Forensic Email Collector

Changelog

v3.9.2.0
Released on 07/08/2019

  • Google Drive support phase 1—FEC can now acquire Google Drive attachments of Gmail / G Suite messages when using delegation or custom API credentials.
  • Dongle licenses of FEC now support running in portable mode from a flash drive.
  • Reports can now be exported with DAT and CSV delimiters in addition to TSV.
  • Acquisitions can now be started and resumed from the command line.
  • Improved support for Google Calendar items with incomplete elements.
  • In-place search preview operations can now be canceled.
  • FEC now displays a running count of the number of responsive items as the in-place search preview is running.
  • Custom Google API credentials can now be saved for future use.
  • Changed the font used for the target email address to make the distinction between a “zero” and an “O” clearer.
  • Numerous other UI and performance improvements.

v3.8.3.0
Released on 05/23/2019

  • FEC’s folder tree for Exchange / O365 acquisitions now groups the “Recoverable Items” and “Archive” folders under separate tree nodes for clarity.
  • Improved folder tree creation for Exchange servers which can result in better support for In-Place Archives in some edge cases.
  • It is now possible to use OAuth authentication with O365 when using a custom Exchange profile rather than the built-in O365 profile. This helps in scenarios where the MX records for the domain do not reflect those of O365.
  • Added support for a legacy O365 MX record so that domains using the deprecated record are automatically recognized as using O365.

Remote Authenticator v1.8.2
Released on 05/10/2019

  • FEC Remote Authenticator now allows you to manually select a provider profile (i.e., Gmail, G Suite, or O365) if the provider for the target email address cannot be automatically detected.

v3.8.1.0
Released on 05/06/2019

  • OAuth authentication is now supported for Office 365. FEC Remote Authenticator was also updated to v1.8.1 to support the remote authentication workflow for O365.
  • In addition to delegation, FEC now supports impersonation in Exchange / O365.
  • FEC now captures inbox rules from Exchange / O365 targets and mailbox filters from Gmail / G Suite targets automatically.
  • The Acquisition Log now contains a summary section with message counts to assist with quality control.
  • In-place search previews and their result counts are now recorded in the Acquisition Log.
  • Exchange conversation index values and Gmail thread IDs are now recorded in the Downloaded Items Log.
  • The “Duplicate Items for Each Gmail Label” option is now reflected in the acquisition log.
  • The custom Exchange connection profile now has an “O365” button to populate the EWS Endpoint URI with that of O365.
  • Added support for additional Exchange item subtypes such as non-delivery reports.
  • Executing an in-place search preview for the inaccessible “Audits” and “System” Exchange folders no longer prevents the search preview from running. Any exceptions are logged in the exception log.
  • Exchange item types without a conversation index value are no longer logged as exceptions.
  • Numerous other minor improvements.

Remote Authenticator v1.8.1
Released on 05/06/2019

  • FEC Remote Authenticator now supports O365.
  • Increased system requirements to .NET Framework 4.5.

v3.7.1.0
Released on 03/06/2019

  • FEC now supports domain-wide delegation in G Suite organizations. Instead of authenticating into each end user’s mailbox individually, it is now possible to use a service account to access all end user mailboxes.
  • IMAP internal date and UID server metadata are now exported side by side in the Downloaded_Items log to make forensic authentication easier.
  • Reduced the vertical size of the notification email window to make it fit on smaller screens.
  • OAuth tokens are now stored in the project database instead of on the file system. This allows users to resume a project on another computer without moving the tokens manually and eliminates the need to clear the token cache.
  • Improved handling of Google Calendars without a name.
  • Improved handling of Google Calendar events without organizer data.
  • Enhanced throttling mitigation for Google Calendar acquisitions.
  • The startup page now allows the user to go back if it was entered from another page.
  • Gmail via IMAP authentication workflow no longer requests calendar OAuth scopes as Google Calendar is not accessed during an IMAP acquisition.
  • Conversation Index MAPI property is now stored in MSG and PST output for Exchange acquisitions.
  • Numerous other minor improvements.

