Aid4Mail – A fast and highly accurate email forensics tool. Superior forensic email recovery that retrieves data missed by other software.
As a forensic investigator, you face the challenge of dealing with vast amounts of email data. Traditional tools often fall short, making investigations slow and less effective. Missing crucial evidence can mean the difference between solving a case and hitting a dead end.
Imagine spending weeks on an email investigation, only to realize your software missed key evidence. Dealing with multiple email formats and service providers adds to the complexity, risking data integrity and slowing progress. The frustration can feel overwhelming, making your crucial work even more challenging.
Enter Aid4Mail, a tool specifically designed to tackle these challenges head-on. It’s fast—processing data up to 10 times quicker than its competitors. This speed transforms weeks of work into just days, without sacrificing accuracy or thoroughness.
Aid4Mail supports a wide range of email formats and services. Whether it’s PST, OST, or webmail, all are handled with ease. Aid4Mail’s versatility means you’re ready for any investigation, regardless of the data format.
Data integrity is at the heart of Aid4Mail. It preserves folder structures, attachments, and metadata exactly as they are. This ensures your evidence remains reliable and court-admissible, an essential requirement in your field.
Aid4Mail’s recovery capabilities are second to none. Retrieve deleted or corrupted emails and uncover vital evidence that other tools miss. You can delve deeper into your investigations, confident that no stone is left unturned.
The software is user-friendly and designed with simplicity in mind. Advanced filtering options, including Boolean searches, make pinpointing specific data straightforward and efficient.
Experience Aid4Mail’s impact on investigations for yourself. Download the free trial and discover how it transforms your email forensic work. With Aid4Mail, you’re not just choosing a tool; you’re elevating your investigative capabilities to new heights.
Not convinced yet? Please read on for in-depth coverage of Aid4Mail’s many unique capabilities. It’s a long article, but you don’t have to read it all. Use the floating Table of Contents menu on the right (or below, if you’re on a phone) to jump to a section that interests you.
A professional forensic email collector must support a wide range of file formats and service providers. It should also be optimized for speed to efficiently handle large volumes of data in a reasonable time. And it must do all it can to preserve data integrity during the collection process, and report issues when they occur.
Aid4Mail is optimized for speed and stability. It can work through terabytes of data without user intervention. Aid4Mail performed 6 to 10 times faster than its competitors in tests with local files. For example, a forensic email collection taking a week to complete with a competing solution would require just one day with Aid4Mail—a considerable time-saving!
With Aid4Mail, you’re in complete control of your data, and all processing is performed on-premises. This is safer because it avoids sharing sensitive data with third-party service providers. It can also significantly reduce costs by avoiding additional fees based on the volume of data processed.
The following file formats are supported:
Aid4Mail can process PST files with or without Outlook. It’s noticeably faster with Outlook, and you can further reduce processing time by using native filtering. We’re not aware of any other PST forensics tools offering this capability.
Aid4Mail integrates an advanced email parser that can accurately extract emails from corrupted mbox files. This is essential because of the prevalence of damage in those types of files.
Note that some competing products claim to support EMLX files from Apple Mail. Our tests found those claims to be misleading, resulting in significant data loss. We’re confident that Aid4Mail is the only forensic email collector that can accurately extract Apple Mail messages with all their contents and metadata.
Aid4Mail provides several methods to collect emails from Microsoft Outlook and Exchange accounts. You can access the account through an Outlook profile (using MAPI), the IMAP protocol, or Microsoft’s Graph API. Each method offers native pre-acquisition filtering, which can significantly speed up forensic email collection.
Note that, to collect mail from Exchange Online Archives, and Public and Shared folders, you must use an Outlook profile.
Collect emails from all webmail service providers that support the IMAP protocol. These include Microsoft 365 (formerly Outlook 365), Gmail, Yahoo! Mail, AOL, etc. Aid4Mail can also access Gmail accounts through the Google APIs. Fast native pre-acquisition filtering is available for all these accounts.
