Contact
To learn more about Intella™, please contact us using the contact information below, or contact an Intella Channel Partner.
Office Phone
+1 888-291-7201
Email
sales@vound-software.com
Postal Address
10643 N Frank Lloyd Wright Blvd, Suite 101
Scottsdale, AZ 85259
U.S.A.
Sales Contacts
http://www.vound-software.com/partners
We will be pleased to provide additional information concerning Intella and schedule a demonstration at your convenience.
To become an Intella reseller, please contact us!
For user and technical support please visit our website: https://www.vound-software.com
Vound Colorado (“Vound”).
© 2024 Vound. All rights reserved.
The information in this User Manual is subject to change without notice. Every effort has been made to ensure that the information in this manual is accurate. Vound is not responsible for printing or clerical errors.
VOUND PROVIDES THIS DOCUMENT “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED AND SHALL NOT BE LIABLE FOR TECHNICAL OR EDITORIAL ERRORS OR OMISSIONS CONTAINED HEREIN; NOR FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES RESULTING FROM THE FURNISHING, PERFORMANCE, OR USE OF THIS MATERIAL.
Other company and product names mentioned herein are trademarks of their respective companies. It is the responsibility of the user to comply with all applicable copyright laws.
Mention of third-party products is for informational purposes only and constitutes neither an endorsement nor a recommendation. Vound assumes no responsibility regarding the performance or use of these products. Under the copyright laws, this manual may not be copied, in whole or in part, without the written consent of Vound.
Your rights to the software are governed by the accompanying software license agreement. The Vound logo is a trademark of Vound. Use of the Vound logo for commercial purposes without the prior written consent of Vound may constitute trademark infringement and unfair competition in violation of federal and state laws.
All rights reserved by Vound. Intella is a trademark of Vound.
1. Preface
1.1. Document conventions
The following section introduces you to conventions used throughout the Intella documentation.
Menu Functions
For functions that can be reached through menus, the different menu levels are illustrated as follows:
Menu > Menu entry
Important Entries
Some text will be shown as follows:
Important information on Intella.
These entries discuss a key concept or technical information that should, or must, be followed or considered. Please pay special attention to these entries.
Warning Entries
Some text will be shown as follows:
Warning information when using Intella.
Notes
Some sections provide additional information that will assist your use of Intella. These are displayed as shown below:
Information on function or parameter.
Keyboard Shortcuts
Some Intella functions can be activated or accessed through keyboard shortcuts. They are shown as follows:
CTRL+E
Tips
Several shortcuts, alternative methods, or general working tips are included throughout the documentation. These may help your workflow or provide additional information on other uses of functions. Tips are shown as below:
Information on Intella.
Folder and file names
Folder and file names are shown as below:
C:\Program Files\Vound\Intella\
2. An introduction to Intella Backpack
2.1. Supported platforms
We support and test our products on Windows 8/8.1, 10 and 11. A 64-bit operating system is required. The “Home” or “Starter” editions are not recommended as they limit the maximum amount of memory and CPUs. Please use the “Pro”, “Enterprise” or “Ultimate” versions instead.
Intella is tested on the abovementioned operating systems. That said, we have customers who are running Intella on the Windows Server platform, versions 2008, 2012, 2016, 2019 and 2022. Note that there may be security settings that need to be configured on the server to allow Intella to run on it. This needs to be addressed by your IT team; we cannot provide advice on these settings.
For detailed instructions about installing and running Intella, please read section 4: Installation and configuration.
2.2. Strong cryptography
Intella bundles and uses the Java Runtime Environment (JRE). This JRE contains the JCE Unlimited Strength Jurisdiction Policy files for decrypting certain types of encryption. Furthermore, it has been configured to allow the use of unlimited strength cryptography, by enabling this option in the java.security file:
crypto.policy=unlimited
We recommend that you check your local regulations to ensure that the use of encryption is permitted.
2.3. Feedback
We take great care in providing our customers with a pleasant experience, and therefore greatly value your feedback. You can contact us through the form on http://support.vound-software.com/ or by mailing to one of the email addresses on the Contact page.
3. Managing cases
A case is a collection of evidence sources that can be searched by Intella as a single collection. In Intella Backpack, you use Portable cases created and exported by other Intella applications.
When you start Intella Backpack, the Intella Backpack Case Manager will first show up. Here you can add new cases, open existing cases and remove old ones.
Above the case list is a field for entering the Investigator name. This name will be used as the default user name when reviewing cases. The initial value used here is your Windows user name.
Use “Sort by” options to change the order of cases in the list:
- Last opened - by last opening time (the default)
- Case name - alphabetically by name
- Case folder - alphabetically by folder path
- Created - by creation time
- Creator - alphabetically by the Investigator name of the user who created the case
- Evidence size - by the total size of evidence files
- Case version - by the Intella version used to create the case
3.1. Adding cases
To add a new case from an IPC (Intella Portable Case) file, click the “Add IPC file…” button and select the file. The “Add portable case” dialog appears.
In the “Password” field, enter the password supplied by the Portable case creator. You can click the “Validate” button to check whether the password is correct for this IPC file.
In the “Case folder” field, you can enter the path to the folder where the new case will be created, or accept the suggested path. Use the “Browse” button to select the folder.
Click “Ok” to add the portable case. If the password is correct, the dialog will be closed and the new case will appear in the cases list.
3.2. Opening a case
To open a previously added case, select it in the list and click “Open”. The Case Manager dialog will be closed and the case will be opened in the main Intella window.
3.3. Removing a case
To remove a case from the file system and from the cases list, select it and click “Remove”.
4. Overview of the Intella Backpack interface
Intella Backpack’s main window consists of the following tabs, or "views": Welcome, Insight, Search, Keywords and Identities. Optionally, one or more Review views can be present. Together they give access to all information stored in an Intella case.
Another prominent window is the Previewer, showing detailed information about an item. The Previewer can be opened by clicking or double-clicking on certain elements within the Insight or Search tabs.
This chapter gives a brief overview of these user interface parts. More detailed information is provided in later chapters.
4.1. Welcome view
The Welcome view is the first and default tab in a new case. It shows what features and other improvements have been added in this version of Intella, and offers links to various types of documentation, support, and common actions.
The Welcome view offers a checkbox that lets the user suppress this tab the next time this case is opened. This setting is stored per case, i.e. new cases will again show the Welcome view.
4.2. Insight view
The Insight view shows notable aspects of the indexed evidence files and possible next steps to take. The overview given here can help an investigator get a grasp of the case’s contents, such as the encountered item types and their volumes, date ranges, web browser activity, potentially privacy-sensitive information, etc. This helps formulate follow-up questions for further research.
Most elements in this view can be clicked or double-clicked, which starts a search in the Search tab or opens a corresponding item in the Previewer.
4.3. Search view
The Search view allows for arbitrary searches in the case data using keywords or one of the navigation facets such as date, location, item type, etc.
- The Keyword Search panel is the place to enter search terms or phrases.
- The Facet Search panel shows a list of facets for searching and filtering results. Each facet represents a different dimension in which the items can be discerned. Select a facet from the list to see the navigation options offered by that facet, shown beneath the list.
- The Searches panel shows the user’s keyword and facet queries, together with their result count.
- The Results panel shows the search result sets of these queries in various ways, by grouping the items in a certain way.
- The Details panel shows a table, list, thumbnail view, or timeline view of the results in a selected element in the Results view. It is populated by selecting elements in the Cluster Map, Geolocation view, Histogram, Social Graph, or Searches list. Click or double-click (depending on the chosen view) on an item to view it in full detail in the Previewer.
4.4. Keywords view
The Keywords view allows the user to gather statistics on the keywords in a keyword list. After selecting or adding a new keyword list, the user can choose on what document fields the keywords need to be evaluated, e.g. the document text, email headers, authors, etc. Furthermore, the user can choose what statistics need to be calculated: the number of items matching the query, the number of hits (occurrences) of each query, the item count per custodian, etc.
Once all options are configured as desired, the user can click the Calculate button. This will populate the table row by row.
4.5. Identities view
The Identities view lets one build an “address book” of the persons of interest in a case. An identity bundles the communication aliases used by a person, such as email addresses, phone numbers and chat accounts, into a single unit. The identity is given a Full Name and can be annotated with other properties. This information is used to enhance the querying and display of items in other parts of the user interface.
4.6. Previewer
The Previewer is typically opened by clicking on elements in the Insight or Search tab, but it can also be opened by clicking on hyperlinks in the Previewer’s own Tree tab, or by using the “Preview item…” option in the View menu and entering the item’s ID.
- Use the tabs at the top to inspect an item’s contents, headers, properties, attachments, thumbnails, tree structure, extracted terms, comments and performed user actions. The tabs shown for a specific item depend on the item type and its data. Bold tab names indicate the presence of a keyword search hit in the text inside that tab.
- The Contents tab always starts with a summary of important information about the item, followed by the document or message body, image content, etc.
- When the Search view shows the results of one or more keyword queries, the status bar at the bottom will show the keywords found in the current item and offer buttons to navigate from hit to hit.
- The toolbar on the left lets one navigate to and search for related items, annotate the current item in various ways and produce the current item in several formats.
5. Insight view
The Insight tab contains several information panels that together give a concise overview of the information inside the case, revealing suspect behavior, and giving rise to follow-up investigative questions.
The information is extracted from a variety of sources, such as emails and documents, web browser histories, Windows registries and more.
Clicking on entries like a document type or custodian name in the Insight tab will add a relevant search for that item category to the Cluster Map in the Search view. The main window will then automatically switch to the Search view as well.
The entire tab can be exported to HTML by clicking on the Export button in the top right corner.
5.1. Evidence
The Evidence section shows important global statistics regarding your data. A detailed description of each category can be found in the section explaining the Features facet.
5.2. Types
The Types section shows a breakdown of the different types of files and other items in the case. It shows the same hierarchical structure as the Type facet in the Search tab.
5.3. Custodians
The Custodians section shows the list of custodians in the case, if any, together with the number of items that are assigned to them. A pie chart showing these amounts is shown to the right of the table.
For detailed information on how to define custodians see the section titled “Custodians”.
5.4. GDPR
The GDPR section gives an overview of privacy-sensitive information encountered in the case. Examples of such information are person names, email addresses, phone numbers and other communication handles, credit card numbers, etc. Such information is important from a GDPR compliance perspective, or under similar legal frameworks in use around the world.
For each category of personally identifiable information (PII), the number of values found is listed. These values can be exported to a CSV or XLS file. Furthermore, the number of items that contain at least one of these values is listed. This amount is further split up in Documents, Emails, and Other categories.
The PII categories are split into two groups, based on whether the PII was found in the document/email body or in the metadata.
Double-click on a table row to switch to the Search tab and see the items involved in that category.
Some categories are determined during indexing, yet some other categories may require Content Analysis to be run first. To launch the Content Analysis procedure from the Insight tab, click the hyperlink at the bottom of the GDPR panel.
5.5. Internet Artifacts
The Internet Artifacts section contains information about web browser activity, based on the browser histories detected in the evidence data.
All major browsers are supported: MS Internet Explorer/Edge, Mozilla Firefox, Google Chrome and Apple Safari.
The top chart shows the list of encountered browser histories, listing the following information:
- The path of the browser history in the evidence data.
- The type of browser, represented by the browser’s desktop icon.
- The number of visited URLs in the browser history, both as a number and as a bar showing the amount relative to the total number of visited URLs in the entire case.
- The last used date of the browser history, i.e. the last time a new URL was added or a visit count was updated. Note that manual deletions of URLs in the history by the end user are not considered when determining the last used dates; it is merely indicative of when the regular day-to-day usage of that browser ended.
At the very top of this list is a row that represents the total amount of visited URLs in the case, regardless of location and web browser type.
Beneath the list of browser histories there is a breakdown of the visited URLs:
- The “Top 100 visited URLs” table shows the most visited URLs, with for each URL the number of visits as indicated by the browser history.
- The “Top 100 visited domains” table shows the most visited domains, together with the sum of the visit counts of all URLs in that domain. Subdomains are treated as independent domains.
- The panels “Social media”, “Cloud storage”, “Webmail” and “Productivity” show the number of visits that belong to some commonly used websites, such as Facebook and Twitter for social media, Dropbox and OneDrive for cloud storage, Gmail and Yahoo Mail for webmail, etc.
By default, this breakdown covers all visited URLs in the case. By clicking on a row in the list of browser histories one can narrow down on the visited URLs in that browser history. The blue URL count bar indicates the selected browser.
The categories and domains that are checked can be configured by editing the common-websites.xml file in the [CASEDIR]\prefs folder.
During the development of this functionality we observed that the semantics of a “visited URL” may differ between browsers, possibly even between browser versions. In some cases, it indicates that the user explicitly visited a URL by entering it in the browser’s address bar or by clicking a link. In other cases, all resources loaded as a consequence of displaying that page may also be registered as “visited”, even resources from other domains, without making any distinction between the explicitly entered or clicked URLs on the one hand and the other resources on the other hand. One should therefore carefully look at the operation of a specific browser before drawing any final conclusions.
5.6. Timeline
The Timeline shows the timestamps of all items in the case, aggregated by year or by month. This not only gives a rough overview of events over time, but can also be used to find data anomalies, e.g. unexpected peaks or gaps in the volume of emails, which may for example be caused by an incomplete capture of evidence files, bugs in the custodian’s software, default values entered by client software, or actions of malicious custodians (resetting date fields, deleting information).
To the right of the chart are all date fields that Intella currently supports. Each date field shows the number of items that have that date field set. Date fields that do not occur in this case are disabled. (De)selecting one of the checkboxes changes the timeline to include or exclude the counts for that date field.
This update may take some time, depending on the case size and whether a local or remote case is used. The resulting counts are cached so that afterwards the user can toggle that checkbox and see the chart change instantly.
The chart can alternatively show months or years.
The Timeline’s time axis only shows dates between January 1, 1969 and two years from “now”. This is to prevent obviously incorrect dates that have been extracted from corrupt files from spoiling the graph.
5.7. Identities
The Identities section consists of three tables with various types of identities, which may be representing users or other entities.
The User accounts table shows a list of user accounts extracted from the evidence data. These can be:
- Windows user accounts, extracted from Windows registry hives.
- Skype user accounts, extracted from Skype databases. These are the database’s local account, not the entire contacts list of that account.
- Pidgin user accounts. Again, these are the local accounts, not the entire contact list.
- User accounts in cellphone reports as produced by Cellebrite UFED, Micro Systemation XRY and the Oxygen Forensic suite. See the documentation of the respective product for details on the correct interpretation of such information.
The “Origin” column in this table shows either a machine name extracted from a Windows registry or the location of the evidence file that the account was extracted from.
The Top 10 email addresses table shows the 10 email addresses with the highest number of emails in the case. Both the raw and deduplicated counts are shown. The top 10 is based on the raw counts.
The Top 10 host names table shows the host names that have the most emails associated with them. These are essentially the host names that show up when you expand the “All Senders and Receivers” branch in the Email Address facet. Both the raw and deduplicated counts are shown. The top 10 is based on the raw counts.
5.8. Notable Registry Artifacts
You may click on the "Calculate Notable Registry Artifacts" button to begin the analysis process (it might take significant time on larger cases). After the analysis is complete, the Notable Registry Artifacts (NRA) section will appear. This section gives insight into the most important artifacts extracted from the Windows registry hives of the investigated machines/operating systems.
A case may contain evidence files (usually in the form of disk images) that relate to multiple operating systems (OSes), simply because multiple machines may be involved, but also because a machine may have multiple operating systems installed. Hence the artifacts are grouped by OS, labeled by the “Computer Name” that was extracted from the registry, and further subdivided in several categories.
The following artifact types are currently extracted and reported:
- Basic OS information
- OS time zones
- OS user accounts
- Network interfaces
- Network connections
- USB mass storage devices that have been connected
- Recently used files
- Shellbags
- Typed URLs registered by web browsers using the registry
A “registry artifact” is a logical concept in Intella that is modeled as an atomic item in the case and that holds important information typically used in digital forensic investigations. This information is specially selected for this purpose by experienced forensic experts. While the properties of a registry artifact may be scattered across different registry hives and backups of these hives, Intella will unify them into a coherent item.
The NRA section is divided into two parts. On the left-hand side, labeled “Overview”, the tree organizing the registry artifacts is shown. The first level nodes represent OSes labeled with the “Computer Name” extracted from the registry. One level deeper we find sub-nodes for the various registry categories (e.g. “User Accounts”), followed by leaf nodes representing the actual artifacts (e.g. a specific User Account).
One can select a leaf node in this tree, which will show the properties of that registry artifact in the Details view on the right-hand side.
Double-clicking on a leaf node opens the registry artifact item in the Previewer. This shows additional information such as the location of the item and allows for browsing to nearby items in the item hierarchy using the Previewer’s Tree tab. One can also right-click on a leaf node and select “Preview” from the context menu.
Right-clicking on a category node (e.g. a “User Accounts” node) shows a context menu with a Search option. This launches a search for all User Accounts in the Search view. Note that this searches for all user accounts, not just the ones in the currently explored OS.
Besides the regular registry hives, the Windows registry maintains backup files in the form of so-called “RegBack” files. Intella will process these files as well and display the extracted data in the NRA section. Values coming from such backup registry hives are marked with a “RegBack” label and are only displayed when they differ from the corresponding values in the current files. Not doing so would greatly increase the amount of redundant registry information.
5.8.1. Supported registry hives
Intella will process the following registry hives:
Registry Hive Name | Location
---|---
SYSTEM | Windows/System32/config/SYSTEM
SYSTEM (RegBack) | Windows/System32/config/RegBack/SYSTEM, Windows/repair/SYSTEM
NTUSER.DAT | Found under folder Users/<user id> or Documents and Settings
SOFTWARE | Windows/System32/config/SOFTWARE
SOFTWARE (RegBack) | Windows/System32/config/RegBack/SOFTWARE, Windows/repair/SOFTWARE
SAM | Windows/System32/config/SAM
SAM (RegBack) | Windows/System32/config/RegBack/SAM, Windows/repair/SAM
Registry artifacts can be extracted from disk images and folders only if all relevant files are in the proper folders, e.g. Windows\System32\config\SYSTEM. Support for Windows XP and older is limited.
5.9. Devices
The Devices section contains a list of all USB mass storage devices that have been connected to the suspect machines. This information is taken from the Notable Registry Artifacts section. It provides the ability to quickly oversee and sort all devices found in the case.
5.10. Networks
The Networks section contains a list of wired and wireless networks that a suspect machine has been connected to. This information is taken from the Notable Registry Artifacts section and from cellphone reports. It provides the ability to quickly oversee and sort all networks found in the case.
5.11. Significant Words
You may click on the "Calculate Significant Words" button to begin the analysis process (it might take significant time on larger cases). After the analysis is complete, the Significant Words panel will appear. It visualizes important words encountered in the item texts in the case, based on a statistical model of term relevance. The bigger the font of a word, the higher the relevance that word may have for the data set at hand.
These results are purely suggestive: though they are based on commonly used information retrieval techniques, they only look at the evidence data. They do not take the investigative research questions into account, or any investigative results such as items tagged as “relevant”.
The Paragraphs section shows statistics on the paragraphs that Intella has registered, when the Analyze Paragraphs setting was set on the source(s) in the case. It lists the number of unique and duplicate paragraphs, both as raw numbers and as percentages. Furthermore, the Paragraphs marked as Seen or Unseen are counted. Finally, the number of Documents, Emails, and Other item types with unique content (i.e. a paragraph that does not occur in any other item) is listed. These groups can be clicked, which shows these item sets in the Search tab.
5.12. Workflow
The Workflow section lists additional tasks that one might consider after the initial indexing is done. These tasks can further refine the case index quality and kick-start the investigation and analysis phases.
- Add keyword list adds a keyword list to the case, for use in the Keyword Lists facet or Keywords tab in the Statistics view.
- Add MD5 list adds an MD5 or message hash list, for use in the MD5 and Message Hash facet.
- Add saved search adds a saved search obtained from another case to this case, for use in the Saved Searches facet and Keywords tab in the Statistics view.
- Add task adds a post-processing task (e.g. running a keyword list and tagging the results), to be used during post-processing or on-demand via the Tasks option in the File menu.
6. Keyword search
To search for text, enter a query in the Search panel and click the Search button.
For query syntax rules, refer to the “Search query syntax” section below.
When the Search button is clicked and no keyword query has been entered, all items in the case will be returned.
Due to technical limitations a search on the “Comments” field cannot be combined with a search on other fields.
6.1. Search options
With the search options panel, you can limit keyword searching to specific item parts or attributes:
- Text
- Title / Subject
- Summary & Description
- Path (= folder and file name)
- File name
- Message Headers
- Raw Data (e.g. low-level data from PST files, MS Office documents, vCards)
- Comments
- Authors & E-mail Addresses
- Each of the From, Sender, To, Cc and Bcc fields separately
- Export IDs
To see the search options, click the Options button under the search text field. The options box will be displayed as a popup menu below the button.
Select the options for properties that you want to include in your search and deselect those you want to exclude. Your selected search options will be stored and used for future searches until you change them.
The Options box also has a checkbox for setting whether the excluded paragraphs should be considered. By default, this is turned on. Uncheck this checkbox to search the entire document text again.
To prevent application instability, the maximum length of a single search query is limited to 16,000 characters.
To hide the options box, click the Options button again. If you have made any changes, the icon on the Options button will change to a yellow warning sign as a reminder that you have changed options that will affect your searches.
Click the arrows in the Search button to start an Include or Exclude search, rather than a regular search. See the “Including and excluding facet values” section for more information.
6.2. Search query syntax
In the text field of the Search panel you can use special query syntax to perform complex multi-term queries and use other advanced capabilities.
You can also see the list below by clicking on the question mark button in the Search panel.
6.2.1. Lowercase vs. uppercase
Keyword searches work in a case-insensitive manner: during indexing all characters are lowercased, as are the characters in a keyword query.
This means that the query “john” will match with “john”, “John” and “JOHN”.
6.2.2. Use of multiple terms (AND/OR operators)
By default, a query containing multiple terms matches with items that contain all terms anywhere in the item. For example, searching for:
john johnson
returns all items that contain both “john” and “johnson.” There is no need to add an AND (or “&&”), as searches are performed that way already; adding one will not negatively affect your search.
If you want to find items containing at least one term but not necessarily both, use one of the following queries:
john OR johnson
john || johnson
Note: the operators are case-sensitive. If the search text contains "and", it will not be treated as an operator, but as a word to search for.
6.2.3. Minus sign (NOT operator)
The NOT operator excludes items that contain the term after NOT:
john NOT johnson
john -johnson
Both queries return items that contain the word “john” and not the word “johnson.”
john -"john goes home"
This returns all items with “john” in it, excluding items that contain the phrase “john goes home.”
The NOT operator cannot be used with a single term. For example, the following queries will return no results:
NOT john
NOT "john johnson"
Note: the operators are case-sensitive. If the search text contains "not", it will not be treated as an operator, but as a word to search for.
6.2.4. Single and multiple character wildcard searches
To perform a single character wildcard search you can use the “?” symbol. To perform a multiple character wildcard search you can use the “*” symbol.
To search for “next” or “nest,” use:
ne?t
To search for “text”, “texts” or “texting” use:
text*
The “?” wildcard matches with exactly one character. The “*” wildcard matches zero or more characters.
6.2.5. Phrase search
To search for a certain phrase (a list of words appearing right after each other and in that order), enter the phrase within full quotes in the search field:
"john goes home"
will match with the text “John goes home after work” but will not match the text “John goes back home after work.”
Phrase searches also support the use of nested wildcards, e.g.
"john* goes home"
will match both “John goes home” and “Johnny goes home”.
6.2.6. Proximity search
Intella supports finding items based on words or phrases that are within a specified maximum distance from each other in the item’s text. This is a generalization of a phrase search.
To do a proximity search you place a tilde (“~”) symbol at the end of a phrase, followed by the maximum word distance:
"desktop application"~10
returns items with these two words in it at a maximum of 10 words distance.
It is possible to mix individual words, wildcards and phrases in proximity queries. The phrases must be enclosed in single quotes (' ') in this case:
"'desktop application' 'user manual'"~10
Nested proximity searches are also possible:
"'desktop application'~2 'user manual'~4"~10
Nested phrase and proximity queries always use single quotes. Using regular double quotes for them will cause a syntax error. Only one level of nesting is possible.
6.2.7. Grouping
You can use parentheses to control how your Boolean queries are evaluated:
(desktop OR server) AND application
retrieves all items that contain “desktop” and/or “server,” as well as the term “application.”
6.2.8. Fuzzy search
Intella supports fuzzy queries, i.e., queries that roughly match the entered terms. For a fuzzy search, you use the tilde (“~”) symbol at the end of a single term:
roam~
returns items containing terms like “foam,” “roams,” “room,” etc.
The required similarity can be controlled with an optional numeric parameter between 0 and 1. A value closer to 1 means that only terms with a higher similarity to the specified term will match. The parameter is specified like this:
roam~0.8
The default value of this parameter is 0.5.
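The manual does not state how the similarity value is computed. The following Python block is an added example, not Intella code, and assumes the classic Lucene fuzzy rule: similarity = 1 - (edit distance / length of the shorter term). Under that assumption it shows why roam~ (default 0.5) returns foam, roams and room while roam~0.8 returns only the exact term. INDEX_TERMS is a constructed vocabulary.

```python
# Constructed index vocabulary for the demonstration (not from the manual).
INDEX_TERMS = ["foam", "roam", "roaming", "roams", "room", "zebra"]


def levenshtein(a, b):
    """Edit distance (insert, delete, substitute) between two strings, single-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def similarity(term, candidate):
    """Assumed similarity rule: 1 - distance / length of the shorter string, clamped at 0."""
    return max(0.0, 1.0 - levenshtein(term, candidate) / min(len(term), len(candidate)))


def fuzzy_matches(term, index_terms, min_similarity=0.5):
    """Indexed terms that 'term~min_similarity' would match; 0.5 is the manual's default."""
    return sorted(t for t in index_terms if similarity(term, t) >= min_similarity)


if __name__ == "__main__":
    for threshold in (0.5, 0.8):
        print(f"roam~{threshold}: {fuzzy_matches('roam', INDEX_TERMS, threshold)}")
```

Each of foam, roams and room is one edit away from roam, giving a similarity of 0.75: above the 0.5 default, below 0.8. "roaming" needs three edits (0.25) and is excluded even at the default.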
6.2.9. Field-specific search
Intella’s Keyword Search searches in document texts, titles, paths, etc. By default, all these types of text are searched through. You can override this globally by deselecting some of the fields in the Options, or for an individual search by entering the field name in your search.
title:intella
returns all items that contain the word “intella” in their title.
The following field names are available:
- text - searches in the item text
- title - searches in titles and subjects
- path - searches in file and folder names and locations
- filename - searches in file names only
- summary - searches in descriptions, metadata keywords, etc.
- agent - searches in authors, contributors and email senders and receivers
- from - searches in email From fields
- sender - searches in email Sender fields
- to - searches in email To fields
- cc - searches in email Cc fields
- bcc - searches in email Bcc fields
- headers - searches in the raw email headers
- rawdata - searches in raw document metadata
- comment - searches in all comments made by reviewer(s)
- export - searches in the export IDs of the items that are part of any export set
The summary field can contain a lot of metadata fields:
- Comments (as originating from the evidence files)
- Template
- Organization
- Location
- Contact note
- Generators
- Keywords
- Password
- Certificate
- Message ID
- Document ID
- Native ID
You can mix the use of various fields in a single query:
intella agent:john
searches for all items containing the word “intella” (in one of the fields selected in the Options) that have “john” in their author metadata or email senders and receivers.
6.2.10. Regular expressions
Keyword queries can also be expressed using regular expressions. Be aware that these regular expressions are evaluated on the terms index, not on the entire document text as a single string of characters. Your search expressions should therefore take the tokenization of the text into account.
To search for a regular expression, put it between "/" slash characters:
/.?ext.*/
The result will match tokens like “next”, “text”, “texts”, “texting” and so on.
Please visit http://lucene.apache.org/core/5_2_1/queryparser/org/apache/lucene/queryparser/classic/package-summary.html#Regexp_Searches for more information on the regular expression syntax.
For regular expressions evaluated on the raw document text, see the section on the Content Analysis facet.
6.2.11. Tokenization and Special characters
Tokenization underlies the keyword search functionality in Intella. It is the process of dividing texts into primitive searchable fragments, known as "tokens" or "terms". Each token makes a separate entry in the text index, pointing to all items containing this token. Keyword search works by finding matches between the tokens in the user’s query and in the index. Therefore, for effective keyword search, it is vital to have a basic understanding of how tokenization works in Intella.
Tokenization employs different algorithms, but in the most common case it is simply splitting the text around specific characters known as "token delimiters". These delimiters include spaces, punctuation symbols, and other non-alphabetic characters, to produce tokens close to the natural language words.
A side effect of this method is that it is impossible to search for words together with the token delimiters. If these characters appear in the user query, they play their delimiting role and are handled the same as simple spaces. This is rarely a problem, although it should be taken into account when doing a keyword search.
A note on acronyms: Period characters in the acronym or abbreviation words do not separate tokens. The entire acronym is indexed as a single token without periods (“U.S.A” → “USA”). This means that keyword searches with either variant (with or without periods) will return the same result.
To search for exact text fragments, including all punctuation and special characters, the Content Analysis functions can be used (see the section on the Content Analysis facet for details).
A list of all search tokens generated for an item can be seen in the "Words" tab of the Previewer window.
There is no specific support for the handling of diacritics. E.g., characters like é and ç will be indexed and displayed, but these characters will not match with 'e' and 'c' in full-text queries. A workaround can be to replace such characters with the '?' wildcard.
The following characters have special meaning in the query syntax and may cause an error message if not used in accordance with the syntax rules:
+ - && || ! ( ) { } [ ] ^ " ~ * ? : / \
To prevent syntax errors, these characters need to be escaped with a preceding \ character. Please note that if the character is classified as a token delimiter, then escaping it in the query will not make it searchable.
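The tokenization, regex-on-terms and escaping behaviour described in sections 6.2.10 and 6.2.11 can be seen together in one small model. The following Python block is an added example and is not Intella's tokenizer: it assumes that terms are lowercased, that a token delimiter is any character that is not a letter or digit, and that the acronym rule can be approximated by stripping periods from runs of single letters. SAMPLE is a constructed text; QUERY_SPECIALS is the character list given above.

```python
import re

# Characters with special meaning in the query syntax (the list given above).
QUERY_SPECIALS = set('+-&|!(){}[]^"~*?:/\\')

# Constructed sample text (not from the manual).
SAMPLE = "Next, the U.S.A. text-file (texts) was texting: next!"

# Runs of single letters separated by periods, e.g. U.S.A or U.S.A. (assumed approximation).
_ACRONYM = re.compile(r"\b(?:[A-Za-z]\.)+[A-Za-z]\b\.?")


def tokenize(text):
    """Approximation of the tokenization described above (assumed, not Intella's actual code):
    periods inside an acronym are dropped so 'U.S.A' indexes as one token, then the text is split
    on token delimiters (anything that is not a letter or digit). Terms are lowercased here on
    the assumption that term matching is case-insensitive."""
    text = _ACRONYM.sub(lambda m: m.group(0).replace(".", ""), text)
    return re.findall(r"[A-Za-z0-9]+", text.lower())


def regex_terms(pattern, tokens):
    """A /regex/ query is evaluated per indexed term, so the pattern has to match a whole token;
    it never sees the running text with its spaces and punctuation."""
    rx = re.compile(pattern)
    return sorted({t for t in tokens if rx.fullmatch(t)})


def escape_query(term):
    """Backslash-escape every query-syntax character so the query parser accepts the term."""
    return "".join("\\" + c if c in QUERY_SPECIALS else c for c in term)


def searchable_terms(escaped_term):
    """What an escaped term is actually matched against: the escapes are removed and the result
    is tokenized, so a delimiter such as '-' disappears even though the query parsed fine."""
    return tokenize(re.sub(r"\\(.)", r"\1", escaped_term))


if __name__ == "__main__":
    tokens = tokenize(SAMPLE)
    print("tokens:", tokens)
    print("/.?ext.*/ matches:", regex_terms(r".?ext.*", tokens))
    print("escaped:", escape_query("text-file"), "-> searched as", searchable_terms(escape_query("text-file")))
```

The last line of the demo is the point of the note above: escaping the hyphen in text-file makes the query parse, but the index only holds the tokens "text" and "file", so the hyphen itself can never be matched.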
7. Using facets
Besides keyword searching, the indexed items can be browsed by facets, which represent specific item properties. Every facet organizes the items into groups (possibly hierarchical) depending on a specific item property.
Selecting a facet in the Facet panel will give you a list of all values of the selected facet in the lower part of the panel. In the example on the right, the Type facet has a list of file types as values.
To search for items that match a facet value, select the facet value, and click the Search button.
When search results are displayed in the Results panel and items in that set are associated with a facet value, that value will be highlighted in bold blue text in the facet’s value list. This indicates that the value occurs in the current search results and can be used to further drill down into those results. Furthermore, the number of items in the result set that have that value will be shown, followed by the total number of items in the case that have that value. This feature is called facet highlighting.
To copy the selected facet value to the system clipboard, open the context menu with right mouse click and select “Copy”, or use the Ctrl+C keyboard shortcut.
To export facet information, (1) select a facet, (2) right-click on the facet values to open the context menu, and (3) select Export values…. This will open the Export values dialog. Choose a file name and folder and save the export file. The CSV file will contain the facet values (e.g. file types, email addresses, folder names), their total counts in the case, and their currently shown counts, which represent the overlap with the currently shown search results.
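Facet highlighting, drill-down and the two counts written by Export values… can be modelled on a small in-memory case. The following Python block is an added example, not Intella code: ITEMS is a constructed five-item case with two facets, and the CSV column headers are chosen for the example rather than taken from Intella's export file.

```python
import csv
import io
from collections import Counter

# Constructed five-item case (not from the manual): item ID -> facet values.
ITEMS = {
    1: {"type": "PDF", "custodian": "alice"},
    2: {"type": "PDF", "custodian": "bob"},
    3: {"type": "Word", "custodian": "alice"},
    4: {"type": "JPEG", "custodian": "carol"},
    5: {"type": "Word", "custodian": "bob"},
}


def facet_search(items, facet, value):
    """Selecting a facet value and clicking Search: the IDs of all items carrying that value."""
    return {i for i, item in items.items() if item[facet] == value}


def highlight(items, facet, results):
    """Facet highlighting of one facet against a result set: value -> (count within the
    results, total count in the case). Values whose first number is non-zero are the ones
    shown in bold and can be used to drill down further."""
    total = Counter(item[facet] for item in items.values())
    shown = Counter(items[i][facet] for i in results)
    return {value: (shown.get(value, 0), total[value]) for value in total}


def drill_down(items, facet, value, results):
    """Refining the current results by a highlighted facet value is a set intersection."""
    return results & facet_search(items, facet, value)


def export_values_csv(items, facet, results):
    """Export values...: one row per facet value with its total count in the case and its
    currently shown count (the overlap with the current results). Headers chosen here."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["Value", "Total count", "Shown count"])
    for value, (shown, total) in sorted(highlight(items, facet, results).items()):
        writer.writerow([value, total, shown])
    return buf.getvalue()


if __name__ == "__main__":
    alice_items = facet_search(ITEMS, "custodian", "alice")
    print("Type facet while showing alice's items:", highlight(ITEMS, "type", alice_items))
    print("Drill down to PDF:", drill_down(ITEMS, "type", "PDF", alice_items))
    print(export_values_csv(ITEMS, "type", alice_items))
```

With alice's two items as the current results, the Type facet shows PDF as 1 of 2, Word as 1 of 2 and JPEG as 0 of 1; only PDF and Word would be highlighted.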
7.1. Available facets
7.1.1. Saved Searches
The Saved Searches facet is a list of previous sets of searches that the user has stored.
When there are search results displayed in the Cluster Map and the Searches list, the Save button beneath the Searches list will be enabled. When the user clicks this button, a dialog opens that lets the user enter a name for the saved search. A default name will be suggested based on the current searches. After clicking on the OK button, the chosen name will appear in the list in the Saved Searches facet.
Click on the name of the saved search and then on the Restore button to bring the Cluster Map and the Searches list back into the state it had when the Save option was used.
The “Replace current results” checkbox controls what happens with the currently displayed searches when you restore a saved search. When turned on, the Cluster Map and Searches list will be emptied first. When turned off, the contents of the saved search will be appended to them.
The “Combine queries” checkbox can be used to combine the result sets of all parts of the saved search into a single result set. This is for example useful when the various parts are conceptually meant to find the same set of items, just in a technically different way. An example is a set of complex Boolean queries that could have been combined into a single Boolean OR query, but that the user prefers to keep separate in the saved search definition.
Saved searches can be shared across cases. To transfer a saved search, right-click on it in the list and select “Export search…”. The search is exported as an XML file, which can then be imported into any other case by right-clicking in this list and selecting “Import searches…”.
Saved searches are grouped by the user who made them. Depending on the Intella version used to create the case, a “Default searches” branch may also be present with pre-defined saved searches.
7.1.2. Features
The Features facet allows you to identify items that fall in certain special purpose categories:
- Encrypted: all items that are encrypted. Example: password-protected PDF documents. If you select Encrypted and click the search button, you will be shown all items that are encrypted.
  Sometimes files inside an encrypted ZIP file are visible without entering a password, but a password still needs to be entered to extract the file. Such files cannot be exported with Intella if the password has not been provided prior to indexing. In this case both the ZIP file and its encrypted entries will be marked as Encrypted, so searching for all encrypted items and exporting those will capture the parent ZIP file.
- Decrypted: all items in the Encrypted category that Intella could decrypt using the specified access credentials.
- Unread: all emails, SMS/MMS messages, chat messages, and conversations that are marked as “unread” in the source file. Note that this status is not related to previewing in Intella.
  This property is only available for PST, OST and EDB emails, and some cellphone dumps. If the Unread property is not set, it could mean either that the item was not read or that the property is not available for this item. Some tools allow the user to reset a message’s unread status, so even when the flag is set, it cannot be said with certainty that the message has not been read.
- Empty documents: all items that have no text while text was expected. Example: a PDF file with only images.
- Has Duplicates: all items that have a copy in the case, i.e. an item with the same MD5 or message hash.
- Has Shadow Copies: all items that have another version located in a shadow copy volume.
- Has Geolocation: indicates whether the item has geolocation information.
- Downloaded from Internet: indicates items that may have been downloaded from the Internet. Intella determines such items by looking at the Zone.Identifier alternate data stream in NTFS file systems. Where possible, Intella will extract the URL the file was downloaded from. This URL can then be found in the Raw Data tab.
- OCRed: indicates whether the item has been OCRed after indexing. See the separate chapter on OCRing of documents and images.
- Has Imported Text: indicates whether the item has text imported via the “-importText” command-line option.
- Content Analysed: all items for which the Content Analysis procedure has been applied.
- Images Analysed: all items for which the Image Analysis procedure has been applied.
- Exception items: all items that experienced processing errors during indexing. This has six subcategories that match the warning codes in the exception report:
  - Unprocessable items: the data cannot be processed because it is corrupt, malformed or not understood by the processor. Retrying will most likely produce the same result.
  - I/O errors: the processing failed due to I/O errors. The processing might succeed in a repeated processing attempt.
  - Decryption failures: the data cannot be processed because it is encrypted and a matching decryption key is not available. The processing might succeed in a repeated processing attempt when the required decryption key is supplied.
  - Timeout errors: the processing took too long and was aborted. See the "Memory, crawler count and timeout settings" chapter for details on how to configure the crawler timeout.
  - Out of memory errors: the processing failed due to a lack of memory.
  - Processing errors: the processing failed due to a problem/bug in the processor. The description should contain the stack trace.
  - Truncated text: the extracted text was not processed entirely. See the “Exceptions report” section for more details.
  - Crawler crash: the processing failed due to a crawler crash. This is a more severe error compared to the Processing Error type. When it occurs, Intella will also reject all items that are related to the crashed item (e.g. a PST file and all of the emails that it contains). More details about why the crawler crashed can usually be found in a hs_err_pid_XYZ.log file located in the case logs folder (one file per crash). Crawler crashes will not affect other items or the case integrity.
- Extraction unsupported: all items that are larger than zero bytes, whose type could be identified by Intella and that are not encrypted, but for which Intella does not support content extraction. An example would be AutoCAD files: Intella detects this type but does not support extracting any content from it.
- Text Fragments Extracted: indicates whether heuristic string extraction has been applied on a (typically unrecognized or unsupported) binary item.
- Irrelevant: all items that fall into one of the “Irrelevant Items” categories, which are typically considered to be of little relevance to a review. See the Preferences section for details on this automatic classification.
- Threaded: all items that have been subjected to email threading processing and that were subsequently assigned to a thread (see the Email Thread facet). Subtypes:
  - Inclusive: all email items marked as inclusive.
  - Non-Inclusive: all email items marked as non-inclusive.
  - Missing Email Referent: indicates that the threading process has detected that the email item is a reply to another email or a forwarded email, but the email that was replied to or that has been forwarded is not available in the case.
- Recovered: all items that were deleted from a PST, NSF, EDB, disk image, cellphone report, cloud source or volume shadow copy and that Intella could still (partially) recover. The items recovered from PST, NSF and EDB files are the items that appear in the artificial “<RECOVERED>” and “<ORPHAN ITEMS>” folders of these files in the Location facet. The items recovered from volume shadow copies are located in the artificial "<Volume Shadow Copies>" folder of the parent volume in the Location facet. The Recovered branch in the Features facet has the following sub-branches, based on the recovery type and the container type:
  - Recovered from PST.
  - Orphan from EDB.
  - Orphan from NSF.
  - Orphan from PST.
  - Recovered from cellphone.
  - Recovered file metadata from disk images.
  - Recovered entire file content from disk images.
  - Recovered partial file content from disk images.
  - Recovered from cloud source.
  - Recovered from volume shadow copy.
  - Carved from unallocated space.
- Attached: all items that are attached to an email, conversation, or document. Only the direct attachments are reported; any items nested in these attachments are not classified as Attachment. Furthermore, items that are classified as Embedded Image are not classified as Attachment, and vice versa.
- Has attachments: all emails, documents and user activities that have other items attached to them. Note that this does not include embedded images.
- Embedded images: all inlined images in emails, documents, spreadsheets, or presentations.
  Formally, an image is classified as “embedded image” when it is displayed as part of the native rendering of its direct parent. This happens when the parent is displayed in the Preview tab of the Previewer and when the parent is exported to PDF in “Original view” mode. An embedded image is thus already “visible elsewhere” when the original view is used, which (depending on your policy) may be reason not to export this image item separately as well, saving exporting and/or reviewing time.
- Tagged: all items that are tagged.
- Flagged: all items that are flagged.
- Commented: all items that have a comment.
- Previewed: all items that have been opened in Intella’s previewer.
- Opened: all items that have been opened in their native application.
- Exported: all items that have been exported.
- Redaction: all items that have been subject to one of the redaction procedures. See the section on Redaction for more information.
  - Redacted: all items that have one or more parts blacked out due to redactions. Items on which the Redact function has been used but in which no parts have been marked as redacted are not included in this category.
  - Queued for Redaction: all items that have their “Queued for Redaction” checkbox selected. These will turn to “Redacted” once the user performs the “Process Redaction Queue” function on them.
  - Missing keyword hits: all items that had a redaction issue when Process Redaction Queue was invoked.
- Batched: all items that have been assigned to a coding batch. This can happen when a case is reviewed in Intella Connect, our web-based companion product.
- Top-level parents: all top-level parent items in the case.
- Item stubs: when items are exported to a target case without their parents in the export set as well, their parents will be represented by stubs.
- W4 Delta: new items found by Intella in imported W4 cases.
- Analyzed for Near-Duplicates: all items that have been analyzed in the last Near-Duplicate Analysis procedure.
- Has Near-Duplicates: all items that have been positively assessed and included in near-duplicate groups by the last Near-Duplicate Analysis procedure.
- Has Event Note: all items that have a note assigned to one of their events.
- All items: all items (non-deduplicated) in the entire case.
In cases in which multiple users have worked, i.e. shared cases, the Previewed, Opened, Exported, Commented, Tagged, and Flagged nodes shown in the Facet panel will have sub-nodes, one node for each user.
To export the categories and their counts to a CSV file, right-click anywhere in the facet’s values area and select “Export values…”.
7.1.3. Tags
Tags are labels defined by the user to group individual items. Typical examples of tags are “relevant”, “not relevant” and “legally privileged”.
Tags are added to items by right-clicking in the Results table or the Cluster Map and choosing the Tags > Add Tags… option. Tags can also be added in the Previewer. The exact procedure is described in other sections of this manual.
To search for all items with a certain tag, select the tag from the Tags list and click the Search button below the list.
When tags have been added by different users in the same case, the Tags facet panel will have a drop-down list at the bottom, listing the names of all reviewers that have been active in this case. You can use this list to filter the tags list for taggings made by a selected reviewer only. Select the “all” option to show taggings from all users.
If the same tag has been used by different reviewers, their names and the numbers of tagged items are displayed in the tag statistics line (in the parentheses after the tag name). The list of reviewers can include “You” to indicate taggings made by the current case user. If no reviewer name is mentioned, it means that all taggings with this tag are made by the current user only.
The tags can be organized into a hierarchical system by the creation of sub-tags within an existing (parent) tag group. To create a sub-tag, select an existing tag in the Tags facet and choose “Create new tag inside …” in the context menu. In the dialog box, enter the name and (optionally) the description of the new tag.
To rename a tag or change the tag description, select the tag in the facet and choose “Edit…” in the context menu.
When a tag is renamed, all items associated with this tag will be assigned the new tag name automatically. However, some operations that depend on specific tag names (such as indexing tasks with the Tag condition, see 10.5.1) may need to be corrected manually.
To delete a tag, select it in the facet and choose “Delete…” in the context menu.
To export the tags and their counts to a CSV file, right-click anywhere in the facet’s values area and select “Export values…”.
7.1.4. Identities
The Identities facet makes it possible to search for all items related to an identity, as defined in the Identities tab.
Searching for an identity queries for all items that have any of the identity’s aliases as sender/receiver/caller/callee/etc. Effectively, it gathers all messages in which the identity is a participant through one of its aliases.
To export the identities and their counts to a CSV file, right-click anywhere in the facet’s values area and select “Export values…”.
7.1.5. Custodians
Custodians are assigned to items to indicate the owner from whom an evidence item was obtained. The “Custodians” facet lists all custodian names in the current case and allows searching for all items with a certain attribute value.
Custodian name attributes are assigned to items either automatically (see the section on custodian name post-processing) or manually in the Details panel. To assign a custodian to items selected in the Details panel, use the “Set Custodian…” option in the right-click menu. To remove custodian information from selected items, choose the “Clear Custodian…” option.
To change a custodian’s name, select it in the list and choose “Edit custodian name…” in the right-click menu.
To delete a custodian from the case and clear the custodian attribute in all associated items, select the value in the facet panel and choose “Delete” in the right-click menu.
To export the custodians and their counts to a CSV file, right-click anywhere in the facet’s values area and select “Export values…”.
Custodians in Compound Cases
Custodian names defined and assigned to items in the sub-cases are available in the “Custodians” facet of a Compound Case. If two or more sub-cases define the same custodian name, this name appears in the facet as a single value. The search result of this facet value will be a union of all items assigned to this custodian name in all sub-cases.
Sub-case custodians are read-only in a Compound Case: it is not possible to edit or delete them, or to remove the item assignments made in the sub-cases. However, it is possible to reuse the sub-case custodians for new assignments in the Compound Case. These assignments will be specific to the Compound Case and will not affect the sub-cases.
A Compound Case can also define local custodian names, which can be assigned, unassigned, edited, or deleted just like custodians in a regular case.
7.1.6. Location
This facet represents the folder structure inside your sources. Select a folder and click Search to find all items in that folder.
When “Search subfolders” is selected, the selected folder, all items in that folder, and all items nested in subfolders will be returned, i.e. all items in that entire sub-tree.
When “Search subfolders” is not selected, only the items nested in that folder will be returned. Items nested in subfolders will not be returned, nor will the selected folder itself be returned.
When your case consists of a single indexed folder, then the Location tree will show a single root representing this folder. Selecting this root node and clicking Search with “Search subfolders” switched on will therefore return all items in your case.
When your case consists of multiple mail files that have been added separately, e.g. by using the PST and NSF source types in the New Source wizard, then each of these files will be represented by a separate top-level node in the Location tree.
To export the subfolders and their counts of a given location node to a CSV file, right-click on that node and select “Export values…”.
7.1.7. Email Address
This facet represents the names and/or email addresses of persons involved in sending and receiving emails. The names are grouped in the following categories:
- From
- Sender
- To
- Cc
- Bcc
- Addresses in Text
- All Senders (From, Sender)
- All Receivers (To, Cc, Bcc)
- All Senders and Receivers
- All Addresses
The first five categories list email addresses found in the corresponding message headers. Most emails typically only have a From header, not a Sender. The Sender header is often used in the context of mailing lists. When a list server forwards a mail sent to a mailing list to all subscribers of that mailing list, the message sent out to the subscribers usually has a From header representing the conceptual sender (the author of the message) and a Sender header representing the list server sending the message to the subscribers on behalf of the author.
The “All Senders”, “All Receivers” and “All Senders and Receivers” categories group addresses into specific sender or recipient roles, abstracting from the specific header that was used.
The “Addresses in Text” category lists email addresses that are mentioned in message and document bodies.
“All Addresses” groups together all other categories and thus contains all email addresses found anywhere in either message headers or textual content.
Sorting and grouping
The contacts can be sorted alphabetically by email addresses (the default order), by the contact name associated with them or by the number of items associated with this contact. To change the sorting method, right-click anywhere in the facet and choose the desired sorting method from the “Organize” menu.
The addresses can optionally be grouped by the host name used in the email address. To enable or disable grouping, select the “Group by host name” option in the “Organize” section of the context menu. Enabling this option adds another level of nodes to the tree, representing the host names.
Filtering on text
To quickly find specific email addresses, contact names or host names, it is possible to filter the facet content to only display the values that contain a specific substring. To filter the contacts in a specific category, expand the tree branch and click on the filter button below the tree. In the text field that appears, enter the text. The tree will be filtered to show only those contacts whose contact name or email address contains the entered text.
To cancel filtering and hide the text field, click the filter button again or type Escape.
Filtering on presence in the current search results
To display only the highlighted email addresses, i.e. the addresses that occur in the currently visible or selected search results, click on the button. To return to displaying all addresses, just click this button again.
This type of filtering is removed automatically when a different branch is expanded, the selection in the facet or Cluster Map changes or when the sorting or grouping mode changes.
This filter can be used in combination with the text filter.
Exporting email addresses
To export the email addresses and their counts of a given Email Address facet branch to a CSV file, right-click on the node of that branch and select “Export values…”.
7.1.8. Phone Number
This facet lists phone numbers observed in phone calls, SMS and MMS messages extracted from cellphone reports. Furthermore, this includes phone numbers listed in PST contacts and vCard files.
The “incoming” and “outgoing” branches are specific to phone calls and SMS/MMS messages. The “All Phone Numbers” branch combines all the above contexts.
Depending on the type of evidence files and their contents, the phone numbers may or may not have a name associated with them.
This facet also supports the filtering options described in the Email Address section.
To export the phone numbers and their counts of a given Phone Number facet branch to a CSV file, right-click on the node of that branch and select “Export values…”.
7.1.9. Chat Account
This facet lists chat accounts used to send or receive chat messages, such as Skype and WhatsApp account IDs. Phone numbers used for SMS and MMS messages are also included in this facet.
Depending on the type of evidence files and their contents, the chat accounts may or may not have a human-readable name associated with them.
This facet also supports the filtering options described in the Email Address section.
To export the chat account names and their counts of a given Chat Account facet branch to a CSV file, right-click on the node of that branch and select “Export values…”.
7.1.10. Recipient Count
This facet lets the user search on recipient count ranges by entering the type and the number of recipients (minimum and maximum). The following recipient types are supported:
- All Recipients: all email, chat, and cellphone recipients.
- Visible Recipients: visible email, chat, and cellphone recipients (To, Cc).
- Blind Recipients: blind carbon copy email recipients (Bcc).
7.1.11. Date
This facet lets the user search on date ranges by entering a From and To date. Please note that the date entered in the To field is considered part of the date range.
Besides start and end dates, Intella lets the user control which date attribute(s) are used:
- Sent (e.g. all email items)
- Received (e.g. all email items)
- File Last Modified (e.g. file items)
- File Last Accessed (e.g. file items)
- File Created (e.g. file items)
- Content Created (e.g. file items and email items from PST files)
- Content Last Modified (e.g. file items and email items from PST files)
- Primary Date
- Family Date
- Last Printed (e.g. documents)
- Called (e.g. phone calls)
- Start Date (e.g. meetings)
- End Date (e.g. meetings)
- Due Date (e.g. tasks)
A checkbox is provided for easy (de)selection of all attributes at once.
The Date facet will only show the types of dates that occur in the evidence data of the current case.
Furthermore, it is possible to narrow the search to only specific days or specific hours. This makes it possible to e.g. search for items sent outside of regular office hours.
Note that the Preferences dialog has a setting that controls how dates are displayed: by selecting a geographic region, all dates will be displayed in a manner commonly used in that region.
7.1.12. Type
This facet represents the file types (Microsoft Word, PDF, JPEG, etc.), organized into categories like Documents, Spreadsheets, etc. To refine your query with a specific file type, select a type from the list and click “Search”.
Note that you can search both for specific document types like PNG Images and for the entire Image category.
Empty (zero byte) files are classified as “Empty files” in the “Others” branch, regardless of their file extension.
To export the types and their counts to a CSV file, right-click anywhere in the facet’s values area and select “Export values…”.
7.1.13. Author
This facet represents the name(s) of the person(s) involved in the creation of documents. The names are grouped into two categories, as is done in most office formats:
- Creator
- Contributor
To refine your query by a specific creator or contributor name, select the name and click the Search button.
This facet also supports the filtering options described in the Email Address section.
To export the author names and their counts of a given Author facet branch to a CSV file, right-click on the node of that branch and select “Export values…”.
7.1.14. Content Analysis
The Content Analysis facet allows you to search items based on specific types of entities that have been found in the textual content of these items.
The top three categories are populated automatically during indexing and are available immediately afterwards:
- Credit Card Numbers – suspected numbers of the major world-wide credit card systems (Visa, MasterCard, American Express and others).
- Social Security Numbers – suspected SSN numbers issued by the United States Social Security Administration.
- Phone Numbers – suspected phone numbers.
For credit card numbers, the algorithm looks for a sequence of digits matching the patterns of most common credit card systems (e.g. Visa, MasterCard, American Express, Diners Club). This digit sequence can be arbitrarily mixed with space and dash characters. Additionally, the Luhn checksum is tested for this sequence to make sure that this is a valid credit card number.
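As an added illustration (not Intella's own code), the detection logic described above in Python: candidate digit runs that may be mixed with spaces and dashes, issuer patterns, and the Luhn checksum. The issuer prefix and length rules are the commonly published ones and are an assumption about what Intella matches; the sample text is constructed from well-known test numbers.

```python
"""Added example, not Intella's code: suspected credit card number detection
as described in the manual (digit runs mixed with spaces/dashes, issuer
patterns, Luhn checksum)."""
import re

# A candidate is 13-19 digits, each digit optionally followed by a space or
# dash, and not glued to further digits or dashes on either side.
CANDIDATE_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")

# Assumption: the commonly published issuer prefix/length rules; Intella's
# own pattern list is not documented and may differ.
ISSUER_PATTERNS = [
    ("Visa", re.compile(r"^4\d{12}(?:\d{3})?$")),
    ("MasterCard", re.compile(
        r"^(?:5[1-5]\d{2}|2(?:2[2-9]\d|[3-6]\d{2}|7[01]\d|720))\d{12}$")),
    ("American Express", re.compile(r"^3[47]\d{13}$")),
    ("Diners Club", re.compile(r"^3(?:0[0-5]|[68]\d)\d{11}$")),
]


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: from the right, double every second digit, subtract 9
    from doubled values above 9, and require the sum to be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def issuer_for(digits: str):
    """Name of the first issuer pattern the bare digit string matches, or None."""
    for name, pattern in ISSUER_PATTERNS:
        if pattern.match(digits):
            return name
    return None


def find_card_numbers(text: str):
    """Return (issuer, normalized digits) for each suspected card number:
    a candidate run that matches an issuer pattern AND passes Luhn."""
    found = []
    for match in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        issuer = issuer_for(digits)
        if issuer and luhn_valid(digits):
            found.append((issuer, digits))
    return found


# Constructed sample text: two published test numbers, one Luhn failure and
# a phone number that is too short to be a candidate.
SAMPLE_TEXT = ("Card 4111-1111-1111-1111, amex 3782 822463 10005, "
               "typo 4111111111111112, tel 555-123-4567")
```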
The other categories in this facet are empty by default. To populate them, a user needs to perform the automatic content analysis procedure on a selected set of items. Please see the “Content Analysis” section for instructions.
This facet also supports the filtering options that are available in the Email Address facet.
To export the entities and their counts of a given Content Analysis facet branch to a CSV file, right-click on the node of that branch and select “Export values…”.
7.1.15. Image Analysis
The Image Analysis facet allows you to search items based on the results of the Image Analysis performed on these items.
The categories in this facet are empty by default. To populate them, a user needs to perform the automatic Image Analysis procedure on a selected set of items. Please see the “Image Analysis” section for instructions.
The facet tree contains three branches:
- Skin tone (sub-categorized as Weak, Medium and Strong based on the presence of human skin colors)
- Image categories (general types of images, such as Documents, IDs, Photos, etc.)
- Detected objects (the objects detected by the Image Analysis algorithm, such as Persons, Vehicles, etc.)
Image analysis provides probabilistic confidence score estimations for each result, expressed as a floating point number between 0.0 and 1.0. The “Min. confidence” slider specifies the value of a threshold filter applied to the results in this facet. The image items evaluated with lesser confidence scores than the current threshold will not appear in the search results of this facet. It is possible to execute multiple searches with the same facet value but different confidence thresholds.
The “Min. confidence” setting does not affect the values in the “Skin tone” category.
This facet also supports the filtering options that are available in the Email Address facet.
To export the entities and their counts of a given Image Analysis facet branch to a CSV file, right-click on the node of that branch and select “Export values…”.
7.1.16. Email Thread
In the Email Thread facet you can search for emails based on the email thread identified by the email threading procedure. To populate this facet, a user needs to perform the email threading procedure on a selected set of items. Please see the Email Threading section for instructions.
By default, all threads containing only a single email are hidden from view, as they can greatly increase the length of the list and are typically of little use. To include these threads in the list, uncheck the “Hide threads with one email” checkbox.
To export the email thread names and their counts to a CSV file, right-click anywhere in the facet area and select “Export values…”.
7.1.17. Near-Duplicates
This facet lists all item groups identified by the last near-duplicates analysis. To populate this facet, a user needs to perform near-duplicate analysis on a selected set of items. Please see the "Near-duplicates Analysis" section for instructions.
The names of near-duplicate groups are derived from the titles of their master items. Searching for a group produces a set of items that includes the master item and its near-duplicates that have similarity scores larger than or equal to the threshold specified for near-duplicates analysis.
The groups can be sorted alphabetically by name (the default order) or by size (the number of associated near-duplicate items). To change the sorting method, right-click anywhere in the facet and choose the desired sorting method from the “Organize” menu.
To export the near-duplicate group names and their counts to a CSV file, right-click anywhere in the facet area and select “Export values…”.
7.1.18. Keyword Lists
In the Keyword List facet, you can load a keyword list, for automating searching with sets of previously determined queries.
The most basic keyword list is a text file in UTF-8 encoding that contains one search term per line. Once loaded, all the search terms found in the keyword list are shown in the Keyword Lists facet. They are now available for searching: just select one or more queries, or select the name of the keyword list, and click the Search button to search with these queries.
When the “Combine queries” checkbox is selected and you have multiple queries selected, they will be combined into one query, effectively creating a single Boolean OR query. The matching items are then returned as a single set of results. When the checkbox is deselected, the selected queries will be evaluated separately, resulting in as many result sets as there are selected queries in the list. This may cause the Cluster Map to switch to Sets mode to handle a large number of result sets.
Keyword lists can also use more advanced queries. The complete keyword search query syntax is supported here, e.g. wildcards, Boolean operators and field names can be used.
Besides searching, keyword lists can also be used to tag items. To do this, select the keyword list and click the Auto-tag button. A window will open that lists the queries in the first column and the proposed tag in the second column. When you click Apply, each query in the first column will be evaluated separately and have its results tagged with the proposed tag.
By default, the proposed tags are the queries itself. You can change this interactively in the table by clicking on the proposed tag and entering a new value. Alternatively, a keyword list can take the form of a CSV file in which the first column specifies the query and subsequent columns specify the tags. Use slashes to denote hierarchical tags. If a line has only one column, the proposed tag will default to the query text itself.
An example keyword list with associated tags could look like this:
confidential,Responsiveness/Privileged,Sensitivity/High
patent,Sensitivity/Medium
This will tag all items containing the term “confidential” with the tag “Privileged”, nested beneath the tag “Responsiveness”, and as “High” in the context of the “Sensitivity” parent tag. Furthermore, all items containing the term “patent” will be tagged as “Medium” in the context of the “Sensitivity” parent tag.
As keyword lists are essentially CSV files, it is not recommended to use commas in queries, because they result in a different interpretation of the keyword list. If a comma in a query is required, you can wrap the entire query in quotes.
The tags specified in the CSV file will be mapped to or result in the creation of top-level tags.
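As an added example (not Intella's code), a small parser for the CSV keyword list form described above: first column is the query, further columns are tags, slashes denote a tag hierarchy, a quoted query may contain commas, and a one-column line gets the query text itself as its proposed tag. The sample list reuses the manual's two lines plus two constructed ones.

```python
"""Added example, not Intella's code: parse a CSV keyword list into
(query, tag paths) pairs following the rules stated in the manual."""
import csv
import io


def parse_keyword_list(text: str):
    """Return a list of (query, tags), where tags is a list of tag paths and
    each path is a list of nested tag names, top level first."""
    entries = []
    # The csv module handles the quoting rule: a query wrapped in double
    # quotes may contain commas without being split into columns.
    reader = csv.reader(io.StringIO(text), skipinitialspace=True)
    for row in reader:
        row = [col.strip() for col in row]
        if not row or not row[0]:
            continue  # blank line
        query, tag_columns = row[0], [c for c in row[1:] if c]
        if not tag_columns:
            tag_columns = [query]  # one-column line: the proposed tag is the query itself
        tags = [[part for part in col.split("/") if part] for col in tag_columns]
        entries.append((query, tags))
    return entries


def top_level_tags(entries):
    """The top-level tags the list would map to or create when applied."""
    return sorted({path[0] for _, tags in entries for path in tags})


# Constructed sample keyword list: the manual's two lines, a quoted query
# containing a comma, and a one-column line using field syntax.
SAMPLE_LIST = """\
confidential,Responsiveness/Privileged,Sensitivity/High
patent,Sensitivity/Medium
"merger, acquisition",Responsiveness/Hot
subject:invoice*
"""
```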
7.1.19. MD5 and Message Hash
Intella can calculate MD5 and message hashes to check the uniqueness of files and messages. If two files have the same MD5 hash, Intella considers them to be duplicates. Similarly, two emails or SMS messages with the same message hash are duplicates. With the MD5 and Message Hash facet you can:
- Find items with a specific MD5 or message hash and
- Find items that match with a list of MD5 and message hashes.
Specific MD5 or message hash
You can use Intella to search for files that have a specific MD5 or message hash. To do so, enter the hash (32 hexadecimal digits) in the field and click the Search button.
List of MD5 or message hashes
The hash list feature allows you to search the entire case for MD5 and message hash values from an imported list. Create a text file (.txt) with one hash value per line. Use the Add… button in the MD5 Hash facet to add the list. Select the imported text file in the panel and click the Search button below the panel. The items that match with the MD5 or message hashes in the imported list will be returned as a single set of results (one cluster).
Structured vs Legacy message hash
In Intella 2.2.2 a more flexible algorithm for calculating message hashes has been introduced: structured message hashes. Cases that have been created with Intella 2.2.2 or newer will use the structured message hashes by default. Cases that have been created with older versions will keep using the old algorithm until the case is fully re-indexed. That re-index is required to calculate the Body Hash, one of the four components of structured message hashes, for applicable items. You can configure the algorithm for message hashes from the Preferences window.
Structured message hash
Intella’s structured message hash consists of four components: Header, Recipients, Body, and Attachments. By default, the calculated message hash will be based on all four components, but you can deselect any of these to make deduplication of message items less strict. For example, when the Recipients component is deselected, an email with a Bcc header will be considered a duplicate of an email without that header (assuming all other components are equal).
For email items, the following data is included in the four components of a structured message hash:
- Header – The sender, subject and sent date.
- Recipients – The To, Cc and Bcc header values.
- Body – The email’s text body.
- Attachments – The combined MD5 hashes of all email attachments.
All upper case/lower case differences in textual data are ignored, and for the email body all whitespace and formatting characters (Unicode categories C and Z) are ignored too. The sent date is rounded down to full minutes. For attachments that are embedded emails, the structured message hash of that email is used instead of the MD5 hash.
When deduplicating a set of items, Intella will select the item that has the lowest item ID for each set of duplicates. This item may be missing specific details that are present in duplicates. This effect becomes more likely when a less strict message hash configuration is used.
Legacy message hash
The message hash is calculated by calculating the MD5 hash of a list of concatenated item properties. For emails the following properties are used:
- From, Sender, To, Cc and Bcc headers.
- Subject header.
- Date header.
- Email body.
- All other MIME parts (attachments, nested messages, signatures, etc.).
For SMS, MMS, and other types of chat messages such as Skype and WhatsApp messages, the following parts are used:
- The sender information.
- The receiver information.
- The textual content of the message.
When certain headers/properties occur multiple times, all occurrences are used.
A difference between email message hashes and chat message hashes is that the hashing procedure for emails will simply skip missing values, whereas for chat messages all fields need to be present to calculate a hash.
These message hash computation methods have the benefit that they are source-agnostic: a specific email message always gets the same message hash, regardless of whether it is stored in e.g. a PST, NSF, Mbox or EML file. Message hashes can therefore find duplicates across a variety of mail formats and be used to deduplicate such a diverse set of mail formats.
When one of the copies has a minor difference, the email will get a different hash and be treated as different from the other occurrences. A good example is a bcc-ed email, as the bcc is only known by the sender and the recipient listed in the Bcc header. Therefore, these two copies will be seen as identical to each other but different from the copies received by the recipients listed in the To and Cc headers. Another example is an archived email which has one or more attachments removed: it will be seen as different from all copies that still have the full list of attachments.
Install a free tool such as MD5 Calculator by BullZip to calculate the MD5 hash of a file. You can then search for this calculated hash in Intella to determine if duplicate files have been indexed.
Use the “Export table as CSV” option in the Details table to export all MD5 and message hashes of a selected set of results to a CSV file.
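As an added model (not Intella's implementation) of both the structured and the legacy message hash described above, the following shows why a Bcc copy of an email is a duplicate under a structured hash with the Recipients component deselected, but not under the legacy hash, and how lowest-item-ID deduplication can keep the copy that lacks the Bcc header. The normalization rules (case folding, Unicode categories C and Z stripped from the body, sent date rounded down to the minute, nested emails hashed structurally) follow the manual; how the components are delimited and concatenated is an assumption, and the sample emails and attachment MD5 are constructed.

```python
"""Added example, not Intella's code: a model of the structured and legacy
message hash algorithms and of lowest-item-ID deduplication."""
import hashlib
import unicodedata
from datetime import datetime

ALL_COMPONENTS = ("Header", "Recipients", "Body", "Attachments")


def _md5(data: str) -> str:
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def _norm_text(value: str) -> str:
    """Upper/lower case differences in textual data are ignored."""
    return value.casefold()


def _norm_body(body: str) -> str:
    """The body additionally drops whitespace and formatting characters
    (Unicode general categories C and Z)."""
    return "".join(ch for ch in body.casefold()
                   if unicodedata.category(ch)[0] not in ("C", "Z"))


def _norm_date(sent: datetime) -> str:
    """The sent date is rounded down to full minutes."""
    return sent.replace(second=0, microsecond=0).isoformat()


def structured_hash(msg: dict, components=ALL_COMPONENTS) -> str:
    """Structured message hash over the selected components.

    msg keys: sender, subject, sent (datetime), to/cc/bcc (lists of str),
    body (str), attachments (list of MD5 hex strings or nested msg dicts)."""
    parts = {
        "Header": "|".join([_norm_text(msg["sender"]), _norm_text(msg["subject"]),
                            _norm_date(msg["sent"])]),
        "Recipients": "|".join(_norm_text(r) for r in
                               msg.get("to", []) + msg.get("cc", []) + msg.get("bcc", [])),
        "Body": _norm_body(msg["body"]),
        # An embedded email contributes its own structured hash, not an MD5.
        "Attachments": "|".join(sorted(structured_hash(a) if isinstance(a, dict) else a
                                       for a in msg.get("attachments", []))),
    }
    # Assumption: the selected components are joined in a fixed order and MD5'd.
    return _md5("\x1f".join(parts[c] for c in ALL_COMPONENTS if c in components))


def legacy_hash(msg: dict) -> str:
    """Legacy hash: MD5 of the concatenated raw properties; missing values
    are skipped, nested messages contribute their own legacy hash."""
    fields = [msg.get("sender"), *msg.get("to", []), *msg.get("cc", []), *msg.get("bcc", []),
              msg.get("subject"), msg["sent"].isoformat() if msg.get("sent") else None,
              msg.get("body"),
              *(legacy_hash(a) if isinstance(a, dict) else a for a in msg.get("attachments", []))]
    return _md5("\n".join(f for f in fields if f))


def dedupe(items, hash_fn):
    """Keep one item per hash value: the one with the lowest item ID, as Intella
    does. Returns {hash: (item_id, msg)}; the survivor may lack details (e.g. Bcc)."""
    survivors = {}
    for item_id, msg in sorted(items, key=lambda pair: pair[0]):
        survivors.setdefault(hash_fn(msg), (item_id, msg))
    return survivors


# Constructed sample: the sender's copy (with Bcc) and a recipient's copy of
# the same email, whose subject case and body line wrapping differ.
SENDER_COPY = {
    "sender": "Alice <alice@example.com>", "subject": "Draft contract",
    "sent": datetime(2024, 3, 5, 10, 15, 42),
    "to": ["bob@example.com"], "cc": [], "bcc": ["carol@example.com"],
    "body": "Please review the\r\nattached draft.",
    "attachments": ["d41d8cd98f00b204e9800998ecf8427e"],  # constructed placeholder MD5
}
RECIPIENT_COPY = {**SENDER_COPY, "bcc": [], "subject": "Draft Contract",
                  "body": "Please review the attached draft."}
```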
7.1.20. Item ID Lists
In the Item ID Lists facet, you can load a list of item identifiers, to automate the searching with sets of previously determined items, e.g. obtained by exporting the identifier columns (“Item ID”, “URI”) from the Details table to a CSV file, or by using URI list export (see “Exporting” chapter for details).
An item ID list is a text file in UTF-8 encoding that contains one item identifier per line. Both numeric (as in the “Item ID” column) and URI identifiers are supported.
Once loaded into the case, you can select the list name and click Search. The result will be a single result set consisting of the items with the specified IDs. Invalid item IDs will be skipped.
7.1.21. Language
This facet shows a list of languages that are automatically detected in your items.
To refine your query with a specific language, select the language from the list and click the Search button.
When Intella cannot determine the language of an item, e.g. because the text is too short or mixes multiple languages, then the item will be classified as “Unidentified”. When language detection is not applicable to the item’s file type, e.g. images, then the item is classified as “Not Applicable”.
Language detection is applicable for the following media types (see the "Types" facet):
- All types in the Documents → Word Processing category
- All types in the Documents → Presentations category
- All types in the Documents → Spreadsheets category
- In the Documents → Other documents category: Plain Text Document, HTML Document, XHTML Document, Comma-separated Values File
- Communication → E-mail → Email Message
- Others → Source code → XML Document
To export the detected languages and their counts to a CSV file, right-click anywhere in the facet area and select “Export values…”.
7.1.22. Size
This facet groups items based on their byte size.
To refine your query with a specific size range, select a value from the list and click the Search button.
To export the size ranges and their counts to a CSV file, right-click anywhere in the facet area and select “Export values…”.
7.1.23. Duration
This facet reflects the duration of phone calls listed in a cellphone report, grouped into meaningful categories.
To export the duration ranges and their counts to a CSV file, right-click anywhere in the facet area and select “Export values…”.
7.1.24. Device Identifier
This facet groups items from cellphones by the IMEI and IMSI identifiers associated with these items. Please consult the documentation of the forensic cellphone toolkit provider for more information on what these numbers mean.
This facet also supports the filtering options described in the Email Address section.
To export the device identifiers and their counts of a given Device Identifier facet branch to a CSV file, right-click on the node of that branch and select “Export values…”.
7.1.25. Export Sets
All export sets that have been defined during exporting are listed in this facet. Searching for the set returns all items that have been exported as part of that export set.
To export the export set names and their counts to a CSV file, right-click on the node of that branch and select “Export values…”.
7.2. Requiring and excluding facet values
Facet values can be required and excluded. This allows for filtering items on facet values without these values appearing as individual result sets in the Cluster Map visualization.
To require or exclude items based on a facet value, select the value, and click on the arrows in the Search button. This will reveal a drop-down menu with the Require and Exclude options.
7.2.1. Requiring a facet value
Requiring a facet value means that only those search results will be shown that also match with the chosen required facet value.
For example, see the image on the right. The “Enron” search term resulted in 2,752,284 items, but after applying the E-mail category with its 1,668,416 items as a requirement filter, only 1,239,282 items remain.
When multiple required filters are specified, a drop-down list will appear in the Required list:
Depending on the option selected here, the results will differ:
- Any – the results belong to at least one of the required sets. Filtering uses the union of all required sets.
- All – the results belong to all of the required sets. Filtering uses the intersection of all required sets.
The "any" option can be of use when filtering on e.g. document types or custodians, where the sets tend not to overlap. The "all" option can be of use when filtering on criteria from multiple facets, where it effectively does a drill-down search without all searches being visualized in the Cluster Map.
7.2.2. Excluding a facet value
Excluding a facet value means that only those search results will be shown that do not match with the chosen excluded facet value.
Example: The user selects the facet value “PDF Document” and excludes this facet value with the drop-down menu of the Search button in the facet panel. The searches panel in the Cluster Map shows that “PDF Document” is excluded. As long as this exclusion remains, all result sets and clusters will not hold any PDF Documents. Empty clusters will be filtered out.
7.2.3. Limitations
Excludes are often used to filter out privileged items before exporting a set of items, e.g. by tagging items that match the privilege criteria with a tag called “Privileged”. This tag can then be used to filter the privileged items from the results. This methodology has a few limitations that one needs to be aware of:
- The required and excluded sets are applied on the result list shown in the Details view. The original, unfiltered results are still present in the Cluster Map, where they can be selected for review in the Review tab via the right-click menu. In this case, the unfiltered set is reviewed.
- The items that are filtered out may still be reached through traversal of the item hierarchy (e.g. in the Previewer’s Tree tab) or through other search methods.
- When exporting an email to e.g. Original Format or PST format, it is exported with all its attachments embedded in it. The same applies to a Word document: it is exported intact, i.e. with all embedded items. Therefore, when an attachment is tagged as “privileged” and “privileged” is excluded from all results, but the email holding the attachment is in the set of items to export, the privileged attachment will still end up in the exported items. The solution is to also tag both the parent email and its attachment as “privileged”. The tagging preferences can be configured so that all parent items and the items nested in them automatically inherit a tag when a tag is applied to a set of items.
When filtering privileged information with the intent to export the remaining information, we recommend that you verify the results by indexing the exported results as a separate case and checking that there are no items matching your criteria for privileged items.
8. Cluster Map
The Cluster Map shows search results in a graphical manner, grouping items by the queries that they match. This chapter will help you understand how this visualization works.
8.1. Understanding a Cluster Map
The figure above shows a graph with two labels and three clusters. The larger, colored spheres are called clusters. They represent groups of items such as emails and files. The queries entered by the user are shown as labels and are used to organize the map.
Every cluster is connected to one or more labels. In this Cluster Map, we see that the user has evaluated two keyword searches: one for the word “buy” and one for the word “sell”. The Cluster Map shows these two result sets, using the search terms as their labels:
- “buy” returned 128 items and is represented by the red edges.
- “sell” returned 67 items and is represented by the blue edges.
The colored edges connect the clusters of items to their search terms, indicating that these items are returned by that search term. For example, this Cluster Map shows that there are 16 items that were returned by both the “sell” and “buy” queries, 51 items that contain “sell” but not “buy”, and 112 items that contain “buy” but not “sell”.
It is important to understand that the set of results for “buy” are split across two clusters: one that also matches “sell” and another that only matches “buy”. The same split happens for the “sell” results.
When a third keyword search for “money” is added, the graph changes as follows on our data set:
In the middle is a single cluster of 6 items that is connected to all three labels. This represents the 6 items that match all three search terms. There are three clusters of 9, 10 and 20 items, each connecting to two labels but not a third. They represent the items that match two out of the three search terms. Finally, three large clusters at the periphery represent all items that only match the search term that it is connected to.
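As an added example (not Intella's code), the partitioning behind a Cluster Map in Python: every returned item is assigned to the cluster of exactly the labels whose query matched it, so n queries give at most 2^n - 1 clusters (7 for three). The item IDs are constructed so the two-query case reproduces the manual's figures (128 “buy”, 67 “sell”, 16 in both); the Filters behaviour from the Options section is modelled as keeping the clusters connected to the most labels.

```python
"""Added example, not Intella's code: partition result sets into Cluster Map
clusters keyed by the exact set of matching labels."""
from collections import defaultdict


def cluster_map(result_sets: dict) -> dict:
    """result_sets: {label: set of item ids}. Returns {frozenset(labels): count}
    with one entry per non-empty cluster."""
    labels_of = defaultdict(set)  # item id -> labels whose query returned it
    for label, items in result_sets.items():
        for item in items:
            labels_of[item].add(label)
    clusters = defaultdict(int)
    for labels in labels_of.values():
        clusters[frozenset(labels)] += 1  # one cluster per distinct label subset
    return dict(clusters)


def max_clusters(n_queries: int) -> int:
    """Every non-empty subset of labels can be a cluster: 2^n - 1 (7 for three)."""
    return 2 ** n_queries - 1


def most_connected(clusters: dict) -> dict:
    """Model of the Filters toggle: keep only the clusters connected to the
    largest number of labels (the most "relevant" clusters)."""
    if not clusters:
        return {}
    top = max(len(labels) for labels in clusters)
    return {labels: n for labels, n in clusters.items() if len(labels) == top}


# Constructed item ids reproducing the manual's figures: "buy" returns 128
# items (ids 0-127), "sell" returns 67 (ids 112-178), so 16 ids match both.
BUY = set(range(128))
SELL = set(range(112, 179))
```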
A Cluster Map can always draw a reasonable picture of up to three search terms: the above map shows the maximum complexity that such a graph may have. Beyond three search terms the graph may become too complex and cluttered to be meaningful. That is why the Cluster Map has a second visualization mode called Sets. This mode can be chosen by clicking on the Sets mode in the toolbar. When the user enters more than seven queries, the Cluster Map will automatically switch to that mode.
In Sets mode, the three result sets are visualized like this:
Here, each result set is depicted as a single rounded square shape with the label and number of items on top. The size of the square is related to the number of items in the set: bigger means more items. Furthermore, all sets are grouped by their order of magnitude indicated on the left – in this case all result sets are of the same order of magnitude. The overlap between sets is no longer visualized until the user selects one of the sets.
Sets mode can scale to a much larger number of result sets. The following image is a visualization of 16 result sets, divided among four different orders of magnitude. Adjacent groups get alternating colors for better separation. Note that the visual size of the result sets, indicating the number of items in each set, is only comparable within the group.
8.2. Manipulating Cluster Maps
The result sets created with the current query are listed in the box at the top right corner of the Cluster Map panel. To remove a result set from the Cluster Map, click on the remove icon (red X) in the list.
To clear the Cluster Map - remove all result sets - and start a new search, click the Clear button in the terms list.
If the Cluster Map regeneration takes too long, you can stop the process by clicking the Stop button.
To view and open the individual items in a cluster or result set, first click on the cluster or label. This will list the items in that set in the Details view below. From there the items can be opened by a single or double click, depending on the currently selected view mode of the Details view.
8.3. Options
When the Cluster Map is in Clusters mode, the Filters button in the toolbar will be enabled. When this toggle button is selected, the graph is filtered to show only the clusters with the most connections. These could be seen as the most relevant result clusters. This filtering has no equivalent in Sets mode and therefore is disabled in that mode.
The last button in the toolbar indicates whether the graph should be shown at normal size (with scrollbars if necessary) or be scaled to fit in the visible space. For Clusters mode, the fit to size mode makes the most sense. For Sets mode, showing at normal size is often preferable, especially when dealing with lots of result sets (tens or more).
The current visualization can be exported as a transparent, 24-bit PNG image. To do so, choose the “Cluster Map…” option in the Export menu.
9. Histogram
The Histogram shows how a set of search results is spread over time. This tells the user when certain communications or other activities took place.
Another important use case of this visualization is to find anomalies in the data. Any gaps in the chart may indicate shortcomings in the data collection process, e.g. due to a device or disk that should have been included. However, it can also indicate custodians intentionally or unintentionally withholding data, e.g. by deleting emails prior to the collection.
The image below shows the results of a keyword search for “invoice”, grouped by year:
This histogram immediately tells you that the timestamps of the items matching “invoice” range from 1980 to 2016, with the majority between 2000 and 2009, and peaking in 2007.
The date range that Intella looks for ranges from 1969 to the current year plus two years. This will filter out bogus dates that are far in the past or future. Large, real-life data sets will often show items on specific dates like January 1st, 1970, January 1st, 1980 or similar “round” dates. These are typically caused by default date values used in some applications. Future versions may make it possible to filter out such dates.
Initially the Histogram will show the items grouped by year. It is possible to toggle between years and months by using the supplied toggle buttons.
9.1. Date attributes
The date attribute used to create the chart is configurable. By default, the Family Date is used. This typically gives a good sense of the “when” of an evidence set, without dates in older email attachments and files giving a warped sense of the relevant dates.
To use a different date, click on the button showing Family Date (if the default has not been altered yet) and use the checkboxes in the popup to indicate the desired date attribute(s).
Multiple date attributes may be used, e.g. “Sent” and “Received”. In this case it may occur that an item is represented in multiple bars in the histogram, because one date attribute may be in one bar’s date interval and another date attribute falls into a different bar’s date interval. To get a sense of the volume of the data, it is best to use a single date attribute.
9.2. Selections
To see the items in a specific year or month, simply click on the bar representing that year or month. This will list the items in the Details view below.
To see all items in a range of years or months, drag the mouse cursor across the chart. This will show a marker in the background, indicating the selected date range. All bars overlapping with that date range will be selected.
10. Geolocation
The Geolocation view shows the (estimated) locations of all search results that have geolocation information on the world map.
This chapter will help you understand how this visualization works.
10.1. Basics
Currently, geolocation data is extracted from the following sources:
- Images – GPS coordinates in the EXIF metadata.
- Cellphone reports – available information depending on the device model, extraction utility and extraction method.
- Emails – through geolocation lookup of the sender IP.
- Google Maps URLs – e.g. from browser histories and bookmarks.
Using this information, a set of search results can be mapped to a set of geographic coordinates, roughly representing the “where” of the found items.
Any items that do not have any geolocation information associated with them are omitted in this view.
Showing each item’s estimated location on the map would make the view very cluttered. Items lying in the same area are therefore grouped into clusters, shown as a blue circle in the screenshot above. The number in a cluster represents the number of items whose geolocation falls in that area.
When zooming in, the geographic size of what constitutes the “same area” will be reduced, resulting in clusters getting split up into smaller clusters. Zooming out of the map consolidates clusters into fewer and larger clusters again. This cluster management allows the user to inspect specific locations in detail.
The clustering is determined by imposing an invisible grid on the map and bundling all items in a grid cell into a cluster. When a grid cell contains only a single item, an icon will be placed on the map instead, representing that single item. For image items, this icon will be a thumbnail of the image. This gives the user a quick overview of the images located in a specific area. For all other items, the item’s file type icon will be shown.
10.2. Interaction
Zooming can be done using the control buttons in the top-right toolbar or by using the mouse wheel.
To pan (move sideways) in a zoomed map, move the mouse while holding down the left mouse button.
To inspect the content of clusters, the user can select:
- A single cluster, by clicking on it.
- Multiple clusters, by clicking on them while holding down the CTRL key.
- Multiple clusters, by dragging in the map while holding down the right mouse button.
The contents of the selected cluster(s) will be displayed in the Details view below the Geolocation view.
The view also responds to facet selections. The image below shows the Geolocation view, showing all images in a specific case. Selecting the “500 KB – 1 MB” category in the Size facet has turned all cluster discs into pie charts. The solid, dark blue areas in the pie charts represent the items that match this Size facet category. This way, the user can quickly identify the geographic spread of the matching items in the map without having to change the set of queries. This works for every available facet that supports value selections.
In the figure below, the map is shown after an “Include search” is added using the same Size facet query:
10.3. Resources
Intella may need two resources to make the most out of the Geolocation visualization.
10.3.1. Tile server
By default, Intella uses tiles (images containing parts of the map) that are embedded in Intella to construct the world map. This makes it possible to use the Geolocation view without any configuration and without requiring an Internet connection to download these tiles.
Due to the enormous size of a complete tile set covering all zoom levels of the entire world map, the embedded tile set is limited to the first 6 zoom levels. As a rule of thumb, this usually shows the major cities in most countries, but it will not let you zoom in to see where in the city an item is located.
To zoom in beyond that zoom level, a connection to a tile server is needed. This can be a public tile server or one located in your network. See the Preferences section on how to configure a tile server.
A tile server may not only let you zoom in and create more fine-grained maps, it can also let you apply a different map rendering, e.g. a map containing elevation data, infrastructural information, etc.
10.3.2. IP geolocation database
To determine the geolocation of emails, Intella uses the chronologically first IP address in the Received email headers (i.e. the one nearest to the bottom of the SMTP headers). Next, a geolocation lookup of that IP address is done using MaxMind’s GeoIP2 or GeoLite2 database. These databases are not distributed with Intella and therefore one needs to be installed manually.
See the Preferences section on how to acquire and install an IP Geolocation database.
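As an added example (not Intella's code), how the source IP for email geolocation is picked from the Received headers: the headers are walked from the bottom up, since each relay prepends its own, and the first IP literal found is the chronologically first hop. Skipping RFC 1918, loopback and link-local addresses and falling back to a later hop is an added heuristic for the masked-address case, not a documented Intella behaviour; the message and its addresses are constructed.

```python
"""Added example, not Intella's code: select the chronologically first hop
IP from an email's Received headers (bottom-most header first)."""
import email
import ipaddress
import re
from email import policy

# IPv4 dotted quad or IPv6-looking token, optionally in square brackets.
IP_RE = re.compile(r"\[?((?:\d{1,3}\.){3}\d{1,3}|[0-9a-fA-F:]{2,39})\]?")

# Assumption: addresses in these ranges are internal/masked and cannot be
# geolocated, so the walk continues with the next hop.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def is_routable(ip) -> bool:
    return not any(ip in net for net in NON_ROUTABLE)


def ips_in_received(value: str):
    """IP literals in one Received header value, in order of appearance.
    Hex-looking words and timestamps fail ip_address() and are dropped."""
    found = []
    for match in IP_RE.finditer(value):
        try:
            found.append(ipaddress.ip_address(match.group(1)))
        except ValueError:
            continue
    return found


def source_ip(raw_message: bytes):
    """Return (ip, hop_index); hop 0 is the bottom-most (first) Received header.
    Returns (None, None) when no routable address is present in any hop."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    received = msg.get_all("Received", [])
    # Relays prepend their Received header, so reversing walks chronologically.
    for hop_index, value in enumerate(reversed(received)):
        for ip in ips_in_received(str(value)):
            if is_routable(ip):
                return str(ip), hop_index
    return None, None


# Constructed message: the first hop shows only a private address, the
# second the webmail host's loopback, the third the relay's routable address.
SAMPLE_MESSAGE = b"""\
Received: from mx.example.net (mx.example.net [198.51.100.7])
\tby inbox.example.org with ESMTP; Mon, 4 Mar 2024 10:16:01 +0000
Received: from webmail.example.net (localhost [127.0.0.1])
\tby mx.example.net with ESMTPA; Mon, 4 Mar 2024 10:15:58 +0000
Received: from [10.0.0.23] (unknown [10.0.0.23])
\tby webmail.example.net with ESMTPSA; Mon, 4 Mar 2024 10:15:50 +0000
From: alice@example.net
To: bob@example.org
Subject: test

body
"""
```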
10.4. Caveats
While the Geolocation view can quickly give a unique and insightful overview of a data set, there are some aspects of geolocation visualization to be aware of. Geolocation data is approximate by nature and manual verification of the findings will always be required. This is not an Intella limitation; it is inherent to the complexity and unreliability of the systems producing the geolocation information. Make sure that you are fully aware of these aspects and their consequences before relying on the findings.
10.4.1. GPS coordinates
GPS coordinates, such as those obtained from the EXIF metadata of images or from location-bound items extracted from cellphones, are usually quite accurate. However, they are subject to the limitations of GPS:
- In the best-case scenario, the accuracy is typically in the range of several meters. The accuracy can be lower, or coordinates can even be completely wrong, when the GPS hardware cannot receive a good signal (e.g. in the direct vicinity of buildings), due to hardware limitations of the GPS device (the theoretical maximum precision varies between devices), or simply due to bugs and hardware faults in the device.
- The same applies to comparable satellite-based navigation systems such as GLONASS.
- Geolocation coordinates may also have been determined using other techniques, e.g. based on geolocation information about nearby Wi-Fi networks and cell towers.
- Some devices combine several of these techniques to improve accuracy and coverage. Therefore, what is commonly referred to as “GPS coordinates” may not have been established through GPS at all.
- Coordinates may have been edited after the fact by a custodian using an image metadata editor. A set of different images with exactly the same coordinates may point in that direction. This may be harmless, e.g. to fill in the coordinates of images taken with a camera that does not have GPS functionality, but it also means that EXIF coordinates are not tamper-evident and should be corroborated with other evidence before being relied on.
10.4.2. IP geolocation
The determination of an email’s geolocation from its sender’s IP address is imprecise by nature, typically even more so than GPS coordinates. First, the determined Source IP address may be incorrect for several reasons:
- Some email servers mask the originating IP address. The address that is picked up is then in fact the second IP address of the transport path.
- A web email client (e.g. Gmail used through a web browser) may have been used to send the email, in which case the first hop recorded in the headers is the provider’s web mail server rather than the sender’s machine.
- The IP address may have been spoofed. Received headers are plain text added by each relay, and the lowest ones (the ones Intella uses) originate on the sender’s side, where they can be forged freely.
- The IP address may not reflect the sender’s location due to the use of a VPN, Tor, etc.
Second, IP geolocation databases are never fully accurate and their accuracy varies by region. See MaxMind’s website for statistical information on their accuracy. Reasons for this imprecision are:
- The geolocation of an IP address may change over time. Take this into account when indexing an older data set: the lookup reflects the database’s view at indexing time, not at the time the email was sent.
- Some IP addresses may only be linked to a larger area like a city or even a complete country, yet the precise coordinates may give a false sense of GPS-style precision.
- The techniques behind the collection process for creating these databases introduce a certain amount of imprecision.
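The extraction rule described in the IP geolocation database section above, together with the first caveat in the list (a masked originating address, so that the second hop of the transport path is the one that matters), as an added Python example. This is not Intella’s own code: the message is constructed for the example, and the list of non-routable address ranges is an assumption about what a “masked” first hop looks like.

```python
import email
import ipaddress
import re
from typing import List, Optional

# Constructed sample message: three relays, each of which PREPENDED its own
# Received header, so the header nearest the bottom is the earliest hop.
# That first hop shows a private LAN address (the sender's NAT network),
# which no geolocation database can place.
SAMPLE_EML = b"""\
Received: from mx.example.org (mx.example.org [203.0.113.10])
\tby inbox.example.net with ESMTPS; Mon, 1 Jan 2024 10:00:03 +0000
Received: from mail.example.com (mail.example.com [198.51.100.7])
\tby mx.example.org with ESMTPS; Mon, 1 Jan 2024 10:00:02 +0000
Received: from [192.168.1.23] (unknown [192.168.1.23])
\tby mail.example.com with ESMTPSA; Mon, 1 Jan 2024 10:00:01 +0000
From: alice@example.com
To: bob@example.net
Subject: test
Message-ID: <abc123@example.com>

hello
"""

# First bracketed address literal in a Received header, e.g. "[203.0.113.10]"
# or "[IPv6:2001:db8::1]".
IP_LITERAL = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")

# Assumed definition of a "masked" hop: an address that is not routable on the
# Internet (RFC 1918, loopback, link-local, carrier-grade NAT, IPv6 ULA).
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",
    "::1/128", "fc00::/7", "fe80::/10",
)]


def is_routable(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in NON_ROUTABLE if net.version == addr.version)


def received_ips(raw: bytes) -> List[str]:
    """Address literals from the Received headers, earliest hop first."""
    msg = email.message_from_bytes(raw)
    hops = []
    # Headers are listed top to bottom; the bottom one is chronologically first.
    for value in reversed(msg.get_all("Received", [])):
        m = IP_LITERAL.search(str(value))
        if not m:
            continue
        try:
            hops.append(str(ipaddress.ip_address(m.group(1))))
        except ValueError:
            continue  # not a valid address literal; skip this hop
    return hops


def source_ip(raw: bytes, skip_non_routable: bool = False) -> Optional[str]:
    """Source IP as used for geolocation: the chronologically first hop.

    With skip_non_routable=True, hops that cannot be geolocated are skipped,
    which yields the second address of the transport path when the first one
    is masked. Either value is only as trustworthy as the headers themselves:
    the earliest Received lines are written on the sender's side and can be
    forged, so treat the result as a lead, not as proof of location.
    """
    for ip in received_ips(raw):
        if skip_non_routable and not is_routable(ip):
            continue
        return ip
    return None


if __name__ == "__main__":
    print(received_ips(SAMPLE_EML))
    print(source_ip(SAMPLE_EML))                          # 192.168.1.23
    print(source_ip(SAMPLE_EML, skip_non_routable=True))  # 198.51.100.7
```

Run against the sample, the strict rule yields the unroutable 192.168.1.23, while skipping non-routable hops yields 198.51.100.7, the second address of the path; neither variant can tell a genuine hop from one the sender wrote into the message.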
10.4.3. Tile servers
Using a public tile server may reveal the locations that are being investigated to the tile server provider and to anyone monitoring the traffic to that server: every tile request carries the zoom level and tile coordinates in its URL, and these can be converted straight back into the geographic area that was viewed. The further an analyst zooms in, the more precisely the requested tiles pinpoint the items of interest. If this is a concern, use a tile server located in your own network.
To use a public tile server, you need to ensure that you comply with the tile server’s usage policy. This is your responsibility, not Vound’s.
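What a single tile request gives away, as an added Python example (not Intella’s code and not tied to any particular tile server): the tile coordinates in a standard slippy-map URL of the form /{zoom}/{x}/{y}.png are converted back into the geographic bounding box of that tile, which is what the tile provider or a network observer learns from the request. The host name and the plotted location below are constructed for the example.

```python
import math
import re
from typing import Optional, Tuple

# Zoom, x and y path segments of a standard slippy-map tile URL.
TILE_PATH = re.compile(r"/(\d+)/(\d+)/(\d+)\.(?:png|jpg|jpeg|webp|pbf)\b")

EARTH_CIRCUMFERENCE_M = 40075016.686


def latlon_to_tile(lat: float, lon: float, zoom: int) -> Tuple[int, int]:
    """Tile (x, y) that contains the point at the given zoom level (Web Mercator)."""
    n = 2 ** zoom
    lat_rad = math.radians(lat)
    x = int((lon + 180.0) / 360.0 * n)
    y = int((1.0 - math.log(math.tan(lat_rad) + 1.0 / math.cos(lat_rad)) / math.pi) / 2.0 * n)
    return x, y


def tile_to_bounds(x: int, y: int, zoom: int) -> Tuple[float, float, float, float]:
    """(south, west, north, east) in degrees covered by tile (x, y) at the zoom level."""
    n = 2 ** zoom
    west = x / n * 360.0 - 180.0
    east = (x + 1) / n * 360.0 - 180.0
    north = math.degrees(math.atan(math.sinh(math.pi * (1 - 2 * y / n))))
    south = math.degrees(math.atan(math.sinh(math.pi * (1 - 2 * (y + 1) / n))))
    return south, west, north, east


def bounds_from_tile_request(url: str) -> Optional[Tuple[float, float, float, float]]:
    """Area revealed by one tile request, or None if the URL is not a tile URL."""
    m = TILE_PATH.search(url)
    if not m:
        return None
    zoom, x, y = (int(g) for g in m.groups())
    return tile_to_bounds(x, y, zoom)


def tile_width_m(lat: float, zoom: int) -> float:
    """Approximate ground width of one tile at this latitude, in metres."""
    return EARTH_CIRCUMFERENCE_M * math.cos(math.radians(lat)) / 2 ** zoom


if __name__ == "__main__":
    # Constructed example: an item plotted in central Amsterdam, viewed at zoom 15.
    lat, lon, zoom = 52.3702, 4.8952, 15
    x, y = latlon_to_tile(lat, lon, zoom)
    url = f"https://tiles.example.org/{zoom}/{x}/{y}.png"   # assumed server name
    print(url)
    print(bounds_from_tile_request(url))
    print(f"tile is about {tile_width_m(lat, zoom):.0f} m wide")
```

At zoom 15 a tile is roughly a kilometre across, so one request already narrows the viewed location to a neighbourhood; with HTTPS a passive network observer sees only the server name, but the provider always sees the full path.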
10.5. Attribution
The data used to generate the embedded tiles was obtained from the OpenStreetMap project, © OpenStreetMap contributors. See http://www.openstreetmap.org/copyright for more information on this project.
The tile set is made available under the Open Database License: http://opendatacommons.org/licenses/odbl/1.0/. Any rights in individual contents of the database are licensed under the Database Contents License: http://opendatacommons.org/licenses/dbcl/1.0/.
11. Social Graph
The Social Graph is another visualization of search results, showing who participated in the emails, phone calls and instant messages in the search results.
11.1. Basics
The social graph is shown by clicking on the Social Graph button in the Results toolbar. Next, enter any type of query and the results will be displayed as a social graph. When switching from a populated Cluster Map to the Social Graph, the graph starts loading immediately with these results.
When multiple searches have been evaluated, the graph is based on the union of all search results, with the Includes and Excludes applied. In other words, the social graph is based on the same items that are visible in the Cluster Map at the same moment.
To see the conversation items in this result set that relate to a specific contact, i.e. that have that contact as sender or recipient, click on the node representing that contact. To see the items in this result set that have been sent between two contacts, click on the edge between those nodes. In both cases the Details panel below the Social Graph will display these items.
Note that the Timeline view is a natural fit to display the items associated with a node or edge in the Social Graph. All items are sorted by their natural date, and you can easily see the participants involved in the individual items.
When a person sends a message to several people, this will result in several edges in the graph. Therefore, you may encounter the same item several times when browsing the graph and selecting edges.
11.2. Interaction
The toolbar at the top left offers four buttons for managing the zoom level of the graph:
- Zoom in.
- Zoom out.
- Reset the zoom level to the default value.
- Change the zoom level to make the graph fit the available screen space.
The fifth button shows or hides all node labels. When set to “hide”, only the labels of selected nodes and their connected nodes are displayed.
Finally, the sixth button collapses the toolbar and the Searches panel, revealing any graph structures beneath them. Click on the button that appears in the top-right corner to expand these panels again.
The lower parts of the toolbar are used to control the information shown in the graph.
The Edges filter filters out edges, and any nodes left without edges, based on identities. See the Identities section for a description of how to model and use identities. The Edges filter has three possible values:
- All – leaves all edges in the graph.
- At least one Identity – filters out edges that do not have an Identity node on at least one end.
- Only Identities – only preserves edges that have Identity nodes on both ends.
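How the graph is built from conversation items and what each Edges filter setting keeps, as an added Python example that is not Intella’s own code. The items and the set of modelled Identities are constructed for the example; a node click and an edge click are modelled as lookups of the item IDs behind a contact or a pair of contacts.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Message:
    item_id: int
    sender: str
    recipients: Tuple[str, ...]


# Constructed conversation items (not from any real case).
ITEMS = [
    Message(1, "alice@example.com", ("bob@example.com", "carol@example.com")),
    Message(2, "bob@example.com", ("alice@example.com",)),
    Message(3, "dave@example.org", ("erin@example.org",)),
    Message(4, "carol@example.com", ("alice@example.com", "dave@example.org")),
]
# Addresses that have been modelled as Identities (assumed for the example).
IDENTITIES = frozenset({"alice@example.com", "bob@example.com"})

Edge = FrozenSet[str]
Graph = Dict[Edge, List[int]]


def build_graph(items) -> Graph:
    """Undirected edge {a, b} -> IDs of the items sent between a and b.

    A message to several recipients yields one edge per recipient, so the
    same item ID shows up under several edges.
    """
    edges: Graph = defaultdict(list)
    for m in items:
        for r in m.recipients:
            if r != m.sender:
                edges[frozenset((m.sender, r))].append(m.item_id)
    return dict(edges)


def filter_edges(graph: Graph, mode: str, identities: FrozenSet[str]) -> Graph:
    """The three Edges filter settings; nodes left without edges disappear."""
    if mode == "All":
        return dict(graph)
    if mode == "At least one Identity":
        return {e: ids for e, ids in graph.items() if e & identities}
    if mode == "Only Identities":
        return {e: ids for e, ids in graph.items() if e <= identities}
    raise ValueError(f"unknown Edges filter: {mode}")


def nodes(graph: Graph) -> Set[str]:
    return set().union(*graph)


def items_for_node(graph: Graph, contact: str) -> List[int]:
    """Items with the contact as sender or recipient (clicking a node)."""
    return sorted({i for e, ids in graph.items() if contact in e for i in ids})


def items_for_edge(graph: Graph, a: str, b: str) -> List[int]:
    """Items sent between two contacts (clicking an edge)."""
    return sorted(graph.get(frozenset((a, b)), []))


if __name__ == "__main__":
    g = build_graph(ITEMS)
    for mode in ("All", "At least one Identity", "Only Identities"):
        f = filter_edges(g, mode, IDENTITIES)
        print(f"{mode}: {len(f)} edges, {len(nodes(f))} nodes")
    print(items_for_node(g, "alice@example.com"))                      # [1, 2, 4]
    print(items_for_edge(g, "alice@example.com", "carol@example.com"))  # [1, 4]
```

Items 1 and 4 each appear under two edges, which is why browsing edge by edge shows the same item more than once; with “At least one Identity” the dave/erin edge and both of those nodes drop out of the graph.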
The Node labels drop-down list controls what should be shown as node labels:
- Name – Show only the contact name; use the address (e.g. the email address) if there is no contact name.
- Network – Show only the address; use the contact name if there is no address.
- Name and Network – Show both the contact name and address.
By default, only contact names are shown, as these are typically shorter than (email) addresses and lead to less cluttered displays.
The following mouse operations are supported:
- Drag a node to improve readability.
- Click on a node to highlight that node and the nodes connected to it.
- Ctrl-click to select and highlight multiple nodes.
- Hold down the right mouse button while dragging to scroll (pan) the graph.
- Right-click on a node to add that email address to an Identity.
- Right-click on a node or edge to review the corresponding items in the Review tab.
The graph can be exported to a PNG file by using Export Social Graph…
11.3. Limitations
The graph displays a warning when your result set contains more than 700 unique emails, as this may take considerable time to create. Future versions will address this in various ways.
As the Edge filter is applied during rendering, not during graph construction and layout calculation, the chosen filter has no impact on the calculation speed. This may also be addressed in a future version.
12. Details panel
To inspect the contents of the visualization, the user can select a cluster or result set by clicking on it. Its contents will be displayed in the “Details” panel below the map. This panel contains a list of the items, which can be presented in four modes:
- Table view
- List view
- Thumbnails view
- Timeline view
12.1. Table view
The table view displays the results as a table in which each row represents a single item and the columns represent the attributes such as title, date, location etc.
The set of attributes to display can be customized with the “Toggle visible table columns” button, the rightmost button of the Details Panel Control.
Click on a table column header to sort the table by specific item attributes.
Toggle the table row icon to control the presence of separators between rows that have different values in the column that is being sorted on, thereby grouping rows that have the same value. Note that not all columns support this separator.
12.1.1. Adding and removing columns
With the “Toggle visible table columns” button in the Details toolbar you can add and remove columns in the table, by (de)selecting column names in the popup that shows when you click the button.
To add or remove columns in the table, select or deselect the checkboxes in the “Available columns” list. Selected columns are indicated in the “Selected columns” list in the center of the window. You also can remove columns using the red remove buttons in this list, or by selecting one or more columns and pressing the Delete key.
To add or remove an entire column group, (de)select the group header checkbox in the “Available columns” list.
To add all available columns, select the “Check / uncheck all” checkbox. Unselect this checkbox to clear the selected columns list.
To search for a specific column or column group by name, type the first few letters of the name in the “Filter column names…” field. The “Available columns” list will be filtered to show only the matching columns and groups. Clear the search field to remove the filtering in the list.
Click “Ok” to confirm the changes and close the Column Chooser window. Press “Cancel” to close the window without making any changes to the table.
For contacts, e.g. email senders and receivers, this window lets the user choose whether to display the contact name, the email address or both. The chosen setting will affect the table sorting when the involved columns are used to sort the table.
The contents of the date columns can be adjusted to show their time zones:
- When set to “Always”, an explicit time zone always accompanies each date and time value.
- When set to “For different sources”, time zones are only shown when items from different sources are being shown in the table.
- “Do not show” suppresses all time zones.
12.1.2. Available columns
General columns:
-
All Locations: The locations of all duplicate items in the case (including this item).
-
Certificate: The certificate with which an encrypted item could be decrypted.
-
Contact name: The name of a contact encountered in a PST file or as a vCard file.
-
Content Analysed: Shows whether the item has been subjected to analysis by at least one of the Content Analysis categories.
-
Custom ID: The Custom ID of the item, assigned to it by a Generate Custom IDs task.
-
Custom Family ID: The Custom Family ID of the item, assigned to it by a Generate Custom IDs task.
-
Decrypted: Shows if an item is encrypted and Intella has decrypted it.
-
Direct Child IDs: The item IDs of the direct children of this item.
-
Direct Parent ID: The ID of the item’s direct parent item.
-
Document ID: The ID as imported from a load file. This ID is maintained for cross-reference purposes.
-
Duplicate Locations: The locations of all duplicate items in the case (excluding this item).
-
Duplicates: Shows the number of duplicates of an item within the case.
-
Embedded Image: Indicates whether the item is an embedded image extracted from an email, Microsoft Office document, XPS document, or PDF document. See the Features facet section for a precise definition of this category.
-
Encrypted: Shows if an item is encrypted.
-
Exception: Shows if an item had one or more issues indexing properly.
-
File Name: The name of a file in the file system, in an archive or used as an attachment name.
-
Geolocation: The geolocation (longitude, latitude) of an item, if any.
-
Has Geolocation: Indicates whether the item has geolocation information associated with it.
-
Item ID: The ID used internally in Intella’s database to refer to this item.
-
Language: The language of the item’s text. The language field is left blank when the language cannot be detected automatically. When the language could not be determined, e.g. because the text is too short or mixes various languages, the value shown will be “unidentified”. Item types that inherently do not have a language, e.g. images or archives, show the “not applicable” value.
-
Location: Name of the location in the original evidence data where the item is stored. For example, an email in a PST file would have a location that would start with the folder and file name of the PST file, followed by the mail folder path inside that PST file.
-
MIME type: The type of an item per the MIME standard.
-
Native ID: The native ID of the item. Currently only HCL/IBM Notes UNID (Universal Notes ID) are listed here. This column may be used for other native ID types in the future.
-
Near-Duplicate Group: The name of the near-duplicate group that the item belongs to.
-
Near-Duplicate Master Item: The ID of the master item of the near-duplicate group that the item belongs to.
-
Near-Duplicate Score: The similarity score of the item in its near-duplicate group.
-
Near-Duplicates: The number of near-duplicates of this item (other items in the near-duplicate group that the item belongs to).
-
BegAttach / Parent ID: The ID of a parent document (or first ID in the family) as imported from a load file. This ID is maintained for cross-reference purposes.
-
EndAttach: The last ID in the family as imported from a load file. This ID is maintained for cross-reference purposes.
-
Password: The password with which an encrypted item could be decrypted.
-
Recovered: Indicates whether the item has been recovered. See the Features facet section for the definition of the Recovered status.
-
Size: The item’s size in bytes.
-
Source: The name of the Intella source that holds the item. Typically, this is the root folder name or the name of the mail container file (e.g. PST or NSF file).
-
Source Path: The path to the evidence, e.g. the PST or NSF file, or the root folder of a Folder source. This helps reviewing items when dealing with a lot of evidence files – the name of the evidence file and the derived source name may not hold enough information to easily discern the origin of the information.
-
Subject: The subject of an email or document item – note that some document formats can have both a title and a subject.
-
Title: The title of a document item.
-
Text Snippet: Text summary containing at most the first 1000 characters of the item’s content. This column is especially useful for reviewing Chat message item types, as it makes it possible to examine communication from different channels side by side in the Details view.
-
Top-Level Parent: Indicates whether the item is a top-level parent.
-
Type: The item’s human-readable type, e.g. “MS PowerPoint Document” or “Email Message.”
-
URI: Uniform Resource Identifier, the identifier used internally by Intella for the item in addition to the Item ID.
Email-specific columns:
-
All Receivers: The combined list of To, Cc and Bcc agents.
-
All Senders: The combined list of From and Sender agents.
-
Attached: Whether this item is an attachment to an email, conversation, or document.
-
Attachments: Shows the file names of an email’s attachments.
-
Bcc: The addresses in the Bcc header.
-
Bcc Count: The total number of unique blind carbon copy email recipients (Bcc).
-
Cc: The addresses in the Cc header.
-
Conversation Index: The value of the ConversationIndex field of the item (the PR_CONVERSATION_INDEX MAPI property commonly used in PST, EDB and MSG files), or the value of the Thread-Index header.
-
EDRM Message Hash: Shows the EDRM Message Identification Hash (MIH) for emails. It is generated according to the standard described at https://edrm.net/edrm-projects/dupeid-2/. It can be used for cross-platform email duplicate identification.
-
Email Thread ID: When the item has been subjected to email thread analysis, this shows the ID assigned to the email thread in which the item has been placed.
-
Email Thread Name: When the item has been subjected to email thread analysis, this shows the thread name assigned to the email thread in which the item has been placed. Often this is the “root” of the subject line that is common between the emails in the thread.
-
Email Thread Node Count: When the item has been subjected to email thread analysis, this shows the number of nodes in the email thread in which the item has been placed.
-
From: The addresses in the From header.
-
Has Attachments: Emails that are marked as having attachments.
-
Has Internet Headers: Emails that have regular SMTP headers. When this is not the case, information about e.g. the sender, receiver and dates may still be obtained from other fields, depending on the source format.
-
Inclusive: When the item has been subjected to email thread analysis, this shows whether the item has been marked as inclusive.
-
Message Hash: Shows the Message Hash for emails and SMS messages. This hash is used for deduplicating emails and SMS messages in a manner that works across different mail formats and phone data source types.
-
Message ID: Shows the Message ID extracted from email messages.
-
Missing Email Referent: When the item has been subjected to email thread analysis, this flag indicates that the threading process has detected that the email item is a reply to another email or a forwarded email, but the email that was replied to or that has been forwarded is not available in the case.
-
Non-Inclusive: When the item has been subjected to email thread analysis, this shows whether the item has been marked as non-inclusive.
-
Recipient Count: The total number of unique email, chat, and cellphone recipients.
-
Sender: The addresses in the Sender header.
-
Source IP: the determined source IP of the email.
-
Threaded: Shows whether the item has been subjected to email thread analysis.
-
To: The addresses in the To header.
-
Unread: Shows if an email item was unread at the time of indexing.
-
Visible Recipient Count: The total number of unique visible email, chat, and cellphone recipients (To, Cc).
Cellphone-specific columns:
-
All Phone Numbers: phone numbers relevant to a phone call, regardless of whether it is an incoming or outgoing call, combined with phone numbers found in contacts.
-
Chat Accounts: all instant messaging accounts (Skype, WhatsApp, but also SMS and MMS phone numbers) that have been used to send or receive a chat message.
-
Chat Protocol: all chat protocols used in a message or conversation (e.g. SMS, MMS, Skype, Teams).
-
Chat Receivers: all instant messaging accounts used to receive a chat message.
-
Chat Senders: all instant messaging accounts used to send a chat message.
-
Conversation ID: ID associated with conversation as found in the evidence data.
-
Duration: how long the phone call took.
-
IMEI: The International Mobile Station Equipment Identity (IMEI) number of the phone from which the item was obtained.
-
IMSI: The International Mobile Subscriber Identity (IMSI) associated with the item.
-
Incoming Phone Numbers: phone numbers used for incoming phone calls.
-
Intella Conversation ID: a uniquely generated Conversation ID (changes on each indexing attempt).
-
Message Count: shows the number of messages in conversation items, i.e. items that bundle all messages between two or more participants in a single day.
-
Outgoing Phone Numbers: phone numbers used for outgoing phone calls.
File- and document-specific columns:
-
Contributor: The name(s) of the contributor(s) of a document. These are typically authors that edited existing documents.
-
Creator: The name(s) of the creator(s) of a document item. These are typically the initial authors of a document.
-
Empty document: Shows that the item has no text while text was expected. Example: a PDF file that contains only images.
-
File Extension: the file extension of a file, e.g. “doc”, “pdf”.
-
Irrelevant: Indicates whether the item is classified as “Irrelevant”. See the Preferences section for the definition of the “Irrelevant” category.
-
MD5 Hash: The MD5 hash of the item’s content, used to identify duplicates. Note that MD5 is no longer collision-resistant: two different files can be deliberately crafted to share the same MD5 hash, so an MD5 match on data that an adversary may have prepared should be corroborated by comparing the items themselves.
-
OCRed: Shows whether an OCR method has been applied on this file.
-
Page Count: the number of pages of the item, as reported by the metadata found in the original evidence item. I.e., this is not a verified value, and is only available for certain document formats that support such a metadata attribute.
-
Shadow Copies: the number of other versions of the item located in volume shadow copies.
Columns containing dates:
-
Called: The date a phone call was made.
-
Content Created: The date that the content was created, per the document metadata.
-
Content Last Modified: The date that the content of the item was last modified, per the document-internal last modified date.
-
Due: The due date of a task.
-
End Date: The end date of an appointment, task or journal item.
-
Family Date: The family date of the item. Family dates build on primary dates and take the item hierarchy into account. The family date of an item is defined as the primary date of its top-level parent, i.e. all items in an item family have the same family date. Sorting on Family Date sorts by this date, but also puts attachments and nested items right behind their parent. This is strictly enforced, i.e. two item families with the same family date are not intertwined. This makes it possible to review items in chronological order while maintaining a sense of their context. Certain types of items are skipped when determining the family root, namely all folders, mail containers, disk images, load files and cellphone reports.
-
File Created: The date a file was made, according to the file system.
-
File Last Accessed: The date a file was last accessed, according to the file system.
-
File Last Modified: The date of the last time the file was modified, according to the file system.
-
Last Printed: The date a document was last printed, according to the document-internal metadata.
-
Primary Date: The date that is the best match for the given item. Default or user-defined rules are used to pick the most appropriate date attribute based on the item’s type.
-
Received: The date the item was received.
-
Sent: The date the item was sent.
-
Start Date: the start date of an appointment, task or journal item.
-
Visited: The last visited date of an item obtained from a browser history or Windows registry.
Review-related columns:
-
All Custodians: The custodians of all duplicate items in the case (including this item).
-
Batches: Shows the batches an item has been put in. This can happen when a case is reviewed in Intella Connect, our web-based companion product.
-
Comments: Shows if an item has comments. When this is the case, a yellow note icon is shown in the table. Hover over the icon to see a tooltip with the comments attached to the item.
-
Custodian: shows the name of the custodian associated with this item.
-
Duplicate Custodians: The custodians of all duplicate items in the case (excluding this item).
-
Exported: Shows if an item has been exported.
-
Flagged: Shows a column at the left side of the table that indicates if an item is flagged. Click the checkbox if you want to flag an item.
-
Opened: Shows if an item has been opened in its native application.
-
Previewed: Shows if an item has been opened in the previewer.
-
Queued for redaction: Shows if an item has been queued for mass redaction.
-
Redacted: Indicates whether the item has been redacted.
-
Tags: Shows the tags connected to an item.
Analysis columns:
-
The columns in this group represent built-in and custom Content Analysis categories. See the “Content analysis” section for more information on their meaning.
Note that the Location branch in the Content Analysis facet corresponds with the “Geographical Location” column in the table. This naming difference is to distinguish it from the other Location column indicating the location of the evidence items.
Tag groups (optional):
-
These columns are created for every top-level tag with sub-tags. When selected, the corresponding column shows the tags within that part of the tag tree. The column will be named after the top-level tag.
For example, when a tag named “Relevancy” has been created with subtags “Relevant”, “Non-Relevant” and “Privileged”, the tag group in the column chooser would be called “Relevancy”. Enabling it would add a column named “Relevancy” to the table, with the “Relevant”, “Non-Relevant” and “Privileged” tags as possible values for those items that have been tagged as such.
Export (optional):
-
When items have been exported using the export set functionality, a column will be made available for every export set, holding the export IDs within that export set.
Custom columns (optional):
-
Custom columns are created either during load file import or in the Custom Columns dialog. See the “Custom Columns” section for more details.
12.1.3. Reorganizing table columns
The columns can be reorganized by dragging a column header to a different location in the table.
Alternatively, you can use the Column Chooser window to reorder the columns:
- To move a column to a different location, drag and drop it in the “Selected columns” list. You can use this method for multiple columns selected in the list.
- To move a column one position up or down in the “Selected columns” list (left or right in the table), use the “Move Up” and “Move Down” buttons. This can also be applied to multiple selected columns.
12.1.4. Table presets
When clicking the “Ok” button, all changes made to the table configuration are stored in the current table preset, selected in the Column Chooser window.
Every case has its own set of presets. When a new case is created, it contains two presets with predefined column sets for regular table display (“Default”) and for CSV exporting (see the “Export to a CSV file” section). You can create as many presets as needed and switch between them using the drop-down list in the Column Chooser.
To save the current state of the Column Chooser as a new preset, click the “Save As…” button and enter the preset name. You can enter an existing preset name to overwrite it.
To undo all changes made in the currently opened Column Chooser window and revert it to the original state of the selected preset, click the “Reset” button.
To remove an existing preset, select it in the drop-down list and click the “Delete” button. This operation is available only if there are two or more presets defined in the case.
12.1.5. Sorting the list
By clicking on a column header, the search results will be sorted alphabetically, numerically, or chronologically, depending on the type of information shown in that column. By clicking the header once more, the sort order will be reversed. Clicking one more time will remove the sorting, letting the results be displayed in their original order.
Sorting on the Family Date column is implemented as a compound sorting on two columns. Items are first sorted by the Family Date itself and next by the Hierarchy criterion. This process is transparent to the user and results in attachments and embedded items always getting placed directly after their parent item, which can greatly simplify the review of the items.
Sorting by multiple columns can be achieved by holding the Ctrl key while clicking on the column headers. Any additional clicked column will be added to the list of sorting criteria. When two items cannot be ordered using the values from the first column (because the values are identical), the second column will be used, and so on.
Besides clicking on column headers, you can alter the sorting with the “Sort table” button. This opens a dialog that lets you select the sorting columns and the sort order per column (ascending/A-Z or descending/Z-A). This dialog lets you use all the columns available, regardless of whether the column is currently present in the table.
Furthermore, this dialog offers a sort criterion called “Hierarchy”, which is not available as a table column. Sorting on this criterion puts the items in hierarchical order, e.g. an email is directly followed by its attachments.
12.1.6. Showing a conversation
Right-clicking a message item and selecting the Show > Conversation option will display a new result set in the Cluster Map, showing all messages that are part of the conversation. This includes replies and forwarded messages.
The messages in a conversation set are determined by matching keywords in their subject lines and by inspecting the values of the “Message-ID”, “In-Reply-To” and “References” email headers. More specifically:
- The algorithm takes the item’s subject and reduces it to the “base subject” by stripping all prefixes like “Re:” and “Fwd:”. It supports common prefixes for several languages.
- Next, it determines the set of Message IDs mentioned in the item’s “Message-ID”, “In-Reply-To” and “References” email headers.
- It runs a Boolean AND query for the words in the base subject, restricting the search to the “title” field.
- It narrows this set down to all items that have at least one of the Message IDs in the determined set in their headers, regardless of the specific header the ID appears in.
Due to how this method is implemented, Show Conversation may find a different set of items than the Email threading method. For example, single-thread emails that have the same subject are typically returned by Show Conversation. A future Intella release may unify these two functionalities.
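The four steps above carried out on a small constructed corpus, as an added Python example; this is not Intella’s own implementation, and the list of subject prefixes it strips is an assumption standing in for the language-specific list the manual refers to. The corpus contains a thread, an unrelated email with the same subject, a reply in another thread that references one of the thread’s Message IDs, and a reply whose subject gained an extra word, so each step’s effect is visible.

```python
import re
from dataclasses import dataclass
from typing import List, Set

# Reply/forward prefixes in a few languages (an assumed list; Intella's own
# list of supported prefixes is not documented here). Also strips "Re[2]:".
SUBJECT_PREFIX = re.compile(
    r"^\s*(?:(?:re|fw|fwd|aw|wg|sv|vs|tr|rif|antw|doorst)\s*(?:\[\d+\])?\s*:\s*)+",
    re.IGNORECASE,
)


def base_subject(subject: str) -> str:
    return SUBJECT_PREFIX.sub("", subject).strip()


def words(text: str) -> Set[str]:
    return set(re.findall(r"\w+", text.lower()))


@dataclass(frozen=True)
class Email:
    item_id: int
    subject: str
    message_id: str
    in_reply_to: str = ""
    references: str = ""

    def header_ids(self) -> Set[str]:
        """All Message IDs in the Message-ID, In-Reply-To and References headers."""
        ids = set(self.in_reply_to.split()) | set(self.references.split())
        if self.message_id:
            ids.add(self.message_id)
        return ids


def show_conversation(item: Email, corpus: List[Email]) -> List[int]:
    base_words = words(base_subject(item.subject))
    wanted = item.header_ids()
    # Step 3: Boolean AND over the base-subject words against the title field.
    by_subject = [e for e in corpus if base_words <= words(e.subject)]
    # Step 4: keep only items sharing at least one Message ID, in any header.
    return sorted(e.item_id for e in by_subject if e.header_ids() & wanted)


# Constructed corpus (not real mail).
CORPUS = [
    Email(1, "Q3 budget", "<a@example.com>"),
    Email(2, "Re: Q3 budget", "<b@example.com>", "<a@example.com>", "<a@example.com>"),
    Email(3, "Fwd: Re: Q3 budget", "<c@example.com>",
          references="<a@example.com> <b@example.com>"),
    Email(4, "Q3 budget", "<d@example.com>"),                 # same subject, unrelated
    Email(5, "Re: Lunch", "<e@example.com>", in_reply_to="<b@example.com>"),
    Email(6, "Re: Q3 budget figures", "<f@example.com>", in_reply_to="<b@example.com>"),
]

if __name__ == "__main__":
    print(base_subject("AW: Fwd: Re[2]: Q3 budget"))   # Q3 budget
    print(show_conversation(CORPUS[1], CORPUS))        # [1, 2, 3, 6]
```

Starting from item 2, the subject query admits items 1, 2, 3, 4 and 6; the Message ID check then drops item 4 (no shared ID) and keeps item 6 even though its subject differs, while item 5 shares an ID but fails the subject query. Item 4 is the kind of same-subject email that makes the result differ from Email threading.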
12.1.7. Showing the family items
To determine all family items of a set of selected items, select all relevant items in the Details table, right-click on one of them and click the Show > Family menu item. This will add a new result set in the Searches panel containing all family items of the selected items.
The family of an item is defined as its top-level parent and all descendants of that parent in the item hierarchy, including folders. The definition of a family used by the “Show family” option is the same as used in the Keywords tab and the Family Date attribute.
12.1.8. Showing the unique families
This operation finds the families with their top-level items deduplicated. This is identical to performing the following steps on a given set of items:
- Find all top-level parents of the items.
- Deduplicate these parents.
- Extend the resulting set with their direct and indirect children.
To determine all items belonging to the unique families of the selected items, select two or more items in the Details table, right-click on one of them and click the Show > Unique Families… menu item.
In the dialog box, you can configure the following options:
- Deduplicate by custodian: If selected, the top-level parents of families are deduplicated for each custodian separately, thus allowing duplicates across different custodian sets.
- Include folders: If selected, folder items are included in the produced families.
Clicking on the OK button will add a new result set in the Searches panel.
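The family operations described in this chapter, as one added Python example that is not Intella’s own code: the Family Date definition and its compound sort from the Available columns and Sorting sections (family root found by skipping folders and other containers, attachments placed right behind their parent, families never intertwined), Show > Family, and the three Unique Families steps with both dialog options. The case data, the MD5 values and the custodian names are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Item types that are skipped when walking up to the family root.
CONTAINER_KINDS = {"folder", "mail container", "disk image", "load file", "cellphone report"}


@dataclass(frozen=True)
class Item:
    item_id: int
    parent_id: Optional[int]
    kind: str
    primary_date: Optional[date]
    md5: str = ""
    custodian: str = ""


# Constructed case: two custodians hold the same email (same MD5) with the
# same attachment; the attachment's own date is older than its parent email.
ITEMS: Dict[int, Item] = {i.item_id: i for i in (
    Item(1, None, "folder", None),
    Item(2, 1, "email", date(2024, 1, 5), "h1", "Alice"),
    Item(3, 2, "document", date(2024, 1, 1), "h2", "Alice"),
    Item(4, 3, "image", date(2024, 1, 2), "h3", "Alice"),
    Item(5, 1, "email", date(2024, 1, 3), "h4", "Alice"),
    Item(6, None, "folder", None),
    Item(7, 6, "email", date(2024, 1, 5), "h1", "Bob"),
    Item(8, 7, "document", date(2024, 1, 1), "h2", "Bob"),
)}


def hierarchy_path(item_id: int, items: Dict[int, Item]) -> Tuple[int, ...]:
    """IDs from the family root down to the item; containers are not part of it."""
    path = [item_id]
    cur = items[item_id]
    while cur.parent_id is not None and items[cur.parent_id].kind not in CONTAINER_KINDS:
        cur = items[cur.parent_id]
        path.append(cur.item_id)
    return tuple(reversed(path))


def family_root(item_id: int, items: Dict[int, Item]) -> int:
    return hierarchy_path(item_id, items)[0]


def family_date(item_id: int, items: Dict[int, Item]) -> Optional[date]:
    return items[family_root(item_id, items)].primary_date


def sort_by_family_date(ids: Iterable[int], items: Dict[int, Item]) -> List[int]:
    """Compound sort: family date first, then hierarchy, so attachments and
    nested items follow their parent and families never intertwine."""
    return sorted(ids, key=lambda i: (family_date(i, items) or date.min, hierarchy_path(i, items)))


def descendants(root_id: int, items: Dict[int, Item]) -> Set[int]:
    children: Dict[Optional[int], List[int]] = {}
    for it in items.values():
        children.setdefault(it.parent_id, []).append(it.item_id)
    out, stack = set(), [root_id]
    while stack:
        cur = stack.pop()
        out.add(cur)
        stack.extend(children.get(cur, []))
    return out


def show_family(selected: Iterable[int], items: Dict[int, Item]) -> Set[int]:
    """Top-level parent of each selected item plus all of its descendants."""
    out: Set[int] = set()
    for i in selected:
        out |= descendants(family_root(i, items), items)
    return out


def unique_families(selected: Iterable[int], items: Dict[int, Item],
                    dedupe_by_custodian: bool = False, include_folders: bool = True) -> Set[int]:
    """Show > Unique Families: roots, deduplicated on MD5 (optionally per
    custodian), extended with all direct and indirect children."""
    seen: Set[Tuple[str, str]] = set()
    out: Set[int] = set()
    for r in sorted({family_root(i, items) for i in selected}):
        key = (items[r].custodian if dedupe_by_custodian else "", items[r].md5)
        if key in seen:
            continue  # duplicate top-level parent; keep the family seen first
        seen.add(key)
        out |= descendants(r, items)
    if not include_folders:
        out = {i for i in out if items[i].kind != "folder"}
    return out


if __name__ == "__main__":
    print(sort_by_family_date([2, 3, 4, 5, 7, 8], ITEMS))   # [5, 2, 3, 4, 7, 8]
    print(sorted(show_family([4], ITEMS)))                  # [2, 3, 4]
    print(sorted(unique_families([3, 8], ITEMS)))           # [2, 3, 4]
    print(sorted(unique_families([3, 8], ITEMS, dedupe_by_custodian=True)))  # [2, 3, 4, 7, 8]
```

In the sorted output the attachment (item 3, dated 1 January) and the image nested in it follow their parent email of 5 January instead of sorting to the front, and the whole Alice family precedes Bob’s copy even though both carry the same family date.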
12.1.9. Showing the child items
To determine all items nested in an item, right-click on the item and select Preview > Item. Next, switch to the Tree tab to see the full hierarchy, including all child items.
To determine the children of a set of selected items, select all relevant items in the Details table, right-click on one of them and click the Show > Children option. This will open a dialog that asks you what children to put in the result set, as child items may also again contain child items.
12.1.10. Showing the parent items
Right-click an email attachment and select the option Preview > Parent E-mail to view the email message that contains the selected item. This feature looks up the parent item recursively until it reaches an email item.
To determine the parent of a set of selected items, select all relevant items in the Details table, right-click on one of them and click the Show > Parents… option. This will open a dialog that asks you whether to produce the top-level or direct parents, and what to do with items that have no parent.
See the search preferences for settings related to how the top-level and direct parents are determined.
12.1.11. Showing native ID duplicates
To determine all items that have the same Native ID as a specific item, right-click on the item and select Show > Native ID Duplicates. See the “Adding and removing columns” section for the definition of the Native ID column.
12.1.12. Showing shadow copies
To determine all items that are other versions of a specific item extracted from volume shadow copies, right-click on the item and select Show > Shadow Copies.
12.1.13. Showing statistics
To show the statistics of a set of items, select the items in the table, right-click on the selection and choose the option Show > Statistics. The following statistics can be shown:
- Cumulative file size. This estimates the storage space required to export these items in their native format.
- Total number of document pages. Note that this only includes items that have a page count in their metadata (e.g. PDF and Word documents). Further note that this metadata may be unreliable.
- Number of OCRed items.
- Number of redacted items.
- Number of encrypted items.
12.2. List view
The List view displays the results in a form similar to conventional web search engines. Select the third button in the Details toolbar to switch to this view.
For each item, the title and other important metadata will be displayed, as well as a fragment of the document text, if any text has been extracted from this item. When Intella currently is displaying keyword search results, the selected text fragment will show the keyword matches and their context.
The title is normally displayed in a light green color; dark green indicates that the item has been previewed before by the current user.
If the item has any tags applied to it, these will be shown on the right as blue labels. To flag an item, use the checkbox on the left.
Items can be selected by clicking, Ctrl-clicking and right-clicking. Right-clicking on any item reveals the same popup as used in the Table view.
12.3. Thumbnails view
The Thumbnails view displays the thumbnails of the image and video items detected within a selected cluster.
By default, the thumbnails include images embedded in email bodies, email attachments and images inside documents. Select the "Hide Embedded Images" option to show only the directly selected items.
Use the zoom slider or "Ctrl+mouse wheel" action to change the thumbnail size.
Hover over the thumbnails with your mouse cursor to see a summary of the data connected to the image. You can flag an image with the checkbox below the thumbnail.
When the mouse cursor hovers over a thumbnail, a small zoom button becomes visible. Click on that button to activate the quick image preview in a pop-up panel. Click anywhere to close the quick preview panel.
When you double-click a thumbnail, the image will open in the previewer.
The Thumbnails view works much more smoothly when you let it pre-generate the thumbnail representations of all images in the case in advance. This can be done by selecting “Generate Thumbnails” from the File menu.
12.4. Timeline view
The Timeline view shows a chronological representation of email communications, phone calls and SMS/MMS messages.
The left pane shows the senders and receivers, i.e. email addresses or phone numbers, with their communication plotted chronologically. Every edge in the timeline view represents a communication and points to the receiver of that communication.
The node color represents the role a contact (i.e. an email address or phone number) has in a communication, e.g. sender or caller. Click the Legend button to see an explanation of all node colors that can occur.
When displaying emails, it may occur that an email appears to have two senders. That happens when the email has both a From and a Sender header. As in most circumstances the From header is of primary interest, the visualization of the Sender headers is by default disabled. It can be enabled by clicking on the Options button and checking the “Display the Sender header in addition to the From header” checkbox.
When you click an arrow, the arrow, the connected arrows, and the connected squares will be highlighted. When you double-click an arrow, the email will show in a preview window. TIP: Export a timeline by choosing Export > Timeline… from the menu. The timeline will be saved as a PNG image.
12.5. Deduplication, irrelevant and non-inclusive items
With the Deduplicate button, duplicates are removed from the search results. This is based on the MD5 and message hashes of the results: when two items have an MD5 or message hash in common, only one of them is shown.
If one or more custodians are defined in the current case, the Deduplicate button has two deduplication options:
- Global: Default behaviour; all items in the case are deduplicated against each other.
- By Custodian: Deduplicate each custodian’s item set separately. Duplicate items belonging to different custodian sets will all be shown.
When deduplicating a set of items, Intella Backpack will select the item that has the lowest item ID for each set of duplicates. This item may be missing specific details that are present in duplicates. This effect becomes more likely when a less strict message hash configuration is used.
Similarly, the Hide Irrelevant button removes all items marked as Irrelevant during indexing. See the Preferences section for information on the Irrelevant Items category.
Finally, the Hide Non-Inclusive button filters out items marked as non-inclusive by the email thread analysis.
When used in the Thumbnails view, which shows both the images in the selected results as well as any images nested in those results, the result is filtered. In other words: first the set of images in the item set is determined, then it is extended with the set of nested images, and finally the deduplication and irrelevant item filters are applied on this combined set.
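The unique-families procedure of section 12.1.8 and the Deduplicate rules of this section (global versus by custodian, lowest item ID wins), worked through as an added Python example that is not Intella's own code. The Item model and the case data are constructed here, and treating "MD5 or message hash in common" as a transitive relation is an assumption.

```python
from dataclasses import dataclass
from typing import Optional


# Constructed stand-in for an Intella item; this is not the product's data model.
@dataclass
class Item:
    id: int
    custodian: str
    md5: Optional[str]                   # None for folders, which carry no content hash
    parent: Optional[int] = None         # id of the direct parent, None for top-level items
    is_folder: bool = False
    message_hash: Optional[str] = None   # only emails carry a message hash


def top_level_parent(items, item_id):
    """Follow parent links until an item without a parent is reached."""
    current = items[item_id]
    while current.parent is not None:
        current = items[current.parent]
    return current


def descendants(items, root_id, include_folders):
    """All direct and indirect children of root_id. Folders are always traversed
    but only reported when include_folders is set ("Include folders" option)."""
    found, stack = set(), [root_id]
    while stack:
        pid = stack.pop()
        for it in items.values():
            if it.parent == pid:
                stack.append(it.id)
                if include_folders or not it.is_folder:
                    found.add(it.id)
    return found


def duplicate_groups(items, by_custodian=False):
    """Group items that have an MD5 or a message hash in common.
    Assumption: the relation is applied transitively (union-find), so A~B via
    MD5 and B~C via message hash puts A, B and C into one group.
    With by_custodian, hashes are only compared within the same custodian."""
    link = {i: i for i in items}

    def find(x):
        while link[x] != x:
            link[x] = link[link[x]]
            x = link[x]
        return x

    first_seen = {}
    for it in items.values():
        scope = it.custodian if by_custodian else None
        for h in (it.md5, it.message_hash):
            if h is None:
                continue
            key = (scope, h)
            if key in first_seen:
                link[find(it.id)] = find(first_seen[key])
            else:
                first_seen[key] = it.id
    groups = {}
    for i in items:
        groups.setdefault(find(i), set()).add(i)
    return list(groups.values())


def deduplicate(items, by_custodian=False):
    """The Deduplicate button: keep the lowest item ID of every duplicate group."""
    return sorted(min(g) for g in duplicate_groups(items, by_custodian))


def unique_families(items, selected, by_custodian=False, include_folders=False):
    """Show > Unique Families: find the top-level parents of the selection,
    deduplicate them, then extend the survivors with their descendants."""
    parents = {top_level_parent(items, i).id for i in selected}
    kept = deduplicate({p: items[p] for p in parents}, by_custodian)
    result = set()
    for p in kept:
        result.add(p)
        result |= descendants(items, p, include_folders)
    return sorted(result)


# Constructed case: one email held by two custodians (different MD5, same
# message hash), and a ZIP whose document also exists as a loose copy.
CASE = {it.id: it for it in [
    Item(1, "alice", "m1", message_hash="h1"),        # email in alice's mailbox
    Item(2, "alice", "att", parent=1),                # its attachment
    Item(3, "bob", "m2", message_hash="h1"),          # same email in bob's mailbox
    Item(4, "bob", "att", parent=3),                  # same attachment
    Item(5, "bob", "zip"),                            # ZIP archive
    Item(6, "bob", None, parent=5, is_folder=True),   # folder inside the ZIP
    Item(7, "bob", "doc", parent=6),                  # document in that folder
    Item(8, "alice", "doc"),                          # loose copy of the document
]}

if __name__ == "__main__":
    print("Global dedup:      ", deduplicate(CASE))
    print("Dedup by custodian:", deduplicate(CASE, by_custodian=True))
    print("Unique families:   ", unique_families(CASE, [2, 4, 7]))
```

Note how the global run keeps only item 1 of the email pair, so details present only in bob's copy (item 3) disappear from the result, which is the effect the note above warns about.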
13. Previewing results
13.1. Overview of the Previewer
When you double-click an item, it will display in a separate Previewer window - unless you specify in the Preferences that the file should be opened in its native application instead.
The Previewer allows you to inspect, flag, and tag the item, to explore its relations with other items, and to export the item for later use.
The Previewer will show several tabs, presenting different aspects of the item, such as Contents, Preview, Headers, Raw Data, Properties, Attachments, etc. The set of tabs will differ from item to item, depending on the type of item that you selected and what information is available for that item.
13.2. The Toolbar
The toolbar on the right of the window contains options for producing and annotating the current item, as well as navigating to other items and starting new searches that use this item as a starting point.
- Previous and Next buttons
Go to the next or previous item in a list. Alternatively, you can also use the keyboard shortcuts Alt+right-arrow to go to the next item, and Alt+left-arrow to go to the previous item.
This functionality is not available when the Previewer was launched by clicking in the Cluster Map, from the Tree tab of another Previewer, etc.
The next two panels are for annotating the current item:
- Tag button
Opens the tag space where you can add new tags to your case and select a tag from a list of existing tags.
- Quick tag buttons
You can assign a tag to a quick tag button, or remove an existing tag. If no tag is pinned to a Quick tag button, it is randomly associated with one of the recently used tags by default.
- “Go to next item after tagging” check box
When this check box is selected, clicking the quick tag buttons will switch the Previewer to the next item in the list (if there is one).
- Flagged
Select this check box to flag the previewed item. You might want to flag an item for organizational reasons. For example, to keep track of the items that you have reviewed in the case.
The next panel holds actions for navigating to and searching for related items:
- Preview Parent
Use this button to open the parent item in a previewer window. A parent item contains one or more items. Example: Pictures found in a Microsoft Word document are separate items in Intella. The Word document is the parent item for these pictures. The same is true for items found in an archive file, such as a ZIP file: the archive file is the parent item for these items.
- Preview Parent Mail
Use this button to open the parent email item in a previewer window. A parent email item contains one or more items. Example: A picture attached to an email is a separate item in Intella. The email is the parent for the picture. This button is visible only when one of the parents of the previewed item is an email.
- Preview Parent Conversation
Use this button to open the parent conversation item in a previewer window. A parent conversation contains one or more messages. Example: A chat message that is part of a conversation is a separate item in Intella. The conversation is the parent for the chat message. This button is visible only when one of the parents of the previewed item is a conversation.
- Show Family
Use this button to search for all items in the same family as the current item.
- Show Children
Use this button to search for and display the children associated with the item being viewed in the previewer. When selected, a search result with the associated children of the selected items will be available in the Cluster Map panel. The label of the cluster will be “Children of [file name]” or “Children of [subject].”
An example of a child item would be an attachment of an email. Intella views emails and attachments as separate items. The attachment would be the child of the parent email.
Child items can have child items of their own. Depending on the option that you select, the Show Children shows either only the directly nested children or all children in the tree.
- Show Conversation
Based on the Subject of an email and certain other email headers, Intella can find items that are part of a conversation. Click the button Show Conversation to show all these items in the Cluster Map panel.
The label of this cluster will be “Conv: [email subject].” The email subject is the email subject of the item in the previewer.
- Show Duplicates
When an item has duplicates in the case, click Show duplicates to display these duplicates in the Cluster Map. The label of this cluster will be “Duplicates of [file name]” or “Duplicates of [subject]”.
- Smart Search
Smart search lets one search for items that are similar to a selected item. It determines a set of keywords in the selected item that have a high information value. Typically, these are keywords that occur often in the selected document but are not common words across the case or in any of the supported languages, which makes them representative of the content of the selected document.
Using the Smart Search dialog one can then find other documents that share these keywords and therefore have a good statistical chance of being related to the selected document.
A slider is provided that the user can use to set a threshold: the lower the threshold, the more documents are returned but at the cost of less relevance to the set of keywords.
Checkboxes are provided to control which item fields should be used when determining the set of keywords. This way one can restrict the search for similar items to e.g. the document or message body only.
Finally, the last panel contains options related to the Contents tab:
- Hide seen paragraphs
When selected, paragraphs that have been marked as Seen by the user are removed from the text, only leaving an “eye” icon in the left margin as an indication that a paragraph has been removed there. Click on the eye to bring back the text.
- Colorize paragraphs
When selected, paragraphs marked as Seen by the user are displayed as grayed out text.
- Highlight Content Analysis results
When selected, entities from Content Analysis categories are emphasized with color highlighting.
13.3. Tabs
The tabs show the various aspects of the current item. The set of tabs shown for an item can differ from item to item, depending on the item type and which information that item holds.
When moving from one item to the next using the Next and Previous buttons, the current tab will stay selected – if that tab is also available for the next or previous item.
When a specific tab is never used in a case, its visibility can be toggled using the Previewer’s View menu. The benefit of this is a less crowded user interface and shorter loading time.
Keyword matches
When the current item has any keyword matches, the tabs containing one or more of the keywords change their appearance:
- The tab name will show with a bold blue font and contain a number indicating the number of hits.
- When the tab contains text (not metadata properties), like the document text or email headers, it will get a status bar at the bottom listing the found keywords and providing buttons to jump from one match to another.
- When the tab contains text and has a scrollbar, the location of the keyword matches will be marked in the scrollbar using yellow indicators.
Hit highlighting in the Preview and Redaction tabs may be overzealous in highlighting the matching terms when using phrase or proximity queries. Generally, all occurrences of the individual terms are highlighted, not just the text parts that resulted in these query matches. E.g. the query "big car" will result in all occurrences of "big" and "car" being highlighted. This is a limitation of the technologies used to render these tabs. This limitation is not present in the other tabs that support hit highlighting (Contents, Headers, Raw Data, Properties and Comments).
Next, we explain which tabs can occur.
13.3.1. Contents
This tab shows the body of an item, e.g. the message in an email or the text inside a Word document. The Contents tab shows a limited set of stylistic elements such as bold, italic, and underlined text, tables and lists. However, text is always drawn as black text on a white background, so as to reveal all extracted text. For a native rendering of the item use the Preview tab (when available).
If the item text is too long, it is truncated in the previewer for performance purposes. Click on the “Show full text” button to view the complete item text. Note though that there is also a limit on the maximum amount of text that is subjected to full-text indexing. See the note on the “ItemTextMaxCharCount” setting in the Source Types section.
When the item is an image, this tab will show the image’s content. An extra toolbar is then provided, allowing for zooming, rotating, and flipping the image. If the image has extracted text, it will be shown in a separate tab called “Extracted Text”, next to the Contents tab.
When the item is a video, this tab contains the thumbnails of static frames extracted from the video content.
When an item is encrypted and could not be decrypted, the Contents tab will show an image of a lock, to explain why no text could be shown.
Handling paragraphs
When the “Analyze paragraphs” option was selected during source creation, extra UI elements will be shown in the left margin. These UI elements indicate the start and end of the paragraphs that Intella has detected. They can be used to collapse and expand the paragraph. The UI elements are omitted for very short paragraphs (typically one-liners).
Furthermore, a popup menu will be shown when the user right-clicks on a paragraph, offering the following options:
- Mark the paragraph as Seen, or back to Unseen. This grays out all occurrences of this paragraph in all items, facilitating the review of large amounts of long and overlapping documents such as email threads with lots of quoted paragraphs.
- Mark all paragraphs above or below the current paragraph as Seen or Unseen.
- Search for all items in which this paragraph occurs. All items that contain the selected paragraph will be returned, ignoring small variances such as white spaces.
- Mark the paragraph for exclusion from keyword search. This can be used to suppress information present in lots of items but with little relevance to the investigation, such as email signatures and legal disclaimers. Consequently, keyword queries containing terms such as “confidential” and “legal” are more likely to return meaningful results.
Detected Objects
When Image Analysis has been executed on this item, the item is an image, and objects have been detected in it, extra UI elements will be shown in the image itself. These UI elements mark each detected object with a rectangle at the coordinates where the object was found and a description of the object. The transparency of the rectangle and label depends on the detected object’s confidence score.
The objects that have been searched for in the Search tab will be highlighted with a different color (see "Persons" on the picture above).
The “Min. confidence” slider on the Previewer toolbar specifies the threshold applied to the detected objects on the current image preview. Objects with a confidence score lower than the current threshold will not be highlighted in the preview.
Highlighting of detected objects can be turned off completely by unchecking the "Highlight Content Analysis results" checkbox.
13.3.2. OCR and OCR Preview
When the item has been OCR-ed by any of the supported methods, the OCR text will be shown in an OCR tab. The searchable version of the document will be shown in an OCR Preview tab.
Cases that were originally made with Intella 2.0.x versions or older and that have been transformed to a 2.1.x case or newer may still show the OCR text as part of the document text in the Contents tab.
13.3.3. Preview
This tab shows the item as if it was opened in its native application. The Preview tab is only shown when the format of the current item is supported, and the Contents tab is not already showing it in its native form. The following file formats are supported:
- Emails (when the email contains an HTML body; excluding MSG emails)
- Legacy MS Office formats (doc, xls, ppt)
- New MS Office formats (docx, xlsx, pptx)
- RTF
- HTML
- PDF
- XPS
- CSV and TSV files
- WordPerfect
- Open Office (Writer, Calc, Impress)
When previewing emails, only images that are already bundled with the email are shown. Any images that a mail client would load from a web server are shown as static icons. When there are any such missing images, a “Show external images” button appears. Clicking this button will contact those servers, load the images and show them embedded in the email representation. Note that loading these images may constitute a violation of investigation policies.
13.3.4. Headers
This tab shows the complete header of the email item. This tab is only shown when you open an email item.
13.3.5. Raw Data
The content of this tab depends on the item type. For example, in the case of PST emails the low-level information obtained from the PST is listed here. This typically includes the transport headers (shown on the Headers tab) and the email body, but also a lot more. In the case of vCard files the raw vCard contents are displayed here.
All this information is also searched through when using a keyword search. This may lead to additional hits based on information in obscure areas that Intella does not process any further.
13.3.6. Properties
This tab shows a list of properties connected to the item. Examples are Size, MIME Type, Creator and Character Set. The list of properties shown depends on the type of the item and what data is available in that item.
To copy all the text to the clipboard click Copy all.
Hover over the question marks at the right-hand side with your mouse to see a short definition of each property.
13.3.7. Attachments
This tab lists the attachments of an item.
When you double-click an attachment, or select it and click View, it will be opened in a new Previewer window.
Attachments are also reported for conversations, even though they are not direct children of the Conversation item but attachments of the Message items that make up the previewed conversation.
13.3.8. Thumbnails
This tab shows thumbnails of the images (jpg, png, gif etc.) attached to an item or embedded in a document, e.g. the images embedded in a MS Word document.
Select the checkbox below the image to flag a thumbnail.
When you double-click a thumbnail, the image will be opened in a new previewer window.
Thumbnails are also reported for conversations, even though the images are not direct children of the Conversation item but attachments of the Message items that make up the previewed conversation.
13.3.9. Tree
This tab shows the location of the reviewed item in the item hierarchy (entire path from root to descendants), as well as all its child items.
The file names and subjects are clickable. You can also right-click and choose to either select all above or select all below, or simply select items manually, to assign them to a tag.
The Tree tab can optionally display Custom ID and Custom Family ID columns. That can be useful to determine an item’s role in the item family. The presence of these columns can be toggled in the Preferences window.
13.3.10. Email Thread
This tab visualizes the email thread in which the currently previewed email is located. A blue border indicates the current email.
Each type of icon in this visualization has a special meaning. To see a basic explanation of the icons, click the Legend icon. The icons have the following meaning:
- Inclusive Email – this email is part of the set of emails that a reviewer should read, in order to read everything in the thread.
- Non-Inclusive Email – all content of this email is also present in at least one of the replies or forwards.
- Missing Email – indicates that the existence of an email could be derived from references found in other emails, though the email itself could not be found in the case.
- Duplicate Emails – indicates that one or more duplicates exist of this email.
- Reply – indicates that the email was sent as a “Reply” to another email.
- Reply All – indicates that the email was sent as a “Reply all” to another email.
- Forward – indicates that the email contains a forwarded email.
- Attachment – indicates that the email has one or more attachments.
The user can double-click on the nodes in the visualization. This opens that email in a separate Previewer. When the node represents a set of duplicates, one of these duplicates is opened.
To tag all items represented in the visualization, click the Tag Thread button.
To export the graph as a PNG image, click the Export button.
13.3.11. Entries
This tab shows the list of items found in an archive file, e.g. a ZIP or RAR file.
When you double-click an item in the list or select it and click View, it will be opened in a new Previewer window. However, when the entry is a sub-folder inside the archive, its content will be opened in the same 'Entries' tab. Double-click the '..' entry at the top of the list to return to the parent folder.
13.3.12. Comments
This tab lists the reviewer comments attached to the item. Every comment has an author name and time stamp, and the option to Edit or Delete the comment.
Note that this is not related to the comments such as found in the MS Word document metadata.
13.3.13. Words
The Words tab lists all words/terms extracted from this item, together with the following information:
- The search field the term belongs to: text, title, path, etc.
- The frequency of the word in this document and document field.
- The number of documents having this term in the same field.
This list can be used to diagnose why a certain document is or is not returned by a certain query.
The list can be exported as a CSV file by right-clicking anywhere in the table. Right-clicking also lets you evaluate a query with the right-clicked term.
13.3.14. Actions
This tab shows the list of actions performed on the item. The action’s date and the user that triggered the action are shown in the list. Actions listed are:
- Previewed – the item was opened in the previewer.
- Opened – the item was opened in its native application.
- Exported – the item was exported.
- Tagged with – the item was tagged with the specified tag.
- Flagged – the item was flagged.
- Commented – the item was commented.
- OCRed – the item has text content imported from OCR.
- Redacted – the item was redacted.
- Imported text – additional text was imported to the item via the “-importText” command-line option.
13.3.15. Geolocation
This tab shows the item’s geographic location on the world map. It is only present when the item has geolocation information (Longitude and Latitude properties) associated with it.
See the section on the Geolocation view for the correct interpretation of this information, including its caveats.
13.3.16. Analysis
This tab is visible if one or more entities from Content Analysis or Image Analysis categories are identified in this item’s content. The tab lists all entities found in the item content, organized by category.
Click the Search button to query for other items containing the selected entity.
13.3.17. Near-Duplicates
This tab is only visible for items included in a near-duplicate group (see the corresponding section), except for the group’s master items and their exact duplicates in those groups.
The tab visualizes the differences between the text content of the current item and the master item in its near-duplicate group. Information about the near-duplicate group (name, master item ID, and the current item score) is visible on the top panel.
Different text blocks (paragraphs) are marked with red and green colors, indicating occurrences specific to the current and to the master items, respectively. Visibility of the different blocks is controlled with two checkboxes ("Occurs only in this item" and "Occurs only in the Master item"). The regular black-on-white text represents the text blocks that the two items have in common.
The Near-Duplicates tab uses simplified text formatting with most of the text styling stripped out. Therefore, the view may differ from what one can see in the Contents and Preview tabs.
14. Reviewing results
Users can open a Review tab on a specific set of items. This top-level tab combines the functionality of the Details view and the Previewer. On the left of the tab is the item list, either as a Table, List, Thumbnails, or Timeline view. On the right of the tab is an embedded Previewer. Selecting items in the list on the left displays them in the Previewer on the right. This makes a quick and efficient review of a list of items possible within a single window.
To open a Review tab, the user can:
- Right-click on a cluster or result set in the Cluster Map and select Review > Review n items.
- Right-click on a result set in the Searches list and select Review > Review n items.
- Right-click on a selected item range in the Table, List or Thumbnails view and select Review > Review n items.
It is possible to have an unlimited number of Review tabs. Note that it is even possible to open a new Review tab by selecting items in an existing Review tab, right-clicking and selecting the Review option. Likewise, it is also possible to open a Previewer by double-clicking on an item in a Review tab.
A Review tab can be closed by clicking on the Close icon next to the tab’s name.
Currently, the set of Review tabs is not persisted: closing Intella will close all Review tabs.
The embedded Previewer offers all features of the standalone Previewer, i.e. one can tag, flag, comment, redact, etc. Clicking on any of the search links, e.g. Show Conversation, will make Intella switch automatically to the Search tab.
15. Identities
The Identities functionality lets one build an “address book” of the persons of interest in a case. An identity bundles the communication aliases used by a person, such as email addresses, phone numbers and chat accounts, into a single unit. The identity is given a Full Name and can be annotated with other properties. This information is used to enhance the querying and display of items in other parts of the user interface.
The Identities tab lists the currently defined identities and offers various options for adding and editing identities. This way, investigators can enter the information they know about suspects and other people involved in a case.
The Identities facet makes it possible to query for all items linked to an identity. An identity query combines the results of the queries for the individual email addresses, phone numbers and chat accounts into a single item set. The result is a holistic view of the communication of that person, regardless of the media and aliases used for that communication.
In case of email addresses, an Identity query also finds items where the email address occurs in the item text. It therefore casts a wider net than merely looking at senders and receivers.
Other facets and displays that use identities to improve their content and presentation:
- The Email address facet bundles the email addresses of an identity into a single node.
- The Chat Accounts and Phone Number facets do the same with their values.
- The Social Graph groups nodes representing aliases of the same identity into a single node.
The result is both a simpler and more accurate presentation of the information. Future Intella releases will extend this to other parts as well, such as the Timeline and Email Thread views.
This unit of information is called an “identity” rather than a “person”, even though in practice it often will correspond one-to-one with a person. This was chosen because linking an identity to an actual person is still an important investigative step to make. For example, people may use pseudonyms to hide their identity, use different names in different languages, or may use different names to indicate different cultural roles. Also, the same or similar name may not necessarily imply the same person. How identities relate to persons and what their aliases are is therefore for the investigator to determine.
15.1. Adding identities
The simplest way of creating a new identity is by clicking the Create Identity button on the left side of the Identities tab. A form opens in the middle where the information of the new identity can be entered.
The Full Name will be used to display the identity in the displays mentioned above. Optionally, a Role, Organization and Note can be added.
Beneath these fields are three lists of identity aliases:
- Email addresses
- Chat accounts
- Phone numbers
- Authors
For a manually created identity, these lists will initially be empty. There are two ways of populating the lists:
- Click the Add button above the respective list. A dialog will open that lets the user add several aliases at once, one on each line. The values can also be copied from the Clipboard.
- Click the Suggestions button above the respective list. A dialog will open that shows suggestions derived from the Full Name and any aliases that have already been added manually. For example, after adding “John Smith” as the Full Name, email addresses with “john” and “smith” or similar names may be shown.
The suggestions are sorted by their estimated relevancy, so usually the best matches are located at the beginning of the list. Please note that these are only suggestions; manual verification of the addresses is always required.
After editing the identity, click Save Identity to make the additions or changes persistent. This will also update the information in the left side of the Identity Details box with the following statistics:
- Emails – the number of emails that this identity is involved in. This includes occurrences of the email address facet in the document text.
- Chats – the number of chat items that this identity is involved in.
- Phone calls – the number of phone calls that this identity is involved in.
- Case coverage – the number of all items associated with this identity, relative to the total number of items in the case.
Each of these statistics can be clicked, resulting in a query for these items being launched in the Search tab.
Once an identity has been saved, it can also be assigned an avatar image. Click on the circle with the person icon and select an image in the file chooser that opens. To remove the avatar image, right-click on it and select “Remove avatar”.
To remove an identity from the Identities list, right-click on it and select Remove. After confirming the deletion, the Identity will be permanently removed. There is no way to undo this operation.
15.2. Identity suggestions
As an alternative to the manual definition of identities, Intella offers a suggestion mechanism. Using patterns found in the evidence data, such as similar-looking email addresses, it will suggest identities. These can be reviewed by the user and added to the Identities list, or merged into an existing identity. Only explicitly added or merged identities will be used in the other displays.
To see Intella’s identity suggestions, click the button in the lower right corner of the Identity tab. This operation may take some time depending on the case size, typically seconds to minutes. After completion, the Suggestions list on the right will be populated with the top 40 suggested identities derived from the evidence data. The suggested identities are sorted by the number of items that they cover, with the identity covering the largest number of items being at the top of the list.
Click on a suggested identity to expand that node and see the aliases associated with that identity.
15.3. Importing / Exporting identities
The ability to import and export Identities allows you to transfer defined Identities between cases or to use them with third-party software.
Currently, the only supported format is CSV with:
- comma (,) as separator
- double quote (") as enclosure character for multiple values
- double quote (") as escape character inside an enclosure
15.3.1. Importing identities
Choose a CSV file containing identities that adhere to one of the following formats:
Inlined multiple values
Identity name, Organization, Role, Note, Email address, Chat account, Phone number, Author
John Doe, Vound LLC, Forensics expert., Note 1, john.doe@vound-software.com, "johnd, john-doe, jd1984", "555-1212, 555-1234", jd
In this case all multiple values are enclosed in double quotes and separated by commas.
Multiple values in separate rows
Identity name, Organization, Role, Note, Email address, Chat account, Phone number, Author
John Doe, Vound LLC, Forensics expert., Note 1, john.doe@vound-software.com, johnd, 555-1212, jd
John Doe,,,, john.doe@vound-software.com, john-doe, 555-1234,
John Doe,,,,, jd1984, 555-1234,
In this case multiple values are listed in multiple rows. These rows will be merged into one identity, as the Identity name is the same for all of them.
Both formats will create the same 'John Doe' Identity when imported.
Note that it’s also possible to import a CSV with just particular columns, for example:
Identity name, Email address
John Doe, john-doe@vound-software.com
Column names in the header are required in order for Intella Backpack to identify which data is being imported. Available column names are:
- Identity name
- Organization
- Role
- Note
- Email address
- Chat account
- Phone number
- Author
15.3.2. Exporting identities
In the export dialog you will be presented with the following export options:
Scope of the export, which is either:
- Selected identities
- All identities
Data to be exported:
- Identity name
- Organization
- Role
- Note
- Email address
- Chat account
- Phone number
- Author
Multiple values format:
- Inline with double quotes
- Separate rows
The example CSV shown below these options reflects the chosen options in real time, so you can see what the resulting CSV will look like.
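The following is an added example, not part of the manual and not Intella’s own import/export code. It reads the two documented CSV layouts (inlined multiple values, or one value per row) into the same merged identity record, and writes records back out in either layout using the documented quoting rules (comma separator, double quote enclosure, doubled quote as escape). It assumes that the Identity name column is mandatory, that rows sharing an Identity name are merged with the first non-empty Organization/Role/Note winning, and that columns with unknown names are ignored; the sample CSV text is constructed from the manual’s John Doe example.

```python
import csv
import io

# Column names exactly as listed in the manual; the last four may hold
# several values per identity.
COLUMNS = ["Identity name", "Organization", "Role", "Note",
           "Email address", "Chat account", "Phone number", "Author"]
ALIAS_COLUMNS = COLUMNS[4:]

# Constructed sample input: the manual's John Doe identity in both layouts
# (the second one keeps the uneven spacing of the manual's example).
INLINE_CSV = (
    "Identity name,Organization,Role,Note,Email address,Chat account,Phone number,Author\n"
    "John Doe,Vound LLC,Forensics expert.,Note 1,john.doe@vound-software.com,"
    '"johnd, john-doe, jd1984","555-1212, 555-1234",jd\n'
)
ROWS_CSV = (
    "Identity name, Organization , Role , Note, Email address, Chat account, Phone number , Author\n"
    "John Doe , Vound LLC, Forensics expert., Note 1, john.doe@vound-software.com, johnd,555-1212, jd\n"
    "John Doe,,, , john.doe@vound-software.com, john-doe, 555-1234,\n"
    "John Doe,,, ,, jd1984, 555-1234,\n"
)


def new_identity(name):
    ident = {"Identity name": name, "Organization": "", "Role": "", "Note": ""}
    ident.update({col: [] for col in ALIAS_COLUMNS})
    return ident


def parse_identities(text):
    """Parse identity CSV in either layout; rows sharing an Identity name are merged."""
    reader = csv.DictReader(io.StringIO(text), skipinitialspace=True)
    header = [h.strip() for h in (reader.fieldnames or [])]
    if "Identity name" not in header:  # assumption: the name column is mandatory
        raise ValueError(f"header must contain 'Identity name', got {header}")
    identities = {}
    for raw in reader:
        # Normalise header and cell whitespace; unknown columns are simply ignored.
        row = {k.strip(): (v or "").strip() for k, v in raw.items() if k is not None}
        name = row.get("Identity name", "")
        if not name:
            continue  # a row without a name cannot be attached to an identity
        ident = identities.setdefault(name, new_identity(name))
        for col in ("Organization", "Role", "Note"):
            if row.get(col) and not ident[col]:
                ident[col] = row[col]  # first non-empty value wins when merging rows
        for col in ALIAS_COLUMNS:
            # An inlined cell holds "a, b, c"; a separate-rows cell holds one value.
            for value in row.get(col, "").split(","):
                value = value.strip()
                if value and value not in ident[col]:
                    ident[col].append(value)
    return list(identities.values())


def export_identities(identities, columns=COLUMNS, inline=True):
    """Write identities out. `columns` is the 'Data to be exported' selection;
    `inline` chooses 'Inline with double quotes' over 'Separate rows'."""
    out = io.StringIO()
    # QUOTE_MINIMAL encloses cells that contain the separator and doubles any
    # embedded quote, which is exactly the documented escaping.
    writer = csv.writer(out, quoting=csv.QUOTE_MINIMAL, lineterminator="\n")
    writer.writerow(columns)
    for ident in identities:
        if inline:
            writer.writerow([", ".join(ident[c]) if c in ALIAS_COLUMNS else ident[c]
                             for c in columns])
            continue
        alias_cols = [c for c in columns if c in ALIAS_COLUMNS]
        rows = max([len(ident[c]) for c in alias_cols] + [1])
        for i in range(rows):
            record = []
            for c in columns:
                if c in ALIAS_COLUMNS:
                    record.append(ident[c][i] if i < len(ident[c]) else "")
                elif c == "Identity name" or i == 0:
                    record.append(ident[c])
                else:
                    record.append("")  # scalar fields appear on the first row only
            writer.writerow(record)
    return out.getvalue()


if __name__ == "__main__":
    ids = parse_identities(ROWS_CSV)
    print(export_identities(ids, inline=True))
    print(export_identities(ids, inline=False))
```

Running the script prints the merged identity in both layouts; feeding either output back through `parse_identities` yields the same record, which is the property a practitioner should check before moving identities between cases.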
15.4. Facets
The Identities facet makes it possible to search for all items related to an identity. When searching for an identity, it queries for all items that have any of the identity’s aliases as sender/receiver/caller/callee/etc. Effectively, it gathers all messages in which the identity is a participant through one of its aliases.
Several other facets use the identity information to optimize their content and presentation.
In the Email Address facet, both the identity nodes and their email address sub-nodes can be used as query parameters. When searching using an identity node, the query effectively searches for all email addresses listed as sub-nodes in the tree. Note that this does not search for other types of aliases such as phone numbers and chat accounts; that is what the Identities facet is for.
The Chat Account, Phone Number and Author facets optimize their content and presentation in a way that is conceptually similar to what the Email Address facet does.
15.5. Social Graph
The Social graph uses identities to bundle address nodes together that belong to the same identity. This can greatly improve the graph’s readability.
To simplify the graph even further, an Edges filter is available with three options:
- All – shows all edges, regardless of what types of nodes they connect.
- At least one Identity – shows edges that are connected to at least one identity.
- Only identities – shows only edges that connect identities.
This can have an enormous effect on the graph complexity. Consider this original social graph:
Restricting the graph to only those edges that connect at least one Identity results in this graph:
Further restricting it to edges connecting only identities results in this image:
The Social graph can also be used to edit identities on the fly. Right-click on a non-identity node (e.g. an email address node) and select “Add to Identity”. The dialog that opens can be used to pick an existing identity to assign the address to. The graph will be updated accordingly.
Note that changes to the identities made in the facets or in the Identity tab do NOT lead to an automatic update of the Social Graph.
15.6. Caveats
Saved searches involving identities are not portable.
The identity functionality is a recent addition to Intella. We anticipate making refinements and extensions to this functionality in future releases and welcome your feedback.
16. Chat messages
16.1. Overview
This section describes the processing and rendering of chat messages, and how it differs from the way other artifacts are handled.
Let’s look at an example of how chat conversations are processed. Suppose that we have a chat message database, holding a conversation called “Main Chat” that spans over three years. In such a case Intella Backpack will create artificial Conversation items, based on the Indexing Options that control how such Conversation items are to be constructed. Let’s say that these were set like this:
- Present chat messages as: Conversations and Messages
- Split chat conversations: Per year
- Limit number of messages per conversation: 100
Each of the three resulting Conversation items will contain the chat messages that were sent in the same calendar year. The start and end dates of a conversation will be set to the sent dates of its first and last chat messages respectively.
Furthermore, children Chat Message items will be produced for each individual chat message in this conversation. The conversation item will contain the message texts of all its child Chat Message items.
When the maximum number of messages per conversation item is reached, the conversation will be split further into additional conversation items.
Constructing Conversation items out of the individual chat messages has the following benefits:
- The presentation of Conversation items inside the previewer makes reviewing chat data effective and efficient, as it mimics how a chat client displays the chat messages.
- Having Conversation items makes it possible to use AND and OR search operators and proximity queries when searching for text across chat message boundaries.
Producing separate Chat Message items has the following benefits:
- Chat Message items can be individually tagged, flagged, and exported.
- Chat Message items can be listed inside the Details view, making it possible to see how they relate to other item events in the case, e.g. website visits, emails, phone calls, etc. that took place right before or after the moment that the chat message was sent or received.
The Text snippet column can be especially useful when reviewing Chat Message items inside the Details view, as it shows the first 1,000 characters of each item.
The Present chat messages as indexing option controls whether:
1. Both Conversation items and Chat Message items will be produced
2. Only Conversation items will be produced
3. Only Chat Message items will be produced
The Split chat conversations option controls how chat messages are bundled into Conversation items:
- Per Hour – conversations are split by calendar hour
- Per 12 Hours – conversations are split at noon and midnight
- Per Day – conversations are split by calendar day
- Per Week – conversations are split by calendar week
- Per Month – conversations are split by calendar month
- Per Year – conversations are split by calendar year
The maximum number of messages bundled in a single Conversation item can be controlled through the Limit the number of messages per conversation option. The maximum value is 1,000 messages per conversation.
Altering these values will affect reviewing and exporting to PDF at the later stage. A reasonable default setting is “Per day” splitting, capped by a maximum of 100 chat messages per conversation item. When exporting such a Conversation item, the exported document will contain at most 100 chat messages, thereby not producing unnecessarily large PDF documents. Reviewing such Conversations in the Previewer is also more straightforward, as the reviewer is not overwhelmed with many messages inside the previewed conversation.
Note that (re-)indexing of the chat data is needed to let changes in these options take effect.
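The bundling rules above (one Conversation item per calendar period, split further once the message limit is reached, start/end dates taken from the first and last message, child attachments reported on the conversation) can be reproduced in a few lines. The code below is an added example, not Intella’s indexing code; the message dictionaries, their field names, the Monday start of a calendar week and the constructed “Main Chat” sample are assumptions made for the illustration.

```python
from datetime import datetime, timedelta

SPLIT_OPTIONS = ("Per Hour", "Per 12 Hours", "Per Day", "Per Week", "Per Month", "Per Year")
MAX_MESSAGES_PER_CONVERSATION = 1000  # upper bound of the limit option per the manual


def period_start(sent, split):
    """Return the start of the calendar period that `sent` falls in."""
    day = sent.replace(hour=0, minute=0, second=0, microsecond=0)
    if split == "Per Hour":
        return sent.replace(minute=0, second=0, microsecond=0)
    if split == "Per 12 Hours":  # split at midnight and at noon
        return day.replace(hour=0 if sent.hour < 12 else 12)
    if split == "Per Day":
        return day
    if split == "Per Week":  # assumption: calendar weeks start on Monday
        return day - timedelta(days=day.weekday())
    if split == "Per Month":
        return day.replace(day=1)
    if split == "Per Year":
        return day.replace(month=1, day=1)
    raise ValueError(f"unknown split option {split!r}")


def build_conversations(messages, split="Per Day", limit=100):
    """Bundle chat messages into Conversation items: one per calendar period,
    split again whenever `limit` messages have been collected."""
    if split not in SPLIT_OPTIONS:
        raise ValueError(f"unknown split option {split!r}")
    if not 1 <= limit <= MAX_MESSAGES_PER_CONVERSATION:
        raise ValueError("limit must be between 1 and 1000")
    conversations = []
    current = None
    for msg in sorted(messages, key=lambda m: m["sent"]):
        period = period_start(msg["sent"], split)
        if current is None or current["period"] != period or len(current["messages"]) >= limit:
            current = {"period": period, "messages": []}
            conversations.append(current)
        current["messages"].append(msg)
    for conv in conversations:
        msgs = conv["messages"]
        conv["start"] = msgs[0]["sent"]      # sent date of the first message in this part
        conv["end"] = msgs[-1]["sent"]       # sent date of the last message in this part
        conv["message_count"] = len(msgs)
        # The Conversation item carries the text of all its child messages ...
        conv["text"] = "\n".join(
            f"[{m['sent']:%Y-%m-%d %H:%M}] {m['sender']}: {m['text']}" for m in msgs)
        # ... and reports every child attachment as its own attachment.
        conv["attachments"] = [a for m in msgs for a in m.get("attachments", [])]
        conv["participants"] = sorted({m["sender"] for m in msgs})
    return conversations


def sample_messages():
    """Constructed sample: 250 messages on 2021-03-01 from 09:00, one per minute,
    5 on 2021-03-02 and 1 on 2022-01-01, with two attachments."""
    msgs = []
    for i in range(250):
        msgs.append({"sender": "alice" if i % 2 else "bob",
                     "sent": datetime(2021, 3, 1, 9, 0) + timedelta(minutes=i),
                     "text": f"message {i}"})
    msgs[3]["attachments"] = ["photo.jpg"]
    msgs[120]["attachments"] = ["doc.pdf"]
    for i in range(5):
        msgs.append({"sender": "carol",
                     "sent": datetime(2021, 3, 2, 8, 0) + timedelta(minutes=i),
                     "text": f"day two {i}"})
    msgs.append({"sender": "alice", "sent": datetime(2022, 1, 1, 0, 30),
                 "text": "happy new year"})
    return msgs


if __name__ == "__main__":
    for split in ("Per Year", "Per Day", "Per Hour"):
        parts = build_conversations(sample_messages(), split, limit=100)
        print(split, [(c["start"].isoformat(), c["message_count"]) for c in parts])
```

With “Per Year” and a limit of 100, the 255 messages of 2021 become three Conversation items (100, 100 and 55 messages) and 2022 becomes one more, which is the “split further” behaviour described above; with “Per Day” the first day alone yields three parts.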
All attachments associated with Chat Message items will also be reported as attachments in the Conversation item. The number of attachments can thus be large if there are many Chat Message items with attachments present in the data.
The Number of recipients property of the Conversation item will be set as
In chat conversations extracted from a Cellebrite phone dump, the number of participants is derived from the entire conversation (all days) and then applied to all daily parts. This is different from Skype chat, which may have a different number of participants per day.
For Teams conversations extracted from a PST archive, the number of recipients of a conversation reply is derived from all channel conversation recipients present in the archive.
16.2. Previewing
One can preview both the Conversation items and the Chat Message items nested in them. In the case of previewing a Conversation item, the whole conversation thread will be rendered, with links to the preceding and succeeding Conversation items. When previewing a Chat Message item, only that single message will be rendered.
The Raw Data tab will contain the raw data based on which the conversation and message preview representation was constructed. The data that is shown here depends on the type of evidence data, e.g., a Skype SQLite database, a Cellebrite UFDR report, etc.
16.2.1. Previewing of Conversation items
When a Conversation item is opened in the Previewer, there are a number of differences with how other item types are displayed:
- A checkbox is rendered in front of each chat message. This makes it possible to flag the corresponding Chat Message item straight from within the conversation view. This is useful if only specific messages in the conversation are to be exported.
- Double-clicking on the Chat Message body (the gray area) will open the corresponding Chat Message item in a separate Previewer window.
- The attachments of all Chat Message items contained in the conversation will be reported in the Attachment tab of the Conversation item as well.
- Thumbnails of all Chat Message attachments contained in the conversation will be reported in the Thumbnails tab.
- Additional info shown in the Contents tab:
  - Start Date: indicates the date of the first chat message covered in this Conversation item.
  - End Date: indicates the date of the last chat message covered in this Conversation item (i.e., not necessarily the end date of the entire conversation).
  - Chat Accounts: shows all chat accounts that were participating in this particular conversation.
- When an attachment is an image and its binary content is present, it will be rendered as an inline image in the Conversation item’s preview for easier review.
There are a few additional conversation-related properties reported in the Properties tab: Number of recipients, Number of visible recipients, Protocol, Messages count
More information about these can be found by hovering the mouse over the question mark icon next to the property.
16.2.2. Previewing Chat Message items
The below image shows how a Chat Message item is previewed:
Note that there is no checkbox in front of the message text, as Chat Message items can be flagged by using the Flagged checkbox in the previewer’s toolbar on the left. Another reason for this is to make a visual distinction between Conversation items and Chat Message items.
If you want to preview the Conversation item that this Chat Message item corresponds to, you can use the “Preview Parent Conversation” action in Previewer, or navigate to it through the Tree tab.
In the case of Chat Messages items, the Properties tab contains the following chat message-related information: Recipients Count, Visible Recipient Count, Chat protocol
16.3. Exporting of Chat conversation and Chat Message items
One should be aware that there are two ways of exporting styled chat messages / conversations.
- Export as PDF
- Export as Report
16.3.1. Export as PDF
When exporting as PDF, the Conversation item or Chat Message item will be exported as it is rendered in the Previewer.
In the case of Conversation items, the whole conversation fragment covered by this Conversation item will be exported. There is no way to export only specific chat messages this way, but you will be able to redact it as you would with any other item.
In the case of Chat Message items, each individual chat message gets exported as a PDF.
The overall process of exporting to PDF is not explained here, as it is identical to exporting any other type of item to PDF.
16.3.2. Export as Report
The main difference of exporting as an Item Report, compared to the PDF export type, is that one can export either the whole conversation or just particular chat messages in it.
To export all messages in a specific conversation, select the Conversation item and export it using the Report export type. Make sure that Display as: Conversation is used in the Report – Sections step. A report created this way will contain all messages in that conversation.
To export specific messages in a conversation, you just need to select the desired Chat Message items and use the same export options as above. Intella Backpack will export the related conversation but restricted to the messages present in the export set:
When Indicate gaps of omitted messages is checked at the Report – Sections step, Intella will add the following information to the Report:
- [x skipped messages], inserted between two chat messages, indicating how many messages of the conversation lie between these two chat messages but were not included in the report. This marker is omitted if there are no chat messages in between the two exported messages.
- [Total: y skipped messages], indicating the total number of skipped messages in the related conversation.
17. Tagging
Tagging is the process where you connect a descriptive word to an item or a group of items. For example, one of your items is a PDF document containing valuable information. You decide to tag the item with the word “Important.” Tagging helps you to organize results, for example by separating important and unimportant information.
Tagging can be done in several ways in Intella. This chapter gives you an overview of the possibilities:
- Tagging in the main window
- Tagging in the previewer
- Letting other items inherit tags automatically
- Pin a tag to a button
- See all tagged items
- Searching with tags
- Deleting a tag
- Tagging in Compound cases
Tag names may contain letters, numbers, spaces and punctuation characters, except for:
|
17.1. Tagging in the main window
17.1.1. Adding or removing tags
To add tags:
- Select one or more items from the table, the thumbnail view or the timeline.
- Open the context menu (right mouse click), and select “Add or edit tags”.
- In the “Edit tags of x items” dialog you can select already defined tags, or define a new tag with an optional description and tag color. When you click OK, the marked tags will be linked to the selected items.
The “Edit Tags” dialog can also be used to remove tags from selected items. After unmarking the checkboxes and clicking OK, the tags will no longer be connected to selected items.
In general, when selecting more than one item, there are three symbols that can be displayed in the checkbox next to a tag name:
- An empty checkbox means that none of the selected items are connected to the tag.
- A minus sign in a checkbox means that some of the selected items, but not all of them, are connected to the tag.
- A marked checkbox means that all of the selected items are connected to the tag.
The Edit Tags menu option is also available in the Cluster Map: right-click on a cluster or label to open a popup menu with this and other options.
When you start typing the name of a new tag, the list of tags is filtered to show existing tags whose name contain the entered text. This can be used to check whether the intended tag already exists or to quickly navigate to the tag in a long list of tags.
When creating a new tag, a parent tag can be specified. Parent tags can be used to logically group tags, e.g. grouping custodian names, reviewers, locations, or priorities.
Parent tags can also be used to tag items. For example, when you have tags called Europe and Asia with subtags representing specific countries, you can choose whether to tag an item with a continent or a country.
The tag color is used as a background color for the tag name in many places where it appears, including the Tags facet and the Previewer. The default tag color is white, which doesn’t stand out from the background, but you can select a different color by clicking on the square button under “Tag Color” to open the color chooser. When adding a new tag, if you select the tag’s parent before choosing the custom color, the tag color will be automatically set to the parent tag’s color.
17.2. Tagging in the previewer
If you want to tag or remove a tag in the previewer, please take the following steps:
- Open the previewer.
- Click the Tag button to open the tag space.
- Enter a new tag or select an existing tag. To remove a tag (i.e. to remove the connection between an item and a tag), just deselect the tag in the list.
Three, six or nine tags can be shown as buttons in the previewer. When a tag is listed as a button, clicking the button assigns the tag to the current item. You can set the desired number of these quick-tag buttons in the File > Preferences > Results tab > Previewer section.
You can also use Ctrl+1, Ctrl+2, Ctrl+3, etc. to quick-tag an item. The numbers correspond with the button positions.
When the “Go to next item after tagging” toggle button is selected, the previewer will automatically switch to the next item in the list.
17.3. Automatic tag inheritance
When tagging items, the policy of your investigation may be that some related items should be tagged as well. One use case is when tagging items as irrelevant: all nested items may then be considered as irrelevant as well. Another use is tagging items as privileged; depending on your policy, this may then be extended to all other items within the same mail as well.
Intella offers mechanisms that let these additional tags be set automatically. For more information, see the section on tagging preferences.
17.4. Pin a tag to a button
In File > Preferences > Tagging tab > Previewer section you can select the number of quick tag buttons: three, six or nine. The default value is three quick tag buttons.
You can pin a tag to a button and keyboard shortcut (Ctrl+1, Ctrl+2, Ctrl+3) with the following steps:
- Select Tags in the facet panel.
- Right-click on a tag in the list to open the context menu.
- Select “Pin tag to button” and select a number from the submenu.
Now you can use the buttons in the previewer and the keyboard shortcuts to tag an item.
Tags that are pinned to a button are marked with a small blue pin in both the Tag facet and previewer.
To unpin a tag from a button, select 'Unpin tag' in the context menu of Tags.
17.5. See all tagged items
To get an overview of all items that are tagged in your case, please take the following steps:
- Select Features in the facet panel.
- Select Tagged from the list and click Search.
Now you can see all the items that have a tag in the Cluster Map panel.
17.6. Searching with tags
To search with tags, please take the following steps:
- Select Tags in the facet panel.
- Select a tag and click Search.
Now you can see the items that have the selected tag in the Cluster Map panel.
When querying for a parent tag, the result set will contain all items tagged with that tag or with any of its child tags.
17.7. Editing a tag
To edit a tag, please take the following steps:
- Select Tags in the facet panel.
- Right-click on a tag in the list.
- Use the dialog that opens to either:
  - Change the tag name.
  - Relocate the tag by choosing a different parent tag.
  - Alter the tag’s description.
  - Change the tag color.
17.8. Deleting a tag
To delete a tag from your case, please take the following steps:
- Select Tags in the facet panel.
- Right-click on a tag in the list.
- Select “Delete” and confirm.
Now this tag is no longer in your case.
When you delete a parent tag and confirm the operation, the tag and all its child tags are removed.
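The tag semantics spread over this chapter (the three checkbox states for a multi-item selection in 17.1.1, the parent-tag query in 17.6 that includes items tagged with any child tag, the Features > Tagged overview in 17.5, and the cascading delete in 17.8) fit in one small data structure. The class below is an added example, not Intella’s implementation; the names, the use of integer item ids and the in-memory sets are assumptions for the illustration.

```python
class TagTree:
    """Hierarchical tags with item assignments, mirroring the behaviour described
    in this chapter."""

    def __init__(self):
        self.parent = {}   # tag name -> parent tag name (None for a top-level tag)
        self.items = {}    # tag name -> set of item ids carrying that tag

    def create(self, name, parent=None):
        if name in self.parent:
            raise ValueError(f"tag {name!r} already exists")
        if parent is not None and parent not in self.parent:
            raise ValueError(f"parent tag {parent!r} does not exist")
        self.parent[name] = parent
        self.items[name] = set()

    def children(self, name):
        return [t for t, p in self.parent.items() if p == name]

    def subtree(self, name):
        """The tag itself followed by all its descendants."""
        out = [name]
        for child in self.children(name):
            out.extend(self.subtree(child))
        return out

    def tag(self, name, item_ids):
        self.items[name].update(item_ids)

    def untag(self, name, item_ids):
        self.items[name].difference_update(item_ids)

    def search(self, name):
        """Querying a tag returns items tagged with it or with any of its child tags."""
        return set().union(*(self.items[t] for t in self.subtree(name)))

    def delete(self, name):
        """Deleting a parent tag removes the whole subtree."""
        for t in self.subtree(name):
            del self.parent[t]
            del self.items[t]

    def checkbox_state(self, name, selected_ids):
        """State of the tag's checkbox in the 'Edit tags of x items' dialog:
        'empty' (no selected item has it), 'minus' (some do), 'marked' (all do)."""
        hits = sum(1 for i in selected_ids if i in self.items[name])
        if hits == 0:
            return "empty"
        return "marked" if hits == len(set(selected_ids)) else "minus"

    def tagged_items(self):
        """Every item that carries at least one tag (the Features > Tagged query)."""
        return set().union(*self.items.values()) if self.items else set()


if __name__ == "__main__":
    tree = TagTree()
    tree.create("Europe")
    tree.create("Netherlands", parent="Europe")
    tree.tag("Netherlands", {1, 2})
    tree.tag("Europe", {4})
    print(sorted(tree.search("Europe")))          # items tagged Europe or Netherlands
    print(tree.checkbox_state("Netherlands", {1, 4}))
```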
17.9. Annotations History
To revert a tagging or other type of annotation, open the Annotations History dialog by selecting File > Annotations History… This dialog represents a chronological list of all changes in tags, flags, comments, and custodians made on the case.
In the top panel, it is possible to set the start and end dates of the events to show. To include only events of specific case users, click the Select button and choose their names in the pop-up list. Click the Refresh button to update the events list.
To revert a specific change, select the annotation in the list and click the “Undo selected action” button. The reverted changes are marked with a strikethrough font. To restore a previously reverted change, click “Redo selected action”.
Note that some actions cannot be reverted directly. For instance, the creation of a tag cannot be undone without undoing or removing all associated item taggings that depend on it beforehand. The actions that cannot be undone at the moment are grayed out in the list.
18. Keyword Statistics
The Keywords tab gives detailed statistics about the keywords in a keyword list. The workflow is as simple as choosing a keyword list, specifying several calculation options, and clicking Calculate. This will produce a table showing the keyword list and several statistics for every keyword query in the list.
The nature of the information shown here potentially goes beyond what can be established in the Search tab.
18.1. Configuration
All controls for configuring the calculation are placed on the left side of the tab. The options are divided into four groups:
- The keyword list to use.
- The filter(s) to be applied.
- The document fields to search in.
- The statistics to be calculated.
At the top, the user can choose a previously uploaded keyword list or add one here. This uses the same collection of keyword lists as the Keyword Lists facet in the Search tab. Any list added in the facet can be used here and vice versa.
The second panel allows the search results to be filtered. When a saved search is chosen as a filter, the saved search is evaluated and its result is intersected with the result of each keyword search. For example, when searching for the keyword "letter" and filtering using a saved search for OCR-ed items that requires PDF documents and excludes a custodian, the result is an item set containing OCR-ed items that contain the keyword "letter", are PDF documents, and do not come from that custodian.
Although we call this functionality “keyword statistics”, the user can use the complete full-text search syntax here: wildcards, Boolean operators, phrase queries etc. are all available. Field-specific searches are also possible. When used in a query, these overrule the field settings set in the third panel.
The third panel offers the available search fields. These are the same as offered in the Search tab. By default, all fields are searched, but the user can choose to restrict searches to e.g. the document text, email headers, etc. Any combination of fields can be used.
The last panel offers checkboxes that determine what information the table will contain:
- The Items option adds columns indicating:
  - the number of items containing the keyword,
  - the corresponding percentage of items,
  - the deduplicated number of items, and
  - the exclusive items of a keyword, i.e. the deduplicated number of items that are not returned by any of the other keywords. It shows how many extra items are returned when a keyword is added, or how many items are lost when it is removed. This can e.g. be used to measure the impact of a search keyword on the length of the review process.
- The Hits option counts the number of occurrences of the search term in the texts. For example, when a keyword produces a document that contains the keyword 3 times and another document that contains the keyword 5 times, this column will show 8. The hits are counted across all the selected search fields, but only on the deduplicated items. If you use keyword lists with advanced search query syntax, please be aware that hit counting is supported for a limited set of query types.
- The Custodians option adds a column for every custodian in the case. Each custodian column indicates how many of the matching items originate from that custodian.
- The Families option adds two columns: “Families” and “Family items”. As described elsewhere in this manual, a family is an item set consisting of a top-level item (e.g. a mail in a PST file) and all its nested items (e.g. attachments, embedded images, archive entries). See the Preferences window for how families are determined in the case. The meaning of the two columns is then as follows:
  - The Families column shows in how many families the keyword occurs. For example, if a mail and two of its attachments all contain the keyword, that counts as a single family.
  - The Family Items column shows the total number of items that are contained in these families. This may (and usually will) include items that do not contain the keyword at all; they just belong to a family that has a hit in one of its other items.
  In cases where you are not directly exporting search results but rather their top-level parents (i.e. the default setting when exporting to PST), this tells you how much of the case is conceptually being exported that way. This may give an indication of how well a certain search filters items in a case.
18.2. Calculation
When the Calculate button is clicked, Intella will populate the table row by row.
The time required for the calculation is dependent on several factors, including the size of the keyword list, the hardware, the chosen search options and the storage location and size of the case. While most options can benefit from indices that make the calculation fast regardless of case size, the Hits option will have a considerable impact on the search speed.
The progress of the calculation will be shown in the status panel above the table.
During calculation, the Calculate button will change into a Stop button, allowing for manually terminating the process.
When clicking Calculate again, the previous results will be discarded and the table will be populated from scratch, using the (possibly changed) configuration options.
18.3. Results
The table order is the same as the order in the keyword list.
The last row shows the total amounts for each column. For the Exclusive and Hits columns, this is equal to the sum of the values in that column. For the other columns, the total amounts are calculated from the union of the item sets. Note that they are typically not the sum of all rows, as items may occur in multiple result sets.
Each table header also shows the total value that can appear in that column on that case. These maximums are not yet filtered by any saved searches that may have been selected. Only the totals at the bottom of the table take the saved searches into account.
The table can be sorted by clicking on one of the headers. This lets you find the queries with the most or the fewest item counts, the queries that involved the most families, etc. By default, the table order is the same as the order in the keyword list.
One can double-click on a row in the table and see the matching items from that result set in the Details view in the Search tab. It is also possible to select multiple rows using Ctrl-clicking or Shift-clicking. Then, right-click in the table and select “Query” to query for all these rows. A dialog will open, asking whether to evaluate the rows as separate queries or combine them into a single Boolean OR query.
To query the exclusive items of single or multiple keywords, select single or multiple rows using Ctrl-clicking or Shift-clicking, right-click on the selected rows and select “Query Exclusive”. The exclusive query will be shown in the Search tab. Note that the results table needs to be in deduplicating mode to see the exact same set of items as in the Keywords tab’s table.
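The statistics defined in 18.1 and the totals rule in 18.3 (Exclusive and Hits totals are column sums; Items, Deduplicated and Families totals come from the union of the result sets) are easiest to understand on a tiny case. The code below is an added example, not Intella’s calculation engine: the six-item case with md5 hashes, family ids and custodians is constructed, a plain whole-word match stands in for the full-text query, and the optional `scope` set plays the role of a saved-search filter.

```python
import re
from collections import Counter

# Constructed sample case. Items 1 and 3 are duplicates (same md5) held by
# different custodians; a family groups a top-level item with its nested items.
ITEMS = [
    {"id": 1, "md5": "a", "family": "F1", "custodian": "Alice", "text": "Invoice for the wire transfer attached"},
    {"id": 2, "md5": "b", "family": "F1", "custodian": "Alice", "text": "invoice 2023-01 (invoice copy)"},
    {"id": 3, "md5": "a", "family": "F2", "custodian": "Bob",   "text": "Invoice for the wire transfer attached"},
    {"id": 4, "md5": "c", "family": "F3", "custodian": "Bob",   "text": "please transfer the funds today"},
    {"id": 5, "md5": "d", "family": "F3", "custodian": "Bob",   "text": "quarterly report"},
    {"id": 6, "md5": "e", "family": "F4", "custodian": "Carol", "text": "wire me when you land"},
]
KEYWORDS = ["invoice", "transfer", "wire"]


def hit_count(text, keyword):
    """Whole-word, case-insensitive occurrences. Only plain terms are handled here,
    which mirrors the manual's note that hit counting supports a limited query set."""
    return len(re.findall(r"\b" + re.escape(keyword) + r"\b", text, re.IGNORECASE))


def keyword_statistics(items, keywords, scope=None):
    """One row per keyword plus a 'Total' row. `scope` is an optional set of item
    ids that every keyword result is intersected with (the saved-search filter)."""
    if scope is not None:
        items = [it for it in items if it["id"] in scope]
    by_id = {it["id"]: it for it in items}
    matched = {kw: {it["id"] for it in items if hit_count(it["text"], kw)} for kw in keywords}

    def md5s(ids):
        return {by_id[i]["md5"] for i in ids}

    def families(ids):
        return {by_id[i]["family"] for i in ids}

    def family_items(fams):
        return sum(1 for it in items if it["family"] in fams)

    def percent(ids):
        return round(100.0 * len(ids) / len(items), 1) if items else 0.0

    rows = {}
    for kw in keywords:
        ids = matched[kw]
        others = set().union(*(md5s(matched[o]) for o in keywords if o != kw))
        # One representative per md5, so a duplicate is counted once for Hits.
        reps = {by_id[i]["md5"]: by_id[i] for i in ids}.values()
        rows[kw] = {
            "items": len(ids),
            "percent": percent(ids),
            "deduplicated": len(md5s(ids)),
            "exclusive": len(md5s(ids) - others),   # dedup items no other keyword returns
            "hits": sum(hit_count(it["text"], kw) for it in reps),
            "custodians": dict(Counter(by_id[i]["custodian"] for i in ids)),
            "families": len(families(ids)),
            "family_items": family_items(families(ids)),
        }
    all_ids = set().union(*matched.values()) if matched else set()
    rows["Total"] = {
        "items": len(all_ids),                                   # union, not the sum
        "percent": percent(all_ids),
        "deduplicated": len(md5s(all_ids)),                      # union, not the sum
        "exclusive": sum(r["exclusive"] for r in rows.values()),  # column sum
        "hits": sum(r["hits"] for r in rows.values()),            # column sum
        "custodians": dict(Counter(by_id[i]["custodian"] for i in all_ids)),
        "families": len(families(all_ids)),                      # union, not the sum
        "family_items": family_items(families(all_ids)),
    }
    return rows


if __name__ == "__main__":
    for name, row in keyword_statistics(ITEMS, KEYWORDS).items():
        print(f"{name:>9}: {row}")
```

In the sample, every keyword occurs in two families, yet the Families total is 4 rather than 6, because the union of the three family sets is what gets counted; restricting the scope to exclude Carol’s items drops the Exclusive count of “wire” to 0, since its only remaining hits are duplicates of items that “invoice” and “transfer” also return.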
18.4. Exporting
The table contents can be exported by clicking on the Export button in the top right corner. This opens a dialog that lets the user choose the desired format(s) and, for the PDF and DOCX formats, a description to add to the report.
- CSV and XLSX – exports the table as a comma-separated values file or as a table in an Excel spreadsheet.
- PDF and DOCX – creates a document containing a keyword statistics report.
Keyword statistics report
This report builds on the information in the results table.
Each page has a header composed of the case name, the keyword list’s name, the date and time the report was created, and an optional description that was entered in the export dialog.
The page following the cover page contains an overview in the form of a bar chart, showing how the keyword list compares to all items in the case. It contains the following values:
- All items that contain any of the keywords in the list.
- The deduplicated number of all items that contain any of the keywords.
- The deduplicated number of all items that contain any of the keywords, extended with their family items.
- All items without any hits.
The following pages contain bar charts showing the Deduplicated and Exclusive values for each keyword in the list.
The last pages in the report contain a table showing for each keyword:
- The number of items containing the keyword.
- The deduplicated number of items.
- The number of items containing the keyword, extended with their family items.
- The deduplicated number of items not returned by any of the other keywords.
19. Preferences
To open the Preferences dialog, select the File > Preferences menu option.
To apply changes of the settings, click the Apply button. To apply changes and close the dialog box, click the OK button. The Cancel button will close the dialog box and discard all unapplied changes.
The specific settings per tab are explained below.
19.1. General
The Startup section controls how Intella behaves when a user opens a case. When the Check for availability of original evidence files option is on, Intella will check for the presence of evidence files at their original locations every time a case is opened. If any of the evidence files are missing, the user will be warned and directed to the Sources tab, where the missing evidence paths can be corrected.
The Check for updates on start-up option lets Intella look online for new versions of the software during startup. This lookup is done at most once every 24 hours. New versions will be shown in the upper right corner of the application. A message will also be shown there when this option is turned off or when fetching the latest version information has failed.
The Temp Folder controls where Intella stores its temporary files, e.g. for opening an item in its native application. By default, the used folder is inherited from the operating system, but it can be modified here, e.g. to accommodate a system with a small operating system drive or for performance or security reasons.
The Shutdown section controls how case backups are handled when the user closes the case. The three options control whether a backup of the case needs to be made when the case is closed, or whether this needs to be asked on every occasion. This setting is set for each case individually. The Backups folder is shared by all cases though. When a case is backed up, a copy of the entire case folder is made and placed in this folder. A previous backup is removed, if the backup has succeeded – note that this will have consequences for the disk space that needs to be available. The default location of this backup folder is next to the cases folder. We recommend changing this to a location that is located on a physical disk, so that disk malfunctions do not damage both the actual case and the backup.
When connecting to a shared case, the backup is only created from the local case folder, not from the remote case. To make a proper backup of a shared case, unshare it first and then back up the case on the server from which it was shared.
19.2. Display and Locale
The Display splash screen while loading a case option controls whether a splash screen will be displayed after you have selected a case in the Case Manager for opening in Intella.
The Language selection option lets you select the display language used for Intella. The set of values in the list depends on which language profiles are detected in the "translations" subfolder, located in the folder where Intella is installed.
Intella checks online whether new language profiles are available for the current Intella version and the currently used language. When this is the case, a message is displayed in the upper right corner of the main window. Clicking on that message will open a web browser and download the new language profile. The Browse… button in this panel can then be used to install the new profile.
The Date format setting lets the user select how dates and times will be displayed. The dropdown menu allows for various formats selected by country. This setting is not dependent on the display languages and allows for all generally used formats, regardless of which language profiles are available.
The Draw border around white redactions option generates a thin black border around those redaction marks that have a white color. Such redactions would otherwise not be visible as redacted areas in documents with a white background.
Finally, the Page format lets you select which paper size to use when exporting to PDF or printing items. Available options are ISO A4 and US Letter.
19.3. Dates
The Primary Date option controls how Primary Dates are determined for each item, based on a set of rules holding preferred attributes.
While processing the dates of all items, Intella will try to pick a matching date rule based on the item’s type and use it to determine the primary date attribute for that item.
- First, it looks for a rule that has the same MIME type as the item, e.g. the MS Word MIME type.
- When no such rule exists, it looks for a more general rule covering the type group that holds this MIME type, e.g. the Documents group. See the Type facet for how item types are grouped.
- If no such rule exists either, it falls back on the default rule to compute the Primary Date.
Each rule holds a prioritized list of all the date attributes that Intella supports. Once a primary date rule is selected for the item, the first date in this list that occurs in that item’s metadata is used to set the item’s primary date.
You can define many date rules for different MIME types or groups. You can add or remove rules from the set, but it must always contain the default rule. By clicking the Reorder dates button, you can change the priorities of the date attributes for the selected rules.
Because of the way rule selection works, the order of the rules does not affect the outcome. Only the order of attributes in a rule matters.
Note that the Primary Date settings also affect the Family Date attributes, as the Family Date of an item is defined as the Primary Date of its top-level parent.
When a change is made to the Primary Date settings, Intella will ask whether you want to rebuild the indices for those two dates. These indices are used for displaying and sorting the Primary Date and Family Date columns and for any Date facet searches on these attributes. Updating these indices can be a lengthy operation on large data sets. In case you wish to cancel this update operation, you can click the Cancel button in the progress dialog. This will revert your Primary Date settings back to the previous configuration and leave the indices unaltered. Note that it is not possible to alter the Primary Date settings without updating the relevant indices.
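The rule lookup described above (exact MIME type, then type group, then the default rule) followed by the first-present-attribute choice is easy to get wrong in one's head, so here is an added Python illustration of it. This is example code, not Intella's implementation: the MIME-to-group mapping, the rule names and the date attribute names are constructed assumptions, and the Family Date helper applies the definition given above (the Primary Date of the top-level parent).

```python
"""Primary Date rule selection and Family Date, as an added example.
Rule set, type groups and attribute names are constructed assumptions."""

# Constructed: which type group a MIME type belongs to (cf. the Type facet).
TYPE_GROUPS = {
    "application/msword": "Documents",
    "application/pdf": "Documents",
    "message/rfc822": "Emails",
}

# Constructed rule set: keys are MIME types, type group names or "default";
# values are the prioritized date attributes for that rule. The rule that
# must always exist is "default"; the order of the rules is irrelevant.
RULES = {
    "default": ["file_modified", "file_created"],
    "Documents": ["doc_created", "doc_modified", "file_modified"],
    "application/msword": ["doc_modified", "doc_created", "file_modified"],
    "Emails": ["sent", "received", "file_modified"],
}


def select_rule(rules, mime_type, type_groups):
    """Step 1: exact MIME type; step 2: the MIME type's group; step 3: default."""
    if mime_type in rules:
        return rules[mime_type]
    group = type_groups.get(mime_type)
    if group in rules:
        return rules[group]
    return rules["default"]


def primary_date(item, rules=RULES, type_groups=TYPE_GROUPS):
    """(attribute, value) of the first attribute in the selected rule that the
    item's metadata actually carries, or None if it carries none of them."""
    for attr in select_rule(rules, item["mime"], type_groups):
        value = item["dates"].get(attr)
        if value is not None:
            return attr, value
    return None


def family_date(item, by_id, rules=RULES, type_groups=TYPE_GROUPS):
    """Family Date = Primary Date of the item's top-level parent."""
    top = item
    while top["parent"] is not None:
        top = by_id[top["parent"]]
    return primary_date(top, rules, type_groups)


# Constructed items: an email (1) with a Word (2) and a PDF (3) attachment,
# plus a loose PNG (4) whose type has no specific rule.
ITEMS = {
    1: {"parent": None, "mime": "message/rfc822",
        "dates": {"sent": "2024-01-05T09:00", "file_modified": "2024-03-01T12:00"}},
    2: {"parent": 1, "mime": "application/msword",
        "dates": {"doc_created": "2023-12-20T08:00", "file_modified": "2024-03-01T12:00"}},
    3: {"parent": 1, "mime": "application/pdf",
        "dates": {"doc_modified": "2024-01-04T17:30", "file_modified": "2024-03-01T12:00"}},
    4: {"parent": None, "mime": "image/png",
        "dates": {"file_created": "2022-06-06T06:00"}},
}

if __name__ == "__main__":
    for item_id, item in ITEMS.items():
        print(item_id, primary_date(item), family_date(item, ITEMS))
```

Item 2 demonstrates step 1 (the MS Word rule is used even though a Documents rule exists), item 3 demonstrates step 2 (no PDF rule, so the Documents rule applies), and item 4 demonstrates the fallback to the default rule. Because `select_rule` looks rules up by key, reordering `RULES` cannot change any result, which is the point made above about rule order.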
19.4. Message Hash
You can switch between the legacy message hash that was used in Intella 2.2.1 and older, and the structured message hash that has been introduced in Intella 2.2.2.
The structured message hash allows you to use a less strict algorithm for deduplicating email, SMS and chat items, by deselecting components. For example, when "Include recipients" is deselected, an email with a Bcc header will be considered as a duplicate of an email without that header (assuming all other things are equal).
The structured message hash can only be used in cases created with Intella 2.2.2 or newer. Older cases will first need to be re-indexed with 2.2.2 or newer.
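The Bcc example above is the key property of a component-based message hash: two messages are duplicates exactly when the components you chose to include agree. The following Python script is an added illustration of that idea and is not Intella's hash; the component names, the canonicalization (address case and ordering, whitespace in subject and body) and the length-prefixed SHA-256 layout are this example's own assumptions.

```python
"""Structured message hash with selectable components (added example;
layout and component names are constructed, not Intella's format)."""
import hashlib


def _canon_addrs(addrs):
    """Lower-case and sort an address list so case and ordering do not matter."""
    return ",".join(sorted(a.strip().lower() for a in addrs))


def _canon_text(text):
    """Collapse runs of whitespace so reflowed copies still match."""
    return " ".join(text.split())


def structured_message_hash(msg, include_recipients=True, include_subject=True,
                            include_date=True, include_body=True):
    """SHA-256 over the selected components. Each component is written as
    name, length and value so that components cannot run into each other."""
    parts = [("from", _canon_addrs([msg["from"]]))]
    if include_recipients:
        for header in ("to", "cc", "bcc"):
            parts.append((header, _canon_addrs(msg.get(header, []))))
    if include_subject:
        parts.append(("subject", _canon_text(msg.get("subject", ""))))
    if include_date:
        parts.append(("date", msg.get("date", "")))
    if include_body:
        parts.append(("body", _canon_text(msg.get("body", ""))))
    h = hashlib.sha256()
    for name, value in parts:
        data = value.encode("utf-8")
        h.update(f"{name}:{len(data)}:".encode("utf-8"))
        h.update(data)
    return h.hexdigest()


def is_duplicate(a, b, **components):
    """True when both messages hash identically under the chosen components."""
    return structured_message_hash(a, **components) == structured_message_hash(b, **components)


# Constructed: the sender's copy of an email (Bcc still present) and the
# recipient's copy (Bcc header stripped in transit, body whitespace reflowed).
SENT = {"from": "alice@example.com", "to": ["bob@example.com"],
        "bcc": ["carol@example.com"], "subject": "Q3 figures",
        "date": "2024-05-01T10:00:00Z", "body": "See attached."}
RECEIVED = {"from": "alice@example.com", "to": ["bob@example.com"],
            "subject": "Q3 figures", "date": "2024-05-01T10:00:00Z",
            "body": "See  attached."}

if __name__ == "__main__":
    print("strict:            ", is_duplicate(SENT, RECEIVED))
    print("without recipients:", is_duplicate(SENT, RECEIVED, include_recipients=False))
```

With all components included the two copies are distinct, because the Bcc header differs; with `include_recipients=False` they collapse into one, which is the trade-off the "Include recipients" checkbox makes. Note that the less strict the hash, the more an investigator must verify by hand that two "duplicates" really are the same communication.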
19.5. Irrelevant Items
Intella automatically classifies certain items as "Irrelevant" during indexing. These are items that are generally regarded as non-relevant from a review point of view. Note that this only applies to the item itself, not its child items. One can think of this category as containing those items that you would likely not review when they show up as part of a keyword search result, unless in certain types of deep forensic analysis.
This classification has no effect on the processing of the affected items, other than storing the classification. It can be used to suppress items during searching and exporting, e.g. by toggling the Hide Irrelevant button, using the Features facet category or setting the corresponding options during export. This reduces the time needed for reviewing and exporting. If such filtering is not desirable, simply leave these options at their default, unselected state.
The following items are classified as Irrelevant:
- Folders – regardless of origin
- Email containers – e.g., PST, NSF, Mbox, …
- Disk images – e.g., E01, L01, DD, …
- Cellphone reports – e.g., UFDR, XRY XML, …
- Archives – e.g., ZIP, RAR, …
- Executables – e.g., EXE, BAT, …
- Load files – e.g., DII, DAT, …
- Empty – i.e., zero-byte files
- Embedded images – see the Features facet section for a definition of this category
Note that the flag is not automatically inherited by child items. Child items are only classified as Irrelevant if they match any of the criteria by themselves.
Currently, the criteria for classifying items as Irrelevant are hardcoded and fixed; the disabled checkboxes in the Irrelevant Items tab are only there to explain the process. We may make these options configurable in a future release.
19.6. Search
The Enable Search History option allows you to turn off the search history. The main use of this is when you do not wish these search terms to be recorded – be aware that they are still added to the audit trail and may leave traces in the log file. This setting is also a workaround for character sets (e.g. Korean characters) that cannot be entered properly when the history functionality is active.
The Restore the queries that were shown last option results in the current queries being stored during shutdown and restores them the next time the case is opened.
The Show Children options allow you to specify what children are returned when you click on Show Children in the Previewer or in the search results popup menu. You can specify the level by including only directly nested children (direct children only) or directly and indirectly nested children (all children). When you select the Ask every time option, you will be prompted for the desired level every time you use Show Children.
The Show Parents options control which items are ignored when the top-level or direct parent is determined for an item. This affects what the Show Parents, Show Top-level Parents and Show Family functions produce, which items are tagged when the Also tag all other items nested in the same top-level item option is selected in the Tagging tab, and which items are shown under the Top-Level Parents feature facet and column. Note that changing any of the Show Parents options will trigger a database update that might take some time to complete, depending on the number of items in the case.
19.7. Results
The Opening results option controls what happens when a result is double-clicked: open it in Intella’s internal Previewer, or in the native application registered with that file type.
The Following HTML links option relates to the links and externally linked images that can be found in HTML-based emails. Both can be dangerous to download automatically, e.g. because the request can tip off suspects that their emails are being read by another party. This panel lets you control how these link types are handled. By default, links are blocked and external images are not loaded automatically. This can be managed per individual email in the Previewer window or for all items at once in this preferences panel.
The Cluster Map options let you specify whether transitions on the Cluster Map should be animated and if so, how long that animation may take. You may want to disable animation if it causes performance problems on your system.
Furthermore, you can specify whether or not the Cluster Map should automatically be scaled when it does not fit inside the window. You can also change this option using the Cluster map toolbar button, or go to View > Cluster Map > Scale to fit window.
The Details View setting controls the number of values that are shown or exported when using Content Analysis columns. The values after the threshold are filtered out and replaced with an ellipsis. To export all values, simply set this threshold high enough for all values to be exported.
The Thumbnails View group controls the aspects of thumbnail generation:
- Thumbnail minimum size specifies which thumbnails are shown, based on the size of the original image in kilobytes. Images below this threshold are filtered out.
- The three video thumbnail options select an algorithm for extracting static frames to compose thumbnails for video items:
  - Fixed number of frames: the specified number of frames is extracted at equal time intervals.
  - Any number of frames every X seconds: frames are extracted at the specified time interval. The total number of frames depends on the length of the video item. Use this option with caution, as it can make thumbnail generation substantially slower.
  - First X frames every Y seconds: the fixed number of frames is extracted at the specified time interval and the rest of the video is skipped. Note that the actual number of extracted frames can be less than this limit, depending on the length of the video item.
Changing the settings in the Thumbnails View group clears the cache of previously generated thumbnails. This operation can also be performed separately using the Clear thumbnails cache now button.
The Previewer Window setting controls the maximum size of the files that will be presented in their native rendering in the Preview tab. Rendering of this tab may trigger a conversion from the document format at hand (e.g. an MS Word document) to PDF. This can take a long time for large and complex documents. By default, this limit is set to 10 MB.
Furthermore, the paragraph controls shown in the left margin of the Contents tab can be disabled using the Enable paragraph features checkbox. This only has an effect when the Analyze paragraph setting has been used during source creation.
19.8. Tagging
When tagging items, the policy of your investigation may be that some related items should be tagged as well, e.g. tagging items in a mail as privileged may require that all other items in that same mail are also tagged as privileged. The settings in this tab can make that happen automatically.
The three radio buttons specify how other items in the hierarchy need to be handled:
- Only tag the selected item is self-explanatory.
- Also tag all attached/nested items results in all attached or nested items being tagged with the same tag as well. This works recursively, i.e. all children in the hierarchy are tagged.
- Also tag all other items nested in the same top-level item means that everything from the top-level item down to the most deeply nested child gets the tag.
In addition to these three settings, you can also specify that all duplicates should also be tagged. When this setting is enabled, all items in the case with the same MD5 or message hash will inherit the tag. Furthermore, their children or siblings may also be tagged automatically, according to the settings described above.
The top-level parent of an item is determined per the Show Parents settings in the Search preferences.
The settings described above can also be accessed directly from the tagging dialog. That allows you to (temporarily) override the default settings that you specify here.
The Previewer setting controls the maximum number of quick tag buttons that are shown in the Previewer.
The Expand top-level tag groups in item properties setting controls how hierarchical tags are shown. By default, hierarchical tags will all show their hierarchical path, e.g. "Parent/Child1" and "Parent/Child2". When enabling this option, the parent tag will be shown as a properties line, followed by all child tags, e.g. "Parent: Child1 Child2". This can improve overview when items typically tend to have multiple tags in the same branch of the tag hierarchy.
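Because the three scope options and the duplicates option combine (duplicates inherit the tag, and the scope then applies to them as well), the set of items that actually receives a tag can be larger than expected. The following Python script is an added illustration of those propagation rules and is not Intella's code; the item hierarchy, the MD5 values and the policy names are constructed for the example.

```python
"""Tag propagation under the Tagging preferences (added example with a
constructed item model; not Intella's implementation)."""
from enum import Enum


class Scope(Enum):
    SELECTED_ONLY = 1     # Only tag the selected item
    NESTED = 2            # Also tag all attached/nested items (recursive)
    WHOLE_TOP_LEVEL = 3   # Also tag all other items nested in the same top-level item


# Constructed items: parent pointers form the hierarchy, md5 marks duplicates.
ITEMS = {
    1: {"parent": None, "md5": "m1"},  # mailbox container
    2: {"parent": 1, "md5": "e1"},     # email inside the mailbox
    3: {"parent": 2, "md5": "z1"},     # zip attached to the email
    4: {"parent": 3, "md5": "d1"},     # document inside the zip
    5: {"parent": 2, "md5": "d2"},     # second attachment
    6: {"parent": None, "md5": "e1"},  # loose copy of the email (duplicate of 2)
    7: {"parent": 6, "md5": "d1"},     # its attachment (duplicate of 4)
}


def children(items, item_id):
    return [i for i, it in items.items() if it["parent"] == item_id]


def descendants(items, item_id):
    """All items nested at any depth under item_id."""
    out, stack = set(), [item_id]
    while stack:
        for c in children(items, stack.pop()):
            if c not in out:
                out.add(c)
                stack.append(c)
    return out


def top_level(items, item_id):
    """Walk parent pointers up to the top-level item."""
    while items[item_id]["parent"] is not None:
        item_id = items[item_id]["parent"]
    return item_id


def items_to_tag(items, selected, scope, tag_duplicates=False):
    """Ids that receive the tag when `selected` is tagged under the policy."""
    targets = {selected}
    if scope is Scope.NESTED:
        targets |= descendants(items, selected)
    elif scope is Scope.WHOLE_TOP_LEVEL:
        top = top_level(items, selected)
        targets |= {top} | descendants(items, top)
    if tag_duplicates:
        # Every item with the same hash inherits the tag, and the scope policy
        # is applied to each such duplicate too; repeat until nothing new appears.
        while True:
            hashes = {items[i]["md5"] for i in targets}
            dups = {i for i, it in items.items() if it["md5"] in hashes} - targets
            if not dups:
                break
            for d in dups:
                targets |= items_to_tag(items, d, scope, tag_duplicates=False)
    return sorted(targets) and set(targets)


if __name__ == "__main__":
    for scope in Scope:
        print(scope.name, items_to_tag(ITEMS, 2, scope), items_to_tag(ITEMS, 2, scope, True))
```

Tagging email 2 with "nested" scope reaches its attachments (3, 4, 5); switching on duplicates additionally pulls in the loose copy 6 and, through the nested scope applied to that copy, its attachment 7. Selecting the deeply nested document 7 with "whole top-level" scope and duplicates enabled tags all seven items, which is the kind of spread worth checking before a privileged tag is applied case-wide.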
19.9. Geolocation
The Tile preferences section defines how the world map gets rendered in the Geolocation results view and the Previewer’s Geolocation tab.
Intella embeds a set of tiles for rendering this map. By default, this tile set is used. This embedded tile set enables use of the Geolocation views without requiring any configuration and/or network connection. The drawback of using this tile set is that the user can only zoom in six levels.
Another option is to integrate with a custom tile server. To enable use of such a server, select the Integrate with the tile server option. The Geolocation tab will then expand to offer additional settings.
In the example shown here, MapBox’s tile server is used. You can use any tile server you wish by typing its address into the Tile server integration URL field. The format for the URL is dependent on the chosen tile server.
To use a public tile server, you need to ensure that you comply with the tile server’s usage policy. This is your responsibility, not Vound’s.
The Min. zoom option defines the desired minimum zoom level in the user interface. This should be in the range of supported zoom levels of the chosen tile server.
The Max. zoom option defines the desired maximum zoom level in the user interface. This should be in the range of supported zoom levels of the chosen tile server.
The Tile Size (pixels) option defines the size of a single square tile. This value should match the size of the tiles which are returned by the tile server.
The Reverse X tile numbering and Reverse Y tile numbering options should be used when the tile numbering order used by the tile server is reversed. Usually there will be no need to use these two options.
Using a public tile server may reveal the locations that are being investigated to the tile server provider and anyone monitoring the traffic to that server, based on the tile requests embedded in the retrieved URLs.
If the investigation system has no internet connection, a custom tile server can be set up on the local network. One way of how this can be achieved can be found at http://osm2vectortiles.org/docs/serve-raster-tiles-docker/. This is out of the scope of this manual and Vound’s technical support.
Email geolocation allows one to estimate the geographic location of an email’s sender using the sender IP address. This process takes place during indexing. See the Geolocation chapter for a description of the process and its caveats.
Determination of the geographic location of an IP address requires the presence of MaxMind’s GeoIP2 or GeoLite2 database. These databases associate IP addresses with geographic locations. The databases can be found here:
- GeoIP2 database (commercial) – https://www.maxmind.com/en/geoip2-city
- GeoLite2 database (free) – http://dev.maxmind.com/geoip/geoip2/geolite2/
See the MaxMind website for a description of their differences, beyond price. Please note that when using either of these databases, you will need to register and generate a license key, as described here - https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases/
The chosen database can be installed by placing it in the following folder:
C:\Users\[USER]\AppData\Roaming\Intella\ip-2-geo-db
Alternatively, when you are on an Internet-connected machine, you can let Intella download and install the GeoLite2 database automatically by putting your license key in the Your license key field and clicking the Download GeoLite2 database button. After clicking this button, a dialog opens that states that proceeding with this download implies that you agree with the GeoLite2 license terms. After clicking Proceed, the download will start. The download progress will be shown in the Status field. Once the download has completed successfully, a green validation message will be shown here.
To use the Email geolocation feature, check the Determine the geographic location of an email sender’s IP address option when adding a new source.
20. Menu, mouse, and keyboard shortcuts
20.1. Main Menus
Below is a description of all menu items in the main window. Not all options appear in all products.
20.1.1. File
- Preferences: Opens the Preferences window (see Preferences).
- Annotations History: Opens the Annotations History window (see Annotations History).
- Restore Annotations…: Lets the user restore the annotations from a copy of this case, e.g. when the working copy has been damaged beyond repair.
- Excluded Paragraphs (Ctrl+Shift+F): Opens a window that shows all paragraphs explicitly excluded from keyword search and lets the user search for them or remove them from the list of excluded paragraphs.
- Exit (Ctrl+Q): Exits the application.
20.1.2. View
- Cluster Map Animate Changes: Turns cluster map animation on or off.
- Cluster Map Scale to Fit Window: Turns cluster map size scaling on or off.
- Details: Use the four sub-items to switch the Details panel to Table, List, Thumbnail or Timeline mode.
- Preview Item… (Ctrl+O): Lets the user open a specific item by its number. See the Item ID column in the Details table for these numbers.
- Close All Previews (Ctrl+Shift+W): Closes all open Previewer windows.
- Full screen: Toggles full-screen mode.
20.1.3. Export
- Cluster Map…: Exports the current Cluster Map as a PNG image.
- Social Graph…: Exports the current Social Graph as a PNG image.
- Timeline…: Exports the current timeline as a PNG image.
20.1.4. Help
- User Manual (F1): Opens the bundled user manual (this document).
- Release Notes: Opens the bundled release notes.
- Forum: Opens the Intella forum in a web browser.
- Open Log Folder: Opens the folder where Intella stores logging information.
- Scan logs for errors: Runs the Log Analysis tool (see the "Using the Log Analysis tool" section of the "Reading your log files" chapter).
- Open Export Templates Folder: Opens the folder where the user-defined export templates are stored. These files are .xml files that can be shared and copied to other case folders.
- About Intella <product edition>: Shows a dialog with three tabs. (1) The first tab contains the version number of Intella. (2) The second tab contains system information. (3) The third tab shows license information such as ID, type and restrictions.
20.2. Mouse actions
20.2.1. Table and thumbnail view
- Click and drag: Select multiple items.
- Ctrl+click: Select/deselect items.
- Double click on item: Depending on the preferences, this opens the clicked item in Intella’s internal Previewer, the registered native application, or opens a dialog asking the user what to do.
- Right click on item: Opens the popup or context menu.
20.2.2. Timeline
- Click on email: Opens the email in the Previewer.
- Double-click on email: Depending on the preferences, this opens the clicked item in Intella’s internal Previewer, the registered native application, or opens a dialog asking the user what to do.
- Right click on email: Opens the popup or context menu on that email.
20.2.3. Cluster Map
- Click on cluster or on label: Selects a cluster or result set and shows its items in the Details panel below.
- Click and drag: Moves the cluster to reorganize the Cluster Map.
- Right click on cluster, label or on the selections panel: Opens the popup or context menu on that item.
20.2.4. Social Graph
- Click on a node: Select a node and show its items in the Details panel below.
- Click on an edge: Select an edge and show its items in the Details panel below.
- Click and drag: Move nodes to reorganize the graph.
- Drag with right-mouse button pressed: Scroll (pan) the graph.
20.2.5. Histogram
- Click and drag: Zoom in on a specific area in the chart.
- Ctrl-click and drag: Pan (scroll) the chart.
- Click and move up: Restore zoom level.
- Mouse wheel: Zoom in and out of the chart.
20.3. Keyboard shortcuts
20.3.1. Main window
- Ctrl+N: Add new source
- Ctrl+R: Re-index all sources
- Ctrl+O: Open a specific numbered item
- Ctrl+Q: Exit the application
- Ctrl+Shift+W: Close all open preview windows
- F1: Open the Intella help file (requires a PDF viewer, like Adobe Acrobat)
- Spacebar (in thumbnail view): Flag selected item
- Ctrl+A: Select all items or text
20.3.2. Previewer window
- Alt+Right Arrow: Move to next item
- Alt+Left Arrow: Move to previous item
- Ctrl+C: Copy selected text
- Ctrl+V: Paste copied text
- Ctrl+A: Select all text
- Ctrl+1, Ctrl+2, or Ctrl+3: Tag an item with the tag assigned to button 1, 2 or 3 in the Previewer