±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 0 Overall: 36583
New Yesterday: 6 Visitors: 143

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Videos

±Latest Jobs

Parsing PSTs

Computer forensics discussion. Please ensure that your post is not better suited to one of the forums below (if it is, please post it there instead!)
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
Page 1, 2  Next 
  

keydet89
Senior Member
 

Parsing PSTs

Post Posted: Feb 23, 07 21:45

All,

I've got a couple of PST files created by using ExMerge on an Exchange server. I'm looking for a tool that will allow me to list the attachments, by file name, within folders.

I know that EnCase, Paraben and FTK will let you open PST files. I have EnCase, but not the other two.

I'm looking for a solution that I can use in the future, and distribute to the team...anything freely available is good, but what I'd like to get is input on the tools that have worked, not just what's out there. "Outlook Express Archiver" from WheresJames Software was recommended to me, but the person recommending it never bothered to check if it was still available. ;-(

thanks,

Harlan  
 
  

andy1500mac
Senior Member
 

Re: Parsing PSTs

Post Posted: Feb 23, 07 22:26

Harlan,

If I understand you correctly Encase can pretty much do what you are asking. I'm using v6.2 and just dragged a PST into the case window and then mounted by "Viewing file structure".

I then sorted by file extension or alternately description (attachment). Then checked all the docs, xls, etc and exported the list (selecting name and full path as export fields)

Is this what you are looking for..?

Andrew  
 
  

keydet89
Senior Member
 

Re: Parsing PSTs

Post Posted: Feb 23, 07 23:30

Andrew,

Thanks. That is what I'm looking for, albeit I only have EnCase 5.05f.

I'm also looking for other alternatives, such as freeware apps (if possible) as alternatives. However, I do thank you for your response...it's greatly appreciated.

Harlan  
 
  

BraneRift
Senior Member
 

Re: Parsing PSTs

Post Posted: Feb 26, 07 20:40

I am not familiar with Exchange, but I am guessing the PST are the same with Outlook?

Before my department would come off money and but FTK and EnCase, I had a VM running with Outlook and just imported the PST Smile It was free and rather easy. I know you are looking for a freeware tool, but I am not aware of any. I tend to use FTK for email. I think it organizes better than Encase (5.05f).  
 
  

keydet89
Senior Member
 

Re: Parsing PSTs

Post Posted: Feb 26, 07 21:29

BraneRift,

Thanks for the response.

> Before my department would come off money and but FTK and EnCase,

What???

Also, I am not simply looking to open these PSTs with a freeware tool. Again, in my original post, I am looking for a way to list the names of the files that are attached to the emails, particularly those in the Sent folder. I am aware that Outlook and Outlook Express can open the emails, but then I'd have to go through by hand, and with the number of emails I'm looking at may end up missing some attachments.

Again, I am not looking for the content of the emails...I am looking to get just the names of the attachments.

Thanks,

Harlan  
 
  

BraneRift
Senior Member
 

Re: Parsing PSTs

Post Posted: Feb 27, 07 01:29

Harlan,

In my opinion, I think FTK does the superior job of listing only the attachments to the emails (path, times, etc). I will include a screenshot so you may see then end result, but I have to wait till I return home inorder to post the graphic on a server. This will give you a better idea of all the imformation that is included on the FTK email screen.

> Before my department would come off money and but FTK and EnCase,


What???


My mind works faster than my fingers or something is lost in the translation of brain activity and motor skills..... What it was supposed to say is "Before my department would come off the money for FTK and Encase"

Kevin  
 
  

gmarshall139
Senior Member
 

Re: Parsing PSTs

Post Posted: Feb 28, 07 00:31

Harlan,

You can isolate attachments in version 5 very easily. Mount the .pst file(s), homeplate everything, and create a condition for "description=Attachment".
_________________
Greg Marshall, EnCE 
 

Page 1 of 2
Page 1, 2  Next