Forensics: How do you view a PST in EnCase?

PST files, are one of the most important file types in corporate investigations, with the vast majority of  email data, and therefore the majority of communications, being held in PST files (assuming the company is running Exchange servers).

However, despite the importance of PST files, Encase, the most popular forensics tool on the market, has not traditionally handled PST files very well.

If a standard keyword search is conducted against a hard drive by a EnCase  and the relevant documents containing the keywords are an email, or an email attachment, EnCase will not find them.

E.g if the keyword was “bomb” and an email, within a PST file, contained the phrase “I have the bomb“,  a standard  keyword search for “bomb” was conducted across a hard drive with Encase, the word bomb would not be found, and the email would not be located.

This is because a PST file is a compound file, and the data needs to be expanded before it can searched properly. Within EnCase, there are several different ways of doing this.

1) Mount the file. The PST can be found and the contents of the file viewed. This is done by right clicking the PST file and selecting View File Strucutre. This then expands out the data.  Once this has been done the hard drive can be searched as normal

2) All compound files can be expanded automatically using the file mounter EnScript. This is a good tool for small data sets, however if there is a large amount of data, e.g 20 PST files, this will cause problems as so much data will be loaded into RAM. Once this has been done the hard drive can be searched as normal

3) Index the data. EnCase now has an index function that will mount all of the compound files, and search within them, allowing rapid searching of all data. Anybody using the indexing function in Encase 6.x is aneternal optomist. Wait until EnCase 7.x. If indexing is required, there are many other tools that index quickly. DTSearch is phenomenally cheap, very poweful and very quick.

4) Email Searching. EnCase 6 has the ability to open PST files and load them as records. This is an excellent function for handling PST files, though caution should be used with large data sets.

Note:EnCase is an excellent tool, though it is not brilliant at handling PST files.

Many other tools specialise in handling emails, with advanced search functionality, de-duplicaiton, and superior export functionality.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: