PST Files in eDiscovery: What Lawyers Need to Know

PST files are the most common source of email evidence in litigation and regulatory investigations. Microsoft Outlook PST archives contain years of correspondence, attachments and metadata that are frequently responsive to discovery requests. Legal hold obligations require preservation of PST files when litigation is reasonably anticipated. Forensic tools like Sherlock PST Viewer Pro ($67) provide SHA256 hash verification and chain of custody reporting for court-admissible PST analysis.

The PST Problem in Litigation

Microsoft Outlook remains the dominant email client in corporate environments. As of 2026, over 400 million users rely on Outlook for daily communication. Every one of those users potentially has PST files containing years of email history stored on local drives, network shares and backup media.

For litigators, this creates both opportunity and obligation. PST files are the richest source of email evidence available. They contain not just message content but metadata including timestamps, routing information, read receipts and attachment histories. They also contain deleted items that the user believed were gone but remain in the PST's internal structure until the file is compacted.

The obligation is preservation. When litigation is reasonably anticipated, organizations must preserve potentially relevant PST files. Failure to do so exposes the organization to spoliation sanctions that can alter the outcome of a case.

Why PST Files Are the Primary Email Evidence Source

Persistence

PST files are self-contained archives. Unlike server-based email that depends on Exchange or Microsoft 365 retention policies, PST files persist on local storage indefinitely. An employee who left the organization five years ago may have PST files on a decommissioned laptop sitting in a storage closet. Those files contain the original emails with original metadata, unaffected by any server-side retention policy.

Volume

A typical corporate user accumulates 2-5 GB of email per year. Long-tenure employees may have PST files exceeding 20 GB. A single PST file can contain 50,000 to 200,000 messages spanning a decade of correspondence. In fraud investigations and commercial disputes, this volume of historical communication is invaluable.

Metadata Richness

PST files preserve email metadata that may not survive migration to cloud platforms or export to other formats. This includes transport headers showing the exact routing path, conversation threading information, calendar entries with attendee responses, contact records with notes and task assignments with completion status. This metadata provides context that bare message content cannot.

Deleted Items

When a user deletes an email in Outlook, the message moves to the Deleted Items folder. When they empty the Deleted Items folder, the message is marked as deleted in the PST file's internal structure but the data remains until the file is compacted. Forensic tools can recover these soft-deleted messages. In fraud and misconduct investigations, deleted emails are frequently the most relevant.

Legal Hold Obligations for PST Files

A legal hold (litigation hold) is the obligation to preserve potentially relevant information when litigation is reasonably anticipated. This obligation arises before a lawsuit is filed. The moment an organization has reasonable notice that litigation may occur, preservation duties attach.

What Triggers a Legal Hold

Receipt of a demand letter or threat of litigation: The most obvious trigger. Any written communication threatening legal action triggers preservation obligations.
Filing or service of a complaint: If a lawsuit has been filed, preservation is mandatory.
Government investigation or regulatory inquiry: Subpoenas, civil investigative demands or regulatory inquiries trigger preservation.
Internal investigation of wrongdoing: When the organization discovers potential fraud, misconduct or policy violations that may lead to litigation or regulatory action.
Anticipation of dispute: A contract dispute, employment termination or business transaction that the organization reasonably expects will result in litigation.

Implementing a Legal Hold on PST Files

Once a legal hold is triggered, the following steps apply specifically to PST files:

  1. Identify custodians. Determine which employees have potentially relevant email. Include former employees whose PST files may be in storage.
  2. Locate PST files. Search custodian workstations, network shares, backup tapes and cloud storage for PST and OST files. Users often store PST files in non-default locations.
  3. Disable auto-archive. Outlook's auto-archive feature moves old messages to archive PST files and can delete items from the primary mailbox. Disable this for all custodians under hold.
  4. Disable retention policies. If Exchange retention policies delete messages after a set period, suspend those policies for custodians under hold.
  5. Notify custodians. Issue written legal hold notices instructing custodians not to delete, move or modify their PST files.
  6. Collect and preserve. Create forensic copies of identified PST files with SHA256 hash verification. Store on secure, write-once media.
  7. Document everything. Maintain a record of every hold notice sent, every PST file identified, every copy created and every hash value computed.
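
Step 2 of the list above is where holds most often miss files, so here is an added sketch (not from the article or any vendor tool) of an inventory pass that checks the four-byte `!BDN` signature PST and OST files begin with, in addition to the extension, and records path, size and date. The category names (`pst`, `renamed`, `bad-header`, `unreadable`) and the sample tree are constructed for the illustration.

```python
import os
import tempfile
from datetime import datetime, timezone

PST_MAGIC = b"!BDN"            # first four bytes of a PST or OST file header
EXTENSIONS = {".pst", ".ost"}

def classify(path):
    """Return 'pst', 'renamed', 'bad-header', 'unreadable', or None if unrelated."""
    has_ext = os.path.splitext(path)[1].lower() in EXTENSIONS
    try:
        with open(path, "rb") as fh:          # opened read-only
            has_magic = fh.read(4) == PST_MAGIC
    except OSError:
        return "unreadable" if has_ext else None
    if has_magic:
        return "pst" if has_ext else "renamed"   # renamed: PST content, other extension
    return "bad-header" if has_ext else None     # extension without a PST header

def inventory(root):
    """Walk root; record path, kind, size and UTC mtime of each candidate file."""
    rows = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            kind = classify(path)
            if kind:
                st = os.stat(path)
                mtime = datetime.fromtimestamp(st.st_mtime, timezone.utc)
                rows.append({"path": path, "kind": kind, "size": st.st_size,
                             "modified_utc": mtime.isoformat()})
    return sorted(rows, key=lambda r: r["path"])

def demo():
    """Constructed tree: a normal PST, a renamed one, an empty one, a text file."""
    samples = {
        "Documents/archive.pst": PST_MAGIC + b"\x00" * 60,
        "Documents/old/q3-backup.dat": PST_MAGIC + b"\x00" * 60,
        "Documents/old/empty.pst": b"",
        "Documents/notes.txt": b"not an Outlook data file",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in samples.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        return [(os.path.relpath(r["path"], root).replace(os.sep, "/"), r["kind"])
                for r in inventory(root)]
```

Run a pass like this against a write-blocked or read-only mount: even opening a file for reading can update its last-access time on some filesystems.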

Preservation: The Technical Process

Preservation of PST files requires more than simply copying them to a folder. The copies must be forensically sound.

| Step | Action | Purpose |
|------|--------|---------|
| 1 | Hash the original PST (SHA256) | Establish baseline integrity |
| 2 | Copy to preservation storage | Create working copy |
| 3 | Hash the copy (SHA256) | Verify copy matches original |
| 4 | Store on write-protected media | Prevent modification |
| 5 | Document chain of custody | Prove preservation integrity |
| 6 | Retain original in place | Avoid spoliation argument |

Use Sherlock Hash or any SHA256 tool for hashing. For review and analysis, use Sherlock PST Viewer, which operates in read-only mode to prevent modification during review.
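
The table above as a script, added here as an illustration and not taken from Sherlock Forensics or any tool the article names. The custody-record field names and the `.custody.json` sidecar file are assumptions, and the sample PST is a constructed stand-in.

```python
import hashlib
import json
import os
import shutil
import stat
import tempfile
from datetime import datetime, timezone

def sha256_file(path, chunk=1024 * 1024):
    """Stream the file so multi-gigabyte PSTs never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def preserve(original, dest_dir, custodian, collector):
    """Steps 1-5 of the table: hash, copy, re-hash, write-protect, record."""
    source_hash = sha256_file(original)                 # step 1
    copy_path = os.path.join(dest_dir, os.path.basename(original))
    if os.path.exists(copy_path):
        raise FileExistsError(copy_path)                # never overwrite evidence
    shutil.copy2(original, copy_path)                   # step 2, keeps timestamps
    if sha256_file(copy_path) != source_hash:           # step 3
        raise ValueError("copy does not match original: " + copy_path)
    os.chmod(copy_path, stat.S_IREAD)                   # step 4, software flag only
    record = {                                          # step 5
        "custodian": custodian, "collected_by": collector, "sha256": source_hash,
        "collected_utc": datetime.now(timezone.utc).isoformat(),
        "original_path": os.path.abspath(original), "copy_path": copy_path,
    }
    with open(copy_path + ".custody.json", "w") as fh:
        json.dump(record, fh, indent=2)
    return record

def verify(record):  # False means the copy changed after collection
    return sha256_file(record["copy_path"]) == record["sha256"]

def demo():
    with tempfile.TemporaryDirectory() as src_dir, tempfile.TemporaryDirectory() as dest:
        src = os.path.join(src_dir, "custodian.pst")    # constructed stand-in for a PST
        with open(src, "wb") as fh:
            fh.write(b"!BDN" + os.urandom(4096))
        rec = preserve(src, dest, "J. Doe (constructed)", "examiner-01")
        intact = verify(rec)
        os.chmod(rec["copy_path"], stat.S_IREAD | stat.S_IWRITE)
        with open(rec["copy_path"], "ab") as fh:
            fh.write(b"\x00")                           # simulate a tool that writes
        return intact, verify(rec)
```

The read-only flag set in step 4 is only a file attribute; the write-protected media in the table is still required, and step 6 is satisfied because the script never touches the original beyond reading it.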

Common Pitfalls That Lead to Sanctions

Pitfall 1: Relying on Server-Side Preservation Only

Organizations that preserve Exchange mailboxes but ignore local PST files risk losing evidence that exists only in the PST. Users archive messages to PST files specifically to remove them from the server mailbox. Those archived messages exist nowhere else.

Pitfall 2: Allowing Outlook to Modify PST Files

Opening a PST file in Outlook modifies it. Internal indices are updated. Timestamps change. If a preserved PST file is opened in Outlook for review, the hash will no longer match the original. Use a forensic PST viewer that operates in read-only mode.

Pitfall 3: Missing Departed Employee PST Files

When employees leave, IT may reimage their workstations without checking for PST files. If the departed employee is a custodian in pending or anticipated litigation, those PST files are now gone. Include PST file preservation in the offboarding checklist for any employee who may be a custodian.

Pitfall 4: Auto-Archive Destroying Evidence

Outlook's auto-archive feature runs on a schedule and moves old messages to archive.pst while optionally deleting them from the primary mailbox. If auto-archive runs after a legal hold is triggered but before the PST is preserved, evidence may be lost or fragmented across multiple files.

Pitfall 5: PST Files on Backup Tapes

Backup rotation policies may overwrite tapes containing PST files. When a legal hold is triggered, ensure backup tapes containing relevant PST files are pulled from rotation and preserved.

The Sherlock eDiscovery Workflow for PST Files

Sherlock Forensics uses the following workflow for PST-based eDiscovery engagements.

  1. Custodian identification. Work with counsel to identify all custodians with potentially relevant email. Include former employees.
  2. PST file mapping. Scan custodian workstations, network shares and backup media for PST and OST files. Document file paths, sizes and dates.
  3. Forensic collection. Create SHA256-verified copies of all identified PST files using write-blocking procedures.
  4. Processing. Load collected PST files into Sherlock PST Viewer Pro for keyword search, date filtering and custodian-based review.
  5. Review. Identify responsive documents. Flag privileged communications. Apply agreed-upon search terms.
  6. Production. Export responsive messages with per-message SHA256 hashes. Generate production manifest and chain of custody report.
  7. Expert support. Provide expert witness testimony on collection methodology, tool operation and evidence integrity if challenged.

Cost Considerations for Law Firms

PST-based eDiscovery does not require expensive forensic suites. The Sherlock PST Viewer Pro at $67 USD provides all the forensic features needed for PST analysis: read-only access, SHA256 per-message hashing, batch export and chain of custody reporting.

For comparison:

| Approach | Cost | Forensic Grade |
|----------|------|----------------|
| Sherlock PST Viewer Pro | $67 USD one-time | Yes |
| SysTools PST Viewer | $299 USD | No |
| FTK full suite | $3,000+ USD/year | Yes |
| eDiscovery platform (Relativity) | $18+ USD/GB/month | Yes |
| Outsourced forensic collection | $2,000-10,000+ per custodian | Yes |

For firms handling PST review in-house, Sherlock PST Viewer Pro eliminates the need for expensive platforms or outsourced collection for straightforward PST analysis. For complex multi-custodian matters with terabytes of data, a full eDiscovery platform may be warranted, but the PST collection and verification phase can still be handled by Sherlock at minimal cost.

Regulatory Context

Canada

The Sedona Canada Principles Addressing Electronic Discovery provide the framework for electronic discovery in Canadian courts. Principle 3 establishes that parties should take reasonable and good faith steps to preserve potentially relevant electronically stored information. PST files fall squarely within the definition of ESI.

Under PIPEDA (Personal Information Protection and Electronic Documents Act), PST files containing personal information of third parties must be handled according to privacy obligations even during litigation. Redaction of non-responsive personal information may be required.

United States

FRCP Rules 26(b)(1) and 34 govern the scope and production of electronically stored information including PST files. Rule 37(e) addresses sanctions for failure to preserve ESI. The 2015 amendments to Rule 37(e) require courts to find prejudice before imposing curative measures and intent before imposing more severe sanctions.

State courts generally follow similar principles. California Code of Civil Procedure Section 2031.010 governs inspection demands for electronically stored information. New York CPLR Section 3101 requires disclosure of all evidence material and necessary. Texas Rule of Civil Procedure 196.4 addresses electronic discovery.
