Re: [sleuthkit-users] pst file digest
From: Luis G. 'P. <po...@lg...> - 2013-11-08 19:41:00
Hi all,

As part of a forensic framework that relies on sleuthkit (the revealer toolkit - https://code.google.com/p/revealertoolkit/ ), I wrote some code that parses certain mail types (for PST/OST I use pffextract from libpff) and produces HTML output for every message, extracts the attachments, etc. In fact it goes further than that, because it parses every possible file type (for instance, extracts compressed files, extracts strings from every possible file...), allowing for a nice search.

I stopped working actively on the project when I changed my job nearly one year ago, but it is a nice bunch of code.

The particular file is https://code.google.com/p/revealertoolkit/source/browse/branches/pope-search/RVT/RVTscripts/RVT_parse.pm

In sub RVT_sanitize_libpff_item () (line 1948) we parse the output of libpff and generate our own representation, very nice for visualization and for launching keyword searches.

In addition, DBX, MBOX, MSG and EMLs are processed as well. The different attachments are also extracted / parsed as much as possible until text strings can be obtained from them.

The thing is a little bit experimental, but if anyone wants to give it a try, I can lend a hand.

Best regards

Pope

On 08/11/2013, at 19:11, Greg Freemyer <gre...@gm...> wrote:

> I try to get my clients to let me send them EML files. EML is an open
> standard (RFC-822 / RFC-2822).
>
> Various email clients can read them but not Outlook so I do get some
> pushback. The big advantage is the attachments are embedded. X-Ways
> as an example exports emails originating in PSTs as EML files. I
> don't know what FTK and/or EnCase do.
>
> Further EMLs maintain much of the internal metadata as internal
> metadata. (date sent, subject, to, from, cc, bcc)
>
> Greg
> --
> Greg Freemyer
>
>
> On Fri, Nov 8, 2013 at 9:16 AM, MATT PIERCE <mat...@ad...> wrote:
>> Thank you guys for your suggestions. I would really find a native parser
>> useful. With the ability to import logical files into a case now half the
>> workflow is there. Being able to parse a number of PSTs against a keyword
>> list is what I need to do. Python isn't my strength so I'll have to ask
>> around. There are several commercial products but they are both expensive
>> and incomplete in their features. The report part is also a consideration.
>> Just locating the relevant data would be useful. Having a list of locations
>> in a PST where relevant keywords exist would be great. Being able to carve
>> message files out intact and/or export messages as a PDF would be amazing.
>>
>>>> Hi Matt - we are currently looking into pst parsing libraries and
>>>> hope to have something in the next couple of months to make the
>>>> Mbox parser a more generic email parser
>>
>> That is good news. I rely heavily on libpff for now, although I've not had
>> any success in doing a complete examination without having to resort to
>> native Outlook and sectool to process p12/pfx certificates. If someone can
>> come up with an answer to that (or have I missed an existing one?), that
>> would be most helpful.
>>
>> Admittedly I don't spend enough time on PST testing, but since it's a big
>> chunk of our casework, I'll need to start.
>>
>> /*******************************************
>> Barry J. Grundy
>> Assistant Special Agent in Charge
>> Digital Forensic Support Group
>> Electronic Crimes and Intelligence Division
>> Treasury Inspector General for Tax Administration
>> (301) 210-8741 (w)
>> (202) 527-5778 (c)
>> Bar...@ti...
>> ********************************************\
>>
>> From: Jason Letourneau [mailto:jle...@ba...]
>> Sent: Thursday, November 07, 2013 8:14 PM
>> To: MATT PIERCE
>> Cc: sle...@li...
>> Subject: Re: [sleuthkit-users] pst file digest
>>
>> Hi Matt - we are currently looking into pst parsing libraries and hope to
>> have something in the next couple of months to make the Mbox parser a more
>> generic email parser
>>
>> Jason
>>
>> On Thursday, November 7, 2013, MATT PIERCE wrote:
>>
>> I'm curious if there is any work on a plugin to digest pst files. I'm often
>> getting hit with eDiscovery requests to search multiple PST files for a
>> series of key words. Libpff has a few tools that can work with a pst to a
>> degree but it would be very nice to be able to use them with Autopsy's
>> workflow.
>>
>> _______________________________________________
>> sleuthkit-users mailing list
>> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
>> http://www.sleuthkit.org
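Two things in the thread above fit together: Greg's point that an EML keeps the attachments embedded and the sent date, subject, to, from, cc and bcc as ordinary headers, and Matt's need to run a keyword list over many messages and get back a list of locations where each keyword occurs. The following is an added example of that workflow over EML files (for instance, the ones X-Ways exports from a PST); it is not code from the revealer toolkit, libpff or Autopsy. It uses only the Python standard library `email` package, the sample message is constructed for the example, and the function names (`parse_eml`, `keyword_hits`, `digest_mailbox`) are mine. Attachments are hashed with SHA-256 on the decoded bytes so the digest matches the file once it is written out, and only text/* attachments are searched; other types would need their own extractor, as RVT_parse.pm does for archives.

```python
"""Keyword search over RFC 2822 (EML) messages with the Python standard library.
Added example, not code from the revealer toolkit, libpff or Autopsy."""
import base64
import hashlib
from email import policy
from email.parser import BytesParser
from typing import Dict, Iterable, List

# Metadata that an EML carries as plain headers (Greg's list plus Message-ID).
METADATA_HEADERS = ("date", "from", "to", "cc", "bcc", "subject", "message-id")

# Constructed sample input (not from any real case): one multipart/mixed
# message with a text body and a base64-encoded text attachment.
ATTACHMENT_TEXT = b"Invoice #42 - wire transfer to account 1234567\n"
SAMPLE_EML = (
    b"From: alice@example.com\n"
    b"To: bob@example.com\n"
    b"Cc: carol@example.com\n"
    b"Subject: Q3 invoice\n"
    b"Date: Fri, 08 Nov 2013 09:16:00 -0500\n"
    b"Message-ID: <sample-0001@example.com>\n"
    b"MIME-Version: 1.0\n"
    b'Content-Type: multipart/mixed; boundary="XYZ"\n'
    b"\n"
    b"--XYZ\n"
    b'Content-Type: text/plain; charset="utf-8"\n'
    b"Content-Transfer-Encoding: 7bit\n"
    b"\n"
    b"Bob, the wire transfer details are attached.\n"
    b"--XYZ\n"
    b'Content-Type: text/plain; charset="utf-8"\n'
    b'Content-Disposition: attachment; filename="invoice.txt"\n'
    b"Content-Transfer-Encoding: base64\n"
    b"\n"
    + base64.b64encode(ATTACHMENT_TEXT) + b"\n"
    + b"--XYZ--\n"
)


def _part_text(part) -> str:
    """Decode a text/* part to str, tolerating unknown or wrong charsets."""
    try:
        return part.get_content()
    except (LookupError, UnicodeDecodeError):
        raw = part.get_payload(decode=True) or b""
        return raw.decode("utf-8", errors="replace")


def parse_eml(raw: bytes) -> dict:
    """Parse one EML into metadata headers, best text body and attachments."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    record = {
        "headers": {h: str(msg.get(h, "")) for h in METADATA_HEADERS},
        "body": "",
        "attachments": [],
    }
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is not None:
        record["body"] = _part_text(body)
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""  # transfer-decoded bytes
        record["attachments"].append({
            "filename": part.get_filename() or "(unnamed)",
            "content_type": part.get_content_type(),
            "sha256": hashlib.sha256(payload).hexdigest(),
            # Only text/* attachments are searchable here; others need their
            # own extractor (archives, office documents, ...).
            "text": _part_text(part) if part.get_content_maintype() == "text" else "",
        })
    return record


def keyword_hits(record: dict, keywords: Iterable[str], source: str) -> List[dict]:
    """Case-insensitive search of one parsed message; one hit per (location, keyword)."""
    targets = [(f"header:{n}", v) for n, v in record["headers"].items()]
    targets.append(("body", record["body"]))
    targets += [(f"attachment:{a['filename']}", a["text"]) for a in record["attachments"]]
    hits = []
    for location, text in targets:
        haystack = text.lower()
        for kw in keywords:
            if kw.lower() in haystack:
                hits.append({"source": source, "location": location, "keyword": kw})
    return hits


def digest_mailbox(files: Dict[str, bytes], keywords: Iterable[str]) -> List[dict]:
    """Run a keyword list over many EMLs: the list of locations Matt asked for."""
    keywords = list(keywords)
    hits = []
    for name, raw in files.items():
        hits.extend(keyword_hits(parse_eml(raw), keywords, name))
    return hits


if __name__ == "__main__":
    for hit in digest_mailbox({"sample.eml": SAMPLE_EML}, ["wire transfer", "invoice"]):
        print(f"{hit['source']}\t{hit['location']}\t{hit['keyword']}")
```

On the sample, `digest_mailbox` reports four hits: "invoice" in the Subject header, "wire transfer" in the body, and both keywords inside the decoded invoice.txt attachment. Replace the dict of sample bytes with the contents of an export directory to run it over a real case.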