Intella Investigator Administrator Manual 2.7.2

This section outlines the minimum specs for hardware and software to run Intella Investigator and Intella Node.

Hardware

Software

We do not support our products when installed on an operating system deemed end of life by its manufacturer. For example, these would include platforms such as Windows Vista and Windows Server 2008.

Intella Investigator setup options:

Simple setup (Green dotted line in the diagram)

This setup is relatively easy to complete and helps with getting the platform operational in the least amount of time. A simple setup consists of a single computer for your Intella Investigator and Intella Node systems, and a reviewer system. The Intella Investigator and Intella Node applications are installed on the same system with minimum configuration, and you are then basically up and running ready to create and review cases.

Generally, this is for use within a company where security requirements are not high.

The general idea is that Intella Node accesses case and evidence files over a shared folder when indexing. Intella Investigator also accesses case files over a shared folder when sharing. Simply share the folder (using the SMB protocol) on one of them and use that when indexing or sharing cases.

Intermediate setup (Green plus blue dotted lines in the diagram)

An intermediate setup also includes secure access by implementing SSL, and streamlined account management by implementing LDAP.This type of setup is also generally used internally, but when a higher level of security is required.

It is optional to add NAS/SAN storage and have both the Intella Investigator and Intella Node servers to access the files located on the additional storage when indexing or sharing cases. The protocol used depends on the storage solution. In this case, Intella Investigator and Intella Node will again need to access files over a mounted drive or shared folder.

Advanced setup (Green plus blue and orange dotted lines in the diagram)

The advanced setup includes both the simple and intermediate configurations. It goes a step further to include access for remote users. In this setup, SSO and 2FA are implemented for added security. This type of setup is used when you have internal and external users who require access to shared cases.

Further services can be implemented on the platform to enhance security and ease of use. These services can include the following:

This section makes the following assumptions:

Intella Investigator can be installed on the following operating systems:

Although our products can be installed on a number of Windows Server products such as Server 2012, 2016 and 2019, our products do not require a server operating system, and they run perfectly well on the listed desktop operating systems. For server installations, we only support our applications. We do not provide support for the server itself. Server security settings may need to be configured, and ports may need to be opened, for our products to operate on a server platform. These settings need to be addressed by your IT team to ensure that security of the system is maintained.

Intella Investigator uses an accompanying instance of Intella Node for indexing evidence sources. Those two products together constitute the ecosystem required to easily create and share cases for investigation. Intella Investigator has been designed with simplicity in mind and therefore the default installation procedure will install Intella Node along with Intella Investigator. This is in contrast to our other flagship product, Intella Connect, where we discourage running two products on the same physical server.

If you are striving for a higher scalability, it’s certainly possible to have Intella Investigator and Intella Node running on separate machines. This option may be favourable where the volume and size of cases increases, and you don’t want the server load increased while ingesting data to impact the experience of investigators working on existing cases.

Before starting Intella Investigator/Intella Node for the first time you may want to change the default port it is running on.

Below you will find a table listing default ports for all the Vound server products.

To change default port of Intella Connect or Intella Node please look for user.prefs file located in: %USERPROFILE%\AppData\Roaming\Intella Connect\prefs then open it with a text editor and find ServerPort or NodePort property respectively.

For Intella Investigator you need to edit the file located in the following directory: %USERPROFILE%\AppData\Roaming\Intella Investigator\prefs

For example, if you would like to change the default port for Intella Connect or Intella Investigator to "1234" you should add the following line to the properties file: ServerPort=1234

Similarily, for Intella Node you would add: NodePort=1234

Obviously, two products running on the same physical machine cannot use the same port, and an attempt in doing so would report a port conflict error and prevent one of applications from starting.

How to choose the best port for Intella Investigator/Intella Node:

If you do not wish to use the default port for you may select a port of your own choosing. One option is to use port 80, a common port that is usually open in the firewall for at least outbound connections already. Using port 80 removes the need to add a port to the Case URL when typing it into a web browser as well. Like all ports, port 80 must not be presently occupied. If you wish to choose another port, you can select one from 1…​65535 although it is best to choose a port greater than 1023 as low range ports are registered ports and may be in use already. No matter what port you select, you should confirm whether or not it is in use on the host already.

Intella Investigator uses port 9999 by default. This port must be open on the local firewall in order for the product to work correctly. To configure the local firewall for Server 2008 R2, go to Start – Administrator Tools – Windows Firewall with Advanced Security.

To enable or disable the Windows Local Firewall, click on Windows Firewall Properties.

There are three separate profiles contained within the Windows Firewall. They are:

Select the Profile you want to configure and select On or Off. If the firewall is turned on you may select either Block (default), Block all connections or Allow for Inbound Connections. You may select Allow (default) or Block for Outgoing connections.

Although you can configure the firewall at large, in most situations you probably just want to configure the firewall for the designated port only. To do so, right click either Inbound or Outbound Rules and select "New Rule".

In the New Rule Wizard, select Port.

Select TCP as the Protocol and 9999 as the Port or the port you have chosen as described in Changing the default port.

Select "Allow the connection".

If you wish to designate only designated users to this port, you may select those users in "Authorized Users".

You can also select designated computers as well.

Then select the profile you wish to use.

Finally, name the Rule appropriately.

The Rule will now appear in the list of rules.

To access the Windows Firewall in Server 2012, click on the Server Manager icon in the task bar.

Then select Local Server in the left hand menu.

Then select Windows Firewall and Advanced Security from the Tools menu in the right hand corner.

The procedure to configure the Windows Firewall is identical to that of Server 2008 R2. You can also access the Windows Firewall through Control Panel just like any of the Windows Workstation operating systems.

Depending on the products you have installed, the application folder contains an executable called IntellaConnect.exe, IntellaInvestigator.exe or IntellaNode.exe. This files can be used to launch the application. The desktop and menu shortcuts also start this executable.

Double-click on one of the executables or select Intella Investigator/Intella Node from the Start menu.

If you are receiving this error after starting Intella Investigator/Intella Node for the first time, please look at section Troubleshooting port conflicts.

Based on the product installed proceed with those steps:

Locate the Intella Investigator logo in the system tray and either:

This will open the Intella Investigator Dashboard in your web browser. When requested for a user account, enter admin as username and admin as password. These are the default values. How to change the admin password is explained in the User management section.

It is recommended to go to the Admin Dashboard and select Systems Notifications which will inform you of any critical alerts or potential issues.

Before or after a case has been shared, you can define which users can access it. By default no user can connect to a shared case. To allow users to participate in a review you can click on the Authorizations button. This will open a modal window where you can assign users to various roles.

The purpose of this view is to list the roles defined in the RBAC (Role-Based Access Control) model and indicate which users are assigned what roles in this ase. Roles are emphasised by labels with a bright green color. Underneath each role there is a long input box that lists all the users who are assigned that role in this case. Each user can be associated with zero or more roles.

To learn more about users and roles, please refer to the User management section.

Assigning roles to users is quite straightforward. Click on the input box for a particular role (e.g. "Investigator" ) and start typing the desired user name (e.g. "John"). An autocompletion box will appear with hints about names available among your user accounts.

To remove a role for a given user click on the little x button next to the user name.

Case alias can optionally be changed in order to change the URL on which the case is being shared.

Case can optionally be shared with the Auto-start option enabled. The purpose of this function is to specify which cases should be automatically shared after the Intella Connect server starts. It is a good way of making sure that a certain set of cases is always available for a review, even when Intella Investigator is restarted often.

If the case will fail to start, there should be a trace of this fact left in the Case Logs.

