Forensic Email Collector v3.75 Release Notes

This is a significant update to FEC. Here is a list of what’s new.

Post-Acquisition Actions

FEC now has a Post-Acquisition Actions menu that appears at the conclusion of an acquisition.

This opens the Post-Acquisition Actions page, which offers certain operations based on the specifics of your acquisition.

Credential Manager

FEC now has a dedicated UI for managing project credentials post-acquisition. There is also a new setting on FEC’s Preferences Page that controls whether FEC automatically closes acquisition projects.

Automatically Close Acquisition Projects

The Automatically close projects option is selected by default and controls whether FEC automatically clears credentials in successfully completed acquisition projects.

If you choose to turn this feature off, you can manually clear project credentials using the Credential Manager.

Replacing Project Credentials

In addition to clearing credentials in an acquisition project, Credential Manager also allows you to replace the credentials. For instance, if the Remote Authenticator token you used to configure the acquisition was inadvertently invalidated by the end-user, you can clear that token and import a new one to keep going. Similarly, if the app password you used during an IMAP acquisition has changed, you can update it mid-acquisition with Credential Manager.

Drive Improvements

Support for Resource Key Locked Drive Attachments

With resource key support, you can now acquire files that were affected by Google’s link-sharing security update to Drive without having to disable the security update.

Enhanced Logging

We have also improved FEC’s logging during Drive acquisitions to reflect the raw responses from the Drive API more clearly.

Low Disk Space Detection

You can now configure an optional low disk space threshold in FEC’s Preferences Page.

When a low disk space threshold is configured, FEC will monitor the available disk space in your output medium and automatically stop the acquisition once the low disk space threshold value is reached. If you have notification emails configured, you will also receive a notification email about the low disk space issue.

This helps prevent running out of disk space completely, which could leave your acquisition project database and output PSTs in an inconsistent state.

Output PST EntryID Capture

FEC now creates a reference between its Downloaded Items Log and the items in its output PSTs by reflecting the EntryID of each item written to the output PSTs in the Downloaded Items Log.

This is helpful in scenarios where you need to match the items in the Downloaded Items Log to the items ingested from FEC’s output PSTs, for instance, when using PST output* and overlaying server metadata from FEC’s output to your forensic/eDiscovery tools.

* Note: We typically recommend item-level output (EML/MSG) for such tasks.

Clear Permanent Error Flags

An additional Post-Acquisition Action to clear permanent error flags is now available. Permanent error flags are markers FEC uses to identify items that will not be retried due to the nature of their errors—such as 404 (not found) and 403 (forbidden) errors.

In some rare cases, it may be possible to remedy these errors during or after the acquisition. For instance, it may be possible for the end-user to fix a permission issue that prevented a Drive item from being acquired. In such cases, you can clear the permanent error flags so that FEC retries items with permanent errors the next time you resume the acquisition.

Please refer to FEC’s Changelog below for a list of the remaining minor improvements. You can download the installer here.
