
What is Obliterator?

I have been tasked with mailbox sanitization numerous times, and I know it isn’t fun without the right tools. This is a common request, especially in connection with trade secret misappropriation cases. Usually, one of the conditions of the settlement involves searching devices for files containing the misappropriated trade secrets, and then logging and removing those items.

When it comes to mailbox sanitization, Forensic Email Collector has been helpful in identifying and logging the items to be deleted from a mailbox. But because FEC is a forensic tool, it never alters the source mailbox, so it could not help with the removal part.

Last year, we received an inquiry from one of our users and decided to put together a free tool that does the following:

  1. Receive a tab-delimited list of messages to be deleted, including their cryptographic hashes and IDs
  2. Request each item on the list from the email server by its ID, hash it in memory, and compare the hash to the hash supplied on the list above
  3. If the hashes match, remove the item from the mailbox
  4. Keep detailed logs of the operation

Today, we are releasing this free tool to the public with the hope that it might be helpful to other forensic examiners.

Obliterator currently supports the IMAP protocol. This is because the request we received was for an IMAP server, and other providers such as Gmail and O365 also allow IMAP access in a pinch. If you would like to see other provider types that FEC supports (Gmail API, Exchange, etc.) added to Obliterator, please send us a note.

Input List

Obliterator requires a tab-delimited list of items to be deleted. The list should contain the following fields in the order below:

ID: This is a sequential integer number you can assign to the items (e.g., 1,2,3, etc.)
Service ID: This is the item's IMAP UID and the folder's UID Validity, as reported by the server, concatenated and Base64 encoded. Obliterator uses this value to request the item. (e.g., “IAAA3p”)
Folder: This is the IMAP folder where the message is located (e.g., “Inbox”)
MIME Hash [Sha256]: This is the SHA-256 hash of the raw MIME message
MIME Path: This field should be in the list file, but can be left blank
IMAP Flags: This field should be in the list file, but can be left blank
IMAP UID: This field should be in the list file, but can be left blank
Internal Date: This field should be in the list file, but can be left blank

Here is how the list file should look (columns should be separated by tabs):

ID	Service ID	Folder	MIME Hash [Sha256]	MIME Path	IMAP Flags	IMAP UID	Internal Date
1	IAAA3p	Sent	06C8CA9A77754F35098AC8F64A19D545C2ED44732130B33777046A755054A852	r:\2\d\2\jdoe@example.com\Items\MIME\Sent\0000001.eml	Seen	3561	2004-06-04 15:14:23Z
2	IAAA4P	Sent	92D88DF6E11E3A926E17D9B413A51FD0C1D929521ED71054219C520AAAA050EE	r:\2\d\2\jdoe@example.com\Items\MIME\Sent\0000002.eml	Seen	3599	2004-06-06 04:29:15Z
3	IAAA4Z	Sent	232C087F831A29331DA0E51D0A669C72F3FFDE06C2966CEFADABFC78E3E3292D	r:\2\d\2\jdoe@example.com\Items\MIME\Sent\0000003.eml	Seen	3609	2004-06-06 13:54:01Z
4	IAABFN	Sent	A32BD508723688DB203C0BDB5F7D5922954F53DE223CFC9F28ACBE95E2075673	r:\2\d\2\jdoe@example.com\Items\MIME\Sent\0000004.eml	Seen	4429	2004-07-26 04:55:38Z

You can download a copy of this file here: Sample Input List

How to Create The Input List

If you are a user of Forensic Email Collector, you probably noticed that the above format is the format of the Downloaded Items log file FEC produces using its default options. So, in order to create the input list in FEC:

  • Start a new IMAP acquisition using the default settings (i.e., only MIME output, SHA-256 hashing)
  • Perform an in-place search to identify the items to be deleted
  • Complete the acquisition

Having completed the steps above, you will now have a preservation copy of the items to be deleted (great to keep a copy before you delete them) as well as the input list needed for Obliterator. You can now run Obliterator and point it to the Downloaded Items log file FEC produced.

If you are not a Forensic Email Collector user, you can put together the input list manually or with a script. Obliterator only uses the first four fields, so the remaining four can be left blank, but the columns must still be present (eight tab-separated fields per row). When calculating the hash of each message, hash the raw MIME message (RFC 5322) exactly as the server presents it, byte for byte, with no line-ending normalization, decoding or header rewriting. Any alteration changes the hash, and an item whose hash does not match the list is not removed.

Mailbox Sanitization Using Obliterator

Once you have the input list described above, you can provide Obliterator with the target server’s details, credentials for the target mailbox, the output path where the logs will be written, and the path to the input list. Here is a screenshot:

Mailbox Sanitization with Obliterator

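As an added example (not Obliterator's or FEC's own code), the Python script below covers both halves of the workflow described on this page: producing the input list for a folder, the manual route mentioned under "How to Create The Input List", and the verify-then-delete loop from the numbered list at the top of the post. Two things in it are assumptions. The Service ID encoding is inferred from the four sample rows, which all decode as the integer (UIDVALIDITY << 32) | UID written as a base-64 number with no padding (the page only says the UID and UID Validity are concatenated and Base64 encoded). The in-memory mailbox and its two sample messages are constructed stand-ins for a live IMAP server; the imaplib calls that would replace them are named in the comments.

```python
# Added example, not Obliterator's or FEC's own code. Assumed (inferred from the
# page's four sample rows): Service ID = (UIDVALIDITY << 32) | UID written as a
# base-64 integer, standard alphabet, no padding. MemoryMailbox and its messages
# are constructed stand-ins for a live IMAP folder.
import hashlib
import logging

B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
COLUMNS = ["ID", "Service ID", "Folder", "MIME Hash [Sha256]",
           "MIME Path", "IMAP Flags", "IMAP UID", "Internal Date"]


def encode_service_id(uidvalidity, uid):
    """(UIDVALIDITY << 32) | UID as a base-64 integer; (2, 3561) -> 'IAAA3p'."""
    n = (uidvalidity << 32) | uid
    digits = ""
    while n:
        n, r = divmod(n, 64)
        digits = B64[r] + digits
    return digits or "A"


def decode_service_id(sid):
    """Inverse of encode_service_id; returns (uidvalidity, uid)."""
    n = 0
    for ch in sid:
        n = n * 64 + B64.index(ch)
    return n >> 32, n & 0xFFFFFFFF


def mime_sha256(raw):
    """SHA-256 of the raw RFC 5322 bytes exactly as the server returned them
    (no CRLF normalisation, decoding or header rewriting); FEC logs upper-case hex."""
    return hashlib.sha256(raw).hexdigest().upper()


class MemoryMailbox:
    """Stand-in for one IMAP folder. imaplib equivalents: M.uid('FETCH', str(uid),
    '(BODY.PEEK[])') reads without setting \\Seen; M.uid('STORE', str(uid),
    '+FLAGS', r'(\\Deleted)') followed by M.expunge() removes the item."""

    def __init__(self, uidvalidity, messages):
        self.uidvalidity = uidvalidity
        self.messages = dict(messages)   # uid -> raw MIME bytes

    def fetch_raw(self, uid):
        return self.messages.get(uid)

    def delete(self, uid):
        del self.messages[uid]


def build_input_list(folder, box, uids):
    """Tab-delimited list; first four fields filled, the other four left blank."""
    lines = ["\t".join(COLUMNS)]
    for n, uid in enumerate(uids, start=1):
        sid = encode_service_id(box.uidvalidity, uid)
        digest = mime_sha256(box.fetch_raw(uid))
        lines.append("\t".join([str(n), sid, folder, digest, "", "", "", ""]))
    return "\n".join(lines) + "\n"


def parse_input_list(text):
    rows = []
    for line in text.splitlines()[1:]:          # first line is the header
        fields = line.split("\t")
        if len(fields) != len(COLUMNS):
            raise ValueError("expected 8 tab-separated fields: %r" % line)
        rows.append(dict(zip(COLUMNS, fields)))
    return rows


def sanitize(box, rows, log=logging.getLogger("sanitize")):
    """Verify-then-delete. Returns {ID: outcome}. A changed UIDVALIDITY, a missing
    item or a hash mismatch means the server item is not the logged item, so it
    is left in place and only the reason is logged."""
    outcome = {}
    for row in rows:
        validity, uid = decode_service_id(row["Service ID"])
        if validity != box.uidvalidity:
            result = "skipped: UIDVALIDITY changed"
        elif (raw := box.fetch_raw(uid)) is None:
            result = "skipped: not on server"
        elif mime_sha256(raw) != row["MIME Hash [Sha256]"].upper():
            result = "skipped: hash mismatch"
        else:
            box.delete(uid)
            result = "deleted"
        log.info("item %s folder=%s uid=%d %s", row["ID"], row["Folder"], uid, result)
        outcome[row["ID"]] = result
    return outcome


def demo():
    """Constructed run: item 1 verifies and is deleted; item 2 carries a stale
    hash (as if the message had changed) and stays on the server."""
    box = MemoryMailbox(2, {
        3561: b"From: jdoe@example.com\r\nSubject: formula v2\r\n\r\nsecret\r\n",
        3599: b"From: jdoe@example.com\r\nSubject: lunch\r\n\r\nnoon?\r\n",
    })
    rows = parse_input_list(build_input_list("Sent", box, [3561, 3599]))
    rows[1]["MIME Hash [Sha256]"] = "00" * 32   # stale hash -> must not delete
    return sanitize(box, rows), sorted(box.messages)
```

The UIDVALIDITY check is what makes the Service ID worth carrying: if the folder has been rebuilt since the list was made, the same UID may now name a different message, and the loop refuses to touch it rather than relying on the UID alone. Hashing on the raw bytes is the second guard; anything that rewrites the message on the way (a client that normalizes line endings, for instance) produces a mismatch and the item is logged and left in place.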

Get Your Copy

Enter your email address below and we will email you the download link for Obliterator.
If you do not receive an email from us in a few minutes, please check your spam folder.

System Requirements