MailXaminer is an email forensic investigation suite developed by SysTools. The application examines email data files of Non-MAPI / MAPI desktop mail applications & Cloud mail services. MailXaminer allows cyber investigators to analyze digital evidences from emails, attachments, contacts, calendar entries, etc.; stored within the data repository of different email services.
- 1 Summary
- 2 Version History
- 3 Product Overview
- 4 Features
- 4.1 Create New Case Repository
- 4.2 Email Scanning
- 4.3 Office365 Examination
- 4.4 Google Apps Analysis
- 4.5 Live Exchange Mailbox Impersonation
- 4.6 Email & Attachment Analysis
- 4.7 Image Analysis
- 4.8 Video Analysis
- 4.9 Geo Location Image Mapping
- 4.10 Evidence Search
- 4.11 Case Evidence Bookmarking
- 4.12 Export Email Data Artifacts
- 4.13 Email Tagging With Labels
- 4.14 Section 508 Compliance
- 4.15 PDF Bates Numbering
- 4.16 Skype Database Analysis
- 4.17 Link Analyzes Searches
- 4.18 Searching Within Subset
- 4.19 Other Features
- 5 Licensing
- 6 Support
MailXaminer was originally developed by CoreDataTree and was officially released on the 1st of December, 2013. Later, the application and its licensing were handed over to SysTools Pvt. Ltd. Since then, the software underwent a number of version upgrades and the most recent update took place in the year 2014, Version 4.6. The software was made available for the worldwide online audience to perform email data investigation and evidence extraction.
|Version||Date of Release||Update|
|1.1||13/03/2013|| Scanning process optimized for:|
PST (MS Outlook file)
OLM (Outlook for Mac file)
OST (Exchange Offline Store) files
|1.2||22/04/2013||Support for “Contacts” added.|
|3.0||7/3/2013|| View or modify case information from UI|
Send for Review by Shared Location
Improved PST performance
|4.0||31/12/2013|| Dashboard for Quick view of completed files in graphical format.|
Provided support for “Cloud” & IMAP.
Allows user to set the throttling.
Provided Pause & Resume for “Cloud”.
Provide date filters for “Cloud”.
Added support for “Outlook Express” .dbx files.
Added support for “Lotus Notes” NSF (Non Password Protected Files) files.
Does not export Privileged mails.
Ability to show mails in “Conversation” view.
Provided “Email Hop” view to display how mail has been traversed.
Provides “Restart” option for “Stopped (cancelled by user)” & “Failed” files.
Provides “Remove” option for “Failed” & “Pending” files.
Ability to stop the scanning in between.
Ability to track all the activities done in the application.
Ability to export logs.
Able to export as PST without Outlook installed.
Provided “Set Page Orientations”, “Margins” & “Page Size” options for PDF.
Provided “Exclude Duplicate Mails” option for export.
Provided “Concordance” format while export.
Display “Duplicate” & “Deleted” mails at a glance.
Added support for “Audio” & “Video” in “Media” category.
Ability to search mails having “Attachments” or without “Attachments”
Ability to search mails having “Attachments” or without “Attachments”.
Ability to search using PreDefined templates.
Ability to search mails having “Importance”(Low, Normal & High)
Provided “Advance Search” to search with “Starts with”, “Ends With” & “Contains”
Ability to search “Keywords” while “Scanning” & also “On Demand”.
Allows user to change the “Storage Location”.
|4.5||7/6/2014|| Added support for EML Reader.|
Added support for MSG Reader.
Added support for E01 Reader. Supporting PST, OST & EDB files in .E01 files.
Added support for Client Server. User can view the files scanned by other users in “Connected” mode if those files are “Synced”.
The user can “Sync” selected scanned files in “Connected” mode.
Provided option to “Sync” all scanned files in “Connected” mode.
Provided different types of “Search”. They are as follows:
Wildcard Search: Provided “Wildcard Search”. Asterisk (*) to represent ‘several’ characters or ‘zero’ character. Question mark (?) to replace a single character.
Stem Search: The use of linguistic analysis to get to the root form of a keyword.
Regular Expression Search: Regular expression is a special text string for describing a search pattern.
Fuzzy Search: A type of search that will find matches even when users misspell words or enter in only partial words for search.
Proximity search allows to specify how close two (or more) words must be to each other in order to register a match.
User can add multiple Search fields in “General Search” & “Advance Search”.
Display hierarchical view of the selected mail in “ Hierarchical View” tab.
Provided option to maintain folder hierarchy while export or not.
|4.6||27/7/2014|| Added ability to “Export case”.|
The option to “import case” supported.
“Delete case” option provided.
Addition of keyboard Hotkey support.
Recursive listing view of emails supported.
|4.7||16/11/2014|| Supports Office365 Single and multiple account using Admin credentials.|
Supports GApps Admin multiple accounts of similar domain.
Single and Multiple Mailboxes from Live Exchange Server supported.
Performs Skin Tone Analysis on images while scanning.
Emails tagging supported.
Dongle based software licensing support.
Changes to UI interface for reader categorization.
|4.8||19/09/2015|| Provided support for Geo Location & IP Reporting.|
Performs Forensic Video Analysis on videos while scanning data.
Supports examination of documents from image files such as E01, DD and DMG.
Supports new Desktop/Web based Email Applications and Servers such as hMailServer, MDaemon, Kerio, Zimbra, KMail and many more.
Support for customizing the scanning speed of evidence files on the basis of concurrency level.
Added thumbnail and gallery view for attachments.
|4.8.2||05/09/2016|| Section 508 compliance for keyboard support.|
Added support provided for 64-bit application.
Bates Numbering facility provided for PDF export.
Multiple partition of E01 & DD File supported.
Multiple export facility added for enhanced export.
Additional support for Skype Database analysis.
Splitting option for PST and CSV file type export.
Search subsets; keywords, saved searches, & more</br>PDF setting options enhanced for custom export.
CSV header settings adds Properties to components.
Customized naming convention for export output.
Timeline analysis of searches; chats, mails, & more
Link Analysis provisioned for examined Search Result
MailXaminer is an Electronic Mail Data Analysis program built to fulfill the email forensics requirement in legal, IT, and corporate sector. The application is Windows based and runs on all available Windows OS versions including XP, Win7, and also the latest series; Windows 8 and 8.1. Its functionality mainly relies on optical mouse / mouse pad operations yet there is full support for keyboard hotkey control. MailXaminer being an email forensic tool supports both desktop & web based mail client data analysis. Several versions of the MailXaminer application have been updated since its release, the latest of which is v.4.6 announced on the 27th of July, 2014 introducing 5 new features in the tool.
The MailXaminer program is built with the combination of the adept algorithms and multiple, individual email analysis facilities set up in one application. The unique built of the software provides a single unit of solution for performing digital forensics on email artifacts.
Create New Case Repository
The new case creation option lets investigators prepare a case of their own for performing investigation of the evidence storing email artifacts. The new case creation option can be opted on the immediate start up of MailXaminer tool. Otherwise an existing case can be reopened for proceeding investigation. By the means of creating a new case, investigators can reach to the core of the software to explore its key facilities intended to perform email data investigations. Create new case window resembles a form with fields provided to fill in details regarding the case with the described options.
- Title: The title to be given to a case according to its subject matter.
- Case Directory: Browse path to select a directory location for storing case and its components.
- Description: To give a brief yet detailed description about the subject of a respective case.
- Keyword List: Specific terms to be used for searching particular email(s) to perform investigation on.
- Browse CSV: For In case of too many key terms, select a CSV file maintained with the list of keywords.
- Investigator: For Name of the investigator to whom the case belongs.
- Agency: Name of the agency to which the investigator is associated with.
- Phone: For making notes pertaining to the case on a per need basis.
- Fax: Fax number of the investigator / agency.
- Email: Email address of the investigator / agency.
Emails from both; web based & desktop based email services can be scanned for analysis purpose. Two types of modes featured to scan emails are as; Single File Mode and Bulk File Mode. In Single File Mode only one file of a single type can be processed at a time. While Bulk File Mode supports multiple files of different types to be scanned at once.
NOTE: In case if a corrupt data file or file containing deleted emails is selected for analysis; MailXaminer recovers it through email scanning process.
The email data scanning stage also offers internet bandwidth throttling and email filter.
- The Throttle Option: It is for web/cloud based email downloading, to specify the desired amount of internet packet to be consumed.
- Email Filter Option: It is an option to download and scan emails of a specific duration based on the date range defined by the investigator.
- Case Details: This automatically displayed screen displays progress of scanning for the selected file(s) with major display of details like; Mail Count, File Count, and File Size.
- Dashboard: This tab next to case detail’s File tab displays the ratio of data stored within the selected files with the help of pie chart and graphs.
Email examination from Office365 accounts can be executed. The two ways in which emails are scanned and downloaded from Office 365 are: Single Account and Multiple Account analysis mode. Being an investigation tool, the only precondition is that the download of user account(s) from Office365 can only be performed using Admin credentials and not individually.
Google Apps Analysis
GApps, better known as Google Apps is one of the email platforms, accounts from which can be examined using MailXaminer. The program shares compatibility ration with the platform but on one condition, i.e. the account credentials used in the process of scanning and downloading GApps account emails will be of the administrator account. Only authorities and officials having access of the Admin credentials will be able to conduct email examination on the account data of GApps using this email analysis application.
