Every email investigation begins with a PST file. Microsoft Outlook stores years of correspondence, attachments, calendar entries and contact records inside a single Personal Storage Table file. In litigation, regulatory investigations and internal fraud cases, PST files are frequently the primary source of documentary evidence.
The problem is that most PST viewers were designed for IT administrators, not forensic examiners. They open files in read-write mode. They modify last-accessed timestamps. They provide no hash verification. They generate no chain of custody documentation. When opposing counsel challenges the integrity of your email evidence, a consumer-grade PST viewer gives you nothing to stand on.
Forensic soundness is not a feature. It is the baseline requirement. Without it, every email you present in court is vulnerable to a spoliation argument. The examiner must demonstrate that the evidence was collected, preserved and analyzed without modification. That demonstration requires verifiable hashing, documented procedures and a tool designed for the courtroom rather than the help desk.
The Cost of Getting It Wrong
In 2024, a BC Supreme Court proceeding excluded email evidence because the examiner could not demonstrate that the PST file had not been modified during analysis. The opposing expert identified timestamp changes consistent with read-write access. The emails were excluded under the best evidence rule and the case outcome shifted.
This scenario repeats across Canadian provincial courts and US federal proceedings. Judges are increasingly sophisticated about digital evidence integrity. The Federal Rules of Civil Procedure (FRCP) Rule 37(e) permits adverse inference instructions when electronically stored information is lost or altered due to failure to take reasonable preservation steps. Canadian courts apply similar principles under the Sedona Canada Principles Addressing Electronic Discovery.
A forensically sound PST viewer eliminates this risk at the point of analysis. Write-blocking ensures the file cannot be modified. Per-message hashing proves individual email integrity. Chain of custody documentation records every examiner action from file receipt through report delivery.
How Sherlock PST Viewer Maintains Forensic Integrity
Sherlock PST Viewer was built by forensic examiners who testify in court. Every design decision prioritizes evidentiary integrity over convenience.
Read-Only Access
Sherlock PST Viewer opens PST and OST files in strict read-only mode. The tool never writes to the source file. No timestamps are modified. No metadata is altered. The original file remains byte-for-byte identical before and after analysis. This is verifiable by comparing SHA256 hashes of the file pre- and post-examination.
SHA256 Per-Message Hashing
The Pro edition computes a SHA256 hash for every individual email message during analysis. This creates a cryptographic fingerprint for each piece of evidence. If opposing counsel questions whether a specific email was altered, the examiner can present the hash value computed at the time of analysis and demonstrate it matches the hash of the email in the original PST file.
Per-message hashing goes beyond whole-file hashing. A single PST file may contain 50,000 messages. Whole-file hashing proves the container was not modified. Per-message hashing proves each individual message was not modified. This granular verification is what courts expect from qualified forensic examiners.
Automated Chain of Custody Reports
The Pro edition generates a chain of custody report that documents the examiner name, examination date, source file path, source file SHA256 hash, every search query executed, every filter applied, every message exported and the SHA256 hash of each exported item. This report is generated automatically from the tool's internal audit log. No manual note-taking required. No gaps in documentation.
Batch Export with Integrity Verification
When exporting messages for production, the Pro edition exports in EML format with SHA256 hashes recorded for every exported file. The export manifest includes message metadata (sender, recipient, date, subject) alongside the hash value. This manifest becomes a verifiable index of produced evidence that can be independently validated.
What Makes Sherlock Different from Competitors
- Built by forensic examiners, not software developers
  - Sherlock PST Viewer was designed by CISSP, ISSAP, ISSMP certified practitioners with over 20 years of courtroom experience. The feature set reflects what examiners actually need when testifying, not what a product manager guessed they might want.
- Priced for practitioners
  - The Free edition handles basic PST viewing with full-text search. The Pro edition at $67 USD includes every forensic feature. Competing forensic PST tools from SysTools cost $299. FTK requires a full license. Sherlock delivers forensic-grade output at a fraction of the cost.
- No subscription. No annual renewal.
  - One payment. Permanent license. Free updates for the current major version. No vendor lock-in. No recurring charges that inflate case costs.
- Expert witness support included
  - If you need expert testimony to support findings generated by Sherlock PST Viewer, the same team that built the tool provides expert witness services. Your expert understands the tool at the code level because they wrote it.
Forensic PST Analysis Workflow
The following workflow represents the standard operating procedure used by Sherlock Forensics examiners when analyzing PST files for litigation or investigation purposes.
| Step | Action | Tool | Output |
| --- | --- | --- | --- |
| 1 | Document source and custodian | Case management | Intake form with custodian details |
| 2 | Create forensic image of storage media | FTK Imager / dd | Bit-for-bit image with hash verification |
| 3 | Extract PST file from image | FTK Imager / Autopsy | PST file with documented extraction path |
| 4 | Hash the extracted PST | Sherlock Hash | SHA256 hash of source PST |
| 5 | Create working copy | File system copy | Working copy with matching SHA256 |
| 6 | Open in Sherlock PST Viewer | Sherlock PST Viewer Pro | Read-only access confirmed |
| 7 | Search, filter and review | Sherlock PST Viewer Pro | Relevant messages identified |
| 8 | Export with hashing | Sherlock PST Viewer Pro | EML files with SHA256 manifest |
| 9 | Generate chain of custody report | Sherlock PST Viewer Pro | Complete examination record |
| 10 | Verify source PST unchanged | Sherlock Hash | SHA256 match confirmed |
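The hashing steps of this workflow (4, 5 and 10) and the independent validation of an export manifest described under Batch Export with Integrity Verification can be reproduced with standard tooling. The Python below is an added example, not Sherlock's code; the function names and the two-column CSV manifest layout (`filename`, `sha256`) are assumptions, since the page does not specify the tool's manifest format.

```python
import csv
import hashlib
import os
import shutil
import stat
from pathlib import Path

def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so a multi-gigabyte PST is hashed without loading it into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:  # binary, read-only open
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def make_working_copy(source, workdir):
    """Steps 4-5: hash the source, copy it, and refuse to continue if the copy differs."""
    source_hash = sha256_file(source)
    copy_path = Path(workdir) / Path(source).name
    shutil.copyfile(source, copy_path)
    if sha256_file(copy_path) != source_hash:
        raise ValueError("working copy does not match source hash")
    # Owner read-only: a guard against accidental writes, not a write blocker.
    os.chmod(copy_path, stat.S_IRUSR)
    return copy_path, source_hash

def verify_unchanged(path, recorded_hash):
    """Step 10: re-hash after examination and compare with the value recorded at intake."""
    return sha256_file(path) == recorded_hash.lower()

def verify_manifest(manifest_csv, export_dir):
    """Re-hash each exported file named in the manifest (assumed columns: filename, sha256)."""
    results = {}
    with open(manifest_csv, newline="") as fh:
        for row in csv.DictReader(fh):
            target = Path(export_dir) / row["filename"]
            if not target.is_file():
                results[row["filename"]] = "missing"
            elif sha256_file(target) == row["sha256"].lower():
                results[row["filename"]] = "ok"
            else:
                results[row["filename"]] = "mismatch"
    return results
```

Any status other than `ok` from `verify_manifest`, or a `False` from `verify_unchanged`, is a finding to record in the examination notes before work continues.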
Case Study: Corporate Fraud Investigation
A Vancouver-based financial services firm retained Sherlock Forensics to investigate suspected embezzlement by a senior manager. The investigation centered on email communications between the subject and external co-conspirators.
Collection
IT provided a forensic image of the subject's workstation. The Outlook PST file was 12.4 GB containing approximately 87,000 messages spanning four years. A second OST file contained an additional 23,000 messages from the subject's Exchange cache.
Analysis
Using Sherlock PST Viewer Pro, the examiner searched both archives for keywords related to wire transfers, account numbers and vendor names identified by the client. Date range filtering narrowed the review to a 14-month window. The tool identified 342 responsive messages across both archives.
Production
All 342 messages were exported in EML format with individual SHA256 hashes. The chain of custody report documented every search query, filter and export action. The source PST and OST files were re-hashed after analysis and matched their original values, confirming no modification occurred.
Outcome
The email evidence was admitted without challenge. The chain of custody documentation preempted any spoliation argument. The examiner testified as to the methodology and the subject settled before trial. Total tool cost: $67.
Supported File Formats and Capabilities
| Feature | Free Edition | Pro Edition ($67) |
| --- | --- | --- |
| Open PST files | Yes | Yes |
| Open OST files | Yes | Yes |
| Full-text search | Yes | Yes |
| Individual email export | Yes | Yes |
| SHA256 per-message hashing | No | Yes |
| Batch export | No | Yes |
| Chain of custody report | No | Yes |
| Advanced date/keyword filters | No | Yes |
| Attachment extraction | No | Yes |
| Corrupted PST recovery | No | Yes |
| Priority support | No | Yes |
Legal Standards and Compliance
Forensic PST analysis must satisfy the evidentiary standards of the jurisdiction where the evidence will be presented. Sherlock PST Viewer Pro was designed to meet or exceed the following frameworks.
- Federal Rules of Evidence (US) - Rule 901(b)(9)
  - Requires authentication of evidence produced by a process or system. SHA256 hashing and chain of custody documentation satisfy this requirement by demonstrating the integrity of the analytical process.
- Federal Rules of Civil Procedure (US) - Rule 37(e)
  - Addresses spoliation of electronically stored information. Read-only access and pre/post analysis hash verification demonstrate that no spoliation occurred during examination.
- Canada Evidence Act - Section 31.2
  - Addresses the authentication of electronic documents. The chain of custody report generated by Sherlock PST Viewer Pro provides the documentation needed to satisfy authentication requirements.
- Sedona Canada Principles
  - Provides guidance on proportionality, preservation and production of electronic evidence. Sherlock PST Viewer Pro's targeted search and export capabilities support proportional production.
External Resources
For additional guidance on forensic email analysis and electronic evidence handling: