Bates-Stamped MSG Exhibit Examination in Litigation

MSG files arrive in litigation productions as Bates-stamped exhibits where the relevance is already established and authentication becomes the primary work. The examination produces source-MSG SHA-256 at intake, MAPI timestamp consistency checks, SMTP transport chain reconstruction, SPF/DKIM/DMARC results, per-attachment hashing and a forensic PDF report. Sherlock Forensics MSG Viewer Forensic Edition at $67 lifetime produces this examination output in a single tool pass per exhibit and defends against the three common authentication challenge patterns under FRE 901.

When specific emails matter in litigation, they arrive as MSG-format exhibits. A custodian saved them, outside counsel produced them, opposing counsel cited them or the court ordered them. Each MSG carries a Bates number, a production date and a chain of provenance that has to hold up under scrutiny.

This guide is for the paralegal, e-discovery analyst or forensic consultant handling Bates-stamped MSG exhibits as part of litigation discovery, motion practice or deposition preparation.

How MSG Exhibits Differ From Bulk PST Productions

PST productions are bulk mailbox archives. MSG productions are curated exhibits where someone decided each specific message mattered enough to preserve as a discrete file. The handling implications differ:

PST examination is about discovering what is in the mailbox. The examiner does not know which messages will matter until the review begins.

MSG exhibit examination is about authenticating specific messages that have already been identified as relevant. The examiner knows the message matters. The question is whether it is authentic, complete and properly preserved.

For MSG exhibits the workflow inverts:

  • Authentication and chain-of-custody verification become the primary work
  • Content review is secondary (the relevance was already established at production)
  • Specific MAPI properties (timestamps, message class, conversation index) get scrutinized for tampering signals
  • SMTP transport chain verification matters more because individual exhibits get challenged on authenticity

A tool optimized for PST mailbox examination handles MSG files but treats them as just another format. A tool built for MSG-exhibit examination surfaces the authentication-relevant detail prominently.

What Authentication Looks Like for an MSG Exhibit

For each Bates-stamped MSG arriving in a production, the examination produces:

Source-MSG SHA-256 hash at intake. Recorded with the Bates number, the production date and the receiving party's chain of possession.

Internal consistency check. Does the MSG's internal MAPI metadata (PR_CREATION_TIME, PR_LAST_MODIFICATION_TIME, PR_MESSAGE_DELIVERY_TIME, PR_CLIENT_SUBMIT_TIME) tell a coherent story? Timestamp discrepancies are tampering signals.

SMTP transport chain reconstruction. The Received header chain reversed into chronological order shows the actual transport path. Forgery investigations look for inconsistencies between the claimed sender domain and the actual originating IP.

SPF / DKIM / DMARC authentication results. Surfaced from the Authentication-Results header where present. A bank email that fails DKIM is structurally inconsistent with claimed authorship.

Attachment inventory with per-attachment SHA-256. Each embedded attachment hashed independently and tied to the source MSG hash through the chain log.

Examiner attestation. Documented identity, credentials, tool version and configuration. Required for the forensic report's authentication-block content.

Forensic PDF report. Court-ready and branded, it includes all of the above with a chain-of-custody footer.

The Sherlock Forensics MSG Viewer Forensic Edition workflow produces this examination output in a single tool pass per MSG exhibit. For an exhibit batch of 50 to 200 MSGs (typical pre-trial production), the workflow scales by batching against a directory of source MSG files.
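
An added example (not part of the original guide and not Sherlock's code) of the transport chain reconstruction and Authentication-Results items listed above, using only Python's standard email module. The header block is constructed sample data, and the function names and the five-minute clock-skew tolerance are assumptions of this example.

```python
import re
from datetime import timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample headers (not from a real exhibit); newest hop is on top.
SAMPLE = """\
Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=bank.example;
 dkim=fail header.d=bank.example; dmarc=fail header.from=bank.example
Received: from mx.recipient.example (mx.recipient.example [203.0.113.10])
 by mailstore.recipient.example with ESMTP id C3; Tue, 05 Mar 2024 14:02:09 +0000
Received: from relay.isp.example (relay.isp.example [198.51.100.7])
 by mx.recipient.example with ESMTP id B2; Tue, 05 Mar 2024 14:02:05 +0000
Received: from workstation (unknown [192.0.2.44])
 by relay.isp.example with ESMTP id A1; Tue, 05 Mar 2024 09:01:58 -0500
From: alerts@bank.example
"""

def transport_chain(raw):
    """Received hops oldest-first: claimed host, connecting IP, receiver, time."""
    hops = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        flat = " ".join(value.split())                 # unfold continuation lines
        clauses, sep, stamp = flat.rpartition(";")     # date follows the last ';'
        clauses = clauses if sep else flat             # hop recorded without a date
        pick = lambda rx: (re.search(rx, clauses) or [None, None])[1]
        try:
            when = parsedate_to_datetime(stamp if sep else "")
            if when.tzinfo is None:                    # "-0000": UTC, zone not stated
                when = when.replace(tzinfo=timezone.utc)
        except (TypeError, ValueError):
            when = None
        hops.append({"from": pick(r"\bfrom (\S+)"), "by": pick(r"\bby (\S+)"),
                     "ip": pick(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]"), "time": when})
    return hops

def backwards_hops(hops, skew=timedelta(minutes=5)):
    """Indexes of hops stamped earlier than the previous hop by more than skew."""
    timed = [(i, h["time"]) for i, h in enumerate(hops) if h["time"]]
    return [i for (_, prev), (i, cur) in zip(timed, timed[1:]) if cur + skew < prev]

def auth_results(raw):
    """First spf/dkim/dmarc verdict recorded in Authentication-Results headers."""
    found = {}
    for value in message_from_string(raw).get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value, re.I):
            found.setdefault(method.lower(), verdict.lower())
    return found
```

The verdicts are those the receiving server recorded at delivery time; the example reads them and does not re-verify the DKIM signature.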

The Bates Number Question

Bates stamping is a production-set operation rather than a forensic-extraction operation. Sherlock does NOT stamp Bates numbers on the source MSGs. That step happens downstream in the e-discovery review platform after the forensic chain of custody is established.

The relationship between Bates and forensic chain:

  1. Source MSG arrives in the production with a Bates number assigned by the producing party
  2. Forensic examination produces the chain-of-custody documentation tying the Bates-numbered MSG to its hash and metadata
  3. Review platform (Relativity, Logikcull, Concordance, Reveal or Everlaw) maintains the Bates-to-content mapping during review
  4. Production-out to opposing parties or to court submission references both the Bates number and the forensic chain documentation

The chain-of-custody documentation Sherlock produces becomes a load-file companion to the Bates-stamped production set. Reviewers can verify any specific Bates-numbered MSG by re-hashing the source and matching against the load-file entry.
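
An added example, not from the original guide or the Sherlock tool, of the re-hash-and-match verification described above. The CSV load-file layout (bates, file, sha256), the convention that each MSG file is named by its Bates number, and the function names are assumptions; the demo uses constructed stand-in bytes rather than real MSG files.

```python
import csv, hashlib, io, tempfile
from pathlib import Path

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):   # stream large MSGs
            h.update(block)
    return h.hexdigest()

def build_load_file(msg_dir):
    """Intake: CSV text with one row per source MSG (bates, file, sha256)."""
    out = io.StringIO()
    rows = csv.writer(out, lineterminator="\n")
    rows.writerow(["bates", "file", "sha256"])
    for p in sorted(Path(msg_dir).glob("*.msg")):
        rows.writerow([p.stem, p.name, sha256_file(p)])  # assumption: stem = Bates no.
    return out.getvalue()

def verify_load_file(load_csv, msg_dir):
    """Re-hash every listed MSG; report match, MISMATCH, MISSING or UNLISTED."""
    status, listed = {}, set()
    for row in csv.DictReader(io.StringIO(load_csv)):
        name = Path(row["file"]).name          # never follow a path out of msg_dir
        listed.add(name)
        p = Path(msg_dir) / name
        if not p.is_file():
            status[row["bates"]] = "MISSING"
        elif sha256_file(p) == row["sha256"].strip().lower():
            status[row["bates"]] = "match"
        else:
            status[row["bates"]] = "MISMATCH"
    for p in Path(msg_dir).glob("*.msg"):
        if p.name not in listed:
            status[p.stem] = "UNLISTED"        # present on disk, absent from load file
    return status

def demo():
    """Constructed stand-in bytes: alter, delete and add a file after intake."""
    with tempfile.TemporaryDirectory() as d:
        for n in (101, 102, 103):
            (Path(d) / f"ABC{n:07d}.msg").write_bytes(b"constructed exhibit %d" % n)
        load = build_load_file(d)
        (Path(d) / "ABC0000102.msg").write_bytes(b"constructed exhibit 102.")
        (Path(d) / "ABC0000103.msg").unlink()
        (Path(d) / "ABC0000104.msg").write_bytes(b"late addition")
        return verify_load_file(load, d)
```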

The Forwarded-As-Attachment Trap

MSG exhibits frequently contain other MSG files as attachments. The "forwarded as attachment" scenario is common where a custodian sent an earlier message as a preserved attachment rather than inline-quoted. Each layer carries its own provenance:

  • The outer MSG: sender, recipients, transport chain and timestamps for the forwarding event
  • The inner MSG (attachment): the original sender, recipients, transport chain and timestamps for the original delivery
  • Possibly further nesting: a forwarded-as-attachment chain that includes additional inner MSGs

Examination has to surface each layer's authentication record independently. The outer MSG's transport chain is one fact pattern. The inner MSG's transport chain is a separate fact pattern. Mixing them or losing the nested structure produces evidentially confused output.

Sherlock MSG Viewer Forensic Edition handles recursive MSG-in-MSG structures by drilling into each level, hashing the level's content independently and surfacing the per-level provenance in the forensic report. For a custodian who forwarded a chain of three or four nested MSGs, all four layers get separate examination records.

Authentication Challenges and Counter-Challenges

Opposing counsel challenges to MSG exhibits typically run along three patterns:

Pattern 1: "The metadata does not match the content." Opposing counsel argues that the MAPI timestamps or transport headers are inconsistent with what the message body claims. Examination response: surface the actual metadata, document the chain of custody from source MSG to extracted content and demonstrate that the metadata genuinely reflects what is in the source rather than a tool-introduced artifact.

Pattern 2: "The transport chain is suspicious." Opposing counsel argues the Received header chain shows inconsistencies suggesting forgery. Examination response: full transport chain reconstruction with each hop's IP, hostname and timestamp surfaced. If the chain is internally consistent, the response is documentary. If the chain is genuinely inconsistent, the response is also documentary but in the opposite direction.

Pattern 3: "The producing party altered the MSG before production." Opposing counsel argues the source MSG was modified post-receipt and pre-production. Examination response: a PR_CREATION_TIME vs PR_LAST_MODIFICATION_TIME comparison surfaces post-creation modification. If creation and modification times are identical, the metadata records no modification after creation. If they differ, the timing of the difference matters.

For each pattern, the defense relies on having the forensic examination output AVAILABLE before the challenge is filed. Reactive forensic work (examining a Bates-stamped MSG only after opposing counsel challenges its authenticity) costs more time and produces weaker output than proactive examination during production review.
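
An added example (not the tool's code) of the internal consistency check behind Pattern 3: it converts the four MAPI time properties from FILETIME to UTC and flags orderings that need explaining. The property values are constructed, and the ordering rules, finding names and five-minute tolerance are assumptions of this example; reading the properties out of the MSG container is outside its scope.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
SUBMIT, DELIVERY = "PR_CLIENT_SUBMIT_TIME", "PR_MESSAGE_DELIVERY_TIME"
CREATED, MODIFIED = "PR_CREATION_TIME", "PR_LAST_MODIFICATION_TIME"

# (finding, later property, earlier property). Assumed rules, not the page's:
# a finding means the 'later' property exceeds the 'earlier' one by more than skew.
RULES = [
    ("submit_after_delivery", SUBMIT, DELIVERY),
    ("created_after_modified", CREATED, MODIFIED),
    ("modified_after_creation", MODIFIED, CREATED),   # needs explaining, not proof
]

def filetime_to_utc(ft):
    """MAPI time properties are FILETIMEs: 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def timestamp_findings(props, skew=timedelta(minutes=5)):
    """Return (finding, detail) tuples for one message's time properties."""
    t = {k: filetime_to_utc(v) for k, v in props.items() if v}   # 0 = not set
    out = [("missing", k) for k in (SUBMIT, DELIVERY, CREATED, MODIFIED) if k not in t]
    for finding, later, earlier in RULES:
        if later in t and earlier in t and t[later] - t[earlier] > skew:
            out.append((finding, str(t[later] - t[earlier])))
    return out

# Constructed values. T0 is 2024-03-05 14:02:09 UTC expressed as a FILETIME.
T0 = 133541209290000000
SECOND = 10_000_000
CLEAN = {SUBMIT: T0 - 11 * SECOND, DELIVERY: T0, CREATED: T0, MODIFIED: T0}
EDITED = {SUBMIT: T0 - 11 * SECOND, DELIVERY: T0, CREATED: T0,
          MODIFIED: T0 + 3 * 86400 * SECOND}
BACKDATED = {SUBMIT: T0 + 7200 * SECOND, DELIVERY: T0, CREATED: T0, MODIFIED: T0}
```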

When This Examination Workflow Is the Right Approach

  • Pre-trial productions involving MSG-format exhibits where authentication challenges are anticipated
  • Regulatory inquiries that produce specific-message MSG exhibits subject to authentication standards
  • Internal investigations where individual messages get cited as findings of fact
  • Motion practice where MSG exhibits anchor the factual record
  • Deposition preparation where MSG content will be put to witnesses

For these scenarios, Sherlock Forensics MSG Viewer Forensic Edition at $67 lifetime produces the chain-of-custody documentation that defends the exhibit and costs less than a single hour of attorney time per case.

When Generic MSG Reading Is Sufficient

  • The MSG exhibit will not be challenged on authenticity (uncontested matters or cases with agreed stipulations)
  • The MSG is being read for content review only rather than for authentication purposes
  • The downstream use of the MSG content does not require chain of custody (internal information retrieval, settlement-summary preparation and the like)

For these scenarios, generic MSG readers handle the work and Sherlock would be overspending.

Cross-Product Workflow

MSG-exhibit examination at scale often pairs with broader e-discovery work:

For practices building the Sherlock email-forensics toolkit, MSG Viewer at $67 plus PST Viewer at $67 plus OCR Reader at $67 covers the email-and-document axis at under $200 lifetime combined.
