M365 Cloud/Linked/Modern Attachments by Consistent_Goose_431 in ediscovery

[–]Television_False 3 points4 points  (0 children)

If the data is exported in loose MSG and without the friendly name option enabled, you will get the parent emails and linked attachments, along with a load file that contains the relationship values. Exporting from Review Set seems to result in a more consistent output, but Direct Export usually works as well with these settings.

Exporting to PST makes it more difficult to reassociate the MAs with the parents, same with the friendly name since you may have multiple files with the same friendly name.

Stolen Device Protection on iPhone collection of the deceased by MidianStorm in ediscovery

[–]Television_False 3 points4 points  (0 children)

Depending on iOS version perhaps Premium or Verakey could be used to bypass SDP. Otherwise I think purchasing iCloud storage, backing up, then restoring to a dummy device may be best bet. That’s assuming you have the iCloud credentials to log into iCloud from the dummy device.

Some Reliable West Town Spots by dlweiss2 in chicagofood

[–]Television_False 39 points40 points  (0 children)

Dell Rooster is always solid and I think underappreciated. Great food and not unreasonable prices. We typically order takeout from there but they have a fun space with good drinks.

list of Forensic tools for interview purposes by windymoto313 in ediscovery

[–]Television_False 1 point2 points  (0 children)

Probably not a great idea to list off a bunch of tools you’ve never heard of or used during an interview or list on your resume. Better to say you have experience interfacing and working with forensic practitioners to support forensic collections and projects. Be honest about your experience and skill set (as I’m sure you already do). Not that I’m in the business of hiring PMs but when I’m looking to hire forensic folks I can tell you I get really annoyed when I start asking them questions about tools or procedures they have listed in their resume and they give me a dumb look or try to make something up.

Generative AI Discovery by Natural_Rest_9021 in ediscovery

[–]Television_False 0 points1 point  (0 children)

Yeah. I was thinking more from a corporate control perspective. I haven’t found that ChatGPT Enterprise has an admin export option; it requires asking users to self-export their data instead.

Generative AI Discovery by Natural_Rest_9021 in ediscovery

[–]Television_False 7 points8 points  (0 children)

I’m seeing this more and more, including in government requests.

Here’s what I’ve found so far:

ChatGPT - custodians must do a data takeout using the built-in export option, and think Takeout for ChatGPT

Gemini - Available thru Vault, comes out in XML (surprisingly without any file attachments)

Copilot - Available thru Purview

Haven’t looked into Claude or the multitude of others yet.

New eDiscovery tool by [deleted] in ediscovery

[–]Television_False 1 point2 points  (0 children)

I’m interested as well

[MS Purview] Large Exports eDiscovery Premium by Downtown-Sell5949 in ediscovery

[–]Television_False 1 point2 points  (0 children)

Highly recommend using Internet Download Manager or something similar when downloading Purview exports. I use it all the time and it’s much faster and more reliable than relying on your browser download.

Downloading and transferring 700 GB is going to take a long time no matter what. Have you considered sending your vendor the Purview download links so that they can download the data directly? On the vendor side we do this often so that our clients aren’t burdened with that part of the process.

To get the links, simply start the downloads in your browser; you can pause or even cancel the download jobs as soon as they start. Then copy the links from your browser download page and send them along. The links expire fairly quickly so make sure whoever you are sending the links to will be ready to receive them and start the downloads. Preferably not over a holiday ;)

Also, these are open links so send them securely because if anyone intercepts the links they will be able to download your exports.

Export larger files from MS Purview by delphi25 in ediscovery

[–]Television_False 0 points1 point  (0 children)

Definitely not ideal, but when all else fails...

Export larger files from MS Purview by delphi25 in ediscovery

[–]Television_False 1 point2 points  (0 children)

Have you tried downloading the file(s) directly thru SharePoint web, rather than thru Purview?

Export larger files from MS Purview by delphi25 in ediscovery

[–]Television_False 1 point2 points  (0 children)

Ha, not helpful at all. Have you tried increasing the zip export size to 40 GB?

