Batch Creating Acquisition Projects

When acquiring multiple mailboxes from the same server, Forensic Email Collector allows you to load a list of target email addresses to batch-create acquisition projects.

You can accomplish this as follows:

1. Start a new acquisition

2. On the connection settings page, click the Add Additional Targets... link

3. Select the file that contains the list of target email addresses (see below for the format of this file)

4. On the folder selection page, click the Create Additional Projects button.

5. FEC will create a separate acquisition project for each additional target email address in your output directory.

Note: The project settings you specified during your initial acquisition session will carry over to the additional target projects except for your folder selection. For the additional projects, FEC will select all folders.

Format of The Target Email Address List

1. When Using Delegation / Impersonation

If you are using delegation or impersonation available for Google Workspace (formerly called G Suite), Exchange, and O365, you do not have to provide separate credentials for each target account. Your target email address list should simply be a text file containing a list of email addresses, with the string "TargetEmail" on the first row. For example:

TargetEmail aallender@metaspike.com aglover@metaspike.com alinson@metaspike.com aringdahl@metaspike.com bhilyard@metaspike.com cbuskey@metaspike.com cdonovan@metaspike.com cfuentez@metaspike.com dgarren@metaspike.com ecassell@metaspike.com edelisa@metaspike.com egooslin@metaspike.com egrothe@metaspike.com emcardle@metaspike.com

2. When Authenticating with Each Mailbox Individually

If you are authenticating with each mailbox individually, you will need to provide the username and password for each account in your target email address list. The columns on your list should be separated by tabs, and the header names for the username and password fields should be "Username" and "Password". You can accomplish this easily by creating the list in Excel, and then copying it to a text file. For example:

Would look as follows once copied to a text file:

TargetEmail Username Password aallender@example.com aallender@example.com 12412412r aglover@example.com aglover@example.com 12r892eg2 alinson@example.com alinson@example.com 2q38745g9 aringdahl@example.com aringdahl@example.com 4583y54g3 bhilyard@example.com bhilyard@example.com vwoeug23f2 cbuskey@example.com cbuskey@example.com eg249g723 cdonovan@example.com cdonovan@example.com 3592h8qfor cfuentez@example.com cfuentez@example.com wrhwe2fuefw dgarren@example.com dgarren@example.com 9gefqeen ecassell@example.com ecassell@example.com q3ef9gqegqe edelisa@example.com edelisa@example.com feuoqoqef egooslin@example.com egooslin@example.com dqqwf8yh

Mailbox Enumeration with Google Workspace

When using domain-wide delegation of authority with Google Workspace, you can have FEC enumerate the mailboxes and help you add them as additional targets. You can trigger this feature by clicking on the Explore Mailboxes hyperlink as in the screenshot below:

Explore Mailboxes in Google Workspace

The following requirements have to be met in order to use the Explore Mailboxes feature:

  1. The Service Account you are using should be authorized for the admin.directory.user.readonly scope as outlined in our domain-wide delegation documentation.
  2. The target email address you used to start the acquisition (i.e., first page in FEC) should be an administrator in the target Google Workspace organization.

Performing In-place Searches on All Acquisitions

You can have all targets searched using the same in-place search criteria by specifying it in your initial acquisition session. Since project settings carry over to the additional targets, all target acquisitions will be searched using the same criteria.

Decrypting S/MIME in All Acquisitions

If you choose the "Decrypt S/MIME" option while setting up your initial acquisition project, all additional acquisition projects will also have this setting applied. You can add all the certificates needed for decryption ahead of time, or use the computer's certificate store, so that FEC can decrypt S/MIME-encrypted items across the board.

Launching the Additional Acquisition Sessions

You can start the additional acquisition sessions by double-clicking on them and clicking the RESUME button. Additionally, FEC creates a batch file named !Run_Projects.bat in your output folder which can be used to launch the projects one after the other.

Did this answer your question? Thanks for the feedback There was a problem submitting your feedback. Please try again later.

Still need help? Contact Us Contact Us