Getting Started with Forensic Email Collector

System Requirements

We’ve designed Forensic Email Collector (FEC) to be lean and mean. For best performance, we recommend that you install it on a computer along these lines:

• PC running 64-bit Windows 10 Version 1607+ or later
• Quad-core processor
• 8 GB or more RAM
• Modern web browser (for OAuth)
• Stable internet connection

If you’re behind a firewall, you may also need to open a few ports for FEC to do its job.

Installation & Licensing

Installing FEC takes only a few minutes:

• Follow the download link we sent you when you purchased FEC and grab a fresh copy
• Run the installer
• If you have a dongle, plug it into your computer
• Launch FEC
• If you do not have a dongle, click the I have a soft license key… I have a soft license key… button and enter your license key

That’s it! You are now ready to preserve email and cloud drive evidence.

Can we help?

If we can help with anything, please reach out to us anytime. We would love to hear from you!

Community Membership

We strongly recommend creating an account in our DFIR Community. At the Community, you can access FEC downloads directly, connect with other DFIR professionals, learn tips and tricks, and share your experiences.

What to Read First

Note

This section comprises a small selection of our core documents that we recommend reading. Feel free to pick and choose the ones that suit your immediate needs—you can always come back to the rest later.

Our Forensic Email Preservation Best Practices guide is a good place to start as it covers many of our recommendations regarding key FEC functionality.

The next area to focus on is often Authentication. You would ordinarily Use FEC Remote Authenticator to authenticate with providers for individual mailboxes, or Domain-wide Delegation or App-only Authentication for batch acquisitions.

Another core feature of FEC is its ability fo filter and search mailboxes before (In-place Search) or during (Inline Search) acquisitions.

If you are interested in preserving modern attachments of emails, you can learn more here. FEC supports modern attachment acquisitions from Google Drive, OneDrive, and SharePoint.

It is also possible to acquire Google Drive, OneDrive, and SharePoint data directly, without an email acquisition. We call this feature Direct Drive acquisitions. You can interrogate a Drive using Drive Explorer 🎥 prior to the acquisition to generate metadata listings, or to filter and search Drive items.

FEC plays nicely with Google Vault and can help you get existing Vault exports—especially with Google Drive modern attachments—get ingestion ready using its Local Vault Acquisition Workflow. Vault acquisitions containing data from multiple custodians are supported.

Before kicking off your first acquisition, we also recommend reviewing FEC’s output settings.

Idea Board and Changelog

If you have any suggestions or feature requests, we would love it if you posted them to our idea board. While there, you can also review FEC’s changelog.