Other Conditions: No IMAP support is required. However, the user / examiner will have to create a separate project and has to be logged into it during the examination is being channelized on the GApps account data.
Live Exchange Mailbox Impersonation
Email client and server environments usually found in corporate & enterprises are the most common targets of email based crimes and forgeries. User accounts from Live Exchange Server can be examined using either the respective mailbox credentials or impersonation rights (authority owned by a user for accessing a particular mailbox). Impersonation can be implemented to use:
- Provide Exchange Details: Exchange Server versions (2007 – 2013 are supported), Server Name/IP, and Domain Name.
- Using Impersonation: Enable the feature and Provide Mailbox Credentials.
- Select Mailboxes: Browse a CSV file with multiple mailbox holder names or provide the names manually.
Adding the details will begin downloading emails from Live Exchange Server mailboxes (selected) on the basis of impersonation.
Email & Attachment Analysis
Viewing email stored within scanned email files loaded in the software is distinguished under several views. There is a separate view tab dedicated for viewing particular details and sections of an email. Each email of the selected data file is listed with; subject, sender / recipient ID, dates, size, and MD5 value details displayed respectively.
- Normal Mail View: The tab shows selected email in a normal view as it can be seen in its respective email application; with a message header and body.
- Hex View: The view shows email message in a binary format. Each message bytes of the selected email can be seen here to detect any manipulations.
- Properties View: Detailed information about each email attribute can be viewed listed here in divided sections.
- Message Header View: Suspected email header details are specifically described in this view tab.
- MIME View: Multipurpose Internet Mail Extension is a type of internet standard that defines an email header along with attachment support of any SMTP mail.
- Email Hop View: Complete details of the path crossed by a selected email are shown via the gateways, switches, and router it has passed.
- HTML View: Entire HTML script of the email is displayed using which the message can be analyzed on different browsers.
- RTF View: Represents the Rich Text Formatting of emails, if any. Helpful in maintaining email originality & accessible easily on all systems.
- Attachments: Offers a preview of email attachment separately. Document and image formats of most types supported in preview and saving.
- Hierarchical View: This view tab shows the exact B+ Tree structure of the selected mail & its entire folder structure.
An Image Analysis feature is provided to expand the possibility of spotting pornographic images (of all types) scanned from emails attachments, email body, contacts, compressed files, etc., amongst other images. Once image analysis is switched on, any format of image available in any file type will be thoroughly and detected for obscenity. There are four sensitivity parameters provided by the tool to adjust the intensity of executing skin tone analysis on images:
- Very Low
- Very High
Higher the frequency more will be the detection rate and higher will be the chances of false positive rate being provided. Once detected the tree structure pane on the software lists all suspect detected images in the frequency category under the respective source, i.e. file types in which they have been detected.
NOTE: To receive the exact and sharp results, it is recommended to set the frequency to High (not "Very High").
The video analysis feature is meant for tracking and spotting the attached video files having pornographic content. After the video analysis mode is switched ON and the suspect evidence file is scanned, the available malicious video can be easily spotted. The sensitivity measure for the video analysis works in the similar pattern as mentioned in the skin tone analysis attribute.
Geo Location Image Mapping
The image attachments having the latitude, longitude and altitude coordinates saved within them can be easily mapped. Export such image attachments to KML format and thus, easily locate the exact location by importing the KML file into Google Earth.
Apart from the bulk email analysis, the program can perform selective email analysis via its advanced search facility. The search feature works rapidly on a keyword basis. Investigators can either analyze emails, searched using a single keyword or even with multiple keywords. The keywords / keyword CSV provided in the case at the beginning can be supplied to the search to detect associated emails.
Keyword Based Search
- Add Keywords
- Browse CSV
- Use Both
The search offers generic search to be performed on the overall data of the scanned files. The search process can be narrowed using different search criteria like; subject, sender ID, recipient ID, etc. The search is further divided into four more categorizations
- Wildcard Search: It offers the chance of performing a search using incomplete terms with an asterisk (*) or question mark (?) along with the search criteria provided to list associated results.
- Regular Expression Search: Can also be termed as special character based search for specific findings, carried out using a combination of patterns created by a number of special characters.
- Stem Search: The option provides possible search results associated with the term used for searching on the investigator being uncertain about the exact word to look up for.
- Fuzzy Search: This multi-valued component based search offers results matching the combination of words differentiated with symbol or special characters to list the nearest possible results.
Based on the Regular Expressions search algorithm, this search option helps detect email message pattern with the use of category and sub category search like; phone numbers, URLs, addresses, postal code, etc., and country, respectively.
This search option offers the most comprehensive and in-depth exploration of data within the file(s). Multiple number of search criteria can be added along with conjunctions for added detail and to look up for information in the message body, attachment, as well as email header.
Based on the hit & trial method of searching, the option provides a search field for adding look up terms to be added and searched for approximate results between the terms ranging from zero to infinity.
NOTE: Maximum four words / terms can be added at once.
- Distance Between Words: Enter the approximate amount of words that separate the mentioned terms to search.
Case Evidence Bookmarking
Evidences collected from email artifacts can be bookmarked for future analysis purposes. Evidences in the form of emails, media files, keywords, and search results can be bookmarked. The bookmarks section will contain a record of case related evidences bookmarked which can further be exported, sent for review, deleted, or comments can be added to it.
Export Email Data Artifacts
On the completion of email data file recovery and analysis, evidences can be exported into multiple formats of output file according to the type of data. The software is built to support multiple types of export, including; email, media files, search results, bookmarks, etc.
- Emails: Emails are exported into the following file types; CSV, Concordance, EML, TIFF, MSG, PDF, PST, and can also be printed directly in bulk.
- Search Results / Bookmarks: Bookmarks and search results are exported into email file formats.
- Keywords: The program exports keywords used for performing evidence searches in text format file.
- Media Files: Images, videos, audio files, and other media file artifacts of any type are exportable in respective formats.
Email Tagging With Labels
Emails of particular importance or category can be tagged under the respective label using the email tagging feature. Email tagging makes classification of email based evidences easier and quicker to organize the investigation to next level. Multiple tags can be created under which selective email evidences can be labeled by an investigator for future analysis, categorization, or purposes whatsoever. Further, the emails tagged under a category can also be removed off from their respective tags using the remove tag option provided along with add tag facility.
Section 508 Compliance
Data analysis is actionable in compliance with section 508 offering support for keyboard usage. The support makes MailXaminer operable with keyboard shortcuts simplifying email investigation for everyone. The provision is made as part of abiding by the U.S. Government standards stating technology to be accessible for all users regardless of their disability.
PDF Bates Numbering
Bates numbering facilitated for evidence exported as Portable Document Format file type. Document maintenance ensured during export as PDF with bates numbering enabling addition of page numbering, stamping of dates with additional data prefixed / suffixed to it, with preferred font styling. Enhanced manageability is aimed at, with bates numbering of evidence exported as Portable Document Format file.
Skype Database Analysis
MailXaminer, besides examining emails, features Skype database investigation. Skype messenger being a commonly used medium of instant communication is both the prime source as well as target of cyber criminal activities. The examination of Skype Messenger database enables viewing conversations carried out through chats, SMSs, and calls.
Link Analyzes Searches
The prime feature of Link Analysis between Users and Domains is further integrated into Search Result analysis too. The concept is to detect and represent direct or indirect communication relation between users/domain via graphics. The very technique is advanced into the analysis of search results for custom link analysis to be executed on emails listed under a specific search.
Searching Within Subset
MailXaminer is programmed to generate subsets, i.e. categorized collection investigated data/results. Further provision of performing Searches within these subsets is featured. Subsets maintained on the software may consist of multiple entries of the same kind. Provision of searching simplifies and fastens the investigative procedure. Keywords used for conducting evidence search, saved search results, items restored from deleted state, are some of the common subsets maintained on MailXaminer by investigators.
A number of other additional and supportive facilities are owned by the MailXaminer program. These features assist investigators at managing case storage and handling.
- Import Review File
- Export / Import Case
- Delete Case
- Email Recursive View
- Change Software Language
- Set Email Throttling
- Mark / Remove Privilege
Import Review File
SaaS review facility allows investigators to share case for review of analysis and evidence collection performed on the case.
Export / Import Case
The facility allows exporting and importing entire case to and fro from the software with scanned data files and other case details preserved.
Existing / recently used case can be deleted from the software list.
Email Recursive View
Allows viewing emails of the parent directory and sub folder collectively under the parent directory.
Change Software Language
Software interface language can be changed from the default language; English to other featured.
Set Email Throttling
Throttle desired percentage of internet bandwidth consumption as per the requirement is in Kbps unit.
Mark / Remove Privilege
To maintain the privacy and avoid violation confidential content, emails can be marked with privilege to be protected from being shared.
Read the Licensing on official website.
Dongle Based Licensing
Licensing of the application has been extended to Dongle basis. A dongle with licensed software setup will be provided via shipping or courier to the respective person after making a purchase under the Dongle Based Licensing. The provided Dongle can be carried along by an investigator to crime scenes and used instantaneously for examination of emails on the spot, on any particular machine eliminating the licensed machine obstruction.
Technical support and graphical demonstration are provided via phone, email, and chat mediums to offer operational and technical assistance.