Intella User Manual 2.6.1

Standard technical support is offered free of charge to all Vound customers that have a current support and maintenance contract.

Standard technical support can be requested at the Vound support page, http://support.vound-software.com.

Support is provided on business days, Monday through Friday. We attempt to give you a first answer within 2 business days.

All communication will be remote – e-mail, GoToMeeting, and other means – and not in person unless otherwise arranged.

Standard technical support will only be provided if your computer and operating system meet the minimum recommended specifications listed in the latest version of the Intella™ manual.

Who is eligible for technical support?
Our goal at Vound is to provide our customers high quality and timely technical support. To do this we limit technical support to the registered owners of Intella. Companies that allow a third party to use their Intella licenses must have that third-party channel all technical support through the original registered owner of the software.

To ensure that we support our customers, Vound regrets it cannot support users who are not the original registered owner of Intella.

What technical support is included?

Please note that Vound will make reasonable efforts to correct identified software errors. However, this may not be achievable until a later date or version release. If this is the case, the user should make efforts and take responsibility to achieve the required outcomes via other methods. Where the errors relate to or are caused by corrupt data (within source files), Vound reserves the right to charge for the work needed to rectify the issue.

No support can be provided…

A paid user support contract is offered to those customers that want additional user support. The user support contract provides assistance that falls outside the standard support package (see 3.1.1 Standard technical support).

What can be included in the user support contract?

How to buy to a user support contract?
User support contracts are based on your specific needs. If you want to know more, please contact your nearest Vound representative or your local Intella™ reseller.

Vound offers several paid training courses for its product. These courses are designed to expand your effectiveness and output when using Intella™. It is recommended that all users take a minimum basic training course to ensure they are correctly using the product.

Users who have taken a recent training course for their Intella™ product will be offered a discount on a paid user support contract.

For more information on types of training and available dates please visit http://www.vound-software.com/training.

CPU, memory, and disk space requirements depend on how Intella is intended to be used:

Indexing

Main memory and CPU requirements for indexing:

Using Viewer to connect to cases shared with Intella Connect or Intella Investigator

While technically Intella will work over slow network connections, a local and fast (gigabit) network is preferable, especially when working with large cases or with large reviewer teams.

Main memory and CPU requirements for connecting to a shared case:

Intella is supported on Windows 8/8.1, 10 and 11. Starting with the Intella 2.4 release, it is only available for the 64-bit editions.

Although our products can be installed on a number of Windows Server products such as Server 2012, 2016, 2019 and 2022, our products do not require a server operating system, and they run perfectly well on the listed desktop operating systems. For server installations, we only support our applications. We do not provide support for the server itself. Server security settings may need to be configured, and ports may need to be opened, for our products to operate on a server platform. These settings need to be addressed by your IT team to ensure that security of the system is maintained.

We do not support our products when installed on an operating system deemed end of life by its manufacturer. For example, these would include platforms such as Windows Vista and Windows Server 2008.

The following external applications may also be necessary to use some of Intella’s functionalities:

HCL/IBM Notes
To index NSF files, HCL/IBM Notes 8.5 or higher is required. Only the application files are necessary, HCL/IBM Notes does not have to be fully set up and configured. In principle, all HCL/IBM Notes 8.5.x versions or later can be used, but the following versions will produce a warning:

These versions contain a bug described here that cause emails with multiple “Received” headers to be altered: all Received headers will get the value of the first header. At the time of writing HCL/IBM Notes 9.0.1 was available, in which this bug has been fixed.

To index files made with HCL/IBM Notes 9.x, we recommend installing HCL/IBM Notes 9.x.

Notes 9.0.1FP8 or higher needs to be installed to decrypt messages in a non-encrypted NSF. Other versions will work, but encrypted messages will not be decrypted. In order to use an older version you need to select the Enable using unsupported version of HCL/IBM Notes checkbox.

Microsoft .NET and kCura Relativity SDK
To be able to export directly to a Relativity server, i.e. without having to handle Relativity load files, Microsoft .NET and the kCura Relativity SDK need to be installed.

The following versions of Relativity are supported:

Microsoft .NET can be obtained from the Microsoft website:

The Relativity SDK can be obtained from the Relativity website. This functionality was tested with version 8.2 of the SDK. After running the SDK installer, copy all 20 DLLs from this folder:

to this folder for Relativity 8.2:

In order to install Relativity SDK 10.3, do the following:

Notes on the trial license that is bundled with the software that you have downloaded:

14-Day evaluation period
The trial version runs under a HASP Software License, which gives you the ability to use Intella for 14 days. The
14-day evaluation period cannot be extended. The only way to continue using Intella is to purchase a dongle.

Trial restrictions
Besides the 14 days of usage, the trial only allows 10 GB of evidence files per case. Also, exporting is limited to maximally 1000 items per export.

Continue working with a USB dongle
If you would like to continue using Intella after this 14-day period, you will need to buy a license. After buying the license you will receive a USB dongle that will allow you to continue using the version you already installed. A dongle provides a perpetual license without export restrictions. Evidence size restrictions may still apply, based on the licensed product.

System clock
Changing the clock on your system will cause the trial to automatically expire. When this occurs, the only way to continue using Intella will be to purchase a license.

Virtual Machines, VMware
The evaluation version not work in VMware without a dongle.

RDP (Remote Desktop Protocol) connection
When using RDP, the dongle or trial license must be in/on the computer running the Intella software, not in the computer running the RDP viewer.

Other dongle-protected software must be closed
All other HASP protected software, like EnCase (Guidance), Smart Mount (ASR Data), HBGary and i2 products, must be closed when installing Intella.

The application folder contains an executable called “Intella.exe” that can be used to launch the application. The desktop and menu shortcuts also start this executable. The program will start with the Case Manager window.

“HASP key not found (H0007)”

This error code might be caused by other HASP dongle protected programs. Please close all HASP related programs (i.e. EnCase, Smart Mount) and reinstall Intella.

“Could not find a valid Intella license, please insert a dongle”

This error message is shown when your trial license has expired, or when you unplug your dongle while Intella is running and it cannot fall back to a non-expired trial license. You can only continue using Intella by inserting a dongle.

“Unable to access HASP SRM Run-Time Environment (H0033)”

This error code may be triggered if you run antivirus software. It is probably due to the antivirus software incorrectly blocking access to the HASP install. Please update your antivirus software to the latest virus definition file.

If this problem persists, reboot your computer, open a Command Prompt, and run (as administrator)

and restart Intella.

Other HASP dongle protected software may cause this error. Please close all HASP related programs (i.e. EnCase, Smart Mount) and reinstall Intella.

If this problem persists, open a Command Prompt, and run (as administrator)

and restart Intella.

If problem persists after running this command, please open a Command Prompt as administrator and run

“Your Intella (trial) license has expired (H0041)”

This error will be triggered if Intella is run and your trial license has expired. Once the trial has expired, you can only continue using Intella by inserting a dongle.

