What is Obliterator?
I have been tasked with mailbox sanitization numerous times, and I know it isn’t fun without the right tools. This is a common request, especially in connection with trade secret misappropriation cases. Usually, one of the conditions of the settlement involves searching devices for files containing the misappropriated trade secrets, and then logging and removing those items.
When it comes to mailbox sanitization, Forensic Email Collector has been helpful in identifying and logging the items to be deleted from a mailbox. But, since it is a forensic tool, FEC is not capable of altering the source mailbox. So, it didn’t help with the removal part.
Last year, we received an inquiry from one of our users and decided to put together a free tool that does the following:
- Receive a tab-delimited list of messages to be deleted, including their cryptographic hashes and IDs
- Request each item on the list from the email server by its ID, hash it in memory, and compare the hash to the hash supplied on the list above UPDATE (May 5, 2021)—this applies to IMAP remediation only, not Gmail API
- If the hashes match, remove the item from the mailbox UPDATE (May 5, 2021)—this applies to IMAP remediation only, not Gmail API
- Keep detailed logs of the operation
Today, we are releasing this free tool to the public with the hope that it might be helpful to other forensic examiners.
UPDATE (May 5, 2021):
Obliterator now supports Gmail API in addition to IMAP. When remediating via Gmail API, you can target an individual Gmail or Google Workspace mailbox via OAuth, or multiple Google Workspace mailboxes using domain-wide delegation of authority.
Input List
Obliterator requires a tab-delimited list of items to be deleted.
A. IMAP
When using IMAP, the input list should contain the following fields (order doesn’t matter):
ID: This is a sequential integer number you can assign to the items (e.g., 1,2,3, etc.)
Service ID: This is the UID and UID Validity of the item as provided by the server concatenated and Base64 encoded. Obliterator will use this information to request the item. (e.g., “IAAA3p”)
Folder: This is the IMAP folder where the message is located (e.g., “Inbox”)
MIME Hash [Sha256]: This is the SHA-256 hash of the raw MIME message
Here is how the list file should look (columns should be separated by tabs):
| ID | Service ID | Folder | MIME Hash [Sha256] |
|---|---|---|---|
| 1 | IAAA3p | Sent | 06C8CA9A77754F35098AC8F64A19D545C2ED44732130B33777046A755054A852 |
| 2 | IAAA4P | Sent | 92D88DF6E11E3A926E17D9B413A51FD0C1D929521ED71054219C520AAAA050EE |
| 3 | IAAA4Z | Sent | 232C087F831A29331DA0E51D0A669C72F3FFDE06C2966CEFADABFC78E3E3292D |
| 4 | IAABFN | Sent | A32BD508723688DB203C0BDB5F7D5922954F53DE223CFC9F28ACBE95E2075673 |
You can download a copy of this file here: Sample Input List
B. Gmail API
When using Gmail API, the input list should contain the following fields (order doesn’t matter):
ID: This is a sequential integer number you can assign to the items (e.g., 1,2,3, etc.)
Service ID: This is the message ID Gmail assigns to messages. (e.g., “17937bf1b3dbb3bb”)
Here is how the list file should look (columns should be separated by tabs):
| ID | Service ID |
|---|---|
| 1 | 17937bf1b3dbb3bb |
| 2 | 178ea9a306924c29 |
| 3 | 178db20fc49d6bc8 |
| 4 | 178c67aae8cc70fa |
Important Note: The Service IDs are not interchangeable between IMAP and Gmail API. For instance, you cannot use IMAP UIDs when remediating emails via Gmail API.
How to Create The Input List
If you are a user of Forensic Email Collector, you probably noticed that the above format is the format of the Downloaded Items log file FEC produces using its default options. So, in order to create the input list in FEC:
- Start a new IMAP or Gmail API acquisition depending on your target type.
- If using IMAP, keep the MIME output option checked (you can add other output formats if needed) and keep the default value for hashing algorithm (SHA-256).
- Perform an in-place search to identify the items to be deleted.
- Complete the acquisition.
Having completed the steps above, you will now have a preservation copy of the items to be deleted (great to keep a copy before you delete them) as well as the input list needed for Obliterator. You can now run Obliterator and point it to the Downloaded Items Log file FEC produced.
Alternatively, you can acquire the entire mailbox, identify the items to be deleted using other tools such as a forensic investigation tool or an eDiscovery review tool, and create a subset of the Downloaded Items Log for Obliterator based on the results of your review.
If you are not a Forensic Email Collector user, you can put together the input list manually or by using a script. When calculating the hash of each email message, it is important to hash the raw MIME message (RFC 5322) presented by the server without any manipulation.
Email Remediation Using Obliterator
A. IMAP
Once you have the input list described above, you can provide Obliterator with the target server’s details, credentials for the target mailbox, the output path where the logs will be written, and the path to the input list. Here is a screenshot:
The Skip Hash Comparison option determines how Obliterator identifies the messages to be deleted. If checked, Obliterator uses a combination of IMAP UID, IMAP folder name, and UIDVALIDITY values. If unchecked, Obliterator also downloads each message, hashes it, and compares the hash to the hash provided in the input list.
B. Gmail API
When using Gmail API, you have two main decisions to make:
1. Authentication Method: You can authenticate into an individual user’s mailbox using OAuth, or at the organization level using domain-wide delegation of authority. For OAuth, you will need to create your own Gmail API credentials and supply the Client ID and Client Secret to Obliterator. The credentials will be used to authenticate with the target mailbox. It is important that you add “Gmail API” to your Google API project.
When using domain-wide delegation, configure domain-wide delegation as described in our domain-wide delegation documentation for FEC with one difference—you need to add the ‘https://mail.google.com’ scope to the authorized scopes. If you are using the service account for Obliterator only, this is the only scope you need. You can then import the JSON file into Obliterator and use it for authentication.
Important Note: If you are using domain-wide delegation, you need to add a third column to your input list named TargetEmail. This column should be populated with the email address for each target. This way, you can compile a combined list of messages for multiple end-users, and tell Obliterator which message belongs to which mailbox.
2. Remediation Mode: Obliterator is able to operate in three different modes depending on your needs:
-
- Individual: In this mode, a delete request will be issued for each message one at a time.
- Batch (default): In Batch mode, Obliterator combines the delete requests into batches to improve performance.
- Bulk: In this mode, a bulk request will be submitted to Google for deletion. This is significantly faster but does not guarantee whether the messages were found in the target mailbox or if they even existed at all.
Get Your Copy
System Requirements
- Windows 7 SP-1 or later
- .Net Framework 4.6.1 (download from Microsoft)
- If running on Windows 7, make sure that the KB4457144 Windows update has been installed
Changelog
You can find Obliterator’s changelog here.