2. An introduction to Intella Connect

Intella Connect is a web-based investigation and eDiscovery tool. It is ideally suited for use by enterprise, law enforcement and regulatory agencies in civil, criminal or policy-related investigations. It allows you to share any case that has been made with Intella 100, Intella 250, Intella Professional (Pro) or Intella TEAM Manager. The case can then be reviewed using any of the supported web browsers.

Cases can also be created directly in Intella Connect and its sources can be indexed using Intella Node. If a case already exists, it is however not required to have Intella Node in order to share such case.

Intella Connect’s unique visual presentation will let you quickly and easily search and review email and electronically stored information to find critical evidence and visualize relevant relationships. The birds-eye view helps you gain insight in information that is available on combinations of keywords. In each step of your search it shows the number of emails or files that match your search (and of course a link to the e-mails and files themselves) so that you can effectively zoom in to find what you are looking for.

With Intella Connect, you can…

  • Gain deeper insight through visualizations.
  • Search email, attachments, archives, headers, and metadata.
  • Drill deeply into the data using Intella Connect’s unique facets.
  • Group and trace email conversations.
  • Preview, cull, and deduplicate email and data.
  • Export results.

2.1. Supported web browsers

  • Google Chrome (most recent version)
  • Mozilla Firefox (most recent version)
  • Microsoft Edge
  • Internet Explorer 10 and newer

Note

As Microsoft has officially announced ending support for versions 8-10 of Internet Explorer on January 12th 2016, we decided to gradually stop supporting them too. Starting with Intella Connect 2.0.0 versions prior to IE 10 will no longer be supported, redirecting users to a static page where an appropriate error message is shown. Versions 10 will no longer be actively tested, however we intend to support it as long as all 3rd party software libraries that we are using will do that too. We may end support for it if we determine that potential problems cannot be easily fixed and are directly related to using this outdated browser.

Warning

Google Chrome and MS Edge will not delete session cookies after they are closed. That means that logged in user will not be logged out. With this in mind it’s always best to log out manually when you finish using Intella Connect.

2.2. System Requirements

Hardware

  • Intel Core i7 2600
  • 32 GB or more of main memory
  • 1 hard disk for case folder
  • 1 hard disk for evidence data

Hint

The use of SSD disks can further enhance performance.

Software

  • Windows 7 or Windows 8 are recommended.
  • For Windows Server, please see support for full details.
  • MS Office 2007 or above is required for exporting to PST.

2.3. Supported file formats

Intella Node can extract contents and metadata of the following file formats:

  • Mail formats:
    • Microsoft Outlook PST/OST. Versions: 97, 98, 2000, 2002, 2003, 2007, 2010, 2013, 2016, 365.
    • Microsoft Outlook Express DBX, MBX. Versions: 4, 5 and 6
    • Microsoft Exchange EDB files. Versions: 2003, 2007 and 2010
    • IBM Notes NSF (formerly known as Lotus Notes or IBM Lotus Notes). Notes 8.5.x or higher needs to be installed on the computer running Intella Node to process the NSF files. Intella Node supports all NSF files that can be processed by the installed IBM Notes version
    • Mbox (e.g. Thunderbird, Foxmail, Apple Mail)
    • Windows 10 Mail (POP accounts).
    • Saved emails (.eml, .msg)
    • Apple Mail (.emlx). Versions: 2 (Yosemite), 3 (El Capitan), 4 (Sierra), 5 (High Sierra) and 6 (Mojave). Testing concentrated mostly on versions 2, 5 and 6.
    • TNEF-encoded files (“winmail.dat” files)
    • Bloomberg XML dump
  • Cellphone extraction formats:
    • Cellebrite UFED XML export or UFDR file.
    • Micro Systemation XRY XML and Extended XML exports (Extended XML is strongly recommended).
    • Oxygen Forensic Suite XML export.
    • iTunes backups. iOS versions 8, 9 and 10 backed up with iTunes 12. Other versions may work but have not been tested.
  • Disk image formats:
    • EnCase images (E01, Ex01, L01, Lx01 and S01 files)
    • FTK images (AD1 files), version 3 and 4
    • DD images
    • MacQuisition images (RAW, .00001 files)
    • ISO images (ISO 9660 and UDF formats)
    • VMware images (VMDK files). Supported types are RAW (flat), COWD version 1 (sparse) and VMDK version 1, 2 and 3 (sparse). Not supported are images that use a physical storage device.
    • VHD disk images. Supported type is VHD version 1.
  • Document formats:
    • MS Office: Word, Excel, PowerPoint, Visio, Publisher, OneNote, both old (e.g., .doc) and new (.docx) formats, up to MS Office 2016 and MS Office 365. MS OneNote 2007 is not supported
    • OpenOffice: both OpenDocument and legacy OpenOffice/StarOffice formats
    • Hangul word processor (.hwp files)
    • Corel Office: WordPerfect, Quattro, Presentations
    • MS Works
    • Plain text
    • HTML
    • RTF
    • PDF (incl. entered form data)
    • XPS
  • Archives:
    • Zip. Supported compression methods: deflate, deflate64, bzip2, lzma and ppmd.
    • 7-Zip. Supported compression methods: lzma, lzma2, bzip2 and ppmd.
    • Gzip
    • Bzip2
    • ZipX
    • Tar
    • Rar
    • RPM Package Manager (RPM)
    • Cpio
    • ARJ
    • Cabinet (CAB)
    • DEB
    • XZ
  • Web-browser artifacts:
    • Google Chrome: history, keyword search, typed URLs, cookies, form history, bookmarks, logins, downloads
    • Mozilla Firefox: history, keyword search, typed URLs, cookies, form history, bookmarks, downloads
    • Microsoft Internet Explorer (6-11): history, keyword search, typed URLs, cookies (partial support)
    • Microsoft Edge: history, keyword search, typed URLs
    • Apple Safari: history
  • Search Warrant Results:
    • Hotmail (uses a HTML-based collection of files)
    • Gmail and Yahoo (uses an Mbox variant)
  • Instant Messaging:
    • Skype SQLite databases, versions 7.x (stable), 8.x, 11.x and 12.x (experimental).
    • IBM Notes Sametime chats
    • Pidgin account stores
    • Note that cellphone extraction reports typically also contain instant messaging fragments that Intella Node may pick up during indexing.
  • Databases:
    • SQLite databases, version 3. Note that Skype SQLite databases get processed differently.
    • Mac OS property lists (.plist and .bplist files), in ASCII, XML or binary form.
  • Cryptocurrency (detection only):
    • Bitcoin wallets and blockchains
    • Dogecoin wallets and blockchains
    • Litecoin wallets and blockchains
    • Multibit Classic wallets and blockchains
    • Multibit HD wallets and blockchains
  • Miscellaneous formats:
    • iCal
    • vCard
    • XML
    • IBM Notes deletion stubs

