Re: [sleuthkit-users] Parse outlook pst file to locate emails by sent or created date range
From: MATT P. <mat...@ad...> - 2014-09-25 20:50:21
I'm really excited to see this coming along. Thank you for putting the time to add this capability. Search would be an amazing ability. The ability to carve an email into an evidence container with metadata intact would be ultimately amazing.

From: Joyce Nord [mailto:joy...@gm...]
Sent: Thursday, September 25, 2014 2:04 PM
To: 'Jason Letourneau'
Cc: sle...@li...
Subject: Re: [sleuthkit-users] Parse outlook pst file to locate emails by sent or created date range

Hi Jason...

Gotcha..thank you. Wanted to make sure I didn't screw something up.

All the Best,
Joyce

*****
In accordance with applicable privacy protection laws, this email and its contents are a private communication and are intended only for the expressed recipient. I do not authorize disclosure to a third party without my direct written consent. If you have received this email in error or are not the intended recipient, securely destroy it (as well as all copies) and notify me via separate email immediately.
*****

From: Jason Letourneau [mailto:jle...@ba...]
Sent: Thursday, September 25, 2014 1:42 PM
To: Joyce Nord
Cc: sle...@li...
Subject: Re: [sleuthkit-users] Parse outlook pst file to locate emails by sent or created date range

Hi Joyce -

The email support in Autopsy isn't as robust as you might be looking for and have discovered. The PST parsing creates "artifacts" for each email, but not fully qualified files that get indexed for search. The result is the ability to browse through the email contents, but not do too much more than that at this point.

Jason

------------------------------------------------
Jason Letourneau
Product Manager, Digital Forensics
Basis Technology
jle...@ba...
617-386-2000 ext. 152

On Sep 24, 2014, at 1:16 PM, Joyce Nord <joy...@gm...> wrote:

So I've been playing with sleuthkit, and I can sort by date sent / date received, and select. However, when I select the emails within a given range by highlighting them, then right-clicking and choosing extract, it exports the entire pst again -- not just the ones I've selected. So apparently the extract file option is not to export the email messages individually. If I tag the results, Autopsy bookmarks the entire file rather than the individual email. So it does not appear there is a way to export individual emails inside Autopsy. Can someone confirm this?

From: Jason Letourneau [mailto:jle...@ba...]
Sent: Tuesday, September 23, 2014 9:20 AM
To: Joyce Nord
Cc: ajs; sle...@li...
Subject: Re: [sleuthkit-users] Parse outlook pst file to locate emails by sent or created date range

Sorry...I meant Joyce (better to look at the actual email rather than Autopsy parsed email for names) ;)

Jason

On Tue, Sep 23, 2014 at 9:19 AM, Jason Letourneau <jle...@ba...> wrote:

Hi Albert -

It looks like your PST was parsed (see the Email node in the tree in one of your screenshots). I think your search isn't doing what you think it should which is why you are seeing no results. The "Name" field is searching for the file name, uncheck that box and see what results you get. I don't see any file with the name in the box, were you thinking that names the search/filter set?

Jason

On Tue, Sep 23, 2014 at 12:01 AM, Joyce Nord <joy...@gm...> wrote:

I tried adding it as a data source before I asked the group and no results are produced which fall into the known data set:

Here are the search parameters:
<image001.png>

And, here are the results:
<image002.png>

The email ingest option was turned on because if I look manually I can see:
<image003.png>

Yet if I open the pst in outlook, I see:
<image004.png>

From: ajs [mailto:ant...@gm...]
Sent: Monday, September 22, 2014 9:06 PM
To: Jason Letourneau; Joyce Nord
Cc: sle...@li...
Subject: RE: [sleuthkit-users] Parse outlook pst file to locate emails by sent or created date range

Thanks. I don't recall if I added it as a data source specifically in my case but it never pulled anything for me. I'll try again to see what I can get.

________________________________
From: Jason Letourneau <jle...@ba...>
Sent: 9/22/2014 7:17 PM
To: Joyce Nord <joy...@gm...>
Cc: ajs <ant...@gm...>; sle...@li...
Subject: Re: [sleuthkit-users] Parse outlook pst file to locate emails by sent or created date range

Libpst is integrated into Autopsy 3.1 so you should be able to add the PST file as a data source (logical file) and get it parsed as long as you enable the email parser ingest module - there are some limitations with Libpst in terms of file and version support, so you may need to see if your file is in their supported version set

Jason

On Monday, September 22, 2014, Joyce Nord <joy...@gm...> wrote:

Thank you. Trying to do it with open source right now to prove it can be done. Looks like my options are readpst and then grepmail or even perhaps regular grep and scripting moving the files matching the attribute pattern. grepmail looks like it might work but I keep getting the error "invalid config variable: todayismidnight", which was supposedly rectified back in 2010 or 11, but apparently not.

From: ajs [mailto:ant...@gm...]
Sent: Monday, September 22, 2014 6:30 PM
To: Joyce Nord; sle...@li...
Subject: RE: [sleuthkit-users] Parse outlook pst file to locate emails by sent or created date range

In my limited experience, no. I asked about this a week or two ago and didn't hear anything back. If you have IEF or FTK, both of those handle it well.

________________________________
From: Joyce Nord
Sent: 9/22/2014 6:07 PM
To: sle...@li...
Subject: [sleuthkit-users] Parse outlook pst file to locate emails by sent or created date range

Is there a way to do this within Autopsy 3.0? I have a PST I need to parse, not an entire image.
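
The route discussed in the thread (convert the PST with readpst, then script the selection by sent date) can be sketched as follows. This is an added example, not part of the original messages and not Autopsy or libpst code; it assumes the PST has already been converted to an mbox file, and `export_range`, `sent_utc`, `demo` and the sample messages are constructed for illustration. Each match is written to its own .eml file and hashed so the export can be checked later, and dates are compared in UTC so a message near the range boundary is not misplaced by its sender's time zone.

```python
import hashlib
import mailbox
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from pathlib import Path

# Constructed sample in mbox format (the format assumed from readpst); not case data.
SAMPLE_MBOX = (
    "From a Mon Sep 22 18:07:00 2014\nFrom: Alice <alice@example.org>\n"
    "Date: Mon, 22 Sep 2014 18:07:00 -0400\nSubject: in range\n\nbody one\n\n"
    "From b Tue Sep 30 21:30:00 2014\nFrom: bob@example.org\n"
    "Date: Tue, 30 Sep 2014 21:30:00 -0400\nSubject: October in UTC\n\nbody two\n\n"
    "From c Mon Sep 22 00:00:00 2014\nFrom: carol@example.org\n"
    "Date: not a date\nSubject: bad header\n\nbody three\n\n"
)

def sent_utc(msg):
    """Date header as an aware UTC datetime, or None if unparseable (zoneless = UTC)."""
    try:
        dt = parsedate_to_datetime(str(msg.get("Date", "")))
    except (TypeError, ValueError):
        return None
    return (dt.replace(tzinfo=timezone.utc) if dt.tzinfo is None else dt).astimezone(timezone.utc)

def export_range(mbox_path, out_dir, start, end):
    """Write each message with start <= Date < end to its own .eml under out_dir.
    Returns (manifest, unparsed): rows of (file, sent time, SHA-256 of exported
    bytes), and the mbox keys whose Date header needs manual review."""
    Path(out_dir).mkdir(parents=True, exist_ok=True)
    manifest, unparsed = [], []
    box = mailbox.mbox(str(mbox_path), create=False)  # point this at a working copy
    for key, msg in box.iteritems():
        sent = sent_utc(msg)
        if sent is None:
            unparsed.append(key)
        elif start <= sent < end:
            raw = box.get_bytes(key)                  # headers and body as stored
            name = f"msg-{key:05d}.eml"
            Path(out_dir, name).write_bytes(raw)
            manifest.append((name, sent.isoformat(), hashlib.sha256(raw).hexdigest()))
    box.close()
    return manifest, unparsed

def demo(workdir):
    src = Path(workdir, "sample.mbox")
    src.write_text(SAMPLE_MBOX)
    sept = datetime(2014, 9, 1, tzinfo=timezone.utc), datetime(2014, 10, 1, tzinfo=timezone.utc)
    return export_range(src, Path(workdir, "out"), *sept)
```

Calling `demo()` on an empty directory exports only the first sample message; the second falls in October once converted to UTC, and the third is returned in the review list because its Date header cannot be parsed.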