New updates and improvements to Forensic Email Intelligence



     Read release notes 

    🔥Internal Attachment Metadata — FEI's Attachments View now contains a menu item that displays the internal metadata of attachments. Internal attachment metadata is also factored into timelining, Insights, and scoring.

    🔥PDF Deep Scan — FEI now supports extracting multiple XMP metadata streams from PDFs as well as numerous other timestamps such as embedded PDF attachment timestamps, annotation timestamps, etc.

    🔥Image Deep Scan — FEI now supports extracting Exif, IPTC, and XMP metadata from images.

    🔥Built-in Attachment Viewers — It is now possible to directly view popular attachment types (e.g., PDFs, Word and Excel documents, text files, etc.) directly within FEI without using an external viewer.

    ✔️Extended MAPI property definitions.

    ✔️Significant user interface performance improvements.

    ✔️Numerous other performance and user experience enhancements.


    🌐Project Compatibility Level:



    ✔️Added Expected Body Hash to failed DKIM signature reporting.

    ✔️Added the ItemId field to bulk timeline exports.

    ✔️Improved character encoding detection in MIME emails.

    ✔️Improved pagination during individual and bulk PDF exports.

    ✔️Increased details captured during exception logging.

    ✔️Improved support for multiple FEI Viewer window instances.

    ✔️Added definitions for more MIME headers.

    ✔️Fixed a rare race condition that could cause an unexpected error during ingestion.

    ✔️Numerous minor performance and user experience improvements.


    🌐Project Compatibility Level:



     Read release notes 

    🔥Bulk PDF Export — You can now export a subset of the items on the Evidence Grid in PDF format. The result is very similar to the individual PDF export from FEI Viewer, but performed on multiple items automatically.


    Export to PDF after indexing.

    Ingesting a PST into FEI, then running index searches for relative evidence items- to then have the ability to export the grid into a PDF build. But also to export the emails inside the grid as PDF also.

    J E


    🔥Multiple Viewer Instances — A new right-click context menu has been added to the Evidence Grid that allows multiple emails to be opened in their own FEI Viewer instances. This makes it much easier to examine emails comparatively.

    🔥Timeline Export — In addition to being able to export the timestamps of an individual email from FEI's Timestamps View, you can now export the timestamps in an entire FEI project in timeline format. For instance, you can ingest a PST file and get a dump of all datetime type MAPI properties! Perfect for performing timeline analysis externally.


    Bulk Export Timeline

    This idea expands on the Timestamps view in FEI Viewer. For a set of items within the Evidence Grid, provide a right-click command (similar to the commands for data export) to export a combined timeline for all emails within the view. The exported timeline will be a tabular file (e.g., CSV) which will lend itself well to traditional timeline analysis.

    Arman Gungor


    🔥Control Numbers — Along with the new export improvements, FEI now supports assigning document-level control numbers (aka Bates numbers) to exported items. The filenames of the exported items reflect their control numbers. The ControlNumber column of the Export Manifest can also be used to reference which control number was assigned to each file.

    ✔️Added the option to export files and PDFs into a flat folder structure.

    ✔️Improved support for Message-IDs corrected by Google MTAs.

    ✔️Miscellaneous performance and usability improvements.


    🌐Project Compatibility Level:




     Read release notes 

    🔥New Integration: VirusTotal — You can now get intelligence for email attachments using VirusTotal API. This includes threat intel, timestamps, filenames encountered in the wild, and more. Acquired data points are used in FEI's Timestamps View, Attachments View, and Insights.

    🔥New Feature: Apple Mail (EMLX) Support — FEI now supports examining and ingesting both EMLX and Partial EMLX files created by Apple Mail. The file export dialog contains a new option that controls whether EMLX files should be exported in their original form or in MIME format.

    It is also possible to drag & drop an EMLX file (partial or regular) directly into FEI Viewer to open it without going through ingestion.

    ✔️It is now possible to apply / remove flags in bulk directly from the Index Search window. This makes it much faster to search and categorize documents.

    ✔️FEI Decoder can now be launched to decode timestamps and Base64-encoded text within the text and HTML body tabs.

    ✔️DNS Insights for a domain now include the DMARC records of the domain. The DMARC records are parsed and their details are shown in a human-readable format.

    ✔️Added support for Message-ID values corrected by Gmail MTAs, and definition for the corresponding MIME header.

    ✔️Fixed an issue where RFC 2047 encoding could cause a Thread-Topic Insight to be triggered unnecessarily on MAPI messages.

    ✔️Added more contrast to the Content-Length header highlighting in the event that there is no calculated Content-Length value.

    ✔️Added new MIME header definitions.

    ✔️Numerous other performance and user interface improvements.


    🌐Project Compatibility Level:




     Read release notes 

    🔥New Feature: DKIM Supercache — FEI can now optionally utilize an internal repository of DKIM/ARC public keys to verify some historical DKIM/ARC signatures whose public keys are no longer available via DNS.

    🔥Improved Flag Management — We have improved FEI's flag capabilities significantly. You can now create several custom flags, import / export your flag list, and perform advanced queries involving flags.

    ✔️Added the option to create and save notes for each document. Notes are available in the Evidence Grid and can be used for filtering.

    ✔️Added support for Gmail style Content-ID evidence. Decoded Content-ID timestamps will be listed in the Timestamps View as well as the MIME Structure View.

    ✔️Improved Unicode handling in some edge cases.

    ✔️Improvements to importing FEC projects that target Exchange.

    ✔️Numerous performance and user experience improvements.



    ✔️Switched to the new Forensic Email Collector project structure (FEC v3.86 and later) for FEC project imports. This allows FEC projects to be imported into FEI after they were moved to a different location.

    ✔️Failed DKIM signatures now include the reason for the failure as well as the calculated body hash.

    ✔️DKIM signatures that use a weak signature algorithm are highlighted on the DKIM/ARC view. Additionally, new Insights and Red Flags are assigned to them.

    ✔️New Red Flag for items whose DKIM public key could not be located.

    ✔️Added support for calendar and contact types in Index Search.

    ✔️FEI's timestamp decoder now supports GUID timestamps.

    ✔️Improved support for .th TLD during domain entity extraction.




    ✔️Added a right-click context menu option to freeze columns in the Evidence Grid. This makes it possible to affix one or more columns to the left side of the grid while reviewing items.

    ✔️The Evidence Grid now retains the height of rows while scrolling horizontally.

    ✔️Added a new option under General Settings > UI to retain window positions. When activated, FEI will save the position and dimensions of the Evidence Grid and FEI Viewer windows and attempt to restore them between sessions.

    ✔️Moved the drop target in FEI Viewer from the toolbar to the center of the screen. This makes it possible to make the FEI Viewer window shorter to accommodate screens that provide limited vertical space (e.g., laptop screens).

    ✔️It is now possible to copy values from the MIME Structure View to the clipboard.

    ✔️Added definitions to key MIME types (e.g., multipart/mixed, multipart/alternative, etc.) in MIME Structure View.

    ✔️Reduced the threshold for red flags based on MIME boundary timestamp discrepancies.




     Read release notes 

    🔥New Feature: Index Search — FEI can now index the emails (including their attachments) that it ingests and allows you to execute detailed queries against that index. Search capabilities include field searches, range searches, date searches, wildcard searches, proximity searches, and regular expression searches.

    🔥New Feature: Aggregate Data Panels — Participants and attachments encountered during ingestion are now displayed in a side panel of the Evidence Grid. It is possible to quickly pivot from these panels to the emails that contain the referenced items.

    🔥New Feature: Project-level Insights — In addition to the item-level Insights that were previously available, FEI now presents project-level Insights by analyzing items in context.

    ✔️Added new context menu items—Find in This Field, Find in All Participant Fields—that allow the examiner to quickly pivot on key data points such as participants and email subjects.

    ✔️Add a new column to the Evidence Grid called Level, which indicates how deep the item is within the evidence tree.

    ✔️It is now possible to add evidence to an existing project.

    ✔️Increased minimum height for FEI Viewer window so that the drop target is not hidden on short screens.

    ✔️Significantly improved Evidence Grid initial load time.

    ✔️It is now possible to export the results of subdomain lookup for a domain.

    ✔️Export manifest for PST exports now includes EntryID values of the items within the output PST(s) for ease of reference.

    ✔️Significantly improved the cold start performance of MIME Structure View.

    Important Note: FEI now requires .NET Desktop Runtime 6, which can be obtained from Microsoft here.



  9. 1.8.8348


    This is a maintenance release with a few quality-of-life improvements before FEI's upcoming 2.0 update:

    ✔️Improvements to MAPI container export

    ✔️Updated Microsoft's public key for .Net Framework 4.7.2 so that FEI can verify its signature during installation—only applies if that dependency is missing.

    ✔️Stability improvements to the Render tab in FEI Viewer in some edge cases.

    ✔️Improved Federal Information Processing Standards (FIPS) compliance.

    ✔️Improved handling of blank (i.e., invalid) DKIM public key lookup results.


  10. 1.8.8236


     Read release notes 

    🔥New Feature: MIME Structure Analysis — FEI now allows the examination of the hierarchical MIME structure of a message. It is possible to navigate to the individual MIME entities and export them.

    🔥Added child entity timestamps to the Timestamps View. These are timestamp evidence items such as hidden MIME boundary and Content-ID timestamps that are extracted recursively from child RFC 822 MIME entities of the message (i.e., embedded messages). Child entity timestamps are color coded so that they can be distinguished from the timestamps of the parent email.

    🔥Ability to store DKIM / ARC public keys — FEI now has an additional option that allows the fetched DKIM and ARC public keys on the file system. This can be extremely useful for long-term archival of critical cryptographic keys in your investigation in the event that the keys become unavailable in the future.

    ✔️Added Content-ID as an additional evidence type for email client and timestamp identification.

    ✔️Improved performance and responsiveness of flagging items. This is especially noticeable when a very low-performance storage medium is used for FEI's project file.

    ✔️Improved the export of embedded messages.

    ✔️FEI Viewer now contains an icon that clarifies whether it is working in Connected Mode or Independent Mode.

    ✔️Improved the display of MAPI items without Sent/Delivery dates in the Evidence Grid.

    ✔️Fixed an issue where MIME syntax highlighting could end before the end of the message headers in some edge cases.

    ✔️Numerous performance and user experience improvements.