Another major update to FEI is now out. Here is a quick walkthrough of the new functionality
FEI now connects to urlscan API for URL intelligence. Here are a couple of screenshots of what this currently looks like:
urlscan supports header, meta, and HTTP redirects, returns a comprehensive list of HTTP transactions, takes a screenshot of the URL (which you can save through FEI), compiles a list of entities such as IP addresses, URLs, domains, that are encountered while accessing the URL, etc.
Another significant benefit of using urlscan is that the scanning process is run in the cloud in a sandbox, not by interacting with the URL on your analysis workstation—especially important when investigating malware.
Finally, urlscan returns a classification for the URL (i.e., safe, malicious, etc.) based on several factors.
We have included buttons next to the identified URLs, IP addresses, domains, etc., so that you can quickly pivot on them within FEI. For instance, click on an IP address to invoke IP intel.
P.S. As you will see in the screenshots, we are keeping the Unfurl integration. You can continue to send URLs there to take advantage of the wonderful analysis Unfurl does.
FEI’s MAPI section now includes two additional tabs—Recipients and Attachments. These will gather information from those interfaces and present it in a flattened view so that you can run quick searches on them just as you do with other MAPI properties.
We have also expanded FEI’s support for enum type MAPI properties so that you get helpful descriptions of them next to the raw value (e.g., the PR_ACCESS_LEVEL, PR_OBJECT_TYPE, etc. values above).
You can now specify the path to a diff tool (e.g., Beyond Compare) that takes two command-line arguments for text and binary comparisons. You can invoke the comparison via the right-click context menu after selecting two items from the Evidence Grid, as in the screenshot below:
The attachments view now has a Save All… option that allows exporting all attachments to the file system. This preserves any file system timestamps, if present, and automatically names the exported files to avoid file name collisions.
Evidence Grid now parses lists of Gmail labels. This makes it possible to quickly see a tally of all labels present in a population and filter messages by specific labels easily, as in the screenshot below. Applies to both Takeout and FEC Project imports. Invoked using the funnel icon next to the Gmail Labels header in the Evidence Grid.
This release contains numerous minor performance and GUI improvements in addition to what I have mentioned above. You can find a comprehensive list here: