Email Forensics Software (recover, collect, search, convert)

The #1 forensic email collector and search tool for professionals.

Email is still king when it comes to communication, especially in the professional world. According to Statista, around 347 billion emails are sent daily in 2023. And those numbers keep increasing!

Why does this matter?

Because email produces such vast amounts of Electronically Stored Information (ESI), it’s usually a dominating component of ediscovery and digital forensics investigations. Many cases have been solved after finding incriminating data in email messages or their attachments. Unfortunately, investigations relying on suboptimal email forensics tools have taken longer to resolve than necessary and, in some cases, may even have failed.

Don’t make that mistake! Choosing a quality forensic email collector can make the difference between quickly solving a crime and failing to find the incriminating information. This is why you should consider Aid4Mail an essential component of your digital forensics tools. It is based on years of expertise in the field of email processing. Expertise that began in 1999 and led to the release of our first email forensics tool in 2002. That’s way longer than all our competitors.

Compared to other forensic tools
High speed forensic email collector
Unrivaled search features
Effective email recovery
Collect mail from files and servers
Preserve email evidence
Email forensics made easy
Get help when you need it
Flexible licensing options
Try Aid4Mail for free
Why choose Aid4Mail?

How does Aid4Mail compare to other computer forensics tools?

First of all, Aid4Mail only deals with emails and their attachments. But it can collect, find, and recover mail that other forensics tools miss—Aid4Mail is an industry leader in this domain.

Secondly, Aid4Mail’s workflow differs greatly from digital forensics software like FTK, Encase, and Nuix. As its primary job is to collect, filter, and convert emails, the whole process takes a fraction of the time needed by traditional computer forensics tools. Here’s why:

Once configured, Aid4Mail can operate without user intervention. There is no manual review stage to interrupt the streamlined workflow.
Aid4Mail’s native pre-acquisition filtering can significantly reduce the volume of data downloaded from mail servers like Microsoft Exchange, Office 365, and Gmail.
With no review stage, Aid4Mail doesn’t need to build search indexes. This saves a lot of time and system resources.

As a result, you can process terabytes of email data, unattended from start to finish, fast and accurately.

Furthermore, since the whole process happens on-premises, you don’t incur any third-party charges for the volume of data processed and stored. This can significantly reduce costs.

Although you can’t review email data directly in Aid4Mail, if your forensic email collection is small enough, Aid4Mail can easily convert it to a searchable format. For example:

PST, then review emails in Microsoft Outlook.
Mbox, then review emails in Mozilla Thunderbird.
PDF, then review emails in Adobe Reader.
HTML, then review emails in your browser.
CSV, then review emails in Microsoft Excel.
Plain text, then review emails in a text editor.

If you cannot cull down your forensic email collection to a reasonable size, consider transferring Aid4Mail’s output into a comprehensive e-discovery platform (e.g., FTK, Encase, AXIOM, etc.). In this respect, Aid4Mail is an excellent complement to other digital forensics tools.

Use a high-speed forensic email collector

Aid4Mail has been optimized for speed and stability. It can work through terabytes of data without user intervention. In tests with local files, Aid4Mail performed 6 to 10 times faster than its competitors! For example, a forensic email collection taking a week to complete with a competing solution would require just one day with Aid4Mail—a considerable time-saving.

With Aid4Mail Investigator and Aid4Mail Enterprise, you can run multiple processing tasks simultaneously, taking full advantage of your computer’s hardware and saving more time. For example, four tasks may all use the same input but different filters, and output to separate folders within the same PST file. All four tasks could be run concurrently and unattended while you’re working on something else. This example is shown in the screenshot below.

Alternatively, simultaneously collect email accounts from several employees under investigation, or multiple source formats from a single custodian. For example, their Microsoft 365 account, Gmail account, local Thunderbird files, and archived EML files, merging them into the same batch of target PST files. Set the project up and let it run overnight so no time is wasted.

Collecting email from your custodians’ cloud-based accounts is made easier with Aid4Mail Remote Authenticator, a free stand-alone utility that they can download and run without installation. It enables the account owner to grant Aid4Mail secure, temporary access to their email service or IMAP account without providing full login credentials and without having a copy of Aid4Mail.

