New updates and improvements to Forensic Email Intelligence




    🔥New Integration: VirusTotal — You can now get intelligence for email attachments using the VirusTotal API. This includes threat intel, timestamps, filenames encountered in the wild, and more. Acquired data points are used in FEI's Timestamps View, Attachments View, and Insights.

    🔥New Feature: Apple Mail (EMLX) Support — FEI now supports examining and ingesting both EMLX and Partial EMLX files created by Apple Mail. The file export dialog contains a new option that controls whether EMLX files should be exported in their original form or in MIME format.

    It is also possible to drag & drop an EMLX file (partial or regular) directly into FEI Viewer to open it without going through ingestion.

    ✔️It is now possible to apply / remove flags in bulk directly from the Index Search window. This makes it much faster to search and categorize documents.

    ✔️FEI Decoder can now be launched to decode timestamps and Base64-encoded text within the text and HTML body tabs.

    ✔️DNS Insights for a domain now include the DMARC records of the domain. The DMARC records are parsed and their details are shown in a human-readable format.

    ✔️Added support for Message-ID values corrected by Gmail MTAs, and a definition for the corresponding MIME header.

    ✔️Fixed an issue where RFC 2047 encoding could cause a Thread-Topic Insight to be triggered unnecessarily on MAPI messages.

    ✔️Added more contrast to the Content-Length header highlighting in the event that there is no calculated Content-Length value.

    ✔️Added new MIME header definitions.

    ✔️Numerous other performance and user interface improvements.

    🌐Project Compatibility Level:





    🔥New Feature: DKIM Supercache — FEI can now optionally utilize an internal repository of DKIM/ARC public keys to verify some historical DKIM/ARC signatures whose public keys are no longer available via DNS.

    🔥Improved Flag Management — We have improved FEI's flag capabilities significantly. You can now create several custom flags, import / export your flag list, and perform advanced queries involving flags.

    ✔️Added the option to create and save notes for each document. Notes are available in the Evidence Grid and can be used for filtering.

    ✔️Added support for Gmail style Content-ID evidence. Decoded Content-ID timestamps will be listed in the Timestamps View as well as the MIME Structure View.

    ✔️Improved Unicode handling in some edge cases.

    ✔️Improvements to importing FEC projects that target Exchange.

    ✔️Numerous performance and user experience improvements.



    ✔️Switched to the new Forensic Email Collector project structure (FEC v3.86 and later) for FEC project imports. This allows FEC projects to be imported into FEI after they were moved to a different location.

    ✔️Failed DKIM signatures now include the reason for the failure as well as the calculated body hash.

    ✔️DKIM signatures that use a weak signature algorithm are highlighted on the DKIM/ARC view. Additionally, new Insights and Red Flags are assigned to them.

    ✔️New Red Flag for items whose DKIM public key could not be located.

    ✔️Added support for calendar and contact types in Index Search.

    ✔️FEI's timestamp decoder now supports GUID timestamps.

    ✔️Improved support for .th TLD during domain entity extraction.




    ✔️Added a right-click context menu option to freeze columns in the Evidence Grid. This makes it possible to affix one or more columns to the left side of the grid while reviewing items.

    ✔️The Evidence Grid now retains the height of rows while scrolling horizontally.

    ✔️Added a new option under General Settings > UI to retain window positions. When activated, FEI will save the position and dimensions of the Evidence Grid and FEI Viewer windows and attempt to restore them between sessions.

    ✔️Moved the drop target in FEI Viewer from the toolbar to the center of the screen. This makes it possible to make the FEI Viewer window shorter to accommodate screens that provide limited vertical space (e.g., laptop screens).

    ✔️It is now possible to copy values from the MIME Structure View to the clipboard.

    ✔️Added definitions to key MIME types (e.g., multipart/mixed, multipart/alternative, etc.) in MIME Structure View.

    ✔️Reduced the threshold for red flags based on MIME boundary timestamp discrepancies.





    🔥New Feature: Index Search — FEI can now index the emails (including their attachments) that it ingests and allows you to execute detailed queries against that index. Search capabilities include field searches, range searches, date searches, wildcard searches, proximity searches, and regular expression searches.

    🔥New Feature: Aggregate Data Panels — Participants and attachments encountered during ingestion are now displayed in a side panel of the Evidence Grid. It is possible to quickly pivot from these panels to the emails that contain the referenced items.

    🔥New Feature: Project-level Insights — In addition to the item-level Insights that were previously available, FEI now presents project-level Insights by analyzing items in context.

    ✔️Added new context menu items—Find in This Field, Find in All Participant Fields—that allow the examiner to quickly pivot on key data points such as participants and email subjects.

    ✔️Added a new column to the Evidence Grid called Level, which indicates how deep the item is within the evidence tree.

    ✔️It is now possible to add evidence to an existing project.

    ✔️Increased the minimum height of the FEI Viewer window so that the drop target is not hidden on short screens.

    ✔️Significantly improved Evidence Grid initial load time.

    ✔️It is now possible to export the results of subdomain lookup for a domain.

    ✔️The export manifest for PST exports now includes EntryID values of the items within the output PST(s) for ease of reference.

    ✔️Significantly improved the cold start performance of MIME Structure View.

    Important Note: FEI now requires .NET Desktop Runtime 6, which can be obtained from Microsoft.


  6. 1.8.8348


    This is a maintenance release with a few quality-of-life improvements before FEI's upcoming 2.0 update:

    ✔️Improvements to MAPI container export

    ✔️Updated Microsoft's public key for .NET Framework 4.7.2 so that FEI can verify its signature during installation—only applies if that dependency is missing.

    ✔️Stability improvements to the Render tab in FEI Viewer in some edge cases.

    ✔️Improved Federal Information Processing Standards (FIPS) compliance.

    ✔️Improved handling of blank (i.e., invalid) DKIM public key lookup results.


  7. 1.8.8236



    🔥New Feature: MIME Structure Analysis — FEI now allows the examination of the hierarchical MIME structure of a message. It is possible to navigate to the individual MIME entities and export them.

    🔥Added child entity timestamps to the Timestamps View. These are timestamp evidence items such as hidden MIME boundary and Content-ID timestamps that are extracted recursively from child RFC 822 MIME entities of the message (i.e., embedded messages). Child entity timestamps are color coded so that they can be distinguished from the timestamps of the parent email.

    🔥Ability to store DKIM / ARC public keys — FEI now has an additional option that allows the fetched DKIM and ARC public keys to be stored on the file system. This can be extremely useful for long-term archival of critical cryptographic keys in your investigation in the event that the keys become unavailable in the future.

    ✔️Added Content-ID as an additional evidence type for email client and timestamp identification.

    ✔️Improved performance and responsiveness of flagging items. This is especially noticeable when a very low-performance storage medium is used for FEI's project file.

    ✔️Improved the export of embedded messages.

    ✔️FEI Viewer now contains an icon that clarifies whether it is working in Connected Mode or Independent Mode.

    ✔️Improved the display of MAPI items without Sent/Delivery dates in the Evidence Grid.

    ✔️Fixed an issue where MIME syntax highlighting could end before the end of the message headers in some edge cases.

    ✔️Numerous performance and user experience improvements.

  8. 1.7.8166


    ✔ FEI now supports ingesting, rendering, and examining additional MAPI item types such as calendar events, tasks, contacts, sticky notes, and RSS feeds.

    ✔ It is now possible to export a subset of the ingested data both as loose files and as MAPI containers where applicable.

    ✔ Added the option to include an export manifest with data exports.

    ✔ Added a new Insight for MIME items with deferred delivery.

    ✔ Added definitions for various MAPI enumerations.

    ✔ Introduced the option to skip batch Insight Score calculation during ingestion.

    ✔ Improved the performance of bulk tagging a large number of items on the Evidence Grid.

    ✔ Added an in-place help system to describe the functionality of certain features within the software.

    ✔ Various performance and user interface improvements.

  9. 1.6.8147


    ✔ FEI can now export evidence items from the Evidence Grid. It is possible to export the selected items, or all visible items on the grid based on any filters that were applied.

    ✔ Added a new MAPI insight for messages that were sent using the Delay Delivery option in Outlook.

    ✔ Various other performance and user interface improvements.

  10. 1.5.8130


    ✔ Introduced the ability to export data from FEI's Intel panels such as Entities, Timestamps, and Attachments in multiple formats.

    ✔ Introduced FEI Decoder to decode timestamps and Base64-encoded strings via the right click context menu. More decoding options will be added as needed.

    ✔ It is now possible to navigate to the previous/next item in the Evidence Grid when FEI Viewer is in focus. The global shortcut for navigation is CTRL+Up or CTRL+Down.

    ✔ Added support for Mozilla Thunderbird Message-ID and MIME boundary values.

    ✔ Added definitions for various MIME headers.

    ✔ Added insights based on the newly-added Exchange header definitions.

    ✔ Extracted entities are now sorted alphabetically where applicable.

    ✔ Improved the resilience of MAPI header parsing against invalid headers.

    ✔ Improved PDF printouts from Render view to reduce unnecessary pagination.

    ✔ Improved the visibility of hyperlink previews in Render View in dark mode.

    ✔ Resolved an issue where certain Evidence Grid search and sort operations could cause unexpected behavior.

    ✔ Numerous other performance and user interface improvements.