5. Insight view

The Insight tab contains a number of information panels that together give a concise overview of the information inside the case, revealing suspect behavior and giving rise to follow-up investigative questions.

The information is extracted from a variety of sources, such as emails and documents, web browser histories, Windows registries and more.

Clicking on entries like a document type or custodian name in the Insight tab will add a relevant search for that item category to the Cluster Map in the Search view. The main window will then automatically switch to the Search view as well.

Note

The boxes in the Insight section and the Case section can now be reordered and resized to accommodate a user’s needs and display.

5.1. Case info

The Case info section shows basic case information such as the case folder, case size and creation date.

5.2. Evidence

The Evidence section shows important global statistics regarding your data. A detailed description of each category can be found in the Facet panel section, under the Features facet.

5.3. Types

The Types section shows a breakdown of the different types of files and other items in the case, in the same hierarchical structure as the Type facet described in the Facet panel section.

5.4. Custodians

The Custodians section shows the list of custodians in the case, if any, together with the number of items that are assigned to them. A pie chart showing these amounts is shown to the right of the table.

For detailed information on how to define custodians see the section titled “Custodians” in Facet panel.

5.5. Internet Artifacts

The Internet Artifacts section contains information about web browser activity, based on the browser histories detected in the evidence data.

The following browsers are supported: MS Internet Explorer/Edge, Mozilla Firefox, Google Chrome and Apple Safari.

The top chart shows the list of encountered browser histories, listing the following information:

  • The path of the browser history in the evidence data.
  • The type of browser, represented by the browser’s desktop icon.
  • The number of visited URLs in the browser history, both as a number and as a bar showing the amount relative to the total amount of visited URLs in the entire case.
  • The last used date of the browser history, i.e. the last time a new URL was added or a visit count was updated. Note that manual deletions of URLs in the history by the end user are not taken into account when determining the last used dates; it is merely indicative of when the regular day-to-day usage of that browser ended.

At the very top of this list is a row that represents the total amount of visited URLs in the case, regardless of location and web browser type.

Beneath the list of browser histories there is a breakdown of the visited URLs:

  • The “Top 100 visited URLs” table shows the most visited URLs, with for each URL the number of visits as indicated by the browser history.
  • The “Top 100 visited domains” table shows the most visited domains, together with the sum of the visit counts of all URLs in that domain. Subdomains are treated as independent domains.
  • The panels “Social media”, “Cloud storage”, “Webmail” and “Productivity” show the number of visits that belong to some commonly used websites, such as Facebook and Twitter for social media, DropBox and OneDrive for cloud storage, Gmail and Yahoo Mail for webmail, etc.

By default, this breakdown covers all visited URLs in the case. By clicking on a row in the list of browser histories one can narrow down on the visited URLs in that particular browser history. The selected browser is indicated by the blue URL count bar.

Note

The categories and domains that are checked can be configured by editing the common-websites.xml file in the [CASEDIR]\prefs folder.

Warning

During the development of this functionality we observed that the semantics of a “visited URL” may differ between browsers, possibly even between browser versions. In some cases it indicates that the user explicitly visited a URL by entering it in the browser’s address bar or by clicking a link. In other cases all resources loaded as a consequence of displaying that page may also be registered as “visited”, even resources from other domains, without making any distinction between the explicitly entered or clicked URLs on the one hand and the other resources on the other hand. One should therefore carefully look at the operation of a specific browser before drawing any final conclusions.
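The breakdown of visited URLs and domains above, and the difference in “visited URL” semantics that the warning describes, can both be seen in Chrome’s History database. The following is an added example, not code from Intella Connect: it builds a reduced copy of Chrome’s `urls` and `visits` tables in memory from constructed rows (the column names, WebKit timestamps and transition codes are Chrome’s, the rows are invented), then counts visits once over every recorded visit and once over top-level navigations the user plausibly caused. Subframe loads pulled in by a page show up in the first count but not the second, which is exactly why two browsers, or two tools, can disagree on a visit count.

```python
"""Count Chrome history visits two ways: every recorded visit, and only
top-level navigations the user initiated. Added example with a reduced
Chrome History schema and constructed rows; not Intella Connect code."""
import sqlite3
from collections import Counter
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Chrome stores visit_time as microseconds since 1601-01-01 UTC (WebKit time).
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# The low byte of visits.transition is the "core" transition type.
CORE_LINK, CORE_TYPED, CORE_AUTO_BOOKMARK = 0, 1, 2
CORE_AUTO_SUBFRAME, CORE_MANUAL_SUBFRAME = 3, 4
CORE_GENERATED, CORE_AUTO_TOPLEVEL, CORE_FORM_SUBMIT, CORE_RELOAD = 5, 6, 7, 8
# Top-level navigations a user plausibly caused; subframes and automatic
# top-level loads are page plumbing, not "the user visited this URL".
USER_INITIATED = {CORE_LINK, CORE_TYPED, CORE_AUTO_BOOKMARK, CORE_GENERATED,
                  CORE_FORM_SUBMIT, CORE_RELOAD}


def webkit_to_datetime(us):
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def to_webkit(dt):
    return int((dt - WEBKIT_EPOCH) / timedelta(microseconds=1))


def open_history(rows):
    """Build an in-memory History database from (url, title, visit_time, transition)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                          visit_count INTEGER DEFAULT 0, last_visit_time INTEGER);
        CREATE TABLE visits(id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER,
                            from_visit INTEGER, transition INTEGER);
    """)
    for url, title, visit_time, transition in rows:
        row = db.execute("SELECT id FROM urls WHERE url = ?", (url,)).fetchone()
        if row is None:
            url_id = db.execute("INSERT INTO urls(url, title, visit_count, last_visit_time) "
                                "VALUES (?, ?, 0, 0)", (url, title)).lastrowid
        else:
            url_id = row[0]
        db.execute("UPDATE urls SET visit_count = visit_count + 1, "
                   "last_visit_time = MAX(last_visit_time, ?) WHERE id = ?", (visit_time, url_id))
        db.execute("INSERT INTO visits(url, visit_time, from_visit, transition) VALUES (?, ?, 0, ?)",
                   (url_id, visit_time, transition))
    db.commit()
    return db


def visit_counts(db, user_initiated_only=False):
    """Return {url: number of visits}, optionally keeping only user navigations."""
    counts = Counter()
    sql = "SELECT u.url, v.transition FROM visits v JOIN urls u ON u.id = v.url"
    for url, transition in db.execute(sql):
        if user_initiated_only and (transition & 0xFF) not in USER_INITIATED:
            continue
        counts[url] += 1
    return counts


def domain_counts(url_counts):
    """Sum visits per host name; subdomains stay separate, as in the Insight tab."""
    domains = Counter()
    for url, n in url_counts.items():
        domains[urlsplit(url).hostname] += n
    return domains


def last_used(db):
    """Time of the newest visit, i.e. when day-to-day use of this history ended."""
    (t,) = db.execute("SELECT MAX(visit_time) FROM visits").fetchone()
    return webkit_to_datetime(t)


# Constructed sample: a typed visit to a news site pulls in an ad iframe and a
# widget from other domains; later the user clicks a story and opens webmail.
T0 = to_webkit(datetime(2021, 5, 4, 9, 30, tzinfo=timezone.utc))
CHAIN_END = 0x10000000  # qualifier bit Chrome sets on the last hop of a navigation
SAMPLE_ROWS = [
    ("https://news.example.com/", "News", T0, CHAIN_END | CORE_TYPED),
    ("https://ads.tracker.example/frame", "", T0 + 200_000, CORE_AUTO_SUBFRAME),
    ("https://cdn.example.net/widget", "", T0 + 300_000, CORE_AUTO_SUBFRAME),
    ("https://news.example.com/story/1", "Story", T0 + 60_000_000, CHAIN_END | CORE_LINK),
    ("https://ads.tracker.example/frame", "", T0 + 60_200_000, CORE_AUTO_SUBFRAME),
    ("https://mail.example.com/inbox", "Mail", T0 + 3_600_000_000, CORE_TYPED),
]

if __name__ == "__main__":
    db = open_history(SAMPLE_ROWS)
    print("all visits:      ", visit_counts(db).most_common())
    print("user-initiated:  ", visit_counts(db, user_initiated_only=True).most_common())
    print("domains (all):   ", domain_counts(visit_counts(db)).most_common())
    print("last used:       ", last_used(db))
```

With the sample rows the ad domain is the second most visited “domain” when all visits are counted and disappears entirely when only user-initiated navigations are counted; a “Top 100 visited domains” table built on the first definition will rank trackers and CDNs that the user never typed or clicked.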

5.6. Timeline

The Timeline shows the timestamps of all items in the case, per year or per month. This not only gives a rough overview of events over time, but can also be used to find data anomalies, e.g. unexpected peaks or gaps in the volume of emails. Such anomalies may for example be caused by an incomplete capture of evidence files, bugs in the custodian’s software, default values entered by client software, or actions of malicious custodians (resetting date fields, deleting information).

To the right of the chart are all date fields that Intella currently supports. Each date field shows the number of items that have that date field set. Date fields that do not occur in this case are disabled. (De)selecting one of the checkboxes changes the Timeline to include or exclude the counts for that date field.

Recomputing the counts may take some time, depending on the case size and on whether a local or remote case is used. The resulting counts are cached, so afterwards the checkbox can be toggled and the chart changes instantly. The chart can show either months or years.

Note

The Timeline’s time axis only shows dates between January 1 1969 and two years from “now”. This is to prevent obviously incorrect dates that have been extracted from corrupt files from spoiling the graph.

5.7. Identities

The Identities section consists of three tables with various types of identities, which may represent users or other entities.

The User accounts table shows a list of user accounts extracted from the evidence data. These can be:

  • Windows user accounts, extracted from Windows registry hives.
  • Skype user accounts, extracted from Skype databases. These are the database’s local account, not the entire contacts list of that account.
  • Pidgin user accounts. Again these are the local accounts, not the entire contact list.
  • User accounts in cellphone reports as produced by Cellebrite UFED, Micro Systemation XRY and the Oxygen Forensic suite. See the documentation of the respective product for details on the correct interpretation of such information.

The “Origin” column in this table shows either a machine name extracted from a Windows registry or the location of the evidence file that the account was extracted from.

The Top 10 email addresses table shows the 10 email addresses with the highest number of emails in the case. Both the raw and deduplicated counts are shown. The top 10 is based on the raw counts.

The Top 10 host names table shows the host names that have the most emails associated with them. These are essentially the host names that show up when you expand the “All Senders and Receivers” branch in the Email Address facet. Both the raw and deduplicated counts are shown. The top 10 is based on the raw counts.

5.8. Notable Registry Artifacts

Note

The information provided in this view is experimental. We greatly value your feedback on this via our support portal at http://support.vound-software.com/ or via our community forum at http://community.vound-software.com/.

The Notable Registry Artifacts (NRA) section gives insight into the most important artifacts extracted from the Windows registry hives of the investigated machines/operating systems.

A case may contain evidence files (usually in the form of disk images) that relate to multiple operating systems (OSes), simply because multiple machines may be involved, but also because a machine may have multiple operating systems installed. Hence the artifacts are grouped by OS, labeled by the “Computer Name” that was extracted from the registry, and further subdivided in a number of categories.

The following artifact types are currently extracted and reported:

  • Basic OS information
  • OS time zones
  • OS user accounts
  • Network interfaces
  • Network connections
  • USB mass storage devices that have been connected
  • Recently used files
  • Shellbags
  • Typed URLs registered by web browsers using the registry

A “registry artifact” is a logical concept in Intella Connect that is modeled as an atomic item in the case and that holds important information typically used in digital forensic investigations. This information is specially selected for this purpose by experienced forensic experts. While the properties of a registry artifact may be scattered across different registry hives and backups of these hives, Intella Connect will unify them into a coherent item.

The NRA section is divided into two parts. On the left hand side, labeled “Overview”, the tree organizing the registry artifacts is shown. The first level nodes represent OSes labeled with the “Computer Name” extracted from the registry. One level deeper we find sub-nodes for the various registry categories (e.g. “User Accounts”), followed by leaf nodes representing the actual artifacts (e.g. a specific User Account).

One can select a leaf node in this tree, which will show the properties of that registry artifact in the Details view on the right hand side. Clicking on button “Open in previewer” in the Details view opens the registry artifact item in the Previewer.

This shows additional information such as the location of the item and allows for browsing to nearby items in the item hierarchy using the Previewer’s Tree tab.

Besides the regular registry hives, the Windows registry maintains backup files in the form of so-called “RegBack” files. Intella Connect will process these files as well and display the extracted data in the NRA section. Values coming from such backup registry hives are marked with a “RegBack” label and are only displayed when they differ from the corresponding values in the current files. Not doing so would greatly increase the amount of redundant registry information.

5.8.1. Supported registry hives

Intella Connect will process the following registry hives:

Registry hive        Location
SYSTEM               Windows/System32/config/SYSTEM
SYSTEM (RegBack)     Windows/System32/config/RegBack/SYSTEM
                     Windows/repair/SYSTEM
NTUSER.DAT           Found under the Users/<user id> or Documents and Settings/<user id> folder
SOFTWARE             Windows/System32/config/SOFTWARE
SOFTWARE (RegBack)   Windows/System32/config/RegBack/SOFTWARE
                     Windows/repair/SOFTWARE
SAM                  Windows/System32/config/SAM
SAM (RegBack)        Windows/System32/config/RegBack/SAM
                     Windows/repair/SAM

Note

Registry artifacts can be extracted from disk images and folders only if all relevant files are located in the proper folders, e.g. Windows\System32\config\SYSTEM.

Note

Support for Windows XP and older is limited.

5.8.2. Operating system information

This category contains only one item, named after the computer name stored in the registry. The properties of the OS Info item are extracted from the SOFTWARE and SYSTEM hives and the corresponding backup files. Keys extracted from SOFTWARE\Microsoft\Windows NT\CurrentVersion are:

  • ProductName
  • ProductId
  • CurrentVersion
  • RegisteredOwner
  • RegisteredOrganization
  • InstallDate

Keys extracted from SYSTEM\CurrentControlSetXXX are listed below. Note that an offline hive has no CurrentControlSet link: the control set that was in use is the ControlSet00N key named by the Current value under SYSTEM\Select, and a hive can contain several control sets with differing values.

  • ComputerName
  • ShutdownTime

5.8.3. Time zones

The Time Zones category provides the time zone of the suspect’s machine. The properties of the time zone artifact are extracted from SYSTEM\CurrentControlSetXXX\Control\TimeZoneInformation. The following keys are extracted from the hive and make up a time zone artifact:

  • ActiveTimeBias
  • Bias
  • StandardBias
  • DaylightBias
  • TimeZoneKeyName
  • DaylightName
  • StandardName
  • DynamicDaylightTimeDisabled
  • DisableAutoDaylightTimeSet
  • DaylightStart
  • StandardStart
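Two details trip up manual interpretation of the OS Info and Time Zones values listed above: ShutdownTime is a 64-bit FILETIME (100 ns ticks since 1601, UTC), and the Bias values are REG_DWORDs, so a zone east of UTC shows up as a large unsigned number (0xFFFFFFC4 rather than -60) unless it is reinterpreted as a signed 32-bit integer. DaylightStart and StandardStart are 16-byte SYSTEMTIME structures in which wYear = 0 marks a recurring rule and wDay is the week of the month (5 = last). The block below is an added example, not Intella Connect code; the raw values are constructed to resemble what a hive parser returns for a machine on W. Europe Standard Time, and the field layouts are Windows’ own.

```python
"""Decode ShutdownTime, the TimeZoneInformation Bias values and the
DaylightStart/StandardStart rules. Added example with constructed values;
not Intella Connect code."""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
DAYS = ("Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday")


def filetime_to_datetime(raw):
    """8-byte little-endian FILETIME (100 ns ticks since 1601) -> aware UTC datetime."""
    (ticks,) = struct.unpack("<Q", raw)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def signed_dword(value):
    """REG_DWORD is unsigned on disk. Bias is positive west of UTC and negative
    east of UTC, so UTC+1 is stored as 0xFFFFFFC4 and must be read as -60."""
    return value - (1 << 32) if value & 0x80000000 else value


def parse_systemtime(raw):
    """16-byte SYSTEMTIME: wYear == 0 means a recurring rule where wDay is the
    week of the month (5 = last); all zero means no DST transition."""
    names = ("year", "month", "day_of_week", "week", "hour", "minute", "second", "millisecond")
    return dict(zip(names, struct.unpack("<8H", raw)))


def describe_rule(st):
    if st["month"] == 0:
        return "no transition"
    week = "last" if st["week"] == 5 else f"week {st['week']}"
    return (f"{week} {DAYS[st['day_of_week']]} of month {st['month']} "
            f"at {st['hour']:02d}:{st['minute']:02d} local")


def local_time(utc_dt, active_time_bias_min):
    """UTC = local + ActiveTimeBias, hence local = UTC - ActiveTimeBias."""
    return utc_dt - timedelta(minutes=active_time_bias_min)


def decode(tz_values, shutdown_raw):
    """Turn raw registry values into the fields a report would show."""
    active = signed_dword(tz_values["ActiveTimeBias"])
    shutdown_utc = filetime_to_datetime(shutdown_raw)
    return {
        "TimeZoneKeyName": tz_values["TimeZoneKeyName"],
        "Bias_min": signed_dword(tz_values["Bias"]),
        "ActiveTimeBias_min": active,
        "dst_start": describe_rule(parse_systemtime(tz_values["DaylightStart"])),
        "dst_end": describe_rule(parse_systemtime(tz_values["StandardStart"])),
        "shutdown_utc": shutdown_utc,
        "shutdown_local": local_time(shutdown_utc, active),
    }


# Constructed sample: W. Europe Standard Time (UTC+1, UTC+2 in summer), machine
# shut down on 2020-07-15 14:05:00 UTC. Bias = 0xFFFFFFC4 (-60) and
# ActiveTimeBias = 0xFFFFFF88 (-120) as the unsigned DWORDs a hive parser yields.
SAMPLE_TZ = {
    "TimeZoneKeyName": "W. Europe Standard Time",
    "Bias": 0xFFFFFFC4,
    "ActiveTimeBias": 0xFFFFFF88,
    "StandardBias": 0,
    "DaylightBias": 0xFFFFFFC4,
    # DST starts last Sunday of March 02:00, ends last Sunday of October 03:00
    "DaylightStart": struct.pack("<8H", 0, 3, 0, 5, 2, 0, 0, 0),
    "StandardStart": struct.pack("<8H", 0, 10, 0, 5, 3, 0, 0, 0),
}
_shutdown_secs = int((datetime(2020, 7, 15, 14, 5, tzinfo=timezone.utc) - FILETIME_EPOCH).total_seconds())
SAMPLE_SHUTDOWN = struct.pack("<Q", _shutdown_secs * 10_000_000)

if __name__ == "__main__":
    for key, val in decode(SAMPLE_TZ, SAMPLE_SHUTDOWN).items():
        print(f"{key:>20}: {val}")
```

The sign handling is the part worth checking in any tool’s output: a report that shows a Bias of 4294967236 minutes, or a local shutdown time that lands two hours on the wrong side of UTC, has treated the DWORD as unsigned.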

5.8.4. User accounts

The User Accounts category contains all user accounts detected in an OS. The user accounts are extracted from SAM\Domains\Account\Users in the SAM hive and the corresponding backup files. The following values are extracted from the hive:

  • User RID key, F value:

    • Last Login Date
    • Password Reset Date
    • Account Expiration Date
    • Last Failed Login
    • Login Count
    • Password Required
  • User RID key, V value:

    • Privilege Level
    • User Name
    • User Description
  • UserPasswordHint
  • ForcePasswordReset
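The F and V values are undocumented binary structures, so the dates and flags listed above only mean something once the offsets are known. The following is an added example, not Intella Connect code: it parses the F value (FILETIMEs at fixed offsets, the RID, the account-control flags and the login counters) and the V value (a 0xCC-byte header of offset/length pairs followed by UTF-16LE strings) using the layout that tools such as RegRipper’s samparse rely on. The F and V blobs are constructed with the builder functions, not taken from a real hive; on a live case the account whose “Password Required” comes back false, or whose last login postdates its supposed disablement, is the one to look at first.

```python
"""Parse the F and V values of a SAM\\Domains\\Account\\Users\\<RID> key.
Added example with constructed blobs; not Intella Connect code."""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = 0x7FFFFFFFFFFFFFFF  # "account never expires" sentinel

# Account control bits (ACB flags), WORD at F offset 0x38.
ACB_DISABLED = 0x0001
ACB_PWNOTREQ = 0x0004
ACB_NORMAL = 0x0010
ACB_PWNOEXP = 0x0200
ACB_AUTOLOCK = 0x0400


def filetime(raw):
    (ticks,) = struct.unpack("<Q", raw)
    if ticks in (0, NEVER):
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_f(f):
    """Fixed-offset fields of the F value."""
    acb = struct.unpack_from("<H", f, 0x38)[0]
    return {
        "last_login": filetime(f[0x08:0x10]),
        "password_reset": filetime(f[0x18:0x20]),
        "account_expires": filetime(f[0x20:0x28]),
        "last_failed_login": filetime(f[0x28:0x30]),
        "rid": struct.unpack_from("<I", f, 0x30)[0],
        "disabled": bool(acb & ACB_DISABLED),
        "password_required": not (acb & ACB_PWNOTREQ),
        "password_never_expires": bool(acb & ACB_PWNOEXP),
        "failed_login_count": struct.unpack_from("<H", f, 0x40)[0],
        "login_count": struct.unpack_from("<H", f, 0x42)[0],
    }


def _vstr(v, hdr_off):
    """V header holds (offset, length) DWORD pairs; offsets are relative to 0xCC."""
    off, length = struct.unpack_from("<II", v, hdr_off)
    return v[0xCC + off: 0xCC + off + length].decode("utf-16-le")


def parse_v(v):
    return {"user_name": _vstr(v, 0x0C), "full_name": _vstr(v, 0x18),
            "description": _vstr(v, 0x24)}


def parse_user(f, v):
    return {**parse_f(f), **parse_v(v)}


def build_f(rid, last_login, pw_reset, acb, logins, failed=0):
    """Constructed F blob (0x50 bytes) with only the fields parsed above set."""
    def ft(dt):
        return int((dt - FILETIME_EPOCH) / timedelta(microseconds=1)) * 10
    f = bytearray(0x50)
    struct.pack_into("<Q", f, 0x08, ft(last_login))
    struct.pack_into("<Q", f, 0x18, ft(pw_reset))
    struct.pack_into("<Q", f, 0x20, NEVER)
    struct.pack_into("<I", f, 0x30, rid)
    struct.pack_into("<H", f, 0x38, acb)
    struct.pack_into("<H", f, 0x40, failed)
    struct.pack_into("<H", f, 0x42, logins)
    return bytes(f)


def build_v(user_name, full_name, description):
    """Constructed V blob: 0xCC-byte header followed by the UTF-16LE strings."""
    hdr, body = bytearray(0xCC), b""
    for hdr_off, text in ((0x0C, user_name), (0x18, full_name), (0x24, description)):
        data = text.encode("utf-16-le")
        struct.pack_into("<II", hdr, hdr_off, len(body), len(data))
        body += data
    return bytes(hdr) + body


# Constructed sample: RID 1001, enabled normal account, password not required,
# 17 logins and 2 failed attempts.
SAMPLE_F = build_f(1001, datetime(2020, 3, 1, 8, 15, tzinfo=timezone.utc),
                   datetime(2019, 12, 24, 17, 0, tzinfo=timezone.utc),
                   ACB_NORMAL | ACB_PWNOTREQ, logins=17, failed=2)
SAMPLE_V = build_v("jdoe", "John Doe", "Workstation user")

if __name__ == "__main__":
    for key, val in parse_user(SAMPLE_F, SAMPLE_V).items():
        print(f"{key:>22}: {val}")
```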

5.8.5. Network interfaces

The Network Interfaces category contains all network adapters registered in the registry of an investigated OS. Information about network interfaces is extracted from the SYSTEM and SOFTWARE registry hives and their backup files. The following keys found in SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\<ID> refer to basic network interface properties:

  • Service Name (the interface GUID, used to look up the DHCP settings below)
  • Description

The DHCP settings are obtained from the following values in SYSTEM\CurrentControlSetXXX\Services\Tcpip\Parameters\Interfaces\<Name>, where <Name> is the interface GUID found in Service Name above. LeaseObtainedTime, LeaseTerminatesTime, T1 and T2 are REG_DWORD values holding seconds since 1970-01-01 UTC (Unix epoch):

  • LeaseObtainedTime
  • LeaseTerminatesTime
  • T1
  • T2
  • DhcpIpAddress
  • DhcpDefaultGateway
  • DhcpNameServer
  • DhcpServer
  • DhcpSubnetMask
  • DhcpDomains
  • EnableDHCP

5.8.6. Network connections

The Network Connections category contains all connections to networks stored and extracted from the Windows registry. Information about registered network connections is obtained from a single place: SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\<ProfileName>.

5.8.7. USB mass storage devices

Under USB Mass Storage Devices one can find data about USB devices that have been connected to the machine(s) being investigated. When a user connects a USB device, the Windows operating system records that device in the registry. The relevant data is distributed across the SOFTWARE and SYSTEM registry hives and their backups. Besides the hives, certain USB-related information can be found in the setupapi.dev.log file that Windows writes during device installation.

In the SYSTEM hive, the per-device data (vendor, product, revision and serial number) is stored under the CurrentControlSetXXX\Enum\USBSTOR branch, and the USB vendor and product IDs under CurrentControlSetXXX\Enum\USB. Connections of USB volumes are registered in the SYSTEM\MountedDevices key (a top-level key of the hive, not a sub-key of USBSTOR): each value is named after either a drive letter (\DosDevices\E:) or a volume GUID (\??\Volume{GUID}), and its binary data identifies the device. For a USB volume this data is the device instance path, which contains the vendor, product and serial number strings, so the same device can be tied to both its drive letter and its volume GUID.

The SOFTWARE hive stores information about connected portable devices. The names of the portable devices can be found at Microsoft\Windows Portable Devices\Devices.

Device installation dates are stored in the textual setupapi.dev.log file. Intella Connect searches for sections containing the USBSTOR keyword and extracts the device identifier and the device installation date from them. Note that these timestamps are written in the local time of the investigated machine, not in UTC.
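The two USB traces described in this section fit together once the MountedDevices data is decoded and the setupapi.dev.log sections are keyed by device instance ID. The following is an added example, not Intella Connect code. The MountedDevices values and the log excerpt are constructed, but follow the real formats: a USB volume’s value data is the UTF-16LE path `_??_USBSTOR#Disk&Ven_…&Prod_…&Rev_…#<serial>&0#{53f56307-b6bf-11d0-94f2-00a03e96a5b7}` (the trailing GUID is the disk interface class), a fixed MBR partition is 12 bytes of disk signature plus partition offset, and the log marks an installation with `>>>  [Device Install (…) - USBSTOR\…]` followed by `>>>  Section start YYYY/MM/DD HH:MM:SS.mmm`.

```python
"""Decode MountedDevices values and setupapi.dev.log Device Install sections
and join them per USB device. Added example with constructed data; not
Intella Connect code."""
import re
import struct
from datetime import datetime

DISK_INTERFACE_GUID = "53f56307-b6bf-11d0-94f2-00a03e96a5b7"  # GUID_DEVINTERFACE_DISK
USBSTOR_PATH_RE = re.compile(
    r"_\?\?_USBSTOR#Disk&Ven_(?P<ven>[^&]*)&Prod_(?P<prod>[^&]*)&Rev_(?P<rev>[^#]*)"
    r"#(?P<serial>[^&#]+)&\d+#\{(?P<guid>[0-9a-f-]+)\}$", re.I)
SECTION_RE = re.compile(r"^>>>\s+\[Device Install \([^)]*\) - USBSTOR\\(?P<id>[^\]]+)\]")
START_RE = re.compile(r"^>>>\s+Section start (\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")


def decode_mounted_device(data):
    """12 bytes = MBR disk signature + partition offset (fixed disk); otherwise a
    UTF-16LE device path, which for a USB volume starts with _??_USBSTOR#."""
    if len(data) == 12:
        sig, offset = struct.unpack("<IQ", data)
        return {"kind": "mbr-partition", "disk_signature": f"{sig:08X}", "offset": offset}
    try:
        text = data.decode("utf-16-le").rstrip("\x00")
    except UnicodeDecodeError:
        return {"kind": "unknown", "raw": data.hex()}
    m = USBSTOR_PATH_RE.match(text)
    if not m:
        return {"kind": "other", "text": text}
    d = m.groupdict()
    d["kind"] = "usbstor"
    # Device instance id as it appears under Enum\USBSTOR and in setupapi.dev.log.
    d["instance_id"] = f"Disk&Ven_{d['ven']}&Prod_{d['prod']}&Rev_{d['rev']}\\{d['serial']}&0"
    return d


def usb_devices(mounted_devices):
    """Group \\DosDevices\\X: and \\??\\Volume{...} entries by USB serial number."""
    devices = {}
    for name, data in mounted_devices.items():
        rec = decode_mounted_device(data)
        if rec["kind"] != "usbstor":
            continue
        dev = devices.setdefault(rec["serial"], {
            "vendor": rec["ven"], "product": rec["prod"], "instance_id": rec["instance_id"],
            "drive_letters": [], "volume_guids": [], "first_install": None})
        if name.startswith("\\DosDevices\\"):
            dev["drive_letters"].append(name.rsplit("\\", 1)[1])
        elif name.startswith("\\??\\Volume{"):
            dev["volume_guids"].append(name[len("\\??\\Volume{"):-1])
    return devices


def first_install_times(log_text):
    """Map USBSTOR instance id -> first 'Section start' time (machine local time)."""
    times, current = {}, None
    for line in log_text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group("id")
            continue
        m = START_RE.match(line)
        if m and current is not None:
            times.setdefault(current, datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S.%f"))
            current = None
    return times


def report(mounted_devices, log_text):
    """Registry-derived devices joined with their first installation time."""
    installs = first_install_times(log_text)
    devices = usb_devices(mounted_devices)
    for dev in devices.values():
        dev["first_install"] = installs.get(dev["instance_id"])
    return devices


def usb_path(ven, prod, rev, serial):
    """Constructed MountedDevices value data for a USB volume."""
    path = f"_??_USBSTOR#Disk&Ven_{ven}&Prod_{prod}&Rev_{rev}#{serial}&0#{{{DISK_INTERFACE_GUID}}}"
    return path.encode("utf-16-le")


# Constructed sample data, not from a real system.
SAMPLE_MOUNTED = {
    "\\DosDevices\\C:": struct.pack("<IQ", 0x1A2B3C4D, 1048576),
    "\\DosDevices\\E:": usb_path("SanDisk", "Cruzer_Blade", "1.00", "4C530001230101234567"),
    "\\??\\Volume{9c1f2e8a-3b7d-4c5e-9f10-112233445566}":
        usb_path("SanDisk", "Cruzer_Blade", "1.00", "4C530001230101234567"),
    "\\DosDevices\\F:": usb_path("Kingston", "DataTraveler_3.0", "PMAP", "0019E06B2A1F"),
}
SAMPLE_LOG = """\
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00\\4C530001230101234567&0]
>>>  Section start 2021/02/03 09:41:12.345
     cmd: C:\\Windows\\system32\\svchost.exe -k DcomLaunch
<<<  Section end 2021/02/03 09:41:13.012
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP\\0019E06B2A1F&0]
>>>  Section start 2021/02/10 18:03:55.100
<<<  Section end 2021/02/10 18:03:56.004
"""

if __name__ == "__main__":
    for serial, dev in report(SAMPLE_MOUNTED, SAMPLE_LOG).items():
        print(serial, dev)
```

The join on the instance ID is what makes a first-connection date attributable to a specific stick; a drive letter alone is reused across devices, and a serial number that carries no installation section in the log means the device was first connected before the current log was started, not that it was never installed.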

5.8.8. Recent files

Information about the most recently used files is extracted from the NTUSER.DAT registry hive, from Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\<extension>. Recent files are grouped by file extension; for each extension the registry maintains a separate MRU list (the MRUListEx value), with the most recently opened file first.

The last access timestamp is stored only for the most recent items of each extension. For the rest of the items Intella Connect provides users with an estimated time period, based on the order of the items in the MRU lists.

Furthermore the files accessed before and after the current file are shown in the Details view.
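The ordering and the “estimated time period” described above come straight from the layout of a RecentDocs\<extension> key, as the following added example (not Intella Connect code) shows. It relies on three layout facts: each numbered value begins with the file name as a null-terminated UTF-16LE string (followed by shell item data, ignored here), MRUListEx is a list of little-endian DWORD indices in most-recent-first order terminated by 0xFFFFFFFF, and the key’s last-write time is the only timestamp and dates only the head of the list. The values and the last-write time are constructed.

```python
"""Order RecentDocs entries by MRUListEx and bracket the undated ones.
Added example with constructed values; not Intella Connect code."""
import struct
from datetime import datetime, timezone

MRU_TERMINATOR = 0xFFFFFFFF


def parse_mrulistex(data):
    """Return entry indices in most-recent-first order."""
    order = []
    for (idx,) in struct.iter_unpack("<I", data):
        if idx == MRU_TERMINATOR:
            break
        order.append(idx)
    return order


def entry_name(data):
    """File name = UTF-16LE string up to the first double-null on a code-unit boundary."""
    end = 0
    while end + 1 < len(data):
        if data[end] == 0 and data[end + 1] == 0:
            break
        end += 2
    return data[:end].decode("utf-16-le")


def recent_files(values, key_last_write):
    """values: {value_name: bytes} of one RecentDocs\\<ext> key. Only the head of
    the list is dated (by the key's last-write time); every other entry is older
    than that, and its neighbours in the list bound when it was opened."""
    order = parse_mrulistex(values["MRUListEx"])
    names = [entry_name(values[str(i)]) for i in order]
    entries = []
    for pos, name in enumerate(names):
        entries.append({
            "position": pos,
            "name": name,
            "opened": key_last_write if pos == 0 else None,
            "opened_before": key_last_write,
            "accessed_after": names[pos - 1] if pos > 0 else None,   # newer neighbour
            "accessed_before": names[pos + 1] if pos + 1 < len(names) else None,  # older
        })
    return entries


def make_entry(name):
    """Constructed value data: name, terminator, a few bytes standing in for the shell item."""
    return name.encode("utf-16-le") + b"\x00\x00" + b"\x14\x00\x1f\x50"


# Constructed sample: three .docx entries; MRUListEx says 2 is newest, then 0, then 1.
SAMPLE_VALUES = {
    "0": make_entry("budget.docx"),
    "1": make_entry("resignation.docx"),
    "2": make_entry("clients.docx"),
    "MRUListEx": struct.pack("<4I", 2, 0, 1, MRU_TERMINATOR),
}
SAMPLE_LAST_WRITE = datetime(2022, 1, 18, 16, 42, 7, tzinfo=timezone.utc)

if __name__ == "__main__":
    for e in recent_files(SAMPLE_VALUES, SAMPLE_LAST_WRITE):
        print(e)
```

Because only the head is dated, the correct statement about “resignation.docx” here is that it was opened before clients.docx (and therefore before the key’s last-write time), not that it was opened at any particular time.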

5.8.9. Shellbags

The Shellbags category contains all shellbags extracted from registry hives. A shellbag is a set of registry keys in which Windows Explorer records how a user viewed a file system folder, and therefore evidence that the folder was opened in Explorer. Extracted are Access, LastModified, LastExplored and Create dates, the size of the folder and information about the OS user that accessed or modified the folder. All relevant registry keys are extracted from the NTUSER.DAT registry hive in the following branches:

  • Software\Microsoft\Windows\Shell
  • Software\Microsoft\Windows\ShellNoRoam

Note that on Windows Vista and later, Explorer stores most shellbag data in the user’s UsrClass.dat hive (under Local Settings\Software\Microsoft\Windows\Shell), which is not among the supported hives listed above.

5.8.10. Typed URLs

The Typed URLs category contains the most recent URLs that a user entered in the address bar of the MS Internet Explorer or MS Edge browser, i.e. typed (or address-bar selected) navigations rather than every visited page. This information is extracted from the NTUSER.DAT registry hive in the Software\Microsoft\Internet Explorer\TypedURLs branch.

5.10. Devices

The Devices section contains a list of all USB mass storage devices that have been connected to the suspect machines. This information is taken from the Notable Registry Artifacts section. It provides the ability to quickly oversee and sort all devices found in the case.

5.11. Networks

The Networks section contains a list of wired and wireless networks that a suspect machine has been connected to. This information is taken from the Notable Registry Artifacts section and from cellphone reports. It provides the ability to quickly oversee and sort all networks found in the case.

5.12. Significant Words

The Significant Words panel visualizes important words encountered in the item texts in the case, based on a statistical model of term relevance. The bigger the font of a particular word, the higher the relevance that word may have for the data set at hand.

These results are purely suggestive: though they are based on commonly used information retrieval techniques, they only look at the evidence data. In particular, they do not take the investigative research questions into account, or any investigative results such as items tagged as “relevant”.

The Paragraphs section shows statistics on the paragraphs that Intella Connect has registered, when the Analyze Paragraphs setting was set on the source(s) in the case. It lists the number of unique and duplicate paragraphs, both as raw numbers and as percentages. Furthermore, the Paragraphs marked as Seen or Unseen are counted. Finally, the number of Documents, Emails and Other item types with unique content (i.e. a paragraph that does not occur in any other item) is listed. These groups can be clicked, which shows these item sets in the Search tab.

5.13. Workflow

The Workflow section lists additional tasks that one might consider after the initial indexing is done. These tasks can further refine the case index quality and kick-start the investigation and analysis phases.

Additional Processing category:

  • The Export encrypted items link opens up the Export wizard for all items that are encrypted but have not been decrypted.

    • Export encrypted items list exports the metadata of these items to a CSV file.
  • The Export unprocessed items link opens up the Export wizard for all items that fall into the “Extraction Unsupported” category in the Features facet.

    • Export unprocessed items list exports the metadata of these items to a CSV file.
  • The Export exception items link opens up the Export wizard for all items that fall into the “Exception Items” category in the Features facet.

Search & Analysis category:

  • The Run content analysis link initiates the content analysis procedure for all items in the case. This detects person, organization and location names used in the item texts and reports them in the Content Analysis facets.
  • Add keyword list adds a keyword list to the case, for use in the Keyword Lists facet or Keywords tab in the Statistics view.
  • Add MD5 list adds an MD5 or message hash list, for use in the MD5 and Message Hash facet.
  • Add saved search adds a saved search obtained from another case to this case, for use in the Saved Searches facet and Keywords tab in the Statistics view.

Report category:

There are currently no tasks available in this category.