List: sleuthkit-users
Subject: Re: [sleuthkit-users] Parse outlook pst file to locate emails by sentor crated date range
From: MATT PIERCE <matt.pierce () adtran ! com>
Date: 2014-09-25 20:35:42
Message-ID: 8D855A863B5D6C40A764F4CA55186F0A8FCC331D () ex-mb1 ! corp ! adtran ! com
I'm really excited to see this coming along. Thank you for putting in the time to add this capability. Search would be an amazing ability. The ability to carve an email into an evidence container with metadata intact would be ultimately amazing.
From: Joyce Nord [mailto:joyce.nord@gmail.com]
Sent: Thursday, September 25, 2014 2:04 PM
To: 'Jason Letourneau'
Cc: sleuthkit-users@lists.sourceforge.net
Subject: Re: [sleuthkit-users] Parse outlook pst file to locate emails by sentor crated date range
Hi Jason...
Gotcha... thank you. Wanted to make sure I didn't screw something up.
All the Best,
Joyce
**************************************************************************************
In accordance with applicable privacy protection laws, this email and its contents are a private communication and are intended only for the expressed recipient. I do not authorize disclosure to a third party without my direct written consent. If you have received this email in error or are not the intended recipient, securely destroy it (as well as all copies) and notify me via separate email immediately.
**************************************************************************************
From: Jason Letourneau [mailto:jletourneau@basistech.com]
Sent: Thursday, September 25, 2014 1:42 PM
To: Joyce Nord
Cc: sleuthkit-users@lists.sourceforge.net
Subject: Re: [sleuthkit-users] Parse outlook pst file to locate emails by sentor crated date range
Hi Joyce -
The email support in Autopsy isn't as robust as you might be looking for and have discovered. The PST parsing creates "artifacts" for each email, but not fully qualified files that get indexed for search. The result is the ability to browse through the email contents, but not do too much more than that at this point.
Jason
------------------------------------------------
Jason Letourneau
Product Manager, Digital Forensics
Basis Technology
jletourneau@basistech.com
617-386-2000 ext. 152
On Sep 24, 2014, at 1:16 PM, Joyce Nord <joyce.nord@gmail.com> wrote:
So I've been playing with sleuthkit, and I can sort by date sent / date received, and select. However, when I select the emails within a given range by highlighting them, then right-clicking and choosing extract, it exports the entire pst again -- not just the ones I've selected. So apparently the extract file option is not to export the email messages individually.
If I tag the results, Autopsy bookmarks the entire file rather than the individual email.
So it does not appear there is a way to export individual emails inside Autopsy.
Can someone confirm this?
From: Jason Letourneau [mailto:jletourneau@basistech.com]
Sent: Tuesday, September 23, 2014 9:20 AM
To: Joyce Nord
Cc: ajs; sleuthkit-users@lists.sourceforge.net
Subject: Re: [sleuthkit-users] Parse outlook pst file to locate emails by sentor crated date range
Sorry... I meant Joyce (better to look at the actual email rather than Autopsy parsed email for names) ;)
Jason
On Tue, Sep 23, 2014 at 9:19 AM, Jason Letourneau <jletourneau@basistech.com> wrote:
Hi Albert -
It looks like your PST was parsed (see the Email node in the tree in one of your screenshots). I think your search isn't doing what you think it should, which is why you are seeing no results. The "Name" field is searching for the file name; uncheck that box and see what results you get. I don't see any file with the name in the box, were you thinking that names the search/filter set?
Jason
On Tue, Sep 23, 2014 at 12:01 AM, Joyce Nord <joyce.nord@gmail.com> wrote:
I tried adding it as a data source before I asked the group and no results are produced which fall into the known data set:
Here are the search parameters:
<image001.png>
And, here are the results:
<image002.png>
The email ingest option was turned on because if I look manually I can see:
<image003.png>
Yet if I open the pst in outlook, I see:
<image004.png>
From: ajs [mailto:anthony.j.snow@gmail.com]
Sent: Monday, September 22, 2014 9:06 PM
To: Jason Letourneau; Joyce Nord
Cc: sleuthkit-users@lists.sourceforge.net
Subject: RE: [sleuthkit-users] Parse outlook pst file to locate emails by sentor crated date range
Thanks. I don't recall if I added it as a data source specifically in my case, but it never pulled anything for me. I'll try again to see what I can get.
________________________________
From: Jason Letourneau <jletourneau@basistech.com>
Sent: 9/22/2014 7:17 PM
To: Joyce Nord <joyce.nord@gmail.com>
Cc: ajs <anthony.j.snow@gmail.com>; sleuthkit-users@lists.sourceforge.net
Subject: Re: [sleuthkit-users] Parse outlook pst file to locate emails by sentor crated date range
Libpst is integrated into Autopsy 3.1, so you should be able to add the PST file as a data source (logical file) and get it parsed as long as you enable the email parser ingest module - there are some limitations with Libpst in terms of file and version support, so you may need to see if your file is in their supported version set.
Jason
On Monday, September 22, 2014, Joyce Nord <joyce.nord@gmail.com> wrote:
Thank you.
Trying to do it with open source right now to prove it can be done. Looks like my options are readpst and then grepmail, or even perhaps regular grep and scripting moving the files matching the attribute pattern.
grepmail looks like it might work, but I keep getting the error "invalid config variable: todayismidnight", which was supposedly rectified back in 2010 or 11, but apparently not.
From: ajs [mailto:anthony.j.snow@gmail.com]
Sent: Monday, September 22, 2014 6:30 PM
To: Joyce Nord; sleuthkit-users@lists.sourceforge.net
Subject: RE: [sleuthkit-users] Parse outlook pst file to locate emails by sent orcrated date range
In my limited experience, no. I asked about this a week or two ago and didn't hear anything back. If you have IEF or FTK, both of those handle it well.
________________________________
From: Joyce Nord
Sent: 9/22/2014 6:07 PM
To: sleuthkit-users@lists.sourceforge.net
Subject: [sleuthkit-users] Parse outlook pst file to locate emails by sent orcrated date range
Is there a way to do this within Autopsy 3.0? I have a PST I need to parse, not an entire image.
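Joyce's open-source route above (export the PST with readpst, then script the selection of messages by sent date) can be done without grepmail. The script below is an added example for this thread, not code from libpst, readpst or Autopsy; it assumes readpst was run with `-e` so each message is its own `.eml` file, and uses constructed sample messages in place of that export so it runs offline. Each selected file is copied byte for byte and listed in a manifest with its SHA-256, which is the "metadata intact" property Matt asks for.

```python
"""Pick messages from a readpst export by sent-date range.

Added example for this thread; not code from libpst, readpst or Autopsy.
Assumes readpst was run with -e so every message is a separate .eml file
(the constructed SAMPLE_MESSAGES below stand in for that output).
"""
import hashlib
import shutil
import tempfile
from datetime import datetime, timezone
from email.parser import BytesParser
from email.utils import parsedate_to_datetime
from pathlib import Path

# Constructed sample export: four small RFC 5322 messages, not real evidence.
SAMPLE_MESSAGES = {
    "1.eml": (b"From: alice@example.com\r\nTo: bob@example.com\r\n"
              b"Subject: Q3 numbers\r\nDate: Tue, 23 Sep 2014 09:20:00 -0400\r\n"
              b"\r\nSee attached.\r\n"),
    "2.eml": (b"From: bob@example.com\r\nTo: alice@example.com\r\n"
              b"Subject: Re: Q3 numbers\r\nDate: Wed, 01 Oct 2014 08:00:00 +0000\r\n"
              b"\r\nThanks.\r\n"),
    "3.eml": (b"From: carol@example.com\r\nTo: bob@example.com\r\n"
              b"Subject: broken header\r\nDate: not a date\r\n\r\nBody.\r\n"),
    "4.eml": (b"From: dave@example.com\r\nTo: bob@example.com\r\n"
              b"Subject: unknown zone\r\nDate: Mon, 22 Sep 2014 23:59:00 -0000\r\n"
              b"\r\nLate night.\r\n"),
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def message_sent_time(raw: bytes):
    """Date header as an aware UTC datetime; None when missing or unparsable.

    Only the headers are parsed, so the body is never decoded or altered.
    A "-0000" zone means "unknown" and parses as a naive value; it is
    treated as UTC here rather than silently dropping the message.
    """
    msg = BytesParser().parsebytes(raw, headersonly=True)
    date_hdr = msg.get("Date")
    if not date_hdr:
        return None
    try:
        sent = parsedate_to_datetime(date_hdr)
    except (TypeError, ValueError):  # older Pythons raise TypeError here
        return None
    if sent.tzinfo is None:
        sent = sent.replace(tzinfo=timezone.utc)
    return sent.astimezone(timezone.utc)


def select_messages(src_dir: Path, dst_dir: Path, start: datetime, end: datetime):
    """Copy every .eml sent within [start, end] into dst_dir, byte for byte.

    Returns a manifest (file name, UTC date, SHA-256 of the original bytes)
    so the selection can be documented and re-verified later.
    """
    dst_dir.mkdir(parents=True, exist_ok=True)
    manifest = []
    for path in sorted(src_dir.glob("*.eml")):
        raw = path.read_bytes()
        sent = message_sent_time(raw)
        if sent is None or not (start <= sent <= end):
            continue
        shutil.copy2(path, dst_dir / path.name)  # copy2 also preserves mtime
        manifest.append({"file": path.name, "date": sent.isoformat(),
                         "sha256": sha256_hex(raw)})
    return manifest


def build_sample_export(export_dir: Path) -> Path:
    """Write the constructed samples where readpst -e output would sit."""
    export_dir.mkdir(parents=True, exist_ok=True)
    for name, raw in SAMPLE_MESSAGES.items():
        (export_dir / name).write_bytes(raw)
    return export_dir


def run_demo():
    """Select the messages sent on 22-23 Sep 2014 (UTC) from the sample export."""
    base = Path(tempfile.mkdtemp(prefix="pst-select-"))
    src = build_sample_export(base / "export")
    start = datetime(2014, 9, 22, tzinfo=timezone.utc)
    end = datetime(2014, 9, 23, 23, 59, 59, tzinfo=timezone.utc)
    return select_messages(src, base / "selected", start, end)


if __name__ == "__main__":
    for entry in run_demo():
        print(entry["file"], entry["date"], entry["sha256"])
```

Point `build_sample_export` aside and pass the real readpst output directory to `select_messages` to use it on an actual export; messages with a missing or unparsable Date header are skipped rather than guessed, so check the manifest count against the export.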
[Attachment #3 (text/html)]
<html xmlns:v="urn:schemas-microsoft-com:vml" \
xmlns:o="urn:schemas-microsoft-com:office:office" \
xmlns:w="urn:schemas-microsoft-com:office:word" \
xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" \
xmlns="http://www.w3.org/TR/REC-html40"> <head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<base href="x-msg://5192/"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:Helvetica;
panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
{font-family:Helvetica;
panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
span.apple-converted-space
{mso-style-name:apple-converted-space;}
span.EmailStyle20
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle21
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span \
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">I'm \
really excited to see this coming along. Thank you for putting the time to add \
this capability. Search would be an amazing ability. The ability to carve \
an email into an evidence container with metadata intact would be ultimately \
amazing.<o:p></o:p></span></p> <p class="MsoNormal"><span \
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span \
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span \
style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Joyce \
Nord [mailto:joyce.nord@gmail.com] <br>
<b>Sent:</b> Thursday, September 25, 2014 2:04 PM<br>
<b>To:</b> 'Jason Letourneau'<br>
<b>Cc:</b> sleuthkit-users@lists.sourceforge.net<br>
<b>Subject:</b> Re: [sleuthkit-users] Parse outlook pst file to locate emails by \
sentor crated date range<o:p></o:p></span></p> </div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span \
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Hi \
Jason...<o:p></o:p></span></p> <p class="MsoNormal"><span \
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span \
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Gotcha..thank \
you. Wanted to make sure I didn't screw something up.<o:p></o:p></span></p> <p \
class="MsoNormal"><span \
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span \
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">All \
the Best,<o:p></o:p></span></p> <p class="MsoNormal"><span \
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Joyce<o:p></o:p></span></p>
<p class="MsoNormal"><span \
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><span \
style="font-size:9.0pt;font-family:"Calibri","sans-serif";color:#5 \
48DD4">******************************************************************************* \
**********************************************************************************************************************<o:p></o:p></span></p>
<p class="MsoNormal"><span \
style="font-size:9.0pt;font-family:"Calibri","sans-serif";color:#548DD4"><o:p> </o:p></span></p>
<p class="MsoNormal"><span \
style="font-size:9.0pt;font-family:"Calibri","sans-serif";color:#548DD4">In \
accordance with applicable privacy protection laws, this email and its contents are a \
private communication and are intended only for the expressed recipient. I do \
not authorize disclosure to a third party without my direct written consent. \
<o:p></o:p></span></p> <p class="MsoNormal"><span \
style="font-size:9.0pt;font-family:"Calibri","sans-serif";color:#548DD4">If \
you have received this email in error or are not the intended recipient, securely \
destroy it (as well as all copies) and notify me via separate email immediately. \
<o:p></o:p></span></p> <p class="MsoNormal"><span \
style="font-size:9.0pt;font-family:"Calibri","sans-serif";color:#548DD4"><o:p> </o:p></span></p>
<p class="MsoNormal"><span \
style="font-size:9.0pt;font-family:"Calibri","sans-serif";color:#5 \
48DD4">******************************************************************************* \
***********************************************************************************************************************</span><span \
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span \
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span \
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span \
style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Jason \
Letourneau [<a href="mailto:jletourneau@basistech.com">mailto:jletourneau@basistech.com</a>]
<br>
<b>Sent:</b> Thursday, September 25, 2014 1:42 PM<br>
<b>To:</b> Joyce Nord<br>
<b>Cc:</b> <a href="mailto:sleuthkit-users@lists.sourceforge.net">sleuthkit-users@lists.sourceforge.net</a><br>
<b>Subject:</b> Re: [sleuthkit-users] Parse outlook pst file to locate emails by \
sentor crated date range<o:p></o:p></span></p> </div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Hi Joyce - <o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">The email support in Autopsy isn't as robust as you might be \
looking for and have discovered. The PST parsing creates "artifacts" \
for each email, but not fully qualified files that get indexed for search. The \
result is the ability to browse through the email contents, but not do too much more \
than that at this point.<o:p></o:p></p> </div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Jason<o:p></o:p></p>
<div>
<div>
<div>
<div>
<p class="MsoNormal" style="margin-bottom:13.5pt"><span \
style="font-size:13.5pt;font-family:"Helvetica","sans-serif";color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span \
style="font-size:13.5pt;font-family:"Helvetica","sans-serif";color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span \
style="font-size:13.5pt;font-family:"Helvetica","sans-serif";color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span \
style="font-size:13.5pt;font-family:"Helvetica","sans-serif";color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span \
style="font-size:13.5pt;font-family:"Helvetica","sans-serif";color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span \
style="font-size:13.5pt;font-family:"Helvetica","sans-serif";color:black">------------------------------------------------<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span \
style="font-size:13.5pt;font-family:"Helvetica","sans-serif";color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span \
style="font-size:13.5pt;font-family:"Helvetica","sans-serif";color:black">Jason \
Letourneau<o:p></o:p></span></p> </div>
<div>
<p class="MsoNormal"><span \
style="font-size:13.5pt;font-family:"Helvetica","sans-serif";color:black">Product \
Manager, Digital Forensics<o:p></o:p></span></p> </div>
<div>
<p class="MsoNormal"><span \
style="font-size:13.5pt;font-family:"Helvetica","sans-serif";color:black">Basis \
Technology<o:p></o:p></span></p> </div>
<div>
<p class="MsoNormal"><span \
style="font-size:13.5pt;font-family:"Helvetica","sans-serif";color:black"><a \
href="mailto:jletourneau@basistech.com">jletourneau@basistech.com</a><o:p></o:p></span></p>
</div>
</div>
<div>
<p class="MsoNormal"><span \
style="font-size:13.5pt;font-family:"Helvetica","sans-serif";color:black">617-386-2000 \
ext. 152<o:p></o:p></span></p> </div>
<div>
<p class="MsoNormal"><span \
style="font-size:13.5pt;font-family:"Helvetica","sans-serif";color:black"><o:p> </o:p></span></p>
</div>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><o:p> </o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal">On Sep 24, 2014, at 1:16 PM, Joyce Nord <<a \
href="mailto:joyce.nord@gmail.com">joyce.nord@gmail.com</a>> wrote:<o:p></o:p></p> \
</div> <p class="MsoNormal" style="margin-bottom:12.0pt"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal"><span \
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">So \
I've been paying with sleuthkit, and I can sort by date sent / date received, and \
select. However, when I select the emails within a given range by highlighting \
them, then right-clicking and choosing extract, it exports the entire pst again -- \
not just the ones I've selected. So apparently the extract file option is not \
to export the email messages individually.</span><o:p></o:p></p> </div>
<div>
<p class="MsoNormal"><span \
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span \
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">If \
I tag the results, Autopsy bookmarks the entire file rather than the individual \
email.</span><o:p></o:p></p> </div>
<div>
<p class="MsoNormal"><span \
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span \
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">So \
it does not appear there is a way to export individual emails inside \
Autopsy.</span><o:p></o:p></p> </div>
<div>
<p class="MsoNormal"><span \
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span \
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Can \
someone confirm this?</span><o:p></o:p></p> </div>
<div>
<p class="MsoNormal"><span \
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span \
style="font-size:9.0pt;font-family:"Calibri","sans-serif";color:#5 \
48DD4">******************************************************************************* \
**********************************************************************************************************************</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span \
style="font-size:9.0pt;font-family:"Calibri","sans-serif";color:#548DD4"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span \
style="font-size:9.0pt;font-family:"Calibri","sans-serif";color:#548DD4">In \
accordance with applicable privacy protection laws, this email and its contents are a \
private communication and are intended only for the expressed recipient. I do \
not authorize disclosure to a third party without my direct written \
consent.</span><o:p></o:p></p> </div>
<div>
<p class="MsoNormal"><span \
style="font-size:9.0pt;font-family:"Calibri","sans-serif";color:#548DD4">If \
you have received this email in error or are not the intended recipient, securely \
destroy it (as well as all copies) and notify me via separate email \
immediately.</span><o:p></o:p></p> </div>
<div>
<p class="MsoNormal"><span \
style="font-size:9.0pt;font-family:"Calibri","sans-serif";color:#548DD4"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span \
style="font-size:9.0pt;font-family:"Calibri","sans-serif";color:#5 \
48DD4">******************************************************************************* \
***********************************************************************************************************************</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span \
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
</div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<div>
<p class="MsoNormal"><b><span \
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span \
class="apple-converted-space"><span \
style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> </span></span><span \
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">Jason \
Letourneau [mailto:jletourneau@<a href="http://basistech.com"><span \
style="color:purple">basistech.com</span></a>]<span \
class="apple-converted-space"> </span><br> <b>Sent:</b><span \
class="apple-converted-space"> </span>Tuesday, September 23, 2014 9:20 AM<br> \
<b>To:</b><span class="apple-converted-space"> </span>Joyce Nord<br> \
<b>Cc:</b><span class="apple-converted-space"> </span>ajs;<span \
class="apple-converted-space"> </span><a \
href="mailto:sleuthkit-users@lists.sourceforge.net"><span \
style="color:purple">sleuthkit-users@lists.sourceforge.net</span></a><br> \
<b>Subject:</b><span class="apple-converted-space"> </span>Re: [sleuthkit-users] \
Parse outlook pst file to locate emails by sentor crated date \
range</span><o:p></o:p></p> </div>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<div>
<p class="MsoNormal">Sorry...I meant Joyce (better to look at the actual email rather \
than Autopsy parsed email for names) ;)<o:p></o:p></p> </div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal">Jason<o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<div>
<p class="MsoNormal">On Tue, Sep 23, 2014 at 9:19 AM, Jason Letourneau <<a \
href="mailto:jletourneau@basistech.com" target="_blank"><span \
style="color:purple">jletourneau@basistech.com</span></a>> wrote:<o:p></o:p></p> \
</div> <div>
<div>
<p class="MsoNormal">Hi Albert - <o:p></o:p></p>
</div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal">It looks like your PST was parsed (see the Email node in the \
tree in one of your screenshots). I think your search isn't doing what you \
think it should which is why you are seeing no results. The "Name" \
field is searching for the file name, uncheck that box and see what results you \
get. I don't see any file with the name in the box, were you thinking that \
names the search/filter set?<o:p></o:p></p> </div>
</div>
<div>
<div>
<p class="MsoNormal"><span style="color:#888888"> </span><o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span style="color:#888888">Jason</span><o:p></o:p></p>
</div>
</div>
</div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<div>
<p class="MsoNormal">On Tue, Sep 23, 2014 at 12:01 AM, Joyce Nord <<a \
href="mailto:joyce.nord@gmail.com" target="_blank"><span \
style="color:purple">joyce.nord@gmail.com</span></a>> wrote:<o:p></o:p></p> </div>
<div>
<div>
<p class="MsoNormal"><span \
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">I \
tried adding it as a data source before I asked the group and and no results \
are produced which fall into the known data set:</span><o:p></o:p></p> </div>
<div>
<p class="MsoNormal"><span \
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span \
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Here \
are the search parameters:</span><o:p></o:p></p> </div>
<div>
<p class="MsoNormal"><span \
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span \
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span \
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><image001.png></span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span \
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span \
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">And, \
here are the results:</span><o:p></o:p></p> </div>
<div>
<p class="MsoNormal"><span \
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span \
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><image002.png></span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span \
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span \
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">The \
email ingest option was turned on because if I look manually I can \
see:</span><o:p></o:p></p> </div>
<div>
<p class="MsoNormal"><span \
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span \
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span \
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><image003.png></span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span \
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span \
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Yet \
if I open the pst in outlook, I see:</span><o:p></o:p></p> </div>
<div>
<p class="MsoNormal"><span \
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span \
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><image004.png></span><o:p></o:p></p>
</div>
<div>
<div>
<p class="MsoNormal"><span \
style="font-size:9.0pt;font-family:"Calibri","sans-serif";color:#5 \
48DD4">******************************************************************************* \
**********************************************************************************************************************</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span \
style="font-size:9.0pt;font-family:"Calibri","sans-serif";color:#548DD4"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span \
style="font-size:9.0pt;font-family:"Calibri","sans-serif";color:#548DD4">In \
accordance with applicable privacy protection laws, this email and its contents are a \
private communication and are intended only for the expressed recipient. I do \
not authorize disclosure to a third party without my direct written \
consent.</span><o:p></o:p></p> </div>
<div>
<p class="MsoNormal"><span \
style="font-size:9.0pt;font-family:"Calibri","sans-serif";color:#548DD4">If \
you have received this email in error or are not the intended recipient, securely \
destroy it (as well as all copies) and notify me via separate email \
immediately.</span><o:p></o:p></p> </div>
<div>
<p class="MsoNormal"><span \
style="font-size:9.0pt;font-family:"Calibri","sans-serif";color:#548DD4"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span \
style="font-size:9.0pt;font-family:"Calibri","sans-serif";color:#5 \
48DD4">******************************************************************************* \
***********************************************************************************************************************</span><o:p></o:p></p>
</div>
</div>
<div>
<p class="MsoNormal"><span \
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
</div>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<div>
<p class="MsoNormal"><b><span \
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span \
class="apple-converted-space"><span \
style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> </span></span><span \
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">ajs \
[mailto:<a href="mailto:anthony.j.snow@gmail.com" target="_blank"><span \
style="color:purple">anthony.j.snow@gmail.com</span></a>]<span \
class="apple-converted-space"> </span><br> <b>Sent:</b><span \
class="apple-converted-space"> </span>Monday, September 22, 2014 9:06 PM<br> \
<b>To:</b><span class="apple-converted-space"> </span>Jason Letourneau; Joyce \
Nord<br> <b>Cc:</b><span class="apple-converted-space"> </span><a \
href="mailto:sleuthkit-users@lists.sourceforge.net" target="_blank"><span \
style="color:purple">sleuthkit-users@lists.sourceforge.net</span></a></span><o:p></o:p></p>
</div>
<div>
<div>
<p class="MsoNormal"><br>
<b>Subject:</b><span class="apple-converted-space"> </span>RE: [sleuthkit-users] \
Parse outlook pst file to locate emails by sentor crated date range<o:p></o:p></p> \
</div> </div>
</div>
</div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<div>
<p class="MsoNormal"><span \
style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Thanks. \
I don't recall if I added it as a data source specifically in my case but it never \
pulled anything for me. I'll try again to see what I can get.</span><o:p></o:p></p> \
</div> </div>
<div>
<div class="MsoNormal" align="center" style="text-align:center">
<hr size="2" width="100%" align="center">
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><b><span \
style="font-size:11.0pt;font-family:"Calibri","sans-serif"">From:<span \
class="apple-converted-space"> </span></span></b><span \
style="font-size:11.0pt;font-family:"Calibri","sans-serif""><a \
href="mailto:jletourneau@basistech.com" target="_blank"><span \
style="color:purple">Jason Letourneau</span></a></span><br>
<b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Sent:<span \
class="apple-converted-space"> </span></span></b><span \
style="font-size:11.0pt;font-family:"Calibri","sans-serif"">9/22/2014 \
7:17 PM</span><br> <b><span \
style="font-size:11.0pt;font-family:"Calibri","sans-serif"">To:<span \
class="apple-converted-space"> </span></span></b><span \
style="font-size:11.0pt;font-family:"Calibri","sans-serif""><a \
href="mailto:joyce.nord@gmail.com" target="_blank"><span style="color:purple">Joyce \
Nord</span></a></span><br> <b><span \
style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Cc:<span \
class="apple-converted-space"> </span></span></b><span \
style="font-size:11.0pt;font-family:"Calibri","sans-serif""><a \
href="mailto:anthony.j.snow@gmail.com" target="_blank"><span \
style="color:purple">ajs</span></a>;<span \
class="apple-converted-space"> </span><a \
href="mailto:sleuthkit-users@lists.sourceforge.net" target="_blank"><span \
style="color:purple">sleuthkit-users@lists.sourceforge.net</span></a></span><br> \
<b><span style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Subject:<span \
class="apple-converted-space"> </span></span></b><span \
style="font-size:11.0pt;font-family:"Calibri","sans-serif"">Re: \
[sleuthkit-users] Parse outlook pst file to locate emails by sentor crated date \
range</span><o:p></o:p></p> </div>
<div>
<p class="MsoNormal">Libpst is integrated into Autopsy 3.1 so you should be able to \
add the PST file as a data source (logical file) and get it parsed as long as you \
enable the email parser ingest module - there are some limitations with Libpst \
in terms of file and version support, so you may need to see if your file is in \
their supported version set <o:p></o:p></p> </div>
<div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal">Jason<br>
<br>
On Monday, September 22, 2014, Joyce Nord <<a href="mailto:joyce.nord@gmail.com" \
target="_blank"><span style="color:purple">joyce.nord@gmail.com</span></a>> \
wrote:<o:p></o:p></p> </div>
<div>
<div>
<div>
<p class="MsoNormal"><span style="color:#1F497D">Thank you.</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="color:#1F497D"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="color:#1F497D">Trying to do it with open source \
right now to prove it can be done. Looks like my options are readpst and then \
grepmail or even perhaps regular grep and scripting moving the files matching the \
attribute pattern.</span><o:p></o:p></p> </div>
<div>
<p class="MsoNormal"><span style="color:#1F497D"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="color:#1F497D">grepmail looks like it might work \
but I keep getting the error "invalid config variable: \
todayismidnight"</span><o:p></o:p></p> </div>
<div>
<p class="MsoNormal"><span style="color:#1F497D"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="color:#1F497D">Which was supposedly rectified back \
in 2010 or 11, but apparently not.</span><o:p></o:p></p> </div>
<div>
<p class="MsoNormal"><span style="color:#1F497D"> </span><o:p></o:p></p>
</div>
</div>
<div>
<p class="MsoNormal"><span style="color:#1F497D"> </span><o:p></o:p></p>
</div>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<div>
<p class="MsoNormal"><b><span \
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span \
class="apple-converted-space"><span \
style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> </span></span><span \
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">ajs \
[<a href="mailto:anthony.j.snow@gmail.com"><span \
style="color:purple">mailto:anthony.j.snow@gmail.com</span></a>]<span \
class="apple-converted-space"> </span><br> <b>Sent:</b><span \
class="apple-converted-space"> </span>Monday, September 22, 2014 6:30 PM<br> \
<b>To:</b><span class="apple-converted-space"> </span>Joyce Nord;<span \
class="apple-converted-space"> </span><a \
href="mailto:sleuthkit-users@lists.sourceforge.net"><span \
style="color:purple">sleuthkit-users@lists.sourceforge.net</span></a><br> \
<b>Subject:</b><span class="apple-converted-space"> </span>RE: [sleuthkit-users] \
Parse outlook pst file to locate emails by sent orcrated date \
range</span><o:p></o:p></p> </div>
</div>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<div>
<p class="MsoNormal">In my limited experience, no. I asked about this a week or two \
ago and didn't hear anything back. If you have IEF or FTK, both of those handle it \
well.<o:p></o:p></p> </div>
</div>
<div>
<div class="MsoNormal" align="center" style="text-align:center">
<hr size="2" width="100%" align="center">
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><b>From:<span \
class="apple-converted-space"> </span></b>Joyce Nord<br> <b>Sent:<span \
class="apple-converted-space"> </span></b>9/22/2014 6:07 PM<br> \
<b>To:<span class="apple-converted-space"> </span></b><a \
href="mailto:sleuthkit-users@lists.sourceforge.net"><span \
style="color:purple">sleuthkit-users@lists.sourceforge.net</span></a><br> \
<b>Subject:<span class="apple-converted-space"> </span></b>[sleuthkit-users] \
Parse outlook pst file to locate emails by sent orcrated date range<o:p></o:p></p> \
</div> <div>
<p class="MsoNormal">Is there a way to do this within Autopsy 3.0? I have a PST \
I need to parse, not an entire image.<o:p></o:p></p> </div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</body>
</html>
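The readpst-then-script route Joyce describes, as an added example that is not code from the thread or from the libpst project: a small Python filter that takes the per-message .eml files `readpst -e` writes out and copies only those whose Date header falls inside a sent-date range, normalising every header to UTC so that an offset such as -0700 cannot silently shift a message across the range boundary, and leaving files with a missing or unparsable Date for manual review instead of dropping them. The sample messages, directory names and the `demo` helper are constructed for this example.

```python
# Added example, not code from the thread: after `readpst -e` has written one
# .eml per message, keep only those sent in a UTC date range. Samples are constructed.
import shutil
import tempfile
from datetime import datetime, timezone
from email.parser import BytesParser
from email.utils import parsedate_to_datetime
from pathlib import Path

SAMPLE_EMLS = {  # constructed stand-ins for readpst output, one message per file
    "1.eml": b"Subject: one\r\nDate: Mon, 22 Sep 2014 18:07:00 -0400\r\n\r\nhi\r\n",
    "2.eml": b"Subject: two\r\nDate: Sun, 21 Sep 2014 23:30:00 -0700\r\n\r\nhi\r\n",
    "3.eml": b"Subject: three\r\nDate: Sat, 27 Sep 2014 09:00:00 +0000\r\n\r\nhi\r\n",
    "4.eml": b"Subject: no date header\r\n\r\nhi\r\n",
    "5.eml": b"Subject: bad\r\nDate: not a date\r\n\r\nhi\r\n",
}

def sent_date_utc(eml_path):
    """Date header as an aware UTC datetime; None if missing/unparsable (review by hand)."""
    msg = BytesParser().parsebytes(Path(eml_path).read_bytes())  # compat32: plain str headers
    raw = msg.get("Date")
    if not raw:
        return None
    try:
        dt = parsedate_to_datetime(raw)
    except (TypeError, ValueError):  # older/newer Pythons raise different errors on junk
        return None
    if dt.tzinfo is None:  # header carried no zone: assume UTC rather than drop the file
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)

def select_by_sent_date(src_dir, dst_dir, start, end):
    """Copy .eml files sent within [start, end] to dst_dir (copy2 keeps file timestamps)."""
    Path(dst_dir).mkdir(parents=True, exist_ok=True)
    matched = []
    for p in sorted(Path(src_dir).glob("*.eml")):
        dt = sent_date_utc(p)
        if dt is not None and start <= dt <= end:
            shutil.copy2(p, Path(dst_dir) / p.name)
            matched.append(p.name)
    return matched

def demo():
    """Select 22-25 Sep 2014 UTC; 2.eml matches because 23:30 -0700 is 06:30 UTC next day."""
    src = Path(tempfile.mkdtemp())
    for name, data in SAMPLE_EMLS.items():
        (src / name).write_bytes(data)
    start = datetime(2014, 9, 22, tzinfo=timezone.utc)
    end = datetime(2014, 9, 25, 23, 59, 59, tzinfo=timezone.utc)
    return select_by_sent_date(src, src / "matched", start, end)
```

Files 4.eml and 5.eml are skipped rather than copied, so a count of input files minus matched minus skipped tells you how many messages still need a manual look.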
_______________________________________________
sleuthkit-users mailing list
https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
http://www.sleuthkit.org