Learn to use Forensic Email Collector in 7 steps
1. System Requirements
We’ve designed Forensic Email Collector to be lean and mean. For best performance, we recommend that you install it on a computer along these lines:
- Windows 7 SP1 or later (preferably 64-bit)
- Quad-core processor
- 8 GB or more RAM
- Modern web browser (for OAuth)
- Stable internet connection
If you’re behind a firewall, you may also need to open a few ports for FEC to do its job—that is, connect to email servers and acquire emails.
2. Installation & Licensing
Installing FEC takes only a few minutes:
- Follow the download link we sent you when you purchased FEC and grab a fresh copy
- Run the installer
- If you have a dongle, plug it into your computer
- Launch FEC
- If you do not have a dongle, click the “Install License” button and enter your license key
That’s it. You are now ready to preserve mailboxes!
3. Getting Started
Acquisitions start with the target email address. Once you enter the target email address and click NEXT, FEC will do some magic in the background and try to automatically populate the connection settings. Unless you are dealing with exotic providers, you will find that you rarely have to enter any server settings.
Speaking of servers—FEC supports five provider types: Exchange Web Services (EWS), Microsoft Graph, Gmail, IMAP (Yahoo, Hotmail, AOL, iCloud, etc.), and POP3 (as a last resort). In addition to emails, you can collect calendars, contacts, and notes from Exchange servers. As for Google, you can grab Google Calendar events along with Gmail.
4. Connection Settings
FEC usually auto-populates connection settings to make your life easier. Want to do your own thing? You have three options:
- You can change the provider type using the Switch Profile hyperlink on the top right
- Clicking the acquire this mailbox via IMAP instead hyperlink will allow you to quickly switch from Gmail or EWS API to IMAP
- When using an EWS or IMAP profile, you can click on the Customize hyperlink next to the profile name to edit its settings
If you need help finding out the EWS endpoint URL for an Exchange acquisition, we’ve got you covered.
It’s also a good idea to familiarize yourself with FEC’s Gmail output options when you have a few minutes.
FEC can output to the following formats simultaneously:
- MIME (eml, iCal, vcf)
We recommend that you keep the MIME output option enabled. Email servers transmit messages in MIME format (RFC 5322), and this is the closest you can get to native format in most cases.
FEC populates the file system timestamps of acquired items with metadata captured from the server. Keep those timestamps intact so they can be parsed by your processing and investigative tools down the line.
6. In-place Searches
Most acquisitions involve capturing the entire mailbox. Having the entire mailbox at your disposal is great! You can search and filter using your eDiscovery and digital forensics tools and re-do your searches if parameters change.
If you are not able to acquire the entire mailbox for some reason (e.g., privacy issues, time constraints, etc.), then you’ll love FEC’s in-place searches. You can perform instant searches directly on the server and acquire only the results. This applies to all providers except POP: EWS, Graph, Gmail, Google Calendar, and IMAP.
7. Logs & Resuming
FEC keeps detailed logs inside the Logs folder in your output directory. You should expect to see:
- Acquisition Log—details of the acquisition, case information, and the settings you chose
- Exception Log—list of acquisition errors, if any
- Downloaded Items Log—list of acquired items
- Remaining Items Log—list of items that could not be downloaded, if any
- Raw IMAP logs
This is a good time to check the exception logs and the remaining items log to make sure the acquisition went smoothly. If you find any unresolved exceptions, you can re-open and resume the project by double-clicking the .FECProj file in your output folder. When you click the RESUME button, FEC will continue the acquisition where it left off.
This was just a quick tour. When you have a moment, check out our knowledge base for details.
Join the Metaspike Community to connect with other DFIR professionals, learn tips and tricks, and share your experiences.
If you would like to make suggestions for new functionality, our idea board is the place to visit. You can upvote existing feature requests or send us your own feedback.
Our walkthrough videos and webinar recordings are a great place to learn more about FEC and email forensics in general.
Need a helping hand? Don’t hesitate to get in touch at any time. We’re looking forward to hearing from you!