7. Details panel¶

In order to inspect the contents of the Cluster Map visualization, the user can select a cluster or result set by clicking on it. Its contents will then be displayed in the Details panel below the map.

The Details panel contains a list of the items that can be presented in three modes:

List view - can be selected by clicking on the list tab.
Table view - can be selected by clicking on the table tab.
Thumbnails view - can be selected by clicking on the thumbnails tab.

Note: Use Shift+? shortcut to show help menu with keyboard shortcuts associated with the currently selected view.

Actions that can be performed in all three views are:

Deduplicate the results in the selected view by clicking on the deduplication icon.
Removes all items marked as Irrelevant during indexing.
Double-click on the item to open it up in the previewer.
Right-click on the selected item(s) to show a pop-up window with additional actions:

As query evaluation is processing intensive task all result sets shown in any of the result views are cached. Because memory space is limited, the number of cached entries is limited so they might be evicted in some point in time - in that case user will be presented with such message: Oooooppps! The results you have just seen here are no longer valid, therefore page refresh is needed. Please click here to refresh your results.

Note: Up to 1500 result sets can be cached by default - when this limit is exceeded the oldest result sets will be evicted and the user will be presented with the mesasge above.

Cache eviction policy can be tuned by changing following two properties inside [CASE]/prefs/case.prefs properties file:

IdSnapshotsCacheSize - specifies the maximum number of result set entries the cache may contain (default: 1500)
IdSnapshotsCacheMaxAgeInHours - specifies that each result set entry should be automatically removed from the cache once a fixed duration has elapsed after the entry’s was accessed last. (default: not set)

Note: If above two properties are not present append them to the end of the case.prefs properties file.

7.1. List view¶

The List view displays the results as a typical search engine-like list:

Each row represents a single item:

This view shows basic information about the item:

Flagging status.
Item ID.
Title or subject of the item.
Tags, if any.
Location of the item.
Content summary, including text fragments with keyword hit highlighting.

Buttons available in the toolbar are:

Select-all checkbox - Select all items in list view.
Preview - Preview the currently selected item.
Flagging - Add/remove flags of the selected items.
Tagging - Add/remove tags of the selected items.
Order by [item attribute] - Order the list by a specific item attribute.
Ascending/Descending - Sort order.

List mode - Toolbar

7.2. Hit Highlighting performance with List View¶

7.2.1. Foreword¶

Hit Highlighting is a very complex operation which can take considerable amount of hardware resources. It highly depends on following factors:

The amount of text associated with an Item.
The amount and complexity of keyword searches.

Intella Connect always puts feature richness and stability of a review on the pedestal, so that is why we have introduced Hit Highlighting into List View component. It allows quickly seeing the first occurrence of a hit accompanied with the nearest text, which gives a reviewer an additional context and often is enough to determine if an item is important or not. However, in few rare cases Hit Highlighting can have considerable and undesired influence on the server which can impact negatively the reviewing experience. Therefore we added a simple way to turn off Hit Highlighting in List View, which should relieve the server from additional workload and improve the reviewing speed.

7.2.2. Turning off Hit Highlighting completely¶

By default Hit Highlighting will only work for items of less than 10MBs in size. Depending on the nature of your data (especially when dealing with large files), you might want to turn it off entirely. To do that, please follow those simple steps:

Click on the Settings gearbox icon placed in the Secondary Navigation Bar to open the Preferences window.

Make sure to select the appropriate option to never show Hit Highlighting.

Click OK to save your settings.

7.3. Table view¶

The Table view displays the results as a table in which each row represents a single item and the columns represent selected attributes such as title, date, location etc.

The set of attributes to display can be customized in Preferences which can be accessed by clicking on the gear icon in the Secondary Navigation Bar. Table view settings

Actions that can be performed in the Table view are:

Click on a table column header to sort the table by that item attribute. Sorting by multiple columns can be achieved by holding the Ctrl button while clicking on the column names. Any additional clicked column will be added to the list of sorting criterions. When two items cannot be sorted using the values from the first column (because the values are identical), the second column will be used, and so on.
The first column is used for items selection.
- Select one item to preview it by clicking on the preview button.
- Select one or more items to flag, tag or export the items.

7.3.1. Adding and removing columns¶

It’s possible to toggle visible table columns in Preferences‘s Table view section by (de)selecting column names. The selected columns are stored: every time you connect to the case, these columns will be shown until you select a different set of columns.

This option is only available for the Table view. The following columns are available:

General columns:

Child IDs: The list of direct child item IDs.
Contact name: The name of a contact encountered in a PST file or in a vCard file.
Decrypted: Shows if an item is encrypted and Intella was able to decrypt it.
Duplicates: Shows the number of duplicates of an item within the case.
Encrypted: Shows if an item is encrypted.
Exception: Shows if an item had one or more issues indexing properly.
File Name: The name of a file in the file system, in an archive or used as an attachment name.
Import ID: The ID imported from a load file.
Item ID: The ID used internally in Intella’s database to refer to this item.
Language: The language of the item’s text. The language field is left blank when the language cannot be detected automatically. When the language could not be determined, e.g. because the text is too short or mixes various languages, the value shown will be “unidentified”. Item types that inherently do not have a language, e.g. images or archives, show the “not applicable” value.
Location: Name of the location in the original evidence data where the item is stored. For example, an email in a PST file would have a location that would start with the folder and file name of the PST file, followed by the mail folder path inside that PST file.
MIME type: The type of an item according to the MIME standard.
Native ID: The native ID of an item. Currently this shows the IBM Notes UNID (Universal Notes ID) values from an NSF file. In the future this column may show the “native” IDs from other formats as well.
Parent ID: The ID of the parent item.
Recovered: Indicates whether the item has been recovered
Size: The item’s size in bytes.
Source Path: The path to the evidence, e.g. the PST or NSF file, or the root folder of a Folder source. This helps reviewing items when dealing with a lot of evidence files – the name of the evidence file and the derived source name may not hold enough information to easily discern the origin of the information.
Source: The name of the Intella source that holds the item. Typically this is the root folder name or the name of the mail container file (e.g. PST or NSF file).
Subject: The subject of an email or document item – note that some document formats can have both a title and a subject.
Title: The title of a document item.
Type: The item’s human-readable type, e.g. “MS PowerPoint Document” or “Email Message.”
URI: Uniform Resource Identifier, the identifier used internally by Intella for the item in addition to the Item ID.

Email-specific columns:

All Receivers: The combined list of To, Cc and Bcc agents.
All Senders: The combined list of From and Sender agents.
Attached: Indicates whether the item is an email attachment
Attachments: Shows the file names of an email’s attachments.
Bcc: The addresses in the Bcc header.
Cc: The addresses in the Cc header.
From: The addressed in the From header.
Has Attachments: Emails that are marked as having attachments.
Has Internet Headers: Emails that did not have regular SMTP headers. Still information about e.g. sender, receiver and dates may be obtained from other fields, depending on the source format.
Message Hash: Shows the Message Hash of emails and SMS messages. This hash is used for deduplicating these messages in a manner that works across different mail and cellphone storage formats.
Message ID: Shows the Message ID extracted from email messages.
Sender: The name and email address of the sender(s) of an email item.
To: The addresses in the To header.
Unread: Shows if an email item was unread at the time of indexing.

Cellphone-specific columns:

All Phone Numbers: phone numbers relevant to a phone call, regardless of whether it is an incoming or outgoing call, combined with phone numbers found in contacts.
Chat Accounts: all instant messaging accounts (Skype, WhatsApp, but also SMS and MMS phone numbers) that have been used to send or receive a chat message.
Chat Receivers: all instant messaging accounts used to receive a chat message.
Chat Senders: all instant messaging accounts used to send a chat message.
Duration: how long the phone call took.
IMEI: The International Mobile Station Equipment Identity (IMEI) number of the phone from which the item was obtained.
IMSI: The International Mobile Subscriber Identity (IMSI) associated with the item.
Incoming Phone Numbers: phone numbers used for incoming phone calls.
Outgoing Phone Numbers: phone numbers used for outgoing phone calls.

File- and document-specific columns:

Contributor: The name(s) of the contributor(s) of a document. These are typically authors that edited exiting documents.
Creator: The name(s) of the creator(s) of a document item. These are typically the initial authors of a document.
Embedded: Indicates whether the item is embedded into a document
Empty document: Shows that the item has no text while text was expected. Example: a PDF file that contains only images.
Irrelevant: Indicates an item classified as “Irrelevant”.
MD5 Hash: The MD5 hash that uniquely identifies the item.
OCRed: Shows whether an OCR method has been applied on this file.

Columns containing dates:

Called: The date a phone call was made.
Content Created: The date that the content was created, according to the document metadata.
Content Last Modified: The date that the content of the item was last modified, according to the document-internal last modified date.
Due Date: The due date of a task.
End Date: The end date of an appointment, task or journal item.
Family Date: The family date of the item. Family dates build on primary dates and also take the item hierarchy into account. The family date of an item is defined as the primary date of its top-level parent, i.e. all items in an item family have the same family date. Sorting on Family Date sorts by this date, but also puts attachments and nested items right behind their parent. This is strictly enforced, i.e. two item families with the same family date are not intertwined. This makes it possible to review items in chronological order while maintaining a sense of their context. Certain types of items are skipped when determining the family root, namely all folders, mail containers, disk images, load files and cellphone reports.
File Created: The date a file was made, according to the file system.
File Last Accessed: The date a file was last accessed, according to the file system.
File Last Modified: The date of the last time the file was modified, according to the file system.
Last Printed: The date a document was last printed, according to the document-internal metadata.
Primary Date: The date that is the best match for the given item. Default or user-defined rules are used to pick the most appropriate date attribute based on the item’s type.
Received: The date the item was received.
Sent: The date the item was sent.
Start Date: the start date of an appointment, task or journal item.
Visited: the date the item was visited

Review-specific columns:

Batches: The batches which the item is assigned to.
Coded: The batches in which the item was coded.
Comments: Shows if an item has reviewer comments. When this is the case, a yellow note icon is shown in the table. Hover over the icon to see a tooltip with the comments attached to the item.
Custodian: The custodian associated with the item.
Exported: Shows if an item has been exported.
Flagged: Shows a column at the left side of the table that indicates if an item is flagged. Click the checkbox if you want to flag an item.
Opened: Shows if an item has been opened in its native application.
Previewed: Shows if an item has been opened in the previewer.
Redacted: Indicates whether the item has been redacted.
Tags: The tags set on the item.

Tag group columns: - These columns are created for every top-level tag with sub-tags. If selected, the corresponding column shows the tags within that part of the tag tree. The column will be named after the top-level tag.

Export columns: - When items have been exported using the export set functionality, a column will be made available for every export set, holding the export IDs within that export set.

7.4. Thumbnails view¶

The Thumbnails view displays the thumbnails of the images detected within a selected cluster. This includes images embedded in e-mail attachments and images inside documents.

Actions that can be performed in the Thumbnails view are:

Hover over the thumbnails with your mouse pointer to see a summary of the information associated with the image.
You can flag an image with the checkbox below the thumbnail.
When you double-click a thumbnail, the image will open in the previewer.