The #1 Forensic Email Collector and Search Tool for Investigators

A professional forensic email collector must support a wide range of file formats and service providers. It should also be optimized for speed to efficiently handle large volumes of data in a reasonable time. And it must do all it can to preserve data integrity during the collection process, and report issues when they occur.

Aid4Mail is optimized for speed and stability. It can work through terabytes of data without user intervention. Aid4Mail performed 6 to 10 times faster than its competitors in tests with local files. For example, a forensic email collection taking a week to complete with a competing solution would require just one day with Aid4Mail—a considerable time-saving!

With Aid4Mail, you’re in complete control of your data, and all processing is performed on-premises. This is safer because it avoids sharing sensitive data with third-party service providers. It can also significantly reduce costs by avoiding additional fees based on the volume of data processed.

Support for Most Email Formats and Services

Local Email Storage

The following file formats are supported:

• PST, OST, and MSG files from Microsoft Outlook
• OLM files from Outlook for Mac
• Mbox files from Mozilla Thunderbird, Google Takeout, etc.
• EML files, used to store a single email message
• Maildir files in native format from an IMAP server
• Apple Mail (EMLX) in native format

Aid4Mail can process PST and MSG files with or without Outlook. It’s noticeably faster with Outlook, and you can further reduce processing time by using native filtering. We’re not aware of any other PST forensics tools offering this capability.

Aid4Mail integrates an advanced email parser that can accurately extract emails from corrupted mbox files. This is essential because of the prevalence of damage in those types of mailboxes.

Note that some competing products claim to support EMLX files from Apple Mail. Our tests found those claims to be misleading, resulting in significant data loss. We’re confident that Aid4Mail is the only forensic email collector that can accurately extract Apple Mail messages with all their contents and metadata.

Microsoft Outlook and Exchange

Aid4Mail provides several methods to collect emails from Microsoft Outlook and Exchange accounts. You can access the account through an Outlook profile (using MAPI), the IMAP protocol, or Microsoft’s Graph API. Each method offers native pre-acquisition filtering, which can significantly speed up forensic email collection.

Note that, to collect mail from Exchange Online Archives, and Public and Shared folders, you must use an Outlook profile.

Webmail Service Providers

Collect emails from all webmail service providers that support the IMAP protocol. These include Microsoft 365 (formerly Outlook 365), Gmail, Yahoo! Mail, AOL, etc. Aid4Mail can also access Microsoft and Gmail accounts directly through their respective APIs. Fast native pre-acquisition filtering is available for all these accounts.

Aid4Mail supports the OAuth2 login protocol, enabling secure access to your (or your custodian’s) webmail accounts.

Remote Authentication

Collecting email from your custodians’ cloud-based accounts is made easier with Aid4Mail Remote Authenticator—a free stand-alone utility that they can download and run without installation. It enables the account owner to grant Aid4Mail secure, temporary access to their email service or IMAP account, without providing full login credentials or needing a copy of Aid4Mail.

Archival Formats

Aid4Mail can extract mail from the following archival formats:

• Google Takeout
• Google Vault exports (zipped MBOX files)
• Mimecast exports (zipped EML SJF or EJF files)
• Proofpoint exports (password-protected zipped EML files)

Note that you’ll need the Investigator or Enterprise edition of Aid4Mail to process Google Vault exports, and the Enterprise edition to process Mimecast and Proofpoint exports.

Unknown Formats

Aid4Mail Investigator integrates a powerful file carving tool that can extract whole or partial emails stored in MIME format, from any uncompressed file type. It can also carve emails from uncompressed disk images or forensically extracted disk space. This includes double-deleted files, slack space, and unallocated space.

Traditional and Cloud Attachments

Like many email forensics tools, Aid4Mail is able to collect files attached to an email in the traditional manner. However, it goes much further than most, into new territory—Aid4Mail enables the collection of cloud attachments (a.k.a. modern attachments) and their metadata from any of its supported formats. You can decide whether to collect multiple document revisions or only the latest version, and set a size limit for maximum efficiency.

If access to a cloud attachment requires login credentials, these can be provided to Aid4Mail for both Microsoft and Google accounts. Aid4Mail uses secure OAuth2 authentication, and also supports the remote authentication of custodian accounts.

Incremental Processing (Differential Acquisition)

Processing errors typically relate to:

• Server timeouts, overloads, or bandwidth limits
• Lost internet connections
• Insufficient free disk space on the target drive, etc.

This is where incremental processing (differential acquisition) comes to the rescue. Aid4Mail identifies the emails that have been added since (or missed during) the last cycle and processes only them. In other words, it lets you pick up where you left off; no need to start all over again.

Aid4Mail offers incremental processing for all supported email formats and performs it natively, server-side, when collecting from cloud services like Microsoft 365, Gmail, and Yahoo! Mail.

This ability is usually missing in other tools. It is a significant time-saver because Aid4Mail can determine whether it has already processed an email before downloading it. As a result, resuming an aborted acquisition is very fast and reduces the risk of reaching those dreaded service bandwidth limits.

Built for Speed

Processing Local Files

Aid4Mail is highly optimized for speed without sacrificing reliability or accuracy. When processing local mailbox files, it can parse, collect, and convert emails up to 10 times faster than competing email forensics tools—a considerable time-saving!

We conducted speed tests using a standard ASUS laptop (2022 model with an AMD Ryzen 9 5900HX processor and an internal SSD drive). Our tests included converting the publicly available John Podesta email collection, a 5 GB file containing 50,887 emails.

In our first test, Aid4Mail converted the Podesta emails from mbox to Outlook PST in 2 minutes and 59 seconds. That’s a rate of 284 emails per second!

In our second test, Aid4Mail converted the same data from PST to mbox in 8 minutes and 10 seconds, a rate of 103 emails per second. The slower performance in this second test is due to additional processing to preserve metadata and improve conversion accuracy. Despite this, Aid4Mail still performed faster than competing tools. With a high-end computer, you can expect even better results.

Note that you can download the Podesta mbox file from the internet for free. Use it to test your current digital forensics tool and compare its performance with Aid4Mail. We’d be happy to provide you with a download link if you can’t find it. Just contact us with your request.

Remote Accounts

Aid4Mail is optimized for cloud-based email accounts, offering two time-saving features often missing in other tools. Both involve native, server-side processing of emails and are covered in the following sections:

1. Incremental processing
2. Native pre-acquisition filtering

With these capabilities, Aid4Mail can collect emails up to 100 times faster than tools without them.

Concurrent Processing

With Aid4Mail Investigator and Aid4Mail Enterprise, you can run multiple processing tasks simultaneously, taking full advantage of your computer’s hardware and saving more time. Consider a scenario where you need to collect email accounts from several employees under investigation, or one where you need to gather multiple source formats from a single custodian.

For example, you might need to collect data from a custodian’s Microsoft 365 account, Gmail account, local Thunderbird files, and archived EML files, and combine them into the same batch of target PST files. With Aid4Mail, you can set up the project in advance and let it run overnight so that no time is wasted.

Alternatively, you may have four tasks that use the same input but require different filters, with the results output to separate folders within the same PST file. In Aid4Mail, all four tasks can be run concurrently, and unattended, while you are working on something else. You can see an example of this in the screenshot below.

Data Integrity

Data integrity and preservation are essential parts of digital forensics. Without them, you risk compromising your case due to loss of evidence. Large mbox files and Outlook PST files often contain data corruption, and some email client programs worsen the situation by deviating from format standards in undocumented ways. Even fully intact email is vulnerable to data loss during collection, format conversion, and target storage.

Aid4Mail stands out from other digital forensics tools in its ability to maintain data integrity. It is built on a foundation of 25 years of email processing, significantly longer than other email forensic tools on the market. Not only does Aid4Mail avoid data loss during processing, but it can usually repair pre-existing data corruption, and work around non-standard file format implementations.

Folder Names and Structure

Preserving folder structures and names during mail collection helps to quickly distinguish between emails like Sent, Drafts, Deleted, Spam, and Received messages. It also reveals how custodians grouped and organized their incoming mail. This makes it easier to sift through extensive email collections and find clues to the most significant messages.

Aid4Mail lets you include or exclude folders during the acquisition process. This can significantly speed up email collection, especially if you can exclude large folders with unnecessary content. However, folder filtering only works reliably when based on an accurate representation of the source account. Aid4Mail provides this.

Aid4Mail excels at preserving data integrity with respect to the email folder structure. It particularly stands out among other solutions when handling Google Takeout files, Google Vault exports, Maildir stores, and local Thunderbird mailboxes. This is because Aid4Mail understands the unique implementations of these formats and is able to work with (or around) them.

Attachments and Embedded Contents

During email collection, certain storage formats have a higher risk of data loss of attachments and embedded content. This concerns formats that don’t store or deliver emails in native MIME format; for example, Apple Mail EMLX files, Thunderbird and RFC 1521 emails with detached attachments, and emails acquired through Microsoft Outlook.

Again, Aid4Mail understands the unique implementations of all these formats. Unlike many forensic acquisition tools, it handles them correctly and recovers their attachments (as long as they haven’t been moved or deleted).

Header Metadata

If processed incorrectly, specific email formats and protocols are susceptible to loss of header metadata. This occurs when collecting messages through Outlook’s MAPI protocol or accessing MSG, OST, and PST files through third-party DLLs.

We’ve seen results from forensic email collectors that lost important information including:

• Email addresses
• Sender’s time zone
• IP address
• Server relay information
• Original Message-ID
• Thread index

This level of data loss is potentially disastrous when performing email header forensics. You can easily avoid these serious issues by using Aid4Mail.

Email Status Information

Email status information tells you about the actions taken on a received message. For example, whether it was read, replied to, or forwarded. It also indicates the status of an outgoing message, whether it is still a draft, unsent, or sent. Emails can also be flagged (or starred), and marked as double-deleted. This is crucial information as it provides valuable insights into the lifecycle and interactions associated with an email.

Some forensic acquisition tools do not collect email status information at all, or only partially collect it. Aid4Mail stands out again by preserving this important data, whether the emails are obtained from cloud-based accounts or from local stores such as Google Takeout, OST, and PST files.

Format Errors

There are many different email client programs and cloud-based systems for sending messages. Unfortunately, some don’t fully respect standards, or they contain bugs that produce email format errors.

We have encountered a considerable number of these format errors during our many years of creating email solutions, even from companies like Microsoft and Google. The result of our extensive experience is that Aid4Mail can fix many of these errors, ensuring emails and their metadata render without data loss.

Progress and Error Reporting

Aid4Mail provides detailed progress information and error reporting to ensure a smooth experience. You can track the progress of your task through real-time indications of both the amount of data processed and the estimated time to completion. You have access to a detailed progress report and, when necessary, an error log. The software displays various counters indicating how many folders and emails have been collected, excluded by your filter criteria, and failed due to errors.

Collecting the appropriate data and finding specific, incriminating information is crucial. Fortunately, Aid4Mail’s forensic email search and filter features are second to none.

In addition to basic folder filtering and deduplication, available in all editions, Aid4Mail Investigator and Aid4Mail Enterprise add email content search. This includes searching traditional attachments, cloud attachments, embedded files, and metadata.

Features range from basic date and keyword filtering, to support for complex search queries with Boolean constructs, wildcards, Regular Expressions, multilingual stemming, and more. You can also use AI to filter, classify, and even analyze emails.

Aid4Mail’s search engine is fully Unicode compliant and supports queries in any language, including non-Latin scripts like Greek, Arabic, Korean, and Japanese.

Native Pre-Acquisition Filtering

When accessing PST files, Gmail, Microsoft 365 (formerly Office 365), MS Exchange, or IMAP accounts, you can use Aid4Mail’s native pre-acquisition search to limit the scope of collected emails. This works by filtering mail directly on the server before downloading, or by filtering internal indexes in the case of PST files.

By narrowing the date range, and including specific keywords and message properties in your filter, you can avoid downloading unnecessary emails altogether. This will significantly speed up collection and acquire a higher ratio of responsive emails.

Minimizing the volume of emails retrieved from cloud accounts has a key advantage: it reduces the likelihood of service-provider data throttling. Throttling can significantly slow down email delivery or cap daily downloads. However, it can be effectively mitigated using Aid4Mail’s native pre-acquisition filter, circumventing such frustrations.

⚠ Beware of email forensics tools that have an undisclosed search cap, which may significantly affect your results. For example, a popular forensic email collector we tested could not retrieve more than 500 emails from a Gmail account. The software reached this cap without warning, and hundreds of emails were missing from the collection! This does not happen with Aid4Mail.

Search Syntax and Features

Aid4Mail does not rely on concordance indexes for its search and filter capabilities. Instead, it uses a fast, live search engine that operates on emails as soon as they are collected. The search syntax is easy to learn, similar to that of Gmail and Microsoft 365.

Search queries can include:

• Fielded searches (search specific parts of each email including attachments and file metadata)
• Boolean constructs (AND, OR, NOT, etc.)
• Comparisons operators (>, <, =, <>)
• Proximity searches (like Google’s AROUND and Microsoft’s NEAR operators, and more)
• Deduplication
• Wildcards and Regular Expressions
• Multilingual stemming (up to 24 languages) and tokenization

Aid4Mail search queries offer unique features that even Google and Microsoft cannot match! For example:

• Filter out non-personal emails (bulk mail, mailing lists, etc.) with a single operator.
• Filter emails by the day of the week or time of day they were sent, irrespective of the date.
• Find two search terms within the same sentence or paragraph instead of arbitrarily deciding how many words separate them.
• Use keyword search lists that can include thousands of simple or complex criteria. Aid4Mail includes several sample search lists that are customizable, or you can create your own from scratch.

AI filtering and classification

Aid4Mail’s AI integration enables email filtering with unparalleled accuracy, going far beyond simple keywords to understand meaning and context. It can also classify emails into relevant categories, streamlining your review process, and organizing evidence with unprecedented efficiency.

Using AI to filter and classify in Aid4Mail offers significant advantages over traditional methods which can be time-consuming, expensive, and prone to missing crucial evidence.

• Enhanced Accuracy: AI-powered filtering, driven by well-crafted prompts and appropriate models, produces more accurate results than traditional keyword searches. This reduces the risk of false positives (irrelevant emails) and false negatives (missing relevant emails).
• Easier To Create: Creating effective search queries with traditional methods (Boolean logic, proximity operators, stemming, etc.) requires a certain expertise. AI prompts are simpler to create and can often be improved with the help of AI itself.
• Multilingual Support: AI filtering and classification excel at handling multiple languages reliably, a challenge for keyword-based approaches.
• Streamlined Classification: Go beyond simple “relevant” or “not relevant” results. AI lets you classify emails into many categories, enabling efficient organization and targeted review.

Aid4Mail leverages powerful AI models from OpenAI, Anthropic, Google, and Mistral AI, with more to come in the future. It also supports offline, on-premises AI models for handling sensitive information or when strict data sovereignty is required.

Aid4Mail’s incorporation of AI transforms your workflow from a laborious, resource-intensive process into a streamlined, efficient, and insightful operation. It offers flexibility and performance without compromising on security or compliance requirements. For further details, please refer to the Aid4Mail AI Integration User Guide.

Metadata and Attachments

Responsive data may not always be present in the message body of an email. Sometimes, it can be found in other parts, such as the header, attachments (traditional or cloud attachments), or embedded files (e.g., PDFs, pictures, and videos). Or even in metadata associated with these files. Therefore, examining these elements can provide valuable insights and help conduct effective digital forensics investigations.

Email header metadata

Aid4Mail provides fielded search operators, acting on email header metadata like the sender, recipients, date, etc. Unique operators enable you to search for emails sent on specific days of the week, or times of the day. For example, you can find all emails sent over lunchtime during workdays.

Email status information is valuable metadata, rarely exploited during investigations because many digital forensic tools don’t support it. Aid4Mail does and offers a search operator specifically for status information. Use it to exclude unread emails, or only collect flagged/starred emails, for example.

Traditional attachments and their metadata

Aid4Mail can search the contents of attachments and their metadata recursively. This means it can continually dig deeper into a nested structure of attachments in order to find search terms.

For example, if:

1. An email has an attachment that is another email message
2. The attached email has its own attachment, a ZIP file
3. Inside the ZIP is a PDF file
4. The PDF contains the text being searched

Then Aid4Mail will find the searched text!

Similarly, if:

1. An email contains an attached ZIP file
2. Inside the ZIP is another email
3. This second email contains an attached TAR archive
4. The TAR archive contains an image
5. The image metadata contains the searched text

Again, Aid4Mail will find it!

Cloud attachments and their metadata

Aid4Mail Investigator and Aid4Mail Enterprise both support the collection and searching of cloud attachments (modern attachments), including those stored on Microsoft OneDrive (Personal, Business, or SharePoint) or Google Drive. Document revisions are accessible when necessary as are all associated metadata.

Cloud attachments can be specifically targeted in searches using the “Has” fielded search operator. You can target all cloud attachments, or only those from a specific platform. Combine this with date and keyword queries to pinpoint exactly the required files.

Filtering with Python

Aid4Mail’s support for Python scripts enables you to completely customize filters and add new features. Here are some examples of what you can do:

• Integrate OCR capabilities into your search or scan images for nudity.
• Perform sentiment analysis on email content to gauge the emotional tone or intent of communications.
• Implement language detection to aid investigations involving multilingual communication.
• Use IP geolocation libraries to trace the physical locations associated with IP addresses, in email headers, to determine sender locations.
• Identify and cross-reference social media profiles mentioned in emails, to link email identities with online personas.

Aid4Mail offers a friendly interface for performing conversions quickly. And, unlike many other digital forensics tools, Aid4Mail supports high-resolution displays and provides accessibility features. You’ll also find plenty of resources to help with your email processing tasks.

Get Help When You Need It

We’re known for our award-winning customer support! All editions of Aid4Mail come with:

• Context-sensitive help with a description of each setting. Press F1 in Aid4Mail to open it in the right place.
• A comprehensive user manual, available in PDF and Windows Help (CHM) formats for offline use.
• A large selection of online Knowledge Base articles.
• An AI chatbot on our website that can answer most technical questions within seconds.
• Access to our Helpdesk, which typically responds to questions within a few hours.

Accessibility Features

Aid4Mail includes accessibility features to provide a more inclusive and user-friendly experience for a broad spectrum of users. This includes people with disabilities and anyone who finds such features beneficial.

High-contrast mode and a user-interface zoom assist users with visual impairments. Those with cognitive disabilities or mobility impairments can navigate the interface with a keyboard or dictation instead of a mouse. Screen readers, like Windows Narrator, are also supported.

Fookes Software has been developing software since 1989. Our first email tool was launched in 1999, followed by Aid4Mail in 2005. We have more than two decades of experience processing email data, longer than any other vendor of email forensic tools.

All core functionality in Aid4Mail is developed in-house. As a result, you benefit from key features that are tightly integrated and optimized for speed. We are in complete control of our code, including major components like email parsing and conversion, the filtering engine and its search syntax, MAPI access to Outlook accounts, and even the IMAP protocol used to connect with services like Yahoo! Mail and AOL.

Important clients around the world rely on our software, and the numbers keep growing. They include:

• US government and law enforcement agencies
• Top law firms
• National libraries
• Prestigious universities
• Major financial institutions
• International NGOs
• Half of the world’s Fortune 50 companies

Unique Functionality Missing in Other Digital Forensics Tools

Aid4Mail has a number of features that you won’t find in competing tools or, if they exist, are less well implemented. These are presented here, listed by Aid4Mail edition. (For a detailed feature comparison between the three Aid4Mail editions, check out our Aid4Mail 5 feature comparison table in PDF format.)

1. Aid4Mail Converter

2. Aid4Mail Investigator

All the unique features of Aid4Mail Converter, plus:

3. Aid4Mail Enterprise

All the unique features of Aid4Mail Investigator, plus:

Attachment

A traditional attachment is a file of any type that is attached to an email by the sender. An email can have one or more attachments, or none at all. Attachments are included in the email itself, increasing its size, although are not part of the message body.

Cloud attachments (also known as modern attachments) are a newer concept. They are not contained inside the email. Instead, they are hosted by a cloud-service provider and hyperlinked from the email. In some cases, this is done by the service provider because the file size exceeds their attachment limit. In other cases, often with collaborative online documents, it is simply for convenience.

Application Programming Interface (API)

A method of communication between two pieces of software. Using a mail service’s API to access data usually offers benefits over using more general protocols like IMAP. For example, access to additional metadata, native filtering, and reduced bandwidth limitations. Email-related APIs used by Aid4Mail include MAPI, Microsoft Graph API, and Google APIs.

Digital Forensics

A branch of forensic science that focuses on identifying, collecting, preserving, analyzing, and presenting data from digital devices, such as computers, smartphones, and network servers. Its aim is to extract and examine digital evidence in a way that is legally admissible, often for the purpose of solving crimes or legal disputes.

Disk Image

A precise digital copy or snapshot of the contents of a storage device, such as a hard drive, SSD, CD, DVD, or USB drive. It captures the entire data structure, including all the files and folders, as well as system-specific information like the master boot record, file system, and partition table.

Disk Slack Space

Unused space on a storage drive that exists when a file does not entirely fill the space allocated to it. Storage on digital devices is organized into clusters (or blocks) of a fixed size. A file usually requires multiple clusters and does not completely fill the last one. The unused “slack” space may contain remnants of previously deleted data or random bits of information from the memory. In digital forensics, disk slack space can be a valuable resource for recovering hidden or inadvertently stored data, providing insight into previous activities on the device.

Double-Deleted Email

An email that has been deleted twice: first from the Inbox or mail folder, and then again from the Trash or Deleted Items folder.

Electronic Discovery Reference Model (EDRM)

A framework that outlines standards for the recovery and discovery of digital data. The EDRM model is used to guide the process of handling electronic data during legal proceedings, including phases such as identification, preservation, collection, processing, review, analysis, production, and presentation of digital evidence. It’s widely adopted by legal and IT professionals to ensure a clear and efficient approach to eDiscovery processes.

EDRM Message Identification Hash (MIH)

A standardized method of identifying duplicate emails across multiple data sets from any vendor platform that supports it. The MIH is an MD5 hash value generated from the email’s Message-ID metadata field. It offers a universal method to recognize identical emails, enabling legal and investigative teams to efficiently manage, review, and deduplicate email collections. This solution enables cross-platform duplicate detection without the need to reprocess data, saving significant time and resources. The EDRM MIH is intended to complement existing vendor-specific deduplication methods, serving as an additional tool for more effective email management in discovery, disclosure, and investigations.

Electronically Stored Information (ESI)

Any data or information that is created, stored, or used in digital form. ESI encompasses a wide range of data types, including emails, documents, presentations, databases, audio, and video files, social media content, and electronic records stored on digital devices like computers, smartphones, and servers.

Email Forensics

A branch of digital forensics focusing on the recovery and investigation of email as potential evidence in legal cases or security investigations. Email forensics involves the analysis of email messages, including their content, headers, attachments, and metadata. It is used to investigate cybercrimes like financial fraud, intellectual property theft, harassment, blackmail, and extortion, and plays a crucial role in any legal dispute where email is relevant to the case.

Email Message-ID

A unique string of characters in the email header, that identifies a message in the context of a particular email conversation or thread. The Message-ID is assigned by an email system when a message is created, and is used to track, reference, and relate individual emails. This helps to manage message threading and prevent duplication. In digital forensics and email analysis, the Message-ID can be crucial for tracing the origin and trajectory of an email.

Although each Message-ID is unique within its own data set, it may not be so across multiple datasets. The EDRM MIH provides a solution to this problem.

Email SMTP Header

Metadata in an email message, containing detailed routing information. The SMTP header is automatically generated and located before the email message body. Although there is no limit to what can be added to it, key elements include the sender and recipient addresses, timestamps marking the email’s path through multiple servers, and unique identifiers for each server. Email service providers use the SMTP header to authenticate the email sender, and to correctly allocate incoming mail. In email forensics, the SMTP header is an essential resource for tracing the origin and path of an email, identifying spoofing, and understanding the network behavior of email communication.

Email Status Information

Metadata associated with an email that indicates the actions taken on it. For incoming mail, this includes whether the email has been read, replied to, or forwarded. For outgoing messages, it indicates whether an email is a draft, and whether sent or unsent. All emails can also be flagged, starred, or marked as double-deleted.