The following types of encrypted files and items can be decrypted, if the required access keys (passwords, certificates, ID files) are provided in the Key Store:

  • PST/OST
  • NSF*
  • PDF
  • DOC
  • XLS
  • PPT
  • OpenXML (.docx, .xlsx, .pptx)
  • PDF
  • ZIP
  • RAR
  • 7-Zip
  • S-MIME-encrypted emails
  • PGP-encrypted emails

Encrypted fields of NSF items are only decrypted if the NSF as a whole is encrypted too.

When indexing plain text file formats, Intella Node can essentially handle all character encodings supported by the Java 8 platform. This relates to regular text files and to email bodies encoded in plain text format. See http://docs.oracle.com/javase/8/docs/technotes/guides/intl/encoding.doc.html for a complete listing.

When the encoding is not specified, Intella Node will try to heuristically determine the encoding. The following encodings are then supported:

  • UTF-7
  • UTF-8
  • UTF-16BE
  • UTF-16LE
  • UTF-32BE
  • UTF-32LE
  • Shift_JIS Japanese
  • ISO-2022-JP Japanese
  • ISO-2022-CN Simplified Chinese
  • ISO-2022-KR Korean
  • GB18030 Chinese
  • Big5 Traditional Chinese
  • EUC-JP Japanese
  • EUC-KR Korean
  • ISO-8859-1 Danish, Dutch, English, French, German, Italian, Norwegian, Portuguese, Swedish
  • ISO-8859-2 Czech, Hungarian, Polish, Romanian
  • ISO-8859-5 Russian
  • ISO-8859-6 Arabic
  • ISO-8859-7 Greek
  • ISO-8859-8 Hebrew
  • ISO-8859-9 Turkish
  • windows-1250 Czech, Hungarian, Polish, Romanian
  • windows-1251 Russian
  • windows-1252 Danish, Dutch, English, French, German, Italian, Norwegian, Portuguese, Swedish
  • windows-1253 Greek
  • windows-1254 Turkish
  • windows-1255 Hebrew
  • windows-1256 Arabic
  • KOI8-R Russian
  • IBM420 Arabic
  • IBM424 Hebrew

Several file formats are processed by applying heuristic string extraction algorithms, rather than proper parsing and interpretation of the binary contents of the file. This is due to a lack of proper libraries for interpreting these file formats. Experiments with these heuristic algorithms have shown that their output is still useful for indexing and full-text search. It typically will produce a lot of extra gibberish data, visible in the Previewer, and there is no guarantee that the extracted text is complete and correct. The affected formats are:

  • Corel Office: WordPerfect, Quattro, Presentations
  • Harvard Graphics Presentation
  • Microsoft Project
  • Microsoft Publisher
  • Microsoft Works
  • StarOffice

2.4. Supported sources

  • File or Folder

Files on local and network file systems can be indexed by Intella Node. Please check the list of supported file formats.

  • Load files

Intella can index load files that are stored in Concordance, Relativity and CSV format.

  • Hotmail Search Warrant Result

Intella can index the mail packages delivered by Microsoft when responding to a search warrant.

  • Disk images

Intella can open disk image files in formats listed above and index their contents as if they were mounted and indexed as a regular Folder source. No recovery of items from unallocated or slack space is performed.

  • IMAP account

Intella Node is able to access an email accounts on an IMAP email server and index emails and attachments. Versions: Intella Node was tested on several IMAP servers with good results. However, we cannot guarantee that Intella Node is able to create IMAP account sources for every IMAP email server.

  • MS Exchange EDB Archive

Use this option for index an MS Exchange EDB files and restrict indexing to a specific set of mailboxes. Indexing an EDB file in its entirety can be done by using the File or Folder source type.

  • Dropbox

Intella Node can access a personal Dropbox or DropBox? for Business account and index all folders and files stored in that account.

  • Gmail

Intella Node can access a Gmail account and index the emails and attachments in that account.

  • SharePoint

Intella Node can access a SharePoint instance and can index one or more of the sites in that instance.

  • Office 365

Intella Node can index the complete contents of an Office 365 account, incl. the Outlook, OneDrive?, and SharePoint? services of that account.

  • iCloud

Intella Node can access an Apple iCloud account and retrieve all information synced to that account from an associated device or entered on icloud.com.

2.5. Feedback

We take great care in providing our customers with a pleasant experience, and therefore greatly value your feedback. You can contact us through the form on http://support.vound-software.com/ or by mailing to one of the email addresses on the Contact page.