EDiscovery_Reviewer_Guide Summation Reviewer Guide

2016-04-25

: Pdf Summation Reviewer Guide Summation_Reviewer_Guide 03 2016

Open the PDF directly: View PDF PDF.
Page Count: 383 [warning: Documents this large are best viewed by clicking the View PDF Link!]

| 1
Draft
AccessData
AD eDiscovery®
Reviewer Guide
AccessData Legal and Contact Information | 2
AccessData Legal and Contact Information
Document date: April 25, 2016
Legal Information
©2016 AccessData Group, Inc. All rights reserved. No part of this publication may be reproduced, photocopied,
stored on a retrieval system, or transmitted without the express written consent of the publisher.
AccessData Group, Inc. makes no representations or warranties with respect to the contents or use of this
documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any
particular purpose. Further, AccessData Group, Inc. reserves the right to revise this publication and to make
changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.
Further, AccessData Group, Inc. makes no representations or warranties with respect to any software, and
specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose.
Further, AccessData Group, Inc. reserves the right to make changes to any and all parts of AccessData
software, at any time, without any obligation to notify any person or entity of such changes.
You may not export or re-export this product in violation of any applicable laws or regulations including, without
limitation, U.S. export regulations or the laws of the country in which you reside.
AccessData Group, Inc.
588 West 400 South Suite 350
Lindon, UT 84042
USA
AccessData Trademarks and Copyright Information
The following are either registered trademarks or trademarks of AccessData Group, Inc. All other trademarks are
the property of their respective owners.
AccessData® DNA® PRTK®
AccessData Certified Examiner® (ACE®) Forensic Toolkit® (FTK®) Registry Viewer®
AD Summation® Mobile Phone Examiner Plus® Summation®
Discovery Cracker® MPE+ Velocitor™ SilentRunner®
Distributed Network Attack® Password Recovery Toolkit®
AccessData Legal and Contact Information | 3
A trademark symbol (®, ™, etc.) denotes an AccessData Group, Inc. trademark. With few exceptions, and
unless otherwise notated, all third-party product names are spelled and capitalized the same way the owner
spells and capitalizes its product name. Third-party trademarks and copyrights are the property of the trademark
and copyright holders. AccessData claims no responsibility for the function or performance of third-party
products.
Third party acknowledgements:
-FreeBSD ® Copyright 1992-2011. The FreeBSD Project.
-AFF® and AFFLIB® Copyright® 2005, 2006, 2007, 2008 Simson L. Garfinkel and Basis Technology
Corp. All rights reserved.
-Copyright © 2005 - 2009 Ayende Rahien
BSD License: Copyright (c) 2009-2011, Andriy Syrov. All rights reserved. Redistribution and use in source and
binary forms, with or without modification, are permitted provided that the following conditions are met:
Redistributions of source code must retain the above copyright notice, this list of conditions and the following
disclaimer; Redistributions in binary form must reproduce the above copyright notice, this list of conditions and
the following disclaimer in the documentation and/or other materials provided with the distribution; Neither the
name of Andriy Syrov nor the names of its contributors may be used to endorse or promote products derived
from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE
COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
WordNet License
This license is available as the file LICENSE in any downloaded version of WordNet.
WordNet 3.0 license: (Download)
WordNet Release 3.0 This software and database is being provided to you, the LICENSEE, by Princeton
University under the following license. By obtaining, using and/or copying this software and database, you agree
that you have read, understood, and will comply with these terms and conditions.: Permission to use, copy,
modify and distribute this software and database and its documentation for any purpose and without fee or
royalty is hereby granted, provided that you agree to comply with the following copyright notice and statements,
including the disclaimer, and that the same appear on ALL copies of the software, database and documentation,
including modifications that you make for internal use or for distribution. WordNet 3.0 Copyright 2006 by
Princeton University. All rights reserved. THIS SOFTWARE AND DATABASE IS PROVIDED "AS IS" AND
PRINCETON UNIVERSITY MAKES NO REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED. BY
WAY OF EXAMPLE, BUT NOT LIMITATION, PRINCETON UNIVERSITY MAKES NO REPRESENTATIONS OR
WARRANTIES OF MERCHANT- ABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE
USE OF THE LICENSED SOFTWARE, DATABASE OR DOCUMENTATION WILL NOT INFRINGE ANY THIRD
PARTY PATENTS, COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS. The name of Princeton University or
AccessData Legal and Contact Information | 4
Princeton may not be used in advertising or publicity pertaining to distribution of the software and/or database.
Title to copyright in this software, database and any associated documentation shall at all times remain with
Princeton University and LICENSEE agrees to preserve same.
Documentation Conventions
In AccessData documentation, a number of text variations are used to indicate meanings or actions. For
example, a greater-than symbol (>) is used to separate actions within a step. Where an entry must be typed in
using the keyboard, the variable data is set apart using [variable_data] format. Steps that require the user to
click on a button or icon are indicated by Bolded text. This Italic font indicates a label or non-interactive item in
the user interface.
A trademark symbol (®, ™, etc.) denotes an AccessData Group, Inc. trademark. Unless otherwise notated, all
third-party product names are spelled and capitalized the same way the owner spells and capitalizes its product
name. Third-party trademarks and copyrights are the property of the trademark and copyright holders.
AccessData claims no responsibility for the function or performance of third-party products.
Registration
The AccessData product registration is done at AccessData after a purchase is made, and before the product is
shipped. The licenses are bound to either a USB security device, or a Virtual CmStick, according to your
purchase.
Subscriptions
AccessData provides a one-year licensing subscription with all new product purchases. The subscription allows
you to access technical support, and to download and install the latest releases for your licensed products during
the active license period.
Following the initial licensing period, a subscription renewal is required annually for continued support and for
updating your products. You can renew your subscriptions through your AccessData Sales Representative.
Use License Manager to view your current registration information, to check for product updates and to
download the latest product versions, where they are available for download. You can also visit our web site,
www.accessdata.com anytime to find the latest releases of our products.
For more information, see Managing Licenses in your product manual or on the AccessData website.
AccessData Contact Information
Your AccessData Sales Representative is your main contact with AccessData. Also, listed below are the general
AccessData telephone number and mailing address, and telephone numbers for contacting individual
departments
AccessData Legal and Contact Information | 5
Mailing Address and General Phone Numbers
You can contact AccessData in the following ways:
Technical Support
Technical support is available on all currently licensed AccessData solutions.
You can contact AccessData Customer and Technical Support in the following ways:
AccessData Support Portal
You can access the Chat, Knowledge Base, Discussion Boards, White Papers and more through the
AccessData Support Portal:
https://support.accessdata.com
E-Mail Support:
support@accessdata.com
Telephone:
Americas/Asia-Pacific:
800-658-5199 (North America)
Support Hours: Mon-Fri, 7:00 AM – 6:00 PM (MST), except corporate holidays.
NOTE: Emergency support is available on weekends:
Saturday and Sunday 8:00am – 6:00pm MST via support@accessdata.com
AccessData Mailing Address, Hours, and Department Phone Numbers
Corporate Headquarters: AccessData Group, Inc.
588 West 400 South Suite 350
Lindon, UT 84042 USA
Voice: 801.377.5410; Fax: 801.377.5426
General Corporate Hours: Monday through Friday, 8:00 AM – 5:00 PM (MST)
AccessData is closed on US Federal Holidays
State and Local
Law Enforcement Sales:
Voice: 800.574.5199, option 1; Fax: 801.765.4370
Email: Sales@AccessData.com
Federal Sales: Voice: 800.574.5199, option 2; Fax: 801.765.4370
Email: Sales@AccessData.com
Corporate Sales: Voice: 801.377.5410, option 3; Fax: 801.765.4370
Email: Sales@AccessData.com
Training: Voice: 801.377.5410, option 6; Fax: 801.765.4370
Email: Training@AccessData.com
Accounting: Voice: 801.377.5410, option 4
AccessData Legal and Contact Information | 6
Documentation
Please email AccessData regarding any typos, inaccuracies, or other problems you find with the documentation:
documentation@accessdata.com
Professional Services
The AccessData Professional Services staff comes with a varied and extensive background in digital
investigations including law enforcement, counter-intelligence, and corporate security. Their collective
experience in working with both government and commercial entities, as well as in providing expert testimony,
enables them to provide a full range of computer forensic and eDiscovery services.
At this time, Professional Services provides support for sales, installation, training, and utilization of Summation,
FTK, FTK Pro, Enterprise, eDiscovery, Lab and the entire Resolution One platform. They can help you resolve
any questions or problems you may have regarding these solutions.
Contact Information for Professional Services
Contact AccessData Professional Services in the following ways:
AccessData Professional Services Contact Information
Contact Method Number or Address
Phone North America Toll Free: 800-489-5199, option 7
International: +1.801.377.5410, option 7
Email services@accessdata.com
Contents | 7
Contents
AccessData Legal and Contact Information
. . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Contents
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Part 1: Introducing eDiscovery
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17
Chapter 1: Introducing eDiscovery
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
About eDiscovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18
About This Reviewer Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18
Chapter 2: Getting Started
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19
About the AccessData Web Console . . . . . . . . . . . . . . . . . . . . . . . . . . .20
Web Console Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20
About User Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21
User Account Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21
Opening the AccessData Web Console . . . . . . . . . . . . . . . . . . . . . . . . .21
Installing the Browser Components . . . . . . . . . . . . . . . . . . . . . . . . . . . .23
Installing Components through the Browser . . . . . . . . . . . . . . . . . . . . .23
Installing Browser Components Manually . . . . . . . . . . . . . . . . . . . . . .25
Introducing the Web Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26
The Project List Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .28
User Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .31
Changing Your Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .32
Using Elements of the Web Console . . . . . . . . . . . . . . . . . . . . . . . . . . .33
Maximizing the Web Console Viewing Area . . . . . . . . . . . . . . . . . . . . .33
About Content in Lists and Grids . . . . . . . . . . . . . . . . . . . . . . . . . . .33
Part 2: Reviewing Project Data
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .39
Chapter 3: Introduction to Project Review
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
About Project Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .40
Workflow for Reviewing Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . .40
About Date and Time Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . .41
About How Time Zones Are Set . . . . . . . . . . . . . . . . . . . . . . . . . . . .41
Configuring the Date Format Used in Review . . . . . . . . . . . . . . . . . . . .41
Contents | 8
Configuring the Date Format Used in Production Sets and Export Sets . . . . .45
Chapter 4: Project Review Page
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Introducing the Project Review Page . . . . . . . . . . . . . . . . . . . . . . . . . . .46
Project Review Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .46
Project Bar. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .47
Review Page Panels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .48
Chapter 5: Customizing the Project Review Layout
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Working with Panels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .50
Hiding and Showing Panels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .50
Collapsing and Showing Panels . . . . . . . . . . . . . . . . . . . . . . . . . . . .51
Moving Panels. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .51
Moving Panels to a New Window . . . . . . . . . . . . . . . . . . . . . . . . . . .52
Working with Layouts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .53
Selecting a Layout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .53
Resetting Layouts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .53
Saving Layouts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .53
Managing Saved Custom Layouts . . . . . . . . . . . . . . . . . . . . . . . . . .54
Chapter 6: Viewing Data
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Viewing Data in Panels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .55
Using the Item List Panel. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .57
Viewing Documents in the Item List Panel . . . . . . . . . . . . . . . . . . . . . .58
Using Item List Options. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .59
About the Amount of Data Displayed in Fields. . . . . . . . . . . . . . . . . . . .63
Using Views . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .64
Performing Actions from the Item List. . . . . . . . . . . . . . . . . . . . . . . . .69
Using the Project Explorer Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .72
The Explore Tab. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .73
The Navigation Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .74
Using Document Viewing Panels. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .76
Using the Natural Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .76
Using the Image Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .80
Using the Text Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .81
Using the KFF Details and Detail Information Panels . . . . . . . . . . . . . . . .82
Using Document Data Panels. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .83
The Activity Panel. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .83
The Related Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .84
The Production Panel. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .85
The Notes and Transcript Notes Panels . . . . . . . . . . . . . . . . . . . . . . .86
The Conversation Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .86
The Family Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .88
The Linked Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .90
Contents | 9
Adding a Link from the Linked Panel . . . . . . . . . . . . . . . . . . . . . . . . .91
Viewing Timeline Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .92
Viewing Graphics and Videos . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .94
Chapter 7: Deleting Documents
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Deleting a Document . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .95
Part 3: Searching Data
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .97
Chapter 8: Introduction to Searching Data
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
About Searching Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .98
Search Limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .99
Chapter 9: Running Searches
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
Running a Quick Search . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
Selecting the Data that you Want to Search In. . . . . . . . . . . . . . . . . . . 101
Using Search Options. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
Building Search Phrases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
Using Search Operators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
Using Boolean Logic Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Using ? and * Wildcards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
Searching Numbers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Searching for Virtual Columns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Running a Subset Search . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Returning to a Previous Search . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Searching in the Natural Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Using Global Replace . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Committing a Global Replace Job. . . . . . . . . . . . . . . . . . . . . . . . . . 110
Using Dates and Times in Search . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Using Dates and Times in Searches . . . . . . . . . . . . . . . . . . . . . . . . 111
How Time Zone Settings Affect Searches . . . . . . . . . . . . . . . . . . . . . 111
Viewing the Display Time Zone . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Using the Search Excerpt Report. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Using Search Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
About Search Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Generating and Downloading a Search Report . . . . . . . . . . . . . . . . . . 115
About the Search Report Details . . . . . . . . . . . . . . . . . . . . . . . . . . 116
Chapter 10: Running Advanced Searches
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Running an Advanced Search . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
Advanced Search Operators. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
Advanced Search Operators Exceptions . . . . . . . . . . . . . . . . . . . . . . 120
Contents | 10
Understanding Advanced Variations . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
Using the Term Browser to Create Search Strings . . . . . . . . . . . . . . . . . . 122
Importing Index Search Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Chapter 11: Using the Search Tab
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
The Search Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
Running Recent Searches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
Clearing Search Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
Saving a Search . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
Sharing a Search . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
Chapter 12: Using Filters to Cull Data
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Filtering Data in Case Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
About Filtering Data with Facets. . . . . . . . . . . . . . . . . . . . . . . . . . . 128
The Facets Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Available Facet Categories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
Examples of How Facets Work . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Using Facets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
Caching Filter Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
Filtering by Column in the Item List Panel . . . . . . . . . . . . . . . . . . . . . . . 143
Clearing Column Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
Object Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
Part 4: Using Visualization
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .146
Chapter 13: Using Visualization
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
Culling Data with Visualization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
Files Visualization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
Emails Visualization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
Chapter 14: Using Visualization Social Analyzer
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
About Social Analyzer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
Accessing Social Analyzer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
Social Analyzer Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Analyzing Email Domains in Visualization . . . . . . . . . . . . . . . . . . . . . 158
Analyzing Individual Emails in Visualization . . . . . . . . . . . . . . . . . . . . 158
Chapter 15: Using Visualization Heatmap
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
Chapter 16: Using Visualization Geolocation
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
About Geolocation Visualization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
Geolocation Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
Contents | 11
Geolocation Workflow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
General Geolocation Requirements. . . . . . . . . . . . . . . . . . . . . . . . . 163
Viewing Geolocation EXIF Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Using Geolocation Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
The Geolocation Map Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
Using the Geolocation Grid . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
Filtering Items in the Geolocation Grid . . . . . . . . . . . . . . . . . . . . . . . 168
Using Geolocation Columns in the Item List . . . . . . . . . . . . . . . . . . . . . . 169
Using Geolocation Column Templates . . . . . . . . . . . . . . . . . . . . . . . 170
Using Geolocation Facets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
Using Geolocation Visualization to View Security Data . . . . . . . . . . . . . . . 171
Prerequisites for Using Geolocation Visualization to View Security Data . . . . 171
Configuring the Geolocation Location Configuration File . . . . . . . . . . . . . 171
Viewing Geolocation IP Locations Data . . . . . . . . . . . . . . . . . . . . . . 173
Using the Geolocation Network Information Grid . . . . . . . . . . . . . . . . . 174
Geolocation Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Part 5: Using Litigation and eDiscovery Tools
. . . . . . . . . . . . . . . . . . . . . .175
Chapter 17: Working with Transcripts and Exhibits
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
Working with Transcripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
Formatting Transcripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
The Transcript Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
Viewing Transcripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
Annotating Transcripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
Searching in Transcripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
Displaying Selected Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
Displaying Selected Highlights. . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
Opening Multiple Transcripts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
Generating Reports on Multiple Transcripts . . . . . . . . . . . . . . . . . . . . 185
Working with Video Transcripts . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
Culling Transcripts and Exhibits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
Using the Explorer Panel to Cull Transcripts and Exhibits . . . . . . . . . . . . 188
Using Object Type Facets to Cull Transcripts and Exhibits. . . . . . . . . . . . 188
The Exhibits Panel. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
Viewing Exhibits. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
Chapter 18: Imaging Documents
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
Converting a Document to an Image . . . . . . . . . . . . . . . . . . . . . . . . . . 190
Viewing Image Page Counts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Image on the Fly . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Contents | 12
Chapter 19: Using Tags and the Case Organizer
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
The Tags Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
Using Labels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
Applying and Removing Labels . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
Viewing Documents with Tags . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
Viewing Documents with a Label Applied . . . . . . . . . . . . . . . . . . . . . 202
Viewing Documents with an Issue Coded . . . . . . . . . . . . . . . . . . . . . 202
Viewing Documents with a Category Coded . . . . . . . . . . . . . . . . . . . . 202
Using the Case Organizer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
About Case Organizer Categories and Organization . . . . . . . . . . . . . . . 204
Creating, Associating, and Viewing Case Organizer Objects . . . . . . . . . . 206
Managing Case Organizer Object Properties . . . . . . . . . . . . . . . . . . . 210
Viewing the Source Document of a Case Organizer Note . . . . . . . . . . . . 212
Creating Project Files Reports. . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
Using the Case Organizer Columns . . . . . . . . . . . . . . . . . . . . . . . . 218
Chapter 20: Coding Documents
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
The Review Sets Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
The Review Batches Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
Checking In/Out a Review Set. . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
Coding in the Grid . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
Editable Fields. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
Using the Coding Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
The Coding Panel. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
Coding Single Documents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
Coding Multiple Documents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
Predictive Coding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
Understanding Predictive Coding . . . . . . . . . . . . . . . . . . . . . . . . . . 230
Instructing Predictive Coding . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
Obtaining a Confidence Score. . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
Applying Predictive Coding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
Performing Quality Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
Chapter 21: Annotating and Unitizing Evidence
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
Prerequisites for Annotating and Unitizing Files . . . . . . . . . . . . . . . . . . . 235
About Generating SWF Files for Annotating or Unitizing . . . . . . . . . . . . . 235
Configuring Maximum PDF Size for SWF Creation . . . . . . . . . . . . . . . . 236
Accessing SWF Files for Annotating or Unitizing . . . . . . . . . . . . . . . . . 236
Annotating Evidence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
About Annotating Evidence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
Prerequisites for Annotating . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
About Annotating Tools. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
Profiles and Markup Sets. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
Contents | 13
Using Annotation Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
Viewing the Source Document of a Case Organizer Note . . . . . . . . . . . . 241
Adding a Highlight. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242
Adding a Link . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243
Adding a Redaction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
Unitizing Documents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
Chapter 22: Bulk Printing
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
Bulk Printing Multiple Documents . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
Network Bulk Printing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
Local Bulk Printing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
General Print Options. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
Bulk Print Dialog Options. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
Viewing Print Statuses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
Viewing Print Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
Chapter 23: Managing Review Sets
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
Creating a Review Set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
Deleting Review Sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
Renaming a Review Set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
Manage Permissions for Review Sets. . . . . . . . . . . . . . . . . . . . . . . . . . 255
Part 6: Exporting Data
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .256
Chapter 24: Introduction to Exporting Data
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
About Exporting Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
About Excluding Data in Production Sets and Export Sets . . . . . . . . . . . . 259
Export Tab. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
Production Set History Tab. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
Export Set History Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
Exporting Export Sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
Using The Browser Briefcase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265
About the Browser Briefcase. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265
Exporting to a Browser Briefcase . . . . . . . . . . . . . . . . . . . . . . . . . . 266
Viewing and Using the Browser Briefcase . . . . . . . . . . . . . . . . . . . . . 268
Sharing the Browser Briefcase . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
Chapter 25: Creating Production Sets
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
About Creating Production Sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
Points to Consider . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
Process for Creating Production Sets . . . . . . . . . . . . . . . . . . . . . . . . . 269
Production Set General Options. . . . . . . . . . . . . . . . . . . . . . . . . . . 271
Production Set Files to Include Options . . . . . . . . . . . . . . . . . . . . . . 272
Contents | 14
Columns to Include . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
Volume Document Options. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
Production Set Image Branding Options . . . . . . . . . . . . . . . . . . . . . . 283
Additional Production Set Options. . . . . . . . . . . . . . . . . . . . . . . . . . 286
Chapter 26: Exporting Production Sets
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287
Exporting a Production Set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287
Export Tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
Chapter 27: Creating Export Sets
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
About Creating Export Sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
Creating an AD1 Export . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
AD1 Export General Options. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
Creating a Native Export . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
Native Export General Options . . . . . . . . . . . . . . . . . . . . . . . . . . . 295
Native Export Files to Include . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297
Export Volume Document Options . . . . . . . . . . . . . . . . . . . . . . . . . 299
Export Excel Rendering Options . . . . . . . . . . . . . . . . . . . . . . . . . . 301
Export Word Rendering Options. . . . . . . . . . . . . . . . . . . . . . . . . . . 303
Creating a Load File Export . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
Load File General Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
Load File Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306
Load File Files to Include Options. . . . . . . . . . . . . . . . . . . . . . . . . . 308
Part 7: Reference
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
Chapter 28: Getting Started with KFF (Known File Filter)
. . . . . . . . . . . . . . . . . . . . . . . . . . 312
About KFF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
Introduction to the KFF Architecture . . . . . . . . . . . . . . . . . . . . . . . . 313
Components of KFF Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
How KFF Works. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
About the KFF Server and Geolocation . . . . . . . . . . . . . . . . . . . . . . . . . 317
Installing the KFF Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
About Installing the KFF Server . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
About KFF Server Versions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
Process for Installing KFF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319
Downloading the Latest KFF Installation Files . . . . . . . . . . . . . . . . . . . 319
Installing the KFF Server Service . . . . . . . . . . . . . . . . . . . . . . . . . . 319
Configuring the Location of the KFF Server . . . . . . . . . . . . . . . . . . . . . . 320
Configuring the KFF Server Location on FTK-based Computers . . . . . . . . 320
Configuring the KFF Server Location on Summation and eDiscovery Applications
320
Migrating Legacy KFF Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
Contents | 15
Importing KFF Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
About Importing KFF Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
Using the KFF Import Utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
Importing Pre-defined KFF Data Libraries . . . . . . . . . . . . . . . . . . . . . 325
Installing the Geolocation (GeoIP) Data . . . . . . . . . . . . . . . . . . . . . . 328
About CSV and Binary Formats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329
Uninstalling KFF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332
Installing KFF Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
KFF Library Reference Information . . . . . . . . . . . . . . . . . . . . . . . . . . . 334
About KFF Pre-Defined Hash Libraries. . . . . . . . . . . . . . . . . . . . . . . 334
What has Changed in Version 5.6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
Chapter 29: Using KFF (Known File Filter)
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340
About KFF and De-NIST Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 340
Process for Using KFF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341
Configuring KFF Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341
Adding Hashes to the KFF Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342
About the Manage KFF Hash Sets Page . . . . . . . . . . . . . . . . . . . . . . 342
Importing KFF Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343
Manually Creating and Managing KFF Hash Sets. . . . . . . . . . . . . . . . . 345
Adding Hashes to Hash Sets Using Project Review. . . . . . . . . . . . . . . . 346
Using KFF Groups to Organize Hash Sets . . . . . . . . . . . . . . . . . . . . . . . 348
About KFF Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348
Creating a KFF Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 349
Viewing the Contents of a KFF Group . . . . . . . . . . . . . . . . . . . . . . . 349
Managing KFF Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 349
About the Manage KFF Groups Page . . . . . . . . . . . . . . . . . . . . . . . 350
Enabling a Project to Use KFF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 352
About Enabling and Configuring KFF . . . . . . . . . . . . . . . . . . . . . . . . 352
Enabling and Configuring KFF. . . . . . . . . . . . . . . . . . . . . . . . . . . . 352
Reviewing KFF Results. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
Viewing KFF Data Shown on the Project Details Page . . . . . . . . . . . . . . 354
About KFF Data Shown in the Review Item List . . . . . . . . . . . . . . . . . . 354
Using the KFF Information Quick Columns. . . . . . . . . . . . . . . . . . . . . 354
Using Quick Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355
Using the KFF Facets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356
Viewing Detailed KFF Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357
Re-Processing KFF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358
Exporting KFF Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
About Exporting KFF Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
Exporting KFF Groups and Hash Sets . . . . . . . . . . . . . . . . . . . . . . . 359
Contents | 16
Chapter 30: Understanding LawDrop™
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361
About LawDrop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361
Chapter 31: Using LawDrop™
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363
Getting Started with LawDrop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363
About the LawDrop Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364
Creating and Deleting Sub-Folders in LawDrop. . . . . . . . . . . . . . . . . . . . 366
Dropping and Uploading Files to LawDrop . . . . . . . . . . . . . . . . . . . . . . . 367
About Dropping and Uploading Files . . . . . . . . . . . . . . . . . . . . . . . . 367
About Dropping and Uploading Folders . . . . . . . . . . . . . . . . . . . . . . 367
Dropping Files into the File Upload Queue. . . . . . . . . . . . . . . . . . . . . 367
Uploading and Managing Files in the File Upload Queue . . . . . . . . . . . . 368
Viewing and Managing Uploaded Files . . . . . . . . . . . . . . . . . . . . . . . . . 369
Using the Item List Grid . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369
Moving and Copying Uploaded Items. . . . . . . . . . . . . . . . . . . . . . . . 370
Performing Actions on LawDrop Items . . . . . . . . . . . . . . . . . . . . . . . 371
Sharing Files and Folders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373
About Sharing Files and Folders . . . . . . . . . . . . . . . . . . . . . . . . . . 373
Sharing Files and Folders with other Application Users. . . . . . . . . . . . . . 373
Sharing Files and Folders with External People . . . . . . . . . . . . . . . . . . 374
Unsharing Files and Folders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 375
Adding Evidence to Projects Using LawDrop . . . . . . . . . . . . . . . . . . . . . 376
About Adding Evidence to Projects Using LawDrop. . . . . . . . . . . . . . . . 376
Exporting Files to LawDrop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378
Viewing Exported Files in LawDrop . . . . . . . . . . . . . . . . . . . . . . . . . 378
Chapter 32: Integrating with AccessData Forensics Products
. . . . . . . . . . . . . . . . . . . . . . 379
Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380
Managing User Accounts and Permissions Between
FTK and Summation/eDiscovery . . . . . . . . . . . . . . . . . . . . . . . . . . 380
Creating and Viewing Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380
Managing Evidence in FTK . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380
Reviewing Evidence in FTK . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381
Reviewing FTK Data in Summation . . . . . . . . . . . . . . . . . . . . . . . . . 382
Known Issues with FTK Compatibility . . . . . . . . . . . . . . . . . . . . . . . . . 383
| 17
Part 1
Introducing eDiscovery
This part introduces eDiscovery and includes the following chapters:
-Introducing eDiscovery (page 18)
-Getting Started (page 19)
| 18
Chapter 1
Introducing eDiscovery
About eDiscovery
eDiscovery helps you to identify and collect relevant data in-house to address electronic discovery from
beginning to end. You can run collections across the entire enterprise Network of a company. The collected
evidence can then be processed, reviewed, and exported.
The reports are enhanced by the use of keyword searches and filters to gather only relevant data that pertains to
a case. The resulting production set can then be exported into an AD1 format, or into a variety of load file
formats such as Concordance, Summation, EDRM, Introspect, and iConect.
About This Reviewer Guide
This Reviewer Guide explains how to use Project Review to analyze the data in your projects.
This guide includes the following parts:
-Getting Started (page 19)
-Reviewing Project Data (page 39)
-Searching Data (page 97)
-Using Visualization (page 146)
-Using Litigation and eDiscovery Tools (page 175)
-Exporting Data (page 256)
-Reference (page 311)
For information about administrating the AccessData eDiscovery product and projects, see the eDiscovery
Admin Guide.
For information about new features, fixed issues, and known issues, see the eDiscovery Release Notes.
You can download the Admin Guide and Release Notes from the Help/Documentation link.
See User Actions on page 31.
Getting Started Terminology | 19
Chapter 2
Getting Started
Terminology
Features and technology are shared across the multiple applications. To provide greater compatibility between
products, some terminology in the user interface and documentation has been consolidated. The following table
lists the common terminology:
Terminology Changes
Previous Term New Term
Case Project
Custodian Person
Custodians People
System Console Work Manager Console
Security Log Activity Log
Audit Log User Review Activity
Getting Started About the AccessData Web Console | 20
About the AccessData Web Console
The application displays the AccessData web-based console that you can open from any computer connected to
the network.
All users are required to enter a username and password to open the console.
What you can see and do in the application depends on your product license and the rights and permissions
granted to you by the administrator. You may have limited privileges based on the work you do.
See About User Accounts on page 21.
Note: Like many applications that you run in a browser, do not click the browser’s Back button. Use the menus
and buttons to navigate in the console.
Web Console Requirements
Software Requirements
The following are required for using the features in the web console:
-Windows-based PC running the Internet Explorer web browser:
Internet Explorer 9 or higher is required for full functionality of most features.
Internet Explorer 10 or higher is required for full functionality of all features. (Some new features use
HTML5 which requires version 10 or higher.
Note: If you have issues with the interface displaying correctly, view the application in compatibility
view for Internet Explorer.
The console may be opened using other browsers but will not be fully functional.
-Internet Explorer Browser Add-on Components
Microsoft Silverlight--Required for the console.
Adobe Flash Player--Required for imaging documents in Project Review.
-AccessData console components
AD NativeViewer--Required for viewing documents in the Alternate File Viewer in Project Review.
Includes Oracle OutsideX32.
AD Bulk Print Local--Required for printing multiple records using Bulk Printing in Project Review.
To use these features, install the associated applications on each users’ computer.
See Installing the Browser Components on page 23.
Hardware Recommendations
-Use a display resolution of 1280 x 1024 or higher.
Press F11 to display the console in full-screen mode and maximize the viewing area.
Getting Started About User Accounts | 21
About User Accounts
Each user that uses the web console must log in with a user account. Each account has a username and
password. Administrators configure the user accounts.
User accounts are granted permissions based on the tasks those users perform. For example, one account may
have permissions to create and manage projects while another account has permissions only to review files in a
project.
Your permissions determine which items you see and the actions you can perform in the web console.
There is a default Administrator account.
User Account Types
Depending on how the application is configured, your account may be either an Integrated Windows
Authentication account or a local application account.
The type of account that you have will affect a few elements in the web interface. For example, if you use an
Integrated Windows Authentication account, you cannot change your password within the console. However,
you can change your password within the console if you are using an application user account.
Opening the AccessData Web Console
You use the AccessData web console to perform application tasks.
See About the AccessData Web Console on page 20.
You can launch the console from an approved web browser on any computer that is connected to the application
server on the network.
See Web Console Requirements on page 20.
To start the console, you need to know the IP address or the host name of the computer on which the application
server is installed.
When you first access the console, you are prompted to log in. Your administrator will provide you with your
username and password.
To open the web console
1. Open Internet Explorer.
Note: Internet Explorer 7 or higher is required to use the web console for full functionality. Internet
Explorer 10 or 11 is recommended.
2. Enter the following URL in the browser’s address field:
https://<host_name>/ADG.map.Web/
where <host_name> is the host name or the IP address of the application server.
This opens the login page.
You can save this web page as a favorite.
Getting Started Opening the AccessData Web Console | 22
3. One of two login pages displays:
If you are using Integrated Windows Authentication, the following login page displays.
Integrated Windows Authentication Page
Note: If you are using Integrated Windows Authentication and are not on the domain, you will see a
Windows login prompt.
If you are not using Integrated Windows Authentication, the login page displays the product name and
version for the product license that your organization is using and provides fields for your username and
password.
Non-Integrated Windows Authentication Login
4. On the login page, enter the username and password for your account.
If you are logging in as the administrator for the very first time and have not enabled Integrated Window
Authentication, enter the pre-set default user name and password. Contact your technical support or
sales representative for login information.
5. Click Sign In.
If you are authenticated, the application console displays.
If you cannot log in, contact your administrator.
6. The first time the web console is opened on a computer, you may be prompted to install the following
plug-ins:
-Microsoft Silverlight
-Adobe Flash Player
-AD Alternate File Viewer (Native Viewer)
-AD Bulk Print Local
Download the plug-ins. When a pop-up from Internet Explorer displays asking to run or download the
executable, click Run. Complete the install wizard to finish installing the plug-in.
See Web Console Requirements on page 20.
See Installing Browser Components Manually on page 25.
Getting Started Installing the Browser Components | 23
Installing the Browser Components
To use all of the features of the web console, each computer that runs the web console must have Internet
Explorer and the following add-ons:
-Microsoft Silverlight--Required for the console.
-Adobe Flash Player--Required for imaging documents in Project Review.
-AccessData Alternate File Viewer (Native Viewer)--Required for imaging documents in Project Review.
This includes the Oracle OutsideX32 plug-in.
-AccessData Local Bulk Print--Required for printing multiple records using Bulk Printing in Project Review
Important:
Each computer that runs the console must install the required browser components. The installations
require Windows administrator rights on the computer.
Upon first login, the web console will detect if the workstation's browser does not have the required versions of
the add-ons and will prompt you to download and install the add-ons.
See Installing Components through the Browser on page 23.
See Installing Browser Components Manually on page 25.
Installing Components through the Browser
Microsoft Silverlight
To install Silverlight
1. If you need to install Silverlight, click Click now to install in the Silverlight plug-in window.
2. Click Run in the accompanying security prompts.
3. On the Install Silverlight dialog, Install Now.
When the Silverlight installer completes, on the Installation successful dialog, click Close.
Getting Started Installing the Browser Components | 24
If the web browser does not display the AD logo and then the console, refresh the browser window.
The application Main Window displays and you can install Flash Player from the plug-in installation bar.
Adobe Flash Player
To install Flash Player
1. If you need to install Flash Player, click the Flash Player icon.
2. Click Download now.
3. Click Run in the accompanying security prompts.
4. Complete the installation.
5. Refresh the browser.
Once the application is installed, you need to install the Alternate File Viewer and Local Bulk Print software. You
can find the links to download the add-ons in the dropdown in the upper right corner of the application.
AccessData Alternate File Viewer (Native Viewer)
To install the AD Alternate File Viewer (Native Viewer)
1. From the User Actions dropdown, select AD Alternate File Viewer.
2. Click RUN on the NearNativeSetup.exe prompt.
3. Click Next on the InstallShield Wizard dialog.
4. Click Next on the Custom Setup dialog.
5. Click Install on the Ready to Install the Program dialog.
6. Allow the installation to proceed and then click Finish.
7. Close the browser and re-log in.
8. Click Allow on the ADG.UI.Common.Document.Views.NearNativeControl prompt.
9. Refresh the browser.
Getting Started Installing the Browser Components | 25
AccessData Local Bulk Print
To install the Local Bulk Print add-on
1. From the User Actions dropdown, select AD Local Bulk Print.
2. Click Run at the AccessData Local Bulk Print.exe prompt in Internet Explorer.
3. In the InstallShield Wizard dialog, click Next.
4. Accept the license terms and click Next.
5. Accept the default location in the Choose Destination Location dialog and click Next.
6. Click Install on the Ready to Install the Program dialog.
7. Click Finish.
Installing Browser Components Manually
You can use EXE files to install the components outside of the browser. You can run these locally or use
software management tools to install them remotely.
Installing AD Alternate File Viewer
To install the Alternate File Viewer add-on, navigate to the following path on the server:
C:\Program Files (x86)\AccessData\MAP\NearNativeSetup.exe
To install the AD Alternate File Viewer add-on
1. Run the NearNativeSetup.MSI file.
2. Click Next on the InstallShield Wizard dialog.
3. Click Next on the Custom Setup dialog.
4. Click Install on the Ready to Install the Program dialog.
5. Allow the installation to proceed and then click Finish.
Installing the Local Bulk Print Tool
To install the Local Bulk Print tool, navigate to the following path on the server:
C:\Program Files (x86) \AccessData\MAP\AccessDataBulkPrintLocal.exe
To install the Local Bulk Print add-on
1. Run the AccessDataBulkPrintLocal.exe. The wizard should appear.
2. Click Next to begin.
3. Click Next on the Select Installation Folder dialog.
4. Click Next. After the installation is complete, click Close.
Installing Adobe Flash Player
Visit http://get.adobe.com/flashplayer/ and follow the prompts to install the flash player.
Getting Started Introducing the Web Console | 26
Introducing the Web Console
The user interface for the application is the AccessData web console. The console includes different tabs and
elements.
The items that display in the console are determined by the following:
-Your application’s license
-Your user permissions
The main elements of the application are listed in the following table. Depending on the license that you own and
the permissions that you have, you will see some or all of the following:
Component Description
Navigation bar This lets you open multiple pages in the console.
Home page The Home page lets you create, view, manage, and review projects based on the
permissions that you have. This is the default page when you open the console.
See Using the Project Management Home Page on page 149.
Getting Started Introducing the Web Console | 27
Dashboard (Available in eDiscovery or with a special Litigation Hold license.)
The Dashboard allows you to view important event information in an easy-to-read
visual interface.
See Using the Dashboard on page 334.
Data Sources The Data Sources tab lets you manage people, computers, network shares, evidence,
as well as several different connectors. This tab allows you to manage these data
sources throughout the system, not just by project.
See About Data Sources on page 110.
Lit Hold (Available in eDiscovery or with a special Litigation Hold license.)
The Lit Hold tab lets you create and manage litigation holds.
See Using Litigation Holds on page 299.
Management
(gear icon) The Management page lets administrators perform global management tasks.
See Opening the Management Page on page 45.
User Actions Actions specific to the logged-in user that affects the user’s account.
See User Actions on page 31.
Project
Review
The Project Review page lets you analyze, filter, code and label documents for a
selected project.
You access Project Review from the Home page.
See the Reviewer Guide for more information on Project Review. You can download the
Reviewer Guide from the Help/Documentation link. See User Actions on page 31.
Component Description
Getting Started The Project List Panel | 28
The Project List Panel
The Home page includes the Project List panel. The Project List panel is the default view after logging in. Users
can only view the projects for which they have created or been given permissions.
Administrators and users, given the correct permissions, can use the project list to do the following:
-Create projects.
-View a list of existing projects.
-Add evidence to a project.
-Launch Project Review.
If you are not an administrator, you will only see either the projects that you created or projects to which you
were granted permissions.
The following table lists the elements of the project list. Some items may not be visible depending on your
permissions.
Getting Started The Project List Panel | 29
Elements of the Project List
Element Description
Create New Project Click to create a new project.
See Creating a Project on page 163.
Filter Options Allows you to search and filter all of the projects in the project list. You can
filter the list based on any number of fields associated with the project,
including, but not limited to the project name.
See Filtering Content in Lists and Grids on page 36.
Filter Enabled Displayed if you have enabled a filter.
Project Name Column Lists the names of all the projects to which the logged-in user has permissions.
Action Column Allows you to add evidence to a project or enter Project Review.
Add Data
Allows you to add data to the selected project.
Project Review
Allows you to review the project using Project Review.
See the Reviewer Guide for more information on using Product Review. You
can download the Reviewer Guide from the Help/Documentation link. See
Changing Your Password on page 32.
Processing Status Column Lists the status of the projects:
Not Started - The project has been created but no evidence has been added.
Processing - Evidence has been added and is still being processed.
Completed - Evidence has been added and processed.
Note: When processing a small set of evidence, the Processing Status may
show a delay of two minutes behind the actual processing of the evidence.
You may need to refresh the list to see the current status. See Refresh below.
Size Column Lists the size of the data within the project.
Page Size drop-down Allows you to select how many projects to display in the list.
The total number of projects that you have permissions to see is displayed.
Total Lists the total number of projects displayed in the Project List.
Page Allows you to view another page of projects.
Refresh If you create a new project, or make changes to the list, you may need to
refresh the project list
Delete Select one or more projects and click Delete Project to delete them from the
Project List.
Project Property
Cloning
Clone the properties of an existing project to another project. You can apply a
single project’s properties to another project, or you can pick and choose
properties from multiple individual projects to apply to a single project.
See Using Project Properties Cloning on page 176.
Getting Started The Project List Panel | 30
Custom Properties
Add, edit, and delete custom columns that will be listed in the Project list
panel. When you create a project, this additional column will be listed in the
project creation dialog.
See Adding Custom Properties on page 156.
Export to CSV Export the Project list to a .CSV file. You can save the file and open it in a
spreadsheet program.
Columns Add or remove viewable columns in the Project List.
Element Description
Getting Started User Actions | 31
User Actions
Once in the web console, you can preform user actions that are specific to you as the logged-in user. You access
the options by clicking on the logged-in user name in the top right corner of the console.
User Actions
User Actions
Link Description
Logged-on user The username of the logged-on user is displayed; for example, administrator.
Change password Lets the logged-on user change their password.
See Changing Your Password on page 32.
Note: This function is hidden if you are using Integrated Windows
Authentication.
Help/ Documentation Lets you to access the latest version of the Release Notes and User Guide.
The files are in PDF format and are contained in a ZIP file that you can
download.
Manage My Notifications Lets you to manage the notifications that you have created and that you belong
to.
See About Managing Notifications for a Job on page 457.
You can delete notifications, export the notifications list to a CSV file, and filter
the notifications with the Filter Options.
See Filtering Content in Lists and Grids on page 36.
Download Alternate File
Viewer Lets you to download the Alternate FIle Viewer application.
See AccessData Alternate File Viewer (Native Viewer) on page 24.
Download Local Bulk
Print software Lets you to access the latest version of the Local Bulk Print software. See
AccessData Local Bulk Print on page 25.
Logout Logs you off and returns you to the login page.
Note: This function is hidden if you are using Integrated Windows
Authentication.
Getting Started User Actions | 32
Changing Your Password
Note: This function is hidden if you are using Integrated Windows Authentication. You must change your
password using Windows.
Any logged-in user can change their password. You may want to change your password for one of the following
reasons:
-You are changing a default password after you log in for the first time.
-You are changing your password on a schedule, such as quarterly.
-You are changing your password after having a password reset.
To change your own password
1. Log in using your username and current password.
See To open the web console on page 21.
2. In the upper right corner of the console, click your logged-in username.
3. Click Change Password.
Change User Password
4. In the Change User Password dialog, enter the current password and then enter and confirm the new
password in the respective fields. The following are password requirements:
-The password must be between 7 - 50 characters.
-At least one Alpha character.
-At least one non-alphanumeric character.
5. Click OK.
Getting Started Using Elements of the Web Console | 33
Using Elements of the Web Console
Maximizing the Web Console Viewing Area
You can press F11 to enable or disable the console in full-screen mode.
About Content in Lists and Grids
Many objects within the console are made up of lists and grids. Many elements in the lists and grids recur in the
panels, tabs, and panes within the interface. The following sections describe these recurring elements.
You can manage how the content is displayed in the grids.
-See Refreshing the Contents in List and Grids on page 33.
-See Managing Columns in Lists and Grids on page 34.
-See Sorting by Columns on page 33.
-See Filtering Content in Lists and Grids on page 36.
-See Changing Your Password on page 32.
Refreshing the Contents in List and Grids
There may be times when the list you are looking at is not dynamically updated. You can refresh the contents by
clicking .
Sorting by Columns
You can sort grids by most columns.
Note: You can set a default column to sort by when you create a project or in the Project Details pane. The
default is ObjectID.
To sort a grid by columns
1. Click the column head to sort by that column in an ascending order.
A sort indicator (an up or down arrow) is displayed.
2. Click it a second time to sort by descending order.
3. Click Search Options > Clear Search to return to the default column.
Sorting By Multiple Columns
In the Item List in Project Review, you can also sort by multiple columns. For example, you can do a primary sort
by file type, and then do a second sort by file size, then a third sort by accessed date.
Getting Started Using Elements of the Web Console | 34
To sort a grid by columns
1. Click the column head to sort by that column in an ascending order.
A sort indicator (an up or down arrow) is displayed.
2. Click it a second time to sort by descending order.
3. In the Item List in Project Review, to perform a secondary search on another column, hold Shift+Alt keys
and click another column.
A sort indicator is displayed for that column as well.
4. You can repeat this for multiple columns.
Moving Columns in a Grid View
You can rearrange columns in a Grid view in any order you want. Some columns have pre-set default positions.
Column widths are also sizable.
To move columns
In the Grid view, click and drag columns to the position you want them.
Managing Columns in Lists and Grids
You can select the columns that you want visible in the Grid view. Project managers can create custom columns
in the Custom Fields tab on the Home page.
See Configuring Custom Fields on page 213.
For additional information on using columns, see Using Columns in the Item List Panel in the Reviewer Guide.
To manage columns
1. In the grid, click Columns.
2. In the Manage Columns dialog, there are two lists:
-Available Columns
Lists all of the Columns that are available to display. They are listed in alphabetical order.
If the column is configured to be in the Visible Columns, it has a .
If the column is not configured to be in the Visible Columns, it has a .
If the column is a non-changeable column (for example, the Action column in the Project List), it has
a .
-Visible Columns
Lists all of the Columns that are displayed. They are listed in the order in which they appear.
Getting Started Using Elements of the Web Console | 35
Manage Columns Dialog
3. To configure columns to be visible, in the Available Columns list, click the for the column you want
visible.
4. To configure columns to not be visible, in the Visible Columns list, click the for the column you want
not visible.
5. To change the display order of the columns, in the Visible Columns list, select a column name and click
or to change the position.
6. Click OK.
Managing the Grid’s Pages
When a list or grid has many items, you can configure how many items are displayed at one time on a page. This
is helpful for customizing your view based on your display size and resolution and whether or not you want to
scroll in a list.
To configure page size
1. Below a list, click the Page Size drop-down menu.
2. Select the number of items to display in one page.
3. Use the arrows by Page n of n to view the different pages.
Getting Started Using Elements of the Web Console | 36
Filtering Content in Lists and Grids
When a list or grid has many items, you can use a filter to display a portion of the list. Depending on the data you
are viewing, you have different properties that you can filter for.
For example, when looking at the Activity Log, there could be hundreds of items. You may want to view only the
items that pertain to a certain user. You can create a filter that will only display items that include references to
the user.
For example, you could create the following filter:
Activity contains BSmith
This would include activities that pertain to the BSmith user account, such as when the account was created and
permissions for that user were configured.
You could add a second filter:
Activity contains BSmith
OR Username = BSmith
This would include the activities performed by BSmith, such as each time she logged in or created a project.
In this example, because an OR was used instead of an AND, both sets of results are displayed.
You can add as many filters as needed to see the results that you need.
To use filters
1. Above the list, click Filter Options.
This opens the filter tool.
Filter Options
2. Use the Property drop-down to select a property on which to filter.
This list will depend on the page that you are on and the data that you are viewing.
3. Use the Operator drop-down to select an operator to use.
See Filter Operators on page 37.
4. Use the Value field to enter the value on which you want to filter.
See Filter Value Options on page 38.
5. Click Apply.
The results of the filter are displayed.
Once a filter had been applied, the text Filter Enabled is displayed in the upper-right corner of the panel.
This is to remind you that a filter is applied and is affecting the list of items.
6. To further refine the results, you can add additional filters by clicking Add.
7. When adding additional filters, be careful to properly select And/Or.
If you select And, all filters must be true to display a result. If you select OR, all of the results for each
filter will be displayed.
Getting Started Using Elements of the Web Console | 37
8. After configuring your filters, click Apply.
9. To remove a single filter, click Delete.
10. To remove all filters, click Disable or Clear All.
11. To hide the filter tool, click Filter Options.
Filter Operators
The following table lists the possible operators that can be found in the filter options. The operators available
depend upon what property is selected.
Filter Operators
Operator Description
= Searches for a value that equals the property selected. This operator is available
for almost all value filtering and is the default value.
!= Searches for a value that does not equal the property selected. his operator is
available for almost all value filtering.
> Searches for a value that is greater than the property selected. This operator is
available for numerical value filtering.
<Searches for a value that is less than the property selected. This operator is
available for numerical value filtering.
>= Searches for a value that is greater than and/or equal to the property selected.
This operator is available for numerical value filtering.
<= Searches for a value that is less than and/or equal to the property selected. This
operator is available for numerical value filtering.
Contains Searches for a text string that contains the value that you have entered in the
value field. This operator is available for text string filtering.
StartsWith Searches for a text string that starts with the value that you have entered in the
value field. This operator is available for text string filtering.
EndsWith Searches for a text string that ends with a value that you have entered in the
value field. This operator is available for text string filtering.
Getting Started Using Elements of the Web Console | 38
Filter Value Options
The following table lists the possible value options that can be found in the filter options. The value options
available depend upon what property is selected.
Filter Value Options
Value Option Description
Blank field This value allows you to enter a specific item that you can search for. The
Description property is an example of a property where the value is a blank field.
Date value This value allows you to enter a specific date that you can search for. You can
enter the date in a m/d/yy format or you can pick a date from a calendar. The
Creation Date property is an example of a property where the value is entered as
a date value.
Pulldown This value allows you to select from a pulldown list of specific values. The
pulldown choices are dependent upon the property selected. The Priority
property with the choices High, Low, Normal, Urgent is an example of a property
where the value is chosen from a pulldown.
Reviewing Project Data | 39
Part 2
Reviewing Project Data
This part describes how to review project data and includes the following sections:
-Introduction to Project Review (page 40)
-Project Review Page (page 46)
-Customizing the Project Review Layout (page 50)
-Viewing Data (page 55)
-Deleting Documents (page 95)
Introduction to Project Review About Project Review | 40
Chapter 3
Introduction to Project Review
This guide is designed to aid reviewers in performing tasks in Project Review.
About Project Review
In Project Review, you can review documents, electronic data, and transcripts in a web-based console. You can
cull and filter the data in a particular project and search for specific terms. The collected evidence can then be
processed, reviewed, and exported.
The resulting production set can then be exported into an AD1 format, or into a variety of load file formats such
as Concordance, Summation, EDRM, Introspect, and iConect. You can also export native files.
Workflow for Reviewing Projects
Although there is no formal order in which you process evidence, you can use the following basic workflow as a
guide.
Basic Workflow
Step Task Link to the tasks
1 After you process a collection, you
open the resulting project in Project
Review
See Introducing the Project Review Page on page 46.
2View Data See Viewing Data in Panels on page 55.
3 Search Documents See Searching Data on page 97.
4Culling Documents See Using Filters to Cull Data on page 128.
5 Imaging Documents See Imaging Documents on page 190.
6Coding Documents See Coding Documents on page 220.
7 Annotating Documents See Annotating and Unitizing Evidence on page 235.
Introduction to Project Review About Date and Time Information | 41
About Date and Time Information
When viewing data in Review, most items have dates and times associated with them. For example, you can
see the following:
-File created, accessed, and modified dates and times.
-Email sent and received dates and times.
How dates and times are displayed can be configured.
About How Time Zones Are Set
The dates and times associated with data files in a project are stored, by default, in Coordinated Universal Time
(UTC), also known as Greenwich Mean Time (GMT). The Project Manager can configure a Display Time Zone
for the project. This will offset the times as needed and display them in the desired time zone. For example, a
project can be configured so that all times are displayed in Pacific Time Zone.
For more information, see the Normalized Time Zones topic in the Creating a Project chapter in the Admin
Guide.
Configuring the Date Format Used in Review
Each user of the web console can configure which date format is used for displaying date fields in Review. For
example, some of the date formats that you can use include the following:
-M/d/yyyy (1/31/2014)
-dd.MM.yy (31.01.14)
-yyyy-MM-dd (2014-01-31)
This only applies to how the dates are displayed in the web console; it does not affect how the dates are stored
in the database.
The date format that is displayed is controlled by the Windows region date format that is configured on one or
both of the following:
-The Windows computer (server) that is running the eDiscovery or Summation application.
-The Windows client computer (the computer that is accessing the web console through a browser)
However, some date fields behave differently and must be configured differently.
8Work with Transcripts See Viewing Transcripts on page 181.
See Annotating Transcripts on page 181.
See Viewing Exhibits on page 189.
See Searching in Transcripts on page 184.
9 Deleting Documents See Deleting Documents on page 95.
Basic Workflow
Step Task Link to the tasks
Introduction to Project Review About Date and Time Information | 42
Configuring the Date Format for File and Email Date Fields
The following dates are stored in the database and are displayed as standard dates:
-Review
File: CreatedDate, AccessedDate, LastModifiedDate, and LastUpdated
Email: SentDate and RecieivedDate
Event: EventDate
-Home page:
Project creation
Evidence processing
Job events
Each user can configure their computer's Windows date format to what they want to use. For example, one
person can use M/d/yyyy while another person uses yyyy-MM-dd.
To configure a date format, a user selects the Short date format using the Windows Control Panel > Region and
Language setting.
Note: A console user can select any available Short date format, however, the Language (Country) format on
the client computer must match the Language (Country) format selected on the Windows computer
(server) that is running Summation. Otherwise, you will get a default date format based on the server’s
settings.
For example, if the server is set to English (New Zealand) and the client is also set to English (New
Introduction to Project Review About Date and Time Information | 43
Zealand), the client can display any of the New Zealand Short date formats. However, if the server is set
to English (New Zealand) and the client is set to English (United States), the client will display the default
New Zealand format.
To configure the Windows date format
1. On the client computer that is accessing the web console, open the Control Panel > Region and
Language.
2. Select the language/country Format and Short date format that you want to use.
3. Click OK.
Configuring the Date Format for DocDate and NoteDate fields
When you enter a DocDate or a NoteDate, it is not entered into the database as a standard date value, but
rather as a text string that is masked as a date. Because of this, these two fields will not be affected by the date
format setting on the client computer. Instead, it is controlled by the date format setting on the Windows server
that is running the eDiscovery or Summation application.
Note: If you are using multiple Windows servers, the server running the AccessData Business Services
Common service determines the date format.
When entering a DocDate or a NoteDate, it will only accept a date format that is set on the application server.
DocDate and NoteDate Format Limitations
-The DocDate and NoteDate fields do not support a year-first date format, such as yyyy/MM/dd. If this
format is selected, these two date fields will display the year at the end, for example, MM/dd/yyyy.
-Slashes are always used as separators instead of dashes or dots (MM/dd/yyyy).
Changing the Date Format on the Application Server
If you want to change the date format on the application server (the computer running the eDiscovery or
Summation application), there are a few steps that you must follow in order to have the new date recognized
properly.
To configure the Windows date format
1. On the Windows computer running the application, you must log in using the Windows Administrator
account that is the “service user”.
2. Open the Control Panel > Region and Language.
3. Select the language format and date format that you want to use.
4. Click OK.
After changing the date format in Windows, you must perform a few manual steps to reset the date format in the
application.
Important:
The following process will temporarily disable the web server making the web console unavailable to
users. Make sure no one is working in the console before proceeding.
Introduction to Project Review About Date and Time Information | 44
To reset the date format in the application
1. Restart an application service by doing the following:
1a. On the Windows computer running the application, click Start > Run.
1b. Enter services.msc.
1c. Click OK.
1d. From the list of services, select AccessData Business Services Common.
1e. Click Restart Service.
1f. After the service has been restarted, close the Services management console.
2. Stop the IIS web server so that you can delete cached settings by doing the following:
2a. On the Windows computer running the application, click Start > Run.
2b. Enter cmd.
2c. Click OK.
2d. In the command prompt window, type iisreset /stop and press ENTER; type Y and then press
ENTER.
The web server is stopped.
2e. Leave this CMD prompt window open so you can re-start IIS later.
3. Delete cached application settings by doing the following:
3a. On the Windows computer running the application, browse to the following folder:
\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files.
3b. While the IIS web server is stopped, delete the adg.map.web folder.
4. Re-start the IIS web server by doing the following:
4a. In the command prompt window, type iisreset /start and press ENTER.
4b. After IIS has successfully started, close the CMD prompt window.
5. Close and re-launch the browser running the web console.
Introduction to Project Review About Date and Time Information | 45
Configuring the Date Format Used in Production Sets and Export Sets
In this version, dates that are in Production Sets and Export Sets do not follow the Windows Regional settings.
Instead, they default to the United States default format.
In order to change the date format in Production Sets and Export Sets, you must change a setting in a
configuration file by doing the following:
1. On the computer running the Summation application, open the folder where the WorkManager service
is installed.
The default location is C:\Program Files\AccessData\eDiscovery\Work Manager.
2. Edit the Infrastructure.WorkExecutionServices.Host.exe.config file.
3. Replace the following keys in the Config section:
-DefaultLoadFileDateFormat
-DefaultLoadFileTimeFormat
-DefaultLoadFileDateTimeFormat
For example, to have dates in the dd-MM-yyyy format, replace the values as follows:
<add key="DefaultLoadFileDateFormat" value="dd-MM-yyyy" />
<add key="DefaultLoadFileTimeFormat" value="" />
<add key="DefaultLoadFileDateTimeFormat" value="dd-MM-yyyy h:mm:ss" />
4. Save the config file.
5. Restart the WorkManager service.
Project Review Page Introducing the Project Review Page | 46
Chapter 4
Project Review Page
Introducing the Project Review Page
You can use the Project Review page to search, analyze, filter, code, annotate, and label evidence for a selected
project. You have access to Project Review for the projects that you have created or that you are associated
with. You can access Project Review by clicking the magnifying glass button next to the project in the Project List
panel.
To access the Project Review page
From the project list on the Home page, click next to the desired project.
See The Project List Panel on page 28.
Project Review Page
Project Review Page Introducing the Project Review Page | 47
At the top of the Project Review page is a project bar and below that are multiple panels that are customizable.
Project Bar
The project bar is at the top of the Project Review page.
Elements of the Project Bar
Element Description
Current Project The name of the current project.
Return to Project Management Click this button to return to the Home page.
Current Item ID Displays the DocID, ObjectID, or Transcript name for the item selected
in the Item List grid. You can download the current document if the Item
ID is underlined. Click the number. When the Do you want to open or
save <document> bar appears at the bottom of the menu, either click
Open or Save and save the file.
Next and Previous Buttons Click previous page or previous document button to move around in the
Item List panel.
Click next page or next document to move around in the Item List panel.
Layout Button
Expand to manipulate panels in the Project Review. Panels can be
hidden, shown, dragged, and/or docked to customize the Project
Review page for your workflow.
See Customizing the Project Review Layout on page 50.
User Name Displays the name of the currently logged in user and allows you to log
out if desired.
Project Review Page Introducing the Project Review Page | 48
Review Page Panels
The Project Review page is made up of many panels. You select which panels are visible or hidden. The panels
that you can use may depend on the license that you own and the permissions that you have.
You can select which panels to display by doing either of the following:
-Manually selecting panels.
- Using the Layout tool. You can choose pre-defined layouts that display certain panels or you can
customize a layout.
See Customizing the Project Review Layout on page 50.
To manually select panels
1. Open a project in Review.
2. Click the Layouts drop-down.
3. Click Panels.
4. Select the panels that you want to display.
The following table briefly describes each panel that is available.
