Metaspike Forensic Email Collector Training
The training will be performed by Arman Gungor. Arman is a certified computer forensic examiner (CCE) and software developer. He has been appointed by courts as a neutral computer forensics expert as well as a neutral eDiscovery consultant. Arman is passionate about doing digital forensics research, developing new investigative techniques, and creating software to support them. In his role as Director of Forensics at Meridian Discovery, Arman has assisted corporations, law firms, and government entities with the forensic preservation and investigation of email evidence.
Duration: Approximately 5 hours in total. Please plan to allocate 5.5 hours in your schedule in case we go over the allotted time during the labs or while answering questions.
Instructor: Arman Gungor
Mode: Live remote instruction over the Internet in group setting
Attendee Provides: Windows computer with Internet access and Forensic Email Collector installed (temporary FEC license for the training will be provided upon request)
Discovering Target Details
How to find information about a target in preparation for email preservation.
— Mail Exchanger records
Manually performing mail exchanger lookups and interpreting the results.
— Email footprint reconnaissance
Techniques we can use to determine an organization’s email footprint.
— Determining server settings
Finding the best server settings to use on a target.
— Modern authentication
Modern authentication best practices for service providers.
— Remote Authentication
Benefits of Remote Authentication. FEC Remote Authenticator usage and customization.
— Authentication token reuse
How we can reuse authentication tokens and potential use cases for law enforcement and civil practitioners.
— Enterprise authentication
—— Delegate access
Setting up delegate access on M365.
Setting up impersonation on M365. Impersonation vs. delegate access.
—— Domain-wide delegation
Setting up domain-wide delegation of authority. Effective permissions when a service account is used. Domain-wide delegation vs. impersonation vs. delegate access.
Persistent Preferences & General Concepts
— Notification Emails
Setting up email notifications for acquisition updates and low disk space notifications.
— Automated throttling mitigation
Configuring number of retries and maximum wait time.
— Low disk space monitoring
How FEC monitors disk space and why this is necessary.
— Container name templating
Customizing PST and VHDX container names to suit your project needs.
— IMAP logs
Low-level IMAP logs and interpretation of common IMAP commands.
— IMAP server metadata
What server metadata FEC collects during IMAP acquisitions and how to leverage it in forensic investigations.
— Authentication options
IMAP authentication options by provider.
— Yahoo folder cap bypass
FEC behavior when bypassing Yahoo folder cap.
Google API Acquisitions
— Calendar events
Acquiring calendar events with FEC. How Drive attachments in calendar events are handled.
— Storage quota reports
Creating storage quota reports with FEC and why you may want such data points.
— Mailbox filters
Overview of mailbox filters acquired by FEC during Gmail / Google Workspace acquisitions.
— History records
Acquiring History Records, dating events referenced in History Records, and creating your own audit log for free Gmail accounts.
— Drive attachment acquisition
Acquisition of Drive attachments, revisions, and folders. Packaging considerations.
— Gmail output options
How to configure FEC’s label-based output options for your project requirements.
— Gmail API vs. IMAP
Differences between Gmail API acquisitions and IMAP acquisitions for Google data.
— EWS logs
Review of the logs created during Exchange acquisitions.
— Recoverable Items Folder
Data types to expect in the Recoverable Items Folder.
— Inbox Rules
Overview of Inbox Rules acquired by FEC during Exchange acquisitions.
— Exchange In-place Archive
Acquiring the Exchange In-place Archive for on-premises Exchange and M365 targets.
— Impersonation setup
Configuring impersonation with a service account in Exchange Management Console.
— Impersonation vs. delegate access
Differences between delegate access and impersonation.
— On-premises Exchange
FEC vs. Exchange Management Console (EMC) vs. forensic imaging.
Graph API Acquisitions
Graph API vs. Exchange Web Services (EWS) comparison for M365. Using Graph API to preserve Microsoft consumer accounts.
— Use cases
Discussion of scenarios where using POP3 for an email acquisition may be appropriate.
Limitations of POP3 compared to IMAP.
Scenarios where In-place Search use is appropriate.
In-place Search syntax for Gmail API, Graph API, EWS, and IMAP.
— Unified Query Builder
How to use Unified Query Builder to bring search query creation to a common denominator.
— Hit count reports
Getting hit count reports prior to performing an acquisition.
— Use cases
Scenarios where you may want to use Inline Search instead of In-place Search.
Inline Search syntax for common query types.
— In-place Search vs. Inline Search
Differences between In-place Search and Inline Search performance and capabilities.
Performing bulk acquisition of mailboxes from providers such as M365 and Google Workspace using central credentials.
Brief introduction to Internet X.509 Public Key Infrastructure Time-Stamp Protocol and use cases.
— Creation and verification
How to create and verify trusted timestamps with FEC.
— Open-source workflows
How external organizations and third-party experts can verify FEC’s timestamps using open-source tools.
— Use cases
General discussion on which scenarios are a good fit for Differential Acquisition use.
Using Differential Acquisition input lists for inclusion vs. exclusion.
Local Google Vault Export Workflow
Targeting local Google Vault exports with linked Drive attachments using FEC.
Mailbox Remediation with Obliterator
Planning a mailbox remediation project from start to finish with FEC and Obliterator.
Exploring how FEC acquisitions can be automated for various use cases.
— Disk image containerization
Having FEC create a disk image to house acquired data.
— Deferred PST output
Use cases and benefits of deferred PST output compared to progressive PST output.
— Credential Manager
Using Credential Manager to clear credentials in ongoing projects and to change existing credentials or authentication tokens.
Hands-on labs to practice what we cover during training.
You can cancel your enrollment and receive a full refund until 14 calendar days before the start date of the training by emailing us at [email protected]. In the event that Metaspike cancels the training session due to insufficient attendance, you will have the option to receive a full refund or attend a future training session.
Q. Will a certificate of completion be provided?
A. Yes, please contact us to request your certificate after you have taken the course.