A Select all text Ctrl+1, Ctrl+2, or Ctrl+3 Tag an item with the tag assigned to button 1, 2 or, 3 in the previewer Page 153 Intella User Manual 2014 Vound

154 26 Appendix I. HASP problem resolution 26.1 Problem flowchart Page 154 Intella User Manual 2014 Vound

26.2 Problems and solutions 26.3 Installation problems 26.3.1 HASP dongle drivers do not install Problem: You are not able to install the HL Key (dongle) drivers.

155 26.2 Problems and solutions 26.3 Installation problems HASP dongle drivers do not install Problem: You are not able to install the HL Key (dongle) drivers. Cause: Presence of older HASP HL key drivers installed on the machine Solution: Uninstall the older drivers. 1. Click Start > Run or click the Windows key + R 2. Enter C:\Program Files\Vound\Intella\bin\haspdinst.exe -kp purge and click OK. 3. Wait for message that operation was successful. Caveat: These steps uninstall ALL other HASP drivers. Make sure you have no other HASP dongle that requires an older driver. Install the latest driver HASP dongle not found Problem: The following message is triggered "HASP key not found (H0007)" Possible cause 1: The HASP dongle LED is not lit. The dongle is not connected or not properly connected to the USB port. Solution 1. Disconnect, pause a few seconds, then reconnect. If the LED lights up, the application should be able to access the dongle. You may need to wait a few seconds for the dongle to be completely installed by the operating system. 2. The required HASP HL key drivers are not installed. If you are running HASP SRM on a Windows platform, check for an entry for HASP SRM in the Device Manager utility. If there is no entry, you must install the drivers. 3. Check if the USB port is functioning correctly. Disconnect all other USB devices from their respective ports. Connect the HASP dongle to a different USB port. Try using a different USB device in the port from which the dongle was not accessible to test if the port is actually working. Possible cause 2: HASP License Manager Service is not running. Solution 1. Check if the HASP License Manager Service is running by opening a Command Prompt (Start > All Programs > Accessories > Command Prompt) 2. Enter: sc query hasplms 3. Check the result. It should show like this... Page 155 Intella User Manual 2014 Vound

156 SERVICE_NAME: hasplms TYPE : 10 WIN32_OWN_PROCESS STATE : 4 RUNNING (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 If you see RUNNING the hasplms is running Hardware problems No dongle detected Problem: The computer does not detect the dongle. There are several potential causes, listed below. Cause 1:Conflict with other USB devices On occasion, the presence of other USB devices may cause problems with the HASP dongle. Solution: Remove conflicting USB device/devices Cause 2:Incorrect device driver installed The HASP dongle may not function if an incorrect version driver is installed. Solution: see section Installation problems, HASP dongle drivers do not install. Cause 3:USB port is defective or HASP dongle not properly inserted Solution: Check that the LED light is lit on the dongle. If not, remove and reinsert. Wait for the operating system to detect the dongle. If it still does not light up, try another USB port or use a USB hub. Cause 4:Faulty dongle On rare occasions one may get a faulty dongle. The dongle neither lights nor is detected in Device Manager, even with proper driver installed. Request a replacement Firewall & anti-virus problems Unable to access HASP SRM RunTime Environment (H0033) Problem: The error message: "Unable to access HASP SRM RunTime Environment (H0033)" might be caused by too restrictive firewall settings. Possible causes: C:\WINDOWS\system32\hasplms.exe is blocked by firewall or antivirus application. Port 1947 is blocked by a firewall application. HASP License Manager Service is stopped. Page 156 Intella User Manual 2014 Vound

