New updates and improvements to Forensic Email Intelligence
🔥Added aggregate data panels to display and query domains and IP addresses at the project level.
✔️Added two new index fields to enable searching of the X-Originating-IP and X-Mailer headers directly.
✔️Improved support for ingesting PST/OST files with the read-only file system attribute set.
✔️Numerous other performance and user experience enhancements.
🌐Project Compatibility Level: 2.1.14.6
🔥Added support for S/MIME and OpenPGP decryption and signature verification.
✔️Extended export options to include exporting decrypted versions of emails where applicable.
✔️Timestamps View has been extended to include timestamps from digital signature certificates.
✔️Insights have been extended to cover decryption and digital signature verification.
✔️Renamed the "Red Flags" column to "Markers" and added markers to include the signature and encryption status of emails.
✔️Improvements to the display of extended participant information.
✔️Numerous other performance and user experience enhancements.
🌐Project Compatibility Level: 2.1.7.0
✔️Added option to normalize accented characters during indexing.
✔️Added Expand All and Collapse All options to the folder tree.
✔️Other minor improvements.
🌐Project Compatibility Level: 2.1.7.0
🔥Added a new option to display extended participant information on rendered emails and printouts for "sent on behalf of" and "received representing" scenarios.
🔥Item flags are now displayed on the Evidence Grid and can be queried from there directly.
✔️Extended SuperCache definitions with new DKIM & ARC public keys.
✔️Added custom JumpLists to FEI taskbar icon.
✔️Improved resilience of the Render View when the active item is changed rapidly.
✔️Added Insights for read and delivery receipts.
✔️Added Insights for MAPI retention date and period.
✔️Improvements to displaying SMTP addresses of MAPI recipients when available.
✔️Improved detection of OST mail stores.
✔️Added /NewProject, /OpenProject, and /Viewer command line arguments.
✔️Numerous other user interface and performance improvements.
🌐Project Compatibility Level: 2.1.7.0
🔥Internal Attachment Metadata — FEI's Attachments View now contains a menu item that displays the internal metadata of attachments. Internal attachment metadata is also factored into timelining, Insights, and scoring.
🔥PDF Deep Scan — FEI now supports extracting multiple XMP metadata streams from PDFs as well as numerous other timestamps such as embedded PDF attachment timestamps, annotation timestamps, etc.
🔥Image Deep Scan — FEI now supports extracting Exif, IPTC, and XMP metadata from images.
🔥Built-in Attachment Viewers — It is now possible to directly view popular attachment types (e.g., PDFs, Word and Excel documents, text files, etc.) directly within FEI without using an external viewer.
✔️Extended MAPI property definitions.
✔️Significant user interface performance improvements.
✔️Numerous other performance and user experience enhancements.
🌐Project Compatibility Level: 2.1.7.0
✔️Added Expected Body Hash to failed DKIM signature reporting.
✔️Added the ItemId field to bulk timeline exports.
✔️Improved character encoding detection in MIME emails.
✔️Improved pagination during individual and bulk PDF exports.
✔️Increased details captured during exception logging.
✔️Improved support for multiple FEI Viewer window instances.
✔️Added definitions for more MIME headers.
✔️Fixed a rare race condition that could cause an unexpected error during ingestion.
✔️Numerous minor performance and user experience improvements.
🌐Project Compatibility Level: 2.1.7.0
🔥Bulk PDF Export — You can now export a subset of the items on the Evidence Grid in PDF format. The result is very similar to the individual PDF export from FEI Viewer, but performed on multiple items automatically.
Ingesting a PST into FEI, then running index searches for relative evidence items- to then have the ability to export the grid into a PDF build. But also to export the emails inside the grid as PDF also.
1
🔥Multiple Viewer Instances — A new right-click context menu has been added to the Evidence Grid that allows multiple emails to be opened in their own FEI Viewer instances. This makes it much easier to examine emails comparatively.
🔥Timeline Export — In addition to being able to export the timestamps of an individual email from FEI's Timestamps View, you can now export the timestamps in an entire FEI project in timeline format. For instance, you can ingest a PST file and get a dump of all datetime type MAPI properties! Perfect for performing timeline analysis externally.
This idea expands on the Timestamps view in FEI Viewer. For a set of items within the Evidence Grid, provide a right-click command (similar to the commands for data export) to export a combined timeline for all emails within the view. The exported timeline will be a tabular file (e.g., CSV) which will lend itself well to traditional timeline analysis.
1
🔥Control Numbers — Along with the new export improvements, FEI now supports assigning document-level control numbers (aka Bates numbers) to exported items. The filenames of the exported items reflect their control numbers. The ControlNumber column of the Export Manifest can also be used to reference which control number was assigned to each file.
✔️Added the option to export files and PDFs into a flat folder structure.
✔️Improved support for Message-IDs corrected by Google MTAs.
✔️Miscellaneous performance and usability improvements.
🌐Project Compatibility Level: 2.1.7.0
🔥New Integration: VirusTotal — You can now get intelligence for email attachments using VirusTotal API. This includes threat intel, timestamps, filenames encountered in the wild, and more. Acquired data points are used in FEI's Timestamps View, Attachments View, and Insights.
🔥New Feature: Apple Mail (EMLX) Support — FEI now supports examining and ingesting both EMLX and Partial EMLX files created by Apple Mail. The file export dialog contains a new option that controls whether EMLX files should be exported in their original form or in MIME format.
It is also possible to drag & drop an EMLX file (partial or regular) directly into FEI Viewer to open it without going through ingestion.
✔️It is now possible to apply / remove flags in bulk directly from the Index Search window. This makes it much faster to search and categorize documents.
✔️FEI Decoder can now be launched to decode timestamps and Base64-encoded text within the text and HTML body tabs.
✔️DNS Insights for a domain now include the DMARC records of the domain. The DMARC records are parsed and their details are shown in a human-readable format.
✔️Added support for Message-ID values corrected by Gmail MTAs, and definition for the corresponding MIME header.
✔️Fixed an issue where RFC 2047 encoding could cause a Thread-Topic Insight to be triggered unnecessarily on MAPI messages.
✔️Added more contrast to the Content-Length header highlighting in the event that there is no calculated Content-Length value.
✔️Added new MIME header definitions.
✔️Numerous other performance and user interface improvements.
🌐Project Compatibility Level: 2.1.7.0
🔥New Feature: DKIM Supercache — FEI can now optionally utilize an internal repository of DKIM/ARC public keys to verify some historical DKIM/ARC signatures whose public keys are no longer available via DNS.
🔥Improved Flag Management — We have improved FEI's flag capabilities significantly. You can now create several custom flags, import / export your flag list, and perform advanced queries involving flags.
✔️Added the option to create and save notes for each document. Notes are available in the Evidence Grid and can be used for filtering.
✔️Added support for Gmail style Content-ID evidence. Decoded Content-ID timestamps will be listed in the Timestamps View as well as the MIME Structure View.
✔️Improved Unicode handling in some edge cases.
✔️Improvements to importing FEC projects that target Exchange.
✔️Numerous performance and user experience improvements.
✔️Switched to the new Forensic Email Collector project structure (FEC v3.86 and later) for FEC project imports. This allows FEC projects to be imported into FEI after they were moved to a different location.
✔️Failed DKIM signatures now include the reason for the failure as well as the calculated body hash.
✔️DKIM signatures that use a weak signature algorithm are highlighted on the DKIM/ARC view. Additionally, new Insights and Red Flags are assigned to them.
✔️New Red Flag for items whose DKIM public key could not be located.
✔️Added support for calendar and contact types in Index Search.
✔️FEI's timestamp decoder now supports GUID timestamps.
✔️Improved support for .th TLD during domain entity extraction.