Forensic Email Collector (FEC) Changelog

Released on 10/28/2018

This is a minor maintenance release with the following improvements:

  • Hardened folder tree generation for Exchange mailboxes so that FEC can work around folder names containing invalid characters.
  • FEC now includes a message that a browser window will open for OAuth authentication when that option is selected.

Remote Authenticator v1.3.1
Released on 10/23/2018

This is an update to the FEC Remote Authenticator application only.

  • Reduced system requirements to .NET Framework 4 from 4.6.1. This allows FEC Remote Authenticator to run on earlier versions of Windows 7 without SP1, Windows Vista, and even Windows XP.
  • Updated the save token dialog to make it more intuitive for end users.

Released on 10/15/2018

  • Direct PST writer—Forensic Email Collector can now write output PSTs all on its own. Outlook is no longer required. In addition to the removal of the Outlook dependency, the direct PST writer brings performance improvements.
  • Foldered output option for Gmail API—FEC now provides an option to create an output folder structure based on Gmail labels when acquiring Gmail / G Suite mailboxes via Gmail API.
  • Long file path support—Long file paths inside target mailboxes exceeding 260 characters are now supported.
  • Improvements to Exchange Autodiscover functionality.
  • You can now display the password inside the password box when entering credentials.
  • Introduced option to expand and collapse all child tree nodes when working with the folder tree of a target mailbox.
  • email addresses are now associated with the AOL built-in profile.
  • FEC now logs the username used during the acquisition. This can be helpful in instances where the username differs from the target email account (e.g., when delegation is used).
  • Hardened the folder tree creation process for IMAP mailboxes.
  • Improvements to the management and hashing of multiple output PSTs when the split output PST option is selected.
  • The display names of output PSTs are now set to reflect the target email address for easier identification.
  • Numerous other minor improvements.

Released on 7/23/2018

  • Delegation for Exchange/Office 365—You can now acquire a target mailbox using the credentials of another authorized user (e.g., an administrator) who has access to the target mailbox.
  • Email Notifications—FEC can now notify you via email when an acquisition is complete.
  • File System Timestamps—FEC now sets the file system timestamps of collected MIME and MSG emails based on the Internal Date attribute for IMAP servers and Gmail API, and creation and last modification dates for Exchange servers.
  • Exchange Version Autodetect—New option to have FEC automatically detect the Exchange version of the target server during Exchange acquisitions.
  • Improved output folder validation to allow the user to create a folder if it does not exist, or optionally output to an existing folder containing files as long as a previous FEC project is not found in the output folder.
  • Fixed a GUI issue that prevented the split output PSTs option from being recorded.
  • Exchange acquisitions now report non-message items both in the acquisition log and as a report named “Non-message_EWS_Items”.
  • FEC now reports the time elapsed during an acquisition session in the acquisition log.
  • Numerous other minor improvements.

Released on 6/19/2018

  • You can now acquire metadata for remaining items in a mailbox and export a metadata report.
  • It is now possible to save custom IMAP acquisition profiles and re-use them as needed.
  • FEC now alternates between batch download and individual download mode for Google API and Exchange acquisitions—this was already in place for IMAP. This helps work around memory limitations on 32-bit and low-memory systems and allows for challenging messages to be downloaded individually. More detailed logging of encountered issues is also possible at the item level, rather than at the batch level. Individual download mode is automatically triggered on every third retry attempt.
  • New user interface for acquisition settings page. It is now possible to customize an existing profile in-place without having to re-enter the server details. You can also switch from Gmail API to Gmail via IMAP or from Office 365 via EWS to Office 365 via IMAP with one click.
  • New workaround for GoDaddy’s improper handling of Inbox folder case sensitivity.
  • Resolved a very rare Gmail API issue where a mailbox snapshot would never complete.
  • Added new built-in acquisition profiles for ProtonMail and Gandi. The connection to ProtonMail requires a paid plan and installation of ProtonMail Bridge.
  • Added a new option to allow all SSL certificates when connecting to an IMAP server. This helps connect to servers with invalid SSL certificates, as well as ProtonMail Bridge which works on the local computer.
  • Added option to IMAP Search Console to search messages by their UID values—to the extent supported by the server.
  • Improved handling of Gmail labels containing the “/” character when acquiring Gmail via IMAP.
  • Moved some database calls to a separate thread for improved UI responsiveness.
  • Added safeguards to better distinguish timeouts from user-initiated cancelations.
  • User-entered information such as the target email address and output path is now instantly validated before navigating to the next page.
  • FEC will now remember user preferences when you update FEC to a newer version.
  • Numerous other minor improvements.

Released on 4/22/2018

  • Released FEC Search Console for Exchange, which allows server-side searching of Office 365 and Exchange mailboxes.
  • Preservation of Office 365 and Exchange mailboxes now supports acquisition from the “Recoverable Items” folder (also known as the dumpster in earlier versions of Exchange).
  • You can now specify the version of the target Exchange server when acquiring emails from Exchange servers.
  • Improved cancel button behavior during Exchange acquisitions.
  • It is now possible to split the output PST file by size.
  • Added a message to the user interface to clarify that the MSG output option is required in order to output to PST format.
  • Output PST files are no longer hashed if the acquisition is canceled by the user—they will be hashed if the canceled session is later resumed to completion.
  • Added logic to the installation routine to make the Windows 7 Service Pack 1 or later requirement clearer.

Released on 3/14/2018

  • Released FEC Search Console for IMAP, which allows performing server-side searches on IMAP mailboxes.
  • IMAP logs are now prefixed to indicate what stage of the forensic preservation workflow each log represents (e.g., Search Console, Mailbox Listing, Acquisition, etc.).
  • Search terms applied in Search Console (both Gmail and IMAP) are now persisted and reloaded when a previous project is opened.
  • Other minor enhancements and performance improvements.

Released on 2/13/2018

  • Improved timings of exponential backoff algorithm for better handling of Gmail and EWS API and rate limits and IMAP server throttling.
  • Improved support for using Forensic Email Collector over Remote Desktop Protocol (RDP).
  • A GUI glitch that caused the menu buttons to become unresponsive which occurred on some devices after a long time of inactivity is now fixed.
  • Improved handling of Gmail messages without labels when using Gmail API.
  • Acquisition log now reflects the correct server address depending on whether Gmail API or Gmail via IMAP was used.
  • Added software version information to acquisition and exception logs.
  • Clicking the “STOP” button during processing now asks for confirmation before stopping the acquisition.
  • Processing now starts after the “START” button is clicked on the processing page. This makes the workflow consistent between starting a new project and resuming an existing project.
  • It is now possible to evaluate Forensic Email Collector for 30 days with a project limit of 5,000 messages.

Released on 1/29/2018

  • Improved Gmail API & rate limit handling and FEC’s exponential backoff algorithm.
  • When Gmail API returns a suggested wait time, FEC now parses that time from the server response and waits until then if possible.
  • Added Network Solutions and FastMail to the built-in email providers database.
  • It is now possible to select/deselect an entire branch (i.e., folder and subfolders) by SHIFT-clicking a checkbox in the folder selection page.
  • Improved support for UNC output paths.
  • Fixed an issue where case insensitive handling of folder names by an IMAP server could prevent FEC from creating a subfolder in the output PST when the PST output option is selected.
  • Improved the feedback FEC provides to the end user when the selected output folder is not writable.

Released on 1/3/2018

  • FEC now works as a 64-bit process when executed on a 64-bit version of Windows.
  • Improved handling of Gmail mailboxes with a very large number of labels.
  • Improved response time when performing queries in Search Console with the PST output option selected.
  • When FEC is launched by running an FEC Project file (i.e., “.FECProj”), FEC now automatically loads that project.
  • It is now possible to export a list of downloaded and remaining messages after loading a previous project.
  • FEC now automatically populates the username for iCloud accounts with the local part of the target email address.
  • Added an AT&T profile for AT&T affiliated domain names. This profile can also be used for Yahoo accounts affiliated with AT&T.
  • Upon completion of an acquisition session, FEC now displays a helpful message indicating the status of the acquisition. This message also contains a hyperlink that can be used to navigate to the output folder.
  • Minor improvements to Gmail acquisition logic to work around Gmail API rate limits.

Released on 11/16/2017

  • Released FEC Remote Authenticator for Gmail API acquisitions.
  • FEC now sets the MSGFLAG_READ and MSGFLAG_UNSENT flags in output MSG files for “read” and “draft” messages.
  • FEC Search Console now displays Gmail label names instead of label IDs for better clarity.
  • List of encountered Gmail labels, including label names, message counts and label IDs, are now included in the acquisition log for Gmail API acquisitions.
  • Fixed a bug that prevented the FEC user interface from being updated when software updates were checked manually.
  • Performance improvements to how Gmail labels are captured and saved.
  • Other minor enhancements and performance improvements.

Released 10/5/2017

  • Released FEC Search Console for Gmail API acquisitions.
  • FEC now supports hardware dongle-based licensing.
  • In the event that the end user authorizes FEC using an incorrect Gmail account during Gmail API acquisitions, both the target email address and the email address that was used for authorization are now displayed to the end user for easier troubleshooting.
  • Added help menu which links to Metaspike’s online knowledge base.

Released 9/18/2017

  • Fixed issue that caused some non-administrator users to have difficulty saving FEC preferences.
  • Added built-in connection profiles for GoDaddy and Rackspace.
  • Streamlined Connection Settings page.
  • Performance improvements to PST output.
  • Added automatic update check functionality.
  • Moved custom Gmail API credential input from Preferences page to Connection Settings page.