Why You Cannot Just Double-Click a PST File
The instinct is to double-click the PST file and open it in Outlook. For IT purposes, that works. For forensic purposes, it destroys your evidence.
Microsoft Outlook modifies PST files when it opens them. It updates internal indices, repairs minor structural inconsistencies, adjusts timestamps and may compact the file to reclaim space. Every one of these operations changes the file's hash value. Once the hash changes, the file's forensic integrity is compromised. Opposing counsel can argue the file was tampered with, and you will have no technical rebuttal.
Forensic PST analysis requires a controlled process that preserves the original file in its exact state from the moment of collection through final reporting. This guide walks through that process step by step.
Step 1: Secure the Source Media
Before touching the PST file, secure the storage device it resides on. If the file is on a hard drive, SSD or USB device, connect the media to a hardware write blocker. Tableau, CRU and Wiebetech manufacture forensic write blockers accepted by courts in Canada and the United States.
If hardware write-blocking is not available, software write-blocking through the Windows registry or a tool like Arsenal Image Mounter provides an alternative. Document which write-blocking method was used and verify it is functioning before proceeding.
If the PST file was provided electronically (via secure file transfer or cloud export), there is no source media to write-block; proceed directly to hashing the received file.
Step 2: Locate the PST File
Microsoft Outlook stores PST files in predictable locations. The default paths vary by Windows version:
| Windows Version | Default PST Location |
|---|---|
| Windows 10/11 | C:\Users\[username]\Documents\Outlook Files\ |
| Windows 10/11 (OST) | C:\Users\[username]\AppData\Local\Microsoft\Outlook\ |
| Windows 7 | C:\Users\[username]\Documents\Outlook Files\ |
| Roaming profiles | \\server\profiles\[username]\Documents\Outlook Files\ |
Users may also store PST files on network shares, external drives or non-default local paths. Check Outlook's account settings (File > Account Settings > Data Files) for the configured path. If working from a forensic image, use the file system browser in your imaging tool to navigate to these locations.
Record the exact file path, file size and file system timestamps (created, modified, accessed) in your examination notes.
Step 3: Hash the Original PST File
Before copying or moving the PST file, compute its SHA256 hash. This hash becomes the baseline against which all subsequent integrity checks are measured.
Use Sherlock Hash or any SHA256 calculator. Record the full hash value, the tool used to compute it and the exact date and time of computation.
SHA256 is the minimum acceptable algorithm for forensic hashing. MD5 and SHA1 have known collision vulnerabilities and are increasingly rejected by courts as sole integrity verification. Compute SHA256 as your primary hash. Add MD5 as a secondary hash if your agency or firm requires it for backward compatibility.
Step 4: Create a Forensic Copy
There are two approaches to obtaining a forensic copy of a PST file: logical acquisition and physical imaging.
Logical Acquisition
Logical acquisition copies the PST file itself from the source media to your forensic workstation. This is appropriate when the investigation is focused specifically on email content and you do not need to examine deleted files, unallocated space or other artifacts on the source drive.
Copy the PST file using a tool that preserves metadata (robocopy /COPY:DAT on Windows or cp -p on Linux). After copying, compute the SHA256 hash of the copy and verify it matches the hash of the original.
Physical Imaging
Physical imaging creates a sector-by-sector copy of the entire storage device. This preserves everything: the PST file, deleted emails that may have been removed from the PST, temporary Outlook files, swap data and file system metadata.
Use FTK Imager, dd or Guymager to create the forensic image. After imaging, mount the image as read-only and extract the PST file. Hash the extracted PST and verify it matches the hash from Step 3.
When to Use Each Method
- Use logical acquisition when:
  - The scope is limited to email content within the PST.
  - The custodian cooperated in providing the file.
  - Court orders specify email-only collection.
  - Proportionality favors targeted collection.
- Use physical imaging when:
  - Deleted emails may be relevant and could exist outside the PST.
  - The custodian's credibility is in question.
  - The investigation may expand beyond email.
  - You need to preserve the complete forensic environment.
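A worked example of Steps 3 and 4 (baseline hash, metadata-preserving copy, copy verification) together with the post-examination re-hash from Step 9, written as an added Python script for this guide; it is not code from Sherlock Hash or Sherlock PST Viewer. The `demo()` function runs the workflow on a constructed stand-in file, not a real PST.

```python
import hashlib
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1024 * 1024  # stream in 1 MiB blocks; PST files are often several GB

def hash_file(path, algorithm="sha256"):
    """Hex digest of a file, streamed so a large PST is never loaded into memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def record_baseline(path):
    """Step 3: the baseline record that goes into the examination notes."""
    p = Path(path)
    return {
        "path": str(p.resolve()),
        "size": p.stat().st_size,
        "sha256": hash_file(p, "sha256"),  # primary hash
        "md5": hash_file(p, "md5"),  # secondary only, never the sole integrity check
        "tool": "hash_file() from this example (hashlib)",
        "computed_at": datetime.now(timezone.utc).isoformat(),
    }

def forensic_copy(src, dst, baseline):
    """Step 4 (logical acquisition): copy with timestamps, then prove the copy matches."""
    shutil.copy2(src, dst)  # preserves mtime, comparable to cp -p or robocopy /COPY:DAT
    copy_hash = hash_file(dst)
    if copy_hash != baseline["sha256"]:
        raise ValueError(f"copy hash {copy_hash} != baseline {baseline['sha256']}")
    return copy_hash

def verify_unchanged(path, baseline):
    """Step 9: re-hash after the examination; True only if the file is byte-identical."""
    return hash_file(path) == baseline["sha256"]

def demo():
    """Run the workflow on a constructed stand-in file (not a real PST) and return the results."""
    work = Path(tempfile.mkdtemp())
    original, copy = work / "custodian.pst", work / "custodian_copy.pst"
    original.write_bytes(b"!BDN" + b"\x00" * 4096)  # constructed placeholder bytes
    baseline = record_baseline(original)
    copy_hash = forensic_copy(original, copy, baseline)
    intact = verify_unchanged(copy, baseline)
    copy.write_bytes(b"!BDN" + b"\x00" * 4095 + b"\x01")  # simulate a tool that wrote to the copy
    return baseline, copy_hash, intact, verify_unchanged(copy, baseline)
```

The returned baseline dictionary holds exactly the fields Step 3 asks you to record (path, size, both hashes, tool, UTC timestamp), and the final value shows how a single changed byte in the working copy is caught by the Step 9 check.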
Step 5: Open in a Forensic PST Viewer
Open the forensic copy (never the original) in Sherlock PST Viewer. The tool opens PST and OST files in strict read-only mode. No Outlook installation is required. No file modification occurs.
Verify the tool reports the file as opened in read-only mode. The status bar should confirm read-only access. If any tool attempts to open the file in read-write mode, stop immediately and use a different tool.
Step 6: Conduct Your Analysis
With the PST open in read-only mode, conduct your analysis using the search and filtering capabilities of the viewer.
Document every action. Record each search term, date range, sender filter and recipient filter you apply. The Pro edition of Sherlock PST Viewer logs these actions automatically in the chain of custody report. If using the Free edition, maintain a manual examination log.
Common forensic search strategies for PST analysis:
- Keyword searches for terms relevant to the investigation (names, account numbers, project codes)
- Date range filtering to isolate messages from the relevant time period
- Sender/recipient filtering to identify communications between specific parties
- Attachment type filtering to locate documents, spreadsheets or images
- Domain filtering to identify external communications
Step 7: Export Results with Hash Verification
Export relevant messages in EML format. The Pro edition ($67) computes a SHA256 hash for each exported message and generates an export manifest listing every message with its metadata and hash value.
This manifest serves as a verifiable inventory of produced evidence. Any recipient can independently hash the exported EML files and compare against the manifest to confirm nothing was altered after export.
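The export manifest described above, as an added Python example that is not Sherlock PST Viewer's own implementation: one manifest entry per exported EML file (name, key headers, SHA256), plus the independent check a recipient would run against the produced files. The two messages in `demo()` are constructed samples standing in for an EML export; the addresses and Message-IDs are placeholders.

```python
import hashlib
import tempfile
from email import message_from_bytes
from email.policy import default
from pathlib import Path

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(export_dir):
    """One entry per exported EML: file name, key headers and SHA256 digest."""
    entries = []
    for eml in sorted(Path(export_dir).glob("*.eml")):
        msg = message_from_bytes(eml.read_bytes(), policy=default)
        entries.append({
            "file": eml.name,
            "message_id": str(msg.get("Message-ID", "")),
            "from": str(msg.get("From", "")),
            "date": str(msg.get("Date", "")),
            "subject": str(msg.get("Subject", "")),
            "sha256": sha256_file(eml),
        })
    return entries

def verify_manifest(export_dir, manifest):
    """The recipient's independent check: names of produced files that are missing or altered."""
    problems = []
    for entry in manifest:
        path = Path(export_dir) / entry["file"]
        if not path.is_file() or sha256_file(path) != entry["sha256"]:
            problems.append(entry["file"])
    return problems

def _eml(sender, mid, subject, body):  # minimal constructed RFC 5322 message for the demo
    return (f"From: {sender}\r\nTo: examiner@example.com\r\nDate: Mon, 04 Mar 2024 09:15:00 +0000\r\n"
            f"Message-ID: {mid}\r\nSubject: {subject}\r\n\r\n{body}\r\n").encode()

def demo():  # export two constructed messages, build the manifest, then detect a post-export change
    work = Path(tempfile.mkdtemp())
    (work / "0001.eml").write_bytes(_eml("alice@example.com", "<m1@example.com>", "Q1 invoices", "See attached."))
    (work / "0002.eml").write_bytes(_eml("bob@example.com", "<m2@example.com>", "Re: Q1 invoices", "Received."))
    manifest = build_manifest(work)
    clean = verify_manifest(work, manifest)
    (work / "0002.eml").write_bytes(b"altered after export")  # simulate tampering of a produced file
    return manifest, clean, verify_manifest(work, manifest)
```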
Step 8: Generate Chain of Custody Report
The chain of custody report documents the complete examination history from file receipt through analysis completion. The Pro edition generates this automatically. The report includes:
- Examiner name and credentials
- Examination start and end times
- Source file path and SHA256 hash
- Working copy SHA256 hash (verified match)
- Every search query executed
- Every filter applied
- Every message exported with individual SHA256 hash
- Post-examination hash verification of working copy
Step 9: Verify Source Integrity
After completing your analysis, re-hash the working copy and compare the result to the verified hash recorded in Step 4. The two must match. If they do not, your analysis tool modified the file and your examination is compromised.
If you used write-blocking on the original media, also re-hash the original file to confirm it remains unchanged. Document the verification in your examination notes.
Common Mistakes That Destroy PST Evidence
| Mistake | Consequence | Prevention |
|---|---|---|
| Opening PST in Outlook | File modified, hash changed | Use read-only forensic viewer |
| No write-blocking | OS may modify source media | Always use hardware or software write blocker |
| No pre-analysis hash | Cannot prove file integrity | Hash before any access |
| Working on original file | Original at risk of modification | Always work on verified copy |
| No examination log | Cannot document methodology | Use tool with automatic logging or maintain manual log |
| MD5-only hashing | Hash collisions possible | Use SHA256 as primary hash |
| Skipping post-analysis hash | Cannot verify file was not modified | Always re-hash after examination |
Legal Requirements: Canada and the United States
Canada
Under the Canada Evidence Act (sections 31.1 to 31.8), electronic documents are admissible if the party seeking to admit them can demonstrate their integrity. Integrity is established by showing the electronic document has not been modified since it was created or collected. SHA256 hash verification before and after analysis provides this demonstration.
The Sedona Canada Principles Addressing Electronic Discovery (Third Edition, 2022) provide guidance on proportional preservation and production of electronically stored information. PST files fall squarely within the scope of these principles. Principle 5 addresses preservation obligations. Principle 8 addresses production format.
Provincial rules of court vary. In British Columbia, the Supreme Court Civil Rules Rule 7-1 governs document disclosure including electronic documents. In Ontario, Rule 29.1 addresses electronic discovery. Consult jurisdiction-specific rules for procedural requirements.
United States
The Federal Rules of Evidence (FRE) Rule 901(b)(9) requires authentication of evidence produced by a process or system. The forensic workflow described in this guide satisfies this requirement by documenting the process (write-blocking, hashing, read-only analysis) and demonstrating the system produces accurate results (hash verification).
FRCP Rule 37(e) addresses the failure to preserve electronically stored information. If PST files are lost or altered due to failure to take reasonable preservation steps, courts may impose sanctions including adverse inference instructions or case-dispositive sanctions for intentional conduct.
State rules vary. California, New York and Texas have adopted electronic discovery guidelines that align with the federal rules. Check local rules for specific requirements.