We're trying to process a PST file larger then 2.0 GB using FTK 3.0.4, and we're unable to expand the archive. FTK sees the PST as a single file in the Overview Tab, and it won't expand the file. We have tried using the pre or additional processing option to expand files with no luck. We're wondering if the PST is corrupt, but other tools can see mails and folders within the PST.
Are we doing something wrong?
Anyone else ever have a problem processing a large PST?
FYI We're NEW…very new to FTK. Fresh out of training, so we welcome any additional recommendations or suggestions for good websites to use for FTK related tips and forums.
I don't use FTK. But as a shortcut if you can see all the emails using other tools, can't you make a copy of the PST and split it into a number of smaller PST files? Or try scanpst? You'd still have the original safe and sound.
Just a thought
Second the recommendation to run SCANPST first. I have had a few instances where the PST files have been corrupt on the image, but once restored and repaired using SCANPST, FTK has no problem.
I'm not sure that size is the issue as I have handled 15 Gbyte PST files with no problems (once SCANPST has been run).
We're trying to process a PST file larger then 2.0 GB using FTK 3.0.4, and we're unable to expand the archive. FTK sees the PST as a single file in the Overview Tab, and it won't expand the file. We have tried using the pre or additional processing option to expand files with no luck. We're wondering if the PST is corrupt, but other tools can see mails and folders within the PST.
Are we doing something wrong?
Anyone else ever have a problem processing a large PST?FYI We're NEW…very new to FTK. Fresh out of training, so we welcome any additional recommendations or suggestions for good websites to use for FTK related tips and forums.
We observed the same problem with earlier versions of FTK and large dbx files. Encase was able to expand them but had a number of code page errors.
Ok. Step 1 - try the SCANPST tool first. If that doesn't work - I've had this problem before in my last life as the Exchange Admin, and we used this tool to resolve the issue.
2 GB Truncation Utility
http//
I guess I should have asked if the file was created with Outlook 2002 or earlier?
We're not sure, but we suspect the PST was originally created in Outlook 2000 and the user continued to use it after upgrading to Outlook 2003.
We're not sure, but we suspect the PST was originally created in Outlook 2000 and the user continued to use it after upgrading to Outlook 2003.
Too bad. Outlook PSTs created under the old system can grow above 2 Gbytes but become unusable and can't be upgraded. Guess you're going to have to try splitting it using the Microsoft tool (hack).
Make sure you document what you do since I would guess you might be challenged on this.
Exactly, and this is why we advocated to management that PST usage be banned, but trying to convince the non-technical folks is like talking to crazy people at times.
Are there any other forensic tools we might consider for PST examinations?
Paraben Email Examiner.
Specifically made to forensically review email in a PST file, Paraben Network Email Examiner for reviewing EDB and Lotus Notes server email files.