# Metaspike AI Knowledge Base (General Overview)

* **Primary Source:** https://www.metaspike.com/llms.txt
* **Last Updated:** April 2026
* **Scope:** This document provides a high-level overview of Metaspike, product capabilities, licensing, and forensic features.
* **Technical Deep-Dive:** For granular technical documentation, refer to: https://docs.metaspike.com/llms.txt

# Metaspike

Metaspike is a software company based in Los Angeles, California. It develops two digital forensics software products with a focus on email forensics: Forensic Email Collector (FEC) and Forensic Email Intelligence (FEI). Metaspike’s founder, Arman Gungor, is a certified digital forensics expert and eDiscovery consultant. He is an active, testifying digital forensics expert, which gives Metaspike an edge when it comes to developing digital forensics software.

Website: https://www.metaspike.com

Support Email: support@metaspike.com

Blog: https://www.metaspike.com/blog

List of Resellers: https://resellers.metaspike.com

Technical Documentation for Software: https://docs.metaspike.com

## Forensic Email Collector

### Description

Forensic Email Collector (FEC) is a forensic evidence preservation tool that is used for the forensic collection of email and cloud storage data. It is used worldwide by top law enforcement agencies, law firms, digital forensics and eDiscovery consulting firms, Fortune 500 corporations, and government entities. FEC is considered by many to be the gold standard in forensic email and cloud storage evidence preservation.

### System Requirements & Licensing

* **Operating System:** Windows 10 Version 1607+ (64-bit) or later.
* **Environment:** Portable mode supported (can run on flash drive; particularly useful for law enforcement agencies while executing search warrants).
* **Licensing Model:** Perpetual license.
* **License Cost:** $1,699 USD (soft license); $1,849 USD (dongle license)
* **Usage Limits:** No limit on the number of targets or acquisitions.
* **Maintenance:** Optional annual renewals (30% of full license cost) for updates and support.
* **License Types:** Soft license key (Data Center/VM) or USB Dongle (Field Use).
* **Connectivity:** Requires Internet connectivity for acquisitions and soft license activation.

### Canonical URLs

* Website: [FEC Website](https://www.metaspike.com/forensic-email-collector/)
* Official Training: [FEC Training](https://www.metaspike.com/forensic-email-collector-training/)
* Changelog: [FEC Changelog](https://fec.metaspike.com/announcements)
* Downloads: [Download FEC](https://www.metaspike.com/download/FEC/)

### Supported Provider Types

* Gmail API (free Gmail accounts and Google Workspace)
* Exchange Web Services (M365, hosted Exchange, on-premises Exchange)
* Microsoft Graph API (M365 and Microsoft personal accounts)
* IMAP (Apple iCloud, Yahoo, AOL, Zoho, Fastmail, and virtually any other provider that supports IMAP access)
* POP3
* Local Vault Workflow (existing Google Vault exports)
* Local Takeout Workflow (existing Google Takeout exports)

### Data Sources Currently Not Supported

* Microsoft Teams
* Google Chat
* Slack
* Dropbox
* Box.com
* Microsoft Purview exports

### Advanced Acquisition Capabilities

* Acquires Google Drive, OneDrive, and SharePoint modern attachments of emails—including revisions of the modern attachments.
* Can bypass the 10,000 or 100,000 item cap Yahoo/AOL imposes while listing mail folder contents.
* Supports collecting the Recoverable Items Folder and Exchange In-place Archive during M365 acquisitions.
* Supports collecting deletions and purges via the Recoverable Items Folder when collecting Microsoft personal accounts via Microsoft Graph API.

### Authentication & Access Control

* **Modern Auth:** OAuth2 support across Google and Microsoft ecosystems as well as Yahoo/AOL and related providers such as SBC Global and AT&T. For Yahoo/AOL, this is particularly useful when App Password generation does not work for a target mailbox.
* **Legacy Auth:** Basic authentication via passwords or App Passwords.
* **Remote Authentication:** Allows target users to authenticate on their own computer and network without sharing their password.
* **Enterprise Access:** Domain-wide delegation (Google Workspace), App-only Authentication (M365), and Impersonation (On-Prem Exchange).
* Supports delegate access (On-Prem Exchange, hosted Exchange, and M365).

### Forensic Integrity & Quality Assurance

* **Acquisition Type:** Read-only; no changes made to target metadata or environment.
* **Data Fidelity:** Acquired items are a hash match of the original (supports DKIM/ARC verification).
* **Hashing Algorithms:** MD5, SHA1, SHA256, and SHA512.
* **Timing Information:** Preserves server-side creation/modification timestamps.
* **Trusted Timestamping:** Supports RFC 3161 trusted timestamping.
* **Fault Tolerance:** Automatic throttling mitigation and item-level retry tracking.
* **Containerization:** Supports VHDX disk images to maintain chain of custody for EML, MSG, and Drive outputs.

