Outlook PST Forensics: Concept and Application
Summary: In this blog, we explain how to conduct a forensic investigation of Outlook emails. First, we mention Outlook's enterprise-oriented features, such as calendaring, contact management, task management, journal logging, and note-taking. We then describe the features that matter in a PST forensics tool, such as recovery of deleted and tampered emails and advanced search functions. We also mention how one email forensics software, Stellar Email Forensic, fulfills every criterion for a forensic PST viewer tool.
Microsoft Outlook is a popular email client used by organizations of all sizes. This is mainly because it comes packed with many enterprise-oriented features, such as calendaring, contact management, task management, journal logging, and note-taking.
When you need to do a forensic investigation of Outlook emails, you can use the export option in the application to extract the mailbox data. This data is saved in a PST file.
Features of a PST Forensics Tool
An advanced PST forensics tool can help you search for relevant emails in the Outlook mailbox, create reports, and collect evidence. Several PST forensics tools are available, but you should prefer one that is easy to use and has a simple user interface.
The following are some essential features that you should seek in a PST forensics tool:
1. Recovery of Deleted and Tampered Emails
To conduct a successful Outlook email forensics investigation, you need to collect all the emails, including the deleted ones, from the PST files. When an email is deleted from a PST file, it remains in the file, but the client can no longer access it. So, the ideal PST forensics tool should be able to find and recover deleted emails from the PST file.
A PST forensics tool can also help in the case of tampered emails. For instance, if someone has spoiled email evidence by tampering with the email header, the PST forensics tool would still be able to display the email header fields. This is useful for identifying discrepancies.
2. Advanced Search Functions
You can open a PST file with Microsoft Outlook and run searches to find information. However, the search functions offered by Outlook are limited and rudimentary. To perform advanced searches, you should use a dedicated PST forensics tool. It can help you filter emails by the file types of the attachments sent or received, or scan emails sent during a particular period by certain users. It can also help you search items by using Boolean Search or Regular Expression Search.
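The filters described above, as an added Python example (not from the original article and not the code of any PST forensics tool). It assumes the messages have already been exported from the PST as RFC 5322 text; `search`, `_eml`, and `SAMPLES` are hypothetical names, and the sample messages are constructed.

```python
import re
from datetime import timezone
from email import message_from_string, policy
from email.utils import parseaddr, parsedate_to_datetime

def _eml(sender, date, body, attachment=None):
    """Build a constructed RFC 5322 message (stand-in for an item exported from a PST)."""
    att = ("--b1\nContent-Type: application/octet-stream\n"
           f'Content-Disposition: attachment; filename="{attachment}"\n\nAAAA\n') if attachment else ""
    return (f"From: {sender}\nTo: bob@example.com\nDate: {date}\nSubject: test\nMIME-Version: 1.0\n"
            'Content-Type: multipart/mixed; boundary="b1"\n\n'
            f"--b1\nContent-Type: text/plain\n\n{body}\n{att}--b1--\n")

# Constructed sample mailbox: names, addresses and contents are invented for this example.
SAMPLES = {
    "msg1.eml": _eml("Alice <alice@example.com>", "Mon, 04 Mar 2024 09:15:00 +0000",
                     "Wire to account 12345678 today.", "invoice.zip"),
    "msg2.eml": _eml("alice@example.com", "Mon, 20 May 2024 12:00:00 +0000", "Lunch on Friday?"),
    "msg3.eml": _eml("Carol <carol@example.com>", "Sun, 10 Mar 2024 17:30:00 +0000",
                     "Account 87654321 attached.", "report.PDF"),
}

def search(messages, senders=None, start=None, end=None, ext=None, pattern=None):
    """Return names of messages that satisfy every supplied criterion (Boolean AND)."""
    rx = re.compile(pattern, re.IGNORECASE) if pattern else None
    hits = []
    for name, raw in messages.items():
        msg = message_from_string(raw, policy=policy.default)
        if senders and parseaddr(str(msg["From"] or ""))[1].lower() not in senders:
            continue
        if start or end:
            try:
                sent = parsedate_to_datetime(str(msg["Date"]))
            except (TypeError, ValueError):
                continue  # a missing or malformed Date cannot satisfy a date filter
            if sent.tzinfo is None:
                sent = sent.replace(tzinfo=timezone.utc)  # assumption: zoneless dates are UTC
            if (start and sent < start) or (end and sent > end):
                continue
        if ext and not any((p.get_filename() or "").lower().endswith(ext.lower())
                           for p in msg.iter_attachments()):
            continue  # no attachment with the requested file extension
        if rx:
            part = msg.get_body(preferencelist=("plain", "html"))
            if not rx.search(f'{msg["Subject"] or ""}\n{part.get_content() if part else ""}'):
                continue
        hits.append(name)
    return hits
```

Pass timezone-aware `datetime` values for `start` and `end`; a Boolean OR can be expressed inside `pattern` with regex alternation.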
3. Case Management
Conducting a formal email forensics investigation is a challenge when you have to manage a large number of emails and other mailbox data. During an investigation, you may need to examine many PST files, mark several important emails and attachments, and document a wide range of events. These tasks demand a lot of time and effort. So, you should choose an easy-to-use PST forensics tool that supports the management of multiple cases simultaneously.
Your choice of a PST forensics tool should have case management features, such as email bookmarking and tagging, log maintenance, and generation of reports like investigation reports, evidence summary reports, etc. These features can help you simplify the otherwise complex investigation tasks and facilitate evidence collection.
4. Support for Large PST Files
Investigators often need to examine multiple mailboxes while conducting an email forensic investigation. To correlate the events, read and analyze the email messages, and identify tampered evidence, the investigators would need to examine several mailboxes (saved in Outlook PST files) in a single process. It's important that the PST forensics tool supports examination of multiple PST files at the same time.
Email forensics is a domain replete with all kinds of challenges. However, with the right tool, you can achieve high productivity and get reliable results. A top-of-the-line PST forensics tool should have all the above-mentioned features. Stellar Email Forensic is one such tool that ticks all the right boxes.
Stellar Email Forensic is an advanced enterprise-based eDiscovery and email forensics software that supports more than 25 widely-used file formats, such as PST, EDB, OST, and MBOX. It comes with features such as Boolean Search, Regular Expression Search, bookmarking, tagging, report generation, deleted email recovery, bulk email forensics, generation of MD5 and SHA1 hash values of the original email files, and much more. You can download Stellar Email Forensic to start your email investigation now. It's available for a free 60-day trial!