01 How it works
Two modes, one output.
Krellix has two operating modes. Choose based on who the custodian is — yourself, or somebody else in your tenant. Everything downstream of that choice is identical: the same hashes, the same timestamp, the same manifest.
Mode
Personal
The operator is the custodian. You're preserving your own email with a named contact.
- Built for: Solo and small-firm attorneys. An operator collecting their client correspondence at the start of a matter.
- Mailbox access: Your own M365 mailbox, via /me/messages
- Filtering: From/to filter against a named contact
- Document collection: Email only. No OneDrive or SharePoint.
- Authorization: No admin consent required. User-consentable scopes — you sign in and collect in under a minute.
Graph scopes requested
Mail.Read, User.Read, offline_access
Mode
Enterprise
Somebody else is the custodian. You're preserving their mailbox, OneDrive, and SharePoint on behalf of the matter.
- Built for: In-house counsel, HR, compliance officers, IT running custodian holds.
- Mailbox access: Named custodian's mailbox, via /users/{custodian}/messages
- Filtering: Full mailbox or scoped by KQL, date range, folder, sender list
- Document collection: Email plus OneDrive and SharePoint, scoped by custodian.
- Authorization: Tenant admin consent required once, plus Add-MailboxPermission granting the operator Full Access to each custodian mailbox.
Graph scopes requested
User.Read, Mail.Read, Mail.Read.Shared, Files.Read.All, Sites.Read.All, offline_access
02 End-to-end walkthrough
From sign-in to sealed export.
These are the actual steps the app walks through in order. A typical collection takes under thirty minutes of operator time, and most of that is Krellix running while you do something else.
Pick a mode on the first screen
Personal or Enterprise. The choice determines which Microsoft Graph scopes Krellix requests at sign-in, which UI controls appear, and whether the collection targets /me/messages or /users/{custodian}/messages. You can't change it mid-collection.
Sign in with your Microsoft 365 account
Krellix uses MSAL (Microsoft's own authentication library) to run the sign-in in the system browser. Your credentials never touch Krellix — the app only sees the resulting access token. In Enterprise mode, your tenant admin approves the scope set once per tenant; subsequent operators sign in without prompting.
Identify the custodian and scope the query
In Personal mode, enter the contact you corresponded with. In Enterprise mode, enter the custodian's UPN and optionally restrict by date range, subject keyword, folder, or KQL filter. Krellix translates your inputs into a Graph $filter expression and shows it to you before the collection begins.
Pre-flight probe
Before collecting, Krellix runs a single MailFolders.GetAsync(Top=1) call against the target mailbox. This surfaces permission problems — a missing Add-MailboxPermission grant, a typo'd UPN, a disabled account — as a clean user-facing error instead of a mid-export 403 that leaves a half-completed collection on disk.
Collection
Krellix streams messages page by page. Each message is written as a native .eml and converted to a searchable PDF with the attachment list rendered inline, and its attachments are saved in their original format. Running SHA-256 and MD5 digests are computed for each file as it's written, not after the fact.
Manifest + TSA timestamp
When the collection finishes, Krellix writes ChainOfCustody.json — the manifest describing who collected what, from whom, when, and with what query. It hashes that JSON, sends the hash to a public Time Stamp Authority (DigiCert by default, with Sectigo and GlobalSign as failovers), and stores the signed TSR response alongside the manifest. At that point the collection is sealed.
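The link between ChainOfCustody.json and the time-stamp request (stored in the export as manifest.tsq) can be checked by parsing the RFC 3161 TimeStampReq and comparing its message imprint with a fresh hash of the manifest; the code below is an added example, not Krellix code. It assumes the imprint algorithm is SHA-256, and `sample_tsq` builds a constructed request for demonstration.

```python
import hashlib

# DER encoding of the SHA-256 OID 2.16.840.1.101.3.4.2.1 (tag and length included)
SHA256_OID = bytes.fromhex("0609608648016503040201")

def read_tlv(buf, pos, want):
    """Read one DER element with the expected tag; return (value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != want:
        raise ValueError(f"expected DER tag {want:#04x} at offset {pos}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("unsupported DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return buf[pos:pos + length], pos + length

def tsq_imprint(tsq_der):
    """Return (algorithm bytes, hashedMessage) from an RFC 3161 TimeStampReq."""
    req, _ = read_tlv(tsq_der, 0, 0x30)       # TimeStampReq SEQUENCE
    _, pos = read_tlv(req, 0, 0x02)           # version INTEGER
    imprint, _ = read_tlv(req, pos, 0x30)     # messageImprint SEQUENCE
    alg, pos = read_tlv(imprint, 0, 0x30)     # hashAlgorithm AlgorithmIdentifier
    digest, _ = read_tlv(imprint, pos, 0x04)  # hashedMessage OCTET STRING
    return alg, digest

def manifest_matches_tsq(manifest_bytes, tsq_der):
    """True when the request's imprint is the SHA-256 of the manifest bytes."""
    alg, digest = tsq_imprint(tsq_der)
    if not alg.startswith(SHA256_OID):  # assumption: SHA-256 imprint
        raise ValueError("imprint algorithm is not SHA-256")
    return digest == hashlib.sha256(manifest_bytes).digest()

def sample_tsq(data):
    """Constructed sample: minimal SHA-256 TimeStampReq with certReq TRUE."""
    alg = b"\x30\x0d" + SHA256_OID + b"\x05\x00"
    imprint = alg + b"\x04\x20" + hashlib.sha256(data).digest()
    body = b"\x02\x01\x01\x30" + bytes([len(imprint)]) + imprint + b"\x01\x01\xff"
    return b"\x30" + bytes([len(body)]) + body
```

This confirms only that the request was made over these manifest bytes; validating the TSA's signature on manifest.tsr is a separate step.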
Deliver
The export is a folder on your disk. Hand it to opposing counsel, your eDiscovery vendor, or your reviewer as-is. The VERIFY.md inside the 07_TimestampMaterials folder walks any third party through re-hashing the files and re-validating the TSA token with OpenSSL — no Krellix license required to verify.
03 What lands on disk
Seven numbered folders.
Named so they sort in the order a reviewer would want to see them: native first, derived second, metadata last. Nothing in the export is a proprietary format you can only read with Krellix.
- 01_NativeEmails/: Original .eml files as Microsoft Graph returned them. Byte-preserved.
- 02_PDFs/: One PDF per email with embedded attachments. Bates-numbered if enabled.
  - Thread_Combined.pdf: Chronological thread roll-up across all custodians.
- 03_Attachments/: Native attachment files. Names prefixed with Bates if enabled.
- 04_Reports/: Human-readable reports for review and production cover letters.
  - CollectionSummary.html: Counts, date ranges, custodian list.
  - DeduplicationReport.csv: Every duplicate and the hash it matched on.
  - KQLQuery.txt: Exact Graph filter used, re-runnable by another tool.
- 05_Logs/: Operation log. Every Graph call, every retry, every skip — timestamped.
- 06_HashManifests/: SHA-256 and MD5 for every file in the export.
  - Hashes.sha256.txt: Standard sha256sum format.
  - Hashes.md5.txt: Standard md5sum format.
  - Hashes.csv: Same data with file size, path, and relative folder.
- 07_TimestampMaterials/: RFC 3161 artifacts proving the manifest existed at a point in time.
  - ChainOfCustody.json: The signed manifest itself.
  - manifest.tsq: Time-stamp request sent to the TSA.
  - manifest.tsr: Time-stamp response — the thing you verify in court.
  - TSA.pem: TSA certificate chain captured at timestamping.
  - VERIFY.md: Step-by-step instructions for re-verification.
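A recipient can run the re-hash step against Hashes.sha256.txt without Krellix; the code below is an added example (not Krellix code, and not the contents of VERIFY.md) that also reports files the manifest does not list, which plain `sha256sum -c` would not flag. The manifest path, export-relative file paths, the exclusion of folders 06 and 07 from the listing, and the sample file names are assumptions.

```python
import hashlib
import re
from pathlib import Path

MANIFEST = "06_HashManifests/Hashes.sha256.txt"   # assumed path inside the export
LINE = re.compile(r"([0-9a-fA-F]{64}) [ *](.+)")  # sha256sum: digest, mode char, path

def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):  # chunked: no whole-file reads
            h.update(block)
    return h.hexdigest()

def parse_manifest(text):
    """Parse sha256sum lines; reject paths that would escape the export root."""
    entries = {}
    for line in filter(str.strip, text.splitlines()):
        m = LINE.fullmatch(line)
        if not m or Path(m[2]).is_absolute() or ".." in Path(m[2]).parts:
            raise ValueError(f"rejected manifest line: {line!r}")
        entries[m[2]] = m[1].lower()
    return entries

def verify_export(root):
    """Report listed files that changed or vanished, and files the manifest omits."""
    root = Path(root)
    listed = parse_manifest((root / MANIFEST).read_text(encoding="utf-8"))
    report = {"modified": [], "missing": [], "unlisted": []}
    for name, digest in sorted(listed.items()):
        if not (root / name).is_file():
            report["missing"].append(name)
        elif sha256_file(root / name) != digest:
            report["modified"].append(name)
    on_disk = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    skip = ("06_HashManifests/", "07_TimestampMaterials/")  # assumed not self-listed
    report["unlisted"] = sorted(n for n in on_disk - set(listed) if not n.startswith(skip))
    return report

def make_sample_export(root):
    """Constructed sample export: two evidence files plus their manifest."""
    files = {"01_NativeEmails/0001.eml": b"Subject: constructed sample\r\n\r\nbody\r\n",
             "03_Attachments/0001_notes.txt": b"constructed attachment\n"}
    lines = "".join(f"{hashlib.sha256(d).hexdigest()}  {n}\n" for n, d in files.items())
    for name, data in {**files, MANIFEST: lines.encode()}.items():
        path = Path(root, name)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    return Path(root)
```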
04 Which mode should I pick?
Ask one question: who is the custodian?
If the custodian is you — if what you're preserving is your own correspondence with somebody else — pick Personal. No admin consent, no mailbox permission grant. You can be collecting in under a minute.
If the custodian is someone else in your tenant — a departed employee, a subject of an investigation, the other side of a regulatory response — pick Enterprise. You'll need your tenant admin to approve the scopes once and to grant you Full Access mailbox permission on the custodian mailboxes you're authorized to collect.
The output is the same either way. The distinction is entirely about the authorization model, not the defensibility of the result.
Next step
Ready to collect your first defensible export?
Download the 14-day trial. No credit card, no sales call — just the real build on your machine. If it doesn't hold up under a motion to compel, don't pay.