I have 8 .PST files that I need to review, bookmark relevant emails, and produce for an attorney. I am currently using Paraben P2C. I either need direction to better instructions on how to properly bookmark, search, and produce - or use another tool entirely.
Other tools to which I have access – EnCase, X-Ways, Magnet Forensic Axiom/Internet Evidence Finder.
Thanks for any help/direction you can provide.
While all of those tools can process PST's none of them are really the best option.
I would recommend you have a look at Intella from Vound Software. It's a forensic tool designed with email data in mind, but not limited to email.
you can get a fully functional trial version and if you like what you see they have a version called PI which only costs $99 US and can handle up to 10GB or data per case. If you've used NUIX before then you will have no issues as it's very similar.
I agree with Adam10541 - while all the other tools can process the .pst files fine (some better than others), I've found that they are pretty poor at reporting, exporting properly, etc. Intella was designed specifically for email type support (and other files) - we've found it is better hands down and not even close.
As with the previous messages I would also recommend Intella, especially due to the options available for exporting in different naming conventions and file types.
One thing to be aware of with regard to the PI version is that it is a one year electronic version, tied to a particular workstation and won't run in VM.
The actual 10GB dongle based version is around $900.
All depends whether this is a one-off requirement for you or not.
Paraben has also been pretty good with email review as well, especially EDB, PST, and NSF files.
Many thanks to you all for taking the time to respond!
One important item to watch out for Maintaining Parent-Child relationships
Please make sure that whatever review tool you are using maintains email and attachment parent-child relationships when you create production documents.
This is critical when applying privileged and responsive tags to families of documents.
Most "forensic tools" will create a unique Document ID for each email and/or email attachment but use the following numbering scheme (which breaks up Parent-Child relationships)
DOCID 0001 Email #1
DOCID 0002 Email #2
DOCID 0003 Email #3
DOCID 0004 Attachment to Email #1
DOCID 0005 Attachment to Email #2
DOCID 0006 Attachment to Email #3
The problem with the above DOCID number sequence is that production Bates numbers should actually follow this (thus maintaining the correct Parent-Child sequence
DOCID 0001 Email #1
DOCID 0004 Attachment to Email #1
DOCID 0002 Email #2
DOCID 0005 Attachment to Email #2
DOCID 0003 Email #3
DOCID 0006 Attachment to Email #3
Opposing counsel will definitely raise an issue if produced email attachments do not follow the correct parent email.
** You should be particularly careful to make sure that you have PROPIGATED PRIVILEGE TAGS across families. If an attorney tagged Email #1 above as Privileged, most tools will NOT automatically assign a Privileged tag to Email #1's attachment, which is very bad. If an attorney tags a parent email as privileged then they will want all attachments to that privileged tagged email marked privileged and withheld as well.
You should create a privilege log of all Parent-Children documents marked Privileged and provide that to your attorney to review and produce. A privilege log will include usually the Production Bates Number, To/From/CC/Subject/File name and the Privilege claim. Do NOT include the privileged content in the log obviously.
Conversely, if an attorney marks a parent email as responsive-produce, they typically also want to produce all children attachments.
** A great QC search/step to run is to see if there are any conflicting tags BEFORE sending out the final production set. Conflicting tags would be a "responsive/produce" parent email and a privilege/withhold email attachment. These conflicts need to be worked out by the attorneys and fixed before production.
I recommend that you tag and create a small production set and test if the Parent-Child numbering is being created correctly.
You will also want to confirm the delivery specification before you make a production. An example of a delivery specification can be found here https://
In the linked specification, you will see delivery fields defined in Addendum A along with references to the Parent-Child relationships
FIRSTBATES example = EDC0000001 First Bates number of native file document/email
LASTBATES example = EDC0000001 Last Bates number of native file document/email
**The LASTBATES field should be populated for single page documents/emails.
ATTACHRANGE example = EDC0000001 - EDC0000015 Bates number of the first page of the parent document to the Bates number of the last page of the last attachment “child” document
BEGATTACH example = EDC0000001 First Bates number of attachment range
ENDATTACH example = EDC0000015 Last Bates number of attachment range
PARENT_BATES example = EDC0000001 First Bates number of parent document/Email
**This PARENT_BATES field should be populated in each record representing an attachment “child” document
CHILD_BATES example = EDC0000002; EDC0000014 First Bates number of “child” attachment(s); can be more than one Bates number listed depending on the number of attachments
**The CHILD_BATES field should be populated in each record representing a “parent” document
If you need more help, please send me a PM.
Regards,
Larry