Krellix | Mail · v3.1.0

Preserve email in a way a court will accept.

Hashes, timestamps, manifest — verifiable on any machine.

Krellix Mail collects email and documents from Microsoft 365 and IMAP with full chain of custody. SHA-256 and MD5 file hashes, RFC 3161 timestamps from DigiCert, and a self-verifying manifest. Built for solo attorneys, in-house counsel, and HR investigators who need defensible collection without a Purview seat or a vendor invoice.

Request a pilot See how it works

§ 01/Two modes

Personal or Enterprise. The choice you make first.

Mode I

Personal

Operator is the custodian. Preserve your own correspondence by contact (Outlook-style autocomplete) or by mailbox folder (with optional subfolder inclusion). User-consentable scopes — no admin involvement required.

Graph scopes requested

Mail.ReadUser.ReadPeople.Readoffline_access

Mode II

Enterprise

Operator collects from another custodian's mailbox, OneDrive, and SharePoint. Tenant admin consent required once; Add-MailboxPermission grants per-custodian access.

Graph scopes requested

Mail.ReadMail.Read.SharedFiles.Read.AllSites.Read.AllUser.ReadPeople.Readoffline_access

§ 02/Walkthrough

From sign-in to sealed export.

Seven steps. Under thirty minutes of operator time. Most of that is Krellix running while you do something else.

§ 01

Pick a mode

Personal or Enterprise. Determines which Graph scopes Krellix requests, which UI controls appear, and whether the collection targets /me/messages or /users/{custodian}/messages.

§ 02

Sign in with Microsoft 365

MSAL runs sign-in in the system browser. Krellix receives an access token and a refresh token; it never sees the password.

§ 03

Identify the custodian and scope the query

By contact (Outlook-style autocomplete), by folder, or full custodian mailbox. Krellix shows you the Graph $filter expression before the collection begins.

§ 04

Pre-flight probe

A single MailFolders.GetAsync(Top=1) call surfaces permission problems — a missing Add-MailboxPermission grant, a typo'd UPN, a disabled account — as a clean user-facing error instead of a mid-export 403.

§ 05

Collect

Krellix streams messages page by page. Native .eml, searchable PDF, attachments in original format. SHA-256 + MD5 computed as files are written, not after the fact.

§ 06

Manifest + RFC 3161 timestamp

Krellix writes ChainOfCustody.txt, hashes it, sends the hash to a public Time Stamp Authority (DigiCert default, Sectigo and GlobalSign failovers), and stores the signed TSR token. At that point the collection is sealed.

§ 07

Deliver

Hand the export folder to opposing counsel, your reviewer, or your eDiscovery vendor. The bundled VerifyTimestamp.bat re-verifies on any machine. No Krellix license required to verify.

§ 03/Output

Seven numbered folders. Nothing proprietary.

Native first, derived second, metadata last — sorted in the order a reviewer would want to see them.

Export folder · /exports/2026-04-18_MillerScott_Marquez/07 folders

- MILLER0001 — 2025-09-04T14_22_18Z.eml
- MILLER0002 — 2025-09-04T15_07_44Z.eml
- MILLER0003 — 2025-09-05T09_31_02Z.eml

Hover or tab through folders to inspect. Every file in the export is hashed and timestamped — see 06_HashManifests/.

§ 04/Chain of custody

The manifest is the artifact that wins the argument.

Every export includes ChainOfCustody.txt — a signed plain-text manifest of who collected what, from whom, when, and how. Hash the manifest, send the hash to a public Time Stamp Authority, archive the signed response. Anyone with OpenSSL can verify the chain on any machine.

ChainOfCustody.txt

● Sealed

═══════════════════════════════════════════════════════════════
  KRELLIX MAIL — CHAIN-OF-CUSTODY MANIFEST
═══════════════════════════════════════════════════════════════
 
OPERATOR & ENVIRONMENT
─────────────────────────────────────────────────────────────
  Operator Account:  j.rourke@millerscottlaw.com
  Operator Name:     Jordan Rourke
  Organization:      Miller Scott Law
  Tenant ID:         c1d7f2b0-9a3e-4b5c-8d71-2e4f60a81c93
  Krellix Version:   3.1.0
  Collection Mode:   Enterprise
 
COLLECTION SCOPE
─────────────────────────────────────────────────────────────
  Custodian:         d.marquez@millerscottlaw.com (Diana Marquez)
  Date Range:        2025-09-01 — 2026-03-01 (UTC)
  Total Messages:    4,182
  Attachments:       1,776
  Deduplicated:      312
 
INTEGRITY
─────────────────────────────────────────────────────────────
  Hash Algorithm:    SHA-256 (primary), MD5 (compatibility)
  Files Hashed:      6,294
  Master Manifest:   See FileHashes.txt for the complete list

✓ Timestamp verified · DigiCert TSA · RFC 31612026-04-18T14:47:05Z

§ 05/Security

Local processing. No telemetry. Delegated scopes only.

Credentials

Your password never reaches Krellix

MSAL handles sign-in in the system browser. Krellix receives a token, never a password.

Network egress

Three outbound destinations, total

Microsoft Graph, a public RFC 3161 TSA, and the Krellix license server. That's it.

Tenant audit

Every Graph call appears in your audit log

Delegated permissions mean every call is logged under the operator's UPN. Visible to your SIEM with no extra integration.

Full security architecture

§ 06/Pricing

Annual license. No metering.

No per-seat, per-custodian, or per-gigabyte pricing. One annual license, unlimited collections.

Solo

$299

/ year

single operator

Firm

$799

/ year

up to 5 operator seats

Enterprise

from $2,499

/ year

custodian + OneDrive + SharePoint

Full pricing and FAQ

Talk to us

Talk to us about a pilot.

If you have a use case that fits, request a pilot — I'll set you up directly.

Request a pilot