Intella Connect Reviewer Manual 2.6.1

The Insight view shows notable aspects of the indexed evidence files and possible next steps to take. The overview given here can help an investigator get a grasp of the case’s contents, such as the encountered item types and their volumes, date ranges, web browser activity, etc. This will help formulate follow-up questions for further research. Most elements in this view can be clicked or double-clicked, which adds a search in the Search sub-view or opens the corresponding item in the Previewer.

To learn more about this view please refer to the Insight view section.

Search view interface consists of the following panels:

When Intella Connect opens the case for the first time, the Cluster Map, Selections and Details panels will all be empty. The investigative work can be started by using one of the available Facets.

The first facet is a text search facet which consists of:

The right part of the Images view is basically a thumbnails view along with action options. Each item can be right-clicked to show a list of options.

This subview offers a good overview of batches created in this case. It also the view selected by default when users clicks on the "Review" button in the main navigation.

Batches are organized in a form of a table. Each column is sortable by clicking on its name. The first column allows user to select one or multiple rows. Please note that user may also use CTRL or SHIFT buttons while selecting more, to easily select more batches at once.

Please refer to the Batching and Coding section for more information about batches.

The second subview of the Review UI is the Coding View presented below.

It consists of the three main UI parts:

It’s important to understand that these tree components are closely tied together. The list on the left gives a nice overview of what kind of items this batch contains, and which one is currently reviewed (active). It also allows to quickly jump between items and it reflects the state of the coding for each item individually. Simplified Previewer makes it easy to evaluate the contents of the active item, see its native Preview (if the current item supports it) or redact it. The Coding Panel reflects the state of coding in the context of the active item.

Each of these components is described in more detail in the Batching and Coding section.

Intella Connect will process the following registry hives:

By default, a query containing multiple terms matches with items that contain all terms anywhere in the item. For example, searching for:

John Johnson

returns all items that contain both “John” and “Johnson.” There is no need to add an AND (or “&&”) as searches are performed as such already, however doing so will not negatively affect your search.

If you want to find items containing at least one term but not necessarily both, use one of the following queries:

John OR Johnson

John || Johnson

The NOT operator excludes items that contain the term after NOT:

John NOT Johnson

John -Johnson

Both queries return items that contain the word “John” and not the word “Johnson.”

John -“John goes home”

This returns all items with “John” in it, excluding items that contain the phrase “John goes home.” The NOT operator cannot be used with a single term. For example, the following queries will return no results:

NOT John

NOT “John Johnson”

To search for a certain phrase (a list of words appearing right after each other and in that particular order), enter the phrase within full quotes in the search field:

“John goes home”

will match with the text “John goes home after work” but will not match the text “John goes back home after work.” Phrase searches also support the use of nested wildcards, e.g.

“John* goes home”

will match both “John goes home” and “Johnny goes home”.

You can use parentheses to control how your Boolean queries are evaluated:

(desktop OR server) AND application

retrieves all items that contain “desktop” and/or “server,” as well as the term “application.”

To perform a single character wildcard search you can use the “?” symbol. To perform a multiple character wildcard search you can use the “*” symbol.

To search for “next” or “nest,” use:

ne?t

To search for “text”, “texts” or “texting” use:

text*

The “?” wildcard matches with exactly one character. The “*” wildcard matches zero or more characters.

Intella Connect supports fuzzy queries, i.e., queries that roughly match the entered terms. For a fuzzy search, you use the tilde (“~”) symbol at the end of a single term:

roam~

returns items containing terms like “foam,” “roams,” “room,” etc.

The required similarity can be controlled with an optional numeric parameter. The value is between 0 and 1, with a value closer to 1 resulting in only terms with a higher similarity matching the specified term. The parameter is specified like this:

roam~0.8

The default value of this parameter is 0.5.

Intella supports finding items based on words or phrases that are within a specified maximum distance from each other in the items text. This is a generalization of a phrase search.

To do a proximity search you place a tilde (“~”) symbol at the end of a phrase, followed by the maximum word distance:

returns items with these two words in it at a maximum of 10 words distance.

It is possible to mix individual words, wildcards and phrases in proximity queries. The phrases must be enclosed in single quotes (' ') in this case:

Nested proximity searches are also possible:

Intella’s Keyword Search searches in document texts, titles, paths, etc. By default, all these types of text are searched through. You can override this globally by deselecting some of the fields in the Options, or for an individual search by entering the field name in your search.

title:intella

returns all items that contain the word “intella” in their title.

The following field names are available:

You can mix the use of various fields in a single query:

intella agent:john

searches for all items containing the word “intella” (in one of the fields selected in the Options) that have “john” in their author metadata or email senders and receivers.

Tokenization underlies the keyword search functionality in Intella. It is the process of dividing texts into primitive searchable fragments, known as "tokens" or "terms". Each token makes a separate entry in the text index, pointing to all items containing this token. Keyword search works by finding matches between the tokens in the user’s query and in the index. Therefore, for effective keyword search, it is vital to have a basic understanding of how tokenization works in Intella.

Tokenization employs different algorithms, but in the most common case it is simply splitting the text around specific characters known as "token delimiters". These delimiters include spaces, punctuation symbols, and other non-alphabetic characters, to produce tokens close to the natural language words.

A side effect of this method is that it is impossible to search for words together with the token delimiters. If these characters are met in the user query, they play their delimiting role, thus being handled the same as simple spaces. This is rarely a problem, although it should be taken into account when doing a keyword search.

There is no specific support for the handling of diacritics. E.g., characters like é and ç will be indexed and displayed, but these characters will not match with 'a' and 'c' in full-text queries. A workaround can be to replace such characters with the '?' wildcard.

The following characters have special meaning in the query syntax and may cause an error message if not used in accordance to the syntax rules:

To prevent the syntax errors, these characters need to be escaped by the preceding \ character. Please note that if the character is classified as a token delimiter, then escaping it in the query will not make it searchable.

This release contains experimental support for searching with regular expressions. This may be extended, refined and documented in a future release. For now, please visit http://lucene.apache.org/core/4_3_0/queryparser/org/apache/lucene/queryparser/classic/package-summary.html#Regexp_Searches for more information.

Be aware that these regular expressions are evaluated on the terms index, not on the entire document text as a single string of characters! Your search expressions should therefore take the tokenization of the text into account.

The Saved Searches is a list of previous sets of searches that the user has stored.

When search results are displayed in the Cluster Map and the Searches list, the Save button beneath the Searches list will be shown.

When the user clicks this button, a dialog opens that lets the user enter a name for the saved search. After clicking on the OK button, the chosen name will appear in the list in the Saved Searches facet.

Click on the name of the saved search and then on the Restore button to bring the Cluster Map and the Searches list back into the state it had when the Save option was used.

Additional options are shown or hidden when using the gear icon:

The "Replace current results" checkbox controls what happens with the currently displayed searches when you restore a saved search. When turned on, the Cluster Map and Searches list will be emptied first. When selected, the contents of the saved search will be appended to them.

When the 'Combine queries' checkbox is selected, searches contained in the selected saved search will be combined to search for items matching any of the contained searches (Boolean OR operator). The items will be returned as a single set of results (one cluster).

The Features facet allows you to identify items that fall in certain special purpose categories:

Additional option is shown or hidden when using the gear icon:

Filter can be used to quickly find relevant feature entry from the list by a potion of feature name.

Tags are labels defined by the user to group individual items. Typically used tags in an example are for example "relevant", "not relevant" and "legally privileged". Tags are added to items by right-clicking in the Details panel and choosing the Add or edit tags…​ menu option. Tags can also be added in the Previewer or by applying a Coding decision to an item via Coding Form.

To search for all items with a certain tag, select the tag from the Tags list and click the Search button above the list.

When clicking on options button (gear icon), then the Tags facet panel will have the following options:

Select the "All users" option to show taggings from all users as well as tags with zero taggings.

If the same tag has been used by different reviewers, their names and the numbers of tagged items are displayed in modal which shows tagging breakdown per user when clicked on "Show user tags" button.

The tags can be organized into a hierarchical system by the creation of sub-tags within an existing (parent) tag group. You can create a sub-tag, from "Add or edit tags…​" dialog by specifying a parent tag in a drop down list.

To rename a tag or change the tag description, select the tag in the facet and choose "Edit…​" in the context menu which appears after clicking on more options icon (3 dots icon).

To delete a tag, select it in the facet and choose "Delete…​" in the context menu which appears after clicking on more options icon (3 dots icon). This might require a special permission being assigned to your user.

To see a pivot report showing how many items were tagged by each user, select some tags and click on the Show tag users button. A modal dialog will appear showing selected tags in separate rows and users contributing to particular tag in columns.

The Identities facet makes it possible to query for all items linked to an identity. An identity query combines the results of the queries for the individual email addresses, phone numbers and chat accounts into a single item set. The result is a holistic view of the communication of that person, regardless of the media and aliases used for that communication.

In case of email addresses, an Identity query also finds items where the email address occurs in the item text. It therefore casts a wider net than merely looking at senders and receivers.

Custodians are assigned to items to indicate the owner from whom an evidence item was obtained. The "Custodians" facet lists all custodian names in the current case and allows searching for all items with a certain attribute value. Custodian name attributes are assigned to items either automatically (as part of post-processing) or manually in the Details panel. To assign a custodian to items selected in the Details panel, use the "Set Custodian…​" option in the right-click menu.

To remove custodian information from selected items, choose the "Clear Custodian…​" option.

To delete a custodian name from the case and clear the custodian attribute in all associated items, select the value in the facet panel and choose "Delete" in the context menu which appears after clicking on more options icon (3 dots icon).

This facet represents the folder structure inside your sources. Select a folder and click Search to find all items in that folder.

Additional options are shown or hidden when using the gear icon:

When "Search subfolders" is not selected, only the items nested in that folder will be returned. Items nested in subfolders will not be returned, nor will the selected folder itself be returned.

When your case consists of a single indexed folder, then the Location tree will show a single root representing this folder. Selecting this root node and clicking Search with "Search subfolders" switched on will therefore return all items in your case.

When your case consists of multiple mail files that have been added separately, e.g. by using the PST and NSF source types in the New Source wizard, then each of these files will be represented by a separate top-level node in the Location tree.

By default Location facet will expand all root sources so that their children are immediately visible. This behavior can be changed using Facets .

This facet represents the names of persons involved in sending and receiving emails. The names are grouped in ten categories:

When clicking on options button (gear icon), then the facet provides filtering option by above mentioned categories.

Most emails typically only have a From header, not a Sender. The Sender header is often used in the context of mailing lists. When a list server forwards a mail sent to a mailing list to all subscribers of that mailing list, the message send out to the subscribers usually has a From header representing the conceptual sender (the author of the message) and a Sender header representing the list server sending the message to the subscriber on behalf of the author.

This facet lists phone numbers observed in phone calls from cellphone reports as well as phone numbers listed in PST contacts and vCard files.

The "incoming" and "outgoing" branches are specific to phone calls. The "All Phone Numbers" branch combines all of the above contexts.

When clicking on options button (gear icon), then the facet provides filtering option by above mentioned categories.

This facet lists chat accounts used to send or receive chat messages, such as Skype and WhatsApp account IDs. Phone numbers used for SMS and MMS messages are also included in this facet.

When clicking on options button (gear icon), then the facet provides filtering option by above mentioned categories.

This facet lets the user search on recipient count ranges by entering the type and the number of recipients (minimum and maximum). The following recipient types are supported:

When clicking on options button (gear icon), then the facet provides filtering option by above mentioned categories.

This facet lets the user search on date ranges by entering a From and To date. Please note that the date entered in the To field is considered part of the date range.

Besides start and end dates, Intella Connect lets the user control which date attribute(s) are used:

All fields can be de/selected with "Check / uncheck all" checkbox.

The Date facet will only show the types of dates that actually occur in the evidence data of the current case.

Furthermore it is possible to narrow the search to only specific days or specific hours. This makes it possible to e.g. search for items sent outside of regular office hours.

Primary and Family dates

While processing the dates of all items, Intella Connect will try to pick a matching date rule based on the item’s type and use it to determine the Primary Date attribute for that item. The rules affecting this process are configurable with desktop versions of Intella and currently cannot be changed in Intella Connect. Reindexing the case or modifying rules used to compute Primary Dates may also affect values of Family Date attribute for items, as those two attributes are tightly related. To learn more about those attributes please refer to Details panel section of the manual.

This facet represents the file types (Microsoft Word, PDF, JPEG, etc.), organized into categories (Communication, Documents, Media etc.) and in some cases further into subcategories. To refine your query with a specific file type, select a type from the list and click the Search button.

Note that you can search for both specific document types like PNG Images, but also for the entire Image category.

Empty (zero byte) files are classified as "Empty files" in the "Others branch".

Additional option is shown or hidden when using the gear icon:

Filter can be used to quickly find relevant type entry from the list by a potion of type name.

This facet represents the name(s) of the person(s) involved in the creation of documents. The names are grouped into two categories:

When clicking on options button (gear icon), then the facet provides filtering option by above mentioned categories.

To refine your query by a specific creator or contributor name, select the name and click the Search button.

The Content Analysis facet allows you to search items based on specific types of entities that have been found in the textual content of these items. Three of the categories in this facet are populated automatically during indexing and are available immediately afterwards. These are:

The other categories are more computationally expensive to calculate and therefore require an explicitly triggered post-processing step. These categories are:

When opening the facet you will be presented with all available Content Analysis categories. After clicking on a category, the panel will slide and values matching this category will be presented in a form of a table. You can query for a specific value using the Search button at the top, or by double clicking on one of the rows. Clicking on the Back button will present a list of categories again.

To learn more about how to conduct Content Analysis please refer to section Content Analysis .

In the Email Thread facet you can search for emails based on the email thread identified by the email threading procedure. To populate this facet, a user needs to perform the email threading procedure on a selected set of items. Please see the Email Threading section for instructions.

Additional options are shown or hidden when using the gear icon:

Be default, all threads containing only a single email are hidden from view, as they can greatly increase the length of the list and are typically of little use. To include these threads in the list, disable the “Hide threads with one email” switch.

Email threads shown in this facet can be sorted by name, item count or node count. The difference between item and node is that items can be counted in details table and nodes are counted in email thread tab in previewer. Thread can have different item and node count if some items are duplicated in that thread.

This facet lists all item groups identified by the last near-duplicates analysis. To populate this facet, a user needs to perform the near-duplicates analysis procedure on a selected set of items. Please see the Administrator’s manual > Near-duplicates Analysis section for instructions.

The names of near-duplicate groups are derived from titles of their master items. Searching for a group produces a set of items which include a master item and its near-duplicates with similarity scores within the threshold specified for near-duplicates analysis. Additionally, after expanding facet options you can sort near-duplicate groups either by the name (default) or the group size.

In the Keyword Lists facet you can load a keyword list, to automate the searching with sets of previously determined search terms.

A keyword list is a text file in UTF-8 encoding that contains one search term per line. Note that a search term can also be a combination of search terms, like "Paris AND Lyon".

Once loaded, all available keywords lists are shown in the Keyword Lists facet. They are now available for search. You can also explore searches defined in each list by hovering the mouse over it and selecting Explore…​ from the contextual menu.

Additional options are shown or hidden when using the gear icon:

When the 'Combine queries' checkbox is selected, multiple keywords selected from a specific keyword list will be combined to search for items matching any of the selected terms (Boolean OR operator). The items will be returned as a single set of results (one cluster). If the checkbox is not selected, the selected terms will be searched separately, resulting in as many result sets as there are selected queries in the list.

The other two options displayed here are working the same as in context of a regular Text Search and are used to limit the scope of your query to selected fields or to enable paragraphs exclusion.

Intella can calculate MD5 and message hashes to check the uniqueness of files and messages. If two files have the same MD5 hash, Intella considers them to be duplicates. Similarly, two emails or SMS messages with the same message hash are considered to be duplicates. With the MD5 and Message Hash facet you can:

Specific MD5 or message hash

You can use Intella Connect to search for files that have a specific MD5 or message hash. To do so, enter the hash (32 hexadecimal digits) in the field and click the Search button.

List of MD5 or message hashes

The hash list feature allows you to search the entire case for MD5 and message hash values from an imported list. Create a text file (.txt) with one hash value per line. Use the Add…​ button in the MD5 Hash facet to add the list. Select the imported text file in the panel and click the Search button below the panel. The items that match with the MD5 or message hashes in the imported list will be returned as a single set of results (one cluster).

Structured vs Legacy message hash

In Intella 2.2.2 a more flexible algorithm for calculating message hashes has been introduced: structured message hashes. Cases that have been created with Intella 2.2.2 or newer will use the structured message hashes by default. Cases that have been created with older versions will keep using the old algorithm until the case is fully re-indexed. That re-index is required to calculate the Body Hash, one of the four components of structured message hashes, for applicable items. The algorithm for message hashes cannot be configured in Intella Connect - this needs to be done in desktop version of Intella.

Structured message hash

The structured message hash exists of four components: Header, Recipients, Body, and Attachments. By default, the calculated message hash will be based on all four components, but you can deselect any of these to make deduplication of message items less strict. For example, when the Recipients component is deselected, an email with a Bcc header will be considered as a duplicate of an email without that header (assuming all other components are equal).

For email items, the following data is included in the four components of a structured message hash:

All upper case/lower case differences of textual data is ignored, and for the email body all whitespace and formatting characters (Unicode categories C and Z) are ignored too. The sent date is rounded down to full minutes. For attachments that are embedded emails, the structured message hash of that email is used, instead of the MD5 hash.

Legacy message hash

The message hash is calculated by calculating the MD5 hash of a list of concatenated item properties. For emails the following properties are used:

For SMS, MMS, and other types of chat messages such as Skype and WhatsApp messages, the following parts are used:

When certain headers/properties occur multiple times, all occurrences are used.

A difference between email message hashes and chat message hashes is that the hashing procedure for emails will simply skip missing values, whereas for chat messages all fields need to be present to calculate a hash.

These message hash computation methods have the benefit that they are source-agnostic: a specific email message always gets the same message hash, regardless of whether it is stored in e.g. a PST, NSF, Mbox or EML file. Message hashes can therefore find duplicates across a variety of mail formats and be used to deduplicate such a diverse set of mail formats.

When one of the copies has a minor difference, the email will get a different hash and be treated as different from the other occurrences. A good example is a bcc-ed email, as the bcc is only known by the sender and the recipient listed in the Bcc header. Therefore, these two copies will be seen as identical to each other but different from the copies received by the recipients listed in the To and Cc headers. Another example is an archived email which has one or more attachments removed: it will be seen as different from all copies that still have the full list of attachments.

List missing on server

Intella stores processed MD5 list files in hash-lists subfolder of case folder. Due to factors external to Intella Connect if these files will be lost, then such list will be marked as such with label "List missing on server".

The missing files can be restored from a backup of the case - contact IT administrator to resolve this issue.

In the Item ID Lists facet you can load a list of item IDs, to automate the searching with sets of previously determined item IDs.

An item ID list is a text file in UTF-8 encoding that contains one item ID per line.

Once loaded into the case, you can select the list name and click Search. The result will be a single result set consisting of the items with the specified IDs. Invalid item IDs will be ignored.

This facet shows a list of languages that are automatically detected in your item texts.

To refine your query with a specific language, select the language from the list and click the Search button.

This facet groups items based on their size in bytes.

To refine your query with a specific size range, select a value from the list and click the Search button.

This facet reflects the duration of phone calls listed in a cellphone report, grouped into meaningful categories.

This facet groups items from cellphones by the IMEI and IMSI identifiers associated with these items. Please consult the documentation of the forensic cellphone toolkit provider for more information on what these numbers mean.

When clicking on options button (gear icon), then the facet provides filtering option by above mentioned categories.

All export sets that have been defined during exporting are listed in this facet. Searching for the set returns all items that have been exported as part of that export set.

Requiring a facet value means that only those search results will be shown that also match with the chosen required facet value.

Example

The user selects the facet value "PDF Document" and includes this facet value with the drop-down menu of the Search button in the facet panel. The Searches list shows that "PDF Document" is now a required term. This means that from now on all result sets and clusters will only hold PDF Documents. Empty clusters will be filtered out.

See the image below for an example: the "letter" search term resulted in 2,132 items, but after applying the PDF Documents category with its 466 items as a require filter, only 214 items remain.

When multiple required are used, additional option will be available in Searches list:

Depending on require option selected, the results can differ.

For example, the above image with require any filter shows items, which contain the "letter" search term and they are either PDF documents or they have had OCR done on them. Looking at results - first item is a PDF document with "letter" in the content and second item is a PNG image that had OCR done and contains "letter" in properties.

Below image is an example of require all filter showing items, which contain the "letter" search term and they are a PDF document and have had OCR done on them. Looking at results - first item is a PDF document with "letter" in the content and second item is also a PDF document with "letter" in the content. Images are not present in the results.

Excluding a facet value means that only those search results will be shown that do not match with the chosen excluded facet value.

Example

The user selects the facet value "PDF Document" and excludes this facet value with the drop-down menu of the Search button in the facet panel. The searches panel in the Cluster Map shows that "PDF Document" is excluded. As long as this exclusion remains, all result sets and clusters will not hold any PDF Documents. Empty clusters will be filtered out.

In this scenario it is important to realize that when exporting an email to e.g. Original Format or PST format, it is exported with all its attachments embedded in it. The same applies to a Word document: it is exported intact, i.e. with all embedded items. Therefore, when an attachment is tagged as "privileged" and "privileged" is excluded from all results, but the email holding the attachment is in the set of items to export, the privileged attachment will still end up in the exported items.

The solution is to also tag both the parent email and its attachment as "privileged". The tagging preferences can be configured so that all parent items and the items nested in them automatically inherit a tag when a tag is applied to a set of items. When filtering privileged information with the intent to export the remaining information, we recommend that you verify the results by indexing the exported results as a separate case and checking that there are no items matching your criteria for privileged items.

The result sets created with the current query are listed in the Results panel.

By default, Intella Connect uses tiles (images containing parts of the map) that are embedded in Intella Connect to construct the world map. This makes it possible to use the Geolocation view without any configuration and without requiring an Internet connection to download these tiles.

Due to the enormous size of a complete tile set covering all zoom levels of the entire world map, the embedded tile set is limited to the first 6 zoom levels. As a rule of thumb, this usually shows the major cities in most countries, but it will not let you zoom in to see where in the city an item is located.

To zoom in beyond that zoom level, a connection to a tile server is needed. This can be a public tile server or one located in your network. An administrator of Intella Connect can configure a tile server and the configuration steps are described in Administrator manual.

To determine the geolocation of emails, Intella Connect uses the chronologically first IP address in the Received email headers (i.e. the one nearest to the bottom of the SMTP headers). Next, a geolocation lookup of that IP address is done using MaxMind’s GeoIP2 or GeoLite2 database. These databases are not distributed with Intella and therefore one needs to be installed manually.

An administrator of Intella Connect can acquire and install an IP Geolocation database. The configuration steps are described in Administrator manual.

GPS coordinates, such as obtained from the EXIF metadata of images or location-bound items extracted from cellphones, are usually quite accurate. However, they are subject to the limitations of GPS:

The determination of an email’s geolocation by using its sender’s IP address is imprecise by nature, typically even more so than GPS coordinates. First, the determined Source IP address may be incorrect due to several reasons:

Second, IP geolocation databases are typically never 100% accurate and the accuracy varies by region. See MaxMind’s website for statistical information on their accuracy. Reasons for this imprecision are:

Using a public tile server may reveal the locations that are being investigated to the tile server provider and anyone monitoring the traffic to that server, based on the tile requests embedded in the retrieved URLs.

Intella Connect always puts feature richness and stability of a review on the pedestal, so that is why we have introduced Hit Highlighting into List View component. It allows quickly seeing the first occurrence of a hit accompanied with the nearest text, which gives a reviewer an additional context and often is enough to determine if an item is important or not. However, in few rare cases Hit Highlighting can have considerable and undesired influence on the server which can impact negatively the reviewing experience. Therefore we added a simple way to turn off Hit Highlighting in List View, which should relieve the server from additional workload and improve the reviewing speed.

It’s possible to toggle visible table columns in Preferences Table view section by (de)selecting column names. The selected columns are stored: every time you connect to the case, these columns will be shown until you select a different set of columns.

This option is only available for the Table view. The following columns are available:

General columns:

Email-specific columns:

Cellphone-specific columns:

File and document-specific columns:

Columns containing dates:

Review-specific columns:

Analysis-specific columns:

The columns in this group represent built-in and custom Content Analysis categories. See the “Content analysis” section for more information on their meaning.

By default, these include:

Tag groups (optional) - These columns are created for every top-level tag with sub-tags. If selected, the corresponding column shows the tags within that part of the tag tree. The column will be named after the top-level tag.

Export (optional) - When items have been exported using the export set functionality, a column will be made available for every export set, holding the export IDs within that export set.

Custom Columns (optional) - The custom columns are created during the load file import.

This tab shows the body of an item, e.g. the message in an email or the text inside a Word document. The Contents shows a limited set of stylistic elements such as bold, italic and underlined text, tables and lists. However, text is always drawn as black text on a white background, as to reveal all extracted text. For a native rendering of the item use the Preview tab (when available).

If the item text is too long, it is truncated in the previewer for performance purposes. Click on the here hyperlink to view the complete item text. Note though that there is also a limit on the maximum amount of text that is subjected to full-text indexing. See the note on the ItemTextMaxCharCount setting in the Source Types section.

When the item is an image, this tab will show the image’s content.

When the item is a video, this tab will show a video player allowing to watch the video inside a browser, without having to download it to a local disk.

If the image has extracted text, it will be shown in a separate tab called "Extracted Text" next to the Contents tab.

Handling paragraphs

When the “Analyze paragraphs” option was selected during source creation, extra UI elements will be shown in the right margin. These UI elements indicate the start and end of the paragraphs that Intella Connect has detected. The UI elements are omitted for very short paragraphs (typically one-liners).

Furthermore a popup menu will be shown when the user hovers the mouse cursor on a paragraph, offering the following options:

Detected Objects

When the "Image Analysis" was executed on this item, this item is an image and objects have been detected in it, then extra UI elements will be shown in the image itself. These UI elements indicate the detected objects in this image with a rectangle at coordinates where the object was found and a description of the object. Transparency of the rectangle and label depend on the detected object’s confidence score.

The objects that have been searched for in Search tab will be highlighted with different color.

Highlighting of detected objects can be turned off completely by unchecking the "Highlight Detected Objects" checkbox.

Text that was imported using importText option in Intella Command-line interface can be viewed in this tab.

Imported images from load files can be viewed in this tab.

Shows the text extracted by running Optical Character Recognition on this item. The searchable version of the document will be shown in an OCR Preview tab.

This tab shows the item as if it was opened in its native application. The Preview tab is only shown when the format of the current item is supported and the Contents tab is not already showing it in its native form. The following file formats are supported:

Starting with Intella Connect 2.3, spreadsheets (MS Excel, Open Office Spreadsheet, CSV and TSV) will be shown in their native form by default. The native view closely resembles how it looks in native application. If you would like to see to see the PDF rendering of the spreadsheet instead, click on the PDF radio button. When previewing spreadsheets in native view, the sheets available for current item will be shown at the bottom. Clicking on sheet name will change the view to the selected sheet.

This tab shows the complete SMTP headers of an email item. This tab is only shown when you open an email item and it had any headers (e.g. drafts may not have any headers).

The content of this tab depends on the item type. For example, in case of PST emails the low-level information obtained from the PST is listed here. This typically includes the SMTP headers (shown in the Headers tab) and the email body, but also a lot more PST-specific properties.

All this information is also searched through when using a keyword search. This may lead to additional hits based on information in obscure areas that Intella Connect does not process any further.

This tab shows a list of properties connected to the item. Examples are Size, MIME Type, Creator and Character Set. The list of properties shown depends on the type of the item and what data is available in that particular item.

