What is Obliterator?
I have been tasked with mailbox sanitization numerous times, and I know it isn’t fun without the right tools. This is a common request, especially in connection with trade secret misappropriation cases. Usually, one of the conditions of the settlement involves searching devices for files containing the misappropriated trade secrets, and then logging and removing those items.
When it comes to mailbox sanitization, Forensic Email Collector has been helpful in identifying and logging the items to be deleted from a mailbox. But, since it is a forensic tool, FEC is not capable of altering the source mailbox. So, it didn’t help with the removal part.
Last year, we received an inquiry from one of our users and decided to put together a free tool that does the following:
- Receive a tab-delimited list of messages to be deleted, including their cryptographic hashes and IDs
- Request each item on the list from the email server by its ID, hash it in memory, and compare the result with the hash supplied in the list
- If the hashes match, remove the item from the mailbox
- Keep detailed logs of the operation
Today, we are releasing this free tool to the public with the hope that it might be helpful to other forensic examiners.
Obliterator currently supports the IMAP protocol. This is because the request we received was for an IMAP server, and other providers such as Gmail and O365 also allow IMAP access in a pinch. If you would like to see other provider types that FEC supports (Gmail API, Exchange, etc.) added to Obliterator, please send us a note.
Obliterator requires a tab-delimited list of items to be deleted. The list should contain the following fields in the order below:
ID: This is a sequential integer number you can assign to the items (e.g., 1,2,3, etc.)
Service ID: This is the UID and UID Validity of the item as provided by the server concatenated and Base64 encoded. Obliterator will use this information to request the item. (e.g., “IAAA3p”)
Folder: This is the IMAP folder where the message is located (e.g., “Inbox”)
MIME Hash [Sha256]: This is the SHA-256 hash of the raw MIME message
MIME Path: This field should be in the list file, but can be left blank
IMAP Flags: This field should be in the list file, but can be left blank
IMAP UID: This field should be in the list file, but can be left blank
Internal Date: This field should be in the list file, but can be left blank
Here is how the list file should look (columns should be separated by tabs):
| ID | Service ID | Folder | MIME Hash [Sha256] | MIME Path | IMAP Flags | IMAP UID | Internal Date |
You can download a copy of this file here: Sample Input List
How to Create The Input List
If you are a user of Forensic Email Collector, you probably noticed that the above format is the format of the Downloaded Items log file FEC produces using its default options. So, in order to create the input list in FEC:
- Start a new IMAP acquisition using the default settings (i.e., only MIME output, SHA-256 hashing)
- Perform an in-place search to identify the items to be deleted
- Complete the acquisition
Having completed the steps above, you will now have a preservation copy of the items to be deleted (great to keep a copy before you delete them) as well as the input list needed for Obliterator. You can now run Obliterator and point it to the Downloaded Items log file FEC produced.
If you are not a Forensic Email Collector user, you can put together the input list manually or by using a script. Obliterator only uses the first 4 fields, so the remaining 4 fields can be left blank, but they must still be present as empty columns. When calculating the hash of each email message, it is important to hash the raw MIME message (RFC 5322) exactly as presented by the server, without any manipulation (no decoding, re-encoding, or line-ending changes).
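For anyone assembling the list without FEC, the following added Python example (not code from Obliterator or FEC) writes the eight-column tab-delimited file, hashes the raw MIME bytes unmodified, and applies the same hash-before-delete guard the tool uses. The message and the Service ID value are constructed placeholders, since the exact Service ID encoding is FEC's own.

```python
import hashlib

# Column order Obliterator expects; only the first four are consulted,
# the other four must exist but may be empty.
COLUMNS = ["ID", "Service ID", "Folder", "MIME Hash [Sha256]",
           "MIME Path", "IMAP Flags", "IMAP UID", "Internal Date"]

# Constructed sample message (not a real mailbox item). CRLF line endings,
# exactly as an IMAP server would return it in a FETCH BODY[] response.
SAMPLE_MIME = (b"From: alice@example.com\r\n"
               b"To: bob@example.com\r\n"
               b"Subject: Q3 pricing model\r\n"
               b"Message-ID: <constructed-0001@example.com>\r\n"
               b"\r\n"
               b"Attached is the spreadsheet we discussed.\r\n")

# (service_id, folder, raw bytes); the Service ID here is a placeholder,
# the real value is the server's UID + UIDVALIDITY as encoded by FEC.
SAMPLE_ITEMS = [("SERVICE-ID-PLACEHOLDER", "Inbox", SAMPLE_MIME)]

def mime_sha256(raw_mime: bytes) -> str:
    """SHA-256 of the raw RFC 5322 bytes, with no decoding or newline changes."""
    return hashlib.sha256(raw_mime).hexdigest()

def build_input_list(items) -> str:
    """Render the tab-delimited list; IDs are assigned sequentially from 1."""
    lines = ["\t".join(COLUMNS)]
    for seq, (service_id, folder, raw) in enumerate(items, start=1):
        lines.append("\t".join([str(seq), service_id, folder,
                                mime_sha256(raw), "", "", "", ""]))
    return "\n".join(lines) + "\n"

def parse_input_list(text: str) -> list:
    """Read the list back, rejecting rows that do not carry all eight columns."""
    lines = text.splitlines()
    if lines[0].split("\t") != COLUMNS:
        raise ValueError("unexpected header row")
    rows = []
    for line in lines[1:]:
        fields = line.split("\t")
        if len(fields) != len(COLUMNS):
            raise ValueError(f"row has {len(fields)} columns, expected 8: {line!r}")
        rows.append({"id": int(fields[0]), "service_id": fields[1],
                     "folder": fields[2], "sha256": fields[3].lower()})
    return rows

def safe_to_delete(row: dict, fetched_raw: bytes) -> bool:
    """The guard the tool applies: delete only if the item fetched now hashes to the listed value."""
    return mime_sha256(fetched_raw) == row["sha256"]
```

Converting CRLF to LF before hashing is enough to make the check fail, which is the point: a message that no longer matches the list is left in place.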
Mailbox Sanitization Using Obliterator
Once you have the input list described above, you can provide Obliterator with the target server’s details, credentials for the target mailbox, the output path where the logs will be written, and the path to the input list. Here is a screenshot:
Get Your Copy
- Windows 7 SP1 or later
- .NET Framework 4.6.1 (download from Microsoft)