Recommendations for searching .mbox files

Forensic software discussion (commercial and open source/freeware). Strictly no advertising.

Post Posted: Sun Mar 20, 2016 2:25 am

At work, I've been handling a number of discovery and public records requests for email. Our mail system (Gmail) allows me to extract messages in Mbox format. The problem is that Gmail's Vault is more coarse than I need and I end up with far more messages than I actually care about.

I need a tool that allows me to do the following:

1) Filter based on the To: and From: fields.
2) Filter based on date ranges.
3) Search the message body for key words.
4) Allow me to save or print a report where each message starts on a new page.
5) Report messages in chronological or reverse chronological order.

A typical directive from our attorneys would be something like: Produce a report of all of the emails between Bob and Sally from 1/1/2012 to 3/15/2015 that include the words "Susan", "Sue" or "Johnson"; do not include messages from a third party where Bob and Sally are both recipients.

I tried using EnCase but I'm not getting the results I want. It doesn't reliably print out the messages in chronological order even when the bookmarks are arranged that way. It doesn't start each message/bookmark on a new page (if there's a way to do that, please share). And, it doesn't filter as well as I would like. There may be a better way to do what I'm doing, but I've been on the phone with support and they weren't able to figure it out either.

So, can any of you recommend a relatively inexpensive product that I can use to extract relevant messages from an mbox file as I outlined above?

Thanks,

tracedf  

tracedf
Senior Member
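
The directive in the post above (mail between two parties, inside a date range, matching key words, third-party mail excluded, chronological order) can also be expressed with Python's standard `mailbox` module. This is an added example, not part of the original thread: the function names, addresses and sample messages are constructed, and it searches text body parts only, not attachments.

```python
import mailbox, re
from datetime import timezone
from email.utils import getaddresses, parsedate_to_datetime

def addrs(msg, *headers):  # lower-cased addresses from the named headers
    vals = [str(v) for h in headers for v in msg.get_all(h, [])]
    return {a.lower() for _, a in getaddresses(vals) if a}

def body_text(msg):  # text/* parts only; attachments are not unpacked or OCR'd
    out = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            try:
                out.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
            except LookupError:  # unknown charset label in the header
                out.append(raw.decode("latin-1"))
    return "\n".join(out)

def search_mbox(path, a, b, start, end, keywords):  # -> (hits oldest first, undated)
    pat = re.compile(r"\b(?:%s)\b" % "|".join(map(re.escape, keywords)), re.I)
    hits, undated = [], []
    box = mailbox.mbox(path, create=False)  # point this at a working copy
    for msg in box:
        sender, rcpts = addrs(msg, "From"), addrs(msg, "To", "Cc", "Bcc")
        if not ((a in sender and b in rcpts) or (b in sender and a in rcpts)):
            continue  # e.g. third-party mail where a and b are only recipients
        try:
            when = parsedate_to_datetime(msg["Date"])
        except (TypeError, ValueError):
            undated.append(msg)  # unusable Date: set aside for manual review
            continue
        when = when.replace(tzinfo=when.tzinfo or timezone.utc)  # naive ("-0000") -> UTC
        if start <= when <= end and pat.search(body_text(msg)):
            hits.append((when, msg))
    box.close()
    return [m for _, m in sorted(hits, key=lambda h: h[0])], undated

def build_sample(path):  # constructed sample; every address and body is made up
    bob, sally, carol = "bob@example.com", "sally@example.com", "carol@example.com"
    rows = [(bob, sally, "1 May 2013 09:00:00 +0000", "Did Susan sign?"),
            (sally, bob, "10 Feb 2012 08:00:00 -0500", "Ask Sue first."),
            (carol, bob + ", " + sally, "1 Jun 2013 09:00:00 +0000", "Johnson called."),
            (bob, sally, "1 Jan 2016 09:00:00 +0000", "Susan again."),
            (bob, sally, "1 Jan 2014 09:00:00 +0000", "The suede jacket arrived."),
            (bob, sally, "not a date", "Sue?")]
    with open(path, "w") as f:
        for i, (frm, to, date, text) in enumerate(rows, 1):
            f.write(f"From sample\nFrom: {frm}\nTo: {to}\nDate: {date}\nSubject: m{i}\n\n{text}\n\n")
```

Messages whose Date header cannot be parsed are returned separately rather than dropped, so they can be reviewed by hand before production.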
 
 
  

Re: Recommendations for searching .mbox files

Post Posted: Sun Mar 20, 2016 8:24 am

Try X-ways, it has good filtering options for emails and handles large MBOX files well.  

minime2k9
Senior Member
 
 
  

Re: Recommendations for searching .mbox files

Post Posted: Tue Mar 22, 2016 7:18 pm

EnCase and X-Ways are mainly forensic tools, but it sounds like you're more focused on eDiscovery. Those tools cost much more, but will have the better capacity to do what you want to provide data to counsel. Also eDisco software usually can pull directly from Gmail w/o having to export it to MBOX format.

I'd be curious to know what version of EnCase you're running. 7.10 or higher has much improved index and mail processing capacity.
_________________
------------------------
t: @JasonPickens 

jpickens
Senior Member
 
 
  

Re: Recommendations for searching .mbox files

Post Posted: Fri Mar 25, 2016 12:57 am

Hello,

I personally use and recommend Fookes Software's Aid4Mail Forensic edition (http://www.aid4mail.com/email-forensics).

You can try "eDiscovery Edition" at $150.00 if the Forensic Edition at $300.00 is too costly.

Aid4Mail can convert MBOX files into other mail formats such as PST\MSG\EML, and perform filtering such as date range and key words.

You will need to test if Aid4Mail specifically key word filters by the body of emails - I am not sure on this point.

** If you are working in electronic discovery, please note that attorneys usually need key word filters to be applied to email attachments in addition to the emails themselves. So, if an email attachment is a ZIP file, for example, then you will need eDiscovery indexing software that will first unpack archive files such as ZIP files and identify & OCR image file attachments to emails that do not have searchable text BEFORE you embark on reliably applying key word filters.

I have encountered PST files attached to emails, which means my eDiscovery software (LAW by LexisNexis) was able to extract the emails and attachments within the PST file email attachment, etc. etc. etc.

I use Aid4Mail primarily for 3rd party email collections, which it does very well in my opinion.

If you are using it to collect Gmail accounts, you will need to log in to the account owner's Google profile to enable access by 3rd party programs such as Aid4Mail before using Aid4Mail to download a Gmail account.

The Fookes support team is very responsive to questions, I have found.  

UnallocatedClusters
Senior Member
 
 
  

Re: Recommendations for searching .mbox files

Post Posted: Tue Mar 29, 2016 5:31 pm

Another possibility is loading the mbox files into the Thunderbird email client. Should provide the capabilities you are looking for sans the reporting which I cannot speak to. You can always try the printing options to see if it does what you want.

I will also second Aid4Mail. I recommend either using the mbox in Thunderbird or converting to PST and using Outlook. If you do get Aid4Mail FE then you can probably do without the clients.


Regards,
_________________
Preston Coleman, MFS, GCFE, EnCE

"The only thing necessary for the triumph of evil is for good men to do nothing" - Edmund Burke 

pcstopper18
Senior Member
 
 
  

Re: Recommendations for searching .mbox files

Post Posted: Fri May 13, 2016 1:39 pm

You have a few options in the eDiscovery space; here are some options to get you going.

proof finder by Nuix - www.prooffinder.com/ - $100 a year

actual nuix - www.nuix.com/ - $$$$

Intella - www.vound-software.com...-solutions - lots of options price wise

Law - www.lexisnexis.com/lit...ediscovery - $$$$

FreeEed - freeeed.org/ - open source


I would probably suggest proof finder or Intella for you.


Be careful with non-searchable documents e.g. a scanned document in a PDF. It will have text from a human point of view but not a computer point of view. You'll need OCR to help you with this.  

4144414D
Member
 
 
  

Re: Recommendations for searching .mbox files

Post Posted: Mon May 16, 2016 6:23 am

- 4144414D

proof finder by Nuix - www.prooffinder.com/ - $100 a year

+1 on this, seems to fit your needs precisely.


..FreeEed - freeeed.org/ - open source..


Haven't even seen this, will check it out. Thanks for the link!

As a quickie, if you are genuinely stuck then Thunderbird in offline mode might work for you? It does after all allow for filtering on the fields you require. You can import the mbox via a plugin.
It's not perfect but it does in a pinch.  

Chris_Ed
Senior Member
 
 