This tab lists the attachments of an item.

When you click on the attachment title, it will be opened in a new browser tab.

This tab shows thumbnails of the images (jpg, png, gif etc.) attached to an item or embedded in a document, e.g. the images embedded in a MS Word document.

When you click on a thumbnail, you will be able to open it in a new browser tab for full resolution of the image or open it in another Previewer tab.

This tab shows the location of the reviewed item in the item hierarchy (entire path from root to descendants), as well as all its child items.

The file names and subjects are clickable, which will open the item in a new browser tab.

This tab visualizes the email thread in which the currently previewed email is located. A blue border indicates the current email.

Each type of icon in this visualization has a special meaning. To see a basic explanation of the icons, click the Legend icon. The icons have the following meaning:

The user can double-click on the nodes in the visualization. This opens that email in a separate Previewer. When the node represents a set of duplicates, one of these duplicates is opened.

To tag all items represented in the visualization, click the Tag Thread button.

This tab shows the list of items found in an archive file, e.g. a ZIP or RAR file.

When you click an item in the list, it will be opened in a new browser tab.

This tab lists the reviewer comments attached to the item. Every comment shows the reviewer name and time stamp, and the options to Edit or Delete the comment.

Multi-line comments can be written by using SHIFT+ENTER or CTRL+ENTER combination to add new line separator.

Note that this is not related to the comments such as found in the MS Word document metadata.

The Words tab lists all words/terms extracted from this item, together with the following information:

This list can be used to diagnose why a certain document is or is not returned by a certain query.

This tab shows the list of actions performed on the item. The action, the user that triggered the action and the time at which the action occurred are shown in the list.

Actions listed are:

See the Redaction section for a detailed explanation of the functionality in this tab.

This tab is only visible for items included in a near-duplicate groups (see the Administrator’s manual > Near-duplicates Analysis section), except for the group’s master items and their exact duplicates in those groups.

The tab visualizes the differences between the text content of the current item and the master item in its near-duplicate group. Information about the near-duplicate group (name, master item ID, and the current item score) is visible on the top panel.

Different text blocks (paragraphs) are marked with red and green colors, indicating occurrences specific to the current and to the master items, respectively. Visibility of the different blocks is controlled with two checkboxes ("Occurs only in this item" and "Occurs only in the Master item"). The regular black-on-white text represents the text blocks that the two items have in common.

When a Conversation item is opened in the Previewer, there are a number of differences with how other item types are displayed:

There are a few additional conversation-related properties reported in the Properties tab: Number of recipients, Number of visible recipients, Protocol, Messages count

More information about these can be found by hovering the mouse over the question mark icon next to the property.

The below image shows how a Chat Message item is previewed:

Note that there is no checkbox in front of the message text, as Chat Message items can be flagged by using the Flagged checkbox in the previewer’s toolbar on the left. Another reason for this is to make a visual distinction between Conversation items and Chat Message items.

If you want to preview the Conversation item that this Chat Message item corresponds to, you can use the “Preview Parent Conversation” action in Previewer, or navigate to it through the Tree tab.

In the case of Chat Messages items, the Properties tab contains the following chat message-related information: Recipients Count, Visible Recipient Count, Chat protocol

When exporting as PDF, the Conversation item or Chat Message item will be exported as it is rendered in the Previewer.

In the case of Conversation items, the whole conversation fragment covered by this Conversation item will be exported. There is no way to export only specific chat messages this way, but you will be able to redact it as you would with any other item.

In the case of Chat Message items, each individual chat message gets exported as a PDF.

The overall process of exporting to PDF is not explained here, as it is identical to exporting any other type of item to PDF.

The main difference of exporting as an Item Report, compared to the PDF export type, is that one can export either the whole conversation or just particular chat messages in it.

To export all messages in a specific conversation, one needs to select the Conversation item and export it using

Report export type. Make sure that Display as: Conversation is used in the Report – Sections step. A report created this way will contain all messages in that conversation.

To export specific messages in a conversation, you just need to select the desired Chat Message items and use the same export options as above. Intella Connect will export the related conversation but restricted to the messages present in the export set:

When Indicate gaps of omitted messages is checked at the Report-sections step, Intella will add the following information the Report:

Creating and assigning tags in Intella Connect is bundled together into one visual component called Tags Editor. It allows to:

After desired items have been selected in the Details Panel, one can invoke the Tags Editor in one of two ways:

This will cause the Tags Editor being shown in its default state illustrated below:

To browse existing tags click on search box located underneath Assign tab. A dropdown will appear allowing you to see a hierarchical structure of existing tags.

You can also start typing some search query in this box, allowing you to filter this structure in order to quickly find tags of your interest.

Once you find tags you’d like to be added to items you selected, click on checkbox next to the tag’s name. Then click anyway on the screen to dismiss the dropdown showing tags structure.

You will notice that the tag you selected appeared under the search box. This part of Tags Editor will always show you the final state of tags for selected items, including the changes that you are making at the moment. This is a convenient way of understanding what taggings are set for items as they are always in front of your eyes. It is also synchronized with checkboxes rendered next to each tag in the search box dropdown, so any changes you will make there will always be reflected here.

Removing tags from items is very similar to the process of adding them. You can simply deselect tag in the tags structure dropdown. There is also a faster way to do it, though. If you hover your mouse over an existing tag additional icon will appear. Clicking on it has exactly the same effect as deselecting a tag would have.

In order to create tags, you need to select Create tab in the top of the Tags Editor. The view will be updated and the following tag creation form will be shown:

Fields:

Below the form two buttons are rendered. THey have the following function:

We already explained that tags rendered underneath the search box will show you the state of the tags which will be committed after you apply your changes.

Besides that the Tags Editor will also render a detailed (collapsible) list of changes which will be the result of your actions. The Apply button will also change its label to reflect that. See the picture below:

If you’d like to discard just a few changes, simply restore them in the tags structure. You can also click on Cancel to dismiss them all and close Tags Editor.

Tags Editor can be invoked for a single item, as well as for the set of items. Doing the latter will cause it to analyze existing tags currently applied for selected items and extend the functionality of rendering current tags state with two features:

This is best illustrated in a real life example. Say we have 10 items in our selection, with existing tags:

Invoking the Tags Editor on this selection will show the following state:

Say we decided that all 10 items are actually Responsive, so we remove Non-Responsive tag and then click on the 'tick' icon for Responsive tag.

This changes the state to the one illustrated on the following picture:

See how Responsive tag is now entirely filled with color because it was added to 7 items. The Non-Responsive tag is fully gone because it was removed from 2 items. Requires further review stays unchanged. All those changes are listed in the Changes section and ready to be applied.

Tags Editor allows you to change a few settings controlling how tags are being applied to items. These are affecting tagging scope described in one of the next sections. Besides modifying the scope, privileged users can also select Delete taggings from other reviewers option. This option affects tags removal only and allows to cleanup tags created by other users.

To import one or more sub-case tags to the Compound case:

The tags are copied to the Compound case with their content, i.e. the associated items.

If a tag with an existing name is imported, you will see a dialog window to either create a new tag in the Compound case or merge the imported tag with the existing one:

After selecting an option, press the "Import" button to proceed.

As soon as the batch is opened the Items List will start populating with information about items inside current batch. On top it will render the total count of items inside this batch. Each item has an icon associated with it which changes it’s color based on the item’s type. It makes it easy to distinguish items of common file types. Each entry will also render item’s best title and an information about associated custodian, if available.

When the mouse icon hovers over an item then a menu icon will be shown on the right side of item’s list entry. When clicked it will open a menu allowing to:

Items List keeps track of currently opened item. This active item entry will be highlighted with a darker gray. Also, if any coding errors will apply to an active item, then it will be highlighted with red color. This makes it easy for the user to notice that he must take additional actions in order to fix this problem.

The first item in the screenshot located above has also been coded in this batch. This can be easily noticed by a thick, gray check mark located on the right side. As soon as other items are properly coded similar check marks will be rendered for them too.

Clicking on any item in the list will cause Simplified Previewer to load item’s data and Coding Panel load taggings for given item. Based on those taggings Coding Panel will populate its fields. This will happen only if active item is properly coded. If user has CAN_SKIP_CODING_OF_ITEMS permission, then this validation is skipped and user can navigate between items freely.

If Custom IDs have been generated for items inside a batch, then it is possible to copy existing coding decision to the rest of items inside the same family in this batch. This helps to avoid inconsistencies in family coding, as well as speed up this process. When the scope of coding is expanded to cover duplicates, then duplicates within the same batch will be coded (duplicates outside of the batch are skipped).

To further customize the appearance of this list, you can click on the menu icon (located on the right of label informing about the number of items in the batch). This will open a modal window with additional options:

Items list can also render family relationships between items. This is illustrated on the following picture:

Note how each parent is represented by few visual cues:

Simplified Previewer is a close counterpart to our regular Previewer used to inspect items closely. To remove unnecessary clutter from the sight, we decided to support these tabs only:

These tabs work the same as their counterparts in regular Previewer.

Simplified Previewer allows reviewers to apply their own custom keywords to be highlighted in Contents and Redaction tabs. It’s possible to create a custom list of keyword searches and/or use one of Keyword Lists created in the main Search View. The full search syntax is supported.

On the screenshot above one can see three custom keyword queries being highlighted and none Keyword Lists being used.

If currently previewed item has any attachments, then they will be displayed in a separate panel in the bottom of Contents section. Clicking on any of the buttons representing individual attachments will open up a new Previewer for this item. One can also see all attachments in a form of a list by clicking on See all button.

Coding Panel is the centerpiece of the entire Review View. It consists of few main components:

Coding Form allows user to code items by switching appropriate Coding Fields ON or OFF. Whenever new item from batch is loaded this panel will automatically fetch all taggings from the server and initialize fields based on that information.

Changes in Coding Fields are not automatically sent to server. User must always make an explicit decision to apply these changes. This is where Actions Panel come in handy.

Actions Panel has several controls illustrated below:

Any action that would commit changes to Coding Fields triggers a coding layout validation first. Validation is a very simple process - it goes through every required field in the current coding layout and checks if such fields have been properly coded. A required Coding Field is considered coded properly if it has been set, in case it has no Coding Options assigned, or if at least one of its Coding Options is set.

In case the Coding Form validation fails, the Coding Fields containing errors will be highlighted in red and additional warning will be presented in the Notifications Panel. This is illustrated below:

Another case of error you might encounter happens when Coding Form detects that tags have been assigned to currently displayed in an invalid way. It may be a result of tagging an item outside of Coding Form in a way which is not supported by one of Coding Fields. A typical example of this is to have a Coding Field of Radio type, which supports only mutually exclusive choices (ex. 'correct' or 'incorrect'), but item was tagged with both ('correct' AND 'incorrect'). In this case Coding Form cannot know which coding decision was right, and will render an error notification illustrated below. To get around this situation one must open a regular Previewer for item in question and manually fix tags causing problem. After going back to Review the message should be gone.

The "Review later" option allows skipping coding an item for the time being. When user reloads the batch, the items will retain their original sort order. User will simply be navigated to the next uncoded item as per the usual workflow. The "Review later" flag does not change the item sorting in any way. So when user opens the batch again to review it, then it will be automatically positioned at the first item that has not yet been coded. Once this item gets coded, then it will automatically move to the next uncoded item.

The simulation of applying latest coding decision onto current item is illustrated below. Note the semi-transparent overlay over Coding Form and the fact that some of controls become selected to reflect latest coding decision.

Comments can be added to item directly from Comments Panel. This works exactly the same as with regular Previewer, however editing or deleting comments is not allowed. In case it was needed one can still do that from Previewer.

Coding Layouts are stored globally in Intella Home folder and may be optionally reused between multiple cases. You can control if layout should be shared when creating it in Preferences window. Note that since Coding Fields are closely tied to the Tags model (which is specific to each case), one must perform one additional step to reuse a layout created in a different case. This step is called "Importing". Coding Editor and the batch creation process will instruct you if layout needs to be imported. This is illustrated below:

When user presses the Import button or "import it" link then Intella Connect will read fields from the selected Coding Layout and create appropriate tags in the current case. From now on this Coding Layout can be used like if it were created for this case.

While creating batches one must always specify a Coding Layout. However, there is one special layout called "Default". This one is automatically generated on the fly and it always contains fields mapped to all tags created in the current case. None of these fields are required.

Batch progress is initially computed based on the state of taggings applied to items. Therefore it might happen that the batch is already showing some progress right after it has been created. That is deliberate behavior, as it sometimes might happen that part of the review was already done prior to batches creation. Appropriate setting in batch creation dialog allows to suppress this initial calculation.

After batches have been created batch progress recalculation happens only after item is coded or when user invokes "Recalculate progress" action. So if tags were applied externally (via regular Previewer or Search View) then Coding Panel will reflect these changes, however batch progress will not pick this up automatically.

In order to understand Predictive Coding it seems justified to answer what Coding is in the first place.

Coding is the process of applying Tags to Items, using a pre-defined set of UI controls (a.k.a. Coding Layout). In most cases coding is performed to separate important items (usually called Responsive or Relevant) from the ones that are not important for your case (Non-Responsive or Not-Relevant).

Predictive Coding is a process in which Intella Connect analyzes how human reviewers code items. This lets it detect patterns common between Relevant items. It will then start pushing items likely to be Relevant to the case to the front of the review queue, and less likely or irrelevant items to the end of the queue. The items on which Intella Connect is uncertain remain in the middle, but over time the separation between those two categories will grow larger.

The process usually ends when the review queue no longer supplies Relevant items to the reviewer, when certain statistical criteria have been met, or when a satisfying number of Relevant items have already been identified. Intella Connect offers advanced statistics helping case managers in making that decision, but it is always up to the case manager to decide when is the right time to do so.

There are many benefits of using Predictive Coding, comparing to other possible types of reviews.

The biggest advantages are cutting down on time and cost related to reviewing of all items in your dataset. Very often only small portion of items is Relevant for the case (ex. 8%, 10%, 15%, etc.), so it seems natural to employ some processes that would help to ignore or filter out Non-Relevant items from review. Predictive Coding helps you to do that by prioritizing and focusing the review on finding Relevant items first, allowing for the items of less interest to be ignored.

Predictive Coding can also help to identify and fix inconsistencies in coding decision applied to items. For example, if an item is scored very high by the engine, yet it was coded as Non-Relevant it may indicate that reviewer has made a mistake, either unintentionally (ex. clicked the wrong button) or his notion of responsiveness for that case is incorrect. In that sense Predictive Coding engine works like an independent arbiter, which may improve the overall quality of your review.

Predictive Coding can also be beneficial if you need to code new data set, ingested to the case just prior to the deadline. If the volume is too large to be handled by human reviewers, you could use Predictive Coding to train the engine using existing coding decisions and then reapply that knowledge to the new data.

Predictive Coding is an ideal solution for eDiscovery projects, where statistical significance matters. Although it hasn’t been created to find the "smoking gun", to some extent it could also do well in more forensic type of investigations.

It can be used on any case created with Intella or Intella Connect (older cases may need to be re-indexed, more details is provided later) that contains some textual content. Therefore it will work on documents, emails, OCRed images (like scanned documents), SMS messages, chats, etc.

Engine uses advanced language and text processing techniques to understand the contents of a document and then it tries to find patterns similar among Relevant items. Therefore it will work the best on items where certain terms, their combinations, co-occurrence contributes to relevancy.

Since those advanced processing techniques demand high computational power, running Predictive Coding on larger sets may be limited and will certainly require more culling and care. Read the rest of this manual for more details.

As state before, avoid running one large Predictive Coding review on very large datasets. This is especially true if the expected or measured prevalence is low (< 5%). Low prevalence may not be a problem if Relevant and Non-Relevant items can be easily distinguished, but if relevancy is based on subtle nuances in how words were used, then the engine may have difficulties in separating those categories if the number of Relevant samples is low.

It is never a subject of trust, but rather a careful analysis. The tool is giving you many statistical metrics, which should aid with making that decision.

The best case scenario is that it learns how to separate items quickly and will allow you to automatically code non-reviewed items with perfect accuracy. The worst case scenario is that the engine will appear to make random decisions on relevancy and that it never learns anything valuable. Statistical analysis (including a so-called Elusion Test) can help you to meet certain crucial criteria, with an acceptable level of confidence.

The most typical kind of review in eDiscovery projects is the linear review. Documents are being reviewed one after another, usually in chronological order, until all of them have been designated responsive or non-responsive.

This approach works well if you have small set of items, excessive time to finish your project, sufficiently large team of reviewers or you need to guarantee that every item in your set has been seen by a human. In practice this is rarely the case. Despite that, Intella Connect contains all the features needed for running a successful linear review project.

Since usually cases contain small amount of responsive items, an obvious downside of the linear review is that often reviewer will get to see many non-responsive items in a row before seeing any item of true significance. This is clearly not efficient way of reviewing large quantities of items, therefore a need for a more elegant workflow emerges.

Predictive Coding can help you to drive your project to success by optimizing the queue of items presented to reviewer, so that he gets to see items likely being more relevant sooner. It can also help you to finish your review faster when operating under limited time or strict deadlines.

Batch review is an extension of the concept of a linear review. Instead of all reviewers having access to one shared queue of items, each one of them is assigned with a smaller subset of this queue called a batch. Batches are created by the eDiscovery software and each one has an independent lifecycle. When the review of all batches has been completed, then the entire review is considered finished. Intella Connect contains all the features needed for running a successful batch review project.

Batch review is usually a faster and much more reviewer friendly way to handle your project. By dividing review into smaller batches you get all the psychological benefits of solving few smaller problems instead of a single large one. You also have a finer control over parts of the review.

However, batch review is still not ideal solution when it comes to efficiency, as there may be batches that contain hardly any relevant items and they still need to be reviewed entirely before one can consider them complete.

You may also run into problems if different reviewers having different concepts of what relevancy truly means. This may lead to a situation where coding decisions are inconsistent and more frequent situations where a senior reviewer needs to step in.

Once again, the Predictive Coding can help you to put the focus on likely relevant documents first, saving the time and improving the efficiency of the review in its early stages. The engine should also be immune to small mistakes in coding decisions applied by different reviewers, helping you to identify and fix coding mistakes early.

By newcomers the Predictive Coding engine is often considered being a magic black box, thus not completely trustworthy. On top of that - it is a complex, state-of-the-art, Artificial Intelligence mechanism, driven by human input and data, both of which change from case to case. Therefore we recommend learning how it works by testing it on existing cases first. This should eliminate the problem of potential initial lack of trust, help to learn the processes, advantages and its limitations. Follow the instructions below to make this process as safe and efficient as possible.