Unrivaled forensic email search features

Collecting the appropriate data and finding specific incriminating information is crucial. Fortunately, Aid4Mail’s forensic email search and filter features are second to none.

In addition to the basic folder filtering available in all editions, Aid4Mail Investigator and Aid4Mail Enterprise add date and keyword filtering, and the ability to create complex search queries. These can include:

Fielded searches (including attachments and file metadata)
Boolean constructs
Comparisons
Proximity search operators
Deduplication
Wildcards and Regular Expressions
Externally-stored search lists (for large numbers of keywords or phrases)
Stemming (up to 24 languages) and tokenization

Native pre-acquisition search is also available for mail services that support it, like Outlook (including PST files), Gmail, Microsoft 365, and IMAP. This can significantly reduce the data Aid4Mail needs to process locally, speeding up the whole operation.

Support for Python scripts means you can completely customize Aid4Mail’s filters and add complementary features. For example, integrate OCR into your search or scan images for nudity.

Forensic email recovery from the most obscure places

Aid4Mail Investigator and Aid4Mail Enterprise can search hidden places—often the location of incriminating evidence. These include double-deleted (unpurged) emails, hidden Exchange folders (Recoverable Items), and unallocated space that’s been forensically extracted or is part of an uncompressed disk image. They can “carve” out MIME emails from almost any file, including corrupt and unsupported mailboxes.

Aid4Mail recoverable items in folder view.

While these features are not unique to Aid4Mail, its performance is outstanding. In tests, Aid4Mail finds emails in unallocated space that other forensic email recovery tools can’t detect. It finds whole emails when others often only find fragments. Even if you already use a digital forensics platform, Aid4Mail can be beneficial by finding evidence that these tools often miss.

Collect email from most file formats and webmail services

Aid4Mail supports most popular email formats, mail apps, and webmail services, including PST files, as input and output. When available, additional metadata can be added to email headers.

Output formats for manual review or producing evidence in court are also available. Many, like PDF, HTML, CSV, and TSV, can be customized: Header fields can be included or excluded, Bates stamps inserted, and folder hierarchies and filenames tailored. HTML exports even provide an option to create an online viewer with email and folder selection, and a metadata search bar to filter the email list.

Here’s a complete list of Aid4Mail’s supported source and target mail formats:

Source:

Gmail / Google Workspace
Microsoft 365
Outlook profile / Exchange
PST ¹
OST
OLM (Outlook for Mac)
MSG ¹
IMAP (for webmail)
EML
Mbox
Maildir
Mozilla Thunderbird
Mozilla SeaMonkey
Apple Mail (EMLX)
Google Takeout
Google Vault exports ²
Mimecast exports ²
Proofpoint exports ²
MIME emails in any file ³

Target:

Gmail / Google Workspace ²
Outlook profile / Exchange ²
PST ¹
MSG ¹
IMAP (for webmail) ²
EML
Mbox
Mozilla Thunderbird
Mozilla SeaMonkey
PDF, PDF/A, PDF/X
HTML
CSV
TSV
XML
Plain text

¹ With or without Outlook

² Aid4Mail Enterprise only.

³ Aid4Mail Investigator and Aid4Mail Enterprise only. The file must not be in a compressed or encrypted container (disk images and extracted unallocated space).

Preserve email evidence

Maintaining the integrity of email after conversion from one format to another is crucial to avoid loss of evidence. Aid4Mail’s email conversion engine is the most accurate on the market. It is fully Unicode-compatible and preserves more visible and hidden data than any of its competitors.

Visible data

To, From, Date, and Subject fields
Status information (Read, Replied, Starred, etc.)
Message text
Message formatting
Diacritical marks / accented characters (like é, ô and ç)
Non-Latin characters (for example 你好)
Embedded images and other media
Attachments and their filenames
Folder/label hierarchy

Here’s an example of how much better Aid4Mail performs with visible data. Notice that it has no problem with the accented characters in the first line, the embedded image, or the Chinese attachment name at the bottom.

