Announcements

New updates and improvements to Forensic Email Intelligence.

  1. 1.3.8049

    Release

    ✔ Fixed a rare issue that prevented messages from being rendered in certain time zones.

  2. 1.3.8046

    Release

    ✔ Added new insight for messages missing DKIM signatures. This insight applies only when a message was expected to have a DKIM signature based on its sender and timing information.

    ✔ Added new insight for removed email attachments.

    ✔ It is now possible to filter the Evidence Grid by the red flags of each message.

    ✔ Insight Score is now represented with a corresponding color in the Evidence Grid for improved visual identification.

    ✔ Folder tree now contains the item counts for each subnode.

    ✔ It is now possible to import / export the layout of the Evidence Grid—including any active filters. When FEI is launched, it remembers your last layout automatically.

    ✔ Built-in Evidence Grid layout templates introduced to make it easy to switch between different layouts for different types of email evidence (MAPI, MIME, compact, etc.)

    ✔ It is now possible to copy only the value of a single Evidence Grid cell. This makes it easier to pivot on that value and use it as a filter.

    ✔ Performance improvements to folder tree creation.

    ✔ FEI now checks the version of the project database being opened and reports back if it is incompatible with the version of the software that is being used to open it.

    ✔ Improved handling of failed DNS lookups when verifying DKIM/ARC signatures during batch Insight scoring at ingestion.

    ✔ Improved MIME header parsing from MAPI items.

    ✔ Improved resource management during navigation among multiple MAPI stores via the Evidence Grid.

    ✔ Path of the MAPI container being ingested is now displayed during ingestion.

    ✔ Clearer representation of MAPI items missing transport headers.

    ✔ Extended timestamps and insights for MAPI items with data points extracted from MIME headers.

    ✔ Fixed an issue where context switching between reviewing a container's contents in the Evidence Grid and reviewing a loose item dragged and dropped from the outside onto FEI Viewer did not behave as expected.

    ✔ Presence of DKIM/ARC signatures and the Content-Length header field value can now be queried for MAPI items even when those data points cannot be leveraged due to the underlying MIME data being unavailable.

    ✔ Numerous minor performance, stability, and GUI improvements.

  3. 1.2.8021

    Release

    ✔ Added attachment count and list of attachment names to Evidence Grid.

    ✔ FEI now remembers your timestamp sort preference (chronological vs. reverse chronological order) between messages and between sessions.

    Option for Timestamps to be chronological

    In the Timestamps sub-menu of the Viewer, the Timestamp (UTC) column always defaults to reverse chronological sorting. Please offer an option in the Settings to default to chronological sorting. Alternatively, you could have this sub-menu's column sorting state retained between launches of FEI. Either way, I would like to be able to view the timeline chronologically (oldest events first) all of the time. Currently, I have to re-sort the Timestamp column as the first part of my workflow, every single time I open this sub-menu.

    Michael Y
    Released

    ✔ Resolved a dongle issue that manifested itself on VirtualBox.

    ✔ FEI now remembers your last input folder.

    ✔ It is now possible to select a subset of the evidence grid and copy it to the clipboard, including the header row. The resultant data can easily be pasted into Excel to create a small spreadsheet.

    ✔ It is now possible to select an individual cell on the Evidence Grid and copy its value (without the corresponding header row) to the clipboard. This can be used to quickly filter by that value.

    ✔ FEI now displays the version of the software that was used to create the FEI project that is open.

    ✔ Optimizations to startup time.

    Important Note: Due to significant changes to the project structure, this version of FEI cannot open FEI projects that were created using earlier versions of the software.

  4. 1.2.8012

    Release

    ✔ Added MAPI EntryID and Message Class data points to the evidence grid.

    ✔ Switched the default filtering mechanism for some grid columns from "Begins with" to "Contains".

    ✔ FEI Viewer no longer displays the message drop target if a side panel is open. This is so that the opened side panel is not obscured by the drop target.

    Check for Updates button broken in standalone viewer

    In the latest release, in the standalone viewer with no email loaded, you can open the Updates sub-menu on the right but the "Check for Updates" button does not do anything.

    Michael Y
    Released

  5. 1.2.8011

    Release

    ✔ Improved the responsiveness of folder tree view.

    ✔ It is now possible to search the folder tree to locate a specific node.

    ✔ Menu items in FEI Viewer that do not require a message to have been loaded are now enabled by default.

    Intel buttons should be accessible in the standalone viewer without an email loaded.

    When launching FEI and choosing to Launch Viewer, it would be nice to have access to the 4 Intel buttons (IP Intel, Domain Intel, Email Intel, and URL Intel) without loading an email. Currently they are grayed out by default. Basically, I would like to be able to use FEI to access these various APIs for things other than email investigation. FEI can currently do this but I have to load a dummy email before getting access to those features.

    Michael Y
    Released

    ✔ Improved logging of project details and evidence items that were added to a project during ingestion.

    ✔ During ingestion setup, FEI now automatically suggests a randomized evidence identifier for new evidence items to speed up project setup.

    ✔ Ingestion page now displays a brief summary of the active project as well as a hyperlink to access ingestion logs.

    ✔ FEI's title bar now reflects a brief summary of the active project.

    ✔ Numerous minor performance and GUI improvements.

  6. 1.2.8006

    Release

    ✔ DKIM verification now includes a DKIM alignment check.

    SPF and DMARC Validation

    Have the DKIM & ARC sub-menu also validate whether the email passes SPF and DMARC checks for the sending domain. Also, expand the DKIM validation to warn if the DKIM signature is verified but the signer does not match the sending domain. For example, I have an email with the sender listed as doe@gmail.com. The DKIM Signature is valid but the signer is webtotalsolutions.com instead of gmail.com. Basically looking for the same feature set as the DKIM Verifier plugin for Thunderbird if you're familiar with that one.

    Michael Y
    Partially Released

    ✔ FEI now extracts entities from all MAPI properties to provide a more comprehensive list of domains, contacts, IP addresses, and URLs

    ✔ Significantly improved logging and progress indication during ingestion

    ✔ Improved Grid View launch speed after ingestion

    ✔ Numerous minor performance improvements
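
An added example, not FEI's own code, illustrating the kind of DKIM alignment check described in this release: it compares the d= domain of each DKIM-Signature header against the From: domain, in the strict and relaxed modes that DMARC defines. It assumes the signatures have already been verified cryptographically; the function names, the four-entry suffix set standing in for the Public Suffix List, and the sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for the Public Suffix List; a real check loads the full list.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}

def org_domain(domain):
    """Organizational domain: the longest matching public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])

def dkim_signing_domains(msg):
    """Collect the d= tag of every DKIM-Signature header, unfolding whitespace."""
    domains = []
    for value in msg.get_all("DKIM-Signature", []):
        tags = {}
        for part in value.split(";"):
            name, sep, val = part.partition("=")
            if sep:
                tags[name.strip()] = re.sub(r"\s+", "", val)
        if tags.get("d"):
            domains.append(tags["d"].lower())
    return domains

def dkim_alignment(raw_message, mode="relaxed"):
    """Map each signing domain to whether it aligns with the From: domain."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    results = {}
    for d in dkim_signing_domains(msg):
        # Strict: exact match. Relaxed: same organizational domain.
        same = d == from_domain if mode == "strict" else org_domain(d) == org_domain(from_domain)
        results[d] = bool(from_domain) and same
    return from_domain, results

# Constructed messages; signature values are placeholders, not real signatures.
MISALIGNED = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=webtotalsolutions.com; s=s1;\n"
    " h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER\n"
    "From: doe@gmail.com\nSubject: constructed sample\n\nbody\n"
)
SUBDOMAIN = MISALIGNED.replace("webtotalsolutions.com", "mail.example.co.uk").replace(
    "doe@gmail.com", "alerts@example.co.uk")
```

`dkim_alignment(MISALIGNED)` reports the gmail.com / webtotalsolutions.com pair as not aligned in either mode, while `SUBDOMAIN` aligns only in relaxed mode.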

  7. 1.2.8004

    Release

    ✔ Improved progress indication during ingestion

    ✔ Improved exception handling when invalid API keys are used

    ✔ Render view now switches to dark background when dark mode is enabled

    ✔ Added description for tentative dates in Timestamps panel to clarify their use

  8. 1.2.8003

    Release

    ✔ FEI now filters out unsupported item types during ingestion so that they do not clutter grid view.

    ✔ Containers such as FEC projects, OST/PST files, and Mbox files are no longer displayed in grid view—only their contents are displayed.

    ✔ FEI now remembers your last output path and automatically creates a subfolder there based on the selected project name. If you always output to the same location, you can create a new project simply by entering a project name.

    ✔ Improved the responsiveness of FEI during the folder tree creation process.

    ✔ Improved logging and reporting of the number of items with extraction errors.

    ✔ Improved the behavior of the show/hide remote images toggle.

    ✔ Various minor performance improvements.

  9. v1.2.7996

    Release

    ✔ Implemented automatic update checks.

    ✔ Added a new menu item to FEI Viewer to launch FEI's online documentation.

    ✔ Fixed a minor GUI issue regarding the opening and closing of intelligence panels in FEI Viewer.

  10. v1.2.7995

    Release

    ✔ Timestamps used in FEI's Timestamps and Attachments views are now displayed in 24-hour format.

    Have timestamp formatting reflect the OS system regional setting or ISO 8601.

    The Timestamps sub-menu shows timestamps in the short date (yyyy-mm-dd) and long time (hh:mm:ss) format which matches the preferred one configured in my OS regional settings except that FEI uses a 12hr clock instead of a 24hr one. If you want to use hardcoded formatting then please add the option for users to switch to a 24hr clock. Otherwise please adopt the formatting specified by the user in their system's regional settings. The Attachments sub-menu appears to have a different hardcoded timestamp format of mm/dd/yyyy hh:mm:ss with a 12hr clock. Please make the formatting of this sub-menu consistent with the Timestamp sub-menu. If this timestamp were directly copied and not parsed from the email then I could understand why the formatting is different but based on my testing I believe this is a parsed value.

    Michael Y
    Released

    ✔ Intelligence panels—such as the DKIM and Insights views—which may take some time to be displayed now show a progress spinner to make it clear that FEI is doing something.

    Pressing the DKIM & ARC button should show progress status instead of no feedback.

    When the DKIM & ARC button is pressed for the first time, it can take a while (30 seconds) before processing completes and the results are shown for some emails. In the meantime it is not clear to the user that the email has applicable records, that those records are currently being processed, and that the application actually registered the mouse click and is not hanging. Usually when such background processing occurs, the user is informed with a progress bar, spinning icon, or a textual message that says processing is occurring. I have no preference on which method is used, but some sort of processing indicator should be shown so that the user knows that FEI is doing something.

    Michael Y
    Released

    ✔ Fixed an issue that could cause ingestion to be derailed due to corrupt messages.

    ✔ Significantly improved speed and responsiveness of FEI when ingesting a very large number of files from the file system.

    ✔ Improved logging in both ingestion and metadata extraction stages.

    ✔ Settings page is now directly accessible from the startup page without having to open FEI Viewer or load a document.

    ✔ FEI now captures item sizes when ingesting MAPI items in place from a PST or OST file.

    ✔ Added option to copy high-level exceptions to the clipboard if desired.