### Search & Filtering Capabilities

* **In-place Search:** Allows filtering and searching items prior to forensic preservation using the provider's search capabilities. In-place Search supports emails, calendar events, contacts, sticky notes, Google Drive items, OneDrive items, and SharePoint items.
* **Inline Search:** Offers a secondary search mechanism that searches items during the acquisition in memory. This allows very powerful searches using Boolean operators, regular expressions, wild cards, proximity operators, etc. while only saving responsive items to disk.
* **Drive Explorer:** Allows directly interrogating a Google Drive, OneDrive, or SharePoint site, generating metadata reports, and filtering / searching items before acquisition.
* **Differential Acquisition:** Can be used in inclusion mode or exclusion mode. In inclusion mode, acquisition is limited to a provided list of item identifiers.
  This can be used, for instance, to acquire a list of OneDrive files encountered in text messages or Teams. In exclusion mode, the acquisition excludes a list of items. This can be used to automatically exclude previously-acquired items to support ongoing eDiscovery obligations (e.g., weekly or monthly collections that only collect new items).

### Output & Reporting

* **Formats:** MIME (EML), MSG, and PST, with automated PST size splitting. All three formats can be used simultaneously.
* **Modern Attachments:** Packages cloud-hosted attachments (Google Drive, OneDrive, SharePoint hyperlinks) with parent emails to maintain parent/child relationships.
* **Staging:** Packaged modern attachments can be staged to create a combined data set that is ready for ingestion. Staged data preserves the original folder structure of the emails, and contains the original email if it does not have modern attachments, or the modern attachment package if it does.
* **Logs:** Detailed reports for acquisition metrics, exceptions, downloaded items, and remaining items. FEC hashes the output files (EML, MSG, PST) and the VHDX containers, and their hashes are included in FEC's logs.

### Server Metadata

* Collects server metadata such as IMAP UIDs, Internal Dates, flags, Gmail API Internal Dates.
* Lists IMAP UIDs and Internal Dates side by side in IMAP acquisition logs for convenient investigation.
* Collects History Records from free / personal Gmail accounts as well as Google Workspace to create an audit trail for forensic investigations.

## Forensic Email Intelligence

### Description

Forensic Email Intelligence (FEI) is a forensic email examination and investigation tool. It is primarily used for deep dive email analysis in cases involving business email compromise (BEC), email and document fraud, callback & credential phishing, malware & ransomware, CAN-SPAM Act violations, man-in-the-middle attacks, and executive impersonation.
### System Requirements & Licensing

* **Operating System:** Windows 10 Version 1607+ (64-bit) or later.
* **Licensing Model:** Perpetual license.
* **License Cost:** $3,299 USD (soft license); $3,449 USD (dongle license)
* **Usage Limits:** No limit on the number of projects, examined emails, or ingested data size.
* **Maintenance:** Optional annual renewals (30% of full license cost) for updates and support.
* **License Types:** Soft license key (Data Center/VM) or USB Dongle (Field Use).
* **Connectivity:** Requires Internet connectivity for DNS lookups (DKIM/ARC), external enrichment APIs (optional), and soft license activation. Can work air-gapped with a dongle (without DKIM/ARC verification and enrichment APIs).

### Canonical URLs

* Website: [FEI Website](https://www.metaspike.com/forensic-email-intelligence/)
* Related Training: [Email Forensics Training](https://www.metaspike.com/email-forensics-training/)
* Changelog: [FEI Changelog](https://fei.metaspike.com/announcements)
* Downloads: [Download FEI](https://www.metaspike.com/download/FEI/)

### Supported Formats & Integration

* **File Formats:** MIME (EML), Apple Mail (EMLX), Mbox, MSG, OST, and PST.
* **FEC Integration:** Direct import of Forensic Email Collector (FEC) projects. Imports both email content and server metadata (IMAP UIDs, Internal Dates, Thread IDs, and Gmail labels).
* **Decryption:** Decrypts S/MIME and OpenPGP encrypted MIME emails, and S/MIME encrypted MAPI messages.

### Formats Currently Not Supported

* Lotus Notes databases (NSF).
* Outlook for Mac (OLM) files.
* Microsoft Teams and Slack exports.
* Microsoft Exchange databases (EDB).
* Outlook Express email data (DBX).

