Table of Contents
1. Document Overview
2. LIBPST/LIBDBX
3. Locating Exchange .dbx/.pst Files
3.2 Locating files in the filesystem
3.2.1 Deleted Files
3.2.2 Allocated Files
3.3 Exporting from Exchange
4. Converting .dbx/.pst files
5. Viewing decoded .dbx/.pst files with Thunderbird
6. Converting to HTML with MHONARC
7. Bonus Ideas
7.1 Converting Eudora e-mail
7.2 Converting UNIX e-mail
7.3 Importing mbox into other e-mail clients
7.4 Using uudeview to extract attachments
7.5 Carving for .eml and using eml2mbox for conversion
8. Summary
1. Document Overview
E-mail is everywhere, and the digital forensic examiner is often faced with the task of searching e-mail for evidence of wrongdoing. This paper outlines a simple methodology for using free and open source tools to convert Microsoft Outlook or Outlook Express files into a flat mbox format that can then be manually imported into the Mozilla Thunderbird e-mail client for viewing, or manipulated using other useful scripts. This document is really just a primer for basic e-mail analysis and is intended to be a living document. If you have any questions, comments or suggestions (including sections that you think should be added!) please contact the authors directly.
The paper is divided into several sections. Section two details installing Libpst and Libdbx to convert the Outlook and Outlook Express files. Section three deals with finding the .dbx or .pst e-mail files. Section four details converting the found .dbx or .pst files into the flat mbox format using the readdbx or readpst tools compiled in section two. The fifth section covers how to import these converted files into the Mozilla Thunderbird e-mail client for viewing. The sixth section discusses how to parse mbox files into threaded HTML documents and extract attachments for easy searching and manipulation. The last section discusses other useful tools and tricks that could be of use to the examiner.
Throughout this paper the examples are based on my forensic laptop, an AMD64 machine running Gentoo with an x86_64 2.6.12 kernel [1]. The examples should work exactly the same on x86 machines and on other UNIX-type systems in general.
2. LIBPST/LIBDBX
The readdbx and readpst executables are built from the Libdbx and Libpst source code respectively. You can find the source for both at the following site.
http://sourceforge.net/project/showfiles.php?group_id=18756&release_id=117314
(Of course, using Gentoo one only needs to use the commands 'emerge libdbx' or 'emerge libpst'...;-)
Once you've downloaded the source to a download location of your choice (in this case I've downloaded the source to '/usr/local/forensicapps') you need to untar and decompress the archives.
chimp forensicapps# tar xvzf libdbx_1.0.3.tgz
chimp forensicapps# tar xvzf libpst_0.3.4.tgz
Then change into the directory for libdbx.
chimp forensicapps# cd libdbx_1.0.3
chimp libdbx_1.0.3# make
You should now have a file called readdbx in this directory. Make sure it's executable by issuing the following command:
chimp libdbx_1.0.3# chmod +x readdbx
Now move the executable to a directory in your path such as /usr/local/bin.
chimp libdbx_1.0.3# mv ./readdbx /usr/local/bin
Repeat the preceding steps (untarring, decompressing and compiling) for libpst. You will then have a file named readpst that you can make executable by the same method described above. Move it into a directory in your path as well.
That's it! You can now move on to the next section, which details locating the .dbx and .pst files that you want to convert.
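The unpack, compile and install steps above collected into one reusable script (an added example, not from the paper). It assumes the two tarball names used in this section, the '/usr/local/forensicapps' download location and '/usr/local/bin' as the install directory, and it records the SHA-256 of each source archive and installed binary so the examiner's notes show exactly which tool build was used.

```shell
#!/bin/sh
# Build readdbx (from libdbx) and readpst (from libpst) the way the section
# describes. SRC_ROOT and BIN_DIR are assumptions taken from the text and can
# be overridden in the environment.
set -eu

SRC_ROOT="${SRC_ROOT:-/usr/local/forensicapps}"
BIN_DIR="${BIN_DIR:-/usr/local/bin}"

# Directory a .tgz / .tar.gz archive unpacks into, e.g. libdbx_1.0.3.tgz -> libdbx_1.0.3
src_dir_for_archive() {
    basename "$1" | sed -e 's/\.tar\.gz$//' -e 's/\.tgz$//'
}

# Unpack, compile and install one tool.  $1 = archive file name, $2 = binary the build produces.
build_tool() {
    archive="$SRC_ROOT/$1"
    bin="$2"
    dir="$SRC_ROOT/$(src_dir_for_archive "$1")"
    [ -f "$archive" ] || { echo "missing archive: $archive" >&2; return 1; }
    # Hash of the source archive, for the tool-validation record
    sha256sum "$archive"
    tar xzf "$archive" -C "$SRC_ROOT"
    (cd "$dir" && make)
    [ -f "$dir/$bin" ] || { echo "build did not produce $bin in $dir" >&2; return 1; }
    # install sets the mode, so the separate chmod +x from the text is not needed
    install -m 0755 "$dir/$bin" "$BIN_DIR/$bin"
    # Hash of the installed binary, for the same record
    sha256sum "$BIN_DIR/$bin"
}

build_all() {
    build_tool libdbx_1.0.3.tgz readdbx
    build_tool libpst_0.3.4.tgz readpst
}

# Run as:  sh build-mail-tools.sh build
case "${1:-}" in
    build) build_all ;;
esac
```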