Documentation · Getting started
From download to first export in fifteen minutes.
This is the short path. If you followed the trial link in your email, you already have the installer and a license file. If not, start at /trial and come back here once the installer has arrived.
Install
- Double-click Krellix-Setup-3.1.0.exe. Windows SmartScreen may show a publisher confirmation — the installer is signed by “Cole Christopher Solutions LLC” with a DigiCert EV certificate.
- Install for the current user (the default). Installing machine-wide works too, but the license file is stored per-user, so each operator on a shared machine needs their own license.
- Launch Krellix Mail from the Start Menu. The first run asks for your license file — point it at the .lic you received by email.
Pick a mode
The first screen after license activation asks whether you're running Personal or Enterprise. This choice determines which Microsoft Graph scopes the sign-in requests. You can change it later by signing out, but not mid-collection.
- Personal — you're collecting your own correspondence with a named contact. No admin consent required. Jump to Personal setup.
- Enterprise — you're collecting from another custodian's mailbox, OneDrive, or SharePoint. Requires tenant admin consent and a mailbox permission grant. Jump to Enterprise setup.
Sign in to Microsoft 365
Click Sign in with Microsoft. Krellix opens your default browser to the Microsoft sign-in page — this is MSAL, Microsoft's own authentication library, not a Krellix-built login screen. Your password never touches Krellix; only the resulting access token does.
On your first Enterprise sign-in to a new tenant, you'll see a consent dialog listing the scopes Krellix is requesting. If you're not a tenant admin, the dialog will say an admin must approve the request on your behalf — send them to the admin-consent walkthrough.
Scope the collection
The main screen asks for a custodian and a filter. In Personal mode, the custodian is always you, and the filter is a contact (email address or display name) you corresponded with. In Enterprise mode, the custodian is a UPN; the filter can be a date range, subject keyword, folder, sender list, or a raw KQL expression.
Before the collection runs, Krellix shows you the translated Graph $filter string. This is the exact query that will be sent — read it once. If the filter looks wrong, the export will be wrong. Nothing below this point is hidden.
Run the collection
Click Run export. Krellix performs a pre-flight probe (a single MailFolders.GetAsync(Top=1) call) to surface any permission problems up front, then begins streaming messages. Progress is shown as “collected / expected” — the expected number comes from a separate Graph count call, so if it's off by a few items that's usually new mail arriving mid-collection, not a bug.
Seal and deliver
When the collection finishes, Krellix writes ChainOfCustody.json, hashes it, sends the hash to DigiCert's public Time Stamp Authority, and stores the signed timestamp response next to the manifest. At that point the export is sealed — any modification to any file in the export will break the chain on verification.
The export is a folder on your disk. You can zip it, copy it to a USB stick, upload it to your review platform, or email it — Krellix has no opinion about what happens to it next.
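To show why timestamping only the manifest hash still protects every file in the export, here is an added Python example, not Krellix's code. The manifest layout (a `files` map of relative path to SHA-256), the function names and the sample files are assumptions, and `sealed_digest` stands in for the hash carried in the signed timestamp response.

```python
import hashlib
import json
import tempfile
from pathlib import Path

MANIFEST = "ChainOfCustody.json"  # file name from the page; the schema is assumed

def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def payload(export: Path) -> dict:
    """Relative path -> SHA-256 for every file except the top-level manifest."""
    return {p.relative_to(export).as_posix(): sha256_file(p)
            for p in sorted(export.rglob("*"))
            if p.is_file() and p != export / MANIFEST}

def seal(export: Path) -> str:
    """Write the manifest; return its digest, the value a TSA would timestamp."""
    body = json.dumps({"files": payload(export)}, indent=2, sort_keys=True)
    (export / MANIFEST).write_text(body, encoding="utf-8")
    return sha256_file(export / MANIFEST)

def verify(export: Path, sealed_digest: str) -> list:
    """Return the list of problems found; an empty list means the chain holds."""
    if sha256_file(export / MANIFEST) != sealed_digest:
        return ["manifest: digest differs from the timestamped value"]
    recorded = json.loads((export / MANIFEST).read_text(encoding="utf-8"))["files"]
    actual = payload(export)
    problems = [f"missing: {n}" for n in sorted(recorded.keys() - actual.keys())]
    problems += [f"unlisted: {n}" for n in sorted(actual.keys() - recorded.keys())]
    problems += [f"modified: {n}" for n in sorted(recorded.keys() & actual.keys())
                 if recorded[n] != actual[n]]
    return problems

def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        export = Path(tmp)
        (export / "messages").mkdir()  # constructed sample export, two messages
        (export / "messages" / "0001.eml").write_bytes(b"Subject: constructed A\r\n")
        (export / "messages" / "0002.eml").write_bytes(b"Subject: constructed B\r\n")
        digest = seal(export)
        result = {"clean": verify(export, digest)}
        (export / "messages" / "0001.eml").write_bytes(b"Subject: edited\r\n")
        (export / "messages" / "0002.eml").unlink()
        (export / "notes.txt").write_bytes(b"planted")
        result["tampered"] = verify(export, digest)
        seal(export)  # rebuild the manifest to match the tampered files
        result["resealed"] = verify(export, digest)
        return result
```

The `resealed` case is the one the timestamp exists for: a manifest regenerated to match altered files is internally consistent, but its hash no longer equals the value that was timestamped.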
Verify (optional but recommended)
Before you deliver, run the verification script yourself. It's a five-line OpenSSL command documented in Verify a collection. If verification fails on a brand-new export, something is wrong — don't ship a collection you haven't successfully verified.
Next steps
- Understand the output — what's in each of the seven folders.
- Troubleshooting — when something goes wrong mid-collection.
- Why defensible — the technical and legal framework behind the output.