v3.6.1.0
Released on 02/05/2019

  • Improved the snapshot process for Exchange / O365 which resulted in a major performance boost. This will also make server throttling less likely during the snapshot stage in Exchange acquisitions.
  • Made the Exchange snapshot stage more resilient to server throttling.
  • It is now possible to import and export IMAP search queries.
  • MSG output is no longer required for PST output. These two options can now be selected and deselected independently of each other.
  • It is now possible to output to a folder containing an existing FEC project. FEC will detect the presence of the other project and create a unique session subfolder where necessary. This should make it easier to go back and tweak settings while setting up an acquisition.
  • Added a hint next to the output folder picker that indicates if the output folder is not empty, and the available disk space.
  • A more prominent message is now shown at the end of an acquisition session if there are any folders whose snapshots have not been completed.
  • Revised target email address validation to add support for long TLDs.
  • OAuth requests to Google now also include the CalendarEventsReadonly scope.
  • Numerous other minor improvements.

Remote Authenticator v1.6.1
Released on 02/05/2019

  • OAuth requests to Google now also include the CalendarEventsReadonly scope.
  • Reduced footprint on target computers.

v3.5.2.0
Released on 01/10/2019

This is a major update with several new features and enhancements:

  • Added support for calendar, contact, and note item types for Exchange acquisitions.
  • Added support for Google Calendar acquisition.
  • Expanded Search Console for Gmail to enable in-place Google Calendar searches.
  • Improved support for meeting requests.
  • Added option to export messages multiple times under each Gmail label for Gmail API acquisitions.
  • The acquisition log now contains information about the Google Calendars that were found, if any.
  • New user preference for maximum wait duration.
  • Improved the calculation of username from target email address so that the username is not reset unless the target email address is changed.
  • IMAP acquisitions now capture message flags during message download rather than the folder snapshot phase. This improves snapshot performance and works around IMAP server issues where the server incorrectly returns search results that were not requested.
  • Improved folder snapshot performance for Gmail API acquisitions.
  • Added query syntax checking and correction functionality to Search Console for Gmail and Exchange.
  • PST hashing progress is now displayed using the progress bar in addition to the text-based display.

Remote Authenticator v1.5.0
Released on 01/10/2019

  • Updated to work with FEC v3.5 and later.
  • Remote Authenticator now requests Google Calendar access along with Gmail.

v3.4.6.2
Released on 10/28/2018

This is a minor maintenance release with the following improvements:

  • Hardened folder tree generation for Exchange mailboxes so that FEC can work around folder names containing invalid characters.
  • FEC now includes a message that a browser window will open for OAuth authentication when that option is selected.

Remote Authenticator v1.3.1
Released on 10/23/2018

This is an update to the FEC Remote Authenticator application only.

  • Reduced system requirements to .NET Framework 4 from 4.6.1. This allows FEC Remote Authenticator to run on earlier versions of Windows 7 without SP1, Windows Vista, and even Windows XP.
  • Updated the save token dialog to make it more intuitive for end users.

v3.4.6
Released on 10/15/2018

  • Direct PST writer—Forensic Email Collector can now write output PSTs all on its own. Outlook is no longer required. In addition to the removal of the Outlook dependency, the direct PST writer brings performance improvements.
  • Foldered output option for Gmail API—FEC now provides an option to create an output folder structure based on Gmail labels when acquiring Gmail / G Suite mailboxes via Gmail API.
  • Long file path support—Long file paths inside target mailboxes exceeding 260 characters are now supported.
  • Improvements to Exchange Autodiscover functionality.
  • You can now display the password inside the password box when entering credentials.
  • Introduced option to expand and collapse all child tree nodes when working with the folder tree of a target mailbox.
  • Verizon.net email addresses are now associated with the AOL built-in profile.
  • FEC now logs the username used during the acquisition. This can be helpful in instances where the username differs from the target email account (e.g., when delegation is used).
  • Hardened the folder tree creation process for IMAP mailboxes.
  • Improvements to the management and hashing of multiple output PSTs when the split output PST option is selected.
  • The display names of output PSTs are now set to reflect the target email address for easier identification.
  • Numerous other minor improvements.

v3.3.5
Released on 7/23/2018

  • Delegation for Exchange/Office 365—You can now acquire a target mailbox using the credentials of another authorized user (e.g., an administrator) who has access to the target mailbox.
  • Email Notifications—FEC can now notify you via email when an acquisition is complete.
  • File System Timestamps—FEC now sets the file system timestamps of collected MIME and MSG emails based on the Internal Date attribute for IMAP servers and Gmail API, and creation and last modification dates for Exchange servers.
  • Exchange Version Autodetect—New option to have FEC automatically detect the Exchange version of the target server during Exchange acquisitions.
  • Improved output folder validation to allow the user to create a folder if it does not exist, or optionally output to an existing folder containing files as long as a previous FEC project is not found in the output folder.
  • Fixed a GUI issue that prevented the split output PSTs option from being recorded.
  • Exchange acquisitions now report non-message items both in the acquisition log and as a report named “Non-message_EWS_Items”.
  • FEC now reports the time elapsed during an acquisition session in the acquisition log.
  • Numerous other minor improvements.

v3.2.5
Released on 6/19/2018

  • You can now acquire metadata for remaining items in a mailbox and export a metadata report.
  • It is now possible to save custom IMAP acquisition profiles and re-use them as needed.
  • FEC now alternates between batch download and individual download mode for Google API and Exchange acquisitions—this was already in place for IMAP. This helps work around memory limitations on 32-bit and low-memory systems and allows for challenging messages to be downloaded individually. More detailed logging of encountered issues is also possible at the item level, rather than at the batch level. Individual download mode is automatically triggered on every third retry attempt.
  • New user interface for acquisition settings page. It is now possible to customize an existing profile in-place without having to re-enter the server details. You can also switch from Gmail API to Gmail via IMAP or from Office 365 via EWS to Office 365 via IMAP with one click.
  • New workaround for GoDaddy’s improper handling of Inbox folder case sensitivity.
  • Resolved a very rare Gmail API issue where a mailbox snapshot would never complete.
  • Added new built-in acquisition profiles for ProtonMail and Gandi. The connection to ProtonMail requires a paid plan and installation of ProtonMail Bridge.
  • Added a new option to allow all SSL certificates when connecting to an IMAP server. This helps connect to servers with invalid SSL certificates, as well as ProtonMail Bridge which works on the local computer.
  • Added option to IMAP Search Console to search messages by their UID values—to the extent supported by the server.
  • Improved handling of Gmail labels containing the “/” character when acquiring Gmail via IMAP.
  • Moved some database calls to a separate thread for improved UI responsiveness.
  • Added safeguards to better distinguish timeouts from user-initiated cancelations.
  • User-entered information such as the target email address and output path is now instantly validated before navigating to the next page.
  • FEC will now remember user preferences when you update FEC to a newer version.
  • Numerous other minor improvements.

v3.1.6686
Released on 4/22/2018

  • Released FEC Search Console for Exchange, which allows server-side searching of Office 365 and Exchange mailboxes.
  • Preservation of Office 365 and Exchange mailboxes now supports acquisition from the “Recoverable Items” folder (also known as the dumpster in earlier versions of Exchange).
  • You can now specify the version of the target Exchange server when acquiring emails from Exchange servers.
  • Improved cancel button behavior during Exchange acquisitions.
  • It is now possible to split the output PST file by size.
  • Added a message to the user interface to clarify that the MSG output option is required in order to output to PST format.
  • Output PST files are no longer hashed if the acquisition is canceled by the user—they will be hashed if the canceled session is later resumed to completion.
  • Added logic to the installation routine to make the Windows 7 Service Pack 1 or later requirement clearer.

v3.0.6647
Released on 3/14/2018

  • Released FEC Search Console for IMAP, which allows performing server-side searches on IMAP mailboxes.
  • IMAP logs are now prefixed to indicate what stage of the forensic preservation workflow each log represents (e.g., Search Console, Mailbox Listing, Acquisition, etc.).
  • Search terms applied in Search Console (both Gmail and IMAP) are now persisted and reloaded when a previous project is opened.
  • Other minor enhancements and performance improvements.

