Using In-place Search for IMAP

Forensic Email Collector makes it possible to run pre-acquisition searches on a mailbox over IMAP to narrow down the data set. You can launch the in-place search interface for IMAP by clicking the "Perform Pre-Acquisition Search" link as shown below.

Activating FEC In-place Search for IMAP

FEC in-place search for IMAP allows you to execute your search query on the server side and preview the search results. The accuracy of the search results is dependent on the capabilities of the target IMAP server.

Note: The search is performed only in the selected mail folders. So, you can exclude certain folders from the search by deselecting them using the checkboxes in the screenshot above before you launch the in-place search interface.

What You Can Search For

FEC in-place search for IMAP allows you to build complex queries by combining search criteria and Boolean operators. 

Here are a few examples to get you started:

  • Emails that contain a string in the "From:" field. — Example:  From contains johndoe@example.com
  • Emails that contain a string in the "To:" field. — Example:  To contains robert smith
  • Emails that contain a string in the "CC:" field. — Example:  CC contains johndoe@example.com
  • Emails that contain a string in the "BCC:" field. — Example:  BCC contains johndoe@example.com
  • Emails that contain a string in the "Subject:" field. — Example:  Subject contains notice
  • Emails that contain a string in their body. — Example:  Body contains contract
  • Emails that contain a string in their headers or body. — Example: FullText contains purchase agreement
  • Emails that have an internal date within a time period. — Example: Date is between <Start Date> and <End Date>
  • Emails that have a sent date within a time period. — Example: Sent Date is between <Start Date> and <End Date>
    (Please note that some IMAP servers such as that of Yahoo do not support searching by sent date. You can use the internal date instead.)
  • Emails that contain a string in one of their header fields. — Example: Header Field Message-Id contains <2138201489.39373.1520893278445@example.com>
    (Please note that some IMAP servers such as that of Yahoo do not support header field searches).

Note: When you add multiple search terms to the search query, FEC combines the terms using an AND operator by default. You can change this by using Boolean operators as described below.

Boolean Operators

In order to combine search terms using AND or OR Boolean operators, you should first create an AND Group or an OR Group and then add the terms inside that group. 

In the example below, the two terms inside of the OR Group will be combined with the "OR" Boolean operator. The resulting query would be:  SUBJECT contains 'contract dispute' OR SUBJECT contains 'litigation hold'.

AND Groups and OR Groups can be nested. You can add terms inside a group by clicking on the group before adding the child terms using the "ADD" button.

You can also invert a term by clicking on the term, choosing "NOT" from the drop-down and clicking "Apply".

Saving The Search Query

Once you have finalized your search query, you can save it by using the SAVE button. This will close the in-place search window and activate your query. You will see a notice as in the screenshot below.

Search Query Activated

Clearing the Search Query

If you would like to clear the search query, you can click on the small (x) symbol next to the "Search Query Activated" text as shown in the figure above.

Limitations of IMAP Search

The IMAP search functionality utilized by FEC is limited to the fields (e.g., From, To, etc.) available in FEC's user interface. Attachments—except for plain text attachments that are directly accessible via the message body—are typically not indexed by IMAP servers and are not searchable.

Given the above limitations, it may be appropriate to use the IMAP search functionality in FEC to filter messages by their dates, or top-level message characteristics such as sender, recipient and subject content. It is recommended to preserve the entire mailbox and use digital forensics or eDiscovery tools after the acquisition if you plan to perform a blanket search intended to search all documents and their attachments recursively.

Yahoo Limitations

We discovered that Yahoo's IMAP server caps search results on recipient fields to 1,000 records. This is not an FEC-specific limitation, but one that applies to virtually any email client that connects to Yahoo over IMAP. Date searches performed on the Internal Date message attribute do not appear to be affected by the Yahoo search cap.

Did this answer your question? Thanks for the feedback There was a problem submitting your feedback. Please try again later.

Still need help? Contact Us Contact Us