Forensic Email Collector v3.50 Release Notes

We have just released FEC v3.50. This is a major release with a ton of improvements and significant new functionality—marking the halfway point to v4! Here is what’s new:

Microsoft Graph

Microsoft Graph is a unified platform that allows working with a great number of Microsoft services such as O365, Teams, OneDrive etc. When we launched FEC, Graph API was available but, in my opinion, not quite ready for prime time for forensic work. We’ve kept an eye on it since then, and now that it has come a long way, we’ve added it to FEC as an additional provider type!

How Does This Help You?

Graph API supports both Microsoft’s business accounts (O365) as well as consumer accounts such as Hotmail and Outlook.com. The biggest benefit at the moment is that Graph API support brings modern authentication (including Remote Authenticator) support as well as powerful in-place search capabilities (similar to what you could previously do for Exchange) to Microsoft’s consumer accounts.

Graph API also adds an alternate way to acquire O365 accounts. Previously, you had the option to switch an Exchange Web Services (EWS) acquisition to an IMAP acquisition. Now, you have the option to switch to Graph or IMAP.

Does Graph API Replace Exchange Web Services?

Not quite. At least, not yet. Microsoft put development on EWS on the back burner and has been focusing on Graph API during the last few years. However, most of the Exchange-specific advanced functionality in EWS hasn’t yet made its way to Graph API. Here are some things you can do with EWS that you cannot with Graph:

  • Use delegation and impersonation
  • Connect to on-premises Exchange servers
  • Access the Recoverable Items folder (Update: FEC can now access the Recoverable Items folder over Graph API)
  • Access the Exchange In-place Archive
  • Acquire some non-message Exchange item types

On the other hand, Graph is a much cleaner API and performs better. I expect that Microsoft will eventually add the major Exchange functionality concerning O365 into Graph API and phase EWS out. So, adding Graph API support is also a step towards future-proofing FEC!

Gmail History Records

History records are a data point available in both free Gmail accounts and G Suite and can be used as a supplemental tool to investigate user activity. I think of them as an audit trail of sorts—with some limitations.
FEC can now acquire and export history records from Gmail and G Suite accounts. I touched on this briefly during the Email Forensics Workshop earlier this week. Expect to see a more detailed writeup—perhaps a blog post soon. Update: the blog post can be found below:

Google Calendar Scope is Now Optional

Previously, FEC automatically queried Google Calendar and at least listed the calendars associated with your target mailbox. This required that you have the calendar scope when using domain-wide delegation or when generating tokens via Remote Authenticator.

We’ve now made this optional and you can control whether FEC will access Google Calendar through a checkbox. This also allows you to further customize Remote Authenticator scopes to exclude calendar permissions if needed/desired.

New OAuth Token Architecture

As part of the move towards Graph API, we have also switched to a new architecture that unifies the modern authentication experience across Graph API and EWS. This has also allowed us to utilize existing login sessions on web browsers when generating O365 or Microsoft consumer authentication tokens using Remote Authenticator—yay for LEAs!

One downside is that the new architecture is not compatible with the old EWS tokens. So, you have to use FEC 3.50+ and Remote Authenticator 1.50+ in tandem. We’ve updated the Remote Authenticator download link within FEC to point to the new version.

Progress Indicator During Snapshot Stage

FEC’s folder snapshots are usually pretty snappy, so we hadn’t thought to provide any progress notification at that stage. However, acquiring some huge mail folders showed us that waiting even a minute or two without seeing any update can be a bit nerve-racking. So, we’ve added a small progress indicator that reassures the user that things are moving along nicely.

Metadata-only Acquisitions

FEC has been able to acquire metadata for remaining items for quite some time. We’ve now extended that support to include unstarted projects. That is, you can now create a new project and go straight to the post-acquisition page to kick off metadata acquisition without having to start the project at all.

Throttling Mitigation Improvements

One of FEC’s key features is how it handles throttling, that is, when the service provider slows things down or downright disconnects you. We have given this area some more thought and improved FEC’s handling of server responses—especially when the server offers a suggested wait time.

What does this mean for you? Shorter wait times for errors that are not throttling-related, and more accurate wait time calculation when throttling is in effect.

Please check out the changelog for the full list of improvements. The download links for both FEC and Remote Authenticator have been updated in the Community.

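The throttling behaviour the release notes describe above, as an added illustration that is not FEC’s own code: a retry policy that honours a server’s Retry-After hint (delta-seconds or HTTP-date form) when the response signals throttling, and falls back to a short backoff for other transient errors so they don’t inherit a throttling-sized wait. The Response class, the status sets, the MAX_WAIT cap and the backoff constants are assumptions made for this example.

```python
"""Retry policy that honours a server-suggested wait time (example, not FEC code)."""
import time
from dataclasses import dataclass, field
from datetime import timezone
from email.utils import parsedate_to_datetime

THROTTLE_STATUSES = {429, 503}        # assumed: statuses that signal throttling
TRANSIENT_STATUSES = {500, 502, 504}  # assumed: retry, but not a throttling signal
MAX_WAIT = 300.0                      # assumed cap on any single wait, in seconds


@dataclass
class Response:
    """Minimal stand-in for an HTTP response (constructed for this example)."""
    status: int
    headers: dict = field(default_factory=dict)


def suggested_wait(resp, now=None):
    """Seconds to wait per the Retry-After header, or None if absent/invalid.

    `now` is a POSIX timestamp (defaults to the current time); it is a
    parameter so the HTTP-date form can be evaluated deterministically.
    """
    value = resp.headers.get("Retry-After")
    if value is None:
        return None
    value = value.strip()
    if value.isdigit():                        # delta-seconds form, e.g. "30"
        return min(float(value), MAX_WAIT)
    try:                                       # HTTP-date form per RFC 7231
        when = parsedate_to_datetime(value)
    except (TypeError, ValueError):            # unparsable header: ignore the hint
        return None
    if when.tzinfo is None:                    # treat a naive date as UTC
        when = when.replace(tzinfo=timezone.utc)
    now = time.time() if now is None else now
    return min(max(when.timestamp() - now, 0.0), MAX_WAIT)


def wait_before_retry(resp, attempt, now=None):
    """Seconds to sleep before retry number `attempt` (0-based), or None to stop.

    Throttling: use the server's hint when offered, else back off exponentially.
    Other transient errors: a short bounded backoff, with no throttling-sized wait.
    """
    if resp.status in THROTTLE_STATUSES:
        hint = suggested_wait(resp, now)
        return hint if hint is not None else min(5.0 * 2 ** attempt, MAX_WAIT)
    if resp.status in TRANSIENT_STATUSES:
        return min(2.0 ** attempt, 16.0) if attempt < 5 else None
    return None                                # success or a non-retryable error
```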

We have added/updated the following support articles in connection with this release:

  • Using In-place Search for Graph
  • Acquiring Gmail History Records
  • Using FEC Remote Authenticator
  • Supported Server Types