Wednesday, July 18, 2007

Outlook Email Forensics

I have done this previously and can't recall everything, however I would like to share here what I have done before I'm out of memory. I myself don't use the Outlook mail client, therefore I need to convert it to the Unix mbox mail format so that I can examine them. I found libpst, which can do the job for me, and installed it via the FreeBSD port -

shell>pkg_add -vr libpst

To extract all the emails from the Outlook pst file, run -

shell>readpst Monitoring.pst -o Email-Forensic

shell>ls -la Email-Forensic
-rw-r--r-- 1 geek00l geek00l 5104848 Mar 21 17:52 Backup and remove
-rw-r--r-- 1 geek00l geek00l 5693288 Mar 21 17:52 Deleted Items
-rw-r--r-- 1 geek00l geek00l 691007 Mar 21 17:52 Noc
-rw-r--r-- 1 geek00l geek00l 201746 Mar 21 17:52 Root
-rw-r--r-- 1 geek00l geek00l 441450 Mar 21 17:52 Junk
-rw-r--r-- 1 geek00l geek00l 10521973 Mar 21 17:52 Alert

shell>file *
Backup and remove: ASCII mail text
Deleted Items: ASCII mail text, with very long lines
Noc: ASCII mail text
Root: ASCII mail text
Junk: ASCII mail text
Alert: ASCII mail text
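Once readpst has written one mbox file per folder, the next step is usually an inventory of what is in them. The script below is an added example (not from the original post, not part of libpst): it indexes a readpst folder file into per-message records (sender, recipients, date, attachment count, SHA-256 of the raw message bytes) and merges several folders into one chronological timeline. The mbox content is constructed sample mail, and the folder name 'Deleted Items' is only a label.

```python
import hashlib
import mailbox
import tempfile
from email.utils import getaddresses, parsedate_to_datetime

# Constructed sample of one readpst folder file (fake mail): the reply with an attachment is stored first.
SAMPLE_MBOX = b"""From - Wed Jul 18 11:00:00 2007
From: bob@example.invalid
To: noc@example.invalid, alice@example.invalid
Date: Wed, 18 Jul 2007 11:00:00 +0800
Subject: Re: disk alert
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Disposition: attachment; filename="df.txt"

/var 95%
--b1--

From - Wed Jul 18 10:00:00 2007
From: alice@example.invalid
To: noc@example.invalid
Date: Wed, 18 Jul 2007 10:00:00 +0800
Subject: disk alert

Disk /var is 95% full.
"""

def index_folder(folder, path):
    """Per message: pivot headers, attachment count, SHA-256 of the raw bytes."""
    box = mailbox.mbox(path, create=False)
    for key in box.iterkeys():
        msg = box.get_message(key)
        yield {"folder": folder, "from": msg.get("From", ""),
               "subject": msg.get("Subject", ""),
               "to": [a for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))],
               "date": parsedate_to_datetime(msg["Date"]) if msg["Date"] else None,
               "attachments": sum(p.get_content_disposition() == "attachment" for p in msg.walk()),
               "sha256": hashlib.sha256(box.get_bytes(key)).hexdigest()}  # lets the inventory be re-verified
    box.close()

def build_timeline(folders):
    """Merge folder files (e.g. Alert, Deleted Items) into one chronological list."""
    recs = [r for name, path in folders.items() for r in index_folder(name, path)]
    return sorted(recs, key=lambda r: (r["date"] is not None, r["date"] or 0))  # undated first

def run_demo():  # index the constructed sample as a 'Deleted Items' folder file
    with tempfile.NamedTemporaryFile("wb", delete=False) as fh:
        fh.write(SAMPLE_MBOX)
    return build_timeline({"Deleted Items": fh.name})
```

On a real extraction, pass every file readpst produced (e.g. {"Alert": "Email-Forensic/Alert", "Deleted Items": "Email-Forensic/Deleted Items"}) to build_timeline so a message in Deleted Items lines up with the conversation it was removed from.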

It is also possible to retrieve Outlook 2003 email, but it requires more work: the pst file must be smaller than 2G, or you will have to split it before converting it back to the older pst format so that readpst can parse it.

I should have read Real Digital Forensics so that I wouldn't need to google around, because it is introduced in the Real Digital Forensics book as well; anyway, have fun.

Cheers ;]