Aid4Mail supports the OAuth2 login protocol, enabling secure access to your (or your custodian’s) webmail account.
Collecting email from your custodians’ cloud-based accounts is made easier with Aid4Mail Remote Authenticator—a free stand-alone utility that they can download and run without installation. It enables the account owner to grant Aid4Mail secure, temporary access to their email service, or IMAP account, without providing full login credentials, and without having a copy of Aid4Mail.
Aid4Mail can extract mail from the following archival formats:
Note that you’ll need the Enterprise edition of Aid4Mail to process Google Vault, Mimecast, and Proofpoint exports.
Aid4Mail Investigator integrates a powerful file carving tool that can extract whole or partial emails stored in MIME format, from any uncompressed file type. It can also carve emails from uncompressed disk images or forensically extracted disk space. This includes double-deleted files, slack space, and unallocated space.
Processing errors typically relate to:
This is where incremental processing (differential acquisition) comes to the rescue. Aid4Mail identifies the emails that have been added since (or missed during) the last cycle and processes only them. In other words, it lets you pick up where you left off; no need to start all over again.
Aid4Mail offers incremental processing for all supported email formats and performs it natively, server-side, when collecting from cloud services like Microsoft 365, Gmail, and Yahoo! Mail.
This ability is usually missing in other tools. It is a significant time-saver because Aid4Mail can determine whether it has already processed an email before downloading it. As a result, resuming an aborted acquisition is very fast and reduces the risk of reaching those dreaded service bandwidth limits.
Aid4Mail is highly optimized for speed without sacrificing reliability or accuracy. When processing local mailbox files, it can parse, collect, and convert emails up to 10 times faster than competing email forensics tools—a considerable time-saving!
We conducted speed tests using a standard ASUS laptop (2022 model with an AMD Ryzen 9 5900HX processor and an internal SSD drive). Our tests included converting the publicly available John Podesta email collection, a 5 GB file containing 50,887 emails.
In our first test, Aid4Mail converted the Podesta emails from mbox to Outlook PST in 2 minutes and 59 seconds. That’s a rate of 284 emails per second!
In our second test, Aid4Mail converted the same data from PST to mbox in 8 minutes and 10 seconds, a rate of 103 emails per second. The slower performance in this second test is due to additional processing to preserve metadata and improve conversion accuracy. Despite this, Aid4Mail still performed faster than competing tools. With a high-end computer, you can expect even better results.
Note that you can download the Podesta mbox file from the internet for free. Use it to test your current digital forensics tool and compare its performance with Aid4Mail. We’d be happy to provide you with a download link if you can’t find it. Just contact us with your request.
Aid4Mail is optimized for cloud-based email accounts, offering two time-saving features often missing in other tools. Both involve native, server-side processing of emails and are covered in the following sections:
With these capabilities, Aid4Mail can collect emails up to 100 times faster than tools without them.
With Aid4Mail Investigator and Aid4Mail Enterprise, you can run multiple processing tasks simultaneously, taking full advantage of your computer’s hardware and saving more time. Consider a scenario where you need to collect email accounts from several employees under investigation, or one where you need to gather multiple source formats from a single custodian.
For example, you might need to collect data from a custodian’s Microsoft 365 account, Gmail account, local Thunderbird files, and archived EML files, and combine them into the same batch of target PST files. With Aid4Mail, you can set up the project in advance and let it run overnight so that no time is wasted.
Alternatively, you may have four tasks that use the same input but require different filters, with the results output to separate folders within the same PST file. In Aid4Mail, all four tasks can be run concurrently, and unattended, while you are working on something else. You can see an example of this in the screenshot below.
Data integrity and preservation is an essential part of digital forensics. Without it, you risk compromising your case due to loss of evidence. Large mbox files and Outlook PST files often contain data corruption, and some email client programs worsen the situation by deviating from format standards in undocumented ways. Even fully intact email is vulnerable to data loss during collection, format conversion, and target storage.
