What Changed in v0.1.6
The PST Viewer now reads three additional email formats:
- Individual .msg files (Outlook message format)
- Individual .eml files (RFC-822 standard)
- Entire folders of .msg and .eml files with optional recursive scanning
No extra installation. No plugins. The same viewer that handles 50 GB PST archives now opens a single forwarded email or a folder of ten thousand exported messages.
The Forensic Differentiator
Every MSG or EML file gets an automatic forensic readout.
SMTP Transport Chain
Every Received: header is parsed into a visual hop-by-hop trail, in chronological order, showing each hop as from HOST [IP] to RECEIVING-MTA with the protocol used. A single-line origin-to-destination summary answers "where did this message actually come from and where did it land" without reading raw headers.
For incident response teams triaging phishing emails this means immediate visibility into whether the message originated from a legitimate mail server or a compromised host.
Authentication Results
SPF, DKIM and DMARC verdicts are extracted and displayed with plain-English explanations. The examiner sees at a glance whether the sender domain's authentication passed or failed at the time of delivery.
Anomaly Detection
The viewer flags conditions that warrant examiner attention:
- Missing sender fields
- Authentication failures (SPF fail, DKIM fail)
- Internal-only Exchange messages with X.500 DN senders
- Signed messages where the signature cannot be verified
- Message-ID and sender domain mismatches
These flags surface during browse without requiring the examiner to know what to look for.
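The checks described in the three sections above can be reproduced on a raw .eml with Python's standard library. This is an added example, not Sherlock Forensics code: the function names, the trusted_authserv parameter and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers (not real traffic): reserved example domains and IPs.
SAMPLE_EML = """\
Received: from mx.recipient.example (mx.recipient.example [192.0.2.10])
 by mailstore.recipient.example with ESMTPS; Tue, 02 Jan 2024 10:00:05 +0000
Received: from relay.sender.example (relay.sender.example [198.51.100.7])
 by mx.recipient.example with ESMTP; Tue, 02 Jan 2024 10:00:03 +0000
Authentication-Results: mx.recipient.example; spf=fail smtp.mailfrom=billing.example;
 dkim=none; dmarc=fail header.from=billing.example
From: "Accounts" <accounts@billing.example>
Message-ID: <abc123@relay.sender.example>
"""

FIELDS = {"from": r"\bfrom\s+(\S+)", "ip": r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]",
          "by": r"\bby\s+(\S+)", "with": r"\bwith\s+(\S+)"}

def transport_chain(msg):
    hops = []
    for raw in reversed(msg.get_all("Received", [])):  # MTAs prepend, so reverse
        clause = raw.rpartition(";")[0] or raw          # drop trailing timestamp
        found = {k: re.search(p, clause) for k, p in FIELDS.items()}
        hops.append({k: m.group(1) if m else None for k, m in found.items()})
    return hops

def auth_verdicts(msg, trusted_authserv):
    verdicts = {}
    for raw in msg.get_all("Authentication-Results", []):
        authserv, _, results = raw.partition(";")
        if authserv.lower().split()[:1] == [trusted_authserv.lower()]:  # skip sender-supplied headers
            for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", results, re.I):
                verdicts.setdefault(method.lower(), result.lower())
    return verdicts

def _domain(addr):
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def anomalies(msg, verdicts):
    sender = _domain(parseaddr(msg.get("From", ""))[1])
    mid = _domain(msg.get("Message-ID", "").strip().strip("<>"))
    flags = [] if sender else ["missing sender"]
    flags += [f"{m} fail" for m in ("spf", "dkim") if verdicts.get(m) == "fail"]
    if sender and mid and sender != mid:
        flags.append("message-id/sender domain mismatch")
    return flags

MSG = message_from_string(SAMPLE_EML)
```

Received: lines below the first hop stamped by your own MTA are supplied by the sending side and can be forged, so treat the early hops as claims. A Message-ID domain mismatch also occurs with legitimate third-party mail services, which is why it is a flag for review and not a verdict.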
MAPI Timestamps
MSG files carry four MAPI timestamps: Created, Modified, Submit and Delivery. The viewer displays all four side-by-side. Divergences between these timestamps can indicate message tampering, forwarding artifacts or timezone manipulation.
MSG Encoding Detection
Unicode vs ANSI encoding is detected and surfaced. This matters for evidence containing non-Latin characters where encoding misidentification can alter message content.
Three Workflows
Single File Triage
Drop a .msg or .eml on the viewer. Full preview with forensic readout loads in under a second. Use this when opposing counsel produces a single email or when a user forwards a suspicious message to the security team.
Folder Mode
Point the viewer at a directory. Every .msg and .eml inside becomes a browsable list. Enable recursive scanning for nested directory structures copied from evidence mounts or live mailbox exports. Sort and filter by sender, date, subject or anomaly flags.
Selective Reporting
Check the messages that matter. Click Report. The Forensic Edition produces a court-ready PDF covering only the selected items with full forensic metadata, SHA-256 hashing and chain of custody documentation.
What Stays Free vs Forensic Edition
- Free: Read any MSG, EML or folder of messages. See attachment names, sizes and MIME types. Full forensic analysis (transport chain, authentication, anomalies, timestamps). SHA-256 hashing per file. Chain of custody logging.
- Forensic Edition ($67): Everything in Free, plus byte-level attachment extraction (single + bulk with per-attachment SHA-256). PDF report generation. Mbox export. Priority support.
Use Cases
Incident Response
A user reports a phishing email. The analyst opens it in Sherlock Forensics PST Viewer and sees that the transport chain shows the message originated from a compromised server in a different country than the claimed sender, that SPF failed and that the Message-ID domain does not match the From: domain. Total triage time: under 30 seconds.
eDiscovery
A law firm receives 8,000 MSG files exported from an Exchange server. Folder mode loads them all. The paralegal filters by date range and sender, marks the responsive documents and generates a forensic PDF report for each custodian.
Forensic Examination
An examiner mounts a disk image and finds EML files in a user's Downloads folder. Recursive folder mode picks up every email. The transport chain analysis reveals several emails were not received through normal delivery but were manually placed on the system.
Download
Both editions are available at the Sherlock Forensics PST Viewer product page.
SHA-256: 14f14fb50fe2bf4c2a2b9232c8e06d37469a302fc79459ba11a9b88439497bc4