PST File Forensic Examination: The Practitioner's Guide

PST file forensic examination requires read-only access, SHA-256 hashing of every extracted artifact, chain of custody logging and court-ready report output. This guide walks through the defensible workflow for evidence-grade PST extraction including SMTP transport chain analysis and SPF/DKIM/DMARC authentication surfacing. Sherlock Forensics PST Viewer Forensic Edition at $67 lifetime produces the full forensic chain.

PST files are the most common email forensic source in the corporate world. Microsoft Outlook has produced them since 1996 across multiple major format revisions. Every internal investigation, every employment dispute, every M&A due diligence, every fraud case, every harassment complaint that touches corporate email eventually surfaces a .pst file as the artifact in question.

This guide is for the examiner who needs to extract evidence from a PST file in a way that survives review by opposing counsel, regulators or a court.

Why PST Examination Trips Up Standard Workflows

PST is technically a Microsoft-documented format (MS-PST is published), but practical examination still creates predictable problems:

Opening a PST in Outlook modifies the file. Outlook indexes the PST on first open, rebuilds views, runs auto-archive if configured and synchronizes folders if the PST is associated with an active account. The original file hash changes the moment Outlook touches it. For evidentiary use, this is spoliation.

ANSI vs Unicode PSTs behave differently. PSTs created by Outlook 2002 and earlier (and Outlook 2003 Personal Folders) use the ANSI format with a 2 GB file size limit. Outlook 2003 with the Unicode option and all later versions use the Unicode format with a 50 GB cap. The internal structures differ. Tools that handle one cleanly may mishandle the other or refuse to open it at all.

Encrypted and password-protected PSTs require key material. Outlook supports compressible-encryption and high-encryption password protection on PSTs. Without the password, opening the PST requires either brute-forcing (which is expensive and may be legally restricted) or obtaining the password through legal process.

Corrupted PSTs are common. Power failures during writes, hardware errors, anti-virus interference and improper-shutdown events leave PST files in partially-corrupted states. Outlook's scanpst.exe utility can repair them, but repair operations alter the file, so they are not appropriate for evidentiary examination.

Embedded message content can include items that execute on view. Rich-text formatted messages can contain OLE objects, embedded scripts or other active content. Opening a PST in Outlook can trigger this content. A forensic examination should be read-only with no active-content execution.

The Defensible PST Examination Workflow

A workflow that survives review:

  1. Source PST intake with SHA-256 fingerprint. Hash recorded with timestamp, examiner identity, source path or media.
  2. Read-only examination in a forensic tool. Sherlock Forensics PST Viewer Forensic Edition opens the .pst, .ost, .msg or .eml file without modifying it. The custom parser handles ANSI and Unicode PSTs, surfaces version-mismatch issues with diagnostic detail and reports encryption presence without attempting decryption.
  3. Browse or filter content within case scope. Date ranges, sender/recipient, keyword filters as authorized by the examination scope. Each operation logged automatically.
  4. Per-message SHA-256 at extraction. Each email, attachment, contact and calendar item is hashed independently and stored alongside the artifact.
  5. EML export with preserved folder hierarchy. Each message exports as a standards-compliant .eml file into a directory tree that mirrors the original PST mailbox folders. The folder structure is part of the evidentiary record.
  6. Signed JSON chain-of-custody sidecar. Source PST hash, per-artifact hashes, timestamps, examiner attestation, all written to a single signed JSON file that travels with the production set.
  7. Forensic PDF report. Court-ready PDF with branded cover, source PST metadata (path, size, hash, format version), full artifact inventory, SHA-256 verification table, examiner attestation, chain-of-custody footer on every page.
  8. Production set assembly. EML directory + signed JSON sidecar + forensic PDF, bundled for transfer.
  9. Hash list at delivery. When the production goes to opposing counsel, the regulator or the review platform, the hash list accompanies it.

The Sherlock Forensics PST Viewer Forensic Edition produces items 2-7 directly. Items 1, 8 and 9 are administrative wrap-around steps.

SMTP Transport Chain Analysis

SMTP transport chain analysis is a capability specific to PST examination that adds investigative value beyond format conversion.

Every email in the PST contains internet headers documenting the SMTP transport path from sender to recipient. The Received headers, in particular, document each mail server that handled the message, in reverse chronological order. The originating IP address, the timestamps at each hop and the relay hosts are evidentially relevant in many investigations.

Sherlock parses the Received header chain, reverses it into chronological order and presents it as a sequenced transport diagram. The examiner can see:

  • The original sender's IP and the hostname they connected from
  • The intermediate relay hosts
  • The recipient organization's inbound mail gateway
  • The internal delivery to the recipient's mailbox

Spoofed emails, social-engineering attempts and phishing campaigns frequently betray themselves in the transport chain. A "Bank of America" email with a Received chain originating from a residential IP in a country the bank does not operate in is structurally inconsistent and worth flagging.
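The parsing step described above, as an added example that is not Sherlock's parser or any code from the original page: it reverses the Received headers of a constructed message into chronological order, extracts the announced hostname, reverse-DNS name, IP, receiving server and timestamp of each hop, and computes the transit delay between hops. All hostnames, addresses and the message itself are constructed placeholders.

```python
# Added example (not Sherlock's parser): reverse a message's Received chain into
# chronological order and pull out the per-hop fields an examiner reads. The headers
# below are constructed; hostnames and addresses are documentation placeholders.
import email
import re
from email.utils import parsedate_to_datetime

HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)"                                  # name the sender announced
    r"(?:\s+\((?P<rdns>[^\s\[\]()]+)?\s*\[(?P<ip>[^\]]+)\]\))?"  # optional (rdns [ip])
    r".*?\bby\s+(?P<by>\S+)"                                 # receiving server
)

def parse_received(value: str) -> dict:
    """Split one Received header into helo/rdns/ip/by/time fields (None when absent)."""
    clause, sep, stamp = value.rpartition(";")         # the timestamp follows the last ';'
    if not sep:                                          # no ';' at all: no timestamp
        clause, stamp = stamp, ""
    m = HOP_RE.search(" ".join(clause.split()))          # unfold and normalize whitespace
    hop = {"helo": None, "rdns": None, "ip": None, "by": None, "time": None}
    if m:
        hop.update(m.groupdict())
    if stamp.strip():
        hop["time"] = parsedate_to_datetime(stamp.strip())
    return hop

def transport_chain(raw_message: str) -> list:
    """Hops oldest-first: headers are stored newest-first, so the order is reversed."""
    msg = email.message_from_string(raw_message)
    return [parse_received(v) for v in reversed(msg.get_all("Received", []))]

def hop_delays(chain: list) -> list:
    """Seconds between consecutive hops; a negative value means clock skew or a forged hop."""
    return [int((b["time"] - a["time"]).total_seconds()) for a, b in zip(chain, chain[1:])]

# Constructed sample: a "bank" alert whose first hop is an authenticated ISP submission
# from a residential-looking reverse DNS name (203.0.113.0/24 is a documentation range).
SAMPLE = """\
Received: from mx.corp.example (mx.corp.example [10.0.0.5])
\tby mailbox.corp.example with ESMTP id 3; Tue, 5 Mar 2024 09:00:12 +0000
Received: from relay.isp.example (relay.isp.example [198.51.100.9])
\tby mx.corp.example with ESMTPS id 2; Tue, 5 Mar 2024 09:00:10 +0000
Received: from user-pc (cpe-203-0-113-77.isp.example [203.0.113.77])
\tby relay.isp.example with ESMTPSA id 1; Tue, 5 Mar 2024 09:00:03 +0000
From: "Bank Alerts" <alerts@bank.example>
To: someone@corp.example
Subject: constructed sample

body
"""
```

Running `transport_chain(SAMPLE)` yields the originating hop first, which is the one to compare against the claimed sender domain.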

SPF, DKIM and DMARC Analysis

For each message, Sherlock surfaces:

  • SPF (Sender Policy Framework) result. Did the message originate from an IP authorized by the claimed sender domain's SPF record at the time of the message?
  • DKIM (DomainKeys Identified Mail) signature. Is the message's DKIM signature valid against the claimed sender domain's published DKIM key?
  • DMARC (Domain-based Message Authentication, Reporting and Conformance) policy. What was the sender domain's DMARC policy at the time and did the message pass alignment?

Authentication results are present in the Received-Authentication-Results or Authentication-Results headers when the receiving mail gateway computed them. Sherlock parses these and surfaces the results in the message detail view.
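As an added example (not Sherlock's code or anything from the original page), the following reads the verdicts a gateway recorded in an Authentication-Results header, reports "not computed" when the header is absent, and checks whether the SPF and DKIM domains align with the From domain. The header sample, the domains and the strict-alignment rule are assumptions constructed for this illustration.

```python
# Added example (not Sherlock's code): read the SPF/DKIM/DMARC verdicts a receiving gateway
# recorded in Authentication-Results and check them for alignment with the From domain.
# The header sample is constructed; the domains are documentation placeholders.
import email
import re
from email.utils import parseaddr

def parse_auth_results(value: str) -> dict:
    """'mx.example; spf=fail smtp.mailfrom=x; dkim=pass header.d=y' -> {method: {...}}."""
    text = re.sub(r"\([^)]*\)", "", value)                # drop free-text comments
    parts = [p.strip() for p in " ".join(text.split()).split(";") if p.strip()]
    results = {"authserv_id": parts[0]}                    # gateway that computed them
    for clause in parts[1:]:
        tokens = clause.split()
        method, _, verdict = tokens[0].partition("=")
        props = {}
        for tok in tokens[1:]:
            k, eq, v = tok.partition("=")
            if eq:
                props[k] = v
        results[method] = {"result": verdict.lower(), **props}
    return results

def authentication_summary(raw_message: str) -> dict:
    msg = email.message_from_string(raw_message)
    headers = msg.get_all("Authentication-Results", [])
    if not headers:
        return {"computed": False}                         # gateway did not evaluate it
    ar = parse_auth_results(headers[0])                    # topmost = receiving gateway's
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    spf_domain = ar.get("spf", {}).get("smtp.mailfrom", "").rpartition("@")[2].lower()
    dkim_domain = ar.get("dkim", {}).get("header.d", "").lower()
    return {   # alignment here is strict (exact match); relaxed mode would compare org domains
        "computed": True,
        "spf": ar.get("spf", {}).get("result", "none"),
        "dkim": ar.get("dkim", {}).get("result", "none"),
        "dmarc": ar.get("dmarc", {}).get("result", "none"),
        "spf_aligned": bool(spf_domain) and spf_domain == from_domain,
        "dkim_aligned": bool(dkim_domain) and dkim_domain == from_domain,
    }

# Constructed sample: a forged "bank" alert that failed SPF and carried no DKIM signature.
SAMPLE = """\
Authentication-Results: mx.corp.example;
\tspf=fail (sender IP is 203.0.113.77) smtp.mailfrom=notify.isp.example;
\tdkim=none;
\tdmarc=fail (p=reject) header.from=bank.example
From: "Bank Alerts" <alerts@bank.example>
"""
```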

For investigations involving suspected forgery or impersonation, authentication failures in the headers are documentary evidence. For investigations involving authorized communications, authentication passes corroborate the source.

Encryption and Password-Protected PSTs

When a PST is password-protected, Sherlock detects the protection type (compressible encryption or high encryption) and surfaces it. The encrypted PST cannot be examined without the password.

The options for obtaining the password:

  1. Custodian voluntary disclosure. If the custodian is cooperative, ask. Surprisingly often, the password is "password" or similar.
  2. Stored password in the custodian's Outlook profile. Outlook stores PST passwords in the user's Credential Manager on Windows or in Outlook's profile registry. If the custodian's workstation is available, the password may be recoverable.
  3. Legal process. Subpoena, search warrant or court order compelling password disclosure. In some jurisdictions, the custodian's refusal to provide the password is itself sanctionable.
  4. Brute force. Technically possible for compressible-encryption PSTs (which use weak encryption), commercially impractical for high-encryption PSTs. Legal risk depends on jurisdiction and the basis for the examination.
  5. Document inability and proceed without. Surface the encrypted-PST limitation in the forensic report. Note which items could not be examined. The opposing party knows the PST exists and that the examiner could not open it; they can pursue the password through their own channels.

Sherlock does not attempt password recovery or decryption. The product's posture is read-only forensic examination, not offensive password attack. Password-protected PSTs that cannot be opened with available credentials are documented as such.

Chain of Custody From Source to Production

The PST file moves through a chain that includes:

  • Source workstation or backup tape where the file originated
  • Forensic intake where the file is received and hashed
  • Examination environment where the file is analyzed in Sherlock
  • Output artifacts (EML directory, signed JSON, forensic PDF)
  • Review platform ingestion (Relativity, Logikcull, Concordance, Reveal, Everlaw)
  • Production set delivered to opposing counsel or destination party

At each stage, hash continuity should be verifiable. The Sherlock-produced signed JSON sidecar provides the cryptographic backbone for stages 2-4. Downstream stages typically have their own chain documentation through the review platform's audit log.

Where the chain breaks, the production becomes vulnerable to an FRE 901 authentication challenge. The most common break is undocumented manual handling between the source and the examination workstation: files copied between drives without hash verification, files transferred over networks without integrity checks, files stored on shared drives accessible to non-examiners.

The administrative discipline of hashing at every transition matches the cryptographic discipline of the tool. Both are required.
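One way to implement the signed sidecar from the workflow (items 4 and 6) and the hash-continuity check this section calls for, as an added example that is not Sherlock's code or the product's sidecar format: every artifact is hashed at extraction, the inventory is signed, and at each custody transition the set is re-hashed against the sidecar to report modified, missing or unlisted files. The field names, the HMAC-SHA256 signature (a stand-in for whatever signing scheme the product uses) and the sample production set are all assumptions.

```python
# Added example (not Sherlock's own code): build and verify the signed chain-of-custody
# sidecar the workflow describes. Field names, the HMAC-SHA256 signature (a stand-in for
# whatever signing scheme the product uses) and the sample artifacts are all assumptions.
import hashlib
import hmac
import json

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def canonical(payload: dict) -> bytes:
    # Stable serialization so signer and verifier MAC identical bytes.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()

def build_sidecar(source_pst: bytes, artifacts: dict, examiner: str,
                  timestamp: str, key: bytes) -> dict:
    """artifacts maps a folder-mirroring path (e.g. 'Inbox/0001.eml') to its bytes."""
    payload = {
        "source_pst_sha256": sha256_hex(source_pst),
        "examiner": examiner,
        "timestamp": timestamp,
        "artifacts": [{"path": p, "sha256": sha256_hex(b)} for p, b in sorted(artifacts.items())],
    }
    payload["signature"] = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
    return payload

def verify_production(sidecar: dict, artifacts: dict, key: bytes) -> list:
    """Re-hash every artifact at a custody transition; return the list of breaks found."""
    breaks = []
    unsigned = {k: v for k, v in sidecar.items() if k != "signature"}
    expected = hmac.new(key, canonical(unsigned), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sidecar.get("signature", "")):
        breaks.append("sidecar signature invalid")   # sidecar edited or wrong key
    listed = {a["path"]: a["sha256"] for a in sidecar["artifacts"]}
    for path, digest in listed.items():
        if path not in artifacts:
            breaks.append(f"missing: {path}")
        elif sha256_hex(artifacts[path]) != digest:
            breaks.append(f"modified: {path}")
    breaks += [f"unlisted: {p}" for p in artifacts if p not in listed]
    return breaks

# Constructed sample production set (not real evidence).
KEY = b"examiner-signing-key-demo"
PST = b"!BDN" + b"\x00" * 60   # stands in for a source PST image
ARTIFACTS = {
    "Inbox/0001.eml": b"From: a@example.com\r\nSubject: hi\r\n\r\nbody\r\n",
    "Sent Items/0001.eml": b"From: b@example.com\r\nSubject: re\r\n\r\nok\r\n",
}
```

An empty list from `verify_production` at a transition is the documented evidence that continuity held; any entry is the break to record.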

When Sherlock Is the Right Choice for PST Examination

  • The PST will be used as evidence or production.
  • The examination must be defensible to opposing counsel, regulators or a court.
  • Chain of custody documentation is required.
  • The examiner needs SMTP transport chain analysis for investigation context.
  • SPF/DKIM/DMARC authentication results matter for the matter at hand.
  • The output format must be EML for ingestion into modern e-discovery review platforms.

When Sherlock Is Not the Right Choice

  • One-off curious read of a personal PST. The free tier handles this.
  • Bulk migration of PST files to Office 365 without forensic accountability. Microsoft's Network Upload service is purpose-built for this.
  • Personal archive consolidation with no scrutiny expected. Use a free tool.
  • Active Outlook profile management. Sherlock is for examination, not for ongoing mailbox use.

Cost in Context

Sherlock Forensics PST Viewer Forensic Edition is $67 lifetime. For a single forensic case at standard billing rates, the tool pays for itself in the time it saves on manual chain-of-custody construction. For a forensic practice running multiple cases per year, the cost is below the threshold of standard procurement review.

The comparison to consider is not "Sherlock at $67 vs free viewer at $0." The comparison is "Sherlock at $67 plus the chain of custody it produces vs free viewer at $0 plus 8-15 hours of manual chain documentation per case." The math favors Sherlock the first time a real case lands.
