Email Forensics Toolkit: PST, OST, MSG and EML Examination

Corporate email forensics rarely involves a single file format. A typical engagement surfaces PST archives, OST orphan caches, MSG exhibits and EML productions. This guide covers the integrated workflow for examining all four Microsoft email artifact formats with the same forensic discipline: SHA-256 hashing at intake, read-only examination, chain of custody documentation and court-ready PDF reports. Sherlock Forensics PST Viewer Forensic Edition handles PST/OST/MSG/EML and MSG Viewer Forensic Edition optimizes the high-volume single-message workflow.

Corporate email investigations rarely involve a single file format. A typical engagement surfaces a custodian's mailbox archive as a .pst, supplemental orphan caches as .ost from decommissioned workstations, individual exhibits as .msg files dragged out of Outlook and review-platform productions as .eml directories. The competent examiner needs tooling for all four.

This guide covers the integrated workflow for examining Microsoft email artifacts across the four common formats. It applies whether the matter is a litigation production, an internal investigation, an HR matter, an M&A diligence pass or a regulatory inquiry.

The Four Formats and When Each Shows Up

PST (Personal Storage Table), the most common email artifact in corporate cases. A complete Outlook mailbox in a single file. Shows up as: custodian's exported mailbox, archive of an old mailbox kept after migration, backup of a personal Outlook installation, produced artifact in litigation.

OST (Offline Storage Table), Outlook's cached copy of an Exchange or Microsoft 365 mailbox. Shows up as: terminated employee's workstation acquisition, decommissioned server's orphan caches, forensic acquisition of a workstation. Often the only surviving copy when the server side is gone.

MSG (Outlook Message), a single Outlook item saved as an individual file. Shows up as: emails forwarded as attachments preserving original headers, Bates-stamped exhibits in productions, individual messages saved out of a mailbox.

EML (RFC 5322 internet mail), the e-discovery review platform standard. Shows up as: productions from opposing counsel, exports from non-Microsoft mail clients (Thunderbird, Apple Mail), output from Microsoft email tools when configured for portable format.

A single matter may involve all four. A litigation production for a former employee might include: their .pst archive (mailbox at termination), their .ost orphan (workstation cache after their M365 account was deleted), several .msg exhibits from specific high-relevance messages and an .eml production of the privilege-reviewed subset delivered to opposing counsel.

The Forensic Requirements Common Across Formats

Every email-artifact examination in an evidentiary context shares the same requirements:

  1. Source artifact hash at intake. SHA-256 of the file as received. Timestamp, examiner identity, source path.
  2. Read-only examination. The source file must not be modified during examination. The hash before and after the examination must match.
  3. Per-artifact extraction hash. Each message, attachment, contact and calendar item hashed independently at extraction.
  4. Chain of custody documentation. Operations performed, by whom, when, with what tool. Output destinations.
  5. Defensible export format. EML with preserved folder hierarchy is the e-discovery review-platform standard.
  6. Court-ready forensic report. Branded PDF with cover page, source metadata, hash verification table, examiner attestation, chain-of-custody footer.

These requirements do not change based on which format the source artifact uses. The tooling has to support each format with the same forensic discipline.

The Sherlock Forensics Email Toolkit

Sherlock Forensics handles all four formats across two products at the $67-each tier:

Sherlock Forensics PST Viewer Forensic Edition ($67 lifetime) reads PST (ANSI and Unicode), OST (orphan and active), MSG and EML files. Custom Rust parser, no Outlook installation required. Forensic-grade output with SHA-256, chain of custody, court-ready PDF reports, SMTP transport chain visualization, SPF/DKIM/DMARC authentication results.

Sherlock Forensics MSG Viewer Forensic Edition ($67 lifetime) is built specifically for high-volume single-message MSG examination. Same forensic discipline as the PST Viewer, optimized workflow for the MSG-specific use case (Bates-stamped exhibit review, batch-MSG production analysis, single-message investigations).

For most corporate-forensic practices, the PST Viewer alone covers all four formats. The MSG Viewer adds value when the matter is MSG-heavy: an HR investigation where evidence arrives as a folder of .msg files saved by the reporting party, an e-discovery production where the opposing counsel exported messages individually rather than as a full mailbox or a fraud investigation where specific messages were preserved out-of-band by the custodian.

For practices handling multiple matters per year with MSG-heavy patterns, both products at $134 total cover every Microsoft email format with no functional gap.

Cross-Format Workflow

The integrated workflow that operates across all four formats:

  1. Intake every artifact with SHA-256. Hash everything received. Document source, custodian, date, examiner.
  2. Examine each artifact in the matching Sherlock tool. PST/OST/EML in the PST Viewer Forensic Edition. MSG files in either tool depending on volume and use case.
  3. Filter to case scope. Date ranges, custodians, keywords, sender/recipient as authorized by the examination protocol.
  4. Extract to EML with preserved folder hierarchy. This is the universal output format for downstream review-platform ingestion. Both Sherlock products produce this format.
  5. Generate the forensic PDF report. One per source artifact. Court-ready, branded, includes the chain of custody footer.
  6. Bundle the production set. EML directory tree + signed JSON chain-of-custody sidecar + forensic PDF reports per source artifact + administrative documents (cover letter, load file, privilege log placeholder).
  7. Deliver via approved channel. SFTP, encrypted USB in person, secure managed file transfer. Email of PHI or PII as attachments is not an approved channel without specific encryption.
  8. Retain source artifacts indefinitely in cold storage with documented chain. The source artifacts may be requested back years later for unforeseen reasons.

The workflow is the same regardless of how many of the four formats the matter involves. The Sherlock products produce compatible output across formats, so an examination that combines PST, EML and MSG artifacts generates one unified production set rather than three incompatible deliverables.
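The intake-hash, read-only verification and signed chain-of-custody steps (requirements 1, 2 and 4 of the previous section; steps 1, 2 and 6 of this workflow) in Python, as an added example that is not Sherlock code. The examiner name, custodian label, signing key and sample .eml are constructed placeholders, and HMAC-SHA256 over canonical JSON stands in for whatever signature the product applies to its sidecar.

```python
import hashlib, hmac, json, tempfile, time
from pathlib import Path

def sha256_file(path):
    """Stream the file so multi-gigabyte PST/OST archives are hashed without loading them whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def intake(path, examiner, custodian):
    """Intake record: SHA-256 of the artifact as received, source path, custodian, examiner, time."""
    p = Path(path)
    return {"event": "intake", "source_path": str(p.resolve()), "custodian": custodian,
            "examiner": examiner, "size_bytes": p.stat().st_size, "sha256": sha256_file(p),
            "timestamp_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())}

def verify_read_only(path, intake_record):
    """Read-only requirement: the hash after examination must equal the intake hash."""
    return sha256_file(path) == intake_record["sha256"]

def _canonical(entries):
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()

def sign_sidecar(entries, key):
    """Chain-of-custody sidecar: canonical JSON plus an HMAC-SHA256 tag under the examiner's key."""
    return {"entries": entries, "hmac_sha256": hmac.new(key, _canonical(entries), hashlib.sha256).hexdigest()}

def verify_sidecar(sidecar, key):
    """True only if no entry was altered after signing and the key matches."""
    expected = hmac.new(key, _canonical(sidecar["entries"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sidecar["hmac_sha256"])

def demo(key=b"placeholder-examiner-signing-key"):
    """Intake -> examine -> verify -> sign on a constructed .eml; returns each check's outcome."""
    with tempfile.TemporaryDirectory() as d:
        art = Path(d) / "exhibit-001.eml"
        art.write_bytes(b"From: a@example.com\r\nSubject: constructed sample\r\n\r\nbody\r\n")
        rec = intake(art, examiner="J. Doe (placeholder)", custodian="former employee (constructed)")
        before = verify_read_only(art, rec)          # untouched source: True
        art.write_bytes(b"modified")                  # simulate a tool that wrote to the source
        after = verify_read_only(art, rec)            # hash mismatch: False
        side = sign_sidecar([rec], key)
        signed_ok = verify_sidecar(side, key)
        side["entries"][0]["examiner"] = "someone else"   # edit the sidecar after signing
        return {"unchanged_before": before, "unchanged_after": after,
                "sidecar_ok": signed_ok, "sidecar_tampered_ok": verify_sidecar(side, key)}
```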

Format-Specific Considerations

A few format-specific details that affect the workflow:

For PST files: Both ANSI (Outlook 2002 and earlier) and Unicode (Outlook 2003+) variants exist. The Sherlock parser routes by the file header's wVer field. Encrypted PSTs are detected but cannot be examined without the password.

For OST files: The file is tied to a specific Outlook profile. Orphan OST (no live profile, no live Exchange) requires a tool that opens the file independently. Sherlock does this.

For MSG files: A single .msg may contain attachments that are themselves .msg files (forwarded messages preserving the original Outlook item). Recursive extraction may be needed; both Sherlock products handle this.

For EML directories: When the production from opposing counsel arrives as an EML directory tree, the folder structure is part of the evidentiary metadata. Importing the tree into the review platform must preserve the folder hierarchy or the metadata is lost.
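Header-based routing of the four formats, as an added example that is not the Sherlock parser: the `!BDN` magic and the `wMagicClient`/`wVer` offsets come from Microsoft's MS-PST specification, the OLE2 signature identifies .msg containers, and the EML check is a heuristic on RFC 5322 header lines. The byte strings used to exercise it are constructed.

```python
import re
import struct

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # .msg files are OLE2 compound documents
PST_MAGIC = b"!BDN"                               # MS-PST HEADER.dwMagic, shared by PST and OST
HEADER_LINE = re.compile(rb"^[\x21-\x39\x3b-\x7e]+:")  # RFC 5322 field-name followed by ':'

def identify_email_artifact(data: bytes) -> dict:
    """Classify a file from its leading bytes (the first 4 KB is plenty; only the header is read)."""
    if data[:4] == PST_MAGIC and len(data) >= 12:
        # MS-PST HEADER: wMagicClient at offset 8 ("SM" = PST, "SO" = OST), wVer at offset 10
        w_magic_client, w_ver = struct.unpack_from("<HH", data, 8)
        container = {0x4D53: "PST", 0x4F53: "OST"}.get(w_magic_client, "PST-family/unknown client")
        if w_ver in (14, 15):
            variant = "ANSI (Outlook 2002 and earlier)"
        elif w_ver >= 23:
            variant = "Unicode (Outlook 2003+)"
        else:
            variant = "unknown wVer"
        return {"format": container, "variant": variant, "wVer": w_ver}
    if data[:8] == OLE2_MAGIC:
        # OLE2 container; a genuine Outlook item additionally carries __substg1.0_* streams inside
        return {"format": "MSG"}
    first_line = data.split(b"\n", 1)[0]
    # A header line up front plus a core header somewhere near the top; mbox ("From ") is excluded
    if HEADER_LINE.match(first_line) and re.search(
            rb"^(From|To|Received|Message-ID|Date):", data[:4096], re.M | re.I):
        return {"format": "EML"}
    return {"format": "unknown"}

def identify_file(path):
    """Read-only probe of an on-disk artifact: opens for reading and touches only the first 4 KB."""
    with open(path, "rb") as f:
        return identify_email_artifact(f.read(4096))
```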

Beyond Email: The Broader Sherlock Forensics Toolkit

Email forensics is one capability within the broader Sherlock Forensics toolkit. Adjacent forensic tools at similar price tiers:

For practices handling diverse forensic engagements, building the Sherlock toolkit incrementally as cases require is typically more economical than purchasing enterprise tools at the $5,000-$20,000+ tier.

Cost Comparison Across the Toolkit

Capability                            | Sherlock                   | Comparable enterprise tool
--------------------------------------|----------------------------|--------------------------------------------
PST examination with chain of custody | $67 (lifetime)             | $5,000-$20,000/year
MSG examination at scale              | $67 (lifetime)             | Bundled in enterprise email forensic suite
Windows event log incident response   | $97 (lifetime)             | $1,000-$5,000/year for SIEM-adjacent tools
Lotus Notes archive forensics         | $297 (lifetime, launching) | $5,000+ for enterprise NSF tools
Android logical acquisition           | $399 (lifetime)            | $5,000-$20,000+ for Cellebrite UFED, MSAB
Browser forensic extraction           | $29 (lifetime)             | Bundled in enterprise IR suites

For a corporate forensic team running 10-50 cases per year across diverse evidence sources, the full Sherlock toolkit at under $1,000 lifetime delivers the same forensic-grade output as enterprise tools that cost five figures per year.