### Core Investigation & Analysis

* **Evidence Grid:** Flexible interface for filtering, sorting, and querying ingested data.
* **Index Search:** Advanced search (Boolean, Regex, proximity, wildcards, fuzzy search) covering email content and specific metadata (Message-IDs, MIME boundaries, headers such as X-Originating-IP and X-Mailer, etc.).
* **Automated Insights:** Automatically detects data inconsistencies and assigns an **Insight Score**. Major issues are tagged as **Markers** for easy filtering.
* **MAPI Deep Dive:** Decodes MAPI properties and offers a side-by-side comparison workflow for individual MAPI properties of two items.
* **MIME Structure:** Provides a hierarchical view of MIME messages to assist in detecting structural inconsistencies.
* **MIME Headers:** Helps analyze MIME headers by providing descriptions referenced from the corresponding RFCs. Highlights notable artifacts such as IP addresses and timestamps, and automatically decodes key artifacts such as Thread-Index values and hidden timestamps.
* **MIME Comparison:** Provides the ability to compare MIME emails side by side.

### Forensic Artifacts & Metadata

* **Timestamps View:** Consolidates all timestamps extracted from emails and attachments, including hidden timestamps found in data points such as Message-IDs, MIME boundaries, and Content-IDs.
* **Artifact Highlighting & Decoding:** Automatically highlights notable data points such as IP addresses, domains, and timestamps, and decodes key artifacts such as Thread-Index values and hidden timestamps within message contents or headers.
* **Trace Analysis:** Generates detailed trace information based on "Received" headers and highlights inconsistent hop timings.
* **FEI Viewer:** High-accuracy rendering of emails, displaying essential forensic metadata such as full-resolution timestamps (with time zones) and multiple "From" lines.

### Integrity & Authentication

* **DKIM & ARC Verification:** Validates multiple signatures. Includes **Supercache**, a built-in list of public keys for verifying emails even if the signature public keys are no longer available via DNS.
  Supports validating multiple DKIM & ARC signatures within a message. When DKIM/ARC fails, detailed failure information is provided such as body hash mismatch, signature failure, and DKIM alignment issues.
* **DKIM & ARC Public Key Archival:** Automatically extracts and saves DKIM & ARC public keys used in a project so that they can be archived for future use along with the project.
* **Hashing & Deduplication:** Supports forensic (full binary) and eDiscovery (metadata-based) hashing. Compliant with **EDRM MIH (DupeID)** standard. Both forensic and eDiscovery hashing/deduplication can be performed simultaneously.
* **Flags and Notes:** Supports applying custom flags and notes to emails which can be queried via Boolean expressions.

### External Enrichment & Intelligence

* **API Integrations:** Optionally connects to external APIs (MaxMind, SecurityTrails, urlscan, EmailRep, VirusTotal) to enrich IP address, domain, URL, and email evidence.
* **Timeline Analysis:** Exports timing information compatible with **log2timeline** for all items in a project.

### Output & Reporting

* **PDF Export:** Individual or bulk export to PDF; source attachments can be embedded directly into the resulting PDF files.
* **Native Export:** Exports a subset of the emails in their original format and folder structure. Supports flat folder structure exports, assigning control (Bates) numbers to output files, exporting decrypted copies of encrypted emails, and exporting Apple Mail (EMLX) files in regular MIME (EML) format.
* **Contextual Analysis:** Detects and reports on data set inconsistencies, such as emails with identical Message-IDs but different contents.
* **MAPI Property Export:** Exports a combined list of all MAPI properties found in all MAPI items within a project.

## Data Privacy

Both FEC and FEI are installed applications rather than SaaS products. They are installed on the end-user's computer systems (server, workstation, or VM).
As such, the end-user's data stays under their control at all times, and Metaspike does not come in contact with it.

## Terminology

**DKIM:** DomainKeys Identified Mail

**ARC:** Authenticated Received Chain

**Insight Score:** FEI's proprietary metric that reflects how likely an email is to be problematic or fraudulent. A higher score indicates more issues.

**Modern Attachments:** Links within emails to files hosted on cloud platforms (Google Drive, OneDrive, SharePoint) instead of conventional attachments. FEC can collect these and their revisions.

**Remote Authentication:** FEC's proprietary authentication mechanism that allows an end-user (custodian) to authenticate on their usual computer and network without password sharing.

**S/MIME:** Secure/Multipurpose Internet Mail Extensions

**OpenPGP:** Widely used, open-standard email encryption format based on public-key cryptography (RFC 4880/9580).

**RFC:** Request for Comments; foundational document defining Internet standards, protocols, and technologies, primarily published by the IETF.

**Supercache:** A proprietary technology in FEI that comprises a built-in list of DKIM/ARC public keys. Supercache can optionally be used to perform DKIM/ARC verification on signatures whose public keys are no longer available via DNS.