SANS Digital Forensics and Incident Response Blog: Category - eDiscovery

Analysis of e-mail and appointment falsification on Microsoft Outlook/Exchange

Author: Joachim Metz


In digital forensic analysis it is sometimes required to be able to determine if an e-mail has or has
not been falsified. In this paper a review of certain Outlook Message Application Programming
Interface (MAPI)
is provided which can help in determining falsified e-mails or altered
appointments in an Microsoft Outlook/Exchange environment.

About the libpff project

In 2008 Joachim Metz a forensic investigator at Hoffmann Investigations started the libpff project.
At that time the best source about the Personal Folder File (PFF) format in the public domain was
the libpst project. The libpst project dated back to 2002 and had been contributed and


Perl Fu: Email Discovery

Hal Pomeranz, Deer Run Associates

I hope Mike Worman doesn't hate on me for stealing his "Perl Fu" idea, but I recently have been dealing with a task that is perfect for Perl. One of my customers is having to do a laborious discovery process through a huge email archive that is in "Unix mailbox format"- meaning large text files with the email messages all concatentated togther. They need to find any one of a list of relevant keywords in messages stored in these hundreds of gigabytes of large text files and output the entire text of the matching email messages.

Unix mailbox format is a file format that I've dealt with a lot, and I've written many scripts to parse these kinds of files. So it probably took me less time to write the script to do this than it's going to take me to write this blog post. But I


Forensics and Data Access Auditing

by Craig Wright

Data access auditing is a surveillance control that intersects with forensics and incident handling. In all events, the same level of care needs to be taken as any event can lead to a forensic engagement. By monitoring access to all sensitive information contained within the database, suspicious activity can be brought to the examiner's awareness. Databases commonly structure data as tables containing columns (think of a spreadsheet, only more complex). Data access examinations should address six questions:

  1. Who accessed the data?
  2. When was the data accessed?
  3. How was the data accessed? (This is what computer program or client software was used?)
  4. Where was the data accessed from (this is the location on the network or Internet)
  5. Which SQL query was used to


SQL, Databases and Forensics

by Craig Wright

For the most part, databases have become an integral part of any organization. More importantly, they have become mission critical. On top of this, many enterprise level databases are far larger than any disk you are likely to encounter. As an example, I was required to image a database that belonged to an insurance company. This database was 68TB in total size and it was business critical. The consequence is that you need to start thinking of other ways to do forensic work on databases.

As with all live system forensics, begin with gathering the evidence required starting from the most volatile and working toward that which is unlikely to change. When doing this, remember to:

  • Protect the Audit Trail - Protect the audit trail so that audit information cannot be added, changed, or deleted.

Robocopy - a Computer Forensics tool?

The usual practice for obtaining potential evidence would be to acquire a bit for bit forensic image of the drive and to lock the image up in an evidence safe. Depending upon the legal team's request, one may also replace the original hard drive and keep it in the safe instead of just an image. Another option I like is having a third party acquire the drive on our behalf and keep it in their secure area for us. Sometimes, however, for various reasons, a forensic image may not be feasible. So, then, what is another option?

In a recent e-mail exchange with Rob Lee, I asked him what he thought about using