Hi all,
Do you know what tool can be used in digital forensics to correlate communication between certain email addresses when analyzing a few .pst archives? I know that E-Discovery tools do the job; however, I am looking for something "smaller".
Looking forward to your answers.
Thanks!
Karol
ProofFinder by Nuix (http//
From my experience, working with PST files directly is bad practice in most of the cases, because you have too much irrelevant data to handle and interact with.
Export all emails to standalone .eml files, do your analysis like that and always turn in only the relevant data. They will love you for this )
Intella does a good job.
"irrelevant data" is in the eyes of the beholder. However, I can tell you that my clients would rather have all the data and tell me to cull it down later, as opposed to giving them "relevant data" which carries different meaning to every person on the planet.
What do you mean by "correlate"? If a time based "quick look correlation" is enough, Gephi with its networks-over-time feature will do the job. If it's something more complex, e.g. to identify out-of-band communication, avoid the push-button solutions. Extraction and correlation are easily developed in any programming language. Instead, the serious problem that should be carefully thought about and which is different from case to case is how to quantify what.
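To make the "extraction and correlation are easily developed in any programming language" point concrete, here is an added example (my own code, not from anyone in this thread) that follows the earlier advice of working from standalone .eml files rather than the PST itself. It uses only the Python standard library; the four messages embedded in it are constructed samples, and `load_eml_dir` is the hypothetical entry point you would use on a real export directory. It builds directed sender-to-recipient edges with counts and first/last-seen dates, summarises traffic between any two addresses in both directions, and lists pairs where mail flows only one way, which is a cheap first filter when you suspect a conversation continued out of band. It does not decide "what to quantify" for you; that part is still case-specific.

```python
"""Correlate sender/recipient pairs across exported .eml messages.

Added example for this thread, standard library only. SAMPLE_EMLS are
constructed messages standing in for .eml files exported from PST archives.
"""
import email
from collections import defaultdict
from email import policy
from email.utils import getaddresses, parsedate_to_datetime
from pathlib import Path

# Constructed sample messages (not real correspondence).
SAMPLE_EMLS = [
    (b"From: Alice <alice@example.com>\r\nTo: bob@example.com\r\n"
     b"Cc: carol@example.com\r\nDate: Mon, 01 Apr 2019 09:00:00 +0000\r\n"
     b"Message-ID: <m1@example.com>\r\nSubject: kickoff\r\n\r\nSee attached.\r\n"),
    (b"From: Bob <bob@example.com>\r\nTo: alice@example.com\r\n"
     b"Date: Mon, 01 Apr 2019 10:30:00 +0000\r\n"
     b"Message-ID: <m2@example.com>\r\nSubject: Re: kickoff\r\n\r\nGot it.\r\n"),
    (b"From: carol@example.com\r\nTo: alice@example.com, bob@example.com\r\n"
     b"Date: Tue, 02 Apr 2019 12:00:00 +0000\r\n"
     b"Message-ID: <m3@example.com>\r\nSubject: notes\r\n\r\nMinutes attached.\r\n"),
    (b"From: Alice <alice@example.com>\r\nTo: bob@example.com\r\n"
     b"Date: Wed, 03 Apr 2019 08:00:00 +0000\r\n"
     b"Message-ID: <m4@example.com>\r\nSubject: follow-up\r\n\r\nPing.\r\n"),
]


def parse_message(raw):
    """Return (sender, recipients, date, message_id) for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_hdr = msg.get("From")
    senders = getaddresses([str(from_hdr)]) if from_hdr else []
    sender = next((addr.lower() for _, addr in senders if addr), None)
    rcpt_headers = [str(h) for name in ("To", "Cc", "Bcc") for h in msg.get_all(name, [])]
    # De-duplicate so an address listed in both To and Cc counts once per message.
    recipients = sorted({addr.lower() for _, addr in getaddresses(rcpt_headers) if addr})
    date_hdr = msg.get("Date")
    date = parsedate_to_datetime(str(date_hdr)) if date_hdr else None
    return sender, recipients, date, str(msg.get("Message-ID", "")).strip()


def build_edges(raw_messages):
    """Aggregate directed sender->recipient edges: count, first/last seen, message ids."""
    edges = defaultdict(lambda: {"count": 0, "first": None, "last": None, "message_ids": []})
    for raw in raw_messages:
        sender, recipients, date, mid = parse_message(raw)
        if not sender:
            continue  # skip malformed messages instead of aborting the whole run
        for rcpt in recipients:
            e = edges[(sender, rcpt)]
            e["count"] += 1
            e["message_ids"].append(mid)
            if date is not None:
                e["first"] = date if e["first"] is None else min(e["first"], date)
                e["last"] = date if e["last"] is None else max(e["last"], date)
    return dict(edges)


def correlate(edges, addr_a, addr_b):
    """Summarise traffic between two addresses in both directions."""
    a, b = addr_a.lower(), addr_b.lower()
    ab, ba = edges.get((a, b)), edges.get((b, a))
    a_to_b = ab["count"] if ab else 0
    b_to_a = ba["count"] if ba else 0
    ids = (ab["message_ids"] if ab else []) + (ba["message_ids"] if ba else [])
    return {"a_to_b": a_to_b, "b_to_a": b_to_a, "total": a_to_b + b_to_a, "message_ids": ids}


def one_way_pairs(edges):
    """Pairs with mail in only one direction: a starting point, not a conclusion."""
    return sorted((s, r) for (s, r) in edges if (r, s) not in edges)


def load_eml_dir(directory):
    """Read every *.eml under a directory (hypothetical real input path)."""
    return [p.read_bytes() for p in sorted(Path(directory).rglob("*.eml"))]


if __name__ == "__main__":
    edges = build_edges(SAMPLE_EMLS)
    for (s, r), e in sorted(edges.items()):
        print(f"{s} -> {r}: {e['count']} msg(s), {e['first']:%Y-%m-%d} .. {e['last']:%Y-%m-%d}")
    print(correlate(edges, "alice@example.com", "bob@example.com"))
    print("one-way pairs:", one_way_pairs(edges))
```

Swap `SAMPLE_EMLS` for `load_eml_dir("/path/to/export")` to run it over a real export; the edge dictionary is also a direct input for a graph tool such as Gephi if you want the time-based view mentioned above.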
I SO agree with the above statement. It's about the data, not the application. If you're using product X and everything looks like crap, there is a reason for that. Learn to code or hire someone who does.
However, getting Gephi to run as of v0.8.2 is not so simple. I tried several versions of Java and different OSes (and even different boxes); no combo worked, so I abandoned it. The Gephi community is far from the best, and updates are released as frequently as Peter Jackson makes Tolkien movies.
There are other solutions out there like setting up a local installation of Maltego (also free).