Email conversion by a competitor, showing accented characters incorrectly replaced by symbols, a missing image and incorrect attachment name. — Conversion by a competitor (visible data)

Email conversion by Aid4Mail without any issues. — Conversion by Aid4Mail (visible data)

Hidden data

Metadata in the email header
Server relay information
Digital signing

The following example shows Aid4Mail’s superiority with hidden data. Notice how much more metadata in the email SMTP header is preserved by Aid4Mail:

From: =?UTF-8?Q?"Bill Caff=c3=a9" <bill@aid4mail.net>?=
To: =?UTF-8?Q?"St=c3=a9phane Fran=c3=a7ois" <steve@aid4mail.net>?=
cc: =?UTF-8?Q?"'Lisa Gruy=c3=a8re'" <lisa@gruyere.org>?=
cc: "John Fire" <john@aid4mail.net>
cc: "Tim Sand" <tim@aid4mail.net>
Priority: Low
X-Priority: 5
X-Mozilla-Status: 0001
Subject: Poem by Charles Baudelaire
MIME-Version: 1.0
Message-ID: <001901cbcf87$707c25b0$51747110$@aid4mail.net>
Date: Fri, 18 Feb 2011 17:18:13 0100
Content-Type: multipart/alternative;boundary="Next_Item:_(A3CB49KFSA19)/1"

Conversion by a competitor (hidden data)

Return-path: <bill@aid4mail.net>
Envelope-to: bill@aid4mail.net
Delivery-date: Fri, 18 Feb 2011 11:18:13 -0500
Received: from 131-39.62-81.cust.bluewin.ch ([81.62.39.131]:17353 helo=PrecisionT3500)
  by centaur.dewahost.net with esmtpa (Exim 4.69)
  (envelope-from <bill@aid4mail.net>)
  id 1PqT25-00058l-7Z; Fri, 18 Feb 2011 11:18:13 -0500
From: =?utf-8?Q?Bill_Caff=C3=A9?= <bill@aid4mail.net>
To: =?utf-8?Q?St=C3=A9phane_Fran=C3=A7ois?= <steve@aid4mail.net>
Cc: =?utf-8?Q?'Lisa_Gruy=C3=A8re'?= <lisa@gruyere.org>,
  "John Fire" <john@aid4mail.net>,
  "Tim Sand" <tim@aid4mail.net>
Subject: Poem by Charles Baudelaire
Date: Fri, 18 Feb 2011 17:18:08 +0100
Organization: Fookes Software
Message-ID: <001901cbcf87$707c25b0$51747110$@aid4mail.net>
MIME-Version: 1.0
Content-Type: text/plain;
  charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Priority: 5 (Lowest)
X-MSMail-Priority: Low
X-Mailer: Microsoft Outlook 14.0
Importance: Low
Thread-Index: AcvPhydgtD/Fiez1TJSn19MfhrGhJw==
Content-Language: en-us
Status: RO
X-Folder: Inbox

Conversion by Aid4Mail (hidden data)

Email forensics investigations made easy

Improve case completion with the help of Aid4Mail:

Simple and intuitive user interface.
Hands-off processing. Large forensic email collections can take hours or even days to process. Once you run a conversion in Aid4Mail, it will churn through the mail without further intervention. If there’s a problem with an email, it will try again. If the email can’t be processed, Aid4Mail will save a backup, log the issue, and move on.
Use the command-line interface (CLI) in Aid4Mail Enterprise to automate email processing and integrate with other tools.
Use familiar search operators similar to those used by Gmail and Microsoft 365 (Aid4Mail Investigator and Aid4Mail Enterprise only).
Progress statistics and logs provide a detailed overview of the collection, filter, and conversion processes.
There are also Accessibility features like high-contrast mode, zoom, and keyboard-only navigation to help users with special needs.

Options to avoid pre/post-processing and manual review in your email forensics investigation. For example:

Create PDF files directly instead of as a second step. You can have one email per PDF or combine them all together.
Add Bates stamps to documents as they’re produced.
Incremental processing: Run the same conversion multiple times, and Aid4Mail can skip already processed emails.
Remove the envelope around Journaled emails.
Split, combine, or restructure mailboxes and folder hierarchies.
Rebuild the folder hierarchy of Google Takeout and Google Vault exports.
Create custom filenames using unique hashes, email fields, Bates numbering, case information, and more.

Get help when you need it

We’re known for our customer support! All editions of Aid4Mail come with:

Context-sensitive help with a description of each setting. Press F1 in Aid4Mail, and it will open in the right place.
A comprehensive user manual, available in PDF and CHM formats for offline use.
Knowledge Base articles on our website.
Access to our award-winning helpdesk, which typically responds to questions within hours.

Flexible licensing options

Aid4Mail licenses allow you to process an unlimited number of mail accounts and files, whether in-house or external. You can purchase a one-year license, or three years at a reduced price. You benefit from free software updates and our award-winning customer support during the license validity period.

On purchasing a license, you will receive an activation code that gets you up and running with Aid4Mail within minutes of making your payment. Once activated, trial mode is turned off, and your license becomes tied to your computer and Windows login account. See our EULA for details on how this works.

If you need to run Aid4Mail on a computer that doesn’t allow Internet access, simply contact us for an offline activation code. There is no charge for this option, but it offers less flexibility than online activation.

We also offer licensing options for running Aid4Mail in a virtual environment. Pricing is determined by the number of concurrent users plus the total number of users and installations. Contact us for a quote.

If you’re ready to buy an Aid4Mail license, visit our Buy Now page for pricing details and links to our online store.

Go To Pricing

To see a detailed feature comparison between the three Aid4Mail editions, check our Aid4Mail 5 feature comparison table in PDF format.

Try Aid4Mail for free

There’s much more to Aid4Mail; the best way to discover its capabilities is to try it out. We offer a free trial version with no time limit and no obligations. Simply visit our Downloads page to get your free trial and start using it within minutes.

Go To Downloads

Why choose Aid4Mail?

We have been developing software since 1989. Our first email tool was launched in 1999, and Aid4Mail followed in 2005. So our experience in processing email data spans over two decades. Longer than all other forensic tools for email investigation!

All core functionality in Aid4Mail is developed in-house. This means that key features are tightly integrated and optimized for speed. We are in complete control of our code, including major components like email parsing and conversion, the filtering engine and its search syntax, MAPI access to Outlook accounts, and even the IMAP protocol used to connect with services like Yahoo! Mail and AOL.

Important clients around the world are relying on our software. These include the US government and law enforcement agencies, top law firms, national libraries, prestigious universities, major banks, and international NGOs. Half of the Fortune 50 companies are Aid4Mail clients, and the numbers keep growing. For confidentiality reasons, we do not disclose their names.

Client testimonials

Aid4Mail exceeds our expectations on the speed in which it can convert data. It can convert larger amounts of data in no time at all. I would say it’s at least twice as fast as the rest of our tools

Jon Hanna, ESI Manager – Advanced Discovery (USA)

Aid4Mail is a spectacular product. I don’t think people realize how hard it is to reliably convert email from one format to another, and then do it at scale the way you do. It really is quite an accomplishment.

Matt Coan, Sonian

I often recommend my clients utilize Aid4Mail to assist in the conversion, search, and export of emails to aid in their eDiscovery cost containment strategies. Aid4Mail impressively allows flexibility in handling the myriad email formats found on modern computers, and is one of my must-have tools.

Richard D Lutkus – Partner – Seyfarth Shaw LLP (UK)

I work for a law firm and we used your product to convert a MBOX file to PST. This software worked brilliantly, it even fixed corruption that existed when we attempted to do it manually or with other software. Thank you for that.

Gregory Kerr, Lubin Olson & Niewiadomski LLP (USA)

Aid4Mail Rated 5 Stars at SourceForge!

An Aid4Mail user wrote on SourceForge. “I’m a litigation paralegal and a satisfied user of this product (various versions) for approximately 15 years. Over the years I have found this program to be a great timesaver for me as well as the attorneys I work with.” Click to read more user reviews.

About Fookes Software

Fookes Software Ltd
La Petite Fin 27
1637 Charmey (en Gruyère)
Switzerland

For over 25 years we have been developing award-winning tools and productivity software. We also have more than 20 years of expertise in the field of email processing and analysis.

Our clients include Fortune 500 companies, government agencies, law firms, universities, and professionals specializing in e-discovery and forensics from around the world.