
.PST parsing

9 Posts
5 Users
4 Reactions
3,694 Views
scoggnito
(@scoggnito)
Active Member
Joined: 8 years ago
Posts: 6
Topic starter

So, I was given a 64GB flash drive containing a .pst. Rather than imaging the drive the traditional way, I decided to do it using Cellebrite Touch2 because it has a mass storage extraction function that I haven't used in the past. Apparently, Cellebrite can't parse this data (yet, or so I was told by their rep). 

I then tried to import just the .pst into Autopsy, but the email module didn't execute properly. Finally, I zipped the entire folder that Cellebrite extracted and ran it through Autopsy again. It looks like I'm getting some results, but the .pst is ~48GB 😳 . 

Is there a more efficient way of parsing this information? I've read about some other solutions, and other folks have even just imported it into Outlook for viewing. Problem is, I need to export into a report and to my knowledge I can't do this in Outlook. 

Does anyone have any tools or methods they'd like to share? Maybe I'm even doing this all wrong? Thanks for any feedback!

(@rich2005)
Honorable Member
Joined: 18 years ago
Posts: 541

Without knowing what you're doing this for (is it evidence of some form?) it's hard to advise.

However, bearing in mind the PST is the majority of the size of the drive anyway - I'd just have imaged it to an E01 (or similar) and gone from there.

At least that way you've got it in an unmodifiable container, with hashes for later verification, and can process it in your tool of choice. Potentially then export a copy of the PST back out of the E01 for processing with something (getting rid of that layer of nesting might possibly make processing faster), safe in the knowledge you have the original preserved.

I'd use NUIX for processing/exporting from a PST, but it is expensive (I suspect you don't have that, or you'd probably have mentioned it). Others can probably suggest the best cheaper option if you need one (a few recommendations on here - https://www.forensicfocus.com/forums/forensic-software/pst-search-tools/ ). You'll find loads of other possibilities via Google too. I've not used this one personally, for example, but it looks like it might be quite nice: https://www.aid4mail.com/buy-now/email-forensics-ediscovery

scoggnito reacted
scoggnito
(@scoggnito)
Active Member
Joined: 8 years ago
Posts: 6
Topic starter

@rich2005 I really appreciate the response! Yes, it is for evidence. I decided to attempt an extraction with Cellebrite mainly because I don't have a USB port or adapter for the Ultradock blocker I'm using. CRU does have a stand-alone USB write blocker, but I won't purchase it unless it's necessary. I have made registry shortcuts on my desktop to toggle between on/off writing to USB, but I'm concerned whether or not this is a forensically sound method.

Anyway, I agree that maybe I should just image it to E01, especially given the size. I haven't worked with PSTs in the past, so 48GB caught me off guard lol. As far as exporting, I downloaded this free program from Sysinfotools. It allows exporting to HTML, but again, I'm sorta concerned with the admissibility into court since it's a random third-party application. I'm definitely gonna take a look at the 2 you mentioned.

(@zemaria523)
Active Member
Joined: 4 years ago
Posts: 14

Try IPED.

https://github.com/lfcnassif/IPED

scoggnito reacted
Passmark
(@passmark)
Reputable Member
Joined: 13 years ago
Posts: 376
Posted by: @scoggnito

Is there a more efficient way of parsing this information?

Zipping a file before processing it certainly isn't efficient, as any possible processing will require the file to be unzipped first.

USB drives also aren't typically very fast. Converting to an E01 also doesn't help (from a speed point of view).

Write block the USB drive and copy the PST file to the fastest SSD you've got (preferably an M.2 NVMe drive).

The best processing method depends on what you need to do. Are you looking for just a small number of Emails / attachments (a needle in a haystack) or is the goal to convert the entire PST file to some other format. Pretty much any other format will be less efficient for viewing and searching however. Conversion also risks data loss of stuff like calendar entries and To Do lists. Which begs the question, what's wrong with the initial PST format?

scoggnito reacted
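The two pieces of advice above (rich2005: keep the original in a hashed container so it can be verified later; Passmark: write-block the USB drive and work from a copy on a fast SSD) can be combined into a small script. The following is an added example written for this thread, not code from any of the posters or from the tools they mention: it stages a working copy of the PST with a streamed SHA-256 check before and after the copy, then walks every folder in the PST (the Deleted Items tree included) and writes a CSV with the kind of per-message fields a requester typically asks for. The PST walk assumes libpff's Python binding `pypff` is installed and uses its `file`, root-folder, `sub_folders`, `sub_messages`, `subject`, `sender_name`, `delivery_time` and `transport_headers` members; the hashing and copy part is standard library only, and `demo_copy_verify` uses a constructed 3-byte stand-in file so the check can run offline.

```python
"""Stage a large PST on a working drive with hash verification, then export
selected message fields from every folder to CSV.  Added example; the pypff
attribute names are an assumption based on libpff's Python binding."""
import csv
import hashlib
import os
import shutil
import tempfile
from email.parser import HeaderParser

CHUNK = 8 * 1024 * 1024  # stream 8 MiB at a time so a 48 GB file never sits in RAM

FIELDS = ["folder", "subject", "sender", "delivered", "message_id"]


def sha256_file(path):
    """Hex SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def copy_and_verify(src, dst):
    """Copy src (on the write-blocked drive) to dst (fast SSD) and prove the
    copy matches.  Returns (match, sha256_of_source) so the source hash can go
    straight into the notes for later verification."""
    before = sha256_file(src)
    shutil.copyfile(src, dst)
    after = sha256_file(dst)
    return before == after, before


def message_id_from_headers(transport_headers):
    """Pull Message-ID out of the raw RFC 5322 header block a PST keeps."""
    hdr = HeaderParser().parsestr(transport_headers or "")
    mid = hdr.get("Message-ID")
    return mid.strip() if mid else ""


def walk_folder(folder, path, rows):
    """Recursively collect one row per message; path records the folder tree,
    so messages under Deleted Items are exported like any others."""
    here = path + "/" + (folder.name or "")
    for msg in folder.sub_messages:
        rows.append({
            "folder": here,
            "subject": msg.subject or "",
            "sender": msg.sender_name or "",
            "delivered": msg.delivery_time.isoformat() if msg.delivery_time else "",
            "message_id": message_id_from_headers(msg.transport_headers),
        })
    for sub in folder.sub_folders:
        walk_folder(sub, here, rows)
    return rows


def export_pst_to_csv(pst_path, csv_path):
    """Write the requested fields for every message in the PST to csv_path.
    Returns the number of messages exported."""
    import pypff  # assumption: libpff Python binding is installed
    pst = pypff.file()
    pst.open(pst_path)
    try:
        rows = walk_folder(pst.get_root_folder(), "", [])
    finally:
        pst.close()
    with open(csv_path, "w", newline="", encoding="utf-8") as f:
        w = csv.DictWriter(f, fieldnames=FIELDS)
        w.writeheader()
        w.writerows(rows)
    return len(rows)


def demo_copy_verify():
    """Offline self-check: a constructed 3-byte file stands in for the PST."""
    d = tempfile.mkdtemp()
    src, dst = os.path.join(d, "orig.pst"), os.path.join(d, "working.pst")
    with open(src, "wb") as f:
        f.write(b"abc")  # constructed content, not a real PST
    try:
        return copy_and_verify(src, dst)
    finally:
        shutil.rmtree(d)


if __name__ == "__main__":
    print(demo_copy_verify())
```

Record the source hash returned by `copy_and_verify` alongside the E01 hashes; re-running `sha256_file` on the working copy after processing shows whether any tool touched it. Run `export_pst_to_csv("/path/to/working.pst", "messages.csv")` on the SSD copy, never on the write-blocked original.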
scoggnito
(@scoggnito)
Active Member
Joined: 8 years ago
Posts: 6
Topic starter

@passmark Thanks for the reply. I'm not attempting to convert the .pst at all, I'm just trying to dump it into a program that can parse and report the info. I basically imaged the original USB with the .pst to a working drive, both are rated 3.0, and then I used Autopsy to parse the .pst. It returned thousands of emails, but Autopsy's reporting doesn't allow me to add certain data set fields that the law firm has requested.

To be honest, I'm not very impressed with Autopsy's reporting at all, so I'm working on obtaining a demo license from FTK.

Passmark
(@passmark)
Reputable Member
Joined: 13 years ago
Posts: 376
Posted by: @scoggnito

but Autopsy's reporting doesn't allow me to add certain data set fields that the law firm has requested.

What was the requirement for additional data fields?

Just curious if our own solution would have worked.

scoggnito
(@scoggnito)
Active Member
Joined: 8 years ago
Posts: 6
Topic starter
Posted by: @passmark

What was the requirement for additional data fields?

Just curious if our own solution would have worked.

Sorry for the slow responses, I'll get better at it lol.

There were several additional fields that they requested, but I'm not aware of any program that could parse out all of this extra info. What solution do you have?

I have since opened the PST with Stellar PST Viewer and it has returned over 200,000 messages. I'm hoping I can save this out into a report of some kind since it also lists the entire directory tree.

Autopsy only dumped the contents of the Deleted folder, so I'm trying to research the cause of that. Seems strange that it would only return deleted results. Anyway, thanks again for your remarks. They've been very helpful!

(@paulo993)
New Member
Joined: 6 years ago
Posts: 1

Take a look at Vound Intella. It can index the PST and has a number of options regarding exporting a report, PDF, PST, or CSV file.

scoggnito reacted