Organisational and technical starting points
You and INDICA should define the technical starting points, preferably via a conference call.
Which INDICA product (Enterprise Search / eDiscovery / GDPR / Predictive tagging)? Which environment (cloud or on premise)? Which data sources and their size? Number of users? Etc.
This is important to ensure uptime, a scalable environment, a first-time-right setup and no surprises in the costs.
For the cloud environment the setup requires less work. Typically for eDiscovery purposes the cloud environment will be used, with an upload of data per case. Depending on the size and complexity of the data set, and the state of the art in hardware and networking, the initial upload and indexing requires more time. It is impossible to foresee or to guarantee the throughput time. It is possible to add extra computing power on the INDICA side. It is also possible to upload closer to the data center of INDICA. It is also possible to not OCR documents in the initial indexing, because that is a much slower process. All this is not determined by the speed of INDICA (Indica itself is ultra fast), but depends on other factors.
INDICA running on live sources of a customer could involve extremely large data sets that need to be indexed initially. With an extremely large data set, initial indexing via an internet connection is not the way to go. Most usually it is feasible to install INDICA as an appliance closer to the data set.
For the on premise environment it is important to recognise that you will be fully responsible for purchase/rental of hardware and managing the uptime and scalability, so we advise you accordingly. The setup costs and hardware requirements are low. However, INDICA is fully dependent on your requested meeting structure and ICT architecture.
In case of on premise environment, please read system requirements.
The number of users is also important to define a training plan. Within our standard pricing we facilitate one webinar of one hour for all users simultaneously (no further training effort per user required; rapid adoption). Depending on the number of users and your organisation structure it could be wise to define a specific training plan with smaller groups of users (additional costs).
The type of data sources could be email, fileservers, ERP-system etc. Especially structured systems, like ERP, CRM, PDM etc. could require an additional interface that could involve additional costs. So it is important to discuss the specific structured systems in the data set.
The definition of the organisational and technical starting points could influence the costs. Normally our pricing should be a reasonable estimation.
Our standard terms are pre payment of the setup costs. Please note the costs for usage and support are a monthly fee, invoiced on the first day of the month. Usage and support is subject to payment.
| Environment | Purpose | Type of user |
| | The case investigation or user environment, where the investigation on the data or queries/searches will be done. | Case reviewer or regular users |
| | The case management environment, where the type of tags (per case) can be defined, where the export of the tags after the investigation (the evidence of the investigation) can be done. | Case manager |
| https://files.indica.nl | The secure web upload environment, where the upload of the data can be done, comparable to Dropbox | Case manager |
Cloud environments and types of users
It is important to realise that INDICA eDiscovery is multi case. Per case the users and their roles are administered.
In the cloud environment, INDICA has three complementary cloud environments that can be accessed by different people. The appropriate URLs that a user has access to will be provided via email.
The case manager will use the admin and upload environment. The case manager will probably also use the investigation environment if the case manager is working side by side with the case reviewers in the investigation of the data. It could be that there are multiple case managers, perhaps even from a partner of Indica who might assist in upload, defining tags and export.
The access to the admin side of INDICA and the upload environment requires a separate login from the investigation environment. This is on purpose to make sure that no case reviewer can change settings, and even for the case manager to make sure that person is fully aware before making changes in the settings.
The case investigation environment is solely for the case reviewers. They will only use that particular environment. Therefore the case reviewers or normal users will not be bothered with multiple URLs and only use the specific environment for them.
In the on premise environment the customer is fully responsible for uptime, scalability and the provisioning of the service to the users. Depending on the agreement between customer and INDICA or reseller it could be that INDICA as a company or its reseller doesn’t have access to the environment at all, or that customer can allow specific access for support by INDICA or reseller.
INDICA can be delivered to you as an appliance in an on premise environment with the following support documentation:
- Indica provides an OVF (VM template) or an installable, which you should download.
- You send a serial key to Indica. Indica will verify everything and provide an activation code.
In the cloud environment Indica as a company will provision the service to the users. Each user will receive a certificate via email and/or SMS. That is the only way to have access to the environments.
- You provide an exhaustive list of all ‘reviewers/users’ versus ‘manager/admin’ users with first name, last name, email address and mobile phone number.
- INDICA will administer the initial users and execute the service provisioning.
On premise or private cloud
In the on premise environment INDICA will be delivered as an appliance. The customer can provision the service to the users, following their directory service or via the internal INDICA user administration. Most usually INDICA as an organisation will help with the initial service provisioning.
You can add users via the tab ‘settings’ in the admin environment, either via the internal database of INDICA or via a connection with your Directory Service.
Via the internal database of INDICA:
System → Users & apps
Or using the directory service of customer:
Connections → AD Settings
A common issue has to do with the user administration and the service provisioning to users. In an on premise environment this can be easily rectified by the case manager or administrator. In a cloud environment it could be that users have switched devices, so that the certificate needs to be reissued.
Basics of the administration
The administration and management can be done by a case manager or administrator. For more information please read the Case admin interface article.
Using INDICA for eDiscovery requires the selection of a specific case, to define tags and to export the evidence after the investigation. All from the admin environment.
The case manager or administrator should click ‘manage case’ on the top right hand side and select the particular case. The admin side of that case will be opened. To be sure, the case manager will only be able to select and open cases that this person is allowed to handle.
An important tab at the top of the screen, in the middle, is ‘tags’. Per case it is possible to define the type of tags. It is important to do this at the beginning of the investigation, to define this structure. Just type a tag and press enter and it will immediately appear in the investigation side of the case.
Later on in the investigation it is possible for a document to be tagged with multiple different tags. So the tagging structure is extremely flexible.
Below the definition of tags there is the possibility of exporting the tags at the end of the investigation. An export will create two files. The first file is a ZIP with all the documents of that type of tag. The second file is a list of all the documents in the ZIP file. Both files typically serve as the evidence after the investigation. The files have to be generated (built), so it could take some time before they appear right under the export function.
For all kinds of troubleshooting and how to:
Basics of the upload of data
There are two distinct approaches for making data available for indexing in INDICA. Please be aware that INDICA will not assist in this area. However, a case manager from a business partner could assist in that area.
Method 1: A closed data set uploaded for a specific case:
The data to be uploaded for a specific case should normally be made available by the IT department of a customer, or can be safely made available by a forensic expert from a business partner of INDICA. INDICA itself doesn’t have the functionality to create a forensic copy; for example, EnCase can be used for that.
The case manager will upload the data of a case in the upload environment. Read this for guidance. The case manager uses the following URL https://files.indica.nl and is fully able to do this in a point and click way.
Method 2: A live data set:
The administrator uses the admin environment and can add data sources (see Datasources → Shares)
The administrator can also add data tabs. Perhaps you need additional guidance by INDICA. This could incur additional costs. See also Datatab Configuration.
Management by exception monitoring of upload & indexing:
The case manager or administrator should monitor whether all data has been uploaded and indexed. The case manager can monitor in the 'manage' environment. There could be corrupt data that should be fixed. There could also be encrypted data, or rights issues (which is not an INDICA issue).
For all kinds of troubleshooting and how to:
Basics of search and investigation
The user documentation can be found here:
2. User Manuals
INDICA will organise a webinar for all users simultaneously around the go-live date, or via a specific training plan upon request.
Search and investigation functionality illustrated via a demonstration with a demo data set:
- This is about a pharmaceutical company and there is a whistle-blower who indicates there is shady business in the Middle East or Asia, but he/she doesn’t have any specifics. Explain that this poses a real investigative challenge. Where to start? What to search for? Who to focus on? Which timeframe? Etc.
Explanation of the INDICA screen. On the top right hand side you see the amount of documents (emails, files etc.) in the whole data set, way too much to handle in a traditional approach. Please be aware that once you start to query, you actually filter down, and therefore the amount of documents in the particular query should go down. It is important to realize whether you would like to start another new query on the whole data set, or whether you want to continue filtering down within a particular query. On the left hand side are the types of docs, where you could place filters. In the middle is a bar like Google to do fuzzy search. Below it are the specific docs.
At the top of the screen are the data sources. Source one is unstructured data ‘pharmacorp’, the second source is structured data from the internet with a list of chemicals and the third source is also structured data but now from the ERP-system with a debtor list. Mention that a unique feature of Indica is the possibility of relating unstructured with structured data.
You can search like Google. Type in any word or combination and INDICA provides the corresponding results. The unique ranking algorithm uses all the meta data that INDICA extracts from the documents and relates them in order to rank them. Users will never have to define the meta data themselves. INDICA extracts the meta data itself, much more precisely, and relates it to all other information.
When investigating email traffic, the best first angle would be to look at the ‘world map’. This is based on all communication in the data set and their IP numbers and locations. This is never watertight (an IP number & location could be manipulated) but it serves as the best possible indicator. Zoom out so that the whole world is visible. Click on the history chart below the world map and place a start versus end time, and move those start versus end back and forth. So you see less data due to the timeframe selection.
- Troubleshooting: if the laptop has a small screen of low resolution, it could be that the world is not fully visible and the timeline below is not visualised properly. Please make sure you verify this before starting a live demonstration. This can only be countered using a newer laptop.
- Myanmar looks peculiar. Click on Myanmar. Now you go back to the home screen of INDICA, but now with a selection of only 35 documents. So from > 300K docs to 35 docs.
‘Email map’ gives an overview of all people who are communicating with each other within the scope of the data. If you click on a certain stream of communication then ‘green’ is sending and ‘red’ is receiving.
‘Relationship map’ gives an overview of all the relationships between the various entities. In green the documents, in blue specific ‘entities’ (words) within these documents. You can simply click through to see more specific relationships. It illustrates the lowest possible level of indexing all the relationships in the data set.
Click back to the home screen. Press ‘date’, just below the Google like search bar within INDICA (next to ‘advanced query builder’).
Eventually you have to read some documents manually. Open the ‘as discussed’ email. You see the word ‘Ephedrine’ and would like to investigate it: press “analyse” on the right hand side. INDICA itself identifies important pieces of information and relates it to all the other available information.
Click through on “Ephedrine” in the chemical data popup. Scan through the description of the substance. It is a nose spray, but it also is a key component in ‘Methamfetamine’, also known as ‘Crystalmeth’.
Click through on the ‘Order’ email. Again click ‘Analyse’ and a separate ‘Invoice’ appears. Click through and open the PDF. An order to London, with shipment to ‘offshore location’, no reference whatsoever to the specific product involved.
One of the keys to finding the needle in a haystack is that relationship between structured and unstructured data. Other keys are the powerful visual overviews like the world map and the email map, combined with superior ease of use. Given that potential it is important to identify possible structured information sources to add to the data set.
The blue ribbon between ‘advanced query builder’ and ‘select all’ is a time line. Via drag and drop the timeline can be narrowed or widened. This is another way of zooming in or out.
Press ‘saved searches’ at the right hand side of the screen. Here you can save a query, containing a subset of the full data set. You typically do this to make sure that you can retrieve a query for later use, to investigate the documents in that particular query again. Without having to memorize the way you came to the selection in the query. Within the pulldown menu (of saved searches) you can select any previous query.
Tagging is a way to mark specific documents in the whole data set. Select / mark a document via the check box on the left hand side of each document. Click on ‘+ tags’, select the type of tag, and ‘save’. The specific type of tag will be shown next to the meta data of each document.
The definition of tags has to be set on the admin side of INDICA, by a case manager or administrator. This can’t be done by case reviewers / users, to make sure the whole team agrees upon the proper definition. The definition can be case specific.
Select / mark multiple documents in the query. Click on ‘select all’ and that will tag all the documents in the query (make sure the query is not too big). If the arrow is pressed right next to ‘select all’ a popup will appear ‘only on this page’ (of the query that could consist of multiple pages) or ‘deselect on this page’.
It is also possible to open a document (only one document open from the whole query) and to tag this document on the right hand top side of the screen, and then move on to the next document by pressing the arrow right above the tags.
On the left-hand side of the screen the various types of documents can be seen. This also includes all the documents that have been tagged. So during the investigation the tagged documents are immediately visible.
Click ‘advanced query builder’. The logic can be simple or complex, any combination thinkable, without having knowledge of advanced queries. ‘Add rule’ will create an extra rule. ‘Build’ will visualise the query logic in the Google bar. ‘Search’ will execute the query and give the results.
For regular search/query tips, please read the manual.
For advanced search/query tips, please refer to the cheatsheet.
Click on a document to open the document. The original version of the document can be accessed by clicking ‘original’ on the right hand side. The tab ‘comments’ can be used to make notes. Please be aware that this will never alter the original document. The notes will be stored separately.
- Punchline: Indica enables disruptive data driven case management.
Customer (administrator) will communicate the go-live date to the users via your preferred communication method and media. It is highly important that you proactively inform them:
- Which data is in scope versus out of scope for INDICA (manage expectations)
- When initial indexation of the data will be finished (if you enable usage before a full indexation is ready)
- If there are other limitations, for example if you have a proof of concept with a defined scope
Specifically for a case the case manager will inform the specific reviewers/users about the timelines, especially explaining to them that the throughput time for taking a forensic copy of the data and upload & indexing could vary.
INDICA has a library of all possible support information. Please use these sources, to gain knowledge in your organisation, before consulting the Indica support organisation. This self-service approach is the way to make the support costs as low as possible.
The admin documentation. Please be aware that this is only accessible by case managers and administrators.
The user documentation. Please be aware that this is accessible for everybody.
The usual issues are rather small and can be rectified by you very easily:
- A common issue has to do with the user administration and the service provisioning to users.
- Another issue is with the access of data. Certain data can’t be accessed because the rights structure in your ICT-architecture is not up to date.
- Another issue is with a data source, where the storage temporarily lost its connection.
It is important to recognise that the issues above are fully the consequence of your ICT-architecture, not caused by Indica. The usage of INDICA merely visualises existing problems in your ICT environment.
- A last issue could be with indexing. Most usually it can help to re-index all the data, and make sure that all the data is fully indexed.
For additional support please visit our support portal or create a ticket via firstname.lastname@example.org and we will respond as soon as possible. This could be normal support, but it could also be ideas to drive the development of INDICA.
Please be aware that we have the possibility for additional service level agreements. Requests outside the scope of regular support could be characterised as an additional service that could incur additional costs.
For advanced use of INDICA you might consult a business partner of INDICA.
It is important to verify the user statistics and engage users about their experience, especially to steer towards a full rollout with usage. INDICA loves to periodically evaluate together with your team.