What is Obliterator?

I have been tasked with mailbox sanitization numerous times, and I know it isn’t fun without the right tools. This is a common request, especially in connection with trade secret misappropriation cases. Usually, one of the conditions of the settlement involves searching devices for files containing the misappropriated trade secrets, and then logging and removing those items.

When it comes to mailbox sanitization, Forensic Email Collector has been helpful in identifying and logging the items to be deleted from a mailbox. But, since it is a forensic tool, FEC is not capable of altering the source mailbox. So, it didn’t help with the removal part.

Last year, we received an inquiry from one of our users and decided to put together a free tool that does the following:

  1. Receive a tab-delimited list of messages to be deleted, including their cryptographic hashes and IDs
  2. Request each item on the list from the email server by its ID, hash it in memory, and compare the hash to the hash supplied on the list above
  3. If the hashes match, remove the item from the mailbox
  4. Keep detailed logs of the operation

Today, we are releasing this free tool to the public with the hope that it might be helpful to other forensic examiners.

Obliterator currently supports the IMAP protocol. This is because the request we received was for an IMAP server, and other providers such as Gmail and O365 also allow IMAP access in a pinch. If you would like to see other provider types that FEC supports (Gmail API, Exchange, etc.) added to Obliterator, please send us a note.

Input List

Obliterator requires a tab-delimited list of items to be deleted. The list should contain the following fields (order doesn’t matter):

ID: A sequential integer you assign to the items (e.g., 1, 2, 3, etc.)
Service ID: The UID and UID Validity of the item as provided by the server, concatenated and Base64 encoded. Obliterator uses this value to request the item. (e.g., “IAAA3p”)
Folder: The IMAP folder where the message is located (e.g., “Inbox”)
MIME Hash [Sha256]: The SHA-256 hash of the raw MIME message as the server returned it, written in hex

Here is how the list file should look (columns should be separated by tabs):

ID	Service ID	Folder	MIME Hash [Sha256]
1	IAAA3p	Sent	06C8CA9A77754F35098AC8F64A19D545C2ED44732130B33777046A755054A852
2	IAAA4P	Sent	92D88DF6E11E3A926E17D9B413A51FD0C1D929521ED71054219C520AAAA050EE
3	IAAA4Z	Sent	232C087F831A29331DA0E51D0A669C72F3FFDE06C2966CEFADABFC78E3E3292D
4	IAABFN	Sent	A32BD508723688DB203C0BDB5F7D5922954F53DE223CFC9F28ACBE95E2075673

You can download a copy of this file here: Sample Input List

How to Create The Input List

If you are a user of Forensic Email Collector, you probably noticed that the above format is the format of the Downloaded Items log file FEC produces using its default options. So, in order to create the input list in FEC:

  • Start a new IMAP acquisition. Keep the MIME output option checked (you can add other output formats if needed) and keep the default value for hashing algorithm (SHA-256).
  • Perform an in-place search to identify the items to be deleted
  • Complete the acquisition

Having completed the steps above, you will now have a preservation copy of the items to be deleted (great to keep a copy before you delete them) as well as the input list needed for Obliterator. You can now run Obliterator and point it to the Downloaded Items log file FEC produced.

If you are not a Forensic Email Collector user, you can put together the input list manually or by using a script. When calculating the hash of each email message, it is important to hash the raw MIME message (RFC 5322) exactly as the server presents it, without parsing, re-encoding, or otherwise manipulating it; a hash computed over anything else will never match what Obliterator sees on the server.
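The four-step procedure described at the top of the page and the scripted route to an input list, as one added Python example. This is not Obliterator's or FEC's code. It assumes a small Mailbox interface with an in-memory FakeMailbox for running offline and an imaplib adapter whose decode_service_id hook is hypothetical: the page says a Service ID is the UID and UID Validity concatenated and Base64 encoded, but not the exact layout, so the example treats it as an opaque key the adapter resolves. The skip_hash_check flag mirrors the v1.4 Skip Hash Comparison option; with it set, a message is deleted on folder and ID match alone, which gives up the protection the hash check provides.

```python
"""Verify-then-delete mailbox sanitization: an added example, not Obliterator's code.

Hypothetical pieces (not on the page): the Mailbox protocol, the in-memory
FakeMailbox used for offline runs, and ImapMailbox's decode_service_id hook,
assumed to turn an opaque Service ID into (uidvalidity, uid).
"""
import csv
import hashlib
import imaplib
import io
from typing import Callable, Dict, Iterable, List, Optional, Protocol, Tuple

# The four essential columns, in the order FEC's Downloaded Items log uses them.
REQUIRED = ("ID", "Service ID", "Folder", "MIME Hash [Sha256]")

def mime_sha256(raw: bytes) -> str:
    """SHA-256 over the raw RFC 5322 bytes exactly as the server returned them."""
    return hashlib.sha256(raw).hexdigest().upper()

def build_input_list(entries: Iterable[Tuple[str, str, bytes]]) -> str:
    """The scripted route to an input list: (folder, service_id, raw_mime) -> TSV text."""
    out = io.StringIO()
    writer = csv.writer(out, delimiter="\t", lineterminator="\n")
    writer.writerow(REQUIRED)
    for n, (folder, service_id, raw) in enumerate(entries, 1):
        writer.writerow([n, service_id, folder, mime_sha256(raw)])
    return out.getvalue()

def parse_input_list(text: str) -> List[Dict[str, str]]:
    """Columns may appear in any order; extras are ignored, missing ones are an error."""
    reader = csv.DictReader(io.StringIO(text), delimiter="\t")
    missing = [c for c in REQUIRED if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError(f"input list is missing columns: {missing}")
    return list(reader)

class Mailbox(Protocol):
    def fetch(self, folder: str, service_id: str) -> Optional[bytes]: ...
    def delete(self, folder: str, service_id: str) -> None: ...

class FakeMailbox:
    """In-memory mailbox keyed by (folder, service_id); constructed for offline runs."""
    def __init__(self, items: Dict[Tuple[str, str], bytes]):
        self.items = dict(items)
    def fetch(self, folder: str, service_id: str) -> Optional[bytes]:
        return self.items.get((folder, service_id))
    def delete(self, folder: str, service_id: str) -> None:
        del self.items[(folder, service_id)]

class ImapMailbox:
    """Real adapter over imaplib. BODY.PEEK[] returns the raw message without setting \\Seen."""
    def __init__(self, conn: imaplib.IMAP4, decode_service_id: Callable[[str], Tuple[int, int]]):
        self.conn, self.decode = conn, decode_service_id  # decode -> (uidvalidity, uid), assumed
    def fetch(self, folder: str, service_id: str) -> Optional[bytes]:
        validity, uid = self.decode(service_id)
        self.conn.select(f'"{folder}"')
        if int(self.conn.response("UIDVALIDITY")[1][0]) != validity:
            return None  # UIDs were renumbered; the list no longer identifies this message
        status, data = self.conn.uid("FETCH", str(uid), "(BODY.PEEK[])")
        if status != "OK" or not data or not isinstance(data[0], tuple):
            return None
        return data[0][1]
    def delete(self, folder: str, service_id: str) -> None:
        _, uid = self.decode(service_id)
        self.conn.uid("STORE", str(uid), "+FLAGS", r"(\Deleted)")
        self.conn.expunge()

def sanitize(mailbox: Mailbox, rows: List[Dict[str, str]],
             skip_hash_check: bool = False) -> List[Tuple[str, str]]:
    """Fetch each listed item, hash it in memory, delete only on a match; return the log."""
    log: List[Tuple[str, str]] = []
    for row in rows:
        folder, sid = row["Folder"], row["Service ID"]
        expected = row["MIME Hash [Sha256]"].strip().upper()
        raw = mailbox.fetch(folder, sid)
        if raw is None:
            log.append((row["ID"], "NOT FOUND"))
            continue
        actual = mime_sha256(raw)
        if not skip_hash_check and actual != expected:
            # The server's copy is not the item that was logged: leave it alone.
            log.append((row["ID"], f"HASH MISMATCH server={actual}"))
            continue
        mailbox.delete(folder, sid)
        log.append((row["ID"], "DELETED"))
    return log

if __name__ == "__main__":
    # Constructed messages; nothing here comes from a real mailbox.
    a = b"From: a@example.com\r\nSubject: one\r\n\r\nbody one\r\n"
    box = FakeMailbox({("Sent", "AAA"): a})
    for entry in sanitize(box, parse_input_list(build_input_list([("Sent", "AAA", a)]))):
        print(*entry)
```

Hashing the BODY.PEEK[] bytes as returned, without parsing or re-serializing, is what keeps the comparison meaningful. The UIDVALIDITY check matters because a folder whose UIDs have been renumbered makes every listed UID point at a different message, and the hash mismatch that follows is the only thing standing between the tool and the wrong deletion.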

Mailbox Sanitization Using Obliterator

Once you have the input list described above, you can provide Obliterator with the target server’s details, credentials for the target mailbox, the output path where the logs will be written, and the path to the input list. Here is a screenshot:

[Screenshot: Obliterator v1.4]

Get Your Copy

Enter your email address below and we will email you the download link for Obliterator.
If you do not receive an email from us in a few minutes, please check your spam folder.

System Requirements

Important Note About Gmail

When accessing Gmail over IMAP, Gmail’s default behavior is to archive deleted messages. That is, copies of the deleted messages are left in the “All Mail” folder. If you are using Obliterator on a Gmail account for mailbox sanitization, you will want to turn this behavior off before the run. You can accomplish this by configuring the IMAP settings on the Gmail account as follows:

[Screenshot: Prevent deleted Gmail messages from being archived]

The “Immediately delete the message forever” option shown above causes Gmail to skip archiving the messages and allows Obliterator to permanently delete them.


v1.5—Released 7/27/2020

Added a STOP button to gracefully end processing when needed.

v1.4—Released 9/25/2019

  • Obliterator is now more flexible with how the message list file should be formatted. Columns can be in any order, and only the 4 essential columns are needed.
  • There is now an option to Skip Hash Comparison. When selected, Obliterator will only use the IMAP folder, UID, and UID validity values to match the messages.
  • Selected settings are now included in the logs.

v1.3—Initial Release