Admin_Guide Summation Admin Guide

2016-04-25

Page Count: 389

Draft
AccessData
Summation®
Administration Guide
AccessData Legal and Contact Information
Document date: April 25, 2016
Legal Information
©2016 AccessData Group, Inc. All rights reserved. No part of this publication may be reproduced, photocopied,
stored on a retrieval system, or transmitted without the express written consent of the publisher.
AccessData Group, Inc. makes no representations or warranties with respect to the contents or use of this
documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any
particular purpose. Further, AccessData Group, Inc. reserves the right to revise this publication and to make
changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.
Further, AccessData Group, Inc. makes no representations or warranties with respect to any software, and
specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose.
Further, AccessData Group, Inc. reserves the right to make changes to any and all parts of AccessData
software, at any time, without any obligation to notify any person or entity of such changes.
You may not export or re-export this product in violation of any applicable laws or regulations including, without
limitation, U.S. export regulations or the laws of the country in which you reside.
AccessData Group, Inc.
588 West 400 South Suite 350
Lindon, UT 84042
USA
AccessData Trademarks and Copyright Information
The following are either registered trademarks or trademarks of AccessData Group, Inc. All other trademarks are
the property of their respective owners.
AccessData® DNA® PRTK®
AccessData Certified Examiner® (ACE®) Forensic Toolkit® (FTK®) Registry Viewer®
AD Summation® Mobile Phone Examiner Plus® Summation®
Discovery Cracker® MPE+ Velocitor™ SilentRunner®
Distributed Network Attack® Password Recovery Toolkit®
A trademark symbol (®, ™, etc.) denotes an AccessData Group, Inc. trademark. With few exceptions, and
unless otherwise notated, all third-party product names are spelled and capitalized the same way the owner
spells and capitalizes its product name. Third-party trademarks and copyrights are the property of the trademark
and copyright holders. AccessData claims no responsibility for the function or performance of third-party
products.
Third party acknowledgements:
-FreeBSD ® Copyright 1992-2011. The FreeBSD Project.
-AFF® and AFFLIB® Copyright® 2005, 2006, 2007, 2008 Simson L. Garfinkel and Basis Technology
Corp. All rights reserved.
-Copyright © 2005 - 2009 Ayende Rahien
BSD License: Copyright (c) 2009-2011, Andriy Syrov. All rights reserved. Redistribution and use in source and
binary forms, with or without modification, are permitted provided that the following conditions are met:
Redistributions of source code must retain the above copyright notice, this list of conditions and the following
disclaimer; Redistributions in binary form must reproduce the above copyright notice, this list of conditions and
the following disclaimer in the documentation and/or other materials provided with the distribution; Neither the
name of Andriy Syrov nor the names of its contributors may be used to endorse or promote products derived
from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE
COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
WordNet License
This license is available as the file LICENSE in any downloaded version of WordNet.
WordNet 3.0 license: (Download)
WordNet Release 3.0 This software and database is being provided to you, the LICENSEE, by Princeton
University under the following license. By obtaining, using and/or copying this software and database, you agree
that you have read, understood, and will comply with these terms and conditions.: Permission to use, copy,
modify and distribute this software and database and its documentation for any purpose and without fee or
royalty is hereby granted, provided that you agree to comply with the following copyright notice and statements,
including the disclaimer, and that the same appear on ALL copies of the software, database and documentation,
including modifications that you make for internal use or for distribution. WordNet 3.0 Copyright 2006 by
Princeton University. All rights reserved. THIS SOFTWARE AND DATABASE IS PROVIDED "AS IS" AND
PRINCETON UNIVERSITY MAKES NO REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED. BY
WAY OF EXAMPLE, BUT NOT LIMITATION, PRINCETON UNIVERSITY MAKES NO REPRESENTATIONS OR
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE
USE OF THE LICENSED SOFTWARE, DATABASE OR DOCUMENTATION WILL NOT INFRINGE ANY THIRD
PARTY PATENTS, COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS. The name of Princeton University or
Princeton may not be used in advertising or publicity pertaining to distribution of the software and/or database.
Title to copyright in this software, database and any associated documentation shall at all times remain with
Princeton University and LICENSEE agrees to preserve same.
Documentation Conventions
In AccessData documentation, a number of text variations are used to indicate meanings or actions. For
example, a greater-than symbol (>) is used to separate actions within a step. Where an entry must be typed in
using the keyboard, the variable data is set apart using [variable_data] format. Steps that require the user to
click on a button or icon are indicated by Bolded text. This Italic font indicates a label or non-interactive item in
the user interface.
A trademark symbol (®, ™, etc.) denotes an AccessData Group, Inc. trademark. Unless otherwise notated, all
third-party product names are spelled and capitalized the same way the owner spells and capitalizes its product
name. Third-party trademarks and copyrights are the property of the trademark and copyright holders.
AccessData claims no responsibility for the function or performance of third-party products.
Registration
The AccessData product registration is done at AccessData after a purchase is made, and before the product is
shipped. The licenses are bound to either a USB security device, or a Virtual CmStick, according to your
purchase.
Subscriptions
AccessData provides a one-year licensing subscription with all new product purchases. The subscription allows
you to access technical support, and to download and install the latest releases for your licensed products during
the active license period.
Following the initial licensing period, a subscription renewal is required annually for continued support and for
updating your products. You can renew your subscriptions through your AccessData Sales Representative.
Use License Manager to view your current registration information, to check for product updates and to
download the latest product versions, where they are available for download. You can also visit our web site,
www.accessdata.com anytime to find the latest releases of our products.
For more information, see Managing Licenses in your product manual or on the AccessData website.
AccessData Contact Information
Your AccessData Sales Representative is your main contact with AccessData. Also, listed below are the general
AccessData telephone number and mailing address, and telephone numbers for contacting individual
departments.
Mailing Address and General Phone Numbers
You can contact AccessData in the following ways:
Technical Support
Technical support is available on all currently licensed AccessData solutions.
You can contact AccessData Customer and Technical Support in the following ways:
AccessData Support Portal
You can access the Chat, Knowledge Base, Discussion Boards, White Papers and more through the
AccessData Support Portal:
https://support.accessdata.com
E-Mail Support:
support@accessdata.com
Telephone:
Americas/Asia-Pacific:
800-658-5199 (North America)
Support Hours: Mon-Fri, 7:00 AM – 6:00 PM (MST), except corporate holidays.
NOTE: Emergency support is available on weekends:
Saturday and Sunday 8:00am – 6:00pm MST via support@accessdata.com
AccessData Mailing Address, Hours, and Department Phone Numbers
Corporate Headquarters: AccessData Group, Inc.
588 West 400 South Suite 350
Lindon, UT 84042 USA
Voice: 801.377.5410; Fax: 801.377.5426
General Corporate Hours: Monday through Friday, 8:00 AM – 5:00 PM (MST)
AccessData is closed on US Federal Holidays
State and Local Law Enforcement Sales: Voice: 800.574.5199, option 1; Fax: 801.765.4370
Email: Sales@AccessData.com
Federal Sales: Voice: 800.574.5199, option 2; Fax: 801.765.4370
Email: Sales@AccessData.com
Corporate Sales: Voice: 801.377.5410, option 3; Fax: 801.765.4370
Email: Sales@AccessData.com
Training: Voice: 801.377.5410, option 6; Fax: 801.765.4370
Email: Training@AccessData.com
Accounting: Voice: 801.377.5410, option 4
Documentation
Please email AccessData regarding any typos, inaccuracies, or other problems you find with the documentation:
documentation@accessdata.com
Professional Services
The AccessData Professional Services staff comes with a varied and extensive background in digital
investigations including law enforcement, counter-intelligence, and corporate security. Their collective
experience in working with both government and commercial entities, as well as in providing expert testimony,
enables them to provide a full range of computer forensic and eDiscovery services.
At this time, Professional Services provides support for sales, installation, training, and utilization of Summation,
FTK, FTK Pro, Enterprise, eDiscovery, Lab and the entire Resolution One platform. They can help you resolve
any questions or problems you may have regarding these solutions.
Contact Information for Professional Services
Contact AccessData Professional Services in the following ways:
AccessData Professional Services Contact Information
Contact Method: Number or Address
Phone: North America Toll Free: 800-489-5199, option 7; International: +1.801.377.5410, option 7
Email: services@accessdata.com
Contents
AccessData Legal and Contact Information
Contents
Part 1: Introducing the Summation Admin Guide
Chapter 1: Introducing Summation
About AccessData Summation
About the Audience for this Guide
Summation Features
Recommended Hardware Specifications
Chapter 2: Introduction to Application Management
Workflows for Administrators
Chapter 3: Getting Started
Terminology
About the AccessData Web Console
Web Console Requirements
About User Accounts
User Account Types
Opening the AccessData Web Console
Installing the Browser Components
Installing Components through the Browser
Installing Browser Components Manually
Introducing the Web Console
The Project List Panel
User Actions
Changing Your Password
Using Elements of the Web Console
Maximizing the Web Console Viewing Area
About Content in Lists and Grids
Part 2: Administrating Summation
Chapter 4: Using the Management Page
About the Management Page
Opening the Management Page
Management Page
Chapter 5: Configuring and Managing System Users, User Groups, and Roles
About Users
About User Roles and Permissions
Planning User Roles
About Admin Roles and Permissions
Creating Admin Roles
About the Users Tab
About the Admin Roles Tab
Managing Admin Roles
Creating an Admin Role
Adding Permissions to an Admin Role
Managing Users
About User Account Types
Managing the List of Users
Adding Users
Associating User Groups and Admin Roles to a User
Disassociating a User Group or Admin Role from a User
Editing the Email Address of a User
Resetting a User’s Password
Managing Locked User Accounts
Unlocking a User Account
Deleting Users
Deactivating a User
Activating a User
Configuring and Managing User Groups
Opening the User Groups Tab
User Groups Tab
Adding Groups
Deleting Groups
Editing Groups
Associating Users/Admin Roles to a Group
Chapter 6: Configuring the System
About System Configuration
System Configuration Tab - Standard Settings
Configuring Active Directory Synchronization
Configuring the Email Notification Server
Configuring Default Project Settings
Configuring Export Options
Chapter 7: Using the Work Manager Console and Logs
Using the Work Manager Console
Opening the Work Manager Console
Work Manager Console Tab
Validating Activate Work Orders
Configuring a Work Manager
Using the System Log and Activity Log
About the System Log
System Log Tab
About the Activity Log
Activity Log Tab
Viewing the System Log or Activity Log
Clearing the Log
Exporting the Log
Chapter 8: Using Language Identification
Language Identification
Chapter 9: Getting Started with KFF (Known File Filter)
About KFF
Introduction to the KFF Architecture
Components of KFF Data
How KFF Works
About the KFF Server and Geolocation
Installing the KFF Server
About Installing the KFF Server
About KFF Server Versions
Process for Installing KFF
Downloading the Latest KFF Installation Files
Installing the KFF Server Service
Configuring the Location of the KFF Server
Configuring the KFF Server Location on FTK-based Computers
Configuring the KFF Server Location on Summation and eDiscovery Applications
Migrating Legacy KFF Data
Importing KFF Data
About Importing KFF Data
Using the KFF Import Utility
Importing Pre-defined KFF Data Libraries
Installing the Geolocation (GeoIP) Data
About CSV and Binary Formats
Uninstalling KFF
Installing KFF Updates
KFF Library Reference Information
About KFF Pre-Defined Hash Libraries
What has Changed in Version 5.6
Chapter 10: Using De-NIST (Known File Filter)
About KFF and De-NIST Terminology
Process for Using De-NIST
Configuring De-NIST Permissions
Adding Hashes to the KFF Server
About the Manage De-NIST Hash Sets Page
Importing De-NIST Data
Manually Creating and Managing De-NIST Hash Sets
Adding Hashes to Hash Sets Using Project Review
Using De-NIST Groups to Organize Hash Sets
About De-NIST Groups
Creating a De-NIST Group
Viewing the Contents of a De-NIST Group
Managing De-NIST Groups
About the Manage De-NIST Groups Page
Enabling a Project to Use De-NIST
About Enabling and Configuring De-NIST
Enabling and Configuring De-NIST
Reviewing De-NIST Results
Viewing De-NIST Data Shown on the Project Details Page
About De-NIST Data Shown in the Review Item List
Using the De-NIST Information Quick Columns
Using Quick Filters
Using the De-NIST Facets
Viewing Detailed De-NIST Data
Re-Processing De-NIST
Exporting De-NIST Data
About Exporting KFF Data
Exporting KFF Groups and Hash Sets
Part 3: Configuring Data Sources
Chapter 11: Managing People as Data Sources
About People
About Managing People
About the Data Sources Person Page
Data Sources Person Tab Options
Adding People
Adding People Using Active Directory
Associating a Project to a Person
Part 4: Managing Projects
Chapter 12: Introduction to Project Management
About Projects
Workflow for Project/Case Managers
Chapter 13: Using the Project Management Home Page
Viewing the Home Page
Introducing the Home Page
The Project List Panel
Evidence Tab
Adding Custom Properties
Custom Properties
Managing People for a Project
About People
About Managing People
About the Project’s Person Tab
Project’s Person Tab Options
Adding People
Associating a Project to a Person
Chapter 14: Creating a Project
Creating Projects
General Project Properties
Normalized Time Zones
Evidence Processing and Deduplication Options
About Deduplication
About Indexing for Text Searches of Content of Files
About Optical Character Recognition (OCR)
Interruption of Evidence Processing
Using Project Properties Cloning
Viewing and Editing Project Details
Project Details Tab
Chapter 15: Managing Custodians for a Project
About Managing Custodians for a Project
Using the Home Custodians Tab
Associating an Existing Custodian to a Project
Manually Creating Custodians for a Project
Editing a Custodian
Removing a Custodian
Importing Project Custodians From a File
About Associating a Person to an Evidence Item
Using the Data Sources People Tab
Chapter 16: Managing Tags
Managing Labels
Creating Labels
Deleting Labels
Renaming a Label
Managing Label Permissions
Applying Labels to Documents
Managing Issues
Creating Issues
Deleting Issues
Renaming Issues
Managing Issue Permissions
Applying Issues to Documents
Chapter 17: Setting Project Permissions
About Project Permissions
About Project Roles
Project-level Permissions
Permissions Tab
Associating Users and Groups to a Project
Disassociate Users and Groups from a Project
Associating Project Roles to Users and Groups
Disassociating Project Roles from Users or Groups
Creating a Project Role
Editing and Managing a Project Role
Chapter 18: Running Reports
Accessing the Reports Tab
Basic Reports
eDiscovery Reports
Chapter 19: Configuring Review Tools
Configuring Markup Sets
Markup Sets Tab
Adding a Markup Set
Deleting a Markup Set
Editing the Name of a Markup Set
Associating a User or Group to a Markup Set
Disassociating a User or Group from a Markup Set
Configuring Custom Fields
Custom Fields Tab
Adding Custom Fields
Editing Custom Fields
Creating Category Values
About Deleting Custom Fields
Configuring Tagging Layouts
Tagging Layout Tab
Adding a Tagging Layout
Deleting a Tagging Layout
Editing a Tagging Layout
Associating Fields to a Tagging Layout
Disassociating Fields from a Tagging Layout
Associate User or Group to Tagging Layout
Disassociate User or Group to Tagging Layout
Configuring Highlight Profiles
Highlight Profiles Tab
Adding Highlight Profiles
Editing Highlight Profiles
Deleting Highlight Profiles
Add Keywords to a Highlight Profile
Associating a Highlight Profile
Disassociating a Highlight Profile . . . . . . . . . . . . . . . . . . . . . . . . . . 224
Configuring Redaction Text . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
Redaction Text Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
Creating a Redaction Text Profile . . . . . . . . . . . . . . . . . . . . . . . . . . 225
Editing Redaction Text Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
Deleting Redaction Text Profiles. . . . . . . . . . . . . . . . . . . . . . . . . . . 226
Chapter 20: Monitoring the Work List . . . . . . . . . . . . . . . . . . . . . . 227
Accessing the Work List . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
Work List Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
Chapter 21: Managing Document Groups . . . . . . . . . . . . . . . . . . . . . . 229
About Managing Document Groups . . . . . . . . . . . . . . . . . . . . . . 229
About DocIDs and Object IDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
How DocIDs are Created. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
Creating a Document Group During Import . . . . . . . . . . . . . . . . . . . . . . 232
Creating a Document Group in Project Review . . . . . . . . . . . . . . . . 232
Renumbering a Document Group in Project Review . . . . . . . . . . . . . . . . . 233
Deleting a Document Group in Project Review . . . . . . . . . . . . . . . . 233
Managing Rights for Document Groups in Project Review . . . . . . . . . . . . . 234
Chapter 22: Managing Transcripts and Exhibits . . . . . . . . . . . . . . . . . . 235
Creating a Transcript Group . . . . . . . . . . . . . . . . . . . . . . . . . . 235
Uploading Transcripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
Updating Transcripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
Creating a Transcript Report. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
Capturing Realtime Transcripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
Marking Realtime Transcripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
Updating a Realtime Transcript . . . . . . . . . . . . . . . . . . . . . . . . . . . 242
Using Transcript Vocabulary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
Viewing Details of Words in the Vocabulary Dialog . . . . . . . . . . . . . . . . 245
Uploading Exhibits. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
Chapter 23: Managing Review Sets . . . . . . . . . . . . . . . . . . . . . . . . 247
Creating a Review Set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
Deleting Review Sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
Renaming a Review Set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
Manage Permissions for Review Sets. . . . . . . . . . . . . . . . . . . . . . . . . . 251
Chapter 24: Project Folder Structure . . . . . . . . . . . . . . . . . . . . . . 252
Project Folder Path . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
Finding the Project Folder Path . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
Project Folder Subfolders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
Opening Project Files. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
Files in the Project Folder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
Part 5: Loading Summation Data . . . . . . . . . . . . . . . . . . . . . . . . . 255
Chapter 25: Introduction to Loading Data . . . . . . . . . . . . . . . . . . . . 256
Importing Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
Chapter 26: Using the Evidence Wizard . . . . . . . . . . . . . . . . . . . . . . 257
Using the Evidence Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . 257
About Associating People with Evidence. . . . . . . . . . . . . . . . . . . . . . 259
Using the CSV Import Method for Importing Evidence . . . . . . . . . . . . . . 259
Using the Immediate Children Method for Importing . . . . . . . . . . . . . . . 261
Adding Evidence to a Project Using the Evidence Wizard . . . . . . . . . . . . . 263
Evidence Time Zone Setting. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265
Chapter 27: Importing Evidence . . . . . . . . . . . . . . . . . . . . . . . . . 266
About Importing Evidence Using Import . . . . . . . . . . . . . . . . . . . . 266
About Mapping Field Values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266
Importing Evidence into a Project . . . . . . . . . . . . . . . . . . . . . . . 267
Chapter 28: Data Loading Requirements . . . . . . . . . . . . . . . . . . . . . . 269
Document Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
Images . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
Full-Text or OCR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270
DII Load File Format for Image/OCR . . . . . . . . . . . . . . . . . . . . . . . . 270
Email & eDocs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
Coding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
Related Documents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277
Transcripts and Exhibits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
Transcripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
Exhibits. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
Work Product . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
Sample DII Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
eDoc DII Load Files. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
eMail DII Load Files. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
DII Tokens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285
Chapter 29: Analyzing Document Content . . . . . . . . . . . . . . . . . . . . . 289
Using Cluster Analysis. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
About Cluster Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
Filtering Documents by Cluster Topic . . . . . . . . . . . . . . . . . . . . . . . . 290
Using Entity Extraction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
About Entity Extraction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
Enabling Entity Extraction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
Viewing Entity Extraction Data. . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
Chapter 30: Editing Evidence . . . . . . . . . . . . . . . . . . . . . . . . . . 295
Editing Evidence Items in the Evidence Tab. . . . . . . . . . . . . . . . . . 295
Evidence Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
Part 6: Using Lit Holds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298
Chapter 31: Using Litigation Holds . . . . . . . . . . . . . . . . . . . . . . . 299
About Litigation Holds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
About Lit Hold Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300
Basic Workflow of Litigation Holds . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
Process for Using Litigation Holds . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302
Configuring the System for Litigation Holds . . . . . . . . . . . . . . . . . . 302
Configuring IIS for Lit Holds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302
Configuring Application Email Settings . . . . . . . . . . . . . . . . . . . . . . . 303
Configuring User Roles and Permissions for Lit Holds . . . . . . . . . . . . . . 303
Configuring Projects and Custodians . . . . . . . . . . . . . . . . . . . . . . . . 305
Configuring Litigation Hold Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . 306
Configuring Lit Hold General Settings . . . . . . . . . . . . . . . . . . . . . . . 306
Configuring IT Staff . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
Configuring LitHold Email Templates . . . . . . . . . . . . . . . . . . . . . . . . 309
Configuring Lit Hold Interview Templates. . . . . . . . . . . . . . . . . . . . . . 311
Configuring Lit Hold Custom Properties . . . . . . . . . . . . . . . . . . . . . . 315
Creating a Litigation Hold . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317
General Info Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317
Approval Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
IT Staff Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319
People Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319
Email Notifications Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320
Documents Options. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
Interview Questions Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324
Managing Litigation Holds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
Using the Lit Hold Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
Editing a Litigation Hold . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327
Deactivating and Activating a Litigation Hold. . . . . . . . . . . . . . . . . . . . 327
Deleting a Litigation Hold. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328
Resubmitting a Litigation Hold . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328
Viewing Information About Holds . . . . . . . . . . . . . . . . . . . . . . . . . . 330
Viewing the Overall Status of a Litigation Hold. . . . . . . . . . . . . . . . . . . 330
About the Approvals Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 330
About the Hold Event Log for a Litigation Hold . . . . . . . . . . . . . . . . . . 331
About the Email Distribution History of a Litigation Hold . . . . . . . . . . . . . 331
About Lit Hold Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331
Searching Litigation Holds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332
Using Lit Hold Dashboard Widgets . . . . . . . . . . . . . . . . . . . . . . 333
Chapter 32: Using the Dashboard . . . . . . . . . . . . . . . . . . . . . . . . . 334
About the Dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334
Configuring Dashboard Widgets. . . . . . . . . . . . . . . . . . . . . . . . 336
The Filter Case Chart Results Pane . . . . . . . . . . . . . . . . . . . . . . . . 336
Part 7: Configuring and Using the Multi-Tenant Environment . . . . . . . . . . . 337
Chapter 33: Understanding the Multi-Tenant Environment . . . . . . . . . . . . . 338
About the Summation Multi-Tenant Environment . . . . . . . . . . . . . . . 338
About SubAdmins. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
About Permissions and Security Within a SubAdmin Environment . . . . . . . 339
About Application Features Not Available in SubAdmin Environments. . . . . . 340
About Creating Projects in SubAdmin Environments. . . . . . . . . . . . . . . . . 342
About Creating Projects in a SubAdmin Environment. . . . . . . . . . . . . . . 342
Chapter 34: Administrating a Multi-Tenant Environment . . . . . . . . . . . . . . 343
Enabling the Multi-tenant Login Page . . . . . . . . . . . . . . . . . . . . . 343
Creating and Managing SubAdmins . . . . . . . . . . . . . . . . . . . . . . 344
Creating SubAdmins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 344
Viewing and Managing SubAdmins, Users, and User Groups . . . . . . . . . . . 347
Viewing SubAdmins and SubAdmin Users . . . . . . . . . . . . . . . . . . . . . 347
Viewing SubAdmin User Groups . . . . . . . . . . . . . . . . . . . . . . . . . . 348
Creating and Managing Projects in SubAdmin Environments . . . . . . . . . . . 349
Creating Projects in SubAdmin Environments . . . . . . . . . . . . . . . . . . . 349
Managing Projects in SubAdmin Environments . . . . . . . . . . . . . . . . . . 349
Chapter 35: Using the Multi-Tenant Environment . . . . . . . . . . . . . . . . . 351
About Using the Multi-Tenant Environment . . . . . . . . . . . . . . . . . . 351
Performing SubAdmin Tasks. . . . . . . . . . . . . . . . . . . . . . . . . . 351
Accessing the Summation Web-Based Console. . . . . . . . . . . . . . . . . . 351
Creating Your Own SubAdmin Account. . . . . . . . . . . . . . . . . . . . . . . 352
Logging in as a SubAdmin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353
Introduction to the SubAdmin’s User Interface. . . . . . . . . . . . . . . . . . . 353
SubAdmins Creating Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
SubAdmins Creating User Groups . . . . . . . . . . . . . . . . . . . . . . . . . 354
SubAdmins Creating and Managing Projects . . . . . . . . . . . . . . . . . . . 354
SubAdmin Using LawDrop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
SubAdmin Performing Exports. . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
Performing User Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355
Users Logging into a Summation SubAdmin Environment . . . . . . . . . . . . 355
Using the Home Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355
Using Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355
Using LawDrop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356
Part 8: Configuring and Using LawDrop . . . . . . . . . . . . . . . . . . . . . . 357
Chapter 36: Understanding LawDrop™ . . . . . . . . . . . . . . . . . . . . . . . 358
About LawDrop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358
Chapter 37: Administrating LawDrop™ . . . . . . . . . . . . . . . . . . . . . . . 360
About Administrating LawDrop . . . . . . . . . . . . . . . . . . . . . . . . 360
About the LawDrop File Storage Folder Structure . . . . . . . . . . . . . . . . . 360
Configuring the System for Using LawDrop . . . . . . . . . . . . . . . . . . 361
Configuring the LawDrop DropSpace Folder. . . . . . . . . . . . . . . . . . . . 361
Configuring the System To Share LawDrop Files with External Users . . . . . 362
Chapter 38: Using LawDrop™ . . . . . . . . . . . . . . . . . . . . . . . . . . . 365
Getting Started with LawDrop . . . . . . . . . . . . . . . . . . . . . . . . . 365
About the LawDrop Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 366
Creating and Deleting Sub-Folders in LawDrop. . . . . . . . . . . . . . . . . . . . 368
Dropping and Uploading Files to LawDrop . . . . . . . . . . . . . . . . . . . . . . . 369
About Dropping and Uploading Files . . . . . . . . . . . . . . . . . . . . . . . . 369
About Dropping and Uploading Folders . . . . . . . . . . . . . . . . . . . . . . 369
Dropping Files into the File Upload Queue. . . . . . . . . . . . . . . . . . . . . 369
Uploading and Managing Files in the File Upload Queue . . . . . . . . . . . . 370
Viewing and Managing Uploaded Files . . . . . . . . . . . . . . . . . . . . . . . . . 371
Using the Item List Grid . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
Moving and Copying Uploaded Items. . . . . . . . . . . . . . . . . . . . . . . . 372
Performing Actions on LawDrop Items . . . . . . . . . . . . . . . . . . . . . . . 373
Sharing Files and Folders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 375
About Sharing Files and Folders . . . . . . . . . . . . . . . . . . . . . . . . . . 375
Sharing Files and Folders with other Application Users. . . . . . . . . . . . . . 375
Sharing Files and Folders with External People . . . . . . . . . . . . . . . . . . 376
Unsharing Files and Folders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377
Adding Evidence to Projects Using LawDrop . . . . . . . . . . . . . . . . . . . . . 378
About Adding Evidence to Projects Using LawDrop. . . . . . . . . . . . . . . . 378
Exporting Files to LawDrop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380
Viewing Exported Files in LawDrop . . . . . . . . . . . . . . . . . . . . . . . . . 380
Part 9: Reference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381
Chapter 39: Installing the AccessData Elasticsearch Windows Service . . . . . . 382
About the Elasticsearch Service . . . . . . . . . . . . . . . . . . . . . . . . 382
Prerequisites. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382
Installing the Elasticsearch Service . . . . . . . . . . . . . . . . . . . . . . 383
Installing the Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
Troubleshooting the AccessData Elasticsearch Windows Service. . . . . . . . 384
Chapter 40: Integrating with AccessData Forensics Products . . . . . . . . . . . 385
Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 386
Managing User Accounts and Permissions Between FTK and Summation/eDiscovery . . . 386
Creating and Viewing Projects. . . . . . . . . . . . . . . . . . . . . . . . . 386
Managing Evidence in FTK . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 386
Reviewing Evidence in FTK . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387
Reviewing FTK Data in Summation . . . . . . . . . . . . . . . . . . . . . . . . . 388
Known Issues with FTK Compatibility . . . . . . . . . . . . . . . . . . . . . 389
Part 1: Introducing the Summation Admin Guide
This Summation Admin Guide provides information about administrating AccessData Summation and includes
the following parts and chapters:
- Introducing Summation (page 21)
- Introduction to Application Management (page 23)
- Getting Started (page 24)
- Administrating Summation (page 44)
- Configuring Data Sources (page 136)
- Managing Projects (page 146)
- Loading Summation Data (page 255)
- Using Lit Holds (page 298)
- Configuring and Using the Multi-Tenant Environment (page 337)
- Configuring and Using LawDrop (page 357)
- Reference (page 381)
For information on using Project Review, see the Summation Reviewer Guide that can be downloaded from
http://summation.accessdata.com.
Chapter 1: Introducing Summation
About AccessData Summation
AD Summation helps you review documents, electronic data, and transcripts in a web-based console. You can
cull and filter the data in a particular project and search for specific terms. The collected evidence can then be
processed, reviewed, and exported.
The resulting production set can then be exported into an AD1 format, or into a variety of load file formats such
as Concordance, Summation, EDRM, Introspect, and iConect. You can also export native files.
About the Audience for this Guide
This product is intended for use in gathering and processing electronically stored evidence for criminal, civil, and
internal corporate projects.
The audience for this forensic investigation software tool includes legal personnel, as well as corporate security
and IT professionals who need to access and evaluate the evidentiary value of files, folders, computers, and
other electronic data sources. They should be well-versed in the eDiscovery process. They should also have a
good understanding of Chain of Custody and the implications of running the AD Summation process within an
organization. They should also have the following competencies when using this software:
- Basic knowledge of and training in forensic policies and procedures
- Familiarity with the fundamentals of collecting digital evidence and ensuring the legal validity of the evidence
- Understanding of forensic images and how to acquire forensically sound images
- Experience with project studies and reports
For information about administrating Summation, see the Summation Admin Guide.
For information about new features, fixed issues, and known issues, see the Summation Release Notes.
You can download the Admin Guide and Release Notes from the Help/Documentation link. See User Actions on
page 36.
Summation Features
PROCESSING
- Process 700+ data types and associated metadata while maintaining chain of custody
- Distributed processing that harnesses current hardware technology for unmatched speeds
- Automatically identifies and categorizes data, even encrypted files
- De-duplicate email and ESI across the matter or for a specific custodian, de-NIST and OCR
EARLY PROJECT ASSESSMENT/FIRST PASS REVIEW
- Cull data by custodian, data source, document metadata and type
- Advanced email threading and analytics
- Advanced search with hundreds of unique data filters
- Custom tagging and bookmarking
- Export to all industry standard load files and EDRM XML
FINAL REVIEW AND PRODUCTION
- Next Generation E-Discovery Review Features
  - Integrated Technology Assisted Review (“TAR” or “Predictive Coding”)
  - Integrated visualization module with graphic representation of project data relationships and custodian communication patterns
  - Advanced search, including concept and ‘4D’
  - Web based with multi-user, multi-site support
  - Email threading, related documents, document family views, and linking
  - New issue coding & tagging panel with customized radio buttons and pick lists
  - Redact in near native view with word boundary support
- Classic Summation Functionality
  - Native Concordance database migration for direct loading into Summation
  - Transcript review with Real Time, notes, color highlighting and reporting
  - Production tools including Bates stamping, burned-in redactions and production history
  - Offline, mobile capability – take project offline, work on it, then sync up later
Recommended Hardware Specifications
For the recommended hardware specifications, see the Specifications tab on the following Web page:
http://www.accessdata.com/products/ediscovery-litigation-support/summation
Chapter 2: Introduction to Application Management
This chapter is designed to help application administrators perform management tasks. Application
administration tasks are performed on the Management page. Administrators can perform their tasks as long as
they have been granted the correct permissions.
See About User Roles and Permissions on page 47.
Workflows for Administrators
Administrators and managers configure and manage the global application environment.
Before creating and reviewing projects, you should review and perform the following tasks for configuring the
application.
At regular intervals, administrators should perform the following tasks to manage the overall system health and
performance of the application.
Most of these administrative tasks are performed in the web console on the Management page.
Workflow for Configuring the Application

Step | Task | Link to the Tasks
1 | Decide which authentication mode to use | See Opening the AccessData Web Console on page 26.
2 | Manage users, groups, and roles | See Planning User Roles on page 48. See Managing Users on page 57. See Configuring and Managing User Groups on page 64.
3 | Configure default project settings | See Configuring Default Project Settings on page 75.

Workflow for Managing the Application

Step | Task | Link to the tasks
1 | Monitor system activity using logs | See Viewing the System Log or Activity Log on page 84.
2 | Monitor the performance of the Distribution Server and the Work Managers | See on page 78.
Chapter 3: Getting Started
Terminology
Features and technology are shared across the multiple applications. To provide greater compatibility between
products, some terminology in the user interface and documentation has been consolidated. The following table
lists the common terminology:
Terminology Changes

Previous Term | New Term
Case | Project
Custodian | Person
Custodians | People
System Console | Work Manager Console
Security Log | Activity Log
Audit Log | User Review Activity
About the AccessData Web Console
The application displays the AccessData web-based console that you can open from any computer connected to
the network.
All users are required to enter a username and password to open the console.
What you can see and do in the application depends on your product license and the rights and permissions
granted to you by the administrator. You may have limited privileges based on the work you do.
See About User Accounts on page 26.
Note: As with many applications that you run in a browser, do not click the browser’s Back button. Use the menus
and buttons to navigate in the console.
Web Console Requirements
Software Requirements
The following are required for using the features in the web console:
- Windows-based PC running the Internet Explorer web browser:
  - Internet Explorer 9 or higher is required for full functionality of most features.
  - Internet Explorer 10 or higher is required for full functionality of all features. (Some new features use HTML5, which requires version 10 or higher.)
  Note: If you have issues with the interface displaying correctly, view the application in compatibility view for Internet Explorer.
  The console may be opened using other browsers but will not be fully functional.
- Internet Explorer Browser Add-on Components
  - Microsoft Silverlight--Required for the console.
  - Adobe Flash Player--Required for imaging documents in Project Review.
- AccessData console components
  - AD NativeViewer--Required for viewing documents in the Alternate File Viewer in Project Review. Includes Oracle OutsideX32.
  - AD Bulk Print Local--Required for printing multiple records using Bulk Printing in Project Review.
To use these features, install the associated applications on each user’s computer.
See Installing the Browser Components on page 28.
Hardware Recommendations
- Use a display resolution of 1280 x 1024 or higher.
- Press F11 to display the console in full-screen mode and maximize the viewing area.
About User Accounts
Each user that uses the web console must log in with a user account. Each account has a username and
password. Administrators configure the user accounts.
User accounts are granted permissions based on the tasks those users perform. For example, one account may
have permissions to create and manage projects while another account has permissions only to review files in a
project.
Your permissions determine which items you see and the actions you can perform in the web console.
There is a default Administrator account.
User Account Types
Depending on how the application is configured, your account may be either an Integrated Windows
Authentication account or a local application account.
The type of account that you have will affect a few elements in the web interface. For example, if you use an
Integrated Windows Authentication account, you cannot change your password within the console. However,
you can change your password within the console if you are using an application user account.
Opening the AccessData Web Console
You use the AccessData web console to perform application tasks.
See About the AccessData Web Console on page 25.
You can launch the console from an approved web browser on any computer that is connected to the application
server on the network.
See Web Console Requirements on page 25.
To start the console, you need to know the IP address or the host name of the computer on which the application
server is installed.
When you first access the console, you are prompted to log in. Your administrator will provide you with your
username and password.
To open the web console
1. Open Internet Explorer.
Note: Internet Explorer 7 or higher is required to use the web console for full functionality. Internet
Explorer 10 or 11 is recommended.
2. Enter the following URL in the browser’s address field:
https://<host_name>/ADG.map.Web/
where <host_name> is the host name or the IP address of the application server.
This opens the login page.
You can save this web page as a favorite.
3. One of two login pages displays:
If you are using Integrated Windows Authentication, the following login page displays.
[Figure: Integrated Windows Authentication Page]
Note: If you are using Integrated Windows Authentication and are not on the domain, you will see a
Windows login prompt.
If you are not using Integrated Windows Authentication, the login page displays the product name and
version for the product license that your organization is using and provides fields for your username and
password.
Non-Integrated Windows Authentication Login
4. On the login page, enter the username and password for your account.
If you are logging in as the administrator for the very first time and have not enabled Integrated Windows
Authentication, enter the pre-set default user name and password. Contact your technical support or
sales representative for login information.
5. Click Sign In.
If you are authenticated, the application console displays.
If you cannot log in, contact your administrator.
6. The first time the web console is opened on a computer, you may be prompted to install the following
plug-ins:
-Microsoft Silverlight
-Adobe Flash Player
-AD Alternate File Viewer (Native Viewer)
-AD Bulk Print Local
Download the plug-ins. When a pop-up from Internet Explorer displays asking to run or download the
executable, click Run. Complete the install wizard to finish installing the plug-in.
See Web Console Requirements on page 25.
See Installing Browser Components Manually on page 30.
Installing the Browser Components
To use all of the features of the web console, each computer that runs the web console must have Internet
Explorer and the following add-ons:
-Microsoft Silverlight--Required for the console.
-Adobe Flash Player--Required for imaging documents in Project Review.
-AccessData Alternate File Viewer (Native Viewer)--Required for imaging documents in Project Review.
This includes the Oracle OutsideX32 plug-in.
-AccessData Local Bulk Print--Required for printing multiple records using Bulk Printing in Project Review.
Important:
Each computer that runs the console must install the required browser components. The installations
require Windows administrator rights on the computer.
Upon first login, the web console will detect if the workstation's browser does not have the required versions of
the add-ons and will prompt you to download and install the add-ons.
See Installing Components through the Browser on page 28.
See Installing Browser Components Manually on page 30.
Installing Components through the Browser
Microsoft Silverlight
To install Silverlight
1. If you need to install Silverlight, click Click now to install in the Silverlight plug-in window.
2. Click Run in the accompanying security prompts.
3. On the Install Silverlight dialog, click Install Now.
When the Silverlight installer completes, on the Installation successful dialog, click Close.
If the web browser does not display the AD logo and then the console, refresh the browser window.
The application Main Window displays and you can install Flash Player from the plug-in installation bar.
Adobe Flash Player
To install Flash Player
1. If you need to install Flash Player, click the Flash Player icon.
2. Click Download now.
3. Click Run in the accompanying security prompts.
4. Complete the installation.
5. Refresh the browser.
Once the application is installed, you need to install the Alternate File Viewer and Local Bulk Print software. You
can find the links to download the add-ons in the dropdown in the upper right corner of the application.
AccessData Alternate File Viewer (Native Viewer)
To install the AD Alternate File Viewer (Native Viewer)
1. From the User Actions dropdown, select AD Alternate File Viewer.
2. Click RUN on the NearNativeSetup.exe prompt.
3. Click Next on the InstallShield Wizard dialog.
4. Click Next on the Custom Setup dialog.
5. Click Install on the Ready to Install the Program dialog.
6. Allow the installation to proceed and then click Finish.
7. Close the browser and re-log in.
8. Click Allow on the ADG.UI.Common.Document.Views.NearNativeControl prompt.
9. Refresh the browser.
AccessData Local Bulk Print
To install the Local Bulk Print add-on
1. From the User Actions dropdown, select AD Local Bulk Print.
2. Click Run at the AccessData Local Bulk Print.exe prompt in Internet Explorer.
3. In the InstallShield Wizard dialog, click Next.
4. Accept the license terms and click Next.
5. Accept the default location in the Choose Destination Location dialog and click Next.
6. Click Install on the Ready to Install the Program dialog.
7. Click Finish.
Installing Browser Components Manually
You can use EXE files to install the components outside of the browser. You can run these locally or use
software management tools to install them remotely.
Installing AD Alternate File Viewer
To install the Alternate File Viewer add-on, navigate to the following path on the server:
C:\Program Files (x86)\AccessData\MAP\NearNativeSetup.exe
To install the AD Alternate File Viewer add-on
1. Run the NearNativeSetup.MSI file.
2. Click Next on the InstallShield Wizard dialog.
3. Click Next on the Custom Setup dialog.
4. Click Install on the Ready to Install the Program dialog.
5. Allow the installation to proceed and then click Finish.
Installing the Local Bulk Print Tool
To install the Local Bulk Print tool, navigate to the following path on the server:
C:\Program Files (x86)\AccessData\MAP\AccessDataBulkPrintLocal.exe
To install the Local Bulk Print add-on
1. Run the AccessDataBulkPrintLocal.exe. The wizard should appear.
2. Click Next to begin.
3. Click Next on the Select Installation Folder dialog.
4. Click Next. After the installation is complete, click Close.
Installing Adobe Flash Player
Visit http://get.adobe.com/flashplayer/ and follow the prompts to install Flash Player.
Introducing the Web Console
The user interface for the application is the AccessData web console. The console includes different tabs and
elements.
The items that display in the console are determined by the following:
-Your application’s license
-Your user permissions
The main elements of the application are listed in the following table. Depending on the license that you own and
the permissions that you have, you will see some or all of the following:
Component | Description
Navigation bar | This lets you open multiple pages in the console.
Home page | The Home page lets you create, view, manage, and review projects based on the permissions that you have. This is the default page when you open the console. See Using the Project Management Home Page on page 149.
Dashboard | (Available in eDiscovery or with a special Litigation Hold license.) The Dashboard allows you to view important event information in an easy-to-read visual interface. See Using the Dashboard on page 334.
Data Sources | The Data Sources tab lets you manage people, computers, network shares, evidence, as well as several different connectors. This tab allows you to manage these data sources throughout the system, not just by project. See About Data Sources on page 110.
Lit Hold | (Available in eDiscovery or with a special Litigation Hold license.) The Lit Hold tab lets you create and manage litigation holds. See Using Litigation Holds on page 299.
Management (gear icon) | The Management page lets administrators perform global management tasks. See Opening the Management Page on page 45.
User Actions | Actions specific to the logged-in user that affect the user’s account. See User Actions on page 36.
Project Review | The Project Review page lets you analyze, filter, code and label documents for a selected project. You access Project Review from the Home page. See the Reviewer Guide for more information on Project Review. You can download the Reviewer Guide from the Help/Documentation link. See User Actions on page 36.
The Project List Panel
The Home page includes the Project List panel. The Project List panel is the default view after logging in. Users
can view only the projects that they have created or for which they have been given permissions.
Administrators and users, given the correct permissions, can use the project list to do the following:
-Create projects.
-View a list of existing projects.
-Add evidence to a project.
-Launch Project Review.
If you are not an administrator, you will only see either the projects that you created or projects to which you
were granted permissions.
The following table lists the elements of the project list. Some items may not be visible depending on your
permissions.
Elements of the Project List
Element | Description
Create New Project | Click to create a new project. See Creating a Project on page 163.
Filter Options | Allows you to search and filter all of the projects in the project list. You can filter the list based on any number of fields associated with the project, including, but not limited to the project name. See Filtering Content in Lists and Grids on page 41.
Filter Enabled | Displayed if you have enabled a filter.
Project Name Column | Lists the names of all the projects to which the logged-in user has permissions.
Action Column | Allows you to add evidence to a project or enter Project Review. Add Data: Allows you to add data to the selected project. Project Review: Allows you to review the project using Project Review. See the Reviewer Guide for more information on using Project Review. You can download the Reviewer Guide from the Help/Documentation link. See Changing Your Password on page 37.
Processing Status Column | Lists the status of the projects: Not Started - The project has been created but no evidence has been added. Processing - Evidence has been added and is still being processed. Completed - Evidence has been added and processed. Note: When processing a small set of evidence, the Processing Status may show a delay of two minutes behind the actual processing of the evidence. You may need to refresh the list to see the current status. See Refresh below.
Size Column | Lists the size of the data within the project.
Page Size drop-down | Allows you to select how many projects to display in the list. The total number of projects that you have permissions to see is displayed.
Total | Lists the total number of projects displayed in the Project List.
Page | Allows you to view another page of projects.
Refresh | If you create a new project, or make changes to the list, you may need to refresh the project list.
Delete | Select one or more projects and click Delete Project to delete them from the Project List.
Project Property Cloning | Clone the properties of an existing project to another project. You can apply a single project’s properties to another project, or you can pick and choose properties from multiple individual projects to apply to a single project. See Using Project Properties Cloning on page 176.
Custom Properties | Add, edit, and delete custom columns that will be listed in the Project list panel. When you create a project, this additional column will be listed in the project creation dialog. See Adding Custom Properties on page 156.
Export to CSV | Export the Project list to a .CSV file. You can save the file and open it in a spreadsheet program.
Columns | Add or remove viewable columns in the Project List.
User Actions
Once in the web console, you can perform user actions that are specific to you as the logged-in user. You access
the options by clicking on the logged-in user name in the top right corner of the console.
User Actions
Link | Description
Logged-on user | The username of the logged-on user is displayed; for example, administrator.
Change password | Lets the logged-on user change their password. See Changing Your Password on page 37. Note: This function is hidden if you are using Integrated Windows Authentication.
Help/Documentation | Lets you access the latest version of the Release Notes and User Guide. The files are in PDF format and are contained in a ZIP file that you can download.
Manage My Notifications | Lets you manage the notifications that you have created and that you belong to. See About Managing Notifications for a Job on page 457. You can delete notifications, export the notifications list to a CSV file, and filter the notifications with the Filter Options. See Filtering Content in Lists and Grids on page 41.
Download Alternate File Viewer | Lets you download the Alternate File Viewer application. See AccessData Alternate File Viewer (Native Viewer) on page 29.
Download Local Bulk Print software | Lets you access the latest version of the Local Bulk Print software. See AccessData Local Bulk Print on page 30.
Logout | Logs you off and returns you to the login page. Note: This function is hidden if you are using Integrated Windows Authentication.
Changing Your Password
Note: This function is hidden if you are using Integrated Windows Authentication. You must change your
password using Windows.
Any logged-in user can change their password. You may want to change your password for one of the following
reasons:
-You are changing a default password after you log in for the first time.
-You are changing your password on a schedule, such as quarterly.
-You are changing your password after having a password reset.
To change your own password
1. Log in using your username and current password.
See To open the web console on page 26.
2. In the upper right corner of the console, click your logged-in username.
3. Click Change Password.
Change User Password
4. In the Change User Password dialog, enter the current password and then enter and confirm the new
password in the respective fields. The following are password requirements:
-The password must be between 7 - 50 characters.
-At least one Alpha character.
-At least one non-alphanumeric character.
5. Click OK.
Using Elements of the Web Console
Maximizing the Web Console Viewing Area
You can press F11 to enable or disable the console in full-screen mode.
About Content in Lists and Grids
Many objects within the console are made up of lists and grids. Many elements in the lists and grids recur in the
panels, tabs, and panes within the interface. The following sections describe these recurring elements.
You can manage how the content is displayed in the grids.
-See Refreshing the Contents in List and Grids on page 38.
-See Managing Columns in Lists and Grids on page 39.
-See Sorting by Columns on page 38.
-See Filtering Content in Lists and Grids on page 41.
-See Changing Your Password on page 37.
Refreshing the Contents in List and Grids
There may be times when the list you are looking at is not dynamically updated. You can refresh the contents by
clicking .
Sorting by Columns
You can sort grids by most columns.
Note: You can set a default column to sort by when you create a project or in the Project Details pane. The
default is ObjectID.
To sort a grid by columns
1. Click the column head to sort by that column in an ascending order.
A sort indicator (an up or down arrow) is displayed.
2. Click it a second time to sort by descending order.
3. Click Search Options > Clear Search to return to the default column.
Sorting By Multiple Columns
In the Item List in Project Review, you can also sort by multiple columns. For example, you can do a primary sort
by file type, and then do a second sort by file size, then a third sort by accessed date.
To sort a grid by columns
1. Click the column head to sort by that column in an ascending order.
A sort indicator (an up or down arrow) is displayed.
2. Click it a second time to sort by descending order.
3. In the Item List in Project Review, to perform a secondary search on another column, hold Shift+Alt keys
and click another column.
A sort indicator is displayed for that column as well.
4. You can repeat this for multiple columns.
Moving Columns in a Grid View
You can rearrange columns in a Grid view in any order you want. Some columns have pre-set default positions.
Column widths are also sizable.
To move columns
In the Grid view, click and drag columns to the position you want them.
Managing Columns in Lists and Grids
You can select the columns that you want visible in the Grid view. Project managers can create custom columns
in the Custom Fields tab on the Home page.
See Configuring Custom Fields on page 213.
For additional information on using columns, see Using Columns in the Item List Panel in the Reviewer Guide.
To manage columns
1. In the grid, click Columns.
2. In the Manage Columns dialog, there are two lists:
-Available Columns
Lists all of the Columns that are available to display. They are listed in alphabetical order.
If the column is configured to be in the Visible Columns, it has a .
If the column is not configured to be in the Visible Columns, it has a .
If the column is a non-changeable column (for example, the Action column in the Project List), it has
a .
-Visible Columns
Lists all of the Columns that are displayed. They are listed in the order in which they appear.
Manage Columns Dialog
3. To configure columns to be visible, in the Available Columns list, click the for the column you want
visible.
4. To configure columns to not be visible, in the Visible Columns list, click the for the column you want
not visible.
5. To change the display order of the columns, in the Visible Columns list, select a column name and click
or to change the position.
6. Click OK.
Managing the Grid’s Pages
When a list or grid has many items, you can configure how many items are displayed at one time on a page. This
is helpful for customizing your view based on your display size and resolution and whether or not you want to
scroll in a list.
To configure page size
1. Below a list, click the Page Size drop-down menu.
2. Select the number of items to display in one page.
3. Use the arrows by Page n of n to view the different pages.
Filtering Content in Lists and Grids
When a list or grid has many items, you can use a filter to display a portion of the list. Depending on the data you
are viewing, you have different properties that you can filter for.
For example, when looking at the Activity Log, there could be hundreds of items. You may want to view only the
items that pertain to a certain user. You can create a filter that will only display items that include references to
the user.
For example, you could create the following filter:
Activity contains BSmith
This would include activities that pertain to the BSmith user account, such as when the account was created and
permissions for that user were configured.
You could add a second filter:
Activity contains BSmith
OR Username = BSmith
This would include the activities performed by BSmith, such as each time she logged in or created a project.
In this example, because an OR was used instead of an AND, both sets of results are displayed.
You can add as many filters as needed to see the results that you need.
To use filters
1. Above the list, click Filter Options.
This opens the filter tool.
Filter Options
2. Use the Property drop-down to select a property on which to filter.
This list will depend on the page that you are on and the data that you are viewing.
3. Use the Operator drop-down to select an operator to use.
See Filter Operators on page 42.
4. Use the Value field to enter the value on which you want to filter.
See Filter Value Options on page 43.
5. Click Apply.
The results of the filter are displayed.
Once a filter has been applied, the text Filter Enabled is displayed in the upper-right corner of the panel.
This is to remind you that a filter is applied and is affecting the list of items.
6. To further refine the results, you can add additional filters by clicking Add.
7. When adding additional filters, be careful to properly select And/Or.
If you select And, all filters must be true to display a result. If you select OR, all of the results for each
filter will be displayed.
8. After configuring your filters, click Apply.
9. To remove a single filter, click Delete.
10. To remove all filters, click Disable or Clear All.
11. To hide the filter tool, click Filter Options.
Filter Operators
The following table lists the possible operators that can be found in the filter options. The operators available
depend upon what property is selected.
Filter Operators
Operator | Description
= | Searches for a value that equals the property selected. This operator is available for almost all value filtering and is the default value.
!= | Searches for a value that does not equal the property selected. This operator is available for almost all value filtering.
> | Searches for a value that is greater than the property selected. This operator is available for numerical value filtering.
< | Searches for a value that is less than the property selected. This operator is available for numerical value filtering.
>= | Searches for a value that is greater than and/or equal to the property selected. This operator is available for numerical value filtering.
<= | Searches for a value that is less than and/or equal to the property selected. This operator is available for numerical value filtering.
Contains | Searches for a text string that contains the value that you have entered in the value field. This operator is available for text string filtering.
StartsWith | Searches for a text string that starts with the value that you have entered in the value field. This operator is available for text string filtering.
EndsWith | Searches for a text string that ends with a value that you have entered in the value field. This operator is available for text string filtering.
Filter Value Options
The following table lists the possible value options that can be found in the filter options. The value options
available depend upon what property is selected.
Filter Value Options
Value Option | Description
Blank field | This value allows you to enter a specific item that you can search for. The Description property is an example of a property where the value is a blank field.
Date value | This value allows you to enter a specific date that you can search for. You can enter the date in a m/d/yy format or you can pick a date from a calendar. The Creation Date property is an example of a property where the value is entered as a date value.
Pulldown | This value allows you to select from a pulldown list of specific values. The pulldown choices are dependent upon the property selected. The Priority property with the choices High, Low, Normal, Urgent is an example of a property where the value is chosen from a pulldown.
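How the And/Or choice changes what an audit of one account shows can be made concrete. The following Python example is added here and is not AccessData code: it models the Property/Operator/Value rows with the operators from the Filter Operators table and runs the BSmith filters over constructed Activity Log entries. Assumptions: the entry fields and values are invented, text comparison ignores case, and filter rows are combined left to right in the order they were added (the guide documents neither behavior).

```python
from dataclasses import dataclass
from datetime import date

# Operators named in the Filter Operators table.
OPERATORS = {
    "=": lambda field, value: field == value,
    "!=": lambda field, value: field != value,
    ">": lambda field, value: field > value,
    "<": lambda field, value: field < value,
    ">=": lambda field, value: field >= value,
    "<=": lambda field, value: field <= value,
    "Contains": lambda field, value: value in field,
    "StartsWith": lambda field, value: field.startswith(value),
    "EndsWith": lambda field, value: field.endswith(value),
}
TEXT_OPERATORS = {"Contains", "StartsWith", "EndsWith"}


def _norm(value):
    # Assumption: text comparison ignores case; the guide does not say either way.
    return value.casefold() if isinstance(value, str) else value


@dataclass(frozen=True)
class Filter:
    prop: str            # Property drop-down
    op: str              # Operator drop-down
    value: object        # Value field
    join: str = "And"    # And/Or against the rows above; unused on the first row

    def matches(self, entry):
        if self.op not in OPERATORS:
            raise ValueError(f"unknown operator: {self.op}")
        field, value = _norm(entry[self.prop]), _norm(self.value)
        if self.op in TEXT_OPERATORS and not isinstance(field, str):
            raise TypeError(f"{self.op} applies to text properties only")
        return OPERATORS[self.op](field, value)


def apply_filters(entries, filters):
    """Return the entries that the filter rows would leave visible.

    Assumption: rows are combined left to right in the order they were added.
    """
    visible = []
    for entry in entries:
        keep = True
        for index, flt in enumerate(filters):
            hit = flt.matches(entry)
            if index == 0:
                keep = hit
            elif flt.join == "Or":
                keep = keep or hit
            else:
                keep = keep and hit
        if keep:
            visible.append(entry)
    return visible


# Constructed Activity Log entries (not real product output).
ACTIVITY_LOG = [
    {"id": 1, "Date": date(2016, 3, 1), "Username": "administrator", "Activity": "Created user BSmith"},
    {"id": 2, "Date": date(2016, 3, 1), "Username": "administrator", "Activity": "Assigned role Power User to BSmith"},
    {"id": 3, "Date": date(2016, 3, 2), "Username": "BSmith", "Activity": "Logged in"},
    {"id": 4, "Date": date(2016, 3, 2), "Username": "BSmith", "Activity": "Created project Acme v. Doe"},
    {"id": 5, "Date": date(2016, 3, 2), "Username": "JDoe", "Activity": "Logged in"},
    {"id": 6, "Date": date(2016, 3, 3), "Username": "JDoe", "Activity": "Reset password for BSmith"},
    {"id": 7, "Date": date(2016, 3, 4), "Username": "BSmith", "Activity": "Changed password for BSmith"},
]

ABOUT = Filter("Activity", "Contains", "BSmith")           # actions taken on the account
BY_OR = Filter("Username", "=", "BSmith", join="Or")       # plus actions taken by the account
BY_AND = Filter("Username", "=", "BSmith", join="And")     # only actions by the account on itself
SINCE = Filter("Date", ">=", date(2016, 3, 3), join="And")


def ids(entries):
    return [entry["id"] for entry in entries]


if __name__ == "__main__":
    print("about BSmith:          ", ids(apply_filters(ACTIVITY_LOG, [ABOUT])))
    print("about OR by BSmith:    ", ids(apply_filters(ACTIVITY_LOG, [ABOUT, BY_OR])))
    print("about AND by BSmith:   ", ids(apply_filters(ACTIVITY_LOG, [ABOUT, BY_AND])))
    print("OR filter, since 3/3:  ", ids(apply_filters(ACTIVITY_LOG, [ABOUT, BY_OR, SINCE])))
```

With And, the same two rows hide every action that other accounts took on BSmith, which is why the connector matters when the list is used to reconstruct an account's history.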
Part 2
Administrating Summation
This part describes how to administrate Summation and includes the following sections:
-Workflows for Administrators (page 23)
-Using the Management Page (page 45)
-Configuring and Managing System Users, User Groups, and Roles (page 47)
-Configuring the System (page 68)
-Using the Work Manager Console and Logs (page 78)
-Using Language Identification (page 85)
Chapter 4
Using the Management Page
About the Management Page
Administrators manage the application through the Management page. You can manage users and user
permissions, configure aspects of the application on a global basis, and monitor activity on the system.
See Management Page on page 46.
Opening the Management Page
Administrators, and users with management permissions, use the Management page to configure and manage
the application.
To access the Management page
1. Log in to the web console as administrator or as a user with management permissions.
See Opening the AccessData Web Console on page 26.
See Managing Users on page 57.
2. In the web console, click Management.
Management Page
You can use the Management page to maintain the list of people who use the application, including their specific
usage rights and roles. From Management, you can view system and security logs.
You can also configure Active Directory, agent credentials, and a notification email server. The system administration
console area of the Management page lets you view Work Manager status.
Depending on the license that you own and the permissions that you have, you will see some or all of the
following:
Management Page Features and Options
Management Feature | Available Options
Users | See About the Users Tab on page 52. See Managing Users on page 57.
User Groups | See Configuring and Managing User Groups on page 64. See User Groups Tab on page 65.
Admin Roles | See About Admin Roles and Permissions on page 49. See Managing Admin Roles on page 55.
System Jobs | See Adding a System Job on page 69. See System Job Options on page 70.
System Configuration | See Configuring Active Directory Synchronization on page 69. See Configuring Export Options on page 77. See Configuring Default Project Settings on page 75.
Work Manager Console | See Using the Work Manager Console and Logs on page 78.
Site Server Console | See Using the Site Server Console on page 102.
System Log | See Using the System Log and Activity Log on page 82. See System Log Tab on page 82.
KFF Library | See Using KFF (Known File Filter) on page 340.
KFF Group Templates | See Using KFF (Known File Filter) on page 340.
Activity Log | See Using the System Log and Activity Log on page 82. See Activity Log Tab on page 83.
Chapter 5
Configuring and Managing System Users, User Groups, and Roles
This chapter will help administrators to configure users, user groups, and roles.
About Users
A user is any person who logs in and performs tasks in the web console. Each person should have their own
user account. You can configure accounts to have specific permissions to perform specific tasks. When users
open the console, what they see and do is based on their assigned permissions.
There are two users in the database that do not appear in the user interface. The passwords for these accounts
are strong passwords that are unique to each system:
-Administrator - This is a different user than the Application Administrator role
-eDiscoveryProcessingUser
Permissions are managed by user roles.
See Adding Users on page 58.
About User Roles and Permissions
You can assign users different permissions based on the tasks that you want them to perform. The permissions
that a user has affect the items that they see and the tasks that they can perform in the web console.
For example, you can have one group of users that can manage the whole application, another group that can
create projects, and another group that can only review files in a project.
Changes to permissions for a currently logged-in user take effect when they log out and log back in.
You assign permissions to a user by configuring roles and then associating users, or groups of users, to those
roles.
You can configure roles at the following levels:
-Admin roles
-Project roles
Admin roles provide global permissions to a user for the whole application. The following are examples of admin
permissions that you can use:
-Application Administrator
-Manage Users
-Create/Edit Projects
-Manage Admin Roles
-View the System Console
See About Admin Roles and Permissions on page 49.
Project roles only apply to a specific project. The following are examples of global permissions that you can use:
-Project Administrator (for that project only)
-Project Reviewer
-Manage Evidence
-View Project Reports
-Manage Project People
For more information, see Introduction to Project Management on page 147.
Planning User Roles
Before creating users, plan the types of roles your users will be performing. This facilitates the process of
assigning roles and permissions to users.
See Workflows for Administrators on page 23.
Possible things to consider when planning user roles:
-How many and which users should have Administrator permissions for the entire application?
-How many and which users should have application management permissions to perform tasks such as
creating and managing other users, roles, and projects?
-How do you want to distinguish between users who can create and manage projects versus those who
can only review them?
-How many and which users should have project-level permissions to perform tasks such as adding and
managing evidence and creating production sets?
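The planning questions above can be checked against what accounts actually hold once roles are assigned both directly and through groups. The following Python example is added here and is not AccessData code; the contents of the three default roles follow their descriptions in this chapter, while the user names, groups, the Evidence Team role, the plan, and the choice of which permissions count as delegating are constructed assumptions.

```python
from collections import defaultdict

# Default admin roles as this guide describes them, plus one constructed role.
ROLE_PERMISSIONS = {
    "Application Administrator": {"Administrator"},
    "Power User": {"Create/Edit Projects", "Manage User Groups", "Manage Users"},
    "Users": {"Create/Edit Projects"},
    "Evidence Team": {"Evidence Admin", "System Console"},  # constructed role
}

# Reviewer's choice (not a product setting): permissions whose descriptions say
# the holder can assign roles or change other accounts' permissions.
DELEGATING = {
    "Administrator", "Manage Users", "Manage User Groups",
    "Manage Admin Roles", "Global ID Admin", "Manage Project Permissions",
}

# Constructed assignments: roles given directly and roles inherited from groups.
USER_ROLES = {
    "administrator": ["Application Administrator"],
    "bsmith": ["Users"],
    "jdoe": ["Evidence Team"],
    "mlee": [],
}
USER_GROUPS = {"bsmith": ["Case Managers"], "mlee": ["Reviewers"]}
GROUP_ROLES = {"Case Managers": ["Power User"], "Reviewers": []}

# Constructed plan: what each account is supposed to hold.
PLAN = {
    "administrator": {"Administrator"},
    "bsmith": {"Create/Edit Projects"},
    "jdoe": {"Evidence Admin"},
    "mlee": set(),
}


def effective_permissions(user):
    """Return {permission: [sources]} from direct roles and group roles."""
    grants = defaultdict(set)
    for role in USER_ROLES.get(user, []):
        for perm in ROLE_PERMISSIONS[role]:
            grants[perm].add(f"role {role}")
    for group in USER_GROUPS.get(user, []):
        for role in GROUP_ROLES.get(group, []):
            for perm in ROLE_PERMISSIONS[role]:
                grants[perm].add(f"group {group} -> role {role}")
    return {perm: sorted(sources) for perm, sources in grants.items()}


def holders(permission, users):
    """Accounts that hold a permission; Administrator grants all rights."""
    found = []
    for user in users:
        perms = effective_permissions(user)
        if permission in perms or "Administrator" in perms:
            found.append(user)
    return sorted(found)


def unplanned_grants(user):
    """Permissions an account holds that the plan does not list, with sources."""
    planned = PLAN.get(user, set())
    if "Administrator" in planned:
        return {}
    return {perm: sources
            for perm, sources in effective_permissions(user).items()
            if perm not in planned}


def review(users):
    """Return (user, permission, sources, delegating) with delegating grants first."""
    findings = []
    for user in users:
        for perm, sources in unplanned_grants(user).items():
            findings.append((user, perm, sources, perm in DELEGATING))
    return sorted(findings, key=lambda f: (not f[3], f[0], f[1]))


if __name__ == "__main__":
    users = sorted(USER_ROLES)
    print("Administrator holders:", holders("Administrator", users))
    for user, perm, sources, delegating in review(users):
        flag = "DELEGATING" if delegating else "unplanned"
        print(f"{flag:10} {user:8} {perm:20} via {', '.join(sources)}")
```

In this constructed data, bsmith was planned as a project creator only, but membership in a group tied to the Power User role also brings Manage Users and Manage User Groups.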
About Admin Roles and Permissions
An admin role is a set of permissions that you assign to users or groups. Each admin role has specific
permissions that allow users to manage the application, such as managing users, managing roles and
permissions, and creating and managing projects.
See Admin Permissions on page 49.
You can create admin roles or assign one of the default admin roles already created in the system. There are
three default admin roles:
Admin Roles Default Roles
Role | Description
Application Administrator | This role grants all permissions to manage the application.
Power User | This role grants the user permissions for create/edit project, manage user groups, and manage users.
Users | This role grants the user permissions for create/edit project.
Creating Admin Roles
When you create an admin role, you can grant users Administrator permissions (all permissions) or grant a
combination of individual permissions.
If you want to grant permissions to a user that only allows them to review a project, then use project roles instead
of admin roles.
Note: The admin permissions available depend upon the license that you have.
Admin Permissions
You can configure admin roles with the following admin permissions:
Admin Permissions
Permissions | Description
Administrator | Grants all rights to the user/group for all projects.
SubAdmin | Grants rights as a SubAdmin in a multi-tenant environment. (Summation only) See Understanding the Multi-Tenant Environment on page 338.
Custom Selection | You can select the following individual administrator roles:
Configuring and Managing System Users, User Groups, and Roles About Admin Roles and Permissions | 50
Create/Edit Projects Grants the right to create projects.
Users with this permission are automatic administrators of any
projects that they create.
They can also view properties for all other projects on the Home
page.
See Creating a Project on page 163.
Create/Edit Projects -
Restricted Grants the rights to create projects.
However, users with this permission do not have administrator
status for the projects that they create.
Users with this permission can do the following for the projects
they create:
-Associate users to the projects they create
-Assign permissions for the projects they create
-View people and data sources for the projects they create
They can also view properties for all other projects on the Home
page.
See Creating a Project on page 163.
Delete Project Grants the right to delete projects on the Home page
See Creating a Project on page 163.
.
Manage User Groups Grants the right to add, edit, delete, and assign roles to groups.
See Planning User Roles on page 48.
Manage Users Grants the rights to add, edit, delete, activate, deactivate, reset
passwords, and assign admin roles to users.
See About Users on page 47.
See Adding Users on page 58.
See Editing the Email Address of a User on page 60.
See Deleting Users on page 62.
See Deactivating a User on page 63.
See Activating a User on page 63.
See Resetting a User’s Password on page 61.
See Associating User Groups and Admin Roles to a User on
page 59.
Create People Grants the right to create and manage People.
See Configuring and Managing System Users, User Groups,
and Roles on page 47.
Delete People Grants the right to delete People.
See Deleting Users on page 62.
Create Nodes Grants the right to create job targets.
See Managing People, Groups, Computers and Network
Shares on page 112.
Delete Nodes Grants the right to delete job targets.
See Managing People, Groups, Computers and Network
Shares on page 112.
Global ID Admin Grants the right to access and change the permissions of any
user in any project.
See Associating User Groups and Admin Roles to a User on
page 59.
Manage Project Permissions Grants the right to manage project permissions.
See Setting Project Permissions on page 194.
System Console Grants the right to view and use the Work Manager Console
and Site Server Console on the Management page.
See on page 78 and Using the Site Server Console on
page 102.
LitHold Manager Grants the right to manage Litholds.
Evidence Admin Grants the right to add, delete, and associate the evidence.
See Using the Evidence Wizard on page 257.
Manage Admin Roles Grants the right to add, edit, delete and assign admin roles.
See About Admin Roles and Permissions on page 49.
See Creating an Admin Role on page 55.
See Managing Admin Roles on page 55.
See Adding Permissions to an Admin Role on page 55.
Manage KFF Grants the right to create and manage KFF libraries, sets,
templates, and groups.
See Using KFF (Known File Filter) on page 340.
System Jobs Grants the right to view and use the System Jobs tab on the
Management page.
See Using System Jobs on page 67.
View Activity Log Grants the right to view the Activity Log on the Management
page.
See Viewing the System Log or Activity Log on page 84.
Purge Activity Log Grants the right to purge the Activity Log.
See Activity Log Tab on page 83.
Manage Job Templates Grants the right to manage the following:
-Job Templates
-Filter Templates
-System Job Templates
See Managing Templates on page 91.
About the Users Tab
The Users tab on the Management page can be used by administrators to add, edit, delete, and associate users
on a global scale. Users are people who are logging in and working in the application.
From the Users list, you can also add, edit, or delete the application’s users. You can set users as active or
inactive, reset user passwords, and set global and group permissions.
The Users tab is the default page when you click Management on the menu bar. The User Groups tab below the
Users list pane allows you to associate and remove associations to users. The Admin Roles tab below the Users
list pane identifies the admin roles that are associated with a highlighted user.
Changes to permissions for a currently logged-in user take effect after they log out of the system and log back in.
Elements of the Users Tab
Element Description
Filter Options Allows you to search and filter all of the items in the list. You can filter the list based
on any number of fields.
See Filtering Content in Lists and Grids on page 41.
Users List Displays all users. Click the column headers to sort by the column.
Refresh
Refreshes the Users list.
See Refreshing the Contents in List and Grids on page 38.
Columns
Adjusts what columns display in the Users list.
See Sorting by Columns on page 38.
Delete
Deletes the selected user. Only active when a user is selected.
See Deleting Users on page 62.
Add Users
Adds a user.
See About Users on page 47.
Edit User
Edits the selected user. You can add or change a selected user’s email address
that is used for notifications of the application’s events.
See Editing the Email Address of a User on page 60.
Delete User
Deletes the selected user(s).
See Deleting Users on page 62.
Reset a User’s Password Assigns a new password for the selected user.
See Resetting a User’s Password on page 61.
Deactivate Users
Makes selected user(s) inactive in the application.
See Deactivating a User on page 63.
Activate Users
Reactivates selected user.
See Activating a User on page 63.
User Groups Tab
Allows you to associate or disassociate groups to users.
See Associating Users/Admin Roles to a Group on page 66.
Admin Roles Tab
Allows you to associate or disassociate admin roles to users.
See Associating User Groups and Admin Roles to a User on page 59.
Add Association
Associates a user to a group or admin role.
Remove Association Disassociates a user from a group or admin role.
About the Admin Roles Tab
The Admin Roles tab on the Management page can be used to add, edit, delete, and associate admin roles.
Admin roles are a set of global permissions that you can associate with a user or a group.
Elements of the Admin Roles Tab
Element Description
Filter Options Allows you to search and filter all of the items in the list. You can filter the list
based on any number of fields.
See Filtering Content in Lists and Grids on page 41.
Admin Roles List Displays all admin roles. Click the column headers to sort by the column.
Refresh
Refreshes the Admin Roles List.
See Refreshing the Contents in List and Grids on page 38.
Columns
Adjusts what columns display in the Admin Roles List.
See Sorting by Columns on page 38.
Delete
Deletes the selected admin roles. Only active when an admin role is
selected.
See About Admin Roles and Permissions on page 49.
Add Admin Roles
Adds an admin role.
See Creating an Admin Role on page 55.
Edit Admin Roles
Edits the selected admin roles.
Delete Admin Roles
Deletes the selected admin roles.
Users Tab
Allows you to associate or disassociate users to an admin role.
Groups Tab
Allows you to associate or disassociate groups to an admin role.
Features Tab
Allows you to add administrator permissions to an admin role.
See Adding Permissions to an Admin Role on page 55.
Managing Admin Roles
Creating an Admin Role
Before you can assign permissions to an admin role, you have to create the role.
To create an admin role
1. Log in to the web console using administrator rights.
2. Click the Management tab.
3. Click the Admin Roles tab.
See About Admin Roles and Permissions on page 49.
4. Click the Add button.
Admin Roles Details
5. Enter a name for the admin role and a description.
6. Click OK.
The role is added to the Admin Role list.
Adding Permissions to an Admin Role
After you have created an admin role, you need to add permissions to it before you assign it to a user or a group.
To add permissions to an admin role
1. Log in to the web console using administrator rights.
2. Click the Management tab.
3. Click the Admin Roles tab.
4. Select the role from the Admin Roles List.
5. Click the Features tab.
6. Select the permissions.
See About Admin Roles and Permissions on page 49.
Note: Users with the Manage Admin Roles, Manage Users, or Manage User Groups permission have
the ability to upgrade themselves or other users to system administrators.
7. Click Save.
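The note above means any account that reaches one of those three permissions, directly or through a group, is effectively an administrator. The following audit is an added example, not part of the product or this guide; the role, group and user names are constructed, and it assumes you have transcribed the associations shown on the Admin Roles, Users and User Groups tabs.

```python
"""Added example: list accounts whose effective admin permissions allow
promotion to system administrator, per the note in the guide."""
from collections import defaultdict

# The three permissions the guide's note names.
ESCALATION_PERMISSIONS = frozenset(
    {"Manage Admin Roles", "Manage Users", "Manage User Groups"}
)

# Constructed sample data (hypothetical role, group and user names).
ROLE_PERMISSIONS = {
    "Reviewer Lead": {"Create/Edit Projects - Restricted", "View Activity Log"},
    "Help Desk": {"Manage Users"},
    "Group Keeper": {"Manage User Groups", "Create People"},
    "Evidence Tech": {"Evidence Admin", "Create Nodes"},
}
USER_ROLES = {  # admin roles associated directly with a user
    "asmith01": {"Reviewer Lead"},
    "bjones02": {"Help Desk"},
    "cnguyen3": set(),
    "dpatel04": {"Evidence Tech"},
}
GROUP_ROLES = {  # admin roles associated with a user group
    "Reviewers": {"Reviewer Lead"},
    "GroupAdmins": {"Group Keeper"},
}
GROUP_MEMBERS = {
    "Reviewers": {"asmith01", "cnguyen3"},
    "GroupAdmins": {"cnguyen3"},
}


def effective_grants(user_roles, group_roles, group_members, role_permissions):
    """Return {user: {permission: set of paths that grant it}}.

    A permission reaches a user either through a role associated with the
    user or through a role associated with a group the user belongs to.
    """
    grants = defaultdict(lambda: defaultdict(set))
    for user, roles in user_roles.items():
        grants[user]  # keep users that have no roles in the result
        for role in roles:
            for perm in role_permissions.get(role, ()):
                grants[user][perm].add(f"role '{role}' (direct)")
    for group, members in group_members.items():
        for role in group_roles.get(group, ()):
            for perm in role_permissions.get(role, ()):
                for user in members:
                    grants[user][perm].add(f"role '{role}' via group '{group}'")
    return grants


def escalation_findings(grants):
    """Return sorted (user, permission, paths) for escalation-capable grants."""
    findings = []
    for user in sorted(grants):
        held = ESCALATION_PERMISSIONS.intersection(grants[user])
        for perm in sorted(held):
            findings.append((user, perm, sorted(grants[user][perm])))
    return findings


if __name__ == "__main__":
    result = effective_grants(USER_ROLES, GROUP_ROLES, GROUP_MEMBERS, ROLE_PERMISSIONS)
    for user, perm, paths in escalation_findings(result):
        print(f"{user}: {perm} <- {'; '.join(paths)}")
```

Group-derived grants are the ones most often missed in reviews, because the user's own Admin Roles tab does not show them.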
Managing Users
Administrators, and users assigned the Manage Users permission, manage users by doing the following:
-Managing the List of Users on page 57
-Adding Users on page 58
-Editing the Email Address of a User on page 60
-Resetting a User’s Password on page 61
-Deleting Users on page 62
-Deactivating a User on page 63
-Activating a User on page 63
-Associating User Groups and Admin Roles to a User on page 59
About User Account Types
You can configure the application to use one of two user types:
-Integrated Windows Authentication (IWA) account (uses synced Active Directory user accounts)
-Local application account (forms authentication - you create all application users)
The type of user that you use changes some elements of creating and managing users. For example, if you use
an Integrated Windows Authentication account, you can either manually create application users based on AD
users or import them directly from AD. Also, you cannot manage a user’s password.
Managing the List of Users
You create and manage users from the Users tab on the Management page.
To open the Users tab
1. Log in as an administrator or a user that has the Manage Users permission.
See Opening the AccessData Web Console on page 26.
2. Click Management.
3. Click Users.
The users list lets you view all the users, including the following columns of information about them:
-Username
-Email Address of the user
-Date that the user was created
-Date of last login for the user
-Active status of a user
-First and Last name of the user
-Description
From the users list, you can also do the following:
-Add users
-Edit users
-Delete users
-Set users as active or inactive
-Reset user passwords (forms authentication only)
-Associate users to User Groups and Admin roles
When you create and view the list of users, they are displayed in a grid. You can do the following to modify the
contents of the grid:
-Control which columns of data are displayed in the grid.
-If you have a large list, you can apply a filter to display the items that you want.
See Filtering Content in Lists and Grids on page 41.
Adding Users
Each person that uses the console must log in with a username and password. Each person should have their
own user account.
Administrators, and users assigned the Manage Users permission, can add new user accounts.
When a user is created, an entry for that user is created in the system databases.
How you add users differs depending on whether you use Integrated Windows Authentication or Forms
Authentication.
See About User Account Types on page 57.
If you are using Forms Authentication, you need to configure both the username and password. In this mode, a
password is required, and the Password field is bolded.
If you are using Integrated Windows Authentication, you can do one of the following:
-Manually add a domain user - enter the domain username but do not enter a password. In this mode, the
Password field is hidden.
-Import users from Active Directory
To manually add a user
1. Open the Users tab.
See Managing the List of Users on page 57.
2. In the User Details pane, click Add.
3. In the Username field, enter a unique username.
If you are using forms authentication, the name must be between 7 - 32 characters and must contain
only alphanumeric characters.
If you are using Integrated Windows Authentication, enter the user’s domain and username. For
example, <domain>\<username>.
4. Enter the First and Last name of the user.
5. (Optional) In the Email Address field, enter the email address of the user.
6. If you are using forms authentication, enter a password in the Password and the Reenter Password
fields.
The password must be between 7 - 20 characters.
7. Click OK.
To import users from Active Directory (IWA mode only)
1. Open the Users tab.
See Managing the List of Users on page 57.
2. In the User Details pane, click Import From AD.
3. Search for users that you want to add.
For example, usernames that start with A.
You can search using the following:
-Starts With
-Match Exact
-Ends With
-Contains
3a. Select a search operator.
3b. Enter a value to search on.
3c. Click Search.
3d. Check the names that you want to import.
3e. Click Add to Import List.
3f. (Optional) Perform another search.
4. In the Import List, review the list of users.
5. (Optional) Select and delete any users you do not want to import.
6. Click Continue.
7. Check for any conflicts and verify the list that you want to import.
8. Click Import.
9. View the list of users that were imported.
10. (Optional) Click Add more to import more users.
11. Click Close.
12. Verify the user list.
Associating User Groups and Admin Roles to a User
Administrators, and users assigned the Manage Users permission, can associate User Groups and Admin Roles
to users.
See About User Roles and Permissions on page 47.
See Configuring and Managing User Groups on page 64.
To associate User Groups or Admin Roles to a user
1. Open the Users tab.
See Managing the List of Users on page 57.
2. In the user list pane, select a user to associate to an admin role.
3. In the bottom pane, select the User Groups or Admin Roles tab.
4. Click the Add Association button.
Associate Admin Roles Dialog
5. Click to add the group or role to the user.
6. Click OK.
Disassociating a User Group or Admin Role from a User
Administrators, and users assigned the Manage Users permission, can disassociate User Groups and Admin
Roles from users.
See About User Roles and Permissions on page 47.
To disassociate User Groups or Admin Roles from a user
1. Open the Users tab.
See Managing the List of Users on page 57.
2. In the user list pane, select a user who you want to disassociate from an admin role.
3. In the bottom pane, click the User Groups or Admin Roles tab.
4. Check the group or role that you want to remove.
5. Click the Remove Association button.
Editing the Email Address of a User
If you are using Forms Authentication, administrators, and users assigned the Manage Users permission, can
change the email address of an existing user. If you need to make more than an email change (such as
changing the username), you must delete the user and then recreate the user with the correct information.
To edit the email address of a user
1. Open the Users tab.
See Managing the List of Users on page 57.
2. In the user list pane, select the user whose email address you want to edit.
3. In the User Details pane, click Edit.
4. In the Email Address field, enter the email address of the user.
5. Click OK.
Resetting a User’s Password
If you are using Forms Authentication, and a user has forgotten their password, administrators and users
assigned the Manage Users permission can reset passwords for users.
Note: This function is hidden if you are using Integrated Windows Authentication. Reset a password using
Windows methods.
You cannot reset the password of the Service Account.
See Changing the Password of the Service Account on page 61.
When you reset a user’s password, a new password is automatically created. You can then give the new
password to the user. After they log in with the new password, they can change the password themselves.
You cannot reset your own password. To change your own login password, use the Change Password dialog,
not the User page.
See Changing Your Password on page 37.
To reset the password of an administrator or user
1. Open the Users tab.
See Managing the List of Users on page 57.
2. In the user list pane, select a user.
3. Click .
A new password for the user is generated and displayed.
4. Copy the password and email it to the user, informing them that they can change the password after
logging in.
Changing the Password of the Service Account
This only applies if you are using Forms Authentication. The service account password can only be changed by
the user who is logged in as the master administrator. This person is typically the one who initially performed the
installation. The username cannot be changed.
See Changing Your Password on page 37.
You can use the same process as you do for a user.
See Resetting a User’s Password on page 61.
Managing Locked User Accounts
If you are using Forms Authentication and a user tries to log into the application with an invalid password,
the user is locked out of the account after six incorrect attempts.
Note: If you are using Integrated Windows Authentication, domain user accounts are not locked out.
On the Users tab, you can add the Is Locked column to see which user accounts are locked. The value will
display either True or False.
A locked user account can be unlocked in the following ways:
-An administrator can unlock the account
-The account will be unlocked after a configured period of time (see below).
Changing the Lockout setting
When a user’s account is locked, there is a time period where the user is locked out. After the time period, the
user can attempt to log into the account again. You can change the Lockout timeout setting to specify how long
the timeout period is. You change the Lockout timeout setting by editing a value in the
C:\Program Files\AccessData\Common\FTK Business Services\AdgWindowsServiceHost.exe.config file.
To change the lockout setting
1. Navigate to the C:\Program Files\AccessData\Common\FTK Business Services\AdgWindowsServiceHost.exe.config file.
2. Locate the key <add key="FailedAuthenticationLockoutPeriodInMinutes" value=" "/>.
3. Set the value to the number of minutes that you want the timeout period to be.
4. Save the file and close.
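To review the setting after an edit, the following added example (not part of the product or this guide) reads the key from a copy of the config file and bounds how many password guesses one account can absorb per day. It assumes the `<add>` element sits under `<appSettings>`, that the attempt counter resets after each automatic unlock, and a 15-minute floor that stands in for your own policy; the sample files are constructed.

```python
"""Added example: read the lockout period from a copy of
AdgWindowsServiceHost.exe.config and bound the online guessing rate."""
import math
import xml.etree.ElementTree as ET

LOCKOUT_KEY = "FailedAuthenticationLockoutPeriodInMinutes"
ATTEMPTS_BEFORE_LOCKOUT = 6   # from the guide: six incorrect attempts
MIN_LOCKOUT_MINUTES = 15      # assumed local policy floor, not a product value

# Constructed sample files. The <appSettings> wrapper is an assumption based
# on the usual .NET layout; the guide shows only the <add> element.
_TEMPLATE = """<configuration><appSettings>
  <add key="FailedAuthenticationLockoutPeriodInMinutes" value="{value}"/>
</appSettings></configuration>"""
SAMPLE_UNSET = _TEMPLATE.format(value=" ")
SAMPLE_SHORT = _TEMPLATE.format(value="2")
SAMPLE_OK = _TEMPLATE.format(value="30")


def read_lockout_minutes(config_xml):
    """Return the configured minutes, or None when the value is blank/invalid."""
    root = ET.fromstring(config_xml)
    hits = [el for el in root.iter("add") if el.get("key") == LOCKOUT_KEY]
    if not hits:
        raise LookupError(f"{LOCKOUT_KEY} not found")
    if len(hits) > 1:
        raise ValueError(f"{LOCKOUT_KEY} is defined {len(hits)} times")
    raw = (hits[0].get("value") or "").strip()
    return int(raw) if raw.isascii() and raw.isdigit() else None


def max_guesses_per_day(lockout_minutes, attempts=ATTEMPTS_BEFORE_LOCKOUT):
    """Upper bound on guesses against one account in 24 hours.

    One batch of `attempts` guesses fits at the start of every lockout window,
    so the number of batches is ceil(1440 / window). Returns None when the
    window is zero, because the rate is then unbounded.
    """
    if lockout_minutes <= 0:
        return None
    return attempts * math.ceil(1440 / lockout_minutes)


def assess(config_xml, floor=MIN_LOCKOUT_MINUTES):
    """Summarise the setting as a dict with status, minutes and guess bound."""
    minutes = read_lockout_minutes(config_xml)
    if minutes is None:
        return {"status": "unset", "minutes": None, "guesses_per_day": None}
    status = "ok" if minutes >= floor else "too-short"
    return {
        "status": status,
        "minutes": minutes,
        "guesses_per_day": max_guesses_per_day(minutes),
    }


if __name__ == "__main__":
    for name, xml_text in (("unset", SAMPLE_UNSET), ("short", SAMPLE_SHORT),
                           ("ok", SAMPLE_OK)):
        print(name, assess(xml_text))
```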
Unlocking a User Account
When a user’s account is locked, an administrator can unlock the account.
To unlock a locked account
1. As a User administrator, click Management > Users.
2. Select the user account that is locked.
3. Click the (unlock) icon.
Deleting Users
Users can be deleted by an administrator or a user with the right to delete users.
If you try to recreate a deleted user, you receive a warning that the user already exists in the application and was
marked as deleted. You can continue to create the user and assign user rights as a new user.
To delete users
1. Open the Users tab.
See Managing the List of Users on page 57.
2. Do one of the following:
-In the users list, select the user that you want to delete. In the User Details pane, click Delete.
-In the users list, select one or more users that you want to delete. Click Delete.
3. In the Confirm Deletion dialog box, click OK.
Deactivating a User
You can deactivate users as needed to make the console unavailable to them. When you deactivate a user, that
user remains in the users list of the Users tab, and has the status of False in the Active column. The user’s data
remains in the database; however, the user cannot log in, and they are not available for any other assignments
or work. The user remains inactive until an administrator reactivates them. You can activate or deactivate users
individually or collectively.
See Activating a User on page 63.
To deactivate a user
1. Open the Users tab.
See Managing the List of Users on page 57.
2. In the user list pane, check one or more users whose Active status is True.
3. Click Deactivate.
4. In the Deactivate user message box, click Yes.
Activating a User
You can activate users as needed. When a user is activated, they can log in and be available for work. An
activated user remains active until an administrator deactivates them. You can activate or deactivate users
individually or collectively.
See Deactivating a User on page 63.
To activate a user
1. Open the Users tab.
See Managing the List of Users on page 57.
2. In the user list pane, check one or more users whose Active status is False.
3. In the bottom of the middle pane, click .
4. In the Activate user frame, click Yes.
Configuring and Managing User Groups
Groups are a set of users grouped together. Groups allow you to put sets of users together who perform the
same tasks. Putting users into groups makes it easier to assign and manage project permissions for users.
The project permissions that you assign to users define the tasks that they can perform. Therefore, if you have a
group of users who all are going to review documents, you can put them in a group and grant them permissions
to review, code, and label documents.
Administrators, and users assigned the Manage Groups permission, can manage groups.
Opening the User Groups Tab
To open the User Groups tab
1. Log in as an administrator or a user with the Manage Groups admin role.
See Opening the AccessData Web Console on page 26.
2. Click Management.
3. Click User Groups.
The groups list lets you view all the groups, including the following columns of information about them:
-User Group Name
-Description
From the group list, you can also add, edit, or delete groups. You can associate groups to users and admin roles.
When you create and view the list of groups, they are displayed in a grid. You can do the following to modify the
contents of the grid:
-Control which columns of data are displayed in the grid.
-If you have a large list, you can apply a filter to display the items that you want.
User Groups Tab
The User Groups tab on the Management page can be used to add, edit, delete, and associate user groups on a
global scale. Groups are collections of users who perform the same tasks in the application.
Elements of the User Groups Tab
Element Description
Filter Options Allows you to search and filter all of the items in the list. You can filter the list
based on any number of fields.
See Filtering Content in Lists and Grids on page 41.
Groups List Displays all groups. Click the column headers to sort by the column.
Refresh
Refreshes the Groups List.
See Refreshing the Contents in List and Grids on page 38.
Columns
Adjusts what columns display in the Groups List.
See Sorting by Columns on page 38.
Export to CSV
Exports the user group list to a CSV file.
Delete
Deletes the selected group. Only active when a group is selected.
See Deleting Groups on page 66.
Add Groups
Adds a group.
See Adding Groups on page 66.
Edit Groups
Edits the selected group.
See Editing Groups on page 66.
Delete Groups
Deletes the selected group.
See Deleting Groups on page 66.
Users Tab
Allows you to associate or disassociate users to groups.
See Associating Users/Admin Roles to a Group on page 66.
Admin Roles Tab
Allows you to associate or disassociate admin roles to groups.
See Associating Users/Admin Roles to a Group on page 66.
Add Association
Associates a group to a user or admin role.
Remove Association
Disassociates a group from a user or admin role.
Adding Groups
To add a group
1. Open the User Groups tab.
See Opening the User Groups Tab on page 64.
2. In the Groups Details pane, click Add.
3. In the User Group Name field, enter a unique username.
The name must be between 7 - 32 characters and must contain only alphanumeric characters.
4. Enter a Description.
5. Click OK.
Deleting Groups
To delete a group
1. Open the User Groups tab.
See Opening the User Groups Tab on page 64.
2. Do one of the following:
-In the groups list, highlight the group that you want to delete. In the Groups Details pane, click (delete).
-In the users list, check one or more users that you want to delete. Click Delete.
3. In the Confirm Deletion dialog box, click OK.
Editing Groups
To edit a group
1. Open the User Groups tab.
See Opening the User Groups Tab on page 64.
2. In the Groups Details pane, click (edit).
3. In the User Group Name field, enter a unique username.
The name must be between 7 - 32 characters and must contain only alphanumeric characters.
4. Enter a Description.
5. Click OK.
Associating Users/Admin Roles to a Group
From the User Groups tab, you can associate users and admin roles to the selected group.
To associate users/admin roles to a group
1. Open the User Groups tab.
See Opening the User Groups Tab on page 64.
2. In the user list pane, select a group to which you want to add an association.
3. In the bottom pane, do one of the following:
-Select the Users tab to associate users to the group.
-Select the Admin Roles tab to associate roles to the group.
4. Click Add Association.
5. Click to add users/roles.
6. Click OK.
All User Groups Dialog
7. Click to associate the user to the group.
8. Click OK.
Chapter 6
Configuring the System
This chapter will help administrators configure the system to their preferences.
About System Configuration
You can configure many settings for the application system. These are global settings that affect the entire
system.
System Configuration Tab - Standard Settings
The System Configuration tab on the Management page allows you to configure multiple items. This section
describes each item.
Depending on the license that you own and the permissions that you have, you will see some or all of the
following:
Elements of the System Configuration Tab
Element Description
Active Directory Allows you to configure Active Directory to synchronize and import Active Directory
users. Synchronization is from Active Directory to the application only.
See Configuring Active Directory Synchronization on page 69.
Email Server Allows you to configure the Email Notification Server so that you can send notification
emails to specified users for certain events. This configuration is also necessary for
sending Litigation Hold emails to appropriate recipients.
See Configuring the Email Notification Server on page 73.
Create Notifications Allows you to configure email notifications for the project and user related events.
See Creating Notifications on page 73.
Manage Certificates Allows you to manage certificates used for encrypting AD1 files.
Project Defaults Allows you to configure the following settings that will be used every time you create a
project:
-Default paths for project data
-Default options for processing evidence in projects
See Default Evidence Processing Options on page 76.
Export Options Allows you to set the application to include Australian numbering.
Processing Priority Options Allows you to configure how much of the available CPU will be used for processing. If
not configured, the evidence processing engine will use all available CPUs.
Notes Certificates Allows you to manage certificates used for encrypting Lotus Notes files.
KFF Allows you to configure KFF.
See Using KFF (Known File Filter) on page 340.
Other Advanced Options Depending on the license that you own and the permissions that you have, you may
see other advanced options.
See Configuring Advanced System Settings on page 86.
Configuring Active Directory Synchronization
Depending on your product license, you can sync with Active Directory in order to import some AD objects into
your environment.
You can import the following AD objects:
-Summation (Using forms authentication mode):
Domain users as People (This is Data Sources People, not as application users.)
-eDiscovery (Using forms authentication mode):
Domain users as People (This is Data Sources People, not as application users.)
Computers as Data Sources
Groups as Data Sources
Shares as Data Sources
-Summation or eDiscovery (IWA mode only):
Domain users as application users on the Users tab.
When configuring AD sync, you must provide the address of the AD server and credentials for that server.
After performing an initial sync, you can sync on a recurring schedule.
You can also select to import one or more types of objects. For example, you can select to only sync Users on a
recurring schedule. This can be helpful to easily add new users only.
When you sync with Active Directory, all objects of that type are imported. Synchronization only occurs from
Active Directory to the application. Changes made to the application do not sync back to Active Directory.
You can also configure the system to send an email notification when a value in Active Directory is changed and
synced with Summation or eDiscovery. This can be helpful when you have a custodian in a Litigation Hold and
the status of that user changes. For example, they may move locations or may no longer be employed. You
configure the email notifications as part of the Active Directory sync setting. You can select which Active
Directory fields you want to be notified about when changes occur and which application users to send an email
to. The notification email contains a time stamp, the name of the user that the change occurred for, the
properties that changed, and the old and new values of the changed properties.
Note: After migrating from an earlier version of the application, you must re-enter the Active Directory
password. If not, the Active Directory data does not appear in the application. See Active Directory
Configuration Options on page 72.
To configure Active Directory synchronization
1. Log in as an administrator.
See Opening the AccessData Web Console (page 26).
2. Click Management.
3. Click System Configuration.
4. If you want to use email notifications, configure the email server.
See Configuring the Email Notification Server on page 73.
5. Click Active Directory.
6. In the Active Directory Configuration dialog, set all options and click Next.
See Active Directory Configuration Options on page 72.
7. Click Next.
8. Select which Active Directory fields to import into User information.
In the Active Directory Fields dialog box, in the Active Directory Fields list box, select an alias attribute
and click the green arrow next to the user field that you want associated with the attribute.
Bold user field names are required fields.
The following are examples of fields that you can use:
Active Directory Fields
Active Directory Field Person Field
givenname First Name (Required)
sn Last Name (Required)
samaccountname Username (Required)
displayname Notes Username
mail Email
9. Click Next.
10. To configure Active Directory object change notification, do the following:
10a. In the Active Directory Fields list, select a field that you want to be notified about if it changes
and click the right arrows.
10b. Repeat for all desired fields.
10c. Select the application users that you want to be notified. (Each will receive an email.)
You can filter on the list of application users.
11. Click Next.
12. Do one of the following:
-To save the settings, but not perform a sync, click Save.
-If you have completed all the settings and are ready to sync, click Save and Sync.
13. View the imported user in the Users tab.
Active Directory Configuration Options
Elements of the Active Directory Configuration Dialog
Element Description
Server Enter the server name of a domain controller in the enterprise.
Use Global Catalog Select to use the global catalog.
Port Enter the connection port number used by Active Directory.
The default port number is 389.
If you want to support synch with an entire Active Directory forest, set the port as 3268.
Otherwise, the synch only collects information from one domain instead of the entire
forest.
The default ports for communicating with Active Directory are:
LDAP: 389
Secure LDAP(SSL): 636
Global Catalog: 3268
Secure Global Catalog(SSL): 3269
Base DN Enter the starting point in the Active Directory hierarchy at which the search for users
and groups begins.
The Base DN (Distinguished Name) describes where to load users and groups.
For example, in the following base DN
dc=domain,dc=com
you would replace domain and com with the appropriate domain name to search for
objects such as users, computers, contacts, groups, and file volumes.
User DN Enter the distinguished name of the user that connects to the directory server.
For example
-tjones or <domain>\tjones
Password Enter the password that corresponds to the User DN account. This is the same
password used when connecting to the directory server.
Active Directory
Authentication Select to enable authentication against Active Directory on login.
AD Sync Objects You can select which types of objects to include or not include: Users, Groups,
Computers, or Shares. All objects are selected by default. If you want to exclude
objects from being synced, de-select those objects.
This can be helpful to easily add new users only.
AD Sync
Recurrence Configure a daily recurrence by selecting or entering the time of day to start the sync. If
a sync is in progress when the interval occurs, the interval is skipped to allow the
current sync to complete.
Test Configuration Click to test the current configuration to ensure proper communication exists with the
Active Directory server.
AD
Synchronization Set to inactive by default.
Configuring the Email Notification Server
You can configure the Email Notification Server so that when you create a litigation hold, your notification emails
are sent successfully.
To configure an email notification server
1. Click Management.
2. Click System Configuration.
3. Click Email Server.
4. In the Email Server Configuration dialog box, set the email options that you want. See Email Server
Configuration Options on page 73.
5. Click Save.
Email Server Configuration Options
Option: Description

SMTP Server Address: Specifies the address of the SMTP mail server (for example,
smtpserver.domain.com or server1) on which you have a valid account. You
must have an SMTP-compliant email system, such as a POP3 mail server, to
receive notification messages from the application.

SMTP Port: Specifies the SMTP port to use. Port 25 is the standard non-SSL SMTP port.
However, if a connection is not established with default port 25, contact the email
server administrator to get the correct port number.

SMTP SSL?: Allows you to configure the use of SSL by the SMTP server. The default SSL port is
465.

Default from Address: Specifies the name of the default email account from which alerts and
notifications are sent.

Domain: Specifies the sender’s domain.

Username: Specifies the sender’s name. The default credentials (Username, Password,
Domain) are optional.

Password: Specifies the sender’s password.

Confirm Password: Confirms the sender’s password that had been entered in the Password field.

Creating Notifications
About Event Notifications
You can configure event notifications for when certain system events occur. You select the type of event for
which you want a notification and the users to whom the notification is sent.
You can create notifications for the following events:
-Project Created
-Project Deleted
-User Created
-User Deleted
Note: For eDiscovery, you can also create notifications for job events.
Creating Event Notifications
To create an email event notification
1. Click Management.
2. Click System Configuration.
3. Click Create Notifications.
4. Click Select Event Type and select the event type for which you want a notification.
5. Select the user or users that you want to receive the notification.
6. Click Create Event Notification.
7. Click Close.
Viewing and Deleting Job Notifications
You can view and delete either the job notifications that you created or the job notifications to which you are
subscribed.
To view and delete event notifications
1. In the console, click your logged-in name (top-right corner) to open the user actions menu.
2. Click Manage My Notifications.
For information on managing list columns or filtering items in the list, see Managing Columns in Lists
and Grids (page 39).
3. Do one or more of the following:
-In the Notifications I Created group box, under the Notification Type column header, select the job
notifications that you want to delete.
-In the Notification I Belong To group box, under the Notification Type column header, select the job
notifications that you want to delete.
4. Click Delete.
5. In the Confirm Deletion dialog box, click OK.
Configuring Default Project Settings
About Default Project Settings
You can configure the following settings to use every time you create a project:
-Default paths for project data
-Default options for processing evidence in projects
In most cases, you are not required to configure defaults.
Note: The exception is if you use LawDrop™, then you must set a default LawDrop folder path.
See Configuring the System for Using LawDrop on page 361.
For processing options, there are defaults that are pre-configured.
If no default project paths are configured, the person creating the project provides this information.
If you configure default settings, you can have the application display those settings when a project is created. If
you allow the values to display, the user creating the project can view and/or change the values.
You can also hide the default values. If hidden, the person creating the project cannot view the options and/or
change them.
See Setting Default Project Settings on page 75.
See Default Evidence Folder Options on page 76.
See Default Evidence Processing Options on page 76.
Setting Default Project Settings
You can configure default project evidence settings.
See About Default Project Settings on page 75.
To set default project options
1. Log in as an administrator.
See Opening the AccessData Web Console (page 26).
2. Click Management.
3. Click System Configuration.
4. Click Project Defaults.
5. On the Info tab, set the default path settings.
See Default Evidence Folder Options on page 76.
6. On the Processing Options tab, set the default evidence processing options.
See Default Evidence Processing Options on page 76.
7. Click Save.
Default Evidence Folder Options
When you create a project, you must configure the following:
(see General Project Properties (page 164))
-Project Folder Path
-Job Data Path
On this page, you can define default locations so that you do not have to set them manually each time you
create a project. If you configure paths here, when you create a project these default paths are populated.
However, they are only defaults and can be changed.
On this page, you can also set the location for the LawDrop DropSpace path.
When setting these paths, be aware of the following:
-Local paths only work on single box installations.
-If a network UNC path is specified, you can validate the path to ensure that the application can access
the location. If the path is not validated, you may need to re-enter the path correctly or specify a new path.
To verify the path, click .
Default Evidence Processing Options
The processing options configured here are the default options used by a project when it is created.
See About Default Project Settings on page 75.
See Evidence Processing and Deduplication Options on page 166.
If you configure default settings, you can have the application display those settings when a project is created. If
you allow the values to display, the user creating the project can view and/or change the values.
Note: After upgrading the application, Enable Standard Viewer Processing Option is turned off by default
because it is a slower performing processing option. If you want this functionality, you need to enable it
manually in System Configuration > Project Defaults > Processing Options.
You can also hide the default values. If hidden, the person creating the project cannot view the options and/or
change them.
Paths

Project Folder Path: Allows you to specify a local path or a UNC network path to the project folder.
This path is the location where most project data is stored.

Job Data Path: Allows you to specify a default job data path.
-When used with Summation, this sets the path used to store some reports.
-When used with eDiscovery, this sets the responsive folder path for data from
jobs. Under this path, a folder is created for each job. The job sub-folders contain
job reports and ad1 files for collected files.
See Job Options Tab on page 429.

LawDrop DropSpace Path: If you use LawDrop, you must set a default folder path for the DropSpace. This is an
application-level setting separate from project settings.
See Configuring the System for Using LawDrop on page 361.
Hover the mouse over the information icon to get information about each item.
Configuring Export Options
You can configure Export Options to specify the document ID numbering when exporting an export set to a load
file.
For more information on production sets, see the Exporting documentation.
To configure export settings
1. Log in as an administrator.
See Opening the AccessData Web Console (page 26).
2. Click Management.
3. Click System Configuration.
4. Click Export Options. The option available is described in the following table.
5. If you want to change from the default U.S. numbering scheme, select a different option.
6. Click Save.
Default Evidence Processing Options
Option: Description

Hide Processing Options: Allows you to hide the processing options dialog when a user creates a
project. This forces the project to use the default values set here.
The default is off.

Individual Processing Options: See Evidence Processing and Deduplication Options on page 166.

Show All Time zones: When selected, allows you to select any time zone recognized by the
operating system when adding evidence.

Alternative Numbering
Option: Description

Use Australian Numbering Scheme: This option is specific to what options are available when exporting to a load file
format.
The same underlying technology performs both U.S. and Australian numbering.
For example, the Box level in the Australian scheme corresponds to the Volume
level in the U.S. scheme, and the Folder level is the same in both schemes.
Changes the Volume/Document Options page in Export to include the
numbering elements that are needed for Australian document IDs.
For example, the U.S. numbering scheme uses volumes and folders in the load
file.
The Australian numbering scheme uses a party code, boxes, and folders for their
volume structure in the load file.
See the Exporting documentation for more information on Australian numbering.
Using the Work Manager Console and Logs Using the Work Manager Console | 78
Chapter 7
Using the Work Manager Console and Logs
Using the Work Manager Console
From Work Manager Console, the Administrator can monitor the performance of the Distribution Server and
the Work Managers. Click any work manager node by name to view specific server details.
As an administrator, you can use the Work Manager Console to view pending, active, or completed work orders.
You can also view the performance of the entire system or specific Work Managers.
Opening the Work Manager Console
To open the Work Manager Console page
1. Log in as an administrator.
See Opening the AccessData Web Console (page 26).
2. Click Management.
3. Click Work Manager Console.
Work Manager Console Tab
The Work Manager Console tab, on the Management page, allows administrators to monitor the performance of
the Distribution Server and the Work Managers. Click on any work manager node by name to view specific
server details.
As an administrator, you can use the System Administration Console to view pending, active, or completed work
orders. You can also view the performance of the entire system or specific Work Managers.
Elements of the Work Manager Console Tab
Element: Description

Overall System Status Pane: Allows you to view the performance of the entire system or specific Work Managers.

Queued Work Orders: Displays work orders waiting to execute.

Active Work Orders: Displays active work orders.

Completed Work Orders: Displays completed work orders.

Overall System Performance: Displays overall system performance. You can access the Overall System Performance
panel by expanding the Performance pane on the right side of the page. On the Overall
System Performance panel, the displayed time range indicates the time frame in which
the status information was collected.

See Validating Activate Work Orders on page 80.
See Viewing the System Log or Activity Log on page 84.
See Configuring a Work Manager on page 81.
Using the Work Manager Console and Logs Validating Activate Work Orders | 80
Validating Activate Work Orders
Validate Active Work Orders allows you to remove orphaned work orders from the Active Work Orders table.
Work orders can become orphaned when the work manager handling the work order shuts down his/her
computer or in some other way loses contact with the Distribution server. When this happens, however, it does
not change the status of the associated job in the Jobs list.
To validate active work orders
1. In the Work Manager Console, click a work manager name to view active work orders.
2. At the bottom of the left pane, click Validate Active Work Orders to confirm and update current work
orders and their status.
Using the Work Manager Console and Logs Configuring a Work Manager | 81
Configuring a Work Manager
You can configure a selected Work Manager by setting various property values.
To configure a Work Manager
1. Open the Work Manager Console.
See Opening the Work Manager Console (page 78).
2. In the left pane of the Work Manager Console, under Overall System Status, click a work manager
name.
3. In the right pane, click the Configuration tab.
4. In the Configuration pane, click Edit.
5. When completed, click OK.
Using the Work Manager Console and Logs Using the System Log and Activity Log | 82
Using the System Log and Activity Log
About the System Log
When certain internal events occur in the system, they are recorded in the System Log. This can be used in
conjunction with the activity log to monitor the work and status of your system.
The following are examples of the types of events that are recorded:
-Completion of evidence processing for an individual project
-Exports started and finished
-Starting of internal services
-Job failures
-System errors
-Errors accessing computers and shares
You can filter the log information that is displayed based on the following different types of criteria:
-Date and time of the log message
-Log type such as an error, information, or warning
-Log message contents
-Which component caused the log entry
-Which method caused the log entry
-Username
-Computer name
System Log Tab
The System Log tab on the Management page is only accessible to the administrator. This log maintains an
historical record of the events that take place in the application. The administrator can view, clear, and export the
log file.
Elements of the System Log Tab
Element: Description

Filter Options: Allows you to filter the items in the System Log.
See Filtering Content in Lists and Grids on page 41.

System Log: Displays all the events. Click the column headers to sort by the column.

Clear Log: Deletes all the events in the log.
See Clearing the Log on page 84.

Export Log: Exports the log. It is recommended that you export and save logs before you clear
them.
See Exporting the Log on page 84.
About the Activity Log
When certain internal activities occur in the system, they are recorded in the Activity Log. This can be used in
conjunction with the System Log to monitor the work and status of your system.
See About the System Log on page 82.
The following are examples of the types of activities that are recorded:
-A user logged out
-A user is forced to log out due to inactivity
-Processing started on the project
-A project is opened
You can filter the log information that is displayed based on the following different types of criteria:
-Category
-Activity Date
-Activity
-Username
Activity Log Tab
The Activity Log tab on the Management page can only be accessed by the administrator. The Activity Log can
help you detect and investigate attempted and successful unauthorized activity in the application and
troubleshoot problems.
The Activity Log event columns include the activity date, username, activity, and category.
Only an administrator can view, clear, and export the Activity Log file.
Elements of the Activity Log Tab
Element: Description

Filter Options: Allows you to filter the items in the activity log.
See Filtering Content in Lists and Grids on page 41.

Activity Log: Displays all the events. Click the column headers to sort by the column.

Clear Log: Deletes all the events in the log.

Export Log: Exports the log. It is recommended that you export and save logs before you clear
them.

Refresh: Refreshes activity log.
See Refreshing the Contents in List and Grids on page 38.

Columns: Adjusts what columns display in the activity log.
See Sorting by Columns on page 38.
Viewing the System Log or Activity Log
An administrator can view, clear, and export the log file.
Event lists are displayed in a grid. You can modify the contents of the grid as follows:
-You can control which columns of data are displayed in the grid.
-If you have a large list, you can apply a filter to display only the items you want.
To open the Log page
1. Log in as an administrator.
2. Click Management.
3. Click System Log or Activity Log.
4. To refresh the log view, click (refresh).
Clearing the Log
As an Administrator, you can clear the log. When you clear the log, you delete all log entries across all pages. A
new entry is created stating that the log was cleared and who cleared it. Before clearing the log, consider
exporting the log file to keep a historical record.
To clear the log
1. Open the Logs page.
2. In the bottom left corner, click Clear Log.
3. Click Yes to confirm the deletion.
Exporting the Log
Exporting the log lets you maintain a historical record of events in the software and saves a copy of the log for
future use, even after the log is cleared. Only an administrator can view, clear, and export the log file. You can
export the log to a CSV file to allow others, who may not have view log access, the ability to query and access
the saved events.
To export the log
1. Open the Logs page.
See Activity Log Tab (page 83).
2. In the bottom left corner of the View Log pane, click Export Log.
3. In the Save As dialog box, specify a file name and file location.
4. Click Save.
Using Language Identification Language Identification | 85
Chapter 8
Using Language Identification
Language Identification
When selecting Evidence Processing, you can identify documents based on the language they were created in.
See Default Evidence Processing Options on page 76.
With Language Identification, you can identify and isolate documents that have been created in a specific
language. Because Language Identification extends the processing time, only select the Language Identification
needed for your documents. There are three levels of language identification to choose from:
None
The system will perform no language identification. All documents are assumed to be written in English. This is
the faster processing option.
Basic
The system will perform language identification for the following languages:
-Arabic
-Chinese
-English
-French
-German
-Japanese
-Korean
-Portuguese
-Russian
-Spanish
If the language to identify is one of the ten basic languages (except for English), select Basic when choosing
Language Identification. The Extended option also identifies the basic ten languages, but the processing time is
significantly greater.
Extended
The system will perform language identification for 67 different languages. This is the slowest processing option.
The following languages can be identified:
-Afrikaans
-Albanian
-Amharic
-Arabic
-Armenian
-Basque
-Belarusian
-Bosnian
-Breton
-Bulgarian
-Catalan
-Chinese
-Croatian
-Czech
-Danish
-Dutch
-English
-Esperanto
-Estonian
-Finnish
-French
-Georgian
-German
-Greek
-Hawaiian
-Hebrew
-Hindi
-Hungarian
-Icelandic
-Indonesian
-Irish
-Italian
-Japanese
-Korean
-Latin
-Latvian
-Lithuanian
-Malay
-Manx
-Marathi
-Nepali
-Norwegian
-Persian
-Polish
-Portuguese
-Quechua
-Romanian
-Rumantsch
-Russian
-Sanskrit
-Scots
-Scottish Gaelic
-Serbian
-Slovak
-Slovenian
-Spanish
-Swahili
-Swedish
-Tagalog
-Tamil
-Thai
-Turkish
-Ukrainian
-Vietnamese
-Welsh
-Yiddish
-West Frisian
Getting Started with KFF (Known File Filter) About KFF | 87
Chapter 9
Getting Started with KFF (Known File Filter)
This document contains the following information about understanding and getting started using KFF (Known
File Filter).
-About KFF (page 87)
-About the KFF Server and Geolocation (page 92)
-Installing the KFF Server (page 93)
-Configuring the Location of the KFF Server (page 95)
-Migrating Legacy KFF Data (page 96)
-Importing KFF Data (page 97)
-About CSV and Binary Formats (page 104)
-Installing KFF Updates (page 108)
-Uninstalling KFF (page 107)
-KFF Library Reference Information (page 109)
-What has Changed in Version 5.6 (page 114)
Important:
AccessData applications versions 5.6, 6.0, and later use a new KFF architecture. If you are using one
of the following applications version 5.6 or later, you must install and implement the new KFF
architecture:
-FTK-based products (FTK, FTK Pro, AD Lab, AD Enterprise)
-Summation
-eDiscovery
See What has Changed in Version 5.6 on page 114.
About KFF
KFF (Known File Filter) is a utility that compares the file hash values of known files against the files in your
project. The known files that you compare against may be the following:
-Files that you want to ignore, such as operating system files
-Files that you want to be alerted about, such as malware or other contraband files
The hash values of files, such as MD5, SHA-1, etc., are based on the file’s content, not on the file name or
extension. This helps you identify files even if they are renamed.
Using KFF during your analysis can provide the following benefits:
-Immediately identify and ignore 40-70% of files irrelevant to the project.
-Immediately identify known contraband files.
Introduction to the KFF Architecture
There are two distinct components of the KFF architecture:
-KFF Data - The KFF data are the hashes of the known files that are compared against the files in your
project. The KFF data is organized in KFF Hash Sets and KFF Groups. The KFF data can be comprised
of hashes obtained from pre-configured libraries (such as NSRL) or custom hashes that you configure
yourself.
See Components of KFF Data on page 88.
-KFF Server - The KFF Server is the component that is used to store and process the KFF data against
your evidence. The KFF Server uses the AccessData Elasticsearch Windows Service. After you install
the KFF Server, you import your KFF data into it.
Note: The KFF database is no longer stored in the shared evidence database or on the file system in EDB
format.
Components of KFF Data
Item: Description

Hash: The unique MD5 or SHA-1 hash value of a file. This is the value that is compared
between known files and the files in your project.

Hash Set: A collection of hashes that are related somehow. The hash set has an ID, status,
name, vendor, package, and version. In most cases, a set corresponds to a
collection of hashes from a single source that have the same status.

Group: KFF Groups are containers that are used for managing the Hash Sets that are
used in a project.
KFF Groups can contain Hash Sets as well as other groups.
Projects can only use a single KFF Group. However, when configuring your
project you can select a single KFF Group which can contain nested groups.

Status: The specified status of a hash set of the known files which can be either Ignore
or Alert. When a file in a project matches a known file, this is the reported status
of the file in the project.

Library: A pre-defined collection of hashes that you can import into the KFF Server.
There are three pre-defined libraries:
-NSRL
-NDIC HashKeeper
-DHS
See About Pre-defined KFF Hash Libraries on page 90.

Index/Indices: When data is stored internally in the KFF Library, it is stored in multiple indexes
or indices.
The following indices can exist:
-NSRL index
A dedicated index for the hashes imported from the NSRL library.
-NDIC index
A dedicated index for the hashes imported from the NDIC library.
-DHC index
A dedicated index for the hashes imported from the DHC library.
-KFF index
A dedicated index for the hashes that you manually create or import from
other sources, such as CSV.
These indices are internal and you do not see them in the main application. The
only place that you see some of them is in the KFF Import Tool.
See Using the KFF Import Utility on page 98.
The only time you need to be mindful of the indices is when you use the KFF
binary format when you either export or import data.
See About CSV and Binary Formats on page 104.

About the Organization of Hashes, Hash Sets, and KFF Groups
Hashes, such as MD5, SHA-1, etc., are based on the file’s content, not on the file name or extension.
You can also import hashes into the KFF Server in .CSV format.
For FTK-based products, you can also import hashes into the KFF Server that are contained in .TSV, .HKE,
.HKE.TXT, .HDI, .HDB, .hash, .NSRL, or .KFF file formats.
You can also manually add hashes.
Hashes are organized into Hash Sets. Hash Sets usually include hashes that have a common status, such as
Alert or Ignore.
Hash Sets must be organized into KFF Groups before they can be utilized in a project.
About Pre-defined KFF Hash Libraries
All of the pre-configured hash sets currently available for KFF come from three federal government agencies
and are available in KFF libraries.
See About KFF Pre-Defined Hash Libraries on page 109.
You can use the following KFF libraries:
-NIST NSRL
See About Importing the NIST NSRL Library on page 101.
-NDIC HashKeeper (Sept 2008)
See Importing the NDIC Hashkeeper Library on page 102.
-DHS (Jan 2008)
See Importing the DHS Library on page 103.
It is not required to use a pre-configured KFF library in order to use KFF. You can configure or import custom
hash sets. See your application’s Admin Guide for more information.
How KFF Works
The Known File Filter (KFF) is a body of MD5 and SHA1 hash values computed from electronic files. Some
pre-defined data is gathered and cataloged by several US federal government agencies, or you can configure your
own. KFF is used to locate files residing within project evidence that have been previously encountered by other
investigators or archivists. Identifying previously cataloged (known) files within a project can expedite its
investigation.
When evidence is processed with the MD5 Hash (and/or SHA-1 Hash) and KFF options, a hash value for each
file item within the evidence is computed, and that newly computed hash value is searched for within the KFF
data. Every file item whose hash value is found in the KFF is considered to be a known file.
Note: If two hash sets in the same group have the same MD5 hash value, they must have the same metadata.
If you change the metadata of one hash set, all hash sets in the group with the same MD5 hash file will be
updated to the same metadata.
The KFF data is organized into Groups and stored in the KFF Server. The KFF Server service performs lookup
functions.
Status Values
In order to accelerate an investigation, each known file can be labeled as either Alert or Ignore, meaning that the file
is likely to be forensically interesting (Alert) or uninteresting (Ignore). Other files have a status of Unknown.
The Alert/Ignore designation can assist the investigator to hone in on files that are relevant, and avoid spending
inordinate time on files that are not relevant. Known files are presented in the Overview Tab’s File Status
Container, under “KFF Alert files” and “KFF Ignorable.”
Hash Sets
The hash values comprising the KFF are organized into hash sets. Each hash set has a name, a status, and a
listing of hash values. Consider two examples. The hash set “ZZ00001 Suspected child porn” has a status of
Alert and contains 12 hash values. The hash set “BitDefender Total Security 2008 9843” has a status of Ignore
and contains 69 hash values. If, during the course of evidence processing, a file item’s hash value were found to
belong to the “ZZ00001 Suspected child porn” set, then that file item would be presented in the KFF Alert files
list. Likewise, if another file item’s hash value were found to belong to the “BitDefender Total Security 2008 9843”
set, then that file would be presented in the KFF Ignorable list.
In order to determine whether any Alert file is truly relevant to a given project, and whether any Ignore file is truly
irrelevant to a project, the investigator must understand the origins of the KFF’s hash sets, and the methods
used to determine their Alert and Ignore status assignments.
You can install libraries of pre-defined hash sets or you can import custom hash sets. The pre-defined hash sets
contain a body of MD5 and SHA1 hash values computed from electronic files that are gathered and cataloged by
several US federal government agencies.
See About KFF Pre-Defined Hash Libraries on page 109.
Higher Level Structure and Usage
Because hash set groups have the properties just described, and because custom hash sets and groups can be
defined by the investigator, the KFF mechanism can be leveraged in creative ways. For example, the
investigator may define a group of hash sets created from encryption software and another group of hash sets
created from child pornography files and then apply only those groups while processing.
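The lookup described under How KFF Works, Status Values, and Hash Sets can be sketched in Python. This is an added example, not AccessData code and not how the KFF Server is implemented. The class and function names, the constructed sample byte strings, and the rule that Alert wins when one hash appears under both statuses are assumptions of this example.

```python
import hashlib
from dataclasses import dataclass, field

ALERT, IGNORE, UNKNOWN = "Alert", "Ignore", "Unknown"


@dataclass
class HashSet:
    name: str
    status: str                                  # ALERT or IGNORE, one per set
    hashes: set = field(default_factory=set)     # hex MD5 and/or SHA-1 values


@dataclass
class Group:
    name: str
    hash_sets: list = field(default_factory=list)
    groups: list = field(default_factory=list)   # nested groups


def digests(content: bytes):
    """Return (MD5, SHA-1) hex digests of the content; the file name plays no part."""
    return hashlib.md5(content).hexdigest(), hashlib.sha1(content).hexdigest()


def iter_hash_sets(group, _seen=None):
    """Yield every hash set reachable from the group, following nested groups."""
    seen = _seen if _seen is not None else set()
    if id(group) in seen:                        # a group nested inside itself
        return
    seen.add(id(group))
    yield from group.hash_sets
    for child in group.groups:
        yield from iter_hash_sets(child, seen)


def build_index(group):
    """Return ({hash: (status, [set names])}, [hashes listed under both statuses])."""
    index, conflicts = {}, set()
    for hash_set in iter_hash_sets(group):
        for value in hash_set.hashes:
            value = value.lower()
            if value not in index:
                index[value] = (hash_set.status, [hash_set.name])
                continue
            status, names = index[value]
            if status != hash_set.status:
                conflicts.add(value)
                status = ALERT                   # assumption of this example
            index[value] = (status, names + [hash_set.name])
    return index, sorted(conflicts)


def classify(content: bytes, index):
    """Return (status, matching set names) for one file's content."""
    for value in digests(content):
        if value in index:
            return index[value]
    return UNKNOWN, []


# Constructed sample data: byte strings stand in for file contents.
OS_FILE = b"constructed operating system file contents\n"
FLAGGED = b"constructed contents of a file of interest\n"

ignore_set = HashSet("Constructed OS baseline", IGNORE, {digests(OS_FILE)[0]})
alert_set = HashSet("Constructed watch list", ALERT, {digests(FLAGGED)[1]})
project_group = Group("Project group", [ignore_set],
                      [Group("Nested alert group", [alert_set])])
INDEX, CONFLICTS = build_index(project_group)


def demo():
    """Classify three evidence items: known, renamed known, and modified."""
    evidence = {
        "kernel32.dll": OS_FILE,
        "holiday.jpg": FLAGGED,                  # renamed, content unchanged
        "edited.bin": FLAGGED + b"\x00",         # one byte appended
    }
    return {name: classify(data, INDEX)[0] for name, data in evidence.items()}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

The renamed file still matches because only content is hashed, while the copy with one appended byte comes back Unknown. Unknown means only that the exact content is not in the selected group.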
Getting Started with KFF (Known File Filter) About the KFF Server and Geolocation | 92
About the KFF Server and Geolocation
In order to use the Geolocation Visualization feature in various AccessData products, you must use the KFF
architecture and do the following:
-Install the KFF Server.
See Installing the KFF Server on page 93.
-Install the Geolocation (GeoIP) Data (this data provides location data for evidence)
See Installing the Geolocation (GeoIP) Data on page 103.
From time to time, there will be updates available for the GeoIP data.
See Installing KFF Updates on page 108.
If you are upgrading to 5.6 or later from an application 5.5 or earlier, you must install the new KFF Server and the
updated Geolocation data.
Getting Started with KFF (Known File Filter) Installing the KFF Server | 93
Installing the KFF Server
About Installing the KFF Server
In order to use KFF, you must first install and configure a KFF Server.
For product versions 5.6.x and 6.0.x and later, you install a KFF Server by installing the AccessData
Elasticsearch Windows Service.
Where you install the KFF Server depends on the product you are using with KFF:
-For FTK and FTK Pro applications, the KFF Server must be installed on the same computer that runs the
FTK Examiner application.
-For all other applications, such as AD Lab, Summation, or eDiscovery, the KFF Server can be installed on
either the same computer as the application or on a remote computer. For large environments, it is
recommended that the KFF Server be installed on a dedicated computer.
Once the KFF components are installed, they will be accessible via the Windows Start Menu, as well as through
FTK in the Manage menu.
Note: KFF components will only be available in the Windows Start Menu on the computer where they are
physically installed.
After installing the KFF Server, you configure the application with the location of the KFF Server.
See Configuring the Location of the KFF Server on page 95.
About KFF Server Versions
The KFF Server (AccessData Elasticsearch Windows Service) may be updated from time to time. It is best to
use the latest version.
For applications 5.5 and earlier, the KFF Server component was version 1.2.7 and earlier.
AccessData Elasticsearch Windows Service: Version 1.3.2.x
Released:
-November 2014 with 5.6 versions of FTK-based products, Summation, and eDiscovery
-November 2015 with 6.0 versions of FTK-based products, Summation, and eDiscovery
Installation Instructions: See Installing the KFF Server Service on page 94.
About Upgrading from Earlier Versions
If you have used KFF with applications versions 5.5 and earlier, you can migrate your legacy KFF data to the
new architecture.
See Migrating Legacy KFF Data on page 96.
Process for Installing KFF
The process for installing KFF is as follows:
1. Downloading the Latest KFF Installation Files (page 94)
2. Installing the KFF Server Service (page 94)
3. Configuring the KFF Server location:
-Configuring the KFF Server Location on FTK-based Computers (page 95)
-Configuring the KFF Server Location on Summation and eDiscovery Applications (page 95)
4. (Optional) Upgrading or importing KFF data.
-See Migrating Legacy KFF Data on page 96.
-About Importing KFF Data (page 97)
-Importing Pre-defined KFF Data Libraries (page 100)
-Installing the Geolocation (GeoIP) Data (page 103)
Downloading the Latest KFF Installation Files
You can download ISO files that contain the latest KFF files. Files may be updated from time to time.
To download the latest KFF Installation Files
1. Go to the AccessData Current Releases - Digital Forensics product download page.
You can also download the file from the FTK or AD Lab product download pages.
2. Click Known File Filter (KFF) Compatible with 5.6 and above.
3. Do one of the following:
-To download the KFF Server files, utilities, and NSRL data, click KFF for all 6.0 products.
-To download the DHS library, click KFF DHS.
-To download the NDIC library, click KFF NDIC.
4. Click Download Now.
Installing the KFF Server Service
The KFF Server Service is installed by installing the AccessData Elasticsearch Windows Service.
For instructions on installing the AccessData Elasticsearch Windows Service, see Installing the Elasticsearch
Service (page 383).
Configuring the Location of the KFF Server
After installing the KFF Server, on the computer running the application, such as FTK, AD Lab, Summation, or
eDiscovery, you configure the location of the KFF Server.
Do one of the following:
-Configuring the KFF Server Location on FTK-based Computers (page 95)
-Configuring the KFF Server Location on Summation and eDiscovery Applications (page 95)
Configuring the KFF Server Location on FTK-based Computers
Before using KFF with FTK, FTK Pro, Lab, or Enterprise, you must configure the location of the KFF
Server.
Important:
To configure KFF, you must be logged in with Admin privileges.
To view or edit KFF configuration settings
1. In the Case Manager, click Tools > Preferences > Configure KFF.
2. You can set or view the address of the KFF Server.
-If you installed the KFF Server on the same computer as the application, this value will be localhost.
-If you installed the KFF Server on a different computer, identify the KFF server.
3. Click Test to validate communication with the KFF Server.
4. Click Save.
5. Click OK.
Configuring the KFF Server Location on Summation and eDiscovery
Applications
When using the KFF Server with Summation or eDiscovery applications, two configuration files must point to the
KFF Server location.
These settings are configured automatically during the KFF Server installation. If needed, you can verify the
settings.
However, if you change the location of the KFF Server, do the following to specify the location of the KFF Server.
1. Configure AdgWindowsServiceHost.exe.config:
1a. On the computer running the application (for example, the server running Summation), go to
C:\Program Files\AccessData\Common\FTK Business Services.
1b. Open AdgWindowsServiceHost.exe.config.
1c. Modify the line <add key="KffElasticSearchUrl" value="http://localhost:9200" />.
1d. Change localhost to be the location of your KFF server (you can use hostname or IP).
1e. Save and close file.
1f. Restart the business services common service.
2. Configure AsyncProcessingServices web.config:
2a. On the computer running the application (for example, the server running Summation), go to
C:\Program Files\AccessData\AsyncProcessingServices.
2b. Open web.config.
2c. Modify the line <add key="KffElasticSearchUrl" value="http://localhost:9200" />.
2d. Change localhost to be the location of your KFF server (you can use hostname or IP).
2e. Save and close file.
2f. Restart the AsyncProcessing service.
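After moving the KFF Server, both files must name the same host, and a file that still says localhost is easy to miss. The following Python example is added here and is not AccessData code: it reads the KffElasticSearchUrl value from each file, rewrites only the host, and reports any file that points elsewhere. The sample file contents, the appSettings parent element, and the host name kff01.example.internal are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

KEY = "KffElasticSearchUrl"  # setting name given in the guide

# The value attribute of the <add key="KffElasticSearchUrl" value="..." /> line.
# Assumes the attribute order and double quotes shown in the guide.
_VALUE_RE = re.compile(r'<add\s+key="%s"\s+value="([^"]*)"' % KEY)

# Constructed samples; the real files contain many more settings, and the
# <appSettings> parent element is an assumption.
SERVICE_HOST_CONFIG = """<configuration>
  <appSettings>
    <!-- constructed sample of AdgWindowsServiceHost.exe.config -->
    <add key="KffElasticSearchUrl" value="http://localhost:9200" />
  </appSettings>
</configuration>"""

WEB_CONFIG = """<configuration>
  <appSettings>
    <!-- constructed sample of AsyncProcessingServices web.config -->
    <add key="KffElasticSearchUrl" value="http://localhost:9200" />
  </appSettings>
</configuration>"""


def read_kff_url(config_text):
    """Return the KffElasticSearchUrl value from config XML text, or None."""
    root = ET.fromstring(config_text)
    for node in root.iter("add"):
        if node.get("key") == KEY:
            return node.get("value")
    return None


def set_kff_host(config_text, new_host):
    """Return the config text with only the host part of the URL replaced.

    Scheme and port are kept. The rest of the file is left untouched, so
    comments and formatting survive (a parse-and-rewrite would drop them).
    """
    if not re.fullmatch(r"[A-Za-z0-9.-]+", new_host):
        raise ValueError("expected a plain hostname or IPv4 address")
    match = _VALUE_RE.search(config_text)
    if match is None:
        raise KeyError(KEY)
    old = urlsplit(match.group(1))
    port = ":%d" % old.port if old.port else ""
    new_url = "%s://%s%s%s" % (old.scheme, new_host, port, old.path)
    return config_text[:match.start(1)] + new_url + config_text[match.end(1):]


def audit(configs, expected_host):
    """Compare every config against the expected KFF Server host.

    configs maps a file name to its XML text. Returns a list of problem
    strings; an empty list means every file points to expected_host.
    """
    problems = []
    for name, text in configs.items():
        url = read_kff_url(text)
        if url is None:
            problems.append("%s: %s is missing" % (name, KEY))
            continue
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            problems.append("%s: malformed URL %r" % (name, url))
        elif parts.hostname.lower() != expected_host.lower():
            problems.append(
                "%s: points to %s, expected %s"
                % (name, parts.hostname, expected_host)
            )
    return problems


if __name__ == "__main__":
    # Only the first file is updated, which is the mistake the audit catches.
    updated = set_kff_host(SERVICE_HOST_CONFIG, "kff01.example.internal")
    files = {"AdgWindowsServiceHost.exe.config": updated, "web.config": WEB_CONFIG}
    for line in audit(files, "kff01.example.internal"):
        print(line)
```

Run the audit again after restarting both services, reading the files from the two folders named in steps 1a and 2a.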
Migrating Legacy KFF Data
If you have used KFF with applications versions 5.5 and earlier, you can migrate that data from the legacy KFF
Server to the new KFF Server architecture.
Important:
Applications version 5.6 and later can only use the new KFF architecture that was introduced in 5.6.
If you want to use KFF data from previous versions, you must migrate the data.
Important:
If you have NSRL, NDIC, or DHS data in your legacy data, those sets will not be migrated. You must
re-import them using the 5.6 versions or later of those libraries. Only legacy custom KFF data will be
migrated.
Legacy KFF data is migrated to KFF Groups and Hash Sets on the new KFF Server.
Because KFF Templates are no longer used, they will be migrated as KFF Groups, and the groups that were
under the template will be added as sub-groups.
You migrate data using the KFF Migration Tool. To use the KFF Migration Tool, you identify the following:
-The Storage Directory folder where the legacy KFF data is located.
This folder was configured using the KFF Server Configuration utility when you installed the legacy
KFF Server. If needed, you can use this utility to view the KFF Storage Directory. The default location of
the KFF_Config.exe file is Program Files\AccessData\KFF.
-The URL of the new KFF Server (the computer running the AccessData Elasticsearch Windows Service)
This is populated automatically if the new KFF Server has been installed.
To install the KFF Migration Tool
1. On the computer where you have installed the KFF Server, access the KFF Installation disc, and run the
autorun.exe.
2. Click the 64 bit or 32 bit Install KFF Migration Utility.
3. Complete the installation wizard.
To migrate legacy KFF data
1. On the legacy KFF Server, you must stop the KFF Service.
You can stop the service manually or use the legacy KFF Config.exe utility.
2. On the new KFF Server, launch the KFF Migration Tool.
3. Enter the directory of the legacy KFF data.
4. The URL of Elasticsearch should be listed.
5. Click Start.
6. When completed, review the summary data.
Importing KFF Data
About Importing KFF Data
You can import hashes and KFF Groups that have been previously configured.
You can import KFF data in one of the following formats:
KFF Data sources that you can import
Source: Pre-configured KFF libraries
Description: You can import KFF data from the following pre-configured libraries:
-NIST NSRL
-NDIC HashKeeper
-DHS
To import KFF libraries, it is recommended that you use the KFF Import Utility.
See Using the KFF Import Utility on page 98.
See Importing Pre-defined KFF Data Libraries on page 100.
See KFF Library Reference Information on page 109.
Source: Custom Hash Sets and KFF Groups
Description: You can import custom hashes from CSV files.
See About the CSV Format on page 104.
For FTK-based products, you can also import custom hashes from the following file types:
-Delimited files (CSV or TSV)
-Hash Database files (HDB)
-Hashkeeper files (HKE)
-FTK Exported KFF files (KFF)
-FTK Supported XML files (XML)
-FTK Exported Hash files (HASH)
To import these kinds of files, use the KFF Import feature in your application.
See Using the Known File Feature chapter.
Source: KFF binary files
Description: You can import KFF data that was exported in a KFF binary format, such as an archive of a
KFF Server.
See About CSV and Binary Formats on page 104.
When you import a KFF binary snapshot, you must be running the same version of the KFF Server as was
used to create the binary export.
To import KFF binary files, it is recommended that you use the KFF Import Utility.
See Using the KFF Import Utility on page 98.
About KFF Data Import Tools
When you import KFF data, you can use one of two tools:
KFF Data Import Tools
-The application’s Import feature - The KFF management feature in the application lets you import both .CSV
and KFF Binary formats. Use the application to import .CSV files.
See Using the Known File Feature chapter.
Even though you can import KFF binary files using the application, it is recommended that you use the
KFF Import Utility.
-KFF Import Utility - It is recommended that you use the KFF Import Utility to import KFF binary files.
See Using the KFF Import Utility on page 98.
About Default Status Values
When you import KFF data, you configure a default status value of Alert or Ignore. When adding Hash Sets to
KFF Groups, you can configure the KFF Groups to use the default status values of the Hash Set or you can
configure the KFF Group with a status that will override the default Hash Set values.
See Components of KFF Data on page 88.
About Duplicate Hashes
If multiple Hash Set files containing the same Hash identifier are imported into a single KFF Group, the group
keeps the last Hash Set’s metadata information, overwriting the previous Hash Sets’ metadata. This only
happens within an individual group and not across multiple groups.
Using the KFF Import Utility
About the KFF Import Utility
Due to the large size of some KFF data, a stand-alone KFF Import utility is available to use to import the data.
This KFF Import utility can import large amounts of data faster than using the import feature in the application.
It is recommended that you install and use the KFF Import utility to import the following:
-NSRL, DHC, and NIST libraries
-An archive of a KFF Server that was exported in the binary format
After importing NSRL, NDIC, or DHS libraries, these indexes are displayed in the Currently Installed Sets list.
See Components of KFF Data on page 88.
You can also use the KFF Import Utility to remove the NSRL, NDIC, or DHS indexes that you have imported.
An archive of a KFF Server, which is the exported KFF Index, is not shown in the list.
Installing the KFF Import Utility
You should use the KFF Import Utility to import some kinds of KFF data.
To install the KFF Import Utility
1. On the computer where you have installed the KFF Server, access the KFF Installation disc, and run the
autorun.exe.
2. Click the 64 bit or 32 bit Install KFF Import Utility.
3. Complete the installation wizard.
Importing a KFF Server Archive Using the KFF Import Utility
You can import an archive of a KFF Server that you have exported using the binary format.
If you are importing a pre-defined KFF Library, see Importing Pre-defined KFF Data Libraries (page 100).
To import using the KFF Import Utility
1. On the KFF Server, open the KFF Import Utility.
2. To test the connection to the KFF Server’s Elasticsearch service at the displayed URL, click Connect.
If it connects correctly, no error is shown.
If it is not able to connect, you will get the following error: Failed after retrying 10 times: ‘HEAD
accessdata_threat_indicies’.
3. To import, click Import.
4. Click Browse.
5. Browse to the folder that contains the KFF binary files.
Specifically, select the folder that contains the Export.xml file.
6. Click Start.
7. Close the dialog.
Removing Pre-defined KFF Libraries Using the KFF Import Utility
You can remove a pre-defined KFF Library that you have previously imported.
You cannot see or remove existing custom KFF data (the KFF Index).
To remove pre-defined KFF Libraries
1. On the KFF Server, open the KFF Import Utility.
2. Select the library that you want to remove.
3. Click Remove.
Importing Pre-defined KFF Data Libraries
About Importing Pre-defined KFF Data Libraries
After you install the KFF Server, you can import pre-defined NIST NSRL, NDIC HashKeeper, and DHS data
libraries.
See About Pre-defined KFF Hash Libraries on page 90.
In versions 5.5 and earlier, you installed these using an executable file. In versions 5.6 and later, you must import
them. It is recommended that you use the KFF Import Utility.
After importing pre-defined KFF Libraries, you can remove them from the KFF Server.
See Removing Pre-defined KFF Libraries Using the KFF Import Utility on page 99.
See the following sections:
-About Importing the NIST NSRL Library (page 101)
-Importing the NDIC Hashkeeper Library (page 102)
-Importing the DHS Library (page 103)
About Importing the NIST NSRL Library
You can import the NSRL library into your KFF Server. During the import, two KFF Groups are created:
NSRL_Alert and NSRL_Ignore. In FTK-based products, these two groups are automatically added to the Default
KFF Group.
The NSRL libraries are updated from time to time. To import and maintain the NSRL data, you do the following:
Process for Importing and Maintaining the NIST NSRL Library
1. Import the complete NSRL library.
You must first install the most current complete NSRL library. You can later add updates to it.
To access and import the complete NSRL library, see Importing the Complete NSRL Library (page 102).
2. Import updates to the library.
When updates are made available, import the updates to bring the data up to date.
See Installing KFF Updates on page 108.
Important: In order to use the NSRL updates, you must first import the complete library. When you install an
NSRL update, you must keep the previous NSRL versions installed in order to maintain the complete set of
NSRL data.
Available NSRL library files (new format)
NSRL Library Release: Complete library version 2.45 (source .ZIP file)
Released: Nov 2014
Information: For use only with applications version 5.6 and later.
Contains the full NSRL library up through update 2.45.
See Importing the Complete NSRL Library on page 102.
Available Legacy NSRL library files
Legacy NSRL Library Release: version 2.44 (.EXE file)
Released: Nov 2013
Information: For use with the legacy KFF Server that was used with applications versions 5.5 and earlier.
Contains the full NSRL library up through update 2.44.
Install this library first.
Note: NSRL updates for the legacy KFF format will end in the 2nd quarter of 2015. From that time, NSRL
updates will only be provided in the new format.
Importing the Complete NSRL Library
To add the NSRL library to your KFF Library, you import the data. You start by importing the full NSRL library.
You can then import any updates as they are available.
See About Importing the NIST NSRL Library on page 101.
See Installing KFF Updates on page 108.
Important:
The complete NSRL library data is contained in a large (3.4 GB) .ZIP file. When expanded, the data
is about 18 GB. Make sure that your file system can support files of this size.
Important:
Due to the large amount of NSRL data, it will take 3-4 hours to import the NSRL data using the KFF
Import Utility. If you import from within an application, it will take even longer.
To install the NSRL complete library
1. Extract the NSRLSOURCE_2.45.ZIP file from the KFF Installation disc.
See Downloading the Latest KFF Installation Files on page 94.
2. On the KFF Server, launch the KFF Import Utility.
See Installing the KFF Import Utility on page 99.
3. Click Import.
4. Click Browse.
5. Browse to and select the NSRLSource_2.45 folder that contains the NSRLFile.txt file.
(Make sure you are selecting the folder and not drilling into the folder to select an individual file. The
import process will drill into the folder to get the proper files for you.)
6. Click Select Folder.
7. Click Start.
8. When the import is complete, click OK.
9. Close the Import Utility dialog and the NSRL library will be listed in the Currently Installed Sets.
Importing the NDIC Hashkeeper Library
You can import the Hashkeeper 9.08 library.
For application versions 5.6 and later, these files are stored in the KFF binary format.
To import the Hashkeeper library
1. Access the NDIC source files by downloading the ZIP file from the web.
See Downloading the Latest KFF Installation Files on page 94.
2. Extract the ZIP file.
3. On the KFF Server, launch the KFF Import Utility.
See Installing the KFF Import Utility on page 99.
4. Click Import.
5. Click Browse.
6. Browse to and select the NDIC source folder that contains the Export.xml file.
(Make sure you are selecting the folder and not drilling into the folder to select an individual file. The
import process will drill into the folder to get the proper files for you.)
7. Click Select Folder.
8. Click Start.
9. When the import is complete, click OK.
10. Close the Import Utility dialog and the NDIC library will be listed in the Currently Installed Sets.
Importing the DHS Library
You can import the DHS 1.08 library.
For application versions 5.6 and later, these files are stored in the KFF binary format.
To import the DHS library
1. Access the NDIC source files by downloading the ZIP file from the web.
See Downloading the Latest KFF Installation Files on page 94.
2. Extract the ZIP file.
3. On the KFF Server, launch the KFF Import Utility.
See Installing the KFF Import Utility on page 99.
4. Click Import.
5. Click Browse.
6. Browse to and select the DHS source folder that contains the Export.xml file.
(Make sure you are selecting the folder and not drilling into the folder to select an individual file. The
import process will drill into the folder to get the proper files for you.)
7. Click Select Folder.
8. Click Start.
9. When the import is complete, click OK.
10. Close the Import Utility dialog and the DHS library will be listed in the Currently Installed Sets.
Installing the Geolocation (GeoIP) Data
Geolocation (GeoIP) data is used for the Geolocation Visualization feature of several AccessData products.
See About the KFF Server and Geolocation on page 92.
You can also check for and install GeoIP data updates.
If you are upgrading to 5.6 or later from an application 5.5 or earlier, you must install the new KFF Server and the
updated Geolocation data.
The Geolocation data that was used with versions 5.5 and earlier is version 1.0.1 or earlier.
The Geolocation data that is used with versions 5.6 and later is version 2014.10 or later.
To install the Geolocation IP Data
1. On the computer where you have installed the KFF Server, access the KFF Installation disc, and run the
autorun.exe.
See Downloading the Latest KFF Installation Files on page 94.
2. Click the 64 bit or 32 bit Install Geolocation Data.
3. Complete the installation wizard.
About CSV and Binary Formats
When you export and import KFF data, you can use one of two formats:
-CSV
-KFF Binary
About the CSV Format
When you use the .CSV format, you use a single .CSV file. The .CSV file contains the hashes that you import or
export.
When you export to a CSV file, it contains the hashes as well as all of the information about any associated Hash
Sets and KFF Groups. You can only use the CSV format when exporting individual Hash Sets and KFF Groups.
When you import using a CSV file, it can be a simple file containing only the hashes of files, or it can contain
additional information about Hash Sets and KFF Groups.
However, CSV files will usually take a little longer to export and import.
To view the sample of a .CSV file that contains binaries and Hash Sets and KFF Groups, perform a CSV export
and view the file in Excel.
You can also use the format of CSV files that were exported in previous versions.
To import .CSV files, use the application’s KFF Import feature.
About the KFF Binary Format
When you use the KFF binary format, you use a set of files that are in an internal KFF Server (Elasticsearch)
format that is referred to as a Snapshot. The binary format is essentially a snapshot of one of the indices
contained in the KFF Server. You can only have one binary format snapshot for each index.
See Components of KFF Data on page 88.
The benefit of the binary format is that it is able to support larger amounts of data than the CSV format. For large
data sets, the binary format will export and import faster than the CSV format.
For example, when you import the DHC or NDIC Hashkeeper libraries, they are imported from a KFF binary
format.
If you export your custom Hash Sets or KFF Groups using the KFF binary format, everything in the KFF Index is
included.
See About Choosing to Export in CSV or KFF Binary Format on page 105.
When exporting in a Binary format, you specify an existing parent folder and then the name of a new sub-folder
for the binary data. The new sub-folder must not previously exist and will be created by the export process.
After export, the binary export folder contains the following:
-Indices sub-folder - The folder contains the exported KFF data
-Export.xml - This file is the only file that is not an Elasticsearch file. It is created by the export feature
and contains the KFF Group and Hash Set definitions for the index.
-Index - an index file generated by Elasticsearch
-metadata-snapshot file with the date and time it was created
-snapshot-snapshot file with the date and time it was created
Note: The binary format is dependent on the version of the KFF Server. When exporting and importing the
binary format, the systems must be using the same version of the KFF Server.
When new versions of the KFF Server are released in the future, an upgrade process will also be
provided.
About Choosing to Export in CSV or KFF Binary Format
When you export your own KFF data, you have the option of using either the CSV or the binary format. The
results are different based on the format that you use:
CSV format
Exporting in CSV format:
When you export KFF data using the CSV format, you can export specific pieces of KFF data, such as one or
more Hash Sets or one or more KFF Groups.
The exported data is contained in one .CSV file.
The benefits of the CSV format are that CSV files can be easily viewed and can be manually edited. They are
also less dependent on the version of the KFF Server.
Importing from CSV format:
When you import a CSV file, the data in the file is added to your existing KFF data that is in the KFF Index.
See Components of KFF Data on page 88.
For example, suppose you started by manually creating four Hash Sets and one KFF Group. That would be the
only contents in your KFF Index. Suppose you import a .CSV file that contains five hash sets and two KFF
Groups. They will be added together for a total of nine Hash Sets and three KFF Groups.
To import .CSV files, use the KFF Import feature in your application.
See Using the Known File Feature chapter.
KFF binary format
Exporting in KFF binary format:
If you export your KFF data using the KFF binary format, all of the data that you have in the KFF Index will be
exported together. You cannot use this format to export individual Hash Sets or KFF Groups.
See Components of KFF Data on page 88.
You will only want to use this format if you intend to export all of the data in the KFF Index and import it as a
whole. This can be useful in making an archive of your KFF data or copying KFF data from one KFF Server to
another.
Because NSRL, NIST, and DHC data is contained in their own indexes, when you do an export using this
format, those sets are not included. Only the data in the KFF Index is exported.
Importing KFF binary format:
IMPORTANT: When you import a KFF binary format, it will import the complete index and will replace any data
that is currently in that index on the KFF Server.
For example, if you import the DHC library, and then later you import the DHC library again, the DHC index will
be replaced with the new import.
If you have a KFF binary format snapshot of custom KFF data (which would have come from a binary format
export) it will replace all KFF data that already exists in your KFF Index.
For example, suppose you manually created four Hash Sets and one KFF Group. Suppose you then import a
binary format that has five hash sets and two KFF Groups. The binary format will be imported as a complete
index and will replace the existing data. The result will be only the imported five Hash Sets and two KFF
libraries.
When importing KFF binary files, it is recommended that you use the KFF Import Utility.
See Installing the KFF Import Utility on page 99.
Uninstalling KFF
You can uninstall KFF application components independently of the KFF Data.
Main version: Applications 5.6 and later
Description: For applications version 5.6 and later, you uninstall the following components:
-AccessData Elasticsearch Windows Service (KFF Server) v1.2.7 and later
Note: Elasticsearch is used by multiple features in various applications. Use caution when uninstalling this
service or the related data.
-AccessData KFF Import Utility (v5.6 and later)
-AccessData KFF Migration Tool (v1.0 and later)
-AccessData Geo Location Data (v2014.10 and later)
Note: This component is not used by the KFF feature, but with the KFF Server for the geolocation
visualization feature.
The location of the KFF data was configured when the AccessData Elasticsearch Windows Service was
installed. By default, it is located at
C:\Program Files\AccessData\Elacticsearch\Data.
Main version: Applications 5.5 and earlier
Description: For applications version 5.5 and earlier, you can uninstall the following components:
-KFF Server (v1.2.7 and earlier)
Note: The KFF Server is also used by the geolocation visualization feature.
-AccessData Geo Location Data (1.0.1 and earlier)
This component is not used by the KFF feature, but with the KFF Server for the geolocation visualization
feature.
The location of the KFF data was configured when the KFF Server was installed. You can view the location of
the data by running the KFF.Config.exe on the KFF Server.
If you are upgrading from 5.5 to 5.6, you can migrate your KFF data before uninstalling the KFF Server.
Installing KFF Updates
From time to time, AccessData will release updates to the KFF Server and the KFF data libraries.
Some of the KFF data updates may require you to update the version of the KFF Server.
To check for updates, do the following:
1. Go to the KFF product download page.
See Downloading the Latest KFF Installation Files on page 94.
2. Check for updates.
-See About KFF Server Versions on page 93.
-See About Importing the NIST NSRL Library on page 101.
3. If there are updates, download them.
4. Install or import the updates.
KFF Library Reference Information
About KFF Pre-Defined Hash Libraries
This section includes a description of pre-defined hash collections that can be added as AccessData KFF data.
The following pre-defined libraries are currently available for KFF and come from one of three federal
government agencies:
-NIST NSRL (The default library installed with KFF)
-NDIC HashKeeper (An optional library that can be downloaded from the AccessData Downloads page)
-DHS (An optional library that can be downloaded from the AccessData Downloads page)
Note: Because KFF is now multi-sourced, it is no longer maintained in HashKeeper format. Therefore, you
cannot modify KFF data in the HashKeeper program. However, the HashKeeper format continues to be
compatible with the AccessData KFF data.
Use the following information to help identify the origin of any hash set within the KFF:
-The NSRL hash sets do not begin with “ZZN” or “ZN”. In addition, in the AD Lab KFF, all the NSRL hash
set names are appended (post-fixed) with a multi-digit numeric identifier. For example: “Password Manager
& Form Filler 9722.”
-All HashKeeper Alert sets begin with “ZZ”, and all HashKeeper Ignore sets begin with “Z”. (There are a
few exceptions. See below.) These prefixes are often followed by numeric characters (“ZZN” or “ZN”
where N is any single digit, or group of digits, 0-9), and then the rest of the hash set name. Two examples
of HashKeeper Alert sets are:
“ZZ00001 Suspected child porn”
“ZZ14W”
An example of a HashKeeper Ignore set is:
“Z00048 Corel Draw 6”
-The DHS collection is broken down as follows:
In 1.81.4 and later there are two sets named “DHS-ICE Child Exploitation JAN-1-08 CSV” and
“DHS-ICE Child Exploitation JAN-1-08 HASH”.
In AD Lab there is just one such set, and it is named “DHS-ICE Child Exploitation JAN-1-08”.
Once an investigator has identified the vendor from which a hash set has come, he/she may need to consider
the vendor’s philosophy on collecting and categorizing hash sets, and the methods used by the vendor to gather
hash values into sets, in order to determine the relevance of Alert (and Ignore) hits to his/her project. The
following descriptions may be useful in assessing hits.
NIST NSRL
The NIST NSRL collection is described at: http://www.nsrl.nist.gov/index.html. This collection is much larger than
HashKeeper in terms of the number of sets and the total number of hashes. It is composed entirely of hash sets
being generated from application software. So, all of its hash sets are given Ignore status by AccessData staff
except for those whose names make them sound as though they could be used for illicit purposes.
The NSRL collection divides itself into many sub-collections of hash sets with similar names. In addition, many of
these hash sets are “empty”, that is, they are not accompanied by any hash values. The size of the NSRL
collection, combined with the similarity in set naming and the problem of empty sets, allows AccessData to
modify (or selectively alter) NSRL’s own set names to remove ambiguity and redundancy.
Find contact info at http://www.nsrl.nist.gov/Contacts.htm.
NDIC HashKeeper
NDIC’s HashKeeper collection uses the Alert/Ignore designation. The Alert sets are hash values contributed by
law enforcement agents working in various jurisdictions within the US - and a few that apparently come from
Luxembourg. All of the Alert sets were contributed because they were believed by the contributor to be connected
to child pornography. The Ignore sets within HashKeeper are computed from files belonging to application
software.
During the creation of KFF, AccessData staff retains the Alert and Ignore designations given by the NDIC, with
the following exceptions. AccessData labels the following sets Alert even though HashKeeper had assigned
them as Ignore: “Z00045 PGP files”, “Z00046 Steganos”, “Z00065 Cyber Lock”, “Z00136 PGP Shareware”,
“Z00186 Misc Steganography Programs”, “Z00188 Wiping Programs”. The names of these sets may
suggest the intent to conceal data on the part of the suspect, and AccessData marks them Alert with the
assumption that investigators would want to be “alerted” to the presence of data obfuscation or elimination
software that had been installed by the suspect.
The following table lists actual HashKeeper Alert Set origins:
A Sample of HashKeeper KFF Contributions
| Hash | Contributor | Location | Contact Information | Case/Source |
|---|---|---|---|---|
| ZZ00001 Suspected child porn | Det. Mike McNown & Randy Stone | Wichita PD | | |
| ZZ00002 Identified Child Porn | Det. Banks | Union County (NJ) Prosecutor's Office | (908) 527-4508 | case 2000S-0102 |
| ZZ00003 Suspected child porn | Illinois State Police | | | |
| ZZ00004 Identified Child Porn | SA Brad Kropp, AFOSI, Det 307 | | (609) 754-3354 | Case # 00307D7-S934831 |
| ZZ00000, suspected child porn | NDIC | | | |
| ZZ00005 Suspected Child Porn | Rene Moes, Luxembourg Police | | rene.moes@police.etat.lu | |
| ZZ00006 Suspected Child Porn | Illinois State Police | | | |
| ZZ00007b Suspected KP (US Federal) | | | | |
| ZZ00007a Suspected KP Movies | | | | |
| ZZ00007c Suspected KP (Alabama 13A-12-192) | | | | |
| ZZ00008 Suspected Child Pornography or Erotica | Sergeant Purcell | Seminole County Sheriff's Office (Orlando, FL, USA) | (407) 665-6948, dpurcell@seminolesheriff.org | suspected child pornography from 20010000850 |
| ZZ00009 Known Child Pornography | Sergeant Purcell | Seminole County Sheriff's Office (Orlando, FL, USA) | (407) 665-6948, dpurcell@seminolesheriff.org | 200100004750 |
| ZZ10 Known Child Porn | Detective Richard Voce CFCE | Tacoma Police Department | (253)594-7906, rvoce@ci.tacoma.wa.us | |
| ZZ00011 Identified CP images | Detective Michael Forsyth | Baltimore County Police Department | (410)887-1866, mick410@hotmail.com | |
| ZZ00012 Suspected CP images | Sergeant Purcell | Seminole County Sheriff's Office (Orlando, FL, USA) | (407) 665-6948, dpurcell@seminolesheriff.org | |
| ZZ0013 Identified CP images | Det. J. Hohl | Yuma Police Department | 928-373-4694 | YPD02-70707 |
| ZZ14W | Sgt Stephen May | | Tamara.Chandler@oag.state.tx.us, (512)936-2898 | TXOAG 41929134 |
| ZZ14U | Sgt Chris Walling | | Tamara.Chandler@oag.state.tx.us, (512)936-2898 | TXOAG 41919887 |
| ZZ14X | Sgt Jeff Eckert | | Tamara.Chandler@oag.state.tx.us, (512)936-2898 | TXOAG Internal |
| ZZ14I | Sgt Stephen May | | Tamara.Chandler@oag.state.tx.us, (512)936-2898 | TXOAG 041908476 |
| ZZ14B | Robert Britt, SA, FBI | | Tamara.Chandler@oag.state.tx.us, (512)936-2898 | TXOAG 031870678 |
| ZZ14S | Sgt Stephen May | | Tamara.Chandler@oag.state.tx.us, (512)936-2898 | TXOAG 041962689 |
| ZZ14Q | Sgt Cody Smirl | | Tamara.Chandler@oag.state.tx.us, (512)936-2898 | TXOAG 041952839 |
| ZZ14V | Sgt Karen McKay | | Tamara.Chandler@oag.state.tx.us, (512)936-2898 | TXOAG 41924143 |
| ZZ00015 Known CP Images | Det. J. Hohl | Yuma Police Department | 928-373-4694 | YPD04-38144 |
| ZZ00016 | Marion County Sheriff's Department | | (317) 231-8506 | MP04-0216808 |
The basic rule is to always consider the source when using KFF in your investigations. You should consider the
origin of the hash set to which the hit belongs. In addition, you should consider the underlying nature of hash
values in order to evaluate a hit’s authenticity.
Higher Level KFF Structure and Usage
Since hash set groups have the properties just described (and because custom hash sets and groups can be
defined by the investigator) the KFF mechanism can be leveraged in creative ways. For example:
-You could define a group of hash sets created from encryption software and another group of hash sets
created from child pornography files. Then, you would apply only those groups while processing.
-You could also use the Ignore status. Suppose you are about to process a hard drive image, but your search
warrant does not allow inspection of certain files within the image that have been previously identified.
You could do the following and still observe the warrant:
  4a. Open the image in Imager, navigate to each of the prohibited files, and cause an MD5 hash value
  to be computed for each.
  4b. Import these hash values into custom hash sets (one or more), add those sets to a custom group,
  and give the group Ignore status.
  4c. Process the image with the MD5 and KFF options, and with AD_Alert, AD_Ignore, and the new,
  custom group selected.
  4d. During post-processing analysis, filter file lists to eliminate rows representing files with Ignore
  status.
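The warrant workflow in steps 4a-4d, sketched in Python as an added example (it is not AccessData code and does not use any product API). Groups are plain dictionaries, the paths and file contents are constructed samples, and the rule that Alert outranks Ignore when a hash hits both is an assumption.

```python
import hashlib

def md5_hex(data: bytes) -> str:
    """MD5 of a file's content, the value computed in step 4a."""
    return hashlib.md5(data).hexdigest()

def build_group(name, status, contents):
    """Steps 4a-4b: hash each file and collect the values in a group with one status."""
    if status not in ("Alert", "Ignore"):
        raise ValueError(f"unknown KFF status: {status}")
    return {"name": name, "status": status, "hashes": {md5_hex(c) for c in contents}}

def process(evidence, groups):
    """Step 4c: tag every evidence file with the status of the groups its MD5 hits."""
    rows = []
    for path, data in evidence.items():
        digest = md5_hex(data)
        hits = [g for g in groups if digest in g["hashes"]]
        statuses = {g["status"] for g in hits}
        # Assumption: on a double hit Alert wins, so an Ignore entry never hides an Alert.
        status = "Alert" if "Alert" in statuses else "Ignore" if statuses else None
        rows.append({"path": path, "md5": digest, "status": status,
                     "groups": sorted(g["name"] for g in hits)})
    return rows

def reviewable(rows):
    """Step 4d: drop rows with Ignore status from the list the investigator reviews."""
    return [r for r in rows if r["status"] != "Ignore"]

# Constructed sample data: byte strings stand in for file content on the image.
PRIVILEGED = b"attorney-client memo (constructed sample)"
EVIDENCE = {
    "/Users/x/Documents/memo.doc": PRIVILEGED,
    "/Users/x/Desktop/copy of memo.doc": PRIVILEGED,      # renamed copy, same content
    "/Users/x/Documents/memo-v2.doc": PRIVILEGED + b" ",  # edited copy, one byte longer
    "/Program Files/app/app.exe": b"vendor binary (constructed sample)",
    "/Users/x/tools/wipe.exe": b"wiping tool (constructed sample)",
}
GROUPS = [  # AD_Alert and AD_Ignore are the names from step 4c; their contents are made up
    build_group("AD_Alert", "Alert", [EVIDENCE["/Users/x/tools/wipe.exe"]]),
    build_group("AD_Ignore", "Ignore", [EVIDENCE["/Program Files/app/app.exe"]]),
    build_group("Warrant exclusions", "Ignore", [PRIVILEGED]),
]

if __name__ == "__main__":
    for row in reviewable(process(EVIDENCE, GROUPS)):
        print(row["status"], row["path"], row["md5"])
```

The renamed copy is filtered out because the MD5 covers content only, while memo-v2.doc, which differs by one byte, stays in the review list. Exclusion by hash covers exact copies of the files that were hashed and nothing else.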
Hash Set Categories
The highest level of the KFF’s logical structure is the categorizing of hash sets by owner and scope. The
categories are AccessData, Project Specific, and Shared.
Important:
Coordination among other investigators is essential when altering Shared groups in a lab
deployment. Each investigator must consider how other investigators will be affected when Shared
groups are modified.
Hash Set Categories
| Category | Description |
|---|---|
| AccessData | The sets shipped with as the Library. Custom groups can be created from these sets, but the sets and their status values are read only. |
| Project Specific | Sets and groups created by the investigator to be applied only within an individual project. |
| Shared | Sets and groups created by the investigator for use within multiple projects all stored in the same database, and within the same application schema. |
What has Changed in Version 5.6
With the 5.6 release of eDiscovery, Summation, and FTK-based products, the KFF feature has been updated.
If you used KFF with applications version 5.5 or earlier, you will want to be aware of the following changes in the
KFF functionality.
Changes from version 5.5 to 5.6
Item Description
KFF Server KFF Server now runs a different service.
-In 5.5 and earlier, the KFF Server ran as the KFF Server service.
-In 5.6 and later, the KFF Server uses the AccessData Elasticsearch Windows
Service.
For applications version 5.6 and later, all KFF data must be created in or
imported into the new KFF Server.
KFF Migration Tool This is a new tool that lets you migrate custom KFF data from 5.5 and earlier to
the new KFF Server.
NIST NSRL, NDIC HashKeeper, or DHS library data from 5.5 will not be
migrated. You must re-import it.
See Migrating Legacy KFF Data on page 96.
KFF Import Utility This is a new utility that lets you import large amounts of KFF data quicker than