This experiment can and should be repeated on different cases, where different notion of relevancy is present. If you find that the model has not learnt well enough, you can try using the "more accurate" version of the algorithm. This, along with scenarios which describe how to assess the quality of your model, is described in the rest of this document.

It was mentioned already that the success of the Predictive Coding review will depend on the data you run it on. The engine will self-tune itself to give you the best possible results in a reasonable period of time. That being said, there may be cases where it doesn’t learn well enough.

It is important to Vound to work on extending the quality and performance of this tool and for that to happen we will need to receive a lot of feedback from our clients. Please stay engaged on our official Support Portal as well as Community Forum. Let us know if your tests were successful, what limitations you run into and what more features and extension you need.

Each Predictive Coding project goes through different lifecycle phases. Concretely:

The full workflow along with different transitions possible between phases is illustrated on the picture below:

At certain stage in every project, there is a time to identify items which will require human review and coding. In a typical eDiscovery case this is the outcome of various filtering/culling procedures which vary on case-by-case basis and are outside of the scope of this guide.

In order to achieve success in Predictive Coding project one needs to take further actions to filter and prepare the data.

Although the Predictive Coding engine is designed to self-recover whenever it can, we cannot stress enough how important it is to be thorough with this filtering, as the more harmful documents end up in your review set, the more it can affect the quality of results or the time it takes to process them.

It might seem that this would require a lot of manual labor at first, but Intella Connect has many useful features which could expedite this process (like Faceted search, fast Previewer, various item specific fields, etc.).

Rule 1: exclude non-textual content

The first step should be exclusion of all items, which do not have valuable textual content. This includes both items which do not have textual content at all (for example: images, empty documents, archives, binary files, etc.) as well as documents that are not well suited for language processing (for example: spreadsheets, HTML or XML files, CSV files, source code, etc.). A rule of thumb is – if a document contains large quantity of text terms (words) that seem like a "noise" and you feel like you wouldn’t be able point any of those terms to be relevant to you, then likely this item (and similar) should be suppressed from the Predictive Coding review.

Rule 2: exclude items which are too big or complicated

We advise to scan your data and identify items which are very large documents or may be small in size but contain a lot of textual content. Such items can be usually quickly reviewed manually outside of the Predictive Coding review, but would generate a lot of extra work to the engine, if included.

Obviously how complicated an item is can be hard to judge and depends on the nature of data in your review. To get some intuition of how this works, think what time would it take to you to compare each sentence from particular document to every other sentence in the rest of documents. But sometimes just having a quick look at the name or header of the document could already tell you that it won’t be relevant in a particular case.

Rule 3: suppress other items in families

If you can, make sure that your review baseline contains only items which themselves may be responsive. If you later want to expand the scope of those items to families, it is best to accommodate this in a flow outside of Predictive Coding.

Once you have prepared your dataset according to instructions from the previous chapter, you can now create a new review by selecting your items and clicking on Predictive Coding button located next to Create Export button.

You can also invoke this action by right clicking on your selection in items table and selecting Predictive Coding from the contextual menu.

The following dialog will appear.

Required fields:

You can also configure the engine using following advanced settings:

Once you press Start in background button, the Predictive Coding engine will prepare your review as well as create and persist the model which will be responsible for making future relevancy predictions.

You can track the progress of your review being created under Review > Predictive Coding view, as well as in Preferences > Background Tasks view. Both are illustrated below:

After the initial processing has been completed, a new panel in Review > Predictive Coding view will appear representing the newly created Review and informing you about its current state:

Each panel for an ongoing review contains the following information:

In the panel’s footer one can see the following four buttons:

After a new review has been created, every reviewer can join it by clicking on Start review button or by selecting the review in secondary navigation tabs in the application header.

The review console should already be familiar to any Intella Connect user, who has previously used Batching & Coding UI. It is illustrated on the picture below:

Although the UIs for the batch & Predictive Coding reviews are similar, there are few subtle differences worth pointing out.

Review queue on the left side is much more dynamic and allows for free navigation between items. It will be updated more often, when the model is changing relevancy scores for items or when other reviewers are coding items in the same review. The engine keeps track of which item is currently being reviewed by someone else, so it makes sure that the same item will not be presented to two reviewers. It will also render coding swatches, showing what kind of decision has been applied to an item. See an example below, where first item has been coded as Non Responsive and the second as Responsive:

On the right hand side, above the coding layout, there is a panel which renders the current state of the review. It offers some brief explanation of what you may expect at this stage of the review. That panel can also be collapsed, hidden or snoozed. Snoozing will hide it temporarily until the model changes its phase again.

The rest of that panel, including how to apply coding decisions, work the same way as with Batching & Coding functionality, so feel free to read that section for more details.

After the very first item in the review has been coded, the model will change its phase to Initial learning.

As soon as the first item in the review queue is coded, our model starts meandering through the items space. It will present you items that are significantly different from one another and ask you to code them. If you find any relevant items, it will try to focus its search around those items as they are the most valuable learning material for the future.

It is worth mentioning that it is perfectly acceptable to see many Non-Relevant items at this point, as it highly depends on the ratio of relevant items in your case. However, there is already much more going on than just selecting random items for review. You get the benefits of artificial intelligence soon after the very first item has been reviewed.

After you have coded the 10th item, the first iteration of the learning process will take place. The model will self-assess if it already can give you any items that are likely to be Relevant. If it can - it will move to the next stage of the review. If not, then it may remain in Initial learning state for a few iterations.

Once the model is accepted and its state cannot be changed, another option in the UI will unlock - you will be able to apply the model’s predictions to the remainder of the review queue.

Applying the model to non-coded items is a pretty straightforward process. Since our model can tell us the relevancy score of each item in that pile, your job is to indicate what the threshold value is above which we qualify everything as relevant, and below which we qualify items as non-relevant. The UI built for this will help you to select the right value and explain the resulting item counts. See the picture below:

In this example 12 items had a relevancy score higher than 15% and 2, 605 were below it.

After you click Apply all codings will be applied and the review is Completed.

Statistics presented here always relate to the last training performed on the model.

The biggest question arising during the review is always – has the model learnt well enough already? Therefore we are focusing on this one first.

As stated before, there are few indicators which may help in judging that the model is of good quality.

The first one is – the model has rather quickly moved from Initial learning to Active learning phase. It may take a few iterations to get this done (depending on the prevalence and the structure of your dataset), but it should eventually happen. If that is not the case, then the model is not even sure how to start categorizing items.

The next thing to expect is that model is starting to suggest more Relevant items, comparing to what one could expect based on the expected prevalence in this case. As an example if expected prevalence rate is around 10% then for 1000 items you should see one item every 100th being relevant (on average). If the model is giving you one every 60 then one every 40 then almost all relevant, that is a clear indication that it is learning well. Obviously, sometimes you don’t know even the expected prevalence. But the general rule should hold – the more items you code, the better the model should be in presenting Relevant items first.

A common pattern to observe is that when model is retrained, the review queue is updated and after you code an item, the engine will sometimes select an item in the top of the queue among other Relevant ones. That is a good indication that model has found some items which were not coded yet, but they have a high relevancy score and therefore should be reviewed now.

After a few iterations you should see that the front of the queue does not change that radically and majority of updates happen in the middle and bottom part of it. This is a good sign that the model is stabilizing slowly.

You will likely start getting more Non-Relevant items too. This usually means that most of the Relevant items may already be discovered. The "Iterations histogram" is a nice way to spot such patterns. See on the example below how a huge spike in Relevant items can be observed for iterations #5 and #6, then there were none found in next five:

This can be a good indication that we may have found everything which was Relevant. At this point you should scan your review queue and focus on items relevancy scores. The better the model gets, the larger the score gap between Relevant and Non-Relevant item should become. Here is an example:

As you can see the last Relevant item has a score of 81% (with its predecessors being scored as high as 92%-98%) and immediately after it we have a long list of Non-Relevant items scored 3% or less. This can be considered an ideal situation, as the there is a clear separation between those two categories of items. In most of the cases, the gap won’t be that large, but it should definitely be visible.

What if it’s not? Then it’s likely too early to talk about a well-trained model and more human review is justified.

So at this point we have established that we are no longer given anything which seems to be Relevant and also the gap seems to indicate that the model is separating categories nicely. But we may still have a large portion of items not coded yet at all. What if some "patterns" are also present there, and we were unlucky enough to miss those? In such case all items where this "pattern" can be observed could be missed, because the model hasn’t seen any of them yet. To guarantee that this doesn’t happen – we should now run the elusion test. It will make sure (with certain level of confidence) that the remaining portion of documents doesn’t have anything which would drastically change the state of our model. If that is true, you could apply the model’s predictions to the rest of the review queue.

There are also few indicators that can help you to assess that a model is struggling to separate Relevant and Non-Relevant items.

The first warning sign can be the fact that the model constantly stays in "Initial learning" phase, despite having plenty of items coded using both categories. This is illustrated on the following picture:

One can tell that each iteration has contributed a good mix of Relevant (34 in total) as well as Non-Relevant (102) items. Yet, the model remains in the "Initial learning" phase. Usually there are three explanations of such behavior:

One potential solution of this situation may be to rely on the variant of the algorithm, which is "more accurate" (see: "Creating a review" chapter). This one is more thorough in finding subtle differences between textual structure of documents, so it may perform better. You should also check if coding decisions are applied consistently by your human reviewers. Also, you can try to adjust one of engine’s settings described in a different chapter.

Another example of a model which has not learnt well is when model reached "Active learning" stage, but you see a lot of mixed Relevant and Non-Relevant items in the front of the queue. This is illustrated below:

There are few other warning signs here:

This situation can happen during initial few iterations and may be normal temporarily, but it should clearly not be the case further into the review.

A potential solution would be to run few more iterations to see if it starts straightening itself out, but if that’s not the case then it may be better to use more accurate algorithm or modify engine’s settings.

For now we have established two scenarios where the model is performing good or poorly in separating Relevant and Non-Relevant items, but there is also a chance it may not be created at all.

As described in the following chapters, model creation is rather complex and resource intensive operation. Therefore there is a risk it may fail in the preparation stage. Possible reasons are:

If the process has failed and you can still navigate the case, then try opening "Preferences > Background Tasks" and see if the preparation of your review is still there. If it is, it’s best to remove it from there, if the UI allows it. You can also delete the review from "Review > Predictive Coding" view, as described in earlier chapters.

Most of the crashes are related to lack of hardware resources due to running Predictive Coding on sets of items which are too big for current machine to handle. In such cases there are few things you can do to troubleshoot that:

The last mentioned alternative is certainly not an ideal solution, but it may sometimes be the only choice for running Predictive Coding on larger sets.

If you run into such issues, please contact support, as your feedback may help us improve this tool in the future.

Intella Predictive Coding engine is combined from state-of-the-art data processing tools and techniques, which take its origin in Machine Learning and Artificial Intelligence. It uses a unique, proprietary mechanism which extracts valuable information from cases created with Intella and Intella Connect and then builds a prediction model which is able to classify items into selected categories, based on the human input. Internally the model uses Support Vector Machine, an industry standard Machine Learning classifier to make its predictions. It is also equipped with self-tuning machinery, which tries to make this process scalable to larger sets while sustaining top level quality.

Here is the process of creating a new prediction model, in a nutshell:

After the model has been created, it’s ready for training. The input is provided by reviewers in form of coding decisions they are applying to items. Once appropriate number of inputs is recorded, a training iteration occurs. Several parameters are evaluated and selected to fine tune the model, so that it can express the newly acquired knowledge to the best of its capabilities. Then it is persisted and used to update the review queue of items presented to the reviewer. This training-prediction process is repeated until user decides that the quality of the model is sufficient for its purposes.

As stated before, the engine will analyze the set of provided items and analyze their textual profile to select some features it thinks are the most representative. To visualize this step, one can think of a large table, where rows are items feed into the engine and the columns are features contributed by each of those items. This is illustrated below:

Predictive Coding engine will run sophisticated Machine Learning algorithms to discover patterns in this table and that process requires a lot of sophisticated mathematical calculations.

Predictive Coding engine has been optimized so that it can self-tune itself so that it runs efficiently while not sacrificing too much of its quality. However, in its initial version there are few limitations that one has to take into account.

After understanding how features table is constructed (see the previous section for details) it should be apparent that adding another item to the Predictive Coding review makes the table grow in two dimensions:

This is not a linear growth, as even a single item can introduce many new features, previously unknown to the model. It is especially true for large documents, or "junk items" that may accidentally slip into the review. This is also why proper culling and sanitizing of your data set is so important before the Predicting Coding review is created – it helps to eliminate a lot of features that may pollute or bloat the model.

To give you some context – our test showed that running Predictive Coding on complex documents (large PDFs and DOCs) can make the model to require 2-5 times more calculations, comparing to running this on same amount of items, all being emails of an average size.

Creation and model training will require considerable amount of hardware resources (more details are provided in following chapters) and requirements will grow with larger reviews being conducted. It should be perfectly fine to run Predictive Coding reviews of 5-10k items on a standard class PC with 20-32GBs of RAM, but scaling it up to larger sets will require more powerful machines, or longer processing times.

Taking all this into account, you may see a decrease in performance or model creation taking excessively long time, when you run Predictive Coding on larger item sets. Our test were successful on sets as large as 40.000 items, but as pointed out before this highly depends on the dataset you are processing and may require some customization through settings.

Intella Predictive Coding engine can be configured with many settings, which may affect its performance and quality. Some of them are configurable directly in the User Interface, and some of them have to be set in case preferences file. Below we are providing a table covering all possible settings:

The first wizard page lets you choose an export format:

Only one format can be chosen per export run.

The current configuration can be stored as a user-named template in the last wizard sheet. In the first sheet all stored templates are listed in a drop-down list. Selecting one restores the state of the Export wizard to the one stored in the selected template.

Administrator’s note

Export templates are stored in the following folder:

C:\Users\<USERNAME>\AppData\Roaming\Vound\Intella\export-templates

You can use the "Suppress irrelevant items" checkbox to automatically exclude all items from the export that have been classified as “Irrelevant” during indexing. See the Features facet section for a definition of irrelevant items. The number of irrelevant items in the current item set will be shown in parentheses.

When a set of items is exported, they can optionally be added to an export set. This is a named set that captures information about the export. When a specific item is about to be exported, the file name and number is recorded in the export set. Furthermore the current export settings are stored as part of a set. When the export set is later selected again when exporting another set of items, this will affect that export run in the following ways:

When an export set is specified, the resulting export ID (typically based on subject, file name and/or consecutive number) can be made visible in the Details column by adding desired Export set column. The Export IDs can also be searched for using keyword search and keyword list search.

The options in this sheet allow to select the preferred content type for the original format items. Intella Connect will export the first available content in the order specified in the table. The following content types are available:

The first wizard sheet on PDF options lets you decide whether to export to individual PDF files, one for every selected item, or to export all items into one single concatenated PDF file. When exporting to a concatenated PDF, the resulting PDF can optionally be split in chunks of a given size. This is recommended for performance and stability reasons.

This wizard sheet consists of three sections:

File naming

By default, exported files will be named using the original evidence file’s name or the subject of an email. Alternatively, you can choose to number the files using consecutive numbers. These options can also be combined: a number followed by the file name or subject.

Load file naming offers more elaborate numbering style, whose parts can be further configured in the File Numbering section.

When using a numbering style, you can also define a prefix. Anything you type here will be added to the beginning of the filename. E.g. the prefix “export-” will result in the first email being named export-00000001.eml, when you combine it with consecutive numbering.

Use Custom ID option can be used to use custom IDs generated via Generate Custom IDs task. If page numbering is used, each page will be numbered based on the custom ID plus a page number suffix. Number of digits for page option determines the number format that will be used to number pages.

Using "Advanced" mode you can define a file name template that will be a base for exported file name. The template may include the following fields:

In order to insert any field in the template you can either type it manually or select the field from the drop-down list and press Add field.

File numbering

Using the "Start at" option you can define the number to start counting with. By default exporting will start counting at 1. A typical reason to use a different start number is when you want to combine the exported results with another set of already exported files.

Numbers are always 8 digits long.

“Folder”, “Page rollover” and “Box” are only relevant when using load file naming.

When exporting to PDF the "Number pages" option can be used to number individual pages instead of files. So the numbering would work the same way as when exporting to a load file.

File grouping

Select the option "All in one folder" to put all exported files in one folder.

Select the option "Keep location structure" to preserve the original folder structure that the items have in the evidence files. A folder will be created for every source, in which the original folder structure of that source (as shown in the Location facet) will be recreated.

File name examples

On the right side you can see a live preview of how the exported file names would look based on the current settings, using items from your current item set as examples.

The options in this sheet only apply to non-redacted items; the exporting of redacted items is governed by the “Redacted items” sheet.

For all types of items, you can indicate whether to include a basic item header, properties, raw data and comments in the PDF:

Furthermore, the item’s content can be exported in its original format, as the extracted text, or both. The following file formats can be exported in their original view:

When you select "Original view", you will also be able to define a list of item types that should be skipped for this. You can use this to e.g. prevent native view generation of spreadsheets, which often are hard to read in PDF form. An optional placeholder text can be added to make clear that original view generation has been skipped on purposes for this item.

Select the "Append file type to placeholder text" option to add the type of a skipped file to the end of the placeholder text, so it would look like: "Document rendering skipped (Microsoft Excel 97-2003 Workbook)".

When you also select the "Export skipped item as native file" option during load file export, the resulting load file will not contain the corresponding native file. By selecting "Also skip extracting text" you can skip generating the extracted text as well. This includes extracted text added to the resulting PDF and extracted text exported as a separate file as part of a load file.

The Configure Original view button allows to configure which content type needs to be included in the Original view of the item. See the section Preferred content type options for more details about which content types are available.

If you uncheck "Include item metadata", the resulting PDF will not contain any additional information except for the actual item content (in its original format and/or as extracted text), the document title/subject and the headers and footers defined in the next sheet. Most of the options on this sheet will then be disabled.

For emails, the following information can optionally be included:

For loose files and attachments that are not emails, the following options are available:

It is possible not to include the lines that separate the headers and footers from the content by unchecking the "Draw header and footer line separators" checkbox. Section names such as "Image", "Original view", "Extracted text" etc. can also be excluded from the resulting PDF by unchecking "Include section names".

Enter a file name to use for the generated PST.

Enter a display and folder name. After opening the exported PST file in MS Outlook, you will see the names you entered. They help you to locate the PST file and its contents in MS Outlook. When a folder name is not specified, the items will be exported directly to the PST root folder.

Select the option “Keep location structure” to preserve the original folder structure during the export.

