In a given scenario, if the IT team of some company provides you with the PST files, how do we prove the authenticity of this file in court?
I want to prove that mails that are extracted from the PST are genuine and not tampered with…
Well, the PST in this case has contents from one of the webmails, i.e. Gmail or Yahoo Mail.
Secondly, I also wanted to know if the PST files can be tampered with, i.e. can the mail contents within the PST be tampered with…
If you took an MD5 of it, I would think that it would change if you tampered with it in any way, shape, or form.
I guess the question would be, "How do we know that the IT dept did not tamper with it before giving it to you?" That's a more difficult question, I think.
I agree with Scubacuda. I would be comfortable if I had been present during the PST extraction so as to be able to describe the process.
Another (weaker) test is the MAC times analysis for the PST itself. Had it been created by an automatic extraction to its final destination, the three values should be very close.
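
An added example, not part of any post in this thread: the two checks discussed above in Python, hashing the PST when it is received so later changes are detectable, and measuring how far apart its three MAC times are. The function names, the 120-second threshold and the stand-in file are assumptions; the hash comparison only covers changes made after the baseline was taken.

```python
import hashlib
import os
import tempfile

def fingerprint(path, chunk_size=1 << 20):
    """Record MD5, SHA-256 and MAC times of a file, reading it in chunks."""
    st = os.stat(path)  # stat before reading: a read can update the access time
    # st_ctime is creation time on Windows and inode-change time on Unix.
    mac = {"modified": st.st_mtime, "accessed": st.st_atime,
           "created_or_changed": st.st_ctime}
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest(), "mac": mac,
            "mac_spread_seconds": max(mac.values()) - min(mac.values())}

def verify(path, baseline, max_spread_seconds=120):
    """Compare a file with its baseline fingerprint; return a list of findings."""
    current = fingerprint(path)
    findings = []
    if (current["md5"], current["sha256"]) != (baseline["md5"], baseline["sha256"]):
        findings.append("hash mismatch: contents changed since the baseline")
    if current["mac_spread_seconds"] > max_spread_seconds:  # assumed threshold
        findings.append("MAC times far apart: %.0f s"
                        % current["mac_spread_seconds"])
    return findings

def demo():
    """Run both checks on a constructed stand-in file (not a real PST)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.pst")
        with open(path, "wb") as fh:
            fh.write(b"constructed mailbox bytes " * 1000)
        baseline = fingerprint(path)       # taken at hand-over
        clean = verify(path, baseline)     # untouched copy
        with open(path, "r+b") as fh:      # change a single byte
            fh.seek(10)
            fh.write(b"X")
        day_ago = baseline["mac"]["modified"] - 86400
        os.utime(path, (day_ago, day_ago)) # back-date access and modify times
        return clean, verify(path, baseline)

if __name__ == "__main__":
    clean, tampered = demo()
    print("untouched:", clean)
    print("modified :", tampered)
```
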