“Virtual machine detected, cannot run without a dongle (H0051)”

To protect our intellectual property, the evaluation version of Intella WILL NOT run in a virtual machine (VM) environment. A “stand-alone” machine is required. This is only true for the evaluation version; Intella will run in a VM environment using a dongle.

Solution 1: Reconnect the USB dongle to your computer
Solution 2: Install the Intella evaluation version outside a virtual machine

The Intella process and its child processes (one for each case that you open + additional processes during indexing and exporting) are limited by the amount of RAM that the process can maximally use, despite how much memory is installed in the machine. On some data sets this limitation can cause issues when indexing or reviewing the data. These issues can be recognized by errors in the log files containing the text “OutOfMemoryError” or “java heap space”.

When such errors occur, a workaround may be to increase the automatically managed memory settings, especially when the machine meets the recommended hardware settings (at least 8 GB of RAM).

To increase these limits, select the case in the Case Manager and click Edit… button. Change the “Memory allocation” setting from Auto to Manual and increase the value. Note that you can never specify more than half of the available system RAM. This is to make sure that Intella’s child processes and the OS still have sufficient memory available to them.

When the memory issue relates to the processing of evidence files (you may need to contact tech support for that diagnosis) or to exporting, you can change the “Service memory allocation” setting from Auto to Manual and increase the value as suggested to you by tech support. Make sure that you do not assign more than your machine and OS support, taking into account that the other processes and Windows itself will also need sufficient memory. For the processing of MS Exchange EDB files, a minimum of 3 GB will be necessary for the service memory allocation setting.

By default, Intella will use up to 4 parallel crawlers when processing evidence files. In some cases, the limit can be increased by changing the Crawler Count setting from Auto to Manual. The number of crawlers should never exceed the number of CPU cores on your PC. Setting a too high number might result in non-optimal performance.

By default, Intella will cancel processing of an item if takes an extremely long time. It happens when a crawler does not produce any items in more than one hour. This number can be changed via the Crawler Timeout setting. It is also possible to disable the timeout mechanism completely by setting the value to 0.

There is an Intella data folder in your home folder. Typically, it is in

Intella has two types of log files:

The log files can be opened in any text editor like TextPad or Notepad++. Be aware that Windows’ default text editor Notepad may have issues opening large files.

This section describes situation where Intella was being run under certain user account in the past, but a different user now needs to work on cases and is trying to run Intella under different Windows user account than in the past:

When the client and server are within the same subnet, no network setup is usually necessary. The drivers on both machines will usually find each other automatically and the client will be able to use the licenses on the network dongle.

For example, in the following setup:

the drivers will be able to communicate directly, if port 1947 is not blocked.

When the application is not able to use the network dongle’s licenses, please follow the steps below for setting up usage with different subnets. This may resolve the issue.

Given the following setup:

the drivers will require some configuration for the client and the server to be able to find each other.

Step 1: Make sure that port 1947 (used by the drivers) is not blocked by any firewall. The drivers use this port to communicate with each other and with the application. Both TCP and UDP communication need to be enabled.

Step 2: Ensure that the server and client machines can "ping" each other.

Step 3: Plug the network dongle into the server. Make sure that the key is detected when viewing the Admin Control Center on http://localhost:1947 on the server, like this:

Depending on the exact network dongle type, the value in the Key Type column can vary. E.g., HASP HL Net 10, HASP HL Net 50 or Sentinel HL Net 50.

Step 4: On the server, do the following:

Step 5a: When client and server are on the same subnet, then on the client:

Step 5b: When client and server are on different subnets, then on the client:

Step 6: On the client:

You should now be able to start the application on the client, using a license from the network dongle. You can verify this by checking the Case Manager window; it should list the network dongle’s ID:

Only local cases can be included in a compound case; remote cases shared by Intella Connect or Intella Investigator are not available for inclusion in a compound case.

Evidence data sources cannot be added directly to the compound cases, but they can be added to the sub-cases separately. New data will be available when the compound case is opened next time.

It is not possible to use a compound case and any of its sub-cases at the same time. Opening a compound case will lock all its sub-cases. Similarly, opening a sub-case separately will lock all compound cases with this sub-case.

User annotations (e.g., tags, flags, comments, and custodians) that are added in a compound case are specific to that compound case and do not affect the sub-cases.

The following annotations that are added in the sub cases will be visible (read-only) in the compound case:

The following annotations that are added in the sub cases will NOT be visible in the compound case:

One can perform these actions, but their results stay local to the compound case. The compound case also maintains its own Event Log, independent from its sub-cases.

Thumbnails generated in a sub-case will be visible in the compound case. But thumbnails generated in the compound case will not be visible in the sub-cases.

The following functionalities are not available in compound cases:

Text imported into a sub case via '-importText' command line option will be visible in the compound case.

Notes on item IDs in compound cases:

When a sub-case is deleted, evidence items of this case will no longer be available in a compound case that refers to it. If the compound case had annotations or other review data associated with these items, this data will be unavailable.

Deletion of a compound case will not cause the deletion of any sub-cases. If desired, these need to be deleted individually and separately.

Choose “Create a new case” to create a new local case from scratch. When the Create New Case dialog is displayed, give the case a name, enter an optional description, enter the name of the investigator creating the case and select a location where you want to store the data that belongs to this case.

The selected case folder will be checked for being a hard disk formatted with the NTFS file system. A warning is displayed when this is not the case, e.g. when a FAT file system is used, which has file size limitations unusable for Intella, or when a USB flash drive is detected, which is not recommended for various reasons.

Clicking on the “Advanced” button adds more options that normally are only necessary if you want to apply a case template or when dealing with very large cases (hundreds or GBs or more):

Choose “Create a compound case”. In the “Create new case” dialog, specify creator name, case name, optional description and case folder, as described for a local case above.

In “Include cases:” list, choose one or more local cases to be included in the compound case.

Click on the “Advanced” button to access memory allocation settings for new case. See the “Memory, crawler count and timeout settings” section for instructions on how to use this.

In the Add Case dialog, select “Open a shared case” to open a case on another machine that has been shared by a Intella Connect or Intella Investigator user.

A wizard for creating remote case will open. Depending on the setup, it will ask for a Case URL, investigator name, passphrase and more. This information should be provided to you by the case administrator (typically the Intella Connect or Intella Investigator administrative user).

The first “Case URL” step asks for URL under which the case is shared.

If the case is shared by Intella Connect or Intella Investigator without any Single-Sign-On (SSO) providers configured, then the “Login credentials” step will ask for investigator name and passphrase.

Check the “Remember passphrase” checkbox if you want to store the password locally, so that you don’t have to re-enter it each time you select the case in the Case Manager and click Open.

On the other hand, if SSO providers were configured in the server product, then they will be shown on the top separated from investigator name and passphrase fields.

Your case administrator will let you know whether to use SSO provider button or investigator name and passphrase fields.

Clicking on SSO provider button will show login page of the SSO provider similar to how it is shown in the (Edge, Firefox or Chrome) browser.

You will be asked to provide login credentials which are configured on the SSO provider side.

Alternatively, when logging in via local or LDAP account by providing investigator name and passphrase, then in case of local account you may be asked for "Verification code".

The verification code is required when the account is configured with Two Factor Authentication. Use your device with two factor authentication enabled to obtain the verification code.

To summarize, there are three ways to login to a remote case by using:

Once correct login credentials were provided and verified, then the last step of this wizard will be shown.

On the top, the case name and description will be loaded from the server. These are only for information and to verify that the correct case is being logged into.

Click Suggest or enter a custom data folder for local storage. This folder will hold local log files, user preferences, etc.

The memory allocation settings can typically be left to their default value. See the Memory Settings section for more information on this.

Now the case will be added to the Case Manager list and will open instantly when you keep the “Open case immediately” checkbox selected.

In the Add Case dialog, select “Add an existing case”. This will open a dialog prompting you to choose a case file (case.xml). This file is in the top-level case folder. Choose the case file and click on Open. The case will now be added to the Case Manager’s list and can be opened by selecting the case and clicking the Open button.

In the Add Case dialog, select “Import a case”. This will open a dialog prompting you to choose an Intella case file (.icf file). Choose the case file and click on Import. Once importing has completed, the case will be added to your Case Manager’s case list.

When converting a compound case, Intella will ask to specify new paths for all sub cases and convert them automatically. At the end, all converted sub cases will be added to the newly converted compound case. The procedure is fully automatic.

The process is initiated from the Case Manager window of Intella Professional client, by pressing Upload…​ button. The following dialog will appear.

The Server URL field should specify a full URL point to your Intella Connect or Intella Investigator instance, including a protocol and port (ex. https://connect.mycompany.com:443). User name should match a valid Intella Connect or Intella Investigator user account. That account should have appropriate permissions to either manage the Intella Connect or Intella Investigator instance as an administrator or at minimum manage cases. The Passphrase should match the password used when signing in using Intella Connect or Intella Investigator login form.

In the ICF area, please select the appropriate option depending if you want to use existing *.icf file or create a new one:

After pressing Upload the procedure will start. You can monitor its progress inside the black text area.

Once this operation finishes, you can import the ICF file to extract the contents of the file to a disk on Intella Connect or Intella Investigator server. This feature is available under the Cases / Import / Intella Case File (*.icf) subview.

The process of uploading *.icf files to Intella Connect or Intella Investigator server is delegated to a secure, well known sftp protocol. Therefore in order to make this feature work properly, the Windows operating system installed on the machine where the product is hosted needs to be correctly configured.

First thing which needs to be done is to install Open SSH Server on machine hosting Intella Connect or Intella Investigator. Depending on which operating system you are running, this process may vary. Newer versions of Windows Server allow to install the server using Windows Settings and Optional Features. Older versions may require to install the binaries from a 3rd party repository. The detailed steps for this process are out of scope of this manual, but below is a list of handy resources which may help you through the process:

Once the Open SSH Server is up and running on the default port (22 or other), make sure to allow the network traffic on Windows Firewall. It doesn’t have to be open to the internet, but you must make sure that connections between your server and the machine running Intella Professional are not interrupted.

You can now move to additional configuration of the Open SSH server.

Follow these steps to add a File or Folder source to Intella:

Click "Next" to continue.

The last steps in the definition of a source type are almost the same for all types. They are described in the section [last-steps-in-a-source-definition].

Follow these steps to add a load file to an Intella case:

Important notes on load file importing

There are several aspects to be aware of when importing a load file into an Intella case:

You can save the specified load file import options as a template for later usage on the last page using the button Save Template. All import templates are stored as XML files in the "<Intella Home Folder>import-templates" folder.

Follow these steps to add a Hotmail Search Warrant Result to Intella:

The last steps in the definition of a source type are almost the same for all types. They are described in the section [last-steps-in-a-source-definition].

Follow these steps to add a Disk Image source to Intella:

After you click Next button in the wizard footer, Intella will validate selected disk image. This process may take long time depending on the complexity of the data.

The last steps in the definition of a source type are almost the same for all types. They are described in the section [last-steps-in-a-source-definition].

Filtering disk image content

A disk image often contains a lot irrelevant files, such as executables, DLLs. These files add to the processing time and disk space that the case will consume. It is possible to define a set of rules to filter out unnecessary files and folders, to save processing time and disk space.

Note that search results can also be filtered after indexing, using the Hide Irrelevant filter option in the Details tab.

Supported disk image formats

The Disk image source type supports EnCase E01, Ex01, L01, Lx01 and S01 files. Password-protected files are supported and indexed without manual interaction, except for FTK-encrypted files.

DD images are supported, but when a Folder source is used, they need to use the .dd file extension to be detected and processed as DD images. Because of potential issues with DD image detection, we recommend using the Disk Image source directly. This is also required when you want to index a multi-volume DD image

Supported file systems and partition types

The following file systems have been tested: FAT16, FAT32, ExFAT, NTFS, Ext2, Ext3, Ext4, HFS, HFS+, APFS and ISO 9660. Other file systems such as YAFFS2, ISO 13346 (UDF), UFS 1 and UFS 2 may work but have not been tested yet.

MBR and GUID partition tables (GPT) partitions are supported. Apple Partition Maps (APM) have been tested but results were mixed. When an image cannot be indexed, we recommend mounting it manually and indexing the mounted drive using a “File or Folder” source.

APFS and BitLocker encrypted volumes are supported. When an encrypted volume is detected, a dialog will be shown where it’s possible to enter a password or recovery key. BitLocker volumes with suspended protection (also known as "clear key") will be indexed automatically without a password prompt. If a BitLocker volume is protected with multiple keys, you can enter any key.

Multi-volume files

When using a Folder source to index multiple image files, Intella will rely on the following file name convention to determine which files together make up a single image:

Volume shadow copies

Volume shadow copies (VCS) is a mechanism in Windows OS that preserves previous versions of files in a special hidden area on the disk. A new VSC snapshot is often created automatically by Windows when installing major system updates or drivers.

When Intella detects that the disk image contains VCS, the Specify Volume Shadow Copies page will be shown. On this page you can select specific snapshots that need to be processed.

By default, Intella will only extract the files that were changed between snapshots. That allows to save a lot of processing time and disk space by not indexing the same file several times:

Intella uses the last modified date of the file to determine whether it has changed. It is also possible to take the last access date into account.

The "Has Shadow Copies" option in the Features facet can be used to see all items that have other versions in shadow copy volumes.

To see all items extracted from all volume shadow copies, use the "Recovered → Recovered from volume shadow copy" option in the Features facet.

