Kernel for OST to PST is $249. Stellar Converter for OST is $99 to $399 per tier. Aryson is $69. SysTools sits at $99. The commodity tools handle the read-OST-and-display step. None of them produce the forensic infrastructure required when the workflow has to survive cross-examination, an opposing-counsel verification pass or a court declaration. Sherlock Forensics OST Viewer Forensic Edition at $67 lifetime delivers the forensic surface the commodity tier does not ship.
Court-ready forensic PDF reports
The Forensic Edition emits a branded forensic PDF with cover page, source-file metadata, artifact inventory, SHA-256 verification table, examiner attestation block and chain-of-custody footer on every page. The PDF generation pipeline is implemented in pure Rust against the printpdf crate (Echo's source audit confirms `report.rs` `PdfDocument::new` plus `write_title_page` and `write_email` are real PDF emitters, not stubs). The format is what e-discovery review platforms expect to ingest and what courts expect to see attached to a declaration.
Per-message SHA-256 hashing
Each email, attachment, contact record and calendar item is hashed at extraction. The hash is stored alongside the artifact in both the JSONL export and the PDF report. Re-extract the same OST file a year later and the hashes match. Proof the source was not altered between examination and production. Implementation: `hashing.rs` plus the verifiable container pipeline (`verifiable_container.rs`) walks each record and emits the cryptographic fingerprint as part of the standard extraction workflow.
Sender IP attribution from RFC-822 headers
The Forensic Edition parses Received headers from every message and extracts the source IP plus originating host. This anchors authorship attribution in phishing investigations, BEC litigation and insider-threat cases where the email-server-side audit log is unavailable but the message itself preserves the path. Implementation: `parse_received_attribution()` in `report.rs` extracts the IP plus host fields, wired through `eml.rs` for the export path. Commodity OST viewers do not attempt header forensics.
Chain-of-custody logging
Every artifact extracted from an OST file is tracked with timestamp, source-file hash, examiner identity and export destination. The log appends to the PDF report and exports as a separate signed audit document. The signed audit survives evidentiary review. Implementation: `chain_log.rs` is an append-only operation log that records every EXPORT_PDF, EXPORT_EML, EXPORT_JSONL and EXPORT_MSG action with full provenance.
Deleted-Item recovery via four carving methods
B-tree zombie recovery for soft-deleted records still flagged in the index, Heap-on-Node recovery for nodes whose blocks are still allocated, Unallocated-space carving for fragments in deallocated B-tree pages and Compressed-RTF body recovery for orphaned message bodies that lost their headers. The four methods run as a single scan and surface recovered items in a dedicated view with provenance flags so the examiner knows which method recovered which record.
Honest scope on what Pro adds vs the commodity tier
What the commodity tier does well: open an OST, list folders, view messages, dump to a flat file. What it does not ship: cryptographic per-message hash, chain-of-custody log, court-ready PDF, sender IP attribution, deleted-item recovery beyond Deleted Items folder enumeration, sensitive-data scanning, MAPI property explorer, communication-map graphing, activity-timeline anomaly detection, opt-in raw-body diagnostic for support-loop decoder cases. Pay the $67 difference if your workflow has any of those requirements. Pick the commodity tier if your need is one-off OST browsing without admissibility expectations.