Using FEC Remote Authenticator
FEC Remote Authenticator is a standalone application that you can provide to the owner of a Gmail / G Suite email account so that they can authenticate you remotely. This can be especially useful when the custodian uses two-factor-authentication. Using FEC Remote Authenticator, eDiscovery and digital forensics practitioners do not have to know the custodian's email password at all.
The remote authentication workflow works as follows:
Custodian (owner of the mailbox) downloads a copy of FEC Remote Authenticator using the download link available on the Forensic Email Collector (FEC) user interface under the "Remote Authentication" menu.
FEC Remote Authenticator is a single EXE file which does not require extraction, installation, administrative privileges or a license key. It does require that the custodian's computer have .NET framework 4 installed.
The custodian runs FEC Remote Authenticator and authenticates with Gmail using the same Gmail API workflow as FEC. FEC Remote Authenticator does not ask for the custodian's password; the password is provided directly to Gmail. If two-factor-authentication is enabled, the custodian can perform the two-factor-authentication via the Gmail web interface as usual.
Once authentication is complete, the following screen is displayed where the custodian can save an encrypted FEC Remote Authentication Token.
The saved token has a file name in the following format:
Once the token file is saved, the custodian can send the token file to you using the channel where you ordinarily exchange sensitive files with each other (e.g., file transfer system, secure FTP, etc.)
Once you receive the token file, you can launch FEC and import it using the "Remote Authentication" menu as follows:
Once the token is imported, you can perform the acquisition without having to authenticate with Gmail on your end.
Once email preservation is complete, the custodian can go to their Gmail account settings and revoke access to FEC as follows:
2. Expand Forensic Email Collector and click the REMOVE ACCESS button.
Once access is removed, the FEC Remote Authentication Token will be invalidated. You can no longer use the token to access the custodian's emails.