The currently supported MS Exchange versions are 2003, 2007, 2010, 2013 and 2016.

Follow these steps to add a MS Exchange EDB Archive source to Intella:

The last steps in the definition of a source type are almost the same for all types. They are described in the section [last-steps-in-a-source-definition].

When an EDB source has been added and not all mailboxes were selected, it is still possible to index additional mailboxes in that EDB file at a later stage. To do that, the following steps should be performed: 1. Click on the "Edit" button for the respective source on Sources page. 2. Indicate which mailboxes should be processed. Note that you cannot unselect or remove already processed mailboxes. Click OK. 4. Use the "Index new data" button option to index the new mailboxes.

This source type lets one import an entire case created with the Vound W4 application into the current Intella case.

Follow these steps to add and process a W4 case source:

The last steps in the definition of a source are almost the same for all types. They are described in the section "Last steps in a source definition".

Follow these steps to add an IMAP Account source to Intella:

The last steps in the definition of a source type are almost the same for all types. They are described in the section [last-steps-in-a-source-definition].

A Dropbox source reconstructs the entire folder tree in a Dropbox account and downloads current and past revisions of the files in the account.

The official Dropbox REST API used by Intella limits this to a maximum of 10 revisions per file. All revisions except for the last one have their file names decorated with the revision identifier. Furthermore, additional Dropbox-specific metadata is retrieved for both files and folders. These are displayed in the Previewer’s Raw Data tab and are subject to full-text indexing.

Intella uses the OAuth2 (Open Authorization) protocol to access the account. Prior to defining the source, the investigator needs to obtain an OAuth2 token for the account.

This process is described in detail in the following Knowledge Base Article: Collecting data from a DropBox source.

Next, follow these steps to add a Dropbox source to Intella:

The last steps in the definition of a source type are almost the same for all types. They are described in the section [last-steps-in-a-source-definition].

A Google source allows to download items from the following Google services:

More Google services will be added in the next versions.

Different services require different APIs to be enabled:

Optionally, the set of retrieved items can be restricted to a certain date range.

Benefits of using the Google/Gmail source over the generic IMAP source are: faster performance, more accurate data representation (e.g. folders vs. Gmail’s Labels, threads), and a read-only data connection ensuring that no data is altered on the server.

Intella uses the OAuth2 (Open Authorization) protocol to access the account. Prior to defining the source, the investigator needs to obtain an OAuth2 token for the account. The token will be downloaded as a JSON file, which Intella can use to access the account. This process is described in detail in the following Knowledge Base Article: Collecting data from a Google source.

Next, follow these steps to add a Google source to Intella:

The last steps in the definition of a source type are almost the same for all types. They are described in the section [last-steps-in-a-source-definition].

SharePoint is organized as a recursive hierarchical tree of sites. A SharePoint source will reflect all subsites, document libraries, discussion boards containing posts and Microfeed posts. Furthermore, a SharePoint source extract all user accounts, including both system accounts and regular user accounts. What information is required to retrieve information from a SharePoint instance depends on whether it is an on-premise instance or an instance hosted in the Azure Cloud (as a separate Microsoft 365 service). For both types, a server URL, username and password are required. For SharePoint instances in the Azure Cloud, a client ID token is additionally required.

This process is described in detail in the following Knowledge Base Article: Collecting data from a Microsoft 365 or a SharePoint Source.

Next, follow these steps to add a SharePoint source to Intella:

A connection will be established and the token will be validated. If the token validation is successful, basic information about the account will be shown in the wizard.

The following authentication methods are supported: OAuth2 (for cloud instances), Kerberos, NTLM and basic authentication.

Click Next to continue.

In this version, only entire sites can be retrieved. A future version may add retrieval of parts of a site.

Click Next to continue.

The last steps in the definition of a source type are almost the same for all types. They are described in the section [last-steps-in-a-source-definition] .

The Microsoft 365 source types allows for retrieving both user account and user groups. For each user account, used to access Microsoft 365, the source can retrieve data from Outlook, OneDrive and SharePoint. For each user group, the source retrieves titled conversations containing emails.

Before a source can be added, the Microsoft 365 account must be properly configured. This process is described in detail in the following Knowledge Base Article: Collecting data from a Microsoft 365 or a SharePoint Source.

Once the credentials are established, follow these steps to add a Microsoft 365 source to Intella:

A connection will be established and the credentials will be validated. If credentials validation is successful, basic information about the account such as the tenant name and location will be shown beneath the configuration fields.

Note the Help button at the top of the screen. Clicking it will display the steps required to create the client ID.

Click Next to continue.

Selective indexing of part of the account data is not possible at this moment.

Click Next to continue.

The last steps in the definition of a source type are almost the same for all types. They are described in the section [last-steps-in-a-source-definition] .

The iCloud source type is used for indexing the contents of an iCloud account, such as emails, photos and notes.

Prior to defining an iCloud source, the investigator must obtain the Apple ID and password used by the account owner. When the account has been configured to use two-factor authentication (2FA), iCloud additionally sends a verification token. The verification token is sent only if a valid phone number is set for the Apple ID. Hence, the investigator needs to have access to one of the physical device (an iPhone or an iPad) associated with the account, including the passcode to unlock the device.

Intella supports the retrieval of the following data from an iCloud account:

Follow these steps to add an iCloud source to Intella:

When this account requires two-factor authentication, Intella will extend the form with an option to choose the verification delivery method: SMS or Idmsa.

Both methods are equally capable of providing access to the account’s data. When the account is linked to an iPhone and/or iPad, the Idmsa method is recommended. When the account is linked to a non-Apple device (e.g. a cellphone or tablet from a different vendor), SMS is the only way to obtain the verification code. Even when using an Apple device, SMS can be selected as the preferred method for delivering the verification code. In that case, the registered device may receive multiple notifications from Apple’s identify management service (IDMSA). Such notifications should then be ignored and the code from the SMS message should be used.

Choose the desired delivery method and click Get Verification Code. A six-digit verification code will be either sent as an SMS or show up as a native iOS notification on the Apple device. The controls for choosing the delivery method will be replaced by a Verification Code field. Enter the received verification code in this field. Click Connect to iCloud.

When the credentials and the verification code are all valid, Intella will list some account info such as the Full Name of the account owner. Click Next to continue.

The last steps in the definition of a source are almost the same for all types. They are described in the section [last-steps-in-a-source-definition] .

When Intella establishes a connection to iCloud using the account credentials, it will obtain a trust token. This token allows Intella to connect to iCloud at a later point in time without requiring the user to re-enter the credentials and perform any two-factor authentication steps. The trust token has a limited validity period. iCloud sources can be indexed and re-indexed during the validity period of the token. Once the token has expired, the source must be re-created; there is no way to refresh the token of an existing source.

An AWS S3 source reconstructs the entire folder tree in the selected S3 buckets and downloads current and past revisions of the files.

