What is Obliterator?
I have been tasked with mailbox sanitization numerous times, and I know it isn’t fun without the right tools. This is a common request, especially in connection with trade secret misappropriation cases. Usually, one of the conditions of the settlement involves searching devices for files containing the misappropriated trade secrets, and then logging and removing those items.
When it comes to mailbox sanitization, Forensic Email Collector has been helpful in identifying and logging the items to be deleted from a mailbox. But, since it is a forensic tool, FEC is not capable of altering the source mailbox. So, it didn’t help with the removal part.
Last year, we received an inquiry from one of our users and decided to put together a free tool that does the following:
- Receive a tab-delimited list of messages to be deleted, including their cryptographic hashes and IDs
- Request each item on the list from the email server by its ID, hash it in memory, and compare the hash to the hash supplied on the list above
- If the hashes match, remove the item from the mailbox
- Keep detailed logs of the operation
Today, we are releasing this free tool to the public with the hope that it might be helpful to other forensic examiners.
Obliterator currently supports the IMAP protocol. This is because the request we received was for an IMAP server, and other providers such as Gmail and O365 also allow IMAP access in a pinch. If you would like to see other provider types that FEC supports (Gmail API, Exchange, etc.) added to Obliterator, please send us a note.
Obliterator requires a tab-delimited list of items to be deleted. The list should contain the following fields (order doesn’t matter):
ID: This is a sequential integer number you can assign to the items (e.g., 1, 2, 3, etc.)
Service ID: This is the UID and UID Validity of the item as provided by the server concatenated and Base64 encoded. Obliterator will use this information to request the item. (e.g., “IAAA3p”)
Folder: This is the IMAP folder where the message is located (e.g., “Inbox”)
MIME Hash [Sha256]: This is the SHA-256 hash of the raw MIME message
Here is how the list file should look (columns should be separated by tabs):
ID | Service ID | Folder | MIME Hash [Sha256]
You can download a copy of this file here: Sample Input List
How to Create The Input List
If you are a user of Forensic Email Collector, you probably noticed that the above format is the format of the Downloaded Items log file FEC produces using its default options. So, in order to create the input list in FEC:
- Start a new IMAP acquisition. Keep the MIME output option checked (you can add other output formats if needed) and keep the default value for hashing algorithm (SHA-256).
- Perform an in-place search to identify the items to be deleted
- Complete the acquisition
Having completed the steps above, you will now have a preservation copy of the items to be deleted (great to keep a copy before you delete them) as well as the input list needed for Obliterator. You can now run Obliterator and point it to the Downloaded Items log file FEC produced.
If you are not a Forensic Email Collector user, you can put together the input list manually or by using a script. When calculating the hash of each email message, it is important to hash the raw MIME message (RFC 5322) presented by the server without any manipulation.
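As an added example (not Obliterator's own code), the following Python sketches the workflow described above end to end: parsing a tab-delimited input list whose columns may appear in any order, hashing the raw RFC 5322 bytes exactly as the server returns them, and removing an item only when its hash matches the listed value. The mailbox is a constructed in-memory dictionary standing in for the IMAP server, and the Service ID encoding (base64 of the text "uid:uidvalidity") is an assumption, since the page does not document Obliterator's exact byte layout.

```python
import base64, csv, hashlib, io
# Constructed mailbox standing in for the IMAP server: raw RFC 5322 bytes as
# returned by UID FETCH, keyed by (folder, uid); UIDVALIDITY for "Inbox" is 7.
MAILBOX = {
    ("Inbox", 101): b"From: a@example.com\r\nSubject: Q3 roadmap\r\n\r\nDraft\r\n",
    ("Inbox", 102): b"From: b@example.com\r\nSubject: lunch\r\n\r\nNoon?\r\n",
}

def mime_sha256(raw):
    # Hash the bytes exactly as served; no decoding or line-ending normalisation.
    return hashlib.sha256(raw).hexdigest()

def encode_service_id(uid, uidvalidity):
    # ASSUMPTION: the page does not give Obliterator's byte layout; this example
    # base64-encodes the text "uid:uidvalidity" as a stand-in.
    return base64.b64encode(f"{uid}:{uidvalidity}".encode()).decode()

def decode_service_id(sid):
    uid, validity = base64.b64decode(sid).decode().split(":")
    return int(uid), int(validity)

def parse_input_list(text):
    # Columns may appear in any order; only the four essential ones are required.
    reader = csv.DictReader(io.StringIO(text), delimiter="\t")
    missing = {"ID", "Service ID", "Folder", "MIME Hash [Sha256]"} - set(reader.fieldnames or [])
    if missing:
        raise ValueError(f"input list lacks columns: {sorted(missing)}")
    return list(reader)

def sanitize(rows, mailbox, uidvalidity, skip_hash=False):
    # Remove an item only if UIDVALIDITY still matches and the in-memory hash equals
    # the listed hash (unless skip_hash). Returns one (ID, outcome) log entry per row.
    log = []
    for row in rows:
        uid, validity = decode_service_id(row["Service ID"])
        key = (row["Folder"], uid)
        raw = mailbox.get(key) if validity == uidvalidity else None
        if raw is None:
            log.append((row["ID"], "skipped: not found or stale UIDVALIDITY"))
        elif not skip_hash and mime_sha256(raw) != row["MIME Hash [Sha256]"].lower():
            log.append((row["ID"], "skipped: hash mismatch, message left in place"))
        else:
            del mailbox[key]
            log.append((row["ID"], "deleted"))
    return log

# Constructed input list: row 1 matches; row 2 carries a wrong hash (message changed).
SAMPLE_LIST = "Folder\tMIME Hash [Sha256]\tID\tService ID\n" + "\n".join([
    f"Inbox\t{mime_sha256(MAILBOX[('Inbox', 101)])}\t1\t{encode_service_id(101, 7)}",
    f"Inbox\t{'0' * 64}\t2\t{encode_service_id(102, 7)}",
])
```

Running `sanitize(parse_input_list(SAMPLE_LIST), dict(MAILBOX), 7)` deletes item 1 and leaves item 2 in place with a hash-mismatch log entry; a changed UIDVALIDITY skips every row.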
Mailbox Sanitization Using Obliterator
Once you have the input list described above, you can provide Obliterator with the target server’s details, credentials for the target mailbox, the output path where the logs will be written, and the path to the input list. Here is a screenshot:
Get Your Copy
- Windows 7 SP-1 or later
- .Net Framework 4.6.1 (download from Microsoft)
Important Note About Gmail
When accessing Gmail over IMAP, Gmail’s default behavior is to archive deleted messages. That is, copies of the deleted messages are left in the “All Mail” folder. If you are using Obliterator on a Gmail account for mailbox sanitization, you would most likely want to turn this behavior off. You can accomplish this by configuring the IMAP settings on the Gmail account as follows:
The "Immediately delete the message forever" option above would cause Gmail to skip archiving the messages, and allow Obliterator to permanently delete them.
- Added a STOP button to gracefully end processing when needed.
- Obliterator is now more flexible with how the message list file should be formatted. Columns can be in any order, and only the 4 essential columns are needed.
- There is now an option to Skip Hash Comparison. When selected, Obliterator will only use the IMAP folder, UID, and UID validity values to match the messages.
- Selected settings are now included in the logs.