Collecting Data Using Suspects' Existing Login Sessions

Depending on applicable legislation, some law enforcement agencies have the authority to forensically collect a suspect’s data using an existing login session while executing a search warrant. However, agencies often do not have the authority to log into the suspect’s account after the fact—while performing analysis in the lab.

This presents a window of opportunity where agents can forensically preserve the data of an uncooperative suspect on-site. Forensic Email Collector (FEC) supports this workflow for Gmail, Google Workspace (formerly called G Suite), Microsoft 365, and personal Microsoft accounts (e.g., Hotmail, Outlook.com, etc.) via FEC Remote Authenticator. The forensic preservation may include data points such as emails, contacts, calendar events, as well as Google Drive, OneDrive, and SharePoint files.

It is helpful to do the following ahead of time in preparation for the on-site work:

  1. Download FEC Remote Authenticator and copy it to a sanitized flash drive that will be inserted into the suspect’s computer. FEC Remote Authenticator is a self-contained executable that does not require installation or a license key.
  2. Install the full Forensic Email Collector software on the agency laptop.
  3. Depending on your license type, take your FEC dongle with you, or activate FEC on the agency laptop.

On-site Workflow Using Existing Login Session

While executing the search warrant, agents can forensically collect the suspect’s data as follows:

  1. Plug the flash drive containing FEC Remote Authenticator into the suspect’s computer.

  2. Execute FEC Remote Authenticator, enter the suspect’s email address, and click AUTHENTICATE.

    Remote Authenticator for Windows

  3. This will cause the default web browser on the suspect’s computer to be launched. Since the suspect is already logged in using their default web browser, the provider will not ask for credentials.

  4. Follow the provider’s prompts to authorize access.

  5. Click SAVE and save the encrypted authentication token to the agency flash drive.

    Remote Authenticator after Authentication

  6. Disconnect the flash drive from the suspect’s computer and connect it to the agency laptop with the full installation of FEC.

  7. Launch FEC on the agency laptop and switch to the Remote Authentication page.

  8. Import the encrypted authentication token using the IMPORT TOKEN button.

    Remote Authentication Page in FEC

  9. You can now enter the target email address and perform the forensic preservation without having to enter credentials. You can even use FEC’s In-place Search capabilities to search and filter the data before the acquisition and collect only the relevant items.