All revisions except for the last one have their file names decorated with the revision identifier. Furthermore, additional S3-specific metadata is retrieved for both files and folders. These are displayed in the Previewer’s Raw Data tab and are subject to full-text indexing.

Prior to defining the source, the investigator needs to obtain an access key for the account. This process is described in detail in the following Knowledge Base Article: Creating AWS access keys.

Next, follow these steps to add an S3 source to Intella:

The last steps in the definition of a source type are almost the same for all types. They are described in the section [last-steps-in-a-source-definition].

The sheets described in the following sections are the same for all source types.

The following file formats can be decrypted by Intella when the credentials are specified before indexing:

Furthermore, password-protected PST files can be automatically decrypted without specifying any passwords.

To let Intella automatically decrypt the encrypted items that it encounters, their keys (passwords, certificates, etc.) need to be added to the Key Store first. Click File > Key Store and follow the instructions below. Afterwards you can (re)index your data and let the items be decrypted automatically.

All credentials that you enter will be tried on all encrypted files to which they can apply. It is therefore not necessary to specify e.g. which password applies to which file or file type.

After indexing you can see which items were successfully decrypted by using the "Decrypted" category in the Features facet or by using the "Decrypted" column in the Details table. Note: due to technical reasons, decrypted NSF files will not be marked as such.

Password-protected files
Passwords are the simplest type of key. They are used for decrypting PDF and MS Office documents and archives.

You can either add passwords one by one, or load them in batch from a text file: specify a password per line and use UTF-8 encoding for the file.

HCL/IBM Notes NSF files
To decrypt HCL/IBM Notes NSF files, so-called ID files need to be added to the key store. Go to the "HCL/IBM Notes ID Files" tab and click "Add…​". Enter the location of an ID file and the password associated with the file. Click OK to add it to the store. Intella will validate the ID file to make sure you entered the password correct. Repeat this for all ID files.

Intella will also try to decrypt encrypted messages in non-encrypted NSF files using the provided ID files.

S/MIME-encrypted emails
To decrypt emails with S/MIME encryption, one or more X.509 certificates and private keys need to be added. Go to the "X.509 Certificates" tab and click Import, then select a PKCS12 archive file (*.p12 or *.pfx file) that contains the keys. Intella will analyze the key file and import all found certificates and keys.

Usually you can export the certificates and keys from a mail client in this format. Do not forget to include private keys as they are critical for decrypting the emails.

PGP-encrypted emails
To index PGP-encrypted emails you will need to import the PGP private keys. Go to the "PGP Keys" tab and click Import. Intella can import ASCII armored PGP private keys (*.asc files), but it is also possible to import key in binary format.

An ASCII armored PGP private key usually starts with the following text:

Importing multiple .p12 files
At the moment it is not possible to enter multiple .p12 files in a single action, they need to be entered one by one. We have put this feature request on our roadmap for future development.

Please note that .p12 files can contain multiple certificates. Therefore, if your environment is able to export multiple certificates into a single .p12 file, or you can find a third party tool that merges them, you can effectively import multiple certificates at once.

Furthermore, note that you can copy the keystore files to another case. That way you can reuse the entered credentials if they apply to other cases/evidence sets as well.

Encrypted volumes in disk images
To decrypt BitLocker and APFS volumes in disk images, a correct password, recovery key, or recovery file needs to be added. Passwords can be added via the "Passwords" tab. "BitLocker Recovery Keys" and "BitLocker Recovery File" tabs should be used to add BitLocker-specific credentials.

Note that BitLocker images protected with other methods, such as a Smart Card or TPM, are not supported.

Intella allows for the definition of "tasks". These are essentially compound processing steps such as searching for all items that match a certain keyword or keyword list and tag or export the results. These tasks can be defined and selected during source creation, which will run these tasks right after indexing. The tasks editor can also be reached by selecting Tasks from the File menu, which allows for defining and running the tasks at any point in time after index creation.

Each task consists of conditions, post-conditions, and actions. A task must have at least one condition and one action.

A condition (Step 1 in the task dialog) defines a search query that select items from the case. Currently the following conditions can be defined:

A task may combine any number of conditions. The match option controls if the items should match all specified criteria or at least one of them, i.e. a Boolean AND or OR of the specified conditions.

An optional list of post-conditions (Step 2) specify how to transform the item set retrieved in the previous step. Possible post-condition steps are:

It is possible to define multiple post-conditions for a single task. The first post-condition is applied on the set of items resulting from the conditions in Step 1. Subsequent post-conditions are applied on the outcome of the preceding post-condition.

Finally, task actions (Step 3) define the operations that will be applied to the items resulting from the previous steps. The following actions can be defined:

Every task may define multiple actions that will be applied sequentially to the determined item set.

Tasks can be exported to a file so that they can be reused in other cases. These files are self-contained, i.e. when the task involves MD5 hash lists or keyword lists, these lists are embedded in the task file.

Tasks are executed in the order they have in the task list. This makes it possible to "pipeline" tasks, e.g. use one task to assign specific tags to a subset of the items and use a subsequent task that is based on those tags. The order can be changed by selecting a task and using the "Move Up" and "Move Down" buttons.

The Custodian attribute can be assigned to items after indexing. This can be used to represent the custodian of the evidence items. To enable automated assigning of multiple custodians in a folder source (10.2.1), the root folder should organize the evidence in subfolders, one subfolder for every custodian.

If the evidence folder is structured in this way, the "Indexing Tasks" sheet in the Source Wizard will contain a "Configure custodians…​" button that opens the below dialog:

By default, the custodian names are set to equal the subfolder names. It is possible to alter the used custodian names by double-clicking the values in the table. This Custodian value will be assigned to all items obtained from the evidence files within the respective subfolder.

For other types of sources, the "Indexing Tasks" tab contains a text field for setting a single custodian name.

Besides the above method, the Custodian attributes can also be set or changed using the "Set Custodian" indexing task with an arbitrary condition, or edited manually in the Details…​ right-click menu.

OCRing, or applying Optical Character Recognition techniques, is a common way to make the text inside bitmap images responsive to keyword searches. Intella’s OCR support is documented in the next chapter.

Cases that rely heavily on viewing collections of images in the Thumbnail view will benefit from pre-creating the thumbnail images in advance.

Especially when dealing with digital camera images that each are multiple megabytes in size, the time needed to generate the thumbnail image can make the Thumbnails view appear sluggish. When the thumbnails have been pre-generated, the time needed to populate the view will be a lot faster and it will be constant regarding the number of visible images, i.e. the file size of the original image is no longer a factor.

To pre-generate the thumbnail images, select the "Generate Thumbnails…​" option from the File menu. The thumbnail generation process will start immediately and show its progress in the main window.

The thumbnail generation process can be cancelled at any point. The thumbnail images that have been generated will be kept. When the user starts the process once more at a later point in time, it will reuse the existing thumbnails and only create the missing thumbnails.

An overlay file is a file that contains additional information about the current items in a case. By importing the overlay file, the metadata of these items can be extended.

Intella currently only supports the importing of tags, tag columns, comments, and metadata columns (both regular and custom). Importing overlay images, texts, and natives may be added in a future release.

The following file formats are supported for overlay files:

To import an overlay file, select File > Import Load File…​ in the main menu. Next, set the Import operation to Overlay and specify the location of the file. You can optionally use a previously saved template.

On the "Configure Delimiters" page you can set the file encoding, delimiter settings and date formats. Please see the "Adding a load file source" section for a description of these options.

On the "Map Fields" page you need to specify the identifier field and type. This is how Intella will match items in the overlay file with the existing items in the case. There are four options for matching items:

The "Also overlay metadata shared with duplicates" option is used to control whether the imported metadata will be applied to all duplicates as well (see the limitations below for this setting).

Current limitations of the overlay functionality are:

Please see the "Adding a load file source" section for a description of the remaining options on this page.

The Content Analysis facet allows you to search items based on specific types of entities that have been found in the textual content of these items. Three of the categories in this facet are populated automatically during indexing and are available immediately afterwards. These are:

The other categories are more computationally expensive to calculate and therefore require an explicitly triggered post-processing step. These categories are:

To start the content analysis procedure, select one or more items in the Details view and select "Content Analysis…​" in the context menu. This will open a dialog like the one below:

Select the desired entity categories in the list by clicking the checkboxes. Click the "Select text fields" button to specify which item fields should be analysed, e.g. the header, title, and summary fields. By default, only the document text is analysed.

Check the "Replace existing facet values" option selected if you want to clear the results of the previous analysis or keep it unselected to add new results to the existing content of the selected categories.

Select the "Ignore excluded paragraphs" option if you don’t want the content of excluded paragraphs to be processed by the content analyzer.

Click the Run button to start the analysis. The results of the analysis will appear in the Content Analysis facet.

The content analysis procedure will open a separate window showing the progress of the procedure. The procedure can be stopped at any time by clicking on the Cancel button. In this case, the categories will contain information from the items processed up to the moment of cancellation. You can continue the processing later by repeating the steps above on the same set of items and choose not to clear the existing results (unselect the "Replace existing facet values" option).

The items that have been analysed can be found by using the "Content Analysed" category in the Features facet.

Content analysis also supports doing a test run, without storing the results in the facet database. To use this mode, click the Preview button. After the analysis has completed, the Content Analysis Preview window will appear where the extracted entities and associated items can be reviewed. This mode can be especially useful for testing and refinement of the custom regular expression-based categories (see below).

There are some important caveats and disclaimers concerning Content Analysis:

When opting for an upgrade, the new Content Analysis results will not be available in older Intella versions. If this is not what you want, you can click the "Continue…​" button to skip the upgrade. In this case, backward compatibility with older versions will be preserved, but Content Analysis results cannot be shown as columns in the Details table.

To start the image analysis procedure, select one or more items in the Details view and select Process > Image Analysis in the context menu. This will open a dialog like the one below:

Select the desired categories of entities in the list by clicking the checkboxes.

Check the "Replace existing facet values" option selected if you want to clear the results of the previous analysis or keep it unselected to add new results to the existing content of the selected categories.

Click the Run button to start the analysis. The results of the analysis will appear in the Image Analysis facet.

The content analysis procedure will open a separate window showing the progress of the procedure. The procedure can be stopped at any time by clicking on the Cancel button. In this case, the categories will contain information from the items processed up to the moment of cancellation. You can continue the processing later by repeating the steps above on the same set of items and choose not to clear the existing results (unselect the "Replace existing facet values" option).

The items that have been analysed can be found by using the “Images Analysed” category in the Features facet.

There are some important caveats and disclaimers concerning Image Analysis:

The linear review of emails is often a time-consuming and expensive task to perform. One factor is that emails may quote the text of previous emails in the thread, resulting in a lot of redundant text. Take for example these three emails:

Marked in red is the redundant text. The text of the first two emails is quoted in full in the last email. When a reviewer reads the last email, he or she has read everything there is to read in this thread. The reality is often more complex, e.g. because people respond to the same root email, remove part of the quoted text, forward it to new recipients, or even alter the quoted text to cover up certain facts. Therefore, it is not always as simple as reading the last email in the thread.

Intella helps with this type of review through the process of email threading. First, it identities the emails that belong to the same thread. Within each thread, it links the replies and forwards to their parent emails, constructing a graph of how the conversation unfolded. All duplicates of a mail will be represented by the same node in this graph. Next, it compares the emails within the thread and determines the set of "inclusive" and "non-inclusive" emails. By default, a mail will be marked as inclusive. When Intella detects that one of the follow-ups of a mail (a reply or a forward) contains all its text and attachments, it will be marked as non-inclusive, as reading the latter email implies having read the first as well. Reading all the inclusive emails and their attachments in a thread implies having read everything there is to read in the thread. This can greatly reduce the time needed to review a large collection of emails.

Besides separating inclusive from non-inclusive emails, email threading enables several other functionalities:

Each email item that was processed by the Email Threading analysis is assigned the following properties:

Furthermore, the algorithm establishes for each follow-up email if it is a Reply, Reply All, or Forward. This status is derived from the sender and receiver information, rather than from e.g. the Subject line. A loose but conceptually practical definition is:

As email threading is a computationally expensive algorithm, it requires an explicitly triggered post-processing step. To start the Email Threading procedure, select one or more items in the Details view and select Process > Email Threading…​ in the right-click menu. This will open the dialog shown below:

Select "Discard existing email threading data" if you want to clear the Email Thread facet and all the data generated as part of previous runs of Email Threading procedure.

Select "Analyze headers embedded in email body" if you want the algorithm to take the headers embedded in the email body into account. Such headers are typically placed above the quoted text, referencing the original author and time of the quoted text and sometimes other metadata. This can be used to link emails together when the SMTP or mail container-specific metadata is missing or incomplete. This option may produce better results but is computationally expensive. When speed is not of the essence, we recommend turning this feature on.

Click the "Run" button to start the email threading process.

Once the process is done, the Email Thread facet will be populated and the email items that were part of the threading analysis will be augmented with the threading-related information.

Besides processing the selected items, Intella will automatically process all duplicate items and parent items as well.

A technique to reduce the reviewing time is Near-duplicates Analysis. It splits a selected set of items into groups based on the similarity of their text content. Every group is centered around a "master item" which is the most common near-duplicate for other items in the group (usually, an item with the largest text size). Other items are included in the group if they are determined to have an appropriately high similarity score to the master item. The similarity score is based on an amount of co-occurrent text fragments and is a number between 0.0 and 1.0. The master item and its exact duplicates are assigned a score of 1.0. The rest of the group items have scores between 1.0 and a threshold value specified by the user before the analysis.

