Using FEC Remote Authenticator
FEC Remote Authenticator is a standalone application that you can provide to the owner of a Gmail / G Suite email account so that they can authenticate you remotely. This can be especially useful when the custodian uses two-factor authentication. Using FEC Remote Authenticator, eDiscovery and digital forensics practitioners do not have to know the custodian's email password at all.
The remote authentication workflow is as follows:
Custodian (owner of the mailbox) downloads a copy of FEC Remote Authenticator from our website using the following link. The same link is also available on the Forensic Email Collector (FEC) user interface under the "Remote Authentication" menu for convenience.
FEC Remote Authenticator is a single EXE file which does not require extraction, installation, administrative privileges or a license key. It does require, like the main FEC application, that the custodian's computer have .NET Framework 4.6.1 installed. We found this to be the case on most modern computers. .NET Framework 4.6.1 can also be downloaded directly from Microsoft Download Center.
The custodian runs FEC Remote Authenticator and authenticates with Gmail using the same Gmail API workflow as FEC. FEC Remote Authenticator does not ask for the custodian's password; the password is provided directly to Gmail. If two-factor authentication is enabled, the custodian can complete it via the Gmail web interface as usual.
Once authentication is complete, the following screen is displayed where the custodian can save an encrypted FEC Remote Authentication Token.
The saved token has a file name in the following format:
Once the token file is saved, the custodian can send it to you using the channel where you ordinarily exchange sensitive files with each other (e.g., file transfer system, secure FTP, etc.).
Once you receive the token file, you can launch FEC and import it using the "Remote Authentication" menu as follows:
Once the token is imported, you can perform the acquisition without having to authenticate with Gmail on your end.
Once email preservation is complete, the custodian can go to their Gmail account settings and revoke access to FEC as follows:
My Account -> Sign-in & security -> Apps with account access -> Manage Apps -> Forensic Email Collector -> Remove Access
Once access is removed, the FEC Remote Authentication Token will be invalidated. You can no longer use the token to access the custodian's emails.