Parse and Extract PST and OST Mailboxes

Libpff is a powerful mail examination tool. The tool will allow you to examine and extract data without having to attach the PST to Outlook and has the ability to view emails that are encrypted. In my example below, I will be using the tool via the SANS SIFT workstation as it is already installed. If you want to the program on a different distribution, the source code can be found at https://github.com/libyal/libpff. While I have an example below of parsing the information, I encourage you to check out the man pages as it is pretty short and straightforward.

Note: the PST I am using is called target_pst.pst

1) Export the PST.

2) Verify that a target.pst.export, target.pst.orphans, and target.pst.recovered directory are now present.

3) Change directory to the target.pst.export directory.

4) Take a second to look at the files and directories within the directory.

5) Change directory to the Personal Folders directory.

6) Take a second to look at the files and directories within the directory.

7) If we have key words we want to search for, we can use grep and show what file the word appears in and on what line (n), not worry about the case of the word (i), and search recursively (-r). If not, we can continue to step 8.

8) Change directory into the Sent Items directory.

9) Look at the directories present. Depending on the size of the PST, there may be a lot of Message folders present.

10) Look at the files within the directory. Of those listed, the two that will offer the most information are Recipients.txt and OutlookHeaders.txt.