Forensic Examination of MSG Files in E-Discovery

MSG files arrive in e-discovery productions as standalone Outlook exhibits. Forensic examination requires source-file hashing at intake, read-only parsing that does not modify the source, per-attachment hash extraction, recursive MSG handling, MAPI property surfacing and SMTP authentication analysis (SPF, DKIM, DMARC). Sherlock Forensics MSG Viewer Forensic Edition at $67 lifetime produces all of these as part of the standard workflow with court-ready forensic PDF reports and signed JSON chain of custody sidecars.

MSG files arrive in e-discovery productions for a specific reason: someone wanted that exact email preserved as a standalone exhibit. The custodian dragged the message out of Outlook, the producing party saved it to disk, opposing counsel produced it as Bates-stamped evidence or the investigator captured it from a custodian's workstation. Whatever the path, the .msg file is now in the case file and needs to be examined defensibly.

This guide is for the e-discovery analyst, paralegal or forensic examiner handling MSG evidence in a defensible workflow.

Why MSG Files Show Up Separately From PST Productions

MSG and PST are both Outlook formats but they show up in productions for different reasons:

PST is a complete mailbox. When a custodian's full mailbox is produced, the format is typically PST. Productions involving thousands of messages, full date ranges or complete custodian coverage are PST-based.

MSG is a single message. When a specific message matters as a discrete exhibit (produced by Bates number, attached to a declaration or preserved out-of-band by the custodian or counsel) the format is MSG. Productions involving specific messages identified during prior review, hot-document exhibits or messages preserved before formal hold are typically MSG.

Common scenarios where MSG productions surface:

  • Custodian saved specific messages to disk before separation, often the messages they considered important enough to keep
  • Outside counsel saved specific messages from the mailbox during initial review as candidate exhibits
  • Producing party converted PST-mailbox subsets to MSG for production efficiency at the exhibit tier
  • Investigator captured specific messages from a workstation during forensic acquisition
  • Mail-forwarded-as-attachment scenarios produce MSG files inside other MSG files (recursive structure)

Each scenario carries different chain-of-possession requirements that the forensic examination has to document.

The Forensic Requirements for MSG Examination

The same chain-of-custody discipline that governs PST examination applies here, with MSG-specific details:

Source MSG hash at intake. SHA-256 of each .msg file at receipt with chain of possession documented. For productions involving hundreds of MSG files, batch-hashing at intake produces a single source-state hash file that anchors the whole production.

Read-only examination. The MSG is opened in a tool that does not modify the source. Outlook itself modifies .msg files on open in some scenarios (read-receipt processing, flag changes). A forensic-grade tool does not.

Per-attachment hash extraction. MSG files contain attachments as embedded streams. Each attachment is hashed at extraction independently and tied back to the source MSG hash through the chain documentation.

Recursive MSG handling. A .msg file can contain another .msg file as an attachment (forwarded-as-attachment scenarios). Forensic extraction handles the nested structure correctly and hashes each level independently.

MAPI property surfacing. MSG files contain MAPI properties beyond the visible email fields (timestamps, transport headers, conversation index, message class). Some properties matter evidentially (sent time vs delivery time discrepancies, transport authentication results, original message class).

SMTP header preservation. The Internet headers a .msg file inherited from its source SMTP delivery are evidentially relevant. Spoofing analysis, transport chain analysis and SPF/DKIM/DMARC authentication results all depend on the headers being preserved unmodified.

A tool that handles MSG correctly preserves all of these. A tool that treats MSG as a simple email-text-and-attachments extractor misses evidentially relevant context.
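The intake-hash, read-only verification and per-attachment chain requirements above can be expressed as a short stdlib-only script. The following is an added example, not Sherlock's code and not a description of its internals: it batch-hashes a directory of .msg files, re-hashes after examination to prove the sources were not touched, walks a (constructed) attachment tree so nested .msg levels are hashed independently with a pointer to their parent hash, and signs the resulting JSON sidecar with HMAC-SHA256. The placeholder .msg bytes, attachment contents and signing key are all constructed for the demo; a real workflow would feed attachment bytes from a compound-document parser.

```python
import hashlib
import hmac
import json
import os
import tempfile


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file read-only so large productions never load whole into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def intake_manifest(directory: str) -> dict:
    """Hash every .msg under directory; relative paths keep the manifest portable."""
    manifest = {}
    for root, _dirs, files in os.walk(directory):
        for name in sorted(files):
            if name.lower().endswith(".msg"):
                path = os.path.join(root, name)
                manifest[os.path.relpath(path, directory)] = sha256_file(path)
    return manifest


def verify_unchanged(manifest: dict, directory: str) -> list:
    """Re-hash after examination; return the files whose hash no longer matches."""
    return [rel for rel, digest in manifest.items()
            if sha256_file(os.path.join(directory, rel)) != digest]


def attachment_chain(attachments: list, parent_sha256: str, depth: int = 0) -> list:
    """Hash each attachment on its own and record the hash of what contained it.
    An attachment that is itself a .msg carries an 'attachments' list, which is
    walked recursively so every nesting level gets an independent hash."""
    entries = []
    for att in attachments:
        digest = sha256_bytes(att["data"])
        entry = {"name": att["name"], "sha256": digest,
                 "parent_sha256": parent_sha256, "depth": depth}
        if att.get("attachments"):
            entry["attachments"] = attachment_chain(att["attachments"], digest, depth + 1)
        entries.append(entry)
    return entries


def canonical(obj) -> bytes:
    # Deterministic serialization so the signature can be recomputed later.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def build_sidecar(source_rel: str, source_sha256: str, attachments: list, key: bytes) -> dict:
    body = {"source": source_rel, "source_sha256": source_sha256,
            "attachments": attachment_chain(attachments, source_sha256)}
    # HMAC-SHA256 over the canonical body; key is the examiner's signing key (assumed).
    return {"body": body, "hmac_sha256": hmac.new(key, canonical(body), hashlib.sha256).hexdigest()}


def verify_sidecar(sidecar: dict, key: bytes) -> bool:
    expected = hmac.new(key, canonical(sidecar["body"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sidecar["hmac_sha256"])


def demo() -> dict:
    """Run the intake / examine / verify cycle on constructed placeholder files."""
    key = b"examiner-signing-key-placeholder"  # constructed, not a real key
    with tempfile.TemporaryDirectory() as prod:
        # Constructed bytes standing in for produced .msg files (not real compound documents).
        with open(os.path.join(prod, "EXH0001.msg"), "wb") as fh:
            fh.write(b"abc")
        with open(os.path.join(prod, "EXH0002.msg"), "wb") as fh:
            fh.write(b"")
        manifest = intake_manifest(prod)
        clean = verify_unchanged(manifest, prod)
        # Forwarded-as-attachment shape: inner.msg itself carries a PDF.
        attachments = [{"name": "inner.msg", "data": b"abc",
                        "attachments": [{"name": "contract.pdf", "data": b""}]}]
        sidecar = build_sidecar("EXH0001.msg", manifest["EXH0001.msg"], attachments, key)
        tampered = json.loads(json.dumps(sidecar))
        tampered["body"]["attachments"][0]["sha256"] = "0" * 64
        # Simulate a viewer that wrote to a source file during examination.
        with open(os.path.join(prod, "EXH0002.msg"), "ab") as fh:
            fh.write(b"x")
        changed = verify_unchanged(manifest, prod)
    return {"manifest": manifest, "clean": clean, "changed": changed, "sidecar": sidecar,
            "sidecar_ok": verify_sidecar(sidecar, key), "tampered_ok": verify_sidecar(tampered, key)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2, default=str))
```

The second `verify_unchanged` pass is the check that matters in court: the intake manifest and the post-examination manifest must agree for every source file, and any sidecar whose body was edited after signing fails `verify_sidecar`.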

The Sherlock Forensics MSG Examination Workflow

Sherlock Forensics MSG Viewer Forensic Edition is built for this examination at the $67 lifetime tier, matching PST Viewer's pricing and using the same forensic infrastructure (chain of custody log, court-ready PDF reports, signed JSON sidecar).

The workflow:

  1. Source MSG intake. Hash each .msg file at receipt. For large MSG productions, batch SHA-256 the entire production set and store the hashes alongside the source files.
  2. Open in Sherlock MSG Viewer Forensic Edition. The tool parses the .msg compound document structure read-only without invoking Outlook. The source file SHA-256 is unchanged before and after examination.
  3. Surface the MSG structure. Headers (To, From, CC, BCC, Subject, dates), body (text and HTML variants), attachments, MAPI properties, SMTP transport chain and authentication results are all surfaced in a structured view.
  4. Examine recursive attachments. If the MSG contains nested .msg files, examination drills into the nested structure. Each level is hashed and reported independently.
  5. Extract attachments. Each attachment is exported to a destination directory with per-attachment SHA-256 hash logged.
  6. Generate the forensic PDF report. Branded report with cover page, source MSG metadata, header inventory, MAPI property surfacing, attachment inventory with hashes, examiner attestation and chain-of-custody footer.
  7. Production set assembly. Source MSG plus extracted attachments plus forensic PDF report plus signed JSON sidecar with the cryptographic chain.

For productions involving hundreds of MSG files, the workflow scales by batching. Sherlock processes a directory of MSG files and produces an aggregated forensic report covering the full production set with per-file detail.

SMTP Transport Chain and Authentication Analysis

MSG files preserve the Internet Headers from the original SMTP delivery. Sherlock surfaces:

  • Received header chain. Reversed into chronological order showing the actual transport path from sender to recipient.
  • SPF result. Did the message originate from an IP authorized by the claimed sender domain's SPF record at the time of the message?
  • DKIM signature. Is the message's DKIM signature valid against the claimed sender domain's published DKIM key?
  • DMARC alignment. What was the sender domain's DMARC policy and did the message align?
  • Authentication-Results header. Parsed and surfaced with each authentication method's result.

For matters involving suspected forgery, impersonation or social engineering, the authentication results are documentary evidence. An email claiming to be from Bank of America with a Received chain originating from a residential IP and a DKIM-fail authentication result is structurally inconsistent in a way the message body alone does not surface.
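The analysis this section describes can be reproduced from the preserved Internet headers with the standard library alone. The following is an added example, not Sherlock's code: it parses a constructed header block, reverses the Received chain into chronological order, splits Authentication-Results into per-method results and properties, and emits finding codes when the From domain is not vouched for by SPF, DKIM or DMARC, when the DKIM signing domain does not align with the From domain, or when the originating hop is identified only by an address literal. The header block, hostnames and addresses are constructed for the demo (documentation address ranges and .example names), not taken from any real production.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr, parsedate_to_datetime

# Constructed header block (not from a real matter) showing the pattern the
# section describes: a From domain that SPF, DKIM and DMARC all refuse to vouch for.
CONSTRUCTED_HEADERS = b"""\
Received: from mx.recipient.example ([203.0.113.10]) by mailstore.recipient.example; Tue, 05 Mar 2024 14:02:11 +0000
Received: from smtp.sender.example (unknown [198.51.100.25]) by mx.recipient.example; Tue, 05 Mar 2024 14:02:09 +0000
Received: from [192.0.2.77] by smtp.sender.example; Tue, 05 Mar 2024 14:01:58 +0000
Authentication-Results: mx.recipient.example; spf=fail smtp.mailfrom=sender.example; dkim=fail (bad signature) header.d=sender.example; dmarc=fail header.from=bank.example
From: "Account Security" <alerts@bank.example>
To: custodian@recipient.example
Subject: Action required
Date: Tue, 05 Mar 2024 14:01:55 +0000
Message-ID: <constructed-0001@sender.example>

"""


def parse_headers(raw: bytes):
    return BytesParser(policy=policy.default).parsebytes(raw)


def received_chain(msg) -> list:
    """Each hop prepends its Received header, so header order is newest first;
    reversing yields the chronological transport path sender -> recipient."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        value = " ".join(str(value).split())
        match = re.search(r"\bfrom\s+(.+?)\s+by\s+(\S+)", value)
        stamp = value.rsplit(";", 1)[-1].strip() if ";" in value else None
        hops.append({"from": match.group(1) if match else None,
                     "by": match.group(2).rstrip(";") if match else None,
                     "timestamp": parsedate_to_datetime(stamp) if stamp else None})
    return hops


def auth_results(msg) -> dict:
    """Split Authentication-Results into {method: {"result": ..., prop: value}}."""
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        value = re.sub(r"\([^)]*\)", "", str(value))  # drop RFC 5322 comments
        for clause in value.split(";")[1:]:           # clause [0] is the authserv-id
            tokens = clause.split()
            if not tokens or "=" not in tokens[0]:
                continue
            method, result = tokens[0].split("=", 1)
            props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
            results[method.lower()] = {"result": result.lower(), **props}
    return results


def from_domain(msg) -> str:
    return parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()


def aligned(signing_domain: str, header_from: str) -> bool:
    """DMARC relaxed alignment: equal, or header.from is a subdomain of d=."""
    signing_domain = signing_domain.lower()
    return header_from == signing_domain or header_from.endswith("." + signing_domain)


def assess(msg) -> list:
    """Finding codes an examiner would carry into the report."""
    findings, auth, sender = [], auth_results(msg), from_domain(msg)
    if auth.get("spf", {}).get("result") != "pass":
        findings.append("SPF_NOT_PASS")
    dkim = auth.get("dkim", {})
    if dkim.get("result") != "pass":
        findings.append("DKIM_NOT_PASS")
    if dkim.get("header.d") and not aligned(dkim["header.d"], sender):
        findings.append("DKIM_DOMAIN_MISALIGNED")
    if auth.get("dmarc", {}).get("result") != "pass":
        findings.append("DMARC_NOT_PASS")
    chain = received_chain(msg)
    if chain and chain[0]["from"] and re.fullmatch(r"\[[0-9a-fA-F.:]+\]", chain[0]["from"]):
        findings.append("ORIGIN_IP_LITERAL_ONLY")  # first hop named only by its address
    stamps = [h["timestamp"] for h in chain if h["timestamp"]]
    if stamps != sorted(stamps):
        findings.append("RECEIVED_TIMESTAMPS_NOT_MONOTONIC")
    return findings


if __name__ == "__main__":
    m = parse_headers(CONSTRUCTED_HEADERS)
    for hop in received_chain(m):
        print(hop["timestamp"], hop["from"], "->", hop["by"])
    print(auth_results(m))
    print(assess(m))
```

The Authentication-Results header is the receiving server's verdict at delivery time, which is why preserving it unmodified matters: SPF and DKIM cannot be meaningfully re-evaluated later once DNS records or keys have rotated.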

MAPI Property Surfacing

MSG files preserve MAPI properties that do not surface in standard email viewing:

  • PR_CREATION_TIME and PR_LAST_MODIFICATION_TIME. When the MSG file was created on disk vs when it was last modified. Often reveals post-saving alteration when these differ from the email's Date header.
  • PR_MESSAGE_DELIVERY_TIME vs PR_CLIENT_SUBMIT_TIME. Delivery time vs submission time. Significant discrepancies can indicate clock manipulation or transport problems.
  • PR_CONVERSATION_INDEX. Identifies the message thread position. Useful for reconstructing conversation flow when only some messages from a thread are produced.
  • PR_MESSAGE_CLASS. Outlook message class (IPM.Note for standard email, IPM.Note.SMIME for signed, IPM.Note.SMIME.MultipartSigned for signed-and-encrypted and others).
  • PR_INTERNET_MESSAGE_ID. The RFC 5322 Message-ID from the original SMTP delivery.

For e-discovery productions where the MSG was produced as a discrete exhibit, the MAPI property layer often answers authentication questions the email body alone leaves open.
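Two of the property checks above can be made mechanical. The following is an added example, not Sherlock's code: it compares PR_CLIENT_SUBMIT_TIME against PR_MESSAGE_DELIVERY_TIME and PR_CREATION_TIME against PR_LAST_MODIFICATION_TIME with a tolerance, checks the Date header against the submit time, and decodes a PR_CONVERSATION_INDEX value (22-byte header of one reserved byte, the high five bytes of a FILETIME and a 16-byte GUID, followed by one 5-byte block per reply) into a thread root time and depth. The property values are constructed datetimes; in practice a compound-document parser would decode them from the MSG's FILETIME properties. The `make_conversation_index` helper exists only to build demo input.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def parse_conversation_index(index: bytes) -> dict:
    """Header: 1 reserved byte, 5 high-order bytes of a FILETIME, 16-byte GUID.
    Every following 5-byte block is one reply, so depth = (len - 22) // 5."""
    if len(index) < 22 or (len(index) - 22) % 5:
        raise ValueError("malformed PR_CONVERSATION_INDEX")
    # The low 3 bytes of the 8-byte FILETIME are not stored, so the recovered
    # root time is accurate to about 1.7 s (2**24 ticks of 100 ns).
    ticks = int.from_bytes(index[1:6], "big") << 24
    root_time = FILETIME_EPOCH + timedelta(microseconds=ticks // 10)
    return {"root_time": root_time, "guid": index[6:22].hex(),
            "depth": (len(index) - 22) // 5}


def make_conversation_index(root_time: datetime, replies: int = 0) -> bytes:
    """Constructed helper for the demo; Outlook generates the real bytes."""
    delta = root_time - FILETIME_EPOCH
    micros = (delta.days * 86400 + delta.seconds) * 10**6 + delta.microseconds
    ticks = micros * 10  # FILETIME counts 100 ns intervals since 1601-01-01
    return b"\x01" + (ticks >> 24).to_bytes(5, "big") + bytes(16) + bytes(5 * replies)


def timestamp_findings(props: dict, tolerance: timedelta = timedelta(minutes=5)) -> list:
    """props maps MAPI property names (plus DATE_HEADER) to aware datetimes."""
    findings = []
    submit = props.get("PR_CLIENT_SUBMIT_TIME")
    delivery = props.get("PR_MESSAGE_DELIVERY_TIME")
    if submit and delivery:
        if delivery < submit:
            findings.append("DELIVERY_BEFORE_SUBMIT")   # clock skew or manipulation
        elif delivery - submit > tolerance:
            findings.append("DELIVERY_DELAYED")         # transport delay worth explaining
    created = props.get("PR_CREATION_TIME")
    modified = props.get("PR_LAST_MODIFICATION_TIME")
    if created and modified and modified - created > tolerance:
        findings.append("MODIFIED_AFTER_SAVE")          # the .msg changed after it was written
    date_header = props.get("DATE_HEADER")
    if date_header and submit and abs(date_header - submit) > tolerance:
        findings.append("DATE_HEADER_SUBMIT_MISMATCH")
    return findings


# Constructed property values for the demo (not from a real exhibit).
CONSTRUCTED_PROPS = {
    "PR_CLIENT_SUBMIT_TIME": datetime(2024, 3, 5, 14, 1, 55, tzinfo=timezone.utc),
    "PR_MESSAGE_DELIVERY_TIME": datetime(2024, 3, 6, 9, 0, 0, tzinfo=timezone.utc),
    "PR_CREATION_TIME": datetime(2024, 3, 7, 10, 0, 0, tzinfo=timezone.utc),
    "PR_LAST_MODIFICATION_TIME": datetime(2024, 3, 20, 16, 45, 0, tzinfo=timezone.utc),
    "DATE_HEADER": datetime(2024, 3, 5, 14, 1, 55, tzinfo=timezone.utc),
}


def demo() -> dict:
    root = datetime(2024, 1, 1, 12, 30, 30, tzinfo=timezone.utc)
    index = make_conversation_index(root, replies=3)
    return {"conversation": parse_conversation_index(index),
            "timestamp_findings": timestamp_findings(CONSTRUCTED_PROPS)}


if __name__ == "__main__":
    print(demo())
```

A thread depth of 3 with only one message produced tells the examiner that at least three earlier messages in the conversation exist somewhere, which is exactly the reconstruction question PR_CONVERSATION_INDEX answers.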

Production for Opposing Counsel

When MSG files are part of a production to opposing counsel:

  1. Source MSGs preserved unmodified, with intake hashes documented
  2. Searchable EML conversion if the receiving party's review platform prefers EML. Sherlock produces standards-compliant EML alongside the source MSG.
  3. Extracted attachments in a parallel directory tree with per-file hashes
  4. Forensic PDF report as the production cover for the MSG set
  5. Signed JSON sidecar with the full hash chain for downstream chain-of-custody verification
  6. Bates stamping applied in the review platform downstream rather than by Sherlock. Bates numbering is a review-process step, not an extraction step.

When Sherlock MSG Viewer Is the Right Choice

  • E-discovery productions involving MSG-format exhibits
  • Forensic examinations where individual messages are produced as standalone evidence
  • Internal investigations where specific messages need defensible documentation
  • Cases involving suspected email forgery or impersonation where SMTP authentication analysis matters
  • Practices handling MSG productions regularly where the per-case time savings on chain construction compound

For these scenarios, the $67 lifetime cost recovers within the first matter and the per-case marginal cost approaches zero afterward.

When Generic MSG Tools Are Sufficient

  • One-off reading of a single MSG file with no anticipated production scrutiny
  • Internal information retrieval where chain of custody is not relevant
  • Casual conversion of MSG to other formats for personal-use access

For these scenarios, free MSG viewers from NirSoft, Aid4Mail or others handle the read. Sherlock would be overspending.

Cross-Product Cluster Integration

MSG examination rarely happens in isolation. Common pairings:

  • MSG plus PST. Custodian's PST mailbox plus individual MSG exhibits produced separately. Pair Sherlock MSG Viewer with Sherlock PST Viewer Forensic Edition for full coverage.
  • MSG plus EML. Productions that mix MSG and EML are common when different custodians use different export methods. Both formats parse cleanly in Sherlock PST Viewer Forensic Edition (which handles MSG and EML in addition to PST and OST).
  • MSG plus Browser history. Email forensic examinations often pair with workstation browser examination for context. Pair with Sherlock Browser Viewer Forensic Edition.

For practices building the Sherlock email-forensics toolkit, PST Viewer ($67) covers the full PST/OST/MSG/EML format range and MSG Viewer ($67) adds the dedicated MSG-heavy workflow optimization. Many practices buy both: PST Viewer for general email examination, MSG Viewer for matters that are MSG-heavy enough to benefit from dedicated workflow.
