E Discovery Reviewer Guide

2016-05-23

: Pdf Ediscovery Reviewer Guide eDiscovery_Reviewer_Guide 5.6 eDiscovery ProductUserGuidesForensics-eDisco

Open the PDF directly: View PDF .
Page Count: 334

Download
Open PDF In Browser	View PDF

| 1

AccessData Legal and Contact Information

Document date: December 30, 2014

Legal Information
©2014 AccessData Group, Inc. All rights reserved. No part of this publication may be reproduced, photocopied,
stored on a retrieval system, or transmitted without the express written consent of the publisher.
AccessData Group, Inc. makes no representations or warranties with respect to the contents or use of this
documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any
particular purpose. Further, AccessData Group, Inc. reserves the right to revise this publication and to make
changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.
Further, AccessData Group, Inc. makes no representations or warranties with respect to any software, and
specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose.
Further, AccessData Group, Inc. reserves the right to make changes to any and all parts of AccessData
software, at any time, without any obligation to notify any person or entity of such changes.
You may not export or re-export this product in violation of any applicable laws or regulations including, without
limitation, U.S. export regulations or the laws of the country in which you reside.

AccessData Group, Inc.
1100 Alma Street
Menlo Park, California 94025
USA
www.accessdata.com

AccessData Trademarks and Copyright Information
AccessData®

MPE+ Velocitor™

AccessData Certified Examiner® (ACE®)

Password Recovery Toolkit®

AD Summation®

PRTK®

Discovery Cracker®

Registry Viewer®

Distributed Network Attack®

ResolutionOne™

DNA®

SilentRunner®

Forensic Toolkit® (FTK®)

Summation®

Mobile Phone Examiner Plus®

ThreatBridge™

AccessData Legal and Contact Information

| 2

A trademark symbol (®, ™, etc.) denotes an AccessData Group, Inc. trademark. With few exceptions, and
unless otherwise notated, all third-party product names are spelled and capitalized the same way the owner
spells and and capitalizes its product name. Third-party trademarks and copyrights are the property of the
trademark and copyright holders. AccessData claims no responsibility for the function or performance of thirdparty products.
Third party acknowledgements:
FreeBSD

AFF®

and AFFLIB® Copyright® 2005, 2006, 2007, 2008 Simson L. Garfinkel and Basis Technology
Corp. All rights reserved.

Copyright

BSD License: Copyright (c) 2009-2011, Andriy Syrov. All rights reserved. Redistribution and use in source and
binary forms, with or without modification, are permitted provided that the following conditions are met:
Redistributions of source code must retain the above copyright notice, this list of conditions and the following
disclaimer; Redistributions in binary form must reproduce the above copyright notice, this list of conditions and
the following disclaimer in the documentation and/or other materials provided with the distribution; Neither the
name of Andriy Syrov nor the names of its contributors may be used to endorse or promote products derived
from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE
COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
WordNet License

This license is available as the file LICENSE in any downloaded version of WordNet.
WordNet 3.0 license: (Download)
WordNet Release 3.0 This software and database is being provided to you, the LICENSEE, by Princeton
University under the following license. By obtaining, using and/or copying this software and database, you agree
that you have read, understood, and will comply with these terms and conditions.: Permission to use, copy,
modify and distribute this software and database and its documentation for any purpose and without fee or
royalty is hereby granted, provided that you agree to comply with the following copyright notice and statements,
including the disclaimer, and that the same appear on ALL copies of the software, database and documentation,
including modifications that you make for internal use or for distribution. WordNet 3.0 Copyright 2006 by
Princeton University. All rights reserved. THIS SOFTWARE AND DATABASE IS PROVIDED "AS IS" AND
PRINCETON UNIVERSITY MAKES NO REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED. BY
WAY OF EXAMPLE, BUT NOT LIMITATION, PRINCETON UNIVERSITY MAKES NO REPRESENTATIONS OR
WARRANTIES OF MERCHANT- ABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE
USE OF THE LICENSED SOFTWARE, DATABASE OR DOCUMENTATION WILL NOT INFRINGE ANY THIRD
PARTY PATENTS, COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS. The name of Princeton University or

AccessData Legal and Contact Information

| 3

Princeton may not be used in advertising or publicity pertaining to distribution of the software and/or database.
Title to copyright in this software, database and any associated documentation shall at all times remain with
Princeton University and LICENSEE agrees to preserve same.

Documentation Conventions
In AccessData documentation, a number of text variations are used to indicate meanings or actions. For
example, a greater-than symbol (>) is used to separate actions within a step. Where an entry must be typed in
using the keyboard, the variable data is set apart using [variable_data] format. Steps that require the user to
click on a button or icon are indicated by Bolded text. This Italic font indicates a label or non-interactive item in
the user interface.
A trademark symbol (®, ™, etc.) denotes an AccessData Group, Inc. trademark. Unless otherwise notated, all
third-party product names are spelled and capitalized the same way the owner spells and capitalizes its product
name. Third-party trademarks and copyrights are the property of the trademark and copyright holders.
AccessData claims no responsibility for the function or performance of third-party products.

Registration
The AccessData product registration is done at AccessData after a purchase is made, and before the product is
shipped. The licenses are bound to either a USB security device, or a Virtual CmStick, according to your
purchase.

Subscriptions
AccessData provides a one-year licensing subscription with all new product purchases. The subscription allows
you to access technical support, and to download and install the latest releases for your licensed products during
the active license period.
Following the initial licensing period, a subscription renewal is required annually for continued support and for
updating your products. You can renew your subscriptions through your AccessData Sales Representative.
Use License Manager to view your current registration information, to check for product updates and to
download the latest product versions, where they are available for download. You can also visit our web site,
www.accessdata.com anytime to find the latest releases of our products.
For more information, see Managing Licenses in your product manual or on the AccessData website.

AccessData Contact Information
Your AccessData Sales Representative is your main contact with AccessData. Also, listed below are the general
AccessData telephone number and mailing address, and telephone numbers for contacting individual
departments

AccessData Legal and Contact Information

| 4

Mailing Address and General Phone Numbers
You can contact AccessData in the following ways:

AccessData Mailing Address, Hours, and Department Phone Numbers
Corporate Headquarters:

AccessData Group, Inc.
1100 Alma Street
Menlo Park, California 94025 USAU.S.A.
Voice: 801.377.5410; Fax: 801.377.5426

General Corporate Hours:

Monday through Friday, 8:00 AM – 5:00 PM (MST)
AccessData is closed on US Federal Holidays

State and Local
Law Enforcement Sales:

Voice: 800.574.5199, option 1; Fax: 801.765.4370
Email: Sales@AccessData.com

Federal Sales:

Voice: 800.574.5199, option 2; Fax: 801.765.4370
Email: Sales@AccessData.com

Corporate Sales:

Voice: 801.377.5410, option 3; Fax: 801.765.4370
Email: Sales@AccessData.com

Training:

Voice: 801.377.5410, option 6; Fax: 801.765.4370
Email: Training@AccessData.com

Accounting:

Voice: 801.377.5410, option 4

Technical Support
Free technical support is available on all currently licensed AccessData solutions.
You can contact AccessData Customer and Technical Support in the following ways:
AD Customer & Technical Support Contact Information
AD
SUMMATIONand
AD EDISCOVERY

Americas/Asia-Pacific:
800.786.8369 (North America)
801.377.5410, option 5
Email: legalsupport@accessdata.com

AD IBLAZE and
ENTERPRISE:

Americas/Asia-Pacific:
800.786.2778 (North America)
801.377.5410, option 5
Email: support@summation.com

All other AD
SOLUTIONS

Americas/Asia-Pacific:
800.658.5199 (North America)
801.377.5410, option 5
Email: support@accessdata.com

AD
INTERNATIONAL
SUPPORT

Europe/Middle East/Africa:
+44 (0) 207 010 7817 (United Kingdom)
Email: emeasupport@accessdata.com

AccessData Legal and Contact Information

| 5

AD Customer & Technical Support Contact Information (Continued)
Hours of Support:

Americas/Asia-Pacific:
Monday through Friday, 6:00 AM– 6:00 PM (PST), except corporate holidays.
Europe/Middle East/Africa:
Monday through Friday, 8:00 AM– 5:00 PM (UK-London) except corporate holidays.

Web Site:

http://www.accessdata.com/support/technical-customer-support
The Support website allows access to Discussion Forums, Downloads, Previous
Releases, our Knowledge base, a way to submit and track your “trouble tickets”, and
in-depth contact information.

Documentation
Please email AccessData regarding any typos, inaccuracies, or other problems you find with the documentation:
documentation@accessdata.com

Professional Services
The AccessData Professional Services staff comes with a varied and extensive background in digital
investigations including law enforcement, counter-intelligence, and corporate security. Their collective
experience in working with both government and commercial entities, as well as in providing expert testimony,
enables them to provide a full range of computer forensic and eDiscovery services.
At this time, Professional Services provides support for sales, installation, training, and utilization of FTK, FTK
Pro, Enterprise, eDiscovery, Lab and the entire Resolution One platform. They can help you resolve any
questions or problems you may have regarding these solutions.

Contact Information for Professional Services
Contact AccessData Professional Services in the following ways:

AccessData Professional Services Contact Information
Contact Method

Number or Address

Phone

North America Toll Free: 800-489-5199, option 7
International: +1.801.377.5410, option 7

services@accessdata.com

AccessData Legal and Contact Information

| 6

Contents

AccessData Legal and Contact Information . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Part 1: Introducing Resolution1 eDiscovery

. . . . . . . . . . . . . . . . . . . . . . . . 17

Chapter 1: Introducing Resolution1 eDiscovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
About Resolution1 eDiscovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
About This Reviewer Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Chapter 2: Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
About the AccessData Web Console . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Web Console Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

About User Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
User Account Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

Opening the AccessData Web Console . . . . . . . . . . . . . . . . . . . . . . . . . 21
Installing the Browser Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Installing Components through the Browser . . . . . . . . . . . . . . . . . . . . . 23
Installing Browser Components Manually . . . . . . . . . . . . . . . . . . . . . . 25

Introducing the Web Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
The Project List Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .28
User Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Changing Your Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

Using Elements of the Web Console . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Maximizing the Web Console Viewing Area . . . . . . . . . . . . . . . . . . . . . 33
About Content in Lists and Grids . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

Part 2: Reviewing Project Data .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

Chapter 3: Introduction to Project Review
About Project Review . . . . . . . .
Workflow for Reviewing Projects .
About Date and Time Information .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

.
.
.
About How Time Zones Are Set .

.
.
.
.
Configuring the Date Format Used in Review .

.
.
.
.
.
Configuring the Date Format Used in Production Sets and Export Sets .

Contents

.
.
.
.

.
.
.
.
.

.
.
.
.
.
.

. 40
. 40
. 41
. 41
. 41
. 45
| 7

Chapter 4: Project Review Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Introducing the Project Review Page . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Project Review Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Project Bar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Review Page Panels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

Chapter 5: Customizing the Project Review Layout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Working with Panels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Hiding and Showing Panels . . .
Collapsing and Showing Panels .
Moving Panels . . . . . . . . . . .
Moving Panels to a New Window

.
.
.
.

. 51
. 52
. 52
. 53

Working with Layouts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Selecting a Layout . . . . . . . . .
Resetting Layouts . . . . . . . . . .
Saving Layouts . . . . . . . . . . .
Managing Saved Custom Layouts

.
.
.
.

. 54
. 54
. 54
. 55

Chapter 6: Viewing Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Viewing Data in Panels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Using the Item List Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Viewing Documents in the Item List Panel
Using Columns in the Item List Panel . . .
Using Quick Columns . . . . . . . . . . . .
Using Quick Filters . . . . . . . . . . . . .
Using Views . . . . . . . . . . . . . . . . .
Performing Actions from the Item List . . .

.
.
.
.
.
.

.59
. 60
. 62
. 63
. 63
. 69

Using the Project Explorer Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
The Explore Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
The Navigation Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74

Using Document Viewing Panels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Using the Natural Panel . . . . . . . . . . . . . . . . .
Using the Image Panel . . . . . . . . . . . . . . . . . .
Using the Text Panel . . . . . . . . . . . . . . . . . . .
Using the KFF Details and Detail Information Panels .

.
.
.
.

. 76
. 79
. 80
. 81

Using Document Data Panels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .82
The Activity Panel . . . .
The Similar Panel . . . .
The Production Panel . .
The Notes Panel . . . .
The Conversation Panel
The Family Panel . . . .
The Linked Panel . . . .

Contents

.
.
.
.
.
.
.

. 82
. 83
. 83
. 84
. 85
.86
.88

| 8

Viewing Timeline Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Viewing Graphics and Videos . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .91
Chapter 7: Deleting Documents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Deleting a Document . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92

Part 3: Searching Data . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94

Chapter 8: Introduction to Searching Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
About Searching Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .95
Search Limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96

Chapter 9: Running Searches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Running a Quick Search . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Building Search Phrases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
Using Search Operators . . .
Using Boolean Logic Options
Using ? and * Wildcards . . .
Searching Numbers . . . . . .

.
.
.
.
. . .

.
.
.
.
.

. 99
101
102
103
103

Searching for Virtual Columns
Running a Subset Search . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
Returning to a Previous Search . . . . . . . . . . . . . . . . . . . . . . . . . . . 104

Searching in the Natural Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Using Global Replace . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Committing a Global Replace Job . . . . . . . . . . . . . . . . . . . . . . . . . . 106

Using Dates and Times in Search . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Using Dates and Times in Searches . . . . . . . . . . . . . . . . . . . . . . . . 107
How Time Zone Settings Affect Searches . . . . . . . . . . . . . . . . . . . . . 107
Viewing the Display Time Zone . . . . . . . . . . . . . . . . . . . . . . . . . . . 107

Using the Search Excerpt View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Using Search Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
About Search Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Generating and Downloading a Search Report . . . . . . . . . . . . . . . . . . 110
About the Search Report Details . . . . . . . . . . . . . . . . . . . . . . . . . . 111

Chapter 10: Running Advanced Searches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Running an Advanced Search . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Advanced Search Operators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Advanced Search Operators Exceptions . . . . . . . . . . . . . . . . . . . . . . 115

Contents

| 9

Understanding Advanced Variations . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Using the Term Browser to Create Search Strings . . . . . . . . . . . . . . . . . . 118
Importing Index Search Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
Chapter 11: Re-running Searches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
The Search Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
Running Recent Searches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Clearing Search Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121

Saving a Search . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
Sharing a Search . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Chapter 12: Using Filters to Cull Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
Filtering Data in Case Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
About Filtering Data with Facets .
The Facets Tab . . . . . . . . . .
Available Facet Categories . . .
Examples of How Facets Work .

.
.
.
.

124
127
129
132

Using Facets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
Caching Filter Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Filtering by Column in the Item List Panel . . . . . . . . . . . . . . . . . . . . . . . 139
Clearing Column Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139

Object Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140

Part 4: Using Visualization

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .142

Chapter 13: Using Visualization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Culling Data with Visualization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Files Visualization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Emails Visualization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

143
143
144
147

Chapter 14: Using Visualization Social Analyzer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
About Social Analyzer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
Accessing Social Analyzer . . . . . . . . . .
Social Analyzer Options . . . . . . . . . . .
Analyzing Email Domains in Visualization .
Analyzing Individual Emails in Visualization

.
.
.
.

152
153
154
154

Chapter 15: Using Visualization Heatmap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
Chapter 16: Using Visualization Geolocation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
About Geolocation Visualization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Geolocation Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Contents

| 10

Geolocation Workflow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
General Geolocation Requirements . . . . . . . . . . . . . . . . . . . . . . . . . 158

Viewing Geolocation EXIF Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
Using Geolocation Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
The Geolocation Map Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160

Using the Geolocation Grid . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Filtering Items in the Geolocation Grid . . . . . . . . . . . . . . . . . . . . . . . 163

Using Geolocation Columns in the Item List . . . . . . . . . . . . . . . . . . . . . . 164
Using Geolocation Column Templates . . . . . . . . . . . . . . . . . . . . . . . 165

Using Geolocation Facets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
Using Geolocation Visualization to View Security Data . . . . . . . . . . . . . . . 166
Prerequisites for Using Geolocation Visualization to View Security Data .
Viewing Geolocation IP Locations Data . . . . . . . . . . . . . . . . . . .
Using the Geolocation Network Information Grid . . . . . . . . . . . . . .
Geolocation Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Part 5: Using Litigation and eDiscovery Tools .

.
.
.
.

166
168
168
169

. . . . . . . . . . . . . . . . . . . . .172

Chapter 17: Working with Transcripts and Exhibits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Working with Transcripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Formatting Transcripts . . . . . . . . . . . .
The Transcript Panel . . . . . . . . . . . . .
Viewing Transcripts . . . . . . . . . . . . . .
Annotating Transcripts . . . . . . . . . . . .
Searching in Transcripts . . . . . . . . . . .
Displaying Selected Notes . . . . . . . . . .
Displaying Selected Highlights. . . . . . . .
Opening Multiple Transcripts. . . . . . . . .
Generating Reports on Multiple Transcripts

.
.
.
.
.
.
.
.
.

173
176
177
177
180
180
180
181
181

Culling Transcripts and Exhibits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
Using the Explorer Panel to Cull Transcripts and Exhibits . . . . . . . . . . . . 182
Using Object Type Facets to Cull Transcripts and Exhibits . . . . . . . . . . . . 182

The Exhibits Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
Viewing Exhibits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183

Chapter 18: Imaging Documents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
Converting a Document to an Image . . . . . . . . . . . . . . . . . . . . . . . . . . 184
TIFF on the Fly . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
Chapter 19: Applying Tags . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
The Tags Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190

Contents

| 11

The Labeling Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
Applying Labels to Single Documents . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Removing Labels from a Single Document . . . . . . . . . . . . . . . . . . . . . 193

Applying Labels to Multiple Documents . . . . . . . . . . . . . . . . . . . . . . . . . 194
Removing Labels from Multiple Documents . . . . . . . . . . . . . . . . . . . . 195

Viewing Documents with Tags . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
Viewing Documents with a Label Applied . . . . . . . . . . . . . . . . . . . . . 196
Viewing Documents with an Issue Coded . . . . . . . . . . . . . . . . . . . . . 196
Viewing Documents with a Category Coded . . . . . . . . . . . . . . . . . . . . 196

Using the Case Organizer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
About Case Organizer Categories and Organization . . . . . . . . . . . . . . . 197

Chapter 20: Coding Documents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
The Review Sets Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
The Review Batches Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
Checking In/Out a Review Set . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201

Coding in the Grid . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
Editable Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202

Using the Coding Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
The Coding Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
Coding Single Documents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
Coding Multiple Documents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207

Predictive Coding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Understanding Predictive Coding
Instructing Predictive Coding . .
Obtaining a Confidence Score . .
Applying Predictive Coding . . .
Performing Quality Control . . . .

.
.
.
.
.

209
210
211
212
213

Chapter 21: Annotating Evidence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
About Annotating Evidence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Prerequisites for Annotating . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
About Generating SWF Files for Annotating . . . . . . . . . . . . . . . . . . . . . .
Accessing SWF Files for Annotating . . . . . . . . . . . . . . . . . . . . . . . . . . .
About Annotating Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Profiles and Markup Sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

214
214
214
215
216
217
219

Selecting a Highlight Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
Selecting a Markup Set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219

Adding a Note . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
Editing a Note. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
Adding a Highlight . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
Adding a Text-Based Highlight . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222

Contents

| 12

Adding a Drawn Highlight . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222

Adding a Link . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
Adding a Redaction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
Adding a Text-Based Redaction . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
Adding a Drawn Redaction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
Toggling Redactions On and Off . . . . . . . . . . . . . . . . . . . . . . . . . . . 225

Chapter 22: Bulk Printing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
Bulk Printing Multiple Documents . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
Network Bulk Printing . . .
Local Bulk Printing . . . .
General Print Options . . .
Bulk Print Dialog Options .

.
.
.
.
Viewing Print Statuses . . . . . .
Viewing Print Logs . . . . .

.
.
.
.
.
.

227
227
227
228
228
229

Chapter 23: Managing Review Sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
Creating a Review Set . . . . . . . . . .
Deleting Review Sets . . . . . . . . . . .
Renaming a Review Set . . . . . . . . .
Manage Permissions for Review Sets .

Part 6: Exporting Data . .

. . . . . . . . . . . . . . . . . . . . . . . . . 230
. . . . . . . . . . . . . . . . . . . . . . . . . 232
. . . . . . . . . . . . . . . . . . . . . . . . . 233
. . . . . . . . . . . . . . . . . . . . . . . . . 234

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .235

Chapter 24: Introduction to Exporting Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
About Exporting Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
Export Tab . . . . . . . . . .
Production Set History Tab .
Export Set History Tab . . .
Exporting Export Sets . . .

.
.
.
.

237
237
239
240

Chapter 25: Creating Production Sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
Points to Consider . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241

Production Set General Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243
Production Set Files to Include Options . . . . . . . . . . . . . . . . . . . . . . . . . 244
Volume Document Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246

Production Set Image Branding Options . . . . . . . . . . . . . . . . . . . . . . . . 253
Additional Production Set Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
Saving Production Set Options as a Template . . . . . . . . . . . . . . . . . . . 256
Deleting a Production Set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
Sharing a Production Set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256

Contents

| 13

Chapter 26: Exporting Production Sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
Exporting a Production Set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
Export Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
Chapter 27: Creating Export Sets. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
Creating Export Sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
Creating an AD1 Export . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260

AD1 Export General Options . . . .
Creating a Native Export . . . . . . .
Native Export General Options . . .
Native Export Files to Include . . . .
Export Volume Document Options .
Export Excel Rendering Options . .
Export Word Rendering Options . .
Creating a Load File Export . . . . .
Load File General Options . . . . . .
Load File Options . . . . . . . . . . .
Load File Files to Include Options .

Part 7: Reference . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . 262
. . . . . . . . . . . . . . . . . . . . . . . . . . . 264
. . . . . . . . . . . . . . . . . . . . . . . . . . . 265
. . . . . . . . . . . . . . . . . . . . . . . . . . . 267
. . . . . . . . . . . . . . . . . . . . . . . . . . . 269
. . . . . . . . . . . . . . . . . . . . . . . . . . . 271
. . . . . . . . . . . . . . . . . . . . . . . . . . . 273
. . . . . . . . . . . . . . . . . . . . . . . . . . . 274
. . . . . . . . . . . . . . . . . . . . . . . . . . . 275
. . . . . . . . . . . . . . . . . . . . . . . . . . . 276
. . . . . . . . . . . . . . . . . . . . . . . . . . . 278

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .280

Chapter 28: Getting Started with KFF (Known File Filter) . . . . . . . . . . . . . . . . . . . . . . . . . . 281
About KFF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
Introduction to the KFF Architecture . . . . . . . . . . . . . . . . . . . . . . . . 282
Components of KFF Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
How KFF Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284

About the KFF Server and Geolocation . . . . . . . . . . . . . . . . . . . . . . . . . 286
Installing the KFF Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287
About Installing the KFF Server . . . . . . . . . . . . . . . . . . . . . . . . . . . 287
About KFF Server Versions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287
Installing the KFF Server Service . . . . . . . . . . . . . . . . . . . . . . . . . . 287

Configuring the Location of the KFF Server . . . . . . . . . . . . . . . . . . . . . . 288
Configuring the KFF Server Location on FTK-based Computers . . . . . . . . 288
Configuring the KFF Server Location on Resolution1 and Summation Applications
288

Migrating Legacy KFF Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
Importing KFF Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
About Importing KFF Data . . . . . . . . .
Using the KFF Import Utility . . . . . . . .
Importing Pre-defined KFF Data Libraries
Installing the Geolocation (GeoIP) Data .

Contents

.
.
.
.

291
292
294
297

| 14

About CSV and Binary Formats . .
Uninstalling KFF . . . . . . . . . . . .
Installing KFF Updates . . . . . . . .
KFF Library Reference Information

. . . . . . . . . . . . . . . . . . . . . . . . . . . 298
. . . . . . . . . . . . . . . . . . . . . . . . . . . 301
. . . . . . . . . . . . . . . . . . . . . . . . . . . 302
. . . . . . . . . . . . . . . . . . . . . . . . . . . 303

About KFF Pre-Defined Hash Libraries . . . . . . . . . . . . . . . . . . . . . . . 303

What has Changed in Version 5.6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
Chapter 29: Using KFF (Known File Filter) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
About KFF and De-NIST Terminology . . . . . . . . . . . . . . . . . . . . . . . . .
Process for Using KFF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Configuring KFF Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Adding Hashes to the KFF Server . . . . . . . . . . . . . . . . . . . . . . . . . . . .
About the Manage KFF Hash Sets Page . . . . . . .
Importing KFF Data . . . . . . . . . . . . . . . . . . .
Manually Creating and Managing KFF Hash Sets . .
Adding Hashes to Hash Sets Using Project Review.

.
.
.
.

309
309
310
310
311
311
312
314
315

Using KFF Groups to Organize Hash Sets . . . . . . . . . . . . . . . . . . . . . . . 317
About KFF Groups . . . . . . . . . . .
Creating a KFF Group . . . . . . . . .
Viewing the Contents of a KFF Group
Managing KFF Groups . . . . . . . . .
About the Manage KFF Groups Page

.
.
.
.
.

317
318
318
318
319

Enabling a Project to Use KFF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
About Enabling and Configuring KFF . . . . . . . . . . . . . . . . . . . . . . . . 321
Enabling and Configuring KFF . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321

Reviewing KFF Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
Viewing KFF Data Shown on the Project Details Page
About KFF Data Shown in the Review Item List . . . .
Using the KFF Information Quick Columns. . . . . . .
Using Quick Filters . . . . . . . . . . . . . . . . . . . .
Using the KFF Facets . . . . . . . . . . . . . . . . . .
Viewing Detailed KFF Data . . . . . . . . . . . . . . .

.
.
.
.
.
.

323
323
323
324
325
326

Re-Processing KFF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327
Exporting KFF Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328
About Exporting KFF Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328
Exporting KFF Groups and Hash Sets . . . . . . . . . . . . . . . . . . . . . . . 328

Chapter 30: Integrating with AccessData Forensics Products . . . . . . . . . . . . . . . . . . . . . . 330
Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331
Managing User Accounts and Permissions Between
FTK and Summation/Resolution1 eDiscovery . . . . . . . . . . . . . . . . . . 331
Creating and Viewing Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331
Managing Evidence in FTK . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331

Contents

| 15

Reviewing Evidence in FTK . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332
Reviewing FTK Data in Summation . . . . . . . . . . . . . . . . . . . . . . . . . 333

Known Issues with FTK Compatibility . . . . . . . . . . . . . . . . . . . . . . . . . 334

Contents

| 16

Part 1

Introducing Resolution1
eDiscovery

This part introduces Resolution1 eDiscovery and includes the following chapters:
Introducing
Getting

AccessData eDiscovery (page 31)

Started (page 19)

| 17

Chapter 1

Introducing Resolution1 eDiscovery

About Resolution1 eDiscovery
Resolution1 eDiscovery helps you to identify and collect relevant data in-house to address electronic discovery

from beginning to end. You can run collections across the entire enterprise Network of a company. The collected
evidence can then be processed, reviewed, and exported.
The reports are enhanced by the use of keyword searches and filters to gather only relevant data that pertains to
a case. The resulting production set can then be exported into an AD1 format, or into a variety of load file
formats such as Concordance, Summation, EDRM, Introspect, and iConect.

About This Reviewer Guide
This Resolution1 Reviewer Guide explains how to use Project Review to analyze the data in your projects.
This guide includes the following parts:
Getting

Started (page 19)

Reviewing

Project Data (page 39)

Searching

Data (page 94)

Using

Visualization (page 142)

Using

Litigation and eDiscovery Tools (page 172)

Exporting

Data (page 235)

Reference

(page 280)

For information about administrating the AccessData Resolution1 eDiscovery product and projects, see the
Resolution1 eDiscovery Admin Guide.
For information about new features, fixed issues, and known issues, see the Resolution1 eDiscovery Release
Notes.
You can download the Admin Guide and Release Notes from the Help/Documentation link.
See User Actions on page 31.

| 18

Chapter 2

Getting Started

Terminology
The Resolution1 platform is a platform of litigation support and cyber security suite of products. To better reflect
how each of AccessData’s applications work within the Resolution1 platform, AccessData has renamed the
individual products of the Resolution1 platform. The following table lists the name changes:

Application Name Changes
Previous Name

New Name

CIRT

Resolution1 CyberSecurity

eDiscovery

Resolution1 eDiscovery

To provide greater compatibility between products, some terminology in the user interface and documentation
has been consolidated. The following table lists the common terminology:

Terminology Changes
Previous Term

New Term

Case

Project

Custodian

Person

Custodians

People

System Console

Work Manager Console

Security Log

Activity Log

Audit Log

User Review Activity

About the AccessData Web Console
The application displays the AccessData web-based console that you can open from any computer connected to
the network.
All users are required to enter a username and password to open the console.

Getting Started

Terminology

| 19

What you can see and do in the application depends on your product license and the rights and permissions
granted to you by the administrator. You may have limited privileges based on the work you do.
See About User Accounts on page 20.

Web Console Requirements
Software Requirements
The following are required for using the features in the web console:
Windows-based
Internet

PC running the Internet Explorer web browser:

Explorer 9 or higher is required for full functionality of most features.

Internet

Explorer 10 or higher is required for full functionality of all features. (Some new features use
HTML5 which requires version 10 or higher.
Note: If you have issues with the interface displaying correctly, view the application in compatibility

view for Internet Explorer.
The
Internet

console may be opened using other browsers but will not be fully functional.
Explorer Browser Add-on Components

Microsoft
Adobe

Silverlight--Required for the console.

Flash Player--Required for imaging documents in Project Review.

AccessData

console components

AD

NativeViewer--Required for viewing documents in the Alternate File Viewer in Project Review.
Includes Oracle OutsideX32.

AD

Bulk Print Local--Required for printing multiple records using Bulk Printing in Project Review.
To use these features, install the associated applications on each users’ computer.
See Installing the Browser Components on page 23.

Hardware Recommendations
Use

a display resolution of 1280 x 1024 or higher.
Press F11 to display the console in full-screen mode and maximize the viewing area.

About User Accounts
Each user that uses the web console must log in with a user account. Each account has a username and
password. Administrators configure the user accounts.
User accounts are granted permissions based on the tasks those users perform. For example, one account may
have permissions to create and manage projects while another account has permissions only to review files in a
project.
Your permissions determine which items you see and the actions you can perform in the web console.
There is a default Administrator account.

Getting Started

About User Accounts

| 20

User Account Types
Depending on how the application is configured, your account may be either an Integrated Windows
Authentication account or a local application account.
The type of account that you have will affect a few elements in the web interface. For example, if you use an
Integrated Windows Authentication account, you cannot change your password within the console. However,
you can change your password within the console if you are using an application user account.

Opening the AccessData Web Console
You use the AccessData web console to perform application tasks.
See About the AccessData Web Console on page 19.
You can launch the console from an approved Web browser on any computer that is connected to the
application server on the network.
See Web Console Requirements on page 20.
To start the console, you need to know the IP address or the host name of the computer on which the application
server is installed.
When you first access the console, you are prompted to log in. Your administrator will provide you with your
username and password.

To open the web console
1.

Open Internet Explorer.
Note: Internet Explorer 7 or higher is required to use the web console for full functionality. Internet
Explorer 10 or 11 is recommended.

Enter the following URL in the browser’s address field:
https:///ADG.map.Web/
where is the host name or the IP address of the application server.
This opens the login page.
You can save this web page as a favorite.

One of two login pages displays:
If you are using Integrated Windows Authentication, the following login page displays.

Integrated Windows Authentication Page

Getting Started

Opening the AccessData Web Console

| 21

Note: If you are using Integrated Windows Authentication and are not on the domain, you will see a
Windows login prompt.
If you are not using Integrated Windows Authentication, the login page displays the product name and
version for the product license that your organization is using and provides fields for your username and
password.

Non-Integrated Windows Authentication Login

On the login page, enter the username and password for your account.
If you are logging in as the administrator for the very first time and have not enabled Integrated Window
Authentication, enter the pre-set default user name and password. Contact your technical support or
sales representative for login information.

Click Sign In.
If you are authenticated, the application console displays.
If you cannot log in, contact your administrator.

The first time the web console is opened on a computer, you may be prompted to install the following
plug-ins:
Microsoft
Adobe
AD

Silverlight

Flash Player

Alternate File Viewer (Native Viewer)

AD

Bulk Print Local
Download the plug-ins. When a pop-up from Internet Explorer displays asking to run or download the
executable, click Run. Complete the install wizard to finish installing the plug-in.
See Web Console Requirements on page 20.
See Installing Browser Components Manually on page 25.

Getting Started

Opening the AccessData Web Console

| 22

Installing the Browser Components
To use all of the features of the web console, each computer that runs the web console must have Internet
Explorer and the following add-ons:
Microsoft
Adobe

Silverlight--Required for the console.

Flash Player--Required for imaging documents in Project Review.

AccessData

NativeViewer--Required for imaging documents in Project Review.
This includes the Oracle OutsideX32 plug-in.

AccessData

Local Bulk Print--Required for printing multiple records using Bulk Printing in Project Review

Important: Each computer that runs the console must install the required browser components. The installations
require Windows administrator rights on the computer.
Upon first login, the web console will detect if the workstation's browser does not have the required versions of
the add-ons and will prompt you to download and install the add-ons.

See Installing Components through the Browser on page 23.
See Installing Browser Components Manually on page 25.

Installing Components through the Browser
Microsoft Silverlight
To install Silverlight
1.

If you need to install Silverlight, click Click now to install in the Silverlight plug-in window.

Click Run in the accompanying security prompts.

On the Install Silverlight dialog, Install Now.
When the Silverlight installer completes, on the Installation successful dialog, click Close.

Getting Started

Installing the Browser Components

| 23

If the web browser does not display the AD logo and then the console, refresh the browser window.

The application Main Window displays and you can install Flash Player from the plug-in installation bar.

Adobe Flash Player
To install Flash Player
1.

If you need to install Flash Player, click the Flash Player icon.

Click Download now.

Click Run in the accompanying security prompts.

Complete the installation.

Refresh the browser.

Once the application is installed, you need to install the Alternate File Viewer and Local Bulk Print software. You
can find the links to download the add-ons in the dropdown in the upper right corner of the application.

AccessData NativeViewer
To install the AD NativeViewer
1.

From the User Actions dropdown, select AD Alternate File Viewer.

Click RUN on the NearNativeSetup.exe prompt.

Click Next on the InstallShield Wizard dialog.

Click Next on the Custom Setup dialog.

Click Install on the Ready to Install the Program dialog.

Allow the installation to proceed and then click Finish.

Close the browser and re-log in.

Click Allow on the ADG.UI.Common.Document.Views.NearNativeControl prompt.

Refresh the browser.

Getting Started

Installing the Browser Components

| 24

AccessData Local Bulk Print
To install the Local Bulk Print add-on
1.

From the User Actions dropdown, select AD Local Bulk Print.

Click Run at the AccessData Local Bulk Print .exe prompt in Internet Explorer.

In the InstallShield Wizard dialog, click Next.

Accept the license terms and click Next.

Accept the default location in the Choose Destination Location dialog and click Next.

Click Install on the Ready to Install the Program dialog.

Click Finish.

Installing Browser Components Manually
You can use EXE files to install the components outside of the browser. You can run these locally or use
software management tools to install them remotely.

Installing AD Alternate File Viewer
To install the Alternate File Viewer add-on, navigate to the following path on the server:

C:\Program Files (x86)\AccessData\MAP\NearNativeSetup.exe
To install the AD Alternate File Viewer add-on
1.

Run the NearNativeSetup.MSI file.

Click Next on the InstallShield Wizard dialog.

Click Next on the Custom Setup dialog.

Click Install on the Ready to Install the Program dialog.

Allow the installation to proceed and then click Finish.

Installing the Local Bulk Print Tool
To install the Local Bulk Print tool, navigate to the following path on the server:

C:\Program Files (x86) \AccessData\MAP\AccessDataBulkPrintLocal.exe
To install the Local Bulk Print add-on
1.

Run the AccessDataBulkPrintLocal.exe . The wizard should appear.

Click Next to begin.

Click Next on the Select Installation Folder dialog.

Click Next. After the installation is complete, click Close.

Installing Adobe Flash Player
Visit http://get.adobe.com/flashplayer/ and follow the prompts to install the flash player.

Getting Started

Installing the Browser Components

| 25

Introducing the Web Console
The user interface for the application is the AccessData Web console. The console includes different tabs and
elements.

The items that display in the console are determined by the following:
Your

application’s license

Your

user permissions

The main elements of the application are listed in the following table. Depending on the license that you own and
the permissions that you have, you will see some or all of the following:

Component

Description

Navigation bar

This lets you open multiple pages in the console.

Home page

The Home page lets you create, view, manage, and review projects based on the
permissions that you have. This is the default page when you open the console.
See Using the Project Management Home Page on page 194.

Getting Started

Introducing the Web Console

| 26

Component

Description

Dashboard

(Available in Resolution1 CyberSecurity, Resolution1, and Resolution1 eDiscovery)
The Dashboard allows you to view important event information in an easy-to-read
visual interface.
See Using the Dashboard on page 605.

Data Sources

The Data Sources tab lets you manage people, computers, network shares, evidence,
as well as several different connectors. This tab allows you to manage these data
sources throughout the system, not just by project.
See About Data Sources on page 115.

Lit Hold

(Available in Resolution1 CyberSecurity and Resolution1 eDiscovery)
The Lit Hold tab lets you create and manage litigation holds.
See Managing Litigation Holds on page 376.

Alerts

(Available in Resolution1 CyberSecurity, Resolution1, and Resolution1 eDiscovery)
The Alerts tab allows you to view alerts as they enter the user interface. Viewing Alerts
on page 540

Management
(gear icon)

The Management page lets administrators perform global management tasks.
See Opening the Management Page on page 44.

User Actions

Actions specific to the logged-in user that affects the user’s account.
See User Actions on page 31.

Project
Review

The Project Review page lets you analyze, filter, code and label documents for a
selected project.
You access Project Review from the Home page.
See the Reviewer Guide for more information on Project Review. You can download the
Reviewer Guide from the Help/Documentation link. See User Actions on page 31.

Getting Started

Introducing the Web Console

| 27

The Project List Panel
The Home page includes the Project List panel. The Project List panel is the default view after logging in. Users
can only view the projects for which they have created or been given permissions.

Administrators and users, given the correct permissions, can use the project list to do the following:
Create
View

projects.

a list of existing projects.

Add

evidence to a project.
See Importing Data on page 354.

Launch

Project Review.

If you are not an administrator, you will only see either the projects that you created or projects to which you
were granted permissions.
The following table lists the elements of the project list. Some items may not be visible depending on your
permissions.

Getting Started

The Project List Panel

| 28

Elements of the Project List
Element

Description

Create New Project

Click to create a new project.
See Creating a Project on page 206.

Filter Options

Allows you to search and filter all of the projects in the project list. You can
filter the list based on any number of fields associated with the project,
including, but not limited to the project name.
See Filtering Content in Lists and Grids on page 36.

Filter Enabled

Displayed if you have enabled a filter.

Project Name Column

Lists the names of all the projects to which the logged-in user has permissions.

Action Column

Allows you to add evidence to a project or enter Project Review.
Add Data
Allows you to add data to the selected project.

Project Review
Allows you to review the project using Project Review.
See the Reviewer Guide for more information on using Product Review. You
can download the Reviewer Guide from the Help/Documentation link. See
Changing Your Password on page 32.
Processing Status Column

Lists the status of the projects:
Not Started - The project has been created but no evidence has been added.
Processing - Evidence has been added and is still being processed.
Completed - Evidence has been added and processed.
Note: When processing a small set of evidence, the Processing Status may
show a delay of two minutes behind the actual processing of the evidence.
You may need to refresh the list to see the current status. See Refresh below.

Size Column

Lists the size of the data within the project.

Page Size drop-down

Allows you to select how many projects to display in the list.
The total number of projects that you have permissions to see is displayed.

Total

Lists the total number of projects displayed in the Project List.

Page

Allows you to view another page of projects.
Refresh

If you create a new project, or make changes to the list, you may need to
refresh the project list

Custom Properties

Add, edit, and delete custom columns with the default value that will be listed
in the Project list panel. When you create a project, this additional column will
be listed in the project creation dialog.
See Adding Custom Properties on page 199.

Project Property

Clone the properties of an existing project to another project. You can apply a
single project’s properties to another project, or you can pick and choose
properties from multiple individual projects to apply to a single project.
See Using Project Properties Cloning on page 220.

Cloning

Getting Started

The Project List Panel

| 29

Element
Export to CSV

Description
Export the Project list to a .csv file. You can save the file and open it in a
spreadsheet program.
Add or remove viewable columns in the Project List.

Columns
Highlight project and click Delete Project to delete it from the Project List.
Delete

Getting Started

The Project List Panel

| 30

User Actions
Once in the web console, you can preform user actions that are specific to you as the logged-in user. You access
the options by clicking on the logged-in user name in the top right corner of the console.

User Actions

User Actions
Link

Description

Logged-on user

The username of the logged-on user is displayed; for example, administrator.

Change password

Lets the logged-on user change their password.
See Changing Your Password on page 32.
Note: This function is hidden if you are using Integrated Windows
Authentication.

Help/ Documentation

Lets you to access the latest version of the Release Notes and User Guide.
The files are in PDF format and are contained in a ZIP file that you can
download.

Manage My Notifications

Lets you to manage the notifications that you have created and that you belong
to.
See About Managing Notifications for a Job on page 411.
You can delete notifications, export the notifications list to a CSV file, and filter
the notifications with the Filter Options.
See Filtering Content in Lists and Grids on page 36.

Download Alternate File
Viewer

Lets you to download the Alternate FIle Viewer application.
See AccessData NativeViewer on page 24.

Download Local Bulk
Print software

Lets you to access the latest version of the Local Bulk Print software. See
AccessData Local Bulk Print on page 25.

Logout

Logs you off and returns you to the login page.
Note: This function is hidden if you are using Integrated Windows
Authentication.

Getting Started

User Actions

| 31

Changing Your Password
Note: This function is hidden if you are using Integrated Windows Authentication. You must change your
password using Windows.
Any logged-in user can change their password. You may want to change your password for one of the following
reasons:
You

are changing a default password after you log in for the first time.

You

are changing your password on a schedule, such as quarterly.

You

are changing your password after having a password reset.

To change your own password
1.

In the upper right corner of the console, click Change Password.

Change User Password

In the Change User Password dialog, enter the current password and then enter and confirm the new
password in the respective fields. The following are password requirements:
The

password must be between 7 - 50 characters.

At

least one Alpha character.

At

least one non-alphanumeric character.

Click OK.

Getting Started

User Actions

| 32

Using Elements of the Web Console
Maximizing the Web Console Viewing Area
You can press F11 to display the console in full-screen mode.

About Content in Lists and Grids
Many objects within the console are made up of lists and grids. Many elements in the lists and grids recur in the
panels, tabs, and panes within the interface. The following sections describe these recurring elements.
You can manage how the content is displayed in the grids.
See

Refreshing the Contents in List and Grids on page 33.

See

Managing Columns in Lists and Grids on page 34.

See

Sorting by Columns on page 33.

See

Filtering Content in Lists and Grids on page 36.

See

Changing Your Password on page 32.

Refreshing the Contents in List and Grids
There may be times when the list you are looking at is not dynamically updated. You can refresh the contents by
clicking

Sorting by Columns
You can sort grids by most columns.

To sort a grid by columns
1.

Click the column head to sort by that column in an ascending order.
A sort indicator (an up or down arrow) is displayed.

Click it a second time to sort by descending order.

Sorting By Multiple Columns
In the Item List in Project Review, you can also sort by multiple columns. For example, you can do a primary sort
by file type, and then do a second sort by file size, then a third sort by accessed date.

To sort a grid by columns
1.

Click the column head to sort by that column in an ascending order.
A sort indicator (an up or down arrow) is displayed.

Click it a second time to sort by descending order.

Getting Started

Using Elements of the Web Console

| 33

In the Item List in Project Review, to perform a secondary search on another column, hold Shift+Alt keys
and click another column.
A sort indicator is displayed for that column as well.

You can repeat this for multiple columns.

Moving Columns in a Grid View
You can rearrange columns in a Grid view in any order you want. Some columns have pre-set default positions.
Column widths are also sizable.

To move columns
In the Grid view, click and drag columns to the position you want them.

Managing Columns in Lists and Grids
You can select the columns that you want visible in the Grid view. Project managers can create custom columns
in the Custom Fields tab on the Home page.
See Configuring Custom Fields on page 263.
For additional information on using columns, see Using Columns in the Item List Panel in the Reviewer Guide.

To manage columns
1.

In the grid, click

Columns.

In the Manage Columns dialog, there are two lists:
Available

Columns
Lists all of the Columns that are available to display. They are listed in alphabetical order.
If the column is configured to be in the Visible Columns, it has a
If the column is not configured to be in the Visible Columns, it has a

.
.

If the column is a non-changeable column (for example, the Action column in the Project List), it has
a
.
Visible

Columns
Lists all of the Columns that are displayed. They are listed in the order in which they appear.

Getting Started

Using Elements of the Web Console

| 34

Manage Columns Dialog

To configure columns to be visible, in the Available Columns list, click the
visible.

for the column you want

To configure columns to not be visible, in the Visible Columns list, click the
not visible.

for the column you want

To change the display order of the columns, in the Visible Columns list, select a column name and click
or

to change the position.

Click OK.

Managing the Grid’s Pages
When a list or grid has many items, you can configure how many items are displayed at one time on a page. This
is helpful for customizing your view based on your display size and resolution and whether or not you want to
scroll in a list.

To configure page size
1.

Below a list, click the Page Size drop-down menu.

Select the number of items to display in one page.

Use the arrows by Page n of n to view the different pages.

Getting Started

Using Elements of the Web Console

| 35

Filtering Content in Lists and Grids
When a list or grid has many items, you can use a filter to display a portion of the list. Depending on the data you
are viewing, you have different properties that you can filter for.
For example, when looking at the Activity Log, there could be hundreds of items. You may want to view only the
items that pertain to a certain user. You can create a filter that will only display items that include references to
the user.
For example, you could create the following filter:
Activity

contains BSmith

This would include activities that pertain to the BSmith user account, such as when the account was created and
permissions for that user were configured.
You could add a second filter:
Activity

contains BSmith

OR Username =

BSmith

This would include the activities performed by BSmith, such as each time she logged in or created a project.
In this example, because an OR was used instead of an AND, both sets of results are displayed.
You can add as many filters as needed to see the results that you need.

To use filters
1.

Above the list, click Filter Options.
This opens the filter tool.

Filter Options

Use the Property drop-down to select a property on which to filter.
This list will depend on the page that you are on and the data that you are viewing.

Use the Operator drop-down to select an operator to use.
See Filter Operators on page 37.

Use the Value field to enter the value on which you want to filter.
See Filter Value Options on page 38.

Click Apply.
The results of the filter are displayed.
Once a filter had been applied, the text Filter Enabled is displayed in the upper-right corner of the panel.
This is to remind you that a filter is applied and is affecting the list of items.

To further refine the results, you can add additional filters by clicking

When adding additional filters, be careful to properly select And/Or.
If you select And, all filters must be true to display a result. If you select OR, all of the results for each
filter will be displayed.

Getting Started

Add .

Using Elements of the Web Console

| 36

After configuring your filters, click Apply.

To remove a single filter, click

Delete.

10. To remove all filters, click Disable or Clear All.
11. To hide the filter tool, click Filter Options.

Filter Operators
The following table lists the possible operators that can be found in the filter options. The operators available
depend upon what property is selected.

Filter Operators
Operator

Description

Searches for a value that equals the property selected. This operator is available
for almost all value filtering and is the default value.

Searches for a value that does not equal the property selected. his operator is
available for almost all value filtering.

Searches for a value that is greater than the property selected. This operator is
available for numerical value filtering.

Searches for a value that is less than the property selected. This operator is
available for numerical value filtering.

Searches for a value that is greater than and/or equal to the property selected.
This operator is available for numerical value filtering.

Searches for a value that is less than and/or equal to the property selected. This
operator is available for numerical value filtering.

Contains

Searches for a text string that contains the value that you have entered in the
value field. This operator is available for text string filtering.

StartsWith

Searches for a text string that starts with the value that you have entered in the
value field. This operator is available for text string filtering.

EndsWith

Searches for a text string that ends with a value that you have entered in the
value field. This operator is available for text string filtering.

Getting Started

Using Elements of the Web Console

| 37

Filter Value Options
The following table lists the possible value options that can be found in the filter options. The value options
available depend upon what property is selected.

Filter Value Options
Value Option

Description

Blank field

This value allows you to enter a specific item that you can search for. The
Description property is an example of a property where the value is a blank field.

Date value

This value allows you to enter a specific date that you can search for. You can
enter the date in a m/d/yy format or you can pick a date from a calendar. The
Creation Date property is an example of a property where the value is entered as
a date value.

Pulldown

This value allows you to select from a pulldown list of specific values. The
pulldown choices are dependent upon the property selected. The Priority
property with the choices High, Low, Normal, Urgent is an example of a property
where the value is chosen from a pulldown.

Getting Started

Using Elements of the Web Console

| 38

Part 2

Reviewing Project Data

This part describes how to review project data and includes the following sections:
Introduction
Project

to Project Review (page 40)

Review Page (page 46)

Customizing

the Project Review Layout (page 51)

Viewing

Data (page 56)

Deleting

Documents (page 92)

Reviewing Project Data

| 39

Chapter 3

Introduction to Project Review

This guide is designed to aid reviewers in performing tasks in Project Review.

About Project Review
In Project Review, you can review documents, electronic data, and transcripts in a web-based console. You can

cull and filter the data in a particular project and search for specific terms. The collected evidence can then be
processed, reviewed, and exported.
The resulting production set can then be exported into an AD1 format, or into a variety of load file formats such
as Concordance, Summation, EDRM, Introspect, and iConect. You can also export native files.

Workflow for Reviewing Projects
Although there is no formal order in which you process evidence, you can use the following basic workflow as a
guide.

Basic Workflow
Step

Task

Link to the tasks

After you process a collection, you
open the resulting project in Project
Review

See Introducing the Project Review Page on page 46.

View Data

See Viewing Data in Panels on page 56.

Search Documents

See Searching Data on page 94.

Culling Documents

See Using Filters to Cull Data on page 124.

Imaging Documents

See Imaging Documents on page 184.

Coding Documents

See Coding Documents on page 199.

Annotating Documents

See Annotating Evidence on page 214.

Introduction to Project Review

About Project Review

| 40

Basic Workflow
Step

Task

Link to the tasks

Work with Transcripts

See Viewing Transcripts on page 177.
See Annotating Transcripts on page 177.
See Viewing Exhibits on page 183.
See Searching in Transcripts on page 180.

Deleting Documents

See Deleting Documents on page 92.

About Date and Time Information
When viewing data in Review, most items have dates and times associated with them. For example, you can
see the following:
File

created, accessed, and modified dates and times.

Email

sent and received dates and times.

How dates and times are displayed can be configured.

About How Time Zones Are Set
The dates and times associated with data files in a project are stored, by default, in Coordinated Universal Time
(UTC), also known as Greenwich Mean Time (GMT). The Project Manager can configure a Display Time Zone
for the project. This will offset the times as needed and display them in the desired time zone. For example, a
project can be configured so that all times are displayed in Pacific Time Zone.
For more information, see the Normalized Time Zones topic in the Creating a Project chapter in the Admin
Guide.

Configuring the Date Format Used in Review
Each user of the Web console can configure which date format is used for displaying date fields in Review. For
example, some of the date formats that you can use include the following:
M/d/yyyy

(1/31/2014)

dd.MM.yy

(31.01.14)

yyyy-MM-dd

(2014-01-31)

This only applies to how the dates are displayed in the Web console; it does not affect how the dates are stored
in the database.
The date format that is displayed is controlled by the Windows region date format that is configured on one or
both of the following:
The

Windows computer (server) that is running the Resolution1 or Summation application.

The

Windows client computer (the computer that is accessing the Web Console through a browser)

However, some date fields behave differently and must be configured differently.

Introduction to Project Review

About Date and Time Information

| 41

Configuring the Date Format for File and Email Date Fields
The following dates are stored in the database and are displayed as standard dates:
Review
File:

CreatedDate, AccessedDate, LastModifiedDate, and LastUpdated

Email:

SentDate and RecieivedDate

Event:

EventDate

Home

page:

Project

creation

Evidence
Job

processing

events

Each user can configure their computer's Windows date format to what they want to use. For example, one
person can use M/d/yyyy while another person uses yyyy-MM-dd.
To configure a date format, a user selects the Short date format using the Windows Control Panel > Region and
Language setting.

Note: A console user can select any available Short date format, however, the Language (Country) format on
the client computer must match the Language (Country) format selected on the Windows computer
(server) that is running Summation. Otherwise, you will get a default date format based on the server’s
settings.
For example, if the server is set to English (New Zealand) and the client is also set to English (New

Introduction to Project Review

About Date and Time Information

| 42

Zealand), the client can display any of the New Zealand Short date formats. However, if the server is set
to English (New Zealand) and the client is set to English (United States), the client will display the default
New Zealand format.

To configure the Windows date format
1.

On the client computer that is accessing the Web console, open the Control Panel > Region and
Language.

Select the language/country Format and Short date format that you want to use.

Click OK.

Configuring the Date Format for DocDate and NoteDate fields
When you enter a DocDate or a NoteDate, it is not entered into the database as a standard date value, but
rather as a text string that is masked as a date. Because of this, these two fields will not be affected by the date
format setting on the client computer. Instead, it is controlled by the date format setting on the Windows server
that is running the Resolution1 or Summation application.
Note: If you are using multiple Windows servers, the server running the AccessData Business Services
Common service determines the date format.
When entering a DocDate or a NoteDate, it will only accept a date format that is set on the application server.

DocDate and NoteDate Format Limitations
The

DocDate and NoteDate fields do not support a year-first date format, such as yyyy/MM/dd. If this
format is selected, these two date fields will display the year at the end, for example, MM/dd/yyyy.

Slashes

are always used as separators instead of dashes or dots (MM/dd/yyyy).

Changing the Date Format on the Application Server
If you want to change the date format on the application server (the computer running the Resolution1 or
Summation application), there are a few steps that you must follow in order to have the new date recognized
properly.

To configure the Windows date format
1.

On the Windows computer running the application, you must log in using the Windows Administrator
account that is the “service user”.

Open the Control Panel > Region and Language.

Select the language format and date format that you want to use.

Click OK.

After changing the date format in Windows, you must perform a few manual steps to reset the date format in the
application.
Important: The following process will temporarily disable the Web server making the Web console unavailable to
users. Make sure no one is working in the console before proceeding.

Introduction to Project Review

About Date and Time Information

| 43

To reset the date format in the application
1.

Restart an application service by doing the following:
1a.

On the Windows computer running the application, click Start > Run.

1b.

Enter services.msc.

1c.

Click OK.

1d.

From the list of services, select AccessData Business Services Common.

1e.

Click Restart Service.

1f.

After the service has been restarted, close the Services management console.

Stop the IIS Web server so that you can delete cached settings by doing the following:
2a.

On the Windows computer running the application, click Start > Run.

2b.

Enter cmd.

2c.

Click OK.

2d.

In the command prompt window, type iisreset /stop and press ENTER; type Y and then press
ENTER.
The Web server is stopped.

2e.

Leave this CMD prompt window open so you can re-start IIS later.

Delete cached application settings by doing the following:
3a.

On the Windows computer running the application, browse to the following folder:
\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files.

3b.

While the IIS Web server is stopped, delete the adg.map.web folder.

Re-start the IIS Web server by doing the following:
4a.

In the command prompt window, type iisreset /start and press ENTER.

4b.

After IIS has successfully started, close the CMD prompt window.

Close and re-launch the browser running the Web console.

Introduction to Project Review

About Date and Time Information

| 44

Configuring the Date Format Used in Production Sets and Export Sets
In this version, dates that are in Production Sets and Export Sets do not follow the Windows Regional settings.
Instead, they default to the United States default format.
In order to change the date format in Production Sets and Export Sets, you must change a setting in a
configuration file by doing the following:
1.

On the computer running the Summation application, open the folder where the WorkManager service
is installed.
The default location is C:\Program Files\AccessData\eDiscovery\Work Manager.

Edit the Infrastructure.WorkExecutionServices.Host.exe.config file.

Replace the following keys in the Config section:
DefaultLoadFileDateFormat
DefaultLoadFileTimeFormat
DefaultLoadFileDateTimeFormat

For example, to have dates in the dd-MM-yyyy format, replace the values as follows:

Save the config file.

Restart the WorkManager service.

Introduction to Project Review

About Date and Time Information

| 45

Chapter 4
Project Review Page

Introducing the Project Review Page
You can use the Project Review page to search, analyze, filter, code, annotate, and label evidence for a selected
project. You have access to Project Review for the projects that you have created or that you are associated
with. You can access Project Review by clicking the magnifying glass button next to the project in the Project List
panel.

To access the Project Review page
From the project list on the Home page, click

next to the desired project.

See The Project List Panel on page 28.

Project Review Page

Introducing the Project Review Page

| 46

Project Review Page

At the top of the Project Review page is a project bar and below that are multiple panels that are customizable.

Project Review Page

Introducing the Project Review Page

| 47

Project Bar
The project bar is at the top of the Project Review page.

Elements of the Project Bar
Element

Description

Current Project

The name of the current project.

Return to Project Management

Click this button to return to the Home page.

Current Item ID

Displays the DocID, ObjectID, or Transcript name for the item selected
in the Item List grid. You can download the current document if the Item
ID is underlined. Click the number. When the Do you want to open or
save bar appears at the bottom of the menu, either click
Open or Save and save the file.

Go to Doc ID

Enter a DocID and click Go to go to that document in the Item List
panel.
You can also enter the DocID to open the native file.
Note: If you processed data using evidence processing, you will need
to put the documents into a Document group in order to use this
feature.

Next and Previous Buttons

Click previous page or previous document button to move around in the
Item List panel.
Click next page or next document to move around in the Item List panel.

Layout Button

User Name

Project Review Page

Expand to manipulate panels in the Project Review. Panels can be
hidden, shown, dragged, and/or docked to customize the Project
Review page for your workflow.
See Customizing the Project Review Layout on page 51.
Displays the name of the currently logged in user and allows you to log
out if desired.

Introducing the Project Review Page

| 48

Review Page Panels
The Project Review page is made up of many panels. You select which panels are visible or hidden. The panels
that you can use may depend on the license that you own and the permissions that you have.
You can select which panels to display by doing either of the following:
Manually


selecting panels.

Using the Layout tool. You can choose pre-defined layouts that display certain panels or you can
customize a layout.
See Customizing the Project Review Layout on page 51.

To manually select panels
1.

Open a project in Review.

Click the

Click Panels.

Select the panels that you want to display.

Layouts drop-down.

The following table briefly describes each panel that is available.

Panels in the Project Review
Panel

Description

Activity

Lists the history of actions performed on the selected document.
See The Activity Panel on page 82.

Case Organizer
Details

Lets you view and edit the details of Case Organizer objects.
See Using the Case Organizer Details Panel on page 202.

Coding

Use to select and edit coding layouts.
See The Coding Panel on page 205.

Confidence

Displays Predictive Coding confidence scores.
See Predictive Coding on page 209.

Conversation

Displays email conversation threads.
See The Conversation Panel on page 85.

Detail Information

The Detail Information contains tabs that allow you to view information about the
selected record.
See Using the KFF Details and Detail Information Panels on page 81.

Exhibits

Displays exhibits for the selected transcript.
See The Exhibits Panel on page 183.

Family

Lists the family relationships for email documents.
See The Family Panel on page 86.

Image

Displays the selected document as an image. You can perform annotations, redactions,
and make notes in this view.
See Using the Image Panel on page 79.

Project Review Page

Introducing the Project Review Page

| 49

Panels in the Project Review (Continued)
Panel

Description

Item List

Lists the filtered evidence for the selected project. This panel also includes the search
bar.
See Using the Item List Panel on page 58.

KFF Details

Lets you view KFF Details.
See Using the KFF Details and Detail Information Panels on page 81.

Labels

Lists available labels in the project to apply to evidence. Also displays the selected label
for the document currently being viewed.
See The Labeling Panel on page 192.

Linked

Two types of documents are displayed in this view:
Documents manually linked to other documents of the same project
 Documents linked to other documents during import
See The Linked Panel on page 88.


Natural

This viewer displays a file’s contents as it would appear normally without having to use
the native application.
The first time you use this view, you will need to follow the prompts to install the viewer
application.
See Using the Natural Panel on page 76.

Notes

Use to display the notes for the currently selected document.
See The Notes Panel on page 84.

Production

Displays the history of production.
See The Production Panel on page 83.

Project Explorer

Lets you cull and configure project data.
Contains the following tabs: Facets, Explorer, Tags, Searches, and Review Sets.
See Using the Project Explorer Panel on page 72.

Review Batches

Displays review batches. You can check in and check out batches from this panel.
See The Review Batches Panel on page 200.

Search Excerpt

Lets you generate and view a list of search excerpts.
See Using the Search Excerpt View on page 108.

Similar

Use to set relationships between documents.
See The Similar Panel on page 83.

Text

The Text view displays the file’s content as text.
You can configure the text view so that sentences wrap if they are longer than the
panel’s width.
You can also limit how much text is displayed by setting the Page Depth in characters.
See Using the Text Panel on page 80.

Transcript

Displays transcripts for the project.
See The Transcript Panel on page 176.

Project Review Page

Introducing the Project Review Page

| 50

Chapter 5

Customizing the Project Review Layout

You can customize the Project Review panels for your workflow. Layouts are specific to the logged-in user.
You can save custom layouts for future use.
See Managing Saved Custom Layouts on page 55.
You can customize the layout by doing the following:
Hiding

and Showing Panels (page 51)

Collapsing
Moving

Panels (page 52)

Resetting
Saving

and Showing Panels (page 52)

Layouts (page 54)

Managing

Saved Custom Layouts (page 55)

Working with Panels
All data in Review is shown in various panels.
See Review Page Panels on page 49.
You can show or hide panels.

Hiding and Showing Panels
You can hide and show panels to fit your needs.

To hide a panel
To hide a panel, do one of the following:
Click

the close button (x) on the panel.

Click

Layout > Panes and uncheck the panel you want to hide.

To show a panel
Click Layout > Panes and check the panel from the list.

Customizing the Project Review Layout

Working with Panels

| 51

Collapsing and Showing Panels
You can collapse a panel so that it is still open, but not shown unless you hover your mouse over it. This is useful
for panels that you want to view less frequently.

To collapse a panel
1.

In top-right corner of the panel, click
.
The panel is collapsed and the name of the panel is displayed in a box on the left side.
If the panel was in the top half of the page, the collapsed panel name is displayed in the top-left corner.
If the panel was in the bottom half of the page, it will be displayed in the bottom-left corner.

Collapsed Panels

To view a collapsed panel, mouse over the panel name and the panel will be shown until you move the
mouse away from the panel.

To un-collapse a panel, view the panel, and in the top-right corner of the panel, click

Moving Panels
You can move panels to different locations on the Project Review page. When you move a panel, you can
position it in one of the following ways:

To move Project Review panels
1.

Click and drag the panel that you want to move.
Docking guides appear on the page.

Project Review Page with Docking Guides

Customizing the Project Review Layout

Working with Panels

| 52

Place the panel by doing one of the following:
Floating:

Leave the panel floating on top of the page.

Docking

to a location on the page: Dock the panel by dragging the panel to one of the docking
guide arrows and releasing the mouse button.
There are four page docking guides on the outside of the page.

Docking

as a tab on another panel: Drag the panel on top of another panel and onto the center of
the docking cluster and release the mouse button.
There is a cluster of four page docking guides on the panel.

Moving Panels to a New Window
You can move the Natural, Image, Text, and Transcript panels to a new window from the Project Review page.

To move panels to a new window
In the Project Review, expand the Layouts drop-down and select Move Viewers to New Window.

The Natural, Image, and Text panels open in one window with tabs at the bottom so that you can toggle
between views. The transcript panel opens in its own window.

Customizing the Project Review Layout

Working with Panels

| 53

Working with Layouts
Selecting a Layout
You can use default layouts and custom layouts that you have saved in Project Review. The following are the
available default layouts:
Culling

Layout: Designed to aid reviewers in culling documents

Review

Layout: Designed to aid reviewers in viewing documents

Search

Layout: Designed to aid reviewers in searching documents

Transcript

Layout: Designed to aid reviewers in working with transcripts

CIRT

Layout: Designed to aid reviewers in working with KFF and Security jobs including Cerberus,
threat analysis. Displays the Detail Information panel.