The Intella Investigator main process and its child processes (one for each case that you share) are limited by the amount of RAM that the process can maximally use, despite how much memory is installed in the machine. In some cases this limitation can cause issues when reviewing or exporting the data. These issues can be recognized by errors in the log files containing the text "OutOfMemoryError" or "java heap space".

Setting memory allocation manually might help in this case. To increase these thresholds, select the case in the Case Dashboard and change the “Memory allocation” setting from Auto to Manual and increase the value. The value is in mega bytes.

Note that you can never specify more than half of the available system RAM. This is to make sure that when more then one case is shared, those processes and the OS still have sufficient memory available to them.

The memory setting for the Crawler processes is calculated automatically based on the amount of RAM minus the memory used for the main process, and the number of crawlers that will be used. By default Intella Node calculates the number of crawlers based on the number of CPU cores in the system. However, this number is capped at 4 as assigning more crawlers without other considerations can adversely affect performance.

When the amount of memory per crawler is set automatically by Intella Node, it will be capped at a maximum of 2GB per crawler. Again, this is a setting that usually does not need any changes, but it can be changed manually if required. The job for the Crawler is only to extract and collect information; they don’t index the data right away. The indexing takes place later in the post-processing steps which are done in the Main process.

The user can manually adjust these memory and crawler settings to better suit their hardware specifications and the data which they are processing.

To change the amount of memory allocated to crawler process, select the case in the Case Dashboard and change the Service memory allocation setting from Auto to Manual and set the value in megabytes. Make sure that you do not use larger values than what your machine and OS supports. For processing of EDB files, a minimum of 3 GB will be necessary.

To change the amount of crawler processes, select the case in the Case Dashboard and change the Crawler count setting from Auto to Manual and set the value. The number of crawlers should never exceed the number of CPU cores on your PC. Setting a too high number might result in nonoptimal performance.

By default, Intella Node will cancel processing of an item if takes an extremely long time. It happens when a crawler does not produce any items in more than one hour. This number can be changed via the `Crawler Timeout `setting. It is also possible to disable the timeout mechanism completely by setting the value to 0.

It should be noted that "Software Maintenance And Support Agreement" for Intella Investigator defines a hard limit on the amount of active cases that can be concurrently shared by every Intella Investigator server. The definition of an active case is that it is shared with a reviewer logged in or reviewing that case. Currently that number should be no more than two at any given time.

Intella Investigator does not have any built-in limitations on the amount of cases defined in the system. However, if you share more than 30 cases at a time, then a warning will be shown to administrators, informing them that this is not recommended. That is because each shared case will occupy some hardware resources, which would be best to use elsewhere. In future releases this scenario will be replaced by a different, on-demand sharing mechanism.

Excessive case sharing can lead to a situation where on some occasions more users log in to different cases, thus promoting them to being active. When this happens and the limit of two active cases has been reached, Intella Investigator will start to show warnings to Administrator informing him of this fact. That should be a clear signal to Administrator that some actions need to be taken - either ask reviewers to delay review until other reviewers complete theirs; unshare cases which are not critical; or consider installing another server to offload some cases there. If Intella Investigator decides that it needs to take an action to reduce the number of active cases, it may temporarily disable the review of some case, informing users about this fact. All types of warnings are presented below.

Admin notification when the limit has been reached:

Reviewer notification when review has been temporarily disabled due to the limit being reached:

Let’s explain this in more details on a typical, real-life example: Let’s say that one company has created around twenty five cases in Intella Investigator. Fifteen have already been completed, so they do not require instant access - administrator decided not to share them. The remaining ten must be available for on-demand access so they have been shared. This means that we have 10 shared cases, but none of them are active yet. When the first reviewer signs in to a shared case, then the case becomes active (1 of 4). Next three other cases can also be activated. Once you have four active cases, activating any other case will cause Intella Investigator to start issuing warnings visible to administrator. At this point administrator contacts the reviewer and determines that review will end shortly. After some time has passed after user logged out, the case was deactivated and the limit went down to acceptable level (four active cases). However, if during that time more cases would get activated, then Intella Investigator could block the review for one of active cases (see screenshot above).

Once you have installed Intella Investigator or Intella Node as a service on your system, it will run as a service in the background. However, given how running applications as a service works, there is nothing on the screen to show or indicate that the service is actually running.

To check whether the Intella Investigator/Intella Node service is running, you can look at the status of the IntellaInvestigatorService , or the IntellaNodeService (for Intella Node), in the Services tab of the Windows Task Manager. The Status should show the service as Running.

A Intella Investigator shortcut icon is placed on the desktop once the installation process is complete. This shortcut is different from shortcut placed on desktop when installing Intella Investigator as a standalone program. If you have installed Intella Investigator as a service, then this shortcut will run Intella Investigator Service Utility which helps to troubleshoot the Intella Investigator installation.

The Intella Investigator Service Utility needs to be run as an administrator. It will run the following commands:

Note that trying to run the IntellaInvestigator.exe executable file when Intella Investigator is running as a service will result in following error:

In this example the error is saying that Intella Investigator is already running as a service. Note that only one instance of Intella Investigator can be run at a time on a single system.

To verify that your installation has completed properly, you should make sure that Intella Investigator/Intella Node are being started by the correct account. More information regarding the Intella Investigator/Intella Node service can be seen in the Windows Services panel (e.g. go to Administrative tools/Services). In this example you can see that the Status for the Intella Investigator Service shows that the service as running and it also shows which account was used to start the service. Note that the Intella Node service would show ‘Intella Node Service’ under the Name column. As mentioned, you should verify that this is the dedicated service account which you have setup to start Intella Node or Intella Node as a service.

If the user account shown in the ‘Log On As’ column of Windows Services is not the service account that you want to use, then it is likely that the service account was not setup properly during the installation process. For example, if you specified the wrong account (or password to the account) during the install process, this will be detected and you will see the following message.

Note that the installation process does allow you to continue with the installation if the account cannot be found, or the account details are not correct. If you choose to continue then the Local system account will be used, and Intella Investigator or Intella Node will not be able to be started as a service.

If this has occurred, you can fix the issue by assigning the correct account for the service. You can do this by:

If you have the correct account credentials, but running Intella Investigator/Intella Node as a service still does not work, it may be that there was an issue during the installation of the Intella Investigator/Intella Node instance, and it was not installed as a Windows service properly. When you install Intella Investigator/Intella Node to run as a service, the description field in the Windows Services should be populated as shown below.

If the description field is blank, this may indicate corrupted installation. In such case we recommend that you reinstall Intella Investigator/Intella Node on the system. Note that you do not have to remove the old installation. You can simply install the product into a different folder. Please ensure that the Windows account you select has full administrator permissions and access to the system.

Prior to Intella Investigator version 2.7, in some cases it was necessary to add service dependency to Sentinel LDK License Manager in order for Intella Investigator to be able to get license when Windows start up.

The command to do that was:

sc config <service name> depend= Tcpip/Afd/hasplms

Where <service name> is IntellaConnectService in case of Intella Connect, IntellaInvestigatorService in case of Intella Investigator and IntellaNodeService in case of Intella Node.

From version 2.7, it is not needed to add this dependency to the service, because it will be done automatically when the service is installed.

When the client and server are within the same subnet, no network setup is usually necessary. The drivers on both machines will usually find each other automatically and the client will be able to use the licenses on the network dongle.

For example, in the following setup:

the drivers will be able to communicate directly, if port 1947 is not blocked.

When the application is not able to use the network dongle’s licenses, please follow the steps below for setting up usage with different subnets. This may resolve the issue.

Given the following setup:

the drivers will require some configuration for the client and the server to be able to find each other.

Step 1: Make sure that port 1947 (used by the drivers) is not blocked by any firewall. The drivers use this port to communicate with each other and with the application. Both TCP and UDP communication need to be enabled.

Step 2: Ensure that the server and client machines can "ping" each other.

Step 3: Plug the network dongle into the server. Make sure that the key is detected when viewing the Admin Control Center on http://localhost:1947 on the server, like this:

Depending on the exact network dongle type, the value in the Key Type column can vary. E.g., HASP HL Net 10, HASP HL Net 50 or Sentinel HL Net 50.

Step 4: On the server, do the following:

Step 5a: When client and server are on the same subnet, then on the client:

Step 5b: When client and server are on different subnets, then on the client:

Step 6: On the client:

You should now be able to start the application on the client, using a license from the network dongle.

Creating a new case in Intella Investigator is straightforward.

After pressing Create case button located at the top of the cases list the Create case dialog will be shown.

Please populate the form with case name, case description (optional) and desired path to the case folder.

You can paste the case location from clipboard or click on the browse button to open a file system browser which allows for manual selection of case folder. If case folder cannot be used (ex. due to lack of file system permissions), detailed validation warnings will be presented. An empty folder is expected when creating a new case, which can be created by clicking on New folder button, if it was not created beforehand.

Optionally, you can specify the case template which will be used to initialize the case.

By expanding Advanced panel you can get access to additional configuration options. Setting the optimization folder can be used to speed up indexing by distributing certain database files during indexing across the case folder drive and the optimization folder drive.

After you’ve entered all data, press Create button. You will be presented with Sources page of a newly created case where you will be able to add and index newly added sources.

Click Create compound case button. In the Create a new compound case modal window, specify case name, optional description and case folder, as described for a local case above.

In Include cases list, choose one or more local cases to be included in the compound case.

For more information about compound cases, see Compound cases

If you have existing case on the disk which is accessible to Intella Investigator, then you can manually import it to the available cases list. This action is available in the Existing case panel located in Cases / Import sub-view.

Please provide an absolute path to the case folder (parent folder of a case.xml file). It’s the best to copy and paste it directly from Windows Explorer window. You can also browse the file system to select the case folder manually. The server will then analyze provided path and if the case is found in that location, it will render basic details about the case. This is presented on the image below. If provided path is invalid, then appropriate message will be shown.

After you click on the Add case button, it will be added to the cases list.

Intella Investigator can also be configured to add cases automatically. For more information see General settings section.

Regular versions of Intella (ex. Intella Professional) offer an option of exporting an entire case into a single archive file called Intella Case File (using .icf file extension). Such case archives can later be imported in Intella Investigator.

This action is available in the `Intella Case File (*.icf) ` panel located in Cases / Import sub-view.

In the first field please provide an absolute path to the Intella Case File. You can also browse the file system to select that file manually. In the second field you need to provide the location of where the case files should be extracted. Using the last checkbox (selected by default) allows you to automatically add a case to the cases list after it has been successfully imported from ICF.

After you click on the Start import button, the extraction process will start and you will be able to track its progress in the panel on the right hand side.

Click on the Delete case button located at the bottom of the selected case details panel. In the modal window, leave the checkbox empty if the case should only be removed from cases list. Check the checkbox if the case should be removed from cases list as well as from disk.

If the case was a part of a compound case, it would also be removed from the compound case.

To convert a Compound Case to a newer version, follow this procedure:

After you create a new case you will be presented with a screen which allows to manage evidence sources. You can also always navigate to this view by clicking on Sources button in the case details panel.

Using this view it’s possible to:

To learn more about sources management please refer to the Sources management section.

A case template is a collection of configuration settings, preferences and case metadata that can be exported from an existing Intella case and re-used for the creation of other cases. Case templates allow for initializing new cases quickly with predefined sets of tags, keyword lists, tasks, column settings, etc.

You can manage case templates in a dedicated view accessible under Cases / Templates. It allows for:

Creating a case template

To create a new template click on the Create button. This opens a modal window where you can specify for which case you want to create template, as well as the path and name of the Intella Case Template file. Please note that you can only select cases which are not currently shared. If you want to create a case for currently shared case, please unshare it first. This modal also allows you to choose components to include in the template. This is illustrated below:

The available template components are:

Press the Create template button to create the template and add it to list of available case templates.

Using a case template

To apply a template when creating a new case select it in the Case template dropdown in the Create case dialog.

Importing a case template from file

Press the Import button to open the Import existing case template modal window. Provide a name of the template and select the Intella Case Template file from local file system. After pressing Import button, the file will be uploaded to server and this template will be added to the list of available templates.

Deleting a case template

To delete existing case template first select it in the dropdown of available templates. Then press Delete button. The following dialog will ask you for confirmation if you want to proceed with deletion, as this action cannot be undone.

Browsing contents of a case template

To see what case template contains, simply select it from the dropdown list. This will automatically populate the view with components included in this template.

You can merge two cases in a dedicated view accessible under Cases / Merge, as illustrated below:

Items in a case can be exported to another case. We refer to these as the source case and target case, respectively. This functionality supports several use cases:

When items are exported to another case, Intella Investigator will add the related sources to the target case, and the items will be added to those new sources. However, when the target case is a copy of the source case, or if items from the source case were exported to the target case before, then the target case can already contain these sources. In such cases Intella Investigator will add the exported items to the existing sources. Any items that already exist in the target case will not be added again. Subject to the selected export options, the associated data like tags and comments will be copied though.

Exporting items to a case will increase the registered case size of the target case. Intella Investigator calculates the increase based on the size of the selected items and their (recursive) parent items, as far as these contributed to the case size of the source case. For example, exporting a set of email items from a PST file that was stored in a crawled file system folder will increase the size of the target case with the size of that PST file. When the to-be-exported items were indexed with Intella 2.1.1 or older, the required information is not available though, and Intella will add the full size of the source case to the target case instead.

You can export either a subset or all items from a selected case. To export a subset of items to another case, use the following procedure (if you want to export all items skip to next list of steps):

This view allows scheduling a new case merging operation. In order to do this:

Case Merging Options

This modal window allows you to specify which information should be included in the export, along with the item content:

Locking and closing cases

During case merging Intella Investigator will open and lock both Source and Target cases. Once the operation finishes (either with success or error) both cases will be closed and the Target will get unlocked. However, the Source case will still be locked. In order to unlock it you need to click on the Finish case merging in the case details panel.

Item stubs

When exporting items to an Intella Investigator case, Intella Node will export only the items that are in the current selection. If you want to export emails with their attachments, you must include the emails and all their attachments in the selection for exporting.

This functionality therefore allows for specific items to be excluded. E.g., if an email has an attachment and that attachment is privileged (should not be included in the export), the email can be exported without the attachment by simply exporting only the email itself. Note that the binary file associated with that email will still contain the attachment in binary form though! This is therefore not a secure way of filtering out all privileged information.

When items are exported without their parents, their parents will still be represented in the target case by item stubs. These stubs are necessary to show the context of the exported item. An item stub contains a minimal set of metadata of the original parent item, such as its name, location and type.

Intella Investigator will record the start and end of the export process in the event logs of both the source case and the target case. Besides the user and timestamp, these events record:

Tracking case merging progress

Once case merging operation starts you will be able to track its progress in the details panel on the right. This panel, once expanded by clicking on the arrow icon, will show detailed progress of each step of case merging operation.

Memory allocation

Use case memory settings to increase the memory allocation value in the source case in order to avoid out of memory errors. For more information, see Memory settings and Crawlers section. If you are merging items from Case A to Case B, then you need to increase the memory of Case A.

Only local cases can be included in a compound case; remote cases shared by Intella Connect or Intella Investigator are not available for inclusion in a compound case.

Evidence data sources cannot be added directly to the compound cases, but they can be added to the sub-cases separately. New data will be available when the compound case is opened next time.

It is not possible to use a compound case and any of its sub-cases at the same time. Opening a compound case will lock all its sub-cases. Similarly, opening a sub-case separately will lock all compound cases with this sub-case.

User annotations (e.g., tags, flags, comments, and custodians) that are added in a compound case are specific to that compound case and do not affect the sub-cases.

The following annotations that are added in the sub cases will be visible (read-only) in the compound case:

The following annotations that are added in the sub cases will NOT be visible in the compound case:

One can perform these actions, but their results stay local to the compound case. The compound case also maintains its own Event Log, independent from its sub-cases.

Thumbnails generated in a sub-case will be visible in the compound case. But thumbnails generated in the compound case will not be visible in the sub-cases.

The following functionalities are not available in compound cases:

Text imported into a sub case via '-importText' command line option will be visible in the compound case.

Notes on item IDs in compound cases:

When a sub-case is deleted, evidence items of this case will no longer be available in a compound case that refers to it. If the compound case had annotations or other review data associated with these items, this data will be unavailable.

Deletion of a compound case will not cause the deletion of any sub-cases. If desired, these need to be deleted individually and separately.

If you are running more than one Intella Investigator servers then likely you could benefit from configuring them as a part of the same Grid. This feature allows reviewers to have a single point of entry to all Intella Investigator servers. This simplifies case management in larger organizations, as reviewers do not need to be aware which Intella Investigator server is hosting the case.

For this feature to work, each server forming a Grid must have LDAP integration enabled. This is required to establish a consistent user base for each of the servers.

It’s imperative to manually pick one server which will act as a single point of entry for the Grid and apply any configuration there. Other Grid servers do not need to be further configured (assuming that LDAP configuration was already applied).

It’s common in networking to identify servers interchangeably by their IP, domain or network name (ex. IP 1.1.1.1 matching pc1.mycompany.com). However when Intella Investigator server is being added to the Grid only one URL will have to be provided and will be used as a unique identifier of the server. For security reasons these URLs will be used internally to validate the origin of requests accepted by Grid servers. Therefore the grid might not work properly if you set up a server using it’s IP address and then later are accessing it using its domain name.

The same rule applies to the server which acts as a single point of entry. You must make sure to apply any grid configuration using the URL which will later be used to access user dashboards.

Example

This example will walk you through the hypothetical use case of setting up Grid in a company distributed across three continents. It gives you some general guidelines how to approach this task and stresses points which should be discusses with your IT department.

Let’s say that we have three Intella Investigator servers running in our company. Here are their details:

Until now there was no strict policy as to how to access those servers so users were using different mix of IPs or domains. The first step is to define a scheme of addressing our servers. We decided to rely on domain/subdomain names as IPs are too fragile to rely upon them. We also decided to promote the Intella Investigator server located in London to become our single point of entry. We also asked our IT department to disallow direct access to server by IP (as an additional precaution).

In the next step we went through all three servers and made sure that each one of them is using the same LDAP provider. It turned out that the one in New York had a bunch of local accounts which were interfering with LDAP (username clashes) so we decided to clean this up and create LDAP accounts for those people.

After that we logged in to main.mycompany.com (entry point) to set up Grid there. Under Servers > Grid > Known servers we added the remaining two servers. The first one as:

And the second one as:

Right after that they were added to Known Servers list with the online status.

We then validated the setup by sharing 1 case on each of the servers and logged in to User Dashboard on the server which we chose as single point of entry (http://main.mycompany.com). User was successful presented with a list of cases showing three entries.

Intella Investigator can make use of unlimited number of remote Intella Nodes to perform remote indexing. For installing and setting up an Intella Node please see Getting started section.

Using this view it’s possible to add/edit/remove remote Intella Nodes that can be used to perform remote indexing.

Make sure that remote Intella Node server is properly running and is directly accessible via network on particular IP and port.

Intella Node’s local status page shows detected host name and port, which can be used when adding new Intella Node.

The IP address that is being detected by Intella Node can be just one of addresses on which that computer can be reached and it might not be always the best one to use. There are few examples that come to mind:

Please note that these are only simple scenarios and there can be much more complex network topologies and configurations. It really depends on what network you have and how it is built and configured. The detected IP address is being read from system configuration, it is not an algorithm that would detect your network and perform speed and reliability measurements to determine what exact address to use. It is meant to be a hint rather than anything else. When in doubt about which IP address to use, please consult your IT/network administrator.

When you have gathered all relevant data (host, port) you can add new remote Intella Node by clicking on the plus sign when hovering mouse over UNUSED remote Intella Node slot.

The Intella Node can now be added in place of the UNUSED slot.

Enter name, description (optional), host, port and enable the use of HTTPS if SSL is configured for this Intella Node. After pressing Add Node the Intella Node will show up in the remote Intella Nodes list with status Connecting…​ which indicates that there is a check being made whether remote Intella Node is up and running and is reachable.

If all entered data were correct and remote Intella Node server was reachable the status of the newly added Intella Node should be Idle which indicates that it is ready to be used for remote indexing. Connection error status indicates that server is not reachable. If that happens you should check whether:

Click on Configure button to show configuration that can be changed on selected Intella Node.

It consists of following sections:

Shared folders management is actually a way of logically organizing shared folders that are based on UNC paths.

Each defined folder represents specific type of location:

When such Shared folders are defined, the user is able to access them in a file selection tree under Shared folders branch next to Local Server disks.

To add a new shared folder, click Add shared folder

Enter name, description, UNC path and select type of the location that folder represents. After pressing Add the folder will be added to the list.

This section lets the administrator configure these two aspects of the login page:

Intella Investigator can be partially or fully branded with a custom logo of your choice. The process of setting this up is pretty straightforward. It’s just the matter of uploading image files. You can also optionally align the logo appearing in the Intella Investigator header, so that it appears in the correct location.

You can find more details on this topic in Branding section.

On login page

This logo appears on the login page, where user signs in to application.

In application headers

This logo will be shown in the Intella Investigator header (top of the screen), as well as in various places inside the application’s User Interface.

Header logo alignment

By adjusting the value in this field you can control the vertical alignment of the logo located in the header.

Intella Investigator supports protecting your server with a secure HTTPS communication layer. The details on how to set it up is a part of a separate guide available in SSL setup guide section.

Intella Assist is an AI-driven tool integrated into Intella Investigator, designed to enhance the review process. It assists users by providing advanced functionalities such as summarization, translation, inspection of items, and enables searching for specific items using natural language queries through the Intella Assist facet.

Configuration Requirements:

To leverage Intella Assist, a Large Language Model (LLM) provider service must be configured. Currently, the following providers are supported:

This chosen service will facilitate Intella Investigator’s integration with Intella Assist.

Important Considerations:

Please note that using this feature involves sending non-redacted item data and metadata to the selected external service for analysis.

Due to the following considerations:

…​it is mandatory for users to be granted the "Can use Intella Assist" permission to enable its usage.

Service Configuration Details:

This section describes configuration fields which needs to be filled in for the service to work properly.

Service The backend service that Intella Assist utilizes for performing AI-supported tasks.

Endpoint URL Specifies the completion endpoint URL for the Azure OpenAI or Custom LLM provider. This field is applicable only when the Azure OpenAI or Custom LLM provider is chosen.

Model (id) Identifies the AI model to be used for processing.

API Key The necessary API key for authentication with the chosen LLM provider.

Test integration There you can initiate a test request by pressing this button to ensure proper integration setup.

Logging

All prompts that are send to the external LLM provider are stored in the [CASE]/logs/prompts folder.

All conversations with Intella Assist supported features will be archived in the internal database for later retrieval by administrator.

Data capping

Intella Assist in the case of previewer will send out the following sensitive data to the LLM provider:

…​in addition to user’s prompt and other instructions.

Maximum size of each of these is capped at 16,000 characters. The main reason for this is to cut the API usage costs.

Should these limits not suffice for you for any particular reason you could change these by setting these properties:

…​respectively in the user.prefs file located in: %USERPROFILE%\AppData\Roaming\Intella Investigator\prefs

Please be aware that this will affect the usage costs as more/fewer tokens will be consumed on each API call.

Intella Investigator can be integrated with an LDAP server. This integration allows for the user base available in LDAP being used by Intella Investigator. The details on how to set it up is a part of a separate guide available in the LDAP setup guide section.

When you have access to an ABBYY Recognition Server, or its successor ABBYY FineReader Server, you can utilize it to OCR selected items in the case fully automatically. The configuration specified here will apply to all cases shared by this Intella Investigator server.

Before attempting to configure this section, please make sure that your ABBYY Recognition Server is configured correctly:

C:\Program Files (x86)\ABBYY Recognition Server 3.5\RecognitionWS\web.config

Parameters:

Host

IP address of machine hosting ABBYY Recognition Server. The Service URL field will be populated automatically based on the entered value.

Version

The version of ABBYY Recognition Server installed. The Service URL field will be populated automatically based on the entered value.

Use custom service url

If you know that your server uses a different URL, you can override it by checking the Use custom service URL check box. This will cause the Service URL field to become editable.

Service URL

The value of this field will be automatically generated based on input in other fields. It should point to the appropriate SOAP service of the ABBYY Recognition Service.

Workflow name

Specify the workflow name that should be used. Alternatively, you can press the Get list from server button to select a value from all available workflows on that server. This button can also be used to validate connection to ABBYY -Recognition Server.

Number of workers

Specify the number of workers to let the Recognition Server process more than one document at a time. The optimal number of workers depends on the Server capabilities (in particular the number of CPU cores on the server) and is also restricted by the server’s license (the number of CPU cores allowed to be used by the Recognition Server license). The number cannot exceed 64.

See OCR section for more information about OCR.

If the password for admin user is not available, then it can be reverted to default state with file system access.

To revert to default password, do the following steps:

As a precaution, copy the users.enc file to a backup file. Open the users.enc file with a text editor.

admin=qLSwQDbkNE_kwviCVkT4EQ

The default password for admin user equals to 'admin'.

New users can be added by clicking on the Create account button.

Once the user name and password fields are filled in, click on the Create button to create a new user and add it to the list.

Revoking/deletion of a user account will clear any case-specific roles assignments which were registered for that account. If a new account with the same username would be later created again, then it will not retain previous assignments. Revoking of a user account is a terminal operation. It may take a few minutes before that fact is propagated to active, shared cases.

Select the user for whom you want to revoke access and click on the Delete account button.

After confirmation, the selected user will no longer have access to any part of the Intella Investigator system.

Intella Investigator uses case insensitive comparison for usernames. This means, that "Admin", "admin" and "aDmIn" are essentially the same user. In various places in the user interface the username will be rendered using a lowercase. The current set of acceptable characters in usernames contains of:

Usernames should be at least 3 characters long.

Select the user whose password you would like to change and click on the Set password button.

Once the password fields are filled in, click on the Set button to change the user’s password.

The feature of two-factor authentication (2FA) for local Intella Investigator users has been added in version 2.4.2.

With 2FA, an extra security layer is added to the user account. After setting it up correctly, when logging in to Intella Investigator , then the user will be asked to login in two steps:

Due to the second step being time-based, it is required for the server on which Intella Investigator is running as well as a device on which authenticator is running to have system clocks synchronized.

Please make sure to enable "Set time automatically" option on Windows so that the system clock is synchronized with the internet time server.

The same applies to phones and other devices on which authenticator is running.

Select the user whose 2FA will be configured and click on Setup 2FA button.

This will open a modal window which shows the current status of 2FA and allows to enable or disable it.

By default, the 2FA is disabled as is shown when opening the modal window for the first time:

To start the process of enabling the 2FA, click on Enable 2FA button. This will activate TOTP generation on Intella Investigator side for the user. At this point, 2FA is still disabled and further steps are required:

To finish 2FA setup, do the following:

If the six digit number from your device will match the six digit number generated in Intella Investigator , then 2FA will be enabled for this user.

The modal window can now be closed. When logging in, you will be prompted to enter username and password as well as a six digit number generated by your authenticator.

It is recommended to use 2FA to strengthen security of all local user accounts.

Accounts can be locked, which will prevent those users from logging in. Locked accounts can be unlocked by an administrator.

To lock one or more accounts, select them and then click on Lock button.

Modal window will be shown to confirm the locking action. After confirming, selected account(s) will become locked.

Similarly, to unlock one or more accounts, select them and then click on Unlock button.

Modal window will be shown to confirm the unlocking action. After confirming, selected account(s) will become unlocked.

If you are migrating from a previous versions of Intella Investigator, then it may happen that the RBAC model will be upgraded to a newer format. Some permissions may be added, some others may get removed. The details about each migration is always added to the Release Notes document published with each version.

This automatic conversion affects the auth.xml file located in the product’s home directory. A backup file with the name auth.xml.bak-* will be created automatically and it could be used to revert RBAC model to a state prior to migration. This should almost never be required, though.

To add a new role, click on the Create role button. You will be asked for a name for the new role. Roles names should be unique. Additionally, it is possible to choose an existing role from which permissions will be copied to this new role. When choosing Blank role to copy from, then this will create a new role without any permissions.

The new role will be immediately visible in the table.

Roles can be deleted by clicking on Delete role button and then selecting them in the list. You will be asked for confirmation, after which the role will be removed from the table. Deleting a role does not mean that this deletes the permissions associated with it, as those are defined by Intella Investigator itself.

Granting (or adding) and revoking permissions works very similar to roles management. Remember that permissions are always managed in a context of a role, so the permissions assigned to it will be shown as checked in the role’s column.

Permissions have their own unique internal IDs which are hidden from the view, so in the first column you can see a more human-readable description that should immediately let you know what that permission stands for. Clicking on checkbox to make it checked in row of a desired permission in column of desired role will assign that permission to the role.

Some permissions can be added to a role just once (like case access), other can be assigned multiple times (like reducing access to tagged items). In the latter case, you will be asked to add additional data which is needed by the permission to fulfil its purpose. Again, for the example of limiting access to tagged items, you will be asked to supply the tag name so that Intella Investigator knows which tagged items are considered off-limits for users with that role. The user interface should render some hints as you proceed, making the process fairly straightforward.

Granting a new permission for the mentioned example is illustrated below:

Revoking a permission works similar to deleting a role. You will be asked for a confirmation, after which the permission should disappear from the permission column. This will have an immediate impact on the role that it was assigned to.

Below is the list of permissions currently available in Intella Investigator. We intend to add more permission types to this list in future releases.

Analysis:

Case access:

Case management:

Collaboration:

Exporting:

Identities:

Server administration:

Tags:

UI tabs:

This permission must be used with an extreme caution because in case of any user error it can lead to disclosing of privileged items.

One must observe that the data is always organized in a tree-like hierarchy, where child items are linked to their parents. This tightly relates to the data consistency and opens an interesting question. If only the parent of an item is hidden, where to Location Facet should place its children?

To avoid such purely theoretical debates Intella Investigator will hide an item along with all of its descendants when using "Cannot see items tagged with…​" permission.

Consider this: user A is granted with this permission (for "Privileged" tag) in a data set of 100 items. 10 of those items are tagged with the "Privileged" tag. One of these privileged items has 5 children, e.g. attachments or nested items. This means that user A will be able to see 85 items from this data set (10 + 5 = 15 items are hidden). The privileged 15 items will not show up in the cluster map, search results, facets, etc. If tagged items contain child items, they will be filtered from the results as well. User A will also have no access to the "Privileged" tag in the Tags facet, so he cannot himself modify it to change what he can or cannot see.

Introduction of hierarchical tags in Intella Investigator has caused for this mechanism to be extended as well. Since now "Privileged" tag can be anywhere in the tag tree structure, then all tags (and items tagged with them) in a tag subtree starting with this tag will also be considered hidden. Also, tag names are no longer guaranteed to be unique in the entire tag tree. Therefore if there are several tags called "Privileged", all of them will be managed by this set of rules.

It is important to understand that Roles can be assigned in 3 ways:

The assignments tab provides an overview of users assigned to roles in particular cases. In addition to showing an overview, it also allows searching, filtering and narrowing down the view to see how particular case, user or role is assigned:

The above filters can be used in combination with each other.

To assign roles to users per case, click on any accounts box in row of given case:

Shows basic information about occupied seats:

There you can find detailed information about current status of occupied seats.

Each row represents user/client occupying a seat. Essentially that means that number of rows will always be equal to the number of occupied seats. First column contains username including IP of the machine from where Intella Investigator was accessed. Second column represent current length of the session. All additional columns represent cases which are being accessed. The green marker is used to indicate which case is accessed by which user representing matrix view of all occupied seats/cases.

The users/clients are ordered by the length of the session ascending.

This section makes it possible to forcefully log out another user effectively freeing a seat.

Follow these steps to add a File or Folder source to Intella Investigator:

Click "Next" to continue.

The last steps in the definition of a source type are almost the same for all types. They are described in section Last steps in a source definition.

Follow these steps to add a load file to an Intella Investigator case:

Important notes on load file importing

There are several aspects to be aware of when importing a load file into an Intella Investigator case:

You can save the specified load file import options as a template for later usage on the last page using the button Save Template. All import templates are stored as XML files in the "<Intella Home Folder>import-templates" folder.

Follow these steps to add a Hotmail Search Warrant Result to Intella Investigator:

The last steps in the definition of a source type are almost the same for all types. They are described in the section Last steps in a source definition.

Follow these steps to add a Disk Image source to Intella Investigator:

Select "Verify hashes for AFF4 images" to verify hashes in AFF4 physical disk images during the disk image validation. If a hash mismatch is detected in a physical image, the disk image validation will fail and an error message will be shown. Please note that AFF4 physical image hash verification may take some extra time.

Note that the hashes for AFF4-L logical images are always verified during indexing. If a hash mismatch is detected in a logical image, it will be reported as an indexing error and can be found in the Exception report or Exception items facet.

Select "Carve unallocated space" to enable file carving. File carving is the process of reassembling computer files from fragments in the absence of filesystem metadata. Intella Investigator uses Testdisk and Photorec to recover deleted files from unallocated areas of the disk image. See https://www.cgsecurity.org/wiki/PhotoRec for more details.

These are some important details about file carving in Intella Investigator:

After you click Next button in the wizard footer, Intella Investigator will validate selected disk image. This process may take long time depending on the complexity of the data.

The last steps in the definition of a source type are almost the same for all types. They are described in the section Last steps in a source definition.

Filtering disk image content

A disk image often contains a lot irrelevant files, such as executables, DLLs. These files add to the processing time and disk space that the case will consume. It is possible to define a set of rules to filter out unnecessary files and folders, to save processing time and disk space.

Note that search results can also be filtered after indexing, using the Hide Irrelevant filter option in the Details tab.

Supported disk image formats

The Disk image source type supports EnCase E01, Ex01, L01, Lx01 and S01 files. Password-protected files are supported and indexed without manual interaction, except for FTK-encrypted files.

DD images are supported, but when a Folder source is used, they need to use the .dd file extension to be detected and processed as DD images. Because of potential issues with DD image detection, we recommend using the Disk Image source directly. This is also required when you want to index a multi-volume DD image

Supported file systems and partition types

The following file systems have been tested: FAT16, FAT32, ExFAT, NTFS, Ext2, Ext3, Ext4, HFS, HFS+, APFS and ISO 9660. Other file systems such as YAFFS2, ISO 13346 (UDF), UFS 1 and UFS 2 may work but have not been tested yet.

MBR and GUID partition tables (GPT) partitions are supported. Apple Partition Maps (APM) have been tested but results were mixed. When an image cannot be indexed, we recommend mounting it manually and indexing the mounted drive using a “File or Folder” source.

APFS and BitLocker encrypted volumes are supported. When an encrypted volume is detected, a dialog will be shown where it’s possible to enter a password or recovery key. BitLocker volumes with suspended protection (also known as "clear key") will be indexed automatically without a password prompt. If a BitLocker volume is protected with multiple keys, you can enter any key.

Multi-volume files

When using a Folder source to index multiple image files, Intella Investigator will rely on the following file name convention to determine which files together make up a single image:

Volume shadow copies

Volume shadow copies (VCS) is a mechanism in Windows OS that preserves previous versions of files in a special hidden area on the disk. A new VSC snapshot is often created automatically by Windows when installing major system updates or drivers.

When Intella Investigator detects that the disk image contains VCS, the Specify Volume Shadow Copies page will be shown. On this page you can select specific snapshots that need to be processed.

By default, Intella Investigator will only extract the files that were changed between snapshots. That allows to save a lot of processing time and disk space by not indexing the same file several times:

Intella Investigator uses the last modified date of the file to determine whether it has changed. It is also possible to take the last access date into account.

The "Has Shadow Copies" option in the Features facet can be used to see all items that have other versions in shadow copy volumes.

To see all items extracted from all volume shadow copies, use the "Recovered → Recovered from volume shadow copy" option in the Features facet.

The currently supported MS Exchange versions are 2003, 2007, 2010, 2013 and 2016.

Follow these steps to add a MS Exchange EDB Archive source to Intella Investigator:

The last steps in the definition of a source type are almost the same for all types. They are described in the section Last steps in a source definition.

When an EDB source has been added and not all mailboxes were selected, it is still possible to index additional mailboxes in that EDB file at a later stage. To do that, the following steps should be performed: 1. Click on the "Edit" button for the respective source on Sources page. 2. Indicate which mailboxes should be processed. Note that you cannot unselect or remove already processed mailboxes. Click OK. 4. Use the "Index new data" button option to index the new mailboxes.

This source type lets one import an entire case created with the Vound W4 application into the current Intella Investigator case.

Follow these steps to add and process a W4 case source:

The last steps in the definition of a source are almost the same for all types. They are described in the section "Last steps in a source definition".

Follow these steps to add an IMAP Account source to Intella Investigator:

The last steps in the definition of a source type are almost the same for all types. They are described in the section Last steps in a source definition.

A Dropbox source reconstructs the entire folder tree in a Dropbox account and downloads current and past revisions of the files in the account.

The official Dropbox REST API used by Intella Investigator limits this to a maximum of 10 revisions per file. All revisions except for the last one have their file names decorated with the revision identifier. Furthermore, additional Dropbox-specific metadata is retrieved for both files and folders. These are displayed in the Previewer’s Raw Data tab and are subject to full-text indexing.

Intella Investigator uses the OAuth2 (Open Authorization) protocol to access the account. Prior to defining the source, the investigator needs to obtain an OAuth2 token for the account.

This process is described in detail in the following Knowledge Base Article: Collecting data from a DropBox source.

Next, follow these steps to add a Dropbox source to Intella Investigator:

The last steps in the definition of a source type are almost the same for all types. They are described in the section Last steps in a source definition.

A Google source allows to download items from the following Google services:

More Google services will be added in the next versions.

Different services require different APIs to be enabled:

Optionally, the set of retrieved items can be restricted to a certain date range.

Benefits of using the Google/Gmail source over the generic IMAP source are: faster performance, more accurate data representation (e.g. folders vs. Gmail’s Labels, threads), and a read-only data connection ensuring that no data is altered on the server.

Intella Investigator uses the OAuth2 (Open Authorization) protocol to access the account. Prior to defining the source, the investigator needs to obtain an OAuth2 token for the account. The token will be downloaded as a JSON file, which Intella Investigator can use to access the account. This process is described in detail in the following Knowledge Base Article: Collecting data from a Google source.

Next, follow these steps to add a Google source to Intella Investigator:

The last steps in the definition of a source type are almost the same for all types. They are described in the section Last steps in a source definition.

The Microsoft 365 source types allows for retrieving both user account and user groups. For each user account, used to access Microsoft 365, the source can retrieve data from Outlook, OneDrive and SharePoint. For each user group, the source retrieves titled conversations containing emails.

Before a source can be added, the Microsoft 365 account must be properly configured. This process is described in detail in the following Knowledge Base Article: Collecting data from a Microsoft 365 or a SharePoint Source.

Once the credentials are established, follow these steps to add a Microsoft 365 source to Intella Investigator:

A connection will be established and the credentials will be validated. If credentials validation is successful, basic information about the account such as the tenant name and location will be shown beneath the configuration fields.

Note the Help button at the top of the screen. Clicking it will display the steps required to create the client ID.

Click Next to continue.

Selective indexing of part of the account data is not possible at this moment.

Click Next to continue.

The last steps in the definition of a source type are almost the same for all types. They are described in the section Last steps in a source definition.

The iCloud source type is used for indexing the contents of an iCloud account, such as emails, photos and notes.

Prior to defining an iCloud source, the investigator must obtain the Apple ID and password used by the account owner. When the account has been configured to use two-factor authentication (2FA), iCloud additionally sends a verification token. The verification token is sent only if a valid phone number is set for the Apple ID. Hence, the investigator needs to have access to one of the physical device (an iPhone or an iPad) associated with the account, including the passcode to unlock the device.

Intella Investigator supports the retrieval of the following data from an iCloud account:

Follow these steps to add an iCloud source to Intella Investigator:

When this account requires two-factor authentication, Intella Investigator will extend the form with an option to choose the verification delivery method: SMS or Idmsa.

Both methods are equally capable of providing access to the account’s data. When the account is linked to an iPhone and/or iPad, the Idmsa method is recommended. When the account is linked to a non-Apple device (e.g. a cellphone or tablet from a different vendor), SMS is the only way to obtain the verification code. Even when using an Apple device, SMS can be selected as the preferred method for delivering the verification code. In that case, the registered device may receive multiple notifications from Apple’s identify management service (IDMSA). Such notifications should then be ignored and the code from the SMS message should be used.

Choose the desired delivery method and click Get Verification Code. A six-digit verification code will be either sent as an SMS or show up as a native iOS notification on the Apple device. The controls for choosing the delivery method will be replaced by a Verification Code field. Enter the received verification code in this field. Click Connect to iCloud.

When the credentials and the verification code are all valid, Intella Investigator will list some account info such as the Full Name of the account owner. Click Next to continue.

The last steps in the definition of a source are almost the same for all types. They are described in the section Last steps in a source definition.

When Intella Investigator establishes a connection to iCloud using the account credentials, it will obtain a trust token. This token allows Intella Investigator to connect to iCloud at a later point in time without requiring the user to re-enter the credentials and perform any two-factor authentication steps. The trust token has a limited validity period. iCloud sources can be indexed and re-indexed during the validity period of the token. Once the token has expired, the source must be re-created; there is no way to refresh the token of an existing source.

An AWS S3 source reconstructs the entire folder tree in the selected S3 buckets and downloads current and past revisions of the files.

All revisions except for the last one have their file names decorated with the revision identifier. Furthermore, additional S3-specific metadata is retrieved for both files and folders. These are displayed in the Previewer’s Raw Data tab and are subject to full-text indexing.

Prior to defining the source, the investigator needs to obtain an access key for the account. This process is described in detail in the following Knowledge Base Article: Creating AWS access keys.

Next, follow these steps to add an S3 source to Intella Investigator:

The last steps in the definition of a source type are almost the same for all types. They are described in the section Last steps in a source definition.

In version 2.7 of Intella Investigator, some new source wizard sheets have been moved to "Additional options" section. This change streamlines new source creation as only some required options are necessary for source creation. Additional options will have defaults set and can be changed by simply clicking on the sheet and changing the option. Additional options will appear once completed source definition sheet is reached, by settings required options and clicking on next button.

The following final steps are the same for all source types.

While an indexing operation takes place, the case remains opened and locked by Intella Node. During that time, running a different indexing operation is not possible. The case also cannot be opened for sharing. After the indexing operation is completed, the case will be automatically unlocked and can be shared by case administrators.

There may be circumstances when you want to re-index individual sources or the entire case, e.g. to use extraction features offered by a newer Intella Investigator/Intella Node version or fix a broken index.

To rebuild the case index from scratch, choose one or more sources in the Sources view, click on "Indexing" button and use the Re-index option either for selected sources or entire case. Intella Investigator/Intella Node will remove all indices it has previously created and create new ones.

In order for this to work, all evidence files have to be present at the location they had during the initial indexing.

Alternatively, there may be times when you want to update an index, e.g. in the following scenarios:

In these cases the "Index new data" option, shown when clicking on "Indexing" button in the Sources view will scan either the selected sources or all sources for new evidence items depending on what is chosen. Items that have already been indexed are not changed, also when their original evidence items are no longer available.

The following file formats can be decrypted by Intella when the credentials are specified before indexing:

Furthermore, password-protected PST files can be automatically decrypted without specifying any passwords.

To let Intella automatically decrypt the encrypted items that it encounters, their keys (passwords, certificates, etc.) need to be added to the Key Store first. Navigate to Sources page and click on Key Store button and follow the instructions below. Afterwards you can (re)index your data and let the items be decrypted automatically.

All credentials that you enter will be tried on all encrypted files to which they can apply. It is therefore not necessary to specify e.g. which password applies to which file or file type.

After indexing you can see which items were successfully decrypted by using the "Decrypted" category in the Features facet or by using the "Decrypted" column in the Details table. Note: due to technical reasons, decrypted NSF files will not be marked as such.

Password-protected files
Passwords are the simplest type of key. They are used for decrypting PDF and MS Office documents and archives.

You can either add passwords one by one, or load them in batch from a text file: specify a password per line and use UTF-8 encoding for the file.

HCL/IBM Notes NSF files
To decrypt HCL/IBM Notes NSF files, so-called ID files need to be added to the key store. Go to the "HCL/IBM Notes ID Files" tab and click "Add…​". Enter the location of an ID file and the password associated with the file. Click OK to add it to the store. Intella will validate the ID file to make sure you entered the password correct. Repeat this for all ID files.

Intella will also try to decrypt encrypted messages in non-encrypted NSF files using the provided ID files.

S/MIME-encrypted emails
To decrypt emails with S/MIME encryption, one or more X.509 certificates and private keys need to be added. Go to the "X.509 Certificates" tab and click Import, then select a PKCS12 archive file (*.p12 or *.pfx file) that contains the keys. Intella will analyze the key file and import all found certificates and keys.

Usually you can export the certificates and keys from a mail client in this format. Do not forget to include private keys as they are critical for decrypting the emails.

PGP-encrypted emails
To index PGP-encrypted emails you will need to import the PGP private keys. Go to the "PGP Keys" tab and click Import. Intella can import ASCII armored PGP private keys (*.asc files), but it is also possible to import key in binary format.

An ASCII armored PGP private key usually starts with the following text:

Importing multiple .p12 files
At the moment it is not possible to enter multiple .p12 files in a single action, they need to be entered one by one. We have put this feature request on our roadmap for future development.

Please note that .p12 files can contain multiple certificates. Therefore, if your environment is able to export multiple certificates into a single .p12 file, or you can find a third party tool that merges them, you can effectively import multiple certificates at once.

Furthermore, note that you can copy the keystore files to another case. That way you can reuse the entered credentials if they apply to other cases/evidence sets as well.

Encrypted volumes in disk images
To decrypt BitLocker and APFS volumes in disk images, a correct password, recovery key, or recovery file needs to be added. Passwords can be added via the "Passwords" tab. "BitLocker Recovery Keys" and "BitLocker Recovery File" tabs should be used to add BitLocker-specific credentials.

Note that BitLocker images protected with other methods, such as a Smart Card or TPM, are not supported.

Intella Investigator/Intella Node allows for the definition of "tasks". These are essentially compound processing steps such as searching for all items that match a certain keyword or keyword list and tag or export the results. These tasks can be defined and selected during source creation, which will run these tasks right after indexing. Tasks panel can be opened by clicking on the Tasks icon (three vertical progress bars) inside the Secondary Navigation Bar, which allows for defining and running the tasks at any point in time after index creation. See the tasks section for more details.

Each task consists of conditions, post-conditions and actions. A task must have at least one condition and one action.

A condition (Step 1 in the task dialog) defines a search query that select items from the case. Currently the following conditions can be defined:

A task may combine any number of conditions. The match option controls if the items should match all specified criteria or at least one of them, i.e. a Boolean AND or OR of the specified conditions.

An optional list of post-conditions (Step 2) specify how to transform the item set retrieved in the previous step. Possible post-condition steps are:

It is possible to define multiple post-conditions for a single task. The first post-condition is applied on the set of items resulting from the conditions in Step 1. Subsequent post-conditions are applied on the outcome of the preceding post-condition.

Finally, task actions (Step 3) define the operations that will be applied to the items resulting from the previous steps. The following actions can be defined:

Every task may define multiple actions that will be applied sequentially to the determined item set.

Tasks can be exported to a file so that they can be reused in other cases. These files are self-contained, i.e. when the task involves MD5 hash lists or keyword lists, these lists are embedded in the task file.

Tasks are executed in the order they have in the task list. This makes it possible to "pipeline" tasks, e.g. use one task to assign specific tags to a subset of the items and use a subsequent task that is based on those tags. The order can be changed by selecting a task and using the "Move Up" and "Move Down" buttons.

The Custodian attribute can be assigned to items after indexing. This can be used to represent the custodian of the evidence items. To enable automated assigning of multiple custodians in a folder source, the root folder should organize the evidence in subfolders, one subfolder for every custodian. If the evidence folder is structured in this way, the "Indexing Tasks" step in the Source Wizard will contain a "Custodians" tab that opens the settings panel for automated assigning of multiple custodians. By default the custodian names are set to equal the subfolder names. It is possible to alter the used custodian names in the table. This Custodian value will be assigned to all items obtained from the evidence files within the respective subfolder. For other types of sources, the "Indexing Tasks" tab contains a text field for setting a single custodian name. Besides the above method, the Custodian attributes can also be set or changed using the "Set Custodian" indexing task with an arbitrary condition, or edited manually in the Details’ right-click menu.

To improve the images loading speed you can pre-generate thumbnails after processing case sources. You can learn more about this in Reviewer’s manual > Preferences > Thumbnails Pre Generation .

An overlay file is a file that contains additional information about the current items in a case. By importing the overlay file, the metadata of these items can be extended.

Intella Investigator currently only supports the importing of tags, tag columns, comments and metadata columns (both regular and custom). Importing overlay images, texts, and natives may be added in a future release.

The following file formats are supported for overlay files:

To import an overlay file you need to add another Load file source. Set the Import operation to Overlay and specify the location of the file. You can optionally use a previously saved template.

On the "Configure delimiters" page you can set the file encoding, delimiter settings and date formats. Please see the Load files section for a description of these options.

On the "Map fields" page you need to specify the identifier field and type. This is how Intella Investigator will match items in the overlay file with the existing items in the case. There are four options for matching items:

The “Also overlay metadata shared with duplicates” option is used to control whether the imported metadata will be applied to all duplicates as well (see the limitations below for this setting).

Current limitations:

Please see the Adding sources > Load file section for a description of the remaining options on this page.

Content analysis can be scheduled to run either as an indexing Task or by a reviewer directly from a shared case. The later procedure is described in Reviewer’s manual > Details panel > Content analysis .

Email threading can be scheduled to run either as an indexing Task or by a reviewer directly from a shared case. The latter procedure is described in Reviewer’s manual > Email threading .

A technique to reduce the reviewing time is Near-duplicates Analysis. It splits a selected set of items into groups based on the similarity of their text content. Every group is centered around a "master item" which is the most common near-duplicate for other items in the group (usually, an item with the largest text size). Other items are included in the group if they are determined to have an appropriately high similarity score to the master item. The similarity score is based on an amount of co-occurrent text fragments and is a number between 0.0 and 1.0. The master item and its exact duplicates are assigned a score of 1.0. The rest of the group items have scores between 1.0 and a threshold value specified by the user before the analysis.

To start the Near-duplicates Analysis process, select multiple items in the Details table and select "Near-Duplicate Detection" in the right-click menu. In the dialog window, move the "Similarity threshold" slider to set the desired minimum similarity score for items to be included in near-duplicate groups. Select the "Ignore excluded paragraph" option if you don’t want the content of excluded paragraphs to be considered by the similarity calculation algorithm.

The dialog window allows the user to select a text analysis method. We recommend choosing the "Word-based" option for documents written in languages in which the representation of meanings is contained in words. The “Character-based” option is intended for languages in which the semantic representation is represented by morphemes (Chinese, Japanese, Vietnamese, Korean). Typically, these are languages in which the use of white space characters is optional. Choosing the appropriate algorithm for a data set will improve the quality of the analysis results.

Upon completion, near-duplicate groups are available for search in the "Near-duplicates" facet (see Reviewer’s manual > Near-duplicates section for details). Additionally, "Near-Duplicate Group", "Near-Duplicate Master Item" and "Near-Duplicate Score" columns can be made visible in the Details table to show the group names, master item IDs and similarity scores of items included in near-duplicate groups.

To query for Near-Duplicates of specific items that are subject to Near-duplicates Analysis, select the item in the Details table , right-click, and choose "Show Near-Duplicates". This option will be enabled only when the selected item has at least one Near-Duplicate.

The total set of analyzed items and items included in near-duplicate groups can be retrieved via the "Analyzed for Near-Duplicates" and "Has Near-Duplicates" nodes in the Features facet.

“Generate Custom IDs” task allows to assign each item a unique custom ID taking families into account. Such IDs can often then be used in load file exports. Or it can help to easier identify item position or role in its family.

Items are processed in hierarchical order starting from the roots and exploring as far as possible along each branch before backtracking (Depth-first search). Items that are on the same level of hierarchy are processed in the order defined by Sort Order setting. If the selected items don’t contain complete families, the task will add the remaining items automatically.

Click Configure button on the task action panel to configure the numbering settings:

Generated custom IDs can be used in load file export and can be imported from a load file.

Custom IDs don’t change when the case is re-indexed, provided that the case is re-indexed using the same version.