Metaspike Forensic Email Collector Training

Trainer Profile

The training will be performed by Arman Gungor. Arman is a certified computer forensic examiner (CCE) and software developer. He has been appointed by courts as a neutral computer forensics expert as well as a neutral eDiscovery consultant. Arman is passionate about doing digital forensics research, developing new investigative techniques, and creating software to support them. In his role as Director of Forensics at Meridian Discovery, Arman has assisted corporations, law firms, and government entities with the forensic preservation and investigation of email evidence.

Training Details

Duration: Approximately 5 hours in total. Please plan to allocate 5.5 hours in your schedule in case we go over the allotted time during the labs or while answering questions.
Language: English
Instructor: Arman Gungor
Mode: Live remote instruction over the Internet in group setting
Attendee Provides: Windows computer with Internet access and Forensic Email Collector installed (temporary FEC license for the training will be provided upon request)

Course Outline

Discovering Target Details

How to find information about a target in preparation for email preservation.

— Mail Exchanger records

Manually performing mail exchanger lookups and interpreting the results.

— Email footprint reconnaissance

Techniques we can use to determine an organization’s email footprint.

— Determining server settings

Finding the best server settings to use on a target.

Authentication

— Modern authentication

Modern authentication best practices for service providers.

— Remote Authentication

Benefits of Remote Authentication. FEC Remote Authenticator usage and customization.

— Authentication token reuse

How we can reuse authentication tokens and potential use cases for law enforcement and civil practitioners.

— Enterprise authentication

—— Delegate access

Setting up delegate access on M365.

—— Impersonation

Setting up impersonation on M365. Impersonation vs. delegate access.

—— Domain-wide delegation

Setting up domain-wide delegation of authority. Effective permissions when a service account is used.Domain-wide delegation vs. Impersonation vs. delegate access.

Persistent Preferences & General Concepts

— Notification Emails

Setting up email notifications for acquisition updates and low disk space notifications.

— Automated throttling mitigation

Configuring number of retries and maximum wait time.

— Low disk space monitoring

How FEC monitors disk space and why this is necessary.

— Container name templating

Customizing PST and VHDX container names to suit your project needs.

IMAP Acquisitions

— IMAP logs

Low level IMAP logs and interpretation of common IMAP commands.

— IMAP server metadata

What server metadata FEC collects during IMAP acquisitions and how to leverage it in forensic investigations.

— Authentication options

IMAP authentication options by provider.

— Yahoo folder cap bypass

FEC behavior when bypassing Yahoo folder cap.

Google API Acquisitions

— Calendar events

Acquiring calendar events with FEC. How Drive attachments in calendar events are handled.

— Storage quota reports

Creating storage quota reports with FEC and why you may want such data points.

— Mailbox filters

Overview of mailbox filters acquired by FEC during Gmail / Google Workspace acquisitions.

— History records

Acquiring History Records, dating events referenced in History Records, and creating your own audit log for free Gmail accounts.

— Drive attachment acquisition

Acquisition of Drive attachments, revisions, and folders. Packaging considerations.

— Gmail output options

How to configure FEC’s label-based output options for your project requirements.

— Gmail API vs. IMAP

Differences between Gmail API acquisitions and IMAP acquisitions for Google data.

Exchange Acquisition

— EWS logs

Review of the logs created during Exchange acquisitions.

— Recoverable Items Folder

Data types to expect in the Recoverable Items Folder.

— Inbox Rules

Overview of Inbox Rules acquired by FEC during Exchange acquisitions.

— Exchange In-place Archive

Acquiring the Exchange In-place Archive for on-premises Exchange and M365 targets.

— Impersonation setup

Configuring impersonation with a service account in Exchange Management Console.

— Impersonation vs. delegate access

Differences between delegate access and impersonation.

— On-premises Exchange

FEC vs. Exchange Management Console (EMC) vs. forensic imaging.

Graph API Acquisitions

Graph API vs. Exchange Web Services (EWS) comparison for M365. Using Graph API to preserve Microsoft consumer accounts.

POP3 Acquisitions

— Use cases

Discussion of scenarios where using POP3 for an email acquisition may be appropriate.

— Limitations

Limitations of POP3 compared to IMAP.

In-place Search

Scenarios where In-place Search use is appropriate.

— Syntax

In-place Search syntax for Gmail API, Graph API, EWS, and IMAP.

— Unified Query Builder

How to use Unified Query Builder to bring search query creation to a common denominator.

— Hit count reports

Getting hit count reports prior to performing an acquisition.

Inline Search

— Use cases

Scenarios where you may want to use Inline Search instead of In-place Search.

— Syntax

Inline Search syntax for common query types.

— In-place Search vs. Inline Search

Differences between In-place Search and Inline Search performance and capabilities.

Batch acquisitions

Performing bulk acquisition of mailboxes from providers such as M365 and Google Workspace using central credentials.

Trusted Timestamping

Brief introduction to Internet X.509 Public Key Infrastructure Time-Stamp Protocol and use cases.

— Creation and verification

How to create and verify trusted timestamps with FEC.

— Open-source workflows

How external organizations and third-party experts can verify FEC’s timestamps using open-source tools.

Differential Acquisitions

— Use cases

General discussion on which scenarios are a good fit for Differential Acquisition use.

— Modes

Using Differential Acquisition input lists for inclusion vs. exclusion.

Local Google Vault Export Workflow

Targeting local Google Vault exports with linked Drive attachments using FEC.

Mailbox Remediation with Obliterator

Planning a mailbox remediation project from start to finish with FEC and Obliterator.

Automation Possibilities

Exploring how FEC acquisitions can be automated for various use cases.

Post-acquisition Actions

— Disk image containerization

Having FEC create a disk image to house acquired data.

— Deferred PST output

Use cases and benefits of deferred PST output compared to progressive PST output.

— Credential Manager

Using Credential Manager to clear credentials in ongoing projects, change existing credentials or authentication tokens.

Practice Labs

Hands-on labs to practice what we cover during training.

Cancellation Policy

You can cancel your enrollment and receive a full refund until 14 calendar days before the start date of the training by emailing us at support@metaspike.com. In the event that Metaspike cancels the training session due to insufficient attendance, you will have the option to receive a full refund or attend a future training session.

FAQ

Q. Will a certificate of completion be provided?
A. Yes, please contact us to request your certificate after you have taken the course.

Temporary FEC license will be provided for the duration of the training upon request.