Panels in the Project Review
Panel Description
Activity Lists the history of actions performed on the selected document.
See The Activity Panel on page 83.
Case Organizer
Details Lets you view and edit the details of Case Organizer objects.
See Using the Case Organizer on page 204.
Coding Use to select and edit coding layouts.
See The Coding Panel on page 226.
Confidence Displays Predictive Coding confidence scores.
See Predictive Coding on page 230.
Conversation Displays email conversation threads.
See The Conversation Panel on page 86.
Detail Information The Detail Information contains tabs that allow you to view information about the
selected record.
See Using the KFF Details and Detail Information Panels on page 82.
Exhibits Displays exhibits for the selected transcript.
See The Exhibits Panel on page 189.
Family Lists the family relationships for email documents.
See The Family Panel on page 88.
Image Displays the selected document as an image. You can perform annotations, redactions,
and make notes in this view.
See Using the Image Panel on page 80.
Project Review Page Introducing the Project Review Page | 49
Item List Lists the filtered evidence for the selected project. This panel also includes the search
bar.
See Using the Item List Panel on page 57.
Labels Lists available labels in the project to apply to evidence. Also displays the selected label
for the document currently being viewed.
See About the Labels Panel on page 200.
Linked Two types of documents are displayed in this view:
-Documents manually linked to other documents of the same project
-Documents linked to other documents during import
See The Linked Panel on page 90.
Natural This viewer displays a file’s contents as it would appear normally without having to use
the native application.
The first time you use this view, you will need to follow the prompts to install the viewer
application.
See Using the Natural Panel on page 76.
Notes Use to display the notes for the currently selected document.
See The Notes and Transcript Notes Panels on page 86.
Production Displays the history of production for the selected document.
See The Production Panel on page 85.
Project Explorer Lets you cull and configure project data.
Contains the following tabs: Facets, Explorer, Tags, Searches, and Review Sets.
See Using the Project Explorer Panel on page 72.
Review Batches Displays review batches. You can check in and check out batches from this panel.
See The Review Batches Panel on page 221.
Search Excerpts Lets you generate and view a list of search excerpts.
See Using the Search Excerpt Report on page 112.
Similar Use to see the similarity between documents within the same cluster.
See The Related Panel on page 84.
Text The Text view displays the file’s content as text.
You can configure the text view so that sentences wrap if they are longer than the
panel’s width.
You can also limit how much text is displayed by setting the Page Depth in characters.
See Using the Text Panel on page 81.
Transcript Displays transcripts for the project.
See The Transcript Panel on page 180.
Unitization Lets you unitize documents which lets you merge multiple documents together, split
single documents into multiple documents, and rearrange page order.
See Unitizing Documents on page 246.
Panels in the Project Review (Continued)
Panel Description
Customizing the Project Review Layout Working with Panels | 50
Chapter 5
Customizing the Project Review Layout
You can customize the Project Review panels for your workflow. Layouts are specific to the logged-in user.
You can save custom layouts for future use.
See Managing Saved Custom Layouts on page 54.
You can customize the layout by doing the following:
-Hiding and Showing Panels (page 50)
-Collapsing and Showing Panels (page 51)
-Moving Panels (page 51)
-Resetting Layouts (page 53)
-Saving Layouts (page 53)
-Managing Saved Custom Layouts (page 54)
Working with Panels
All data in Review is shown in various panels.
See Review Page Panels on page 48.
You can show or hide panels.
Hiding and Showing Panels
You can hide and show panels to fit your needs.
To hide a panel
To hide a panel, do one of the following:
-Click the close button (x) on the panel.
-Click Layout > Panes and uncheck the panel you want to hide.
To show a panel
Click Layout > Panes and check the panel from the list.
Customizing the Project Review Layout Working with Panels | 51
Collapsing and Showing Panels
You can collapse a panel so that it is still open, but not shown unless you hover your mouse over it. This is useful
for panels that you want to view less frequently.
To collapse a panel
1. In top-right corner of the panel, click .
The panel is collapsed and the name of the panel is displayed in a box on the left side.
If the panel was in the top half of the page, the collapsed panel name is displayed in the top-left corner.
If the panel was in the bottom half of the page, it will be displayed in the bottom-left corner.
Collapsed Panels
2. To view a collapsed panel, mouse over the panel name and the panel will be shown until you move the
mouse away from the panel.
3. To un-collapse a panel, view the panel, and in the top-right corner of the panel, click .
Moving Panels
You can move panels to different locations on the Project Review page. When you move a panel, you can
position it in one of the following ways:
To move Project Review panels
1. Click and drag the panel that you want to move.
Docking guides appear on the page.
Project Review Page with Docking Guides
Customizing the Project Review Layout Working with Panels | 52
2. Place the panel by doing one of the following:
-Floating: Leave the panel floating on top of the page.
-Docking to a location on the page: Dock the panel by dragging the panel to one of the docking
guide arrows and releasing the mouse button.
There are four page docking guides on the outside of the page.
-Docking as a tab on another panel: Drag the panel on top of another panel and onto the center of
the docking cluster and release the mouse button.
There is a cluster of four page docking guides on the panel.
Moving Panels to a New Window
You can move the Natural, Image, Text, and Transcript panels to a new window from the Project Review page.
To move panels to a new window
In the Project Review, expand the Layouts drop-down and select Move Viewers to New Window.
The Natural, Image, and Text panels open in one window with tabs at the bottom so that you can toggle
between views.
If you have other panels docked to the Natural panel frame and choose to Move Viewers to New
Window, all other panels will be hidden.
You can open a separate transcript window by choosing the mass action option View Transcripts.
You can get your panels back into the main window by choosing the Reset Panels option.
Customizing the Project Review Layout Working with Layouts | 53
Working with Layouts
Selecting a Layout
You can use default layouts and custom layouts that you have saved in Project Review. The following are the
available default layouts:
-Culling Layout: Designed to aid reviewers in culling documents by giving more screen area to the viewer
panel and Item List grid, but collapsing the Project Explorer panel so you can concentrate on the
documents you are reviewing.
-Review Layout: Designed to aid reviewers in coding documents by providing the viewer panel, coding,
and label panels along with the relationship panels: Family, Similar, Conversation, Linked, and so on.
-Search Layout: Designed to aid reviewers in searching documents by docking the Project Explorer panel
which contains the facets tab. This is the default layout that appears for first time users.
-Transcript Layout: Designed to aid reviewers in working with transcripts by providing all of the panels
related to a transcript such as the transcript viewer with the Notes, Exhibits, Linked, and Item List panels
-CIRT Layout: Designed to aid reviewers in working with KFF jobs. This layout is similar to the Search
Layout except that it also includes the Detail Information tab which lets you see more information on jobs
that include Cerberus, Threat Analysis, and KFF.
To select a layout
1. Open a project in Review.
2. Click the Layouts drop-down.
3. Click Layouts.
4. Select the layout that you want to use.
Default layouts appear above the line and custom layouts appear below the line.
Resetting Layouts
If you have hidden, collapsed, or moved panels, you can return to the original layout.
To reset a layout
Select Layout > Reset Layout.
If you have modified a custom layout, it will reset to the last saved state.
Saving Layouts
If you have customized the default layout, you can save it as a custom layout. You can save multiple layouts.
To create a second custom layout, you must first return to a default layout, modify it, and then save it. If you
make changes to a custom layout, and save it, it will save it as an update.
To save a layout
1. Customize the layout.
2. Click Layout > Save Layout.
Customizing the Project Review Layout Working with Layouts | 54
Manage Layouts Dialog
3. Enter the name of the layout and click Save.
Managing Saved Custom Layouts
You can rename and delete custom layouts that you have saved. You cannot delete the currently selected layout
using the Manage Layouts dialog.
To manage a saved custom layout
1. Select Layout > Manage Layouts.
Manage Layouts Dialog
2. To rename a layout, select the layout, and enter a new name.
3. To delete a layout, click the X next to the layout, and click OK.
4. Click Save.
Viewing Data Viewing Data in Panels | 55
Chapter 6
Viewing Data
Viewing Data in Panels
Using Project Review, you can select and examine your data in multiple ways. You can use various panels to
examine the data.
You use the Panels List to select which panels to display. The panels that you can use may depend on the
license that you own and the permissions that you have.
See Review Page Panels on page 48.
Note: Actions completed in a specific panel may affect search results in that panel. Always execute a previous
search in a panel if you have changed the scope of what you are examining in the panel. For example, if
you change the page depth of a document in the Text panel, you should execute any previous searches in
that panel after changing the page depth.
This chapter describes how to use the following panels to view data in Project Review:
Data Viewing Panels
Panel Category Panel Descriptions
Project Data Panels Lets you view and manage the data in your project.
Item List Provides a list of evidence items in your project. This list may
be filtered.
See Viewing Documents in the Item List Panel on page 58.
Project Explorer Lets you cull and configure project data.
Contains six tabs: Facets, Explorer, Tags, Searches, and
Review Sets.
See Using the Project Explorer Panel on page 72.
File Data Panels Lets you view the data about the selected document.
Document Viewing
Panels Lets you view document data.
See Using Document Viewing Panels on page 76.
-See Using the Natural Panel on page 76.
-See Using the Image Panel on page 80.
-See Using the Text Panel on page 81.
-See Using the KFF Details and Detail Information Panels
on page 82.
Viewing Data Viewing Data in Panels | 56
Note: The language identification feature only works in the following categories: documents, spreadsheets, and
email.
Activity Lists the history of actions performed on the selected
document.
See The Activity Panel on page 83.
Conversation Displays email conversation threads.
See The Conversation Panel on page 86.
Family Lists the family relationships for email documents.
See The Family Panel on page 88.
Linked Two types of documents are displayed in this view:
-Documents manually linked to other documents of the
same project
-Documents linked to other documents during import
See The Linked Panel on page 90.
Production Displays the history of the production for the selected item.
See The Production Panel on page 85.
Related Displays the similarity between documents within the same
cluster.
See The Related Panel on page 84.
Transcript Notes Use to add notes to transcripts.
See The Notes and Transcript Notes Panels on page 86.
Data Viewing Panels
Panel Category Panel Descriptions
Viewing Data Using the Item List Panel | 57
Using the Item List Panel
The Item List panel lists the filtered evidence for the selected project. This panel also includes the search bar
and the ability to perform mass actions.
Item List Panel
Elements of the Item List Panel
Element Description
Options Click to use the following options in the Item Grid:
-Cache: See Caching Filter Data on page 142.
-Columns: See Selecting Visible Columns on page 61.
-Quick Columns: See Using Quick Columns on page 62.
-Quick Filters: See Using Quick Filters on page 62.
-Visualization: See Using Visualization on page 146.
-Keep Family Together: See Using Keep Family Together on page 63.
Search field Enter search terms to perform a quick search of documents in your project. Results
appear in the Item Grid.
See Running Searches on page 100.
Go button Click to execute your quick search.
Viewing Data Using the Item List Panel | 58
Viewing Documents in the Item List Panel
The Item List panel displays documents in the project.
By default, items are displayed using the Grid view. You can use different Views.
See Using Views on page 64.
To view documents in the Item List panel
1. From the project list on the Home page, click next to the desired project to enter Project Review.
2. By default, the Item List and Project Explorer panels are displayed.
3. Do the following to determine the items displayed in the Item List:
-In the Item List panel, use the Options to use columns, Quick Filters, and Visualization.
See Elements of the Item List Panel on page 57.
-In the Project Explorer panel, use the Facets, Explore, Tags, or Review Sets tabs.
See Using the Project Explorer Panel on page 72.
Search Options Select to perform search options.
See Using Search Options on page 102.
Views The following views are available: See Using Views on page 64.
-Grid View: See Using the Grid View on page 64.
-Conversation View: See Using Conversation View on page 65.
-Thumbnail View: See Using the Thumbnail View on page 65.
-Not Cached: See Caching Filter Data on page 142.
-Summary View: See Using the Summary View on page 66.
-Timeline View: See Using the Timeline View on page 67.
The Summary and Timeline Views are now hidden by default. You can have them
displayed by changing settings in the MAP\Web.Config file:
“ShowSummaryView” value=“false” Change to “true” to display
“ShowTimelineView” value=“false” Change to “true” to display
(change to “true” to display)
Actions Select the mass action that you want to perform on the documents in the Item List.
See Performing Actions from the Item List on page 69.
Actions Go Button
(bottom of panel) Click to execute the selected mass action.
Page Size Select the number of documents you want visible in the Item List.
Page Lists the page you are on and the number of pages. Click the next arrow to see the next
page.
(Refresh) Click the refresh button to update the Item List.
Elements of the Item List Panel (Continued)
Element Description
Viewing Data Using the Item List Panel | 59
Using Item List Options
Using Columns in the Item List Panel
About Columns
You use columns to display specific data properties about evidence items.
You can sort, filter, customize, and reposition the columns of information in the Item List panel in Grid.
See About Content in Lists and Grids on page 33.
There are many pre-configured fields that you can display as columns.
Project managers can also create custom columns in the Custom Fields tab on the Home page.
See Configuring Custom Fields in the Admin Guide.
About Pre-existing Fields
There are many pre-existing fields that are available to use for columns. You can select to display any of the pre-
existing fields as columns.
See Selecting Visible Columns on page 61.
New fields are added regularly. For a list of many of the available fields for Summation, download:
https://ad-zip.s3.amazonaws.com/Summation%205.2.2%20Field%20List.xlsx
Some fields provide basic information. For example, the following general columns are displayed by default:
-DocID - Documents are given a DocID when data is added to a document group. Documents are added
to a document group either when data is imported to a project or when document groups are created
manually by a project manager. A document may not be assigned more than one DocID number.
-ObjectID - All items added to the project are given an ObjectID.
-ObjectName
-[File] Extension
-[File] Path
-[Email] From
-[Email] Subject
-[Email] To
-[Email] ReceivedDate
-LogicalSize
-AccessedDate
Some columns provide information about the file. For example:
-ActualFile
-Archive
-ArchiveType
-Attachment
Viewing Data Using the Item List Panel | 60
-BadExtension
-Decrypted
-EmailDirectAttachCount - Shows the direct email attachments to an email. It does not display children
attachments of the direct attachments.
-EMailMessage
-Encrypted
-FromEmail
-FromMSOffice
-GraphicFile
-HasTrackChanges (for Office files)
-ObjectType and ObjectSubType (see Object Types page 144)
-Person
-System
Some columns provide specific data about certain file types. For example:
-EXIF geolocation data (See Using Geolocation Columns in the Item List on page 169.)
-OLESubItem
-PSTFilePath and PSTStoreID
-Microsoft Office document metadata:
HasTrackChanges lets you to sort and filter the following documents that have Track Changes
enabled:
Word documents (This currently only applies to DOCX document formats)
Excel documents (.XSLX and .XLS documents)
HasEmbeddedComments (PPT files)
HasHiddenColumnsRows (Excel files)
HasHiddenWorkSheets (Excel files)
From file Origin properties:
LastSavedBy
RevisionNumber
CreateTime (Content created)
LastSavedTime (Date last saved)
LastPrinted
TotalEditingTime (Word and PPT)
 Adobe files metadata:
DateCreatedMetadata
DateModifiedMetadata
Some columns provide data that is obtained through processing. For example:
-OcrScore
This column provides the OCR confidence % score for each file that has been processed with OCR. This
column is sortable which helps you determine which files may need to be manually reviewed for
keywords.
Some columns display data related to certain product functions. For example:
Viewing Data Using the Item List Panel | 61
-BatesNumber
-Hash values
-ProductionDocID
-KFF
Some columns are virtual columns that do not support search, column level filtering, tagging layout fields, or
production/export fields. However, you can export them to CSV. For example:
-ImagePageCount - This column shows the total number of pages in produced images. This column is
also populated if you bulk image or import images.
Selecting Visible Columns
You can select the columns that you want visible in the Grid view.
You can also select Quick Columns to use pre-define column templates.
Only the columns and fields related to the features of your licensed product are displayed. For example, columns
related to eDiscovery product features, are not shown in Summation.
See Using Quick Columns on page 62.
To select visible columns
1. In the Item List panel in Grid view, click the Columns button and select Select
Columns.
Select Columns Dialog
2. Click the right arrow to add columns to the Grid and the left arrow to remove them from the Grid.
3. Organize the order of the columns by clicking the up and down arrows.
Viewing Data Using the Item List Panel | 62
Columns Tips
-The FilePath column has been changed to display the heading Path in the Item List. This allows the
column to display any path information, not just file paths. Searches for this value should be created by
specifying Path instead of FilePath.
Using Quick Columns
You can use Quick Columns to quickly display columns related to certain types of data. This allows you to make
relevant columns visible without having to manually select them.
The following standard pre-configured Quick Columns are available to choose from.
-Case Organizer - See Using the Case Organizer Columns on page 218.
-Document
-eDocs
-eMail
-KFF
-Notes
-Scanned Paper
-Transcripts
Depending on the license that you own, you may have more. For security related products, see the Viewing
Security Data chapter of the Admin Guide.
To apply Quick Columns
1. For a project, enter Review.
2. Click Options > Quick Columns.
3. Select the Quick Columns that you want to use.
The selected Quick Column will be designated with a check.
4. To remove a Quick Column, select it again and the check will be cleared.
Using Quick Filters
The Item List panel includes Quick Filters that you can use to quickly refine the list of evidence.
You can quickly hide or show the following types of data.
Quick Filters
Filter Description
Hide/Show Duplicates By default, the Hide Duplicates Quick Filter is set and duplicate files are hidden.
To view duplicate files, change to Show Duplicates.
Hide/Show eDiscovery
Refinement By default, the Hide eDiscovery Refinement Quick Filter is set.
Enabling this shows extra files that may not be important. For example, this
includes embedded files, such as XML, RELS, and graphics that are embedded
in office documents.
Hide/Show Folders By default, the Hide Folders Quick Filter is set and folder items are hidden. To
view folder items, change to Show Folders..
Viewing Data Using the Item List Panel | 63
Depending on the license that you own, you may have more. For security related products, see the Viewing
Security Data chapter of the Admin Guide.
Using Keep Family Together
An object in the item list may have children items that have a much different Object ID, therefore, they may not
appear together in the Item List. For example, in the Family panel, you may see an object with ObjectID 45 that
has two children with Object IDs 546 and 547.
In the Item List Options, you can turn on the Keep Family Together option and the following will occur:
-In the Item List, the children objects appear under the parent object.
-A new column, HeadOfFamilyID is displayed.
For children objects, the ObjectID of the head of family item will be displayed. The Item List will also be
sorted by this column.
-While the Keep Family Together option is on, you can only sort by the HeadOfFamilyID column.
-If you need to sort by another column, uncheck the Keep Family Together option.
About the Amount of Data Displayed in Fields
By default, the number of characters that display for a field in the Item List and Coding Panel is limited to 512
characters. Additional characters are truncated.
For the Item List only, you can modify the number of characters displayed in custom text or text-based fields
before they are truncated. You can set the value using the “FieldTruncationSize” value in the web.config file. You
can set a limit value or turn off the limit by using a value of 0. This only applies to the Item List. The Coding Panel
maintains the 512 character limit.
If fields contain large amounts of data, you may need to remove the column from grid or you can reduce the
page size to a smaller size such as 100, 50 or 20 records.
Hide/Show Ignorables By default, the Hide Ignorable Quick Filter is set and KFF Ignorable files are
hidden. To view Ignorable files, change to Show Ignorables.
See About KFF on page 312.
Quick Filters
Filter Description
Viewing Data Using the Item List Panel | 64
Using Views
You can use different pre-configured views to help you review data.
-Grid View: See Using the Grid View on page 64.
-Summary View: See Using the Summary View on page 66.
-Timeline View: See Using the Timeline View on page 67.
-Conversation View: See Using Conversation View on page 65.
-Thumbnail View: See Using the Thumbnail View on page 65.
-Not Cached
Whenever you change views, the File List is refreshed.
You can perform actions on the documents in the Item Grid.
See Performing Actions from the Item List on page 69.
Using the Grid View
The default view in the Item List panel is the grid view. Grid view is a grid that displays each document.
Grid View
Viewing Data Using the Item List Panel | 65
Using Conversation View
Conversation view displays all the conversation threads for emails.
To access the conversation view
In the Item List panel, click the Conversation View button .
Conversation View
Using the Thumbnail View
You use the Thumbnails View to see rows of thumbnail images of the graphic files or video files in your project.
See Viewing Graphics and Videos on page 94.
If your project has graphics, such as JPEG, GIF, or PNG, thumbnails of those files are automatically created
during processing.
Note: Image thumbnails are generated only when choosing the processing option: Generate Image
Thumbnails.
To view thumbnails for video files, you must first enable the Generate (Video) Thumbnails processing option
when you create a project. You can use the Thumbnail View to rapidly scan through the visual contents in a
video file, without having to launch and watch the entire video.
See Evidence Processing and Deduplication Options on page 166.
To access the Thumbnail view
In the Item List panel, click the Thumbnail View button .
When you click a thumbnail, the item is displayed in the Natural panel.
You can use the slider to change the size of the displayed thumbnail.
Viewing Data Using the Item List Panel | 66
Using the Summary View
The Summary view displays a detail of the documents.
To access Summary view
In the Item List panel, click the Summary View button .
Summary View
Viewing Data Using the Item List Panel | 67
Using the Timeline View
This view lets you view file actions and the date and time that those actions took place. You can view the
following file action information:
-File (Created, Last Modified, Last Accessed)
-Registry (Modified)
-Event Log (Event Created)
-Email (Sent and Received)
-Process (Start time)
-Queried events (see the Admin Guide)
Each action is listed on it own row in the list.
Note: You can configure the format that dates are displayed in. SeeConfiguring the Date Format Used in
Review page 41
The Timeline View is an extension of the default Grid View with special event columns data added.
The following columns are added:
-EventType - Displays the type of action (created, last accessed, and last modified)
-EventDate - Displays the date and time of the file action.
-EventData - Displays data about the item that evoked the timeline event. For example:
If the event was file-related, the name of the file is displayed.
If the event was process-related, the name of the process is displayed.
If the event was web-related, the name of the URL is displayed.
If the event was email-related, the email subject is displayed.
If the event is from an EVTX file, the event data xml is displayed.
When you open the Timeline View, any other columns that you had configured for the Grid View are maintained.
Note: The ActionDate and ActionType columns are only available in the Timeline View.
If you perform a search or filter in the Grid View, and then change to the Timeline View, only the results of the
search or filter are in the list.
Viewing Data Using the Item List Panel | 68
A difference between the normal Grid View and the Timeline View is that the Timeline View displays multiple
rows for the same item (ObjectID). Each row will have a different action type but have the same Object ID.
Depending on your data and how your list is sorted, rows for the same file may be on different pages. When you
check an item to perform an action on it, all rows related to ObjectID file are also checked.
From the Timeline View, you can do the following:
-Sort on one or more columns including the ActionDate and ActionType columns.
-Use filters on any column.
-Add columns to the view. (Any added columns persist when returning to the Grid View.)
-Perform mass actions on items in the list.
See Performing Actions from the Item List on page 69.
-Export the list to CSV.
You will get a separate row in the CSV for every Action Type.
See Exporting a List to CSV on page 70.
-You can view, filter, and sort events related to modifying registry keys
-You can view, filter, and sort log2timeline events that come from Add Evidence and Collection jobs.
To access the Timeline view
In the Item List panel, click the Timeline View button .
Viewing Data Using the Item List Panel | 69
Performing Actions from the Item List
You can perform mass actions on items in the list.
There are two drop-downs for performing actions.
-In the first Actions drop-down, you specify whether you want to perform an action on all of the objects in
the grid or only the checked objects.
-In the Action-type drop-down, you select the action that you want to perform.
Actions You Can Perform in the File List
Task Link
Add to KFF Adds the MD5Hash value of the selected item to a KFF hash set.
See Adding Hashes to Hash Sets Using Project Review on page 346.
Bulk Coding Allows you to apply issues, categories, and other field coding to the selected item.
(Default action)
See Coding Multiple Documents on page 228.
Create Report Allows you to create a report of the selected items.
See Creating Project Files Reports on page 216.
Delete Evidence Allows you to delete the selected items from the Project.
See Deleting Documents on page 95.
Export List to CSV Allows you to export the selected items to a CSV file.
See Exporting a List to CSV on page 70.
Global Replace Allows you to search and replace values in non-read only fields.
See Using Global Replace in the Searching documentation.
Using Global Replace page 109
Imaging Allows you to create an image for the selected item.
See Imaging Documents on page 190.
Label Assignment Allows you to assign or remove a label from the selected item.
See Applying and Removing Labels on page 198.
Local Bulk Print Allows you to send the selected item to a local printer.
See Local Bulk Printing on page 249.
Network Bulk Print Allows you to send the selected item to a network printer. Reviewers with the
Imaging permission can print multiple records.
See Bulk Printing on page 248.
OCR Documents Allows you to OCR the selected item.
See Using OCR on page 70.
Remove Document
Group Items Allows you to remove the document group association from the selected item.
See Deleting a Document Group in Project Review on page 233.
Remove from Case
Organizer Allows you to remove selected Case Organizer associations from the selected
item.
See Using the Case Organizer on page 204.
Viewing Data Using the Item List Panel | 70
Exporting a List to CSV
You can export the Item List to a CSV file. Any field that is available in the list can be exported to a CSV file.
Once exported, you download the exported CSV file from the Work List on the Home page.
To perform an Export to CSV action
1. Identify the files that you want to perform the action on by doing one of the following:
-In the first Action drop-down, click All.
-Check individual files, and then in the first Action drop-down, click Selected Objects.
2. In the second Action drop-down, click Export List to CSV.
3. Click Go.
To view the status of an Export to CSV job
1. Click Return to Project Management.
2. For the project, click Work Lists.
3. Under Job Type, view the ExportToCSV job.
To download the CSV file
1. On the Work List page, select the ExportToCSV job that you want to download the file for.
2. In the Filter Options pane, click Download.
3. Select to Open or Save the file.
4. If you save the file, go to your Downloads folder to access the file.
Using OCR
You can create a job to OCR documents if you did not select to have this done during processing.
About Optical Character Recognition (OCR)
Optical Character Recognition (OCR) is a feature that generates text from graphic files and then indexes the
content so the text can be searched, labeled, and so forth.
OCR currently supports English only.
Some limitations and variables of the OCR process include:
-OCR can have inconsistent results. OCR engines have error rates which means that it is possible to have
results that differ between processing jobs on the same machine with the same piece of evidence.
View Transcripts Allows you to open a transcript viewer for each selected transcript so that you can
view them side by side.
See Viewing Transcripts on page 181.
Actions You Can Perform in the File List
Task Link
Viewing Data Using the Item List Panel | 71
-OCR may incur longer processing times with some large images and, under some circumstances, not
generate any output for a given file.
-Graphical images that have no text or pictures with unaligned text can generate illegible output.
-OCR functions best on typewritten text that is cleanly scanned or similarly generated. All other picture
files can generate unreliable output.
-OCR is only a helpful tool for you to locate images with index searches, and you should not consider
OCR results as evidence without further review.
-Documents that have already been processed for OCR do not process again.
-Documents imported with the @O token cannot be processed for OCR. The Text tab displays filtered text.
OCR Options
-File Types
You can select which file types to OCR
-Filtering Options
You can select whether or not to OCR documents based on their file size and whether or not they are full
color documents.
-Multi-Language OCR
When you use the OCR action, there is a new option to select to OCR from one of 35 languages.
You can only select one language per file per job. You can re-run the job and select a different language.
-Re-OCR documents
When you use the OCR action, there is a new option to Re-OCR a document. For example, if a
document has two languages, you can OCR it in one language and then re-OCR it in the other language.
Performing an Optical Character Recognition (OCR) Action
To perform an OCR action
1. Identify the files that you want to perform the action on by doing one of the following:
-In the first Action drop-down, click All.
-Check individual files, and then in the first Action drop-down, click Selected Objects.
2. In the second Action drop-down, click OCR Documents.
3. Click Go.
About Viewing Optical Character Recognition (OCR) Jobs
After performing an OCR action you can view the the status of the OCR job.
To view the status of an OCR job
1. Click Return to Project Management.
2. For the project, click Work Lists.
3. Under Job Type, view the OCR Documents job.
Viewing Data Using the Project Explorer Panel | 72
Using the Project Explorer Panel
The Project Explorer provides tools to help you organize and cull your data.
The Project Explorer panel has the following tabs:
In the Project Exporer, you use the following icons:
Facets This is the default tab and lets you use facets to cull your data.
See Filtering Data in Case Review on page 128.
Explore This can be used to cull your data by specific sets or groups of documents.
See The Explore Tab on page 73.
Navigation
This lets you specify the scope of data viewable in the Item List panel by pivots such
as Jobs, Groups, People, Computers, Network Shares, or Mobile Devices.
(Not available in all products)
See The Navigation Tab on page 74.
Tags This lets you manage and view the different types of coding tags, Production Sets,
and Case Organizer objects.
See Using Tags and the Case Organizer on page 196.
Searches This lets you view searches that you have run and saved.
See Introduction to Searching Data on page 98.
Review Sets
This lets you manage and view Review Sets.
See Managing Review Sets on page 251.
Expand the items in the list.
Collapse the items in the list.
Reset the selections.
Viewing Data Using the Project Explorer Panel | 73
The Explore Tab
The Explore tab in the Project Explorer panel can be used to cull documents by the following items:
-Document Groups
-Exhibits
-Export Sets
-Notes
-Transcripts
Explore Tab
When you check an item in the document tree, then click the Apply icon, all documents in that category will be
included in your search query.
Note: If you check only the parent node, you will not get any documents included in the search. You must select
one or more of the child nodes (Document Groups, Transcripts, Notes, or Exhibits) in order to return
results.
Apply the selections to the Item List.
Important: You must reset each tab of the Project Explorer individually. For example, if you apply
a filter on the Explore tab, and then apply a filter on the Facets tab, you must go to each tab and
reset the selections to undo them.
Elements of the Document Tree
Element Description
Document Groups Check to include document groups in your search. Right-click to create document
groups.
Viewing Data Using the Project Explorer Panel | 74
The Navigation Tab
Use the navigation panel to specify the scope of evidence that you want to view in the Item List panel of the
Project Review. You can view evidence by specific sources of data such as Jobs, Groups, People, Computers,
Network Shares, or Mobile Devices.
Navigation Panel
Exhibits Check to include exhibits in your search.
See Working with Transcripts and Exhibits on page 176.
Exports Sets Check to include export sets in your search.
See About Creating Export Sets on page 290.
Notes Check to include notes in your search.
See The Notes and Transcript Notes Panels on page 86.
Transcripts Check to include transcripts in your search. Right-click to create transcript groups,
upload transcripts, update transcript, and upload exhibits.
See Working with Transcripts on page 176.
Elements of the Document Tree
Element Description
Viewing Data Using the Project Explorer Panel | 75
Elements of the Navigation Panel
Element Description
Navigation Tree
Button
Select this button to select the scope of evidence from among the following:
-Jobs
-Groups
-People
-Computers
-Shares
-Mobile
Jobs Button Click to select a scope of evidence from the jobs in the project.
Groups Button Click to select a scope of evidence from the groups in the project.
People Button Click to select a scope of evidence from the people in the project.
Computers Button Click to select a scope of evidence from the computers in the project.
Shares Button Click to select a scope of evidence from the network shares in the project.
Mobile Button Click to select a scope of evidence from the mobile devices in the project.
Apply Button Click to apply the scope that you selected. Results appear in the Item List panel.
Viewing Data Using Document Viewing Panels | 76
Using Document Viewing Panels
You can use various panels to view document data.
See Viewing Data in Panels on page 55.
You can use the following panels:
-See Using the Natural Panel on page 76.
-See Using the Image Panel on page 80.
-See Using the Text Panel on page 81.
-See Using the KFF Details and Detail Information Panels on page 82.
Using the Natural Panel
You can use the Natural Panel to view, annotate, and redact documents in your project.
The first time you use this, you will need to follow the prompts to install the viewer application. When Internet
Explorer displays a message that it has blocked a pop-up, select Always allow from the Options for this site
pull-down.
Viewing Data Using Document Viewing Panels | 77
To view documents in the Natural panel
1. In Project Review, select a file in the Item List panel.
2. Click the Natural tab.
If the Natural panel isn’t showing, select the panel from the Layouts drop-down.
Elements of the Natural Panel
Element Description
Standard Viewer Lets you view a AccessData-generated SWF version of the document that lets you
do the following:
-View the document as it appears in its native format
-Edit the document with annotation tools
See Using the Standard Viewer and the Alternate File Viewer on page 78.
See About Annotating Tools on page 238.
Alternate File Viewer Uses INSO viewer technology that lets you view the document as it appears in its
native format.
This format has some limitations on the data that can be displayed. In some cases
the Standard Viewer has greater functionality.
See Using the Standard Viewer and the Alternate File Viewer on page 78.
Annotate Native Click to annotate the native document. A new version of the document will be
created in SWF format. Check the progress of the image being created in the Work
List of the Home Page.
See Using the Standard Viewer and the Alternate File Viewer on page 78.
Create Image Click to create an image of the native document. An image of the document will be
created. Check the progress of the image being created in the Work List of the
Home Page.
Highlight Profile Select a predefined highlight profile to apply to the document.
Find Enter a word or phrase to find in the document. The term highlights in the panel. You
do not need to enter the whole word or phrase. You can begin to type the first few
letters of the word and the pane highlights the first word that matches the typed
letters. For example, typing “Glo” highlights the word “Global.”
To navigate from one highlight to the next, use the arrow keys.
Note: You cannot navigate highlighted terms displayed by a highlight profile.
Copy Selected
Text
Enter a word or phrase to find in the document.
Viewing Data Using Document Viewing Panels | 78
Using the Standard Viewer and the Alternate File Viewer
The Natural panel has two viewers that have different functionality:
-Standard Viewer
-Alternate File Viewer
Both of these viewers are designed to show documents as they would appear natively.
The most basic viewer is the Alternate File Viewer. This viewer uses the OutsideIn viewer technology to display
the content of a document as it would in its native application.
Note: The following file types do not display in the Alternate File Viewer: 3G2, 3GP, 7ZIP, AD1, AIF, ASF, AVI,
ASX, DBX, DD, DMG, E01, EX01, FLAC, FLV, GZIP, JAR, L01, M3U, M4A, M4V, MID, MKV, MOV, MP3,
MP4, MPA, MPG, NSF, OGG, OST, PST, RA, RAR, RM, SRT, SWF, TAR, VOB, WAV, WMA, WMV, WTV,
ZIP, and ZIPX. Also, files over 50 MB will not display. However, depending upon the options that you
select, these files will be processed.
The more advanced viewer is the Standard Viewer. This viewer lets you view an AccessData-generated SWF
version of the document that lets you do the following:
-View the document as it appears in its native format
-Edit the document with annotation tools (See About Annotating Tools on page 238.)
However, in order to view content in the Standard Viewer, a document must first be converted to a format that
can be annotated or redacted.
See About Generating SWF Files for Annotating or Unitizing on page 235.
In some cases the Standard Viewer has advanced viewing capabilities. For example, if a Word document has
Track Changes enabled, this viewer can show the formatted changes, whereas the Alternate File Viewer cannot.
AccessData converts documents into an Adobe’s SWF file format for viewing and editing. As a result, the
Standard Viewer will only display files that have been converted to SWF.
If a SWF file is not available, the contents of the file will be displayed using the Alternate File Viewer.
Standard Viewer Features
In the Standard Viewer, you can do the following:
-Use the Annotation feature.
See Annotating Evidence on page 237.
-Use the Unitization feature.
See Unitizing Documents on page 246.
-Use in-document searching
The in-document searching includes type-down capabilities and counts.
-Print the current document.
See Annotating Evidence on page 237.
Viewing Data Using Document Viewing Panels | 79
Workflow for the Standard Viewer and the Alternate File Viewer
-If the Enable Standard Viewer processing option is enabled, the Standard Viewer is the default viewer.
When you click a file in the item list, if a SWF has been generated, or if the file can have a SWF
generated, it will display in the Standard Viewer.
If the SWF file has not yet been generated, it will do so automatically.
If you click a file that does not support SWF, it will be displayed in the Alternate File Viewer instead.
-If the Enable Standard Viewer processing option is not enabled, by default, the Alternate File Viewer is
used. If you then switch to the Standard Viewer, and if a SWF can be generated, it will be converted “on-
the-fly”.
Attachment Counts
You can see attachment counts on imported Emails in the Natural panel.
Emails imported using a load file, are constructed in the Natural panel using the metadata from the load file for a
consistent Outlook type look and feel. In previous versions emails with attachments did not display that
attachments existed unless the user imported these files as EDOCS. Now, when importing these files as EMAIL
document types, the count of the attachments is now displayed in the Natural Viewer. Emails processed using
evidence processing will display the attachment name rather than the attachment count.
Standard Viewer Caching
When you view an item in the Standard Viewer, it now caches the next few items in the Item List. This makes
navigating to and viewing the next item much faster.
Note the following:
-The number of files that is cached is based on GridCacheCount value in the Map\Web.config file.
(The default is 3)
Viewing Data Using Document Viewing Panels | 80
-It only caches the next items, not the previous items.
-When using the Standard Viewer, it loads the generated SWF file for the item. This new feature caches
the SWF files. If SWF files do not already exist, a SWF is auto-generated on-the-fly and may take a few
seconds. You can make SWF files in bulk by using the Imaging action.
Using the Image Panel
The Image panel displays image documents and electronic documents that have been converted into images
from the Natural panel.
The Image panel displays the selected document as an image. You can perform annotations and make notes in
this view.
Image Panel
See About Annotating Tools on page 238.
See Unitizing Documents on page 246.
To view documents in Image view
1. In Project Review, select a file in the Item List panel.
2. Click on the Image view tab.
If the Image panel isn’t showing, select the panel from the Layouts drop-down.
Viewing Data Using Document Viewing Panels | 81
Using the Text Panel
The Text panel in Project Review displays the file’s content as text. There are two options for viewing text:
-Filtered text - This is basic text that is extracted during processing (unless you used the Quick Processing
Mode).
-OCR - This is text that is generated using OCR.
See Using OCR on page 70.
Text Panel
To view documents in Text view
1. In Project Review, select a file in the Item List panel.
2. Click on the Text view tab.
If the Text panel isn’t showing, select the panel from the Layouts drop-down.
Elements of the Text Panel
Element Description
Filtered / OCR Select to view Filtered text or OCR text.
Find Search for text in the document.
Page Depth Limit how much text is displayed by setting the Page Depth in characters.
Wrap Configure the text view so that sentences wrap if they are longer than the panel’s width
(on by default).
Viewing Data Using Document Viewing Panels | 82
Using the KFF Details and Detail Information Panels
You can show the KFF Details panel or the Detail Information panel.
-The KFF Details panel is displayed when using the Review layout.
-The Detail Information panel is displayed when using the CIRT layout.
The Detail Information contains tabs that allow you to view information about the selected record.
You can enable these panels by customizing the Project Review panels and layouts.
See Customizing the Project Review Layout on page 50.
To view KFF Detail / Detail Information
1. In Project Review, select a layout that displays the desired panel.
2. Select a file in the Item List panel.
3. Click on the KFF Detail / Detail Information view tab.
Elements of the Detail Information Panel
Element Description
Archived Details Displays the details of the file path, size, and dates associated with the record.
Cerberus Displays the Cerberus threat score for the record.
You will see data for applicable files if you selected the Enable Cerberus processing
option.
See the About Cerberus Malware Analysis chapter.
You can download the information as an HTM file by clicking Download in the bottom-
right corner.
KFF Details Displays the details of the Known File Filter for the selected record.
See Using KFF (Known File Filter) on page 340.
Evidence Source Displays the source of the evidence.
Viewing Data Using Document Data Panels | 83
Using Document Data Panels
You can use the following document data panels in Review:
-The Activity Panel page 83
-The Related Panel page 84
-The Production Panel page 85
-The Notes and Transcript Notes Panels page 86
-The Conversation Panel page 86
-The Family Panel page 88
-The Linked Panel page 90
-Exporting a List to CSV page 70
-Using OCR page 70
See Viewing Data in Panels on page 55.
The Activity Panel
The Activity panel on the Project Review page lists the history of actions performed on the selected document.
Activity Panel
Elements of the Activities Panel
Element Description
Date Column Displays the date of the action performed.
User Displays the user that performed the action.
Activity Type Displays the detailed information regarding the action performed.
Viewing Data Using Document Data Panels | 84
The Related Panel
In version 6.0, the Similar panel was renamed to the Related panel.
The Related panel in Project Review is used to show similarity between documents. This panel displays
documents that are clustered together based on their content. The similarity is determined by running Cluster
Analysis. You can perform Cluster Analysis by doing one of the following:
-When creating a project, select the Cluster Analysis processing option.
-After initial processing, on the Home page, select the project, click , and click Cluster Analysis.
Performing Cluster Analysis will take some time after normal processing is completed. For information on
performing Cluster Analysis, see the Admin Guide or Project Manager Guide.
When Cluster Analysis is run, a “K-means” algorithm is run to determine a pivot document. Other documents are
then compared to the pivot. If a document has an 80% similarity to the pivot, it will be displayed in the list in the
panel.
Related Panel
There is a DeDuplicate Type column that shows if it is Primary or Secondary.
The Clustered Distance Score column indicates whether the document is Duplicate or clustered data
(with a % score).
Items that are Duplicates are displayed at the top of the grid.
The star icon indicates the pivot document.
Viewing Data Using Document Data Panels | 85
The Production Panel
The Production panel in Project Review displays the history of production for the project. You can navigate to
produced documents via hyperlinks in the Production panel. The ProductionDocID appears as a hyperlink in the
Production panel. While viewing a source document highlighted in the Item List, you can click on the
ProductionDocID in the Production panel, and the produced document opens in a new window.
When a document is produced, it is automatically linked to the original from which it was produced. When
looking at the original document, you can see that it has been produced.
You can navigate to the produced documents via hyperlinks in the Production panel.
-The ProductionDocID appears as a hyperlink in the Production panel. While viewing a source document
highlighted in the Item List, you can click on the ProductionDocID in the Production panel, and the
produced document opens in a new window.
Elements of the Related Panel
Element Description
File list Displays the Pivot item (designated by the gold star) and other items that are similar. The
level of similarity of each item to the pivot is displayed as a percentage.
Actions You can select items and then perform the following actions on items in the list.
Label Assignment Allows you to assign or remove a label from the selected item.
See Applying and Removing Labels on page 198.
Bulk Coding Allows you to apply issues, categories, and other field coding to the
selected item.
See Coding Multiple Documents on page 228.
Compare Docs Allows you to compare the contents of two items.
Select the documents that you want to compare, select Compare Docs,
and click Go.
A new window opens and displays a report that details how the items
compare.
Go Performs the selected action on the selected items.
Viewing Data Using Document Data Panels | 86
-Also, if you display produced documents in the Item List by filtering, the Source ID of a produced
document appears as a hyperlink in the Production panel. Clicking on the Source ID opens the source
document in a new window.
Note: Export sets do not have hyperlinks in the Production panel.
Production Panel
The Notes and Transcript Notes Panels
In version 6.0, the Notes panel was renamed to the Transcript Notes Panel.
See Adding a Note to a Transcript on page 181.
In version 6.x and later, notes are now stored in the Case Organizer.
See Using the Case Organizer on page 204.
If you are using an environment that was upgraded from 5.x, your legacy notes are not converted to the Case
Organizer and can still be viewed in the legacy Notes panel. Notes can be viewed and deleted from the Notes
panel for users with the View Notes and Delete Notes permission.
The Conversation Panel
The Conversation panel in Project Review displays email conversation threads and emails from a cluster. The
Conversation panel shows any compilation of related messages that makes up a conversation. The displayed
threads are those emails that are sent and answered, or forwarded emails with the originals and any string of
threads that went back and forth for each message.
Emails are organized by cluster in the Conversation panel.
-The email clusters are displayed in a hierarchical order with the original message displayed first, followed
by subsequent messages for any email that have a conversational ID.
-There may be an email in the cluster that is from the thread which is not necessarily a part of the cluster
since they are a part of the thread.
Viewing Data Using Document Data Panels | 87
-Emails may be identified because they are in the cluster, but not a part of the thread.
-Emails listed in green text are clusters
-Emails listed in black text are threads
-The icons that are displayed for each email in the hierarchy which are as follows:
Purple arrow from right to left is reply
Green arrow from left to right is sent
You can use the Filters panel to refine the list by:
-Who the email was sent to
-Who the email is from
-Date range
Conversation Tab
Elements of the Conversation Tab
Element Description
Email Count Displays the number of emails in the thread.
Attachments Displays the number of attachments.
Time Frame Displays the time frame when the emails were sent.
Participants Displays the email address of the email participants.
Actions You can select items and then perform the following actions on items in the list.
Label Assignment Allows you to assign or remove a label from the selected
item.
See Applying and Removing Labels on page 198.
Bulk Coding Allows you to apply issues, categories, and other field
coding to the selected item.
See Coding Multiple Documents on page 228.
Compare Docs Allows you to compare the contents of two items.
Select the documents that you want to compare, select
Compare Docs, and click Go.
A new window opens and displays a report that details
how the items compare.
Viewing Data Using Document Data Panels | 88
The Family Panel
The Family panel in Project Review lists the family relationships for email documents. The Family panel shows
the email message and any attachments to the message.
The Family panel will display related documents if you select the parent or child document.
Note: If you have a zip file containing a folder, the family relationship does not contain the folder because the
folder is omitted from view.
For both the message file and the attachments, you can do the following:
-Click the item to view the item in the Natural panel.
-Perform actions:
Apply labels.
See Applying and Removing Labels on page 198.
Perform Bulk Coding.
See Coding Multiple Documents on page 228.
-Compare documents.
-Click the hyper link to open the child or parent document in a new window.
Note: In order to avoid memory issues, the family panel will limit the amount of documents retrieved to 1000.
Families will be displayed for the following types of documents: TAR, JAR, GZIP, RAR, 7ZIP, ZIP, and
ZIPX. Families will not be displayed for the following type of documents: AD1, PST, NSF, OST, E01, CSV,
and DII.
Family Panel
Go Performs the selected action on the selected items.
Elements of the Conversation Tab
Element Description
Viewing Data Using Document Data Panels | 89
Elements of the Family Panel
Element Description
DocID Displays the DocID for the documents in the same family as the selected document.
ParentDocID Displays the DocID for the parent document.
AttachDocIds Displays whether the parent document has attachments.
ObjectID Displays the ObjectID of the document or the documents in the same family as the
selected document.
ObjectName Displays the ObjectName of the document or the documents in the same family as the
selected document
Actions You can select items and then perform the following actions on items in the list.
Label Assignment Allows you to assign or remove a label from the selected item.
See Applying and Removing Labels on page 198.
Bulk Coding Allows you to apply issues, categories, and other field coding to the
selected item.
See Coding Multiple Documents on page 228.
Compare Docs Allows you to compare the contents of two items.
Select the documents that you want to compare, select Compare
Docs, and click Go.
A new window opens and displays a report that details how the
items compare.
Go Performs the selected action on the selected items.
Viewing Data Using Document Data Panels | 90
The Linked Panel
The Linked panel in Project Review displays two types of documents:
-Documents manually linked to other documents of the same project
See Adding Links to a Transcript on page 182.
See Adding a Link on page 243.
-Documents linked to other documents during import
Linked Panel
Elements of the Linked Panel
Element Description
DocID The DocID of the linked documents.
LinkObjectID The ObjectID of the linked documents.
Path The path of the linked documents.
Actions You can remove links from a document. Select the linked documents that you want to
remove.
Go Click to execute the selected action.
Page Size Select the number of documents you want visible in the Linked panel.
Page Lists the page you are on and the number of pages. Click the next arrow to see the next
page.
Refresh Click the refresh button to update the Linked panel.
Link Lets you link additional documents.
Viewing Data Using Document Data Panels | 91
Adding a Link from the Linked Panel
You can manually link other documents.
To add a link from the Linked panel
1. Select a document that you want to add a linked document to.
2. In the Linked panel, click Link.
The Add Document Link dialog appears.
Add Document Link Dialog
3. In the Search field, enter the DocID of the document you want to link to.
4. Press the tab button to activate the Go button and click Go.
5. Select the document you want to link to from the search results.
6. Click Save.
Viewing Data Viewing Timeline Data | 92
Viewing Timeline Data
You can parse and view the following types of timeline data.
-Data that is contained in CSV files that are in the Log2timeline format
-EVTX event logs
You can view the data in the Alternate File Viewer of the Item List.
The individual records from the original files will be interspersed with other data, giving you the ability to perform
more advanced timeline analysis across a very broad set of data. In addition you can leverage the visualization
engine to perform more advanced timeline based visual analysis.
To process timeline files, there is a Timeline Options processing option. This option is not enabled by default.
You can view timeline data in one of two ways:
To expand timeline files and view individual records
1. Create a new project.
2. In the Processing Options, select Expand Additional Timeline Events.
3. Include a timeline file, such as a Log2timeline CSV or EVTX file in your evidence and process it.
4. In Review, in the Item List, you can click and view the contents of original file.
5. You can also view the expanded individual records in individual rows.
Log2Timeline items have row #... in the ObjectName.
EVTX items have a event # ... in the ObjectName.
6. You can use the Timeline view to sort items by data and time.
See Using the Timeline View on page 67.
To filter timeline data
1. You can filter your data to find timeline data.
For example, you can find Log2Timeline data by using the File Category > Other Known Types facets:
-The original zip files: Log2t CSV logs
-The expanded entries: Log2t CSV log entries
You can find EVTX data by using the File Category > OS/File System Files facets:
-The original EVTX files: Windows EVTX Events
-The expanded entries: Windows EVTX Event
View the original
files, such as the
CSV or EVTX
In the Item List, you can see the original files. When you select a file, you can view the
information that is contained in each file in the File Content pane.
Expand file data out
as individual
records
When you expand timeline files, each record is extracted. As a result, in the Item List,
each record is shown as its own item.
If you expand Log2Timeline files into separate records, you can also use columns
to view each field.
See the table Log2timeline CSV fields (page 93)
Viewing Data Viewing Timeline Data | 93
To add Log2Timeline-related columns in the Item List
1. In Review, click Options > Columns.
2. Add one or more Log2T columns.
3. Click OK.
Log2timeline CSV fields
Log2t Desc A description field, this is where most of the information is stored. This field is the full
description of the field, the interpreted results or the content of the actual log line..
Log2t Extra Additional information parsed is joined together and put here. This 'extra' field may
contain various information that further describe the event. Some input modules contain
additional information about events, such as further divide the event into source IP's,
etc. These fields may not fit directly into any other field in the CSV file and are thus
combined into this 'extra' field.
Log2t Filename The full path of the filename that contained the entry. In most input modules this is the
name of the logfile or file being parsed, but in some cases it is a value extracted from it,
in the instance of $MFT this field is populated as the name of the file in question, not the
$MFT itself.
Log2t Format The name of the input module that was used to parse the file. If this is a log2timeline
input module that produced the output it should be of the format Log2t::input::NAME
where name is the name of the module. However other tools that produce l2t_csv
output may put their name here.
Log2t Host The hostname associated with the entry, if one is available.
Log2t Inode The inode number of the file being parsed, or in the case of $MFT parsing and possibly
some other input modules the inode number of each file inside the $MFT file.
Log2t MACB The MACB or legacy meaning of the fields, mostly for compatibility with the mactime
format.
Log2t Notes Some input modules insert additional information in the form of a note, which comes
here. This might be some hints on analysis, indications that might be useful, etc. This
field might also contain URL's that point to additional information, such as information
about the meaning of events inside the EventLog, etc.
Log2t Short The short description of the entry, usually contains less text than the full description
field. This is created to assist with tools that try to visualize the event. In those output
the short description is used as the default text, and further information or the full
description can be seen by either hovering over the text or clicking on further details
about the event.
Log2t Source The short name for the source. This may be something like LOG, WEBHIST, REG, etc.
This field name should correspond to the type field in the TLN output format and
describes the nature of the log format on a high level (all log files are marked as LOG,
all registry as REG, etc.)
Log2t SourceType A more comprehensive description of the source. This field further describes the format,
such as "Syslog" instead of simply "LOG", "NTUSER.DAT Registry" instead of "REG",
etc.
Log2t User The username associated with the entry, if one is available.
Log2t Version The version number of the timestamp object.
Viewing Data Viewing Graphics and Videos | 94
Viewing Graphics and Videos
In the Natural panel, you can view the following kinds of media files that are in your project:
-View graphics files (such as JPEG, GIF, PNG)
-Play video files
The following video files are supported:
-View video thumbnail files
How videos are viewed is in part determined by the video processing options that were used when the
project was created. For example, you can view video thumbnails that were created at certain intervals.
To view thumbnails for video files, you must first enable the Generate (Video) Thumbnails processing
option when you create a project.
See Evidence Processing and Deduplication Options on page 166.
You can use the Thumbnail View to rapidly scan through the visual contents in a video file, without having
to launch and watch the entire video.
See Using the Thumbnail View on page 65.
To find graphics and media files
Do the following:
-Use filters, such as File Category or File Extensions.
-Use the Thumbnails View.
See Using the Thumbnail View on page 65.
To play a video file
1. Select a video file in the Item List or Thumbnail View.
2. Click the play button in the Natural Panel.
You can change the volume and expand the video viewer.
3G2 AVI MP4 SWF FLAC
3GP FLV MPG VOB MKV
ASF M4V RM WMV WTV
ASX MOV SRT OGG WEBM
Deleting Documents Deleting a Document | 95
Chapter 7
Deleting Documents
Users with the Delete Summaries permission can delete documents in the Item List panel of Project Review.
Users must be careful and back up the project before deleting documents.
You can delete individual records and documents from a project that has been added by either Evidence
Processing or Import. You can select any record or multiple records in Review and delete them. This will delete
the record and system generated data associated with the record, such as filtered text, .DAT files, and data from
the database.
Note the following:
-If a record is in use by another process, some part of the record might be locked, triggering an error when
you attempt to delete the record.
-If an original document has been included in a production set, you will not be able to delete that
document. This avoids issues with production sets.
-Both the Audit Log and the Work List displays what records have been deleted and which user has
deleted the record.
Note: You cannot delete an individual record that is part of a production set. However, you can delete a
complete production set.
You can also use the Delete action in the Item List to delete all filtered files without having to select the files
individually.
Deleting a Document
To delete a document
1. Log in as a user with Delete Summaries permissions.
2. Click the Project Review button in the Project List panel next to the project.
3. In the Project Review, ensure that the Item List panel is showing.
4. Use filters or others tools to cull the files in the Item List.
5. Check the documents that you want to delete. Skip this step if want to delete all the documents.
6. In the first Actions drop-down, select one of the following:
-Checked: Select this to delete just the checked documents.
-All: Select this to delete all of the documents on all pages of the Grid list.
7. In the second Actions drop-down, select Delete.
Deleting Documents Deleting a Document | 96
8. Click Go.
9. In the Confirm Delete Dialog, check Include Family to delete family documents as well.
10. Click Delete.
The job is sent to the Work List for the project/case manager to complete.
Note: When you apply the Delete action to filtered items in the Item List, the filtered data will not reset after the
data is deleted. You will need to click on the clear button to show all of the data back into the grid.
Searching Data | 97
Part 3
Searching Data
This part describes how to search data and includes the following sections:
-About Searching Data (page 98)
-Running Searches (page 100)
-Running Advanced Searches (page 117)
-Using the Search Tab (page 124)
-Using Filters to Cull Data (page 128)
Introduction to Searching Data About Searching Data | 98
Chapter 8
Introduction to Searching Data
This document will help you filter and search through data in the Project Review.
About Searching Data
You can use searching to help you find files of interest that are relevant to your project. After you perform a
search, you can save your search or share your search with groups. Then, you can filter your result set to further
cull down evidence. As you find relevant files, you can tag the files with Labels, Issues, or Categories for further
review or for export.
When you search data, you use search phrases to find relevant evidence. A search phrase is any item that you
would receive a search hit on, such as a word, a number, or a grouping of words or numbers.
See Building Search Phrases on page 103.
You can search for text that is either in the metadata of the file or in the body of a file. You can also select a
column in the Item List panel and filter on that specific column.
When you start a search, be mindful of the items in the list that you are starting with. For example, if you have
applied a facet filter to show only DOC files, and you search for a text string that you think is in a PDF file, it will
not find it. However, the same is not true for column filters. If you have applied a column filter to show only DOC
files and you search for a text string that you think is in a PDF file, it will locate the file, regardless of the previous
column filter application.
Searching Results
When you run a search, any items in your data that contain the search phrase are displayed in the Item List.
When you view an item in the Natural, Image, or Text viewers, the terms in the search phrase are highlighted.
You need to be aware of the following when viewing highlighted terms:
-After the first page of search results are available, the application retrieves the excerpts for the word/
phrase hits on the document through a separate workflow. Depending upon the load on the system,
highlights might take longer to appear.
-Search results are not highlighted in the view if the word phrases is split on separate lines, especially in
documents created in ASCII, such as text files.
-If you have a document where the text is arranged in columns, search results that appear in the same
column or span across multiple columns do not highlight in the Natural Viewer. The Text view should
highlight the results accurately.
Introduction to Searching Data About Searching Data | 99
To search data, see the following:
-Running Searches (page 100)
-Running an Advanced Search (page 117)
-Running Recent Searches (page 125)
-Saving a Search (page 126)
Search Limitations
When performing a Quick Search or Advanced Search, if you have over 10,000 total characters of search text,
the search may fail and the application may become non-responsive.
Running Searches Running a Quick Search | 100
Chapter 9
Running Searches
You can perform the following search tasks:
-Running a Quick Search (page 100)
-Searching for Virtual Columns (page 107)
-Running a Subset Search (page 108)
-Searching in the Natural Panel (page 109)
-Using Dates and Times in Search (page 111)
-Using the Search Excerpt Report (page 112)
-Using Search Reports (page 115)
-Running an Advanced Search (page 117)
When running a search, you build and use search phrases.
See Building Search Phrases on page 103.
Running a Quick Search
In most projects, relevant data and privileged information in a data set is found using quick searches. You can
use the basic search field in the Item List panel to help you perform fast filtering on selected evidence.
When you start a search, be mindful of the items in the list that you are starting with.
See About Searching Data on page 98.
Important:
A processing option, Disable Tab Indexing, disables the reindexing of labels, categories, and issues.
With this option, the application prevents reindexing from occurring as frequently while you are
reviewing data, and search counts appear correctly. This option is enabled by default. If this option is
enabled, in Review, the following text is displayed: Tag indexing is disabled. However, you can still
search for specific tags using a field search, such as “Label contains xxx”.
To run a quick search
1. Log in as a user with Run Search privileges.
2. Click the Project Review button in the Project List panel next to the project.
3. In Project Review, ensure that the Project Explorer, the Item List, and Natural panel are showing.
4. Populate the data in the Item List with the data that you want to search within.
See Selecting the Data that you Want to Search In on page 101.
Running Searches Running a Quick Search | 101
5. In the search bar of the Item List panel, enter a search phrase.
A search phrase can be either one word or or number or multiple words. You may also use operators or
boolean search phrases.
See Building Search Phrases on page 103.
6. Click Go to execute the search.
A green spinner indicates that the search is in progress. When the search is complete, the spinner is no
longer displayed.
The search is performed within the specified scope and searches the body content of the documents within the
scope. Also depending upon the type of search query, the query will also search the documents’ metadata.
Search results appear in the Item List panel.
If you are searching by keyword, you can select a document from your search results, and see highlighted
instances of the word in the Natural view. The instances will also be highlighted in the text view and in the Item
List if there are results in the metadata.
Quick searches will also appear in the Recent Searches on the Searches tab of the Project Explorer.
Note: You are unable to perform a quick search for values in the ProductionDocID column. To search for values
in the ProductionDocID column, use Advanced Search. See Running an Advanced Search on page 117.
Selecting the Data that you Want to Search In
When you perform a search, only the data that is contained in the Item List (all pages) will be searched. That
means that any data that you have filtered out of the list will not be searched.
This will apply the currently selected scope and any selected facets to the Item List, allowing you to search and
review on the resulting subset. The facets will persist through searches until you clear them. Scopes may be
changed and searches re-run by use of the Apply button as well. After updating a facet or scope item, you may
click the Apply button, which will update the scope and re-run any search that has not been cleared out by use of
the Clear Search button in the Search Options menu of the Item List panel.
To populate data in the Item List that you want to search from:
1. Select the data that you want to search in by doing the following:
1a. In the Project Explorer, the default scope selection includes all evidence items in the project. Using
the check boxes, uncheck items to exclude items from the scope of the search. These scope items
include:
Document Groups
Transcript Exhibits
Export Sets
Notes
Transcripts
1b. In the Facets tab of the Project Explorer, you may select any combination of facets to apply to the
current search scope.
2. Click the Apply check mark button in the top of the Project Explorer.
Running Searches Using Search Options | 102
Using Search Options
The following are search options that you can perform from the Search Options drop-down:
Search Options
Element Description
Clear Search This clears any search strings from the search bar and removes all results of the
search. The contents of the Item List are restored to how they were before the search.
Advanced Search Lets you perform and save advanced searches.
See Running Advanced Searches on page 117.
Vocabulary Lets you search within the current or all transcripts.
See Working with Transcripts and Exhibits on page 176.
Expansion Lets you include Family, Linked, or Similar Documents.
Settings Lets you configure the following search settings:
-Sorting
You can sort your search results by any column. By default, search results are
sorted by Relevancy in descending order. You can change the column by which to
sort by, such as ObjectID, extension, and so forth.
-Display Options:
Excerpts column
On by default. You can select to not display the Excerpts column. You can also
configure the number of excerpt words.
Relevancy column
On by default. You can select to not display the Relevancy column. If you turn
this off, results will not sort by Relevancy, even if that is the sorting selection.
Search Report
Options Lets you generate and download search reports.
See Using Search Reports on page 115.
Running Searches Building Search Phrases | 103
Building Search Phrases
When you search data, you use search phrases to find relevant evidence. A search phrase is any item that you
would receive a search hit on, such as a word, a number, or a grouping of words or numbers.
A search phrase can be any of the following:
-A single term, such as a word or number
For example, patent. Any document with the term “patent” will be found.
-A string of terms (within parentheses)
For example, 2010 patent application. Any document with the string “2010 patent application” will be
found.
-Multiple terms with boolean operators, such as AND or OR
For example, patent AND 2010. Any document with both “patent” and “2010” will be found.
See the following about building search phrases:
-See Using Search Operators on page 103.
-See Using Boolean Logic Options on page 105.
-See Using ? and * Wildcards on page 106.
-See Searching Numbers on page 107.
-See Search Limitations on page 99.
Using Search Operators
You can use a Boolean search to find the logical relationships among the search terms and phrases that you
enter. A Boolean search consists of the following three full logical operators:
-OR
-AND
-NOT
Note: The NOT operator by itself is not an option in Advanced Search. The Not Contains and Not Equals
operators are available in Advanced Search. However, you can use the NOT operator in Quick Search.
If you use more than one logical operator, you should use parentheses to indicate precisely what you want to
search for. For example, the phrase apple and pear or orange could mean either (apple and pear) or orange,
or it could mean apple and (pear or orange). Use parentheses to clarify which of the two searches that you
want.
However, if you want to execute searches that contain parentheses as part of the search term, you should
enclose the search term with double quotes. For example, if you want to search the To field of emails for the
phrase, Carton, Sydney (TTC-San Antonio), you need to write the search query as To Contains “Carton,
Sydney (TTC-San Antonio).” This will allow you to get the expected search results and those search results will
be highlighted in the Text view. However, the search results will not be highlighted in the Natural view.
Only alphanumeric characters are recognized in search terms. Also, certain non-alphanumeric characters are
recognized by the search, such as @ and $. To search for text with non-alphanumeric characters, include the
whole string in quotes. For example, if you searched for mckay@accessdata, you would find
mckay@accessdata. But if you searched for mckay#accessdata, it would not return results.
Running Searches Building Search Phrases | 104
Noise Words
Noise words, such as if, or the are ignored in searches. For example, if you were to search on the term MD&A,
the search would treat the & as an AND operator and return documents with both the terms “MD” and “A” in
them. However, because A is a noise word, the search only highlights “MD” in the document.
When a search phrase contains a noise word with another term, the search results will return results with the
noise word, as well as other words that are in the same place as the noise word. For example, by searching for
the term MD and A, not only are results returned that locate the terms “MD” and “A,” but also “MD” and “<any
word that is adjacent to ‘MD’>.” For example, by searching for the term MD and A, you might also get the result
of “MD” and “Surgeon.”
However, if you were to search on MD&Surgeon, you will only get “MD” and “Surgeon.
Words that are used as logical operators, such as And or Or will be treated as operators and not as part of the
search phrase. If you want to include words such as and or or as part of the search phrase, you need to enclose
the entire search phrase in double quotes. For example, enclosing in double quotes the search phrase “this or
that” will return only those occurrences where this exact phrase appears, and not where this appears
separately from that.
The following words and symbols are ignored in searches:
@, a, about, after, all, also, an, and, any, are, as, at, be, been, but, by, can, come, could, did, do, even,
for, from, get, got, he, her, him, his, how, i, if, in, into, it, its, just, like, me, my, not, now, of, on, only, or,
other, our, out, over, see, she, some, take, than, that, the, their, them, then, there, these, they, this, those,
to, too, under, up, very, was, way, we, well, were, what, when, where, which, while, who, will, with, would,
you, your
Also, there are exceptions for certain characters:
-The characters 0-9, a-z, A-Z, and the _ (underscore) are searchable.
-Other characters, such as - , +, and ; are not searchable. With a few exceptions, they are treated as
spaces.
-The characters ? and * are wildcards. See Using ? and * Wildcards on page 106.
-The %, ~, #, & , :, = characters are used in advanced variations of the search, such as synonym or fuzzy
searches. See Understanding Advanced Variations on page 121.
Note: The & symbol is interpreted as an AND operator. If you searched for Steinway & Sons, it would search for
Steinway AND Sons. To use the & symbol in a search, include it in quotes. For example, “Steinway &
Sons”.
Using the @ Symbol
In versions 6.0.1 and earlier, the @ symbol was indexed as a regular character and was searchable. One result
of this was that when searching for names within email addresses, you had to use the full address or a wildcard.
For example, if you searched on gwashington, it would not result in a hit for gwashington@usa.gov. Instead, you
had to search for gwashington* or gwashington@usa.gov.
In versions 6.0.1 SP1 and later, the @ symbol is now indexed as a space character and is ignored. This is the
same as FTK/LAB. Now, if you search for gwashington, it will result in a hit for gwashington@usa.gov.
This change is only in effect for projects that were created in 6.0.1 SP1 and later, not just reviewed or indexed in
6.0.1 SP1 or later.
Running Searches Building Search Phrases | 105
Using Boolean Logic Options
The following table describes the boolean options that you can use in searches. Some boolean options are
combined in the table to serve as examples of what is possible.
Boolean Logic Options
Option Description
AND Returns as search results those evidence files that contain all of the search words that you
specified. For example:
marijuana AND cocaine
Matches all evidence files that contain both the words “marijuana” and “cocaine.” However, if you
search for the example:
marijuana + cocaine
You will only get search results highlighted if “marijuana” and “cocaine” are adjacent.
OR Returns as search results those evidence files that contain any of the search words that you
specified or at least one of the search words that you specified. For example:
marijuana OR cocaine
Matches all evidence files that contain either the word “marijuana” or “cocaine.”
NOT Returns as search results those evidence files that do not contain the search words that you
specified.
This expression is an efficient way to eliminate potential privileged data from production sets.
Used the expression at the beginning of your search word or phrase. For example:
NOT licensed
Matches all evidence files except those with the word “licensed” in them.
Note: Do not use implied boolean search with this operator (Example: -license). It will
return incorrect results.
W/N Returns as search results those evidence files that include the specified word or phrase that is
found within so many number of words of another.
For example:
(rock AND stump) W/2 (fence AND gate)
Matches all evidence files that contain both the words “rock” and “stump” that occur within two
words of both the words “fence” and “gate.”
or
(pear w/10 peach) W/7 (apple OR plum)
Matches all evidence files that contain the word “pear” that occurs within ten words of the word
“peach” and that also occurs within seven words of either “apple” or “plum.”
You can also use this option to search for evidence files with known words in certain locations or
instant messaging chats.
Note: For all evidence files other than email, all occurrences of the words on either side of
the W/N operator are highlighted. For email files, there is no highlighting on the Natural
and Text views.
AND
NOT Returns as search results those evidence files that contain the expression on the left when the
expression on the right is not found. For example:
peach AND NOT pineapple
Matches all evidence files that contain the word “peach,” but do not also contain the word
“pineapple.”
Running Searches Building Search Phrases | 106
Using ? and * Wildcards
A search word can contain the wildcard characters * and ?. A ? in a word matches any single alphanumeric
character, and a * matches any number of alphanumeric characters. The wildcard characters can be in any
position in a word.
You can use wildcards with search phrases that use operators.
For example, 20* OR pat* OR appl* would match any document that had 2010, 2011, patent, patents,
application, or applications.
You can use wildcards within terms that are within text strings.
For example, “20* p*t a*n” would match 2010 patent application.
? and * Wildcard Limitations and Tips
-The ? and * wildcards can be used for alphanumeric characters only.
For example, a search of PSE?G or PSE*G will not find PSE&G.
-The ? and * wildcards only work within single words not separated by spaces, periods, commas, and so
on.
For example, a search of “n*w” will find “New” but a search of “n*k” will not find “New York” or New.York”.
OR NOT Returns as search results those evidence files that contain either the left expression or
specifically not containing the right expression. For example:
peach OR NOT pineapple
Matches all evidence files that contain the word “peach,” and any other file that does not contain
the word “pineapple.”
Note: The search phrase before the OR operator is highlighted.
Wildcard Description
? Matches any single alphanumeric character.
The following are examples:
-appl? matches apply or apple, but not apples
-a?l matches all or aol
*Matches any number of characters within a single word.
The following are examples:
-appl* matches apply, apple, apples, application
-ap*ed matches applied, approved
-appl*ion matches application
-a*l matches all, aol, april, actual, additional
-*cipl* matches principle, participle
Note: Use of the * wildcard character near the beginning of a word will slow searches
somewhat.
Boolean Logic Options (Continued)
Option Description
Running Searches Searching for Virtual Columns | 107
Searching Numbers
When searching for numbers, be aware the commas, dashes, and spaces are word separators. A word
separator will find evidence files where terms are separated by that separator or space.
For example:
-A search of 123,?56 will find
123,456, 123,556, 123,656, etc.
123-456
123 456
-A search of 123-456 will also find 123,456
-A search of *123, 456* will find
xxx123
456xxx
To find numbers containing a comma, dash, or space, use a string in parentheses.
Searching for Virtual Columns
You can search for virtual columns in the quick search field. Virtual columns are fields of data that are included in
the records, but there is not a physical column in the database that correlates with that data. Searching for virtual
columns will result in records that contain the virtual data, but the column will not actually appear in the Item List
panel.
Examples of virtual columns:
-AnyDate
-AnyField
-AnyText
-IsPivot
Running Searches Running a Subset Search | 108
Running a Subset Search
After running any kind of search, you can run another search that is a subset of your search. Subset searches
appear in your recent searches. Subset searches connect your first search with your second search using an
AND connector. Subset searches will appear in the recent searches of the Searches tab of the Project Explorer.
To run a subset search
1. Run any kind of search.
See Running a Quick Search on page 100.
See Running an Advanced Search on page 117.
2. Enter new search criteria in the quick search field in the Item List panel.
Subset Search Button
3. Click the Subset Search button.
Your search results appear in the Item List panel.
Returning to a Previous Search
After you run a subset search, you can return to a previous search using the subset drop-down.
To return to a previous search
After you run a quick search and a subset search, expand the Subset Search drop-down and select
Previous Search.
Running Searches Searching in the Natural Panel | 109
Searching in the Natural Panel
In the Natural panel, you can use the Standard Viewer or the Alternate File Viewer to search by keyword in the
selected document.
See Using the Standard Viewer and the Alternate File Viewer on page 78.
Note: You cannot search for numerals in spreadsheets.
To search in the Natural panel
1. In Project Review, ensure the Natural and Item List panel are showing.
2. Select a document in the Item List that has a native file.
3. Do one of the following:
-In the Alternate File Viewer:
3a. In the Find field, enter a search term for which you want to search.
3b. The first instance of a found search term is highlighted in the Natural view.
3c. Click the > next and < previous buttons to see the other instances of the keyword.
-In the Standard Viewer:
3a. In the Search field, enter a search term for which you want to search.
3b. The search field provides a type-down search as you enter text.
3c. All instances of the search term are highlighted.
3d. Click the > next and < previous buttons to see the other instances of the keyword.
Using Global Replace
In the Item List, you can use Global Replace to globally search the fields in documents and replace a keyword or
phrase. Only one Global Replace job can be submitted at a time per project. Once the job is submitted, you will
have thirty minutes to either manually commit the job or allow it to commit automatically. After a Global Replace
job has been committed, you can choose to create a new Global Replace job for that project.
Note: If Global Replace jobs are submitted by two different users on the same project at the same time, both
Global Replace jobs will fail. However, if two different users submit Global Replace jobs on two separate
projects at the same time, both Global Replace jobs should complete successfully.
See Committing a Global Replace Job on page 110.
To use Global Replace
1. In Project Review, either select a document in the Item List or select All from the actions.
2. Select Global Replace from the pull-down menu and click Go.
The Global Replace dialog appears.
Running Searches Using Global Replace | 110
Global Replace Dialog
3. Choose which field that Global Replace will search and replace:
-Text
-Number
-Date Time
Note: You cannot search for a specific date and replace it with a fuzzy date.
4. Choose the fields you want to look in from the Available list of fields, moving them to the Selected list of
fields. The fields available will change depending on what is chosen in the Look In drop-down.
5. Click Submit.
Once you have completed the Global Replace action, return to the Work List on the Home page. If there
were any items that failed to code, they will be listed by their number under the Work List. You can then
resubmit Global Replace for those failed items.
Committing a Global Replace Job
You must manually commit a Global Replace job if you want to run another Global Replace job on the same
project before thirty minutes has elapsed. You can also undo a Global Replace job within that thirty minute
window.
To manually commit a Global Replace job
1. In the Work List on the Home page, select the Global Replace job.
2. Click Commit .
3. A Commit job will appear in the Work List.
4. (optional) Click Undo to cancel a Global Replace job. You cannot cancel a Global Replace job
once thirty minutes has elapsed from the job’s creation.
Running Searches Using Dates and Times in Search | 111
Using Dates and Times in Search
Using Dates and Times in Searches
You can perform searches based on dates and times. For example, you can perform searches based on the
date a files was created or when an email was sent or received. The following are examples of date or time
searches:
-2/2/2008 - this will find any item with text or a database date of 2/2/2008
-anydate = 2/5/2011 - this will find any item with an event occurring on 2/5/2011
-anytext = 2/5/2011 - this will find any item with a date of 2/5/2011 in the text
-receiveddate = 12/18/2011 - this will find emails that were received on 12/18/2011
-receiveddate between 12/17/2011 and 12/19/2011 - this will find emails that were received between those
dates
-receiveddate > 12/17/2011 - this will find emails that were received after 12/17/2011
-receiveddate < = 12/17/2011 - this will find emails that were received on or before 12/17/2011
How Time Zone Settings Affect Searches
By default, date and times from metadata that you see in Review are in UTC format. These dates and times are
converted to UTC when data is entered in a project. As a result, by default, email dates and times, and file stamp
date and times are displayed in the UTC time zone.
However, an administrator can configure a Display Time Zone for a project. If this was done, then all dates and
times are offset to be shown in the specified time zone. For example, suppose an email was sent on 1/1/ 2010 at
1:15 am based on UTC time. If the project was set to the display the Pacific Time Zone, the email sent data
would have an -8:00 offset. As a result, it would have a sent date and time of 5:15 pm on December 31, 2009.
The offset does apply not to dates or times that are in the text body of a document, only dates in the metadata--
for example, file creation dates, email sent dates. As another example, if an email is a reply, the date and time of
the original email is in the email but simply as text, not metadata.
If you perform a search based on a metadata date or time, be aware the Display Time Zone will be used, not the
UTC date and time.
Viewing the Display Time Zone
To the Display Time Zone settings for a project
1. On the Home page in Review, select the case.
2. On the (Info) page, view the Display Time Zone value.
The time zone and the offset from UTC is displayed.
Running Searches Using the Search Excerpt Report | 112
Using the Search Excerpt Report
After performing a search, you can generate a Search Excerpt Report. You generate and see this report in the
Search Excerpts panel. This panel is now included by default in the Search layout.
You can generate the Search Excerpt Report after you have completed a search. When you generate the
Search Excerpt Report, a dtSearch job is run in the background on the text of the documents. The Search
Excerpt Report contains a list of all of the items that have search hits.
The excerpts can viewed in two different tabs:
-Document Type - Items are clustered by document type, such as email Message, Microsoft Word,
PowerPoint, PDF, and so on. Under each Object ID item, there is a list of excerpts of the text that
contains the search hits.
-Search Context - You can display the 1, 2, or 3 words before and after each search term hit. This lets you
more easily find the results you are looking forward by seeing the search term in context with other words
within each excerpt.
You can click either the item or the excerpt and the document is shown in the Natural view and the search results
and the excerpts are highlighted.
The Search Excerpt uses dtSearch to search for text strings. dtSearch will find exact terms unless you use
wildcards. For example, if your initial search is for the word document, other forms of the word, like documents or
Running Searches Using the Search Excerpt Report | 113
documented will be highlighted as a partial hit, but will not be shown as excerpts --it will not show excerpts of text
containing documents or documented. However, if your search includes a wildcard, like document*, then it will
display excerpts for all forms of the word.
Also, the dtSearch will not return excerpts for search results that do not contain text strings. For example, you
can search on a database property such as ObjectID > 50. Because there are no text hits, no excerpt scan be
generated.
You can also save and download a Search Excerpt report in CSV format.
To access the Search Excerpt panel
1. Open a project in Review.
2. Click the Layouts drop-down.
3. Click Panels.
4. Make sure that the Search Excerpt panel is checked.
5. If it is already checked, click the Search Excerpt panel in Review.
To generate the Search Excerpt Report
1. Run a search and let it complete.
2. In the Search Excerpt panel, click Create Search Excerpt Report.
A dtSearch job is run in the background to generate the list.
3. Click the Document Type tab.
The resulting view lists all items that contain the search results.
The items are clustered by document type, such as email Message, Microsoft Word, PowerPoint, PDF,
and so on.
3a. Expand a document category.
All of the items are listed by their ObjectID.
It also shows how many excerpts within that item meet the search results.
3b. Expand an item.
One or more excerpts containing the matching search hit from within the document are displayed.
4. Click the Search Context tab.
The resulting view lists all items with the default search context of:
-Sort Children: By Excerpt Hits
-Return: Top 10
-1 word before
-0 words after.
4a. Change any of the properties and click Refresh.
Sort Children By: This determines how the children are sorted.
- By Excerpt Hits
- By Object ID
- Document type
Return Top (10, 20, or 50)
Words before term (0,1,2)
Words after term (0,1,2)
Running Searches Using the Search Excerpt Report | 114
5. You can do one of the following:
-Click an Object ID item.
If you click an item, the document is opened in the Viewer and the search results are highlighted in
the document.
-Click an excerpt.
If you click an excerpt, and if the document has been converted to SWF, the document is displayed
in the Standard Viewer, and the whole excerpt is highlighted along with the search results. If the
document has not been converted to SWF, the document is displayed in the Alternate File Viewer
and only the search results are highlighted.
See Using the Standard Viewer and the Alternate File Viewer on page 78.
Performing either of the above actions will filter the Item List to the item you are viewing.
6. To restore the Item List to include all of the documents from the search, click Return Item List to
Search Results.
7. To save and download a report, click Save.
Running Searches Using Search Reports | 115
Using Search Reports
About Search Reports
You can generate, download, and view search reports. The search reports provide a history of a search and
information about the results.
The reports are saved in XLSX format. The report has the following XLSX sheets:
Generating and Downloading a Search Report
After you have generated a search report you can download it in one of two ways:
-In Review, from the Search Options.
-On the Home page, on the Reports tab, under Search Reports.
To generate and download a search report
1. In Review, after performing a search, click Search Options.
2. Click Search Report Options > Generate Search Report.
After several seconds, the report is generated.
To download the report, click Download Search Report.
3. Select to Open or Save the report.
By default, the report is saved in the browser’s Downloads folder as Search History Report - n.
You can use Save As to specify a filename and path.
Search Report Sheets
Sheet Description
Details Includes the following:
-The date and time of the search
-Who performed the search
-Which phrase was searched for
-Which search options were used
-Information about the files that were in the search results
Filters Which facets were included and excluded and which Quick Filters were applied.
Documents Group Any related Document Groups
Hits by Type Details which file types hits were found in
Keywords Details hit counts for each keyword used
Files Details of the files for the search hits
Running Searches Using Search Reports | 116
About the Search Report Details
The following table describes some of the information provided in the report details.
Search Report Details
Field Description
Total Files Includes all emails and eDocs that match the search criteria.
Unique Family Items This count is the number of files where any single family member had a keyword
hit. If any one file within a document family had a keyword hit, the individual files
that make up this family are counted and added to this total. For example, one
email had 3 attachments and the email hit on a keyword, a count of 4 files would
be added to this count as a result.
Unique Family Emails This count is the number of emails that have attachments where either the email
itself or any of the attachments had a search hit. This count is for top level
emails only. Emails as attachments are counted as attachments.
Unique Emails with no
Attachments This count is the number of the emails that have no attachments where a search
hit was found.
Unique Loose eDocs This count is the number of loose edocuments where a search hit was found.
This does not include attachments to emails, but does count the individual
documents where a hit was found from within a zip file.
Total Hit Count This count is the total number of hits that were found within all of the documents.
Max Relevancy This is the maximum relevancy score achieved with the search criteria. *
Min Relevancy This is the minimum relevancy score achieved with the search criteria. *
Note: * Max and Min relevancy scores are calculated based on the total number
of hits in the document as a percentage of the maximum number of hits found
in a during the search when performing an index search. For example, if one
document contains 50 hits but another document in the results has 100 hits
(and that’s the max) then the first document will be scored as 50% relevant
and the second document will be scored as 100% relevant. These relevancy
scores are only relative within a single search set. They may vary when the
search set is increased or decreased. Additionally, some searches are run
against the database instead of the index and these searches will always get a
100% relevancy score. A database search would be one that requests
information within a specific field or non-indexed field such as “ObjectID =
xxx”.
Running Advanced Searches Running an Advanced Search | 117
Chapter 10
Running Advanced Searches
Running an Advanced Search
If using a simple search does not return the results you expected, you can use advanced searching techniques
to pinpoint relevant data and privileged information.
AccessData software uses the utility dtSearch to index project data. In Advanced Searching, you can query the
index using a specialized query language. In addition to extended searching capabilities, the index allows
searches to be returned in seconds instead of the minutes or hours that are required for a standard linear
search.
Note: In order for a document to be indexed for search, it must contain at least six characters in the file.
Documents with less than six characters will not be indexed. However the metadata in those documents
will be indexed normally.
Note: When searching using the DocDate or NoteDate fields, you must search using a YYYYMMDD format
regardless of how your date fields are formatted for display.
For more information on using dtSearch syntax, you can view technical papers on the AccessData web site:
http://www.accessdata.com/technical
To run an advanced search
1. Log in as a user with Run Search privileges.
2. Click the Project Review button in the Project List panel next to the project.
3. In Project Review, ensure that the Project Explorer, the Item List, and Natural panel are showing.
4. Populate the data in the Item List with the data that you want to search within.
See Selecting the Data that you Want to Search In on page 101.
5. Click the Search Options button in the Item List panel and select Advanced Search.
Running Advanced Searches Running an Advanced Search | 118
Advanced Search Dialog
6. In the Information section, do the following:
6a. Enter a Name for the search if you want to save the search. Otherwise, the search will appear in
the Recent Searches list and will not be able to be saved.
6b. (Optional) Select the type of Variation you want to include in your search.
See Understanding Advanced Variations on page 121.
6c. In the text field, enter the free form text you want to include in the search. Freeform searching lets
you combine keyword, boolean, and regular expression criteria to perform a search on evidence
files.
See Using the Term Browser to Create Search Strings on page 122.
6d. To add related terms for the words you entered, click Expand All.
See Using the Term Browser to Create Search Strings on page 122.
6e. To import a list of terms from a TXT file, click Import Terms.
See Importing Index Search Terms on page 123.
7. Expand the Conditions section to search within the fields/columns of the documents.
Conditions
8. In the Conditions section, do the following:
8a. Select a field that you want to search within.
See the Project Manager Guide for more information on creating custom fields.
Running Advanced Searches Running an Advanced Search | 119
8b. Select an Operator from the drop-down.
See Using Search Operators on page 103.
See Using Boolean Logic Options on page 105.
8c. Select or enter a value using the following:
Field: Enter text or symbols.
Date: Enter a date or click the calendar to select a date.
Look up button: Click the blank button to look up available search criteria for the selected field.
8d. Select either “And” or “Or” as the connector.
See Using Boolean Logic Options on page 105.
8e. Click Add Row to add additional conditions.
8f. Set parenthetical criteria. Then, click Validate Grouping to validate your parenthesis.
9. Expand Result Sorting to select the column by which you want the search results to be sorted. The
column does not need to be visible to sort by it.
Result Sorting
9a. In the Sort By drop-down, select the field you want to sort by.
9b. In the second drop-down, select whether you want to sort by Ascending or Descending.
10. Click Search.
Advanced Search Operators
The following search operators are available in the advanced search:
Advanced Search Operators
Operator Description
Equal Searches for the exact value entered.
Not Equal Searches for everything in the selected field except the exact value entered.
Exists Searches for the existence of data within the selected field.
Fails Searches for all documents that do not contain data within the selected field.
GreaterThan Searches for a number greater than the value entered.
GreaterThanEqualTo Searches for a number greater than or equal to the value entered.
LessThan Searches for a number less than the value entered.
LessThanEqualTo Searches for a number less than or equal to the value entered.
Contains Searches for the value entered within a string. The value should be a full word. If
you want to search for a partial word, you need to include the * operator.
Running Advanced Searches Running an Advanced Search | 120
The search operators available depend upon the field selected to search. Not all search operators are available
for all fields.
Advanced Search Operators Exceptions
The ProductionSetID column contains values for exported files from both Export Sets and Production Sets and is
used for associating exported files with the original file. This column is populated with queries from multiple
tables and does not operate like other standard metadata columns. Search operators will return different results
than expected with other columns. You can expect the following results when searching the ProductionSetID
column:
NotContains Searches for everything except the value entered. The value should be a full word.
If you want to exclude a partial word, you need to include the * operator.
Between Searches between a range of dates or numbers.
NotBetween Searches for all dates or numbers except the range selected.
Search Operators Exceptions for ProductionSetIDs
Operator Results
Exists Search results return only the produced document.
Fails Search results return source documents and not the produced copy.
Contains Search results return only the produced document.
Not Contains Search results return source documents and not the produced copy.
Advanced Search Operators (Continued)
Operator Description
Running Advanced Searches Understanding Advanced Variations | 121
Understanding Advanced Variations
The following table describes the Variation options in the Information section of the Advanced Search dialog.
Variation Options in the Advanced Search Dialog
Search Variations Description
None No search variations are applied.
Stemming Finds grammatical variations on word endings. For example, stemming reduces
the words “fishing,” “fished,” “fishy,” and “fisher” to the root word “fish.”
Phonic Finds words that sound like the word that you are searching and begins with the
same first letter. For example, searching for “whale” using phonic, would also find
wale and wail.
Synonyms Finds word synonyms. For example, searching on “fast” would also find “quick”
and “rapid.” You can enable this option for all words in a request. You can also
add the “&” character after certain words in your request.
Related Finds all words in the search criteria and any related words from the known
related categories.
Fuzzy Finds words that have similar spellings, such as “raise” and “raize.” You can
enable this option for all words in a request.
The level of fuzziness that you can set is 1-10. The higher the level of fuzziness,
the more differences are allowed when matching words, and the closer these
differences can be to the start of the word. Setting too many letter differences
may make the search less useful.
Dragging the slider bar to the right increases the number of letters in a word that
can be different from the original search term.
Dragging the slider bar to the left decreases the number of letters in a word that
can be different from the original search term.
You can also add fuzziness directly in the search term you enter using the “%”
character. The number of % characters that you add determines the number of
differences that are ignored when you search for a word. The position of the %
characters determines how many letters at the start of the word have to match
exactly.
For example, “ca%nada” must begin with “ca” and have just one letter difference
between it and “canada.” Whereas, “c%%anada” must begin with “c” and have
only two letter differences between it and “canada.” In another example,
marijuana can be spelled “marihuana” or “maryjuana.” In this project, your
search expression could be “mar%%uana.”
As with the fuzzy slider bar setting, you should exercise care when you use
multiple % symbols because the number of junk hits rises quickly with each
added error.
Running Advanced Searches Using the Term Browser to Create Search Strings | 122
Using the Term Browser to Create Search Strings
You can create a search using terms that are related to any keyword. You can use the Term Browser to generate
a list of similar words. You then select which words you want to include in the search.
For example, you may start with a keyword of “delete.” By using the Term Browser, it will suggest synonyms,
such as “erase” and “cut.” It will also suggest related terms, such as “cut,” “deletions,” “excise,” and “expunge.” It
will also suggest general related terms, such as “censor,” “remove,” “take,” and “withdraw.” You can select which
of those words to include in your search.
To search for terms using related words
1. In Project Review, in the Item List panel, click Search Options > Advanced Search.
2. Enter a keyword.
3. Click Expand All.
Term Browser
4. In the Term Browser, highlight the keyword.
A list of synonyms is generated.
5. To add other related words, select the Include Related, Include Specific, and Include General check
boxes.
6. Select the words that you want to include in the search or click Variations to select all words.
7. To build a search including the words that you selected, click Apply.
8. You can edit the search or run it by clicking Search.
Running Advanced Searches Importing Index Search Terms | 123
Importing Index Search Terms
You can import a list of search terms. This lets you reuse a list of search terms that you saved from previous
searches, or that you saved for documentation purposes. You can import terms for CSV or TXT files.
To import a saved search terms file
1. In Project Review, in the Item List panel, click Search Options > Advanced Search.
2. Click Import to import a set of search terms.
3. Select the text file that you previously saved.
4. Click Open.
Using the Search Tab The Search Tab | 124
Chapter 11
Using the Search Tab
The Search Tab
The Search tab in the Project Explorer can be used to view recent searches, your searches, and shared
searches.
Search tab in Project Explorer
Elements of the Search Tab
Element Description
My Searches Displays all the searches that the logged-in user has saved.
See Saving a Search on page 126.
Users can run, delete and edit saved searches.
Users can also share their searches. If you share a search, it is moved to the Shared
Searches folder.
See Sharing a Search on page 127.
Using the Search Tab Running Recent Searches | 125
Running Recent Searches
When you execute a search, the search conditions are saved. You can view and reuse recent searches. The last
ten searches are saved in the Recent Searches. To run recent searches, you must have the Run Searches
permission.
To run a recent search
1. Log in as a user with Run Searches permissions.
2. Click the Project Review button in the Project List panel next to the project.
3. In Project Review, ensure the Project Explorer is showing.
4. Click on the Searches tab.
5. Expand the Recent Searches.
6. Right-click the search and select Run Search.
The search is run using the original search scope and the original search criteria. The search results
appear in the Item List panel.
Clearing Search Results
After you have performed a search, the items in the Item List are the result of the list. You can clear the search
result to view the documents in the Grid before you performed the search.
To clear search results
1. In Project Review, ensure the Item List panel is showing.
2. Click Search Options > Clear Search.
Recent Searches Every time a search is performed by the logged-ed in user, it is saved in the Recent
Searches folder. The last 10 searches are saved here in chronological order. Users can
run and delete searches from Recent Searches.
Shared Searches Displays all the shared searches that the user has permissions to access. Users can
run searches from Shared Searches.
Elements of the Search Tab (Continued)
Element Description
Using the Search Tab Saving a Search | 126
Saving a Search
You can save any advanced search that you design in the Advanced Search Builder. All saved searches are
stored in the Searches tab of the Project Explorer. You can use saved searches to run past searches again or to
share your search with a group of users.
To save a search
1. Log in as a user with Run Search privileges.
2. Click the Project Review button in the Project List panel next to the project.
3. In Project Review, ensure that the Project Explorer, and the Item List panel are showing.
4. Populate the data in the Item List with the data that you want to search within.
See Selecting the Data that you Want to Search In on page 101.
5. Click the Search Options button in the Item List panel and select Advanced Search.
6. Enter a Name for the search.
7. Enter criteria for the search.
See Running Recent Searches on page 125.
8. Click Save.
Using the Search Tab Sharing a Search | 127
Sharing a Search
You can share your saved searches with other groups of users. To share a search, you need to have the
Manage Searches permission.
To share a search
1. Log in as a user with Manage Searches permissions.
2. Click the Project Review button in the Project List panel next to the project.
3. In Project Review, ensure the Project Explorer is showing.
4. Click on the Searches tab.
5. Expand My Searches.
6. Right-click the search and select Manage Permissions.
Assign Security Permissions
7. Check the groups with which you want to share the search.
8. Click Save.
Using Filters to Cull Data Filtering Data in Case Review | 128
Chapter 12
Using Filters to Cull Data
Filtering Data in Case Review
In Project Review, you can filter evidence to help view only relevant evidence for the project. After filtering data,
the results are then displayed in the Item List. You can also use searches and column sorting to help you further
review and cull down evidence.
About Filtering Data with Facets
You can filter data using facets. Facets are properties of a document that you can include or exclude. The
following are a few example of facets:
-Object type and object sub-type (File > Email, File > Spreadsheet, Disk Image, Partition)
-File extension type (EXE, DLL, TXT, GIF, DOC, XLS)
-File category (Documents, Email, Graphics, Audio Multimedia, Video Multimedia)
-File Size (Small, Medium, Large)
-Email Senders Address
-Email Recipients Address
-Email by Date
See Available Facet Categories on page 133.
That facets that are available to use are based on your evidence. For example, if there are no XLSX documents
in your evidence, the XLSX facet is not displayed.
By default, when you first open a project in Project Review, all facets are applied, and as a result, all evidence is
listed in the Item List. You can use the facets to include or exclude evidence from the Item List. You can choose
one or more facets within a single category or you can choose facets across multiple categories.
For example, you can filter evidence to only display emails sent by one person to another person with a certain
date range. As another example, you can filter evidence to display only DOC or DOCX files that have a specific
label applied.
Applied facets are persistent across searches and have to be cleared by you manually.
Note: When you cull data with facets, this filtering will override and clear other filters applied to the Item List,
including Search and Column Filters.
Using Filters to Cull Data Filtering Data in Case Review | 129
About Dynamic Facets
Most facets are now dynamic. When you select and apply a facet, all other facet categories will reflect the results
of the previously selected facet. Other categories will only show facets that have data based on the applied
facet.
For example, suppose that before applying any facets, that under File Extensions, there are 25 DOCX files of
various file sizes. And then suppose you apply a facet to include only Large files. When you look at the File
Extensions filter again, you will only see the number of DOCX files that have a Large file size.
However, applying column filters, column filters, or searches does not affect facet counts.
About Sortable and Searchable Facets
Some facet categories include a pre-configured set of facets. For example, under the File > File Size facet
category, there will be a maximum of five facets: Tiny, Small, Medium, Large, and Huge.
Using Filters to Cull Data Filtering Data in Case Review | 130
Some facet categories include a dynamic set of facets based on the files in the evidence. For example under the
File > File Extensions facet category, facets are shown for all of the file extensions that exist in the evidence.
These facet categories can potentially have a very large number of facets. A project could easily include dozens
of different file extensions.
Facet categories that have a large number of facets have additional features that help you use them:
-By default only nine facets are shown but you can select to see more.
-Facets are sortable.
By default, the facets are sorted by the facets with the most hits. When you open a category, by default
the nine facets with the most hits are shown. You can use the following sort orders:
Ascending by name
Descending by name
Ascending by the number of hits
Descending by the number of hits
-You can search for specific values within the facets.
For example, if there are 100 email senders names, you can search for a certain name. You can clear the
search by clicking the red X.
Using Filters to Cull Data Filtering Data in Case Review | 131
About Excluding Tags Filters From a Facet Search
You can exclude Tags filters (categories, issues, labels, and summaries) from a facet search. The default for the
Tags facets are checked, or included. Clicking the check box once actively excludes the facet in filters group.
Clicking the check box a second time clears the check box and the facet is not included in the facet search.
When excluded, a red x appears in the facet check box, indicating that the facet is excluded. The hyperlink to
apply the excluded facet is disabled. You need to be aware of the following considerations when excluding Tags
facets:
-For labels, the exclude feature applies to all labels in a group. However, if there are children under the
labels, and one child label is selected for exclusion while another is not, the label group appears blank.
This is because you cannot include a whole label group when one of the child labels is excluded.
-For issues, you can exclude or include an individual issue. Additionally, you can exclude a child issue
while including a parent issue or vice versa.
-If you have a document that has been assigned a tagged item that is included in a facet in the Tags filter
and has also been assigned a tagged item that is excluded in a facet in the Tags filter, the facet does not
display the document. For example, a document may be tagged with both Tag 1 and Tag 2. If all
documents with Tag 1 are included in the facet and all documents with Tag 2 are excluded in the facet,
the document with both Tag 1 and Tag 2 is not posted to the Item List. The exclusion takes precedence.
This is because exclusions and inclusions in facets act as an AND property, not as an OR property.
The Facets Tab
The Facets tab in the Project Explorer in Project Review lists the available facets to apply to documents. You can
filter evidence to help view only relevant evidence for the Project. After you have applied facets, the results are
then displayed in the Item List. You can also use searches along with column sorting and filtering to help you
further review and cull down evidence.
The Facets tab in the Project Explorer allows you to filter before (and maintain after) conducting any searches.
This allows targeting specific areas of data for search and review with persistent facets. You may maintain the
applied facets as long as desired.
You can use one or more facets within a single filter or one or more facets across several categories to cull down
the evidence. By default, when you first open a project in Project Review, all filter facets are applied, and as a
result, all evidence is listed in the Item List. You use the facets to exclude evidence from the Item List.
Using Filters to Cull Data Filtering Data in Case Review | 132
Facets Panel
Only the top nine facets of a filter display when you expand a category. To see all the facets in a category, click
More... to display a facet dialog. Many categories also contains a search field that searches for facet hits within
that particular category.
The facets that appear in the Facets tab depends upon the product license that you have.
Using Filters to Cull Data Filtering Data in Case Review | 133
Available Facet Categories
The following table lists facets that may be available in the Facets tab of the Project Explorer.
Note: The Evidence Explorer and Custodian Facet counts are reduced when Family data uploaded by
Evidence Processing is updated by a CSV import. Existing documents that are updated by the CSV
import are removed from the Evidence Explorer and Custodian Facets.
Depending on your license, some filters may not be available.
General
Facet Category
General Filters Description
Evidence Explorer Filters evidence based on the source of the evidence.
Note: If you add new evidence to either an existing or an upgraded project,
only the new evidence that has been added will populate this filter.
Custodians Filters evidence based on people or custodians associated to the items is a
project.
Authors Filters evidence by author of Microsoft Office documents.
Object Types
Object Sub-Type
Filters evidence based on the Object Type. You can expand an ObjectType facet
for a list of object sub-type facets.
See Object Types (page 144)
Tags Facet Category
Tags Filters Description
Issues Filters evidence based on issues tags. You can still filter for issues under the
Tags tab.
Labels Filters evidence based on labels tags. You can still filter for labels under the Tags
tab.
Categories Filters evidence based on category tags. You can still filter for categories under
the Tags tab.
Case Organizer Filters evidence based on summaries. You can still filter for summaries under the
Tags tab.
Production Sets Filters evidence based on production sets. You can filter out the produced
records from the normal view.
When a production set is created, a new facet is added to the Production Set
Facet and by default this facet is set to exclude those records from the Item List
grid. These records can be displayed by simply clicking the facet until you have a
check mark and then applying the setting.
Using Filters to Cull Data Filtering Data in Case Review | 134
Viewed Documents Lets you show or hide items within your project based on whether or not they
have been viewed by any user.
The Viewed facet value breaks the count of viewed documents down by user.
If a document is viewed by multiple users, the document will be counted within
each user’s facet value.
Administrators can see all users. Other users can see themselves and other
users in their user group.
Email Facet Category
Email Filters Description
Email Senders Display
Name Filters evidence based on the email senders display name.
Email Senders Address Filters evidence based on the email senders address.
Email Senders Domain Filters evidence based on the email senders domain.
Email Recipients Display
Name Filters evidence based on the email recipients display name.
Email Recipients Address Filters evidence based on the email recipients address.
Email Recipients
Domains Filters evidence based on the email recipients domain.
Email Recipients BCC Filters evidence based on BCC recipient address, display name, and domain.
Email Recipients CC Filters evidence based on CC recipient address, display name, and domain.
Email Recipients To Filters evidence by To recipient address, display name, and domain.
Email by Date Filters evidence by email date. You can select to filter by the Delivered date or
the Submitted date.
Email by Date Range Filters evidence by either the delivered (received) date or by submitted (sent)
date. You can enter a start range or/and an end range. Both fields are not
required for the search.
Email Status Filters evidence by email status, including: attachments, related items, replies,
and forwarded.
File Filters Facet Category
File Filters Description
File by Date Range Filters evidence by the Date Range: by modified date, by creation date, and by
accessed date. You can enter a start range or/and an end range. Both fields are
not required for the search.
Tags Facet Category (Continued)
Tags Filters Description
Using Filters to Cull Data Filtering Data in Case Review | 135
For information about KFF, see Reviewing KFF Results (page 354)
File Extensions Filters evidence by file extension, including: .doc, .docx, .log, .msg, .rtf, .txt, .wpd,
.wps. This filter is both sortable and searchable.
File Size Filters evidence by file size.
-Empty = 0KB
-0KB < Tiny <= 10KB
-10KB < Small <= 100KB
-100KB < Medium <= 1MB
-1MB < Large <= 16MB
-16MB < Huge <= 128MB
-128MB < Gigantic
File Category Filters evidence by file category, including: archives, databases, documents,
email, executables, folders, graphics, internet/chat files, mobile phone data,
multimedia, OS/file system files, other encryption files, other known types,
presentations, slack/free space, spreadsheets, unknown types, and user types.
File Status Filters evidence by file status, including: bad extension, email attachments, email
related items, encrypted files, and OLE sub-items.
KFF Facet Category
KFF Filters Description
KFF Vendors Filters evidence by vendor as listed in the KFF Vendor field.
KFF Groups Filters evidence by group as listed in the KFF Groups field.
KFF Statuses Filters evidence by status according to the KFF Statuses field. There are two
possible KFF Statuses, Unknown (0), Ignore (1), and Alert (2). The KFF Status,
Ignore (1) is not included in an evidence search because it was already ignored
by KFF during the initial evidence search.
KFF Sets Filters evidence by sets at listed in the KFF Sets field. KFF Sets contain multiple
document hashes.
Geolocation Facet Category
Geolocation Filters Description
From Country Name Filters evidence by the country that the communication originated from.
To Country Name Filters evidence by the country that the communication was sent to.
From City Name Filters evidence by the city that the communication originated from. Example:
San Francisco, San Jose, Los Angeles.
File Filters Facet Category (Continued) (Continued)
File Filters Description
Using Filters to Cull Data Filtering Data in Case Review | 136
For information about Geolocation, see Using Visualization Geolocation (page 162).
Examples of How Facets Work
Including and Excluding Items
Next to each facet within a filter is a check box. By default, all facets within each filter are selected. Next to each
facet is also a count of the number of files that match that facet’s criteria.
To City Name Filters evidence by the city that the communication was sent to. Example: San
Francisco, San Jose, Los Angeles.
From Continent Filters evidence by the continent that the communication originated from.
To Continent Filters evidence by the continent that the communication was sent to.
Document Content Facet Category
Document Content
Filters
Description
Cluster Topic Filters evidence by clusters of similar documents. These clusters are determined
by cluster analysis of the documents.
See Using Cluster Analysis in the Admin Guide.
Credit Card Numbers Filters evidence based on extracted credit card numbers.
See Using Entity Extraction in the Admin Guide.
Email Addresses Filters evidence based on extracted email addresses found within the body of
documents, not in the email meta data.
For Email addresses found in To: or From: fields in Email meta data, use the
Email facet category.
See Using Entity Extraction in the Admin Guide.
People Filters evidence based on extracted people's names.
See Using Entity Extraction in the Admin Guide.
Phone Numbers Filters evidence based on extracted phone numbers.
See Using Entity Extraction in the Admin Guide.
Social Security Numbers Filters evidence based on extracted social security numbers.
See Using Entity Extraction in the Admin Guide.
Geolocation Facet Category (Continued)
Geolocation Filters Description
Using Filters to Cull Data Filtering Data in Case Review | 137
The following figure shows an example of the File Category filter with all of the individual facets in that category.
As an example of how you can use this category, to help reduce irrelevant files, you can exclude executable and
system files.
For each facet, there is also a link labeled Only. You can click Only for a facet and that one facet will be checked
and all other facets within that filter will be cleared. This action only affects that particular filter that you are
working with. All other filters in the Facet Panel will remain as you have previously set them.
You can also click on the facet name which will exclude all other facets and all other filters.
See Using Facets on page 141.
Using Filters to Cull Data Filtering Data in Case Review | 138
Excluding Tags Facets
In addition to using the Only link, you can exclude Tags filters (categories, issues, and labels) from a facet
search. This allows you to further narrow and refine your facet scope.
The default for the Tags facet displays as checked or included. Selecting the check box once actively excludes
the facet in the Tags filters. Selecting the check box a second time clears the check box and the facet is not
included in the facet search.
When excluded, a red x appears in the facet check box, indicating that the facet is excluded. The hyperlink to
apply the excluded facet is disabled.
You need to be aware of the following considerations when actively excluding Tags facets:
-For labels, the exclude feature applies to all labels in a group. However, if there are children under the
labels, and one child label is selected for exclusion while another is not, the label group appears blank.
This is because you cannot include a whole label group when one of the child labels is excluded.
-For issues, you can exclude or include an individual issue. Additionally, you can exclude a child issue
while including a parent issue or vice versa.
-If you have a document that has been assigned a tagged item that is included in a facet in the Tags filter
and has also been assigned a tagged item that is excluded in a facet in the Tags filter, the facet does not
display the document. For example, a document may be tagged with both Tag 1 and Tag 2. If all
documents with Tag 1 are included in the facet and all documents with Tag 2 are excluded in the facet,
the document with both Tag 1 and Tag 2 is not posted to the Item List. The exclusion takes precedence.
This is because exclusions and inclusions in facets act as an AND property, not as an OR property.
Using a Single Facet
You can filter your evidence based on one or more facets within a given filter or based on one or more facets
across multiple filters. There may be times when you want to use a single facet.
For example, there is a filter category called Tags. Inside that category is a filter called Labels. Nested inside the
Label filter are facets for each of the labels that have been used in the project. You can clear all but one label
facet and only the files with that label are displayed; all other files are excluded.
However, the action of clearing all but one label facet will not exclude documents with multiple labels, if one of
those labels is within the scope of the selected label facet. Even if the non-selected label facet is left unchecked,
documents with multiple labels will be included.
Using Multiple Facets in a Single Category
You can filter evidence using multiple facets within a single filter category. For example, there is a filter category
called File Category. Inside that category are individual filter facets for each type of files that are in the project
(archives, documents, emails, graphics, spreadsheets, and so on.) You can exclude the types of files that you do
not need to review while leaving the file types that you do want to review.
Using Filters to Cull Data Filtering Data in Case Review | 139
Using the N/A Facet
In most of the filter categories, there is a special facet that is labeled N/A, which stands for “not applicable.” If you
check this, the filter will display items to the results that are not applicable to that category.
For example, if you apply a single facet for one or more email addresses, and N/A is unchecked for that
category, then the only results will be records that contain an email address. If you also check N/A, then other file
types will also be displayed, such as documents, spreadsheets, and PDFs, because they don’t have an email
address property.
As another example, you can see a list of all files that do not have a person applied to them. In the People
category, you can select only the N/A facet, and that excludes all files that have a person applied.
If your project has no files that pertain to a filter, it will show N/A as the only item in the facet.
Refining Evidence Using Facets in Multiple Categories
You can use multiple facets together in order to further refine your evidence. For example, you may have applied
a facet for a single person and want to refine it further to only include spreadsheets and documents that are
related to that person. You can apply another set of facets for file extensions choosing to exclude all files but
Documents and Spreadsheet files. By combining the two facet categories, you can display only spreadsheets
and documents that have a certain person.
Assume you want to find all the PDFs associated with a person named Sarah. In the Person filter, you would
deselect all facets except for Sarah, who has 20 files of multiple file types associated with her. In the File
Extensions filter, you would deselect all facets except for PDF, which has 40 different people associated with it.
Since five of those PDFs are associated with Sarah, only those five PDF would display in the results.
Almost every filter can be used together to find information. Most filters treat the combination as a Boolean AND
operator in conjunction with other filters. (In the example of Sarah and the PDFs, the search syntax was: Where
Person = Sarah AND File Extension = PDF.) The only filters that cannot act as an AND operator against other
filters are Email Sender’s Display, Address, and Domain, as well as the Email Recipient’s Display, Address, and
Domain filters. These filters act as OR operators.
You would use the filters with the OR operator functionality when you wanted results that produced returns of
two different sets of data. For example, if you were to select the Sarah facet under the Email Senders Display
filter and the accessdata.com facet under the Email Senders Domain, you would get results of all emails where
the email was sent by Sarah. You would also get results of all the emails that were sent within the
accessdata.com domain. The search syntax would be: Where Email Senders Display = Sarah OR Email
Senders = accessdata.com.
If you want to narrow the scope of your search using OR filters, you must use a filter that operates as an AND
operator with one of the filters that operate as an OR. For example, if you were to select the Sarah facet under
the Email Senders Display and the Larry facet under the Email Recipients To, this would return results of emails
that contained both Sarah in the Email Senders Display field, and Larry in the Email Recipients To field.
Using Filters to Cull Data Filtering Data in Case Review | 140
Examples of Using Facets in Multiple Categories
Assume you need to create an export set of a specific person’s data, but at the same time, remove anything that
is obviously unimportant to reviewers. You can do the following:
-Using the People category, select only the one person.
-Using the File Extensions category, exclude unimportant file types, such as EXE and DLL files.
-Using the Email Senders Domain category, exclude all emails that came from ESPN.com and
Comcast.com.
As another example, a development in a project may reveal that some very important evidence may exist as an
email attachment sent either to or by a person within a specific date range. You can do the following:
-Using the People category, select only the one person.
-Using the File Status category, select only Email Attachments.
-Using the Email by Date category, select only emails delivered in March and April of 2009.
Email Recipient and Senders Facet Counts
When viewing facets, a count of the items related to each facet is displayed. For any given facet that is selected,
the filter count will be part of the total number of items displayed in the Item List. For example, suppose you
configure facets to show only PDF and XLS files and the facet counts show 6 PDF files and 4 XLS files. In the
Item list, only the 10 PDF and XLS files will be displayed. The total of the two facet counts will match the number
of files in the Item List.
There is a situation where the facet count may be higher than the count of items in the Item list. There are six
different filters that are related to email recipients and senders. To help reduce the length of the list of recipients,
there is a first-level division that contains alphabetical ranges of the names that are used. For example, ABurr --
> AHamilton, ALincoln --> ASteveson, and so on. From that first level, you can drill down to individual names.
The facet counts displayed for the first levels (a range of names) may by higher than the number of emails in the
Item List. The reason is that a single email may have been sent to multiple recipients. In the Item List, that email
is reflected as one single item, yet in the first-level list of the facet, the counts may reflect 5 recipients of that one
email. Because there can be more recipients than emails, this can cause the first-level facet count to be higher
than the Item List count.
Using Filters to Cull Data Using Facets | 141
Using Facets
To use facets, you specify the items that you want to include. As you specify facets, the results are displayed to
the Item List. As you clear facets, files are removed from the Item List.
The Filters list denotes with an icon which facets you have configured.
Note: You must be careful when filtering evidence. Once evidence has been culled using a facet in the Facets
panel, the only way to display that evidence again is to recheck the specific facet or reset all of the facets.
No other facet will return the evidence to the item list.
To apply a single facet to evidence
1. In the Facets panel on the Project Review page, expand the filter category that you want to use.
For a list of filter categories, see Available Facet Categories (page 133).
To expand all categories, click Expand.
2. In the expanded filter, click the Facet name link.
Click this link to filter out all other facets and filters.
For example, in the filter, if you click the facet named Email, you will only get email messages.
3. To reset a single facet, click .
To apply one or more facets to evidence
1. In the Facets panel on the Project Review page, expand the filter that you want to use.
For a list of filters, see Available Facet Categories (page 133).
To expand all filters, click Expand.
2. In the expanded filter, perform one of the following tasks:
-Check: Manually check the items that you want to include.
-Uncheck: Manually uncheck the items that you want to exclude.
-Only: Click Only to uncheck all other facets in the filter.
-Expand: Many facets can be expanded to show dynamic facets. For example, in the Email By Date
filter, there is a Delivered facet. You can expand it to show detailed facets for years, months, or days.
3. Click Apply.
The Item List will change to display only the items that you filtered for.
When you change the configuration of a category, a appears next to the category name. This
shows you which categories have been configured.
4. (Optional) Repeat steps 2 and 3 as often as needed. After making any changes, you must click
Apply.
5. (Optional) To reset facets, do any or all of the following:
-To undo an individual facet, check the box for an item that you previously unchecked.
-To reset all facets in a single filter category, click the next to the filter name.
-To undo all filters, click Reset.
6. Click Apply.
Using Filters to Cull Data Caching Filter Data | 142
Caching Filter Data
If you use the same filters a lot, you can cache your results in the database so that the next time you use the
filter, your results will appear faster.
To cache a filter result set
1. Set filters that you commonly use in the Project Review.
2. In the Item List panel, select Options > Cache > Add current filter to cache.
Your data is cached in the database and the cached icon turns orange.
Cached Icon in the Item List Panel
Using Filters to Cull Data Filtering by Column in the Item List Panel | 143
Filtering by Column in the Item List Panel
You can filter the evidence in the Item List panel by the data in the columns. You cannot filter the content of the
first three columns. You can apply multiple column filters.
For ore information, see Filtering Content in Lists and Grids (page 36).
Note: Column Filters are applied after facet scope filters and visualization filters. Changing your facets scope or
visualization filters will clear the column level filters. Also, Column Filters do not persist and will be cleared
out when you either execute a new search or use the Clear Search button.
To filter evidence by data in columns
1. In Project Review, ensure the Item List panel is showing.
2. Select the document groups, labels, or issues that you want to view from the Project Explorer and click
Apply.
3. In the Item List panel, click on the column filters button .
4. Uncheck the items that you want to filter out of your view.
5. (Optional) You can use the Search field to search by keyword among the items in the column.
6. (Optional) Expand the Sort drop-down to sort the items in the column by ascending or descending hits
or values.
7. Click Apply.
All documents with the item that you unchecked are removed from the Item List panel.
Note: When you filter the ProductionDocID column, only the produced record value is displayed, not the source
document.
Clearing Column Filters
You can clear column filters that you have applied to the Item List panel.
To clear column filters
1. In Project Review, ensure the Item List panel is showing.
2. Select the document groups, labels, or issues that you want to view from the Project Explorer.
3. In the Item List panel, click on the column filters button .
4. Click Clear Filter.
Using Filters to Cull Data Object Types | 144
Object Types
You can use columns and facets to view an item’s Object Type and cull data based on the Item Types in your
evidence.
Some Object Types have Object Sub-Type data. For example, for the Endpoint Event object type, you can have
the following object sub-types: File Event, Network Event, Registry Event, and Endpoint OS Event.
With the ObjectType and ObjectSubType columns, you can search, filter, and sort on these columns in order to
quickly cull down the files that you are viewing.
The Object Type facets, which are under the General facet category, dynamically list facets for all of the object
types in your evidence. You can expand an ObjectType facet for a list of object sub-type facets.
The following table lists the object types and object sub-types that may exist in your data.
Object Types and Object Sub-Types
Object Types Object Sub-Types
Unknown
Partition
File System
Live Folder
Live File
Directory
File or Loose Files
(Listed in the Facets
as Files & Email)
Files that are added
through Import have
the object type of
Loose Files, whereas
files added as
evidence have the
object type of Files.
-Documents
-Spreadsheet
-Database
-Presentations
-Graphics
-Multimedia
-Email
-Executable
-Archives
-Folders
-Slack Free Space
-Other Known
-Mobile Device Items
-Encryptions Files
-Internet Chat
-OS Files
-Transcripts
-Exhibits
-Notes
Mailbox
Archive
Unpartitioned Space
Using Filters to Cull Data Object Types | 145
Carved File
Drive Remote
File Slack
File System Remote
Custodian Group
Removable Media File -Devices Inserted
-Devices Removed
-Files Copied From Device
-Files Copied To Device
Network Traffic -There are many types, for example, WebMail, SMTP email, Chat, and FTP.
Threat Scan
Endpoint Event -File Event
-Registry Event
-Network Event
-OSEvent
-ProcessEvent
Mobile
Case Organizer -Event
-Fact
-Person
-Question
-Research
-Pleading
-Summary
Volatile -There are many types, for example, Process, DLL, Socket, Driver, Service,
Registry Key, Registry Value
Object Types and Object Sub-Types (Continued)
Object Types Object Sub-Types
Using Visualization | 146
Part 4
Using Visualization
This part describes how to use visualization and includes the following sections:
-Using Visualization (page 147)
-Using Visualization Social Analyzer (page 154)
-Using Visualization Heatmap (page 160)
-Using Visualization Geolocation (page 162)
Using Visualization Culling Data with Visualization | 147
Chapter 13
Using Visualization
Culling Data with Visualization
Visualization allows you to see visual representations of data in the selected project and to filter the data, based
on the visualization graphs. The Visualization feature allows you to choose the type of graph in which to display
the data. The graphs are interactive, allowing you to isolate and search on sections of the graph. Once you
select how you want the data represented, you can apply the visualization filter to the data. The filtered data will
appear in the Item List, and you can apply additional scope filters and column filters to further cull the data.
You can also clear previous visualization filtering sessions in the Options > Visualization dialog. If no previous
visualization filter has been applied to the data, the Clear Visualization options are inactive.
You can apply visualization filters to the data in the following ways:
Files Visualization (page 148)
Emails Visualization (page 151)
About Geolocation Visualization (page 162)
Using Visualization Social Analyzer (page 154)
Using Visualization Geolocation (page 162)
Using Visualization Files Visualization | 148
Files Visualization
Files Visualization allows you to view and filter data in a project by using the same data that is posted in the Item
List grid. This allows you to cull the data in the Item List grid with filters before applying Files Visualization to the
data.
To access Files Visualization
1. Click Project Review.
2. In the Item List panel, click Options > Visualization > Files.
Important:
When you first open File Visualization, the Files grid will show only a portion of the total files. The
Files grid only shows the files that are currently filtered using the Visualization tool. Initially, the top
Timeline filter only covers a small part of the total timeline, as a result, you may not see many files
listed in the Files grid. You can expand or move the Timeline filter to show other files.
Files Visualization Panel
Using Visualization Files Visualization | 149
Files Visualization Options Panel
The following table identifies the tasks that you can perform from the File Visualization panel
.
File Visualization Panel Options
Element Description
Apply Visualization Applies the files that have been filtered in the visualization graph filters to the
Item List grid. Once applied, only those items filtered with visualization appear in
the Item List grid.
To remove the filters, re-enter files visualization and click Cancel.
Note: If you use the “check all” button in the visualization Files grid, be aware
that only the items on the current page will be selected.
Cancel Visualization Cancel the visualization graph filters and exit out of Visualization.
Options
Refresh Timeline Refreshes the Timeline pane.
Refresh Extensions Refreshes the Extensions pane.
Refresh Categories Refreshes the Categories pane.
Refresh Files Refreshes the Files pane.
Data -Scale - Choose to display the data scale either by logarithmic or by linear. If
this field is changed, data in the panes will refresh automatically.
-Metrics - Choose to display the data metrics either by size or by count. If this
field is changed, data in the panes will refresh automatically.
View -Timeline Data Type - Choose to display the data in the timeline, extensions,
categories, and files panes by date created, modified, or accessed.
-Timeline Graph Type - Choose to display timeline data by bar, line, area, or
scatter graph.
-Extension Graph Type - Choose to display extension data by bar or pie
graph.
-Categories Graph Type - Choose to display category data by bar or pie
graph.
Using Visualization Files Visualization | 150
Timeline Examine the data based on when the data was created, accessed, or modified.
You can highlight a specific period of time in the timeline and filter data based on
that specific time.
Extensions Displays the data by document’s extension, such as .doc or .dll. Only extensions
found in the data set will display in the graph. You can click a specific extension
in the graph’s list or graphic, and all files with that extension will appear in the
Files panel.
Categories Displays the data by category. The categories available by which to sort are
documents, spreadsheets, database, presentations, graphics, multimedia, email,
executables, archives, folders, slack free space, encryption files, internet chat,
operating system file, other known, unknown, user types, stego apps, and mobile
device items. You can click a specific category in the graph’s list or graphic, and
all files within that category will appear in the Files panel.
Files Displays the files represented by the visualization graphs. This list can be all of
the data set, or only files filtered by either timeline, extensions, or categories. You
can sort information in each column by clicking the column header.
History The History tab captures the movement of the box that isolates a time period
within the time line. Each time that you move the box along the timeline, a new
tab is created for that section of the timeline. Each section can be identified by
start date and end date. By clicking one of the History tabs, you can examine the
data from that particular time period, allowing you to quickly return to a period
that you have already examined.
Selected Lists the files selected in the Files pane.
File Visualization Panel Options
Element Description
Using Visualization Emails Visualization | 151
Emails Visualization
Emails Visualization allows you to view and filter data in a project by using the same data that is posted in the
Item List grid. This allows you to cull the data in the Item List grid with filters before applying Emails Visualization
to the data.
To access Email Visualization
1. Click Project Review.
2. In the Item List panel, select Options > Visualization > Emails.
Emails Visualization Panel
Using Visualization Emails Visualization | 152
Email Visualization Options Pane
l
The following table identifies the tasks that you can perform from the Emails Visualization panel.
Emails Visualization Panel
Element Description
Apply Visualization Apply the visualization graph filters to the Item List grid. Once applied, only
those items filtered with visualization will appear in the Item List grid.
Cancel Visualization Cancel the visualization graph filters and exit out of Visualization.
Options
Refresh Timeline Refreshes the Timeline pane.
Refresh Mail Statistics Refreshes the Mail Statistics pane.
Refresh Email Addresses Refreshes the Email Addresses pane.
Launch Social Analyzer Click to launch the Social Analyzer pane. See Using Visualization Social
Analyzer on page 154.
Data -Scale - Choose to display the data scale either by logarithmic or by lin-
ear. If this field is changed, data in the panels will refresh automatically.
-Metrics - Choose to display the data metrics either by size or by count.
If this field is changed, data in the panels will refresh automatically.
View -Timeline Graph Type - Choose to display timeline data by bar, line,
area, or scatter graph.
-Mail Stats Graph Type - Choose to display mail stats graph by bar, line,
spline, or scatter graph.
Timeline Examine the email data set based on when the emails were created,
accessed, or modified. You can highlight a specific period of time in the
timeline and filter the emails based on that specific time.
Mail Statistics Displays the Mail Statistics of the emails - the sent and receive dates. You
can click a specific item in the graph and filter the email addresses in the
email addresses list.
Using Visualization Emails Visualization | 153
Email Addresses Lists the email addresses in the email data set. You can view display
name, email address, traffic count, and the sent and received data.
Expand either the sent or received field for a particular email address to
obtain additional information.
Selected Lists the history of the data set. By highlighting a tabbed date in History,
you can examine the data from that particular time period.
History Lists the files selected in the Files pane.
Emails Visualization Panel
Element Description
Using Visualization Social Analyzer About Social Analyzer | 154
Chapter 14
Using Visualization Social Analyzer
About Social Analyzer
The Social Analyzer shows a visual representation of email volume contained in the data set. Social Analyzer
will display all of the email domains in a project, as well as individual email addresses within the email domains.
Social Analyzer Map
The Social Analyzer map displays emails in the data set group by domain name. These domain names appear
on the map in circles called “bubbles.” The larger the bubble, the more emails are contained within that domain.
The bubbles in the map are arranged in a larger sphere according to how many emails were sent to that domain.
The center bubble in the sphere will have the most emails sent from this domain, while domains radiating
clockwise from the center will have fewer and fewer emails in their domain bubble. If you want to examine email
domains with the most sent emails, concentrate on examining the bubbles in the center of the map.
Email data in the Social Analyzer map can be examined on two different levels. On the first level, you can get an
overall view of communications between domains. You can then select domains that you want to examine in a
Using Visualization Social Analyzer About Social Analyzer | 155
more detailed view and expand those domains to view communications between specific email addresses from
the domain. For example, if you search for high email traffic between two domains, you can see which two
domains have the highest amount of traffic between them. Select the two domains, and expand them to view the
email traffic between individual users from those two selected domains.
See Analyzing Email Domains in Visualization on page 158.
See Analyzing Individual Emails in Visualization on page 158.
Elements of the Social Analyzer Map
Element Description
This map presents the overall view of the social analyzer data. The orange
rectangle indicates the area displayed in the main social analyzer map. Black
dots in the overall view show domains that are either selected or communicating.
You can either expand or collapse the overall view by clicking on the triangle in
the upper right corner.
When you select a domain bubble, it is surrounded by a colored double ring. The
ring may be colored blue, black, purple, or red. The different colors allow you to
distinguish between different selected domains, but they do not have any
significant meaning.
Domain bubbles that are not selected, but have sent emails to the selected
domain bubble, are surrounded by a single colored ring that is the same color as
the selected domain bubble. This allows you to easily tell which domains have
been communicating with the selected domain bubble. Domain bubbles that do
not connect to any selected domains are greyed out.
Lines connect other domain bubbles to the selected domain bubble. These lines
represent emails sent to the selected domain from other domains. The more
emails that have been sent to the domain, the thicker the line between domain
bubbles are. You can also see emails sent from the selected domain. Select
Show Reversed Connections in the Social Analyzer panel to show visual
representations of emails sent from the selected domain.
A domain bubble with an orange ring indicates that a domain has been
connected to from another domain multiple times. This allows you to pinpoint
domains that have heavy communication between them.
Using Visualization Social Analyzer About Social Analyzer | 156
Accessing Social Analyzer
To navigate throughout the Social Analyzer pane, click and drag inside the pane. Hover over an email domain
bubble to view the total number of emails that were sent from the domain.
Note: Expansion of large datasets may result in slow server speeds and slow rendering the Social Analyzer
visualization data.
To access Social Analyzer
1. Click Project Review.
2. In the Item List panel, click Options > Visualization > Social Analyzer.
Social Analyzer Options Panel
Using Visualization Social Analyzer About Social Analyzer | 157
Social Analyzer Options
The following table identifies the tasks that you can perform from the Social Analyzer panel
.
Social Analyzer Options
Element Description
Apply Visualization Applies the visualization graph filters to the Item List grid. Once
applied, only those items filtered with visualization will appear in
the Item List grid.
Cancel Visualization Cancels the visualization graph filters and exits out of
Visualization.
Refresh Refreshes the Social Analyzer pane.
Clear Selections Clears the selected bubbles in the Social Analyzer pane.
Select Most Connected Items Selects the ten bubbles that have been most connected to in the
Social Analyzer pane. Each time you click this icon, the next top
ten bubbles will be selected, and so forth.
Expand Selected Domains Expands selected domains in the Social Analyzer pane. You can
drill down to a second level to examine the email data. See
Analyzing Individual Emails in Visualization on page 158.
Zoom In Zooms into the Social Analyzer pane. If you are unable to view
the social analyzer data, click Zoom In to locate the data. You can
also zoom in by expanding the slider bar located at the bottom of
the Social Analyzer pane, by using the + key on the keyboard, or
by scrolling the mouse wheel up.
Zoom Out Zooms out of the Social Analyzer pane. You can also zoom out
by expanding the slider bar located at the bottom of the Social
Analyzer pane, by using the - key on the keyboard, or by scrolling
the mouse wheel down.
Expands and collapses the overall map of the data set. Dots that
appear in black in the overall map are domains/emails that are
connected to the selected domain/email. The orange rectangle on
the map shows where the expanded location is on the map.
Using Visualization Social Analyzer About Social Analyzer | 158
Analyzing Email Domains in Visualization
Once you have you opened the Social Analyzer pane, you can isolate and examine individual email domains.
Note: Social Analyzer is very graphics-intensive. In order to avoid server issues, you should cull the data with
facets and other filters to isolate the information that you want to examine before viewing it in Social
Analyzer.
To analyze email domains in Visualization mode
1. Click Project Review.
2. In the Item List panel, click Options > Visualization > Social Analyzer.
3. Click the domain bubbles to select the domain(s) that you want to view.
4. (optional) If you want to view the top ten domains in terms of received emails. click . Each time you
click this icon, the next top ten bubbles will be selected, and so forth.
5. (optional) You can zoom in and zoom out of the Social Analyzer panel. If you hover over a domain
bubble, the full display name and address, as well as the count, is displayed in the tool tip.
6. You can expand selected email domains and examine individual emails in a domain. See Analyzing
Individual Emails in Visualization on page 158.
Analyzing Individual Emails in Visualization
You can expand email domains to display individual emails and the traffic between those emails.
View -Show Reversed Connections - Select to show all reversed
connections in the pane. Reversed connections are emails
sent from a particular email or email domain.
-Show Connections - Select to show the connections between
domains in the pane. Connections are emails sent to a particu-
lar email or email domain.
-Preview Connections on Hover - Select to view connections
between domains when you hover over them. This option is
not selected by default to speed rendering of the map.
-Email Display - Display email domains either by the display
name or address.
-Bubble Limit - You can choose a display limit of either 2,500,
5,000, or 10,000 domains. Server issues may occur with larger
display limits.
Stats Displays the statistics of either the first or second level of the
email domain data. You can view:
-The total number of domains, emails, and bubbles in the pane.
-The total number of selected domains, emails, and bubbles in
the pane.
-The total number of domains, emails, and bubbles that have
been expanded.
You can access the second level of data by clicking Expand
Selected Data.
Social Analyzer Options
Element Description
Using Visualization Social Analyzer About Social Analyzer | 159
To analyze individual emails within selected email domains
1. Click Project Review.
2. In the Item List panel, select Options > Visualization > Social Analyzer.
3. Click the domain bubbles to select the domain(s) that you want to view.
4. (optional) If you want to view the top ten domains in terms of received emails. click . Each time you
click this icon, the next top ten bubbles will be selected, and so forth.
5. (optional) You can zoom in and zoom out of the Social Analyzer panel. If you hover over a domain
bubble, the full DisplayName and address, as well as the count, will be displayed in the tool tip.
6. Click to expand the domain names to display the individual emails.
Using Visualization Heatmap | 160
Chapter 15
Using Visualization Heatmap
Heatmap allows you to view a visual representation of file categories and file volume within a project. Information
displays in a grid comprised of squares of different colors and sizes. Each color represents a different file
category, and the relative size of the square represents the file volume within the category. You can view each
file category for more details about the files within that category (similar to a file tree) and navigate between file
categories.
You can also switch between viewing the file volume by the physical size of each file and the file count. This
allows you to see any discrepancies in the size of the files. For example, if someone were trying to hide a file by
renaming the file extension, you could easily see the size discrepancy in the heatmap, and then investigate that
particular file further.
To access Heatmap
1. In FTK, do the following:
1a. Open the Examiner.
1b. In the File List panel, click (Heatmap).
2. In Summation or eDiscovery, do the following:
2a. Click Project Review.
2b. In the Item List panel, click Options > Visualization > Heatmap.
Heatmap Panel
Using Visualization Heatmap | 161
Heatmap Options Panel
The following table defines the tasks from the Heatmap panel
.
Heatmap Panel Options
Element Description
Cancels the heatmap filters and exits out of Visualization.
Apply the visualization graph filters to the Item List grid. Once applied, only those
items filtered with visualization appear in the Item List grid.
Options
Category -Files - Allows you to view files by the file category. You can view the files in
each category:
By double-clicking that particular file category’s square, or
By clicking the menu from the upper left side and choosing the file cate-
gory that you want to view in the heatmap.
-Folders - Allows you to view files by the folders contained within the project.
You can view the files in each folder:
By double-clicking that particular folder’s square.
By clicking the menu from the upper left side and choosing the folder that
you want to view in the heatmap.
-Extensions - Allows you to view files by the file extension.
Metric -By Size - Allows you to view file types by size of the files. The larger the files,
the larger the represented square in the heatmap.
-By Count - Allows you to view file types by quantity. The more files of a partic-
ular type that are in the project, the larger the represented square in the heat
map.
Using Visualization Geolocation About Geolocation Visualization | 162
Chapter 16
Using Visualization Geolocation
About Geolocation Visualization
Geolocation allows you to view a map with real-world geographic location of evidence items that have
geolocation information associated with them. This lets you understand where certain activities/actions took
place.
See Using Visualization on page 147.
For example, if you have photos in the evidence that have GPS data in the EXIF data, you can see where those
photos were taken. For volatile/RAM data, you can see the lines of communication (both sent and received)
between addresses, showing the location of all parties involved.
Geolocation supports the following data types:
-Photos with GPS information in the EXIF data.
Note: Geolocation IP address data may take up to eight minutes to generate, depending upon other jobs
currently running in the application.
Geolocation Components
Geolocation includes the following components:
-Maps
When viewing geolocation data, you can use any of the three following maps:
MapQuest Streets
MapQuest Satellite
OpenStreetMaps
You have the option to switch between the three map views while in the Geolocation filter.
-Geolocation Grid
Below the map, you can view a grid that shows details about the items in the map.
See Using the Geolocation Grid on page 168.
-Geolocation Data in columns in the Item List
You can view geolocation data for files in the Item List.
See Using Geolocation Columns in the Item List on page 169.
Using Visualization Geolocation Viewing Geolocation EXIF Data | 163
-Geolocation Facets
There are specific facets for filtering on Geolocation data.
See Using Geolocation Facets on page 170.
Geolocation Workflow
When you launch Geolocation, it will display all relevant files currently in the item list. You can cull the data using
filters and other tools in the item list to limit the data that is displayed in geolocation.
General Geolocation Requirements
As a prerequisite, you must have the following:
-Access to a KFF Service Server.
The KFF Server can be installed on the same computer as the AccessData software or on a separate
computer.
KFF Geolocation Data. This must be installed on the KFF Server.
See Getting Started with KFF in the Admin Guide.
-Internet access to view web-based maps.
You can download the offline maps for Geolocation. Use the link Geolocation Map for Offline Use
and Geolocation Map for Offline ReadMe on the FTK Product download page:
http://www.accessdata.com/support/product-downloads/ftk-download-page
-For FTK, FTK Pro, Lab, and Enterprise:
The File Signature Analysis option selected when processing the evidence.
Viewing Geolocation EXIF Data
When your evidence has photos with GPS information in the EXIF data, you can view photo locations.
To view EXIF data in FTK
1. In FTK, open the Examiner.
2. In the File List panel, click (Geolocation).
3. You can filter the items displayed and see item details.
See Using the Geolocation Grid on page 168.
To view EXIF data in Summation or eDiscovery
1. Click Project Review.
2. In the Item List panel, click Options > Visualization > Geolocation.
Using Visualization Geolocation Viewing Geolocation EXIF Data | 164
3. You can filter the items displayed and see item details.
See Using the Geolocation Grid on page 168.
Geolocation Panel - EXIF data
Using Visualization Geolocation Using Geolocation Tools | 165
Using Geolocation Tools
The Geolocation Map Panel
Points of data in a particular area on the map are represented by large dots called clusters. The number on each
cluster show how many points of data (known as pins) are represented by the cluster. Clicking a particular
cluster on the map zooms in on a group of pins.
The general location of the clusters are determined by a central point on the map. The clusters radiate from this
central point. When you zoom in and out of the map, your central point on the map moves as well, and clusters
will shift position on the map. However, as you zoom into a cluster, the cluster rendered will more closely align
itself with the location of the individual pins.
When viewing IP data, the connections between two pins display on the map as lines between clusters/pins. The
width of the lines represent the amount of traffic between two IP address. The thicker the lines, the more traffic
has occurred. Green lines represent traffic originating from the pin and red lines represent traffic entering the pin.
When you select a cluster and zoom in on a particular pin, you can select one or more pins. When a pin is
selected, the outline and shadow of the selected pin turns orange. If you zoom out of the map, the cluster with
one or more selected pins has an orange ring.
Hovering over the cluster displays the following icons:
- Selects all of the pins in a cluster.
- Clears all of the selected pins in a cluster.
The following table describes the Geolocation panel options.
Geolocation Panel
Element Description
After filtering data by selecting one or more pins, this applies the selected
geolocations to the Item List grid. Once applied, only those geolocations filtered
with visualization appear in the Item List grid.
For network data, you will see any communication from those pins to any other
location. This may include one or more items.
If you enter the Geolocation view again, only those geolocation will be displayed
in the map.
To reset the items in the Item List, click the Project Explorer’s Reset and Apply
icons.
Cancels the geolocation filters and exits out of Visualization.
Pins displayed Shows the number of spins that are displayed and the number selected.
Clear Clears and selected pins.
Options
Displays the number of pins selected in the map versus the number of pins
available in the data.
Using Visualization Geolocation Using Geolocation Tools | 166
Right-clicking a pin displays more information about the pin.
Detail of Pin
In the pin dialog, you can:
-Add any notes
-View the exact coordinates and status of the pin
Map Tab Choose which map to display in the Geolocation filter.
Expands or collapses the overall view map.
Displays the latitude and longitude where the mouse pointer resides. To view the
position of a particular pin, hover the mouse over the pin. To view the exact
coordinates of the pin, select the pin and right-click.
Turns the connections between the pins/clusters either on or off.
Displays all of the pins on the map.
Zooms in or out on the map. A slide bar displays, allowing you to control the
zoom feature.
View All/View Selected
Filter Displays either EXIF data or network connection data. You can also view both
types of data at the same time.
Geolocation Panel
Element Description
Using Visualization Geolocation Using Geolocation Tools | 167
-View the IP Address of the pin
Note: To save processing time and to ensure data accuracy, the host name does not populate in the
Geolocation pin. However, the host name does populate in the Item List.
-Change the color and shape of the pin
If you make any changes to the pin, a warning icon displays that notifies you that changes were made to
the pin and need to be saved. You can do the following in the pin dialog:
-Click to save the changes that you have made to the pin
-Click to reset the pin. If changes have been saved previously to the pin, this action resets the pin to
the saved version
-Click to close the dialog
Using Visualization Geolocation Using the Geolocation Grid | 168
Using the Geolocation Grid
When you open Geolocation, you can view a grid that shows details of the items on the map.
The Geolocation Grid shows the following:
-Exif: This shows the following Exif data from photos
Capture Data column
File Name column
File Size Coordinate column
When you click an item in the grid, the map will be centered to reflect the location of the selected item.
You can minimize the grid so that the whole map is visible.
Filtering Items in the Geolocation Grid
When you first launch Geolocation, all of the items on the map are shown in the grid.
You can filter the contents of the grid in the following ways.
-In the map, if you select a pin, only that item is displayed. You can click (and select) multiple pins.
-In the map, if you right-click a cluster and click , that selects all of the pins in a cluster. This will filter
the grid to those clustered pins. You can add multiple clusters to the grid.
-In the grid, the columns in the Geolocation Grid can be filtered to cull the items in the grid. For Network
Communication data, the data in the bar chart is filtered as well when columns are filtered.
Using Visualization Geolocation Using Geolocation Columns in the Item List | 169
Using Geolocation Columns in the Item List
The data that the Geolocation filter uses to render the information is also available in columns in the Item List.
You can find the following columns in the Item List, depending upon the data that has been collected. These
columns can be sorted and filtered.
Data for geolocation columns require that the KFF Geolocation Data be installed.
See General Geolocation Requirements on page 163.
Geolocation EXIF Data Columns
When your evidence has photos with GPS information in the EXIF data, you can view data using the following
columns.
Geolocation Columns: EXIF data
Column Display name Description
Geotagged Area Code: Area Code Area code location of geotagged photo or object.
Geotagged City: City City location of geotagged photo or object.
Geotagged Country Code: Country Code: ISO country code location of geotagged photo or object,
such as USA, FRA, MEX, HKG, and EST.
Geotagged Direction: Direction Direction geotagged photo or object.
Geotagged Latitude: Latitude Latitude of geotagged photo or object.
Geotagged Longitude: Longitude Longitude of geotagged photo or object.
Geotagged Postal Code: Postal Code Postal code of geotagged photo or object.
Geotagged Region: Region Regional or State location of geotagged photo or object,
such as NY, DC, IL, FL, and UT.
Geotagged Source: Source Source used to resolve geotagged GPS location to locality
information.
Using Visualization Geolocation Using Geolocation Facets | 170
Using Geolocation Column Templates
When using AD Forensics products, you can use the following Column Templates to help you quickly display
Geolocation-based columns in the File List:
Geolocation - Displays all available Geolocation columns.
GeoEXIF - Displays all columns that contain EXIF-related Geolocation data.
GeoIP - Displays all columns that contain IP-related Geolocation data.
Using Geolocation Facets
When using Summation or eDiscovery, you can also use facets to cull data based on Geolocation data.
See Geolocation Facet Category on page 135.
Using Visualization Geolocation Using Geolocation Visualization to View Security Data | 171
Using Geolocation Visualization to View Security Data
You can use geolocation to view IP location data to discover where in the world a computer is communicating.
You can view IP locations data when using the following products:
-AD Forensics products, after gathering Volatile data
The Geolocation view will display lines that trace internet traffic sent and received between IP addresses,
indicating the physical location of all parties involved. You can drill into geographic regions to see multiple
evidence items. You can then select specific data to post back to the case, where they can view information in
the examiner or include it in reports.
Geolocation Panel - IP Locations
To view IP data in Geolocation viewer
Note: For data collected by Geolocation Visualization, the To Domain Name, To ISP, To Netspeed, and To
Organization columns do not populate in the Item Grid. If you require this data, you need to purchase a
MaxMind Premier database license.
Prerequisites for Using Geolocation Visualization to View Security Data
-For FTK or Enterprise:
For examining network acquisition and volatile data, enable the Geolocation option in the Web Config
file. To enable this option, contact AccessData’s support.
Also for examining network acquisition and volatile data, you need to generate a text file of your IP
locations and place the text file in the GeoData directory. Configuring the Geolocation Location
Configuration File (page 171)
Configuring the Geolocation Location Configuration File
When working with network acquisition and volatile data, some data may come from a private network where the
physical location of the IP address is not known. For example, you may need to provide the location of your own
network and any satellite offices that you interact with.
Normally you would start with block of IPs in your local network.
To set this information, you need to populate a configuration file for the KFF server.
Using Visualization Geolocation Using Geolocation Visualization to View Security Data | 172
The filename is iplocations.txt.
You can configure this file in one of two ways:
-Using the Management page > System Configuration > Geolocation page.
-Configuring the file manually
If you have already manually created this file, you will see the information in the configuration page interface.
Using the Geolocation Configuration Page
1. In the console, click Management > System Configuration > Geolocation
2. Click to add an item.
3. Fill in the location data. See Geolocation Configuration Page Options on page 172.
See sample data below. You can get latitude longitude data for an area from Google maps.
Any data you save here is saved in the configuration file.
Important:
Any time you save new data, the KFF Service is automatically restarted. This can affect running KFF
jobs.
Geolocation Configuration Page Options
The table below lists the various Geolocation Configuration Page options.
Geolocation Configuration Page Options
Option Description
Ip Address The IP address. The IP addresses must be written in CIDR format and need to
be IPv4 addresses.
ID
Country Code The two letter country code for a country, such as HK for Hong Kong or US for
the United States.
Country Code 3 The three letter country code for a country, such as RUS for Russia or DEU for
Germany.
Country The full country name, such as United States or Argentina.
Region The state or province of the geolocation data, such as NY for New York or ON for
Ontario.
City The city of the geolocation data, such as Beijing or San Francisco.
Postal Code The postal code or zip code of the geolocation data.
Latitude The latitude of the geolocation data.
Longitude The longitude of the geolocation data.
Metro Code The metro code of the geolocation data.
Using Visualization Geolocation Using Geolocation Visualization to View Security Data | 173
Configuring the Location Configuration File Manually
You can manually create and edit the iplocations.txt text file for the KFF server. It has the following
requirements:
-The text file needs to be saved with the filename iplocations.txt.
-The IP addresses must be written in CIDR format and need to be IPv4 addresses.
-Each comment line in the file must start with the character #. List only one address/network per line.
-The network line must contain the following information in the following order: address (in CIDR format),
Id, CountryCode, CountryCode3, CountryName, Region, City, PostalCode, Latitude, Longitude,
MetroCode, AreaCode, ContinentCode, Source.
-The iplocations.txt file must be placed in the Geodata folder of the kffdata folder on the server.
The following is an example of an iplocations.txt file:
#this file goes in the <kffdata>\GeoData directory
#address (in cidr
form),Id,CountryCode,CountryCode3,CountryName,Region,City,PostalCode,Latitude,Longitud
e,MetroCode,AreaCode,ContinentCode,Source
#192.168.0.0/24,1,,USA,United States,Utah,Taylorsville,84129,40.6677,-111.9388,,801,,
#10.10.200.252/30,1,,USA,United States,Utah,Orem,84042,40.2969,-111.6946,,801,NA,
#10.10.200.48/32,1,,USA,United States,Utah,Orem,84042,40.2969,-111.6946,,801,NA,
10.10.200.0/24,1,,USA,United States,Utah,Orem,84042,40.2969,-111.6946,,801,NA,
Viewing Geolocation IP Locations Data
To view IP location data in FTK
1. Open the Examiner.
2. Click the Volatile tab.
3. In the Volatile tab, click (Geolocation).
4. You can filter the items displayed and see item details.
See Using the Geolocation Grid on page 168.
Area Code The area code of the geolocation data.
Continent Code The continent code of the geolocation data. For example, NA for North America
and AS for Asia.
Source The source of the geolocation information. This field is optional.
Geolocation Configuration Page Options
Option Description
Using Visualization Geolocation Using Geolocation Visualization to View Security Data | 174
Using the Geolocation Network Information Grid
-When viewing network acquisition and volatile data connection information, you can now view a grid that
displays the following information:
Process Start Time
Machine
User Name
Process Name
Path
Host Name
IP Address
Coordinates
Ports
You can show the communication between multiple pins.
Geolocation Filter
You can filter your Geolocation data with filters in the Facets Panel. The following filters are available under the
Geolocation filter categories for security jobs that contain geolocation data.
Geolocation Filters in the Facets Panel
Geolocation Filters Description
From Country Name Filters evidence by the country from which the communication originated.
To Country Name Filters evidence by the country to which the communication was sent.
From City Name Filters evidence by the city from which the communication originated. Example:
San Francisco, San Jose, Los Angeles.
To City Name Filters evidence by the city that the communication to which was sent. Example:
San Francisco, San Jose, Los Angeles
From Continent Filters evidence by the continent from which the communication originated.
To Continent Filters evidence by the continent to which the communication was sent.
Using Litigation and eDiscovery Tools | 175
Part 5
Using Litigation and
eDiscovery Tools
This part describes how to review files for litigation and eDiscovery and includes the following sections:
-Working with Transcripts and Exhibits (page 176)
-Imaging Documents (page 190)
-Using Tags and the Case Organizer (page 196)
-Coding Documents (page 220)
-Annotating and Unitizing Evidence (page 235)
-Bulk Printing (page 248)
-Managing Review Sets (page 251)
Working with Transcripts and Exhibits Working with Transcripts | 176
Chapter 17
Working with Transcripts and Exhibits
Working with Transcripts
Reviewers can view and annotate transcripts using the Transcripts panel in Project Review. Project managers
with the Upload Exhibits, Upload Transcripts, and Manage Transcripts permissions can upload transcripts,
create transcript groups, grant transcript permissions to users, and upload exhibits.
You can also work with video transcripts.
See Working with Video Transcripts on page 186.
Formatting Transcripts
The following transcripts formats are supported:
-ASCII text
-LEF
-EXE
A court reporter’s computer-aided transcription (“CAT”) system should include the option to save or export a
transcript in Summation or Amicus format, both of which are compatible with Summation.
If, however, a court reporter’s CAT system does not allow export to Summation or Amicus format — or if a court
reporter uses word-processing software to produce a transcript and does not have the option to export a
transcript in Summation or Amicus format — the specifications and accompanying illustration below will guide
you in creating a Summation-compatible transcript file. Conforming to this specification will save Summation
users transcript-loading time, avoid formatting errors, enhance searching capability, and enhance note-location
accuracy.
You can convert transcript files to SWF files which will allow them to be displayed in the Standard Viewer panel
rather than in the separate transcript.
Summation Preferred Transcript Style Specification
-Transcript size is less than one megabyte
-Page number specification:
All transcript pages are numbered
Page numbers appear next to the left margin, with the first digit of the page number appearing in
Column 1. (See illustration of column numbers and transcript elements below.)
Working with Transcripts and Exhibits Working with Transcripts | 177
Page numbers appear at the top of each page
Page numbers contain at least four digits, including zeros, if necessary. For example, Page 34 would
be shown as “0034” or “00034”
The very first line of the transcript (Line 1 of the title page) contains the starting page number of that
volume. For example, “0001” or “00001” if the volume starts on Page 1; “0123” or “00123” if the
volume starts on Page 123.
-All lines in the transcript are numbered
-Line numbers appear in the Columns 2 and 3
-Text starts at least one space after the line number. (We recommend starting text in Column 7)
-No lines are longer than 78 characters (letters and spaces)
-If possible, there are no page breaks. If you must include them, they should be on the line preceding the
page number
-There is a consistent number of lines per page if neither page breaks nor Summation’s page number
format are used
-No headers or footers appear, except for headers bearing page numbers only
-In the example below, the column numbers at the top designate how many spaces from the left margin a
given transcript element should occur
In the example below, the column numbers at the top designate how many spaces from the left margin a given
transcript elements should occur.
Summation Preferred Transcript Style
Tips for Working With Word-Processed Transcripts
Sometimes word-processed transcripts (e.g., those produced using Microsoft Word) may not display correctly in
Summation. This is because, even if the word-processed transcript is exported to ASCII or TXT format, word-
processing programs leave behind embedded formatting characters that interfere with proper display in
Summation. If you open a word-processed transcript in Microsoft WordPad and see unusual characters, the
transcript may need to be edited before loading into Summation. The closer the transcript files are to pure ASCII
or TXT format, the better.
The following are some suggested methods to remedy these issues. Success depends on how heavily a
transcript has been formatted; e.g., graphics contained in the footers.
Working with Transcripts and Exhibits Working with Transcripts | 178
Using Generic/Text Only Printer
Reporters can try using word-processing software to create a PRN file, rather than create an ASCII file.
Make a copy of your transcript within the word-processing program to use as a test file and format it in this way:
To format a transcript for a generic/text only printer
1. All pages must have a page number, including the title page, appearance page, etc.
2. The page number should appear at the top of each page.
3. Delete all headers, except for page numbers.
4. Delete all footers.
5. Make sure all lines are numbered.
6. For Microsoft Word transcripts, it may help to select Use printer metrics to lay out document. You
can find this option in Microsoft Word by selecting File > Options > Advanced. Scroll to the bottom of
the pane, expand Layout Options and select Use printer metrics to lay out document.
7. Print the file, selecting Generic/Text Only as the printer. See Adding Generic/Text Only as a Printer on
page 178.
8. When prompted, save the file to .PRN format (or as Printer Files in Windows 7).
9. Save the file to a location that you will remember later, such as your Desktop.
10. Open the . PRN file with Notepad to view the result. You can then also save it as a .TXT file.
Adding Generic/Text Only as a Printer
Follow the instructions below to add Generic / Text Only as a printer.
These steps may vary somewhat, depending on which version of Windows you are running. The screens may
also look slightly different, depending on your view options.
To add Generic/Text Only as a printer
1. In Control Panel, double-click Devices and Printers to open the Devices and Printers screen. Select
Add a printer.
2. Select the Add a local printer option. Click Next.
3. In the Choose a printer port screen, choose Use an existing port and select FILE: (Print to File)
from the drop-down menu. Click Next.
4. In the Install the printer driver screen, scroll down the list of Manufacturers and choose Generic. In the
Printers list, Select Generic/Text Only. Click Next.
5. The printer is named Generic/Text Only by default. This is the name which appears on the list of
printers that you select from when printing. Click Next.
6. In the Printer Sharing screen, select Do not share this printer. Click Next.
7. In the You’ve successfully added Generic/Text Only screen, uncheck Set as the default printer. Click
Finish.
8. The Generic/Text Only printer icon now displays in the Devices and Printers folder.
Working with Transcripts and Exhibits Working with Transcripts | 179
Additional Suggestions
You can use also takes the following actions:
-Fix “curly” quotes
If unusual characters ( such as “smart” or “curly” quotes - “”) occur within the word-processed transcript
and are causing display issues in Summation, convert them to regular characters before creating a text
file. For specific instruction, consult your world-processing program’s Help file.
-Convert file via a CAT system
Alternatively, try importing a word-processing ASCII file into a CAT system. Apply the CAT system’s
standard transcript formatting, then export the file in a Summation-friendly format: Amicus, CAT-
generated ASCII or Summation. Sometimes condensed-printing programs can also successfully perform
this conversion.
-Double-check transcript page-and-line integrity
Whatever method you choose, check the page-and-line integrity of the transcript in Summation with that
of the original transcript to ensure that the text appears in the correct position.
Working with Transcripts and Exhibits Working with Transcripts | 180
The Transcript Panel
The Transcripts panel in Project Review displays transcripts for the project. You can add and edit notes in the
transcript view.
Transcript Panel
Elements of the Transcript Panel
Element Description
Print Button Click to print the transcript.
Report Click to print a report of the transcript with notes and highlights optionally included. To
generate a report listing issues, highlights and notes that occur across multiple
transcripts, see Generating Reports on Multiple Transcripts (page 185)
Search Field Enter text that you want to search for in the selected transcript.
Working with Transcripts and Exhibits Working with Transcripts | 181
Viewing Transcripts
To view transcripts
1. In the Project Review, ensure the Project Explorer, Item List and Transcript panels are showing.
2. In the Project Explorer, in the Document Tree, expand the Transcript folder.
3. Select the Transcript Groups that you want to view and click (Apply) on the Project Explorer panel.
4. In the Item List panel, select the transcript you want to view.
The transcript appears in the Transcript panel.
Note: When the Enable Standard Viewer processing option is enabled for the project, you can also view
transcripts in the Standard Viewer.
Annotating Transcripts
Reviewers with the Add Annotations permission can annotate transcripts in the Transcripts panel.
You can add the following annotations to a transcript:
-See Adding a Note to a Transcript on page 181.
-See Adding Highlights to a Transcript on page 182.
-See Adding Links to a Transcript on page 182.
Adding a Note to a Transcript
Reviewers can add notes to transcripts in the Transcripts panel of the Project Review. Notes can be viewed and
deleted from the Transcript Notes panel.
To add a note to a transcript
1. View a transcript in the Transcripts panel.
See Viewing Transcripts on page 181.
2. In the Transcripts panel, highlight the text to which you want to add a note.
Previous Button Click to go to the previous hit of the search term.
Next Button Click to go to the next hit of the search term.
Transcript Name The name of the transcript appears in the title bar.
Previous Page
Button Click to go to the previous page in the transcript.
Page Field Displays the current page that you are on in the transcript. You can enter a page
number to quickly jump to a desired page in the transcript.
Next Page Button Click to go to the next page in the transcript.
Elements of the Transcript Panel (Continued)
Element Description
Working with Transcripts and Exhibits Working with Transcripts | 182
3. Right-click and select Add Note.
The page and line numbers of the highligted areas are displayed.
4. In the Create Note View dialog, enter a note in the Note field.
5. Select a Date for the note.
6. (Optional) Check issues related to the note.
Note: If you check an issue that has a color associated with it, the selected text will be highlighted that
color.
7. Check the groups with which you want to share the note.
8. Click Save.
Adding Highlights to a Transcript
Reviewers with the Add Annotations permission can add highlights to a transcript in the Transcripts panel of
Project Review.
To add a highlight
1. Log in as a user with Add Annotations permission.
2. Click the Project Review button in the Project List panel next to the project.
3. View a transcript in the Transcripts panel.
See Viewing Transcripts on page 181.
4. In the Transcripts panel, expand the color drop-down and select a color for your highlight.
Color Drop-down
5. Highlight the text and a highlight is added.
Adding Links to a Transcript
Reviewers with the Add Annotations permission can add links to transcripts in the Transcripts panel of Project
Review. Transcripts can be linked to other transcripts or to other documents.
Working with Transcripts and Exhibits Working with Transcripts | 183
Linking to Another Transcript
To link to another transcript
1. Log in as a user with Add Annotations permission.
2. Click the Project Review button in the Project List panel next to the project.
3. View a transcript in the Transcripts panel.
See Viewing Transcripts on page 181.
4. In the Transcripts panel, highlight the text to which you want to add a link.
5. Right-click and select Add Transcript Link.
Add Transcript Link
6. In the Add Transcript Link dialog, select the Transcript Group that contains the transcript to which you
want to link.
7. In the Transcript drop-down, select the transcript to which you want to link.
8. Click Ok.
Linking to a Document
To link to another transcript
1. Log in as a user with Add Annotations permission.
2. Click the Project Review button in the Project List panel next to the project.
3. View a transcript in the Transcripts panel.
See Viewing Transcripts on page 181.
4. In the Transcripts panel, highlight the text to which you want to add a link.
5. Right-click and select Add Document Link.
Working with Transcripts and Exhibits Working with Transcripts | 184
Add Document Link
6. In the Search field, enter the DocID of the document you want to link to.
Note: If you want to see a list of DocIDs, enter a wildcard (*) and click Go.
7. Click Go.
8. Select the document you want link to from the search results.
9. Click OK.
Searching in Transcripts
You can search within a transcript by keyword using the Transcripts panel.
To search within a transcript
1. View a transcript in the Transcripts panel.
See Viewing Transcripts on page 181.
2. Enter a keyword in the search field.
3. Click the Next button to see the first instance of the keyword. The keyword is highlighted in the
transcript.
4. Click the Next or Previous buttons to see more instances of the keyword.
Displaying Selected Notes
You can display selected notes in the transcripts. This allows you to control which notes to display or hide from
view. Filter the notes either by owner or by issues.
To display selected notes within a transcript
1. View a transcript in the Transcripts panel.
See Viewing Transcripts on page 181.
2. Click Notes. Click Apply Filter.
3. Click either the By Owner or By Issues radio button.
Working with Transcripts and Exhibits Working with Transcripts | 185
4. (optional) You can select owners or issues individually. Click Select All to select all the owners/issues
or Select None to clear the check boxes.
5. Click Apply.
6. Once the Notes filter has been applied, the filter icon appears orange.
7. (optional) To clear the filter, click the filter icon again.
Displaying Selected Highlights
You can display selected highlights in the transcripts. This allows you to control which highlights to display or
hide from view. Filter the highlights either by owner or by color.
To display selected notes within a transcript
1. View a transcript in the Transcripts panel.
See Viewing Transcripts on page 181.
2. Click Highlights. Click Apply Filter.
3. Click either the By Owner or By Color radio button.
4. (optional) You can select owners or colors individually. Click Select All to select all the owners/colors or
Select None to clear the check boxes.
5. Click Apply.
6. Once the Highlights filter has been applied, the filter icon appears orange.
7. (optional) To clear the filter, click the filter icon again.
Opening Multiple Transcripts
You can open multiple transcripts in by using the mass actions. This will allow you to view multiple transcripts at
once. Each transcript opens in a new window.
To open multiple transcripts
1. In the Item List Grid, check the transcripts that you want to open.
2. In the first Actions drop-down, select Checked.
3. In the second Actions drop-down, select View Transcripts.
4. Click Go.
5. Click OK.
The transcripts open in their own windows.
Generating Reports on Multiple Transcripts
You can generate a report listing issues, highlights and notes that occur across multiple transcripts.
To generate the report
1. In Project Explorer, click on the Explore tab.
2. Right-click Transcripts.
3. Select Transcript Report.
Working with Transcripts and Exhibits Working with Transcripts | 186
4. In the Transcript Report dialog, select the notes, issues, and highlights on which you want to generate a
report. You can select either just your notes and/or highlights or you can select all users’ notes and/or
highlights.
5. Click Generate Report.
The report will display all the transcripts that have those selected notes, issues, and highlights in
common. You can export this report to PDF.
Working with Video Transcripts
You can upload and view digital video transcripts with synchronization of the transcript text with the video portion
of the transcript. In the Natural panel, you can view the video and the textual transcript side-by-side.
Video transcripts are composed of two primary files that contains the text of the transcript along with syncing
information, and a video file.
The following video transcript formats are supported:
-SBF
-MDB
The following video formats are supported:
-MP4
You can convert other video formats, such as MPG. When uploading other formats they will be converted
to MP4.
The synchronization of the video and text transcript is controlled by the synchronisation information contained in
the SBF or MDB file. The text is linked to time segments of the video. You can pause, restart, or skip sections in
the video.
You can annotate the text of video transcripts.
See Annotating and Unitizing Evidence on page 235.
To upload and view video transcripts
1. In Review, in the Project Explorer pane, click the Explore tab.
2. Right-click Transcripts and click Upload Video Transcript.
3. Browse to and select the transcript file and the video file.
4. Enter any of the following information:
-Transcript Groups
-Deponent
-Deposition Date
-Deposition Volume
-If the transcript contains unnumbered preamble pages.
5. Click Upload Transcript.
If the file that you selected is not an MP4 file, the file is uploaded and converted. This may take several
minutes. (Gear icons in the top right of the console will display and spin during conversion.)
6. In the Project Review, ensure the Project Explorer, Item List and Transcript panels are showing.
7. In the Project Explorer, in the Document Tree, expand the Transcript folder.
Working with Transcripts and Exhibits Working with Transcripts | 187
8. Select the Transcript Groups that you want to view and click (Apply) on the Project Explorer panel.
9. In the Item List panel, select the transcript you want to view.
The transcript appears in the Transcript panel.
10. To view the video, open the Natural panel.
If the video file is still being converted, there will be a video box with the message, No Converted Video
Found.
You will need to refresh the panel until the video conversion is complete.
11. When the video completes loading, click > play.
Working with Transcripts and Exhibits Culling Transcripts and Exhibits | 188
Culling Transcripts and Exhibits
Using the Explorer Panel to Cull Transcripts and Exhibits
You can use the Explorer Panel to cull the transcripts and exhibits in a project.
To use the Explorer panel to view transcripts and exhibits
1. In Project Review, in the Project Explorer panel, open the Explorer tab.
2. Clear the top (project) item.
3. Select the Transcripts or Exhibits nodes that you want to view and click .
See The Explore Tab on page 73.
Using Object Type Facets to Cull Transcripts and Exhibits
You can use facets to cull the transcripts and exhibits in a project.
To use facets to view transcripts and exhibits
1. In Project Review, in the Project Explorer panel, open the Facets tab.
2. Expand the General > Object Types category.
3. Expand the Files & Email category.
4. Select the Transcripts or Exhibits facets that you want to view and click .
See Filtering Data in Case Review on page 128.
Working with Transcripts and Exhibits The Exhibits Panel | 189
The Exhibits Panel
The Exhibits panel in the Project Review displays the exhibits for the selected transcript.
Exhibits Panel
Viewing Exhibits
You can use the Exhibits panel to view the list of exhibits for the selected transcript. Exhibits are imported by the
project manager.
To view exhibits
1. In the Project Review, ensure the Project Explorer, Exhibits, Item List, and Natural panel are showing.
2. Select a transcript group in the Project Explorer.
3. In the Item List, select a transcript.
4. In the Exhibits panel, select an exhibit.
The exhibit is displayed in the Natural panel.
Elements of the Exhibits Panel
Element Description
Name Lists the name of the exhibit for the selected transcript.
Actions Drop-down All Select to perform a mass action.
Action 2nd Drop-down Select the action that you want to perform.
Go Click to start the mass action.
Imaging Documents Converting a Document to an Image | 190
Chapter 18
Imaging Documents
Reviewers with the Imaging permission can convert multiple documents to an image using the Imaging mass
action in the Item List panel.
Converting a Document to an Image
To convert documents to an image
1. Log in as a user with Imaging permission.
2. Click the Project Review button in the Project List panel next to the project.
3. In the Project Review, ensure the Item List panel is showing.
4. In the Item List panel, check the documents that you want to convert to images. Skip this step if you are
converting all the documents to images.
5. In the first Actions drop-down at the bottom of the panel, do one of the following:
-Select Checked to convert all the checked documents.
-Select All to convert all documents, including documents on pages not visible.
6. In the second Actions drop-down, select Imaging.
7. Click Go.
Document Conversion Dialog General Options
Imaging Documents Converting a Document to an Image | 191
8. In the General tab of the Document Conversion dialog, make your selections and click Next. The
following options are available.:
Image Rendering Options
9. In the Image Rendering Options, make your selections and click Next.
The following options are available:
General Options
Option Description
Imaging Check to create an image of the documents.
Process for Image
Annotation Check to create an image that will appear in the Image panel for annotation.
Process for Native
Annotation Check to create an image that will appear in the Natural panel for annotation.
Image Branding You can brand the PDF or TIFF image pages with several different brands and in
several different locations on the page.
See Production Set Image Branding Options on page 283.
Image Rendering Options
Option Description
Excluded Extensions Enter the file extensions of documents that you do not want to be converted. File
extensions must be typed in exactly as they appear and separated by commas
between multiple entries. For example, EXE, DLL, and COM.
This field does not allow the use of wild card characters.
Use existing image Enabled by default. When there is an existing image, regardless of its format,
that image is used. If the image exists and contains branding but is in a format
other than the one selected, the image is preserved.
Use SWF image Enabled by default. The document will be imaged using the PDF that was
created when generating the SWF rather than using the native document.
Imaging Documents Converting a Document to an Image | 192
Excel Rendering Options
Image Format Select which format you want the native file converted to:
-Multi-page - one TIFF image with multiple pages for each document.
-PDF - (Default option) One PDF file with multiple pages for each document.
-Single Page - a single TIFF image for each page of each document. For
example, a 25 page document would output 25 single-page TIFF images.
Note: Rendering a document into a TIFF image causes the image to appear
black and white, without any grayscale. If you want the tonality of
grayscale in the image, select Produce Color JPGs for Provided
Extensions.
TIFF Compression -CCITT3 (Bitonal) - Produces a lower quality black and white image.
-CCITT4 (Bitonal) - Produces a higher quality black and white image.
-LZW (Color) - Produces a color image with LZW compression.
-None (Color) - Produces a color image with no compression (This is a very
large image).
-RLE (Color) - Produces a color image with RLE compression.
DPI Set the resolution of the image.
The range is from 96 - 1200 dots per inch (DPI).
Produce Color JPGs for
Provided Extensions This and the following two options are available if you are rendering to CCITT3 or
CCITT4 format and allows you to specify certain file extensions to render in color
JPGs.
For example, if you wanted everything in black and white format, but wanted all
PowerPoint documents in color, you would choose this option and then type PPT
or PPTX in the To JPG Extensions text box. Additionally, you can choose the
quality of the resulting JPG from 1 - 100 percent (100 percent being the most
clear, but the largest resulting image).
To JPG Extensions Lets you specify file extensions that you want exported to JPG images.
JPG Quality Sets the value of JPG quality (1-100). A high value (100) creates high quality
images. However, it also reduces the compression ratio, resulting in large file
sizes. A value of 50 is average quality.
Image Rendering Options (Continued)
Option Description
Imaging Documents Converting a Document to an Image | 193
10. In the Excel Rendering Options, make your selections and click Next. The following options are
available:
Excel Rendering Options
Option Description
Use Original Document
Settings Check to use the settings from the original document.
Paper Size Select the size of the paper that you would like to use for the image.
Orientation Select the orientation of the paper that you would like to use for the image.
Header Margins Set the size of the Header margin of the image (in inches).
Footer Margins Set the size of the Footer margin of the image (in inches).
Page Margins Set the size of the page margins of the image (in inches).
Formula Substitutions Check if you want to set the options of the formula substitutions in the image of
the excel document.
Date, Time, and Path Set how you would like the image to deal with formulas found in the excel file.
The following options are available:
-Original Formula: Select to keep the original formulas in the excel file.
-Custom Text: Select to replace the formulas with the text you provide.
-Original Metadata: Select to keep the original metadata of the excel file.
Print Comments Select how you would like to treat comments in the image:
-Print in Place: Select to have the comments appear where they are in the
document.
-Print No Comments: Select to not include comments in the image.
-Print Sheet End: Select to have the comments appear at the end of each
sheet in the image.
Print Order Set the print order:
-Over then Down: For use with Excel spreadsheets that may not fit on the
rendered page. For example, if the spreadsheet is too wide to fit on the ren-
dered page, you can choose to print left to right first and then print top to bot-
tom.
-Down then Over: For use with Excel spreadsheets that may not fit on the
rendered page. For example, if the spreadsheet is too wide to fit on the ren-
dered page, you can choose to print top to bottom first and then print left to
right.
Print Gridlines Check to include the gridlines of the spreadsheet in the image.
Print Headings Check to include the headings of the spreadsheet in the image.
Fit to X Pages Set the number of pages that you want the information to shrink to fit on.
Scaling Set the scale that you want to shrink or expand the content to on the image page.
Center Sheets
Horizontally Check to center the sheet horizontally on the page.
Center Sheets Vertically Check to center the sheet vertically on the page.
Fit Image to Page Check to fit the image to the page.
One Page Per Sheet Check to put each sheet on its own page.
Imaging Documents Converting a Document to an Image | 194
Word Rendering Options
11. In the Word Rendering Options, make your selections and click Next. The following options are
available:
Show Hidden Data Check to include hidden rows or columns in the image.
Word Rendering Options
Option Description
Use Original Document
Settings Check to use the settings from the original document.
Paper Size Select the size of the paper that you would like to use for the image.
Orientation Select the orientation of the paper that you would like to use for the image.
Header Margins Set the size of the Header margin of the image (in inches).
Footer Margins Set the size of the Footer margin of the image (in inches).
Page Margins Set the size of the page margins of the image (in inches).
Field Substitutions Check if you want to set the options of the field substitutions in the image of the
word document.
Date, Time, Path, and
Username Set how you would like the image to deal with fields found in the Word file. The
following options are available:
-Original Formula: Select to keep the original formulas in the file.
-Custom Text: Select to replace the fields with the text you provide.
-Original Metadata: Select to keep the original metadata of the file.
Show Hidden Text Check to include hidden text in the image.
Excel Rendering Options (Continued)
Option Description
Imaging Documents Image on the Fly | 195
12. Click Save.
Viewing Image Page Counts
You can display the ImagePageCount column in the Item List which shows the total number of pages in
produced images. This column is also populated if you bulk image or import images.
See Selecting Visible Columns on page 61.
This is a virtual column which does not support search, column level filtering, tagging layout fields, and
production/export fields. You can export it to CSV.
Image on the Fly
Note: This section only applies if you have not used the default processing option of Enable Standard Viewer.
With that option enabled, a SWF file is automatically generated for most files. See Using the Standard
Viewer and the Alternate File Viewer on page 78.
When viewing a document in its native format in the Natural panel, you can create an image of the document so
that you may annotate it.
Once an image has been annotated, you cannot create another image of the record on the fly. However, you can
still use the mass operations imaging to create an image.
See Converting a Document to an Image on page 190.
To create n image on the fly
1. Log in as a user with Imaging permission.
2. Click the Project Review button in the Project List panel next to the project.
3. In the Project Review, ensure the Item List, Natural, and Image panels are showing.
4. In the Item List panel, select the document for which you want to create an image.
5. In the Natural panel, click the Create Image button.
6. An image is created and opened in the Image panel. Make your annotations as usual.
Print Endnotes at End of
Next Section Check to include the endnotes at the end of the next section in the image.
Word Rendering Options
Option Description
Using Tags and the Case Organizer The Tags Tab | 196
Chapter 19
Using Tags and the Case Organizer
The Tags Tab
The Tags tab in the Project Explorer can be used to create labels, create issues, view categories, create
category values, create production sets and create Case Organizer objects. You can view documents assigned
to tags using the Tags tab in the Project Explorer.
Project managers create labels and issues for the reviewer to use.
Tags tab in Project Explorer
Elements of the Tags tab
Elements Description
Categories Displays all the existing categories for the project. Right-click to create category values.
See Viewing Documents with a Category Coded on page 202.
Issues Displays all the existing issues. Right-click to create a new issue for the project.
See Viewing Documents with an Issue Coded on page 202.
Using Tags and the Case Organizer The Tags Tab | 197
Labels Contains all the existing labels. Right-click to create a new label for the project.
See Viewing Documents with a Label Applied on page 202.
Production Sets Check to include Production Sets in your search. Right-click to create Production Sets.
See Creating Production Sets on page 269.
Case Organizer Displays all the existing case organizer objects for the project. Right-click to create new
objects.
See Using the Case Organizer on page 204.
Elements of the Tags tab
Elements Description
Using Tags and the Case Organizer Using Labels | 198
Using Labels
Applying and Removing Labels
You can apply existing labels to the evidence items in your project.
Project Managers must first create the labels for a project before you can apply them.
You can apply labels using one of two methods:
-Applying Labels using an Item List Action (page 198)
Can apply one or more labels to one or more documents at a time.
-Applying Labels using the Labels Panel (page 200)
Can apply one or more labels to only one document at a time.
After applying labels, you can use the same methods to remove labels.
Applying Labels using an Item List Action
You can use the Label Assignment mass action in the Item List to assign existing labels to evidence items. You
can also use the action to remove labels from items.
See Performing Actions from the Item List on page 69.
You can apply one or more labels to one or more documents at a time.
To apply labels using the Label Assignment action from the Item List
1. Identify the files that you want to perform the action on by doing one of the following:
-In the first Action drop-down, click All.
-Check individual files, and then in the first Action drop-down, click Selected Objects.
2. In the second Action drop-down, click Label Assignment.
3. Click Go.
The Label Assignment dialog opens.
Using Tags and the Case Organizer Using Labels | 199
Label Assignment Dialog
4. Check the labels that you want to assign to the documents.
Note: Boxes with a dash (-) indicate that one or more (but not all) of the documents are already
assigned that label. Click the box until it becomes a check mark to apply the label to all the
selected documents.
5. (Optional) Check the following Keep Together check boxes if desired:
-Keep Families Together: Check to apply the selected label to documents within the same family as
the selected documents.
-Keep Similar Documents Together: Check to apply the selected label to all documents related to
the selected documents.
-Keep Linked Documents Together: Check to apply the selected label to all documents linked to the
selected documents.
6. Click Save.
To remove labels from multiple documents
1. Identify the files that you want to perform the action on by doing one of the following:
-In the first Action drop-down, click All.
-Check individual files, and then in the first Action drop-down, click Selected Objects.
2. In the second Action drop-down, click Label Assignment.
3. Click Go.
4. In the Label Assignment dialog, click the check boxes until they are blank on the labels that you want to
remove.
5. Click Save.
Using Tags and the Case Organizer Using Labels | 200
Applying Labels using the Labels Panel
About the Labels Panel
The Labels panel in Project Review can be used to apply labels to documents. You can also use the panel to
remove label assignments.
For information on displaying panels, see Review Page Panels (page 48).
The Labels panel allows you to apply one or more labels to one document at a time.
Labels panel
To apply labels using the Labels panel
1. In the Project Review, display both the Labels and Item List panels.
See Review Page Panels on page 48..
2. In the Item List panel, highlight the document to which you want to apply a label.
Elements of the Labeling Tab
Element Description
Labels Folder Expand to see the labels created by the project manager.
Label Group Folders Folders that contain labels.
Collapse All Button Click to collapse all the folders.
Expand All Button Click to expand all the folders.
Refresh Click to refresh the label list.
Save Click to apply the selected labels to the selected document.
Reset Click to reset the labels to their original condition.
Using Tags and the Case Organizer Using Labels | 201
3. In the Labels panel, check the label(s) that you want to apply and click Save.
To remove labels from a single document
1. In the Project Review, ensure the Labelling and Item List panels are showing.
2. In the Item List panel, highlight the document from which you want to remove a label.
3. In the Labels panel, uncheck the label(s) that you want to remove and click Save.
Using Tags and the Case Organizer Viewing Documents with Tags | 202
Viewing Documents with Tags
Viewing Documents with a Label Applied
You can view all the documents assigned to a specific label using facets.
To view documents assigned a label
1. In the Project Review, ensure the Project Explorer and Item List panel are showing.
2. In the Project Explorer, click on the Facets tab.
3. In the Facets tab, expand Tags and then expand Labels.
4. Select a label, and then click Only.
5. Click the Apply in the Project Explorer panel.
All documents with the selected label appear in the Item List panel.
For more information on using facets, see Using Filters to Cull Data (page 128).
Viewing Documents with an Issue Coded
You can view all the documents assigned to a specific issue using facets.
To view documents assigned an issue
1. In the Project Review, ensure the Project Explorer and Item List panel are showing.
2. In the Project Explorer, click on the Facets tab.
3. In the Facets tab, expand Tags and then expand Issues.
4. Select a label, and then click Only.
5. Click the Apply in the Project Explorer panel.
All documents with the selected issue appear in the Item List panel.
For more information on using facets, see Using Filters to Cull Data (page 128).
Viewing Documents with a Category Coded
You can view all the documents assigned to a specific category using facets.
To view documents assigned a category
1. In the Project Review, ensure the Project Explorer and Item List panel are showing.
2. In the Project Explorer, click on the Facets tab.
3. In the Facets tab, expand Tags and then expand Categories.
4. Select a category, and then click Only.
Using Tags and the Case Organizer Viewing Documents with Tags | 203
5. Click the Apply in the Project Explorer panel.
All documents with the selected category appear in the Item List panel.
For more information on using facets, see Using Filters to Cull Data (page 128).
Using Tags and the Case Organizer Using the Case Organizer | 204
Using the Case Organizer
You can use the Case Organizer to add reference information to files in your project. To use the Case Organizer,
you create Case Organizer objects and associate one or more project files to them. Within Case Organizer
objects, you can include the following:
-Comments, including formatted rich text, numbered and bulleted lists, images, and hyperlinks
-Reference details, including Status, Impact, Material, and Date range
-Attached supplemental files
-Text snippets from the project files
You can generate reports that provide all information related to Case Organizer objects.
You can create as many case organizer objects as needed in a project. Case Organizer objects only apply to the
project that they are created in.
Case Organizer objects are compatible with FTK Bookmarks.
Note: The Case Organizer feature requires Internet Explorer 9 or higher.
About Case Organizer Categories and Organization
Within the Case Organizer, you use the following categories when creating Case Organizer objects:
-Bookmarks (formerly called Summary in 5.x)
-Event
-Fact
-Pleadings
-Question
-Research
-People
Except for People, these Case Organizer categories share the same functionality. The different categories are
available simply to help you organize your data. When you create Case Organizer objects, you can create them
under one of the categories or you can nest them under other objects that already exist under a category.
See About People on page 206.
Using Tags and the Case Organizer Using the Case Organizer | 205
You can view Case Organizer objects and their hierarchy in the Tags tab in the Project Explorer panel of Project
Review. Case Organizer objects are organized under each category parent.
Except for the Bookmarks category, all Case Organizer objects are shared with and can be viewed by all project
reviewers. However, under the Bookmarks category, you have two options:
-A Shared tree that is available to all reviewers
-A tree specific to the logged-in-user that is not shared
Note: Administrators and Case Administrators can see and use all Case Organizer objects in a project.
To create and manage Case Organizer objects, you use the Case Organizer Details panel.
If you have the Case Organizer Details panel open, when you click a Case Organizer object, it will make that
object active in the panel.
To filter your data for files that are associated with Case Organizer objects, use Case Organizer facets.
See Using Case Organizer Facets to View Case Organizer Items on page 209.
Using Tags and the Case Organizer Using the Case Organizer | 206
About People
People are a unique kind of Case Organizer object. A people object can be a person or an organization. People
objects have the following details that you can assign to them:
-First name
-Last name
-Email address
-Type of person
Co-Defendant
Co-Litigant
Defendant
Defense Counsel
Expert Witness
Fact Witness
Judge
Litigant
Plaintiff Prosecutor
-Role (free text field)
-Play key role in case (check box)
-Is Deponent (check box)
Creating, Associating, and Viewing Case Organizer Objects
To begin using the Case Organizer, you perform the following tasks:
-Creating Case Organizer Objects (page 207)
-Associating Project Evidence Files to Case Organizer Objects (page 207)
-Using the Case Organizer Column in the Item List (page 208)
-Viewing Case Organizer Objects (page 208)
-Using Case Organizer Facets to View Case Organizer Items (page 209)
-Dis-associating Project Evidence Files from Case Organizer Objects (page 210)
After learning how to use Case Organizer objects, you can then manage the properties of the objects.
See Managing Case Organizer Object Properties on page 210.
Using Tags and the Case Organizer Using the Case Organizer | 207
Creating Case Organizer Objects
To create and manage Case Organizer objects, you use the Case Organizer Details panel.
When you create Case Organizer objects, they are added as objects to the Item List.
To create Case Organizer objects
1. In Review, open the Case Organizer Details panel by doing the following:
1a. Click the Layouts drop-down.
1b. Click Panels.
1c. Click Case Organizer Details.
2. Do one of the following:
Starting from the Tags tab
2a. In the Project Explorer, click the Tags tab.
2b. Expand Case Organizer.
2c. Select the category that you want to be the parent.
Starting from the Case Organizer Details panel:
2a. In the Case Organizer Details panel, click New.
2b. In the Parent drop-down, select the parent for the new object.
You can select a category or nest it under another object.
If you want to create an object that only you can see, use the Bookmarks category, then select
your logged-in-user name.All other objects are shared for the project.
3. In the Case Organizer Details panel, enter a name for the object.
4. Click Save.
Associating Project Evidence Files to Case Organizer Objects
After creating Case Organizer objects, you can associate files in your project to them.
To associate project evidence files to a Case Organizer object
1. Open the Case Organizer Details panel.
2. In the panel, in the drop-down, select the object that you want associate project files to.
If needed, refresh the list of objects.
3. In the Item List, select the files that you want to associate with the selected object.
Using Tags and the Case Organizer Using the Case Organizer | 208
4. In the Case Organizer Details panel, click the Evidence drop-down.
5. Click Add.
6. Click OK.
7. A job is submitted to perform the association.
To associate project evidence files to a People object
See Using People Columns on page 219.
or
Use the Coding panel.
To associate a People object to another Case Organizer object
1. In the Case Organizer Details panel, select the object in the drop-down.
2. Click the Tags tab.
3. Click the People objects that you want to associate with.
4. Click Save.
Using the Case Organizer Column in the Item List
You can enable the Case Organizer column in the Item List. This will display the Case Organizer objects that
project files are associated with. If a file is associated with more than one object, all objects will be listed,
separated by a semi-colon.
To use the Case Organizer column
1. In the Item List, click Options.
2. Click Columns.
3. Click Case Organizer.
4. Click the green arrow to make it selected.
5. Configure the order that you want the column displayed in.
6. Click OK.
Viewing Case Organizer Objects
You can view your Case Organizer objects in the following places:
-On the Case Organizer Details panel
-On the Tags tab
-In the Item List
As you click on Case Organizer objects in a list, the Case Organizer details panel is synced.
Using Tags and the Case Organizer Using the Case Organizer | 209
To view Case Organizer objects in the Tags tab
1. Open Project Review for a project.
2. In the Project Explorer, click the Tags tab.
3. Expand Case Organizer.
Note: To see new Case Organizer objects in the Tags tab after creating them, you must click Refresh in
the Project Explorer panel and then expand the parent object.
You cannot manage objects from the Tags tab, but if you have the Case Organizer Details panel open,
when you click an object, it will open that object in the panel.
To view Case Organizer objects in the Case Organizer Details panel
1. In Review, click the Layouts drop-down.
2. Click Panels.
3. Click Case Organizer Details.
4. Use the drop-down to view categories and objects.
To view Case Organizer objects in the File List
When you create Case Organizer objects, they are added as objects to the Item List.
You can use filters or facets to locate them.
See Using Case Organizer Facets to View Case Organizer Items below.
As you click on Case Organizer objects in the Item List, the Case Organizer details panel is synced.
Using Case Organizer Facets to View Case Organizer Items
You can use Case Organizer facets to filter for the following:
-Case Organizer objects that you have created.
When you create Case Organizer objects, they are added to the Item List.
For example, objects that you have created such as Event_A, or Fact_B.
In the Item List, this will display the Case Organizer objects that you filter for.
-The project files in your project that you have associated with Case Organizer objects.
For example, documents or spreadsheets that you have associated to objects Event_A, or Fact_B.
To filter for Case Organizer objects
1. In Project Explorer, click the Facets tab.
2. Expand General > Object Types.
3. Expand Case Organizer.
4. Select the object categories that you want to filter for and click Apply.
To filter for files associated with Case Organizer objects
1. In Project Explorer, click the Facets tab.
2. Expand Tags.
3. Expand Case Organizer.
4. Expand a category.
5. Select the objects that you want to filter for and click Apply.
Using Tags and the Case Organizer Using the Case Organizer | 210
Dis-associating Project Evidence Files from Case Organizer Objects
After you associate files in your project to Case Organizer objects, you can dis-associate them by doing one of
the following:
-Using a mass action, you can remove one or more files from one or more Case Organizer objects.
-Using the Case Organizer Details panel, you can remove one or more files from a single Case Organizer
object.
To dis-associate evidence files using a mass action
1. In the Item List, select the files that you want to remove from one or more objects.
2. In the Actions drop-down, click Remove From Case Organizer.
3. Click Go.
4. In the Remove From Case Organizer list, select the objects that you want to remove the file from.
5. Click Remove.
6. Click OK.
7. A job is submitted to perform the dis-association.
8. In the Item List, click Refresh.
To dis-associate evidence files using the Case Organizer Details panel
1. Open the Case Organizer Details panel.
2. In the panel, in the drop-down, select the object that you want dis-associate evidence files from.
If needed, refresh the list of objects.
3. In the Item List, select the files that you want to remove from the selected object.
4. In the Case Organizer Details panel, click the Evidence drop-down.
5. Click Remove.
6. Click OK.
7. A job is submitted to perform the dis-association.
8. In the Item List, click Refresh.
Managing Case Organizer Object Properties
After you have learned the basics of using Case Organizer objects, you can manage the properties of the
objects by doing the following tasks:
-Using Case Organizer Comments and Notes (page 211)
-Applying Case Organizer Details (page 213)
-Assigning Tags to Case Organizer Objects (page 214)
-Attaching External Files to Case Organizer Objects (page 214)
-Using the Case Organizer Panel Current Records Tab (page 215)
Using Tags and the Case Organizer Using the Case Organizer | 211
Using Case Organizer Comments and Notes
You can enter comments to a Case Organizer object.
In the comments, you can include the following:
-Formatted rich text
-Numbered lists
-Bulleted lists
-Images
-Tables
-Hyper-text links to URLs, email, and anchored text within the comment
-Links to other files in the project
In version 6.x and later, annotation notes are now stored within Case Organizer comments.
See Using Annotation Notes on page 241.
To enter comments for a Case Organizer object
1. In the Case Organizer Details panel, in the drop-down, select a Case Organizer object.
2. Click the Comments tab.
3. Enter your comments.
The following table describes the Case Organizer comment options.
Options of the Case Organizer Object Comments
Options Descriptions
Maximize/
Minimize You can maximize or minimize the Comments section of the Case
Organizer object dialog.
Source This lets you see the source of the tagged content of the comments.
Preview Open an web browser page to show a preview of the comments.
Print Lets you print the comments.
Cut/Copy/Paste Lets you cut, copy, and paste text using the text editor.
Undo/Redo Lets you perform an undo/redo of an editing action.
Numbered and
bulleted lists Lets you organize text with bulleted and numbered lists and clock
quotes.
Find text Lets you find text that is in the comment.
Replace text Lets you replace text that is in the comment.
Spell Check Lets you perform a spell check or enable SpellCheckAsYouType.
Character
formatting Lets you format your text with bold, italic, underline, strike through,
superscript, or subscript.
Indent and
outdent Lets you indent and outdent text.
Block quote Lets you block quote text.
Using Tags and the Case Organizer Using the Case Organizer | 212
Viewing the Source Document of a Case Organizer Note
When viewing annotation notes in Case Organizer you can quickly view the source document.
See Using Annotation Notes on page 241.
To view the source document of a note
1. In Case Organizer Details, select the appropriate object.
2. Click Comments.
3. The Comment are displayed showing the note.
4. In the note, click .
5. The source document is highlighted in Item List and is displayed in the viewer.
Insert Lets you insert an image, table, horizontal line, or special character.
Text formatting Lets you format the text using styles, fonts, size, text color, and
background color.
Hyperlinks Lets you create hyperlinks in the comments such as URL or email.
You can also create anchors in the comments and then add hyperlinks to
them.
Document Link Lets you associate files in the project to the Case Organizer object. You
can search for files using either the DocID or Object ID. You can add text
for the link. This creates a hyper link to the associated file in the Case
Organizer object comments.
Options of the Case Organizer Object Comments (Continued)
Options Descriptions
Using Tags and the Case Organizer Using the Case Organizer | 213
Applying Case Organizer Details
You can use the Details tab to add the following reference details to a Case Organizer object.
To add details to a Case Organizer object
1. In the Item List, select a file that has a Case Organizer object added to it.
2. In the Case Organizer Details panel, select the Case Organizer object that you want to configure.
Case Organizer Details
Item Description
Creator This is the application user that created the Case Organizer object.
This value is not editable.
Status Used to indicate whether the object is agreed upon by both sides of
the litigation. The valid values for this field are:
-blank (default)
-NA
-Unsure
-Disputed by Opposition
-Disputed by Us
-Undisputed
-Open
-Closed
Impact Used to indicate the value of the object on the case. The valid
values for this field are:
-blank (default)
-NA
-Unevaluated
-Heavily for us
-For us
-Neutral
-Against us
Material Used to indicate how materially relevant the object is to the case.
The valid values for this field are:
-blank (default)
-NA
-Unsure
-Low
-Medium
-High
-Very High
Assigned to You can enter the User Name of an application user to assign this
object to.
For information about application users, see the Admin Guide.
As you type letters of a user name, a list of possible users will
appear that you can choose from. To remove the user, click the x.
You can use the COAssignedTo column to view the assigned users
in the Item List.
Dates You can add a begin date and end date as reference information.
Using Tags and the Case Organizer Using the Case Organizer | 214
3. Click the Details tab.
4. Select the items that you want indicate for the Case Organizer object.
5. Click Save.
You can use Case Organizer columns to view object details.
See Viewing Documents with a Category Coded on page 202.
Assigning Tags to Case Organizer Objects
You can use the Tags tab to associate Categories, Issues, Labels, and People to a Case Organizer object. This
associates the tags with the Case Organizer object, not the project evidence file.
To associate Categories, Issues, and Labels to a Case Organizer object
1. In the Case Organizer Details panel, in the drop-down, select a Case Organizer object.
2. Click the Tags tab.
When you open the Tags tab, all Categories, Issues, Labels, and People for the project are displayed.
3. Select the tags that you want to associate with the Case Organizer object.
4. Click Save.
Attaching External Files to Case Organizer Objects
You can use the Files tab to attach external files to a Case Organizer object. To attach files, you select the files
that you want to attach and then upload them. You can add comments to the uploaded files.
To attach external files to a Case Organizer object
1. In the Case Organizer Details panel, in the drop-down, select a Case Organizer object.
2. Click the Files tab.
3. To add files, click Choose Files.
4. Use Windows Explorer to browse to and select the files that you want to upload.
The files are added to the Queue list.
5. You can upload files by doing the following:
-Click Upload all to upload all the files in the queue.
-Click the green Upload button for an individual file.
6. While files are uploading, you can cancel the upload.
After files have been uploaded, they appear in the Supplemental Files list.
7. After a file had been uploaded, you can delete it from the queue list.
8. You can select an uploaded file, and in the right pane, add a comment to it.
9. To remove an uploaded file, select the file and click Remove Selection.
10. Click Save.
Using Tags and the Case Organizer Using the Case Organizer | 215
Using the Case Organizer Panel Current Records Tab
Case Organizer objects may be associated with multiple project files. As a result, most Case Organizer data
would apply to all of the associated files. You can use the Current Records tab to add comments that are
applied to only the current record, which is the file that is selected in the Item List.
You can do the following:
-Enter a comment for the selected file.
-Highlight text from the file itself and add it as a comment.
Important:
You can only use the Standard Viewer to select the text in a file to add.
These comments are included in the Organizer Panel reports.
To add a comment to the current record
1. In the Case Organizer Details panel, in the drop-down, select a Case Organizer object.
2. Click the Current Record tab.
3. In the Current Record Comment field, enter the text of the comment for the file.
4. Click Save.
To add selected text as a comment to the current record
1. In the Item List, select a file that has a Case Organizer object added to it.
2. In the Case Organizer Details panel, select the Case Organizer object that you want to configure.
3. Click the Current Record tab.
4. In the Standard Viewer, click the Select Text Mode icon.
5. Select the text that you want to add as a comment.
6. On the Current Record tab, click Add Selection.
When you hover over the Add Selection text, it will display the text that will be added.
The selected text is automatically entered as a text snippet.
It may take a few seconds for the text to be saved.
7. After the text is added, you can see each add snippet in the Selections drop-down.
8. You can add multiple snippets as individual selections.
9. You can add a comment to the right of each selection.
10. To remove a text snippet, click a text selection and then click Remove Selection.
11. Click Save.
Using Tags and the Case Organizer Using the Case Organizer | 216
Creating Project Files Reports
About Project Files Reports
You can generate a report that displays information about files in your project.
The default page of the report displays a grid of the information that is displayed in the first several columns that
are displayed in the Item List. You can save the report in either PDF format or DOCX format. (The report will
display as many columns as will fit in a 11” x 8.5” format.)
You can create a report based on one or more files in your project.
When a report is created, the report is added as a file in your project.
When you create a report, you can select to include the following optional pages:
-Title Page
The name of your organization
The name of the project
A report title
The author of the report
The date the report was created
A graphic image as a header
A graphic image as a footer
-A page with a Statement of Confidentiality
You can type in plain text or import the text from a DOCX file.
-A page with an Introduction
You can type in plain text or import the text from a DOCX file.
-An image of the selected files.
About Report Types
You can generate the following types of reports:
About Report of Reports
After you have created multiple reports, you can select those report PDF files and create a Report of Reports.
This produces a master report that includes all selected reports.
Report types
Type Description
Timeline A report based on a timeline. If you selects a Timeline report, you then select one or multiple
case organizer categories you want to include in the timeline. You also select a date to sort by,
either Start or End.
Object A report based on objects. If you select an Object report, you then select one or multiple case
organizer categories you want to include in the report. You also select a column to use to
organize the report, such as Start, End, or Tags.
Using Tags and the Case Organizer Using the Case Organizer | 217
About Case Organizer Report Options
When you create a report based on Case Organizer objects, you can include the following:
-If you select to Include Files, it will include information about any supplemental files that are attached to
the Case Organizer object
-Any text selections that were added to the Case Organizer object
Creating Reports
To create a report
1. In Review, in the Item List, select one or more files that you want to generate a report for.
If you want to create a report for Case Organizer objects, select one or more objects.
See Using Case Organizer Facets to View Case Organizer Items on page 209.
2. Click the Actions drop-down menu.
3. Click Create Report.
4. Click Go.
5. In the Generate Report dialog, select the report format.
6. Enter a name for the report.
This name is also used in the Description field on the Case Organizer Reports page.
7. Select the report type: Timeline or Object.
8. (Optional) Select whether or not this is a Report of Reports.
See About Report of Reports on page 216.
9. (Optional) Select to Include Files.
This will include information about the files as well as include an image of the files in the report.
10. (Optional) Select to Include Case Organizer Text Selections.
For Case Organizer objects, this will include any added text selections.
11. (Optional) Select to include a Title Page and do the following:
11a. Enter information for the fields that you want to include on the Title Page.
11b. To include a header of footer, do the following:
You can use a graphic file, such as a PNG, GIF, or JPG.
Click the folder icon, browse to a file
Click the upload icon.
This file will be used in future reports.
To remove an uploaded graphic, click the x.
12. (Optional) Select to include a Confidentiality Statement and enter the information.
You can enter plain text or upload text from a DOCX file.
If you have previously uploaded a document, you can download it to view it.
13. (Optional) Select to include an Introduction and enter the information.
You can enter plain text or upload text from a DOCX file.
If you have previously uploaded a document, you can download it to view it.
Using Tags and the Case Organizer Using the Case Organizer | 218
14. Click OK.
A processing job is submitted to create the report.
Depending on the complexity of the report, it may take several minutes. You can view the status on the
project’s Work List page.
To view a report
1. After the report is created you can view the report by doing one of the following:
View the PDF in the Item List Standard Viewer by doing the following:
1a. In the Item List, click Refresh.
1b. Go to the end of the Item List and click the report PDF file.
View or download the report from the project’s Reports page by doing the following:
1a. Click Return to Case Management.
1b. On the Home page, click the Reports tab.
1c. On the bottom half of the page, click the Case Organizer Reports tab.
1d. In the Report List, click Refresh.
1e. For the report that you want to view, click Download.
1f. You can open or save the report zip file.
Using the Case Organizer Columns
You can add the Case Organizer columns to the Item List and see which Case Organizer objects have been
associated with a file along with other Case Organizer properties.
The following Case Organizer column can be used to view which project files in the File List have been applied
to a Case Organizer object:
-Case Organizer
Note: There is also a column named Summary which is used for a different feature.
The following Case Organizer columns can be used to display information about the actual Case Organizer
objects, not the evidence files applied to objects.
-CO Comments - Whether or not a comment has been added to the object.
-CO Files - Whether or not a supplemental file has been attached to the object.
-COAssignedTo - The application user that has been added in the Details > Assigned to field.
-COBeginDate - The begin date that has been added in the Details > Dates field.
-COCreator - The application user that created the object.
-COEndDate - The end date that has been added in the Details > Dates field.
-COImpact - The impact value that has been added in the Details > Impact field.
-COMaterial - The material value that has been added in the Details > Material field.
-COParent - The parent Case Organizer object if the object is nested another object.
Using Tags and the Case Organizer Using the Case Organizer | 219
-COStatus - The status value that has been added in the Details > Status field.
-COType - The type of Case Organizer object.
-COUser - The application user that created a nested Case Organizer object.
You can also use Quick Columns > Case Organizer to quickly display the following columns.
COType
COStatus
COBeginDate
COImpact
COMaterial
COAssignedTo
People
List of linked ObjectIDs
See Using Quick Columns on page 62.
Using People Columns
For People Case Organizer objects, the following columns can be used.
-People This shows which People a file has been associated with
You can click this field for an item and associate a People object to it.
You can make an initial association or change an association.
-PeopleEmailAddress
-PeopleFirstname
-PeopleIsDeponent (yes/no)
-PeopleIsOrganization (yes/no)
-PeopleLast name
-PeopleParent
-PeoplePlaysKeyRoleInCase (yes/no)
-PeopleRole
-PeopleType
You can also use Quick Columns > Case Organizer > People to quickly display these columns.
See Using Quick Columns on page 62.
Coding Documents The Review Sets Tab | 220
Chapter 20
Coding Documents
The Review Sets Tab
The Review Sets tab in the Project Explorer panel can be used to create review sets and view review sets in the
Review Batches panel. Review sets are batches of documents that users can check out for coding and then
check back in.
Before you code a set of documents, you can check out a review set so that you can track the documents you
code and to structure your workflow. Project managers can create and associate review sets. When you are
done coding a set of documents, you can check them back in if you have the Check In/Check Out Review
Batches permission.
See Managing Review Sets in the Project Manager documentation for more information.
See Checking In/Out a Review Set on page 222.
Review Sets Tab in Project Explorer
Coding Documents The Review Sets Tab | 221
The Review Batches Panel
The Review Batches panel in Project Review displays review batches. You can check in and check out batches
from this panel.
Review Batch Panel
Elements of the Review Sets Tab
Elements Description
Review Sets Contains the All Sets and My Batches folders.
All Sets Displays all the review sets available.
My Batches Displays review sets that you have checked out.
Elements of the Review Batches Panel
Element Description
Batch Name
Column Displays the name of the review set.
Batch Size
Column Displays the number of documents in review set.
Review Set Name Displays the name of the reviewed in set
Checked-Out By Displays the user that the review set is assigned to.
Batch Status Displays the status of the review set.
Reviewed Displays the number of documents reviewed in set.
Actions Expand the first actions drop-down and select one of the following options:
-All: To include all review sets in the panel in the action
-Checked: To include checked review sets in the action
-Unchecked: To include all the unchecked review sets in the action
Actions Check In/
Out The second Actions drop-down allows you to select to either Check In or Check Out the
review set.
Coding Documents The Review Sets Tab | 222
Checking In/Out a Review Set
Reviewers with the Check In/Check Out Review Batches permission can check out sets of documents for
coding. Project managers can create and associate review sets for reviewers. When you are done coding a set
of documents, you can check them back in if you have the Check In/Check Out Review Batches permission.
To check out a review set
1. Log in as a user with Check In/Check Out Review Batches permission.
2. Click the Project Review button in the Project List panel next to the project.
3. In the Project Review, ensure that the Review Batches panel is showing.
See The Review Batches Panel on page 221.
4. In the Review Batches panel, check the batch(es) that you want to check out. Skip this step if you are
checking out all the review batches.
5. In the first Actions drop-down in the bottom of the panel, select one of the following:
-Checked: Select this to check out the checked review batches.
-All: Select this to check out all of the review batches, including those not visible on the current page.
6. In the second Actions drop-down, select one of the following:
-Check Out: Select this to check out the review set. Only one person can have a review set checked
out at a time.
-Check In: Select this to check in a checked out review set.
7. Click Go.
8. Click OK.
Go Button Click to execute the selected actions.
Elements of the Review Batches Panel
Element Description
Coding Documents Coding in the Grid | 223
Coding in the Grid
You change the data of editable columns by using Edit Mode in the Item List panel in Grid View. Only columns
that are editable can be altered in the Item List Grid, just as if you were coding using the coding panel. Data in
the Read-Only and evidence columns cannot be edited. You can edit dates, text, issues, categories, transcripts,
and notes in the Item List Grid.
Custom columns for any record, regardless of how it got into the project, can be edited as well as any coding
values such as issues, or categories. Metadata cannot be changed for records brought into the application using
Evidence Processing.
To code data in the Item List Grid
1. In Project Review, select the Item List panel and ensure it is in Grid View.
2. Do one of the following:
-Double click the field that you want to code.
-Select the field that you want to code and press F2.
Note: Not all fields are editable. You can only edit non-read-only fields, and columns that are not
populated by Evidence Processor.
3. Enter or select the text, date, or numbers that you want for the field.
See Editable Fields on page 223.
4. Move the focus away from the field by doing one of the following to save the changes that you have
made:
-Click anywhere else on the screen outside of the field.
-Press Tab to move to the next editable field.
Editable Fields
There are multiple fields that you can edit, including custom fields created by the project manager. You can
always edit any custom fields that you have added. The following are examples of the kinds of editable fields that
you will see by default in the Item List panel grid:
-Authors
-Deponents (transcript records only)
-DepositionDate (transcript records only)
-DocDate (allows fuzzy dates)
-DocType
-Endorsement
-Issues
-Mentioned
-Note (Note records only)
-NoteDate
-OriginalFileName
-Recipients
Coding Documents Coding in the Grid | 224
-Source
-Title
-UUID
-Volume
Text Fields
Text fields can contain numbers, letters, and symbols. Text fields are limited to 250 characters. If you attempt to
exceed 250 characters, your text will be truncated at 250 without warning that you have exceeded the limit.
Text Fields in the Item List Grid
Date Fields
Date fields can only contain numbers and must be a valid date. You can expand the calendar to select a date or
enter a date using your keyboard. If the column allows fuzzy dates, your date does not have to be complete, but
it still must be valid.
Date Fields in the Item List Grid
Number Fields
Number fields can only contain numbers. Numbers may be positive or negative. You can use the spin box in the
field to increase or decrease the number.
Coding Documents Coding in the Grid | 225
Number Fields in the Item List Grid
Radio Button Fields
Custom fields that include radio button options were created by the project manager and appear as options in a
drop-down. You may select one of the available options, but you cannot enter your own custom text in the grid
view in a radio button field.
Radio Button Field in the Item List Grid
Check Box Fields
Custom fields that include check boxes were created by the project manager and appear in a drop-down as a
check box. You can check one or multiple boxes if the field contains check box options.
Check Box Field in the Item List Grid
Coding Documents Using the Coding Panel | 226
Using the Coding Panel
The Coding Panel
Coding is putting values into the fields (columns) of documents. The Coding panel in Project Review allows you
to use coding layouts to change the data of the selected document. Coding layouts can be created on the
Tagging Layout tab of the Home page. Fields with greyed-out text on the Coding tab are read only. Fields in blue
on the Coding tab are required.
Reviewers with View Coding Layout permissions can code the data of a document using the Coding panel and
the mass actions in the Item List panel. Coding allows you to identify descriptive pieces of information that never
had metadata, like images that were loaded and need to have dates manually added into the field. The Coding
panel in Project Review allows you to use coding layouts to code the selected document.
You can code documents and transcripts. Transcripts can be coded for Deponent and Deposition Date as long
as the fields are in the tagging layout.
See Coding Single Documents on page 227.
See Coding Multiple Documents on page 228.
Coding layouts can be created by the project manager in the Tagging Layout tab of the Home page.
See the Project Manager documentation for information on creating coding layouts.
Coding Panel
Coding Documents Using the Coding Panel | 227
Coding Single Documents
Reviewers with the View Coding Layout permission can code the data of documents outlined in a coding layout.
Layouts are defined by the project manager. Layouts include custom fields, categories, and issues. You can
code the data for all of these things as long as they are included in the Layout defined by the project manager.
You can code single documents using the Coding panel. Fields with greyed-out text on the Coding tab are read
only. Fields in blue in the coding layout are required.
To code single documents
1. Log in as a user with View Coding Layout permission.
2. Click the Project Review button in the Project List panel next to the project.
3. In the Project Review, ensure that the Item List, Project Explorer and Coding panel are showing.
4. If you are coding a checked out review batch, in the Project Explorer, click the Review Batches tab,
expand the My Batches folder, and select the batch that you want to code. The documents for the
selected batch appear in the Item List panel.
See The Review Batches Panel on page 221.
5. In the Item List panel, select the document that you want to code.
See Using the Item List Panel on page 57.
6. In the Coding panel, expand the layout drop-down and select the layout that you want to use. You must
be associated with the layout in order to use it. Project managers can associate layouts to users and
groups.
See The Coding Panel on page 226.
7. In the Coding panel, click Edit.
8. Edit the data to reflect accurate data. The options available will differ depending on the layout that the
project manager created.
9. Click one of the following:
-Save: Click this to save your changes and stay on the same document.
-Save and Next: Click this to save your changes and go to the next document in the Item List panel.
Elements of the Coding Panel
Element Description
Save Button Click to save your changes.
Save and Next Click to save your changes and move to the next codable record.
Cancel Click to cancel the coding and leave edit mode.
Apply Previous Click to apply the changes that you made to the previous record to the current record
you are viewing.
Layout Drop-down All available layouts for the user are in this drop-down.
Coding Documents Using the Coding Panel | 228
Note: You will only be able to save your changes if all the required fields (blue fields) are populated. If
all required fields are not populated, you will get an error message when you attempt to save the
record.
Coding Multiple Documents
Reviewers with the View Coding Layout permission can code the data of documents outlined in a coding layout.
Layouts are defined by the project manager. Layouts include custom fields, categories, and issues. You can
code the data for all of these things as long as they are included in the Layout defined by the project manager.
You can code multiple documents using the mass actions in the Item List panel. Fields with greyed out text in the
coding layout are read only. Fields in blue in the coding layout are required.
To code multiple documents
1. Log in as a user with View Coding Layout permission.
2. Click the Project Review button in the Project List panel next to the project.
3. In the Project Review, ensure that the Item List and Project Explorer panel are showing.
4. If you are coding a checked out review batch, in the Project Explorer, click the Review Batches tab,
expand the My Batches folder, and select the batch that you want to code. The documents for the
selected batch appear in the Item List panel.
See The Review Batches Panel on page 221.
5. In the Item List panel, check the documents that you want to code. Skip this step if you are coding for all
the documents.
See Using the Item List Panel on page 57.
6. In the first Actions drop-down at the bottom of the panel, select one of the following:
-Checked: Select this to code only the documents that you checked.
-All: Select this to code all the documents in the Item List panel, including those on pages not
currently visible.
7. In the second Actions drop-down, select Bulk Coding.
Coding Documents Using the Coding Panel | 229
Bulk Coding Dialog
8. In the Bulk Coding dialog, select the layout in the layout drop-down.
9. Edit the data to reflect accurate data. The options available will differ depending on the layout that the
project manager created. Check boxes with a dash (-) indicates that some of the documents have the
box checked. Click the check box until it becomes a check mark to apply it to all the selected
documents.
10. (Optional) Check the following Keep Together check boxes if desired:
-Include Family: Check to apply the same coding to documents within the same family as the
selected documents.
-Include SImilar Documents: Check to apply the same coding to all documents related to the
selected documents.
-Include Linked Documents: Check to apply the same coding to all documents linked to the selected
documents.
11. Click Save.
Once you have completed the Bulk Coding action, return to the Work List on the Home page. If there were any
documents that failed to code, they will be listed by their number under the Work List. You can then resubmit
Bulk Coding for those failed IDs.
Coding Documents Predictive Coding | 230
Predictive Coding
You can automatically code documents by applying Predictive Coding to the document set. With Predictive
Coding, the system “learns” how you want certain documents coded and apply that coding to future documents.
This allows you to automatically code documents throughout the project.
In order to use Predictive Coding, you need to create a learning session from a subset of documents in the
project and code these documents with the appropriate responsive coding within that learning session. As the
system learns coding methodology, the system’s overall confidence level increases. This tells you how confident
the system is in learning how future documents should be coded. Once you have reached an acceptable
confidence score with the predictive coding, you can apply the predictive coding to the rest of the documents
within the project.
Note: Due to the conjecturable nature of predictive coding, any results from the predictive coding should be
considered an estimate and is not guaranteed to produce 100% accurate results. All results from
predictive coding should be verified against the data set.
The decision tree used by the system to perform Predictive Coding is generated by the Iterative Dichotomiser3
(ID3) algorithm. For more information on the ID3 algorithm, see http://www.cse.unsw.edu.au/~cs9417ml/DT1/
decisiontreealgorithm.html#A0.0 or http://en.wikipedia.org/wiki/ID3_algorithm .
A document that has Predictive Coding applied to it will be marked as responsive or non-responsive to the
subject matter that the reviewer has determined in the learning set. The reviewer has the ability to review the
Predictively Coded documents to ensure that the Predictive Coding was applied correctly. Any document that
has Predictive Coding applied to it can have the coding decision overridden. Also, any document that has had
manual coding applied to it will retain that manual coding.
There are four types of documents that are coded with predictive coding:
-Email
-Presentations
-Excel spreadsheets
-Word documents
All other document types will not be automatically coded.
The workflow of predictive coding occurs in three phases:
-Instructing Predictive Coding (page 231)
-Applying Predictive Coding (page 233)
-Performing Quality Control (page 234)
Understanding Predictive Coding
In order for the system to learn the parameters of the predictive coding, a set of documents must be defined by
the reviewer. These documents would be selected by either applying filters, facets, or search results to the
documents. You can also select documents from the Item List.
Coding Documents Predictive Coding | 231
When a new project is created, by default that project has a standard coding/tagging layout associated with it
named Predictive Coding. You can find this tagging layout under Tagging Layouts in the Home tab.
See The Project Manager Guide for more information on tagging layouts.
Instructing Predictive Coding
Because predictive coding is based on statistical analysis of the data, the subset of the data used for coding
should be selected using the following parameters. Data selected with these parameters will assist in achieving
greater success with predictive coding:
-You should code a minimum of 10% of the documents in a project. The more documents that are coded
within a project, the more likely predictive coding will be successful in determining how to code the rest of
the documents in a project.
-You should apply the Predictive Coding layout to documents scattered randomly throughout the project,
not to just the first 10% of the documents that are listed in a project.
-The subset of documents used for predictive coding should contain a combination of documents marked
as either Responsive and Non Responsive.
-At least ten documents must be coded Responsive and at least ten additional documents must be coded
Non Responsive. These documents must be native documents that contain text.
Note: If you do not code at least ten documents Responsive and ten documents Non Responsive, the
Confidence Score and Predictive Coding Job will fail.
You can code the documents with the Predictive Coding layout in order to teach the system.
To code a learning set of documents with Predictive Coding
1. Log in as a user with View Coding Layout permission.
2. Click the Project Review button in the Project List panel next to the project.
3. In the Project Review, ensure that the Item List, Project Explorer and Coding panel are showing.
4. If you are coding a checked out review batch, in the Project Explorer, click the Review Batches tab,
expand the My Batches folder, and select the batch that you want to code. The documents for the
selected batch appear in the Item List panel.
See The Review Batches Panel on page 221.
5. In the Item List panel, select the document that you want to code.
See Using the Item List Panel on page 57.
6. In the Coding panel, expand the layout drop-down and select the Predictive Coding layout. You must be
associated with the layout in order to use it. Project managers can associate layouts to users and
groups.
7. Click Edit.
Coding Documents Predictive Coding | 232
Predictive Coding Panel
8. Mark whether a document is responsive or not responsive for the subset that you are creating.
-Add any additional keywords, separated by commas.
-The SetBy and CodingLog fields are not editable. SetBy displays whether a document has been
manually coded or predictively coded, and the CodingLog field displays data for predictively coded
documents.
9. Click one of the following:
-Save: Click this to save your changes and stay on the same document.
-Save and Next: Click this to save your changes and go to the next document in the Item List panel.
10. Code as many documents as you feel is necessary for the Predictive Coding subset.
See Instructing Predictive Coding on page 231.
Once you have completed manually coding the documents to be used in Predictive Coding, you should test the
system and obtain a confidence score of how well the system has learned.
Obtaining a Confidence Score
In order to determine if the system has received enough information in order to perform a successful coding, a
reviewer must run a confidence scoring job and generate a confidence score. The confidence score is a
percentage-based score. The higher the score, the greater the confidence that the system has in coding the rest
of the documents in the project correctly.
The confidence score is determined by using the F1 score statistical calculation. This score is calculated using
the precision rate (true positive count over total positive labeled) and recall rate (true positive count over total
positive count). For more information on the F1 score statistical calculation, see http://www.cs.odu.edu/~mukka/
cs795sum10dm/Lecturenotes/Day3/F-measure-YS-26Oct07.pdf or http://en.wikipedia.org/wiki/F1_score .
Cross-validation is the process used to determine the confidence level of the system. In this process, the original
learning set of manually coded documents is randomly partitioned into subsamples. These subsamples are
called validations folds, and the quantity of the subsamples in a given learning set is represented by the variable
k. From the k subsamples, a certain quantity of subsamples, represented by the variable n, is retained as the
validation data for testing the model. The remaining k - n subsamples are used as training data. The validation
process is then repeated k times (the folds), with different sets of n subsamples used as the validation data. The
results from the validation folds are then averaged to produce a single estimation.
Coding Documents Predictive Coding | 233
For more information about cross-validation, see http://www.cs.cmu.edu/~schneide/tut5/node42.html or http://
en.wikipedia.org/wiki/Cross-validation_%28statistics%29 .
In order to obtain the confidence score, you need to perform a confidence score job after the learning set has
been coded with Predictive Coding.
Note: You must code at least ten documents as responsive and ten other documents as non-responsive before
running a confidence score job. If not, the confidence score job will fail. You will be notified of the failed
job in the Job List.
To perform a confidence score job
1. From Project Review, open the Confidence panel by going to Layouts > Panels > Confidence.
2. From the Actions pull-down, select Confidence Score Calculation and click Go.
3. Go to the Work List under the Home tab to view the status of the Confidence Scoring job. Once the job
has completed, return to Project Review.
4. The confidence score will appear in the Confidence panel.
Confidence Panel
-Field Name - indicates the field that was tested against in the cross-validation.
-Confidence Score - the higher the score, the more confidence that the system has in applying the
Predictive Coding.
-Count - the count of the documents in the learning set.
Note:The Confidence Panel will display only the last confidence score that was calculated for the
learning set.
Applying Predictive Coding
After achieving a confidence score that sufficiently shows that the system can code the rest of the documents in
the project, you can apply the Predictive Coding to the rest of the documents in the project.
Coding Documents Predictive Coding | 234
Note: Only one Predictive Coding job may be executed at any one time per project.
To apply Predictive Coding to the project
1. From Project Review, open the Confidence panel by going to Layouts > Panels > Confidence.
2. From the Actions pull-down, select Predictive Coding and click Go.
3. Go to the Work List under the Home tab to view the status of the Predictive Coding job. Once the job
has completed, return to Project Review.
Performing Quality Control
Once the Predictive Coding job has completed, the reviewer can evaluate whether or not Predictive Coding was
applied successfully to the documents in the project. The reviewer can filter the documents to display only those
documents which have been predictively coded, and evaluate individual documents. If the coding for a
document is incorrect, the reviewer can override the Predictive Coding, and code the document manually. If the
reviewer has determined that the predictive coding was not accurate in coding the documents properly, the
reviewer can create a new Predictive Coding learning set, and reapply the Predictive Coding to the documents.
To check the Predictive Coding
1. In the Item List under Project Review, select Columns.
2. Add the SetBy column to the selected columns. The SetBy column displays whether a document has
been manually coded or predictively coded. Click Ok.
3. Filter the SetBy column to display only predictively coded documents.
4. In the Coding panel, expand the layout drop-down and select the Predictive Coding layout.
5. Click Edit.
6. Examine whether a document has been coded correctly. If not, mark the correct coding and click one of
the following:
-Save: Click this to save your changes and stay on the same document.
-Save and Next: Click this to save your changes and go to the next document in the Item List panel.
7. The manual override will appear in the SetBy column in the Item List.
Annotating and Unitizing Evidence Prerequisites for Annotating and Unitizing Files | 235
Chapter 21
Annotating and Unitizing Evidence
This chapter explains how to do the following:
-Annotating Evidence (page 237)
-Unitizing Documents (page 246)
Prerequisites for Annotating and Unitizing Files
About Generating SWF Files for Annotating or Unitizing
Before annotating or unitizing a file, the file must first be converted to a format that can be annotated, redacted,
or unitized. AccessData generates an Adobe’s SWF file for files that you can annotate and unitize.
You can generate SWF for the following file types: TXT, DOC, PPT, PDF, MSG, HTM, GIF, and similar formats,
but not PST, ZIP, DLL, and EXE files.
You can generate a SWF in the following ways:
Method Description
Generate SWF files when
processing the project There is a Enable Standard Viewer processing option that will automatically
convert many files to SWF and make the Standard Viewer the default viewer.
This option is checked as the default for the Summation license, but can be
enabled in other products.
When this option is enabled, during processing, a SWF file will be generated for
any document that can be generated as a SWF and that is also 1 MB or larger.
Some documents are not converted to SWF, such as PST, ZIP, DLL, and EXE
files.
For files that are smaller than 1 MB, the SWF file is generated “on-the-fly” when
the document is loaded into the Standard Viewer.
Microsoft Excel files are not automatically converted into SWF, neither during
processing nor “on-the-fly”, but can be done manually later.
Have SWF files
automatically generated
in Review
If you view a file that has not had a SWF file generated for it in the Alternate File
Viewer, then change to the Standard Viewer, and a SWF can be generated, it will
be converted “on-the-fly”.
Generate SWF files
manually You can generate SWF files with the Annotate Native or Create Image features.
See Using the Image Panel on page 80.
Annotating and Unitizing Evidence Prerequisites for Annotating and Unitizing Files | 236
Configuring Maximum PDF Size for SWF Creation
In order to help preserve disk space, you can limit the size of native SWF files that are created during Add
Evidence, Import, Imaging, and Production Sets. By default, if a file reaches 100 MB in size, the SWF creation is
cancelled.
You can configure the maximum size threshold in a new setting: “MaxPDFSizeForNativeSWFConversion”
-For SWF files created during Add Evidence and Production Sets, this setting is configured in the following
config file:
..\AccessData\eDiscovery\Work Manager\ Infrastructure.WorkExecutionServices.Host.exe.config
-For SWF files created during Import and Imaging jobs, this setting is configured in the following config file:
..\AccessData\AsyncProcessingServices\ Adg.AsyncProcessing.WindowsService.exe.config
Note: This setting does not affect native SWF files that created “on-the-fly” when viewing files in the
Standard Viewer in Review. In this case, the SWF creation automatically times out after a minute.
Accessing SWF Files for Annotating or Unitizing
You can annotate files using one of the following:
-The Standard Viewer in the Natural Panel
-The Image Panel
You cannot annotate files using the Alternate File Viewer in the Natural Panel.
How you access SWF files in the Standard Viewer depends on whether you enabled the Enable Standard
Viewer processing option for the project.
-If the Enable Standard Viewer processing option is enabled, the Standard Viewer is the default viewer.
When you click a file in the item list, if a SWF has been generated, or if the file can have a SWF
generated, it will display in the Standard Viewer.
If the SWF file has not yet been generated, it will do it automatically.
If you click a file that does not support SWF, it will be displayed in the Alternate File Viewer instead.
-If the Enable Standard Viewer processing option is not enabled, by default, the Alternate File Viewer is
used. If you then change to the Standard Viewer, and if a SWF can be generated, it will be converted “on-
the-fly”.
To access a SWF file
1. Log in as a user with appropriate permissions.
2. Click the Project Review button in the Project List panel next to the project.
3. In the Project Review, ensure that the Item List and Natural panel are showing.
4. Select a document in the Item List panel that has a native application.
5. Do one of the following:
-Verify that the file is displayed in the Standard Viewer.
-If the file is displayed in the Alternate Viewer, either click the Standard Viewer, or click the Annotate
Native or Create Image button.
Annotating and Unitizing Evidence Annotating Evidence | 237
Annotating Evidence
About Annotating Evidence
Reviewers with the Add Annotations permission can annotate documents and emails.
The following annotation options are available:
-Using Annotation Notes (page 241)
-Adding a Highlight (page 242)
-Adding a Drawn Highlight (page 242)
-Adding a Redaction (page 244)
-Adding a Drawn Redaction (page 244)
-Adding a Link (page 243)
-Selecting a Highlight Profile (page 240)
-Selecting a Markup Set (page 240)
You can use the Natural Panel to perform all annotation options.
See Using the Natural Panel on page 76.
You can use the Image Panel to create redactions, highlights, and markup sets is also available on the.
See Using the Image Panel on page 80.
Prerequisites for Annotating
In order to Select Text, Draw Highlight Text, Draw Redaction Text, Draw Highlight, Draw Redaction, Create Note,
or Create Link, you must select an existing Markup Set.
See Selecting a Markup Set on page 240.
Project managers create Markup Sets and Reaction Reasons on the Home page.
Annotating and Unitizing Evidence Annotating Evidence | 238
About Annotating Tools
Standard Viewer
Elements of the Standard Viewer
Element Description
Standard Viewer Format that allows you to create annotations on the file.
See Using the Natural Panel on page 76.
Alternate File Viewer Format that allows you to view a native representation of the file.
See Using the Natural Panel on page 76.
Toggle Annotation
Tools
Toggles the annotation tools on and off.
Annotating and Unitizing Evidence Annotating Evidence | 239
Print Lets you print the file as it appears in the Standard Viewer. If you have made
any annotations, they will also be printed. For example, if you have added
redactions to the document, they are printed.
You can print with the following options:
-Print All Pages
-Print Current Page
-Print Range
This print feature can only print 50 pages at a time. If the document is larger
than that, you can do one of the following:
-Print a range of 50 pages at a time
-Use bulk print
See Bulk Printing on page 248.
-Download the file and then print it.
To download a file, click the Current Object ID number link at the top of
Review.
Redaction Reasons Click to select a redaction reason to apply to the document.
Save Annotations Save the annotations to file.
Show/Hide Redactions Click to show and hide the redactions in the document.
Markup Sets Click to show the Markup Sets that are available to apply to the document.
Note: An existing Markup Set is required for using Annotation Tools.
Annotation Tools Note: An existing Markup Set is required for using Annotation Tools.
Pan Mode Click to move within a document page. Navigate by clicking and dragging with
the hand icon.
Text Selection Mode Click to select text within the document to highlight or redact.
Text Highlight Click to highlight selected text. See Adding a Highlight on page 242.
Text Redaction Click to redact selected text. See Adding a Redaction on page 244.
Drawn Highlight Click to create a drawn or coordinate-based rectangle highlight. You can use
this tool for creating highlights on documents that are graphics based, rather
than text based. See Adding a Drawn Highlight on page 242.
Drawn Redaction Click to create a drawn or coordinate-based rectangle redaction. You can use
this tool for creating redactions on documents that are graphics based, rather
than text based. See Adding a Drawn Redaction on page 244.
Create Note Click to add a note to the document. See Using Annotation Notes on page 241.
Create Link Click to add a link to another document in the project. See Adding a Link on
page 243.
Navigation Icons
Thumbnails Click to view thumbnails of the pages in the document.
Elements of the Standard Viewer (Continued)
Element Description
Annotating and Unitizing Evidence Annotating Evidence | 240
Profiles and Markup Sets
Selecting a Highlight Profile
Persistent highlighting profiles are defined by the project/case manager and can be toggled on and off using the
Highlight Profile drop-down in Natural panel in the Project Review.
To select a highlight profile
1. In the Project Review, ensure that the Item List and Natural panel are showing.
2. Expand the Highlight Profile drop-down and select a profile.
Selecting a Markup Set
Markup sets are a set of annotations performed by a specified group of users. For example, you can create a
markup set for paralegals, then when paralegal reviewers perform annotations on documents in the Project
Review, all of their markups will only appear when Paralegal is selected as the markup for the document in the
Natural or Image panel.
Having an existing Markup Set is required for using Annotation tools.
See Prerequisites for Annotating on page 237.
Note: Only redactions and highlights are included in markup sets.
Markup sets are created by the project/case manager on the home page. Markup Sets are only accessible in the
Standard Viewer of the Natural or Image Panel.
Fit to Page Click to fit the document to the Natural pane.
Fit to Width Click to fit the document to the width of the Natural pane.
Rotate All Click to rotate the document clockwise in 90 degree increments.
Rotate Page Click to rotate a page of the document clockwise in 90 degree increments.
Page Navigation
Navigate through the document with either the arrows or by entering a page
number in the field. When documents are generated as PDFs, the page
navigation bar will not be available. You can still navigate through the PDF by
using the vertical scroll bar.
Zoom
Zoom in and out of the document. Use either the magnifying glass or enter a
percentage in the field.
Elements of the Standard Viewer (Continued)
Element Description
Annotating and Unitizing Evidence Annotating Evidence | 241
To select a markup set
1. In the Project Review, ensure that the Item List and Natural or Image panel are showing.
2. Access the file in the Standard Viewer.
3. Expand the Markup Set drop-down and select a markup set.
Using Annotation Notes
Reviewers with the Add Notes permission can add notes to documents in the Natural panel of Project Review.
Notes are attached to highlighted text in a document.
In version 6.x and later, notes are now stored as part of the Case Organizer.
See Using the Case Organizer on page 204.
Specifically, notes are saved within the comments of Case Organizer objects.
Important:
Before adding a note, become familiar with Case Organizer objects and comments.
See Using Case Organizer Comments and Notes on page 211.
Note: If you are using an environment that was upgraded from 5.x, your legacy notes are not converted to the
Case Organizer and can still be viewed in the Notes panel. Notes can be viewed and deleted from the
legacy Notes panel for users with the View Notes and Delete Notes permission.
See The Notes and Transcript Notes Panels on page 86.
To add a note
1. Log in as a user with Add Notes permission.
2. Click the Project Review button in the Project List panel next to the project.
3. Access the file in the Standard Viewer.
4. Select an existing Markup Set.
See Prerequisites for Annotating on page 237.
5. Click on the Create Note tool button .
6. Highlight the text in the body of the document to which you want to add a note.
7. The Case Organizer comment dialog appears.
8. Continue with the following instructions:
See Using Case Organizer Comments and Notes on page 211.
Viewing the Source Document of a Case Organizer Note
When viewing annotation notes in Case Organizer you can quickly view the source document.
See Using the Case Organizer on page 204.
To view the source document of a note
1. In Case Organizer Details, select the appropriate object.
2. Click Comments.
Annotating and Unitizing Evidence Annotating Evidence | 242
3. The Comment are displayed showing the note.
4. In the note, click .
5. The source document is highlighted in Item List and is displayed in the viewer.
Adding a Highlight
Adding a Text-Based Highlight
Reviewers with the Add Annotations permission can add highlights to documents in the Natural panel of Review.
To add a text-based highlight
1. Log in as a user with Add Annotations permission.
2. Click the Project Review button in the Project List panel next to the project.
3. In the Project Review, ensure that the Item List and Natural panel are showing.
4. Access the file in the Standard Viewer.
5. Select an existing Markup Set.
See Prerequisites for Annotating on page 237.
6. Click the Text Highlight tool button.
7. (Optional) To delete a text highlight, click on the highlight and press Delete.
Adding a Drawn Highlight
Reviewers with the Add Annotations permission can add a drawn or coordinate-based highlights to documents
in the Natural or Image panel of Project Review. The following steps describe how to add a drawn highlight in the
Natural panel. These steps will also work in the Image panel.
To add a drawn highlight
1. Log in as a user with Add Annotations permission.
2. Click the Project Review button in the Project List panel next to the project.
3. In the Project Review, ensure that the Item List and Natural panel are showing.
4. Access the file in the Standard Viewer.
5. Select an existing Markup Set.
See Prerequisites for Annotating on page 237.
6. Click the Drawn Highlight tool button .
Annotating and Unitizing Evidence Annotating Evidence | 243
7. Click and drag the rectangle onto the body of the document.
8. (Optional) To delete a drawn highlight, click on the highlight and press delete.
Adding a Link
Reviewers with the Add Annotations permission can add links to documents in the Natural panel of Project
Review.
To add a link
1. Log in as a user with Add Annotations permission.
2. Click the Project Review button in the Project List panel next to the project.
3. Access the file in the Standard Viewer.
4. Select an existing Markup Set.
See Prerequisites for Annotating on page 237.
5. Click on the Create Link tool button.
6. Highlight the area in the body of the document to which you want to add a link. The Add Document
Link dialog appears.
Add Document Link Dialog
7. In the Search field, enter the DocID of the document you want to link to.
8. Press the tab button to activate the Go button and click Go.
9. Select the document you want to link to from the search results.
10. Click OK.
Annotating and Unitizing Evidence Annotating Evidence | 244
Adding a Redaction
Adding a Text-Based Redaction
Reviewers with the Add Annotations permission can add redactions to documents in the Natural panel of Project
Review.
Note: If you hover over a redaction while in ADViewer mode, the redaction will become transparent, and you
can view the text underneath the redaction.
Redaction color tips:
-You can change the color block for redacting documents to any color.
-If the redaction block color is a darker shade such as black or navy blue, the redaction reason will be set
to white. If the redaction color block is a lighter color such as yellow or white, the redaction reason will be
set to black.
To add a text-based redaction
1. Log in as a user with Add Annotations permission.
2. Click the Project Review button in the Project List panel next to the project.
3. Access the file in the Standard Viewer.
4. Select an existing Markup Set.
See Prerequisites for Annotating on page 237.
5. Click the Text Redaction tool button.
6. Drag over the text that you want to redact.
7. (Optional) To delete a text redaction, click on the redaction and press Delete.
Adding a Drawn Redaction
Reviewers with the Add Annotations permission can add a drawn or coordinate-based redactions to documents
in the Natural or Image panel of Project Review. The following steps describe how to add drawn redactions in the
Natural panel. These steps will also work in the Image panel.
Note: When using Draw Redaction, text that is very close to the Draw Redaction box may be included in the
redaction.
To add a coordinate-based redaction
1. Log in as a user with Add Annotations permission.
2. Click the Project Review button in the Project List panel next to the project.
3. Access the file in the Standard Viewer.
4. Click the Drawn Redaction tool button .
5. Click and drag the rectangle onto the body of the document.
6. (Optional) To delete a drawn redaction, click on the redaction and press Delete.
Annotating and Unitizing Evidence Annotating Evidence | 245
Coordinate-Based Redactions Boundaries
After drawing a coordinate-based redaction, red square boxes may appear on the redacted text, above the
redacted text, and/or below the redacted text. These red square boxes are the application’s attempt to insure
that all of a character is redacted. The application accomplishes this by indicating all characters that will be
redacted, including font boundaries defined in the file that the user cannot view. Any characters that are bound
by these red boxes will be redacted. If the application is indicating text that you do not want redacted, you can
adjust your redaction so that application will only redact the characters that you want.
Toggling Redactions On and Off
You can toggle redactions on and off in the Natural and Image panels so that you can view or hide them without
deleting redactions.
To toggle redactions on and off
1. In the Project Review, ensure that the Item List and Natural panel are showing.
2. Access the file in the Standard Viewer.
3. Click the Show/Hide Redactions button .
4. Click the button again to turn them back on.
Annotating and Unitizing Evidence Unitizing Documents | 246
Unitizing Documents
You can use the unitization feature to do the following:
-Break large documents into smaller documents.
-Combine one or more smaller documents into a larger one.
-Move pages within the same document to another location of the document. For example, you can move
the last page of the document to the first page.
-Rotate a single page or the entire document.
You can perform these tasks on any file that has been converted to SWF. Thus, you can only unitize documents
that can be viewed in the Standard Viewer on the Natural or Image tabs.
See About Generating SWF Files for Annotating or Unitizing on page 235.
When you perform unitization tasks on a document, the original document is maintained and a new file is
created. In the new filename, the original file’s Object ID is referenced. The new filename is
UnitizedObject_NewObjectID_OriginalObjectID.pdf.
You can also perform unitization tasks on the new unitized documents.
You perform these tasks in the Unitization panel.
To use unitization
1. In Review, select a file that you want to work with.
2. Make sure the file is displayed in the Standard Viewer.
3. From the Standard Viewer, click Unitization.
4. Click a page in the document and use the following unitization tools:
Item Description
Moves the current page up one page.
Moves the current page to be the first page of the document.
You can use the page number field at the bottom to quickly go to page 1.
Moves the current page down one page
Moves the current page to be the last page of the document.
Rotates the current page 90 degrees.
Deletes the current page.
Before saving this change, the current page is marked in red with an X though it.
You can click this icon again to undelete the page.
Splits the document from the current location. You can split a document in many
places to create multiple documents. Click this to split the page and a red line will
appear. After you have performed all your splits, click Save.
You cannot split on the first page.
Annotating and Unitizing Evidence Unitizing Documents | 247
Fits the view to the height of the document.
Fits the view to the width of the document.
Rotates all pages 90 degrees.
Rotates the current page 90 degrees.
(When in Unitization mode, this is the same as the other rotate button on the top
of the panel. When not in Unitization mode, this rotate the document for viewing
but does not edit the document.)
Show
Source Use the Show Source button to add pages from a totally different document to
the current document you’re working on.
When you click Show Source, it opens a separate panel for you to open a
different document in. Initially, it opens the same document.
In the Item List, select the second file you want to add from. It will then be
displayed in the second panel.
Click a page in the second document and click < to add that page to the first
document. Click << to add all pages.
Save Saves the changes made in unitization and creates a new document named
UnitizedObjectnn.
Item Description
Bulk Printing Bulk Printing Multiple Documents | 248
Chapter 22
Bulk Printing
Reviewers with the Imaging permission can print multiple records using the Bulk Printing mass action in the Item
List panel. You can print to printers that are on the server or to a local machine. You can also brand printed
documents. Bulk printing will print the source documents and include annotations or redactions on the
documents.
You can perform other actions (except for starting another print job) while the system is running a bulk print job.
Note: Before you can print to a local printer, you need to download and install the Bulk Print Local plug-in. See
Bulk Printing Multiple Documents (page 248).
You can print highlights and redactions on printed documents without needing to create a production set. In the
Bulk Printing dialog, you can select which type of markup sets to print.
Note: For documents that contain both Native and Image redactions, only Image redactions print. Image
redactions take precedence over Native redactions.
Bulk Printing Multiple Documents
To print multiple documents at one time
1. Click Project Review in the Project List panel next to the project.
2. In the Project Review window, verify that the Item List panel is showing.
3. In the Item List panel, select the documents that you want to print. Skip this step if you are printing all
the documents in the panel.
4. In the first Actions drop-down menu at the bottom of the panel, do one of the following:
-Select Checked to print all the checked documents.
-Select All to print all documents, including documents on pages not visible.
5. In the second Actions drop-down menu, select either Network Bulk Printing to print to a network
printer that has been set up by your IT or Administrator or Local Bulk Print to print to a local printer that
has been set up on your local workstation.
See Network Bulk Printing on page 249.
See Local Bulk Printing on page 249.
Bulk Printing Bulk Printing Multiple Documents | 249
Network Bulk Printing
To print to a network printer
1. Click Go.
2. Enter options in the General Print Options tab. See General Print Options on page 249.
3. Click Print.
Local Bulk Printing
To print to a local printer
1. Click Go.
2. Enter options in the General Print Options tab. See General Print Options on page 249.
3. A dialog box appears, asking if the file BulkPrintLocal.WPF may be opened on your system.
Click Allow.
Note: If you start another print job when the dialog window from a previous Local Bulk Printing job is
already open, a new Bulk Printing window will appear. Close the initial Local Bulk Print window
before starting a new local print job.
4. The Bulk Print Application dialog window appears. See Bulk Print Dialog Options on page 250.
5. Choose your printer from the drop down box in the Printer Selection area and click Print.
Note: This process may take longer than typical network print operations due in part to document image
conversion processes.
6. (optional) To cancel a printing job, click Cancel Print Job or close the Bulk Printing dialog box.
General Print Options
The following table shows the options available in the General Print Options screen.
General Print Screen Options
Option Description
Include Markups Allows you to print redactions on the printed documents. In the Markup Sets tab,
select which markup set(s) that you want to print.
Note: For a document with both native and image redactions, image redactions
will print, but not native redactions. Image redactions take precedence over
native redactions.
Image Branding Allows you to brand the printed documents. In the Image Branding Options tab,
select the options that you want for the branding. For more information, see the
Exporting Guide.
Note: Branding the document with the DocID in Local Bulk Printing will brand the
document with the existing DocID. Branding the document in the Export Wizard
will brand the document with the original DocID.
Bulk Printing Viewing Print Statuses | 250
Bulk Print Dialog Options
The following table shows the options available in the Local Bulk Print dialog.
Viewing Print Statuses
You can view the status of bulk printing jobs on the Printing/Export tab of the Home page. You can view the
status of your local bulk print job in the Bulk Print dialog window.
To view the status of your bulk print job
1. Select the project in the Project List panel.
2. Click the Printing/Export tab on the Home page.
3. Click the Printer Status tab.
Viewing Print Logs
You can access and view the logs from local bulk printing jobs. The logs are stored in a folder on the server.
To view the log of your bulk print job
1. In the Windows Start menu, enter Run.
2. In the Open field, enter %public%.
3. Open the folder and select the log that you want to view.
Bulk Printing Dialog Options
Option Description
Job Details Displays the job details of the print job, including the Project ID, Project Name,
User Name, Job ID, and number of documents in the print job.
Printer Selection Select a printer to print the documents to.
Note: You can also select a virtual printer, such as a PDF creation tool, to
save the documents to a local or network share in PDF format.
Cancel Print Job Click to cancel a print job. You can also cancel a print job by closing the Bulk
Printing Dialog window.
Progress Report -Docs Printed: Shows the number of documents that have already printed,
and the documents remaining to be printed.
-Pages Printed: Shows the number of pages that have been printed in a docu-
ment sent to the printer. It does not show the total amount of pages printed in
a job.
Status Report Displays the status of the print job.
Note: You can also monitor the status of the print job from the Printing/
Export tab of the Home page.
Managing Review Sets Creating a Review Set | 251
Chapter 23
Managing Review Sets
Review sets are batches of documents that you can check out for coding and then check back in. Review sets
aid in the work flow of the reviewer. It allows the reviewer to track the documents that have been coded and still
need to be coded. Project/case managers with Create/Delete Review Set permissions can create and delete
review sets.
Creating a Review Set
Project/case managers with Create/Delete Review Set permissions can create and delete review sets.
To create a review set
1. Log in as a user with Project Administrator rights.
2. Click the Project Review button next to the project in the Project List.
3. Click the Review Sets button in the Project Explorer.
See the Reviewer Guide for more information on the Review Sets tab.
4. Right-click the Review Sets folder and click Create Review Set.
Create Review Set Dialog
5. Enter a Name for the review set.
Managing Review Sets Creating a Review Set | 252
6. Select a Review Column that indicates the status of the review. New columns can be created in the
Custom Fields tab of the Home page.
See Custom Fields Tab on page 213.
7. Enter a prefix for the batch that will appear before the page numbers of the docs.
8. Increase or decrease the Batch Size to match the number of documents that you want to appear in the
review set.
9. Check the following options if desired:
-Keep Families together: Check this to include documents within the same family as the selected
documents in the batch.
-Keep Similar document sets together: Check this to include documents related to the selected
documents in the batch.
Note: Any “Keep” check box selected will override the restricted Batch Size.
10. Click Next.
Create Review Sets Dialog Second Screen
11. Expand Labels and check the labels that you want to include in the review set. All documents with that
label applied will be included in the review set. This is only relevant if the documents have already been
labeled by reviewers.
12. Expand the Document Groups and check the document groups that you want to include in the review
set.
13. Click Next.
14. Review the summary of the review set to ensure everything is accurate and click Create.
15. Click Close.
Managing Review Sets Deleting Review Sets | 253
Deleting Review Sets
Project/case managers with Create/Delete Review Set permissions can create and delete review sets.
To create a review set
1. Log in as a user with Project Administrator rights.
2. Click the Project Review button next to the project in the Project List.
3. Click the Review Sets button in the Project Explorer.
See the Reviewer Guide for more information on the Review Sets tab.
4. Expand the All Sets folder.
5. Right-click the review set that you want to delete and click Delete.
6. Click OK.
Managing Review Sets Renaming a Review Set | 254
Renaming a Review Set
Project/case managers with Manage Review Set permissions can rename review sets.
To rename a review set
1. Log in as a user with Project Administrator rights.
2. Click the Project Review button next to the project in the Project List.
3. Click the Review Sets button in the Project Explorer.
See the Reviewer Guide for more information on the Review Sets tab.
4. Expand the All Sets folder.
5. Right-click the review set that you want to rename and click Rename.
6. Enter a name for the review set.
Managing Review Sets Manage Permissions for Review Sets | 255
Manage Permissions for Review Sets
Project/case managers with Manage Review Set permissions can manage the permissions for review sets.
To rename a review set
1. Log in as a user with Project Administrator rights.
2. Click the Project Review button next to the project in the Project List.
3. Click the Review Sets button in the Project Explorer.
See the Reviewer Guide for more information on the Review Sets tab.
4. Expand the All Sets folder.
5. Right-click the review set that you want to manage permissions for and click Manage Permissions.
Assign Security Permissions Dialog
6. Check the groups that you want to grant permissions to the review set. Groups granted the Check In/
Check Out Review Batches permission will be able to check out the review sets to which they are
granted permission.
7. Click Save.
Exporting Data | 256
Part 6
Exporting Data
This part describes how to export data and includes the following sections:
-Introduction to Exporting Data (page 257)
-Creating Production Sets (page 269)
-Exporting Production Sets (page 287)
-Creating Export Sets (page 290)
Introduction to Exporting Data About Exporting Data | 257
Chapter 24
Introduction to Exporting Data
This document contains information about exporting data for a project. Exporting data, in most projects, is
performed by the project/case manager. You need the correct permissions to create and export production sets.
About Exporting Data
When you sort through data, organization remains the key to preparing a streamlined set of data to include in a
report that is delivered to the attorney for the criminal project, civil project, or corporate authorities for a corporate
security project . To prepare data for the final report, you can create sets of filtered data that you can export in
various formats.
After applying labels to the evidence set, you can create either a production set or an export set of data.
When you create production or export sets of data, you can only use one label per set.
Note: Creating a production set results in new items being created.
Note: There are certain native formats that do not work for imaging and TIFF operations. These are: PST, NSF,
FC, DAT, DB, EXE, DLL, ZIP, and 7zip
See Export Tab on page 289.
See Exporting Production Sets on page 287.
See Creating Export Sets on page 290.
The following table describes the export formats that you can use for your production and export sets.
Export Formats
Format Description
AD1 Creates an AD1 forensic image of the documents included in the Export Set.
AD1 is a forensic file format that can be read by FTK.
An AD1 contains the logical structure of the original files and the original files
themselves. The AD1 file is hashed and verifiable to ensure that no changes
have occurred to it.
Image Load File Export Converts the native documents to a graphic format such as TIFF, JPG, or PDF.
It creates a load file in the IPRO LFP or the Opticon OPT formats.
This is similar to Load File Export except that it does not contain any metadata.
Introduction to Exporting Data About Exporting Data | 258
Native Export Exports the native documents in their original format and optionally rendered
images into a directory of your choosing. This export does not provide a load file.
Load File Export Exports your choice of Native, Filtered text (includes the OCR text that was
created during processing), rendered images of the native document, and
optionally OCR text of the rendered images.
If the recipient intends to use third-party software to review the export set, select
Load File Export.
You have the option of exporting rendered documents in the following formats:
-Concordance
-EDRM (Electronic Discovery Reference Model) XML
-Generic
-iCONECT
-Introspect
-Relativity
-Ringtail (MDB)
-Summation eDII
-CaseVantage
Some programs have load file size limits. If needed, you can split load files into
multiple files.
If you use the Concordance, Generic or Relativity exports, and include rendered
images, you will also get an LFP and OPT file.
Format Description
Introduction to Exporting Data About Exporting Data | 259
About Excluding Data in Production Sets and Export Sets
When configuring either a Production Set or Export Set, you specify how you want to export files. You can select
to export files as native files, generated images, or both. You can also select to exclude files when exporting. You
can select to exclude exporting files as native files or images. This allows you to export some files as only native
files and other files as only generated images. You may want to use this feature to exclude some files as being
exported in a given format. For example, images of spreadsheets may not be useful to you, and using this
feature, you can generate images for most files, but not spreadsheets.
You can select files to exclude based on the following:
-File Categories
-Labels
-Issues
Returning to the example of spreadsheets, one way this feature can be used is to export generated images of
most files, but export native files for spreadsheets only. To accomplish this, on the Files to Include page, you
would do the following:
1. Select Export Native Files but then exclude ALL file categories EXCEPT spreadsheets.
This will cause only spreadsheet files to be exported as native files.
2. Select Generate and Export Images and exclude the export of image files for ONLY the spreadsheet
file category.
This will cause all files except spreadsheets to be exported as image files.
The following provides more information on the exclude options:
-File Categories to Exclude
This will exclude all files with a selected file type or types.
In the drop-down, you can choose from the list of file categories, such as spreadsheets, documents,
emails, and PDFs.
The list of available file types are those that are associated to the label you chose for the set.
-Labels to Exclude
This will exclude all files with a selected secondary label.
If files have more than one label applied to them, you can exclude files based on other labels than the
one you selected for the set.
In the drop-down, the list of available labels are any other labels that are associated to the files with the
label you chose for the set. The label that you initially selected is not displayed.
For example, suppose you create a production set and selected the label L01 for the production set.
Suppose that objects A, B, and C are labeled with label L01. Suppose also that object A is labeled with
labels L01, L97 and L98. Object B is labeled with L01, L97, and L99, and object C is labeled with L01,
L98, and L99. The list of labels to be potentially excluded would consist of L97, L98, and L99. L01 would
not be listed.
One way that you can use this option is to use a unique label for any file that you do not want to image
and then use this option to exclude that label.
-Issues to Exclude
This will exclude all files with a selected issue.
The issue list is similarly populated with all of the issues that are associated with any of the labeled
objects.
If exclusion items are selected in more than one exclusion list, then any object excluded by ANY of the
selections is excluded. For example, if there are one or more entries selected in the file category list and one or
more issues selected in the issue list, then any object that is in any of the excluded file categories OR is
Introduction to Exporting Data About Exporting Data | 260
associated with any of the excluded issues will be excluded. In other words, the results of the exclusion lists are
“ORed” together.
Native and image exclusion are independent of each other. That is, export of the native file may be excluded for
the native file, but not for the image file.
Introduction to Exporting Data Export Tab | 261
Export Tab
The Export tab on the Home page can be used to manage production sets and export sets.
Production Set History Tab
The Production Set History can be used to export or delete production sets and view the history of the
production set.
Production Set History Tab Elements
Element Description
Production Set
History Search
Field
Enter text to search by production set name.
Click to Show/Hide Filtering options. You can add and delete filters, and specify
whether the filter is ascending or not. Field options that you can filter on include:
-Created By
-Description
-Email Count
-Export Path
-Item Count
-Total Size
Production Set List Lists the production set details and the status of the production sets.
Shows the status of the production set creation. During the creation process, the tab
displays blue, and displays the percentage of the process as it is being created. When
the tab turns green, the production set creation is complete.
Note: Even if the percentage counter shows 100%, the production set is not
complete until the status tab turns green.
Expand the tab to view the Status of the Production Set.
Cancel Button Click to cancel the creation of a production set.
Export Button Click to export the production set to a load file. This option is not available until the
production set has been created.
Delete Button Click to delete the production set. This option is not available until the production set
has been created.
Click to expand all expanders. Once the production set has been created, you can
expand the pane to access the reports for the production set, as well as Load File
Generations if the job is a load file.
Click to collapse all expanders.
Click to refresh the production set history list.
Introduction to Exporting Data Export Tab | 262
Show/Hide
Reports Expand to access reports.
Show/Hide Load
File Generations Expand to access the load file generations.
Production Set History Tab Elements
Element Description
Introduction to Exporting Data Export Tab | 263
Export Set History Tab
The Export Set History Tab can be used to export or delete export sets and view the history of the export set.
Export Set History Set Elements
Element Description
Export Set History
Search Field Enter text to search by export set name.
Click to Show/Hide Filtering options. You can add and delete filters, and specify
whether the filter is ascending or not. Field options that you can filter on include:
-Created By
-Email Count
-Export Path
-Item Count
-Total Size
Export Set List Lists the export set details and the status of the export sets.
Shows the status of the export set creation. During the creation process, the tab
displays blue, and displays the percentage of the process as it is being created. When
the tab turns green, the production set creation is complete.
Note: Even if the percentage counter shows 100%, the production set is not
complete until the status tab turns green.
Expand the tab to view the Status of the Export Set.
Cancel Button Click to cancel the creation of a export set.
Export Button Click to export the export set to either an AD1 file, Native file, or Load File. This option
is not available until the export set has been created. See Exporting Export Sets on
page 264.
Delete Button Click to delete the export set. This option is not available until the export set has been
created.
Click to expand all expanders. Once the export set has been created, you can expand
the pane to access the reports for the export set, as well as Load File Generations if the
job is a load file.
Click to collapse all expanders.
Click to refresh the export set history list. You can delete the load file generation.
Expand the status tab to view the status of the load file generation.
Show/Hide
Reports Expand to access reports. You can download the following reports:
Renaming: Export Renaming Report
Image Conversion Exception: Image Conversion Exception Report
Summary: This report must be generated before it can be downloaded. Allow a few
minutes to generate the report.
Show/Hide Load
File Generations Expand to access the load file generations.
Introduction to Exporting Data Export Tab | 264
Exporting Export Sets
Export Sets can be exported from the Export History Set as an AD1 file, Native file, or a Load file. Export Sets
can be exported more than one time.
The status of a successful export that contains any errors or warnings logged to the CSV log file displays as
Export Completed With Warnings. The status display in the Export History tab displays the status as yellow-
green to differentiate the status from a successful export without errors or warnings logged.
Note: If slipsheets have been generated upon the initial export of the export set, the slipsheet will be counted as
the main image for the object. On any subsequent export set export, the slipsheet generated is counted
as an image for the object. No new images are generated for that object, and a currently-selected
slipsheet is not placed.
Introduction to Exporting Data Using The Browser Briefcase | 265
Using The Browser Briefcase
About the Browser Briefcase
When you create a Load File Export, you can select the export format to be Browser Briefcase.
When configuring an export to Browser Briefcase, there are two new options:
-Export Native SWF
-Export Image SWF
These options export the SWF files that you can view in Browser Briefcase.
The Browser Briefcase is a stand-alone application that lets you view exported SWF files. You can open the
Browser Briefcase and review exported files away from the Summation application. You can also make notes
about files and export those notes to a CSV file. You can import the CSV file back into Summation. You can
easily share the export with different people for their review.
The viewer displays the list of files in a grid, similar to the Item List. The grid has columns for the fields that you
selected for the export, such as filename, Doc ID, Object ID, file extension, file size, and so on. You can sort on
any column.
There is also a natural viewer window to view either the exported Image SWF files or the exported Native SWF
file. You can size and rotate the document just like you can in the Natural Viewer. You can also open the native
document.
Introduction to Exporting Data Using The Browser Briefcase | 266
You can perform a text search across documents that will filter the list based on search hits. You can also
perform an in-document text search.
Exporting to a Browser Briefcase
You can export to a Browser Briefcase by using either of the following:
-Projection Set > Export
-Load File Export
Exporting to a Browser Briefcase using a Production Set
1. Create a Production Set and configure the General Options.
See Creating Production Sets on page 269.
2. On the Files to Include page, select Prepare Files for Browser Briefcase Export.
3. Make sure that the following options are selected.
-Export Native SWF
-Export Image SWF
4. Complete the Production Set.
5. Export the Production Set.
See Exporting Production Sets on page 287.
Introduction to Exporting Data Using The Browser Briefcase | 267
Exporting to a Browser Briefcase using a Load File Export
1. Create a Load File Export and configure the General Options.
See To create a load file export on page 304.
2. On the Files to Include page, select the Browser Briefcase format.
3. On the Files to Include page, verify that the options are selected to Export Native SWF and Export
Image SWF files.
These options are visible and automatically selected when you select the Browser Briefcase format.
4. Complete the export wizard.
Introduction to Exporting Data Using The Browser Briefcase | 268
Viewing and Using the Browser Briefcase
To view and use the Browser Briefcase
1. After the export is complete, go to the export file path.
2. Click BrowserBriefcase.exe.
3. To sort by column, click the column header.
4. To perform a search, do the following:
4a. To perform a text search across documents, in the Search All Documents field, enter the search
text and click Search.
The file list is filtered based on the search hits.
4b. To perform an in-document text search, in the viewer pane, in the Search field, enter the search
text and click Search.
4c. Click the arrows to go to the next or previous search hit.
4d. For either search, click Clear Search to clear the search results.
5. You can view either the Native SWF or the Image SWF. To change the document, select a file, and click
either View Native or View Image.
6. To open a native document, select a file, and click Open.
7. To add notes about a document, do the following:
7a. Click the Notes cell for the file that you want to add a note for.
7b. Enter the text of your note.
7c. Click away from the cell.
8. To export file data, do the following:
8a. Click the Tag box for each file that you want to export data for.
8b. Click Export Tagged.
8c. In the Export to CSV dialog, select the columns that you want to be exported to the CSV.
8d. Enter your desired separator.
8e. Click Export.
8f. Enter the path for the exported CSV file.
8g. Click Save.
Sharing the Browser Briefcase
To share a Browser Briefcase
1. Go to the export file path.
2. Archive (zip) the entire export folder.
3. Share the archived file.
Creating Production Sets About Creating Production Sets | 269
Chapter 25
Creating Production Sets
About Creating Production Sets
When you create a production set, you include all of the evidence to which you have applied a given label. After
you create the production set, you export the set to a load file.
Case/project managers with the Create Production Sets permission can create production sets.
Points to Consider
-Once you've created a production set you cannot add documents to that set even if you use the same
labels. You will need to label the additional documents and then create a new set using the same label.
Process for Creating Production Sets
To create a production set
1. Before you create a production set, be sure you have applied at least one label to evidence files that
you want to filter into the production set.
See Using Tags and the Case Organizer on page 196.
2. Log in as a user with Create Production Set rights.
3. Click the Project Review button next to the project in the Project List.
4. In the Project Explorer, select the Tags tab, right-click the Production Sets folder, and select Create
Production Set.
5. Configure the General Options.
See Production Set General Options (page 271) for information on how to fill out the options in the
General Options screen.
6. Click Next.
7. Configure the Files To Include.
See Production Set Files to Include Options (page 272) for information on the option in the Files to
Include screen.
8. Click Next.
9. Configure the Columns to Include.
Creating Production Sets Process for Creating Production Sets | 270
10. In the Columns to Include, click the right arrow to add a column to the production set and the left arrow
to remove a column from the production set. You can rearrange the order of the columns by clicking the
up and down arrows.
Note: Only columns added at this time will be available for exporting. Any columns not added will not be
available in the production set. Also, for a field to be available for branding, it must be included in
the Columns to Include. Field Branding for a production set fails if the field is not included in the
production columns.
11. Click Next.
12. Configure Volume Document Options.
See Volume Document Options (page 276) for information on the options in the Volume Document
Options screen.
13. Configure Image Branding Options.
See Production Set Image Branding Options (page 283) for information on the options in the Image
Branding Options screen.
14. In the Summary screen, review the options that you have selected for the production set and click the
Edit (pencil) button if you want to make any changes.
15. Click Save.
After your production set is created, it will appear in the Export tab of the Home page and under the
Production Sets folder in the Project Explorer of the Project Review.
See Export Tab on page 289.
Creating Production Sets Process for Creating Production Sets | 271
Production Set General Options
The following table describes the options that are available on the General Options screen of the production set
wizard.
See Export Tab on page 289.
General Export Options
Option Description
Name Enter the name of the production set job you are creating.
This does not need to be a unique name, but it is recommended that you make all names
unique to avoid confusion.
Label Select the label that has the documents you want to include in the production set.
Description Enter a description for the production set if desired.
Templates Select a previously created template to populate all the fields of the production set wizard
using the options selected in a previous production set.
Creating Production Sets Process for Creating Production Sets | 272
Production Set Files to Include Options
The following table describes the options that are available on the Files to Include screen of the production set
wizard.
See Export Tab on page 289.
Files to Include Options
Option Description
Include Text Files Select this to include all filtered text files in the production
set. This does not include redacted text. This will not re-
extract text from native files.
Export Native Files Select this option if you want to include the native
documents with the production set. This will only include
native files that have not been redacted. If the native file
has been redacted, a PDF of the file will be included.
Output a reduced
version of original PST/
NSF file
Select this option if there are emails that were originally in
a PST or an NSF format and you want to put them into a
new PST or NSF container.
-There is a config file setting that will create and export
to a new PST when this option is selected. When this
setting is true, it creates a brand new PST with only
the emails being exported (with their attachments) into
the new PST archive. Otherwise it will reduce the orig-
inal PST.
(This option only applies to PST files, not NSF.)
To enable this option, include the following setting in
the Work Manager configuration file:
<add key=”ExportEmailInNewPst” value="True"/>
Output messages as
individual HTML/RTF
files
Select this option if there are emails that were originally in
a PST or NSF and you want to make them HTML/RTF
files.
This option will not take loose MSG files and put them into
a PST.
Output email as MSG Select this option if there are emails that were originally in
a PST or an NSF that you want to make into MSG files.
Export Native SWF Exports the native SWF file. This provides SWF files that
you can view in Browser Briefcase. This option is enabled
automatically if you enable the Prepare for Browser
Briefcase Export option.
See Prepare for Browser Briefcase Export on page 275.
File Categories to
Exclude
Labels to Exclude
Issues to Exclude
Each of these options allow you to specify files that you
do NOT want a native file for.
See About Excluding Data in Production Sets and Export
Sets on page 259.
Generate and Export
Images Select this option to include images that have been
created in the Project Review. Additionally, if an image
has not yet been created, this option will convert the
native document to an image format.
Creating Production Sets Process for Creating Production Sets | 273
Enable Image Branding Enable this option to create image branding.
See Production Set Image Branding Options on
page 283.
Export Image SWF Exports the generated image SWF file. This provides
SWF files that you can view in Browser Briefcase. This
option is enabled automatically if you enable the Prepare
for Browser Briefcase Export option.
See Prepare for Browser Briefcase Export on page 275.
Excluded Extensions Enter the file extensions of documents that you do not
want to be converted. File extensions must be typed in
exactly as they appear and separated by commas
between multiple entries. For example:
EXE, DLL, and COM
This field does not allow the use of wild card characters.
Use existing image Enabled by default. If the item being exported already has
an image file, choosing this option will use that existing
image in the production set. If the item being exported
does not already have an image associated with it, a new
one will be created from the SWF file or from the native
file.
Use SWF image Enabled by default. If the item being exported does not
already have an existing image associated with it and this
option is selected, the SWF file will be used to generate
the image. If a SWF file does not exist, then the native file
will be used.
File Format Select which format you want the native file converted to:
-Multi-page - one TIFF image with multiple pages for
each document.
-PDF - (Default option) One PDF file with multiple
pages for each document.
-Single Page - a single TIFF image for each page of
each document. For example, a 25 page document
would output 25 single-page TIFF images.
Compression Available if Multi-page or Single-page are selected.
-CCITT3 (Bitonal) - Produces a lower quality black and
white image.
-CCITT4 (Bitonal) - Produces a higher quality black
and white image.
-LZW (Color) - Produces a color image with LZW com-
pression.
-None (Color) - Produces a color image with no com-
pression (This is a very large image).
-RLE (Color) - Produces a color image with RLE com-
pression.
DPI Available if Multi-page or Single-page are selected.
Set the resolution of the image.
The range is from 96 - 1200 dots per inch (DPI).
Files to Include Options (Continued)
Option Description
Creating Production Sets Process for Creating Production Sets | 274
Page Format Select the page size for the image. The available page
sizes are:
-Letter – 8 ½” x 11”
-A3 – 29.7 cm x 42 cm
-A4 – 29.7 cm x 21 cm
Normalize images Select this option to obtain consistent page sizes
throughout the entire production.
Any document determined to be landscape in orientation
will produce a proper landscape image.
Produce color JPGs for
provided extensions This and the following two options are available if you are
rendering to CCITT3 or CCITT4 format and allows you to
specify certain file extensions to render in color JPGs.
For example, if you wanted everything in black and white
format, but wanted all PowerPoint documents in color,
you would choose this option and then type PPT or PPTX
in the To JPG Extensions text box. Additionally, you can
choose the quality of the resulting JPG from 1 - 100
percent (100 percent being the most clear, but the largest
resulting image).
To JPG Extensions Lets you specify file extensions that you want exported to
JPG images.
JPG Quality Sets the value of JPG quality (1-100). A high value (100)
creates high quality images. However, it also reduces the
compression ratio, resulting in large file sizes. A value of
50 is average quality.
File Categories to
Exclude
Labels to Exclude
Issues to Exclude
Each of these options allow you to specify files that you
do NOT want a native file for.
See About Excluding Data in Production Sets and Export
Sets on page 259.
Export Text
Export Priority: Export priority determines which text data is most
important for your project. The choice you make
determines which text data will be exported.
-Export OCR text over extracted text - When a docu-
ment has both OCR text and extracted text, the OCR
text will be exported. If the document does not have
OCR text, the extracted text will be exported.
-Export extracted text over OCR text - When a docu-
ment has both OCR text and extracted text, the
extracted text will be exported. If the document does
not have extracted text, the OCR text will be exported.
-Export both extracted text and OCR text - Choosing
this option will export both the extracted text and the
OCR text.
Files to Include Options (Continued)
Option Description
Creating Production Sets Process for Creating Production Sets | 275
OCR Options: -Maintain existing OCR - Choosing this option will allow
you to export the existing OCR data without having to
regenerate it.
OCR redacted images - Choosing this option will
OCR images that have been redacted.
OCR documents that lack extracted text -
Choosing this option will evaluate each item for the
existence of text content, if none is found, the doc-
ument will be OCR’ed.
-OCR all - Page level OCR - choosing this option will
ignore the extracted text and OCR every image page
generating a single text page per image page.
OCR TIFF Images Creates a page by page OCR text file from the rendered
images.
By default, the text file uses a TXT extension.
As a best practice, you would not create both Filtered
Text files and OCR text files. However, if you do both, the
Filtered Text files use a TXT extension and the OCR text
files use an OCR.TXT extension.
If you create only OCR text files and not Filtered Text
files, the OCR text files use a TXT extension.
OCR Text Encoding -ANSI - Encodes text files using ANSI.
ANSI encoding has the advantage of producing a
smaller text file than a Unicode file (UTF). ANSI-
encoded text files process faster and save space. The
ANSI encoding includes characters for languages
other than English, but it is still limited to the Latin
script.
If you are exporting documents that contain languages
written in scripts other than Latin, you need to choose
a Unicode encoding form. Unicode encoding forms
contain the character sets for all known languages.
-UTF- 16 Encodes load files using UTF-16.
-UTF - 8 (Default) Encodes load files using UTF-8.
For more information on the Unicode standard, see
the following web site
http://www.unicode.org/standard/principles.html\
Redactions
Markups Check the Markup Sets that you want included in the
production set. Markups will be burned into the images
that are created.
Browser Briefcase
Prepare for Browser
Briefcase Export Prepares files to be included in the Browser Briefcase
when exported.
See Using The Browser Briefcase on page 265.
If selected, this will auto select the Export Native SWF
and Export Image SWF options, and if unselected, it will
unselect these two options.
Files to Include Options (Continued)
Option Description
Creating Production Sets Process for Creating Production Sets | 276
Columns to Include
Choose the database fields that should be part of the production set.
Volume Document Options
This section describes the options available in the Volume Document Options screen of the production set
wizard if you have US numbering enabled. US numbering is default. The following table describes the options
available in the following screen.
Volume Document Options Screen
Option Type Option Description
Naming Options Choose a naming option:
New
Production
DocID
(Default) This file naming allows you to determine what the name of
the files will be, based on the document ID numbering scheme. This
option is used with the Document Numbering Options below.
In Project Review, you can view the ProductionDocID that is created
for exported files. This is useful in associating an exported file with the
original file.
Original DocID This option lets you re-use that original DocID for the produced record.
Documents can be imported via a load file with pre-existing Doc IDs or
documents can be assigned a DocID when adding them to a
Document Group.
If the documents do not have an existing DocID, you can assign one
by placing the documents in a document group or by providing a
DocID naming schema using the Document Numbering Options
below.
Original File
Name This file naming uses the original file name as the name of the
document rather than a numbered naming convention.
If the files were brought into the project by way of importing a DII or
CSV file, the file name may not be present and therefore the file will be
put into the Production Set using the original DocID that it was
imported with. With this option, the files when exported will be put into
a standard volume directory structure.
Original File
Path This option uses both the original file name and the original file path
when the production set is exported. The file path will be recreated
within the export folder.
Volume Partition Sorting You can sort the documents before they are converted and named.
This allows you to choose one or more meta data field values to sort
the documents in ascending or descending order.
You can choose any combination of fields by which to sort, however, it
is not recommended to choose more than 3 fields to sort by.
(Volume
Partition
Sorting)
Add volume partition sorting filters based on specified ascending or
descending fields.
Creating Production Sets Process for Creating Production Sets | 277
(Volume
Partition
Sorting)
Delete the selected sorting option.
Sorting Specify the order that the files are listed in each volume. Sorting
occurs on the parent document.
For example, you might sort by Ascending on the field FILESIZE. In
such project, the first volume contains the largest file sizes, and the
last volume contains the smallest file sizes.
Field Set the column heading by which you want to sort.
Add Add the sorting options that you have selected. You can add one or
more sorting filters.
Volume Sample Provides a sample of the volume directory structure that will be
created when the production set is exported.
Volume Options Select a volume folder structure for the output files. The selections will
determine how much data is put into each folder before a new folder is
created and the folder structure in which the output is placed.
See About the U.S. Volume Structure Options on page 279.
Partition Type Select the type of partition you would like to create.
Partition Limit Set the size of the partition based on the partition type that you have
selected.
Prefix Specify the prefix-naming convention you want to use for the root
volume of the production set.
Starting
Number Set the starting number of the first partition in the production set.
Padding Specify the number of document counter digits that you want. The
range is 1 to 21. 0 padding is not available.
Folder Limit Create a new numbered volume when the specified folder limit is
reached inside the volume.
Folder Lets you name and limit the size or the number of items that are
contained in a folder. An export can have one or more folders.
Prefix Specifies the prefix-naming convention that you want to use for the
folders within the volume of the export.
Suffix Specifies the suffix-naming convention that you want to use for the
folders within the volume of the export.
Starting
Number Sets the starting number of the first folder within the volume of the
export.
Padding Specify the number of document counter digits that you want. The limit
is 21.
File Limit Creates a new numbered folder when the specified file limit is reached
inside the folder.
Volume Document Options Screen (Continued)
Option Type Option Description
Creating Production Sets Process for Creating Production Sets | 278
Native Folder Lets you set the name of the Natives folder.
See Files to Include Options on page 272.
Image Folder Lets you set the name of the Image folder.
See Files to Include Options on page 272.
Text Folder Lets you set the name of the Text folder where text files go that are
generated by the OCR engine.
See Files to Include Options on page 272.
Document This pane is only available if the New Production Doc ID or Original
Doc ID option is selected in the Naming Options.
Use these setting to determine how to generate new names of
produced records. (Some files may retain an original DocID.
See Naming Options above.)
Numbering
Options See About U.S. Document Numbering Options on page 280.
Prefix Specifies the prefix-naming convention that you want to use for the
document and page numbering within the folders of the export.
Suffix Specifies the suffix-naming convention that you want to use for the
document and page numbering within the folders of the export.
Starting
Number Sets the starting number of the first document or image within the
volume of the export.
Padding Specify the number of document counter digits that you want. The limit
is 21.
Volume Document Options Screen (Continued)
Option Type Option Description
Creating Production Sets Process for Creating Production Sets | 279
About the U.S. Volume Structure Options
You can specify the volume folder structure for the output files. The selections will determine how much data is
put into each folder before a new folder is created and the folder structure in which the output is placed.
See Volume Document Options on page 276.
The output files will be contained within the following hierarchy:
-Volume folder - Contains two levels of subfolders for organizing the files. A new volume will be created
when a specified limit is reached.
You can choose from the following limits.
You can also specify a volume folder limit. In order to prevent issues with Microsoft Windows Explorer,
you can specify an additional limit of the number of folders in a volume. This works in addition to the
selected limit type. If the specified volume limit is not reached, but the folder limit is, a new volume will be
created.
-File type folder - The first level subfolders within each volume are separated by the file types of the
exported files. By default, the folders are named by file type, for example, native documents, images, or
text files. You can name these file type folders anything you want. This allows you to put your image and
text files into the same folder. While you can name all of the file type folders the same; thereby placing
the natives, images, and text files into a single folder; it is not recommended because there could be
naming conflicts if your native file and image or text file have the same name.
-Level 2 folder - The second level folders contain the actual files being exported. You can specify a limit of
the total number of files per folder. This limit, once reached, will create a new folder within the same file
type folder until the volume maximum or number of folders has been reached.
Using the Partition Type, Partition Limit, and Folder limit values together, you can create the volume structure
that meets your needs. The following graphic is an example of a volume structure.
Limits
Limit Description
Documents Output will be placed into a volume until the specified number of documents has
been reached, then a new volume will be created.
For example, if you export 2000 files and you set the partition limit to 1000, you
will have two document volumes.
Images Output will be placed into a volume until the specified number of images has
been reached, then a new volume will be created.
This option is useful because a single, large document may create hundreds or
thousands of single page images.
Megabyte Output will be placed into a volume until the specified megabyte size of all of the
files has been reached, then a new volume will be created.
For example, you can set a partition limit of 4000 MB if you intend to burn the
files to DVD media.
Single All output will be placed into one volume.
Creating Production Sets Process for Creating Production Sets | 280
Note: No document that has been rendered will have its rendered pages divided into more than one folder.
If a folder limit is about to be reached, but the next document that should go into that folder will exceed the
maximum, a new folder will be started automatically for the new document. The same applies to document
families, if the volume maximum is about to be reached and the next document family will exceed the limit, a new
volume will be started and the next document family will be placed into that new volume.
About U.S. Document Numbering Options
If you have chosen to use a DocID naming scheme for the output files, you can specify the method for creating
Doc IDs. This section describes the Numbering options found in the Volume Document Options screen of the
Production Set wizard.
See Volume Document Options on page 276.
Production Set Numbering Options
You will choose from the document numbering options:
Document And Page Numbering Uniquely Sequenced (page 281)
Document Numbering Tied To Page Numbering (page 281)
Document Numbering With Page Counter Suffix (page 282)
Creating Production Sets Process for Creating Production Sets | 281
Document And Page Numbering Uniquely Sequenced
This option generates a sequential number that is applied to the document without regard to the rendered pages
that may or may not be produced. The images will also be numbered sequentially without regard to the
document number.
For example, if you have two documents each that produce two images during conversion, the output would be:
You can optionally specify a prefix- and a suffix-naming convention.
Document Numbering Tied To Page Numbering
This option generates a sequential number for every document and the pages produced for that document will
carry the document's name with a counter as a suffix that represents which page is represented by the image.
For example, if you have two documents each that produce two images during conversion, the output would be:
Considerations for Document Numbering Tied to Page Numbering
If creating production sets with a dot (.) in the DocID and page branding, you must choose the option Document
Numbering with Page Counter Suffix, not Document Numbering Tied to Page Numbering in order to
ensure that each page has a unique page ID.
For example, if the original DocIDs are:
JXT.001.0001
JXT.001.0002
JXT.001.0003 and so on.
If you chooses Document Numbering Tied to Page Numbering as the numbering option, then the last numeric
part of the DocID is used as the page ID, and it is incremented for each page. Suppose that each document has
Example Output
Native Documents Image Output
ABC00001.doc IMG00001.tif
IMG00002.tif
ABC00002.doc IMG00003.tif
IMG00004.tif
Example Output
Native Document Image Output
ABC00001.doc ABC00001.001.tif
ABC00001.002.tif
ABC00002.doc ABC00002.001.tif
ABC00002.002.tif
Creating Production Sets Process for Creating Production Sets | 282
five pages, and that the Page ID is branded on each page. In this example, the DocID of the first document will
be JXT.001.0001. The first page is branded as JXT.001.0001, the second page as JXT.001.0002, and so forth.
The second document's doc ID will be JXT.001.0002. The first page will be branded as JXT.001.0002, the
second page as JXT.001.0003, and so on.
In this example, you can see that the page IDs are not unique, since JXT.001.0003 will be branded on:
-The third page of the first document
-The second page of the second document
-The first page of the third document
In order for the page IDs to be unique, the Document Numbering with Page Counter Suffix must be chosen.
Continuing with the same DocIDs as in the first example and with this numbering option, the DocID of the first
document will still be JXT.001.0001, but the first page will be branded as JXT.001.0001.0001, the second page
as JXT.001.0001.0002, and so on. This will ensure that each page has a unique page ID.
Document Numbering With Page Counter Suffix
This option generates a sequential number for every page created. The corresponding document name will be
the same as its first page generated for each document.
For example, if you have two documents each that produce two images during conversion, the output would be:
You can optionally specify a prefix- and a suffix-naming convention.
Example Output
Native Documents Image Output
ABC00001.doc ABC00001.tif
ABC00002.tif
ABC00003.doc ABC00003.tif
ABC00004.tif
Creating Production Sets Process for Creating Production Sets | 283
Production Set Image Branding Options
You can brand the PDF or TIFF image pages with several different brands and in several different locations on
the page using the Production Set wizard.
See Export Tab on page 289.
Image Branding Options
Option Group Options Options Options Description
Sample Displays a sample of the image branding
options selected.
Watermark Set options to brand a watermark to the middle
of the document.
Watermark
Opacity Sets the visibility of the watermark text.
Watermark
Type There are multiple types of image branding
available. The options in the Watermark group
box will differ depending on the Type that you
select.
None No branding on the image.
Font Sets the font style for the text.
Font Size Sets the font size for the text.
Bates Bates numbering is a term used for placing an
identifying number on every page of evidence
files that are presented in court.
Bates numbering in this project is not driven by
the document or page numbering that was
assigned in the Volume/Document Options
panel.
Prefix Specify up to any 25 alphanumeric characters
except the forward slash or backward slash.
You can use a separator to create a visual
break between the different sections of the
Bates number.
Starting
Number Sets the starting number to a value from 1-100.
Padding Specify the number of document counter digits
that you want. The limit is 42.
Font Sets the font style for the text.
Font Size Sets the font size for the text.
Doc ID Brands each page with the Doc ID in the
designated location. For example, if you have a
single document that was assigned a DocID of
ABC00005.doc, each image representing that
document will have ABC00005 branded in the
specified location.
Note: This brands the document with the
original DocID.
Creating Production Sets Process for Creating Production Sets | 284
Font Sets the font style for the text.
Font Size Sets the font size for the text.
Global
Endorsem
ent
Brands each page with the entered text in the
designated location.
Text Enter the text that you want to appear in the
designated location.
Font Sets the font style for the text.
Font Size Sets the font size for the text.
Page ID Brands each page with the name that was
provided during the Production Set creation in
the designated location.
For example if you have a document that
produced three image pages named
ABC00001.tif, ABC00002.tif, and
ABC00003.tif, the images will be branded with
ABC00001, ABC00002, and ABC0003
respectively.
Font Sets the font style for the text.
Font Size Sets the font size for the text.
Near Header Displays the branding options for a header on
the upper-left side of the page. These options
are based on the Header Type selected. See
the Watermark Type options above for more
information on the Header Type options as they
are the same options.
Center Header Displays the branding options for a header on
the upper-center side of the page. These
options are based on the Header Type
selected. See the Watermark Type options
above for more information on the Header Type
options as they are the same options.
Far Header Displays the branding options for a header on
the upper-right side of the page. These options
are based on the Header Type selected. See
the Watermark Type options above for more
information on the Header Type options as they
are the same options.
Near Footer Displays the branding options for a header on
the lower-left side of the page. These options
are based on the Header Type selected. See
the Watermark Type options above for more
information on the Header Type options as they
are the same options.
Image Branding Options (Continued)
Option Group Options Options Options Description
Creating Production Sets Process for Creating Production Sets | 285
Center Footer Displays the branding options for a header on
the lower-center side of the page. These
options are based on the Header Type
selected. See the Watermark Type options
above for more information on the Header Type
options as they are the same options.
Far Footer Displays the branding options for a header on
the lower-right side of the page. These options
are based on the Header Type selected. See
the Watermark Type options above for more
information on the Header Type options as they
are the same options.
Image Branding Options (Continued)
Option Group Options Options Options Description
Creating Production Sets Process for Creating Production Sets | 286
Additional Production Set Options
Saving Production Set Options as a Template
After configuring the production set options, you can save the settings as a template. The template can be
reused for future production sets with the current project or other projects.
To save options as a template
1. Access the production set wizard and set the options for the production set.
See Export Tab on page 289.
2. In the production set wizard, click Save As.
3. Enter a name for the template.
4. Click Save.
Deleting a Production Set
Users with production set rights can delete production sets from Project Review.
To delete a production set from Project Review
1. Log in as a user with Production Set rights.
2. Click the Project Review button next to the project in the Project List.
3. In the Project Explorer, select the Explore tab, expand the Production Sets folder, right-click the
production set that you want to delete and select Delete.
4. Click OK.
To delete a production set from the Home page
1. Log in as a user with Production Set rights.
2. Select the project in the Project List panel.
3. Click the Print/Export tab on the Home page.
4. Click the Delete button next to the production set.
Sharing a Production Set
Users with production set rights can share production sets that they have created with other groups of users.
To share a production set
1. Log in as a user with Production Set rights.
2. Click the Project Review button next to the project in the Project List.
3. In the Project Explorer, select the Explore tab, expand the Production Sets folder, right-click the
production set that you want to share and select Manage Permissions.
4. Check the groups that you want to have access to the production set that you created and click Save.
Exporting Production Sets Exporting a Production Set | 287
Chapter 26
Exporting Production Sets
Exporting a Production Set
After you create a production set, you can export it containing only the files needed for presentation to a law firm
or corporate security professional.
To export a production set
1. On the Home Page, select a project and click the Export tab.
2. Next to the production set that you want to export, click Export.
3. Enter the Export Path Location by doing one of the following:
-Send to LawDrop™ - Instead of exporting to network a share, the files are exported to LawDrop.
See the Understanding LawDrop chapter in the Admin Guide.
-File Path - Enter the UNC path to the export set. You can browse to the server and path, and validate
the path before exporting the load file. This path must be accessible to the logged in user. A new
folder will be created if the folder you specify does not exist.
4. Enter a name for the Load File.
5. Select a format that you want to use for the export. The following formats are available:
-Browser Briefcase - Generates an HTML format that provides links to the native documents, images,
and text files. See Using The Browser Briefcase on page 265.
-CaseVantage - Generates a DII file specifically formatted for use with the AD Summation
CaseVantage program.
-Concordance - Generates a DAT file that can be used in Concordance.
-EDRM - Generates an XML file that meets the EDRM v1.2 standard.
-Generic - Generates a standard delimited text file.
-iCONECT - Generates an XML file formatted for use with the iConect program.
-Introspect (IDX file) - Generates an IDX file specifically formatted for use with the Introspect
program.
-Relativity - Generates a DAT file that can be used in Relativity.
-Ringtail (MDB) - Generates a delimited text file that can be converted to be used in Ringtail.
-Summation eDII - Generates a DII file specifically formatted for use with the AD Summation iBlaze or
Enterprise programs.
Exporting Production Sets Exporting a Production Set | 288
Note: If you are outputting a Concordance, Relativity, or Generic load file, and include rendered
images, you will also get an OPT and LFP file in the export directory.
6. Depending on the load file format you choose, you may need to check whether or not to show the row
header for the columns of data. The Show Row Header option is only available for the following load file
formats:
-Concordance
-Generic
-Introspect
-Relativity
-Ringtail (MDB)
7. Select an option for Load File Encoding. The following options are available:
-ANSI - Encodes load files using ANSI (for text written in the Latin script).
ANSI encoding has the advantage of producing a smaller load file than a Unicode file (UTF). ANSI-
encoded load files process faster and save space. The ANSI encoding includes characters for
languages other than English, but it is still limited to the Latin script.
If you are exporting documents that contain languages written in scripts other than Latin, you need to
choose a Unicode encoding form. Unicode encoding forms contain the character sets for all known
languages.
-UTF-8 - (Default) Encodes load files using UTF-8.
For more information on the Unicode standard, see the following website:
http://www.unicode.org/standard/principles.html
Most commonly used for text written in Chinese, Japanese, and Korean.
-UTF-16 - Encodes load files using UTF-16.
Similar to UTF-8 this option is used for text written in Chinese, Japanese, and Korean.
8. Select a Field Mapping character. This delimiter is the character that is placed between the columns of
data. The default delimiters are recommended by the program to which the load file was intended.
However, you can change these defaults by selecting the drop-down and choosing an alternative.
Field Mapping is available for the following load file formats:
-Concordance
-Generic
-Introspect
-Relativity
-Ringtail (MDB)
9. Select a Text Identifier character. This delimiter is the character that is placed on either side of the
value within each of the columns. All of the text that follows the character and precedes the next
occurrence of the same character is imported as one value.
The default delimiters are recommended by the program to which the load file was intended. However,
you can change these defaults by selecting the drop-down and choosing an alternative. If you do not
wish to use a delimiter, you can choose the (none) option.
Text Identifier is available for the following load file formats:
-Concordance
-Generic
-Introspect
-Relativity
-Ringtail (MDB)
Exporting Production Sets Export Tab | 289
10. Select a Newline character. This is a replacement character for any newline (carriage return/line feed)
character. The default delimiters are recommended by the program to which the load file was intended.
However, you can change these defaults by selecting the drop-down and choosing an alternative. If you
do not wish to use a delimiter, you can choose the (none) option.
Newline is available for the following load file formats:
-Concordance
-Generic
-Introspect
-Relativity
-Ringtail (MDB)
11. Select the Available Fields of metadata to be included in the load file and click the right arrow to add
the field.
12. Some load file applications require that certain fields be in the load file. In such projects, you can click
the Custom plus button to add a custom field entry that is not already listed in the Available Fields list.
13. Click Export.
Export Tab
The Export tab on the Home page can be used to export or delete production sets and view the history.
Export Tab Elements
Element Description
Production Set
History Search
Field
Enter text to search by production set name.
Production Set List Lists the production sets and the status of the production sets.
Export Button Click to export the production set to a load file.
Delete Button Click to delete the production set.
Creating Export Sets About Creating Export Sets | 290
Chapter 27
Creating Export Sets
About Creating Export Sets
You can export documents without creating a production set. To do this, create an Export Sets of labeled
documents, and then export the created Export Sets. Unused Export Sets can also be deleted.
When you create a set, you include all of the evidence to which you have applied a given label. After you create
the export set, you export the set to an AD1 image file, an image load file, a native export, or a load file.
Note: Once you've created an export set you cannot add documents to that set even if you use the same labels
used previously. You can label additional documents and then create a new set using the same label.
See Creating an AD1 Export on page 291.
See Creating a Native Export on page 294.
See To create a load file export on page 304.
Creating Export Sets Creating an AD1 Export | 291
Creating an AD1 Export
Choose to create an AD1 forensic image of the document included in the Export Set if you want to load the AD1
files into AD Forensic Toolkit (FTK) for further investigation. An AD1 contains the logical structure of the original
files and the original files themselves.
To create an AD1 export
1. Before you create an AD1 export, be sure that you have applied at least one label to evidence files that
you want to filter into the export set.
2. Log in as a user with Create Export rights.
3. Click the Project Review button next to the project in the Project List.
4. In the Project Explorer, click Explore.
5. Right-click the Export Sets folder, and select Create AD1 Export.
6. See AD1 Export General Options on page 292. for information on how to fill out the options in the
General Option screen.
7. Click Export.
8. After your export is created, it appears in the Export tab of the Home page and under the Export Sets
folder in the Project Explorer of the Project Review. A Summary report generates and saves to the
export folder.
Creating Export Sets Creating an AD1 Export | 292
AD1 Export General Options
The following table describes the options that are available on the General Options screen of the AD1 export set
wizard.
AD1 Export General Options Screen
AD1 Export General Option Screen
Option Description
Send to LawDrop Instead of exporting to a network share, the files are exported to LawDrop.
See the Understanding LawDrop chapter in the Admin Guide.
Export Path Enter the UNC path to the export set. You can browse to the server and path,
and validate the path before exporting the load file. This path must be accessible
to the logged in user. A new folder will be created if the folder you specify does
not exist.
Job Name Specify the name for your export set. For example, you can organize export sets
by using the person’s name for ease of examination. This naming method is
particularly useful if there are multiple people.
Label This field is required. Before you create an AD1 export, be sure that you have
applied at least one label to evidence files that you want to filter into the export
set.
Generate Exclusion
Report Lets you create a report of all the documents within the selected collection that
were not included in the export.
Creating Export Sets Creating an AD1 Export | 293
Include Duplicates Mark to include duplicates. Includes unlabeled documents that are flagged as
secondary (duplicates) to the labeled primary documents. These duplicate files
will not be labeled as part of the export set, however, so the file count in the load
file will be different that what is listed in the export set.
Organize by Person Creates a folder for each person to place the output into.
Email Contained in PST/
NSF Select to either output a reduced version of the original PST/NSF file, the emails
as individual MSG files, or as individual HTML/RTF files.
Note: In order to view the PST file after export, make sure to have Outlook
installed on the environment.
AD1 File Name Specifies the name of the exported AD1 file. If you are also selecting to organize
by person, each person’s folder will contain its own AD1 image file with this
name.
Encryption Select to encrypt the AD1 file, either with a certificate or password, or choose not
to encrypt it.
AD1 Export General Option Screen
Option Description
Creating Export Sets Creating a Native Export | 294
Creating a Native Export
Choose to create a Native Export if you want to export the native documents in their original format and
optionally rendered images into a directory of your choosing. This export does not provide a load file.
To create a native export
1. Before you create an export, be sure that you have applied at least one label to evidence files that you
want to filter into the export set.
2. Log in as a user with Create Export rights.
3. Click the Project Review button next to the project in the Project List.
4. In the Project Explorer, click Explore.
5. Right-click the Export Sets folder, and select Create Native Export.
6. See Native Export General Options on page 295. for information on how to fill out the options in the
General Option screen.
7. Click Next.
8. See Native Export Files to Include on page 297. for information on how to fill out the options in the Files
to Include screen.
9. Click Next.
10. See Export Volume Document Options on page 299. for information on how to fill out the options in the
Volume Document Options screen.
11. Click Next.
12. See Export Excel Rendering Options on page 301. on how to fill out the options in the Excel Rendering
Options screen.
13. Click Next.
14. See Export Word Rendering Options on page 303. for information on how to fill out the options in the
Word Rendering Options screen.
15. Click Next.
16. On the Summary page, review your options before saving to export.
After your export is created, it will appear in the Export tab of the Home page and under the Export Sets folder in
the Project Explorer of the Project Review.
Creating Export Sets Creating a Native Export | 295
Native Export General Options
The following table describes the options that are available on the General Options screen of the Native Export
set wizard.
Native Export General Options Screen
Native Export General Options Screen
Option Description
Send to LawDrop Instead of exporting to a network share, the files are exported to LawDrop.
See the Understanding LawDrop chapter in the Admin Guide.
Export Path Enter the UNC path to the export set. You can browse to the server and path,
and validate the path before exporting the load file. This path must be accessible
to the logged in user. A new folder will be created if the folder you specify does
not exist.
Job Name Specify the name for your export set. For example, you can organize export sets
by using the person name for ease of examination. This naming method is
particularly useful if there are multiple people.
Label This field is required. Before you create an AD1 export, be sure that you have
applied at least one label to evidence files that you want to filter into the export
set.
Generate Exclusion
Report Lets you create a report of all the documents within the selected collection that
were not included in the export..
Include Duplicates Mark to include duplicates. Includes unlabeled documents that are flagged as
secondary (duplicates) to the labeled primary documents. These duplicate files
will not be labeled as part of the export set, however, so the file count in the load
file will be different that what is listed in the export set.
Organize By Person Creates a folder for each person to place the output into.
Creating Export Sets Creating a Native Export | 296
Export Templates If you have saved an export template you can apply it to the current export set.
By applying a template, all current settings will be replaced.
You can also delete and rename a template.
By clicking Save As in the wizard, you can save the export options as a template.
Native Export General Options Screen
Option Description
Creating Export Sets Creating a Native Export | 297
Native Export Files to Include
You can select how you want to export native files and rendered images. Select the graphics images that you
want to use for slipsheets in the load file. The following table describes the options that are available on the
Native Files screen of the Native Export set wizard.
Export Files to Include Options
Options Description
Export Native Files You can include the native documents with the export set. This will only include
native files that have not been redacted. If the native file has been redacted, a
pdf of the file will be included.
Output a Reduced
Version of the Original
PST/NSF file
Select this option if there are emails that were originally in a PST or an NSF
format and you want to put them into a new PST or NSF container.
-There is a config file setting that will create and export to a new PST when
this option is selected. When this setting is true, it creates a brand new PST
with only the emails being exported (with their attachments) into the new PST
archive. Otherwise it will reduce the original PST.
(This option only applies to PST files, not NSF.)
To enable this option, include the following setting in the Work Manager con-
figuration file:
<add key="ExportEmailInNewPst" value="True"/>
Output messages as
individual HTML/RTF Select this option if you are exporting emails that were originally in a PST or NSF
and you want to export them as HTML or RTF files.
Uses the FTK object ID instead of the file name of the email message.
Note: MSG files exported as HTML format are output in MSG format instead
of HTML/RTF format.
Output messages as
individual MSG Select this option if you want to save the email as individual MSG files.
File Categories to
Exclude
Labels to Exclude
Issues to Exclude
Each of these options allow you to specify files that you do NOT want a native file
for.
See About Excluding Data in Production Sets and Export Sets on page 259.
Include Rendered
Images Select this option to include images that have been created in the Project
Review. Additionally, if an image has not yet been created, this option will convert
the native document to an image format. If selected, you will have the option to
set rendering options for Excel and Word documents.
See Export Excel Rendering Options on page 301.
See Export Word Rendering Options on page 303.
Excluded Extensions Enter the file extensions of documents that you do not want to be converted. File
extensions must be typed in exactly as they appear and separated by commas
between multiple entries. This field does not allow the use of wild card
characters. The default values are:
EXE, DLL, and COM
Creating Export Sets Creating a Native Export | 298
File Format Select which format you want the native file converted to:
-Multi-page - one TIFF image with multiple pages for each document.
-PDF - one PDF file with multiple pages for each document.
-Single Page - a single TIFF image for each page of each document. For
example, a 25 page document would output 25 single-page TIFF images.
Compression -CCITT3 (Bitonal) - Produces a lower quality black and white image.
-CCITT4 (Bitonal) - Produces a higher quality black and white image.
-LZW (Color) - Produces a color image with LZW compression.
-None (Color) - Produces a color image with no compression (This is a very
large image).
-RLE (Color) - Produces a color image with RLE compression.
DPI Set the resolution of the image.
The range is from 96 - 1200 dots per inch (DPI).
Page Format Select the page size for the image. The available page sizes are:
-Letter – 8 ½” x 11”
-A3 – 29.7 cm x 42 cm
-A4 – 29.7 cm x 21 cm
Normalize images Select this option to obtain consistent branding sizes throughout the entire
production.
Any image that is less than the chosen size will not be resized or rescaled to fit
the chosen page size but will be placed inside of the chosen size frame and will
be oriented to the upper left corner of the page.
Any document determined to be landscape in orientation will produce a proper
landscape image.
Produce color JPGs for
provided extensions This and the following two options are available if you are rendering to CCITT3 or
CCITT4 format and allows you to specify certain file extensions to render in color
JPGs.
For example, if you wanted everything in black and white format, but wanted all
PowerPoint documents in color, you would choose this option and then type PPT
or PPTX in the To JPG Extensions text box. Additionally, you can choose the
quality of the resulting JPG from 1 - 100 percent (100 percent being the most
clear, but the largest resulting image).
To JPG Extensions Lets you specify file extensions that you want exported to JPG images.
JPG Quality Sets the value of JPG quality (1-100). A high value (100) creates high quality
images. However, it also reduces the compression ratio, resulting in large file
sizes. A value of 50 is average quality.
Slipsheet Select this option to upload a slipsheet image to the server for use in the exports.
Slipsheets are an image that you can use when certain files cannot be converted
to an image, such an .exe file, or a .dll file. The slipsheet image is substituted in
place of the unconverted file.
A copy of this file is placed in the export image folder for every document that
you have chosen to exclude from conversion and will be named in accordance
with your file naming selection.
You need to select a file that matches the export file type. For example, if you are
exporting TIFFs, you must select a TIFF file as a slipsheet.
Enter the path to the slipsheet. You can browse to the server and path, and
validate the slipsheet path.
Note: You can have only one custom slipsheet per project.
Export Files to Include Options
Options Description
Creating Export Sets Creating a Native Export | 299
Export Volume Document Options
This section describes the options available in the Volume Document Options screen of the Export set wizard if
you have US numbering enabled. US numbering is the default. If you click Original in Naming Options, this panel
becomes disabled. The following table describes the options available.
Export Volume Document Options
Options Description
Naming Options Choose a naming option.
New Production DocID (Default) This file naming allows you to determine what the name of the files will
be, based on the document ID numbering scheme. This option is used with the
Document Numbering Options on this tab.
In Project Review, you can view the ProductionDocID that is created for exported
files. This is useful in associating an exported file with the original file.
Original DocID This naming is based on the original DocID.
Documents that were imported were put into a document group and will have a
DocID. Documents that were added through the evidence wizard, will not.
This option lets you re-use that original DocID for the produced record.
If the documents do not have an existing DocID, you can assign one by placing
the documents in a document group or by providing a DocID naming schema
using the Document Numbering Options on this tab.
Original File Name This file naming uses the original file names in the name of the documents rather
than a numbered naming convention.
Original File Path with
Original Path This uses the original file path folder structure rather than an auto-generated,
numbered folder structure. Clicking this option disables the Doc ID Numbering
pane
Append Object ID’s Allows you to use the name of your choice (Original or Original File Name with
Original Path), but also include the FTK Object ID as part of the native file
names. This option is not available for Doc ID
Volume Partition
Sorting You can sort the documents before they are converted and named. This allows
you to choose one or more metadata field values to sort the documents in
ascending or descending order.
You can choose any combination of fields by which to sort, however, it is not
recommended to choose more than 3 fields to sort by.
-Plus sign - Add volume partition sorting filters based on specified ascending
or descending fields.
-Minus sign - Delete the selected sorting option.
Sorting Specifies the order that the files are listed in each volume. Sorting occurs on the
parent document.
For example, you might sort by Ascending on the field FILESIZE. In such project,
the first volume contains the largest file sizes, and the last volume contains the
smallest file sizes.
Field Sets the FTK column heading by which you want to sort.
Volume Sample Provides a sample of the volumes.
Doc ID Numbering
Creating Export Sets Creating a Native Export | 300
Volume Partition
Options Select a volume folder structure for the output files. The selections will determine
how much data is put into each folder before a new folder is created and the
folder structure in which the output is placed.
Folder Lets you name and limit the size or the number of items that are contained in a
folder. An export can have one or more folders.
Prefix Specifies the prefix-naming convention that you want to use for the folders within
the volume of the export.
Suffix Specifies the suffix-naming convention that you want to use for the folders within
the volume of the export.
Starting Number Sets the starting number of the first folder within the volume of the export
File Limit Creates a new numbered folder when the specified file limit is reached inside the
folder.
Native Folder Lets you set the name of the Natives folder.
Image Folder Lets you set the name of the Image folder.
See Native Export Files to Include on page 297.
Text Folder Lets you set the name of the Text folder where text files go that are generated by
the OCR engine. See Native Export Files to Include on page 297.
Document This pane is only available if the New Production Doc ID or Original Doc ID
option is selected in the Naming Options.
Use these setting to determine how to generate new names of produced records.
(Some files may retain an original DocID. See the Naming Options on this tab.)
Numbering Options See About U.S. Document Numbering Options on page 280.
Prefix Specifies the prefix-naming convention that you want to use for the document
and page numbering within the folders of the export.
Suffix Specifies the suffix-naming convention that you want to use for the document
and page numbering within the folders of the export.
Starting Number Sets the starting number of the first document or image within the volume of the
export.
Padding Specify the number of document counter digits that you want. The limit is 21.
Export Volume Document Options
Options Description
Creating Export Sets Creating a Native Export | 301
Export Excel Rendering Options
You can set the options to format any Microsoft Excel spreadsheet prior to converting it to a graphic format. In
order for any of the options within this tab to be applied, you must first deselect the Use Original Document
Settings option check box. When this option is selected, the other formatting options will not be applied and the
document will be converted using the fromatting that it was last saved with. The following table describes the
options that are available on the Excel Rendering Options screen.
Export Excel Rendering Options
Options Description
General Set to determine how the spreadsheet is rendered.
Use Original Document
Settings Specifies that the original settings for Excel spreadsheets, such as paper size,
orientation, and margins, be maintained on the converted output.
Paper Size Choose to render the spreadsheet in the following paper sizes. The default paper
size is Letter:
-10 x 14
-11 x 17
-A3
-A4
-A5
-B4
-B5
-Custom
-Envelope DL
-Executive
-Folio
-Ledger
-Legal
-Letter
-Quarto
-Statement
-Tabloid
Orientation Select either Letter or Landscape for the paper size of the spreadsheet.
Header, Footer, and
Page Margins Set the margins of the spreadsheet. The default is 1 inch.
Formula Substitutions Substitute the formulas for the Date, Time, and Path fields. You can choose to
substitute the original formula, the original metadata, or custom text string.
Printing Specify how the spreadsheet comments are printed
Printing Comments Print comments on either Print Sheet End, Print in Place, or Print No Comments
Print Order For use with Excel spreadsheets that may not fit on the rendered page. If the
spreadsheet is too wide to fit on the rendered page, you can choose to print in
the following ways:
Down Then Over - Choose to print top to bottom first and then print left to right.
Over Then Down - Choose to print left to right first and then print top to bottom.
Creating Export Sets Creating a Native Export | 302
Page Mark the following options:
-Center Sheets Horizontally
-Center Sheets Vertically
-Fit Image To Page
-One Page Per Sheet
-Show Hidden Data - This is checked by default
Fix To X Pages Converts an Excel document and attempts to fit the resulting output image into a
specified number of pages.
Scaling Scales the output image to a specified percentage of the original size. The
maximum scale is 100%.
Export Excel Rendering Options
Options Description
Creating Export Sets Creating a Native Export | 303
Export Word Rendering Options
You can set the page size, orientation, and margins of a word processing document on the converted output.
The following table describes the options that are available on the Word Rendering Options screen of the Native
Export set wizard.
Export Word Rendering Options
Options Description
General Set to determine how the word processing is rendered.
Use Original Document
Settings Specifies that the original settings for Word documents, such as paper size,
orientation, and margins, be maintained on the converted output.
Paper Size Choose to render the word processing document in the following paper sizes.
The default paper size is Letter:
-10 x 14
-11 x 17
-A3
-A4
-A5
-B4
-B5
-Custom
-Envelope DL
-Executive
-Folio
-Ledger
-Legal
-Letter
-Quarto
-Statement
-Tabloid
Orientation Select either Letter or Landscape.
Header, Footer, and
Page Margins Set the margins of the spreadsheet. The default is 1 inch.
Field Substitutions Substitute the fields for the Date, Time, and Path fields. You can choose to
substitute the original formula, the original metadata, or custom text fields.
Page -Show Hidden Text - this is checked as default
-Print Endnotes At End Of Next Section
Creating Export Sets Creating a Load File Export | 304
Creating a Load File Export
When creating a load file export, you can export your choice of Native, Filtered text (includes the OCR text that
was created during processing), rendered images of the native document, and optionally OCR text of the
rendered images.
If the recipient intends to use third-party software to review the export set, select Load File Export.
To create a load file export
1. Before you create an export, be sure that you have applied at least one label to evidence files that you
want to filter into the export set.
2. Log in as a user with Create Export rights.
3. Click the Project Review button next to the project in the Project List.
4. In the Project Explorer, click Explore.
5. Right-click the Export Sets folder, and select Create Load File Export.
6. See Load File General Options on page 305. for information on how to fill out the options in the General
Option screen.
7. Click Next.
8. See Load File Options on page 306. for information on how to fill out the options in the Load File
Options screen.
9. Click Next.
10. See Load File Files to Include Options on page 308. for information on how to fill out the options in the
Include screen.
11. Click Next
12. See Export Volume Document Options on page 299. for information on how to fill out the options in the
Volume Document Options screen.
13. Click Next.
14. See Export Excel Rendering Options on page 301. on how to fill out the options in the Excel Rendering
Options screen.
15. Click Next.
16. See Export Volume Document Options on page 299. for information on how to fill out the options in the
Word Rendering Options screen.
17. Click Next.
18. On the Summary page, review your options before saving to export.
After your export is created, it will appear in the Export tab of the Home page and under the Export Sets folder in
the Project Explorer of the Project Review.
Creating Export Sets Creating a Load File Export | 305
Load File General Options
The following table describes the options that are available on the Load File General Options screen of the Load
File Export set wizard.
Load File General Options
Options Descriptions
Send to LawDropInstead of exporting to network a share, the files are exported to LawDrop.
See the Understanding LawDrop chapter in the Admin Guide.
Export Path Enter the UNC path to the export set. You can browse to the server and path,
and validate the path before exporting the load file. This path must be accessible
to the logged in user. A new folder will be created if the folder you specify does
not exist.
Job Name This field is required.
Label This field is required. Before you create a load file, be sure that you have applied
at least one label to evidence files that you want to filter into the export set.
Generate Exclusion
Report Lets you create a report of all the documents within the selected collection that
were not included in the export.
Include Duplicates Mark to include duplicates. Includes unlabeled documents that are flagged as
secondary (duplicates) to the labeled primary documents. These duplicate files
will not be labeled as part of the export set, however, so the file count in the load
file will be different that what is listed in the export set.
Generate Load File This is marked as default.
Export Templates If you have saved an export template you can apply it to the current export set.
By applying a template, all current settings will be replaced.
You can also delete and rename a template.
By clicking Save As in the wizard, you can save the export options as a template.
Creating Export Sets Creating a Load File Export | 306
Load File Options
The following table describes the options that are available on the Load File Options screen of the Load FIle
Export set wizard.
Load File Export Options
Options Descriptions
Load File Export
Load File Name Enter the name for the Load File.
Load File Encoding The following options are available for load file encoding:
-ANSI - Encodes load files using ANSI (for text written in the Latin script).
ANSI encoding has the advantage of producing a smaller load file than a Uni-
code file (UTF). ANSI-encoded load files process faster and save space. The
ANSI encoding includes characters for languages other than English, but it is
still limited to the Latin script.
If you are exporting documents that contain languages written in scripts other
than Latin, you need to choose a Unicode encoding form. Unicode encoding
forms contain the character sets for all known languages.
-UTF-8 - (Default) Encodes load files using UTF-8.
For more information on the Unicode standard, see the following website:
http://www.unicode.org/standard/principles.html
Most commonly used for text written in Chinese, Japanese, and Korean.
-UTF-16 - Encodes load files using UTF-16.
Similar to UTF-8 this option is used for text written in Chinese, Japanese, and
Korean.
Selected Format The following formats are available for export:
-Browser Briefcase
Generates an HTML format that provides links to the native documents,
images, and text files.
You can do the following:
Use multiple links for image, native, and text documents.
Work with production sets exported previously in iBlaze Browser Briefcase
format. This allows you to have greater control over the production set.
See Using The Browser Briefcase on page 265.
-caseVantage - Generates a DII file specifically formatted for use with the AD
Summation caseVantage program.
-Concordance - Generates a DAT file that can be used in Concordance.
-EDRM - Generates an XML file that meets the EDRM v1.2 standard.
-Generic - Generates a standard delimited text file.
-iCONECT - Generates an XML file formatted for use with the iConect pro-
gram.
-Introspect (IDX file) - Generates an IDX file specifically formatted for use with
the Introspect program.
-Relativity - Generates a DAT file that can be used in Relativity.
-Ringtail (MDB) - Generates a delimited text file that can be converted to be
used in Ringtail.
-Summation eDII - Generates a DII file specifically formatted for use with the
AD Summation iBlaze or Enterprise programs.
Note: If you are outputting a Concordance, Relativity, or Generic load file, and
include rendered images, you will also get an OPT and LFP file in the export
directory.
Multi-Entry Separator Choose which character to separate multi-entries. The default character is ;.
Creating Export Sets Creating a Load File Export | 307
Available Fields Select from the available fields.
There is an ORIGINALDOCID field available. This allows you to include a field to
reflect the original DocID when exporting with new DocIDs.
You can select FTK metadata to be included in the load file. Select columns of
metadata to be included in the load file and click the right arrow to add the
Selected Mapping field.
Selected Mapping In addition to the columns of metadata, you can also add Custom fields to be
included in the load file.
Field Mapping Templates Additionally, you may need a placeholder field. Use the plus button to add a field
mapping template. You can also edit and delete the templates.
Load File Export Options
Options Descriptions
Creating Export Sets Creating a Load File Export | 308
Load File Files to Include Options
The following table describes the options that are available on the Load File Export Files to Include Options
screen.
Load File Export Files to Include Options
Options Description
Export Native Files Select this option if you want to export the native documents with the export set.
This will only export native files that have not been redacted. If the native file has
been redacted, a pdf of the file will be included.
Output a Reduced
Version of the Original
PST/NSF file
Select this option if there are emails that were originally in a PST or an NSF
format and you want to put them into a new PST or NSF container.
-There is a config file setting that will create and export to a new PST when
this option is selected. When this setting is true, it creates a brand new PST
with only the emails being exported (with their attachments) into the new PST
archive. Otherwise it will reduce the original PST.
(This option only applies to PST files, not NSF.)
To enable this option, include the following setting in the Work Manager con-
figuration file:
<add key="ExportEmailInNewPst" value="True"/>
Output messages as
individual HTML/RTF Select this option if you are exporting emails that were originally in a PST or NSF
and you want to export them as HTML or RTF files.
Uses the FTK object ID instead of the file name of the email message.
Output messages as
individual MSG Select this option if you are exporting emails that were originally in a PST or NSF
and you want to export them as HTML or RTF files.
Uses the FTK object ID instead of the file name of the email message.
Export Native SWF Exports the native SWF file. This provides SWF files that you can view in
Browser Briefcase. This option is visible and enabled automatically if you select
the Browser Briefcase export format.
See Browser Briefcase on page 306.
File Categories to
Exclude
Labels to Exclude
Issues to Exclude
Each of these options allow you to specify files that you do NOT want a native file
for.
See About Excluding Data in Production Sets and Export Sets on page 259.
Export Rendered
Images Select this option to include images that have been created in the Project
Review. Additionally, if an image has not yet been created, this option will convert
the native document to an image format.
Export Image SWF Exports the image SWF file. This provides SWF files that you can view in
Browser Briefcase. This option is visible and enabled automatically if you select
the Browser Briefcase export format.
See Browser Briefcase on page 306.
Excluded Extensions Enter the file extensions of documents that you do not want to be converted. File
extensions must be typed in exactly as they appear and separated by commas
between multiple entries. This field does not allow the use of wild card
characters. The default values are:
EXE, DLL, and COM
Creating Export Sets Creating a Load File Export | 309
File Format Select which format you want the native file converted to:
-Multi-page - one TIFF image with multiple pages for each document.
-PDF - one PDF file with multiple pages for each document.
-Single Page - a single TIFF image for each page of each document. For
example, a 25 page document would output 25 single-page TIFF images.
Compression -CCITT3 (Bitonal) - Produces a lower quality black and white image.
-CCITT4 (Bitonal) - Produces a higher quality black and white image.
-LZW (Color) - Produces a color image with LZW compression.
-None (Color) - Produces a color image with no compression (This is a very
large image).
-RLE (Color) - Produces a color image with RLE compression.
DPI Set the resolution of the image.
The range is from 96 - 1200 dots per inch (DPI).
Page Format Select the page size for the image: A3, A4, Letter.
Normalize images Select this option to normalize the image n to the same size so that
endorsements appear to be the same size on all pages.
Produce color JPGs for
provided extensions This and the following two options are available if you are rendering to CCITT3 or
CCITT4 format and allows you to specify certain file extensions to render in color
JPGs.
For example, if you wanted everything in black and white format, but wanted all
PowerPoint documents in color, you would choose this option and then type PPT
or PPTX in the To JPG Extensions text box. Additionally, you can choose the
quality of the resulting JPG from 1 - 100 percent (100 percent being the most
clear, but the largest resulting image).
To JPG Extensions Lets you specify file extensions that you want exported to JPG images.
JPG Quality Sets the value of JPG quality (1-100). A high value (100) creates high quality
images. However, it also reduces the compression ratio, resulting in large file
sizes. A value of 50 is average quality.
File Categories to
Exclude
Labels to Exclude
Issues to Exclude
Each of these options allow you to specify files that you do NOT want a native file
for.
See About Excluding Data in Production Sets and Export Sets on page 259.
Slipsheet Select this option to upload a slipsheet image to the server for use in the exports.
Slipsheets are an image that you can use when certain files cannot be converted
to an image, such an .exe file, or a .dll file. The slipsheet image is substituted in
place of the unconverted file.
A copy of this file is placed in the export image folder for every document that
you have chosen to exclude from conversion and will be named in accordance
with your file naming selection.
You need to select a file that matches the export file type. For example, if you are
exporting TIFFs, you must select a TIFF file as a slipsheet.
Enter the path to the slipsheet. You can browse to the server and path, and
validate the slipsheet path.
Note: You can have only one custom slipsheet per project.
OCR TIFF Images Mark to OCR TIFF Images.
Load File Export Files to Include Options
Options Description
Creating Export Sets Creating a Load File Export | 310
OCR Text Encoding Encode the text in the OCR with either ANSI, UTF-16, or UTF-8. See Load File
Options on page 306.
Load File Export Files to Include Options
Options Description
Reference | 311
Part 7
Reference
-Getting Started with KFF (Known File Filter) (page 312)
-Using KFF (Known File Filter) (page 340)
-Understanding LawDrop™ (page 361)
-Using LawDrop™ (page 363)
-Integrating with AccessData Forensics Products (page 379)
Getting Started with KFF (Known File Filter) About KFF | 312
Chapter 28
Getting Started with KFF (Known File Filter)
This document contains the following information about understanding and getting started using KFF (Known
File Filter).
-About KFF (page 312)
-About the KFF Server and Geolocation (page 317)
-Installing the KFF Server (page 318)
-Configuring the Location of the KFF Server (page 320)
-Migrating Legacy KFF Data (page 321)
-Importing KFF Data (page 322)
-About CSV and Binary Formats (page 329)
-Installing KFF Updates (page 333)
-Uninstalling KFF (page 332)
-KFF Library Reference Information (page 334)
-What has Changed in Version 5.6 (page 339)
Important:
AccessData applications versions 5.6, 6.0, and later use a new KFF architecture. If you are using one
of the following applications version 5.6 or later, you must install and implement the new KFF
architecture:
FTK-based products (FTK, FTK Pro, AD Lab, AD Enterprise)
Summation
eDiscovery
See What has Changed in Version 5.6 on page 339.
About KFF
KFF (Known File Filter) is a utility that compares the file hash values of known files against the files in your
project. The known files that you compare against may be the following:
-Files that you want to ignore, such as operating system files
-Files that you want to be alerted about, such as malware or other contraband files
The hash values of files, such as MD5, SHA-1, etc., are based on the file’s content, not on the file name or
extension. The helps you identify files even if they are renamed.
Getting Started with KFF (Known File Filter) About KFF | 313
Using KFF during your analysis can provide the following benefits:
-Immediately identify and ignore 40-70% of files irrelevant to the project.
-Immediately identify known contraband files.
Introduction to the KFF Architecture
There are two distinct components of the KFF architecture:
-KFF Data - The KFF data are the hashes of the known files that are compared against the files in your
project. The KFF data is organized in KFF Hash Sets and KFF Groups. The KFF data can be comprised
of hashes obtained from pre-configured libraries (such as NSRL) or custom hashes that you configure
yourself.
See Components of KFF Data on page 313.
-KFF Server - The KFF Server is the component that is used to store and process the KFF data against
your evidence. The KFF Server uses the AccessData Elasticsearch Windows Service. After you install
the KFF Server, you import your KFF data into it.
Note: The KFF database is no longer stored in the shared evidence database or on the file system in EDB
format.
Components of KFF Data
Item Description
Hash The unique MD5 or SHA-1 hash value of a file. This is the value that is compared
between known files and the files in your project.
Hash Set A collection of hashes that are related somehow. The hash set has an ID, status,
name, vendor, package, and version. In most cases, a set corresponds to a
collection of hashes from a single source that have the same status.
Group KFF Groups are containers that are used for managing the Hash Sets that are
used in a project.
KFF Groups can contains Hash Sets as well as other groups.
Projects can only use a single KFF Group. However, when configuring your
project you can select a single KFF Group which can contains nested groups.
Status The specified status of a hash set of the known files which can be either Ignore
or Alert. When a file in a project matches a known file, this is the reported status
of the file in the project.
Library A pre-defined collection of hashes that you can import into the KFF Serve.
There are three pre-defined libraries:
-NSRL
-NDIC HashKeeper
-DHS
See About Pre-defined KFF Hash Libraries on page 315.
Getting Started with KFF (Known File Filter) About KFF | 314
About the Organization of Hashes, Hash Sets, and KFF Groups
Hashes, such as MD5, SHA-1, etc., are based on the file’s content, not on the file name or extension.
You can also import hashes into the KFF Server in .CSV format.
For FTK-based products, you can also import hashes into the KFF Server that are contained in .TSV, .HKE,
.HKE.TXT, .HDI, .HDB, .hash, .NSRL, or .KFF file formats.
You can also manually add hashes.
Hashes are organized into Hash Sets. Hash Sets usually include hashes that have a common status, such as
Alert or Ignore.
Hash Sets must be organized into to KFF Groups before they can be utilized in a project.
Index/Indices When data is stored internally in the KFF Library, it is stored in multiple indexes
or indices.
The following indices can exist:
-NSRL index
A dedicated index for the hashes imported from the NSRL library.
-NDIC index
A dedicated index for the hashes imported from the NDIC library.
-DHC index
A dedicated index for the hashes imported from the DHC library.
-KFF index
A dedicated index for the hashes that you manually create or import from
other sources, such as CSV.
These indices are internal and you do not see them in the main application. The
only place that you see some of them are in the KFF Import Tool.
See Using the KFF Import Utility on page 323.
The only time you need to be mindful of the indices is when you use the KFF
binary format when you either export or import data.
See About CSV and Binary Formats on page 329.
Item Description
Getting Started with KFF (Known File Filter) About KFF | 315
About Pre-defined KFF Hash Libraries
All of the pre-configured hash sets currently available for KFF come from three federal government agencies
and are available in KFF libraries.
See About KFF Pre-Defined Hash Libraries on page 334.
You can use the following KFF libraries:
-NIST NSRL
See About Importing the NIST NSRL Library on page 326.
-NDIC HashKeeper (Sept 2008)
See Importing the NDIC Hashkeeper Library on page 327.
-DHS (Jan 2008)
See Importing the DHS Library on page 328.
It is not required to use a pre-configured KFF library in order to use KFF. You can configure or import custom
hash sets. See your application’s Admin Guide for more information.
How KFF Works
The Known File Filter (KFF) is a body of MD5 and SHA1 hash values computed from electronic files. Some pre-
defined data is gathered and cataloged by several US federal government agencies or you can configure you
own. KFF is used to locate files residing within project evidence that have been previously encountered by other
investigators or archivists. Identifying previously cataloged (known) files within a project can expedite its
investigation.
When evidence is processed with the MD5 Hash (and/or SHA-1 Hash) and KFF options, a hash value for each
file item within the evidence is computed, and that newly computed hash value is searched for within the KFF
data. Every file item whose hash value is found in the KFF is considered to be a known file.
Note: If two hash sets in the same group have the same MD5 hash value, they must have the same metadata.
If you change the metadata of one hash set, all hash sets in the group with the same MD5 hash file will be
updated to the same metadata.
The KFF data is organized into Groups and stored in the KFF Server. The KFF Server service performs lookup
functions.
Status Values
In order to accelerate an investigation, each known file can labeled as either Alert or Ignore, meaning that the file
is likely to be forensically interesting (Alert) or uninteresting (Ignore). Other files have a status of Unknown.
The Alert/Ignore designation can assist the investigator to hone in on files that are relevant, and avoid spending
inordinate time on files that are not relevant. Known files are presented in the Overview Tab’s File Status
Container, under “KFF Alert files” and “KFF Ignorable.”
Getting Started with KFF (Known File Filter) About KFF | 316
Hash Sets
The hash values comprising the KFF are organized into hash sets. Each hash set has a name, a status, and a
listing of hash values. Consider two examples. The hash set “ZZ00001 Suspected child porn” has a status of
Alert and contains 12 hash values. The hash set “BitDefender Total Security 2008 9843” has a status of Ignore
and contains 69 hash values. If, during the course of evidence processing, a file item’s hash value were found to
belong to the “ZZ00001 Suspected child porn” set, then that file item would be presented in the KFF Alert files
list. Likewise, if another file item’s hash value were found to belong to the “BitDefender Total Security 2008 9843”
set, then that file would be presented in the KFF Ignorable list.
In order to determine whether any Alert file is truly relevant to a given project, and whether any Ignore file is truly
irrelevant to a project, the investigator must understand the origins of the KFF’s hash sets, and the methods
used to determine their Alert and Ignore status assignments.
You can install libraries of pre-defined hash sets or you can import custom hash sets. The pre-defined hash sets
contain a body of MD5 and SHA1 hash values computed from electronic files that are gathered and cataloged by
several US federal government agencies.
See About KFF Pre-Defined Hash Libraries on page 334.
Higher Level Structure and Usage
Because hash set groups have the properties just described, and because custom hash sets and groups can be
defined by the investigator, the KFF mechanism can be leveraged in creative ways. For example, the
investigator may define a group of hash sets created from encryption software and another group of hash sets
created from child pornography files and then apply only those groups while processing.
Getting Started with KFF (Known File Filter) About the KFF Server and Geolocation | 317
About the KFF Server and Geolocation
In order to use the Geolocation Visualization feature in various AccessData products, you must use the KFF
architecture and do the following:
-Install the KFF Server.
See Installing the KFF Server on page 318.
-Install the Geolocation (GeoIP) Data (this data provide location data for evidence)
See Installing the Geolocation (GeoIP) Data on page 328.
From time to time, there will be updates available for the GeoIP data.
See Installing KFF Updates on page 333.
If you are upgrading to 5.6 or later from an application 5.5 or earlier, you must install the new KFF Server and the
updated Geolocation data.
Getting Started with KFF (Known File Filter) Installing the KFF Server | 318
Installing the KFF Server
About Installing the KFF Server
In order to use KFF, you must first install and configure a KFF Server.
For product versions 5.6.x and 6.0.x and later, you install a KFF Server by installing the AccessData
Elasticsearch Windows Service.
Where you install the KFF Server depends on the product you are using with KFF:
-For FTK and FTK Pro applications, the KFF Server must be installed on the same computer that runs the
FTK Examiner application.
-For all other applications, such as AD Lab, Summation, or eDiscovery, the KFF Server can be installed on
either the same computer as the application or on a remote computer. For large environments, it is
recommended that the KFF Server be installed on a dedicated computer.
Once the KFF components are installed, they will be accessible via the Windows Start Menu, as well as through
FTK in the Manage menu.
Note: KFF components will only be available in the Windows Start Menu on the computer where they are
physically installed.
After installing the KFF Server, you configure the application with the location of the KFF Server.
See Configuring the Location of the KFF Server on page 320.
About KFF Server Versions
The KFF Server (AccessData Elasticsearch Windows Service) may be updated from time to time. It is best to
use the latest version.
For applications 5.5 and earlier, the KFF Server component was version 1.2.7 and earlier.
AccessData
Elasticsearch
Windows Service
Released Installation Instructions
Version 1.3.2.x -November 2014 with
5.6 versions of
FTK-based products
Summation
eDiscovery
-November 2015 with
6.0 versions of
FTK-based products
Summation
eDiscovery
See Installing the KFF Server Service on page 319.
Getting Started with KFF (Known File Filter) Installing the KFF Server | 319
About Upgrading from Earlier Versions
If you have used KFF with applications versions 5.5 and earlier, you can migrate your legacy KFF data to the
new architecture.
See Migrating Legacy KFF Data on page 321.
Process for Installing KFF
The process for installing KFF is as follows:
1. Downloading the Latest KFF Installation Files (page 319)
2. Installing the KFF Server Service (page 319)
3. Configuring the KFF Server location:
-Configuring the KFF Server Location on FTK-based Computers (page 320)
-Configuring the KFF Server Location on Summation and eDiscovery Applications (page 320)
4. (Optional) Upgrading or importing KFF data.
-See Migrating Legacy KFF Data on page 321.
-About Importing KFF Data (page 322)
-Importing Pre-defined KFF Data Libraries (page 325)
-Installing the Geolocation (GeoIP) Data (page 328)
Downloading the Latest KFF Installation Files
You can download ISO files which has the latest KFF files. Files may be updated from time to time.
To download the latest KFF Installation Files
1. Go to the AccessData Current Releases - Digital Forensics product download page.
You can also download the file from the FTK or AD Lab product download pages.
2. Click Known File Filter (KFF) Compatible with 5.6 and above.
3. Do one of the following:
-To download the KFF Server files, utilities, and NSRL data, click KFF for all 6.0 products.
-To download the DHS library, click KFF DHS.
-To download the NDIC library, click KFF NDIC.
4. Click Download Now.
Installing the KFF Server Service
The KFF Server Service is install by installing the AccessData Elasticsearch Windows Service
For instructions on installing the AccessData Elasticsearch Windows Service, see Installing the Elasticsearch
Service (page 383).
Getting Started with KFF (Known File Filter) Configuring the Location of the KFF Server | 320
Configuring the Location of the KFF Server
After installing the KFF Server, on the computer running the application, such as FTK, AD Lab, Summation, or
eDiscovery, you configure the location of the KFF Server.
Do one of the following:
-Configuring the KFF Server Location on FTK-based Computers (page 320)
-Configuring the KFF Server Location on Summation and eDiscovery Applications (page 320)
Configuring the KFF Server Location on FTK-based Computers
Before using KFF with FTK, FTK Pro, Lab, or Enterprise, with KFF, you must configure the location of the KFF
Server.
Important:
To configure KFF, you must be logged in with Admin privileges.
To view or edit KFF configuration settings
1. In the Case Manager, click Tools > Preferences > Configure KFF.
2. You can set or view the address of the KFF Server.
-If you installed the KFF Server on the same computer as the application, this value will be localhost.
-If you installed the KFF Server on a different computer, identify the KFF server.
3. Click Test to validate communication with the KFF Server.
4. Click Save.
5. Click OK.
Configuring the KFF Server Location on Summation and eDiscovery
Applications
When using the KFF Server with Summation or eDiscovery applications, two configuration files must point to the
KFF Server location.
These setting are configured automatically during the KFF Server installation. If needed, you can verify the
settings.
However, if you change the location of the KFF Server, do the following to specify the location of the KFF Server.
1. Configure AdgWindowsServiceHost.exe.config:
1a. On the computer running the application (for example, the server running Summation), go to
C:\Program Files\AccessData\Common\FTK Business Services.
1b. Open AdgWindowsServiceHost.exe.config.
1c. Modify the line <add key="KffElasticSearchUrl" value="http://localhost:9200" />.
1d. Change localhost to be the location of your KFF server (you can use hostname or IP).
1e. Save and close file.
1f. Restart the business services common service.
2. Configure AsyncProcessingServices web.config:
Getting Started with KFF (Known File Filter) Migrating Legacy KFF Data | 321
2a. On the computer running the application (for example, the server running Summation), go to
C:\Program Files\AccessData\AsyncProcessingServices.
2b. Open web.config.
2c. Modify the line <add key="KffElasticSearchUrl" value="http://localhost:9200" />.
2d. Change localhost to be the location of your KFF server (you can use hostname or IP).
2e. Save and close file.
2f. Restart the AsyncProcessing service.
Migrating Legacy KFF Data
If you have used KFF with applications versions 5.5 and earlier, you can migrate that data from the legacy KFF
Server to the new KFF Server architecture.
Important:
Applications version 5.6 and later can only use the new KFF architecture that was introduced in 5.6.
If you want to use KFF data from previous versions, you must migrate the data.
Important:
If you have NSRL, NDIC, or DHS data in your legacy data, those sets will not be migrated. You must
re-import them using the 5.6 versions or later of those libraries. Only legacy custom KFF data will be
migrated.
Legacy KFF data is migrated to KFF Groups and Hash Sets on the new KFF Server.
Because KFF Templates are no longer used, they will be migrated as KFF Groups, and the groups that were
under the template will be added as sub-groups.
You migrate data using the KFF Migration Tool. To use the KFF Migration Tool, you identify the following:
-The Storage Directory folder where the legacy KFF data is located.
This was folder was configured using the KFF Server Configuration utility when you installed the legacy
KFF Server. If needed, you can use this utility to view the KFF Storage Directory. The default location of
the KFF_Config.exe file is Program Files\AccessData\KFF.
-The URL of the new KFF Server (the computer running the AccessData Elastic Search Windows Service)
This is populated automatically if the new KFF Server has been installed.
To install the KFF Migration Tool
1. On the computer where you have installed the KFF Server, access the KFF Installation disc, and run the
autorun.exe.
2. Click the 64 bit or 32 bit Install KFF Migration Utility.
3. Complete the installation wizard.
To migrate legacy KFF data
1. On the legacy KFF Server, you must stop the KFF Service.
You can stop the service manually or use the legacy KFF Config.exe utility.
2. On the new KFF Server, launch the KFF Migration Tool.
3. Enter the directory of the legacy KFF data.
4. The URL of Elasticsearch should be listed.
5. Click Start.
6. When completed, review the summary data.
Getting Started with KFF (Known File Filter) Importing KFF Data | 322
Importing KFF Data
About Importing KFF Data
You can import hashes and KFF Groups that have been previous configured.
You can import KFF data in one of the following formats:
KFF Data sources that you can import
Source Description
Pre-configured KFF libraries You can import KFF data from the following pre-configured libraries
-NIST NSRL
-NDIC HashKeeper
-DHS
To import KFF libraries, it is recommended that you use the KFF Import
Utility.
See Using the KFF Import Utility on page 323.
See Importing Pre-defined KFF Data Libraries on page 325.
See KFF Library Reference Information on page 334.
Custom Hash Sets and KFF
Groups
You can import custom hashes from CSV files.
See About the CSV Format on page 329.
For FTK-based products, you can also import custom hashes from the
following file types:
-Delimited files (CSV or TSV)
-Hash Database files (HDB)
-Hashkeeper files (HKE)
-FTK Exported KFF files (KFF)
-FTK Supported XML files (XML)
-FTK Exported Hash files (HASH)
To import these kinds of files, use the KFF Import feature in your
application.
See Using the Known File Feature chapter.
KFF binary files You can import KFF data that was exported in a KFF binary format, such as
an archive of a KFF Server.
See About CSV and Binary Formats on page 329.
When you import a KFF binary snapshot, you must be running the same
version of the KFF Server as was used to create the binary export.
To import KFF binary files, it is recommend that you use the KFF Import
Utility.
See Using the KFF Import Utility on page 323.
Getting Started with KFF (Known File Filter) Importing KFF Data | 323
About KFF Data Import Tools
When you import KFF data, you can use one of two tools:
About Default Status Values
When you import KFF data, you configure a default status value of Alert or Ignore. When adding Hash Sets to
KFF Groups, you can configure the KFF Groups to use the default status values of the Hash Set or you can
configure the KFF Group with a status that will override the default Hash Set values.
See Components of KFF Data on page 313.
About Duplicate Hashes
If multiple Hash Set files containing the same Hash identifier are imported into a single KFF Group, the group
keeps the last Hash Set’s metadata information, overwriting the previous Hash Sets’ metadata. This only
happens within an individual group and not across multiple groups.
Using the KFF Import Utility
About the KFF Import Utility
Due to the large size of some KFF data, a stand-alone KFF Import utility is available to use to import the data.
This KFF Import utility can import large amounts of data faster then using the import feature in the application.
It is recommend that you install and use the KFF Import utility to import the following:
-NSRL, DHC, and NIST libraries
-An archive of a KFF Server that was exported in the binary format
After importing NSRL, NDIC, or DHS libraries, these indexes are displayed in the Currently Installed Sets list.
See Components of KFF Data on page 313.
You can also use the KFF Import Utility to remove the NSRL, NDIC, or DHS indexes that you have imported.
An archive of a KFF Server, which is the exported KFF Index, is not shown in the list.
KFF Data Import Tools
The application’s Import
feature
The KFF management feature in the application lets you import both .CSV and
KFF Binary formats. Use the application to import .CSV files.
See Using the Known File Feature chapter.
Even though you can import KFF binary files using the application, it is
recommend that you use the KFF Import Utility.
KFF Import Utility It is recommended that you use the KFF Import Utility to import KFF binary files.
See Using the KFF Import Utility on page 323.
Getting Started with KFF (Known File Filter) Importing KFF Data | 324
Installing the KFF Import Utility
You should use the KFF Import Utility to import some kinds of KFF data.
To install the KFF Import Utility
1. On the computer where you have installed the KFF Server, access the KFF Installation disc, and run the
autorun.exe.
2. Click the 64 bit or 32 bit Install KFF Import Utility.
3. Complete the installation wizard.
Importing a KFF Server Archive Using the KFF Import Utility
You can import an archive of a KFF Server that you have exported using the binary format.
If you are importing a pre-defined KFF Library, see Importing Pre-defined KFF Data Libraries (page 325).
To import using the KFF Import Utility
1. On the KFF Server, open the KFF Import Utility.
2. To test the connection to the KFF Server’s Elasticsearch service at the displayed URL, click Connect.
If it connects correctly, no error is shown.
If it is not able to connect, you will get the following error: Failed after retrying 10 times: ‘HEAD
accessdata_threat_indicies’.
3. To import, click Import.
4. Click Browse.
5. Browse to the folder that contains the KFF binary files.
Specifically, select the folder that contains the Export.xml file.
6. Click Start.
7. Close the dialog.
Removing Pre-defined KFF Libraries Using the KFF Import Utility
You can remove a pre-defined KFF Library that you have previously imported.
You cannot see or remove existing custom KFF data (the KFF Index).
To remove pre-defined KFF Libraries
1. On the KFF Server, open the KFF Import Utility.
2. Select the library that you want to remove.
3. Click Remove.
Getting Started with KFF (Known File Filter) Importing KFF Data | 325
Importing Pre-defined KFF Data Libraries
About Importing Pre-defined KFF Data Libraries
After you install the KFF Server, you can import pre-defined NIST NSRL, NDIC HashKeeper, and DHS data
libraries.
See About Pre-defined KFF Hash Libraries on page 315.
In versions 5.5 and earlier, you installed these using an executable file. In versions 5.6 and later, you must import
them. It is recommend that you use the KFF Import Utility.
After importing pre-defined KFF Libraries, you can remove them from the KFF Server.
See Removing Pre-defined KFF Libraries Using the KFF Import Utility on page 324.
See the following sections:
-About Importing the NIST NSRL Library (page 326)
-Importing the NDIC Hashkeeper Library (page 327)
-Importing the DHS Library (page 328)
Getting Started with KFF (Known File Filter) Importing KFF Data | 326
About Importing the NIST NSRL Library
You can import the NSRL library into your KFF Server. During the import, two KFF Groups are created:
NSRL_Alert and NSRL_Ignore. In FTK-based products, these two groups are automatically added to the Default
KFF Group.
The NSRL libraries are updated from time to time. To import and maintain the NSRL data, you do the following:
Process for Importing and Maintaining the NIST NSRL Library
1. Import the complete
NSRL library.
You must first install the most current complete NSRL library. You can later add
updates to it.
To access and import the complete NSRL library, see
Importing the Complete NSRL Library (page 327)
2. Import updates to the
library
When updates are made available, import the updates to bring the data up-to
date.
See Installing KFF Updates on page 333.
Important: In order to use the NSRL updates, you must first import the complete
library. When you install an NSRL update, you must keep the previous NSRL
versions installed in order to maintain the complete set of NSRL data.
Available NRSL library files (new format)
NSRL Library
Release Released Information
Complete library
version 2.45
(source .ZIP file)
Nov 2014 For use only with applications version 5.6 and later.
Contains the full NSRL library up through update 2.45.
See Importing the Complete NSRL Library on page 327.
Available Legacy NRSL library files
Legacy NSRL
Library Release Released Information
version 2.44
(.EXE file)
Nov 2013 For use with the legacy KFF Server that was used with
applications versions 5.5 and earlier.
Contains the full NSRL library up through update 2.44.
Install this library first.
Note: NSRL updates for the legacy KFF format will end in the
2nd quarter of 2015. From that time, NSRL updates will only
be provided in the new format.
Getting Started with KFF (Known File Filter) Importing KFF Data | 327
Importing the Complete NSRL Library
To add the NSRL library to your KFF Library, you import the data. You start by importing the full NSRL library.
You can then import any updates as they are available.
See About Importing the NIST NSRL Library on page 326.
See Installing KFF Updates on page 333.
Important:
The complete NSRL library data is contained in a large (3.4 GB) .ZIP file. When expanded, the data
is about 18 GB. Make sure that your file system can support files of this size.
Important:
Due to the large amount of NSRL data, it will take 3-4 hours to import the NSRL data using the KFF
Import Utility. If you import from within an application, it will take even longer.
To install the NSRL complete library
1. Extract the NSRLSOURCE_2.45.ZIP file from the KFF Installation disc.
See Downloading the Latest KFF Installation Files on page 319.
2. On the KFF Server, launch the KFF Import Utility.
See Installing the KFF Import Utility on page 324.
3. Click Import.
4. Click Browse.
5. Browse to and select the NSRLSource_2.45 folder that contains the NSRLFile.txt file.
(Make sure you are selecting the folder and not drilling into the folder to select an individual file. The
import process will drill into the folder to get the proper files for you.)
6. Click Select Folder.
7. Click Start.
8. When the import is complete, click OK.
9. Close the Import Utility dialog and the NSRL library will be listed in the Currently Installed Sets.
Importing the NDIC Hashkeeper Library
You can import the Hashkeeper 9.08 library.
For application versions 5.6 and later, these files are stored in the KFF binary format.
To import the Hashkeeper library
1. Have access the NDIC source files by download the ZIP file from the web:
See Downloading the Latest KFF Installation Files on page 319.
2. Extract the ZIP file.
3. On the KFF Server, launch the KFF Import Utility.
See Installing the KFF Import Utility on page 324.
4. Click Import.
5. Click Browse.
6. Browse to and select the NDIC source folder that contains the Export.xml file.
(Make sure you are selecting the folder and not drilling into the folder to select an individual file. The
import process will drill into the folder to get the proper files for you.)
7. Click Select Folder.
Getting Started with KFF (Known File Filter) Importing KFF Data | 328
8. Click Start.
9. When the import is complete, click OK.
10. Close the Import Utility dialog and the NDIC library will be listed in the Currently Installed Sets.
Importing the DHS Library
You can import the DHS 1.08 library.
For application versions 5.6 and later, these files are stored in the KFF binary format.
To import the DHS library
1. Have access the NDIC source files by download the ZIP file from the web:
See Downloading the Latest KFF Installation Files on page 319.
2. Extract the ZIP file.
3. On the KFF Server, launch the KFF Import Utility.
See Installing the KFF Import Utility on page 324.
4. Click Import.
5. Click Browse.
6. Browse to and select the DHS source folder that contains the Export.xml file.
(Make sure you are selecting the folder and not drilling into the folder to select an individual file. The
import process will drill into the folder to get the proper files for you.)
7. Click Select Folder.
8. Click Start.
9. When the import is complete, click OK.
10. Close the Import Utility dialog and the DHS library will be listed in the Currently Installed Sets.
Installing the Geolocation (GeoIP) Data
Geolocation (GeoIP) data is used for the Geolocation Visualization feature of several AccessData products.
See About the KFF Server and Geolocation on page 317.
You can also check for and install GeoIP data updates.
If you are upgrading to 5.6 or later from an application 5.5 or earlier, you must install the new KFF Server and the
updated Geolocation data.
The Geolocation data that was used with versions 5.5 and earlier is version 1.0.1 or earlier.
The Geolocation data that is used with versions 5.6 and later is version 2014.10 or later.
To install the Geolocation IP Data
1. On the computer where you have installed the KFF Server, access the KFF Installation disc, and run the
autorun.exe.
See Downloading the Latest KFF Installation Files on page 319.
2. Click the 64 bit or 32 bit Install Geolocation Data.
3. Complete the installation wizard.
Getting Started with KFF (Known File Filter) About CSV and Binary Formats | 329
About CSV and Binary Formats
When you export and import KFF data, you can use one of two formats:
-CSV
-KFF Binary
About the CSV Format
When you use the .CSV format, you use a single .CSV file. The .CSV file contains the hashes that you import or
export.
When you export to a CSV file, it contains the hashes as well as all of the information about any associated Hash
Sets and KFF Groups. You can only use the CSV format when exporting individual Hash Sets and KFF Groups.
When you import using a CSV file, it can be a simple file containing only the hashes of files, or it can contain
additional information about Hash Sets and KFF Groups.
However, CSV files will usually take a little longer to export and import.
To view the sample of a .CSV file that contains binaries and Hash Sets and KFF Groups, perform a CSV export
and view the file in Excel.
You can also use the format of CSV files that were exported in previous versions.
To import .CSV files, use the application’s KFF Import feature.
About the KFF Binary Format
When you use the KFF binary format, you use a set of files that are in an internal KFF Server (Elasticsearch)
format that is referred to as a Snapshot. The binary format is essentially a snapshot of one of the indices
contained in the KFF Server. You can only have one binary format snapshot for each index.
See Components of KFF Data on page 313.
The benefit of the binary format is that it is able to support larger amounts of data than the CSV format. For large
data sets, the binary format will export and import faster than the CSV format.
For example, when you import the DHC or NDIC Hashkeeper libraries, they are imported from a KFF binary
format.
If you export your custom Hash Sets or KFF Groups using the KFF binary format, everything in the KFF Index is
included.
See About Choosing to Export in CSV or KFF Binary Format on page 330.
When exporting in a Binary format, you specify an existing parent folder and then the name of a new sub-folder
for the binary data. The new sub-folder must not previously exist and will be created by the export process.
After export, the binary export folder contains the following:
-Indices sub-folder - The folder contains the exported KFF data
-Export.xml - This file is the only file that is not an Elasticsearch file and is created by the export feature
and contains the KFF Group and Hash Set definitions for the index.
Getting Started with KFF (Known File Filter) About CSV and Binary Formats | 330
-Index - an index file generated by Elasticsearch
-metadata-snaphot file with the data and time it was created
-snapshot-snaphot file with the data and time it was created
Note: The binary format is dependent on the version of the KFF Server. When exporting and importing the
binary format, the systems must be using the same version of the KFF Server.
When new versions of the KFF Server are released in the future, an upgrade process will also be
provided.
About Choosing to Export in CSV or KFF Binary Format
When you export your own KFF data, you have the option of using either the CSV or the binary format. The
results are different based on the format that you use:
CSV format
Exporting in
CSV format
When you export KFF data using the CSV format, you can export specific pieces
of KFF data, such as one or more Hash Sets or one or more KFF Groups.
The exported data is contained in one .CSV file.
The benefits of the CSV format are that CSV files can be easily viewed and can
be manually edited. They are also less dependent on the version of the KFF
Server.
Importing
from CSV
format
When you import a CSV file, the data in the file is data is added to your existing
KFF data that is in the KFF Index.
See Components of KFF Data on page 313.
For example, suppose you started by manually created four Hash Sets and one
KFF Group. That would be the only contents in your KFF Index. Suppose you
import a .CSV file that contains five hash sets and two KFF Groups. They will be
added together for a total of nine Hash Sets and three KFF Groups.
To import .CSV files, use the KFF Import feature in your application.
See Using the Known File Feature chapter.
KFF binary format
Exporting in
KFF binary
format
If you export your KFF data using the KFF binary format, all of the data that you
have in the KFF Index will be exported together. You cannot use this format to
export individual Hash Sets or KFF Groups.
See Components of KFF Data on page 313.
You will only want to use this format if you intend to export all of the data in the
KFF Index and import it as a whole. This can be useful in making an archive of
your KFF data or copying KFF data from one KFF Server to another.
Because NSRL, NIST, and DHC data is contained in their own indexes, when you
do an export using this format, those sets are not included. Only the data in the
KFF Index is exported.
Getting Started with KFF (Known File Filter) About CSV and Binary Formats | 331
Importing KFF
binary format
IMPORTANT: When you import a KFF binary format, it will import the complete
index and will replace any data that is currently in that index on the KFF Server.
For example, if you import the DHC library, and then later you import the DHC
library again, the DHC index will be replaced with the new import.
If you have a KFF binary format snapshot of custom KFF data (which would have
come from a binary format export) it will replace all KFF data that already exists in
your KFF Index.
For example, suppose you manually created four Hash Sets and one KFF Group.
Suppose you then import a binary format that has five hash sets and two KFF
Groups. The binary format will be imported as a complete index and will replace
the existing data. The result will be only be the imported five Hash Sets and two
KFF libraries.
When importing KFF binary files, it is recommend that you use the KFF Import
Utility.
See Installing the KFF Import Utility on page 324.
Getting Started with KFF (Known File Filter) Uninstalling KFF | 332
Uninstalling KFF
You can uninstall KFF application components independently of the KFF Data.
Main version Description
Applications 5.6
and later
For applications version 5.6 and later, you uninstall the following components:
-AccessData Elasticsearch Windows Service (KFF Server) v1.2.7 and later
Note: Elasticsearch is used by multiple features in various applications, use caution
when uninstalling this service or the related data.
-AccessData KFF Import Utility (v5.6 and later)
-AccessData KFF Migration Tool (v1.0 and later)
-AccessData Geo Location Data (v2014.10 and later)
Note: This component is not used by the KFF feature, but with the KFF Server for the
geolocation visualization feature.
The location of the KFF data is configured when the AccessData Elasticsearch Windows
Service was installed. By default, it is lactated at
C:\Program Files\AccessData\Elacticsearch\Data.
Applications 5.5
and earlier
For applications version 5.5 and earlier, you can uninstall the following components:
-KFF Server (v1.2.7 and earlier)
Note: The KFF Server is also used by the geolocation visualization feature.
-AccessData Geo Location Data (1.0.1 and earlier)
This component is not used by the KFF feature, but with the KFF Server for the geolo-
cation visualization feature.
The location of the KFF data was configured when the KFF Server was installed. You can
view the location of the data by running the KFF.Config.exe on the KFF Server.
If you are upgrading from 5.5 to 5.6, you can migrate your KFF data before uninstalling the
KFF Server.
Getting Started with KFF (Known File Filter) Installing KFF Updates | 333
Installing KFF Updates
From time to time, AccessData will release updates to the KFF Server and the KFF data libraries.
Some of the KFF data updates may require you to update the version of the KFF Server.
To check for updates, do the following:
1. Go to the KFF product download page.
See Downloading the Latest KFF Installation Files on page 319.
2. Check for updates.
-See About KFF Server Versions on page 318.
-See About Importing the NIST NSRL Library on page 326.
3. If there are updates, download them.
4. Install or import the updates.
Getting Started with KFF (Known File Filter) KFF Library Reference Information | 334
KFF Library Reference Information
About KFF Pre-Defined Hash Libraries
This section includes a description of pre-defined hash collections that can be added as AccessData KFF data.
The following pre-defined libraries are currently available for KFF and come from one of three federal
government agencies:
-NIST NSRL (The default library installed with KFF)
-NDIC HashKeeper (An optional library that can be downloaded from the AccessData Downloads page)
-DHS (An optional library that can be downloaded from the AccessData Downloads page)
Note: Because KFF is now multi-sourced, it is no longer maintained in HashKeeper format. Therefore, you
cannot modify KFF data in the HashKeeper program. However, the HashKeeper format continues to be
compatible with the AccessData KFF data.
Use the following information to help identify the origin of any hash set within the KFF
-The NSRL hash sets do not begin with “ZZN” or “ZN”. In addition, in the AD Lab KFF, all the NSRL hash
set names are appended (post-fixed) with multi-digit numeric identifier. For example: “Password Manager
& Form Filler 9722.”
-All HashKeeper Alert sets begin with “ZZ”, and all HashKeeper Ignore sets begin with “Z”. (There are a
few exceptions. See below.) These prefixes are often followed by numeric characters (“ZZN” or “ZN”
where N is any single digit, or group of digits, 0-9), and then the rest of the hash set name. Two examples
of HashKeeper Alert sets are:
“ZZ00001 Suspected child porn
 “ZZ14W”
An example of a HashKeeper Ignore set is:
“Z00048 Corel Draw 6”
-The DHS collection is broken down as follows:
 In 1.81.4 and later there are two sets named “DHS-ICE Child Exploitation JAN-1-08 CSV” and
“DHS-ICE Child Exploitation JAN-1-08 HASH”.
In AD Lab there is just one such set, and it is named “DHS-ICE Child Exploitation JAN-1-08”.
Once an investigator has identified the vendor from which a hash set has come, he/she may need to consider
the vendor’s philosophy on collecting and categorizing hash sets, and the methods used by the vendor to gather
hash values into sets, in order to determine the relevance of Alert (and Ignore) hits to his/her project. The
following descriptions may be useful in assessing hits.
Getting Started with KFF (Known File Filter) KFF Library Reference Information | 335
NIST NSRL
The NIST NSRL collection is described at: http://www.nsrl.nist.gov/index.html. This collection is much larger than
HashKeeper in terms of the number of sets and the total number of hashes. It is composed entirely of hash sets
being generated from application software. So, all of its hash sets are given Ignore status by AccessData staff
except for those whose names make them sound as though they could be used for illicit purposes.
The NSRL collection divides itself into many sub-collections of hash sets with similar names. In addition, many of
these hash sets are “empty”, that is, they are not accompanied by any hash values. The size of the NSRL
collection, combined with the similarity in set naming and the problem of empty sets, allows AccessData to
modify (or selectively alter) NSRL’s own set names to remove ambiguity and redundancy.
Find contact info at http://www.nsrl.nist.gov/Contacts.htm.
NDIC HashKeeper
NDIC’s HashKeeper collection uses the Alert/Ignore designation. The Alert sets are hash values contributed by
law enforcement agents working in various jurisdictions within the US - and a few that apparently come from
Luxemburg. All of the Alert sets were contributed because they were believed by the contributor to be connected
to child pornography. The Ignore sets within HashKeeper are computed from files belonging to application
software.
During the creation of KFF, AccessData staff retains the Alert and Ignore designations given by the NDIC, with
the following exceptions. AccessData labels the following sets Alert even though HashKeeper had assigned
them as Ignore: “Z00045 PGP files”, “Z00046 Steganos”, “Z00065 Cyber Lock”, “Z00136 PGP Shareware”,
Z00186 Misc Steganography Programs”, “Z00188 Wiping Programs”. The names of these sets may
suggest the intent to conceal data on the part of the suspect, and AccessData marks them Alert with the
assumption that investigators would want to be “alerted” to the presence of data obfuscation or elimination
software that had been installed by the suspect.
The following table lists actual HashKeeper Alert Set origins:
A Sample of HashKeeper KFF Contributions
Hash Contributor Location Contact Information Case/Source
ZZ00001
Suspected child
porn
Det. Mike McNown
& Randy Stone
Wichita PD
ZZ00002
Identified Child
Porn
Det. Banks Union County
(NJ) Prosecutor's
Office
(908) 527-4508 case 2000S-0102
ZZ00003
Suspected child
porn
Illinois State Police
ZZ00004
Identified Child
Porn
SA Brad Kropp,
AFOSI, Det 307
(609) 754-3354 Case # 00307D7-
S934831
Getting Started with KFF (Known File Filter) KFF Library Reference Information | 336
ZZ00000,
suspected child
porn
NDIC
ZZ00005
Suspected Child
Porn
Rene Moes,
Luxembourg Police
rene.moes@police.eta
t.lu
ZZ00006
Suspected Child
Porn
Illinois State Police
ZZ00007b
Suspected KP
(US Federal)
ZZ00007a
Suspected KP
Movies
ZZ00007c
Suspected KP
(Alabama 13A-12-
192)
ZZ00008
Suspected Child
Pornography or
Erotica
Sergeant Purcell Seminole County
Sheriff's Office
(Orlando, FL,
USA)
(407) 665-6948,
dpurcell@seminoleshe
riff.org
suspected child
pornogrpahy from
20010000850
ZZ00009 Known
Child
Pornography
Sergeant Purcell Seminole County
Sheriff's Office
(Orlando, FL,
USA)
(407) 665-6948,
dpurcell@seminoleshe
riff.org
200100004750
ZZ10 Known Child
Porn
Detective Richard
Voce CFCE
Tacoma Police
Department
(253)594-7906,
rvoce@ci.tacoma.wa.u
s
ZZ00011
Identified CP
images
Detective Michael
Forsyth
Baltimore County
Police
Department
(410)887-1866,
mick410@hotmail.com
ZZ00012
Suspected CP
images
Sergeant Purcell Seminole County
Sheriff's Office
(Orlando, FL,
USA)
(407) 665-6948,
dpurcell@seminoleshe
riff.org
ZZ0013 Identified
CP images
Det. J. Hohl Yuma Police
Department
928-373-4694 YPD02-70707
A Sample of HashKeeper KFF Contributions (Continued)
Hash Contributor Location Contact Information Case/Source
Getting Started with KFF (Known File Filter) KFF Library Reference Information | 337
The basic rule is to always consider the source when using KFF in your investigations. You should consider the
origin of the hash set to which the hit belongs. In addition, you should consider the underlying nature of hash
values in order to evaluate a hit’s authenticity.
ZZ14W Sgt Stephen May
Tamara.Chandler@oa
g.state.tx.us,
(512)936-2898
TXOAG
41929134
ZZ14U Sgt Chris Walling
Tamara.Chandler@oa
g.state.tx.us,
(512)936-2898
TXOAG
41919887
ZZ14X Sgt Jeff Eckert
Tamara.Chandler@oa
g.state.tx.us,
(512)936-2898
TXOAG Internal
ZZ14I Sgt Stephen May
Tamara.Chandler@oa
g.state.tx.us,
(512)936-2898
TXOAG
041908476
ZZ14B Robert Britt, SA,
FBI
Tamara.Chandler@oa
g.state.tx.us,
(512)936-2898
TXOAG
031870678
ZZ14S Sgt Stephen May
Tamara.Chandler@oa
g.state.tx.us,
(512)936-2898
TXOAG
041962689
ZZ14Q Sgt Cody Smirl
Tamara.Chandler@oa
g.state.tx.us,
(512)936-2898
TXOAG
041952839
ZZ14V Sgt Karen McKay
Tamara.Chandler@oa
g.state.tx.us,
(512)936-2898
TXOAG
41924143
ZZ00015 Known
CP Images
Det. J. Hohl Yuma Police
Department
928-373-4694 YPD04-38144
ZZ00016 Marion County
Sheriff's
Department
(317) 231-8506 MP04-0216808
A Sample of HashKeeper KFF Contributions (Continued)
Hash Contributor Location Contact Information Case/Source
Getting Started with KFF (Known File Filter) KFF Library Reference Information | 338
Higher Level KFF Structure and Usage
Since hash set groups have the properties just described (and because custom hash sets and groups can be
defined by the investigator) the KFF mechanism can be leveraged in creative ways. For example:
-You could define a group of hash sets created from encryption software and another group of hash sets
created from child pornography files. Then, you would apply only those groups while processing.
-You could also use the Ignore status. You are about to process a hard drive image, but your search
warrant does not allow inspection of certain files within the image that have been previously identified.
You could do the following and still observe the warrant:
4a. Open the image in Imager, navigate to each of the prohibited files, and cause an MD5 hash value
to be computed for each.
4b. Import these hash values into custom hash sets (one or more), add those sets to a custom group,
and give the group Ignore status.
4c. Process the image with the MD5 and KFF options, and with AD_Alert, AD_Ignore, and the new,
custom group selected.
4d. During post-processing analysis, filter file lists to eliminate rows representing files with Ignore
status.
Hash Set Categories
The highest level of the KFF’s logical structure is the categorizing of hash sets by owner and scope. The
categories are AccessData, Project Specific, and Shared.
Important:
Coordination among other investigators is essential when altering Shared groups in a lab
deployment. Each investigator must consider how other investigators will be affected when Shared
groups are modified.
Hash Set Categories
Category Description
AccessData The sets shipped with as the Library. Custom groups can be created from these sets, but
the sets and their status values are read only.
Project
Specific
Sets and groups created by the investigator to be applied only within an individual project.
Shared Sets and groups created by the investigator for use within multiple projects all stored in the
same database, and within the same application schema.
Getting Started with KFF (Known File Filter) What has Changed in Version 5.6 | 339
What has Changed in Version 5.6
WIth the 5.6 release of eDiscovery, Summation, and FTK-based products, the KFF feature has been updated.
If you used KFF with applications version 5.5 or earlier, you will want to be aware of the following changes in the
KFF functionality.
Changes from version 5.5 to 5.6
Item Description
KFF Server KFF Server now runs a different service.
-In 5.5 and earlier, the KFF Server ran as the KFF Server service.
-In 5.6 and later, the KFF Server uses the AccessData Elasticsearch Windows
Service.
For applications version 5.6 and later, all KFF data must be created in or
imported into the new KFF Server.
KFF Migration Tool This is a new tool that lets you migrate custom KFF data from 5.5 and earlier to
the new KFF Server.
NIST NSRL, NDIC HashKeeper, or DHS library data from 5.5 will not be
migrated. You must re-import it.
See Migrating Legacy KFF Data on page 321.
KFF Import Utility This is a new utility that lets you import large amounts of KFF data quicker than
using the import feature in the application.
See Using the KFF Import Utility on page 323.
KFF Libraries, Templates,
and Groups
In 5.5, all Hash Sets were configured within KFF Libraries. KFF Libraries could
then contain KFF Groups and KFF Templates.
KFF Libraries and Templates have been eliminated. You now simply create or
import KFF Groups and add Hash Sets to the groups.
You can now nest KFF Groups.
NIST NSRL, NDIC
HashKeeper, or DHS
libraries
In 5.5 and earlier, to use these libraries, you ran an installation wizard for each
library. You now import these libraries using the KFF Import Utility.
See About Importing Pre-defined KFF Data Libraries on page 325.
Import Log FTK-based products no longer include the Import Log.
eDiscovery and Summation products did not have it previously.
Export When you export KFF data you can now choose two formats:
-CSV format which replaced XML format
-A new binary format
See About CSV and Binary Formats on page 329.
Using KFF (Known File Filter) About KFF and De-NIST Terminology | 340
Chapter 29
Using KFF (Known File Filter)
This chapter explains how to configure and use KFF and has the following sections:
-See About KFF and De-NIST Terminology on page 340.
-See Process for Using KFF on page 341.
-See Configuring KFF Permissions on page 341.
-See Adding Hashes to the KFF Server on page 342.
-See Using KFF Groups to Organize Hash Sets on page 348.
-See Exporting KFF Data on page 359.
-See Enabling a Project to Use KFF on page 352.
-See Reviewing KFF Results on page 354.
-See Re-Processing KFF on page 358.
About KFF and De-NIST Terminology
You can configure the interface to display either the term “KFF” (Known File Filter) or “De-NIST”. For example,
this can change references of a “KFF Group” to a “De-NIST Group.”
This does not affect the functionality of KFF, but only the term that is displayed. This allows users in forensic
environments to see the term “KFF” while users in legal environments can see the term “De-NIST.”
By default, the KFF term is used in the interface.
This setting only affects text in the interface. The following new icon is used with either setting:
In this manual, the KFF term is used.
To change the KFF and De-NIST terminology
1. In the web.config file, in the <ReviewOptions> section, add or modify the following entry:
<add key="KFFAlternateName" value="KFF" />
2. To change the setting to use De-NIST terminology, change the value= from “KFF” to “De-NIST”.
Using KFF (Known File Filter) Process for Using KFF | 341
Process for Using KFF
To use the KFF feature, you perform the following steps:
Configuring KFF Permissions
In order to create and manage KFF libraries, sets, templates, and groups, you must have one of the following
permissions:
-Administrator
-Manage KFF
You assign the Manage KFF permission to an Admin Role and then associate that role with users.
See Configuring and Managing System Users, User Groups, and Roles on page 47.
A user with project management permissions does not require the Manage KFF permission in order to enable
KFF for a new project.
Process for using KFF
Step 1. Install and configure the KFF Server.
See Installing the KFF Server on page 318.
Step 2. Configure KFF permissions.
Configuring KFF Permissions (page 341)
Step 3. Add and manage KFF hashes on the KFF Server.
See Adding Hashes to the KFF Server on page 342.
Step 4. Add and manage KFF Groups to organize KFF Hash Sets.
Using KFF Groups to Organize Hash Sets (page 348)
Step 5. Configure a project to use KFF.
See Enabling a Project to Use KFF on page 352.
Step 6. Review KFF results in Project Review.
See Reviewing KFF Results on page 354.
Step 7. (Optional) Re-process the KFF data using different hashes.
See Re-Processing KFF on page 358.
Step 8. (Optional) Archive or export KFF data to share with other KFF Servers.
See Exporting KFF Data on page 359.
Using KFF (Known File Filter) Adding Hashes to the KFF Server | 342
Adding Hashes to the KFF Server
You must add the hashes of the files that you want to compare against your evidence data. When adding hashes
to the KFF Serer, you add them in KFF Hash Sets.
See Components of KFF Data on page 313.
You can use the following methods to add hashes to the KFF Library:
About the Manage KFF Hash Sets Page
To configure KFF data, you use the KFF Hash Sets and KFF Groups pages.
To open the KFF Hash Sets page
1. Log in as an Administrator or user with Manage KFF permissions.
2. Click Management > Hash Sets
If the feature does not function properly, check the following:
-The KFF Server is installed.
See Installing the KFF Server on page 318.
-The application has been configured for the KFF Server.
See Configuring the Location of the KFF Server on page 320.
-The KFF Service is running.
In the Windows Services manager, make sure that the AccessData Elasticsearch service is started.
Migrate legacy KFF Server
data You can migrate legacy KFF data that is in a KFF Server in applications
versions 5.5 and earlier.
See Migrating Legacy KFF Data on page 321.
Import hashes You can import previously configured KFF hashes from .CSV files.
See Importing KFF Data on page 343.
Manually create and manage
Hash Sets You can manually add hashes to a Hash Set.
See Manually Creating and Managing KFF Hash Sets on page 345.
Create hashes from evidence
files in Review You can add hashes from the files in your evidence using Review.
See Adding Hashes to Hash Sets Using Project Review on page 346.
Elements of the KFF Hash Sets page
Element Description
Hash Sets Displays all of the Hash Sets that have been imported or created in the KFF Server.
Lets you create a Hash Set.
See Manually Creating and Managing KFF Hash Sets on page 345.
Using KFF (Known File Filter) Adding Hashes to the KFF Server | 343
Importing KFF Data
About Importing KFF Data
To understand the methods and formats for importing KFF data, first see About Importing KFF Data (page 322).
This chapter explains how to import KFF data using the application’s management console.
Importing KFF Hashes
You can import KFF data from the following:
-KFF export CSV files
-KFF binary files
Warning: Importing KFF binary files will replace your existing KFF data.
See About CSV and Binary Formats on page 329.
It is recommended that you use the external KFF Import Utility to import KFF binary files.
See Using the KFF Import Utility on page 323.
When importing KFF data, you can enter default values for the following fields:
-Default Status
-Default Vendor
-Default Version
Lets you edit the active Hash Set.
See Manually Creating and Managing KFF Hash Sets on page 345.
Lets you delete the active Hash Set.
Warning: You are not prompted to confirm the deletion.
See Manually Creating and Managing KFF Hash Sets on page 345.
Delete Lets you delete one or more checked Hash Sets.
View Hashes
Lets you view and manage the hashes in the Hash Set.
See Searching For, Viewing, and Managing Hashes in a Hash Set on page 346.
Import File Lets you import KFF data.
See Importing KFF Data on page 343.
Export Lets you export KFF data.
See Exporting KFF Data on page 359.
Refreshes the Hash Sets list.
Elements of the KFF Hash Sets page
Element Description
Using KFF (Known File Filter) Adding Hashes to the KFF Server | 344
-Default Package
These are default values that will be used if they import file does not contain the information.
When importing hash lists using the CSV import, each hash within the CSV can have the same, different or no
status. During the import process you must choose a default status of Alert or Ignore. This default status will
have no affect on any hash in your CSV that already contains a status, however, any hash that does not have a
pre-assigned status will have this default status assigned to them.
The override status for the hash sets that you import will be automatically set to No Override. This is to ensure
that if your hash set contains both Alert and Ignore hashes, the program will not override the original status. You
can, however, choose to override the individual hash status within a set by choosing to set the whole set to Alert
or Ignore.
You can use these value to organize your hashes. For example, you can filter or sort data based on these
values.
To import KFF hashes from files
1. Log in as an Administrator or user with Manage KFF permissions.
2. Click Management > Hash Sets.
3. Click Import File.
4. On the KFF Import File dialog, click Add File.
5. Browse to and select the file.
6. Click Select.
7. Specify a Default Status.
This sets a default status only for the hashes that do not have a status specified in the file.
8. (Optional) Specify a default Vendor, Version, and Package.
This sets values only for the hashes that do not have a value specified in the file.
9. (Optional) Add other files.
10. Click Import.
11. View the Import Summary to see the results of the Import.
12. Click Close.
To import KFF data from a binary format
Warning: This process may replace your existing KFF data.
See About the KFF Binary Format on page 329.
1. Log in as an Administrator or user with Manage KFF permissions.
2. Click Management > Hash Sets.
3. Click Import File.
4. On the KFF Import File dialog, click Binary Import.
5. Browse to the folder that contains the binary files (specifically the Export.xml file) and click Select.
6. Click Import.
Using KFF (Known File Filter) Adding Hashes to the KFF Server | 345
Manually Creating and Managing KFF Hash Sets
You can manually create Hash Sets and then add hashes to them. You can also edit and delete Hash Sets.
You can also add, edit, or delete the hashes in Hash Sets.
Note: You cannot manually add, edit, and delete hash values that were imported from NSRL, NDIC
HashKeeper, and DHS libraries.
To manually create a Hash Set
1. Log in as an Administrator or user with Manage KFF permissions.
2. Click Management > Hash Sets.
3. On the KFF Hash Sets page, in the right pane, click Add .
4. Enter a name for the Hash Set.
5. Select the status for the Hash Set: Alert, Ignore, or No Override.
6. (Optional) Enter a package, vendor, or version.
These are not required, but you can use these values for sorting and filtering results.
7. Click Save.
To manually manage Hash Sets
1. Click Management > Hash Sets.
2. Do one of the following:
-To edit a Hash Set, select a set a set, and click Edit .
-To delete a single Hash Set, select a set, and click Delete .
-To delete a multiple Hash Sets, select the sets, and click Delete .
To manage hashes in a hash set
1. On the KFF Hash Sets page, select a Hash Set.
2. Click View Hashes.
To add hashes to a hash set
1. On the KFF Hash Sets page, select a Hash Set.
2. Click View Hashes.
3. In the KFF Hash Finder dialog, click Add .
4. Enter the KFF hash value.
5. Enter the filename for the hash.
6. (Optional) Enter other reference information about the hash.
7. Click Save.
The new hash is displayed.
Using KFF (Known File Filter) Adding Hashes to the KFF Server | 346
Searching For, Viewing, and Managing Hashes in a Hash Set
Due to the large number of hashes that may be in a Hash Set, a list of hashes is not displayed. (However, you
can export a KFF Group that contains the Hash Set and view the hashes in the export file.)
You can use the KFF Hash Finder dialog to search for hash values within a hash set. You search by entering a
complete hash value. You can only search within one hash set at a time.
While the KFF Hash Finder does not display a list of hashes, it does display the number of hashes in the set.
To search for hashes in a hash set
1. On the KFF Hash Sets page, select a Hash Set.
2. Click View Hashes.
3. In the KFF Hash Finder dialog, enter the complete hash value that you want to search for.
4. Click Search.
If the has is found, it is displayed in the hash list.
If the hash is not found a message is displayed.
To edit hashes in a hash set
1. In the KFF Hash Finder dialog, search for the hash that you want to edit.
2. Click Edit .
3. Enter the hash information.
4. Click Save.
The edited hash is displayed.
To delete hashes from a hash set
1. In the KFF Hash Finder dialog, search for the hash that you want to delete.
2. Click Delete .
Adding Hashes to Hash Sets Using Project Review
You may identify files that in exist in a project as files that you want to add to your KFF hashes. For example, you
may find a graphics file that you want to either alert for or ignore in this or other projects. Using Project Review,
you can select files and then add them to existing or new KFF Hash Sets.
When you add hashes using Project Review, it starts a job that adds the hashes to the KFF Library.
To use Project Review to add hashes to Hash Sets
1. Log in as an Administrator or user with Manage KFF permissions.
2. Select a project and enter Project Review.
3. Select the files that you want to add to a hash set.
4. In the Actions drop-down, select Add to KFF.
5. Click Go.
6. In the Add Hash to Set dialog, select a status for the hash.
Using KFF (Known File Filter) Adding Hashes to the KFF Server | 347
7. Specify a Hash Set.
You can select an existing set or create a new set.
To create a new set, do the following:
7a. Select [Add New].
7b. Enter the name of the new set.
7c. Enter a name for the hash set.
7d. (Optional) Add other information.
7e. Click Save.
To use an existing set, do the following:
7a. Select an existing set.
By default, you will only see the sets that match the status that you select.
To see Hash Sets that have a No Override status as well, enable the Display hash sets with no
override status option.
7b. You can filter and sort the list with the following filters:
Name
Override
Package
Vendor
Version
7c. Click Save.
To verify that hashes were added to the KFF Server
1. Click to exit Review.
2. On the Home page, select the project that you are using.
3. Click Work List .
See Monitoring the Work List on page 227.
Click Refresh to see the current status.
4. View the Add Hash to KFF job types.
5. Click Refresh to see the current status.
6. When the jobs are completed, at the bottom of the page, you can view the results.
It will show the number of files that were added or any errors generated.
7. From the KFF Hash Sets tab on the Management page, you can view the Hash Sets.
See Searching For, Viewing, and Managing Hashes in a Hash Set on page 346.
Using KFF (Known File Filter) Using KFF Groups to Organize Hash Sets | 348
Using KFF Groups to Organize Hash Sets
About KFF Groups
KFF groups are containers for one or more Hash Sets. When you create a group, you then add Hash Sets to the
group. KFF Groups can also contain other KFF Groups.
When you enable KFF for a project, you select which KFF Group to use during processing.
Within a KFF group, you can manually edit custom Hash Sets.
About KFF Groups Status Override Settings
When you create a KFF Group, you can choose to use the default status of the Hash Set (Alert or Ignore) or
override it. You do this by setting one of the following Status Override settings:
-Alert - All Hash Sets within the KFF Group will be set to Alert regardless of the status of the individual
Hash Sets.
-Ignore - All Hash Sets within the KFF Group will be set to Ignore regardless of the status of the individual
Hash Sets.
-No Override - All Hash Sets will maintain their default status.
For example, if you have a Hash Set with a status of Alert, if you set the KFF Group to No Override, then the
default status of Alert is used. If you set the KFF Group with a status of Ignore, the Hash Set Alert status is
overridden and Ignore is used.
As a result, use caution when setting the Status Override for a KFF Group.
About Nesting KFF Groups
KFF Groups can contain Hash Sets or they can contain other KFF Groups. When one KFF Group includes
another KFF Group, it is called nesting.
The reason that you may want to nest KFF Groups is that you can use multiple KFF Groups when processing
your data. When you enable KFF for a case, you can only select one KFF Group. By nesting, you can use
multiple KFF Groups.
For example, you may have one KFF Group that contains Hash Sets with an Alert status. You may have a
second KFF Group that contains Hash Sets with an Ignore status. When processing a case, you may want to
use both of those KFF Groups. To accomplish this, you can create another KFF Group as a parent and then add
the other two KFF Groups to it. When processing, you would select the parent KFF Group.
When nesting KFF Groups you must be mindful of the Status Override of the parent KFF Group. The Status
Override for the highest KFF Group in the hierarchy is used when nesting KFF Groups. In most cases, you will
want to set the parent KFF Group with a status of None. That way, the status of each child KFF Group (or their
Hash Sets) is used. If you select an Alert or Ignore status for the parent KFF Group, then all child KFF Groups
and their Hash Sets will use that status.
Using KFF (Known File Filter) Using KFF Groups to Organize Hash Sets | 349
Creating a KFF Group
You create KFF groups to organize your Hash Sets. When you create a KFF Group, you add one ore more Hash
Sets to it. You can later edit the KFF Group to add or remove Hash Sets.
To create a KFF Group
1. Log in as an Administrator or user with Manage KFF permissions.
2. Click Management > Groups.
3. Click Add .
4. Enter a Name.
5. Set the Status Override.
6. See About KFF Groups Status Override Settings on page 348.
7. (Optional) Enter a Package, Vendor, and Version.
8. Click Save.
To add a Hash Sets to a KFF Group
1. Click Management > Groups.
2. In the Groups list, select the group that you want to add Hash Sets to.
3. In the Groups and Hash Sets pane, click Add.
4. Select the Hash Sets that you want to add to the group.
5. You can filter the list of Hash Sets to help you find the hash sets that you want.
6. After selecting the sets, click OK.
Viewing the Contents of a KFF Group
On the KFF Groups page, you can select a KFF Group and in the Groups and Hash Sets pane, view the Hash
Sets and child KFF Groups that are contained in that KFF Group.
Managing KFF Groups
You can edit KFF Groups and do the following:
-Rename the group
-Change the Override Status
-Add or remove Hash Sets and KFF Groups
You can also do the following:
-Delete the group
-Export the group
See Exporting KFF Data on page 359.
Using KFF (Known File Filter) Using KFF Groups to Organize Hash Sets | 350
To manage a KFF Group
1. Click Management > Groups.
2. In the Groups list, select a KFF Group that you want to manage.
3. Do one of the following:
-Click Edit.
-Click Delete.
-Click Export.
See Exporting KFF Data on page 359.
About the Manage KFF Groups Page
To configure KFF Groups, you use the KFF Groups page.
To open the KFF Groups page
1. Log in as an Administrator or user with Manage KFF permissions.
2. Click Management > Groups
If the feature does not function properly, check the following:
-The KFF Server is installed.
See Installing the KFF Server on page 318.
-The application has been configured for the KFF Server.
See Configuring the Location of the KFF Server on page 320.
-The KFF Service is running.
In the Windows Services manager, make sure that the AccessData Elasticsearch service is started.
Elements of the KFF Groups page
Tab Element Description
KFF Groups pane KFF Groups Displays all of the KFF Groups that have been
imported or created in the KFF Server.
Lets you create a KFF Group.
See Creating a KFF Group on page 349.
Lets you edit the active KFF Group.
See Managing KFF Groups on page 349.
Lets you delete the active KFF Group.
See Managing KFF Groups on page 349.
Delete Lets you delete one or more checked KFF Groups.
Using KFF (Known File Filter) Using KFF Groups to Organize Hash Sets | 351
Export Lets you export KFF data.
See Exporting KFF Data on page 359.
Refreshes the KFF Groups list.
Groups and Hash
Sets Pane Lets you add and remote Hash Sets from KFF Groups.
See Managing KFF Groups on page 349.
Add Displays the list of Hash Sets that you can add to a
KFF Group.
See Managing KFF Groups on page 349.
Remove Lets you remove Hash Sets from a KFF Group.
See Managing KFF Groups on page 349.
View Hashes Lets you view and manage the hashes in the Hash
Set.
See Searching For, Viewing, and Managing Hashes
in a Hash Set on page 346.
Elements of the KFF Groups page
Tab Element Description
Using KFF (Known File Filter) Enabling a Project to Use KFF | 352
Enabling a Project to Use KFF
When you create a project, you can enable KFF and configure the KFF settings for the project.
About Enabling and Configuring KFF
To use KFF in a project you do the following:
Enabling and Configuring KFF
To enable and configure KFF for a project
1. Log in as an Administrator or user with Create/Edit Projects permissions.
2. Create a new project.
3. In Processing Options, select Enable KFF.
A Options tab option displays.
4. In Processing Options, select how to handle ignorable files.
5. Click Options.
The KFF Options window displays.
Process for enabling and configuring KFF
1. Create a new Project If you want to use KFF you must enable it when you create the project. You
cannot enable KFF for a project after it has been created.
2. Enable KFF Enable the KFF processing option.
See Enabling and Configuring KFF on page 352.
2. Configure how to
process ignorable files You can choose how to process ignorable files:
-Skip Ignorable Files - This option will not process any files determined to be
Ignorable. Any files that are ignorable will not be included or visible in the
project.
This is the default option.
-Process and Flag Ignorable Files - This option will process ignorable files, but
flag them as Ignorable. Any files that are Ignorable will be included and visi-
ble in the project, but can be filtered.
See Using Quick Filters on page 355.
4. Select a KFF Group When enabling KFF for a project, you select one KFF Group that you want to
use. You do not create KFF Group at that time. You can only select an existing
group. Because of this, you must have at least one KFF Group created before
creating a project.
See Using KFF Groups to Organize Hash Sets on page 348.
However, after processing, you can re-process the data using a different KFF
template. This lets you create and use different templates after you initially
process the project.
See Re-Processing KFF on page 358.
Using KFF (Known File Filter) Enabling a Project to Use KFF | 353
6. In the drop-down menu, select the KFF Group that you want to use.
See Using KFF Groups to Organize Hash Sets on page 348.
7. In the Hash Sets pane, verify that this template has the hash sets that you want. Otherwise select a
different template.
8. Click Create Project and Import Evidence or click Create Project and add evidence later.
Using KFF (Known File Filter) Reviewing KFF Results | 354
Reviewing KFF Results
KFF results are displayed in Project Review.
You can use the following tools to see KFF results:
-Project Details page
-Project Review
KFF Information Quick Columns
KFF Quick Filters
KFF facets
KFF Details
You can also create and modify KFF libraries and hash sets using files in Review.
See Adding Hashes to Hash Sets Using Project Review on page 346.
Viewing KFF Data Shown on the Project Details Page
To View KFF Data on the Project Details page
1. Click the Home tab.
2. Click the Evidence tab.
3. Verify that the project has completed processing.
4. Click the Project Details tab.
5. In the right column, you can view the number of KFF known files.
About KFF Data Shown in the Review Item List
You can identify and view files that are either Known or Unknown based on KFF results.
Depending on the KFF configuration options, there are two or three possible KFF statuses in Project Review:
-Alert (2) - Files that matched hashes in the template with an Alert status
-Ignore (1) - Files that matched hashes in the template with an Ignore status (not shown in the Item List by
default)
-Unknown (0) - Files that did not match hashes in the template
If you configured the project to skip ignorable files, files configured to be ignored (Ignore status) are not included
in the data and are not viewable in the Project Review.
See Enabling and Configuring KFF on page 352.
Using the KFF Information Quick Columns
You can use the KFF Information Quick Columns to view and sort and filter on KFF values. For example, you
can sort on the KFF Status column to quickly see all the files with the Alert status.
Using KFF (Known File Filter) Reviewing KFF Results | 355
See Using Document Viewing Panels on page 76.
To see the KFF columns, activate the KFF Information Quick Columns.
To activate the KFF Information Quick Columns
1. From the Item List in the Review window, click Options.
2. Click Quick Columns > KFF > KFF Information.
The KFF Columns display.
Item List with KFF Tabs displayed
See Filtering by Column in the Item List Panel on page 143.
Using Quick Filters
You can use Quick Filters to quickly show or hide KFF Ignorable files.
You can toggle the quick filter to do the following:
-Hide Ignorables - enabled by default
-Show Ignorables
KFF Columns
Column Description
KFF Status Displays the status of the file as it pertains to KFF. The three options are
Unknown (0), Ignore (1), and Alert (2).
-If you configured the project to skip Ignorable files, these files are not
included in the data.
-If you configured the project to flag Ignorable files, and the Hide Ignorables
Quick Filter is set, these files are in the data, but are not displayed.
See Using Quick Filters on page 355.
KFF Set Displays the KFF Hash Set to which the file belongs.
KFF Group Name Displays the name created for the KFF Group in the project.
KFF Vendor Displays the KFF vendor.
Using KFF (Known File Filter) Reviewing KFF Results | 356
The Hide Ignorables Quick Filter is set by default. As a result, even if you selected to process and flag Ignorable
files for the project, they are not included in the Item List by default.
To show ignorable files in the Item list, change the Quick Filter to Show Ignorables.
Note: If you configured the project to skip ignorable files, files configured to be ignored (Ignore status) will not
be shown, even if you select to Show Ignorables.
To change the KFF Quick Filters
1. From the Item List in the Review window, click Options.
2. Click Quick Filters > Show Ignorables.
Using the KFF Facets
You can use the KFF facets to filter data based on KFF values. For example, you can apply a facet to only
display items with an Alert status or with a certain KFF set.
See About Filtering Data with Facets on page 128.
Note: If you configured the project to skip Ignorable files, these files are not included in the data and the Ignore
facet is not available. If you configured the project to flag Ignorable files, and the Hide Ignorables Quick
Filter is set, the Ignore facet is available, but the files will not be displayed.
See Using Quick Filters on page 355.
You can use the following KFF facets:
-KFF Vendors
-KFFGroups
-KFF Statuses
-KFF Sets
Within a facet, only the filters that are available in the project are available. For example, if no files with the Alert
status are in the project, the Alter filter will not be available in the KFF Statuses facet.
To apply KFF facets
1. From the Item List in the Review window, open the facets pane.
2. Expand KFF.
3. Select the facets that you want to apply.
Using KFF (Known File Filter) Reviewing KFF Results | 357
Viewing Detailed KFF Data
You can view KFF results details for an individual file.
To view the KFF Details
1. For a project that you have run KFF, open Project Review.
2. Under Layouts, select the CIRT Layout.
See Managing Saved Custom Layouts on page 54.
3. In Project Review, select a file in the Item List panel.
4. In the view panel, click the Detail Information view tab.
5. Click the KFF Details tab.
Using KFF (Known File Filter) Re-Processing KFF | 358
Re-Processing KFF
After you have processed a project with KFF enabled, you can re-process your data using an updated or
different KFF Group. This is useful in re-examining a project after adding or editing hash sets.
See Adding Hashes to Hash Sets Using Project Review on page 346.
If you want to re-process KFF with updated hash sets, be sure that the selected KFF Group has the desired sets.
You can only select from existing KFF Groups.
To re-process KFF
1. From the Home page, select a project that you want to re-process.
2. Click the tab.
The currently selected group is displayed along with its corresponding hash sets.
3. (Optional) If you want to change the KFF Group, in the drop-down menu, select a different KFF Group
and click Save.
4. In the Hash Sets pane, verify that the desired sets are included.
5. Click Process KFF.
6. (Optional) On the Home page, for the project, click Work Lists , and verify that the KFF job starts
and completes.
See Monitoring the Work List on page 227.
7. Click Refresh to see the current status.
8. Review the KFF results.
See Reviewing KFF Results on page 354.
Using KFF (Known File Filter) Exporting KFF Data | 359
Exporting KFF Data
About Exporting KFF Data
You can share KFF Hash Sets and KFF Groups with other KFF Servers by exporting KFF data on one KFF
Server and importing it on another. You can also use export as a way of archiving your KFF data.
You can export data in one of the following ways:
-Exporting Hash Sets - This exports the selected Hash Sets with any included hashes. (CSV format only)
-Exporting KFF Groups - This exports the selected KFF Groups with any included sub-groups and any
included hashes. (CSV format only)
-Exporting an archive of all custom KFF data - This exports all the KFF data except NSRL, NIST, and DHC
data (in a binary format).
When exporting KFF Groups or Hash Sets, you can export in the following formats:
-CSV file
-Binary format
Important: Even though it appears that you can select and export one Hash Set or one KFF Group, if
you export using the KFF binary format, all of the data that you have in the KFF Index will be exported
together. You cannot use this format to export individual Hash Sets or KFF Groups. Use the CSV format
instead.
See About CSV and Binary Formats on page 329.
Exporting KFF Groups and Hash Sets
You can share KFF hashes by exporting KFF Hash Sets or KFF Groups. Exports are saved in a CSV file that can
be imported.
To export a one or more KFF Groups or Hash Sets
1. Do one of the following:
-Click Management > Hash Sets.
-Click Management > Groups.
2. Select one or more KFF Groups or Hash Sets that you want to export.
3. Click Export.
4. Select CSV (do not select Export Binary).
5. Browse to and select the location to which you want to save the exported file.
6. Click Select.
7. Enter a name for the exported file.
8. Click OK.
9. In the Export Summaries dialog, view the status of the export.
10. Click Close.
Using KFF (Known File Filter) Exporting KFF Data | 360
To create an archive of all your custom Hash Sets and Groups
1. Do one of the following:
-Click Management > Hash Sets.
-Click Management > Groups.
2. Select a KFF Group or Hash Set.
3. Click Export.
4. Select Export Binary.
5. Browse to and select the location to which you want to save the exported files.
6. Click Select.
7. Enter a name for the folder to contain the binary files (This is a new folder created by the export).
8. Click OK.
9. In the Export Summaries dialog, view the status of the export.
10. Click Close.
To view the Export History
1. Do one of the following:
-Click Management > Hash Sets.
-Click Management > Groups.
2. Click Export.
3. Select View Export History.
4. In the Export Summaries dialog, view the status of the export.
5. Click Close.
Understanding LawDrop™ About LawDrop | 361
Chapter 30
Understanding LawDrop™
About LawDrop
You can use LawDrop™ as an interface for application users to manage project evidence files without accessing
the file system on the Summation or eDiscovery server. This is beneficial for letting users who don’t have
permissions to access the server’s file system to add files to a project or access exported files. For example,
LawDrop is the only method to perform several tasks when using Summation in a hosted, multi-tenant
environment.
Understanding LawDrop™ About LawDrop | 362
You can use LawDrop to do the following:
Features of LawDrop
Feature Description
Upload files to the
Summation or
eDiscovery Server
You can use LawDrop to drag, drop, and upload files to the server.
You can upload files to two different types of locations in LawDrop
My DropSpace You can upload files to a location called My DropSpace. This is
a general area where you can upload, manage, and organize
evidence files.
Project Intake
Folders For every project in the system, LawDrop has a project Intake
folder. This folder acts as a staging area for files that you want
to add to a project.
When you have identified files that you want to add to a
project, you can copy them from the DropSpace to the Intake
folder for that project. (You can also upload files directly to an
Intake folder.)
From the project Intake folder, users with permissions can add
files as evidence to that project.
Share your uploaded
files with other users The person who uploads files in LawDrop is considered the owner of those files. By
default, when you use LawDrop, you can only see the files that you are the owner of.
However, you can share your uploaded files so that other users can access them as
well.
Where users see files that have been shared with them depends on where the files
were uploaded.
Sharing from My
DropSpace Each user has their own MyDropSpace folder.
When you share files from your MyDropSpace with another
application user, they can see those files in a LawDrop folder
called Shared with me.
Sharing from a
project Intake
folder
When you share files from a project Intake folder or sub-folder,
other users with permissions to that project can them see them
in the same Intake folder.
For example, a user may have permissions to add a file to an
Intake folder but not to add and process it in the project. Other
users with enhanced permissions can add and process shared
files in the project.
Sharing files with
external users You can also share files to people that are not application
users by specifying their email address. These external users
will receive an email with an HTML lick to the shared files.
Note: Currently, you cannot share files from a project Intake
folder with external users.
Download files You can download the files that you can access in LawDrop to your own computer.
Use LawDrop as a
destination when
exporting files
When performing an export, you can select LawDrop as the destination. After the
export, users with proper permissions can access the exported files within LawDrop
without having access to the server’s file system. Exported files are located in a
project’s Exports folder. Users can download the exported files to their own
computers.
Using LawDrop™ Getting Started with LawDrop | 363
Chapter 31
Using LawDrop™
Getting Started with LawDrop
All application users can access the LawDrop page.
To access LawDrop
1. Log in to the application with your credentials.
2. Click the LawDrop™ tab .
If LawDrop is not configured properly, you will see the following error:
The default path for user’s DropSpace folder is not set. Please the default path or contact your System
Administrator.
See Configuring the System for Using LawDrop.
3. The LawDrop page is displayed.
Using LawDrop™ Getting Started with LawDrop | 364
About the LawDrop Page
The LawDrop page has several elements.
About the Folder List
On the left side of the LawDrop is the folder list. In the folder list, all users see the following folders:
-My DropSpace - This is where you can upload and organize files.
You can create sub-folders under this folder. This is a private folder. You only see the files that you
uploaded in the My DropSpace folder. You can share files that you have uploaded with other users.
-Shared with me - If other users share files from their My DropSpace folder with you, this is where you see
those files.
You cannot create sub-folders under this folder, but if other users have created sub-folders for their
shared files, you will see them.
You cannot upload or copy files to this folder.
In the folder list, you may also see the following:
-Project folders - If you have permissions to see any projects on the Home page, you will also see a folder
for each of those projects in LawDrop.
Under each project folder are two sub-folders:
Intake - You can upload and organize files for a project in the Intake folder.
You can create sub-folders under this folder.
Every file you upload to an Intake folder is private unless you share it.
See About Sharing Files and Folders on page 373.
If another user has shared a file from a project Intake folder with you, you will see it in the same
folder.
If you have project administrator permissions, you can add and process files from an Intake folder into
a project. (You cannot add files to a project directly from the My DropSpace folder. You must first copy
it to a project Intake folder.)
See Adding Evidence to Projects Using LawDrop on page 376.
Exports - If an export is performed in a project and saved to LawDrop, they are saved here. You can
see and download exported files.
See Exporting Files to LawDrop on page 378.
Important: Only those who have permissions to view export sets and production sets in Review can
see the exported files in LawDrop. (For example, Admin and Admin Reviewer, or if you created the
export set).
You cannot upload files to the project Exports folder.
Using LawDrop™ Getting Started with LawDrop | 365
About the File Queue
You can add files to LawDrop by dragging and dropping files onto the LawDrop page. When you drag a file to
LawDrop, the file queue appears at the bottom of the LawDrop page. The file queue display a list files and their
upload status. You can show or hide the file queue.
See Dropping and Uploading Files to LawDrop on page 367.
See Viewing and Managing Uploaded Files on page 369.
About the Item List
After you have uploaded files to LawDrop, they are displayed in the Item List.
The item list displays the items that are in the currently selected folder in the folder list. You can also perform
actions on folders and files.
See Using the Item List Grid on page 369.
Using LawDrop™ Creating and Deleting Sub-Folders in LawDrop | 366
Creating and Deleting Sub-Folders in LawDrop
When you add files to LawDrop, you can upload them to one of the following:
-The My DropSpace folder
-A project Intake folder (if you have permissions to the project)
To help organize files that you upload, you can create sub-folders in either location. You can create multiple
levels of sub-folders.
You can upload files to the root of the folder or to a sub-folder. You can also copy and move files from one folder
or sub-folder to another.
See Moving and Copying Uploaded Items on page 370.
You can also delete sub-folders that you create in the My DropSpace folder.
To create a sub-folder
1. Open LawDrop.
2. In the folder list, click a folder, such as My DropSpace or a project Intake folder.
3. Do one of the following:
-In the tool bar, click New Folder.
-Right-click and click New Folder.
4. Enter a folder name.
5. Click Create.
To delete a sub-folder
1. In the My DropSpace folder list, click the sub folder that you want to delete.
2. Do one of the following:
-In the tool bar, click Delete.
-Right-click and click .
3. Confirm the deletion.
Using LawDrop™ Dropping and Uploading Files to LawDrop | 367
Dropping and Uploading Files to LawDrop
About Dropping and Uploading Files
You can add files to LawDrop by dragging and dropping files into a valid folder in LawDrop. When uploading files
to LawDrop, files are uploaded using HTML. There are no set limits to the size of uploads, however,
performance will be based on available bandwidth, network traffic, and the size of files.
You can upload files to the following LawDrop folders:
-My DropSpace and its sub-folders
-A project Intake folder that you have permissions for and its sub-folders
When you attempt to drop files to a LawDrop folder, if the folder is a valid folder, the color of the boundary turns
green. If it is an invalid folder, it does not turn green. For example, invalid folders include the Shared with me
folder, the root the project folder, and project Exports folder.
Uploading files is a two-step process:
1. You drop files onto a valid folder and the files are placed in the file upload queue.
2. You upload files from the queue into the folder.
During the upload, one file is uploaded at a time. File data is chunked into 1 MB chunks, and four chunks are
uploaded at a time. The chunks are uploaded to the server, then when the chunks are complete, they are saved
as the original file in the designated folder. If you lose your connection to the server during the upload, you
simply drop the file again to the queue and upload it. However, it will resume from previous spot when
connection was lost as it maintains the previous chunks that were uploaded.
About Dropping and Uploading Folders
Internet Explorer does not support dropping and uploading folders, only files. However, you may want to add and
process a complete folder using the Add Evidence Wizard. As a work-around, uploading a folder requires a four-
step process:
1. Create a .ZIP file of the folder that you want to upload.
2. Drag the .ZIP file onto a valid folder.
3. Upload the .ZIP file.
4. Use a LawDrop action to extract the .ZIP into a folder.
See Action Icons on page 372.
Dropping Files into the File Upload Queue
Important:
As a best practice, upload files to the My DropSpace folder and then copy files to a project Intake
folder
To drop files into the File Upload Queue
1. Open a File Explorer window with the files that you want to upload.
2. In the LawDrop folder list, click the folder that you want to upload files to.
3. Click and drag the files onto the LawDrop page.
Using LawDrop™ Dropping and Uploading Files to LawDrop | 368
4. If the destination is a valid folder, the border around the item list turns green.
5. Release the mouse button to drop the files.
6. The file upload queue is opened and the files are displayed in the queue.
Uploading and Managing Files in the File Upload Queue
After you have dropped files in the file upload queue, you can do the following:
-Upload the files.
-Pause and resume the uploading of files
-Delete the files from the queue
You can perform actions on all files in the queue or on one individually.
While a file is uploading, an upload progress is displayed.
After a file has completed uploading, the file is removed from the queue.
If you upload the same file to a folder more than once, the later files will be appended with a (1), (2), and so on.
If files are currently uploading, and you click to go to a different a different place in the application, such as the
Home page, you are warned that leaving LawDrop will cancel all the uploads.
To upload files in the queue
Click either Upload All or the single upload icon.
Note: If you have more than one file in the queue and upload a single file, after that file is uploaded, all other
files in the queue will then be automatically uploaded. If you want to upload only one file, do the following:
click Pause All, then upload the single file.
To pause the uploading of files in the queue
Click either Pause All or the single pause icon.
The upload status indicator turns orange.
You can either resume the upload or cancel it.
To cancel or delete files in the queue
Click either Cancel All or the single delete icon.
Using LawDrop™ Viewing and Managing Uploaded Files | 369
Viewing and Managing Uploaded Files
Using the Item List Grid
After you have uploaded files to LawDrop, they are displayed in the Item List.
The item list displays the items that are in the currently selected folder in the folder list.
By default, the item list displays the following columns:
-Name - The name of the file for folder.
-Owner - The login name of the user who uploaded the file.
-Last Modified - The date that the file was last modified.
-File Size - The size of the file.
-Actions - Displays icons for actions that you can perform on that one item.
You can do the following with the item list grid:
-Select which columns to display.
-Sort the item list by a column.
-Filter the item list by one or more columns. (Not currently working)
-See available actions for individual items in the list.
To select which columns to display
1. In the item list, click .
2. Select the columns to display .
To sort or filter the list by a column
Click the sort by or filter icon.
Important:
The filter action is currently no working.
Using LawDrop™ Viewing and Managing Uploaded Files | 370
Moving and Copying Uploaded Items
You can use folders to organize uploaded files. You can also use a project Intake folder to organize or stage files
that you want to add to a project. See Adding Evidence to Projects Using LawDrop on page 376.
To help you organize files and folders, you can drag items from one folder to another. Depending on where you
are dragging items, the item will either be copied or moved:
Note the following scenarios:
-Within My DropSpace: If both the source and the destination of the drag is within My DropSpace, the file
or folder is moved.
Examples:
Suppose under your My DropSpace, you have a sub-folder named MDS1. If you have a file in your
My DropSpace and drag it to MDS1, it will move the file.
Suppose under your My DropSpace, you have two sub-folders named MDS1 and MDS2. If you have
a file in MDS1 and drag it to MDS2, it will move the file.
Note: If you move a file that has been shared, the sharing is removed.
-Outside of My DropSpace: If either the source or destination of the drag is outside of My DropSpace, the
file or folder is copied.
Examples:
If you drag a file in My DropSpace to a project Intake folder, the file will be copied.
If you drag a folder in Shared with me to a project Intake folder, the folder will be copied.
If you drag a folder in Shared with me to My DropSpace, the folder will be copied.
If you drag a file in a project Intake folder to a different folder, the file will be copied.
Note: If you drag and copy a file or folder from Shared with me, the copy will list you as the owner.
If you copy a file to a folder more than once, the later files will be appended with a (1), (2), and so on.
Note the following limitations:
-When dragging items to a project folder, you must drag it to the Intake sub-folder. You cannot drag items
to the root of a project folder or to a project’s Exports sub-folder.
-You cannot drag items from a project’s Exports sub-folder. (If needed you can download). See Viewing
Exported Files in LawDrop on page 378.
-You cannot drag items to the Shared with me folder. Items will only appear there after they have been
shared by another user. See Sharing Files and Folders on page 373.
Using LawDrop™ Viewing and Managing Uploaded Files | 371
Performing Actions on LawDrop Items
Using the Tool Bar and Action Icons
You can use the action bar or action icons to perform actions on items in the list.
Tool Bar
Using the tool bar on the top of the action list, you can select one or more files or folders and then perform the
following actions: (some actions are not always available)
Law Drop Tool Bar
Download From within LawDrop, you cannot view the contents of files. For example, you
cannot view the contents of an uploaded DOCX file. To view a file, you can
download a file or folder then view it.
When you download a file or folder, they are downloaded as .ZIP files.
Delete In MyDropSpace, you can delete files that you uploaded or sub-folders that you
created.
You cannot delete the following files or folders:
-Items shared with you in the Shared with Me folder.
-Items shared with you in project Intake folders.
-Items in project Export folders.
See Creating and Deleting Sub-Folders in LawDrop on page 366.
Note: Files that have been processed or imported are no longer displayed in the
LawDrop project Intake folder.
New folder You can add sub-folders. (My DropSpace and project Intake folders only. Not
supported in Shared with Me or project Export folders.)
See Creating and Deleting Sub-Folders in LawDrop on page 366.
Add Evidence If you have project admin permissions you can select files or folders and add
them as evidence to a project. (Project Intake folders only.)
See Adding Evidence to Projects Using LawDrop on page 376.
Using LawDrop™ Viewing and Managing Uploaded Files | 372
Action Icons
Using the action icons in the Actions column of the action list, you can perform the following actions on one
single folder or file at a time: (some actions are not always available)
Law Drop Action Icons
Download From within LawDrop, you cannot view the contents of files. For example, you
cannot view the contents of an uploaded DOCX file. To view a file, you can
download a file or folder then view it.
When you download a file or folder, they are downloaded as .ZIP files.
Share You can share a file or folder with another user.
(My DropSpace and project Intake folders only. Not supported in Shared with Me
or project Export folders.)
See Sharing Files and Folders on page 373.
Extract You can extract an uploaded zip file.
(My DropSpace and project Intake folders only. Not supported in Shared with Me
or project Export folders.)
See About Dropping and Uploading Folders on page 367.
Import You can import files as evidence. If you have project admin permissions you can
select files and add them as evidence using import.
(Project Intake folders only.)
See Importing Data on page 377.
Using LawDrop™ Sharing Files and Folders | 373
Sharing Files and Folders
About Sharing Files and Folders
Any files or folders that you upload are private. Even files that you upload to a project Intake folder are private to
you even if additional people are working in the same project. To let other people see and access files that you
upload, you can share them.
You can share individual files or folders. If you share folders, others will see all of the contents of that folder.
How and where others see items that you shared depend on multiple scenarios:
-Sharing with other Summation or eDiscovery application users:
Files and folders in My DropSpace
You can share items in your My DropSpace with any other application user.
When you share items in your My DropSpace folder, others see the items in their LawDrop Shared
with me folder.
When someone else share items in their My DropSpace folder with you, you see the files in your
Shared with me folder. If they have files under sub-folders, you will see them in the same
hierarchy.
Files and folders in project folders
If you share items in an Intake folder, others will see them in the same folder.
For others to see shared items in an Intake folder, they must be associated to the project. (There
are no specific project-level permissions required, just that they are associated to the project.)
You cannot share items in the Exports folder.
Instead, you can download the exported files. You can then re-upload them to your My DropSpace
and share them or you can make them available using a network share or email. See Viewing
Exported Files in LawDrop on page 378.
-Sharing with external users
My DropSpace - If you share items in your My DropSpace folder with an external user, the user
receives an email with a link to the files.
Project Folders - Not currently supported.
You can only share files that you uploaded (that you are the owner of). You cannot share files that were shared
with you. However, you can copy the item and then share the copied items.
You cannot delete files that were shared with you.
If you share a file or folder that is nested under other sub-folders, the person will see the hierarchy of folders.
However, they will only see files in the folder that was shared, not any folders higher.
Sharing Files and Folders with other Application Users
You can share one file or one sub-folder at a time.
To share files and folders with application users
1. Go to the LawDrop folder list and open the parent folder of the item that you want to share.
2. In the item list, for the sub-folder or file that you share, in the far right column, click the share icon.
Using LawDrop™ Sharing Files and Folders | 374
3. In the Shared options dialog, click in the Invite more people field.
4. Type the username of the person you want to share with.
Note the following:
-After typing the first three letters, any matches with application users will be displayed.
-If you are using a multi-tenant environment, type the name of your environment first, and then select
the username.
5. Click the name that you want to add.
6. Click Add.
The name is added to a list in the dialog. The first letter of the username is shown in a circle.
7. If desired, add additional user names.
8. When completed, click Done.
Sharing Files and Folders with External People
You can share files or folders with external people. To do this, you enter the person’s email address and the
person receives an email. The email includes a link to files on the server. When the person clicks the link, the
ZIP file with the shared items is automatically download.
You can share one file or one sub-folder at a time.
Note: You can only share files externally from your My DropSpace folder. Sharing from an InTake folder to an
external user is not supported.
There are settings that must be configured correctly in order for the email to work correctly. See Configuring the
System To Share LawDrop Files with External Users on page 362.
To share files and folders with external people
1. Go to your My DropSpace folder.
2. In the item list, for the sub-folder or file that you share, in the far right column, click the share icon.
3. In the Shared options dialog, click in the Invite more people field.
4. Type the email address of the person you want to share with.
Note that the name is notated with (external user).
5. Click the name that you want to add.
6. Click Add.
The name is added to a list in the dialog. The first letter of the username is shown in a circle.
7. If desired, add additional user names.
8. When completed, click Done.
9. An email is sent to the user.
10. If needed, you can re-send the email.
Using LawDrop™ Sharing Files and Folders | 375
Unsharing Files and Folders
You can unshare files and folders from a specific user or from all users. This will cause the files or folders to no
longer be visible to others.
To unshare files and folders
1. Go to the LawDrop folder list and open the parent folder of the item that you want to unshare.
2. In the item list, for the sub-folder or file that you unshare, in the far right column, click the share
icon.
3. In the Shared options dialog, do one of the following:
-To unshare a file of folder with a specific user, click the X on the far right of the user list.
-To unshare a file of folder with all users, click Unshare folder or Unshare file.
Using LawDrop™ Adding Evidence to Projects Using LawDrop | 376
Adding Evidence to Projects Using LawDrop
About Adding Evidence to Projects Using LawDrop
From LawDrop, you can add evidence in similar ways that you can use on the Home page:
-Adding Evidence Using the Add Evidence Wizard on page 376
-Importing Data on page 377
Note: If you using Summation in a sub-admin environment, you cannot add evidence to a project from the
Project List on the Home page. You can only add evidence to a project from LawDrop.
You can only add evidence to a project from the project Intake folder. If you want to add a file or folder that you
have uploaded to your My DropSpace, you can drag and copy it to an Intake folder.
You can delete files from a project Intake folder that have not yet been processed or imported. Files that have
been processed or imported are no longer displayed in the LawDrop project Intake folder.
See Moving and Copying Uploaded Items on page 370.
Important:
Only those who have administrator permissions to the project can add files to a project.
Adding Evidence Using the Add Evidence Wizard
Users with project administrator permissions can add files or folders to a project from LawDrop. When items are
added, the Add Evidence Wizard is opened and you complete the wizard.
See Using the Evidence Wizard on page 257.
Depending on the items that you select to add, you will have different options available in the Add Evidence
Wizard.
Note the following scenarios for adding evidence:
-The CSV Import method for adding shares is not supported from within LawDrop. Any CSV file will be
imported as a native file.
-When selecting items to add to a project, you can add either files or folders at one time, not both.
For example, you can add two or more files at one time, but not a file and a folder. This is because in the
Add Evidence Wizard, you must specify if you are adding files or folder.
-If you are adding loose files in AD1 or E01 format, add them without other types of files.
In the wizard, the Individual Files and Native Files options are selected by default. You must change the
Data Type from Native Files to Evidence Images.
-If you add one or more loose files of other formats, in the wizard, the Individual Files and Native Files
options are selected by default and all other options are disabled.
-If you add one or more folders, in the wizard, the Folder Import and Native Files options are selected by
default.
If the folder contains AD1 or E01 files, you must change the Data Type from Native Files to Evidence
Images.
Adding evidence to a project
1. Go to the LawDrop folder list and open the parent folder of the item that you want to add.
2. In the LawDrop item list, select one or more files or one or more folders.
Using LawDrop™ Adding Evidence to Projects Using LawDrop | 377
3. Click the Add Evidence icon.
4. The Add Evidence Wizard is opened.
The available options are based on the types of items selected.
5. Complete the wizard.
See Using the Evidence Wizard on page 257.
6. To view the status, go to the Evidence tab on the Home page.
See Evidence Tab on page 154.
Importing Data
Users with project administrator permissions can import files to a project from LawDrop. When items are added,
the Import wizard is opened and you complete the wizard.
See Importing Evidence on page 266.
From an Intake folder, you can import a file that is one the following formats:
-CSV
-DAT
-TXT
-DII
You can import the following types of load files:
-Concordance
-Generic
-Summation dii
Importing evidence into a project
1. Go to the LawDrop folder list and open the parent folder of the item that you want to add.
2. In the LawDrop item list, mouse over the file you want to import.
3. In the Actions column, click the Import icon.
4. The Import dialog is opened.
5. Select the import file type.
For the Concordance image type selection, you must know the name of the associated OPT or LFP file.
You can copy and paste the image name.
6. You cannot change the path.
7. Complete the dialog.
See Importing Evidence into a Project on page 267.
Important:
If you perform an import validation and find errors, you cannot edit the import file within LawDrop.
You must edit the original files and re-drop them into LawDrop.
Using LawDrop™ Exporting Files to LawDrop | 378
Exporting Files to LawDrop
When you create an export, instead of selecting a file path, you can select to Send to LawDrop.
When you export to LawDrop, the Export Path is disabled.
Note: If you are in a Summation sub-admin environment, you cannot use an export path. You can only export to
LawDrop.
All other aspects of the export are completed as usual.
See About Exporting Data on page 257.
Viewing Exported Files in LawDrop
After an export is complete, exported files are viewable in the project’s Exports folder.
In order to view exported files, you must meet one of the following conditions:
-Be an administrator of the project
-Have Admin Reviewer permissions for the project
-Be the user who created the export
You can download exported files. Files are zipped and then downloaded. Be aware the exports can be quite
large and may take some time to download. As a result, download only one export at a time.
At this time, you cannot share items in the Exports folder. Instead, you can download the exported files. You can
then re-upload them to your My DropSpace and share them or you can make them available using a network
share or email.
Integrating with AccessData Forensics Products | 379
Chapter 32
Integrating with AccessData Forensics
Products
Web-based products (Summation and eDiscovery) can work collaboratively with FTK-based forensics products,
(FTK, Lab, FTK Pro, and Enterprise).
Note: For brevity, in this chapter, all FTK-based products will be referenced as FTK and Summation and
eDiscovery applications will be referenced as Summation.
You can access the same project data on the same database to perform legal review and forensic examination
simultaneously. The benefit of this compatibility is that FTK provides some features that are not available in the
web-based products. For example, you can create projects in Summation and then open, review, and perform
additional tasks in FTK and then continue your work in Summation.
Using FTK, you can do the following with Summation projects:
-Open and review a project
-Backup and restore a project
-Add and remove evidence
-Perform Additional Analysis after the initial processing
-Search, index, and label data
-View graphics and videos
-Export data
Important:
For compatibility, the version of the web-based product and the version for FTK must be the same--
both must be 5.0.x or be 5.1.x. For example:
Summation 5.2.x must be used with FTK 5.2.x
Summation 5.5 must be used with FTK 5.5
Integrating with AccessData Forensics Products Installation | 380
Installation
You can install FTK and Summation on either the same computer or on different computers. The key is that they
share a common database. The database that the data is stored in is unified so that the data can be shared
between products.
It is recommended that you install the web-based product first, configure the database, and then install FTK and
point FTK to that database. The administrator account for the web-based product is the administrative account
for the database for FTK.
When launching FTK and logging into the database, you use the administrator credentials from the web-based
product.
Important:
For compatibility, the version for Summation and the version for FTK must be the same.
Important:
Note that FTK and Summation may use different versions of the processing engine. If this is the case
there will be information in the Release Notes.
Managing User Accounts and Permissions Between
FTK and Summation/eDiscovery
You can create a user account in either product and then use that user name in the other product.
Permissions
When users are assigned permissions in one application, such as Summation, the permissions of the user in
FTK are not affected.
Creating and Viewing Projects
Using either product, you can create projects and add evidence to that project. You can then use either product
to open the project and perform tasks on the project data.
You can have users in each program reviewing the data at the same time.
Managing Evidence in FTK
Adding Evidence using FTK
You can use FTK to add evidence to a project that was created in Summation. Reviewers in Summation can
then review the new evidence. Using FTK, you can add live evidence and static evidence. When you add
evidence, you can add image files (such as AD1, E01), individual files, physical drives, and logical drives.
Important:
When you collect volatile data in FTK, you cannot see it in Summation.
Integrating with AccessData Forensics Products Creating and Viewing Projects | 381
Processing Evidence using FTK
FTK provides processing options that are not available in Summation. You can utilize the processing abilities of
FTK and then review the data in Summation/eDiscovery. You can do all processing in FTK or you can perform an
Additional Analysis in FTK after an initial processing.
The following are examples of additional processing options that are available in FTK:
-Processing Profiles
-Known File Filter (KFF)
-Automatic File Decryption
-Create Thumbnails for Video
-Generate Common Video File
-Explicit Image Detection
-PhotoDNA
-Cerberus Analysis
When you create a project with specific processing options, those options are maintained when the project is
viewed in the other product. (15940)
Important:
If you create a project in Summation, process the evidence, then add more evidence using FTK, if
you compare the JobInformation.log files, the processing options applied by FTK are different from
Summation.
Managing Evidence Groups in FTK and People in Summation
It is important to note that FTK does not use people, but rather has evidence groups. Evidence groups let you
create and modify groups of evidence. In FTK, you can share groups of evidence with other projects, or make
them specific to a single project.
When you create people in a project in Summation, and then look at the project in FTK, the people will be listed
as evidence groups. The opposite is also true. If you create an evidence group in FTK, it will be listed as a
person in Summation.
Important:
When you use FTK to add data to an evidence group that was an existing Summation person, two
child entries of the same person are created for the data. When you look at the person data in
Summation, there will be two child objects under the person with the same name, one with
Summation data and the other with FTK data.
Reviewing Evidence in FTK
Searching Evidence using FTK
You can use FTK to search evidence in Summation projects. The search capabilities in FTK are more robust
than Summation. In FTK, you can perform an index search as well as a live search. Live search includes options
such as text searching, pattern searching, and hexadecimal searching.
Important: Note the following issue:
Integrating with AccessData Forensics Products Creating and Viewing Projects | 382
-Issue: The search results counts for the same project may be different when viewed in the different
products due to the way search options are executed in the respective products. For example:
Summation only search columns that are visible to the user. FTK will search columns that are not
visible to a eDiscovery user.
Re-indexing the data will change the search results.
-Because of FTK’s Live Search feature, FTK will return more search results hits than in Summation.
Labeling Evidence Using FTK
After searching and identifying data in FTK, you can label the data and then review the project in Summation and
see the labeled data. You can then perform additional review, culling, and export tasks.
Viewing Labeled Evidence in FTK
When reviewing data in Summation, you can label data, and then that labeled data is viewable in FTK. This can
be useful in workflow management. For example, when reviewing the data, you can label data indicating that it
needs additional analysis. When the project is opened in FTK, the labeled data is visible.
Exporting Data using FTK
You can review and cull data in Summation and then export the data from FTK using its export capabilities.
The following are examples of what you can export using FTK:
-Export files to an AD1 Image file
-Save file list information
-Export the contents of the project list to a word list
-Export hashes from a project
-Export search hits
-Export emails to PST or MSG
Viewing Documents Groups and Review Sets in FTK
Important: In Summation, there are separate views and permissions defined for Document Groups and Review
Sets. In FTK, Document Groups and Review Sets that were created in Summation are displayed within the
Manage Labels dialog.
Reviewing FTK Data in Summation
You can use the following review features in Summation to help manage the workflow of working with data that
was added and processed using FTK.
-Review the data by reviewers in the Web console.
-Cull the data and get the desired data set.
-Export the data using Summation using its export capabilities.
Integrating with AccessData Forensics Products Known Issues with FTK Compatibility | 383
Known Issues with FTK Compatibility
See the product’s and FTK Release Notes for a list of known issues with FTK Compatibility.

Navigation menu