Forensic Email Intelligence 2.1.8 Release Notes

Metaspike Software Releases
1

FEI 2.1.8 is out with a new integration, support for additional email formats, and major new features. :grin: Here is what’s new:

VirusTotal Integration

We have added VirusTotal to FEI’s API integrations for intelligence. When examining emails, you can click a button to trigger a VirusTotal scan of the email’s attachments—individually, or in bulk.

This brings back a list of data points including threat intel, known names in the wild, timestamps, etc. FEI displays this information as part of its Attachments View, and also uses it in Insights, scoring, and timelining.

vt-attachment
vt-attachment1920×1902 211 KB

Here is how the Timestamps View looks after the VirusTotal enrichment:

vt-timestamps
vt-timestamps1594×1171 151 KB

Note: There is something else wrong with this email other than its malicious payload. Do you see it? :wink:

You will notice that as part of the VirusTotal integration, we have also added capabilities to hash an email attachment, or hash all attachments of an email. This is so that FEI can perform the VirusTotal scan using the hash of the attachment rather than its contents.

If VirusTotal does not have a record of the attachment hash (i.e., the file was not previously submitted to VirusTotal), it is possible to have FEI upload the file’s contents to VirusTotal for analysis. Here is how that looks:

upload-to-vt
upload-to-vt789×113 6.2 KB

For safety, we put the upload functionality behind an integration option. If you turn off the VirusTotal upload functionality, the user interface to upload an attachment to VirusTotal will not be shown.

allow-vt-uploads

Apple Mail Support

FEI now supports ingesting and examining Apple Mail messages in EMLX and Partial EMLX formats. You can ingest such messages as part of an FEI project, or open them individually by dragging and dropping an EMLX message into FEI Viewer.

On the export side, there is now a new option called Export EMLX Files as EMLs, which controls whether EMLX files should be exported as is, or in MIME format. This is especially important for Partial EMLX files—utilizing such files in other tools may not be possible unless they are reconstituted into a complete MIME message from their parts.

emlx-export
emlx-export1974×987 38.4 KB

FEI Decoder Improvements

FEI Decoder makes it a breeze to convert virtually any timestamp into human-readable form. In addition to FEI’s MIME View, you can now trigger FEI Decoder from the text and html bodies of messages. Same functionality applies to decoding Base64-encoded text.

decoder
decoder1920×1902 235 KB

DMARC Records

We have extended FEI’s domain intelligence to include DMARC records. The DMARC records are parsed and shown in a human-readable manner.

dmarc
dmarc2474×1987 388 KB

I am particularly excited about the new VirusTotal integration as well as EMLX support. :rocket:

You can find the changelog below. The new version is available for download :lock: here when you are ready.

Recent Announcements from Forensic Email Intelligence

1 Like
2

We have started including a Project Compatibility Level field in FEI’s changelog. This indicates how far back that version of FEI is compatible.

For instance, 2.1.8.4 has a Project Compatibility Level of 2.1.7.0. So, it can open FEI projects that were created with FEI v2.1.7.0 or later.

This should make it easier to identify if you can safely upgrade FEI without having to create a new FEI project.

1 Like