Aid4Mail stands out from other digital forensics tools in its ability to maintain data integrity. It is built on a foundation of 25 years of email processing, significantly longer than other email forensic tools on the market. Not only does Aid4Mail avoid data loss during processing, but it can usually repair pre-existing data corruption, and work around non-standard file format implementations.
Read on for details of how Aid4Mail excels at preserving data integrity.
Preserving folder structures and names during mail collection helps to quickly distinguish between emails like Sent, Drafts, Deleted, Spam, and Received messages. It also reveals how custodians grouped and organized their incoming mail. This makes it easier to sift through extensive email collections and find clues to the most significant messages.
Aid4Mail lets you include or exclude folders during the acquisition process. This can significantly speed up email collection, especially if you can exclude large folders with unnecessary content. However, folder filtering only works reliably when based on an accurate representation of the source account. Aid4Mail provides this.
Aid4Mail excels at preserving data integrity with respect to the email folder structure. It particularly stands out among other solutions when handling Google Takeout files, Google Vault exports, Maildir stores, and local Thunderbird mailboxes. This is because Aid4Mail understands the unique implementations of these formats and is able to work with (or around) them.
During email collection, certain storage formats have a higher risk of data loss of attachments and embedded content. This concerns formats that don’t store or deliver emails in native MIME format; for example, Apple Mail EMLX files, Thunderbird and RFC 1521 emails with detached attachments, and emails acquired through Microsoft Outlook.
Again, Aid4Mail understands the unique implementations of all these formats. Unlike many forensic acquisition tools, it handles them correctly and recovers their attachments (as long as they haven’t been moved or deleted).
If processed incorrectly, specific email formats and protocols are susceptible to loss of header metadata. This occurs when collecting messages through Outlook’s MAPI protocol or accessing MSG, OST, and PST files through third-party DLLs.
We’ve seen results from forensic email collectors that lost important information including:
This level of data loss is potentially disastrous when performing email header forensics. You can easily avoid these serious issues by using Aid4Mail.
Email status information tells you about the actions taken on a received message. For example, whether it was read, replied to, or forwarded. It also indicates the status of an outgoing message, whether it is still a draft, unsent, or sent. Emails can also be flagged (or starred), and marked as double-deleted. This is crucial information as it provides valuable insights into the lifecycle and interactions associated with an email.
Some forensic acquisition tools do not collect email status information at all, or only partially collect it. Aid4Mail stands out again by preserving this important data, whether the emails are obtained from cloud-based accounts or from local stores such as Google Takeout, OST, and PST files.
There are many different email client programs and cloud-based systems for sending messages. Unfortunately, some don’t fully respect standards, or they contain bugs that produce email format errors.
We have encountered a considerable number of these format errors during our many years of creating email solutions, even from companies like Microsoft and Google. The result of our extensive experience is that Aid4Mail can fix many of these errors, ensuring emails and their metadata render without data loss.
Aid4Mail provides detailed progress information and error reporting to ensure a smooth experience. You can track the progress of your task through real-time indications of both the amount of data processed and the estimated time to completion. You have access to a detailed progress report and, when necessary, an error log. The software displays various counters indicating how many folders and emails have been collected, excluded by your filter criteria, and failed due to errors.
To ensure a successful email forensics investigation, you must collect as much relevant evidence as possible. This includes emails a suspect has deleted, and emails contained inside damaged or deleted files.
Aid4Mail Investigator and Enterprise integrate email carving capabilities that outperform most forensic data recovery software. In other words, Aid4Mail can successfully recover more emails than digital forensics solutions costing thousands of dollars more. The quality of forensic email recovery matters—with the wrong tool, you might miss critical responsive ESI.
Aid4Mail Investigator and Enterprise can recover double-deleted emails (unpurged mail). These emails are no longer available in the Trash or Deleted Items folders. Aid4Mail can recover them from IMAP accounts, mbox files, and the Exchange Recoverable Items folder (for Microsoft 365 and other Microsoft accounts accessible through MAPI).