Exchangeable Image File Format (EXIF)

A standard for storing information as metadata in image files. EXIF metadata is commonly used by digital cameras and smartphones, and typically includes the camera model, capture settings (shutter speed, aperture, ISO, etc.), and the image date, time, and location (GPS coordinates). It is useful for organizing and cataloging images, and can be crucial in digital forensics for verifying the authenticity and origin of photographic evidence.

Fielded Search Operator

A command used to narrow down search results by targeting a specific field or attribute of an email or document. It enables you to search for an element like the sender, recipient, subject line, date, or other metadata field.

File Carving

A process used in digital forensics to recover files from a storage medium (like a hard drive or memory card) without relying on the file system metadata. It is typically employed when the file system is damaged, incomplete, or unavailable (as in formatted or corrupted drives). File carving works by searching the raw bytes and reconstructing file data based on known structures, signatures, or patterns. It is particularly useful for recovering deleted files or extracting data from unallocated disk space.

Internet Message Access Protocol (IMAP)

An Internet Standard protocol (RFC 3501) supported by most email applications that enables direct access to mail on a remote server. IMAP allows multiple apps to access the same mail account, even from different devices. This feature is the main reason IMAP is generally preferred over POP, an older protocol that requires mail to be downloaded to the device.

Messaging Application Programming Interface (MAPI)

An API for accessing Microsoft Outlook and Exchange. Aid4Mail uses MAPI to read and write to Outlook profiles, and PST/MSG files when the “Process using Outlook” option is turned on.

Multipurpose Internet Mail Extensions (MIME)

An Internet standard for email messages that supports both data and metadata, non-ASCII character sets, multiple fonts, non-textual content, and multiple attachments of various file types. It is an extension of the original Simple Mail Transport Protocol (SMTP).

PR_ENTRYID

A property used in Microsoft Outlook and Exchange to uniquely identify various types of objects within the messaging system, such as emails, calendar events, contacts, etc. It is a binary value that acts as a unique key, allowing each item to be retrieved, moved, or manipulated within the system. This identifier is crucial for developers and administrators working with Outlook and Exchange APIs, or scripting, as it enables precise access and control over individual messaging objects within the store.

Responsive Data

Data that is pertinent to matters of the case (in a legal context) and meets the criteria specified in a discovery request. It can be in various forms, such as emails, documents, images, or other electronically stored information (ESI).

RFC 1521

An early part of the MIME standard that defines support for non-ASCII character sets, multiple fonts, and non-textual content. We refer to this standard when discussing certain types of attachments based on the Message/External-Body subtype format that Aid4Mail supports.

Simple Mail Transfer Protocol (SMTP)

A standard protocol for email transmission. Mail servers use SMTP to both send and receive email messages. Email client programs typically only use SMTP to send messages (to the mail server for relaying), using IMAP or POP to retrieve them. SMTP was created in the 1980s and has since been modified and extended multiple times. The version commonly used today is extensible, with extensions for authentication, encryption, binary data transfer, and internationalized email addresses.

Stemming

The process of reducing words to their base or root form. For instance, the words “running,” “runs,” and “ran” all stem from the root word “run.” This technique is used in search algorithms to improve their effectiveness, by allowing for the matching of word variants with a common stem. Stemming enhances the ability of search engines or text analysis tools to find relevant results when the exact form of a word is not known.

Tokenization

The process of breaking a string of text into smaller units—tokens—usually words or phrases. Tokenization helps to identify key elements in a text. It is fundamental in text analysis and search algorithms, where the tokenized text is used for further processing like indexing or evaluating search queries.

Unallocated Space

The areas of a drive, or other storage device, that are not currently assigned to any files or directories. This space may contain remnants of deleted files, temporary files, or data fragments that have not been overwritten. In digital forensics, unallocated space is a valuable resource for recovering deleted data or investigating past activities on a device.

Virtual Machine (VM)

The virtualization of a computer system that provides the functionality of a physical computer and its operating system. With enough computing power, multiple virtual machines can run independently from one another on the same underlying hardware.