TL;DR: Each Outlook message carries 200+ MAPI properties. File Save As preserves about 20 of them. Forensic examiners pull the rest from the PST file directly. The properties that matter for litigation, HR investigations plus incident response are listed below.
What MAPI Actually Is
MAPI (Messaging API) is Microsoft's interface for messaging clients to interact with messaging stores. Outlook is the most visible MAPI client; Exchange Server plus Office 365 are the most visible MAPI servers. The PST file format is the on-disk persistence layer for MAPI message data. Every Outlook message is a structured collection of MAPI properties identified by 32-bit tags plus carrying typed values.
The properties a normal user sees in Outlook are the smallest fraction of what the message actually contains. From, To, Cc, Subject, Body plus the high-level header fields are the visible surface. The full property set covers conversation threading state, read plus reply tracking, delivery status, attachment provenance, calendar interaction state, voting state, server-side processing flags plus internal Exchange metadata that the application stack uses but never displays to the user.
The Ten MAPI Properties Every Examiner Pulls
Forensic examination of a PST file rarely needs to walk all 200+ properties on every message. The properties below cover most investigative needs.
1. PR_INTERNET_MESSAGE_ID (PT_STRING). The RFC-822 Message-ID header. Globally unique per message at send time. The examiner uses this to cross-reference recipient mailboxes when reconstructing a multi-party conversation.
2. PR_LAST_VERB_EXECUTED (PT_LONG). The last user action performed on the message: Reply (102), Reply All (103), Forward (104), Resend (105). Set plus surfaced regardless of whether the action was eventually sent. A message marked Reply (102) but with no corresponding Sent Items entry indicates the user composed but did not send the reply, which is often forensically interesting.
3. PR_CONVERSATION_INDEX (PT_BINARY). The Outlook conversation threading identifier. Each reply appends 5-byte time-delta blocks to the parent's conversation index. Examiners reconstruct the full conversation tree from PR_CONVERSATION_INDEX even when individual messages have been deleted.
4. PR_TRANSPORT_MESSAGE_HEADERS (PT_STRING). The full RFC-822 header block including all Received hops, SPF, DKIM plus DMARC results, Authentication-Results, X-Originating-IP plus the message routing path. This is the field forensic examiners pull first when authenticating an email.
5. PR_RECEIVED_BY_NAME plus PR_RECEIVED_REPRESENTING_NAME. The actual recipient mailbox name versus the on-behalf-of representation. Delegation scenarios produce divergence between these two fields that examiners use to identify mailbox-delegate forwarding configurations.
6. PR_MESSAGE_DELIVERY_TIME plus PR_CLIENT_SUBMIT_TIME. Server-side delivery timestamp versus client-side submit timestamp. Divergence reveals timezone discrepancies, system clock manipulation or queue delays. Examiners compare both against the Received header chain.
7. PR_ATTACH_LONG_FILENAME plus PR_ATTACH_CONTENT_ID. Per-attachment filename plus inline-content identifier. The content-ID matters when investigating embedded images that reference external URLs (the inline-image-tracking-pixel pattern).
8. PR_HASATTACH (PT_BOOLEAN) plus PR_ATTACH_NUM. Whether the message has attachments plus how many. Useful for triaging large PST files to focus on messages with attachments first.
9. PR_SENT_REPRESENTING_EMAIL_ADDRESS plus PR_SENDER_EMAIL_ADDRESS. The Send-As versus the actual sender email address. Divergence indicates delegation or impersonation. Phishing investigations always pull both.
10. Named property tags PidNameContentType plus PidNameAuthor (under PSETID_PublicStrings). Outlook stores additional metadata in named properties beyond the standard tag space. The Content-Type plus Author named properties surface attachment provenance plus authoring application details that File Save As does not export.
Why Outlook File Save As Loses This Data
Outlook's File Save As function exports the message body plus a handful of standard headers in the chosen output format (MSG, EML, HTML, plain text). The export deliberately strips most MAPI properties because the destination format does not carry them. MSG export retains the most properties; EML strips down to RFC-822 headers; HTML plus plain text reduce further. None of the export formats preserves the full MAPI property set.
The forensic implication is straightforward: an investigator who works from File Save As output instead of the original PST file is missing 80 percent of the message metadata. That missing metadata is often the evidence that makes or breaks a case. The Sherlock PST Viewer Forensic Edition reads the PST file directly plus exposes the full MAPI property explorer.
Practical Takeaway
If you are an HR investigator, eDiscovery specialist, defense attorney or incident responder working with email evidence, do not accept File Save As exports as the working copy. Always request the original PST file (or the source Exchange archive). The full MAPI property set is the difference between a defensible forensic record plus a partial reconstruction.
If you handle Outlook PST evidence regularly, the PST Viewer Forensic Edition at \$67 USD lifetime license is the tool that exposes the MAPI property explorer plus produces court-ready PDF reports with per-message MAPI property dumps. Free viewer for basic triage; Forensic Edition for the property explorer plus the export plus the chain-of-custody documentation.