About Our Software

Import webmail into X-Ways Forensics using Exponent CloudMailTM

Exponent CloudMailTM is a powerful read-only forensic email collection and collation tool that expedites evidentiary analysis of cloud based email communications and their attachments.

Features at a Glance

Download email and attachments directly into your existing X-Ways Forensics case file.
Feature Description
3rd Party IMAP Providers CloudMailTM can connect with most 3rd party service providers that support the IMAP protocol. This includes, but is not limited to, these common mail providers: Microsoft, Google, Yahoo, Zoho and AOL.
Keyword & GREP Searching Use powerful case-insensitive keyword and GREP (Regular Expressions) searches to filter and narrow the scope of collections.
Save Copies to Disk Not only are emails imported directly into X-Ways, but you can also choose to save copies, including any attachments, to your local hard drive in .EML format for analysis, using other 3rd party tools.
Advanced Keyword Filtering Using the keyword searching options, you can target specific common message fields such as Subject, From, To, CC, BCC, Body (as Text and HMTL), Headers and filenames of attachments. This is an extra layer of refinement which enables you to be very selective about what you are looking for, and where.
Filter by Date You can also use date ranges that messages were Sent to further narrow your search. This is a very helpful feature, especially if you are mandated by a court order to limit or restrict your search and collection.
Filter by Folder You can limit or expand your search and colletion to certain folders, such as the Inbox or Sent Items folder. For Gmail, folders are also referred to as Labels. CloudMail works with both folders and labels.

System Requirements

There are a few things you need to know in order to make your email collection successful.
Requirement Description
X-Ways Forensics Version 19.3 or above is required to run Exponent CloudMailTM.
Internet Connection You will need an Internet connection in order for CloudMail to work properly. High speed connections are required to speed up your collection and to avoid connectivity timeouts or shutouts by remote servers. This is particularly important if the mailbox to which you are connecting contains an unsually large number of email messages.
Disable Firewall, VPN and Anti-Virus Software Firewalls and VPN's are likely to interfere with the connection and collection of emails in many cases, especially when authenticating with Google Sign In for Gmail accounts.
Sign-Out of Accounts If, after disabling any VPN and Firewall and your password entered is correct, you get an AUTHORIZATION FAILED error, open your browser. Navigate to the webmail services provider website and make sure you are logged out. If you are still signed-in, Sign Out and close your browser. Then try reconnecting.
Volume Snapshot Options Before using Refine Volume Snapshot within X-Ways Forensics to process any downloaded emails, you MUST first ensure that the following Volume Snapshot Option is enabled, as shown below. The purpose of the selected option is to transform the value in the Name column of XWF: from the collected email file name (e.g., 0000000.eml) to the Subject contained inside the email (e.g., 'Invitation to Attend').

To access this window, goto the Options > Volume snapshot... menu located at the top of the X-Ways Forensics window.

Product FAQs

Here are answers to some of the more common questions that we receive.

How long can I stay connected to a remote mail server?

This will largely depend on how much mail you are trying to filter and collect. It also depends on the mail services provider. In our tests, we found that collections from Microsoft and Google IMAP servers were fast and went smoothly without any disconnections. However, that's not to say that a disconnection will not occur - especially if you are collecting a large amount of mail.

This is why CloudMail was designed with several powerful filtering options. We recommend using these features to target your collection and limit the amount of time required.

Sometimes a disconnection might occur by the remote server for several reasons (e.g., response timeout, IDS senstivity, bandwidth). In these cases, we recommend any or all of the following:

  • -> Make sure your firewall and anti-virus are turned off.
  • -> Break up your collection into small ones. Try collecting one folder at a time.
  • -> Try collecting mail at off-peak hours.
  • -> Limit repeat collections to the same mailbox over a short period of time. This will raise security concerns at the server level.
  • -> Use a VPN to switch up your IP address.
  • -> Wait a period of time before re-attempting to collect mail from the same mailbox.

Can I connect to more than 1 mailbox at a time?

We're sorry but CloudMail can only work with one mailbox (connection) at a time.

How does CloudMail store downloaded emails inside of X-Ways Forensics (XWF)?

Emails are downloaded to a designated Collection Folder that you specify during the collection process. Once the collection is completed, CloudMail will automatically mount the Collection Folder as a Directory evidence object, within XWF, inside the Case Data pane. This will then allow you to run Refine Volume Snapshot to process the emails and pull out any attachments and metadata. Please see the System Requirements section on this page for important information BEFORE you run Refine Volume Snapshot.

Do I need to use Refine Volume Snapshot after using CloudMail?

Yes. It is imperative that Refine Volume Snapshot be run once the emails are collected. X-Ways Forensics will process the emails and pull out all metadata and attachments automatically. Again, please see the System Requirements section on this page for important information BEFORE you run Refine Volume Snapshot.

© API Forensics 2024. All rights reserved.
X-Ways Forensics is the trademark and copyright of X-Ways Software Technology AG