157 Preliminary test: 1. Disable all antivirus and firewall applications. Note that some applications such as Norton, McAfee, and AVG have both antivirus and firewall settings that may need to be individually disabled. 2. If the HASP License Manager Control Center does not appear in the browser at then we know that the anti-virus or firewall application will have to be configured. 3. If the Control Center still does not appear, check for other firewall or antivirus applications that may be running and disable them or turn them off. Solution: 1. Add C:\WINDOWS\system32\hasplms.exe in the Exception list of the antivirus and firewall application 2. Add port 1947 to the Exception list 3. Restart the HASP License Manager Service (Control Panel > Administrative Tools > Services) An example of a firewall exception is shown in the image on the right. Important: You must perform an installation Reinstall of Intella as the antivirus software may have blocked components during the first install. The following information is adapted from the SafeNet Sentinel HASP knowledgebase. Message: "Unable to access HASP SRM RunTime Environment (H0033)" Problem: This error means that there is a communication error between the program and the local license manager. This error can be triggered by a number of causes, including (1) improper installation of the HASP RTE software, (2) personal firewall software blocking communication with the HASP LMS service, or (3) other software using the same port that the HASP License Manager uses (i.e. port 1947). Solution: To troubleshooting the error follow the steps below until the cause for the error is found: 1. Open a web browser and connect to This is the HASP SRM Admin Control Center. If it's possible to connect to this page, then the HASP SRM Runtime is installed properly. The problem lies elsewhere and you can disregard the rest of this document. Page 157 Intella User Manual 2014 Vound

158 If you get a message Page cannot be displayed then it's possible that HASP SRM Runtime is not installed (go to step 2) or blocked (go to step 3 and 4). 2. Go to Start > Run, enter services.msc and click OK. The list is alphabetical. Search for HASP License Manager in the table and then check if its status is Started If this entry is not listed, then the HASP SRM Runtime is not installed. Please reinstall it. If the status is not Started check the event log for entries relating to the HASP License Manager service that will give an error message and further diagnostic information. 3. Check your personal firewall software. There are many types of personal firewall software including Norton Internet Security (the Firewall is one component of this software), ZoneAlarm and others. By default most personal firewall software will request permission to allow access for the HASP License Manager the first time it is run. If access is allowed there should be no problems. If access is denied you will encounter communication problems. To resolve such problems either disable the firewall completely (Note: this option has risks. Please contact your firewall vendor for details) or create a rule or exception in the firewall to allow the HASP License Manager communication. If there is an option to create a rule/exception based on a port number, allow port As there are many personal firewall products on the market it is not possible to list all the ways to configure each piece of software here. Please contact your firewall vendor for details on how to create exceptions or rules as detailed above. 4. Check that there aren't any applications that use HASP registered port (Port 1947). If you find such a program, disable it and run the HASP application again Normal operation Dongle installation Intella is shipped with the latest SafeNet HASP dongles. Intella is packaged with the SafeNet HASP RTE installer. When correctly installed, the Windows Device Manager reports three items in the Universal Serial Bus controllers section: SafeNet HASP HL Key SafeNet HASP Key SafeNet USB Key. Page 158 Intella User Manual 2014 Vound

When incorrectly or incompletely installed, warning icons appear on the device.

$runs as a system service: C:\WINDOWS\system32\hasplms.exe The HASP License Manager Service hasplms.$ When this application is running you should be able to load the HASP License Manager Admin Control

When this application is running you should be able to load the HASP License Manager Admin Control

HASP SL is the trial version license. HASP HL will only show when the dongle is plugged in.

159 When incorrectly or incompletely installed, warning icons appear on the device. HASP License Manager Service The HASP installer includes the HASP License Manager application that runs as a system service: C:\WINDOWS\system32\hasplms.exe The HASP License Manager Service hasplms.exe must be running to allow Intella to open. When this application is running you should be able to load the HASP License Manager Admin Control Center by entering in an internet browser. HASP SL is the trial version license. HASP HL will only show when the dongle is plugged in. Windows system services A good indication that the License Manager Service is running properly, is that the entry is flagged as Started in the table of Windows system services: Page 159 Intella User Manual 2014 Vound

160 26.7 Installation flowchart Page 160 Intella User Manual 2014 Vound

Intella User Manual Intella evidence made visible

Intella User Manual Intella evidence made visible Vound email investigation and ediscovery software Version 1.7.3 Contact To learn more about Intella, please contact us using the contact information below,