Forensic Email Intelligence v1.3.8046 Release Notes

We have released a major update to FEI today 🚀 Here are the key highlights:

New Insights

We have expanded FEI’s Insights and scoring with two additional insights:

1. Missing DKIM Signatures
We are now maintaining a database of when certain popular email providers started DKIM signing outbound messages (you can contribute to this database if you have early examples of DKIM signed messages in MIME format). When scanning messages, FEI now compares message headers to this internal DKIM database and offers an insight—and corresponding score points—if the message was expected to have DKIM signatures and doesn’t.

2. Removed Attachments
FEI also checks a number of data points within messages to determine if a message appears consistent with one whose attachments were removed after the fact.
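
The Missing DKIM Signatures check from item 1, as an added sketch that is not FEI's own code: it looks up the sender's domain in a table of signing start dates and flags a message dated after that point that carries no `DKIM-Signature` header. The function name, the `mail.example` domain, its start date and the sample messages are all constructed assumptions, and the `From` and `Date` headers are trusted here only to keep the example short.

```python
from datetime import datetime, timezone
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed placeholder table: provider domain -> date outbound DKIM signing
# is assumed to have started. These are NOT real adoption dates.
DKIM_START = {"mail.example": datetime(2010, 1, 1, tzinfo=timezone.utc)}

def missing_dkim_insight(raw_message, dkim_start=DKIM_START):
    """Return (flag, reason); flag is True when a signature was expected but is absent."""
    msg = message_from_string(raw_message)
    # Simplification: the provider is taken from the From header domain.
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    start = dkim_start.get(domain)
    if start is None:
        return False, "provider not in database"
    try:
        sent = parsedate_to_datetime(msg.get("Date", ""))
    except (TypeError, ValueError):
        return False, "no usable Date header"
    if sent.tzinfo is None:  # "-0000" parses as a naive datetime; treat as UTC
        sent = sent.replace(tzinfo=timezone.utc)
    if sent < start:
        return False, "sent before provider began signing"
    # Presence only: this does not verify the signature cryptographically.
    if msg.get_all("DKIM-Signature"):
        return False, "DKIM-Signature present"
    return True, "expected DKIM-Signature is missing"

def sample(date, signed):
    """Build a constructed test message (not real evidence)."""
    sig = "DKIM-Signature: v=1; a=rsa-sha256; d=mail.example; s=s1; bh=x; b=x\n"
    return (f"From: Alice <alice@mail.example>\nDate: {date}\n"
            f"{sig if signed else ''}Subject: constructed sample\n\nbody\n")

SIGNED_NEW = sample("Tue, 05 Mar 2019 10:00:00 +0000", signed=True)
UNSIGNED_NEW = sample("Tue, 05 Mar 2019 10:00:00 +0000", signed=False)
UNSIGNED_OLD = sample("Mon, 07 Mar 2005 10:00:00 +0000", signed=False)

if __name__ == "__main__":
    for name in ("SIGNED_NEW", "UNSIGNED_NEW", "UNSIGNED_OLD"):
        print(name, missing_dkim_insight(globals()[name]))
```

A red flag from a check like this is a lead rather than a conclusion: mailing lists and forwarding paths can strip or break signatures, so the result should be weighed with the item's other insights.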

Grid Layouts

The Evidence Grid now comes with four built-in layout templates to fit different scenarios. You can switch between the templates using the right-click context menu.

Additionally, it is now possible to export / import your own custom Evidence Grid layout templates. If you like to organize your columns a certain way, you can easily load your custom template at the start of your investigation.

Finally, FEI now remembers your last Evidence Grid layout—including column positions and filters—between sessions. So, the columns will stay put once you configure them to your liking. 😁

Red Flags

FEI already brought potentially problematic items to your attention based on their heightened Insight Scores. It now takes this a step further and allows you to home in on such items based on the specific red flags that they have. For instance, you can filter the Evidence Grid for items missing DKIM signatures, or items whose attachments might have been removed.

Red flags (i.e., negative insights) are now listed in a new grid column named Red Flags. You can filter this column using the built-in grid filters, or using a list that is displayed when you click on the funnel icon next to the Red Flags column header.

Folder Tree

We have made some performance improvements to how the folder tree is populated. While we were at it, we also included item counts next to each subnode. You can now quickly see where your data is by looking at the tree nodes.

MAPI Header Improvements

We have improved transport header parsing for MAPI items as well as the insights we derive from them. You will now see additional timestamps, entities, and insights for MAPI items based on what we extract from their transport headers. If a MAPI item is missing headers, FEI Viewer now offers a clearer message to indicate that absence.

Other Evidence Grid Improvements

Previously, there were two mechanisms to export data from the Evidence Grid. The Export List option in the right-click context menu allowed you to export the entire grid in Excel, CSV, and text formats. Selecting a range of cells and copying them to the clipboard (CTRL+C) copied them in tabular form along with their corresponding header, ready to be pasted into a spreadsheet such as Excel.

We have now added a third mechanism to copy only the value of a single cell to the clipboard. This is activated with the CTRL+SHIFT+C shortcut and copies only the cell’s value, not its corresponding header. Having the cell value in your clipboard makes it easier to pivot on that value. For instance, you can copy a Gmail Thread-ID into the clipboard and paste it as a grid filter to see messages within that email thread.

In addition to these highlights, this new release brings a ton of performance, stability, and GUI improvements. You can find the full changelog here: