S/MIME Decryption
Forensic Email Collector (FEC) can decrypt S/MIME-encrypted emails while an email acquisition is running. Decrypting during the acquisition rather than afterwards has a concrete benefit for Gmail / Google Workspace (formerly called G Suite) acquisitions: Google Drive attachments and revisions referenced from inside encrypted emails can be acquired along with the messages, which is only possible once the message bodies have been decrypted and the Drive links are visible.
Supported Encryption Algorithms and Padding Schemes
The following encryption algorithms are supported during S/MIME decryption:
- AES-128
- AES-192
- AES-256
- 3DES
- DES
- RC2
DES and RC2 are included for legacy messages only; they offer no meaningful protection today, but a collection has to decrypt whatever algorithm the sender's client used.
The following RSA key-transport padding schemes, used to wrap the per-message content-encryption key for each recipient, are supported:
- Public-Key Cryptography Standards (PKCS) #1 v1.5
- Optimal Asymmetric Encryption Padding (OAEP)
Enabling S/MIME Decryption
You can enable S/MIME decryption on the Output Settings page as shown in the screenshot below:
Once S/MIME decryption is enabled, you will be presented with an optional "Add certificates..." link. If you do not add any certificates, FEC will look for available certificates in the certificate store of the computer where FEC is running.
Note: If you are not running the acquisition on the target custodian's computer and do not possess any certificates that could be used for S/MIME decryption, enabling S/MIME decryption is generally not useful. That said, although FEC cannot decrypt messages without the necessary certificates (specifically, the recipients' private keys), it will still attempt to identify and log encrypted messages, which can be helpful in some cases, for example to establish which custodians' certificates you need to obtain. This additional scanning step introduces a minor acquisition performance impact.
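The identify-and-log step described in the note above, together with the algorithm list in the previous section, can be reproduced outside FEC. The following is an added example (not FEC's or Metaspike's code) that uses only the Python standard library: it finds S/MIME-encrypted parts by their `application/pkcs7-mime; smime-type=enveloped-data` content type, walks the CMS EnvelopedData structure, and logs the content-encryption algorithm, the RSA key-transport padding and the issuer/serial of the certificate whose private key would be needed. The message it scans is constructed inline with dummy key and ciphertext bytes, so it exercises the CMS framing but cannot actually be decrypted; the `OID_NAMES` table maps the OIDs to the algorithm names used on this page.

```python
"""Added example (not FEC's code): identify S/MIME-encrypted messages in raw .eml
data and log what decrypting each one would require. Standard library only."""
from email import message_from_bytes, policy
from email.message import EmailMessage

# Content-encryption algorithms listed above plus the two RSA key-transport schemes.
OID_NAMES = {"2.16.840.1.101.3.4.1.2": "AES-128-CBC", "2.16.840.1.101.3.4.1.22": "AES-192-CBC",
             "2.16.840.1.101.3.4.1.42": "AES-256-CBC", "1.2.840.113549.3.7": "3DES-CBC",
             "1.3.14.3.2.7": "DES-CBC", "1.2.840.113549.3.2": "RC2-CBC",
             "1.2.840.113549.1.1.1": "RSA PKCS#1 v1.5", "1.2.840.113549.1.1.7": "RSAES-OAEP"}
ENVELOPED_DATA, DATA = "1.2.840.113549.1.7.3", "1.2.840.113549.1.7.1"
ATTR = {"2.5.4.3": "CN", "2.5.4.10": "O", "2.5.4.6": "C"}

# Minimal DER helpers: encoders build the constructed sample, decoders drive the parser.
def der(tag, *parts):
    body = b"".join(parts)
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")      # long-form length
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def encode_oid(oid):
    arcs = [int(a) for a in oid.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a >> 7:                                      # base-128, high bit = continuation
            a >>= 7
            chunk.insert(0, 0x80 | (a & 0x7F))
        out += chunk
    return der(0x06, bytes(out))

def decode_oid(raw):
    arcs, n = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def children(value):
    """Split a constructed DER value into (tag, inner_bytes) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, length, pos = value[pos], value[pos + 1], pos + 2
        if length & 0x80:
            n = length & 0x7F
            length, pos = int.from_bytes(value[pos:pos + n], "big"), pos + n
        out.append((tag, value[pos:pos + length]))
        pos += length
    return out

def parse_enveloped_data(p7m):
    """Log the content-encryption algorithm and, per recipient, the key-transport
    scheme and the certificate (issuer + serial) whose private key is needed."""
    (_, oid), (_, explicit) = children(children(p7m)[0][1])   # ContentInfo
    if decode_oid(oid) != ENVELOPED_DATA:
        raise ValueError("not a CMS EnvelopedData structure")
    fields = children(children(explicit)[0][1])                # EnvelopedData SEQUENCE
    recipients = next(v for t, v in fields if t == 0x31)       # SET OF RecipientInfo
    eci = next(v for t, v in fields if t == 0x30)              # EncryptedContentInfo
    cek_oid = decode_oid(children(children(eci)[1][1])[0][1])
    report = {"content_encryption": OID_NAMES.get(cek_oid, cek_oid), "recipients": []}
    for tag, ri in children(recipients):
        if tag != 0x30:        # [1] KeyAgree, [2] KEK, [3] password: not RSA key transport
            report["recipients"].append({"key_encryption": "unsupported recipient type"})
            continue
        _, (rid_tag, rid), (_, kea), _ = children(ri)          # KeyTransRecipientInfo
        kea_oid = decode_oid(children(kea)[0][1])
        entry = {"key_encryption": OID_NAMES.get(kea_oid, kea_oid)}
        if rid_tag == 0x30:                                    # IssuerAndSerialNumber
            (_, issuer), (_, serial) = children(rid)
            entry["issuer"] = ",".join(
                f"{ATTR.get(decode_oid(children(ava)[0][1]), '?')}={children(ava)[1][1].decode()}"
                for _, rdn in children(issuer) for _, ava in children(rdn))
            entry["serial"] = serial.hex()
        else:                                                  # [0] SubjectKeyIdentifier
            entry["subject_key_id"] = rid.hex()
        report["recipients"].append(entry)
    return report

def find_encrypted(raw_eml):
    """Parsed EnvelopedData for an S/MIME-encrypted message, or None if not encrypted."""
    msg = message_from_bytes(raw_eml, policy=policy.default)
    for part in msg.walk():
        if (part.get_content_type() in ("application/pkcs7-mime", "application/x-pkcs7-mime")
                and part.get_param("smime-type") == "enveloped-data"):
            return parse_enveloped_data(part.get_payload(decode=True))
    return None

def sample_eml(cek="2.16.840.1.101.3.4.1.42", kea="1.2.840.113549.1.1.1", serial=0x01A2B3):
    """Constructed message: correct CMS framing around dummy key and ciphertext bytes."""
    issuer = der(0x30, der(0x31, der(0x30, encode_oid("2.5.4.3"), der(0x0C, b"Example CA"))))
    rid = der(0x30, issuer, der(0x02, serial.to_bytes(3, "big")))
    params = der(0x05) if kea == "1.2.840.113549.1.1.1" else der(0x30)   # NULL vs OAEP defaults
    ri = der(0x30, der(0x02, b"\x00"), rid, der(0x30, encode_oid(kea), params),
             der(0x04, b"\x00" * 256))                          # dummy wrapped CEK, RSA-2048 sized
    eci = der(0x30, encode_oid(DATA), der(0x30, encode_oid(cek), der(0x04, b"\x11" * 16)),
              der(0x80, b"\x22" * 48))                          # [0] IMPLICIT encryptedContent
    p7m = der(0x30, encode_oid(ENVELOPED_DATA),
              der(0xA0, der(0x30, der(0x02, b"\x00"), der(0x31, ri), eci)))
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "alice@example.com", "bob@example.com", "Q3 report"
    msg.set_content(p7m, maintype="application", subtype="pkcs7-mime", cte="base64",
                    filename="smime.p7m", params={"smime-type": "enveloped-data"})
    return msg.as_bytes()
```

Comparing the logged issuer and serial against the certificates you actually hold is the check that tells you, before an acquisition starts, whether enabling decryption will achieve anything. The legacy `application/x-pkcs7-mime` type is handled; non-RSA recipient types (key agreement, KEK, password) are flagged rather than parsed, since FEC's supported padding schemes above are both RSA key transport.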
Adding Certificates
Through the "Add certificates..." link, you can add certificates in PKCS #12 (.pfx or .p12) or DER format for decryption. Decryption requires the recipient's private key, not just the certificate, so the file you add must carry that key; a PKCS #12 bundle normally contains both the certificate and its private key, protected by the export password. You can add multiple certificates if needed, which also lets you pre-load all the necessary certificates ahead of time when batch creating acquisition projects.