Forensic Email Collector v3.85 Release Notes

We have released FEC v3.85 with major improvements! Here is what’s new: 🚀

Output into Disk Images

FEC can now pack its MIME or MSG output into VHDX disk images. You can trigger automatic containerization on the Output page as follows:

Alternatively, you can create the containers when needed as a post-acquisition action:

In either case, containerization takes place once the acquisition is complete. Choosing to create the containers automatically as part of the acquisition may have a few benefits:

  1. Helps with automation in large-scale, automated acquisitions
  2. If you are running an unattended acquisition, you could have FEC kick off the containerization automatically without user interaction
  3. If you are using trusted timestamping, the hash of the created containers will be included in the timestamped logs 👍🏻

The naming of the VHDX containers is controlled by the Output Container Base Name template specified in FEC’s preferences. By default, they look as follows:

Yahoo / AOL 100,000 Item Limit Bypass

After the 10k item limit Yahoo implemented a while back, which we worked around by targeting a different set of servers, Yahoo started using a 100k items per subfolder cap. This version of FEC can bypass that limit and acquire subfolders that contain in excess of 100k items from Yahoo and AOL.

FEC v3.81 introduced modern authentication to address Yahoo / AOL authentication issues. This release marks phase 2 of our Yahoo improvements by addressing the 100k cap.

Acquisition Insights

We realize that FEC outputs quite a bit of information in its logs—and, as we introduce new features, key areas of the logs such as the Acquisition Summary section are getting more crowded.

To make sure critical information does not fall through the cracks, we have taken a page out of our FEI playbook and introduced Acquisition Insights 😎 FEC now interprets some of the key elements of the acquisition and brings them to the user’s attention.

For example, here is a Graph API acquisition where FEC is pointing out that it acquired 1 more email than what was on the folder tree view—possibly because a Microsoft email notifying the user of FEC’s being authenticated into the mailbox was received between when the folder listing was acquired, and when the folder snapshots were taken.

Reverse Differential Acquisitions

FEC’s Differential Acquisition capability has been hugely helpful to many of our users performing recurring acquisitions. A request we have received was to make it possible to do the reverse—that is, instead of treating the Differential Acquisition sources as exclusion lists, optionally treat them as inclusion lists.

This makes it possible to start with a known list of items and limit the acquisition to only them. For instance, a list of Item IDs obtained from an outside source such as Microsoft Purview.

In addition to the new features above, this release brings numerous performance and usability improvements. You can refer to FEC’s Changelog below for a more complete list of the changes.

As usual, you can download the new version 🔒 here when ready.