To start the Near-duplicates Analysis process, select multiple items in the Details view and select "Process > Near-Duplicate Detection" in the right-click menu. In the dialog window, move the "Similarity threshold" slider to set the desired minimum similarity score for items to be included in near-duplicate groups. Select the "Ignore excluded paragraph" option if you don’t want the content of excluded paragraphs to be considered by the similarity calculation algorithm.

The dialog window allows the user to select a text analysis method. We recommend choosing the "Word-based" option for documents written in languages in which the representation of meanings is contained in words. The “Character-based” option is intended for languages in which the semantic representation is represented by morphemes (Chinese, Japanese, Vietnamese, Korean). Typically, these are languages in which the use of white space characters is optional. Choosing the appropriate algorithm for a data set will improve the quality of the analysis results.

After the analysis is complete, a window with basic information about the results (such as number of groups or average similarity) will appear. This data can be exported to a .pdf or .docx report file by clicking on the "Generate report" button.

Upon completion, near-duplicate groups are available for search in the "Near-duplicates" facet (see the "Near-duplicates" section for details). Additionally, "Near-Duplicate Group", "Near-Duplicate Master Item" and "Near-Duplicate Score" columns can be made visible in the Details table to show the group names, master item IDs and similarity scores of items included in near-duplicate groups.

To query for Near-Duplicates of specific items that are subject to Near-duplicates Analysis, select the item in the Details view , right-click, and choose "Show Near-Duplicates". This option will be enabled only when the selected item has at least one Near-Duplicate.

The total set of analyzed items and items included in near-duplicate groups can be retrieved via the "Analyzed for Near-Duplicates" and "Has Near-Duplicates" nodes in the Features facet.

The "Generate Custom IDs" task lets one assign each item a unique custom ID that takes the item families into account. Such IDs are often used in load file exports. It can also help with identifying an item’s position or role in its family.

Items are processed in hierarchical order, starting from the roots and exploring as far as possible along each branch before backtracking (i.e. a depth-first search). Sibling items, i.e. items that are on the same level in the hierarchy, are processed in the order defined by the Sort Order setting. If the selected items do not contain complete families, this task will add the remaining items automatically.

Click the Configure button on the task action panel to configure the numbering settings:

Generated Custom IDs can be used in load file exports and can be imported from a load file. Custom IDs do not change when the case is re-indexed, provided that the case is re-indexed using the same Intella version.

The "Generate duplicate custodians and locations" task generates values for the following duplicates-related columns:

Intella will process the following registry hives:

Keyword searches work in a case-insensitive manner: during indexing all characters are lowercased, as are the characters in a keyword query.

This means that the query “john” will match with “john”, “John” and “JOHN”.

By default, a query containing multiple terms matches with items that contain all terms anywhere in the item. For example, searching for:

returns all items that contain both “john” and “johnson.” There is no need to add an AND (or “&&”) as searches are performed as such already, however doing so will not negatively affect your search.

If you want to find items containing at least one term but not necessarily both, use one of the following queries:

The NOT operator excludes items that contain the term after NOT:

Both queries return items that contain the word “john” and not the word “johnson.”

This returns all items with “john” in it, excluding items that contain the phrase “john goes home.”

The NOT operator cannot be used with a single term. For example, the following queries will return no results:

To perform a single character wildcard search you can use the “?” symbol. To perform a multiple character wildcard search you can use the “*” symbol.

To search for “next” or “nest,” use:

To search for “text”, “texts” or “texting” use:

The “?” wildcard matches with exactly one character. The “*” wildcard matches zero or more characters.

To search for a certain phrase (a list of words appearing right after each other and in that order), enter the phrase within full quotes in the search field:

will match with the text “John goes home after work” but will not match the text “John goes back home after work.”

Phrase searches also support the use of nested wildcards, e.g.

will match both “John goes home” and “Johnny goes home”.

Intella supports finding items based on words or phrases that are within a specified maximum distance from each other in the items text. This is a generalization of a phrase search.

To do a proximity search you place a tilde (“~”) symbol at the end of a phrase, followed by the maximum word distance:

returns items with these two words in it at a maximum of 10 words distance.

It is possible to mix individual words, wildcards and phrases in proximity queries. The phrases must be enclosed in single quotes (' ') in this case:

Nested proximity searches are also possible:

You can use parentheses to control how your Boolean queries are evaluated:

retrieves all items that contain “desktop” and/or “server,” as well as the term “application.”

Intella supports fuzzy queries, i.e., queries that roughly match the entered terms. For a fuzzy search, you use the tilde (“~”) symbol at the end of a single term:

returns items containing terms like “foam,” “roams,” “room,” etc.

The required similarity can be controlled with an optional numeric parameter. The value is between 0 and 1, with a value closer to 1 resulting in only terms with a higher similarity matching the specified term. The parameter is specified like this:

The default value of this parameter is 0.5.

Intella’s Keyword Search searches in document texts, titles, paths, etc. By default, all these types of text are searched through. You can override this globally by deselecting some of the fields in the Options, or for an individual search by entering the field name in your search.

returns all items that contain the word “intella” in their title.

The following field names are available:

The summary field can contain a lot of metadata fields:

You can mix the use of various fields in a single query:

searches for all items containing the word “intella” (in one of the fields selected in the Options) that have “john” in their author metadata or email senders and receivers.

Keyword queries can also be expressed using regular expressions. Be aware that these regular expressions are evaluated on the terms index, not on the entire document text as a single string of characters. Your search expressions should therefore take the tokenization of the text into account.

To search for a regular expression, put it between "/" slash characters:

The result will match tokens like “next”, “text”, “texts”, “texting” and so on.

Please visit http://lucene.apache.org/core/5_2_1/queryparser/org/apache/lucene/queryparser/classic/package-summary.html#Regexp_Searches for more information on the regular expression syntax.

For regular expressions evaluated on the raw document text, see the section on the Content Analysis facet.

Tokenization underlies the keyword search functionality in Intella. It is the process of dividing texts into primitive searchable fragments, known as "tokens" or "terms". Each token makes a separate entry in the text index, pointing to all items containing this token. Keyword search works by finding matches between the tokens in the user’s query and in the index. Therefore, for effective keyword search, it is vital to have a basic understanding of how tokenization works in Intella.

Tokenization employs different algorithms, but in the most common case it is simply splitting the text around specific characters known as "token delimiters". These delimiters include spaces, punctuation symbols, and other non-alphabetic characters, to produce tokens close to the natural language words.

A side effect of this method is that it is impossible to search for words together with the token delimiters. If these characters are met in the user query, they play their delimiting role, thus being handled the same as simple spaces. This is rarely a problem, although it should be taken into account when doing a keyword search.

There is no specific support for the handling of diacritics. E.g., characters like é and ç will be indexed and displayed, but these characters will not match with 'a' and 'c' in full-text queries. A workaround can be to replace such characters with the '?' wildcard.

The following characters have special meaning in the query syntax and may cause an error message if not used in accordance to the syntax rules:

To prevent the syntax errors, these characters need to be escaped by the preceding \ character. Please note that if the character is classified as a token delimiter, then escaping it in the query will not make it searchable.

The Saved Searches is a list of previous sets of searches that the user has stored.

When there are search results displayed in the Cluster Map and the Searches list, the Save button beneath the Searches list will be enabled. When the user clicks this button, a dialog opens that lets the user enter a name for the saved search. A default name will be suggested based on the current searches. After clicking on the OK button, the chosen name will appear in the list in the Saved Searches facet.

Click on the name of the saved search and then on the Restore button to bring the Cluster Map and the Searches list back into the state it had when the Save option was used.

The “Replace current results” checkbox controls what happens with the currently displayed searches when you restore a saved search. When turned on, the Cluster Map and Searches list will be emptied first. When turned off, the contents of the saved search will be appended to them.

The “Combine queries” checkbox can be used to combine the result sets of all parts of the saved search into a single result set. This is for example useful when the various parts conceptually are meant to find the same set of items, just in a technically different way. Example are different complex Boolean queries, which could have been combined into a single Boolean OR query but that the user prefers to keep separate in the saved search definition.

Saved searches can be shared across cases. To transfer a saved search, right-click on the saved search in the list and select “Export search…”. The search is then exported as an XML file can then be imported into any other case by right-clicking in this list and selecting “Import searches…”.

Saved searches are grouped by the user who made them. Depending on the Intella version used to create the case, a “Default searches” branch may also be present with pre-defined saved searches.

The Features facet allows you to identify items that fall in certain special purpose categories:

To export the categories and their counts to a CSV file, right-click anywhere in the facet’s values area and select “Export values…”.

Tags are labels defined by the user to group individual items. Typically used tags in an example are for example “relevant”, “not relevant” and “legally privileged”.

Tags are added to items by right-clicking in the Results table or the Cluster Map and choosing the Tags > Add Tags… option. Tags can also be added in the Previewer. The exact procedure is described in other sections of this manual.

To search for all items with a certain tag, select the tag from the Tags list and click the Search button below the list.

When tags have been added by different users in the same case, the Tags facet panel will have a drop-down list at the bottom, listing the names of all reviewers that have been active in this case. You can use this list to filter the tags list for taggings made by a selected reviewer only. Select the “all” option to show taggings from all users.

If the same tag has been used by different reviewers, their names and the numbers of tagged items are displayed in the tag statistics line (in the parentheses after the tag name). The list of reviewers can include “You” to indicate taggings made by the current case user. If no reviewer name is mentioned, it means that all taggings with this tag are made by the current user only.

The tags can be organized into a hierarchical system by the creation of sub-tags within an existing (parent) tag group. To create a sub-tag, select an existing tag in the Tags facet and choose “Create new tag inside …​” in the context menu. In the dialog box, enter the name and (optionally) the description of the new tag.

To rename a tag or change the tag description, select the tag in the facet and choose “Edit…​” in the context menu.

To delete a tag, select it in the facet and choose “Delete…​” in the context menu.

To export the tags and their counts to a CSV file, right-click anywhere in the facet’s values area and select “Export values…”.

The Identities facet makes it possible to search for all items related to an identity, as defined in the Identities tab.

When searching for an identity, it queries for all items that have any of the identity’s aliases as sender/receiver/caller/callee/etc. Effectively, it gathers all messages in which the identity is a participant through one of its aliases.

To export the identities and their counts to a CSV file, right-click anywhere in the facet’s values area and select “Export values…”.

Custodians are assigned to items to indicate the owner from whom an evidence item was obtained. The “Custodians” facet lists all custodian names in the current case and allows searching for all items with a certain attribute value.

Custodian name attributes are assigned to items either automatically (see the section on custodian name post-processing) or manually in the Details panel. To assign a custodian to items selected in the Details panel, use the “Set Custodian…” option in the right-click menu. To remove custodian information from selected items, choose the “Clear Custodian…” option.

To change a custodian’s name, select it in the list and choose “Edit custodian name…” in the right-click menu.

To delete a custodian from the case and clear the custodian attribute in all associated items, select the value in the facet panel and choose “Delete” in the right-click menu.

To export the custodians and their counts to a CSV file, right-click anywhere in the facet’s values area and select “Export values…”.

This facet represents the folder structure inside your sources. Select a folder and click Search to find all items in that folder.

When “Search subfolders” is selected, the selected folder, all items in that folder, and all items nested in subfolders will be returned, i.e. all items in that entire sub-tree.

When “Search subfolders” is not selected, only the items nested in that folder will be returned. Items nested in subfolders will not be returned, nor will the selected folder itself be returned.

When your case consists of a single indexed folder, then the Location tree will show a single root representing this folder. Selecting this root node and clicking Search with “Search subfolders” switched on will therefore return all items in your case.

When your case consists of multiple mail files that have been added separately, e.g. by using the PST and NSF source types in the New Source wizard, then each of these files will be represented by a separate top-level node in the Location tree.

To export the subfolders and their counts of a given location node to a CSV file, right-click on that node and select “Export values…”.

This facet represents the names and/or email addresses of persons involved in sending and receiving emails. The names are grouped in the following categories:

The first five categories list email addresses found in the corresponding message headers. Most emails typically only have a From header, not a Sender. The Sender header is often used in the context of mailing lists. When a list server forwards a mail sent to a mailing list to all subscribers of that mailing list, the message send out to the subscribers usually has a From header representing the conceptual sender (the author of the message) and a Sender header representing the list server sending the message to the subscriber on behalf of the author.

The “All Senders”, “All Receivers” and “All Senders and Receivers” categories group addresses into specific sender or recipient roles, abstracting from the specific header that was used.

The “Addresses in Text” category lists email addresses that are mentioned in message and document bodies.

“All Addresses” group together all other categories and thus contains all email addresses found anywhere in either message headers or textual content.

Sorting and grouping
The contacts can be sorted alphabetically by email addresses (the default order), by the contact name associated with them or by the number of items associated with this contact. To change the sorting method, right-click anywhere in the facet and choose the desired sorting method from the “Organize” menu.

The addresses can optionally be grouped by the host name used in the email address. To enable or disable grouping, select the “Group by host name” option in the “Organize” section of the context menu. Enabling this option adds another level of nodes to the tree, representing the host names.

Filtering on text
To quickly find specific email addresses, contact names or host names, it is possible to filter the facet content to only display the values that contain a specific substring. To filter the contacts in a specific category, expand the tree branch and click on the button below the tree. In the text field that appears enter the text. The tree will be filtered to show only those contacts whose contact name or email address matches the entered text.