For over a decade I have used email collection software which was designed solely and specifically for email. Today, email is just one of a vast assortment of communication formats. SMS, WhatsApp, iMessage, Facebook, and Yahoo Messenger are just a few of the many dozens of available communication applications.
Collection, preservation, and analysis of diverse communication sources make it financially challenging to continue spending thousands of dollars on software and renewals when they only have a single focus.
The RIGHT Software MATTERS
I chose to discuss email collections in this post because a majority of the law firms that I assist with their technical civil litigation routinely request this service. Unlike other forensics software (which is still trying to catch up with Oxygen Forensic Detective), I specifically need forensics software which is updated often in order to keep up with online communications platforms.
In addition to its other capabilities, Oxygen Forensic Detective is a Swiss Army Knife when it comes to handling all types of communication-based evidence. To begin with, Oxygen Detective has a simple point-and-click function to select the service application for acquiring and preserving Gmail, as displayed in the following graphic.
Once collected, Oxygen Detective has the capability for me to review or filter out specific emails (as you can see below):
Oxygen Detective: Filling in The Blanks
What I had missed for months (and honestly wasted thousands of dollars on) was the flexibility which Oxygen Forensic Detective has with all types of email sources; not just Gmail, Apple Mail and Microsoft 365 that other applications had to offer.
Specifically, the Mail (IMAP) function allows me to perform collections on hosted email accounts. The next screenshot demonstrates a recent collection of approximately 15,000 emails. If I compare the time it took me to collect the Gmail and filter the email, other solutions that charge thousands for this type of add-on could not begin to compete. The added fact that the Oxygen Cloud Extractor is built into Oxygen Forensic Detective makes it a no-brainer.
IMAP Collections Take It to The Limit!
Once the IMAP setting for the email provider is known (and the username and password are provided), collecting email using Oxygen Forensic Detective is effortless. There are other considerations — such as Multi-Factor Authentication options and whether to validate access using Tokens or Credentials — but these obstacles are faced while using any cloud-based collection software.
For the purpose of assisting others who are utilizing Oxygen Detective to collect email, I have provided a list of IMAP settings for Common Providers (Tab #1) as well as a Comprehensive List (Tab #2) in this Google Sheet entitled IMAP Settings.
During my 24 years of experience dealing directly with cyber and mobile device evidence, it became apparent that the software available before Oxygen Forensic Detective only solved portions of the civil or criminal investigative process.
Fast forward to Oxygen Forensic Detective v11.2x — most likely to update with new features upon publishing this post — I have saved myself more than $25,000 in just five years of using this software to collect all types of communications, as well as other mobile device, drone, and cloud-based evidence. Using Oxygen to collect webmail not only saves the analyst time, but the return for the client is an added bonus!