
Email reporting

(@djpnp)
Topic starter  

How do people present emails in a report? For the odd one or two, EnCase's reports can be hacked away at to get to the real information (although it is very frustrating), and FTK presents them better, with links to the attachments, but both are impractical for more than a handful of emails.

In many cases the computer examiner simply doesn't have the overview of the wider investigation to fully evaluate all the emails, so they will have to be turned over to the OIC. I'd like to know how people do this in a way that doesn't require:

1) giving up a licence for forensic software, or
2) the OIC having to click through thousands of links to see all the emails.

Or is it simply better to cherry-pick the best emails and accept that you can't present everything, and that the OIC probably won't have time to sift through the emails anyway?


(@chitapett)

I've run into the same problem with several email investigations and have found that the answer is to narrow the scope of the production rather than try to find a way to present thousands of files.

First, narrow the number of responsive files/emails that need to be produced. I do this by using a good keyword list and date range. If you have a well-thought-out approach and know what you are looking for, the number of emails should not be so high. When I consult with a client, I make sure that I have a concise list of keyword expressions that will not return thousands or even millions of false positives. Sometimes clients come to me with a list of 70 expressions, some of which are three-letter acronyms, and I immediately warn them of the risk of getting back a large number of false positives. Usually the client understands the risk and works with me to create a "good" list.

Then, if a timeline can be used to target the date/time frame in which a responsive email could have been sent or received, I get one so that I can further narrow the scope of my production. Sometimes you'll find false-positive results that are nowhere near the date/time a custodian was even employed, etc.

In the end you can obviously use several options to present the responsive material to your client. You can extract the emails from EnCase's Records tab as MSG files, or you can use FTK's master report. As you stated, these tools are good when you don't have thousands of results. I've found that the answer to this dilemma is to get more concise and targeted rather than making someone manually do what the keyword search or index is meant to do.

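The workflow in the reply above (agree a tight keyword list, apply a date range, then hand over only the responsive messages) can be scripted with nothing more than the Python standard library, which also answers the topic starter's two constraints: no forensic licence is needed to open the result, and the OIC gets one index page rather than thousands of links. The following is an added example, not code from either poster. It parses a set of .eml messages (the four messages below are constructed samples on the hypothetical domain example.test, and the keyword list TERMS is made up for the demonstration), keeps those inside the date window whose headers or text bodies match a term on a word boundary (so a short acronym like "ACM" does not fire on "acme"), and writes a review package: one numbered folder per responsive message holding the original message.eml and its extracted attachments, plus an index.html listing date, sender, subject, the terms that hit, attachment links and the SHA-256 of each message as written out. Messages with no usable Date header are kept and flagged rather than silently dropped, and attachment file names are treated as untrusted input before they are used as paths.

```python
"""Added example: keyword + date-range triage of .eml messages into a browser-reviewable package."""
import hashlib
import html
import re
import tempfile
from datetime import datetime, timezone
from email import message_from_bytes, policy
from email.utils import parsedate_to_datetime
from pathlib import Path

# Hypothetical keyword list and date window agreed with the client for this demo.
TERMS = ["project falcon", "ACM", "wire transfer"]
START = datetime(2020, 1, 1, tzinfo=timezone.utc)
END = datetime(2020, 12, 31, 23, 59, 59, tzinfo=timezone.utc)

# Constructed sample messages (not case data). The attachment name in the first
# message deliberately contains "../" to show the path sanitisation below.
SAMPLE_EMLS = [m.encode() for m in [
"""\
From: alice@example.test
To: bob@example.test
Subject: Project Falcon status
Date: Mon, 03 Feb 2020 10:15:00 +0000
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Bob, the Project Falcon figures are in the attached sheet.
--b1
Content-Type: text/csv; name="falcon.csv"
Content-Disposition: attachment; filename="../falcon.csv"

q1,100
--b1--
""",
"From: carol@example.test\nTo: bob@example.test\nSubject: Invoice\n"
"Date: Tue, 04 Feb 2020 09:00:00 +0000\n\nPlease pay the acme invoice this week.\n",
"From: alice@example.test\nTo: bob@example.test\nSubject: Old wire transfer\n"
"Date: Fri, 11 Jan 2019 08:00:00 +0000\n\nReminder about last year's wire transfer.\n",
"From: dave@example.test\nTo: bob@example.test\nSubject: Urgent\n\n"
"Approve the wire transfer to ACM Holdings today.\n",
]]


def compile_terms(terms):
    """One case-insensitive pattern; \\b keeps 'ACM' from matching inside 'acme'."""
    return re.compile(r"\b(?:%s)\b" % "|".join(re.escape(t) for t in terms), re.IGNORECASE)


def message_date(msg):
    """Aware datetime from the Date header, or None if absent/unparseable."""
    raw = msg.get("Date")
    if raw is None:
        return None
    try:
        dt = parsedate_to_datetime(str(raw))
    except (TypeError, ValueError):
        return None
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)  # "-0000" parses naive


def message_text(msg):
    """Searchable text: key headers plus every text/* body that is not an attachment."""
    parts = [str(msg.get(h, "")) for h in ("From", "To", "Cc", "Subject")]
    parts += [p.get_content() for p in msg.walk()
              if p.get_content_maintype() == "text" and not p.is_attachment()]
    return "\n".join(parts)


def safe_name(name):
    """Attachment names are attacker-controlled: strip directories and odd characters."""
    base = re.sub(r"[^A-Za-z0-9._-]", "_", Path(name or "unnamed").name)
    return "unnamed" if base in ("", ".", "..") else base


def triage(raw_messages, terms, start, end):
    """Return (responsive records, counts) applying the date window first, then keywords."""
    pattern, kept = compile_terms(terms), []
    stats = {"total": 0, "responsive": 0, "outside_range": 0, "no_hits": 0}
    for raw in raw_messages:
        stats["total"] += 1
        msg = message_from_bytes(raw, policy=policy.default)
        when = message_date(msg)
        if when is not None and not (start <= when <= end):
            stats["outside_range"] += 1
            continue
        hits = sorted({m.group(0).lower() for m in pattern.finditer(message_text(msg))})
        if not hits:
            stats["no_hits"] += 1
            continue
        stats["responsive"] += 1
        atts = [(safe_name(p.get_filename()), p.get_content()) for p in msg.iter_attachments()]
        kept.append({"raw": raw, "sha256": hashlib.sha256(raw).hexdigest(), "hits": hits,
                     "date": "" if when is None else when.isoformat(), "date_unknown": when is None,
                     "from": str(msg.get("From", "")), "subject": str(msg.get("Subject", "")),
                     "attachments": [(n, d.encode() if isinstance(d, str) else d) for n, d in atts]})
    return kept, stats


def write_package(responsive, out_dir):
    """Write NNN/message.eml, NNN/attachments/* and index.html; return the index path."""
    out, rows = Path(out_dir), []
    for i, r in enumerate(responsive, 1):
        folder = out / f"{i:03d}"
        (folder / "attachments").mkdir(parents=True, exist_ok=True)
        (folder / "message.eml").write_bytes(r["raw"])
        links = []
        for name, data in r["attachments"]:
            target, n = folder / "attachments" / name, 1
            while target.exists():  # two attachments with the same name in one message
                n += 1
                target = target.with_name(f"{n}_{name}")
            target.write_bytes(data)
            rel = html.escape(target.relative_to(out).as_posix())
            links.append(f'<a href="{rel}">{rel}</a>')
        date = "unknown (no Date header)" if r["date_unknown"] else r["date"]
        rows.append("<tr>" + "".join(f"<td>{c}</td>" for c in (
            i, html.escape(date), html.escape(r["from"]),
            f'<a href="{i:03d}/message.eml">{html.escape(r["subject"])}</a>',
            html.escape(", ".join(r["hits"])), " ".join(links) or "-", r["sha256"])) + "</tr>")
    index = out / "index.html"
    index.write_text("<html><body><table border=1><tr><th>#</th><th>Date</th><th>From</th>"
                     "<th>Subject</th><th>Hits</th><th>Attachments</th><th>SHA-256 (message.eml)"
                     "</th></tr>" + "\n".join(rows) + "</table></body></html>", encoding="utf-8")
    return index


def build_review_package(out_dir=None):
    """Run the triage over the constructed samples and return a summary of what was produced."""
    out = Path(out_dir or tempfile.mkdtemp(prefix="email_review_"))
    responsive, stats = triage(SAMPLE_EMLS, TERMS, START, END)
    index = write_package(responsive, out)
    written = sorted(p for p in out.rglob("*") if p.parent.name == "attachments")
    return {"stats": stats, "subjects": [r["subject"] for r in responsive],
            "hits": [r["hits"] for r in responsive],
            "date_unknown": [r["date_unknown"] for r in responsive],
            "attachments": [p.relative_to(out).as_posix() for p in written],
            "attachment_bytes": written[0].read_bytes() if written else b"",
            "index_html": index.read_text(encoding="utf-8")}


if __name__ == "__main__":
    summary = build_review_package()
    print(summary["stats"], summary["subjects"], summary["hits"])
```

Running it on the samples keeps two of the four messages: the 2020 "Project Falcon" message (with its attachment written as 001/attachments/falcon.csv, the "../" having been stripped) and the undated "Urgent" message, which is flagged in the index as having no Date header so the OIC knows the date filter could not be applied to it; the 2019 wire-transfer message falls outside the window and the "acme" invoice produces no hit. The counts returned in stats are worth recording in the report, since they document how many messages the keyword and date filters removed. Two caveats: only decoded text bodies are searched, so terms inside attachments or in HTML-only parts are not found, and the per-message SHA-256 is of the .eml copy written here, which should be reconciled with the hash of the item in the original evidence container.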