8. Details panel

In order to inspect the contents of the Cluster Map visualization, the user can select a cluster or result set by clicking on it. Its contents will then be displayed in the Details panel below the map.

The Details panel contains a list of the items that can be presented in three modes:

• List view - can be selected by clicking on the list tab.
• Table view - can be selected by clicking on the table tab.
• Thumbnails view - can be selected by clicking on the thumbnails tab.

Note: Use Shift+? shortcut to show help menu with keyboard shortcuts associated with the currently selected view.

Actions that can be performed in all three views are:

• Deduplicate the results in the selected view by clicking on the deduplication icon.
• Removes all items marked as Irrelevant during indexing.
• Double-click on the item to open it up in the previewer.
• Right-click on the selected item(s) to show a pop-up window with additional actions:

For more information on:

• Create Batches action, see section Batching and Coding.
• Content Analysis action, see section Content analysis.

As query evaluation is processing intensive task all result sets shown in any of the result views are cached. Because memory space is limited, the number of cached entries is limited so they might be evicted in some point in time - in that case user will be presented with such message: Oooooppps! The results you have just seen here are no longer valid, therefore page refresh is needed. Please click here to refresh your results.

Note: Up to 1500 result sets can be cached by default - when this limit is exceeded the oldest result sets will be evicted and the user will be presented with the mesasge above.

Cache eviction policy can be tuned by changing following two properties inside [CASE]/prefs/case.prefs properties file:

• IdSnapshotsCacheSize - specifies the maximum number of result set entries the cache may contain (default: 1500)

• IdSnapshotsCacheMaxAgeInHours - specifies that each result set entry should be automatically removed from the cache once a fixed duration has elapsed after the entry’s was accessed last. (default: not set)

  
  

  Note: If above two properties are not present, append them to the end of the case.prefs properties file.

  
  

8.1. List view

The List view displays the results as a typical search engine-like list:

Each row represents a single item:

This view shows basic information about the item:

• Flagging status.
• Item ID.
• Title or subject of the item.
• Tags, if any.
• Location of the item.
• Content summary, including text fragments with keyword hit highlighting.

Buttons available in the toolbar are:

• Select-all checkbox - Select all items in list view.
• Preview - Preview the currently selected item.
• Flagging - Add/remove flags of the selected items.
• Tagging - Add/remove tags of the selected items.
• Order by [item attribute] - Order the list by a specific item attribute.
• Ascending/Descending - Sort order.

8.2. Hit Highlighting performance with List View

8.2.1. Foreword

Hit Highlighting is a very complex operation which can take considerable amount of hardware resources. It highly depends on following factors:

1. The amount of text associated with an Item.
2. The amount and complexity of keyword searches.

Intella Connect always puts feature richness and stability of a review on the pedestal, so that is why we have introduced Hit Highlighting into List View component. It allows quickly seeing the first occurrence of a hit accompanied with the nearest text, which gives a reviewer an additional context and often is enough to determine if an item is important or not. However, in few rare cases Hit Highlighting can have considerable and undesired influence on the server which can impact negatively the reviewing experience. Therefore we added a simple way to turn off Hit Highlighting in List View, which should relieve the server from additional workload and improve the reviewing speed.

8.2.2. Turning off Hit Highlighting completely

By default Hit Highlighting will only work for items of less than 10MBs in size. Depending on the nature of your data (especially when dealing with large files), you might want to turn it off entirely. To do that, please follow those simple steps:

1. Click on the Settings gearbox icon placed in the Secondary Navigation Bar to open the Preferences window.

2. Make sure to select the appropriate option to never show Hit Highlighting.

3. Click OK to save your settings.

8.3. Table view

The Table view displays the results as a table in which each row represents a single item and the columns represent selected attributes such as title, date, location etc.

The set of attributes to display can be customized in Preferences which can be accessed by clicking on the gear icon in the Secondary Navigation Bar.

Actions that can be performed in the Table view are:

• Click on a table column header to sort the table by that item attribute. Sorting by multiple columns can be achieved by holding the Ctrl button while clicking on the column names. Any additional clicked column will be added to the list of sorting criterions. When two items cannot be sorted using the values from the first column (because the values are identical), the second column will be used, and so on.
• The first column is used for items selection.
  • Select one item to preview it by clicking on the preview button.
  • Select one or more items to flag, tag or export the items.

8.3.1. Adding and removing columns

It’s possible to toggle visible table columns in Preferences‘s Table view section by (de)selecting column names. The selected columns are stored: every time you connect to the case, these columns will be shown until you select a different set of columns.

This option is only available for the Table view. The following columns are available:

General columns:

• Certificate: The certificate with which an encrypted item could be decrypted.
• Contact name: The name of a contact encountered in a PST file or in a vCard file.
• Decrypted: Shows if an item is encrypted and Intella was able to decrypt it.
• Direct Child IDs: The item IDs of the direct children of this item.
• Direct Parent ID: The ID of the item’s direct parent item.
• Document ID: The ID as imported from a load file. This ID is maintained for cross-reference purposes.
• Duplicates: Shows the number of duplicates of an item within the case.
• Embedded Image: Indicates whether the item is an embedded image extracted from an email, Microsoft Office or PDF document. See the Features facet section for a precise definition of this category.
• Encrypted: Shows if an item is encrypted.
• Exception: Shows if an item had one or more issues indexing properly.
• File Name: The name of a file in the file system, in an archive or used as an attachment name.
• Has Geolocation: Indicates whether the item has geolocation information associated with it.
• Item ID: The ID used internally in Intella’s database to refer to this item.
• Language: The language of the item’s text. The language field is left blank when the language cannot be detected automatically. When the language could not be determined, e.g. because the text is too short or mixes various languages, the value shown will be “unidentified”. Item types that inherently do not have a language, e.g. images or archives, show the “not applicable” value.
• Location: Name of the location in the original evidence data where the item is stored. For example, an email in a PST file would have a location that would start with the folder and file name of the PST file, followed by the mail folder path inside that PST file.
• MIME type: The type of an item according to the MIME standard.
• Native ID: The native ID of the item. Currently only IBM Notes UNID (Universal Notes ID) are listed here. This column may be used for other native ID types in the future.
• Parent Document ID: The ID of a parent document as imported from a load file. This ID is maintained for cross-reference purposes.
• Password: The password with which an encrypted item could be decrypted.
• Recovered: Indicates whether the item has been recovered. See the Features facet section for the definition of the Recovered status.
• Size: The item’s size in bytes.
• Source: The name of the Intella source that holds the item. Typically this is the root folder name or the name of the mail container file (e.g. PST or NSF file).
• Source Path: The path to the evidence, e.g. the PST or NSF file, or the root folder of a Folder source. This helps reviewing items when dealing with a lot of evidence files – the name of the evidence file and the derived source name may not hold enough information to easily discern the origin of the information.
• Subject: The subject of an email or document item – note that some document formats can have both a title and a subject.
• Title: The title of a document item.
• Type: The item’s human-readable type, e.g. “MS PowerPoint Document” or “Email Message”.
• URI: Uniform Resource Identifier, the identifier used internally by Intella for the item in addition to the Item ID.

Email-specific columns:

• All Receivers: The combined list of To, Cc and Bcc agents.
• All Senders: The combined list of From and Sender agents.
• Attached: Whether or not this item is an attachment to an email, conversation or document.
• Attachments: Shows the file names of an email’s attachments.
• Bcc: The addresses in the Bcc header.
• Bcc Count: The total number of unique blind carbon copy email recipients (Bcc).
• Cc: The addresses in the Cc header.
• From: The addressed in the From header.
• Has Attachments: Emails that are marked as having attachments.
• Has Internet Headers: Emails that have regular SMTP headers. When this is not the case, information about e.g. the sender, receiver and dates may still be obtained from other fields, depending on the source format.
• Message Hash: Shows the Message Hash for emails and SMS messages. This hash is used for deduplicating emails and SMS messages in a manner that works across different mail formats and phone data source types.
• Message ID: Shows the Message ID extracted from email messages.
• Recipient Count: The total number of unique email, chat and cellphone recipients.
• Sender: The addresses in the Sender header.
• Source IP: the determined source IP of the email.
• To: The addresses in the To header.
• Unread: Shows if an email item was unread at the time of indexing.
• Visible Recipient Count: The total number of unique visible email, chat and cellphone recipients (To, Cc).

Cellphone-specific columns:

• All Phone Numbers: phone numbers relevant to a phone call, regardless of whether it is an incoming or outgoing call, combined with phone numbers found in contacts.
• Chat Accounts: all instant messaging accounts (Skype, WhatsApp, but also SMS and MMS phone numbers) that have been used to send or receive a chat message.
• Chat Receivers: all instant messaging accounts used to receive a chat message.
• Chat Senders: all instant messaging accounts used to send a chat message.
• Duration: how long the phone call took.
• IMEI: The International Mobile Station Equipment Identity (IMEI) number of the phone from which the item was obtained.
• IMSI: The International Mobile Subscriber Identity (IMSI) associated with the item.
• Incoming Phone Numbers: phone numbers used for incoming phone calls.
• Outgoing Phone Numbers: phone numbers used for outgoing phone calls.

File- and document-specific columns:

• Contributor: The name(s) of the contributor(s) of a document. These are typically authors that edited exiting documents.
• Creator: The name(s) of the creator(s) of a document item. These are typically the initial authors of a document.
• Empty document: Shows that the item has no text while text was expected. Example: a PDF file that contains only images.
• File extension: the file extension of a file, e.g. “doc”, “pdf”.
• Irrelevant: Indicates an item classified as “Irrelevant”.
• MD5 Hash: The MD5 hash that uniquely identifies the item.
• OCRed: Shows whether an OCR method has been applied on this file.
• Page Count: the number of pages of the items as reported by the metadata present in the original evidence item. I.e., this is not a verified and is only possible for certain document formats that support such a metadata attribute.

Columns containing dates:

• Called: The date a phone call was made.
• Content Created: The date that the content was created, according to the document metadata.
• Content Last Modified: The date that the content of the item was last modified, according to the document-internal last modified date.
• Due: The due date of a task.
• Ended: The end date of an appointment, task or journal item.
• Family Date: The family date of the item. Family dates build on primary dates and also take the item hierarchy into account. The family date of an item is defined as the primary date of its top-level parent, i.e. all items in an item family have the same family date. Sorting on Family Date sorts by this date, but also puts attachments and nested items right behind their parent. This is strictly enforced, i.e. two item families with the same family date are not intertwined. This makes it possible to review items in chronological order while maintaining a sense of their context. Certain types of items are skipped when determining the family root, namely all folders, mail containers, disk images, load files and cellphone reports.
• File Created: The date a file was made, according to the file system.
• File Last Accessed: The date a file was last accessed, according to the file system.
• File Last Modified: The date of the last time the file was modified, according to the file system.
• Last Printed: The date a document was last printed, according to the document-internal metadata.
• Primary Date: The date that is the best match for the given item. Default or user-defined rules are used to pick the most appropriate date attribute based on the item’s type.
• Received: The date the item was received.
• Sent: The date the item was sent.
• Started: the start date of an appointment, task or journal item.
• Visited: The last visited date of an item obtained from a browser history or Windows registry.

Review-specific columns:

• Batches: The batches which the item is assigned to.
• Coded: The batches in which the item was coded.
• Comments: Shows if an item has reviewer comments. When this is the case, a yellow note icon is shown in the table. Hover over the icon to see a tooltip with the comments attached to the item.
• Custodian: The custodian associated with the item.
• Exported: Shows if an item has been exported.
• Flagged: Shows a column at the left side of the table that indicates if an item is flagged. Click the checkbox if you want to flag an item.
• Opened: Shows if an item has been opened in its native application.
• Previewed: Shows if an item has been opened in the previewer.
• Redacted: Indicates whether the item has been redacted.
• Tags: Shows the tags connected to an item.

Tag groups (optional) - These columns are created for every top-level tag with sub-tags. If selected, the corresponding column shows the tags within that part of the tag tree. The column will be named after the top-level tag.

Export (optional) - When items have been exported using the export set functionality, a column will be made available for every export set, holding the export IDs within that export set.

8.4. Thumbnails view

The Thumbnails view displays the thumbnails of the images detected within a selected cluster. This includes images embedded in e-mail attachments and images inside documents.

Actions that can be performed in the Thumbnails view are:

• Hover over the thumbnails with your mouse pointer to see a summary of the information associated with the image.
• You can flag an image with the checkbox below the thumbnail.
• When you double-click a thumbnail, the image will open in the previewer.

8.5. Content analysis

The Content Analysis facet allows you to search items based on specific types of entities that have been found in the textual content of these items. Three of the categories in this facet are populated automatically during indexing and are available immediately afterwards. These are: credit card numbers, social security numbers (SSNs) and phone numbers. Three other categories are more computationally expensive to calculate and therefore require a post-processing step. These categories are: person names, organizations, locations and skin tone.

To start the content analysis procedure:

• Select one or more items in the Details view.
• Right-click on one of the selected items and select “Content Analysis” from the popup menu.
• In the dialog window that appears, click “Yes” if you want to clear the results of the previous analysis or “No” to add new results to the existing content of these four categories.

The content analysis procedure will open a separate window that shows the progress of the procedure. The items that have been analyzed can be found by using the “Content Analyzed” category in the Features facet.

Important: please realize the following aspects of the content analysis procedure:

• Content analysis is a heuristic procedure based on knowledge of certain patterns and correlations that occur in natural language texts. Therefore, the quality of the results may vary within a broad probability range.
• Content analysis works best on English texts. The quality of the results may be poor on texts in other languages.
• Content analysis works best on texts containing properly formulated natural language sentences. Unstructured texts (e.g. spreadsheets) usually lead to poor quality of the results.
• Content analysis is both CPU- and memory-intensive. For adequate performance, please make sure that your computer meets the system requirements and that no other processes are taxing your system at the same time. In our experiments the amount of time needed for processing an entire case was roughly similar to the amount of time it took to index the case.