Hello everyone my name is Anthony and I am currently a DF major at Champlain College. I am working for a private firm and we are working on a closed case. I was searching through about 8-10 hard drives recovering PST and OST files and I was wondering your personal favorite program to view and examine these in.
In my opinion, EnCase is not that fantastic with viewing these, I have been looking at the following
Paraben's Email Examiner/Network Examiner
NUIX though, I have yet to see a trial of this (hoping to get some opinions of this software)
and finally Vound's Intella, which I just signed up for, hoping to test it out soon (looking for opinions as well).
Opinions?
I use Kernal o********t when having to extract the MSGs from the OST. The program will turn the ost messages into a PST. Depending on what you want to look at for the PST files, I use Aid4Mail to extract messages for specific date ranges and keywords. Hope this helps.
Hey Anthony,
I used Nuix since some of the earlier versions at my previous job, and it was pretty good. The only downside (and it's a big one) is its price. IMO it is crazily overpriced for what it does, but I'd get a trial and have a good play; then it comes down to cost v benefit.
It also depends on what you need to do. Is it possible to give a general idea of what you're after from the software?
Hi Anthony,
I use FTK 2.2 or 2.0 itself to view PST files and its images.
It works pretty well. I can even get to know the attachments with hash values, which helps me here to solve most of my cases.
Regards,
Sudha
Having seen Nuix demo'd in anger, I feel some context is needed here…
If all you want is a tool to extract and view emails, yes it is expensive. Maybe there is a market here for NUIX to produce a "subset tool" just for this??
If however you want an investigative tool, which allows you to plot and map emails across an enterprise / investigation involving multiple email accounts, then it is actually more reasonably priced and IMHO by far the best tool out there.
Thanks Wardy, I completely agree with what you're saying here.
I do actually really like Nuix (and I really miss not currently being able to use it!). It does do some really cool things quite well, including the network mapping and timeline analysis you refer to. The reporting is OK, but not brilliant, although you can hack it around a fair bit with some good HTML know-how.
I was lucky enough that the company I worked for managed to get in quite early when the cost was far lower than it is now. We actually looked into purchasing another license about 12 months later, and the price had doubled (literally) and was out of our budget.
I think Nuix noticed the hole in the market, particularly in regards to EDiscovery, and have taken advantage of it - as any smart business would. I think there are probably more cost-effective solutions out there for the non-enterprise level investigations, such as Intella which looks very promising (I am testing it now in fact).
That'll teach me for trying to do quick posts late at night!
The problem I have found is that each tool does 85%-90% of the job.
Paraben EMX recovers deleted e-mails, great search functionality but will not search attachments. You have to extract the attachments and search them separately. We have a process to link the responsive attachments back to the original e-mails, which is important because the entire package (e-mail and attachment) needs to stay together.
Encase recovers deleted e-mails and you can search e-mails and attachments. But when you mount the e-mail store you get so much junk and so many objects that it gets confusing. Furthermore, if you find a responsive attachment and tag it for output, the message it is associated with doesn't come along automatically.
FTK recovers deleted e-mail but in my opinion it is the worst for extracting data and providing it to the client. Also, while I have heard this is fixed in the newest version, if you have a responsive attachment, the e-mail isn't extracted automatically.
Trident is by far and away the best tool for producing the results in a reviewable format for the client. Search functionality can be a bit of a pain, though, as the interface is rather dumbed down. But it won't search deleted messages and it is limited to PSTs and NSFs. Nice deduping features.
Kernel OST/PST Nice tool but you have to set your timezone to GMT-0 in order to not screw up the dates on the e-mails.
The vast majority of our searches are PST/NSF so we tend to use Trident. For recovery of deleted messages, we will use Encase to extract deleted messages and feed them back into Trident.
One caveat to the above is Paraben's P2 command which does recover deleted e-mails and does have the ability to search attachments. I have not really tested it fully so I recommend you do so before trying. They do offer a 30 day trial.
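Added example, not code from any poster in this thread or from any of the tools named: a small standard-library Python script that shows the two mechanics the post above describes, searching inside attachments while keeping each responsive attachment tied to the message it arrived with, and normalising each message's Date header to UTC so the analyst's local time zone cannot shift the timestamps. The three messages are constructed inline to stand in for messages exported from a PST/OST; the addresses, subjects and the keyword "falcon" are assumptions.

```python
import hashlib
import email
from email import policy
from email.utils import parsedate_to_datetime
from datetime import timezone

# Constructed sample messages in RFC 822 form, standing in for messages
# exported from a PST/OST. Only the first one carries the keyword in an
# attachment rather than in the body.
SAMPLE_MESSAGES = [
"""From: alice@example.test
To: bob@example.test
Subject: Q3 numbers
Date: Mon, 05 Oct 2009 09:15:00 -0500
Message-ID: <m1@example.test>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See attached.
--b1
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

Project Falcon budget approved.
--b1--
""",
"""From: carol@example.test
To: bob@example.test
Subject: Re: Q3 numbers
Date: Mon, 05 Oct 2009 16:40:00 -0000
Message-ID: <m2@example.test>
MIME-Version: 1.0
Content-Type: text/plain

Falcon looks fine to me, no attachment this time.
""",
"""From: dave@example.test
To: bob@example.test
Subject: Logo
Date: Tue, 06 Oct 2009 08:00:00 +0100
Message-ID: <m3@example.test>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b3"

--b3
Content-Type: text/plain

Logo attached.
--b3
Content-Type: application/octet-stream; name="logo.bin"
Content-Disposition: attachment; filename="logo.bin"
Content-Transfer-Encoding: base64

AAECAwQFBgc=
--b3--
""",
]


def parse_messages(raw_texts):
    """Parse RFC 822 text into EmailMessage objects (policy.default gives the
    modern API: get_body(), iter_attachments(), get_content())."""
    return [email.message_from_string(t, policy=policy.default) for t in raw_texts]


def message_date_utc(msg):
    """Return the Date header as an aware UTC datetime. The offset comes from
    the header itself, never from the machine's local zone, which is the
    mistake that shifts every timestamp when a converter is run in the wrong
    zone. A '-0000' header yields a naive value; treat it as UTC."""
    dt = parsedate_to_datetime(msg["Date"])
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def body_text(msg):
    body = msg.get_body(preferencelist=("plain", "html"))
    return body.get_content() if body is not None else ""


def attachment_records(msg):
    """Yield (filename, raw bytes) for every attachment of a message."""
    for part in msg.iter_attachments():
        data = part.get_content()
        if isinstance(data, str):
            data = data.encode("utf-8", "replace")
        yield part.get_filename() or "(unnamed)", data


def search_messages(msgs, keyword):
    """Case-insensitive keyword search over bodies AND attachments. Every hit
    records its parent Message-ID so nothing is produced without its message."""
    kw = keyword.lower()
    hits = []
    for msg in msgs:
        base = {"message_id": str(msg["Message-ID"]), "subject": str(msg["Subject"]),
                "date_utc": message_date_utc(msg).isoformat()}
        if kw in body_text(msg).lower():
            hits.append({**base, "hit_in": "body", "attachment": None, "sha256": None})
        for name, data in attachment_records(msg):
            if kw in data.decode("utf-8", "replace").lower():
                hits.append({**base, "hit_in": "attachment", "attachment": name,
                             "sha256": hashlib.sha256(data).hexdigest()})
    return hits


def export_packages(hits):
    """Group hits by parent message: a responsive attachment is always exported
    together with the message it belongs to, never on its own."""
    packages = {}
    for h in hits:
        pkg = packages.setdefault(h["message_id"],
                                  {"subject": h["subject"], "date_utc": h["date_utc"], "attachments": []})
        if h["attachment"] and h["attachment"] not in pkg["attachments"]:
            pkg["attachments"].append(h["attachment"])
    return packages


MSGS = parse_messages(SAMPLE_MESSAGES)

if __name__ == "__main__":
    for mid, pkg in export_packages(search_messages(MSGS, "falcon")).items():
        print(mid, pkg)
```

The attachment hash is kept on each hit so a produced attachment can be matched back to the exported message set later, and `export_packages` is the step that keeps the e-mail and its attachment together in the output rather than leaving the analyst to relink them by hand.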
My preference would be Intella, awesome product
Loads of features that are extremely useful and the application is very intuitive to use. Keep a watchful eye on this forensic tool because I think you will see some great additions to the features list.
Having seen Nuix demo'd in anger, I feel some context is needed here…
it is actually more reasonably priced and IMHO by far the best tool out there.
Hmmm, having seen and used Intella I think NUIX may be a little overpriced IMHO.
I used to use Paraben Email Examiner to search through PST files until I noticed that it was missing a large number of emails during keyword searches that it should have been catching... that, and it doesn't search inside attachments. 😯
Now I am using Intella by Vound. It allows for indexing PST, OST etc. etc. and does a really great job. It indexes all the emails which makes searching incredibly fast. The coolest feature though is the cluster mapping which allows you to visually see where your keywords are interacting with each other.
Other than that, you can search by attachment metadata, by people, by hash value, by file type etc. etc.
It's a great tool with a reasonable price. I've not used NUIX before, so I can't compare the two, but I'd recommend downloading a trial version of Intella and having at your email pile. It works like a charm for me!
Ryan