Email parser module

scoggnito · June 11, 2020, 1:51am

I’ll cut to the chase. I was given a flash drive with a single PST file and I imaged it to an E01. Upon running it through the email module, the only results that it gave me were from the Deleted folder; ~15k messages.

I have since began opening the PST using Stellar PST Viewer, and it has already returned more than 200,000 results.

Does anyone know why it only returned results from this directory? One thing that I noticed was that the Deleted folder is at the top of the root directory, but so are others.

Any thoughts? Thanks in advance!

lfcnassif · June 15, 2020, 11:25pm

I think Autopsy uses java-libpst-0.9.3/4 library and it is very broken, at least with OST files, see https://github.com/rjohnsondev/java-libpst/issues/60

You should be more lucky using pffexport from libpff library, maybe that was used by autopsy to recover the deleted emails. You also could try iped forensic tool, it uses pffexport when java-libpst fails.

scoggnito · June 18, 2020, 2:12am

Thanks for the response! I’ll def take a look!

Topic		Replies	Views
Pst deleted e-mails Autopsy Feature Requests	0	912	November 12, 2019
E-mail parser module does bring any results Autopsy Help	2	558	July 18, 2020
E-mail message artifacts Autopsy Help	12	1486	April 6, 2024
Issue with Email Parser Autopsy Help	7	3418	January 22, 2020
Email extraction from pst file Autopsy Help	4	813	November 26, 2022

Email parser module

Related topics