Top 3 Forensic Recommendations for PST Tools

Carl Wilson | Last Modified: October 23rd, 2017 | Email Forensics

In this article, we are going to find out the best 3 set of features every PST forensic tools must possess to get the best results. Emails are the most favorable way of communicating with people living over long distances. So, it becomes necessary for the applications to analyze the files in a secure and reliable way.

Technology is touching lives everywhere, both; as advancement and as a risk. Considering technology also a risk can be justified by the fact that the rapid growth of crime over the web is largely becoming a threat. Cyber-based crimes are distinguishable into several categories, however, emails will always remain the most conventional target. Emails have been and still are the most preferred mediums of communicating with people within and outside our reach. Wireless transfer of media to faraway places is made easier with the MIME support in email clients, offering to share a variety of attachments.

Besides the easily and universally accessible web-based email applications, there is one more platform which is observed highly being used worldwide. Microsoft Outlook is a popular desktop-based email client. Installation of this application usually comes in a package of Office applications, yet it can be purchased as an individual tool. It is one of those most commonly used platform for emailing along with personal information storage and management. Thus, being the center of the target or source of e-crime besides all other desktop email clients is common.

Top Recommendations for PST Forensic Tools

Following is the forensic recommendations for PST tools, i.e. potential that applications like forensic PST viewer must have to be recommendable for PST file forensics. The list has been generated after detailed research on the requirements and challenges usually faced by investigators during the examination of Outlook Data File .pst.

Download Forensic PST Viewer

  • Retrieves Tampered Evidence

The means to tamper with evidentiary PST files are available quite easily online. Hard (permanent) deletion of emails from the data file or tampering of its header with a hexadecimal code editor are two of the handiest processes to make evidence irretrievable.

Thus, any/all applications built for the purpose of providing forensic analysis of Outlook PST file must be powerful enough to retrieve evidence from a data file, even if it has been tampered using the discussed means.

NOTE: Permanent deletion of emails does not take effect unless the white space left behind hasn’t been replaced. Thus, the emails are not actually deleted, they are just physically unavailable. Hence, a PST Forensic software claiming to have forensic potential must be capable enough to make available again.

  • Indexes Bulk of PST Files

Examining multiple Outlook Data Files is a common scenario to distinguish the ones having any connection with a case and the rest. This commonly happens when cases involving corporates and enterprises come up where all employ data files are examined in the process.

Also, spotting connection amongst users and discovering any act of evidence tampering is only possible if the involved PST files are examined parallelly.

Thus, investigators are regularly confronted with the inevitable yet evidently practical requirement of indexing a bulk of PST files altogether. This gives them the freedom of comparing the activities like exchange of emails, conversations, and connections between users within the organization (for instance), etc.

Therefore, applications having the potential of examining PST files in multiples would relatively be more highly demanded by Forensicators, than others.

  • Searches Traces Within & Across PST

Search for traces leads to evidence while evidence leads to suspects and motives behind acts that led to some kind of catastrophic consequences. Thus, the search is a very important part of an investigation, especially when emails are concerned, because they are commonly in large numbers when acquired.

The debates point out that even Outlook proves great forensically particularly when search is concerned, owing to its strong & very quick search feature. However, what lacks there is the ability to perform searches across PST files. Without knowing which data file stores the evidence, it is difficult to search for it.

This is where an application can boast its role the best. An application with the programming to search information within PST file/emails and across them is what most Forensicators demand for making the search effective and fruitful.


Though the list of recommendations for PST forensic tools does not end here, yet these were observed as being highly recommended qualities for email forensic applications by investigators on some of the top eDiscovery forums. Thus, for informational purpose, we have put together and elaborated their point of views to expose the exact benefits an application could contribute to, during an investigation by rendering the discussed recommendations as features.