Re: [sleuthkit-users] pst file digest
From: Greg F. <gre...@gm...> - 2013-11-08 18:12:05
I try to get my clients to let me send them EML files. EML is an open standard (RFC-822 / RFC-2822). Various email clients can read them but not Outlook so I do get some pushback.

The big advantage is the attachments are embedded.

X-Ways as an example exports emails originating in PSTs as EML files. I don't know what FTK and/or EnCase do.

Further EMLs maintain much of the internal metadata as internal metadata. (date sent, subject, to, from, cc, bcc)

Greg
--
Greg Freemyer

On Fri, Nov 8, 2013 at 9:16 AM, MATT PIERCE <mat...@ad...> wrote:
> Thank you guys for your suggestions. I would really find a native parser
> useful. With the ability to import logical files into a case now half the
> workflow is there. Being able to parse a number of pst’s against a keyword
> list is what I need to do. Python isn’t my strength so I’ll have to ask
> around. There are several commercial products but they are both expensive
> and incomplete in their features. The report part is also a consideration.
> Just locating the relevant data would be useful. Having a list of locations
> in a pst where relevant keywords exist would be great. Being able to carve
> message files out intact and/or export messages as a pdf would be amazing.
>
> >>>Hi Matt - we are currently looking into pst parsing libraries and
> >>>hope to have something in the next couple of months to make the
> >>>Mbox parser a more generic email parser
>
> That is good news. I rely heavily on libpff for now, although I’ve not had
> any success in doing a complete examination without having to resort to
> native outlook and sectool to process p12/pfx certificates. If someone can
> come up with an answer to that (or have I missed an existing one?), that
> would be most helpful.
>
> Admittedly I don’t spend enough time on PST testing, but since it’s a big
> chunk of our casework, I’ll need to start.
>
> /*******************************************
> Barry J. Grundy
> Assistant Special Agent in Charge
> Digital Forensic Support Group
> Electronic Crimes and Intelligence Division
> Treasury Inspector General for Tax Administration
> (301) 210-8741 (w)
> (202) 527-5778 (c)
> Bar...@ti...
> ********************************************\
>
> From: Jason Letourneau [mailto:jle...@ba...]
> Sent: Thursday, November 07, 2013 8:14 PM
> To: MATT PIERCE
> Cc: sle...@li...
> Subject: Re: [sleuthkit-users] pst file digest
>
> Hi Matt - we are currently looking into pst parsing libraries and hope to
> have something in the next couple of months to make the Mbox parser a more
> generic email parser
>
> Jason
>
> On Thursday, November 7, 2013, MATT PIERCE wrote:
>
> I'm curious if there is any work on a plugin to digest pst files. I'm often
> getting hit with eDiscovery requests to search multiple PST files for a
> series of key words. Libpff has a few tools that can work with a pst to a
> degree but it would be very nice to be able to use them with Autopsy's
> workflow.
>
> _______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org
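
Added example (not part of the thread and not code from any tool named in it): a sketch of the keyword search discussed above, run against messages already exported from a PST as EML, using only the Python standard library. The function names, keywords and sample message are constructed for illustration; binary attachments are only flagged, not parsed.

```python
import email
from email import policy
from email.message import EmailMessage

METADATA = ("date", "subject", "from", "to", "cc", "bcc")

def build_sample_eml() -> bytes:
    """Constructed sample message with one embedded (base64) attachment."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg["Cc"] = "carol@example.com"
    msg["Subject"] = "Q3 invoice"
    msg["Date"] = "Fri, 08 Nov 2013 09:16:00 -0500"
    msg.set_content("Please see the attached ledger before the audit.")
    msg.add_attachment(b"acct 4411: wire transfer pending\n",
                       maintype="text", subtype="plain", filename="ledger.txt")
    return msg.as_bytes()

def search_eml(raw: bytes, keywords):
    """Return (metadata, hits); each hit is (keyword, location in the message)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    meta = {h: str(msg[h]) for h in METADATA if msg[h] is not None}
    hits = []

    def scan(text, where):
        low = text.lower()
        hits.extend((k, where) for k in keywords if k.lower() in low)

    for name, value in meta.items():
        scan(value, f"header:{name}")
    for i, part in enumerate(msg.walk()):
        if part.is_multipart():
            continue  # container only; walk() visits its children
        name = part.get_filename()
        where = f"attachment:{name}" if name else f"body:part{i}"
        if part.get_content_maintype() == "text":
            scan(part.get_content(), where)  # transfer encoding is decoded here
        else:
            # PDF, Office and other binary formats need their own text extractor.
            hits.append(("<unsearched>", where))
    return meta, hits

if __name__ == "__main__":
    meta, hits = search_eml(build_sample_eml(), ["invoice", "wire transfer", "audit"])
    print(meta)
    for keyword, where in hits:
        print(f"{keyword!r} found in {where}")
```

Because the attachment is stored base64-encoded inside the EML, a plain string search over the raw file would not find "wire transfer"; the hit appears only after the MIME part is decoded.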