This is a school project.
Autopsy 4.5 (which I am using) and Autopsy 4.6 (the latest version) are unable to process OST files from Office 365. I used Kernel to convert them from o********t files so that Autopsy could analyze them. Does the conversion modify or alter the contents and/or metadata of the individual emails inside or just the method by which the emails are encapsulated? I am certain this is not forensically sound, but I could not afford EnCase, FTK, or X-Ways.
This is a school project.
Autopsy 4.5 (which I am using) and Autopsy 4.6 (the latest version) are unable to process OST files from Office 365. I used Kernel to convert them from o********t files so that Autopsy could analyze them. Does the conversion modify or alter the contents and/or metadata of the individual emails inside or just the method by which the emails are encapsulated? I am certain this is not forensically sound, but I could not afford EnCase, FTK, or X-Ways.
Quick and dirty but can't you open the OST and PST in Outlook or whatever and compare some dates and times? Not really good enough for casework but if it's research…
What I have done already is load the PSTs into Autopsy, but I also made copies of the PSTs to mount in Outlook. I'm using the search features in Outlook and then taking those finding and searching in Autopsy. Autopsy's email searching is quite limited compared to Outlook. I do not know how Outlook can damage a PSTs forensic integrity, but I'd prefer to do the one change through the conversion instead of constantly probing and prodding the OST or PST via Outlook to find evidence.