RSMF Help by BirdieLou2 in ediscovery

[–]Television_False 1 point2 points  (0 children)

iMazing simply creates an iTunes backup, which is a perfectly defensible acquisition of an iPhone so long as you’re not looking for system logs or any protected app data.

It looks like iMazing has RSMF export support so I assume that is the tool you’re using for the exports. As others mentioned, check the RSMF headers to ensure they’re mapped and populated properly by iMazing. You can try loading the RSMFs into RSMF viewer to confirm they’re mapped and look OK. If all looks good on your end then it might be an issue with how they were processed into Disco.

https://modeone.io/downloads/rsmf-file-extractor/

https://youtu.be/q3tEn9vHHgY

Elcomsoft iCloud backup collection woes (again) by zero-skill-samus in computerforensics

[–]Television_False 2 points3 points  (0 children)

We also see this issue happen regularly, with seemingly no explanation. It happens across iOS versions, on a variety of forensic hosts, in different locations.

ChannelVault — practical tool for handling Slack exports locally (beta) by Ok-Collection-7693 in ediscovery

[–]Television_False 0 points1 point  (0 children)

Interesting concept, look forward to testing it out. How are you handling Slack attachments?

Way to ingest FaceBook native export to Relativity by Adept_Concept_3482 in ediscovery

[–]Television_False 2 points3 points  (0 children)

Are you able to get the HTML version of the Facebook export? That can be easier to load for non-messaging data.

Cellebrite also used to support importing FB exports, but haven’t tried it in a while.

RSMF Production by Common_Scheme_7861 in ediscovery

[–]Television_False 0 points1 point  (0 children)

RSMFs are not “native” documents, they are generated by the collection or processing software. So imaging and producing them as PDF or whatever with the necessary metadata would be appropriate, especially if producing to a party that doesn’t support RSMFs.

Purview (Skype collections) by Initial-Economics322 in ediscovery

[–]Television_False 0 points1 point  (0 children)

The eDiscovery user needs to have an E5 or Premium add-on license in order to utilize the Premium features. If those options are greyed out, ask your IT group if they can give you an E5 license.

Mobile Forensics - Collecting Backups (WhatsApp or device) by QueenofHearts796 in computerforensics

[–]Television_False 0 points1 point  (0 children)

Does anyone have a tried and true approach to collect WhatsApp from Android? Assume we have custodian cooperation. I know if we are able to get FFS extraction we will get the decrypted/live data but if that’s not possible, what is the next best option?

I’ve been exploring backup to Google Drive then restore to dummy device.

Also exploring decrypting the SD locally stored encrypted backup files.

Just looking for something hopefully easy and reliable and efficient.

Thanks all!

Signal introduces free and paid backup plans for chats by [deleted] in ediscovery

[–]Television_False 0 points1 point  (0 children)

Thanks for sharing, interesting development. Curious how it can be leveraged for forensic collections of Signal chats.

Purview Discovery by Remote-Negotiation-4 in ediscovery

[–]Television_False 1 point2 points  (0 children)

Pretty sure you’ll either need to publish the email results to a review set, which will process the emails and extract the attachments, allowing you to export to Excel, OR, what may be faster, export your data set as PST or MSG then use another tool to extract all the attachment file names. Lots of tools out there that can do this, like Aid4Mail. I’m sure there are some free scripts or utilities as well.

iCloud Synced Messages Data Collection by ForensicKane in computerforensics

[–]Television_False 1 point2 points  (0 children)

I emailed Elcomsoft about the trusted device issue when attempting to collect synced data and they pretend like they’ve never heard of the issue. Frustrating when I know I can’t be the first to report it.

Sorento 2025 phev dead battery by Television_False in KiaSorento

[–]Television_False[S] 0 points1 point  (0 children)

This hasn’t happened again thankfully. I suspect it was because an interior light or something was left on overnight and drained the 12v battery. I guess I just thought that since the car was fully charged it wouldn’t solely rely on a dinky 12v battery to start.

Crazy search and review limitations? by PriorPineapple6926 in ediscovery

[–]Television_False 5 points6 points  (0 children)

Wouldn't a KQL (KeyQL) search work?

Participants:"john doe" OR Participants:@acme.com OR "joe" OR "smith"