Forensic Email Intelligence 2.1.7 Release Notes

I am happy to announce that we have published FEI 2.1.7 today :sunglasses: This is an interesting release with a slightly groundbreaking feature. So, buckle up :rocket:

DKIM Supercache

Verifying DKIM and ARC signatures is extremely useful in email forensics. But the ability to do so depends on the availability of the DKIM public keys: the signature header names a signing domain (d=) and a selector (s=), and the verifier has to fetch the matching public key from DNS.

Unfortunately, many providers have started to retire their older DKIM public keys. For instance, if you examine emails that were signed by Google (Gmail and Google Workspace) just a couple of years ago, you will find that those public keys are no longer published in DNS, so the signatures can no longer be verified. When we consider the numerous signing domains and selectors for all the organizations on Google Workspace, this becomes a bit of a nightmare :scream:

Now, on to the good news :smiley: We have finally managed to piece together the information needed to verify all Gmail and Google Workspace DKIM signatures (based on our testing so far) going back to the early days of Gmail (circa 2004)*. And, more importantly, we have bundled this information into FEI as part of a new feature called DKIM Supercache.

*Note: We plan to further discuss what this means and how we pulled this off in our upcoming Email Forensics Training.

You can activate DKIM Supercache as follows:

In summary, DKIM Supercache makes it possible to verify some historical DKIM signatures whose public keys are no longer available, and improves the lookup performance of DKIM public keys in general.
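To make the lookup strategy concrete, here is an added example (not FEI's code; the actual Supercache format and lookup logic are not published in these notes) of cache-first DKIM public-key resolution: parse the DKIM-Signature tag list, build the `<selector>._domainkey.<domain>` name, consult a bundled key table before live DNS, and distinguish "key revoked" from "key no longer published". All selectors, records and key bytes below are constructed placeholders, not Google's real records; the `dns_lookup_today` function is an offline stand-in for a DNS TXT query.

```python
"""Cache-first DKIM public-key resolution (added example; not FEI's code)."""
import base64
import re
from enum import Enum
from typing import Callable, Dict, Optional, Tuple

DnsTxtLookup = Callable[[str], Optional[str]]  # returns the TXT record, or None if absent


class KeyStatus(Enum):
    FOUND = "found"              # usable key material, go on to check the signature
    REVOKED = "revoked"          # record exists but p= is empty (RFC 6376 section 3.6.1)
    UNAVAILABLE = "unavailable"  # no record in cache or DNS: the signature cannot be verified


def parse_tag_list(value: str) -> Dict[str, str]:
    """Parse a DKIM tag=value list (RFC 6376 section 3.2); folding whitespace is dropped."""
    tags: Dict[str, str] = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def key_record_name(signature_tags: Dict[str, str]) -> str:
    """DNS name that holds the signing key: <selector>._domainkey.<signing domain>."""
    return f"{signature_tags['s']}._domainkey.{signature_tags['d']}"


def resolve_public_key(signature_header: str, cache: Dict[str, str],
                       dns_lookup: DnsTxtLookup) -> Tuple[KeyStatus, Optional[bytes], str]:
    """Return (status, DER public key or None, where the record came from).

    The bundled cache is consulted first, so retired selectors still resolve;
    live DNS is only queried when the cache has no entry for the name.
    """
    sig = parse_tag_list(signature_header)
    name = key_record_name(sig)
    record, source = cache.get(name), "cache"
    if record is None:
        record, source = dns_lookup(name), "dns"
    if record is None:
        return KeyStatus.UNAVAILABLE, None, source
    key = parse_tag_list(record)
    if key.get("v", "DKIM1") != "DKIM1" or key.get("k", "rsa") != "rsa":
        return KeyStatus.UNAVAILABLE, None, source  # unknown record version or key type
    if key.get("p", "") == "":
        return KeyStatus.REVOKED, None, source
    return KeyStatus.FOUND, base64.b64decode(key["p"]), source


def verdict(status: KeyStatus) -> str:
    """Map key availability to the wording a forensic report should carry.

    A missing key means 'unverifiable', never 'failed': absence of the DNS record
    says nothing about whether the message was altered.
    """
    return {KeyStatus.FOUND: "key found: proceed to bh=/b= verification",
            KeyStatus.REVOKED: "fail: signing key revoked by the domain",
            KeyStatus.UNAVAILABLE: "unverifiable: public key no longer published"}[status]


# --- Constructed sample data (placeholders, not real keys or Google's actual records) ---
# A header shaped like Gmail's DKIM-Signature; bh=/b= are placeholder base64 values and
# the selector values are illustrative only.
OLD_GMAIL_SIGNATURE = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; "
                       "h=mime-version:from:date:message-id:subject:to; "
                       "bh=cGxhY2Vob2xkZXI=; b=cGxhY2Vob2xkZXI=")
CURRENT_GMAIL_SIGNATURE = OLD_GMAIL_SIGNATURE.replace("s=20120113", "s=20230601")

# Stand-in for the bundled Supercache: holds the record for the retired selector.
SUPERCACHE: Dict[str, str] = {
    "20120113._domainkey.gmail.com": "v=DKIM1; k=rsa; p=cGxhY2Vob2xkZXItb2xkLWtleQ==",
}

# Stand-in for today's DNS: only the current selector is still published, and one
# example.com selector has been explicitly revoked (empty p=).
DNS_TODAY: Dict[str, str] = {
    "20230601._domainkey.gmail.com": "v=DKIM1; k=rsa; p=cGxhY2Vob2xkZXItbmV3LWtleQ==",
    "retired._domainkey.example.com": "v=DKIM1; k=rsa; p=",
}


def dns_lookup_today(name: str) -> Optional[str]:
    """Offline replacement for a DNS TXT query, backed by the constructed DNS_TODAY table."""
    return DNS_TODAY.get(name)


if __name__ == "__main__":
    for label, header in (("old", OLD_GMAIL_SIGNATURE), ("current", CURRENT_GMAIL_SIGNATURE)):
        status, _, source = resolve_public_key(header, SUPERCACHE, dns_lookup_today)
        print(f"{label:8} {source:5} {verdict(status)}")
```

Two points worth keeping in mind when relying on a cached key: the three outcomes are not interchangeable (a retired key makes a signature unverifiable, a revoked key makes it fail, and only a found key lets you reach the hash check), and once the key comes from a bundled table rather than the domain's DNS, the evidentiary weight of a verified signature rests on the provenance of that table, which is why how the keys were collected matters.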

Now, if I were you, I would go find some old Gmail / Google Workspace messages that previously could not be DKIM verified and play with them using the new version of FEI :grin:

New Flag Experience

We have completely overhauled FEI’s flag system. You can now create custom flags with your label and color of choice as follows:

It is possible to edit the flag labels and colors after the fact, and import/export your flag list. This comes in handy when you have a set of predefined flags you would like to reuse across projects.

Advanced Flag Query

The numbers next to the flags serve two purposes: i) You can use them to refer to flags in an advanced query (e.g., (5 or 7) not 9); ii) They are a keyboard shortcut that can be used to quickly flag documents in FEI’s bulk flag/unflag interface (see below).

The Advanced Flag Query interface allows you to quickly combine flags using Boolean expressions and parentheses. This makes it a breeze to narrow the data down by the intersection of flags, union of flags, etc.
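The query syntax is small enough to implement in full. The following is an added example (not FEI's own implementation) of a recursive-descent parser and evaluator for flag queries of the shape shown above, run over a constructed set of documents. The grammar is an assumption: numbers are flag identifiers, `and` and `or` combine them, `not` works both as a prefix (`not 9`) and as a binary set difference (`7 not 9`, read as `7 and not 9`), `and`/`not` bind tighter than `or`, and parentheses override precedence.

```python
"""Boolean flag-query evaluator (added example; not FEI's own implementation)."""
import re
from typing import Dict, List, Set, Tuple

# Assumed grammar: NUMBER | '(' expr ')' | 'not' factor; 'and'/'not' bind tighter than 'or'.
TOKEN_RE = re.compile(r"\s*(\d+|\(|\)|and|or|not)", re.IGNORECASE)
Node = Tuple  # ("flag", id) | ("not", node) | ("and", a, b) | ("or", a, b)


def tokenize(query: str) -> List[str]:
    """Split a query into lower-cased tokens; anything unrecognised is an error."""
    tokens, pos, query = [], 0, query.rstrip()
    while pos < len(query):
        m = TOKEN_RE.match(query, pos)
        if m is None:
            raise ValueError(f"unexpected text at offset {pos}: {query[pos:]!r}")
        tokens.append(m.group(1).lower())
        pos = m.end()
    return tokens


class FlagQuery:
    """Parses a flag query once and evaluates it against any document's flag set."""

    def __init__(self, query: str) -> None:
        self.tokens, self.pos = tokenize(query), 0
        self.ast = self._expr()
        if self.pos != len(self.tokens):
            raise ValueError(f"unexpected token {self.tokens[self.pos]!r}")

    def _peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def _take(self) -> str:
        if self.pos >= len(self.tokens):
            raise ValueError("unexpected end of query")
        self.pos += 1
        return self.tokens[self.pos - 1]

    def _expr(self) -> Node:            # expr := term ('or' term)*
        node = self._term()
        while self._peek() == "or":
            self._take()
            node = ("or", node, self._term())
        return node

    def _term(self) -> Node:            # term := factor (('and' | 'not') factor)*
        node = self._factor()
        while self._peek() in ("and", "not"):
            op, rhs = self._take(), self._factor()
            node = ("and", node, ("not", rhs) if op == "not" else rhs)
        return node

    def _factor(self) -> Node:          # factor := NUMBER | '(' expr ')' | 'not' factor
        tok = self._take()
        if tok == "not":
            return ("not", self._factor())
        if tok == "(":
            node = self._expr()
            if self._take() != ")":
                raise ValueError("missing ')'")
            return node
        if tok.isdigit():
            return ("flag", int(tok))
        raise ValueError(f"unexpected token {tok!r}")

    def matches(self, flags: Set[int]) -> bool:
        return _eval(self.ast, flags)


def _eval(node: Node, flags: Set[int]) -> bool:
    kind = node[0]
    if kind == "flag":
        return node[1] in flags
    if kind == "not":
        return not _eval(node[1], flags)
    left, right = _eval(node[1], flags), _eval(node[2], flags)
    return (left or right) if kind == "or" else (left and right)


def is_valid_query(query: str) -> bool:
    """True if the query parses under the assumed grammar."""
    try:
        FlagQuery(query)
        return True
    except ValueError:
        return False


def filter_documents(query: str, documents: Dict[str, Set[int]]) -> List[str]:
    """Return the ids of documents whose flag set satisfies the query (input order kept)."""
    q = FlagQuery(query)
    return [doc_id for doc_id, flags in documents.items() if q.matches(flags)]


# Constructed evidence set: document id -> identifiers of the flags assigned to it
DOCUMENTS: Dict[str, Set[int]] = {
    "doc-001": {5}, "doc-002": {7, 9}, "doc-003": {5, 9}, "doc-004": {7}, "doc-005": set(),
}

if __name__ == "__main__":
    print(filter_documents("(5 or 7) not 9", DOCUMENTS))
```

Because parsing happens once per query and evaluation is a walk over a small tree, the same parsed query can be applied to every row of the grid cheaply; the parser also rejects malformed input (an unbalanced parenthesis, a dangling operator) instead of silently matching nothing.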

Bulk Flag Documents

The Flag Selected entry in the Evidence Grid's right-click context menu (or CTRL+T) now brings up a flag selection window. As I mentioned previously, you can use the flag identifier as a keyboard shortcut here. For instance, pressing 5 flags the selected documents with Flag #5 (i.e., Foreign Language).

Individual Document Flags and Notes

FEI Viewer also has a new side panel where you can set document flags and enter notes for each document.

The notes entered for each document are immediately reflected on the Evidence Grid and can be used for filtering :+1:t2:

Support for Gmail Style Content-ID Evidence

We have extended FEI’s Content-ID detection to cover Gmail. Decoded Content-ID timestamps are reflected in the Timestamps View…

…and as part of the MIME Structure:

I hope that you find these improvements helpful. I, for one, am extremely excited about the possibilities DKIM Supercache brings :muscle:t2:

You can find the changelog below. The new version is available for download :lock: here when you are ready.
