FEC Output Settings

FEC provides a number of options regarding its output. 

Output Format

Preserved emails can be saved in the following three formats. You can choose multiple formats if you wish; FEC will save the messages in multiple formats simultaneously without requiring a conversion after the fact.

EML (MIME) Format

Regardless of which server type is used, FEC retrieves emails from mail servers over the internet in Internet Message Format as defined by RFC 5322. Messages in this format can be saved as plain text files with the .EML file extension, and can be rendered by numerous email clients. 

This format is achieved without a conversion being performed by FEC, and is therefore recommended for forensic preservation.

MSG Format

Outlook Item (.msg) File Format is based on the Compound File Binary File Format. It is used primarily to store a message object (e.g., e-mail, appointment, contact, etc.) in a file. 

MSG format is commonly used in digital forensics and eDiscovery, and is supported by FEC as an output option. Exporting messages in MSG format requires a conversion from the MIME format described above.

PST Format

Outlook Personal Folders (.pst) File Format is a complex file format that allows storing multiple message objects in a single container file.

Selection of this option requires that the MSG Format option is also selected. Additionally, Microsoft Outlook 2007 or newer must be installed on the computer where the acquisition is performed.

PST files have maximum file size limits depending on the version of Outlook. FEC allows you to split output PST files when a certain size threshold is reached. For example, in the example screenshot below, FEC would create a new PST file once the output PST reaches ~20 GB. This also helps with eDiscovery and digital forensics tools that do not play nicely with large PST files.

Once the acquisition is complete, FEC closes the output PST file and hashes it depending on your output hashing preference.

Note: MSG and PST output options require additional conversion and hashing processes. Therefore, the acquisition may take longer to complete when these options are selected.

Output Options

Decrypt S/MIME

Controls if FEC will scan for S/MIME-encrypted items and attempt to decrypt them (see S/MIME Decryption for details).

Hash Algorithm

FEC performs cryptographic hashing on the output files including EML, MSG, and PST output. You can specify MD5, SHA-1, or SHA-256 as your hashing algorithm of choice.

 n  Files per Folder

Many file systems do not deal very well with folders containing a large number of files. If you anticipate that a mail folder may contain a large number of items (e.g., larger than 10,000 messages), it may be a good idea to choose this option to have FEC create subfolders within each output mail folder.

This would break the mail folder into subfolders containing a predetermined number of files that you specify. For instance, if you specified 1,000 files per folder, an inbox containing 2,359 items may look as follows:

   \0001   —   Contains first 1,000 items
   \0002   —   Contains second 1,000 items
   \0003   —   Contains remaining 359 items

Note: FEC requires that the files per folder value be no less than 100. This is to prevent excessive subfolder creation. For instance, if the user could set this value to 1, a subfolder would have to be created for each message.

Did this answer your question? Thanks for the feedback There was a problem submitting your feedback. Please try again later.