v2.10.6618
Released on 2/13/2018

  • Improved timings of exponential backoff algorithm for better handling of Gmail and EWS API and rate limits and IMAP server throttling.
  • Improved support for using Forensic Email Collector over Remote Desktop Protocol (RDP).
  • A GUI glitch that caused the menu buttons to become unresponsive which occurred on some devices after a long time of inactivity is now fixed.
  • Improved handling of Gmail messages without labels when using Gmail API.
  • Acquisition log now reflects the correct server address depending on whether Gmail API or Gmail via IMAP was used.
  • Added software version information to acquisition and exception logs.
  • Clicking the “STOP” button during processing now asks for confirmation before stopping the acquisition.
  • Processing now starts after the “START” button is clicked on the processing page. This makes the workflow consistent between starting a new project and resuming an existing project.
  • It is now possible to evaluate Forensic Email Collector for 30 days with a project limit of 5,000 messages.

v2.9.6603
Released on 1/29/2018

  • Improved Gmail API & rate limit handling and FEC’s exponential backoff algorithm.
  • When Gmail API returns a suggested wait time, FEC now parses that time from the server response and waits until then if possible.
  • Added Network Solutions and FastMail to the built-in email providers database.
  • It is now possible to select/deselect an entire branch (i.e., folder and subfolders) by SHIFT-clicking a checkbox in the folder selection page.
  • Improved support for UNC output paths.
  • Fixed an issue where case insensitive handling of folder names by an IMAP server could prevent FEC from creating a subfolder in the output PST when the PST output option is selected.
  • Improved the feedback FEC provides to the end user when the selected output folder is not writable.

v2.8.6577
Released on 1/3/2018

  • FEC now works as a 64-bit process when executed on a 64-bit version of Windows.
  • Improved handling of Gmail mailboxes with a very large number of labels.
  • Improved response time when performing queries in Search Console with the PST output option selected.
  • When FEC is launched by running an FEC Project file (i.e., “.FECProj”), FEC now automatically loads that project.
  • It is now possible to export a list of downloaded and remaining messages after loading a previous project.
  • FEC now automatically populates the username for iCloud accounts with the local part of the target email address.
  • Added an AT&T profile for AT&T affiliated domain names. This profile can also be used for Yahoo accounts affiliated with AT&T.
  • Upon completion of an acquisition session, FEC now displays a helpful message indicating the status of the acquisition. This message also contains a hyperlink that can be used to navigate to the output folder.
  • Minor improvements to Gmail acquisition logic to work around Gmail API rate limits.

v2.7.6529
Released on 11/16/2017

  • Released FEC Remote Authenticator for Gmail API acquisitions.
  • FEC now sets the MSGFLAG_READ and MSGFLAG_UNSENT flags in output MSG files for “read” and “draft” messages.
  • FEC Search Console now displays Gmail label names instead of label IDs for better clarity.
  • List of encountered Gmail labels, including label names, message counts and label IDs, are now included in the acquisition log for Gmail API acquisitions.
  • Fixed a bug that prevented the FEC user interface from being updated when software updates were checked manually.
  • Performance improvements to how Gmail labels are captured and saved.
  • Other minor enhancements and performance improvements.

v2.6.6487
Released 10/5/2017

  • Released FEC Search Console for Gmail API acquisitions.
  • FEC now supports hardware dongle-based licensing.
  • In the event that the end user authorizes FEC using an incorrect Gmail account during Gmail API acquisitions, both the target email address and the email address that was used for authorization are now displayed to the end user for easier troubleshooting.
  • Added help menu which links to Metaspike’s online knowledge base.

v2.5.6470
Released 9/18/2017

  • Fixed issue that caused some non-administrator users to have difficulty saving FEC preferences.
  • Added built-in connection profiles for GoDaddy and Rackspace.
  • Streamlined Connection Settings page.
  • Performance improvements to PST output.
  • Added automatic update check functionality.
  • Moved custom Gmail API credential input from Preferences page to Connection Settings page.