Feature Ideas


  1. Bulk URL Threat Scan

    Integration with Google Web Risk or similar URL scanning API to bulk scan URLs for threats.

    Arman Gungor
    #Integrations 🔗

    0

  2. Extract links from emails

    When searching for phishing links, it would be handy to have a list of all links from all emails, project wide. From here we can push into various link scanning APIs or domain scanning APIs. Arman suggested integration with https://cloud.google.com/web-risk, which I think is a great idea.

    Greg K
    #Improvement 👍 #Integrations 🔗

    1
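A project-wide link extractor that covers this request and the bulk URL scan idea above, written here as an added example (not FEI or Metaspike code): it walks the text and HTML parts of every message, normalises each URL so duplicates collapse, and records which Message-IDs carry it, which is the list you would hand to a URL or domain scanning API. The two messages it runs on are constructed; no scanning API is called.

```python
"""Extract every URL from a set of RFC 5322 messages (text and HTML parts),
normalise and de-duplicate them, and record which messages carry each one.
Added example, not FEI code; SAMPLE_MESSAGES below are constructed."""
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Bare URLs in text: stop at whitespace, angle brackets, quotes and brackets.
URL_RE = re.compile(r"""https?://[^\s<>"'()\[\]]+""", re.IGNORECASE)


class _HrefParser(HTMLParser):
    """Collect href/src attribute values and the visible text of an HTML part."""
    def __init__(self):
        super().__init__()
        self.urls, self.text = [], []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.urls.append(value)

    def handle_data(self, data):
        self.text.append(data)


def normalise(url):
    """Lower-case scheme and host, drop the fragment, strip trailing punctuation."""
    url = url.rstrip(".,;:!?")
    p = urlsplit(url)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", p.query, ""))


def links_in_message(raw):
    """Set of normalised http(s) URLs found in one message's text/html parts."""
    msg = message_from_string(raw, policy=policy.default)
    found = set()
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype not in ("text/plain", "text/html"):
            continue  # skips multipart containers and attachments
        content = part.get_content()
        if ctype == "text/html":
            parser = _HrefParser()
            parser.feed(content)
            candidates = parser.urls + URL_RE.findall(" ".join(parser.text))
        else:
            candidates = URL_RE.findall(content)
        for c in candidates:
            if c.lower().startswith(("http://", "https://")):
                found.add(normalise(c))
    return found


def project_links(raw_messages):
    """Project-wide table: url -> sorted list of Message-IDs that carry it."""
    table = {}
    for raw in raw_messages:
        mid = str(message_from_string(raw, policy=policy.default)["Message-ID"])
        for url in links_in_message(raw):
            table.setdefault(url, set()).add(mid)
    return {url: sorted(mids) for url, mids in table.items()}


# Constructed sample messages: one plain text, one multipart with text and HTML.
SAMPLE_MESSAGES = [
    "Message-ID: <m1@example.com>\r\nFrom: alice@example.com\r\nTo: bob@example.com\r\n"
    "Subject: invoice\r\nContent-Type: text/plain\r\n\r\n"
    "Please review https://example.com/invoice/42. Thanks.\r\n",
    "Message-ID: <m2@example.com>\r\nFrom: alice@example.com\r\nTo: bob@example.com\r\n"
    'Subject: invoice\r\nContent-Type: multipart/alternative; boundary="b1"\r\n\r\n'
    "--b1\r\nContent-Type: text/plain\r\n\r\nLogin at http://EXAMPLE.com/invoice/42#top\r\n"
    "--b1\r\nContent-Type: text/html\r\n\r\n"
    '<html><body><a href="https://login.example.net/?u=1">click</a> '
    '<img src="https://cdn.example.net/p.png"></body></html>\r\n--b1--\r\n',
]

if __name__ == "__main__":
    for url, mids in sorted(project_links(SAMPLE_MESSAGES).items()):
        print(url, mids)
```

The table is keyed by normalised URL, so the same link seen with a different fragment or host casing is reported once, while `http://` and `https://` forms stay distinct because a scanner treats them as different resources.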

  3. DKIM Verify M365 Emails

    If the email manipulations by Microsoft 365 can be measured and reversed, then it would be great if FEI could DKIM verify these emails. For any emails with a Microsoft domain as the recipient that fail DKIM, FEI could attempt to reverse common Microsoft manipulations (delete newlines between MIME boundaries, remove extra html meta tag) and then calculate DKIM. For emails that verify this way, FEI could include an entry in the DKIM Results stating as much. Something like, Verified: True (after reversing common MS manipulations).

    Michael Y
    #Improvement 👍

    1

  4. More Detailed DKIM Verification

    This is a two part request. In the DKIM Results window, FEI should specify the individual components that fail or pass verification. Did the body hash not match, indicating that the body was manipulated? Or did the signature data not match because the header fields were manipulated? Something like the following:

      Body = verified
      These Headers: mime-version, from, date, message-id, subject, to = failed verification

    Selecting one of the above fields (Body or These Headers) should highlight the associated section in the MIME window.

    Reason for request: When manually fixing a DKIM issue like in your CTF, I want to know which section I should be focusing on. Also, because I am not as familiar with the normalization rules for DKIM verification, it is not clear when a single line break might affect verification, especially between signed header fields. Having the associated fields highlighted will make it immediately clear which characters are included in the verification calculation.

    Michael Y
    #Improvement 👍

    2
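The component-level check asked for here, and the "retry after reversing a known manipulation" idea from the M365 request above, as one added example (not FEI or Metaspike code). It implements the RFC 6376 simple and relaxed canonicalizations, checks the body hash (bh=) on its own, and returns the exact canonicalized header text that the signature covers, so a reader can see which characters enter the calculation. The signature value itself is not verified, because that needs the signer's public key from DNS. The sample message, selector and the single reversal (re-inserting a blank line before MIME boundary lines) are constructed for this example.

```python
"""Component-level DKIM check: verify the body hash (bh=) separately from the
signed header set, report which component is at fault, and retry the body hash
after candidate reversals of known manipulations. Added example, not FEI code;
the message, selector and the one reversal are constructed. The b= signature
is not verified here: that requires the public key published in DNS."""
import base64
import hashlib
import re


def split_message(raw):
    """(raw, still-folded header fields, body) split at the first blank CRLF line."""
    head, _, body = raw.partition("\r\n\r\n")
    fields = []
    for line in head.split("\r\n"):
        if line[:1] in (" ", "\t") and fields:
            fields[-1] += "\r\n" + line          # folded continuation line
        else:
            fields.append(line)
    return fields, body


def parse_tags(value):
    """DKIM-Signature tag=value list -> dict, with folding whitespace removed."""
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            k, v = item.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags


def canon_body(body, mode):
    """RFC 6376 3.4.3 'simple' / 3.4.4 'relaxed' body canonicalization."""
    lines = body.split("\r\n")
    if mode == "relaxed":
        lines = [re.sub(r"[ \t]+", " ", l).rstrip(" \t") for l in lines]
    while lines and lines[-1] == "":             # drop trailing empty lines
        lines.pop()
    return "".join(l + "\r\n" for l in lines)


def canon_header(field, mode):
    """RFC 6376 3.4.1 'simple' / 3.4.2 'relaxed' header canonicalization."""
    if mode == "simple":
        return field + "\r\n"
    name, _, value = field.partition(":")
    value = value.replace("\r\n", "")            # unfold
    value = re.sub(r"[ \t]+", " ", value).strip(" \t")
    return f"{name.strip().lower()}:{value}\r\n"


def dkim_components(raw):
    """Body-hash verdict plus the exact header text the signature covers."""
    fields, body = split_message(raw)
    sig = next(f for f in fields if f.lower().startswith("dkim-signature:"))
    tags = parse_tags(sig.partition(":")[2])
    modes = tags.get("c", "simple/simple").split("/")
    hmode, bmode = modes[0], (modes[1] if len(modes) > 1 else "simple")
    algo = hashlib.sha1 if tags.get("a") == "rsa-sha1" else hashlib.sha256
    bh = base64.b64encode(algo(canon_body(body, bmode).encode()).digest()).decode()
    signed, remaining = [], list(fields)
    for name in tags["h"].split(":"):            # each h= name takes the last unused match (RFC 6376 5.4.2)
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i].lower().startswith(name.lower() + ":"):
                signed.append(canon_header(remaining.pop(i), hmode))
                break
    blanked = re.sub(r"(?<=[;\s])b=[^;]*", "b=", sig)   # DKIM-Signature is hashed last, with b= emptied
    signed.append(canon_header(blanked, hmode).rstrip("\r\n"))
    return {"body": bh == tags.get("bh"), "computed_bh": bh, "signed_headers": signed,
            "signature": f"not checked here: needs the public key for s={tags.get('s')} d={tags.get('d')}"}


def reinsert_blank_line_before_boundaries(raw):
    """Hypothetical reversal (constructed for this example): put a blank line back
    in front of each MIME boundary line; a no-op where the blank line is present."""
    head, sep, body = raw.partition("\r\n\r\n")
    return head + sep + re.sub(r"(?<!\r\n)\r\n--", "\r\n\r\n--", body)


REVERSALS = [("blank line before MIME boundary", reinsert_blank_line_before_boundaries)]


def verify_with_reversals(raw, reversals=REVERSALS):
    """Retry the body hash after each reversal; return (report, name of reversal that worked or None)."""
    report = dkim_components(raw)
    if report["body"]:
        return report, None
    for name, fn in reversals:
        attempt = dkim_components(fn(raw))
        if attempt["body"]:
            attempt["note"] = "body hash verified after reversing: " + name
            return attempt, name
    return report, None


def make_sample(body):
    """Constructed message; bh= is computed from the body so the untouched sample verifies."""
    bh = base64.b64encode(hashlib.sha256(canon_body(body, "relaxed").encode()).digest()).decode()
    return ("From: Alice <alice@example.com>\r\nTo: bob@example.com\r\nSubject: test\r\n"
            'Content-Type: multipart/mixed; boundary="b1"\r\n'
            "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;\r\n"
            "\ts=sel1; h=from:to:subject; bh=" + bh + ";\r\n"
            "\tb=PLACEHOLDER_NOT_A_REAL_SIGNATURE\r\n\r\n" + body)


SAMPLE = make_sample("--b1\r\nContent-Type: text/plain\r\n\r\nHello\r\n\r\n--b1--\r\n")
```

Reading the `signed_headers` list answers the question in the request: relaxed canonicalization lowercases the field name, removes the line folding and collapses runs of whitespace, so a fold added between signed header fields does not change the hash, whereas any change inside the body (even one extra character) flips the `body` verdict to False.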

  5. Quoted emails are broken out into child objects

    Quoted emails from Replies and Forwards are parsed to create new child email records in FEI's list of emails for the collection. This would be similar to how X-Ways shows child objects for embedded content. The advantage of this would be when filtering the metadata of embedded objects. Example:

      1. employee@company.com -> employee@personal.email.com
      2. employee@personal.email.com -> new.boss@competitor.com

    In this example, email 1 is sent and then forwarded as email 2. Email 1 is then deleted and the account employee@personal.email.com is collected. All emails involving (to/from/cc/bcc) @company.com are to be collected. Since @company.com is not one of the participants to email 2, it is not identified. If the embedded email that is being forwarded in email 2 were broken out as a child object then the child object would hit on the filter for @company.com. I know that a string search across the email bodies for @company.com would also identify these emails but it would also have a lot of false positives and introduce legal complications. Lastly, the parsing required to implement this feature would likely help support development of the Email thread mapping feature I previously suggested.

    Michael Y

    1

  6. Option to split large PST by multiple data ranges without file size limitation.

    Option to split large PST by multiple data ranges without file size limitation.

    Niko C

    0

  7. Be able to merge PSTs then export/save as PST

    Be able to merge PSTs then export/save as PST

    Niko C

    0

  8. Be able to open 2 Viewers instances at same time

    When investigating 2 .msg files it will be easier to have 2 Viewer instances open.

    Niko C

    2

  9. Intel buttons should be accessible in the standalone viewer without an email loaded.

    When launching FEI and choosing to Launch Viewer, it would be nice to have access to the 4 Intel buttons (IP Intel, Domain Intel, Email Intel, and URL Intel) without loading an email. Currently they are grayed out by default. Basically, I would like to be able to use FEI to access these various APIs for things other than email investigation. FEI can currently do this but I have to load a dummy email before getting access to those features.

    Michael Y
    #Improvement 👍

    2

  10. Option to Export PST in multiple formats

    View the content of PST files and be able to export to different options such as EML, PDF and PST formats.

    Niko C

    4

  11. SPF and DMARC Validation

    Have the DKIM & ARC sub-menu also validate whether the email passes SPF and DMARC checks for the sending domain. Also, expand the DKIM validation to warn if the DKIM signature is verified but the signer does not match the sending domain. For example, I have an email with the sender listed as doe@gmail.com. The DKIM Signature is valid but the signer is webtotalsolutions.com instead of gmail.com. Basically looking for the same feature set as the DKIM Verifier plugin for Thunderbird if you're familiar with that one.

    Michael Y

    3
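The warning this request describes is DMARC identifier alignment: a valid DKIM signature only vouches for the From: domain when its d= aligns with that domain, and an SPF pass only counts when the MAIL FROM domain aligns. The following added example (not FEI or Metaspike code) applies those rules to the results an upstream mail server recorded in an Authentication-Results header. The header values are constructed around the doe@gmail.com / webtotalsolutions.com case from the request, and `org_domain()` is a deliberate two-label simplification stated as an assumption (a real implementation uses the Public Suffix List). The function does not perform DNS lookups itself.

```python
"""DMARC-style alignment on top of raw SPF/DKIM results taken from an
Authentication-Results header (RFC 8601). Added example, not FEI code: the
header values are constructed and org_domain() is a two-label simplification
of the organisational domain (real DMARC uses the Public Suffix List)."""
from email.utils import parseaddr


def org_domain(domain):
    """Simplified organisational domain: the last two labels (assumption, see above)."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def aligned(domain, from_domain, mode):
    """RFC 7489 alignment: 's' = exact match, 'r' = same organisational domain."""
    if not domain:
        return False
    if mode == "s":
        return domain.lower() == from_domain.lower()
    return org_domain(domain) == org_domain(from_domain)


def parse_auth_results(value):
    """'authserv-id; method=result prop=value ...; ...' -> [(method, result, {prop: value})]."""
    results = []
    for clause in value.split(";")[1:]:          # clause 0 is the authserv-id
        tokens = clause.split()
        if not tokens:
            continue
        method, _, result = tokens[0].partition("=")
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results.append((method.lower(), result.lower(), props))
    return results


def evaluate(from_header, auth_results, adkim="r", aspf="r"):
    """Per-method verdict ('pass', 'pass-unaligned', 'fail', ...), overall DMARC result and warnings."""
    from_domain = parseaddr(from_header)[1].rpartition("@")[2]
    v = {"from_domain": from_domain, "dkim": "none", "spf": "none", "warnings": []}
    for method, result, props in parse_auth_results(auth_results):
        if method == "dkim":
            ident, mode = props.get("header.d", ""), adkim
        elif method == "spf":
            ident, mode = props.get("smtp.mailfrom", "").rpartition("@")[2], aspf
        else:
            continue
        if v[method] == "pass":
            continue                             # an aligned pass already counted for this method
        if result == "pass" and aligned(ident, from_domain, mode):
            v[method] = "pass"
        elif result == "pass":
            v[method] = "pass-unaligned"
            v["warnings"].append(f"{method.upper()} passed for {ident}, which does not match the "
                                 f"sender domain {from_domain}")
        else:
            v[method] = result
    v["dmarc"] = "pass" if "pass" in (v["dkim"], v["spf"]) else "fail"
    return v


# Constructed inputs: the case from the request, and an aligned subdomain signer.
SENDER = "John Doe <doe@gmail.com>"
AUTH_MISMATCH = ("mx.example.org; dkim=pass header.d=webtotalsolutions.com header.s=sel1; "
                 "spf=pass smtp.mailfrom=bounce@webtotalsolutions.com")
AUTH_ALIGNED = ("mx.example.org; dkim=pass header.d=mail.example.com header.s=s1; "
                "spf=fail smtp.mailfrom=bounce@other.example")

if __name__ == "__main__":
    print(evaluate(SENDER, AUTH_MISMATCH))
    print(evaluate("alice@example.com", AUTH_ALIGNED))
```

The `pass-unaligned` verdict is the state the request wants surfaced: both SPF and DKIM are technically valid for webtotalsolutions.com, yet neither says anything about gmail.com, so DMARC fails and the message deserves a warning rather than a green tick.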

  12. Have timestamp formatting reflect the OS system regional setting or ISO 8601.

    The Timestamps sub-menu shows timestamps in the short date (yyyy-mm-dd) and long time (hh:mm:ss) format which matches the preferred one configured in my OS regional settings except that FEI uses a 12hr clock instead of a 24hr one. If you want to use hardcoded formatting then please add the option for users to switch to a 24hr clock. Otherwise please adopt the formatting specified by the user in their system's regional settings. The Attachments sub-menu appears to have a different hardcoded timestamp format of mm/dd/yyyy hh:mm:ss with a 12hr clock. Please make the formatting of this sub-menu consistent with the Timestamp sub-menu. If this timestamp were directly copied and not parsed from the email then I could understand why the formatting is different but based on my testing I believe this is a parsed value.

    Michael Y
    #Improvement 👍 #Styling 🎨

    1

  13. Export a list of selected records from a FEI project.

    Similar to the "Export list..." command in X-Ways Forensics, it would be extremely useful if I could select a set of records in an open project and right-click to "Export list..." as a .tsv or copy the contents to the clipboard. This would provide some basic reporting functionality within FEI so that I could generate a spreadsheet that could be shared with others.

    Michael Y
    #Improvement 👍 #Misc 🤷

    2

  14. Option for Timestamps to be chronological

    In the Timestamps sub-menu of the Viewer, the Timestamp (UTC) column always defaults to reverse chronological sorting. Please offer an option in the Settings to default to chronological sorting. Alternatively, you could have this sub-menu's column sorting state retained between launches of FEI. Either way, I would like to be able to view the timeline chronologically (oldest events first) all of the time. Currently, I have to re-sort the Timestamp column as the first part of my workflow, every single time I open this sub-menu.

    Michael Y
    #Improvement 👍

    4

  15. Email thread mapping for investigations

    This is a big feature request so maybe roll out aspects of it in stages.

    Part 1 would be to map out a timeline or chart showing the transfer of messages in a thread or reply chain for a single email message. So if a single email was the 4th reply in a chain of emails then all 5 emails would be plotted. Example:

      2021-08-01: Subject: FW: Re: Test, john@example.com -> eve@example.com
      2021-07-01: Subject: Re: Test, jane@example.com -> john@example.com
      2021-06-01: Subject: Re: Test, john@example.com -> jane@example.com, CC: eve@example.com
      2021-05-01: Subject: Re: Test, jane@example.com -> john@example.com
      2021-04-01: Subject: Test, john@example.com -> jane@example.com

    Part 2 would enrich the data in the plot using additional emails from an email collection which contains other emails in the thread. Color coding, comments, or tooltips could be used to indicate the reliability of the plot based on how many additional emails support the data. For example, the plot from part 1 might list all 5 records as being red (less reliable) since they are based on the body of a single email, which is editable and could be manipulated. The same thread enriched from several different individual emails (Part 2) might show the first record (2021-04-01) as being green (very reliable) since the original email is available and the contents of the first email match the quoted reply of its contents in the four subsequent emails. If the original copy of the second email (2021-05-01) was missing, then its record might be labeled orange (somewhat reliable) because although the original email is gone, all subsequent messages were in agreement when quoting its contents.

    Part 3 would be to enrich the data using whatever additional details you can pull from the email headers and server side which would hint at how many messages are supposed to have been in a thread and when they were sent.

    Michael Y
    #Improvement 👍

    2
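The two requests share one parser, so here is a single added example (not FEI or Metaspike code) that serves both: it breaks the quoted messages in a reply/forward body out into child records (the "child objects" request above), lets a participant filter hit on those children, and then merges records from several collected emails into the chronological plot of Part 1 and Part 2, colouring each hop by how many independent sources corroborate it. Quoted messages are recognised by Outlook-style `From:/Sent:/To:/Subject:` blocks (an assumption about the quoting style), and the two messages, their addresses and the `company.com` / `personal.example` / `competitor.example` domains are constructed to mirror the forwarded-to-a-competitor scenario.

```python
"""Break quoted messages in a reply/forward body out into child records,
filter on their participants, and plot the thread chronologically with a
reliability colour based on how many sources corroborate each hop. Added
example, not FEI code: the messages below are constructed, and quoted messages
are recognised by Outlook-style 'From:/Sent:/To:/Subject:' header blocks."""
import re
from email import message_from_string, policy
from email.utils import getaddresses, parsedate_to_datetime

QUOTED_HEADER = re.compile(r"^(From|Sent|Date|To|Cc|Subject):\s*(.*)$", re.IGNORECASE)


def _addrs(value):
    return sorted(a.lower() for _, a in getaddresses([value]) if a) if value else []


def _record(headers, source, kind):
    """One hop: who -> whom, when, subject, which collected file it came from, original or quoted."""
    return {"date": parsedate_to_datetime(headers.get("sent") or headers.get("date")),
            "from": (_addrs(headers.get("from")) or [""])[0],
            "to": _addrs(headers.get("to")), "cc": _addrs(headers.get("cc")),
            "subject": headers.get("subject", "").strip(), "source": source, "kind": kind}


def child_records(raw):
    """The message itself plus one child record per quoted header block in its text body."""
    msg = message_from_string(raw, policy=policy.default)
    mid = str(msg["Message-ID"])
    top = {k.lower(): str(msg[k]) for k in ("From", "Date", "To", "Cc", "Subject") if msg[k] is not None}
    records, block = [_record(top, mid, "original")], {}
    body = msg.get_body(preferencelist=("plain",)).get_content()
    for line in body.splitlines() + [""]:        # sentinel flushes a block at end of body
        m = QUOTED_HEADER.match(line.lstrip("> "))
        if m:
            block[m.group(1).lower()] = m.group(2)
        elif block:
            if "from" in block and ("sent" in block or "date" in block):
                records.append(_record(block, mid, "quoted"))
            block = {}
    return records


def involves(record, domain):
    """True when any participant (from/to/cc) belongs to the domain: the filter hit on a child object."""
    return any(p.endswith("@" + domain) for p in [record["from"]] + record["to"] + record["cc"])


def _norm_subject(subject):
    return re.sub(r"^((re|fw|fwd)\s*:\s*)+", "", subject, flags=re.IGNORECASE).lower()


def thread_map(raw_messages):
    """Merge hops across emails (key: date, sender, normalised subject) and colour by corroboration:
    green = an original copy exists, orange = quoted in 2+ independent emails, red = a single quote."""
    hops = {}
    for raw in raw_messages:
        for r in child_records(raw):
            hop = hops.setdefault((r["date"], r["from"], _norm_subject(r["subject"])),
                                  dict(r, sources=set(), original=False))
            hop["sources"].add(r["source"])
            hop["original"] = hop["original"] or r["kind"] == "original"
    rows = []
    for hop in sorted(hops.values(), key=lambda h: h["date"]):
        colour = "green" if hop["original"] else "orange" if len(hop["sources"]) >= 2 else "red"
        cc = ", CC: " + ", ".join(hop["cc"]) if hop["cc"] else ""
        rows.append(f"{hop['date']:%Y-%m-%d}: Subject: {hop['subject']}, {hop['from']} -> "
                    f"{', '.join(hop['to'])}{cc} [{colour}]")
    return rows


def _quoted(frm, sent, to, subject, cc=None):
    """Constructed Outlook-style quoted block as it appears in a reply/forward body."""
    cc_line = f"Cc: {cc}\n" if cc else ""
    return f"From: {frm}\nSent: {sent}\nTo: {to}\n{cc_line}Subject: {subject}\n\n(quoted text)\n\n"


OLDER = (_quoted("manager@company.com", "Sat, 1 May 2021 11:00:00 +0000", "employee@company.com", "Re: Test")
         + _quoted("employee@company.com", "Thu, 1 Apr 2021 12:00:00 +0000", "manager@company.com", "Test"))
CHAIN = (_quoted("manager@company.com", "Thu, 1 Jul 2021 10:00:00 +0000", "employee@company.com", "Re: Test")
         + _quoted("employee@company.com", "Tue, 1 Jun 2021 09:00:00 +0000", "manager@company.com",
                   "Re: Test", cc="assistant@company.com") + OLDER)
# Email 2 of the scenario: forwarded from a personal mailbox to a competitor, quoting the company thread.
EMAIL_A = ("Message-ID: <a@personal.example>\nFrom: employee@personal.example\nTo: new.boss@competitor.example\n"
           "Date: Sun, 1 Aug 2021 08:00:00 +0000\nSubject: FW: Re: Test\nContent-Type: text/plain\n\n"
           "FYI, see below.\n\n" + CHAIN)
# An original copy of the 2021-06-01 message, collected from the company mailbox.
EMAIL_B = ("Message-ID: <b@company.com>\nFrom: employee@company.com\nTo: manager@company.com\n"
           "Cc: assistant@company.com\nDate: Tue, 1 Jun 2021 09:00:00 +0000\nSubject: Re: Test\n"
           "Content-Type: text/plain\n\nUpdated draft attached.\n\n" + OLDER)

if __name__ == "__main__":
    print([r["from"] for r in child_records(EMAIL_A) if involves(r, "company.com")])
    print("\n".join(thread_map([EMAIL_A, EMAIL_B])))
```

Run on the two constructed emails, the top-level record of `EMAIL_A` does not match a `company.com` filter but all four of its child records do, which is exactly the hit the child-object request describes; in the thread map, the 2021-06-01 hop is green because `EMAIL_B` is an original copy, the two oldest hops are orange because both collected emails quote them identically, and the 2021-07-01 hop stays red because only one email vouches for it.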