Forensic Email Collector
Expertly preserve email evidence without breaking a sweat. Get plug & play output for digital forensic investigations and eDiscovery.
Forensic Email Collector can connect to most popular email servers and cloud email providers. You are not stuck with IMAP or POP for forensic email preservation.
Forensic Email Collector can connect to Exchange servers—including Office 365—via Exchange Web Services. You can preserve emails faster and more accurately, and without having to configure the target Exchange server for IMAP access.
FEC connects to Gmail and G Suite directly via Gmail REST API instead of IMAP and captures extended Gmail metadata such as labels. Say goodbye to having to download the same message multiple times because of overlapping labels.
FEC connects to IMAP servers in a read-only manner and preserves email evidence without modifying the target mailbox. Outlook.com, Hotmail, Yahoo Mail, Zoho, iCloud and AOL Mail are just a few supported providers.
Forensic Email Collector is a powerful tool—it can forensically acquire emails from Exchange Servers, Office 365, Gmail, G Suite and virtually any IMAP server with many output options and detailed logs. It is also remarkably intuitive. You can get started in just a few minutes and preserve emails and document your efforts with a few clicks.
Check out the video on the right for a brief overview of how to forensically preserve a Gmail mailbox using FEC (~1 min).
As soon as you start an acquisition, Forensic Email Collector captures snapshots of each mail folder. The snapshots are used to keep track of which mail folders and messages have been downloaded.
If you run into a network error or if the server throws a fit—free email providers are notorious for throttling large scale downloads—FEC automatically retries remaining messages as many times as you want, calculating an optimal delay amount between each retry session.
Mailbox snapshots are persisted in a database. So, you can even stop the acquisition and resume it later by loading a past project.
Examiners are often required to only preserve email messages that respond to certain search criteria. Enter FEC Search Console for Gmail.
Search Console takes advantage of the Gmail API and allows examiners to perform pre-acquisition searches on a mailbox prior to forensic email collection. The search is run on the server side, and only responsive documents are collected. Search syntax is the same as one would use within Gmail. You can filter emails by a ton of criteria such as recipients, subject, date, sender, labels, etc.
Works with Gmail via REST API and Exchange servers via EWS for efficient and high-fidelity data acquisition.
Did an acquisition get interrupted? No problem; we can resume a past project when you are ready.
Detailed acquisition and exception reports so that you can record and document exactly what happened, when and why.
FEC can automatically retry acquisition as many times as you want. You don’t have to go back to square one because of a pesky server or due to network issues.
You can connect to Gmail using OAuth 2.0 instead of using credentials. No need to enable “access for less secure apps”.
FEC can output to EML, MSG or PST format. You can export to all three simultaneously—complete with MD5, SHA1 or SHA256 hashing of the output.
We have added a few features to FEC to make sure it is a joy to use.
When preserving email evidence from an Exchange server, you may not immediately know the Exchange Web Services (EWS) endpoint URL. FEC utilizes the Exchange Autodiscover service to automatically configure itself using the target email address and password.
FEC includes built-in connection profiles—including host name, protocol, port and SSL settings—for hundreds of popular domain names used by email service providers such as Gmail, Yahoo, Outlook.com and iCloud. If the target email address matches one of the profiles, server settings are populated automatically for you.
As soon as you type the target email address, FEC checks the domain name to see if it fits one of the pre-configured profiles such as Gmail, Outlook.com, Yahoo, etc. If it does not, it looks up the mail exchanger records (MX records) to determine the mail servers handling email messaging for the target user’s domain.
When you use the IMAP protocol, FEC keeps a detailed log of IMAP communications with the server in addition to its standard acquisition and exception logs. You can do a play-by-play of what FEC asked the server and how the server responded if that’s your thing.