Encase processing PSTs and exporting e-mails to PSTs
I noticed a quite unexpected situation when processing PSTs as LEF in EnCase Endpoint Investigator 8.05.
Firstly, I used help to acquire the PSTs (could avoid due to time constraints). I got around 50 PSTs collected using two methods due to the risk of alteration (25 using Exchange Server 2013 tools, 25 using Stellar EDB to PST Converter). I decided to upload 3 (two from Exchange of one custodian, 1 Stellar of a different custodian) as Evidence using LEF (logical evidence file) to test consistency/completeness etc.
Then I processed them with the indexing and extract e-mail options checked in EnCase version 8.05.
When reviewing the results I noticed only one custodian's (Stellar) emails are searchable via the indexing tool.
I opened a new case and processed only those 2 Exchange-acquired PSTs. One of the short keywords gave me unreadable hits (resembling encrypted data). I uploaded smaller PSTs from the batch and all were readable using Outlook.
So I can't really get why PSTs acquired via the MS tool are not giving readable results. In other words - please help )
Also, while being in the same forest, do you know of EnCase 8.05 or any useful EnCase scripts or apps having an option to extract selected (not all) emails to PSTs to ease review for MS Office users?
I would be grateful for any hints and advice! Thanks!
Have you tried to mount them in Outlook to see if there is any issue with the PST itself or its messages? You may need to run ScanPst.exe to see if there are any issues with the file(s).
If you have the PST file already on hand, you can put it on your desktop or, wherever the file is stored, grab it from the C drive. Add Local Evidence File, and look for the specific PST where it is located.
1) To just view the PSTs you can right-click on the file -> “Entries” -> “View File Structure”. This will mount the PST so you can view each individual email.
2) The 2nd way is to create a logical evidence file (LEF). If you have the PST file already on hand, you can put it on your desktop or, wherever the file is stored, grab it from the C drive. Add Local Evidence File, and look for the specific PST where it is located.
- Acquire the file -> Create a logical evidence file -> then you can Process to carve out any needed keywords, indexed items, then you will be able to create a report and export as html, txt…etc.
YOU CANNOT CARVE OUT THE DATA AND CHANGE THE LEF/L01 File into a PST after it is in EnCase Endpoint Investigator; this will require a 3rd-party program.