PST Files Under Legal Hold: Examination and Production Guide

PST files under legal hold require defensible preservation: SHA-256 hashing at receipt, read-only examination in a forensic tool that does not modify the source file, chain of custody documentation and court-ready production output. This guide covers the spoliation risks specific to PST (Outlook indexing, AutoArchive, repair operations), the defensible workflow and the production set for opposing counsel. Sherlock Forensics PST Viewer Forensic Edition at $67 lifetime produces the full forensic chain.

The Outlook .pst file is the most common email evidence artifact in corporate litigation. Most internal investigations, employment disputes, fraud cases, M&A due-diligence reviews and regulatory inquiries that touch corporate email eventually surface a PST. The same is true for individual matters where a custodian's personal Outlook profile is at issue.

This page is the practical guide for the legal administrator, e-discovery analyst or forensic consultant handling PST evidence under a legal hold.

The PST Legal Hold Obligation

When a litigation hold issues, every record relevant to the matter must be preserved in unaltered form. For PST files, this creates specific operational obligations:

Preserve the source file unmodified. Opening a PST in a live Outlook profile triggers indexing, view rebuilds and potentially auto-archive operations that modify the file. The first hash recorded on the file after the hold issues should not change. This typically means examination must occur in a read-only forensic tool, not in Outlook.

Document the chain of possession. Record where the PST came from (custodian workstation, file server, backup tape, cloud storage), who has held it since, who has accessed it and when. The chain of possession is itself a deposition topic.

Cryptographic fingerprint at receipt. SHA-256 of the source PST computed before any access operation. This fingerprint anchors the chain: every later representation of the file can be tied back to this hash.

Reproducible extraction. Any extraction performed during the hold must be reproducible. The same PST passed through the same tool with the same configuration must produce the same output. Non-deterministic tools or undocumented configuration choices undermine reproducibility.

Encrypted-content handling. Password-protected PSTs require the password to examine, which in turn requires either the custodian's cooperation, the password from the custodian's stored credentials or legal process compelling disclosure. The encrypted content must be preserved unmodified during the period the password is being obtained.

Tools and workflows that meet these obligations explicitly are the only safe choices for legal-hold PST handling.

Spoliation Risks Specific to PST Examination

Spoliation (the destruction, alteration or failure to preserve material evidence) is the catastrophic failure mode of PST examination under legal hold. FRCP 37(e) authorizes sanctions ranging from adverse inference instructions to dismissal for spoliation involving electronic evidence.

The spoliation risks specific to PST:

  1. Opening the PST in Outlook with a live profile triggers indexing and view rebuild. Outlook modifies the PST on first open. The file hash changes. Opposing counsel's expert documents the alteration and a motion follows.
  2. AutoArchive may move content out of the source PST. If the Outlook profile is configured for AutoArchive (default behavior in many Outlook versions), opening the PST can trigger automatic movement of older items to a separate archive PST. Now the source has changed.
  3. Anti-virus or DLP scanning during file open may modify metadata. Some endpoint security tools update file metadata when files are accessed. The hash changes.
  4. Tools that wrap Outlook through OLE Automation inherit Outlook's modification behavior. Many "PST viewer" tools invoke Outlook silently. The user sees a standalone interface but Outlook is running underneath modifying the PST.
  5. Repair operations on corrupted PSTs alter content. Microsoft's scanpst.exe utility repairs corrupted PSTs by modifying the file. This is appropriate for operational recovery; it is not appropriate for evidentiary examination because the repair operation cannot be reversed to recover the pre-repair state for verification.

The mitigating practices:

  1. Use a tool with a custom parser that does not invoke Outlook. Sherlock Forensics PST Viewer Forensic Edition's Rust parser opens PST files read-only without any Outlook dependency. The source file is not modified.
  2. Hash the source before and after every operation. Verify the hash is unchanged at each step. If the hash changes, the operation was not read-only.
  3. Document every action. Tool version, configuration, examiner identity, timestamps. Sherlock writes this log automatically to a signed JSON sidecar.
  4. Preserve corruption rather than repair. A corrupted PST is documented as corrupted. The examiner notes the limitation. Forced repair introduces new fact patterns opposing counsel will scrutinize.

Chain of Custody Documentation for PST Evidence

A defensible chain of custody for a PST examination contains:

  1. Source acquisition record. When the PST was received, from whom, in what form, on what media. SHA-256 at receipt.
  2. Custodian path. Every person who held the file between acquisition and examination. Names, dates, transfer mechanisms.
  3. Examiner identity and credentials. Who performed the examination, when, on what workstation, with what tool version.
  4. Operations performed. Read-only file open, content browsing, extraction to EML, hash computation. Each operation timestamped.
  5. Output artifacts. Every EML, MBOX, PDF and JSON file produced. SHA-256 of each, tied back to source artifacts.
  6. Storage and disposal. Where the source file lives after examination. Where the output artifacts live. Retention period.

Sherlock Forensics PST Viewer Forensic Edition produces items 4-6 automatically. Items 1-3 are administrative records the legal team maintains.
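The hash-before-and-after discipline from the mitigating practices above, together with chain-of-custody items 4-6 (operations log, output manifest, hash continuity), as an added Python example that is not Sherlock's code and not its sidecar format: the JSON layout, the HMAC-SHA256 tag standing in for the signature, the examiner and tool-version values are assumptions, and the "PST" is a constructed byte string rather than a real PST file.

```python
import hashlib, hmac, json, tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:  # read-only handle; the source is never opened for writing
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()
class CustodyLog:  # receipt hash, pre/post hash per operation, output manifest (hypothetical format)
    def __init__(self, source, examiner, tool_version):
        self.source, self.entries, self.outputs = str(source), [], []
        self.meta = {"examiner": examiner, "tool_version": tool_version}
        self.receipt_hash = sha256_file(source)  # anchors every later entry
    def operation(self, name, action):
        """Hash, run action(), hash again; True only if the source still matches receipt."""
        pre = sha256_file(self.source)
        action()
        post = sha256_file(self.source)
        unchanged = pre == post == self.receipt_hash
        self.entries.append({"op": name, "at": datetime.now(timezone.utc).isoformat(),
                             "pre_sha256": pre, "post_sha256": post, "read_only": unchanged})
        return unchanged
    def register_output(self, path):  # tie each produced artifact back to the source hash
        self.outputs.append({"path": Path(path).name, "sha256": sha256_file(path),
                             "source_sha256": self.receipt_hash})
    def write_sidecar(self, path, key):
        """Write the JSON sidecar with an HMAC-SHA256 over canonical JSON (assumed signing scheme)."""
        log = {**self.meta, "receipt_sha256": self.receipt_hash,
               "operations": self.entries, "outputs": self.outputs}
        tag = hmac.new(key, json.dumps(log, sort_keys=True).encode(), hashlib.sha256).hexdigest()
        Path(path).write_text(json.dumps({"log": log, "hmac_sha256": tag}))

def verify_sidecar(path, key):  # recompute the tag; any edit to the sidecar makes this False
    doc = json.loads(Path(path).read_text())
    expect = hmac.new(key, json.dumps(doc["log"], sort_keys=True).encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(doc["hmac_sha256"], expect)

def run_example():
    """Constructed stand-in for a PST (patterned bytes, not a real PST) run through the chain."""
    key = b"examiner-signing-key-placeholder"
    with tempfile.TemporaryDirectory() as d:
        src, eml, sidecar = Path(d, "custodian.pst"), Path(d, "0001.eml"), Path(d, "chain.json")
        src.write_bytes(bytes(range(256)) * 64)  # constructed sample bytes
        log = CustodyLog(src, "A. Examiner", "pst-viewer-placeholder-version")
        clean = log.operation("extract_to_eml", lambda: eml.write_bytes(src.read_bytes()[:512]))
        log.register_output(eml)
        log.write_sidecar(sidecar, key)
        intact = verify_sidecar(sidecar, key)
        # a tool that writes to the source (index rebuild, repair) must show up in the log
        dirty = log.operation("open_in_outlook", lambda: src.write_bytes(src.read_bytes() + b"\0"))
        return log, clean, intact, dirty
```

The second operation models item 1 of the spoliation list: the post-operation hash no longer matches the receipt hash, and the log entry records it rather than hiding it.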

The forensic PDF report includes a chain-of-custody footer on every page that references the case-specific chain documentation. Auditors and reviewers can verify the cryptographic continuity without re-running the examination.

Production for Opposing Counsel

After examination and review, the production set delivered to opposing counsel typically includes:

  1. The EML directory tree with preserved mailbox folder hierarchy: one .eml file per email, with the folder structure mirroring the original PST.
  2. A load file mapping each EML to its Bates number, custodian, source path and per-artifact SHA-256.
  3. The forensic PDF report as the production cover-page-equivalent, demonstrating chain of custody for the extracted set.
  4. A privilege log for items withheld on privilege grounds, generated downstream by the review team.
  5. A redaction key if redactions were applied during review.
  6. A cover letter referencing the production set, Bates range and load files included.

Sherlock Forensics PST Viewer Forensic Edition produces items 1 and 3 directly. Items 2, 4, 5 and 6 are downstream review-team and counsel artifacts.

When Encrypted PSTs Block the Examination

Password-protected PSTs cannot be opened without the password. Options:

  1. Custodian voluntary disclosure. Ask. The password is often "password," the custodian's birthday or similar.
  2. Stored password recovery. Outlook stores PST passwords in Credentials Manager (Windows) or the user's profile registry. If the custodian's workstation is available, the password may be recoverable through forensic acquisition of that workstation.
  3. Legal process. Subpoena, search warrant or court order compelling password disclosure. In some jurisdictions, refusing to provide the password is itself sanctionable.
  4. Brute force. Practical for compressible-encryption PSTs (which use weak encryption); not practical for high-encryption PSTs without significant computational resources. Legal risk depends on the basis for the examination.
  5. Document inability and proceed without. Surface the encrypted-PST limitation in the forensic report. Note which items could not be examined.

Sherlock does not attempt password recovery or decryption. The product's posture is read-only forensic examination, not offensive password attack. Password-protected PSTs are detected and documented; the unsealed remainder of the PST is examined normally.

Cost Justification at the Litigation Tier

PST examinations in regulated-industry or high-stakes litigation involve six- to eight-figure legal budgets. Document review costs alone often exceed $500,000 per matter. In that context, the $67 cost of Sherlock Forensics PST Viewer Forensic Edition is below the threshold of any procurement review.

The cost question is not "is $67 too much." The cost question is "does this tool produce defensible output, save time over manual chain construction and reduce risk of spoliation findings." The answer is yes on all three.

By comparison, tools that lack chain of custody and SHA-256 hashing require the examiner to construct the forensic chain manually using separate hash utilities and separate documentation. Time cost per matter: 4-8 hours for the chain construction alone. At conservative paralegal rates, the manual approach exceeds the tool cost within the first matter.

For forensic consultants handling multiple matters per year, the per-case cost of Sherlock approaches zero, while the per-case time saved on chain construction compounds.
