±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 0 Overall: 35894
New Yesterday: 3 Visitors: 126

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Videos

±Latest Jobs

Encase processing PSTs and exporting e-mails to PSTs

Forensic software discussion (commercial and open source/freeware). Strictly no advertising.
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
 
  

maciekzzz
Newbie
 

Encase processing PSTs and exporting e-mails to PSTs

Post Posted: Mar 14, 19 12:17

Dear All,

I a noticed quite unexpected situation when processing PSTs as LEF in Encase Endpoint Investigator 8.05.

Firstly I used a help to acquire PSTs (could avoid due to time constraints). I got around 50PSTS collected using two methods due to risk of alternation (25 using Exchange Server 2013 tools, 25 using Stellar EDB to PST Converter). I decided to upload 3 (two from Exchange of one custodian, 1 Stellar of different custodian) as Evidence using LEF (logical evidence file) to test consistence/completeness etc.
Then I processed using indexing and extract e-mail option checked in EnCase 8.05 version.
When reviewing results I noticed only one custodian (Stellar) emails are searchable via indexing tool.
I opened new case and processed only those of 2 PSTs of Exchange-acquired. One of short keywords gave me a unreadable hits (resembling encrypted data). I uploaded smaller PSTs from the batch and all were readable using Outlook.

So I can't really get why PSTs acquired PSTs via MS tool are not giving readable results. In other words - please help Smile

Also, while being in the same forest, do you know Encase 8.05 or any useful EnCases scripts or apps having an option to extract selected (not all) emails to PSTs to ease review for MS office users ?

I would be grateful for any hints and advises ! Thanks !  
 
  

jpickens
Senior Member
 

Re: Encase processing PSTs and exporting e-mails to PSTs

Post Posted: Mar 18, 19 21:23

Have you tried to mount them in Outlook to see if there is any issue with the PST itself or its messages? You may need to run ScanPst.ext to see if there are any issues with the file(s).  
 
  

jimmysparrow
Newbie
 

Re: Encase processing PSTs and exporting e-mails to PSTs

Post Posted: Mar 19, 19 00:05

If you have the PST file already on hand, you can put it on your desktop, or wherever the file is stored grab it from the C drive. Add Local Evidence File, and look for the specific PST where it is located.
1) To just view the PSTs you can right click on the file, -> “Entries” -> “View File Structure”. This will mount the PST so you can view each individual email.

2) The 2nd way is to create a logical evidence file (LEF), If you have the PST file already on hand, you can put it on your desktop, or wherever the file is stored grab it from the C drive. Add Local Evidence File, and look for the specific PST where it is located.

- Acquire the file -> Create a logical evidence file-> then you can Process to carve out any needed keywords, indexed items, then you will be able to create a report and export as html, txt…etc.
YOU CANNOT CARVE OUT THE DATA AND CHANGE THE LEF/L01 File into a PST after it is in Encase Endpoint Investigator, this will require a 3rd party program  
 

Page 1 of 1