Announcements

New updates and improvements to Forensic Email Intelligence

  1. 2.0.11.0

    Release


    🔥New Feature: Index Search — FEI can now index the emails (including their attachments) that it ingests and allows you to execute detailed queries against that index. Search capabilities include field searches, range searches, date searches, wildcard searches, proximity searches, and regular expression searches.

    🔥New Feature: Aggregate Data Panels — Participants and attachments encountered during ingestion are now displayed in a side panel of the Evidence Grid. It is possible to quickly pivot from these panels to the emails that contain the referenced items.

    🔥New Feature: Project-level Insights — In addition to the item-level Insights that were previously available, FEI now presents project-level Insights by analyzing items in context.

    ✔️Added new context menu items—Find in This Field, Find in All Participant Fields—that allow the examiner to quickly pivot on key data points such as participants and email subjects.

    ✔️Added a new column to the Evidence Grid called Level, which indicates how deep the item is within the evidence tree.

    ✔️It is now possible to add evidence to an existing project.

    ✔️Increased minimum height for FEI Viewer window so that the drop target is not hidden on short screens.

    ✔️Significantly improved Evidence Grid initial load time.

    ✔️It is now possible to export the results of subdomain lookup for a domain.

    ✔️Export manifest for PST exports now includes EntryID values of the items within the output PST(s) for ease of reference.

    ✔️Significantly improved the cold start performance of MIME Structure View.

    Important Note: FEI now requires .NET Desktop Runtime 6, which can be obtained from Microsoft.


  2. 1.8.8348

    Release

    This is a maintenance release with a few quality-of-life improvements before FEI's upcoming 2.0 update:

    ✔️Improvements to MAPI container export

    ✔️Updated Microsoft's public key for .NET Framework 4.7.2 so that FEI can verify its signature during installation—only applies if that dependency is missing.

    ✔️Stability improvements to the Render tab in FEI Viewer in some edge cases.

    ✔️Improved Federal Information Processing Standards (FIPS) compliance.

    ✔️Improved handling of blank (i.e., invalid) DKIM public key lookup results.


  3. 1.8.8236

    Release


    🔥New Feature: MIME Structure Analysis — FEI now allows the examination of the hierarchical MIME structure of a message. It is possible to navigate to the individual MIME entities and export them.

    🔥Added child entity timestamps to the Timestamps View. These are timestamp evidence items such as hidden MIME boundary and Content-ID timestamps that are extracted recursively from child RFC 822 MIME entities of the message (i.e., embedded messages). Child entity timestamps are color coded so that they can be distinguished from the timestamps of the parent email.

    🔥Ability to store DKIM / ARC public keys — FEI now has an additional option that allows the fetched DKIM and ARC public keys to be stored on the file system. This can be extremely useful for long-term archival of critical cryptographic keys in your investigation in the event that the keys become unavailable in the future.

    ✔️Added Content-ID as an additional evidence type for email client and timestamp identification.

    ✔️Improved performance and responsiveness of flagging items. This is especially noticeable when a very low-performance storage medium is used for FEI's project file.

    ✔️Improved the export of embedded messages.

    ✔️FEI Viewer now contains an icon that clarifies whether it is working in Connected Mode or Independent Mode.

    ✔️Improved the display of MAPI items without Sent/Delivery dates in the Evidence Grid.

    ✔️Fixed an issue where MIME syntax highlighting could end before the end of the message headers in some edge cases.

    ✔️Numerous performance and user experience improvements.

  4. 1.7.8166

    Release

    ✔ FEI now supports ingesting, rendering, and examining additional MAPI item types such as calendar events, tasks, contacts, sticky notes, and RSS feeds.

    ✔ It is now possible to export a subset of the ingested data both as loose files and as MAPI containers where applicable.

    ✔ Added the option to include an export manifest with data exports.

    ✔ Added new Insight for MIME items with deferred delivery.

    ✔ Added definitions for various MAPI enumerations.

    ✔ Introduced the option to skip batch Insight Score calculation during ingestion.

    ✔ Improved the performance of bulk tagging a large number of items on the Evidence Grid.

    ✔ Added an in-place help system to describe the functionality of certain features within the software.

    ✔ Various performance and user interface improvements.

  5. 1.6.8147

    Release

    ✔ FEI can now export evidence items from the Evidence Grid. It is possible to export the selected items, or all visible items on the grid based on any filters that were applied.

    ✔ Added a new MAPI insight for messages that were sent using the Delay Delivery option in Outlook.

    ✔ Various other performance and user interface improvements.

  6. 1.5.8130

    Release

    ✔ Introduced the ability to export data from FEI's Intel panels such as Entities, Timestamps, and Attachments in multiple formats.

    ✔ Introduced FEI Decoder to decode timestamps and Base64-encoded strings via the right click context menu. More decoding options will be added as needed.

    ✔ It is now possible to navigate to the previous/next item in the Evidence Grid when FEI Viewer is in focus. The global shortcut for navigation is CTRL+Up or CTRL+Down.

    ✔ Added support for Mozilla Thunderbird Message-ID and MIME boundary values.

    ✔ Added definitions for various MIME headers.

    ✔ Added insights based on the newly-added Exchange header definitions.

    ✔ Extracted entities are now sorted alphabetically where applicable.

    ✔ Improved the resilience of MAPI header parsing against invalid headers.

    ✔ Improved PDF printouts from Render view to reduce unnecessary pagination.

    ✔ Improved the visibility of hyperlink previews in Render View in dark mode.

    ✔ Resolved an issue where certain Evidence Grid search and sort operations could cause unexpected behavior.

    ✔ Numerous other performance and user interface improvements.


  7. 1.4.8084

    Release

    ✔ Improvements to URL Intel GUI and performance.

    ✔ Added In-Reply-To and References headers to the Evidence Grid.

    ✔ Timestamps view and automated analysis now include timestamps of non-attachment MIME entities that have timestamps.

    ✔ Added an additional insight and associated Red Flag about Postfix Authenticated User.

    ✔ Added an additional insight about messages that contain quoted message bodies but no References or In-Reply-To fields.

    ✔ Improved detection of Outlook quote strings.

    ✔ Changed formatting of MAPI property tag display to follow Microsoft's documentation more closely.

    ✔ Fixed an issue where double-clicking an item on the Evidence Grid while FEI Viewer is open could behave unexpectedly.

    ✔ Attachments tab in MAPI view is now only displayed when needed.

    ✔ Numerous minor performance and visual improvements.


  8. 1.4.8077

    Release

    ✔ Introduced urlscan integration for URL intelligence.

    ✔ Introduced local diff tool integration for item comparisons.

    ✔ Expanded MAPI support to include two additional tabs: Recipients and Attachments.

    ✔ Improved resolution of certain enum MAPI properties to provide information in addition to the raw MAPI data.

    ✔ Increased color contrast in dark mode for improved visibility of certain elements.

    ✔ Improved handling of items with no body text.

    ✔ Improved support for MIME items with an invalid first line.

    ✔ FEI Viewer now automatically adjusts its size and position at launch on smaller screens.

    ✔ SecurityTrails API credentials are now validated against the API, and the remaining quota is displayed.

    ✔ It is now possible to batch-export email attachments. FEI automatically names the exported attachments to avoid collisions if needed.

    ✔ Improved the scroll experience in attachments view.

    ✔ Improved the performance of domain intelligence.

    ✔ Certain export processes such as exporting attachments and PDF printouts of emails now display a button to open the exported file directly upon completion.

    ✔ Improved the performance of transport header extraction from MAPI items and made it more resilient to invalid MIME headers.

    ✔ Content-length checks are now applied to messages in bulk, and a corresponding red flag is included in the Red Flags column in grid view.

    ✔ FEI now parses the individual Gmail labels in Grid View and provides the option to filter for them. This makes it easier to get a tally of which labels are present in a collection (e.g., a Takeout import or an FEC project import).

    ✔ Improved the visual design of subdomain intelligence and made it possible to copy individual subdomains to the clipboard.

    ✔ Numerous minor performance and visual improvements.


  9. 1.3.8049

    Release

    ✔ Fixed a rare issue that prevented messages from being rendered in certain time zones.


  10. 1.3.8046

    Release

    ✔ Added new insight for messages missing DKIM signatures. Only applies when a message was expected to have a DKIM signature due to its sender and timing information.

    ✔ Added new insight for removed email attachments.

    ✔ It is now possible to filter the Evidence Grid by the red flags of each message.

    ✔ Insight Score is now represented with a corresponding color in the Evidence Grid for improved visual identification.

    ✔ Folder tree now contains the item counts for each subnode.

    ✔ It is now possible to import / export the layout of the Evidence Grid—including any active filters. When FEI is launched, it remembers your last layout automatically.

    ✔ Built-in Evidence Grid layout templates introduced to make it easy to switch between different layouts for different types of email evidence (MAPI, MIME, compact, etc.)

    ✔ It is now possible to copy only the value of a single Evidence Grid cell. This makes it easier to pivot on that value and use it as a filter.

    ✔ Performance improvements to folder tree creation.

    ✔ FEI now checks the version of the project database being opened and reports back if it is incompatible with the version of the software that is being used to open it.

    ✔ Improved handling of failed DNS lookups when verifying DKIM/ARC signatures while batch Insight scoring during ingestion.

    ✔ Improved MIME header parsing from MAPI items.

    ✔ Improved resource management during navigation among multiple MAPI stores via the Evidence Grid.

    ✔ Path of the MAPI container being ingested is now displayed during ingestion.

    ✔ Clearer representation of MAPI items missing transport headers.

    ✔ Extended timestamps and insights for MAPI items with data points extracted from MIME headers.

    ✔ Fixed an issue where context switching between reviewing a container's contents in the Evidence Grid and reviewing a loose item dragged and dropped from the outside onto FEI Viewer did not behave as expected.

    ✔ Presence of DKIM/ARC signatures and the Content-Length header field value can now be queried for MAPI items even when those data points cannot be leveraged due to the underlying MIME data being unavailable.

    ✔ Numerous minor performance, stability, and GUI improvements.
