Forensic Email Collector V3.10

Reviewed Oct 2019 by Jon Munsey

Review Last Updated 20-Nov-2019

1. About This Review

This review is not your average "fire it up and fiddle with it for a few minutes", nor is it written by someone who was the tea boy at an E-Discovery firm in the late 90's and is suddenly a digital forensics expert.  You can find paid reviews on other sites here and here, but whats the point of that - it's more fun here at CFRO!. 

I poke and prod things in places where they shouldn't and hopefully inject a bit of fun and banter into reviewing what could be deemed as incredibly boring software (I could be playing Borderlands 3 instead of writing this review..).

I have been using forensic software for a long time now (nearly 17 years) so I can often see things that even the developers' testing has missed.

2. The Gotcha! System

Throughout reviewing products, I alway see things that could trip you up as an investigator -  costing you time, money or embarrassment in front of a client.

If you see a Gotcha!, it does not mean the program on test is broken, buggy or has something seriously wrong with it - what it means is to take care and don't make the same mistakes that I did during the review! 

3. About the Vendor

So, Metaspike is a relative newcomer to the world of digital forensics software, based in Los Angeles, California - in the good old USA.  Arman Gungor, the founder of Metaspike appears to have built a small team around him to nuture and expand the product.

Don't get too big Arman is what I told him a few years ago when FEC was first released, I also told him to always...always listen to your customers.  He replied "Yeah, we are trying to avoid being swallowed up by a big corporate".

You don't have to do everything customers ask (as that would be commercial suicide), but listen and let them influence (but not control) the direction of the product,. Remember, its not what you the develope thinks we need, its what we ask you to put into the product that you need to pay attention to and evaluate on a case by case basis!  When is the "Find All Evidence" button being implemented...?*giggle*.

So many forensic software vendors are not customer focussed, yes, they say they are, but in reality there is either a) a small team of dev's with a vision who think they know what we want, or b) a team of marketing exec's who tell the dev's what features they think we want.  No, no, no and no both of those are a road to oblivion and obscurity. 

If you want to make a terrible product, then do a) or b), if you want people to renew their licence year on year - recursive revenue is the cornerstone of building a stable business.

Pay attention and read your forums and regularly run feature request threads. 

Even if you don't implement them, you can see what the actual users of your product would like - polls are king.  The internet is a toxic place, so nuturing a community of followers will pay dividends in the long run.

Metaspike is adding features all the time to the product, these are (at the moment) relevant and an enhancement to the product.  There will be a time when the "new features" tail off, as there is only so much you can do with an E-Mail collector.  Maybe expansion into sharepoint collections would be a useful one?

So please Metaspike, keep focussed and polish what you have, don't add a PST viewer or other things that are not needed - which will only bloat out your precision instrument.  One thing to remember is that we are not 16 year old Fortnite addicts that need new features to keep our attention - we are searching for a reliable tool that does what we need repeatedly and reliably.

Feature Suggestion:  What would be nice is the ability to download directly to an Encase logical image file the good old .L01 (not the newer LX01), which is supported by a lot of vendors E-Discovery products, and would save me the ardous task of encapsulating collected files for each email account I download.  Heck, you could even write an EnScript that would neatly encapsulate each downloaded account automatically!  Heck, you could even use FTK imager's command line to have a script to put all of the downloaded messages into an .AD1 logical image file.   Lightbulb moment, I might do that myself!

Exclusive:  Arman himself has answered some of the questions in the review himself, so we have a celebrity comment - check it out at the bottom of the page!

4. Features

FEC is sold as a tool to forensically collect E-Mail from mail accounts, be they on an internet connected server or a local exchange box.  It is not intended for processing (apart from rudimentary searching), this product is designed to get the messages for you, so that you can then feed them into the forensic or E-Discovery tool of your choice.

Notable Features:

- Download any IMAP, POP, Exchange & GMail, Office 365 & other accounts

- Support for two-factor authentication

- Command line support for batch operations

- Hashes output to preserve integrity and defensibility of captured mail

- Supports server side searches, negating the need to download the whole mailbox

- Outputs to .Eml, .Pst and .Msg formats

- Downloads Google Calendars and supports Google Drive Gmail attachments

- Portable mode (no need to install onto target machine)

- Exchange delegation / privileges

- Comes with 12 months SMS and warranty

- Lightweight 11mb on disk - Runs on Windows 7

- Vibrant support community

5. Purchasing Process:

Purchasing the software is a cinch, you pay by credit card on the Metaspike website and are promptly sent a link to the software download.

£566/$699/€636 buys you a the software licence for a year including any released updates, this is tied to one machine, meaning you install it on the machine you intend to use it on (which generates a unique ID) and you send this to Metaspike.  They then send you a software licence file/code that you copy/enter onto that machine, and boom, you are in business. 

You can't use the software on any other machine, so if that machine dies - you will be cap in hand to Metaspike for a new licence file.  I'm not sure how this would pan out, as anyone could simply abuse this and say their machine died and get essentially a free licence to install on a new machine - I'm sure that Metaspike have a mechanism in place to detect this though!  Thats another article altogether, watch out for that by signing up for the newsletter!

Software licence files/codes are a necessary evil, as often larger firms use a data centre or cloud based machines for their processing needs - so there literally is no USB port to plug a physical dongle into - just in case you were wondering why this option is available.

 £688/$849/€773 buys you the hardware dongle version, which uses a dongle that requires no software to be installed on Windows 10 (take note Codemeter dongle users) and is simply plug and play making installation a breeze.

Metaspike are confident that you will love FEC, they offer a 30 day no-questions-asked guarantee, which is absolutely amazing if you ask me, you can't really go wrong here.  This is starting to look good already!

6. Product Download:

Gotcha ! Downloading FEC is a chore if I am honest, even being a paid up licence owner, it is not possible  to navigate to the "Downloads" section of the Metaspike website (there isn't one) to obtain the product, nope - you have to send a medieval enquiry form to them.  Sheesh, is this FTK Imager or Arsenal Image mounter *grin*.

This results in a non instantaneous E-mail being sent back to you with a link to the download.  I have had to wait nervously for up to 10 minutes on the numerous occassions I have downloaded FEC. It's ok.... the client won't mind... have some tea while you wait...we will knock it off the bill :) The armchair experts have been triggered and are now shouting at the screen "you should have downloaded it before you left the lab" *giggle*.

I suspect it is something to do with telemetry so that they can monitor who has downloaded the software, but this is a double edged sword in you reviewer's humble opinion and could cause you needless inconvenience when the pressure is on.  Ah, I hear you say, go and use the download link you were provided with when you purchased the software!.... you can't those links expire pretty quickly... arrgh!

My advice is to keep a folder in your software repository for FEC and keep the latest (and all older) versions to hand.

The download is nice and compact, around 11 megabytes and this thing will run on that old 286 you used to use to decode sky/cable TV over the serial interface all those years ago.  Well, ok that is bit of an exaggeration, but it runs on Windows 7 which is a nice convenience if you are forced to collect from a super old machine for some reason.

You will need the .NET framework 4.6.1 and something like a recent version of Chrome or Firefox to download anything that requires a token for authentication (such as G-Mail mailboxes) but other than that, requirements are super light.

Update: Arman tells me that the download workflow will be redesigned to take this frustration out of the equation, which is nice to hear!

7. Installation & Uninstallation:

Running the installer failed on my Windows 10 machine that I used as a test rig, I run this machine as a limited user (not an admin) and I elevate when necessary to run programs that need to poke and bugger about with registry settings and the like.  I always like to run software with as few privileges as possible on the test rigs, but on this occassion, no dice.

A right click and "run as administrator" did not work, which means either FEC is either not conforming to the rules when it comes to running in an elevated environment, or Windows 10 is not actually giving FEC full fat administrative privileges.  I'll give Metaspike the benefit of the doubt and blame Windows 10 here.

It was actually good that the installation failed (what??! are you nuts?), FEC creates a really nice log file (other vendors should look at this and see how to do proper logging) which pinpointed the issue in plain text immediately..Metaspkie.. I love you!.  How many times have you had to call the support desk of your vendor and send them the log file which stated something cryptic like "Failed - Unknown Error".

I look at all sorts of things when I review, I have a twisty stick that I jam in places where it should not go, did you know that some vendors encrypt their log files, they must think that those 90's warez cracking groups are going to try and reverse engineer their protection routines from the log file (*giggles*).  Anyway, I digress.... onwards!

Reinstalling under a user account which is a member of the local administrators group saw this error go away, installation completed successfully.  As Matthew Broderick once said to Jennifer ".....we're in... Protovision I have you now....".

One thing to note is that if you have Antivirus software running on your analysis machine, which has behavoiral analysis features - FEC is likely not to install whilst the Antivirus engine is scanning the installer. 

FEC (ot the installer framework it relies upon) seems to be sensitive to delays in the installation process and times out with an error message (whilst it is being scanned by AV).  A small warning on the installation screen about this would save a call to the help desk, but that's me picking nits.

There are some pro's and many serious con's for running AV software on a forensic workstation, but that is for another article.  In short, don't do it unless you know what you are doing.

UPDATE: I was using Avast AV on the test rig and Arman confirms that his team had issues with this package as well.  Simple fix, just disable Avast during the installation process.

Once installed, FEC is reported by the Add/Remove programs control panel applet (wow I am old, what's it called these days "Programs and Features"?) as taking 411 Megabytes of disk space.  I assume that it can't count and is including all the .NET libraries that FEC uses - as the original download is 11MB from Metaspike and no compression in the world is going to cram 411MB of binary data into 11MB.

32-bit Software is the work of the Devil;

FEC is a 32bit program, meaning that without some serious trickery it can't use more than 2GB of  your systems memory per instance.  In my experience of testing forensic software, this is usually a direct route to sluggish performance, crashes to the desktop, out of memory errors, general instability and a tendancy to make you want to throw yourself out of a 10th floor window in the style of Hans Gruber.

I'm letting FEC off on this one - it is not a resource hungry program so it does not need to be 64-bit.

Update: Arman informs me that FEC is in fact 64bit, even though it resides in the folder reserved for 32bit programs!  He may move the location it is installed to, for his ocd audience, but in all honesty, who cares, its 64bit so I am a happy bunny.

I Uninstalled like the Helpdesk told me - Where are my Previous Projects !!!

Gotcha!  Be careful when uninstalling FEC, as it deletes its entire program folder from within the "Program Files x86" folder.  This means if you have stored any mail downloads here in sub folders, they will be erased - with no warning. 

I have not tested whether this happens when you use the "upgrade" feature from within FEC to go to a new version, but suspect the same thing happens and that's what Gotcha!'s are for, to save you time and hair loss (wigs are not cheap).

A simple warning during the uninstall process that this is going to happen will save the bacon of those of you who store custodian data on your operating system drive.  Its a small thing, but I know that people out there do this.

8. First Run - Initial Impressions:

Ok, so we are installed, up to date and ready to do something!  It was nice to see that there is a "check for updates" button within FEC, which is a nice convenience feature.

As with all products, don't just try and use it and then whine when it goes wrong or frustrates you, Arman has put a lot of effort into making your life as easy as possible, so if you are a first time user read the Quick Start Guide first, then take a look at the Frequently Asked Questions section second, this as a minimum will let you get up and running quickly and have at least some idea how the tool works.

I had an issue with getting FEC to launch, as my dongle had expired, due to some "interesting" logic used by the program during its licence validation routine.  It refused to let me into the program so I could not go to the licence screen and input a dongle update code MetaSpike had sent me.  The fix was to install an older version, update the dongle, then install the latest version again.

UPDATE 11th October 2019: I have been in touch with Arman at Metaspike and a few people had sent him invoices for wigs, as they had also suffered hair loss with this problem.  The good news is that this has been fixed in the latest version (v3.11.1.0).  You can now launch the latest version of FEC with an expired dongle and input a dongle reactivation code without any problems!  Nice work Arman!

I've spent hours on the phone to various vendors when I have dongle licencing problems, don't even get me started on Codemeter dongles, so it was nice to see a superfast fix coming from Metaspike.

So now that we have a functional FEC let's try using it in anger.....

9. Using the Software: Acquiring G-Mail Account:

On the next screen (below) you are asked to populate the various case information fields, that let you identify the mailbox you are downloaded for evidential purposes;

It seems that when choosing the output folder, FEC now creates a new folder for the email to be store in, previously it would ask you to either ensure you were downloading to an empty folder or that if you continued it would delete everything in the target folder. 

I don't like forensic software that deletes anything, so this is a welcome change and once again shows that Metaspike listen to their customer feedback.

I've been using FEC since it was launched, so your humble reviewer uses his super ocd powers to remember even subtle changes to the way the program works.

Moving forward (see image below) shows you a hierarchical view of the mailbox, here you can see message counts and choose which folders (don't use that word...more on that later) to download.  Note those "Gmail Labels" again, they are not folders parsee, they are assigned folders by Gmail and FEC based upon their label as we discussed previously.

We have a nice dollop of E-Mail here, around 14,600 messages which will be a good test.  There is a Gotcha! coming up, so stay  alert...

At this point you can search the mailbox using FEC's latest feature "Perform Pre Aquisition Search".  Put simply, you can import a list of keywords into FEC and it will use tell the mail server where the mailbox resides to do primitive searching for you.

This is an amazing feature for those where time is critical (for example, law enforcement where there is a hostage situation or other time critical crime), or where litigation prevents the download of the entire mailbox (for example a lawyers mailbox where only messages relating to a certain case or individual are required for download).

Whilst these searches are not fast (many times slower that using your analysis machine to search a local .Pst file for example), they do work. 

You have to remember that the server at the other end is opening each message and searching it, there is no index that the mail server has built, you are doing things in a linear fashion, one message after another - keep that in mind and your expectations will be met!

You can then choose to download only the material that has responded to your keywords, so this is an incredibly powerful and convenient feature.

Starting the download (see image below) takes us to a clear statistics screen that lets you see the progress of the download in real time.

Before any messages are downloaded, FEC takes a "snapshot" (makes a list) of the messages in the mailbox, so that it knows how many it has to download.  Any new messages that arrive during the mailbox download process won't be included - as they were not in the mailbox when the snapshot was originally taken.  This process is quick and took only a few minutes on my test machine.

Gotcha! Now for the hawkeyed amongst you, you may have noticed that in the screenshot above, FEC is only downloading a total of "3 selected folders". 

Its a bug...its a bug..... no, this is intended behaviour! FEC has not lost the plot here, it goes back to the "labels" I mentioned earlier, this is not an IMAP folder structure, so there are no folders par-say. 

So when we see 3 folders total, this is a) the mailbox "All Mail" and b) and c) two calendars (go back to the previous screen shot and count them!).

Feature Request: A small tool tip or onscreen wording next to "selected folders" would be a great way to let users know (the pesky fiends who did not read the manual).  I have mentioned this to Arman, so he may add an additional tool tip here.

Once the download has completed, you will usually get the "All items were downloaded" message (shown below) - meaning the job is done and dusted.

If all messages cannot be downloaded, this box won't appear and you will see another message stating what was not downloaded.  This is either the result of a bandwidth cap, connection error, disk full or a message that is not playing ball server side - exiting the project and "resuming" once or twice usually works, but always check the log files to see the exact reason for any failures for specific items.

The image below shows what the specified output folder structure looks like on the disk;

Inside the folders, messages are uniquely labelled (see below).

This is the inbox folder and note we have an "Ebay" sub folder inside here, meaning an "Ebay" label has been set up.

I would be a little careful here about G-Mail labels and the assumption that they are user created.  Google may be creating and automatically applying labels to some items.   For example, messages marked as "Important", I seem to recall many moons ago that when G-Mail first launched this feature, they stated

"We have marked certain messages as important, such as from your bank or those from people in your address book, you can always change this later if you don't want future messages to be flagged as important". 

So do some testing on this (don't rely on my speculation), as a message may have a flag as a result of an automated process - not a user action.

Gotcha! I would also be careful of what you do with the drive you chose as the output path.  It seems that FEC's backend downloads each message to a temporary file (or journal), these files are then either moved or copied to the output folder you specified. 

This means you may have many many messages floating around in free space on your drive.  I watched the process in a cursory fashion using some tools - and caught one of the journal files (that are created and then instantly deleted), they contained binary data, nothing human readable - however keep this in mind and perhaps wipe the free space of the destination drive (the output path).

Here in the U.K (and Europe) there are specific laws in relation to the 2018 General Data Protection Regulations (GDPR), and whilst this is a pretty extreme example (the Information Commissioners office are not going to come and carve your free space for emails) and is likely to never be discovered, having additional copies of E-Mail created is actually quite a big deal.

 am sure Arman will chime in when he reads this, so watch out for an update, I probably have the wrong end of the stick here and nothing readable gets dumped into free space.

This is a new unprecedented consideration and definately not a criticism of FEC - I am sure in the future vendors may look into branding their processing engines as GDPR compliant!

I wonder how many other vendors have considered the implications of GDPR with regard to temporary files generated during processing that contains personally identifiable data?  For example if your tool crashes and then leaves temporary files on the hard drive.. potentially forever!

A Subject Access Request (SAR) request to an E-Discovery firm in an interesting subject which I may well write an article on subscribe to keep informed!

Update:  Arman informs me that FEC writes the messages directly to the output folder, there are no temporary copies of emails floating around on your operating system drive or anywhere else.  So this clears this point up.... told you I may have the wrong end of the stick on this one!

10. Log Files:

I'm sad, I like logfiles, 9 times out of 10 when software does not perform as expected, I take to vendor or independant forums (Forensic Focus is a good one), look at log files and usually come up with a work around myself - as dealing with support technicians is often like pulling teeth (they are usually reading from a script and if working for a large corporate, have about as much enthusiasm for the product as a child does for washing his hands after using the bathroom).

There are the odd good egg at Guidance Software (before they became Opentext, now support is terrible) and Access Data's FTK support team has some good people (Hello Brian!) - but for the most part across the board it's terrible - we will have an article on that soon as well - subscribe to the newsletter to be notified!!. 

Obviously Metaspike are great - I have had no problems there, anyway I digress - back to FEC....

You get two log files (see below - click to enlarge), the first being a .Tsv file which lists each message downloaded - and shows you those labels that I have been banging on about;

The interesting stuff is in the .Log file which as you can see below (click to enlarge) is very detailed and will absolutely tell you what went right and what went wrong !

11. Stability and Bugs:

I'm dissapointed with FEC.... the reason some of you come here is for the bugs and the rants when things crash.

Sadly FEC performed flawlessly, it was perfectly stable on my test machine for the duration of this test, and by jobe, did I give it a jolly good thrashing.

I've also used it many many times previously on numerous projects and had 10 instances running at the same time, it performed perfectly - not once did it crash and leave me high and dry.

Oh how I wish all forensic software was this stable.  Maybe that is a bit unfair, its like saying a F16 fighter jet should be as reliable as a Sopworth camel - one is orders of magnitude more complex than the other.

12. Inital Pricing & Renewal:

Initial Pricing

So to recap its $699 + $150 for the dongle, you are getting 12 months of updates, essentially a years SMS (Sofware Maintenance Service).  So lets say $850/£696/€774 for the year.

Last year I purchased FEC for $399 + $150 for the dongle, making £671/$550/€612 give or take.  Thats a whopping 42% price increase.

Do I think that this is daylight robbery?

Yes, because we have all seen this before when something becomes popular, the vendor adds a few additional features that nobody wants, then ramps up the price to milk as much as possible from the product now it has momentum. 

This usually happens when investors get involved or a buyout occurs. (When Jad sold Internet Evidence Finder (IEF) to Magnet Forensics - it virtually doubled in price overnight and the terrible expired SMS extortion began (and continues to this day!). 

No, because Metaspike has put a massive amount of work into this (I can tell, I read change logs!) and the features he has added are ones we are going to use, they are not just eye candy - server side searching (where you can search a mailbox without downloading it) is one that springs to mind. 

From a business development perspective Metaspike has embarked on a marketing campaign - and that costs money, I would imagine they have also had to take on additional staff to assist with day to day adminstration as the customer base grows. 

None of this is free, so the money has to come from somewhere, I remember a good friend of mine Craig Wilson when I helped him with testing on NetAnalysis many moons ago, costs crept up as momentum gained - so the price had to increase.

I think we also have to keep in mind that we are businesses, this is not a product you are buying for yourself (well I am, it comes out of my pocket as I am my company!) so being cost sensitive over a few hundred pounds is ridiculous.

Renewal Pricing:

At the time of my renewal, July this year (2019) my renewal was £122/$150/€136, which is in my mind an absolute bargain.  This is a surefire way to retain customers for life, if this creeps up in line with the 42% or so increase on a new licence, it would still be a fair price to pay.

So is this good value for money, again, I have to say yes!

UPDATE: Arman informs me that renewal prices have increased in line with the purchase price, so a renewal comes in at £162/$210/€188 which is still great value in my opinion.

13. Alternative Products:

So what else is there out there that does what FEC does ?  Not much, there are squillions of programs that process E-Mail container files, but actually connecting to a mail server and downloading - thats a little bit niche!

Well, Aid4Mail is the grandaddy of this software segment - it has been around for a long long time, but sadly it is expensive in my opinion. 

Aid4Mail, comes in at £1228/$1499/€1366 for licence with similar (but not matching) functionality perhaps FEC was too cheap to start with and now is a good deal.

Then we have the likes of Systools MailXaminer and MailPro+ which come in at a paltry £235/$299/€271.

I would like to take a look at how far Systools and Aid4Mail have come with their products, both vendors make some good stuff, so subscribe to be notified of new reviews so you don't miss it, if I get my hands on a copy.  So Fookes and Systools, get in touch and submit them for review!

14. Updates & Bug Fixes:

Metaspike are on the money when it comes to updates, meaning they are frequent and always impressive.

Since I started writing this review, v3.11.1.0 has been released which fixed an number of issues I had, I've left those in the review on purpose so that other vendors can learn from the mistake or oversights from others.  If we can't learn from each other, then we have no hope!

The latest changelog can be seen below (click on it to enlarge).

UPDATE 20/11/2019:  Metaspike have updated FEC again and the latest version collects more Google Drive attachments than before -  now you can collect any "previous" versions of attachments as Google Drive keeps them allow FEC to collect them.  Head over to metaspike to see more!

15. Further Resources & Reading:

Most vendors will try and sell you a training course, before they provide you with any meaningful documentation.  There are exceptions (Paraben have amazing manuals!), but Arman's lot are also an exception to this rule.

Head over to the Webinars page and you can literally sit with Metaspike and watch run throughs of virtually all of the products features.  Click the image below to enlarge it.

I think and FEC training course would be an amazing idea, if it is not already something that is a thing.  Arman, if you are interested in me being a trainer - lets talk!

You can also download written manuals and how-to guides if you are more of a reader than a watcher, check out the Knowledge Base page for those.

The most impressive thing I have experienced in dealing with Metaspike at present is their ability to listen to the community.  If you have a suggestion or something that you think would improve FEC, Arman has a page dedicated to that, check out his Ideas Board, which is fantastic.

I've been in this business for 17 years now, I've seen how all the once defacto tools have become bloated, buggy garbage, which has let the next generation of tools come in and decimate market share.  Lets hope that Arman keeps his focus and continues to listen when he grows and the cash really starts rolling in.

16. The Verdict:

Buy it, what more can I say.

The feature set of this little tool is currently unrivalled, and if you do use a competitors product, for gods sake do random dip tests.

Certain competitors products have bugs, such as random messages mysteriously being tranformed into a chinese code page (all the text appears in mandarin), they lose message bodies (so they appear blank) or they don't decode MIME messages properly and blank out subject, submit and delivery times.

It is a minefiled out there with E-Mail processing tools, I can say hand on heart that I have put FEC through numerous tests - I have some really nasty test data that trips up processing engines - and FEC did not miss anything, whoever coded this did not buy something off the shelf, this has been hand built from the ground up - and for that reason alone, makes it my kind of software.

Finally, I have just scratched the surface with the product, the server side searching, ability to connect to exchange mailboxes and many other features are all must haves.

Overall Score = 9 out of 10

Don't forget to sign up for our newsletter which will keep you up to date on new reviews (and updates to existing ones) as they are posted !

17. Long Term Review Updates:

As you may have read in the review, I have been using FEC since launch.

It has quickly evolved into perhaps the only tool I would ever use to download E-Mail from accounts that are stored on a 3rd party server on the internet somewhere.

I think that all of the issues (lets say quirks) have been ironed out, I did at one point (over a year ago, so not in the current release) have problems where FEC would stubbornly refuse to download the last message from a mailbox.

However the log files actually give details of any undownloadable messages, so working with my client I was quickly able to label them irrelevant and move on to the next mailbox.  Arman, any ideas what was happening there - they were personal Hotmail/Outlook E-Mail accounts (not bandwidth related either).

So I don't have anything bad to report, it has been improving the whole time.

Comments:

Please feel free to leave a comment below, all comments are moderated and only those deemed appropriate will be published.