The resulting file can optionally be split into chunks of a given size. This is highly recommended for larger result sets that would make the PST grow beyond the default suggested file size, as Outlook may become unstable with very large PST files. The produced files will have a file size that is close to the specified maximum file size (usually smaller). The export report will list for every item to which PST it was added.

Item types that can be exported directly to a PST file
Besides emails, the following item types can be exported directly to a PST file:

Limitations:

These limitations may be removed in a future release.

Please note that non-email items will be exported to a regular PST folder under the Mail section, so not in e.g. the Contact section.

How to export other item types to a PST file
Items such as Word and PDF documents cannot be exported directly to a PST file. As such items may be attached to an email, Intella Connect can be configured to export the parent email instead.

You can choose to either include the top-level email parent or the direct email parent. An example would be an attachment contained within an email message within another email message. With the top-level parent selected all parent items of the attachment (both emails) would be included in the PST, one nested within the other. The second option exports the nested email to the PST. You can also choose to simply skip non-email attachments.

Although this option only mentions parent emails, it also applies to e.g. PDF files attached to a meeting request or any of the other exportable items. In this case, enabling this option will export the meeting request instead. This option may therefore be renamed in the future.

How to export attached emails
The last setting controls what happens with emails that are selected for export and that also happen to be attachments. These are typically forwarded messages. Such emails can technically be exported to a PST without any restrictions, but the investigation policy may require that the parent email is exported instead, to completely preserve the context in which this email was found. That can be done by choosing the Replace with its top-level parent email option. Alternatively, use the Export attached email option to export the attached email directly to the PST.

At the moment the Analyst’s Notebook and iBase export does not provide any configuration options.

Templates, import specifications and instructions are provided for Analyst’s Notebook and iBase. Please contact support@vound-software.com for more information.

You can select one of the following load file formats:

Each load file export consists of several parts:

The first part is mandatory; the others can be turned off.

The main load file name can be changed using the “File name” text field. It is also possible to specify the main file encoding when the Summation format is selected.

The "Export native chat content as PDF" option can be used to export native content of chat conversations and messages in PDF format instead of plain text. This was primarily designed for direct Relativity export due to certain limitations of that platform.

By selecting “Use custom date/time formats” you can override the date and time format used in the load file. Please see this document for the date/time format syntax details: http://docs.oracle.com/javase/8/docs/api/java/text/SimpleDateFormat.html

The Size column can be optionally exported in kilobytes, megabytes or gigabytes instead of bytes, by using the “Size unit” option.

To control the quality of the exported images, one can use the “Image DPI” parameter. It defines the number of dots (pixels) per inch. A higher DPI setting results in higher quality images, but these will take more time to produce and consume more disk space.

It is also possible to adjust the TIFF compression type. Note that the image will be converted into black-and-white variant if one of the “Group Fax Encoding” compression type is selected.

The “Also include PDF version of images” option can be used to additionally export PDF version of images if the image format is different from PDF. The PDFs will be exported to the folder specified in the Folder option.

If the “Opticon Page Count field contains number of pages of entire document” option is turned on, in the Opticon file the 7^th field of the first page record (NEW_DOC_BREAK=Y) will contain the total number of pages of the entire document. The 7^th field of all the other page records will contain an empty value. If the option is turned off, the 7^th field will contain the number of pages of the current page record only. That means it will always be “1” for any single page format like JPEG or PNG.

The extracted text can be configured by clicking the “Configure” button. In the “Configure extracted text” dialog you can choose which components to include and change their order. Different components can be configured for emails (including email-like items: instant messages, conversations and phone calls) and files. The Properties component can be configured by clicking the “Configure” button below the table. You can choose which properties to include.

When you need to embed the extracted text directly into the load file itself (the DII, DAT or CSV file) instead of exporting it into a separate file, you can use the checkbox “Embed extracted text into load file”. A custom field of type EXTRACTED_TEXT should be used to insert the text as a field in this case.

When exporting to Summation the checkbox “Include Summation control list file (.LST)” can be used to generate a plain text file that lists all document IDs along with the extracted text files. The “OCR Base” field controls the prefix used for the extracted text files.

The “Exclude content” option can be used to completely exclude the items tagged with a specified tag. For every excluded item, only the metadata will be added to the load file. The text and the images will contain the text specified in the “Placeholder text” field. Native files will also not be generated for such items.

Numbering with load files
The numbering used for load files differs from the other export formats. When exporting to a load file, every exported page has its own unique number. The number of the first page is usually used as a number of the document. Please note that pages are numbered only if image files are included in the export.

On the “Headers and footers” sheet you may choose a special field PAGE_NAME which is available only with load file export. This will put the current page name as it was configured on the “Naming and numbering” sheet.

Another difference is that by default all export files are grouped into folders and optionally boxes. The “Page rollover” option defines a maximum number of pages that a folder can contain. The maximum number of folders in a box is fixed to 999 (at the moment, it can be changed via an export template XML file only). Additionally, you can set a starting number for the page (“Start at”), folder and box.

By default, the page counter starts over when switching to the next folder, so the first page in the next folder will have the number “1”. This approach can be changed when using the “Continue page numbers from previous folder” option. When it is selected, the page counter will continue page numbering from the last page of the previous folder. In other words, page numbers will be unique among the entire export set.

Additionally, the “Advanced” numbering mode can be selected when exporting to a load file. In this case, you will be able to set a custom file name template. Please see the file naming and numbering section for details. Note that %num% means a page number, not a document number in this case. Also, there are two new fields that can be used:

You can also use the %000group1% syntax to define the number of leading zeroes in the counter (similar to the %000num% syntax). Thus, the default load file numbering schemes can be expressed using the following templates:

When using the “Advanced” mode it is important to set a file grouping: “All in one folder” or “Load file mode”. When the “Load file” grouping mode is selected, the exported files will be grouped by folders and, optionally, boxes in exactly the same way as it is described above.

Field chooser
The “Field chooser” sheet contains a table of the fields that will be included in the load file. By default, the starting set of fields depends on the selected load file format.

The “Name” and “Comment” columns in this table are used only for managing the fields within Intella and are not included in the load file. The “Label” column value is used as a column label in the load file. The “Type” column can be one of the following:

You can include an additional custom field by pressing the “Add custom field…​” button. Next, enter the name, label, and comment. Select one of the following types:

When exporting to a load file, all documents are grouped by their parent-child relationship. For example, an email and its attachments form a single group. The columns “RECORD_ID_GROUP_BEGIN” and “RECORD_ID_GROUP_END” denote the start and end page numbers of such a group.

When adding a date column as a custom field, it is possible to choose the way how the date is formatted: show date only, show time only, show full date and time, timezone offset, or timezone name. Note that you can add the same date field more than once and use different formatting options. For example, you can add two custom fields: DATE_SENT (“Sent” column, show date only) and TIME_SENT (“Sent” column, show time only).

Click the “Select default fields” button to select only those fields that are part of the default field set for the selected load file format.

Intella can export items directly into a Relativity database, i.e. without the need to manually handle load files. Note that this functionality requires Microsoft .NET and the Relativity SDK to be installed. See the Installation section for further details.

On the “Relativity options” page you can specify a service URL, user name and password. Please ask your Relativity administrator for the correct settings. The Relativity service URL usually looks like this: https://host/relativitywebapi. You should use the same service URL as you use in Relativity Desktop Client.

Click the “Get list from server” button to get a list of Relativity workspaces. Select the workspace you want to export the items to. You should also choose an identity field which is used as a key field in the selected workspace (it’s usually “Control Number”).

The rest of the settings are the same as you can use during an export to a load file. You can include natives, images, and texts.

Please note that when you use a field chooser, you can choose an existing field from the selected workspace. The field editor will also show a little warning icon near the field label if you enter an incorrect field name.

Current limitations:

You can set headers and footers for the generated PDFs and images. For each corner you can select one of the following fields to display:

Also you can type any static text instead of selecting one of the fields.

This wizard sheet controls what the cover page of the report will look like. The options are divided into two sections:

In this wizard sheet, the sections that make up most of the report can be defined. Each section is defined through a row in the table. The table columns have the following meaning:

To add a new section, click the Add section button to the right of the table. A dialog will be shown where you can select either a type or a tag of items. The items corresponding with that type or tag will appear in the newly defined section.

To change the type or tag of an existing section, click the Change category button.

After clicking the Ok button, a new section will be added to the Sections table. It will be automatically selected. The selected section can now be further configured in the Section details section:

The ordering of the sections can be modified by dragging sections in the Sections table.

Setting that can be configured on this wizard sheet are:

Headers and footers

Table of contents

Summary

Errors

Output format
The item report can be exported to these two formats:

This wizard sheet controls how Redacted items are to be handled when they are part of the set of items to export.

The options below depend on the chosen export format.

When exporting to Original format or PDF:

Note that for Original format export a PDF will then be generated, rather than the item being exported in its original file format.

When exporting to Original format, PST or i2 iBase/ANB:

When exporting to Load file or Relativity:

You can indicate whether you want to create an export report for this export. The report can be formatted as a PDF, RTF, CSV and/or HTML file.

For PDF, RTF and HTML reports you can also add a comment that will be displayed on the first page of the report.

Export reports link the original files to the exported files, by listing identifying information about the original item (e.g. source evidence file, MD5 hash) and linking to the exported file. Also the export report may contain information that is lost during export, such as the evidence file’s last modification date; like any copy, the export file has the date of export as its last modification date.

Additionally, you can specify in what order the items are to be exported:

Not all items are inherently exportable to the chosen export format(s). Examples are: