
OST to PDF

21 Posts
11 Users
0 Reactions
2,423 Views
(@bohdi)
Active Member
Joined: 16 years ago
Posts: 11
 

Will Paraben be able to break a .pst file into one or more pdf's that e.g. investigators can study on their own machines?

If yes, what will happen with attachments such as media files?

This looks very interesting from the perspective of "making data available to investigators".


   
Bulldawg
(@bulldawg)
Estimable Member
Joined: 13 years ago
Posts: 190
 

If you're looking to make the data available to investigators, I should mention another product, Intella from Vound Software.

With the full version of Intella, you can load in e-mails and documents, index and search them while preserving all parent and child relationships in a nice graphical interface. Then you can get Intella Viewer licenses for your investigators to look through your case file, search on their own terms, and tag more items of interest to them. All the attachments will be preserved and viewable.

I use Intella now to do just that. I load the e-mails into Intella, index the case, and do some initial searching to see if there's anything useful in the e-mails. If there is, I will hand the case off to an associate who is not necessarily trained in computer forensics and they can do the searching and tagging at a much lower hourly rate.

The price for Intella depends on what version you buy, but I believe the 250GB version (max case size 250GB) is about $4,000. Each Viewer license is an additional $400. Licenses are controlled by dongles. You can also get a fully-functional 14 day demo of Intella 10GB to evaluate.

These sizes sound limiting, but remember you normally only load your e-mails and documents into Intella. I have the 100GB version, and I have had no trouble with that limitation so far.

Intella can also export everything to PDF if you're really set on using PDFs.

Also, the slickest PDFs created from OST or PST files are done using Acrobat Standard or Pro. The plug-in for Outlook can print everything in a folder to a PDF with an index for individual e-mails and all the attachments preserved.


   
(@bohdi)
Active Member
Joined: 16 years ago
Posts: 11
 

Actually - I have the 100GB version of Intella with reviewer dongles available.

We are using it from time to time, but I have not gotten fully acquainted with the software yet.

Paraben is a name I have encountered many times over, and if there is an export mail to pdf functionality, I know that investigators would like that. They like pdf's. I don't, but that is beside the point.

How long have you been using Intella, and how happy are you with the software?


   
Bulldawg
(@bulldawg)
Estimable Member
Joined: 13 years ago
Posts: 190
 

If you have Intella, that can do the PDF export for you. Whether it includes attachments is a setting, I think. For a whole PST, you're looking at many, many thousands of pages. Really not the best solution.

Using Intella as it was intended is a much better solution than simply exporting to PDF and searching through PDFs. I bet if you showed the investigators how to use Intella, they would suddenly prefer that over PDFs. You do have to be careful that it's on a computer that's excluded from your internal network as the PST files will be on that computer and you don't want those opened in the investigator's instance of Outlook.

I have been happy with Intella. I got it about 8 months ago–completely out of the blue showed up on my desk. The other C.F. person in the firm ordered it for me without informing me. When I looked at it, I thought it was useless. I can search in EnCase, thank you. But as cases came, I found more and more uses for it and found it was much easier than searching in EnCase. It also helps find relationships between items and people that a strictly-forensic tool like EnCase would have difficulty revealing.

I've got a case now–the one I mentioned–with 170,000 e-mails. Without Intella, finding relevant e-mails would be a bit like looking for a particular piece of hay in a whole hay stack. With Intella, I can have an associate (read newbie) sit through a quick 4 hour class and turn her loose on the e-mails. She's already turned up some great results. The field personnel are feeding her search terms and she's turning those into intelligent searching and queries and finding results. I couldn't be happier with it, and for the price, it's a no-brainer if you have document or e-mail intensive cases.


   
(@bohdi)
Active Member
Joined: 16 years ago
Posts: 11
 

Thanks for the good feedback on your usage!

I attended an EnCase training appx 3 years ago in Slough, and a fellow student mentioned Intella - and I ordered it for testing.

We have been using it from time to time, but have not established it as a standard tool in our unit yet.

Part of that might be from the fact that none of us have attended any training, and thus feel a bit insecure about the functions of the software.

But, my gameplan would be to have some training from an analyst perspective, and then let the investigators from e.g. financial crime have a course / training to be able to search and build reports better.

So - what kind of training do you have, and what kind of training do the investigators get?


   
Bulldawg
(@bulldawg)
Estimable Member
Joined: 13 years ago
Posts: 190
 

I actually used Intella for many months before I had any training. It's a piece of cake to use effectively. I learned a little in the training, but nothing earth-shattering for me.

Just last week, a few of us (me plus 3 non-computer forensics people) attended the 4 hour webinar Intella offers every month or so. That four hour class was enough to give them a good idea of how to use Intella effectively for searching and tagging. It's $495 plus four hours of their time, so I feel like that's a very good deal. There's another class on April 25. I really think that's enough to get your investigators up to speed on Intella.

Of course, if you find something particularly damning and will go to court with it, you'll probably want to verify everything with EnCase so you can point out things like where on the hard drive the item appears. But, once the investigators find it on their own, it should be pretty easy for you to find it in EnCase (or a similar tool).

I will say this–Intella is a young tool. Each new version has oddities about how it searches. If you use 1.6.3 and do a particular search, you'll get slightly different results than using 1.6.2. This is one of the reasons you'll want to fall back on an EnCase-like tool to verify Intella results for anything you plan to use at trial.


   
pbobby
(@pbobby)
Estimable Member
Joined: 16 years ago
Posts: 239
 

The only issue I have with Intella is that mindmap searching is their only discriminator. The graphical front end wraps around a whole bunch of open source backend processing.

Take a look at the licenses folder and you'll see what I mean. I do not know how much code verification the folks at Vound do before adopting updates to these open source/free libraries.


   
(@paraben)
Eminent Member
Joined: 17 years ago
Posts: 47
 

> Will Paraben be able to break a .pst file into one or more pdf's that e.g. investigators can study on their own machines?
>
> If yes, what will happen with attachments such as media files?
>
> This looks very interesting from the perspective of "making data available to investigators".

Yes, you can break the .pst file by any number of ways such as keyword, sender/receiver, date, folder, etc. for export. If you export to .pst or another email format for others to review, the attachments will stay with the original message.


   
(@angrybadger)
Estimable Member
Joined: 18 years ago
Posts: 164
 

> The only issue I have with Intella is that mindmap searching is their only discriminator. The graphical front end wraps around a whole bunch of open source backend processing.
>
> Take a look at the licenses folder and you'll see what I mean. I do not know how much code verification the folks at Vound do before adopting updates to these open source/free libraries.

You could apply this concern to a bunch of other software.

IEF for example pulls in a whole bunch of open source stuff (about 10 packages), check out the licenses.txt file in its program files folder.

And NUIX IIRC is also sitting on the open source, Apache Derby database.


   
pbobby
(@pbobby)
Estimable Member
Joined: 16 years ago
Posts: 239
 

> You could apply this concern to a bunch of other software.
>
> IEF for example pulls in a whole bunch of open source stuff (about 10 packages), check out the licenses.txt file in its program files folder.
>
> And NUIX IIRC is also sitting on the open source, Apache Derby database.

Exactly… good examples.


   