Error Message Cheat Sheet
Here is a list of error messages and codes you might come across when using FEC:
Exchange / O365
"The server cannot service this request right now. Try again later." Indicates that the Exchange server is in a throttling state. You can find more information on throttling and how to work around it here.
"Unauthorized (Code 401)" The Exchange server denied access to the target mailbox. This may be caused by incorrect credentials or a permissions issue.
"Too many concurrent requests for user" or "Rate Limit Exceeded (Code 429)" Indicates that Gmail is in a throttling state. You can find more information on throttling and how to work around it here.
"invalid_grant Invalid JWT Signature" This message is typically encountered when using domain-wide delegation to authenticate with Google Workspace (formerly called G Suite) and indicates that the computer on which FEC is running may not be keeping accurate time. Correcting the computer's time should resolve the issue.
"File not found (Code 404)" Indicates that the Drive attachment or revision FEC is requesting is no longer available. It might have been deleted from Google Drive.
"The user does not have sufficient permissions for file (Code 403)" Indicates that the authenticated user does not have the authority to access the requested file. This message is more common when requesting revisions as the user may have the required permissions to view a Drive attachment, but not its revisions.
"This file is too large to be exported" Indicates that the native Drive attachment (e.g., Google Docs, Sheets, Slides document) is larger than the 10 GB Drive API export limit. Starting with v3.13, FEC will be able to export such files using a fallback method. Alternatively, they can be exported by acquiring Drive revisions for that parent message.
"This file cannot be exported by the user" Indicates that the target account does not have the necessary permissions to export the Drive attachment. This can happen if the owner chooses the “can view” or “can comment” option and also checks the option to “Disable options to download, print, and copy for commenters and viewers” when sharing a file.
"AUTHENTICATE Invalid credentials (NO)" Indicates that the server denied access to the target mailbox. This may be caused by incorrect credentials, or a server such as Yahoo, AOL, or iCloud which requires app-specific passwords.
"Message not found" Indicates that the message FEC requested was not available. This may be caused by a message being deleted or moved by the end-user between when FEC took a snapshot of its parent folder, and when it actually attempted to acquire the message. To work around this issue, the end-user should be advised to refrain from accessing the target mailbox using any email client while forensic preservation is in progress. Note that services that automatically categorize and organize messages in a mailbox can also cause this issue if they move messages during the acquisition.
"A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond." Indicates a connectivity problem such as the connection to the target IMAP server being blocked by a firewall or other network device. Please review the following document regarding which ports are typically used by FEC: Which Network Ports Does Forensic Email Collector Use?
"Unexpected continuation request received from the server" In the context of Yahoo Mail, we have observed that this error is thrown (as of October 2022) when an attempt is made to access the target mailbox using the target user's account password rather than an App Password. Generating and using an App Password should resolve the issue.