When people delete emails and empty their Trash folder, they may think they have hidden any wrongdoing. Don’t let them get away with it! Recover those double-deleted emails with Aid4Mail; you will find lots of responsive material.
The generic mbox file format (including mboxo and mboxrd variants) is widely used. Google Takeout and Google Vault use it as their export format. Mozilla Thunderbird and SeaMonkey, Mutt, Elm, Nmh, and Evolution use it as their native mail storage format.
Unfortunately, the mbox format has a severe weakness. It is a straightforward database format that stores emails in native format, one after another, using a simple delimiter to identify the start of each message. It can be difficult to accurately identify the delimiter because certain programs create variations in the format.
An email may contain what looks like a delimiter but is not. This can result in a single email being misidentified as two or more. Bugs in client programs may cause delimiters or emails to save incorrectly in the mbox file, creating corruption. And, more rarely, issues with the computer file system or hard drive can damage the file.
Throughout the years we’ve been developing Aid4Mail, we have seen all kinds of corruption in mbox files. Every time, we have successfully developed methods to work around the damage. Our tests show that Aid4Mail systematically recovers more emails than competing solutions.
For one test, we created an mbox file containing the most common types of corruption observed over the years. Aid4Mail was able to recover all its emails. We then compared the results with ten competing email recovery tools. The best recovered less than 82% of emails, and the worst just 30%. Averaging the results gave a 65% success rate for competing solutions versus 100% for Aid4Mail.
🛈 We’d be happy to provide you with a copy of the corrupted mbox file so you can conduct your own tests. Just contact us with your request.
Aid4Mail Investigator and Enterprise offer a powerful carving tool that can uncover emails in forensically extracted unallocated space or an uncompressed disk image. They can “carve” out MIME emails from almost any file, including corrupt and unsupported mailboxes.
While these features are not unique to Aid4Mail, its performance is outstanding. In tests, Aid4Mail finds emails in unallocated space that other forensic email recovery tools can’t detect. It recovers whole emails when others only find fragments. Even if you already use a digital forensics platform with carving capabilities, Aid4Mail can be beneficial by finding evidence that these tools miss.
🛈 We’d be happy to provide you with a sample DD Disk Image file so you can conduct your own tests. Just contact us with your request.
Collecting the appropriate data and finding specific, incriminating information is crucial. Fortunately, Aid4Mail’s forensic email search and filter features are second to none.
In addition to basic folder filtering available in all editions, Aid4Mail Investigator and Aid4Mail Enterprise add email content search, including attachments and embedded files. Features range from basic date and keyword filtering to support for complex search queries with Boolean constructs, wildcards, Regular Expressions, multilingual stemming, and more.
Aid4Mail’s search engine is fully Unicode compliant and supports queries in any language, including non-Latin scripts like Greek, Arabic, and Chinese.
When accessing PST files, Gmail, Microsoft 365 (formerly Office 365), MS Exchange, or IMAP accounts, you can use Aid4Mail’s native pre-acquisition search to limit the scope of collected emails. This works by filtering mail directly on the server before downloading, or by filtering internal indexes in the case of PST files.
By narrowing the date range, and including specific keywords and message properties in your filter, you can avoid downloading unnecessary emails altogether. This will significantly speed up collection and acquire a higher ratio of responsive emails.
Minimizing the volume of emails retrieved from cloud accounts has a key advantage: it reduces the likelihood of service-provider data throttling. Throttling can significantly slow down email delivery or cap daily downloads. However, it can be effectively mitigated using Aid4Mail’s native pre-acquisition filter, circumventing such frustrations.
⚠ Beware of email forensics tools that have an undisclosed search cap, which may significantly affect your results. For example, a popular forensic email collector we tested could not retrieve more than 500 emails from a Gmail account. The software reached this cap without warning, and hundreds of emails were missing from the collection! This does not happen with Aid4Mail.
Aid4Mail does not rely on concordance indexes for its search and filter capabilities. Instead, it uses a fast, live search engine that operates on emails as soon as they are collected. The search syntax is easy to learn, similar to that of Gmail and Microsoft 365.
Search queries can include:
Aid4Mail search queries offer unique features that even Google and Microsoft cannot match! For example:
Responsive data may not always be present in the message body of an email. Sometimes, it can be found in other parts, such as the header, attachments, or embedded files (e.g., PDFs, pictures, and videos). Or even in metadata associated with these files. Therefore, examining these elements can provide valuable insights and help conduct effective digital forensics investigations.
Aid4Mail provides fielded search operators, acting on email header metadata like the sender, recipients, date, etc. Unique operators enable you to search for emails sent on specific days of the week, or times of the day. For example, you can find all emails sent over lunchtime during workdays.
Email status information is valuable metadata, rarely exploited during investigations because many digital forensic tools don’t support it. Aid4Mail does and offers a search operator specifically for status information. Use it to exclude unread emails, or only collect flagged/starred emails, for example.
Aid4Mail can search the contents of attachments and their metadata recursively. For example, it can find a word in a PDF file, that’s contained within a ZIP archive, attached to an email, that is itself an attachment of the source email. Another complex example would be EXIF metadata contained in a picture from a TAR archive, that is attached to an email in a ZIP file, attached to the source email.
Aid4Mail’s support for Python scripts enables you to completely customize filters and add new features.
Here are some examples:
Significant time and effort have gone into making Aid4Mail one of the most versatile and accurate email conversion tools available. Its high-end email parser can convert messages, their contents, and metadata into a variety of formats for review and analysis with other tools.
During the acquisition, review, or production phase, a forensic email collector must usually convert email from one format to another. If not performed correctly, significant data loss can occur. Certain format conversions are more prone to this than others, notably conversions between Outlook files (PST, OST, and MSG) and MIME formats (mbox and EML).
Data loss can affect various aspects of email data. The following may be missing altogether:
Other parts of the email may be present but incorrectly converted:
Data loss is sometimes unavoidable due to the constant evolution and complexity of mail systems and formats. However, it can be mitigated by using a specialized and up-to-date email forensics tool like Aid4Mail.
Aid4Mail’s conversion engine boasts over 25 years of expertise and is updated regularly to respond to changes in the products it interacts with. In conversions between MIME and Outlook formats, Aid4Mail outperforms most of its competitors. It is one of the few tools that can convert native Apple Mail files (EMLX) without any data loss, as well as Thunderbird and RFC 1521 emails with “detached” attachments.
We know how to preserve data integrity, that’s how we built our reputation!
Sometimes, format conversion fails due to issues with the target API (typically with MAPI or IMAP). When this happens, it is essential to have a backup of the source email for preservation purposes.
Aid4Mail stores email backups locally under a folder structure that mirrors the source account. Emails collected through Outlook, or from PST and OST files, are backed up as MSG files. Emails from other formats are backed up as EML files.
Organizations use email journaling to create and maintain a secure and tamper-proof record of all email communications. They do this to satisfy compliance and legal requirements, as well as for data retention and disaster recovery.
A journaled email comprises:
In an investigation, journaled messages present several challenges. For example:
Aid4Mail solves these challenges with two unique features:
Aid4Mail can convert emails to formats commonly used in email forensics investigations. These include PST, PDF, CSV, EML, and mbox, as well as more unusual formats like HTML, XML, and plain text. PST files, frequently used for ingestion into an ediscovery platform, or for review in Outlook, are by far the most popular format.
Emails are often converted to PDF files, a convenient format for presenting evidence in court or sharing with others. Aid4Mail offers standard PDF as well as variants, including PDF/A. You can insert Bates stamping into PDF pages, embed attachments in their native format, password-protect files, and more.
By converting emails to HTML, you can view them in any web browser, rendered as in a mail app. Attachments are stored separately in their native format, relative to the HTML file, and accessible from a link in the email message. You can even customize the HTML data to fit your requirements.
Aid4Mail includes a convenient HTML email viewer. It displays a list of all available emails as well as the content of the selected item. You can filter emails by folder, or by keywords in the date, subject, sender, and recipient fields.
You can upload the HTML output to a website and share the link to the viewer page with others. Your audience can then access faithfully rendered messages, and attachments in their native format. Don’t forget to scan all the files with an anti-virus before uploading.
To perform metadata and attachment analysis in your investigation, you will need to extract relevant data from emails. Aid4Mail offers flexibility and complete control over this process.
Its high-end email parser can reliably extract:
Aid4Mail’s configuration editor enables you to choose exactly which data to extract.
Extracted attachments and embedded contents are saved in their native formats. Metadata and message text are saved in CSV (comma-separated values) files, either database-compliant or Microsoft Excel-compliant, or as TSV (tab-separated values) files.
Aid4Mail offers a friendly interface for performing conversions quickly. And, unlike many other digital forensics tools, Aid4Mail supports high-resolution displays and provides accessibility features. You’ll also find plenty of resources to help with your email processing tasks.
We’re known for our customer support! All editions of Aid4Mail come with:
Aid4Mail includes accessibility features to provide a more inclusive and user-friendly experience for a broad spectrum of users. This includes people with disabilities and anyone who finds such features beneficial.
High-contrast mode and a user-interface zoom assist users with visual impairments. Those with cognitive disabilities or mobility impairments can navigate the interface with a keyboard or dictation instead of a mouse.
Aid4Mail specializes in emails and their attachments and can collect, find, and recover mail that other forensics tools miss—it is an industry leader in this domain. Due to this specialization, Aid4Mail’s workflow differs from traditional digital forensics software like OpenText Encase, Exterro FTK, and Magnet Axiom. By focusing on its primary tasks, collecting, filtering, and converting emails takes a fraction of the time needed by other computer forensics tools.
As a result, you can process terabytes of email data, unattended from start to finish, fast and accurately. And, unlike hosted ediscovery tools like Relativity, Everlaw, and LogikCull, the whole process happens on-premises, so you don’t incur third-party charges for the volume of data collected and processed. This significantly reduces costs.
If you need to examine a small forensic email collection, Aid4Mail offers convenient searchable formats, enabling you to review with the optimal app for your chosen output—examine PST files in Microsoft Outlook, Mbox files in Mozilla Thunderbird, PDF files in Adobe Reader, HTML files in your browser, CSV files in Microsoft Excel, and plain text files in a text editor.
If you cannot cull your forensic email collection to an adequate size, consider transferring Aid4Mail’s output to a comprehensive ediscovery platform like Relativity, Encase, Axiom, etc. Aid4Mail is an excellent complement to other digital forensics tools, thanks to its fast email collection, native pre-acquisition filtering, and email recovery.
Fookes Software has been developing software since 1989. Our first email tool was launched in 1999, followed by Aid4Mail in 2005. We have more than two decades of experience processing email data, longer than any other vendor of email forensic tools.
All core functionality in Aid4Mail is developed in-house. As a result, you benefit from key features that are tightly integrated and optimized for speed. We are in complete control of our code, including major components like email parsing and conversion, the filtering engine and its search syntax, MAPI access to Outlook accounts, and even the IMAP protocol used to connect with services like Yahoo! Mail and AOL.
Important clients around the world rely on our software, and the numbers keep growing. They include:
Aid4Mail has a number of features that you won’t find in competing tools or, if they exist, are less well implemented. These are presented here, listed by Aid4Mail edition. (For a detailed feature comparison between the three Aid4Mail editions, check out our Aid4Mail 5 feature comparison table in PDF format.)
|High-speed email collection and conversion engine
|slower and less accurate
|Very fast native incremental processing
|Process Apple Mail mailboxes in native format
|Restore Google Takeout folder structure
|Reliably extract emails from corrupted mbox files
|Recover and preserve email status information
|not at all or partially
|Remove the journaling envelope while preserving its metadata
|Reorganize and group emails by sender, recipient, date, etc.
|Remote authentication of custodian accounts
All the unique features of Aid4Mail Converter, plus:
|Native pre-acquisition search with cloud-based accounts and PST files
|not common, results capped
|Search all mail formats using a Gmail and Microsoft 365 compatible syntax
|Find two search terms within the scope of a sentence or paragraph
|Filter emails based on the day of the week or the hour of the day
|Exclude non-personal emails (bulk mail, mailing lists, etc.)
|Reorganize mixed email collections by individual account owner
|Forensic file-carving that accurately recovers MIME data from disk images
|Recover MS Exchange items and unpurged mail from IMAP accounts, MBOX files, etc.
All the unique features of Aid4Mail Investigator, plus:
|Collect mail from native Google Vault, Mimecast, and Proofpoint exports
|Command-line interface for automation and seamless integration with other tools
|Licensing options for offline use, virtual machines (VM), servers, and USB key installations
Aid4Mail licenses allow you to process an unlimited number of mail accounts and files, no matter their origin. You can purchase a one-year license, or three years at a reduced price. Either way, you benefit from free software updates and our award-winning customer support during the license validity period.
If you’re not ready to commit to a full license, we offer a low-cost two-week Aid4Mail Converter license as an alternative to our free trial.
On purchasing a license, you will receive an activation code that gets you up and running with Aid4Mail within minutes of payment. After activation, trial mode is disabled, and your license is linked to your computer and Windows login account. See the Aid4Mail EULA for details.
If you need to run Aid4Mail on a computer that doesn’t allow Internet access, simply contact us for an offline activation code. There is no charge for this option, but it is less flexible than online activation.
It is also possible to run Aid4Mail in a virtual environment. Pricing is determined by the number of concurrent users plus the total number of users and installations. Contact us for a quote.
If you’re ready to buy an Aid4Mail license, visit our Buy Now page for pricing details, an overview of each edition, and links to our online store.
A method of communication between two pieces of software. Using a mail service’s API to access data usually offers benefits over using more general protocols like IMAP. For example, access to additional metadata, native filtering, and reduced bandwidth limitations. Email-related APIs used by Aid4Mail include MAPI, Microsoft Graph API, and Google APIs.
A branch of forensic science that focuses on identifying, collecting, preserving, analyzing, and presenting data from digital devices, such as computers, smartphones, and network servers. Its aim is to extract and examine digital evidence in a way that is legally admissible, often for the purpose of solving crimes or legal disputes.
A precise digital copy or snapshot of the contents of a storage device, such as a hard drive, SSD, CD, DVD, or USB drive. It captures the entire data structure, including all the files and folders, as well as system-specific information like the master boot record, file system, and partition table.
Unused space on a storage drive that exists when a file does not entirely fill the space allocated to it. Storage on digital devices is organized into clusters (or blocks) of a fixed size. A file usually requires multiple clusters and does not completely fill the last one. The unused “slack” space may contain remnants of previously deleted data or random bits of information from the memory. In digital forensics, disk slack space can be a valuable resource for recovering hidden or inadvertently stored data, providing insight into previous activities on the device.
An email that has been deleted twice: first from the inbox or mail folder, and then again from the trash or Deleted Items folder.
Any data or information that is created, stored, or used in digital form. ESI encompasses a wide range of data types, including emails, documents, presentations, databases, audio, and video files, social media content, and electronic records stored on digital devices like computers, smartphones, and servers.
A branch of digital forensics focusing on the recovery and investigation of email as potential evidence in legal cases or security investigations. Email forensics involves the analysis of email messages, including their content, headers, attachments, and metadata. It is used to investigate cybercrimes like financial fraud, intellectual property theft, harassment, blackmail, and extortion, and plays a crucial role in any legal dispute where email is relevant to the case.
A unique string of characters in the email header, that identifies a message in the context of a particular email conversation or thread. The Message-ID is assigned by an email system when a message is created, and is used to track, reference, and relate individual emails. This helps to manage message threading and prevent duplication. In digital forensics and email analysis, the Message-ID can be crucial for tracing the origin and trajectory of an email.
Metadata in an email message, containing detailed routing information. The SMTP header is automatically generated and located before the email message body. Although there is no limit to what can be added to it, key elements include the sender and recipient addresses, timestamps marking the email’s path through multiple servers, and unique identifiers for each server. Email service providers use the SMTP header to authenticate the email sender, and to correctly allocate incoming mail. In email forensics, the SMTP header is an essential resource for tracing the origin and path of an email, identifying spoofing, and understanding the network behavior of email communication.
Metadata associated with an email that indicates the actions taken on it. For incoming mail, this includes whether the email has been read, replied to, or forwarded. For outgoing messages, it indicates whether an email is a draft, and whether sent or unsent. All emails can also be flagged, starred, or marked as double-deleted.
A standard for storing information as metadata in image files. EXIF metadata is commonly used by digital cameras and smartphones, and typically includes the camera model, capture settings (shutter speed, aperture, ISO, etc.), and the image date, time, and location (GPS coordinates). It is useful for organizing and cataloging images, and can be crucial in digital forensics for verifying the authenticity and origin of photographic evidence.
A command used to narrow down search results by targeting a specific field or attribute of an email or document. It enables you to search for an element like the sender, recipient, subject line, date, or other metadata field.
A process used in digital forensics to recover files from a storage medium (like a hard drive or memory card) without relying on the file system metadata. It is typically employed when the file system is damaged, incomplete, or unavailable (as in formatted or corrupted drives). File carving works by searching the raw bytes and reconstructing file data based on known structures, signatures, or patterns. It is particularly useful for recovering deleted files or extracting data from unallocated disk space.
An Internet Standard protocol (RFC 3501) supported by most email applications that enables direct access to mail on a remote server. IMAP allows multiple apps to access the same mail account, even from different devices. This feature is the main reason IMAP is generally preferred over POP, an older protocol that requires mail to be downloaded to the device.
An API for accessing Microsoft Outlook and Exchange. Aid4Mail uses MAPI to read and write to Outlook profiles, and PST/MSG files when the “Process using Outlook” option is turned on.
An Internet standard for email messages that supports both data and metadata, non-ASCII character sets, multiple fonts, non-textual content, and multiple attachments of various file types. It is an extension of the original Simple Mail Transport Protocol (SMTP).
Data that is pertinent to matters of the case (in a legal context) and meets the criteria specified in a discovery request. It can be in various forms, such as emails, documents, images, or other electronically stored information (ESI).
An early part of the MIME standard that defines support for non-ASCII character sets, multiple fonts, and non-textual content. We refer to this standard when discussing certain types of attachments based on the Message/External-Body subtype format that Aid4Mail supports.
A standard protocol for email transmission. Mail servers use SMTP to both send and receive email messages. Email client programs typically only use SMTP to send messages (to the mail server for relaying), using IMAP or POP to retrieve them. SMTP was created in the 1980s and has since been modified and extended multiple times. The version commonly used today is extensible, with extensions for authentication, encryption, binary data transfer, and internationalized email addresses.
The process of reducing words to their base or root form. For instance, the words “running,” “runs,” and “ran” are all stemmed from the root word “run.” This technique is used in search algorithms to improve their effectiveness, by allowing for the matching of word variants with a common stem. Stemming enhances the ability of search engines or text analysis tools to find relevant results when the exact form of a word is not known.
The process of breaking a string of text into smaller units, or tokens, usually words or phrases. Tokenization helps to identify key elements in a text. It is fundamental in text analysis and search algorithms, where the tokenized text is used for further processing like indexing or evaluating search queries.
The areas of a drive, or other storage device, that are not currently assigned to any files or directories. This space may contain remnants of deleted files, temporary files, or data fragments that have not been overwritten. In digital forensics, unallocated space is a valuable resource for recovering deleted data or investigating past activities on a device.
The virtualization of a computer system that provides the functionality of a physical computer and its operating system. With enough computing power, multiple virtual machines can run independently from one another on the same underlying hardware.