Logs Created During Acquisition

Forensic Email Collector creates the following logs inside the "Logs" folder in the specified output directory:

1. Acquisition Log

This is a text file named using the "Acquisition_Log_yyyy-MM-dd_HH.mm.ss.fff.log" pattern and contains general information about the acquisition such as:

  • Date and time the log file was initialized, including time zone
  • The version of Forensic Email Collector that was used
  • Message and thread counts reported by Gmail
  • Information about any Google calendars connected to the account
  • Case information that was entered such as custodian name, case name, evidence ID, etc.
  • Server settings that were used
  • List of selected folders and their message counts
  • Acquisition activity including timestamps
  • Count of non-message EWS items where applicable
  • Calculated PST hash where applicable
  • The total duration of the acquisition session

2. Exception Log

This is a text file named using the "Exception_Log_yyyy-MM-dd_HH.mm.ss.fff.log" pattern and contains information about any unexpected events that occurred during the acquisition such as:

  • Any items that failed to be downloaded
  • Server throttling
  • Connectivity issues due to incorrect credentials, the server closing the connection, etc.
  • Any folders whose snapshots could not be completed

When you start a new acquisition session by resuming a previous project, FEC keeps the old exception log in the output folder for reference and creates a new one. The exception log with the latest timestamp reflects the exceptions associated with the last acquisition session.

3. Downloaded Items Log

This is a tab-delimited text file named using the "Downloaded_Items_yyyy-MM-dd_HH.mm.ss.fff.tsv" pattern that lists the items that were downloaded and contains information about them such as:

  • FEC's internal identifier for the item
  • Service provider's ID for the item
  • The folder where the item was found
  • Output paths for the MIME and MSG copies
  • Cryptographic hash values for the MIME and MSG copies
  • IMAP flags where applicable
  • IMAP UIDs where applicable
  • Gmail labels where applicable
  • Internal date values where applicable

The number of lines in the Downloaded Items log matches the number of files you should expect to find in the MIME and MSG output folders. If the "Duplicate Items for Each Label" option was selected for Gmail, the Downloaded Items log contains items with duplicate IDs but unique output paths to reflect the duplication.

If you start a new acquisition session by resuming a previous project, FEC keeps the old Downloaded Items log in the Logs folder for reference, and creates a new one that reflects the complete set of downloaded items at the end of the new acquisition session.

4. Remaining Items Log

This is a tab-delimited text file named using the "Remaining_Items_yyyy-MM-dd_HH.mm.ss.fff.tsv" pattern that lists the items that were not downloaded at the end of the acquisition session and contains information about them such as:

  • FEC's internal identifier for the item
  • Service provider's ID for the item
  • The folder where the item was found

If you start a new acquisition session by resuming a previous project, FEC keeps the old Remaining Items log in the Logs folder for reference, and creates a new one that reflects the remaining items at the end of the new acquisition session.

5. IMAP Logs

During IMAP acquisitions, FEC keeps IMAP logs that reflect the requests FEC makes to the IMAP server, and the server's responses to those requests. There are separate logs for the mailbox listing, search, and acquisition phases named as follows:

IMAP_Acquisition_yyyy-MM-dd_HH.mm.ss.fff.log
IMAP_MailboxListing_yyyy-MM-dd_HH.mm.ss.fff.log
IMAP_PreAcquisitionSearch_yyyy-MM-dd_HH.mm.ss.fff.log

6. Non-message Exchange Items Log

This is a tab-delimited text file named using the "Non-message_EWS_Items_yyyy-MM-dd_HH.mm.ss.fff.log" pattern that lists the Exchange items that were outside of the supported item types (i.e., messages, calendar items, notes, and contacts). The number of items listed in this log file matches the count for non-message EWS items in the acquisition log. The log contains information about the skipped items such as:

  • FEC's internal identifier for the item
  • Service provider's ID for the item
  • The folder where the item was found
  • Exchange Item Class for the item
Did this answer your question? Thanks for the feedback There was a problem submitting your feedback. Please try again later.