Trouble processing large PST files in FTK 3.0

(@douglasbrush)

Paraben Email Examiner.

Specifically made to forensically review email in a PST file, Paraben Network Email Examiner for reviewing EDB and Lotus Notes server email files.

I use both of the Paraben programs in parallel with EnCase. I generally take an image and export the PSTs and/or EDBs via FTK Imager and run them in one or both of the programs while processing the image in EnCase as well. Kind of gives "more eyes" to the files and I can get a better feel for what and where to search between the two platforms.


   
ReplyQuote
Beetle
(@beetle)

Exactly, and this is why we advocated to management that PST usage be banned, but trying to convince the non-technical folks is like talking to crazy people at times.

Are there any other forensic tools we might consider for PST examinations?

Encase does a pretty good job on pst files but requires an extra step that is 'automated' in FTK.

There are a number of open source tools to read pst files as well, if you want to go that route.


   
ReplyQuote
(@kovar)

Greetings,

I've found EnCase's support for PSTs to be seriously lacking. Not only is there the extra step required, it doesn't do well determining relationships between attachments and messages, handling threads, and some other basic analysis. I almost always export PSTs out of EnCase and use something else.

-David


   
ReplyQuote
(@seanmcl)

Exactly, and this is why we advocated to management that PST usage be banned, but trying to convince the non-technical folks is like talking to crazy people at times.

Are there any other forensic tools we might consider for PST examinations?

I've also used MessageViewerPro, Nuix and Ontrack PowerControls. But none of these can (forensically) repair an Outlook PST which has the 2 GByte limit. The problem lies in the fact that the data written past the 2 Gbyte limit can be corrupted the minute the user tries to manipulate the file.

There are tools such as OutlookFix and RepairPST which claim to be able to recover data past the 2Gbyte mark but I don't know how these claims could be verified, in a forensic sense. There is a difference between being able to recover some data and all data.

You figure that if it was actually possible to take a PST file with the 2 Gbyte limitations and convert it to a format which does not have this limitation, Microsoft would have supported this, themselves, in the upgrade to Outlook. The only thing that you can reliably (forensically) do is migrate an earlier PST file to the newer format BEFORE it exceeds 2 Gbytes.


   
ReplyQuote
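A triage check for the 2 GByte problem described in the post above, as an added example that is not from the thread or from any of the tools it names: it reads only the PST header and the file size, classifies the file as the older ANSI format (the one with the 2 GB ceiling) or the newer Unicode format, and flags ANSI files that have already grown past the limit, so an examiner can decide before opening the file in a suite whether it needs the "migrate before it exceeds 2 GB" handling. It assumes the MS-PST header layout (magic "!BDN" at offset 0, little-endian wVer at offset 10 with 14/15 = ANSI and 23 = Unicode); the sample headers are constructed.

```python
import os
import struct

# Header constants assumed from the public MS-PST file format, not from the
# thread: magic "!BDN" at offset 0, format version wVer (uint16 LE) at offset 10.
PST_MAGIC = b"!BDN"
WVER_ANSI = (14, 15)      # Outlook 97-2002 "ANSI" format, 2 GiB ceiling
WVER_UNICODE = 23         # Outlook 2003+ "Unicode" format
ANSI_LIMIT = 2 * 1024 ** 3


def classify_pst_header(header: bytes, file_size: int) -> dict:
    """Classify a PST from its first bytes and report 2 GiB exposure."""
    if len(header) < 12 or header[:4] != PST_MAGIC:
        return {"valid": False, "format": None, "over_limit": False, "headroom": None}
    (wver,) = struct.unpack_from("<H", header, 10)
    if wver in WVER_ANSI:
        fmt = "ansi"
    elif wver == WVER_UNICODE:
        fmt = "unicode"
    else:
        fmt = "unknown(%d)" % wver
    # Only the ANSI format has the 2 GiB ceiling; headroom tells how close it is.
    headroom = ANSI_LIMIT - file_size if fmt == "ansi" else None
    return {
        "valid": True,
        "format": fmt,
        "over_limit": fmt == "ansi" and file_size > ANSI_LIMIT,
        "headroom": headroom,
    }


def classify_pst_file(path: str) -> dict:
    """Read only the first 16 bytes; the evidence file is never written to."""
    with open(path, "rb") as fh:
        header = fh.read(16)
    return classify_pst_header(header, os.path.getsize(path))


def constructed_header(wver: int) -> bytes:
    """Constructed sample header: magic, 4-byte CRC placeholder, 'SM', wVer."""
    return PST_MAGIC + b"\x00" * 4 + b"SM" + struct.pack("<H", wver)


if __name__ == "__main__":
    # Constructed cases: an ANSI file already past 2 GiB, and a Unicode file.
    for wver, size in ((14, 3 * 1024 ** 3), (23, 3 * 1024 ** 3)):
        print(classify_pst_header(constructed_header(wver), size))
```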
Beetle
(@beetle)

Greetings,

I've found EnCase's support for PSTs to be seriously lacking. Not only is there the extra step required, it doesn't do well determining relationships between attachments and messages, handling threads, and some other basic analysis. I almost always export PSTs out of EnCase and use something else.

-David

I haven't noticed this as I usually only triage compound files in Encase and pull them apart with other task specific tools later, as you seem to do. What were the types of situations you noticed Encase choking on pst's? I know I see code page errors on large pst and dbx files and sometimes it will really grind on those to the point that it looks like Encase has locked up. I am curious about your observations as I am arguing with 'the powers that be' that our new people should not rely on one tool because of the type of problem you noted.


   
ReplyQuote
BionicSecurityEngineer
(@bionicsecurityengineer)
Topic starter  

Thanks Everyone!!


   
ReplyQuote
(@kovar)

Greetings,

My issues with EnCase and PSTs were

1) Poor GUI so presentation of information was sub optimal.
2) Ditto for reporting.
3) Having to specifically open PSTs (and registry hives, and and and …) with the accompanying concerns about EnCase locking up, remembering to do this before running searches, etc.

Basically, I don't have faith that it is doing the right thing due to errors and information presentation and it locks up on large PSTs. Other tools will get the job done more reliably so I don't even bother with EnCase for email these days. And am using it less and less for other things.

-David


   
ReplyQuote
Page 2 / 2
Share: