Case Management

MailXaminer provides basic case management functionality that allows investigators to manage their case portfolios efficiently. The Case Management functionality is essentially a package of the following features:

New Case Creation:

Fig. 1: Create New Case

At launch, MailXaminer prompts the user either to create a new case or to open an existing one.

Creating a new case is the first step in any investigation. It requires the user to enter details relevant to the case: the title of the case, a brief description of the case, and details about the investigators (name, agency, contact details). This ensures that every case is tied to a particular investigator, who is the primary point of contact.

Apart from defining the case credentials, MailXaminer allows users to define search keywords at the very beginning. A user can also specify the keywords by uploading a CSV file containing the list of keywords. The tool takes these keywords into account and, during the indexing process itself, searches for and groups all the related artifacts. Defining the keywords in advance saves the investigator a lot of time.

Case Dashboard:

As soon as files are submitted for scanning, the user receives real-time updates. The scan status screen shows the scanning progress (as a percentage), the scan status, the scan start and end times, and the total mail count in a particular file. If there is a problem in the scanning process, the user learns of the problem area right away. Removing files from the case is as simple as scanning them: right-clicking a particular file gives the option of removing it from the case.

During the scanning process, the total number of files scanned, the total number of emails scanned and the total file size are updated and displayed on the left bar in real time.

Fig. 2: Scan status

Interactive dashboards containing bar graphs and pie charts enable you to visualize your data, filter on demand and simply click to dig deeper into the underlying data. With this feature, getting to insight isn’t only fast, it’s fun. Important information, such as the number of emails with and without attachments and the age of the emails, can be consolidated and arranged on a single screen so that it can be monitored at a glance. With direct drill-down capability, users can move from a summary level directly to greater detail, and can see real-time information to proactively manage for better results. With all the information in a single snapshot at their fingertips, users will quickly realize increased productivity.

Fig. 3: Dashboard Representation

Export Case:

If the entire forensic team is working on the same case, the findings of every individual can be collected and shared with everyone in the team by exporting the case. The created case can be exported in .case format, which is readable in MailXaminer itself.

Fig. 4: Export Case

Import Case:

The .case file can be imported and collected in the case repository of the software.

Fig. 5(a): Import Case

Fig. 5(b): Select Location

Delete Case:

A created or imported case can be deleted if required by simply selecting the delete option corresponding to the case.

Fig. 6: Delete Case

Bookmarks:

Fig. 7: Bookmarking Mails

In the context of MailXaminer, a bookmark is a piece of email evidence that is marked and stored for retrieval at a later stage. During an investigation, investigators may come across artifacts of some significance that they want to mark for later review. Such emails can be selected and bookmarked by clicking the "Bookmark" tab in the home navigation menu. The user is prompted when the selected items have been bookmarked correctly (as shown in the figure above). These bookmarked items can later be retrieved by visiting the "Bookmark" section, as shown in the figure below:

Fig. 8: Bookmarked mails viewed in the "Bookmark" Section

In addition to all the email previews available for the mails, the investigator can also add comments to any of the bookmarked mails. These comments are for the investigator's personal reference.

MailXaminer Logs:

Fig. 9: MailXaminer Event Logs

MailXaminer maintains a file that records all the events that occur while the tool is running. These are event logs: they record the events that take place during the execution of a particular operation, providing an audit trail that can be used to understand the activity of the system and to diagnose problems.
Investigators also use these log files extensively to attest to the authenticity of their investigation process in a court of law. The log records every activity related to scanning, bookmarking, exporting and searching. The logs can also be exported to CSV format and preserved in a court-validated format.