To select a layout
1.

Open a project in Review.

Click the

Click Layouts.

Select the layout that you want to use.
Default layouts appear above the line and custom layouts appear below the line.

Layouts drop-down.

Resetting Layouts
If you have hidden, collapsed, or moved panels, you can return to the original layout.

To reset a layout
Select Layout > Reset Layout.

If you have modified a custom layout, it will reset to the last saved state.

Saving Layouts
If you have customized the default layout, you can save it as a custom layout. You can save multiple layouts.
To create a second custom layout, you must first return to a default layout, modify it, and then save it. If you
make changes to a custom layout, and save it, it will save it as an update.

To save a layout
1.

Customize the layout.

Click Layout > Save Layout.

Customizing the Project Review Layout

Working with Layouts

| 54

Manage Layouts Dialog

Enter the name of the layout and click Save.

Managing Saved Custom Layouts
You can rename and delete custom layouts that you have saved. You cannot delete the currently selected layout
using the Manage Layouts dialog.

To manage a saved custom layout
1.

Select Layout > Manage Layouts.

Manage Layouts Dialog

To rename a layout, select the layout, and enter a new name.

To delete a layout, click the X next to the layout, and click OK.

Click Save.

Customizing the Project Review Layout

Working with Layouts

| 55

Chapter 6

Viewing Data

Viewing Data in Panels
Using Project Review, you can select and examine your data in multiple ways. You can use various panels to
examine the data.
You use the Panels List to select which panels to display. The panels that you can use may depend on the
license that you own and the permissions that you have.
See Review Page Panels on page 49.
Note: Actions completed in a specific panel may affect search results in that panel. Always execute a previous
search in a panel if you have changed the scope of what you are examining in the panel. For example, if
you change the page depth of a document in the Text panel, you should execute any previous searches in
that panel after changing the page depth.
This chapter describes how to use the following panels to view data in Project Review:

Data Viewing Panels
Panel Category

Panel

Project Data Panels

Lets you view and manage the data in your project.
Item List

Provides a list of evidence items in your project. This list may
be filtered.
See Viewing Documents in the Item List Panel on page 59.

Project Explorer

Lets you cull and configure project data.
Contains six tabs: Facets, Explorer, Tags, Searches, and
Review Sets.
See Using the Project Explorer Panel on page 72.

File Data Panels

Lets you view the data about the selected document.
Document Viewing
Panels

Viewing Data

Descriptions

Lets you view document data.
See Using Document Viewing Panels on page 76.
 See Using the Natural Panel on page 76.
 See Using the Image Panel on page 79.
 See Using the Text Panel on page 80.
 See Using the KFF Details and Detail Information Panels
on page 81.

Viewing Data in Panels

| 56

Data Viewing Panels
Panel Category

Panel

Descriptions

Activity

Lists the history of actions performed on the selected
document.
See The Activity Panel on page 82.

Conversation

Displays email conversation threads.
See The Conversation Panel on page 85.

Family

Lists the family relationships for email documents.
See The Family Panel on page 86.

Linked

Two types of documents are displayed in this view:
Documents manually linked to other documents of the
same project
 Documents linked to other documents during import
See The Linked Panel on page 88.


Notes

Use to display the notes for the currently selected document.
See The Notes Panel on page 84.

Production

Displays the history of production for the project.
See The Production Panel on page 83.

Similar

Use to set relationships between documents.
See The Similar Panel on page 83.

Note: The language identification feature only works in the following categories: documents, spreadsheets, and
email.

Viewing Data

Viewing Data in Panels

| 57

Using the Item List Panel
The Item List panel lists the filtered evidence for the selected project. This panel also includes the search bar
and the ability to perform mass actions.

Item List Panel

Elements of the Item List Panel
Element

Description

Options

Click to use the following options in the Item Grid:
 Cache: See Caching Filter Data on page 138.
 Columns: See Selecting Visible Columns on page 61.
 Quick Columns: See Using Quick Columns on page 62.
 Quick Filters: See Using Quick Filters on page 63.
 Visualization: See Using Visualization on page 142.

Search field

Enter search terms to perform a quick search of documents checked in the Document
Tree. Results appear in the Item Grid.

Go button

Click to execute your quick search.

Viewing Data

Using the Item List Panel

| 58

Elements of the Item List Panel (Continued)
Element

Description

Search Options

Select to perform the following actions:
 Clear Searches
 Advanced Search
 Expansion
 Settings
 Search Report Options

Views

The following views are available: See Using Views on page 63.
 Grid View: See Using the Grid View on page 64.
 Summary View: See Using the Summary View on page 65.
 Timeline View: See Using the Timeline View on page 66.
 Conversation View: See Using Conversation View on page 67.
 Thumbnail View: See Using the Timeline View on page 66.
 Not Cached: See Caching Filter Data on page 138.

Actions

Select the mass action that you want to perform on the documents in the Item List.
See Performing Actions from the Item List on page 69.

Actions Go Button
(bottom of panel)

Click to execute the selected mass action.

Page Size

Select the number of documents you want visible in the Item List.

Page

Lists the page you are on and the number of pages. Click the next arrow to see the next
page.
Click the refresh button to update the Item List.
(Refresh)

Viewing Documents in the Item List Panel
The Item List panel displays documents in the project.
By default, items are displayed using the Grid view. You can use different Views.
See Using Views on page 63.

To view documents in the Item List panel
1.

From the project list on the Home page, click

next to the desired project to enter Project Review.

By default, the Item List and Project Explorer panels are displayed.

Do the following to determine the items displayed in the Item List:
In

the Item List panel, use the Options to use columns, Quick Filters, and Visualization.
See Elements of the Item List Panel on page 58.

In

the Project Explorer panel, use the Facets, Explore, Tags, or Review Sets tabs.
See Using the Project Explorer Panel on page 72.

Viewing Data

Using the Item List Panel

| 59

Using Columns in the Item List Panel
About Columns
You use columns to display specific data properties about evidence items.
You can sort, filter, customize, and reposition the columns of information in the Item List panel in Grid.
See About Content in Lists and Grids on page 33.
There are many pre-configured columns that you can use.
Project managers can also create custom columns in the Custom Fields tab on the Home page.
See Configuring Custom Fields in the Admin Guide.

About Pre-existing Columns
There are many pre-existing columns. Some provide basic information. For example, the following general
columns are displayed by default:
DocID

- Documents are given a DocID when data is added to a document group. Documents are added
to a document group either when data is imported to a project or when document groups are created
manually by a project manager. A document may not be assigned more than one DocID number.

ObjectID

- Add documents are given a DocID when data is added to the project.

ObjectName
ObjectType
[File]

and ObjectSubType (see Object Types page 140)

Extension

FilePath
[Email]

From

[Email]

Subject

[Email]

ReceivedDate

LogicalSize
AccessedDate

Some columns provide information about the file. For example:
ActualFile
Archive
ArchiveType
Attachment
BadExtension
Decrypted
EmailDirectAttachCount

- Shows the direct email attachments to an email. It does not display children
attachments of the direct attachments.

EMailMessage
Encrypted

Viewing Data

Using the Item List Panel

| 60

FromEmail
FromMSOffice
GraphicFile
HasTrackChanges

(for Office files)

Person
System

Some columns provide specific data about certain file types. For example:
HasTrackChanges
Word

documents (This currently only applies to DOCX document formats)

Excel

documents (.XSLX and .XLS documents)

EXIF


lets you to sort and filter the following documents that have Track Changes enabled:

geolocation data (See Using Geolocation Columns in the Item List on page 164.)

OLESubItem

PSTFilePath

and PSTStoreID

Some columns display date related to certain product functions. For example:
BatesNumber
Hash

values

ProductionDocID
KFF

Selecting Visible Columns
You can select the columns that you want visible in the Grid view.
You can also select Quick Columns to use pre-define column templates.
Only the columns and fields related to the features of your licensed product are displayed. For example, columns
related to Resolution1 product features, such as EVTX data, are not shown in Summation.
See Using Quick Columns on page 62.

To select visible columns
1.

In the Item List panel in Grid view, click the Columns button

and select Select

Columns.

Viewing Data

Using the Item List Panel

| 61

Select Columns Dialog

Click the right arrow to add columns to the Grid and the left arrow to remove them from the Grid.

Organize the order of the columns by clicking the up and down arrows.

Columns Tips
The

FilePath column has been changed to display the heading Path in the Item List. This allows the
column to display any path information, not just file paths. Searches for this value should be created by
specifying Path instead of FilePath.

Using Quick Columns
You can use Quick Columns to quickly display columns related to certain types of data. This allows you to make
relevant columns visible without having to manually select them.
The following standard pre-configured Quick Columns are available to choose from.
Case

Organizer

Document
eDocs
eMail
KFF
Notes
Scanned

Paper

Transcripts

Depending on the license that you own, you may have more. For security related products, see the Viewing
Security Data chapter of the Admin Guide.

Viewing Data

Using the Item List Panel

| 62

To apply Quick Columns
1.

For a project, enter Review.

Click Options > Quick Columns.

Select the Quick Columns that you want to use.
The selected Quick Column will be designated with a check.

To remove a Quick Column, select it again and the check will be cleared.

Using Quick Filters
The Item List panel includes Quick Filters that you can use to quickly refine the list of evidence.
You can quickly hide or show the following types of data.

Quick Filters
Filter

Description

Hide/Show Duplicates

By default, the Hide Duplicates Quick Filter is set and duplicate files are hidden.
To view duplicate files, change to Show Duplicates.

Hide/Show eDiscovery
Refinement

By default, the Hide eDiscovery Refinement Quick Filter is set.
Enabling this shows extra files that may not be important. For example, this
includes embedded files, such as XML, RELS, and graphics that are embedded
in office documents.

Hide/Show Folders

By default, the Hide Folders Quick Filter is set and folder items are hidden. To
view folder items, change to Show Folders..

Hide/Show Ignorables

By default, the Hide Ignorable Quick Filter is set and KFF Ignorable files are
hidden. To view Ignorable files, change to Show Ignorables.
See About KFF on page 281.

Depending on the license that you own, you may have more. For security related products, see the Viewing
Security Data chapter of the Admin Guide.

Using Views
You can use different pre-configured views to help you review data.








Grid View: See Using the Grid View on page 64.
Summary View: See Using the Summary View on page 65.
Timeline View: See Using the Timeline View on page 66.
Conversation View: See Using Conversation View on page 67.
Thumbnail View: See Using the Thumbnail View on page 68.
Not Cached

Whenever you change views, the File List is refreshed.
You can perform actions on the documents in the Item Grid.
See Performing Actions from the Item List on page 69.

Viewing Data

Using the Item List Panel

| 63

Using the Grid View
The default view in the Item List panel is the grid view. Grid view is a grid that displays each document.

Grid View

Viewing Data

Using the Item List Panel

| 64

Using the Summary View
The Summary view displays a detail of the documents.

To access Summary view
In the Item List panel, click the Summary View button

Summary View

Viewing Data

Using the Item List Panel

| 65

Using the Timeline View
This view lets you view file actions and the date and time that those actions took place. You can view the
following file action information:
File

(Created, Last Modified, Last Accessed)

Registry

(Modified)

Event

Log (Event Created)

Email

(Sent and Received)

Process

(Start time)

Queried

events (see the Admin Guide)

Each action is listed on it own row in the list.
Note: You can configure the format that dates are displayed in. SeeConfiguring the Date Format Used in
Review page 41
The Timeline View is an extension of the default Grid View with special event columns data added.

The following columns are added:
EventType

- Displays the type of action (created, last accessed, and last modified)

EventDate

- Displays the date and time of the file action.

EventData

- Displays data about the item that evoked the timeline event. For example:

If

the event was file-related, the name of the file is displayed.

If

the event was process-related, the name of the process is displayed.

If

the event was web-related, the name of the URL is displayed.

If

the event was email-related, the email subject is displayed.

If

the event is from an EVTX file, the event data xml is displayed.

When you open the Timeline View, any other columns that you had configured for the Grid View are maintained.
Note: The ActionDate and ActionType columns are only available in the Timeline View.
If you perform a search or filter in the Grid View, and then change to the Timeline View, only the results of the
search or filter are in the list.

Viewing Data

Using the Item List Panel

| 66

A difference between the normal Grid View and the Timeline View is that the Timeline View displays multiple
rows for the same item (ObjectID). Each row will have a different action type but have the same Object ID.
Depending on your data and how your list is sorted, rows for the same file may be on different pages. When you
check an item to perform an action on it, all rows related to ObjectID file are also checked.
From the Timeline View, you can do the following:
Sort

on one or more columns including the ActionDate and ActionType columns.

Use

filters on any column.

Add

columns to the view. (Any added columns persist when returning to the Grid View.)

Perform

mass actions on items in the list.
See Performing Actions from the Item List on page 69.

Export

the list to CSV.
You will get a separate row in the CSV for every Action Type.
See Exporting a List to CSV on page 69.

You

can view, filter, and sort events related to modifying registry keys

You

can view, filter, and sort log2timeline events that come from Add Evidence and Collection jobs.

To access the Timeline view
In the Item List panel, click the Timeline View button

Using Conversation View
Conversation view displays all the conversation threads for emails.

To access the conversation view
In the Item List panel, click the Conversation View button

Conversation View

Viewing Data

Using the Item List Panel

| 67

Using the Thumbnail View
You use the Thumbnails View to see rows of thumbnail images of the graphic files or video files in your project.
See Viewing Graphics and Videos on page 91.
If your project has graphics, such as JPEG, GIF, or PNG, thumbnails of those files are automatically created
during processing.
Note: Image thumbnails are generated only when using the Standard and Forensic processing mode.
To view thumbnails for video files, you must first enable the Generate (Video) Thumbnails processing option
when you create a project. You can use the Thumbnail View to rapidly scan through the visual contents in a
video file, without having to launch and watch the entire video.
See Evidence Processing and Deduplication Options on page 210.

To access the Thumbnail view
In the Item List panel, click the Thumbnail View button

When you click a thumbnail, the item is displayed in the Natural panel.
You can use the slider to change the size of the displayed thumbnail.

Viewing Data

Using the Item List Panel

| 68

Performing Actions from the Item List
You can perform mass actions on items in the list.
There are two drop-downs for performing actions.
In

the first Actions drop-down, you specify whether you want to perform an action on all of the objects in
the grid or only the checked objects.

In

the Action-type drop-down, you select the action that you want to perform.

Actions You Can Perform in the File List
Task

Link

Add to KFF

See Adding Hashes to Hash Sets Using Project Review on page 315.

Add to Summaries

See Using the Case Organizer on page 197.

Bulk Coding

See Coding Multiple Documents on page 207.

Delete Evidence

See Deleting Documents on page 92.

Export List to CSV

See Exporting a List to CSV on page 69.

Global Replace

See Using Global Replace in the Searching documentation.

Imaging

See Imaging Documents on page 184.

Label Assignment

See Applying Labels to Multiple Documents on page 194.

Local Bulk Print

See Local Bulk Printing on page 227.

Network Bulk Print

Reviewers with the Imaging permission can print multiple records.
See Bulk Printing on page 226.

OCR Documents

See Using OCR on page 70.

View Transcripts

Click to view selected transcripts. Only transcripts will be opened in a separate
window. See Viewing Transcripts on page 177.

ThreatLookup

(Resolution1 Platform and Resolution1 CyberSecurity only) Allows you to execute
a ThreatLookup scan against the data to scan for threats. See the ThreatLookup
chapter in the Admin Guide.

Exporting a List to CSV
You can export the Item List to a CSV file. Any field that is available in the list can be exported to a CSV file.
Once exported, you download the exported CSV file from the Work List on the Home page.

To perform an Export to CSV action
1.

Identify the files that you want to perform the action on by doing one of the following:
In

the first Action drop-down, click All.

Check

individual files, and then in the first Action drop-down, click Selected Objects.

In the second Action drop-down, click Export List to CSV.

Click Go.

Viewing Data

Using the Item List Panel

| 69

To view the status of an Export to CSV job
1.

Click

Return to Project Management.

For the project, click

Under Job Type, view the ExportToCSV job.

Work Lists.

To download the CSV file
1.

On the Work List page, select the ExportToCSV job that you want to download the file for.

In the Filter Options pane, click Download.

Select to Open or Save the file.

If you save the file, go to your Downloads folder to access the file.

Using OCR
You can create a job to OCR documents if you did not select to have this done during processing.

About Optical Character Recognition (OCR)
Optical Character Recognition (OCR) is a feature that generates text from graphic files and then indexes the
content so the text can be searched, labeled, and so forth.
OCR currently supports English only.
Some limitations and variables of the OCR process include:
OCR

can have inconsistent results. OCR engines have error rates which means that it is possible to have
results that differ between processing jobs on the same machine with the same piece of evidence.

OCR

may incur longer processing times with some large images and, under some circumstances, not
generate any output for a given file.

Graphical

images that have no text or pictures with unaligned text can generate illegible output.

OCR

functions best on typewritten text that is cleanly scanned or similarly generated. All other picture
files can generate unreliable output.

OCR

is only a helpful tool for you to locate images with index searches, and you should not consider
OCR results as evidence without further review.

You

can only perform OCR from the Item List on .TIFF and .PDF files. If you attempt to OCR a document
that is not a .TIFF or a .PDF, the application skips the document. The action does not error, and only
those documents that had OCR processing appear in the processed count when you view the OCR job in
the Work List.

Documents

that have already been processed for OCR do not process again.

Documents

imported with the @O token cannot be processed for OCR. The OCR tab displays filtered

text.

Viewing Data

Using the Item List Panel

| 70

Performing an Optical Character Recognition (OCR) Action
To perform an OCR action
1.

Identify the files that you want to perform the action on by doing one of the following:
In

the first Action drop-down, click All.

Check

individual files, and then in the first Action drop-down, click Selected Objects.

In the second Action drop-down, click OCR Documents.

Click Go.

About Viewing Optical Character Recognition (OCR) Jobs
After performing an OCR action you can view the the status of the OCR job.

To view the status of an OCR job
1.

Click

For the project, click

Under Job Type, view the OCR Documents job.

Viewing Data

Return to Project Management.
Work Lists.

Using the Item List Panel

| 71

Using the Project Explorer Panel
The Project Explorer provides tools to help you organize and cull your data.

The Project Explorer panel has the following tabs:
Facets

This is the default tab and lets you use facets to cull your data.
See Filtering Data in Case Review on page 124.

Explore

This can be used to organize cull documents.
See The Explore Tab on page 73.

Navigation

This lets you specify the scope of evidence that you want to view in the Item List panel.
(Not available in all products)
See The Navigation Tab on page 74.

Categories

Displays all the existing categories for the project. Right-click to create category values.
See Viewing Documents with a Category Coded on page 196.

Issues

Displays all the existing issues. Right-click to create a new issue for the project.
See Viewing Documents with an Issue Coded on page 196.

Applying Tags

The Tags Tab

| 190

Elements of the Tags Tab
Elements

Description

Labels

Contains all the existing labels. Right-click to create a new label for the project.
See Viewing Documents with a Label Applied on page 196.

Case Organizer

Displays all the existing case organizer objects for the project. Right-click to create new
objects.
See Using the Case Organizer on page 197.

Production Sets

Applying Tags

The Tags Tab

| 191

The Labeling Panel
The Labeling panel in Project Review can be used to apply labels to documents. You can organize your
documents by applying labels using the Labeling panel. The Labeling panel allows you to apply labels to
documents one at a time.
See Applying Labels to Multiple Documents on page 194.

Labeling Panel

Elements of the Labeling Tab
Element

Description

Labels Folder

Expand to see the labels created by the project manager.

Collapse All Button

Click to collapse all the folders.

Expand All Button

Click to expand all the folders.

Refresh

Click to refresh the label list.

Save

Click to apply the selected labels to the selected document.

Reset

Click to reset the labels to their original condition.

Applying Tags

The Labeling Panel

| 192

Applying Labels to Single Documents
You can apply labels to documents one at a time by using the Labeling panel. Labels can be created by the
project manager.
See the Project Manager documentation for more information on creating labels.
Note: Production set records cannot be labeled.

To apply labels to single documents
1.

In the Project Review, ensure the Labeling and Item List panels are showing.

Labeling Panel

In the Item List panel, highlight the document to which you want to apply a label.

In the Labeling panel, check the label(s) that you want to apply and click Save.

Removing Labels from a Single Document
You can remove labels from a single document using the Labeling panel.

To remove labels from a single document
1.

In the Project Review, ensure the Labelling and Item List panels are showing.

In the Item List panel, highlight the document from which you want to remove a label.

In the Labeling panel, uncheck the label(s) that you want to remove and click Save.

Applying Tags

Applying Labels to Single Documents

| 193

Applying Labels to Multiple Documents
You can apply labels to multiple documents at once using the mass actions in the Item List panel. Labels can be
created by the project manager.
See the Project Manager documentation for more information on creating labels.
Note: Production set records cannot be labeled.

To apply labels to multiple documents
1.

In the Project Review, ensure the Item List panel is showing.

Check the documents to which you want to apply labels. If applying labels to all documents, skip this
step.

In the first Actions drop-down at the bottom of the panel, do one of the following:
Select

Checked to apply labels to all the checked documents.

Select

All to apply labels to all documents, including documents on pages not visible.

In the second Actions drop-down, select Label Assignment.

Click Go.

Label Assignment Dialog

Check the labels that you want to assign to the documents.
Note: Boxes with a dash (-) indicate that one or more (but not all) of the documents are already
assigned that label. Click the box until it becomes a check mark to apply the label to all the
selected documents.

Applying Tags

Applying Labels to Multiple Documents

| 194

(Optional) Check the following Keep Together check boxes if desired:
Keep

Families Together: Check to apply the selected label to documents within the same family as
the selected documents.

Keep

Related Documents Together: Check to apply the selected label to all documents related to
the selected documents.

Keep

Linked Documents Together: Check to apply the selected label to all documents linked to the
selected documents.

Click Save.

Removing Labels from Multiple Documents
You can remove labels from multiple documents by using the mass actions in the Item List panel.

To remove labels from multiple documents
1.

In the Project Review, ensure the Item List panel is showing.

Check the documents from which you want to remove labels. If removing labels from all documents,
skip this step.

In the first Actions drop-down at the bottom of the panel, do one of the following:
Select

Checked to remove labels from all the checked documents.

Select

All to remove labels from all documents, including documents on pages not visible.

In the second Actions drop-down, select Label Assignment.

Click Go.

In the Label Assignment dialog, click the check boxes until they are blank on the labels that you want to
remove.

Click Save.

Applying Tags

Applying Labels to Multiple Documents

| 195

Viewing Documents with Tags
Viewing Documents with a Label Applied
You can view all the documents assigned to a specific label using the Tags tab in the Project Explorer.

To view documents assigned a label
1.

In the Project Review, ensure the Project Explorer and Item List panel are showing.

In the Project Explorer, click on the Explore tab. Ensure all the folders are checked.

In the Project Explorer, click on the Tags tab.
See The Tags Tab on page 190.

Uncheck everything on the Tags tab, then expand the Labels and check the label(s) that you want to
see.

Click the Apply check mark button in the Project Explorer panel.
All documents with the selected label appear in the Item List panel.

Viewing Documents with an Issue Coded
You can view all the documents assigned to a specific issue using the Tags tab in the Project Explorer.

To view documents assigned an issue
1.

In the Project Review, ensure the Project Explorer and Item List panel are showing.

In the Project Explorer, click on the Explore tab. Ensure all the folders are checked.

In the Project Explorer, click on the Tags tab.
See The Tags Tab on page 190.

Uncheck everything on the Tags tab, then expand the Issues and check the issue(s) that you want to
see.

Click the Apply check mark button in the Project Explorer panel.
All documents with the selected issue appear in the Item List panel.

Viewing Documents with a Category Coded
You can view all the documents assigned to a specific category using the Tags tab in the Project Explorer.

To view documents assigned an issue
1.

In the Project Review, ensure the Project Explorer and Item List panel are showing.

In the Project Explorer, click on the Explore tab. Ensure all the folders are checked.

In the Project Explorer, click on the Tags tab.
See The Tags Tab on page 190.

Uncheck everything on the Tags tab, then expand the Categories and check the category that you want
to see.

Click the Apply check mark button in the Project Explorer panel.
All documents with the selected category appear in the Item List panel.

Applying Tags

Viewing Documents with Tags

| 196

Using the Case Organizer
You can use the Case Organizer to add reference information to evidence files in your project. To use the case
organizer, you create a Case Organizer object and associate one or more evidence files to it . Within Case
Organizer objects, you can include the following:
Comments,
Reference
Attached
Text

including formatted rich text, numbered and bulleted lists, images, and hyperlinks

details, including Status, Impact, Material, and Date range

supplemental files

snippets from the evidence files

You can generate reports that provide all information related to Case Organizer objects.
You can create as many case organizer objects as needed in a project. Case Organizer objects only apply to the
project that they are created in.
Case Organizer objects are compatible with FTK Bookmarks.
Note: The Case Organizer requires Internet Explorer 9 or higher.

About Case Organizer Categories and Organization
Within the Case Organizer, you use the following categories of Case Organizer objects:
Event
Fact
Pleadings
Research
Summary
People

These Case Organizer categories share the same functionality. The different categories are available to help
you organize your data. You can generate a report for each object category as well as each object.

Applying Tags

Using the Case Organizer

| 197

You organize the Case Organizer objects in the Tags tab in the Project Explorer panel of Project Review.

Case Organizer objects are organized under each category parent. When you create an object, you select the
parent under which you save the Case Organizer object. You can also nest objects, meaning you can create
objects under other objects.
Except for the Summary category, all Case Organizer objects are shared with and can be viewed by all project
reviewers. However, under the Summary category, you have two options:
A

Shared tree that is available to all reviewers

A

tree specific to the logged-in-user that is not shared

Note: Administrators and Case Administrators can see and use all Case Organizer objects in a project.

Additional Informaiton will be available in an updated document.

Applying Tags

Using the Case Organizer

| 198

Chapter 20

Coding Documents

The Review Sets Tab
The Review Sets tab in the Project Explorer panel can be used to create review sets and view review sets in the
Review Batches panel. Review sets are batches of documents that users can check out for coding and then
check back in.
Before you code a set of documents, you can check out a review set so that you can track the documents you
code and to structure your workflow. Project managers can create and associate review sets. When you are
done coding a set of documents, you can check them back in if you have the Check In/Check Out Review
Batches permission.
See Managing Review Sets in the Project Manager documentation for more information.
See Checking In/Out a Review Set on page 201.

Review Sets Tab in Project Explorer

Coding Documents

The Review Sets Tab

| 199

Elements of the Review Sets Tab
Elements

Description

Review Sets

Contains the All Sets and My Batches folders.

All Sets

Displays all the review sets available.

My Batches

Displays review sets that you have checked out.

The Review Batches Panel
The Review Batches panel in Project Review displays review batches. You can check in and check out batches
from this panel.

Review Batch Panel

Elements of the Review Batches Panel
Element

Description

Batch Name
Column

Displays the name of the review set.

Batch Size
Column

Displays the number of documents in review set.

Assigned To
Column

Displays the user that the review set is assigned to.

Batch Status

Displays the status of the review set.

Reviewed

Displays the number of documents reviewed in set.

Actions

Expand the first actions drop-down and select one of the following options:
 All: To include all review sets in the panel in the action
 Checked: To include checked review sets in the action
 Unchecked: To include all the unchecked review sets in the action

Actions Check In/
Out

The second Actions drop-down allows you to select to either Check In or Check Out the
review set.

Coding Documents

The Review Sets Tab

| 200

Elements of the Review Batches Panel
Element

Description

Go Button

Click to execute the selected actions.

Checking In/Out a Review Set
Reviewers with the Check In/Check Out Review Batches permission can check out sets of documents for
coding. Project managers can create and associate review sets for reviewers. When you are done coding a set
of documents, you can check them back in if you have the Check In/Check Out Review Batches permission.

To check out a review set
1.

Click the Project Review button

In the Project Review, ensure that the Review Batches panel is showing.
See The Review Batches Panel on page 200.

In the Review Batches panel, check the batch(es) that you want to check out. Skip this step if you are
checking out all the review batches.

In the first Actions drop-down in the bottom of the panel, select one of the following:
Checked:
All:

in the Project List panel next to the project.

Select this to check out the checked review batches.

Select this to check out all of the review batches, including those not visible on the current page.

In the second Actions drop-down, select one of the following:
Check

Out: Select this to check out the review set. Only one person can have a review set checked
out at a time.

Check

Click Go.

Click OK.

Coding Documents

In: Select this to check in a checked out review set.

The Review Sets Tab

| 201

Coding in the Grid
You change the data of editable columns by using Edit Mode in the Item List panel in Grid View. Only columns
that are editable can be altered in the Item List Grid, just as if you were coding using the coding panel. Data in
the Read-Only and evidence columns cannot be edited. You can edit dates, text, issues, categories, transcripts,
and notes in the Item List Grid. Data cannot be changed for records brought into the application using Evidence
Processing.

To code data in the Item List Grid
1.

In Project Review, select the Item List panel and ensure it is in Grid View.

Do one of the following:
Double
Select

click the field that you want to code.

the field that you want to code and press F2.

Note: Not all fields are editable. You can only edit non-read-only fields, and columns that are not
populated by Evidence Processor.
3.

Enter or select the text, date, or numbers that you want for the field.
See Editable Fields on page 202.

Move the focus away from the field by doing one of the following to save the changes that you have
made:
Click

anywhere else on the screen outside of the field.

Press

Tab to move to the next editable field.

Editable Fields
There are multiple different fields that you can edit, including custom fields created by the project manager. You
can always edit any custom fields that you have added. The following are examples of the kinds of editable fields
that you will see by default in the Item List panel grid:
Authors
Deponents

(transcript records only)

DepositionDate
DocDate

(transcript records only)

(allows fuzzy dates)

DocType
Endorsement
Issues
Mentioned
Note

(Note records only)

NoteDate
OriginalFileName
Recipients
Source
Title

Coding Documents

Coding in the Grid

| 202

UUID
Volume

Text Fields
Text fields can contain numbers, letters, and symbols. Text fields are limited to 250 characters. If you attempt to
exceed 250 characters, your text will be truncated at 250 without warning that you have exceeded the limit.

Text Fields in the Item List Grid

Date Fields
Date fields can only contain numbers and must be a valid date. You can expand the calendar to select a date or
enter a date using your keyboard. If the column allows fuzzy dates, your date does not have to be complete, but
it still must be valid.

Date Fields in the Item List Grid

Number Fields
Number fields can only contain numbers. Numbers may be positive or negative. You can use the spin box in the
field to increase or decrease the number.

Coding Documents

Coding in the Grid

| 203

Number Fields in the Item List Grid

Radio Button Fields
Custom fields that include radio button options were created by the project manager and appear as options in a
drop-down. You may select one of the available options, but you cannot enter your own custom text in the grid
view in a radio button field.

Radio Button Field in the Item List Grid

Check Box Fields
Custom fields that include check boxes were created by the project manager and appear in a drop-down as a
check box. You can check one or multiple boxes if the field contains check box options.

Check Box Field in the Item List Grid

Coding Documents

Coding in the Grid

| 204

Using the Coding Panel
The Coding Panel
Coding is putting values into the fields (columns) of documents. The Coding panel in Project Review allows you
to use coding layouts to change the data of the selected document. Coding layouts can be created on the
Tagging Layout tab of the Home page. Fields with greyed-out text on the Coding tab are read only. Fields in blue
on the Coding tab are required.
Reviewers with View Coding Layout permissions can code the data of a document using the Coding panel and
the mass actions in the Item List panel. Coding allows you to identify descriptive pieces of information that never
had metadata, like images that were loaded and need to have dates manually added into the field. The Coding
panel in Project Review allows you to use coding layouts to code the selected document.
You can code documents and transcripts. Transcripts can be coded for Deponent and Deposition Date as long
as the fields are in the tagging layout.
See Coding Single Documents on page 206.
See Coding Multiple Documents on page 207.
Coding layouts can be created by the project manager in the Tagging Layout tab of the Home page.
See the Project Manager documentation for information on creating coding layouts.

Coding Panel

Coding Documents

Using the Coding Panel

| 205

Elements of the Coding Panel
Element

Description

Save Button

Click to save your changes.

Save and Next

Click to save your changes and move to the next codable record.

Cancel

Click to cancel the coding and leave edit mode.

Apply Previous

Click to apply the changes that you made to the previous record to the current record
you are viewing.

Layout Drop-down

All available layouts for the user are in this drop-down.

Coding Single Documents
Reviewers with the View Coding Layout permission can code the data of documents outlined in a coding layout.
Layouts are defined by the project manager. Layouts include custom fields, categories, and issues. You can
code the data for all of these things as long as they are included in the Layout defined by the project manager.
You can code single documents using the Coding panel. Fields with greyed-out text on the Coding tab are read
only. Fields in blue in the coding layout are required.

To code single documents
1.

Click the Project Review button

In the Project Review, ensure that the Item List, Project Explorer and Coding panel are showing.

If you are coding a checked out review batch, in the Project Explorer, click the Review Batches tab,
expand the My Batches folder, and select the batch that you want to code. The documents for the
selected batch appear in the Item List panel.
See The Review Batches Panel on page 200.

In the Item List panel, select the document that you want to code.
See Using the Item List Panel on page 58.

In the Coding panel, expand the layout drop-down and select the layout that you want to use. You must
be associated with the layout in order to use it. Project managers can associate layouts to users and
groups.
See The Coding Panel on page 205.

In the Coding panel, click Edit.

Edit the data to reflect accurate data. The options available will differ depending on the layout that the
project manager created.

Click one of the following:
Save:
Save

in the Project List panel next to the project.

Click this to save your changes and stay on the same document.

and Next: Click this to save your changes and go to the next document in the Item List panel.

Coding Documents

Using the Coding Panel

| 206

Note: You will only be able to save your changes if all the required fields (blue fields) are populated. If
all required fields are not populated, you will get an error message when you attempt to save the
record.

Coding Multiple Documents
Reviewers with the View Coding Layout permission can code the data of documents outlined in a coding layout.
Layouts are defined by the project manager. Layouts include custom fields, categories, and issues. You can
code the data for all of these things as long as they are included in the Layout defined by the project manager.
You can code multiple documents using the mass actions in the Item List panel. Fields with greyed out text in the
coding layout are read only. Fields in blue in the coding layout are required.

To code multiple documents
1.

Click the Project Review button

In the Project Review, ensure that the Item List and Project Explorer panel are showing.

In the Item List panel, check the documents that you want to code. Skip this step if you are coding for all
the documents.
See Using the Item List Panel on page 58.

In the first Actions drop-down at the bottom of the panel, select one of the following:
Checked:

in the Project List panel next to the project.

Select this to code only the documents that you checked.

All:

Select this to code all the documents in the Item List panel, including those on pages not
currently visible.

In the second Actions drop-down, select Bulk Coding.

Coding Documents

Using the Coding Panel

| 207

Bulk Coding Dialog

In the Bulk Coding dialog, select the layout in the layout drop-down.

Edit the data to reflect accurate data. The options available will differ depending on the layout that the
project manager created. Check boxes with a dash (-) indicates that some of the documents have the
box checked. Click the check box until it becomes a check mark to apply it to all the selected
documents.

10. (Optional) Check the following Keep Together check boxes if desired:
Include

Family: Check to apply the same coding to documents within the same family as the
selected documents.

Include

SImilar Documents: Check to apply the same coding to all documents related to the
selected documents.

Include

Linked Documents: Check to apply the same coding to all documents linked to the selected
documents.

11. Click Save.

Once you have completed the Bulk Coding action, return to the Work List on the Home page. If there were any
Document IDs that failed to code, they will be listed by their number under the Work List. You can then resubmit
Bulk Coding for those failed IDs.

Coding Documents

Using the Coding Panel

| 208

Predictive Coding
You can automatically code documents by applying Predictive Coding to the document set. With Predictive
Coding, the system “learns” how you want certain documents coded and apply that coding to future documents.
This allows you to automatically code documents throughout the project.
In order to use Predictive Coding, you need to create a learning session from a subset of documents in the
project and code these documents with the appropriate responsive coding within that learning session. As the
system learns coding methodology, the system’s overall confidence level increases. This tells you how confident
the system is in learning how future documents should be coded. Once you have reached an acceptable
confidence score with the predictive coding, you can apply the predictive coding to the rest of the documents
within the project.
Note: Due to the conjecturable nature of predictive coding, any results from the predictive coding should be
considered an estimate and is not guaranteed to produce 100% accurate results. All results from
predictive coding should be verified against the data set.
The decision tree used by the system to perform Predictive Coding is generated by the Iterative Dichotomiser3
(ID3) algorithm. For more information on the ID3 algorithm, see http://www.cse.unsw.edu.au/~cs9417ml/DT1/
decisiontreealgorithm.html#A0.0 or http://en.wikipedia.org/wiki/ID3_algorithm .

A document that has Predictive Coding applied to it will be marked as responsive or non-responsive to the
subject matter that the reviewer has determined in the learning set. The reviewer has the ability to review the
Predictively Coded documents to ensure that the Predictive Coding was applied correctly. Any document that
has Predictive Coding applied to it can have the coding decision overridden. Also, any document that has had
manual coding applied to it will retain that manual coding.
There are four types of documents that are coded with predictive coding:
Email
Presentations
Excel

spreadsheets

Word

documents

All other document types will not be automatically coded.

The workflow of predictive coding occurs in three phases:
Instructing Predictive Coding (page 210)
Applying Predictive Coding (page 212)
Performing Quality Control (page 213)

Understanding Predictive Coding
In order for the system to learn the parameters of the predictive coding, a set of documents must be defined by
the reviewer. These documents would be selected by either applying filters, facets, or search results to the
documents. You can also select documents from the Item List.

Coding Documents

Predictive Coding

| 209

When a new project is created, by default that project has a standard coding/tagging layout associated with it
named Predictive Coding. You can find this tagging layout under Tagging Layouts in the Home tab.
See The Project Manager Guide for more information on tagging layouts.

Instructing Predictive Coding
Because predictive coding is based on statistical analysis of the data, the subset of the data used for coding
should be selected using the following parameters. Data selected with these parameters will assist in achieving
greater success with predictive coding:
You

should code a minimum of 10% of the documents in a project. The more documents that are coded
within a project, the more likely predictive coding will be successful in determining how to code the rest of
the documents in a project.

You

should apply the Predictive Coding layout to documents scattered randomly throughout the project,
not to just the first 10% of the documents that are listed in a project.

The

subset of documents used for predictive coding should contain a combination of documents marked
as either Responsive and Non Responsive.

At

least ten documents must be coded Responsive and at least ten additional documents must be coded
Non Responsive. These documents must be native documents that contain text.
Note: If you do not code at least ten documents Responsive and ten documents Non Responsive, the

Confidence Score and Predictive Coding Job will fail.
You can code the documents with the Predictive Coding layout in order to teach the system.

To code a learning set of documents with Predictive Coding
1.

Click the Project Review button

In the Project Review, ensure that the Item List, Project Explorer and Coding panel are showing.

In the Item List panel, select the document that you want to code.
See Using the Item List Panel on page 58.

In the Coding panel, expand the layout drop-down and select the Predictive Coding layout. You must be
associated with the layout in order to use it. Project managers can associate layouts to users and
groups.

Click Edit.

Coding Documents

in the Project List panel next to the project.

Predictive Coding

| 210

Predictive Coding Panel

Mark whether a document is responsive or not responsive for the subset that you are creating.
Add

any additional keywords, separated by commas.

The

SetBy and CodingLog fields are not editable. SetBy displays whether a document has been
manually coded or predictively coded, and the CodingLog field displays data for predictively coded
documents.

Click one of the following:
Save:
Save

Click this to save your changes and stay on the same document.

and Next: Click this to save your changes and go to the next document in the Item List panel.

10. Code as many documents as you feel is necessary for the Predictive Coding subset.

See Instructing Predictive Coding on page 210.
Once you have completed manually coding the documents to be used in Predictive Coding, you should test the
system and obtain a confidence score of how well the system has learned.

Obtaining a Confidence Score
In order to determine if the system has received enough information in order to perform a successful coding, a
reviewer must run a confidence scoring job and generate a confidence score. The confidence score is a
percentage-based score. The higher the score, the greater the confidence that the system has in coding the rest
of the documents in the project correctly.
The confidence score is determined by using the F1 score statistical calculation. This score is calculated using
the precision rate (true positive count over total positive labeled) and recall rate (true positive count over total
positive count). For more information on the F1 score statistical calculation, see http://www.cs.odu.edu/~mukka/
cs795sum10dm/Lecturenotes/Day3/F-measure-YS-26Oct07.pdf or http://en.wikipedia.org/wiki/F1_score .

Cross-validation is the process used to determine the confidence level of the system. In this process, the original
learning set of manually coded documents is randomly partitioned into subsamples. These subsamples are
called validations folds, and the quantity of the subsamples in a given learning set is represented by the variable
k. From the k subsamples, a certain quantity of subsamples, represented by the variable n, is retained as the
validation data for testing the model. The remaining k - n subsamples are used as training data. The validation
process is then repeated k times (the folds), with different sets of n subsamples used as the validation data. The
results from the validation folds are then averaged to produce a single estimation.

Coding Documents

Predictive Coding

| 211

For more information about cross-validation, see http://www.cs.cmu.edu/~schneide/tut5/node42.html or http://
en.wikipedia.org/wiki/Cross-validation_%28statistics%29 .

In order to obtain the confidence score, you need to perform a confidence score job after the learning set has
been coded with Predictive Coding.
Note: You must code at least ten documents as responsive and ten other documents as non-responsive before
running a confidence score job. If not, the confidence score job will fail. You will be notified of the failed
job in the Job List.

To perform a confidence score job
1.

From Project Review, open the Confidence panel by going to Layouts > Panels > Confidence.

From the Actions pull-down, select Confidence Score Calculation and click Go.

Go to the Work List under the Home tab to view the status of the Confidence Scoring job. Once the job
has completed, return to Project Review.

The confidence score will appear in the Confidence panel.

Confidence Panel

Field

Name - indicates the field that was tested against in the cross-validation.

Confidence

Score - the higher the score, the more confidence that the system has in applying the
Predictive Coding.

Count

- the count of the documents in the learning set.

Note: The Confidence Panel will display only the last confidence score that was calculated for the

learning set.

Applying Predictive Coding
After achieving a confidence score that sufficiently shows that the system can code the rest of the documents in
the project, you can apply the Predictive Coding to the rest of the documents in the project.

Coding Documents

Predictive Coding

| 212

Note: Only one Predictive Coding job may be executed at any one time per project.

To apply Predictive Coding to the project
1.

From Project Review, open the Confidence panel by going to Layouts > Panels > Confidence.

From the Actions pull-down, select Predictive Coding and click Go.

Go to the Work List under the Home tab to view the status of the Predictive Coding job. Once the job
has completed, return to Project Review.

Performing Quality Control
Once the Predictive Coding job has completed, the reviewer can evaluate whether or not Predictive Coding was
applied successfully to the documents in the project. The reviewer can filter the documents to display only those
documents which have been predictively coded, and evaluate individual documents. If the coding for a
document is incorrect, the reviewer can override the Predictive Coding, and code the document manually. If the
reviewer has determined that the predictive coding was not accurate in coding the documents properly, the
reviewer can create a new Predictive Coding learning set, and reapply the Predictive Coding to the documents.

To check the Predictive Coding
1.

In the Item List under Project Review, select Columns.

Add the SetBy column to the selected columns. The SetBy column displays whether a document has
been manually coded or predictively coded. Click Ok.

Filter the SetBy column to display only predictively coded documents.

In the Coding panel, expand the layout drop-down and select the Predictive Coding layout.

Click Edit.

Examine whether a document has been coded correctly. If not, mark the correct coding and click one of
the following:
Save:
Save

Click this to save your changes and stay on the same document.

and Next: Click this to save your changes and go to the next document in the Item List panel.

The manual override will appear in the SetBy column in the Item List.

Coding Documents

Predictive Coding

| 213

Chapter 21

Annotating Evidence

About Annotating Evidence
Reviewers with the Add Annotations permission can annotate documents and emails.
The following annotation options are available:
Adding

a Note (page 220)

Adding

a Highlight (page 222)

Adding

a Drawn Highlight (page 222)

Adding

a Redaction (page 224)

Adding

a Drawn Redaction (page 224)

Adding

a Link (page 223)

Selecting

a Highlight Profile (page 219)

Selecting

a Markup Set (page 219)

You can use the Natural Panel to perform all annotation options.
See Using the Natural Panel on page 76.
You can use the Image Panel to create redactions, highlights, and markup sets is also available on the.
See Using the Image Panel on page 79.

Prerequisites for Annotating
In order to Select Text, Draw Highlight Text, Draw Redaction Text, Draw Highlight, Draw Redaction, Create Note,
or Create Link, you must select an existing Markup Set.
See Selecting a Markup Set on page 219.
Markup Sets are created for the project on the Home page.

Annotating Evidence

About Annotating Evidence

| 214

About Generating SWF Files for Annotating
Before annotating a file, the file must first be converted to a format that can be annotated or redacted.
AccessData generates an Adobe’s SWF file for files that you can annotate.
You can generate SWF for the following file types: TXT, DOC, PPT, PDF, MSG, HTM, GIF, and so forth.
You can generate a SWF in the following ways:

Method

Description

Generate SWF files when
processing the project

There is a Enable Standard Viewer processing option that will automatically
convert many files to SWF and make the Standard Viewer the default viewer.
This option is checked as the default for the Summation license, but can be
enabled in other products.
When this option is enabled, during processing, a SWF file will be generated for
any document that can be generated as a SWF and that is also 1 MB or larger.
Some documents are not converted to SWF, such as PST, ZIP, DLL, and EXE
files.
For files that are smaller than 1 MB, the SWF file is generated “on-the-fly” when
the document is loaded into the Standard Viewer.
Microsoft Excel files are not automatically converted into SWF, neither during
processing nor “on-the-fly”, but can be done manually later.

Have SWF files
automatically generated
in Review

If you view a file that has not had a SWF file generated for it in the Alternate File
Viewer, then change to the Standard Viewer, and a SWF can be generated, it will
be converted “on-the-fly”.

Generate SWF files
manually

You can generate SWF files with the Annotate Native or Create Image features.
See Using the Image Panel on page 79.

Annotating Evidence

About Generating SWF Files for Annotating

| 215

Accessing SWF Files for Annotating
You can annotate files using one of the following:
The

Standard Viewer in the Natural Panel

The

Image Panel
You cannot annotate files using the Alternate File Viewer in the Natural Panel.

How you access SWF files in the Standard Viewer depends on whether you enabled the Enable Standard
Viewer processing option for the project.
If

If

To access a file to annotate it
1.

Click the Project Review button

In the Project Review, ensure that the Item List and Natural panel are showing.

Select a document in the Item List panel that has a native application.

Do one of the following:
Verify

in the Project List panel next to the project.

that the file is displayed in the Standard Viewer.

If

the file is displayed in the Alternate Viewer, either click the Standard Viewer, or click the Annotate
Native or Create Image button.

Annotating Evidence

Accessing SWF Files for Annotating

| 216

About Annotating Tools
Standard Viewer

Elements of the Standard Viewer
Element

Description

Standard Viewer

Format that allows you to create annotations on the file.
See Using the Natural Panel on page 76.

Alternate File Viewer

Format that allows you to view a native representation of the file.
See Using the Natural Panel on page 76.

Toggle Annotation
Tools
Redaction Reasons
Save Annotations
Show/Hide Redactions
Markup Sets

Annotating Evidence

Toggles the annotation tools on and off.

Click to select a redaction reason to apply to the document.
Save the annotations to file.
Click to show and hide the redactions in the document.
Click to show the Markup Sets that are available to apply to the document.
Note: An existing Markup Set is required for using Annotation Tools.

About Annotating Tools

| 217

Elements of the Standard Viewer (Continued)
Element

Description

Annotation Tools

Note: An existing Markup Set is required for using Annotation Tools.

Pan Mode
Text Selection Mode
Text Highlight
Text Redaction

Click to move within a document page. Navigate by clicking and dragging with
the hand icon.
Click to select text within the document to highlight or redact.
Click to highlight selected text. See Adding a Highlight on page 222.
Click to redact selected text. See Adding a Redaction on page 224.

Drawn Highlight

Click to create a drawn or coordinate-based rectangle highlight. You can use
this tool for creating highlights on documents that are graphics based, rather
than text based. See Adding a Drawn Highlight on page 222.

Drawn Redaction

Click to create a drawn or coordinate-based rectangle redaction. You can use
this tool for creating redactions on documents that are graphics based, rather
than text based. See Adding a Drawn Redaction on page 224.

Create Note
Create Link

Click to add a note to the document. See Adding a Note on page 220.
Click to add a link to another document in the project. See Adding a Link on
page 223.

Navigation Icons
Thumbnails
Fit to Page
Fit to Width
Rotate All
Rotate Page

Page Navigation

Click to view thumbnails of the pages in the document.
Click to fit the document to the Natural pane.
Click to fit the document to the width of the Natural pane.
Click to rotate the document clockwise in 90 degree increments.
Click to rotate a page of the document clockwise in 90 degree increments.
Navigate through the document with either the arrows or by entering a page
number in the field. When documents are generated as PDFs, the page
navigation bar will not be available. You can still navigate through the PDF by
using the vertical scroll bar.
Zoom in and out of the document. Use either the magnifying glass or enter a
percentage in the field.

Zoom

Annotating Evidence

About Annotating Tools

| 218

Profiles and Markup Sets
Selecting a Highlight Profile
Persistent highlighting profiles are defined by the project/case manager and can be toggled on and off using the
Highlight Profile drop-down in Natural panel in the Project Review.

To select a highlight profile
1.

In the Project Review, ensure that the Item List and Natural panel are showing.

Expand the Highlight Profile drop-down and select a profile.

Selecting a Markup Set
Markup sets are a set of annotations performed by a specified group of users. For example, you can create a
markup set for paralegals, then when paralegal reviewers perform annotations on documents in the Project
Review, all of their markups will only appear when Paralegal is selected as the markup for the document in the
Natural or Image panel.
Having an existing Markup Set is required for using Annotation tools.
See Prerequisites for Annotating on page 214.
Note: Only redactions and highlights are included in markup sets.
Markup sets are created by the project/case manager on the home page. Markup Sets are only accessible in the
Standard Viewer of the Natural or Image Panel.

To select a markup set
1.

In the Project Review, ensure that the Item List and Natural or Image panel are showing.

Access the file in the Standard Viewer.

Expand the Markup Set drop-down and select a markup set.

Annotating Evidence

Profiles and Markup Sets

| 219

Adding a Note
Reviewers with the Add Notes permission can add notes to documents in the Natural panel of Project Review.
Notes can be viewed and deleted from the Notes panel for users with the View Notes and Delete Notes
permission.
See The Notes Panel on page 84.

To add a note
1.

Click the Project Review button

Access the file in the Standard Viewer.

Select an existing Markup Set.
See Prerequisites for Annotating on page 214.

Click on the Create Note tool button

Highlight the text in the body of the document to which you want to add a note. The Create Note dialog
appears.

in the Project List panel next to the project.

Create Note View Dialog
7.

Enter a note in the Note field.

Set a Date for the note. The date does not have to be exact, but can be just a month or year.

(Optional) Check issues related to the note.
Note: If you check an issue that has a color associated with it, the selected text will be highlighted that
color.

10. Check the groups with which you want to share the note.
11. Click Save.

Annotating Evidence

Adding a Note

| 220

Editing a Note
Reviewers with the Edit Notes permission can edit notes to documents in the Natural panel of the Project
Review.

To edit a note
1.

Click the Project Review button

Access the file in the Standard Viewer.

In the document, locate the red marker in the text that indicates a note in the document. Double-click
the marker. The Edit Note dialog appears.

Edit the fields that you want to change.

Click Save.

Annotating Evidence

in the Project List panel next to the project.

Editing a Note

| 221

Adding a Highlight
Adding a Text-Based Highlight
Reviewers with the Add Annotations permission can add highlights to documents in the Natural panel of Project
Review.

To add a text-based highlight
1.

Click the Project Review button

In the Project Review, ensure that the Item List and Natural panel are showing.

Access the file in the Standard Viewer.

Select an existing Markup Set.
See Prerequisites for Annotating on page 214.

Click the Text Highlight

(Optional) To delete a text highlight, click on the highlight and press Delete.

in the Project List panel next to the project.

tool button.

Adding a Drawn Highlight
Reviewers with the Add Annotations permission can add a drawn or coordinate-based highlights to documents
in the Natural or Image panel of Project Review. The following steps describe how to add a drawn highlight in the
Natural panel. These steps will also work in the Image panel.

To add a drawn highlight
1.

Click the Project Review button

In the Project Review, ensure that the Item List and Natural panel are showing.

Access the file in the Standard Viewer.

Select an existing Markup Set.
See Prerequisites for Annotating on page 214.

Click the Drawn Highlight tool button

Click and drag the rectangle onto the body of the document.

(Optional) To delete a drawn highlight, click on the highlight and press delete.

Annotating Evidence

in the Project List panel next to the project.

Adding a Highlight

| 222

Adding a Link
Reviewers with the Add Annotations permission can add links to documents in the Natural panel of Project
Review.

To add a link
1.

Click the Project Review button

Access the file in the Standard Viewer.

Select an existing Markup Set.
See Prerequisites for Annotating on page 214.

Click on the Create Link

Highlight the area in the body of the document to which you want to add a link. The Add Document
Link dialog appears.

in the Project List panel next to the project.

tool button.

Add Document Link Dialog

In the Search field, enter the DocID of the document you want to link to.

Press the tab button to activate the Go button and click Go.

Select the document you want to link to from the search results.

10. Click OK.

Annotating Evidence

Adding a Link

| 223

Adding a Redaction
Adding a Text-Based Redaction
Reviewers with the Add Annotations permission can add redactions to documents in the Natural panel of Project
Review.
Note: If you hover over a redaction while in ADViewer mode, the redaction will become transparent, and you
can view the text underneath the redaction.
Redaction color tips:
You

can change the color block for redacting documents to any color.

If

the redaction block color is a darker shade such as black or navy blue, the redaction reason will be set
to white. If the redaction color block is a lighter color such as yellow or white, the redaction reason will be
set to black.

To add a text-based redaction
1.

Click the Project Review button

Access the file in the Standard Viewer.

Select an existing Markup Set.
See Prerequisites for Annotating on page 214.

Click the Text Redaction

Drag over the text that you want to redact.

(Optional) To delete a text redaction, click on the redaction and press Delete.

in the Project List panel next to the project.

tool button.

Adding a Drawn Redaction
Reviewers with the Add Annotations permission can add a drawn or coordinate-based redactions to documents
in the Natural or Image panel of Project Review. The following steps describe how to add drawn redactions in the
Natural panel. These steps will also work in the Image panel.
Note: When using Draw Redaction, text that is very close to the Draw Redaction box may be included in the
redaction.

To add a coordinate-based redaction
1.

Click the Project Review button

Access the file in the Standard Viewer.

Click the Drawn Redaction tool button

Click and drag the rectangle onto the body of the document.

(Optional) To delete a drawn redaction, click on the redaction and press Delete.

Annotating Evidence

in the Project List panel next to the project.

Adding a Redaction

| 224

Coordinate-Based Redactions Boundaries
After drawing a coordinate-based redaction, red square boxes may appear on the redacted text, above the
redacted text, and/or below the redacted text. These red square boxes are the application’s attempt to insure
that all of a character is redacted. The application accomplishes this by indicating all characters that will be
redacted, including font boundaries defined in the file that the user cannot view. Any characters that are bound
by these red boxes will be redacted. If the application is indicating text that you do not want redacted, you can
adjust your redaction so that application will only redact the characters that you want.

Toggling Redactions On and Off
You can toggle redactions on and off in the Natural and Image panels so that you can view or hide them without
deleting redactions.

To toggle redactions on and off
1.

In the Project Review, ensure that the Item List and Natural panel are showing.

Access the file in the Standard Viewer.

Click the Show/Hide Redactions button

Click the button again to turn them back on.

Annotating Evidence

Adding a Redaction

| 225

Chapter 22

Bulk Printing

Reviewers with the Imaging permission can print multiple records using the Bulk Printing mass action in the Item
List panel. You can print to printers that are on the server or to a local machine. You can also brand printed
documents. Bulk printing will print the source documents and include annotations or redactions on the
documents.
You can perform other actions (except for starting another print job) while the system is running a bulk print job.
Note: Before you can print to a printer, you need to download and install the Bulk Print Local plug-in. Upon initial
installation of the application, a prompt appears after logging in asking if you want to install the plug-in. If
this plug-in was not installed at login, the system will prompt you to install when running Local Bulk
Printing for the first time. See the Admin guide for more information.
You can print highlights and redactions on printed documents without needing to create a production set. In the
Bulk Printing dialog, you can select which type of markup sets to print.
In the
Note: For documents that contain both Native and Image redactions, only Image redactions print. Image
redactions take precedence over Native redactions.

Bulk Printing Multiple Documents
To print multiple documents at one time
1.

Click Project Review

in the Project List panel next to the project.

In the Project Review window, verify that the Item List panel is showing.

In the Item List panel, select the documents that you want to print. Skip this step if you are printing all
the documents in the panel.

In the first Actions drop-down menu at the bottom of the panel, do one of the following:
Select

Checked to print all the checked documents.

Select

All to print all documents, including documents on pages not visible.

Bulk Printing

Bulk Printing Multiple Documents

| 226

In the second Actions drop-down menu, select either Network Bulk Printing to print to a network
printer that has been set up by your IT or Administrator or Local Bulk Print to print to a local printer that
has been set up on you local workstation that has been set up by your IT staff or Administrator.
See Network Bulk Printing on page 227.
See Local Bulk Printing on page 227.

Network Bulk Printing
To print to a network printer
1.

Click Go.

Enter options in the General Print Options tab. See General Print Options on page 227.

Click Print.

Local Bulk Printing
To print to a local printer
1.

Click Go.

Enter options in the General Print Options tab. See General Print Options on page 227.

A dialog box appears, asking if the file BulkPrintLocal.WPF may be opened on your system.
Click Allow.
Note: If you start another print job when the dialog window from a previous Local Bulk Printing job is
already open, a new Bulk Printing window will appear. Close the initial Local Bulk Print window
before starting a new local print job.

The Bulk Print Application dialog window appears. See Bulk Print Dialog Options on page 228.

Choose your printer from the drop down box in the Printer Selection area and click Print.
Note: This process may take longer than typical network print operations due in part to document image
conversion processes.

(optional) To cancel a printing job, click Cancel Print Job or close the Bulk Printing dialog box.

General Print Options
The following table shows the options available in the General Print Options screen.

General Print Screen Options
Option

Description

Include Markups

Allows you to print redactions on the printed documents. In the Markup Sets tab,
select which markup set(s) that you want to print.
Note: For a document with both native and image redactions, image redactions
will print, but not native redactions. Image redactions take precedence over
native redactions.

Bulk Printing

Bulk Printing Multiple Documents

| 227

General Print Screen Options
Option

Description

Image Branding

Allows you to brand the printed documents. In the Image Branding Options tab,
select the options that you want for the branding. For more information, see the
Exporting Guide.
Note: Branding the document with the DocID in Local Bulk Printing will brand the
document with the existing DocID. Branding the document in the Export Wizard
will brand the document with the original DocID.

Bulk Print Dialog Options
The following table shows the options available in the Local Bulk Print dialog.

Bulk Printing Dialog Options
Option

Description

Job Details

Displays the job details of the print job, including the Project ID, Project Name,
User Name, Job ID, and number of documents in the print job.

Printer Selection

Select a printer to print the documents to.
Note: You can also select a virtual printer, such as a PDF creation tool, to
print the documents to.

Cancel Print Job

Click to cancel a print job. You can also cancel a print job by closing the Bulk
Printing Dialog window.

Progress Report




Status Report

Docs Printed: Shows the number of documents that have already printed,
and the documents remaining to be printed.
Pages Printed: Shows the number of pages that have been printed in a document sent to the printer. It does not show the total amount of pages printed in
a job.

Displays the status of the print job.
Note: You can also monitor the status of the print job from the Printing/
Export tab of the Home page.

Viewing Print Statuses
You can view the status of bulk printing jobs on the Printing/Export tab of the Home page. You can view the
status of your local bulk print job in the Bulk Print dialog window.

To view the status of your bulk print job
1.

Select the project in the Project List panel.

Click the Printing/Export tab on the Home page.

Click the Printer Status tab.

Bulk Printing

Viewing Print Statuses

| 228

Viewing Print Logs
You can access and view the logs from local bulk printing jobs. The logs are stored in a folder on the server.

To view the log of your bulk print job
1.

In the Windows Start menu, enter Run.

In the Open field, enter %public%.

Open the folder and select the log that you want to view.

Bulk Printing

Viewing Print Statuses

| 229

Chapter 23

Managing Review Sets

Review sets are batches of documents that you can check out for coding and then check back in. Review sets
aid in the work flow of the reviewer. It allows the reviewer to track the documents that have been coded and still
need to be coded. Project/case managers with Create/Delete Review Set permissions can create and delete
review sets.

Creating a Review Set
Project/case managers with Create/Delete Review Set permissions can create and delete review sets.

To create a review set
1.

Click the Project Review

Click the Review Sets button in the Project Explorer.
See the Reviewer Guide for more information on the Review Sets tab.

Right-click the Review Sets folder and click Create Review Set.

button next to the project in the Project List.

Create Review Set Dialog

Enter a Name for the review set.

Managing Review Sets

Creating a Review Set

| 230

Select a Review Column that indicates the status of the review. New columns can be created in the
Custom Fields tab of the Home page.
See Custom Fields Tab on page 263.

Enter a prefix for the batch that will appear before the page numbers of the docs.

Increase or decrease the Batch Size to match the number of documents that you want to appear in the
review set.

Check the following options if desired:
Keep

Families together: Check this to include documents within the same family as the selected
documents in the batch.

Keep

Similar document sets together: Check this to include documents related to the selected
documents in the batch.

Note: Any “Keep” check box selected will override the restricted Batch Size.
10. Click Next.

Create Review Sets Dialog Second Screen

11. Expand Labels and check the labels that you want to include in the review set. All documents with that

label applied will be included in the review set. This is only relevant if the documents have already been
labeled by reviewers.
12. Expand the Document Groups and check the document groups that you want to include in the review

set.
13. Click Next.
14. Review the summary of the review set to ensure everything is accurate and click Create.
15. Click Close.

Managing Review Sets

Creating a Review Set

| 231

Deleting Review Sets
Project/case managers with Create/Delete Review Set permissions can create and delete review sets.

To create a review set
1.

Click the Project Review

Click the Review Sets button in the Project Explorer.
See the Reviewer Guide for more information on the Review Sets tab.

Expand the All Sets folder.

Right-click the review set that you want to delete and click Delete.

Click OK.

Managing Review Sets

button next to the project in the Project List.

Deleting Review Sets

| 232

Renaming a Review Set
Project/case managers with Manage Review Set permissions can rename review sets.

To rename a review set
1.

Click the Project Review

Click the Review Sets button in the Project Explorer.
See the Reviewer Guide for more information on the Review Sets tab.

Expand the All Sets folder.

Right-click the review set that you want to rename and click Rename.

Enter a name for the review set.

Managing Review Sets

button next to the project in the Project List.

Renaming a Review Set

| 233

Manage Permissions for Review Sets
Project/case managers with Manage Review Set permissions can manage the permissions for review sets.

To rename a review set
1.

Click the Project Review

Click the Review Sets button in the Project Explorer.
See the Reviewer Guide for more information on the Review Sets tab.

Expand the All Sets folder.

Right-click the review set that you want to manage permissions for and click Manage Permissions.

button next to the project in the Project List.

Assign Security Permissions Dialog

Check the groups that you want to grant permissions to the review set. Groups granted the Check In/
Check Out Review Batches permission will be able to check out the review sets to which they are
granted permission.

Click Save.

Managing Review Sets

Manage Permissions for Review Sets

| 234

Part 6

Exporting Data

This part describes how to export data and includes the following sections:
Introduction
Creating

Production Sets (page 241)

Exporting
Creating

Exporting Data

to Exporting Data (page 236)

Production Sets (page 257)

Export Sets (page 260)

| 235

Chapter 24

Introduction to Exporting Data

This document contains information about creating and exporting production sets for a project. Exporting data, in
most projects, is performed by the project/case manager. You need the correct permissions to create and export
production sets.

About Exporting Data
When you sort through data, organization remains the key to preparing a streamlined set of data to include in a
report that is delivered to the attorney for the criminal project, civil project, or corporate authorities for a corporate
security project . To prepare data for the final report, you can create sets of filtered data that you can export in
various formats.
After applying labels to the evidence set, you can create either a production set or an export set of data.
When you create production or export sets of data, you can only use one label per set.
Note: Production set records cannot be labeled. Creating a production set results in new items being created.
These resulting items cannot be labeled.

Note: There are certain native formats that do not work for imaging and TIFF operations. These are: PST, NSF,
FC, DAT, DB, EXE, DLL, ZIP, and 7zip
See Export Tab on page 259.
See Exporting Production Sets on page 257.
See Creating Export Sets on page 260.
The following table describes the export formats that you can use for your production and export sets.

Introduction to Exporting Data

About Exporting Data

| 236

Export Formats
Format

Description

AD1

Creates an AD1 forensic image of the documents included in the Export Set.
AD1 is a forensic file format that integrates with FTK.
An AD1 contains the logical structure of the original files and the original files
themselves. The AD1 file is hashed and verifiable to ensure that no changes
have occurred to it.

Image Load File Export

Converts the native documents to a graphic format such as TIFF, JPG, or PDF.
It creates a load file in the IPRO LFP or the Opticon OPT formats.
This is similar to Load File Export except that it does not contain any metadata.

Native Export

Exports the native documents in their original format and optionally rendered
images into a directory of your choosing. This export does not provide a load file.

Load File Export

Exports your choice of Native, Filtered text (includes the OCR text that was
created during processing), rendered images of the native document, and
optionally OCR text of the rendered images.
If the recipient intends to use third-party software to review the export set, select
Load File Export.
You have the option of exporting rendered documents in the following formats:
 Concordance
 EDRM (Electronic Discovery Reference Model) XML
 Generic
 iCONECT
 Introspect
 Relativity
 Ringtail (MDB)
 Summation eDII
 CaseVantage
Some programs have load file size limits. If needed, you can split load files into
multiple files.
If you use the Concordance, Generic or Relativity exports, and include rendered
images, you will also get an LFP and OPT file.

Export Tab
The Export tab on the Home page can be used to manage production sets and export sets.

Production Set History Tab
The Production Set History can be used to export or delete production sets and view the history of the
production set.

Introduction to Exporting Data

About Exporting Data

| 237

Production Set History Tab Elements
Element

Description

Production Set
History Search
Field

Enter text to search by production set name.

Click to Show/Hide Filtering options. You can add and delete filters, and specify
whether the filter is ascending or not. Field options that you can filter on include:
 Created By
 Description
 Email Count
 Export Path
 Item Count
 Total Size
Production Set List

Lists the production set details and the status of the production sets.
Shows the status of the production set creation. During the creation process, the tab
displays blue, and displays the percentage of the process as it is being created. When
the tab turns green, the production set creation is complete.
Note: Even if the percentage counter shows 100%, the production set is not
complete until the status tab turns green.
Expand the tab to view the Status of the Production Set.

Cancel Button

Click to cancel the creation of a production set.

Export Button

Click to export the production set to a load file. This option is not available until the
production set has been created.

Delete Button

Click to delete the production set. This option is not available until the production set
has been created.
Click to expand all expanders. Once the production set has been created, you can
expand the pane to access the reports for the production set, as well as Load File
Generations if the job is a load file.
Click to collapse all expanders.

Click to refresh the production set history list.

Show/Hide
Reports

Expand to access reports.

Show/Hide Load
File Generations

Expand to access the load file generations.

Introduction to Exporting Data

About Exporting Data

| 238

Export Set History Tab
The Export Set History Tab can be used to export or delete export sets and view the history of the export set.

Export Set History Set Elements
Element

Description

Export Set History
Search Field

Enter text to search by export set name.
Click to Show/Hide Filtering options. You can add and delete filters, and specify
whether the filter is ascending or not. Field options that you can filter on include:
 Created By
 Email Count
 Export Path
 Item Count
 Total Size

Export Set List

Lists the export set details and the status of the export sets.
Shows the status of the export set creation. During the creation process, the tab
displays blue, and displays the percentage of the process as it is being created. When
the tab turns green, the production set creation is complete.
Note: Even if the percentage counter shows 100%, the production set is not
complete until the status tab turns green.
Expand the tab to view the Status of the Export Set.

Cancel Button

Click to cancel the creation of a export set.

Export Button

Click to export the export set to either an AD1 file, Native file, or Load File. This option
is not available until the export set has been created. See Exporting Export Sets on
page 240.

Delete Button

Click to delete the export set. This option is not available until the export set has been
created.
Click to expand all expanders. Once the export set has been created, you can expand
the pane to access the reports for the export set, as well as Load File Generations if the
job is a load file.
Click to collapse all expanders.

Click to refresh the export set history list. You can delete the load file generation.
Expand the status tab to view the status of the load file generation.
Show/Hide
Reports

Expand to access reports. You can download the following reports:
Renaming: Export Renaming Report
Image Conversion Exception: Image Conversion Exception Report
Summary: This report must be generated before it can be downloaded. Allow a few
minutes to generate the report.

Show/Hide Load
File Generations

Expand to access the load file generations.

Introduction to Exporting Data

About Exporting Data

| 239

Exporting Export Sets
Export Sets can be exported from the Export History Set as an AD1 file, Native file, or a Load file. Export Sets
can be exported more than one time.
The status of a successful export that contains any errors or warnings logged to the CSV log file now displays as
Export Completed With Warnings. The status display in the Export History tab displays the status as yellowgreen to differentiate the status from a successful export without errors or warnings logged. (13329)
Note: If slipsheets have been generated upon the initial export of the export set, the slipsheet will be counted as
the main image for the object. On any subsequent export set export, the slipsheet generated is counted
as an image for the object. No new images are generated for that object, and a currently-selected
slipsheet is not placed.

Introduction to Exporting Data

About Exporting Data

| 240

Chapter 25

Creating Production Sets

When you create a production set, you include all of the evidence to which you have applied a given label. After
you create the production set, you export the set to a load file.
Case/project managers with the Create Production Sets permission can create production sets.

Points to Consider
Once

you've created a production set you cannot add documents to that set even if you use the same
labels. You will need to label the additional documents and then create a new set using the same label.

When

you create production sets with the PDF option selected, large files will take a long time to create
and may appear to stall.

The

ThreatLookup column is not copied when objects are copied as part of production set creation. Even
if a ThreatLookup was computed for an object that is labeled and included in a production set, then the
object copied from the labeled object will initially have no ThreatLookup score. If desired, you can initiate
ThreatLookup on any selected items by executing a ThreatLookup as a mass action in Review. See
Using the Item List Panel on page 58.

To create a production set
1.

Before you create a production set, be sure you have applied at least one label to evidence files that
you want to filter into the export set.
See Applying Tags on page 190.

Click the Project Review

In the Project Explorer, select the Tags tab, right-click the Production Sets folder, and select Create
Production Set.

Configure the General Options.
See Production Set General Options (page 243) for information on how to fill out the options in the
General Options screen.

Click Next.

Configure the Files To Include.
See Production Set Files to Include Options (page 244) for information on the option in the Files to
Include screen.

Click Next.

Configure the Columns to Include.

Creating Production Sets

button next to the project in the Project List.

| 241

10. In the Columns to Include, click the right arrow to add a column to the production set and the left arrow

to remove a column from the production set. You can rearrange the order of the columns by clicking the
up and down arrows.
Note: Only columns added at this time will be available for exporting. Any columns not added will not be
available in the production set. Also, for a field to be available for branding, it must be included in
the Columns to Include. Field Branding for a production set fails if the field is not included in the
production columns.
11. Click Next.
12. Configure Volume Document Options.

See Volume Document Options (page 246) for information on the options in the Volume Document
Options screen.
13. Configure Image Branding Options.

See Production Set Image Branding Options (page 253) for information on the options in the Image
Branding Options screen.
14. In the Summary screen, review the options that you have selected for the production set and click the

Edit (pencil) button if you want to make any changes.
15. Click Save.

After your production set is created, it will appear in the Export tab of the Home page and under the
Production Sets folder in the Project Explorer of the Project Review.
See Export Tab on page 259.

Creating Production Sets

| 242

Production Set General Options
The following table describes the options that are available on the General Options screen of the production set
wizard.
See Export Tab on page 259.

General Export Options
Option

Description

Name

Enter the name of the production set job you are creating.
This does not need to be a unique name, but it is recommended that you make all names
unique to avoid confusion.

Label

Select the label that has the documents you want to include in the production set.

Description

Enter a description for the production set if desired.

Templates

Select a previously created template to populate all the fields of the production set wizard
using the options selected in a previous production set.

Creating Production Sets

Production Set General Options

| 243

Production Set Files to Include Options
The following table describes the options that are available on the Files to Include screen of the production set
wizard.
See Export Tab on page 259.

Files to Include Options
Option

Description

Include Text Files

Select this to include all filtered text files in the production set. This does not
include redacted text. This will not re-extract text from native files.

Export Native Files

Select this option if you want to include the native documents with the production
set. This will only include native files that have not been redacted. If the native file
has been redacted, a PDF of the file will be included.

Output Email in
Archives

Select this option if there are emails that were originally in a PST or an NSF
format and you want to put them into a PST or NSF container.

Output Email as HTML

Select this option if there are emails that were originally in a PST or NSF and you
want to make them HTML files.
This option will not take loose MSG files and put them into a PST.

Output email as MSG

Select this option if there are emails that were originally in a PST or an NSF that
you want to make into MSG files.

Include Rendered and
Redacted Images

Select this option to include images that have been created in the Project Review.
Additionally, if an image has not yet been created, this option will convert the
native document to an image format.

Excluded Extensions

Enter the file extensions of documents that you do not want to be converted. File
extensions must be typed in exactly as they appear and separated by commas
between multiple entries. This field does not allow the use of wild card characters.
The default values are:
EXE, DLL, and COM

File Format

Compression



RLE (Color) - Produces a color image with RLE compression.




large image).
DPI
Page Format

Set the resolution of the image.
The range is from 96 - 1200 dots per inch (DPI).
Select the page size for the image. The available page sizes are:
Letter – 8 ½” x 11”
 A3 – 29.7 cm x 42 cm
 A4 – 29.7 cm x 21 cm


Creating Production Sets

Production Set Files to Include Options

| 244

Files to Include Options (Continued)
Option

Description

Normalize images

Select this option to obtain consistent branding sizes throughout the entire
production.
Any image that is less than the chosen size will not be resized or rescaled to fit the
chosen page size but will be placed inside of the chosen size frame and will be
oriented to the upper left corner of the page.
Any document determined to be landscape in orientation will produce a proper
landscape image.

Produce color JPGs for
provided extensions

To JPG Extensions

Lets you specify file extensions that you want exported to JPG images.

JPG Quality

Sets the value of JPG quality (1-100). A high value (100) creates high quality
images. However, it also reduces the compression ratio, resulting in large file
sizes. A value of 50 is average quality.

OCR TIFF Images

Creates a page by page OCR text file from the rendered images.
By default, the text file uses a TXT extension.
As a best practice, you would not create both Filtered Text files and OCR text files.
However, if you do both, the Filtered Text files use a TXT extension and the OCR
text files use an OCR.TXT extension.
If you create only OCR text files and not Filtered Text files, the OCR text files use
a TXT extension.

OCR Text Encoding






Redactions Markups

Creating Production Sets

ANSI - Encodes text files using ANSI.

ANSI encoding has the advantage of producing a smaller text file than a Unicode file (UTF). ANSI-encoded text files process faster and save space. The
ANSI encoding includes characters for languages other than English, but it is
still limited to the Latin script.
If you are exporting documents that contain languages written in scripts other
than Latin, you need to choose a Unicode encoding form. Unicode encoding
forms contain the character sets for all known languages.
UTF- 16 Encodes load files using UTF-16.
UTF - 8 (Default) Encodes load files using UTF-8.
For more information on the Unicode standard, see the following web site
http://www.unicode.org/standard/principles.html\

Check the Markup Sets that you want included in the production set. Markups will
be burned into the images that are created.

Production Set Files to Include Options

| 245

Volume Document Options
This section describes the options available in the Volume Document Options screen of the production set
wizard if you have US numbering enabled. US numbering is default. The following table describes the options
available in the following screen.

Volume Document Options Screen
Option Type

Option

Naming Options

Description
Choose a naming option:

New
Production
DocID

(Default) This file naming allows you to determine what the name of
the files will be, based on the document ID numbering scheme. This
option is used with the Document Numbering Options below.
In Project Review, you can view the ProductionDocID that is created
for exported files. This is useful in associating an exported file with the
original file.

Original DocID

This naming is based on the original DocID.
Documents that were imported were put into a document group and
will have a DocID. Documents that were added through the evidence
wizard, will not.
This option lets you re-use that original DocID for the produced record.
If the documents do not have an existing DocID, you can assign one
by placing the documents in a document group or by providing a
DocID naming schema using the Document Numbering Options
below.

Original File
Name

This file naming uses the original file name as the name of the
document rather than a numbered naming convention.
If the files were brought into the project by way of importing a DII or
CSV file, the file name may not be present and therefore the file will be
put into the Production Set using the original DocID that it was
imported with. With this option, the files when exported will be put into
a standard volume directory structure.

Original File
Path

This option uses both the original file name and the original file path
when the production set is exported. The file path will be recreated
within the export folder.

Volume Partition Sorting

(Volume
Partition
Sorting)

You can sort the documents before they are converted and named.
This allows you to choose one or more meta data field values to sort
the documents in ascending or descending order.
You can choose any combination of fields by which to sort, however, it
is not recommended to choose more than 3 fields to sort by.
Add volume partition sorting filters based on specified ascending or
descending fields.

Delete the selected sorting option.
(Volume
Partition
Sorting)

Creating Production Sets

Production Set Files to Include Options

| 246

Volume Document Options Screen (Continued)
Option Type

Option

Description

Sorting

Specify the order that the files are listed in each volume. Sorting
occurs on the parent document.
For example, you might sort by Ascending on the field FILESIZE. In
such project, the first volume contains the largest file sizes, and the
last volume contains the smallest file sizes.

Field

Set the column heading by which you want to sort.

Add

Add the sorting options that you have selected. You can add one or
more sorting filters.

Volume Sample

Provides a sample of the volume directory structure that will be
created when the production set is exported.

Volume Options

Select a volume folder structure for the output files. The selections will
determine how much data is put into each folder before a new folder is
created and the folder structure in which the output is placed.
See About the U.S. Volume Structure Options on page 249.
Partition Type

Select the type of partition you would like to create.

Partition Limit

Set the size of the partition based on the partition type that you have
selected.

Prefix

Specify the prefix-naming convention you want to use for the root
volume of the production set.

Starting
Number

Set the starting number of the first partition in the production set.

Padding

Specify the number of document counter digits that you want. The
range is 1 to 21. 0 padding is not available.

Folder Limit

Create a new numbered volume when the specified folder limit is
reached inside the volume.

Folder

Lets you name and limit the size or the number of items that are
contained in a folder. An export can have one or more folders.
Prefix

Specifies the prefix-naming convention that you want to use for the
folders within the volume of the export.

Suffix

Specifies the suffix-naming convention that you want to use for the
folders within the volume of the export.

Starting
Number

Sets the starting number of the first folder within the volume of the
export.

Padding

Specify the number of document counter digits that you want. The limit
is 21.

File Limit

Creates a new numbered folder when the specified file limit is reached
inside the folder.

Native Folder

Lets you set the name of the Natives folder.
See Files to Include Options on page 244.

Image Folder

Lets you set the name of the Image folder.
See Files to Include Options on page 244.

Creating Production Sets

Production Set Files to Include Options

| 247

Volume Document Options Screen (Continued)
Option Type

Option

Description

Text Folder

Lets you set the name of the Text folder where text files go that are
generated by the OCR engine.
See Files to Include Options on page 244.

Document

This pane is only available if the New Production Doc ID or Original
Doc ID option is selected in the Naming Options.
Use these setting to determine how to generate new names of
produced records. (Some files may retain an original DocID.
See Naming Options above.)
Numbering
Options

See About U.S. Document Numbering Options on page 250.

Prefix

Specifies the prefix-naming convention that you want to use for the
document and page numbering within the folders of the export.

Suffix

Specifies the suffix-naming convention that you want to use for the
document and page numbering within the folders of the export.

Starting
Number

Sets the starting number of the first document or image within the
volume of the export.

Padding

Specify the number of document counter digits that you want. The limit
is 21.

Creating Production Sets

Production Set Files to Include Options

| 248

About the U.S. Volume Structure Options
You can specify the volume folder structure for the output files. The selections will determine how much data is
put into each folder before a new folder is created and the folder structure in which the output is placed.
See Volume Document Options on page 246.
The output files will be contained within the following hierarchy:
Volume

folder - Contains two levels of subfolders for organizing the files. A new volume will be created
when a specified limit is reached.
You can choose from the following limits.

Limits
Limit

Description

Documents

Output will be placed into a volume until the specified number of documents has
been reached, then a new volume will be created.
For example, if you export 2000 files and you set the partition limit to 1000, you
will have two document volumes.

Images

Output will be placed into a volume until the specified number of images has
been reached, then a new volume will be created.
This option is useful because a single, large document may create hundreds or
thousands of single page images.

Megabyte

Output will be placed into a volume until the specified megabyte size of all of the
files has been reached, then a new volume will be created.
For example, you can set a partition limit of 4000 MB if you intend to burn the
files to DVD media.

Single

All output will be placed into one volume.

You can also specify a volume folder limit. In order to prevent issues with Microsoft Windows Explorer,
you can specify an additional limit of the number of folders in a volume. This works in addition to the
selected limit type. If the specified volume limit is not reached, but the folder limit is, a new volume will be
created.
File

type folder - The first level subfolders within each volume are separated by the file types of the
exported files. By default, the folders are named by file type, for example, native documents, images, or
text files. You can name these file type folders anything you want. This allows you to put your image and
text files into the same folder. While you can name all of the file type folders the same; thereby placing
the natives, images, and text files into a single folder; it is not recommended because there could be
naming conflicts if your native file and image or text file have the same name.

Level

2 folder - The second level folders contain the actual files being exported. You can specify a limit of
the total number of files per folder. This limit, once reached, will create a new folder within the same file
type folder until the volume maximum or number of folders has been reached.

Using the Partition Type, Partition Limit, and Folder limit values together, you can create the volume structure
that meets your needs. The following graphic is an example of a volume structure.

Creating Production Sets

Production Set Files to Include Options

| 249

Note: No document that has been rendered will have its rendered pages divided into more than one folder.
If a folder limit is about to be reached, but the next document that should go into that folder will exceed the
maximum, a new folder will be started automatically for the new document. The same applies to document
families, if the volume maximum is about to be reached and the next document family will exceed the limit, a new
volume will be started and the next document family will be placed into that new volume.

About U.S. Document Numbering Options
If you have chosen to use a DocID naming scheme for the output files, you can specify the method for creating
Doc IDs. This section describes the Numbering options found in the Volume Document Options screen of the
Production Set wizard.
See Volume Document Options on page 246.

Production Set Numbering Options

You will choose from the document numbering options:
Document And Page Numbering Uniquely Sequenced (page 251)
Document Numbering Tied To Page Numbering (page 251)
Document Numbering With Page Counter Suffix (page 252)

Creating Production Sets

Production Set Files to Include Options

| 250

Document And Page Numbering Uniquely Sequenced
This option generates a sequential number that is applied to the document without regard to the rendered pages
that may or may not be produced. The images will also be numbered sequentially without regard to the
document number.
For example, if you have two documents each that produce two images during conversion, the output would be:

Example Output
Native Documents

Image Output

ABC00001.doc

IMG00001.tif
IMG00002.tif

ABC00002.doc

IMG00003.tif
IMG00004.tif

You can optionally specify a prefix- and a suffix-naming convention.

Document Numbering Tied To Page Numbering
This option generates a sequential number for every document and the pages produced for that document will
carry the document's name with a counter as a suffix that represents which page is represented by the image.
For example, if you have two documents each that produce two images during conversion, the output would be:

Example Output
Native Document

Image Output

ABC00001.doc

ABC00001.001.tif
ABC00001.002.tif

ABC00002.doc

ABC00002.001.tif
ABC00002.002.tif

Considerations for Document Numbering Tied to Page Numbering
If creating production sets with a dot (.) in the DocID and page branding, you must choose the option Document
Numbering with Page Counter Suffix, not Document Numbering Tied to Page Numbering in order to
ensure that each page has a unique page ID.
For example, if the original DocIDs are:
JXT.001.0001
JXT.001.0002
JXT.001.0003 and so on.
If you chooses Document Numbering Tied to Page Numbering as the numbering option, then the last numeric
part of the DocID is used as the page ID, and it is incremented for each page. Suppose that each document has

Creating Production Sets

Production Set Files to Include Options

| 251

five pages, and that the Page ID is branded on each page. In this example, the DocID of the first document will
be JXT.001.0001. The first page is branded as JXT.001.0001, the second page as JXT.001.0002, and so forth.
The second document's doc ID will be JXT.001.0002. The first page will be branded as JXT.001.0002, the
second page as JXT.001.0003, and so on.
In this example, you can see that the page IDs are not unique, since JXT.001.0003 will be branded on:
The

third page of the first document

The

second page of the second document

The

first page of the third document

In order for the page IDs to be unique, the Document Numbering with Page Counter Suffix must be chosen.
Continuing with the same DocIDs as in the first example and with this numbering option, the DocID of the first
document will still be JXT.001.0001, but the first page will be branded as JXT.001.0001.0001, the second page
as JXT.001.0001.0002, and so on. This will ensure that each page has a unique page ID.

Document Numbering With Page Counter Suffix
This option generates a sequential number for every page created. The corresponding document name will be
the same as its first page generated for each document.
For example, if you have two documents each that produce two images during conversion, the output would be:

Example Output
Native Documents

Image Output

ABC00001.doc

ABC00001.tif
ABC00002.tif

ABC00003.doc

ABC00003.tif
ABC00004.tif

You can optionally specify a prefix- and a suffix-naming convention.

Creating Production Sets

Production Set Files to Include Options

| 252

Production Set Image Branding Options
You can brand the PDF or TIFF image pages with several different brands and in several different locations on
the page using the Production Set wizard.
See Export Tab on page 259.

Image Branding Options
Option Group

Options

Description

Sample

Displays a sample of the image branding
options selected.

Watermark

Set options to brand a watermark to the middle
of the document.
Watermark
Opacity

Sets the visibility of the watermark text.

Watermark
Type

There are multiple types of image branding
available. The options in the Watermark group
box will differ depending on the Type that you
select.
None

No branding on the image.
Font

Sets the font style for the text.

Font Size

Sets the font size for the text.

Bates

Creating Production Sets

Bates numbering is a term used for placing an
identifying number on every page of evidence
files that are presented in court.
Bates numbering in this project is not driven by
the document or page numbering that was
assigned in the Volume/Document Options
panel.
Prefix

Specify up to any 25 alphanumeric characters
except the forward slash or backward slash.
You can use a separator to create a visual
break between the different sections of the
Bates number.

Starting
Number

Sets the starting number to a value from 1-100.

Padding

Specify the number of document counter digits
that you want. The limit is 42.

Font

Sets the font style for the text.

Font Size

Sets the font size for the text.

Production Set Image Branding Options

| 253

Image Branding Options (Continued)
Option Group

Options

Doc ID

Description
Brands each page with the Doc ID in the
designated location. For example, if you have a
single document that was assigned a DocID of
ABC00005.doc, each image representing that
document will have ABC00005 branded in the
specified location.
Note: This brands the document with the
original DocID.

Font

Sets the font style for the text.

Font Size

Sets the font size for the text.

Global
Endorsem
ent

Brands each page with the entered text in the
designated location.
Text

Enter the text that you want to appear in the
designated location.

Font

Sets the font style for the text.

Font Size

Sets the font size for the text.

Page ID

Brands each page with the name that was
provided during the Production Set creation in
the designated location.
For example if you have a document that
produced three image pages named
ABC00001.tif, ABC00002.tif, and
ABC00003.tif, the images will be branded with
ABC00001, ABC00002, and ABC0003
respectively.
Font

Sets the font style for the text.

Font Size

Sets the font size for the text.

Near Header

Displays the branding options for a header on
the upper-left side of the page. These options
are based on the Header Type selected. See
the Watermark Type options above for more
information on the Header Type options as they
are the same options.

Center Header

Displays the branding options for a header on
the upper-center side of the page. These
options are based on the Header Type
selected. See the Watermark Type options
above for more information on the Header Type
options as they are the same options.

Far Header

Displays the branding options for a header on
the upper-right side of the page. These options
are based on the Header Type selected. See
the Watermark Type options above for more
information on the Header Type options as they
are the same options.

Creating Production Sets

Production Set Image Branding Options

| 254

Image Branding Options (Continued)
Option Group

Options

Description

Near Footer

Displays the branding options for a header on
the lower-left side of the page. These options
are based on the Header Type selected. See
the Watermark Type options above for more
information on the Header Type options as they
are the same options.

Center Footer

Displays the branding options for a header on
the lower-center side of the page. These
options are based on the Header Type
selected. See the Watermark Type options
above for more information on the Header Type
options as they are the same options.

Far Footer

Displays the branding options for a header on
the lower-right side of the page. These options
are based on the Header Type selected. See
the Watermark Type options above for more
information on the Header Type options as they
are the same options.

Creating Production Sets

Production Set Image Branding Options

| 255

Additional Production Set Options
Saving Production Set Options as a Template
After configuring the production set options, you can save the settings as a template. The template can be
reused for future production sets with the current project or other projects.

To save options as a template
1.

Access the production set wizard and set the options for the production set.
See Export Tab on page 259.

In the production set wizard, click Save As.

Enter a name for the template.

Click Save.

Deleting a Production Set
Users with production set rights can delete production sets from Project Review.

To delete a production set from Project Review
1.

Click the Project Review

In the Project Explorer, select the Explore tab, expand the Production Sets folder, right-click the
production set that you want to delete and select Delete.

Click OK.

button next to the project in the Project List.

To delete a production set from the Home page
1.

Select the project in the Project List panel.

Click the Print/Export tab on the Home page.

Click the Delete button next to the production set.

Sharing a Production Set
Users with production set rights can share production sets that they have created with other groups of users.

To share a production set
1.

Click the Project Review

In the Project Explorer, select the Explore tab, expand the Production Sets folder, right-click the
production set that you want to share and select Manage Permissions.

Check the groups that you want to have access to the production set that you created and click Save.

Creating Production Sets

button next to the project in the Project List.

Additional Production Set Options

| 256

Chapter 26

Exporting Production Sets

Exporting a Production Set
After you create a production set, you can export it containing only the files needed for presentation to a law firm
or corporate security professional.

To export a production set
1.

On the Home Page, select a project and click the

Export tab.

Next to the production set that you want to export, click Export.

Enter or browse to the path where you want to save the export.

Enter a name for the Load File.

Select a format that you want to use for the export. The following formats are available:
Briefcase - Generates an HTML format that provides links to the native documents, images,
and text files.
You can have multiple links for image, native, and text documents.

Browser

- Generates a DII file specifically formatted for use with the AD Summation
CaseVantage program.

CaseVantage

Concordance
EDRM

- Generates a DAT file that can be used in Concordance.

- Generates an XML file that meets the EDRM v1.2 standard.

Generic

- Generates a standard delimited text file.

iCONECT

- Generates an XML file formatted for use with the iConect program.

Introspect

(IDX file) - Generates an IDX file specifically formatted for use with the Introspect

program.
Relativity
Ringtail

- Generates a DAT file that can be used in Relativity.

(MDB) - Generates a delimited text file that can be converted to be used in Ringtail.

eDII - Generates a DII file specifically formatted for use with the AD Summation iBlaze or
Enterprise programs.

Summation

Exporting Production Sets

Exporting a Production Set

| 257

Note: If you are outputting a Concordance, Relativity, or Generic load file, and include rendered
images, you will also get an OPT and LFP file in the export directory.
6.

Depending on the load file format you choose, you may need to check whether or not to show the row
header for the columns of data. The Show Row Header option is only available for the following load file
formats:
Concordance
Generic
Introspect
Relativity
Ringtail

(MDB)

Select an option for Load File Encoding. The following options are available:
- Encodes load files using ANSI (for text written in the Latin script).
ANSI encoding has the advantage of producing a smaller load file than a Unicode file (UTF). ANSIencoded load files process faster and save space. The ANSI encoding includes characters for
languages other than English, but it is still limited to the Latin script.
If you are exporting documents that contain languages written in scripts other than Latin, you need to
choose a Unicode encoding form. Unicode encoding forms contain the character sets for all known
languages.

ANSI

- (Default) Encodes load files using UTF-8.
For more information on the Unicode standard, see the following website:
http://www.unicode.org/standard/principles.html
Most commonly used for text written in Chinese, Japanese, and Korean.

UTF-8

- Encodes load files using UTF-16.
Similar to UTF-8 this option is used for text written in Chinese, Japanese, and Korean.

UTF-16

Select a Field Mapping character. This delimiter is the character that is placed between the columns of
data. The default delimiters are recommended by the program to which the load file was intended.
However, you can change these defaults by selecting the drop-down and choosing an alternative.
Field Mapping is available for the following load file formats:
Concordance
Generic
Introspect
Relativity
Ringtail

(MDB)

Select a Text Identifier character. This delimiter is the character that is placed on either side of the
value within each of the columns. All of the text that follows the character and precedes the next
occurrence of the same character is imported as one value.
The default delimiters are recommended by the program to which the load file was intended. However,
you can change these defaults by selecting the drop-down and choosing an alternative. If you do not
wish to use a delimiter, you can choose the (none) option.
Text Identifier is available for the following load file formats:
Concordance
Generic
Introspect
Relativity
Ringtail

(MDB)

Exporting Production Sets

Exporting a Production Set

| 258

10. Select a Newline character. This is a replacement character for any newline (carriage return/line feed)

character. The default delimiters are recommended by the program to which the load file was intended.
However, you can change these defaults by selecting the drop-down and choosing an alternative. If you
do not wish to use a delimiter, you can choose the (none) option.
Newline is available for the following load file formats:
Concordance
Generic
Introspect
Relativity
Ringtail

(MDB)

11. Select the Available Fields of metadata to be included in the load file and click the right arrow to add

the field.
12. Some load file applications require that certain fields be in the load file. In such projects, you can click
the Custom plus button to add a custom field entry that is not already listed in the Available Fields list.
13. Click Export.

Export Tab
The Export tab on the Home page can be used to export or delete production sets and view the history.

Export Tab Elements
Element

Description

Production Set
History Search
Field

Enter text to search by production set name.

Production Set List

Lists the production sets and the status of the production sets.

Export Button

Click to export the production set to a load file.

Delete Button

Click to delete the production set.

Exporting Production Sets

Export Tab

| 259

Chapter 27

Creating Export Sets

Creating Export Sets
You can export documents without creating a production set. To do this, create an Export Sets of labelled
documents, and then export the created Export Sets. Unused Export Sets can also be deleted.
When you create a set, you include all of the evidence to which you have applied a given label. After you create
the export set, you export the set to an AD1 image file, an image load file, a native export, or a load file.
Note: Once you've created an export set you cannot add documents to that set even if you use the same labels
used previously. You can label additional documents and then create a new set using the same label.

See Creating an AD1 Export on page 260.
See Creating a Native Export on page 264.
See To create a load file export on page 274.

Creating an AD1 Export
Choose to create an AD1 forensic image of the document included in the Export Set if you want to load the AD1
files into AD Forensic Toolkit (FTK) for further investigation. An AD1 contains the logical structure of the original
files and the original files themselves.

To create an AD1 export
1.

Before you create an AD1 export, be sure that you have applied at least one label to evidence files that
you want to filter into the export set.

Click the Project Review

In the Project Explorer, click

Right-click the Export Sets folder, and select Create AD1 Export.

See AD1 Export General Options on page 262. for information on how to fill out the options in the
General Option screen.

Click Export.

Creating Export Sets

button next to the project in the Project List.
Explore.

Creating Export Sets

| 260

After your export is created, it appears in the Export tab of the Home page and under the Export Sets
folder in the Project Explorer of the Project Review. A Summary report generates and saves to the
export folder.

Creating Export Sets

| 261

AD1 Export General Options
The following table describes the options that are available on the General Options screen of the AD1 export set
wizard.

AD1 Export General Options Screen

AD1 Export General Option Screen
Option

Description

Export Path

Enter the UNC path to the export set. You can browse to the server and path,
and validate the path before exporting the load file. This path must be accessible
to the logged in user. A new folder will be created if the folder you specify does
not exist.

Job Name

Specify the name for your export set. For example, you can organize export sets
by using the person’s name for ease of examination. This naming method is
particularly useful if there are multiple people.

Label

This field is required. Before you create an AD1 export, be sure that you have
applied at least one label to evidence files that you want to filter into the export
set.

Generate Exclusion
Report

Lets you create a report of all the documents within the selected collection that
were not included in the export.

Include Duplicates

Mark to include duplicates. Includes unlabeled documents that are flagged as
secondary (duplicates) to the labeled primary documents. These duplicate files
will not be labeled as part of the export set, however, so the file count in the load
file will be different that what is listed in the export set.

Creating Export Sets

AD1 Export General Options

| 262

AD1 Export General Option Screen
Option

Description

Organize by Person

Creates a folder for each person to place the output into.

Email Contained in PST/
NSF

Select to either output a reduced version of the original PST/NSF file, the emails
as individual MSG files, or as individual HTML/RTF files.
Note: In order to view the PST file after export, make sure to have Outlook
installed on the environment.

AD1 File Name

Specifies the name of the exported AD1 file. If you are also selecting to organize
by person, each person’s folder will contain its own AD1 image file with this
name.

Encryption

Select to encrypt the AD1 file, either with a certificate or password, or choose not
to encrypt it.

Creating Export Sets

AD1 Export General Options

| 263

Creating a Native Export
Choose to create a Native Export if you want to export the native documents in their original format and
optionally rendered images into a directory of your choosing. This export does not provide a load file.

To create a native export
1.

Before you create an export, be sure that you have applied at least one label to evidence files that you
want to filter into the export set.

Click the Project Review

In the Project Explorer, click

Right-click the Export Sets folder, and select Create Native Export.

See Native Export General Options on page 265. for information on how to fill out the options in the
General Option screen.

Click Next.

See Native Export Files to Include on page 267. for information on how to fill out the options in the Files
to Include screen.

Click Next.

button next to the project in the Project List.
Explore.

10. See Export Volume Document Options on page 269. for information on how to fill out the options in the

Volume Document Options screen.
11. Click Next.
12. See Export Excel Rendering Options on page 271. on how to fill out the options in the Excel Rendering

Options screen.
13. Click Next.
14. See Export Word Rendering Options on page 273. for information on how to fill out the options in the

Word Rendering Options screen.
15. Click Next.
16. On the Summary page, review your options before saving to export.

After your export is created, it will appear in the Export tab of the Home page and under the Export Sets folder in
the Project Explorer of the Project Review.

Creating Export Sets

Creating a Native Export

| 264

Native Export General Options
The following table describes the options that are available on the General Options screen of the Native Export
set wizard.

Native Export General Options Screen

Native Export General Options Screen
Option

Description

Export Path

Job Name

Specify the name for your export set. For example, you can organize export sets
by using the person name for ease of examination. This naming method is
particularly useful if there are multiple people.

Label

This field is required. Before you create an AD1 export, be sure that you have
applied at least one label to evidence files that you want to filter into the export
set.

Generate Exclusion
Report

Lets you create a report of all the documents within the selected collection that
were not included in the export..

Include Duplicates

Organize By Person

Creates a folder for each person to place the output into.

Creating Export Sets

Native Export General Options

| 265

Native Export General Options Screen
Option

Description

Export Templates

If you have saved an export template you can apply it to the current export set.
By applying a template, all current settings will be replaced.
You can also delete and rename a template.
By clicking Save As in the wizard, you can save the export options as a template.

Creating Export Sets

Native Export General Options

| 266

Native Export Files to Include
You can select how you want to export native files and rendered images. Select the graphics images that you
want to use for slipsheets in the load file. The following table describes the options that are available on the
Native Files screen of the Native Export set wizard.

Export Files to Include Options
Options

Description

Include Native Files

Select this option if you want to include the native documents with the export set.
This will only include native files that have not been redacted. If the native file
has been redacted, a pdf of the file will be included.

Output a Reduced
Version of the Original
PST/NSF file

Select this option if you want to output a reduced version of the PST/NSF file.

Output messages as
individual HTML/RTF

Select this option if you are exporting emails that were originally in a PST or NSF
and you want to export them as HTML or RTF files.
Uses the FTK object ID instead of the file name of the email message.
Note: MSG files exported as HTML format are output in MSG format instead
of HTML/RTF format.

Output messages as
individual MSG

Select this option if you want to save the email as individual MSG files.

Include Rendered
Images

Select this option to include images that have been created in the Project
Review. Additionally, if an image has not yet been created, this option will convert
the native document to an image format. If selected, you will have the option to
set rendering options for Excel and Word documents.
See Export Excel Rendering Options on page 271.
See Export Word Rendering Options on page 273.

Excluded Extensions

File Format

Select which format you want the native file converted to:
Multi-page - one TIFF image with multiple pages for each document.
 PDF - one PDF file with multiple pages for each document.
 Single Page - a single TIFF image for each page of each document. For
example, a 25 page document would output 25 single-page TIFF images.


Compression



RLE (Color) - Produces a color image with RLE compression.





large image).
DPI

Creating Export Sets

Set the resolution of the image.
The range is from 96 - 1200 dots per inch (DPI).

Native Export Files to Include

| 267

Export Files to Include Options
Options

Description

Page Format

Select the page size for the image. The available page sizes are:
 Letter – 8 ½” x 11”
 A3 – 29.7 cm x 42 cm
 A4 – 29.7 cm x 21 cm

Normalize images

Select this option to obtain consistent branding sizes throughout the entire
production.
Any image that is less than the chosen size will not be resized or rescaled to fit
the chosen page size but will be placed inside of the chosen size frame and will
be oriented to the upper left corner of the page.
Any document determined to be landscape in orientation will produce a proper
landscape image.

Produce color JPGs for
provided extensions

To JPG Extensions

Lets you specify file extensions that you want exported to JPG images.

JPG Quality

Sets the value of JPG quality (1-100). A high value (100) creates high quality
images. However, it also reduces the compression ratio, resulting in large file
sizes. A value of 50 is average quality.

Slipsheet

Select this option to upload a slipsheet image to the server for use in the exports.
Slipsheets are an image that you can use when certain files cannot be converted
to an image, such an .exe file, or a .dll file. The slipsheet image is substituted in
place of the unconverted file.
A copy of this file is placed in the export image folder for every document that
you have chosen to exclude from conversion and will be named in accordance
with your file naming selection.
You need to select a file that matches the export file type. For example, if you are
exporting TIFFs, you must select a TIFF file as a slipsheet.
Enter the path to the slipsheet. You can browse to the server and path, and
validate the slipsheet path.
Note: You can have only one custom slipsheet per project.

Creating Export Sets

Native Export Files to Include

| 268

Export Volume Document Options
This section describes the options available in the Volume Document Options screen of the Export set wizard if
you have US numbering enabled. US numbering is the default. If you click Original in Naming Options, this panel
becomes disabled. The following table describes the options available.

Export Volume Document Options
Options

Description

Naming Options

Choose a naming option.

New Production DocID

(Default) This file naming allows you to determine what the name of the files will
be, based on the document ID numbering scheme. This option is used with the
Document Numbering Options on this tab.
In Project Review, you can view the ProductionDocID that is created for exported
files. This is useful in associating an exported file with the original file.

Original DocID

This naming is based on the original DocID.
Documents that were imported were put into a document group and will have a
DocID. Documents that were added through the evidence wizard, will not.
This option lets you re-use that original DocID for the produced record.
If the documents do not have an existing DocID, you can assign one by placing
the documents in a document group or by providing a DocID naming schema
using the Document Numbering Options on this tab.

Original File Name

This file naming uses the original file names in the name of the documents rather
than a numbered naming convention.

Original File Path with
Original Path

This uses the original file path folder structure rather than an auto-generated,
numbered folder structure. Clicking this option disables the Doc ID Numbering
pane

Append Object ID’s

Allows you to use the name of your choice (Original or Original File Name with
Original Path), but also include the FTK Object ID as part of the native file
names. This option is not available for Doc ID

Volume Partition
Sorting

You can sort the documents before they are converted and named. This allows
you to choose one or more metadata field values to sort the documents in
ascending or descending order.
You can choose any combination of fields by which to sort, however, it is not
recommended to choose more than 3 fields to sort by.
 Plus sign - Add volume partition sorting filters based on specified ascending
or descending fields.
 Minus sign - Delete the selected sorting option.

Sorting

Specifies the order that the files are listed in each volume. Sorting occurs on the
parent document.
For example, you might sort by Ascending on the field FILESIZE. In such project,
the first volume contains the largest file sizes, and the last volume contains the
smallest file sizes.

Field

Sets the FTK column heading by which you want to sort.

Volume Sample

Provides a sample of the volumes.

Doc ID Numbering

Creating Export Sets

Export Volume Document Options

| 269

Export Volume Document Options
Options

Description

Volume Partition
Options

Select a volume folder structure for the output files. The selections will determine
how much data is put into each folder before a new folder is created and the
folder structure in which the output is placed.

Folder

Lets you name and limit the size or the number of items that are contained in a
folder. An export can have one or more folders.

Prefix

Specifies the prefix-naming convention that you want to use for the folders within
the volume of the export.

Suffix

Specifies the suffix-naming convention that you want to use for the folders within
the volume of the export.

Starting Number

Sets the starting number of the first folder within the volume of the export

File Limit

Creates a new numbered folder when the specified file limit is reached inside the
folder.

Native Folder

Lets you set the name of the Natives folder.

Image Folder

Lets you set the name of the Image folder.
See Native Export Files to Include on page 267.

Text Folder

Lets you set the name of the Text folder where text files go that are generated by
the OCR engine. See Native Export Files to Include on page 267.

Document

This pane is only available if the New Production Doc ID or Original Doc ID
option is selected in the Naming Options.
Use these setting to determine how to generate new names of produced records.
(Some files may retain an original DocID. See the Naming Options on this tab.)

Numbering Options

See About U.S. Document Numbering Options on page 250.

Prefix

Specifies the prefix-naming convention that you want to use for the document
and page numbering within the folders of the export.

Suffix

Specifies the suffix-naming convention that you want to use for the document
and page numbering within the folders of the export.

Starting Number

Sets the starting number of the first document or image within the volume of the
export.

Padding

Specify the number of document counter digits that you want. The limit is 21.

Creating Export Sets

Export Volume Document Options

| 270

Export Excel Rendering Options
You can set the options to format any Microsoft Excel spreadsheet prior to converting it to a graphic format. In
order for any of the options within this tab to be applied, you must first deselect the Use Original Document
Settings option check box. When this option is selected, the other formatting options will not be applied and the
document will be converted using the fromatting that it was last saved with. The following table describes the
options that are available on the Excel Rendering Options screen.

Export Excel Rendering Options
Options

Description

General

Set to determine how the spreadsheet is rendered.

Use Original Document
Settings

Specifies that the original settings for Excel spreadsheets, such as paper size,
orientation, and margins, be maintained on the converted output.

Paper Size

Choose to render the spreadsheet in the following paper sizes. The default paper
size is Letter:
 10 x 14
 11 x 17
 A3
 A4
 A5
 B4
 B5
 Custom
 Envelope DL
 Executive
 Folio
 Ledger
 Legal
 Letter
 Quarto
 Statement
 Tabloid

Orientation

Select either Letter or Landscape for the paper size of the spreadsheet.

Header, Footer, and
Page Margins

Set the margins of the spreadsheet. The default is 1 inch.

Formula Substitutions

Substitute the formulas for the Date, Time, and Path fields. You can choose to
substitute the original formula, the original metadata, or custom text string.

Printing

Specify how the spreadsheet comments are printed

Printing Comments

Print comments on either Print Sheet End, Print in Place, or Print No Comments

Print Order

For use with Excel spreadsheets that may not fit on the rendered page. If the
spreadsheet is too wide to fit on the rendered page, you can choose to print in
the following ways:
Down Then Over - Choose to print top to bottom first and then print left to right.
Over Then Down - Choose to print left to right first and then print top to bottom.

Creating Export Sets

Export Excel Rendering Options

| 271

Export Excel Rendering Options
Options

Description

Page

Mark the following options:
 Center Sheets Horizontally
 Center Sheets Vertically
 Fit Image To Page
 One Page Per Sheet
 Show Hidden Data - This is checked by default

Fix To X Pages

Converts an Excel document and attempts to fit the resulting output image into a
specified number of pages.

Scaling

Scales the output image to a specified percentage of the original size. The
maximum scale is 100%.

Creating Export Sets

Export Excel Rendering Options

| 272

Export Word Rendering Options
You can set the page size, orientation, and margins of a word processing document on the converted output.
The following table describes the options that are available on the Word Rendering Options screen of the Native
Export set wizard.

Export Word Rendering Options
Options

Description

General

Set to determine how the word processing is rendered.

Use Original Document
Settings

Specifies that the original settings for Word documents, such as paper size,
orientation, and margins, be maintained on the converted output.

Paper Size

Choose to render the word processing document in the following paper sizes.
The default paper size is Letter:
 10 x 14
 11 x 17
 A3
 A4
 A5
 B4
 B5
 Custom
 Envelope DL
 Executive
 Folio
 Ledger
 Legal
 Letter
 Quarto
 Statement
 Tabloid

Orientation

Select either Letter or Landscape.

Header, Footer, and
Page Margins

Set the margins of the spreadsheet. The default is 1 inch.

Field Substitutions

Substitute the fields for the Date, Time, and Path fields. You can choose to
substitute the original formula, the original metadata, or custom text fields.

Page




Creating Export Sets

Show Hidden Text - this is checked as default
Print Endnotes At End Of Next Section

Export Word Rendering Options

| 273

Creating a Load File Export
When creating a load file export, you can export your choice of Native, Filtered text (includes the OCR text that
was created during processing), rendered images of the native document, and optionally OCR text of the
rendered images.
If the recipient intends to use third-party software to review the export set, select Load File Export.

To create a load file export
1.

Before you create an export, be sure that you have applied at least one label to evidence files that you
want to filter into the export set.

Click the Project Review

In the Project Explorer, click

Right-click the Export Sets folder, and select Create Load File Export.

See Load File General Options on page 275. for information on how to fill out the options in the General
Option screen.

Click Next.

See Load File Options on page 276. for information on how to fill out the options in the Load File
Options screen.

Click Next.

button next to the project in the Project List.
Explore.

10. See Load File Files to Include Options on page 278. for information on how to fill out the options in the

Include screen.
11. Click Next
12. See Export Volume Document Options on page 269. for information on how to fill out the options in the

Volume Document Options screen.
13. Click Next.
14. See Export Excel Rendering Options on page 271. on how to fill out the options in the Excel Rendering

Options screen.
15. Click Next.
16. See Export Volume Document Options on page 269. for information on how to fill out the options in the

Word Rendering Options screen.
17. Click Next.
18. On the Summary page, review your options before saving to export.

After your export is created, it will appear in the Export tab of the Home page and under the Export Sets folder in
the Project Explorer of the Project Review.

Creating Export Sets

Creating a Load File Export

| 274

Load File General Options
The following table describes the options that are available on the Load FIle General Options screen of the Load
FIle Export set wizard.

Load File General Options
Options

Descriptions

Export Path

Job Name

This field is required.

Label

This field is required. Before you create a load file, be sure that you have applied
at least one label to evidence files that you want to filter into the export set.

Generate Exclusion
Report

Lets you create a report of all the documents within the selected collection that
were not included in the export.

Include Duplicates

Generate Load File

This is marked as default.

Export Templates

Creating Export Sets

Load File General Options

| 275

Load File Options
The following table describes the options that are available on the Load File Options screen of the Load FIle
Export set wizard.

Load File Export Options
Options

Descriptions

Load File Export
Load File Name
Load File Encoding

Enter the name for the Load File.
The following options are available for load file encoding:
ANSI - Encodes load files using ANSI (for text written in the Latin script).
ANSI encoding has the advantage of producing a smaller load file than a Unicode file (UTF). ANSI-encoded load files process faster and save space. The
ANSI encoding includes characters for languages other than English, but it is
still limited to the Latin script.
If you are exporting documents that contain languages written in scripts other
than Latin, you need to choose a Unicode encoding form. Unicode encoding
forms contain the character sets for all known languages.
 UTF-8 - (Default) Encodes load files using UTF-8.
For more information on the Unicode standard, see the following website:
http://www.unicode.org/standard/principles.html
Most commonly used for text written in Chinese, Japanese, and Korean.
 UTF-16 - Encodes load files using UTF-16.
Similar to UTF-8 this option is used for text written in Chinese, Japanese, and
Korean.


Selected Format

The following formats are available for export:
 Browser Briefcase - Generates an HTML format that provides links to the
native documents, images, and text files.
You can do the following:
Have multiple links for image, native, and text documents.
Work with production sets exported previously in iBlaze Browser Briefcase
format. This allows you to have greater control over the production set.
 caseVantage - Generates a DII file specifically formatted for use with the AD
Summation caseVantage program.
 Concordance - Generates a DAT file that can be used in Concordance.
 EDRM - Generates an XML file that meets the EDRM v1.2 standard.
 Generic - Generates a standard delimited text file.
 iCONECT - Generates an XML file formatted for use with the iConect program.
 Introspect (IDX file) - Generates an IDX file specifically formatted for use with
the Introspect program.
 Relativity - Generates a DAT file that can be used in Relativity.
 Ringtail (MDB) - Generates a delimited text file that can be converted to be
used in Ringtail.
 Summation eDII - Generates a DII file specifically formatted for use with the
AD Summation iBlaze or Enterprise programs.
Note: If you are outputting a Concordance, Relativity, or Generic load file, and
include rendered images, you will also get an OPT and LFP file in the export
directory.

Multi-Entry Separator

Choose which character to separate multi-entries. The default character is ;.

Creating Export Sets

Load File Options

| 276

Load File Export Options
Options

Descriptions

Available Fields

Select from the available fields.
There is an ORIGINALDOCID field available. This allows you to include a field to
reflect the original DocID when exporting with new DocIDs.
You can select FTK metadata to be included in the load file. Select columns of
metadata to be included in the load file and click the right arrow to add the
Selected Mapping field.

Selected Mapping

In addition to the columns of metadata, you can also add Custom fields to be
included in the load file.

Field Mapping Templates

Additionally, you may need a placeholder field. Use the plus button to add a field
mapping template. You can also edit and delete the templates.

Creating Export Sets

Load File Options

| 277

Load File Files to Include Options
The following table describes the options that are available on the Load File Export Files to Include Options
screen.

Load File Export Files to Include Options
Options

Description

Include Native Files

Output a Reduced
Version of the Original
PST/NSF file

Select this option if you want to output a reduced version of the PST/NSF file.

Output messages as
individual HTML/RTF

Output messages as
individual MSG

Include Rendered
Images

Select this option to include images that have been created in the Project
Review. Additionally, if an image has not yet been created, this option will convert
the native document to an image format.

Excluded Extensions

File Format

Compression



RLE (Color) - Produces a color image with RLE compression.





large image).
DPI

Set the resolution of the image.
The range is from 96 - 1200 dots per inch (DPI).

Page Format

Select the page size for the image: A3, A4, Letter.

Normalize images

Select this option to normalize the image n to the same size so that
endorsements appear to be the same size on all pages.

Creating Export Sets

Load File Files to Include Options

| 278

Load File Export Files to Include Options
Options

Description

Produce color JPGs for
provided extensions

To JPG Extensions

Lets you specify file extensions that you want exported to JPG images.

JPG Quality

Sets the value of JPG quality (1-100). A high value (100) creates high quality
images. However, it also reduces the compression ratio, resulting in large file
sizes. A value of 50 is average quality.

Slipsheet

OCR TIFF Images

Mark to OCR TIFF Images.

OCR Text Encoding

Encode the text in the OCR with either ANSI, UTF-16, or UTF-8. See Load File
Options on page 276.

Creating Export Sets

Load File Files to Include Options

| 279

Part 7

Reference

Getting
Using

Started with KFF (Known File Filter) (page 281)

KFF (Known File Filter) (page 309)

Integrating

Reference

with AccessData Forensics Products (page 330)

| 280

Chapter 28

Getting Started with KFF (Known File Filter)

This document contains the following information about understanding and getting started using KFF (Known
File Filter).
About

KFF (page 281)

About

the KFF Server and Geolocation (page 286)

Installing

the KFF Server (page 287)

Configuring

the Location of the KFF Server (page 288)

Migrating

Legacy KFF Data (page 289)

Importing

KFF Data (page 291)

About

CSV and Binary Formats (page 298)

Installing

KFF Updates (page 302)

Uninstalling
KFF

KFF (page 301)

Library Reference Information (page 303)

What

has Changed in Version 5.6 (page 308)

Important: AccessData applications versions 5.6 and later use a new KFF architecture. If you are using one of
the following applications version 5.6 or later, you must install and implement the new KFF
architecture:
Resolution1

(Resolution1 Platform, Resolution1 CyberSecurity, Resolution1 eDiscovery)

Summation
FTK-based

products (FTK, FTK Pro, AD Lab, AD Enterprise)

See What has Changed in Version 5.6 on page 308.

About KFF
KFF (Known File Filter) is a utility that compares the file hash values of known files against the files in your
project. The known files that you compare against may be the following:
Files

that you want to ignore, such as operating system files

Files

that you want to be alerted about, such as malware or other contraband files

The hash values of files, such as MD5, SHA-1, etc., are based on the file’s content, not on the file name or
extension. The helps you identify files even if they are renamed.
Using KFF during your analysis can provide the following benefits:

Getting Started with KFF (Known File Filter)

About KFF

| 281

Immediately

identify and ignore 40-70% of files irrelevant to the project.

Immediately

identify known contraband files.

Introduction to the KFF Architecture
There are two distinct components of the KFF architecture:
KFF

Data - The KFF data are the hashes of the known files that are compared against the files in your
project. The KFF data is organized in KFF Hash Sets and KFF Groups. The KFF data can be comprised
of hashes obtained from pre-configured libraries (such as NSRL) or custom hashes that you configure
yourself.
See Components of KFF Data on page 282.

KFF

Server - The KFF Server is the component that is used to store and process the KFF data against
your evidence. The KFF Server uses the AccessData Elasticsearch Windows Service. After you install
the KFF Server, you import your KFF data into it.

Note: The KFF database is no longer stored in the shared evidence database or on the file system in EDB
format.

Components of KFF Data
Item

Description

Hash

The unique MD5 or SHA-1 hash value of a file. This is the value that is compared
between known files and the files in your project.

Hash Set

A collection of hashes that are related somehow. The hash set has an ID, status,
name, vendor, package, and version. In most cases, a set corresponds to a
collection of hashes from a single source that have the same status.

Group

KFF Groups are containers that are used for managing the Hash Sets that are
used in a project.
KFF Groups can contains Hash Sets as well as other groups.
Projects can only use a single KFF Group. However, when configuring your
project you can select a single KFF Group which can contains nested groups.

Status

The specified status of a hash set of the known files which can be either Ignore
or Alert. When a file in a project matches a known file, this is the reported status
of the file in the project.

Library

A pre-defined collection of hashes that you can import into the KFF Serve.
There are three pre-defined libraries:
 NSRL


NDIC HashKeeper



DHS

See About Pre-defined KFF Hash Libraries on page 284.

Getting Started with KFF (Known File Filter)

About KFF

| 282

Item

Description

Index/Indices

When data is stored internally in the KFF Library, it is stored in multiple indexes
or indices.
The following indices can exist:
 NSRL index


A dedicated index for the hashes imported from the NSRL library.
NDIC index



A dedicated index for the hashes imported from the NDIC library.
DHC index



A dedicated index for the hashes imported from the DHC library.
KFF index

A dedicated index for the hashes that you manually create or import from
other sources, such as CSV.
These indices are internal and you do not see them in the main application. The
only place that you see some of them are in the KFF Import Tool.
See Using the KFF Import Utility on page 292.
The only time you need to be mindful of the indices is when you use the KFF
binary format when you either export or import data.
See About CSV and Binary Formats on page 298.

About the Organization of Hashes, Hash Sets, and KFF Groups
Hashes, such as MD5, SHA-1, etc., are based on the file’s content, not on the file name or extension.
You can also import hashes into the KFF Server in .CSV format.
For FTK-based products, you can also import hashes into the KFF Server that are contained in .TSV, .HKE,
.HKE.TXT, .HDI, .HDB, .hash, .NSRL, or .KFF file formats.
You can also manually add hashes.
Hashes are organized into Hash Sets. Hash Sets usually include hashes that have a common status, such as
Alert or Ignore.
Hash Sets must be organized into to KFF Groups before they can be utilized in a project.

Getting Started with KFF (Known File Filter)

About KFF

| 283

About Pre-defined KFF Hash Libraries
All of the pre-configured hash sets currently available for KFF come from three federal government agencies
and are available in KFF libraries.
See About KFF Pre-Defined Hash Libraries on page 303.
You can use the following KFF libraries:
NIST

NSRL
See About Importing the NIST NSRL Library on page 294.

NDIC

HashKeeper (Sept 2008)
See Importing the NDIC Hashkeeper Library on page 296.

DHS

(Jan 2008)
See Importing the DHS Library on page 296.

It is not required to use a pre-configured KFF library in order to use KFF. You can configure or import custom
hash sets. See your application’s Admin Guide for more information.

How KFF Works
The Known File Filter (KFF) is a body of MD5 and SHA1 hash values computed from electronic files. Some predefined data is gathered and cataloged by several US federal government agencies or you can configure you
own. KFF is used to locate files residing within project evidence that have been previously encountered by other
investigators or archivists. Identifying previously cataloged (known) files within a project can expedite its
investigation.
When evidence is processed with the MD5 Hash (and/or SHA-1 Hash) and KFF options, a hash value for each
file item within the evidence is computed, and that newly computed hash value is searched for within the KFF
data. Every file item whose hash value is found in the KFF is considered to be a known file.
Note: If two hash sets in the same group have the same MD5 hash value, they must have the same metadata.
If you change the metadata of one hash set, all hash sets in the group with the same MD5 hash file will be
updated to the same metadata.
The KFF data is organized into Groups and stored in the KFF Server. The KFF Server service performs lookup
functions.

Status Values
In order to accelerate an investigation, each known file can labeled as either Alert or Ignore, meaning that the file
is likely to be forensically interesting (Alert) or uninteresting (Ignore). Other files have a status of Unknown.
The Alert/Ignore designation can assist the investigator to hone in on files that are relevant, and avoid spending
inordinate time on files that are not relevant. Known files are presented in the Overview Tab’s File Status
Container, under “KFF Alert files” and “KFF Ignorable.”

Getting Started with KFF (Known File Filter)

About KFF

| 284

Hash Sets
The hash values comprising the KFF are organized into hash sets. Each hash set has a name, a status, and a
listing of hash values. Consider two examples. The hash set “ZZ00001 Suspected child porn” has a status of
Alert and contains 12 hash values. The hash set “BitDefender Total Security 2008 9843” has a status of Ignore
and contains 69 hash values. If, during the course of evidence processing, a file item’s hash value were found to
belong to the “ZZ00001 Suspected child porn” set, then that file item would be presented in the KFF Alert files
list. Likewise, if another file item’s hash value were found to belong to the “BitDefender Total Security 2008 9843”
set, then that file would be presented in the KFF Ignorable list.
In order to determine whether any Alert file is truly relevant to a given project, and whether any Ignore file is truly
irrelevant to a project, the investigator must understand the origins of the KFF’s hash sets, and the methods
used to determine their Alert and Ignore status assignments.
You can install libraries of pre-defined hash sets or you can import custom hash sets. The pre-defined hash sets
contain a body of MD5 and SHA1 hash values computed from electronic files that are gathered and cataloged by
several US federal government agencies.
See About KFF Pre-Defined Hash Libraries on page 303.

Higher Level Structure and Usage
Because hash set groups have the properties just described, and because custom hash sets and groups can be
defined by the investigator, the KFF mechanism can be leveraged in creative ways. For example, the
investigator may define a group of hash sets created from encryption software and another group of hash sets
created from child pornography files and then apply only those groups while processing.

Getting Started with KFF (Known File Filter)

About KFF

| 285

About the KFF Server and Geolocation
In order to use the Geolocation Visualization feature in various AccessData products, you must use the KFF
architecture and do the following:
Install

the KFF Server.
See Installing the KFF Server on page 287.

Install

the Geolocation (GeoIP) Data (this data provide location data for evidence)
See Installing the Geolocation (GeoIP) Data on page 297.
From time to time, there will be updates available for the GeoIP data.
See Installing KFF Updates on page 302.

If you are upgrading to 5.6 or later from an application 5.5 or earlier, you must install the new KFF Server and the
updated Geolocation data.

Getting Started with KFF (Known File Filter)

About the KFF Server and Geolocation

| 286

Installing the KFF Server
About Installing the KFF Server
In order to use KFF, you must first configure an KFF Server.
For product versions 5.6 and later, you install a KFF Server by installing the AccessData Elasticsearch Windows
Service.
Where you install the KFF Server depends on the product you are using with KFF:
For

FTK and FTK Pro applications, the KFF Server must be installed on the same computer that runs the
Examiner.

For

all other applications, such as AD Lab, Resolution1, or Summation, the KFF Server can be installed
on either the same computer as the application or on a remote computer. For large environments, it is
recommended that the KFF Server be installed on a dedicated computer.

After installing the KFF Server, you configure the application with the location of the KFF Server.
See Configuring the Location of the KFF Server on page 288.

About KFF Server Versions
The KFF Server (AccessData Elasticsearch Windows Service) may be updated from time to time. It is best to
use the latest version.
AccessData
Elasticsearch
Windows Service

Released

Installation Instructions

Version 1.3.2

November 2014 with 5.6
versions of
 Resolution1

See Installing the KFF Server Service on page 287.



Summation



FTK-based
products

For applications 5.5 and earlier, the KFF Server component was version 1.2.7 and earlier.

About Upgrading from Earlier Versions
If you have used KFF with applications versions 5.5 and earlier, you can migrate your legacy KFF data to the
new architecture.
See Migrating Legacy KFF Data on page 289.

Installing the KFF Server Service
For instructions on installing the AccessData Elasticsearch Windows Service, see Installing the Elasticsearch
Service (page 611).

Getting Started with KFF (Known File Filter)

Installing the KFF Server

| 287

Configuring the Location of the KFF Server
After installing the KFF Server, on the computer running the application, such as FTK, Lab, Summation, or
Resolution1, you configure the location of the KFF Server.
Do one of the following:
Configuring

the KFF Server Location on FTK-based Computers (page 288)

Configuring

the KFF Server Location on Resolution1 and Summation Applications (page 288)

Configuring the KFF Server Location on FTK-based Computers
Before using KFF with FTK, FTK Pro, Lab, or Enterprise, with KFF, you must configure the location of the KFF
Server.

Important: To configure KFF, you must be logged in with Admin privileges.

To view or edit KFF configuration settings
1.

In the Case Manager, click Tools > Preferences > Configure KFF.

You can set or view the address of the KFF Server.
If

you installed the KFF Server on the same computer as the application, this value will be localhost.

If

you installed the KFF Server on a different computer, identify the KFF server.

Click Test to validate communication with the KFF Server.

Click Save.

Click OK.

Configuring the KFF Server Location on Resolution1 and Summation
Applications
When using the KFF Server with Summation or Resolution1 applications, two configuration files must point to
the KFF Server location.
These setting are configured automatically during the KFF Server installation. If needed, you can verify the
settings.
However, if you change the location of the KFF Server, do the following to specify the location of the KFF Server.
1.

Configure AdgWindowsServiceHost.exe.config:
1a.

On the computer running the application (for example, the server running Summation), go to
C:\Program Files\AccessData\Common\FTK Business Services.

1b.

Open AdgWindowsServiceHost.exe.config.

Getting Started with KFF (Known File Filter)

Configuring the Location of the KFF Server

| 288

1c.

Modify the line .

1d.

Change localhost to be the location of your KFF server (you can use hostname or IP).

1e.

Save and close file.

1f.

Restart the business services common service.

Configure AsyncProcessingServices web.config:
2a.

On the computer running the application (for example, the server running Summation), go to
C:\Program Files\AccessData\AsyncProcessingServices.

2b.

Open web.config.

2c.

Modify the line .

2d.

Change localhost to be the location of your KFF server (you can use hostname or IP).

2e.

Save and close file.

2f.

Restart the AsyncProcessing service.

Migrating Legacy KFF Data
If you have used KFF with applications versions 5.5 and earlier, you can migrate that data from the legacy KFF
Server to the new KFF Server architecture.
Important: Applications version 5.6 and later can only use the new KFF architecture that was introduced in 5.6.
If you want to use KFF data from previous versions, you must migrate the data.
Important: If you have NSRL, NDIC, or DHS data in your legacy data, those sets will not be migrated. You must
re-import them using the 5.6 versions or later of those libraries. Only legacy custom KFF data will be
migrated.
Legacy KFF data is migrated to KFF Groups and Hash Sets on the new KFF Server.
Because KFF Templates are no longer used, they will be migrated as KFF Groups, and the groups that were
under the template will be added as sub-groups.
You migrate data using the KFF Migration Tool. To use the KFF Migration Tool, you identify the following:
The

Storage Directory folder where the legacy KFF data is located.
This was folder was configured using the KFF Server Configuration utility when you installed the legacy
KFF Server. If needed, you can use this utility to view the KFF Storage Directory. The default location of
the KFF_Config.exe file is Program Files\AccessData\KFF.

The

URL of the new KFF Server ( the computer running the AccessData Elastic Search Windows
Service)
This is populated automatically if the new KFF Server has been installed.

To install the KFF Migration Tool
1.

On the computer where you have installed the KFF Server, access the KFF Installation disc, and run the
autorun.exe.

Click the 64 bit or 32 bit Install KFF Migration Utility.

Complete the installation wizard.

To migrate legacy KFF data
1.

On the legacy KFF Server, you must stop the KFF Service.
You can stop the service manually or use the legacy KFF Config.exe utility.

Getting Started with KFF (Known File Filter)

Migrating Legacy KFF Data

| 289

On the new KFF Server, launch the KFF Migration Tool.

Enter the directory of the legacy KFF data.

The URL of Elasticsearch should be listed.

Click Start.

When completed, review the summary data.

Getting Started with KFF (Known File Filter)

Migrating Legacy KFF Data

| 290

Importing KFF Data
About Importing KFF Data
You can import hashes and KFF Groups that have been previous configured.
You can import KFF data in one of the following formats:

KFF Data sources that you can import
Source

Description

Pre-configured KFF libraries

You can import KFF data from the following pre-configured libraries
 NIST NSRL


NDIC HashKeeper



DHS

To import KFF libraries, it is recommended that you use the KFF Import
Utility.
See Using the KFF Import Utility on page 292.
See Importing Pre-defined KFF Data Libraries on page 294.
See KFF Library Reference Information on page 303.
Custom Hash Sets and KFF
Groups

You can import custom hashes from CSV files.
See About the CSV Format on page 298.
For FTK-based products, you can also import custom hashes from the
following file types:
 Delimited files (CSV or TSV)


Hash Database files (HDB)



Hashkeeper files (HKE)



FTK Exported KFF files (KFF)



FTK Supported XML files (XML)



FTK Exported Hash files (HASH)

To import these kinds of files, use the KFF Import feature in your
application.
See Using the Known File Feature chapter.
KFF binary files

You can import KFF data that was exported in a KFF binary format, such an
an archive of a KFF Server.
See About CSV and Binary Formats on page 298.
When you import a KFF binary snapshot, you must be running the same
version of the KFF Server as was used to create the binary export.
To import KFF binary files, it is recommend that you use the KFF Import
Utility.
See Using the KFF Import Utility on page 292.

Getting Started with KFF (Known File Filter)

Importing KFF Data

| 291

About KFF Data Import Tools
When you import KFF data, you can use one of two tools:

KFF Data Import Tools
The application’s Import
feature

The KFF management feature in the application lets you import both .CSV and
KFF Binary formats. Use the application to import .CSV files.
See Using the Known File Feature chapter.
Even though you can import KFF binary files using the application, it is
recommend that you use the KFF Import Utility.

KFF Import Utility

It is recommended that you use the KFF Import Utility to import KFF binary files.
See Using the KFF Import Utility on page 292.

About Default Status Values
When you import KFF data, you configure a default status value of Alert or Ignore. When adding Hash Sets to
KFF Groups, you can configure the KFF Groups to use the default status values of the Hash Set or you can
configure the KFF Group with a status that will override the default Hash Set values.
See Components of KFF Data on page 282.

About Duplicate Hashes
If multiple Hash Set files containing the same Hash identifier are imported into a single KFF Group, the group
keeps the last Hash Set’s metadata information, overwriting the previous Hash Sets’ metadata. This only
happens within an individual group and not across multiple groups.

Using the KFF Import Utility
About the KFF Import Utility
Due to the large size of of some KFF data, a stand-alone KFF Import utility is available to use to import the data.
This KFF Import utility can import large amounts of data faster then using the import feature in the application.
It is recommend that you install and use the KFF Import utility to import the following:
NSRL,
An

DHC, and NIST libraries

archive of a KFF Server that was exported in the binary format

After importing NSRL, NDIC, or DHS libraries, these indexes are displayed in the Currently Installed Sets list.
See Components of KFF Data on page 282.
You can also use the KFF Import Utility to remove the NSRL, NDIC, or DHS indexes that you have imported.
An archive of a KFF Server, which is the exported KFF Index, is not shown in the list.

Getting Started with KFF (Known File Filter)

Importing KFF Data

| 292

Installing the KFF Import Utility
You should use the KFF Import Utility to import some kinds of KFF data.

To install the KFF Import Utility
1.

On the computer where you have installed the KFF Server, access the KFF Installation disc, and run the
autorun.exe.

Click the 64 bit or 32 bit Install KFF Import Utility.

Complete the installation wizard.

Importing a KFF Server Archive Using the KFF Import Utility
You can import an archive of a KFF Server that you have exported using the binary format.
If you are importing a pre-defined KFF Library, see Importing Pre-defined KFF Data Libraries (page 294).

To import using the KFF Import Utility
1.

On the KFF Server, open the KFF Import Utility.

To test the connection to the KFF Server’s Elasticsearch service at the displayed URL, click Connect.
If it connects correctly, no error is shown.
If it is not able to connect, you will get the following error: Failed after retrying 10 times: ‘HEAD
accessdata_threat_indicies’.

To import, click Import.

Click Browse.

Browse to the folder that contains the KFF binary files.
Specifically, select the folder that contains the Export.xml file.

Click Start.

Close the dialog.

Removing Pre-defined KFF Libraries Using the KFF Import Utility
You can remove a pre-defined KFF Library that you have previously imported.
You cannot see or remove existing custom KFF data (the KFF Index).

To remove pre-defined KFF Libraries
1.

On the KFF Server, open the KFF Import Utility.

Select the library that you want to remove.

Click Remove.

Getting Started with KFF (Known File Filter)

Importing KFF Data

| 293

Importing Pre-defined KFF Data Libraries
About Importing Pre-defined KFF Data Libraries
After you install the KFF Server, you can import pre-defined NIST NSRL, NDIC HashKeeper, and DHS data
libraries.
See About Pre-defined KFF Hash Libraries on page 284.
In versions 5.5 and earlier, you installed these using an executable file. In versions 5.6 and later, you must import
them. It is recommend that you use the KFF Import Utility.
After importing pre-defined KFF Libraries, you can remove them from the KFF Server.
See Removing Pre-defined KFF Libraries Using the KFF Import Utility on page 293.
See the following sections:
About

Importing the NIST NSRL Library (page 294)

Importing

the NDIC Hashkeeper Library (page 296)

Importing

the DHS Library (page 296)

About Importing the NIST NSRL Library
You can import the NSRL library into your KFF Server. During the import, two KFF Groups are created:
NSRL_Alert and NSRL_Ignore. In FTK-based products, these two groups are automatically added to the Default
KFF Group.
The NSRL libraries are updated from time to time. To import and maintain the NSRL data, you do the following:

Process for Importing and Maintaining the NIST NSRL Library
1. Import the complete
NSRL library.

You must first install the most current complete NSRL library. You can later add
updates to it.
To access and import the complete NSRL library, see
Importing the Complete NSRL Library (page 295)

2. Import updates to the
library

When updates are made available, import the updates to bring the data up-to
date.
See Installing KFF Updates on page 302.
Important: In order to use the NSRL updates, you must first import the complete
library. When you install an NSRL update, you must keep the previous NSRL
versions installed in order to maintain the complete set of NSRL data.

Available NRSL library files (new format)
NSRL Library
Release
Complete library
version 2.45
(source .ZIP file)

Released

Information

Nov 2014

For use only with applications version 5.6 and later.
Contains the full NSRL library up through update 2.45.
See Importing the Complete NSRL Library on page 295.

Getting Started with KFF (Known File Filter)

Importing KFF Data

| 294

Available Legacy NRSL library files
Legacy NSRL
Library Release
version 2.44
(.EXE file)

Released

Information

Nov 2013

For use with the legacy KFF Server that was used with
applications versions 5.5 and earlier.
Contains the full NSRL library up through update 2.44.
Install this library first.
Note: NSRL updates for the legacy KFF format will end in the
2nd quarter of 2015. From that time, NSRL updates will only
be provided in the new format.

Importing the Complete NSRL Library
To add the NSRL library to your KFF Library, you import the data. You start by importing the full NSRL library.
You can then import any updates as they are available.
See About Importing the NIST NSRL Library on page 294.
See Installing KFF Updates on page 302.
Important: The complete NSRL library data is contained in a large (3.4 GB) .ZIP file. When expanded, the data
is about 18 GB. Make sure that your file system can support files of this size.
Important: Due to the large amount of NSRL data, it will take 3-4 hours to import the NSRL data using the KFF
Import Utility. If you import from within an application, it will take even longer.

To install the NSRL complete library
1.

Extract the NSRLSOURCE_2.45.ZIP file from the KFF Installation disc.

On the KFF Server, launch the KFF Import Utility.
See Installing the KFF Import Utility on page 293.

Click Import.

Click Browse.

Browse to and select the NSRLSource_2.45 folder that contains the NSRLFile.txt file.
(Make sure you are selecting the folder and not drilling into the folder to select an individual file. The
import process will drill into the folder to get the proper files for you.)

Click Select Folder.

Click Start.

When the import is complete, click OK.

Close the Import Utility dialog and the NSRL library will be listed in the Currently Installed Sets.

Getting Started with KFF (Known File Filter)

Importing KFF Data

| 295

Importing the NDIC Hashkeeper Library
You can import the Hashkeeper 9.08 library.
For application versions 5.6 and later, these files are stored in the KFF binary format.

To import the Hashkeeper library
1.

Have access the NDIC source files by download the ZIP file from the web:
1a.

Go to http://www.accessdata.com/product-download.

1b.

Click Known File Filter (KFF).

1c.

For KFF Hash Sets, click Download Page .

1d.

Click the KFF NDIC library that you want to download.

Extract the ZIP file.

On the KFF Server, launch the KFF Import Utility.
See Installing the KFF Import Utility on page 293.

Click Import.

Click Browse.

Browse to and select the NDIC source folder that contains the Export.xml file.
(Make sure you are selecting the folder and not drilling into the folder to select an individual file. The
import process will drill into the folder to get the proper files for you.)

Click Select Folder.

Click Start.

When the import is complete, click OK.

10. Close the Import Utility dialog and the NDIC library will be listed in the Currently Installed Sets.

Importing the DHS Library
You can import the DHS 1.08 library.
For application versions 5.6 and later, these files are stored in the KFF binary format.

To import the DHS library
1.

Have access the NDIC source files by download the ZIP file from the web:
1a.

Go to http://www.accessdata.com/product-download.

1b.

Click Known File Filter (KFF).

1c.

For KFF Hash Sets, click Download Page .

1d.

Click the KFF DHS library that you want to download.

Extract the ZIP file.

On the KFF Server, launch the KFF Import Utility.
See Installing the KFF Import Utility on page 293.

Click Import.

Click Browse.

Browse to and select the DHS source folder that contains the Export.xml file.
(Make sure you are selecting the folder and not drilling into the folder to select an individual file. The
import process will drill into the folder to get the proper files for you.)

Getting Started with KFF (Known File Filter)

Importing KFF Data

| 296

Click Select Folder.

Click Start.

When the import is complete, click OK.

10. Close the Import Utility dialog and the DHS library will be listed in the Currently Installed Sets.

Installing the Geolocation (GeoIP) Data
Geolocation (GeoIP) data is used for the Geolocation Visualization feature of several AccessData products.
See About the KFF Server and Geolocation on page 286.
You can also check for and install GeoIP data updates.
If you are upgrading to 5.6 or later from an application 5.5 or earlier, you must install the new KFF Server and the
updated Geolocation data.
The Geolocation data that was used with versions 5.5 and earlier is version 1.0.1 or earlier.
The Geolocation data that is used with versions 5.6 and later is version 2014.10 or later.

To install the Geolocation IP Data
1.

On the copmuter where you have installed the KFF Server, access the KFF Installation disc, and run the
autorun.exe.

Click the 64 bit or 32 bit Install Geolocation Data.

Complete the installation wizard.

Getting Started with KFF (Known File Filter)

Importing KFF Data

| 297

About CSV and Binary Formats
When you export and import KFF data, you can use one of two formats:
CSV
KFF

Binary

About the CSV Format
When you use the .CSV format, you use a single .CSV file. The .CSV file contains the hashes that you import or
export.
When you export to a CSV file, it contains the hashes as well as all of the information about any associated Hash
Sets and KFF Groups. You can only use the CSV format when exporting individual Hash Sets and KFF Groups.
When you import using a CSV file, it can be a simple file containing only the hashes of files, or it can contain
additional information about Hash Sets and KFF Groups.
However, CSV files will usually take a little longer to export and import.
To view the sample of a .CSV file that contains binaries and Hash Sets and KFF Groups, perform a CSV export
and view the file in Excel.
You can also use the format of CSV files that were exported in previous versions.
To import .CSV files, use the application’s KFF Import feature.

About the KFF Binary Format
When you use the KFF binary format, you use a set of files that are in an internal KFF Server (Elasticsearch)
format that is referred to as a Snapshot. The binary format is essentially a snapshot of one of the indices
contained in the KFF Server. You can only have one binary format snapshot for each index.
See Components of KFF Data on page 282.
The benefit of the binary format is that it is able to support larger amounts of data than the CSV format. For large
data sets, the binary format will export and import faster than the CSV format.
For example, when you import the DHC or NDIC Hashkeeper libraries, they are imported from a KFF binary
format.
If you export your custom Hash Sets or KFF Groups using the KFF binary format, everything in the KFF Index is
included.
See About Choosing to Export in CSV or KFF Binary Format on page 299.
When exporting in a Binary format, you specify an existing parent folder and then the name of a new sub-folder
for the binary data. The new sub-folder must not previously exist and will be created by the export process.
After export, the binary export folder contains the following:
Indices

sub-folder - The folder contains the exported KFF data

Export.xml

- This file is the only file that is not an Elasticsearch file and is created by the export feature
and contains the KFF Group and Hash Set definitions for the index.

Getting Started with KFF (Known File Filter)

About CSV and Binary Formats

| 298

Index

- an index file generated by Elasticsearch

metadata-snaphot

file with the data and time it was created

snapshot-snaphot

file with the data and time it was created

Note: The binary format is dependent on the version of the KFF Server. When exporting and importing the
binary format, the systems must be using the same version of the KFF Server.
When new versions of the KFF Server are released in the future, an upgrade process will also be
provided.

About Choosing to Export in CSV or KFF Binary Format
When you export your own KFF data, you have the option of using either the CSV or the binary format. The
results are different based on the format that you use:
CSV format
Exporting in
CSV format

When you export KFF data using the CSV format, you can export specific specific
pieces of KFF data, such as one or more Hash Sets or one or more KFF Groups.
The exported data is contained in one .CSV file.
The benefits of the CSV format are that CSV files can be easily viewed and can
be manually edited. They are also less dependent on the version of the KFF
Server.

Importing
from CSV
format

When you import a CSV file, the data in the file is data is added to your existing
KFF data that is in the KFF Index.
See Components of KFF Data on page 282.
For example, suppose you started by manually created four Hash Sets and one
KFF Group. That would be the only contents in your KFF Index. Suppose you
import a .CSV file that contains five hash sets and two KFF Groups. They will be
added together for a total of nine Hash Sets and three KFF Groups.
To import .CSV files, use the KFF Import feature in your application.
See Using the Known File Feature chapter.

KFF binary format
Exporting in
KFF binary
format

If you export your KFF data using the KFF binary format, all of the data that you
have in the KFF Index will be exported together. You cannot use this format to
export individual Hash Sets or KFF Groups.
See Components of KFF Data on page 282.
You will only want to use this format if you intend to export all of the data in the
KFF Index and import it as a whole. This can be useful in making an archive of
your KFF data or copying KFF data from one KFF Server to another.
Because NSRL, NIST, and DHC data is contained in their own indexes, when you
do an export using this format, those sets are not included. Only the data in the
KFF Index is exported.

Getting Started with KFF (Known File Filter)

About CSV and Binary Formats

| 299

Importing KFF
binary format

IMPORTANT: When you import a KFF binary format, it will import the complete
index and will replace any data that is currently in that index on the KFF Server.
For example, if you import the DHC library, and then later you import the DHC
library again, the DHC index will be replaced with the new import.
If you have a KFF binary format snapshot of custom KFF data (which would have
come from a binary format export) it will replace all KFF data that already exists in
your KFF Index.
For example, suppose you manually created four Hash Sets and one KFF Group.
Suppose you then import a binary format that has five hash sets and two KFF
Groups. The binary format will be imported as a complete index and will replace
the existing data. The result will be only be the imported five Hash Sets and two
KFF libraries.
When importing KFF binary files, it is recommend that you use the KFF Import
Utility.
See Installing the KFF Import Utility on page 293.

Getting Started with KFF (Known File Filter)

About CSV and Binary Formats

| 300

Uninstalling KFF
You can uninstall KFF application components independently of the KFF Data.

Main version

Description

Applications 5.6
and later

For applications version 5.6 and later, you uninstall the following components:


AccessData Elasticsearch Windows Service (KFF Server) v1.2.7 and later



Note: Elasticsearch is used by multiple features in various applications, use caution
when uninstalling this service or the related data.
AccessData KFF Import Utility (v5.6 and later)



AccessData KFF Migration Tool (v1.0 and later)



AccessData Geo Location Data (v2014.10 and later)

Note: This component is not used by the KFF feature, but with the KFF Server for the
the geolocation visualization feature.
The location of the KFF data is configured when the AccessData Elasticsearch Windows
Service was installed. By default, it is lactated at
C:\Program Files\AccessData\Elacticsearch\Data.
Applications 5.5
and earlier

For applications version 5.5 and earlier, you can uninstall the following components:


KFF Server (v1.2.7 and earlier)



Note: The KFF Server is also used by the geolocation visualization feature.
AccessData Geo Location Data (1.0.1 and earlier)

This component is not used by the KFF feature, but with the KFF Server for the the
geolocation visualization feature.
The location of the KFF data was configured when the KFF Server was installed. You can
view the location of the data by running the KFF.Config.exe on the KFF Server.
If you are upgrading from 5.5 to 5.6, you can migrate your KFF data before uninstalling the
KFF Server.

Getting Started with KFF (Known File Filter)

Uninstalling KFF

| 301

Installing KFF Updates
From time to time, AccessData will release updates to the KFF Server and the KFF data libraries.
Some of the KFF data updates may require you to update the version of the KFF Server.
To check for updates, do the following:
1.

Go to the AccessData Product Download website at http://www.accessdata.com/product-download.

On the Product Downloads page, click Known File Filter (KFF).

Open the Download page.

Check for updates.
See

About KFF Server Versions on page 287.

See

About Importing the NIST NSRL Library on page 294.

If there are updates, download them.

Install or import the updates.

Getting Started with KFF (Known File Filter)

Installing KFF Updates

| 302

KFF Library Reference Information
About KFF Pre-Defined Hash Libraries
This section includes a description of pre-defined hash collections that can be added as AccessData KFF data.
The following pre-defined libraries are currently available for KFF and come from one of three federal
government agencies:
NIST

NSRL (The default library installed with KFF)

NDIC

HashKeeper (An optional library that can be downloaded from the AccessData Downloads page)

DHS

(An optional library that can be downloaded from the AccessData Downloads page)

Note: Because KFF is now multi-sourced, it is no longer maintained in HashKeeper format. Therefore, you
cannot modify KFF data in the HashKeeper program. However, the HashKeeper format continues to be
compatible with the AccessData KFF data.

Use the following information to help identify the origin of any hash set within the KFF
The

NSRL hash sets do not begin with “ZZN” or “ZN”. In addition, in the AD Lab KFF, all the NSRL hash
set names are appended (post-fixed) with multi-digit numeric identifier. For example: “Password Manager
& Form Filler 9722.”

All

HashKeeper Alert sets begin with “ZZ”, and all HashKeeper Ignore sets begin with “Z”. (There are a
few exceptions. See below.) These prefixes are often followed by numeric characters (“ZZN” or “ZN”
where N is any single digit, or group of digits, 0-9), and then the rest of the hash set name. Two examples
of HashKeeper Alert sets are:
“ZZ00001

Suspected child porn”

“ZZ14W”
An example of a HashKeeper Ignore set is:



“Z00048
The


Corel Draw 6”

DHS collection is broken down as follows:

In 1.81.4 and later there are two sets named “DHS-ICE Child Exploitation JAN-1-08 CSV” and
“DHS-ICE Child Exploitation JAN-1-08 HASH”.

In

AD Lab there is just one such set, and it is named “DHS-ICE Child Exploitation JAN-1-08”.

Once an investigator has identified the vendor from which a hash set has come, he/she may need to consider
the vendor’s philosophy on collecting and categorizing hash sets, and the methods used by the vendor to gather
hash values into sets, in order to determine the relevance of Alert (and Ignore) hits to his/her project. The
following descriptions may be useful in assessing hits.

Getting Started with KFF (Known File Filter)

KFF Library Reference Information

| 303

NIST NSRL
The NIST NSRL collection is described at: http://www.nsrl.nist.gov/index.html. This collection is much larger than
HashKeeper in terms of the number of sets and the total number of hashes. It is composed entirely of hash sets
being generated from application software. So, all of its hash sets are given Ignore status by AccessData staff
except for those whose names make them sound as though they could be used for illicit purposes.
The NSRL collection divides itself into many sub-collections of hash sets with similar names. In addition, many of
these hash sets are “empty”, that is, they are not accompanied by any hash values. The size of the NSRL
collection, combined with the similarity in set naming and the problem of empty sets, allows AccessData to
modify (or selectively alter) NSRL’s own set names to remove ambiguity and redundancy.
Find contact info at http://www.nsrl.nist.gov/Contacts.htm.

NDIC HashKeeper
NDIC’s HashKeeper collection uses the Alert/Ignore designation. The Alert sets are hash values contributed by
law enforcement agents working in various jurisdictions within the US - and a few that apparently come from
Luxemburg. All of the Alert sets were contributed because they were believed by the contributor to be connected
to child pornography. The Ignore sets within HashKeeper are computed from files belonging to application
software.
During the creation of KFF, AccessData staff retains the Alert and Ignore designations given by the NDIC, with
the following exceptions. AccessData labels the following sets Alert even though HashKeeper had assigned
them as Ignore: “Z00045 PGP files”, “Z00046 Steganos”, “Z00065 Cyber Lock”, “Z00136 PGP Shareware”,
“Z00186 Misc Steganography Programs”, “Z00188 Wiping Programs”. The names of these sets may
suggest the intent to conceal data on the part of the suspect, and AccessData marks them Alert with the
assumption that investigators would want to be “alerted” to the presence of data obfuscation or elimination
software that had been installed by the suspect.
The following table lists actual HashKeeper Alert Set origins:

A Sample of HashKeeper KFF Contributions
Hash

Contributor

Location

ZZ00001
Suspected child
porn

Det. Mike McNown
& Randy Stone

Wichita PD

ZZ00002
Identified Child
Porn

Det. Banks

Union County
(NJ) Prosecutor's
Office

ZZ00003
Suspected child
porn

Illinois State Police

ZZ00004
Identified Child
Porn

SA Brad Kropp,
AFOSI, Det 307

ZZ00000,
suspected child
porn

NDIC

Getting Started with KFF (Known File Filter)

Contact Information

Case/Source

(908) 527-4508

case 2000S-0102

(609) 754-3354

Case # 00307D7S934831

KFF Library Reference Information

| 304

A Sample of HashKeeper KFF Contributions (Continued)
Hash

Contributor

ZZ00005
Suspected Child
Porn

Rene Moes,
Luxembourg Police

ZZ00006
Suspected Child
Porn

Illinois State Police

Location

Contact Information

Case/Source

rene.moes@police.eta
t.lu

ZZ00007b
Suspected KP
(US Federal)
ZZ00007a
Suspected KP
Movies
ZZ00007c
Suspected KP
(Alabama 13A-12192)
ZZ00008
Suspected Child
Pornography or
Erotica

Sergeant Purcell

Seminole County
Sheriff's Office
(Orlando, FL,
USA)

(407) 665-6948,
dpurcell@seminoleshe
riff.org

suspected child
pornogrpahy from
20010000850

ZZ00009 Known
Child
Pornography

Sergeant Purcell

Seminole County
Sheriff's Office
(Orlando, FL,
USA)

(407) 665-6948,
dpurcell@seminoleshe
riff.org

200100004750

ZZ10 Known Child
Porn

Detective Richard
Voce CFCE

Tacoma Police
Department

(253)594-7906,
rvoce@ci.tacoma.wa.u
s

ZZ00011
Identified CP
images

Detective Michael
Forsyth

Baltimore County
Police
Department

(410)887-1866,
mick410@hotmail.com

ZZ00012
Suspected CP
images

Sergeant Purcell

Seminole County
Sheriff's Office
(Orlando, FL,
USA)

(407) 665-6948,
dpurcell@seminoleshe
riff.org

ZZ0013 Identified
CP images

Det. J. Hohl

Yuma Police
Department

928-373-4694

ZZ14W

Sgt Stephen May
Tamara.Chandler@oa
g.state.tx.us,
(512)936-2898

ZZ14U

Sgt Chris Walling
Tamara.Chandler@oa
g.state.tx.us,
(512)936-2898

ZZ14X

Sgt Jeff Eckert

YPD02-70707
TXOAG
41929134

TXOAG
41919887

TXOAG Internal
Tamara.Chandler@oa
g.state.tx.us,
(512)936-2898

Getting Started with KFF (Known File Filter)

KFF Library Reference Information

| 305

A Sample of HashKeeper KFF Contributions (Continued)
Hash

Contributor

ZZ14I

Sgt Stephen May

Location

Contact Information

Tamara.Chandler@oa
g.state.tx.us,
(512)936-2898
ZZ14B

Robert Britt, SA,
FBI

ZZ14S

Tamara.Chandler@oa
g.state.tx.us,
(512)936-2898

Sgt Stephen May
Tamara.Chandler@oa
g.state.tx.us,
(512)936-2898

ZZ14Q

Sgt Cody Smirl
Tamara.Chandler@oa
g.state.tx.us,
(512)936-2898

ZZ14V

Sgt Karen McKay
Tamara.Chandler@oa
g.state.tx.us,
(512)936-2898

ZZ00015 Known
CP Images

Det. J. Hohl

ZZ00016

Marion County
Sheriff's
Department

Yuma Police
Department

Case/Source
TXOAG
041908476

TXOAG
031870678

TXOAG
041962689

TXOAG
041952839

TXOAG
41924143

928-373-4694

YPD04-38144

(317) 231-8506

MP04-0216808

The basic rule is to always consider the source when using KFF in your investigations. You should consider the
origin of the hash set to which the hit belongs. In addition, you should consider the underlying nature of hash
values in order to evaluate a hit’s authenticity.

Higher Level KFF Structure and Usage
Since hash set groups have the properties just described (and because custom hash sets and groups can be
defined by the investigator) the KFF mechanism can be leveraged in creative ways. For example:
You

could define a group of hash sets created from encryption software and another group of hash sets
created from child pornography files. Then, you would apply only those groups while processing.

You

could also use the Ignore status. You are about to process a hard drive image, but your search
warrant does not allow inspection of certain files within the image that have been previously identified.
You could do the following and still observe the warrant:
6a.

Open the image in Imager, navigate to each of the prohibited files, and cause an MD5 hash value
to be computed for each.

6b.

Import these hash values into custom hash sets (one or more), add those sets to a custom group,
and give the group Ignore status.

6c.

Process the image with the MD5 and KFF options, and with AD_Alert, AD_Ignore, and the new,
custom group selected.

Getting Started with KFF (Known File Filter)

KFF Library Reference Information

| 306

6d.

During post-processing analysis, filter file lists to eliminate rows representing files with Ignore
status.

Hash Set Categories
The highest level of the KFF’s logical structure is the categorizing of hash sets by owner and scope. The
categories are AccessData, Project Specific, and Shared.

Hash Set Categories
Category

Description

AccessData

The sets shipped with as the Library. Custom groups can be created from these sets, but
the sets and their status values are read only.

Project
Specific

Sets and groups created by the investigator to be applied only within an individual project.

Shared

Sets and groups created by the investigator for use within multiple projects all stored in the
same database, and within the same application schema.

Important: Coordination among other investigators is essential when altering Shared groups in a lab
deployment. Each investigator must consider how other investigators will be affected when Shared
groups are modified.

Getting Started with KFF (Known File Filter)

KFF Library Reference Information

| 307

What has Changed in Version 5.6
WIth the 5.6 release of Resolution1, Summation, and FTK-based products, the KFF feature has been updated.
If you used KFF with applications version 5.5 or earlier, you will want to be aware of the following changes in the
KFF functionality.

Changes from version 5.5 to 5.6
Item

Description

KFF Server

KFF Server now runs a different service.
 In 5.5 and earlier, the KFF Server ran as the KFF Server service.


In 5.6 and later, the KFF Server uses the AccessData Elasticsearch
Windows Service.
For applications version 5.6 and later, all KFF data must be created in or
imported into the new KFF Server .

KFF Migration Tool

This is a new tool that lets you migrate custom KFF data from 5.5 and earlier to
the new KFF Server.
NIST NSRL, NDIC HashKeeper, or DHS library data from 5.5 will not be
migrated. You must re-import it.
See Migrating Legacy KFF Data on page 289.

KFF Import Utility

This is a new utility that lets you import large amounts of KFF data quicker than
using the import feature in the application.
See Using the KFF Import Utility on page 292.

KFF Libraries, Templates,
and Groups

In 5.5, all Hash Sets were configured within KFF Libraries. KFF Libraries could
then contain KFF Groups and KFF Templates.
KFF Libraries and Templates have been eliminated. You now simply create or
import KFF Groups and add Hash Sets to the groups.
You can now nest KFF Groups.

NIST NSRL, NDIC
HashKeeper, or DHS
libraries

In 5.5 and earlier, to use these libraries, you ran an installation wizard for each
library. You now import these libraries using the KFF Import Utility.
See About Importing Pre-defined KFF Data Libraries on page 294.

Import Log

FTK-based products no longer include the Import Log.
Resolution1 and Summation products did not have it previously.

Export

When you export KFF data you can now choose two formats:
CSV

format which replaced XML format

A new binary format
See About CSV and Binary Formats on page 298.

Getting Started with KFF (Known File Filter)

What has Changed in Version 5.6

| 308

Chapter 29

Using KFF (Known File Filter)

This chapter explains how to configure and use KFF and has the following sections:
See

About KFF and De-NIST Terminology on page 309.

See

Process for Using KFF on page 310.

See

Configuring KFF Permissions on page 310.

See

Adding Hashes to the KFF Server on page 311.

See

Using KFF Groups to Organize Hash Sets on page 317.

See

Exporting KFF Data on page 328.

See

Enabling a Project to Use KFF on page 321.

See

Reviewing KFF Results on page 323.

See

Re-Processing KFF on page 327.

About KFF and De-NIST Terminology
You can configure the interface to display either the term “KFF” (Known File Filter) or “De-NIST”. For example,
this can change references of a “KFF Group” to a “De-NIST Group.”
This does not affect the functionality of KFF, but only the term that is displayed. This allows users in forensic
environments to see the term “KFF” while users in legal environments can see the term “De-NIST.”
By default, the KFF term is used in the interface.
This setting only affects text in the interface. The following new icon is used with either setting:

In this manual, the KFF term is used.

To change the KFF and De-NIST terminology
1.

In the web.config file, in the section, add or modify the following entry:

To change the setting to use De-NIST terminology, change the value= from “KFF” to “De-NIST”.

Using KFF (Known File Filter)

About KFF and De-NIST Terminology

| 309

Process for Using KFF
To use the KFF feature, you perform the following steps:

Process for using KFF
Step 1.

Install and configure the KFF Server.
See Installing the KFF Server on page 287.

Step 2.

Configure KFF permissions.
Configuring KFF Permissions (page 310)

Step 3.

Add and manage KFF hashes on the KFF Server.
See Adding Hashes to the KFF Server on page 311.

Step 4.

Add and manage KFF Groups to organize KFF Hash Sets.
Using KFF Groups to Organize Hash Sets (page 317)

Step 5.

Configure a project to use KFF.
See Enabling a Project to Use KFF on page 321.

Step 6.

Review KFF results in Project Review.
See Reviewing KFF Results on page 323.

Step 7.

(Optional) Re-process the KFF data using different hashes.
See Re-Processing KFF on page 327.

Step 8.

(Optional) Archive or export KFF data to share with other KFF Servers.
See Exporting KFF Data on page 328.

Configuring KFF Permissions
In order to create and manage KFF libraries, sets, templates, and groups, you must have one of the following
permissions:
Administrator
Manage

KFF

You assign the Manage KFF permission to an Admin Role and then associate that role with users.
See Configuring and Managing System Users, User Groups, and Roles on page 46.
A user with project management permissions does not require the Manage KFF permission in order to enable
KFF for a new project.

Using KFF (Known File Filter)

Process for Using KFF

| 310

Adding Hashes to the KFF Server
You must add the hashes of the files that you want to compare against your evidence data. When adding hashes
to the KFF Serer, you add them in KFF Hash Sets.
See Components of KFF Data on page 282.
You can use the following methods to add hashes to the KFF Library:
Migrate legacy KFF Server
data

You can migrate legacy KFF data that is in a KFF Server in applications
versions 5.5 and earlier.
See Migrating Legacy KFF Data on page 289.

Import hashes

You can import previously configured KFF hashes from .CSV files.
See Importing KFF Data on page 312.

Manually create and manage
Hash Sets

You can manually add hashes to a Hash Set.
See Manually Creating and Managing KFF Hash Sets on page 314.

Create hashes from evidence
files in Review

You can add hashes from the files in your evidence using Review.
See Adding Hashes to Hash Sets Using Project Review on page 315.

About the Manage KFF Hash Sets Page
To configure KFF data, you use the KFF Hash Sets and KFF Groups pages.

To open the KFF Hash Sets page
1.

Click Management >

Hash Sets

If the feature does not function properly, check the following:
The

KFF Server is installed.
See Installing the KFF Server on page 287.

The

application has been configured for the KFF Server.
See Configuring the Location of the KFF Server on page 288.

The

KFF Service is running.
In the Windows Services manager, make sure that the AccessData Elasticsearch service is started.

Elements of the KFF Hash Sets page
Element

Description

Hash Sets

Displays all of the Hash Sets that have been imported or created in the KFF Server.
Lets you create a Hash Set.
See Manually Creating and Managing KFF Hash Sets on page 314.

Using KFF (Known File Filter)

Adding Hashes to the KFF Server

| 311

Elements of the KFF Hash Sets page
Element

Description
Lets you edit the active Hash Set.
See Manually Creating and Managing KFF Hash Sets on page 314.
Lets you delete the active Hash Set.
Warning: You are not prompted to confirm the deletion.
See Manually Creating and Managing KFF Hash Sets on page 314.
Lets you delete one or more checked Hash Sets.

Delete

Lets you view and manage the hashes in the Hash Set.
View Hashes
Import File
Export

See Searching For, Viewing, and Managing Hashes in a Hash Set on page 315.
Lets you import KFF data.
See Importing KFF Data on page 312.
Lets you export KFF data.
See Exporting KFF Data on page 328.
Refreshes the Hash Sets list.

Importing KFF Data
About Importing KFF Data
To understand the methods and formats for importing KFF data, first see About Importing KFF Data (page 291).
This chapter explains how to import KFF data using the application’s management console.

Importing KFF Hashes
You can import KFF data from the following:
KFF

export CSV files

KFF

binary files
Warning: Importing KFF binary files will replace your existing KFF data.
See About CSV and Binary Formats on page 298.
It is recommended that you use the external KFF Import Utility to import KFF binary files.
See Using the KFF Import Utility on page 292.

When importing KFF data, you can enter default values for the following fields:
Default

Status

Default

Vendor

Default

Version

Using KFF (Known File Filter)

Adding Hashes to the KFF Server

| 312

Default

Package

These are default values that will be used if they import file does not contain the information.
When importing hash lists using the CSV import, each hash within the CSV can have the same, different or no
status. During the import process you must choose a default status of Alert or Ignore. This default status will
have no affect on any hash in your CSV that already contains a status, however, any hash that does not have a
pre-assigned status will have this default status assigned to them.
The override status for the hash sets that you import will be automatically set to No Override. This is to ensure
that if your hash set contains both Alert and Ignore hashes, the program will not override the original status. You
can, however, choose to override the individual hash status within a set by choosing to set the whole set to Alert
or Ignore.
You can use these value to organize your hashes. For example, you can filter or sort data based on these
values.

To import KFF hashes from files
1.

Click Management >

Click

On the KFF Import File dialog, click

Browse to and select the file.

Click Select.

Specify a Default Status.
This sets a default status only for the hashes that do not have a status specified in the file.

(Optional) Specify a default Vendor, Version, and Package.
This sets values only for the hashes that do not have a value specified in the file.

(Optional) Add other files.

Hash Sets.

Import File.
Add File.

10. Click Import.
11. View the Import Summary to see the results of the Import.
12. Click Close.

To import KFF data from a binary format
Warning: This process may replace your existing KFF data.
See About the KFF Binary Format on page 298.
1.

Click Management >

Click

On the KFF Import File dialog, click Binary Import.

Browse to the folder that contains the binary files (specifically the Export.xml file) and click Select.

Click Import.

Hash Sets.

Import File.

Using KFF (Known File Filter)

Adding Hashes to the KFF Server

| 313

Manually Creating and Managing KFF Hash Sets
You can manually create Hash Sets and then add hashes to them. You can also edit and delete Hash Sets.
You can also add, edit, or delete the hashes in Hash Sets.
Note: You cannot manually add, edit, and delete hash values that were imported from NSRL, NDIC
HashKeeper, and DHS libraries.

To manually create a Hash Set
1.

Click Management >

On the KFF Hash Sets page, in the right pane, click Add

Enter a name for the Hash Set.

Select the status for the Hash Set: Alert, Ignore, or No Override.

(Optional) Enter a package, vendor, or version.
These are not required, but you can use these values for sorting and filtering results.

Click Save.

Hash Sets.
.

To manually manage Hash Sets
1.

Click Management >

Do one of the following:

Hash Sets.

To

edit a Hash Set, select a set a set, and click Edit

To

delete a single Hash Set, select a set, and click Delete

To

delete a multiple Hash Sets, select the sets, and click Delete

.
.

To manage hashes in a hash set
1.

On the KFF Hash Sets page, select a Hash Set.

Click View Hashes.

To add hashes to a hash set
1.

On the KFF Hash Sets page, select a Hash Set.

Click View Hashes.

In the KFF Hash Finder dialog, click Add

Enter the KFF hash value.

Enter the filename for the hash.

(Optional) Enter other reference information about the hash.

Click Save.
The new hash is displayed.

Using KFF (Known File Filter)

Adding Hashes to the KFF Server

| 314

Searching For, Viewing, and Managing Hashes in a Hash Set
Due to the large number of hashes that may be in a Hash Set, a list of hashes is not displayed. (However, you
can export a KFF Group that contains the Hash Set and view the hashes in the export file.)
You can use the KFF Hash Finder dialog to search for hash values within a hash set. You search by entering a
complete hash value. You can only search within one hash set at a time.
While the the KFF Hash Finder does not display a list of hashes, it does display the number of hashes in the set.

To search for hashes in a hash set
1.

On the KFF Hash Sets page, select a Hash Set.

Click View Hashes.

In the KFF Hash Finder dialog, enter the complete hash value that you want to search for.

Click Search.
If the has is found, it is displayed in the hash list.
If the hash is not found a message is displayed.

To edit hashes in a hash set
1.

In the KFF Hash Finder dialog, search for the hash that you want to edit.

Click Edit

Enter the hash information.

Click Save.
The edited hash is displayed.

To delete hashes from a hash set
1.

In the KFF Hash Finder dialog, search for the hash that you want to delete.

Click Delete

Adding Hashes to Hash Sets Using Project Review
You may identify files that in exist in a project as files that you want to add to your KFF hashes. For example, you
may find a graphics file that you want to either alert for or ignore in this or other projects. Using Project Review,
you can select files and then add them to existing or new KFF Hash Sets.
When you add hashes using Project Review, it starts a job that adds the hashes to the KFF Library.

To use Project Review to add hashes to Hash Sets
1.

Select a project and enter Project Review.

Select the files that you want to add to a hash set.

In the Actions drop-down, select Add to KFF.

Click Go.

In the Add Hash to Set dialog, select a status for the hash.

Using KFF (Known File Filter)

Adding Hashes to the KFF Server

| 315

Specify a Hash Set.
You can select an existing set or create a new set.
To

create a new set, do the following:

7a.

Select [Add New].

7b.

Enter the name of the new set.

7c.

Enter a name for the hash set.

7d.

(Optional) Add other information.

7e.

Click Save.

To

use an existing set, do the following:

7a.

Select the existing set.
By default, you will only see the sets that match the status that you select.
To see Hash Sets that have a No Override status as well, enable the Display hash sets with no
override status option.

7b.

Click Save.

To verify that hashes were added to the KFF Server
1.

Click

to exit Review.

On the Home page, select the project that you are using.

Click Work List

See Monitoring the Work List on page 277.
Click Refresh

to see the current status.

View the Add Hash to KFF job types.

Click Refresh

When the jobs are completed, at the bottom of the page, you can view the results.
It will show the number of files that were added or any errors generated.

From the KFF Hash Sets tab on the Management page, you can view the Hash Sets.
See Searching For, Viewing, and Managing Hashes in a Hash Set on page 315.

Using KFF (Known File Filter)

to see the current status.

Adding Hashes to the KFF Server

| 316

Using KFF Groups to Organize Hash Sets
About KFF Groups
KFF groups are containers for one or more Hash Sets. When you create a group, you then add Hash Sets to the
group. KFF Groups can also contain other KFF Groups.
When you enable KFF for a project, you select which KFF Group to use during processing.
Within a KFF group, you can manually edit custom Hash Sets.

About KFF Groups Status Override Settings
When you create a KFF Group, you can choose to use the default status of the Hash Set (Alert or Ignore) or
override it. You do this by setting one of the following Status Override settings:
Alert

- All Hash Sets within the KFF Group will be set to Alert regardless of the status of the individual
Hash Sets.

Ignore

- All Hash Sets within the KFF Group will be set to Ignore regardless of the status of the individual
Hash Sets.

No

Override - All Hash Sets will maintain their default status.

For example, if you have a Hash Set with a status of Alert, if you set the KFF Group to No Override, then the
default status of Alert is used. If you set the KFF Group with a status of Ignore, the the Hash Set Alert status is
overridden and Ignore is used.
As a result, use caution when setting the Status Override for a KFF Group.

About Nesting KFF Groups
KFF Groups can contain Hash Sets or they can contain other KFF Groups. When one KFF Group includes
another KFF Group, it is called nesting.
The reason that you may want to nest KFF Groups is that you can use multiple KFF Groups when processing
your data. When you enable KFF for a case, you can only select one KFF Group. By nesting, you can use
multiple KFF Groups.
For example, you may have one KFF Group that contains Hash Sets with an Alert status. You may have a
second KFF Group that contains Hash Sets with an Ignore status. When processing a case, you may want to
use both of those KFF Groups. To accomplish this, you can create another KFF Group as a parent and then add
the other two KFF Groups to it. When processing, you would select the parent KFF Group.
When nesting KFF Groups you must be mindful of the Status Override of the parent KFF Group. The Status
Override for the highest KFF Group in the hierarchy is used when nesting KFF Groups. In most cases, you will
want to set the parent KFF Group with a status of None. That way, the status of each child KFF Group (or their
Hash Sets) is used. If you select an Alert or Ignore status for the parent KFF Group, then all child KFF Groups
and their Hash Sets will use that status.

Using KFF (Known File Filter)

Using KFF Groups to Organize Hash Sets

| 317

Creating a KFF Group
You create KFF groups to organize your Hash Sets. When you create a KFF Group, you add one ore more Hash
Sets to it. You can later edit the KFF Group to add or remove Hash Sets.

To create a KFF Group
1.

Click Management >

Click Add

Enter a Name.

Set the Status Override.

See About KFF Groups Status Override Settings on page 317.

(Optional) Enter a Package, Vendor, and Version.

Click Save.

Groups.

To add a Hash Sets to a KFF Group
1.

Click Management >

Groups.

In the Groups list, select the group that you want to add Hash Sets to.

In the Groups and Hash Sets pane, click

Select the Hash Sets that you want to add to the group.

You can filter the list of Hash Sets to help you find the hash sets that you want.

After selecting the sets, click OK.

Add.

Viewing the Contents of a KFF Group
On the KFF Groups page, you can select a KFF Group and in the Groups and Hash Sets pane, view the Hash
Sets and child KFF Groups that are contained in that KFF Group.

Managing KFF Groups
You can edit KFF Groups and do the following:
Rename
Change
Add

the group
the Override Status

or remove Hash Sets and KFF Groups

You can also do the following:
Delete

the group

Export

the group
See Exporting KFF Data on page 328.

Using KFF (Known File Filter)

Using KFF Groups to Organize Hash Sets

| 318

To manage a KFF Group
1.

Click Management >

In the Groups list, select a KFF Group that you want to manage.

Do one of the following:
Click

Edit.

Click

Delete.

Groups.

Click

Export.
See Exporting KFF Data on page 328.

About the Manage KFF Groups Page
To configure KFF Groups, you use the KFF Groups page.

To open the KFF Groups page
1.

Click Management >

Groups

If the feature does not function properly, check the following:
The

KFF Server is installed.
See Installing the KFF Server on page 287.

The

application has been configured for the KFF Server.
See Configuring the Location of the KFF Server on page 288.

The

KFF Service is running.
In the Windows Services manager, make sure that the AccessData Elasticsearch service is started.

Elements of the KFF Groups page
Tab

Element

Description

KFF Groups pane

KFF Groups

Displays all of the KFF Groups that have been
imported or created in the KFF Server.
Lets you create a KFF Group.
See Creating a KFF Group on page 318.
Lets you edit the active KFF Group.
See Managing KFF Groups on page 318.
Lets you delete the active KFF Group.
See Managing KFF Groups on page 318.

Delete

Using KFF (Known File Filter)

Lets you delete one or more checked KFF Groups.

Using KFF Groups to Organize Hash Sets

| 319

Elements of the KFF Groups page
Tab

Element

Description

Export

Lets you export KFF data.
See Exporting KFF Data on page 328.
Refreshes the KFF Groups list.

Groups and Hash
Sets Pane

Lets you add and remote Hash Sets from KFF Groups.
See Managing KFF Groups on page 318.
Add

Remove
View Hashes

Using KFF (Known File Filter)

Displays the list of Hash Sets that you can add to a
KFF Group.
See Managing KFF Groups on page 318.
Lets you remove Hash Sets from a KFF Group.
See Managing KFF Groups on page 318.
Lets you view and manage the hashes in the Hash
Set.
See Searching For, Viewing, and Managing Hashes
in a Hash Set on page 315.

Using KFF Groups to Organize Hash Sets

| 320

Enabling a Project to Use KFF
When you create a project, you can enable KFF and configure the KFF settings for the project.

About Enabling and Configuring KFF
To use KFF in a project you do the following:

Process for enabling and configuring KFF
1. Create a new Project

If you want to use KFF you must enable it when you create the project. You
cannot enable KFF for a project after it has been created.

2. Enable KFF

Enable the KFF processing option.
See Enabling and Configuring KFF on page 321.

2. Configure how to
process ignorable files

You can choose how to process ignorable files:
 Skip Ignorable Files - This option will not process any files determined to be
Ignorable. Any files that are ignorable will not be included or visible in the
project.
This is the default option.
 Process and Flag Ignorable Files - This option will process ignorable files, but
flag them as Ignorable. Any files that are Ignorable will be included and visible in the project, but can be filtered.
See Using Quick Filters on page 324.

4. Select a KFF Group

When enabling KFF for a project, you select one KFF Group that you want to
use. You do not create KFF Group at that time. You can only select an existing
group. Because of this, you must have at least one KFF Group created before
creating a project.
See Using KFF Groups to Organize Hash Sets on page 317.
However, after processing, you can re-process the data using a different KFF
template. This lets you create and use different templates after you initially
process the project.
See Re-Processing KFF on page 327.

Enabling and Configuring KFF
To enable and configure KFF for a project
1.

Create a new project.

In Processing Options, select Enable KFF.
A

Options tab option displays.

In Processing Options, select how to handle ignorable files.

Click

Options.

The KFF Options window displays.

Using KFF (Known File Filter)

Enabling a Project to Use KFF

| 321

In the drop-down menu, select the KFF Group that you want to use.
See Using KFF Groups to Organize Hash Sets on page 317.

In the Hash Sets pane, verify that this template has the hash sets that you want. Otherwise select a
different template.

Click Create Project and Import Evidence or click Create Project and add evidence later.

Using KFF (Known File Filter)

Enabling a Project to Use KFF

| 322

Reviewing KFF Results
KFF results are displayed in Project Review.
You can use the following tools to see KFF results:
Project

Details page

Project

Review

KFF

Information Quick Columns

KFF

Quick Filters

KFF

facets

KFF

Details

You can also create and modify KFF libraries and hash sets using files in Review.
See Adding Hashes to Hash Sets Using Project Review on page 315.

Viewing KFF Data Shown on the Project Details Page
To View KFF Data on the Project Details page
1.

Click the Home tab.

Click the

In the right column, you can view the number of KFF known files.

Project Details tab.

About KFF Data Shown in the Review Item List
You can identify and view files that are either Known or Unknown based on KFF results.
Depending on the KFF configuration options, there are two or three possible KFF statuses in Project Review:
Alert

(2) - Files that matched hashes in the template with an Alert status

Ignore

(1) - Files that matched hashes in the template with an Ignore status (not shown in the Item List by
default)

Unknown

(0) - Files that did not match hashes in the template

If you configured the project to skip ignorable files, files configured to be ignored (Ignore status) are not included
in the data and are not viewable in the Project Review.
See Enabling and Configuring KFF on page 321.

Using the KFF Information Quick Columns
You can use the KFF Information Quick Columns to view and and sort and filter on KFF values. For example,
you can sort on the KFF Status column to quickly see all the files with the Alert status.
See Using Document Viewing Panels on page 76.
To see the KFF columns, activate the KFF Information Quick Columns.

Using KFF (Known File Filter)

Reviewing KFF Results

| 323

To activate the KFF Information Quick Columns
1.

From the Item List in the Review window, click Options.

Click Quick Columns > KFF > KFF Information.
The KFF Columns display.

Item List with KFF Tabs displayed

KFF Columns
Column

Description

KFF Status

Displays the status of the file as it pertains to KFF. The three options are
Unknown (0), Ignore (1), and Alert (2).
 If you configured the project to skip Ignorable files, these files are not
included in the data.
 If you configured the project to flag Ignorable files, and the Hide Ignorables
Quick Filter is set, these files are in the data, but are not displayed.
See Using Quick Filters on page 324.

KFF Set

Displays the KFF Hash Set to which the file belongs.

KFF Group Name

Displays the name created for the KFF Group in the project.

KFF Vendor

Displays the KFF vendor.

See Filtering by Column in the Item List Panel on page 139.

Using Quick Filters
You can use Quick Filters to quickly show or hide KFF Ignorable files.
You can toggle the quick filter to do the following:
Hide

Ignorables - enabled by default

Show

Ignorables

The Hide Ignorables Quick Filter is set by default. As a result, even if you selected to process and flag Ignorable
files for the project, they are not included in the Item List by default.
To show ignorable files in the Item list, change the Quick Filter to Show Ignorables.

Using KFF (Known File Filter)

Reviewing KFF Results

| 324

Note: If you configured the project to skip ignorable files, files configured to be ignored (Ignore status) will not
be shown, even if you select to Show Ignorables.

To change the KFF Quick Filters
1.

From the Item List in the Review window, click Options.

Click Quick Filters > Show Ignorables.

Using the KFF Facets
You can use the KFF facets to filter data based on KFF values. For example, you can apply a facet to only
display items with an Alert status or with a certain KFF set.
See About Filtering Data with Facets on page 124.
Note: If you configured the project to skip Ignorable files, these files are not included in the data and the Ignore
facet is not available. If you configured the project to flag Ignorable files, and the Hide Ignorables Quick
Filter is set, the Ignore facet is available, but the files will not be displayed.
See Using Quick Filters on page 324.
You can use the following KFF facets:
KFF

Vendors

KFFGroups
KFF

Statuses

KFF

Sets

Within a facet, only the filters that are available in the project are available. For example, if no files with the Alert
status are in the project, the Alter filter will not be available in the KFF Statuses facet.

To apply KFF facets
1.

From the Item List in the Review window, open the facets pane.

Expand KFF.

Select the facets that you want to apply.

Using KFF (Known File Filter)

Reviewing KFF Results

| 325

Viewing Detailed KFF Data
You can view KFF results details for an individual file.

To view the KFF Details
1.

For a project that you have run KFF, open Project Review.

Under Layouts, select the CIRT Layout.
See Managing Saved Custom Layouts on page 55.

In Project Review, select a file in the Item List panel.

In the view panel, click the Detail Information view tab.

Click the KFF Details tab.

Using KFF (Known File Filter)

Reviewing KFF Results

| 326

Re-Processing KFF
After you have processed a project with KFF enabled, you can re-process your data using an updated or
different KFF Group. This is useful in re-examining a project after adding or editing hash sets.
See Adding Hashes to Hash Sets Using Project Review on page 315.
If you want to re-process KFF with updated hash sets, be sure that the selected KFF Group has the desired sets.
You can only select from existing KFF Groups.

To re-process KFF
1.

From the Home page, select a project that you want to re-process.

Click the

tab.

The currently selected group is displayed along with its corresponding hash sets.
3.

(Optional) If you want to change the KFF Group, in the the drop-down menu, select a different KFF
Group and click Save.

In the Hash Sets pane, verify that the desired sets are included.

Click Process KFF.

(Optional) On the Home page, for the project, click Work Lists

, and verify that the KFF job starts

and completes.
See Monitoring the Work List on page 277.
7.

Click Refresh

Review the KFF results.
See Reviewing KFF Results on page 323.

Using KFF (Known File Filter)

to see the current status.

Re-Processing KFF

| 327

Exporting KFF Data
About Exporting KFF Data
You can share KFF Hash Sets and KFF Groups with other KFF Servers by exporting KFF data on one KFF
Server and importing it on another. You can also use export as a way of archiving your KFF data.
You can export data in one of the following ways:
Exporting

Hash Sets - This exports the selected Hash Sets with any included hashes. (CSV format only)

Exporting

KFF Groups - This exports the selected KFF Groups with any included sub-groups and any
included hashes. (CSV format only)

Exporting

an archive of all custom KFF data - This exports all the KFF data except NSRL, NIST, and DHC
data (in a binary format).

When exporting KFF Groups or Hash Sets, you can export in the following formats:
CSV

file

Binary

format
Important: Even though it appears that you can select and export one Hash Set or one KFF Group, if
you export using the KFF binary format, all of the data that you have in the KFF Index will be exported
together. You cannot use this format to export individual Hash Sets or KFF Groups. Use the CSV format
instead.

See About CSV and Binary Formats on page 298.

Exporting KFF Groups and Hash Sets
You can share KFF hashes by exporting KFF Hash Sets or KFF Groups. Exports are saved in a CSV file that can
be imported.

To export a one or more KFF Groups or Hash Sets
1.

Do one of the following:
Click

Management >

Hash Sets.

Click

Management >

Groups.

Select one or more KFF Groups or Hash Sets that you want to export.

Click Export.

Select CSV (do not select Export Binary).

Browse to and select the location to which you want to save the exported file.

Click Select.

Enter a name for the exported file.

Click OK.

In the Export Summaries dialog, view the status of the export.

10. Click Close.

Using KFF (Known File Filter)

Exporting KFF Data

| 328

To create an archive of all your custom Hash Sets and Groups
1.

Do one of the following:
Click

Management >

Hash Sets.

Click

Management >

Groups.

Select a KFF Group or Hash Set.

Click Export.

Select Export Binary.

Browse to and select the location to which you want to save the exported files.

Click Select.

Enter a name for the folder to contain the binary files (This is a new folder created by the export).

Click OK.

In the Export Summaries dialog, view the status of the export.

10. Click Close.

To view the Export History
1.

Do one of the following:
Click

Management >

Hash Sets.

Click

Management >

Groups.

Click Export.

Select View Export History.

In the Export Summaries dialog, view the status of the export.

Click Close.

Using KFF (Known File Filter)

Exporting KFF Data

| 329

Chapter 30

Integrating with AccessData Forensics
Products

Web-based products (Summation, Resolution1, Resolution1 eDiscovery, and Resolution1 CyberSecurity) can
work collaboratively with FTK-based forensics products, (FTK, Lab, FTK Pro, and Enterprise).
Note: For brevity, in this chapter, all FTK-based products will be referenced as FTK and all Summation and
Resolution1 applications will be referenced as Summation.
You can access the same project data on the same database to perform legal review and forensic examination
simultaneously. The benefit of this compatibility is that FTK provides some features that are not available in the
web-based products. For example, you can create projects in Summation and then open, review, and perform
additional tasks in FTK and then continue your work in Summation.
Using FTK, you can do the following with Summation projects:
Open

and review a project

Backup
Add

and restore a project

and remove evidence

Perform

Additional Analysis after the initial processing

Search,

index, and label data

View

graphics and videos

Export

data

Important: For compatibility, the version of the web-based product and the version for FTK must be the same-both must be 5.0.x or be 5.1.x. For example:
Summation 5.2.x must be used with FTK 5.2.x
Resolution1 5.5 must be used with FTK 5.5

Integrating with AccessData Forensics Products

| 330

Installation
You can install FTK and Summation on either the same computer or on different computers. The key is that they
share a common database. The database that the data is stored in is unified so that the data can be shared
between products.
It is recommended that you install the web-based product first, configure the database, and then install FTK and
point FTK to that database. The administrator account for the web-based product is the administrative account
for the database for FTK.
When launching FTK and logging into the database, you use the administrator credentials from the web-based
product.
Important: For compatibility, the version for Summation and the version for FTK must be the same.
Important: Note that FTK and Summation may use different versions of the processing engine. If this is the case
there will be information in the Release Notes.

Managing User Accounts and Permissions Between
FTK and Summation/Resolution1 eDiscovery
You can create a user account in either product and then use that user name in the other product.

Permissions
When users are assigned permissions in one application, such as Summation, the permissions of the user in
FTK are not affected.

Creating and Viewing Projects
Using either product, you can create projects and add evidence to that project. You can then use either product
to open the project and perform tasks on the project data.
You can have users in each program reviewing the data at the same time.

Managing Evidence in FTK
Adding Evidence using FTK
You can use FTK to add evidence to a project that was created in Summation. Reviewers in Summation can
then review the new evidence. Using FTK, you can add live evidence and static evidence. When you add
evidence, you can add image files (such as AD1, E01), individual files, physical drives, and logical drives.
Important: When you collect volatile data in FTK, you cannot see it in Summation.

Integrating with AccessData Forensics Products

Installation

| 331

Processing Evidence using FTK
FTK provides processing options that are not available in Summation. You can utilize the processing abilities of
FTK and then review the data in Summation/Resolution1 eDiscovery. You can do all processing in FTK or you
can perform an Additional Analysis in FTK after an initial processing.
The following are examples of additional processing options that are available in FTK:
Processing
Known

File Filter (KFF)

Automatic
Create

File Decryption

Thumbnails for Video

Generate
Explicit

Profiles

Common Video File

Image Detection

PhotoDNA
Cerberus

Analysis

When you create a project with specific processing options, those options are maintained when the project is
viewed in the other product. (15940)
Important: If you create a project in Summation, process the evidence, then add more evidence using FTK, if
you compare the JobInformation.log files, the processing options applied by FTK are different from
Summation.

Managing Evidence Groups in FTK and People in Summation
It is important to note that FTK does not use people, but rather has evidence groups. Evidence groups let you
create and modify groups of evidence. In FTK, you can share groups of evidence with other projects, or make
them specific to a single project.
When you create people in a project in Summation, and then look at the project in FTK, the people will be listed
as evidence groups. The opposite is also true. If you create an evidence group in FTK, it will be listed as a
person in Summation.
Important: When you use FTK to add data to an evidence group that was an existing Summation person, two
child entries of the same person are created for the data. When you look at the person data in
Summation, there will be two child objects under the person with the same name, one with
Summation data and the other with FTK data.

Reviewing Evidence in FTK
Searching Evidence using FTK
You can use FTK to search evidence in Summation projects. The search capabilities in FTK are more robust
than Summation. In FTK, you can perform an index search as well as a live search. Live search includes options
such as text searching, pattern searching, and hexadecimal searching.
Important: Note the following issue:

Integrating with AccessData Forensics Products

Creating and Viewing Projects

| 332

Issue:

The search results counts for the same project may be different when viewed in the different
products due to the way search options are executed in the respective products. For example:
Summation

only search columns that are visible to the user. FTK will search columns that are not
visible to a Resolution1 user.

Re-indexing
Because

the data will change the search results.

of FTK’s Live Search feature, FTK will return more search results hits than in Summation.

Labeling Evidence Using FTK
After searching and identifying data in FTK, you can label the data and then review the project in Summation and
see the labeled data. You can then perform additional review, culling, and export tasks.

Viewing Labeled Evidence in FTK
When reviewing data in Summation, you can label data, and then that labeled data is viewable in FTK. This can
be useful in workflow management. For example, when reviewing the data, you can label data indicating that it
needs additional analysis. When the project is opened in FTK, the labeled data is visible.

Exporting Data using FTK
You can review and cull data in Summation and then export the data from FTK using its export capabilities.
The following are examples of what you can export using FTK:
Export
Save

files to an AD1 Image file

file list information

Export

the contents of the project list to a word list

Export

hashes from a project

Export

search hits

Export

emails to PST or MSG

Viewing Documents Groups and Review Sets in FTK
Important: In Summation, there are separate views and permissions defined for Document Groups and Review
Sets. In FTK, Document Groups and Review Sets that were created in Summation are displayed within the
Manage Labels dialog.

Reviewing FTK Data in Summation
You can use the following review features in Summation to help manage the workflow of working with data that
was added and processed using FTK.
Review
Cull

the data by reviewers in the Web console.

the data and get the desired data set.

Export

the data using Summation using its export capabilities.

Integrating with AccessData Forensics Products

Creating and Viewing Projects

| 333

Known Issues with FTK Compatibility
See the product’s and FTK Release Notes for a list of known issues with FTK Compatibility.

Integrating with AccessData Forensics Products

Known Issues with FTK Compatibility

| 334

Source Exif Data:

File Type                       : PDF
File Type Extension             : pdf
MIME Type                       : application/pdf
PDF Version                     : 1.5
Linearized                      : Yes
Author                          : 
Create Date                     : 2014:12:30 12:49:36Z
Modify Date                     : 2014:12:30 12:49:36Z
XMP Toolkit                     : Adobe XMP Core 4.2.1-c043 52.372728, 2009/01/18-15:08:04
Creator Tool                    : FrameMaker 9.0
Producer                        : Acrobat Distiller 9.5.5 (Windows)
Format                          : application/pdf
Creator                         : 
Title                           : 
Document ID                     : uuid:5d07a11d-9bc6-4ffa-9eb7-1540d8753fa0
Instance ID                     : uuid:29eb7ba6-2254-4e83-8a97-c31c3f80b7e3
Page Mode                       : UseOutlines
Page Count                      : 334

EXIF Metadata provided by EXIF.tools

E Discovery Reviewer Guide

Navigation menu

Versions of this User Manual:

Views

Navigation