This document discusses using open source and freeware tools to process PST files. It introduces two tools that can be used: Autopsy, a digital forensics platform, and MantaRay, a set of Python modules that automate various open source forensic tools including PST processing. MantaRay allows examiners to select multiple tools, set options, and have the tools run automatically. The document provides an example command to use the readpst tool to extract emails from a PST file. It also discusses potential workflow tweaks like integrating MantaRay's PST processing with Autopsy keyword searches.

1. z Processing PST
files with Open
Source /
Freeware Tools
OSIT In-Person Fall Meeting – October 3, 2018
NOTE: Opinions and view on products, services and/or
resources expressed in this presentation are mine alone
and do not necessarily reflect the views of my employer.

2. z
Goals
 Describe two open source / Freeware tools that can be used to
process PST files
 Stress importance of automation
 Not waste your time

3. z
Origin of Presentation
 Didn't want to be a lurker
 Original idea for a topic didn't pan out
 Looked at my personal pain points for inspiration
 As always....looked for ways to automate away pain

4. z
Data Exfil via Email
 Very common
 Costly Analysis Options: Encase, Intella, Axiom, Nuix etc.
 Expensive tools that don't lend themselves to workflow automation
 Free is good – especially as a backup
 Dongles break
 Dongle servers go down...right when you have a high priority case

5. z
Poll Time
 What commercial tools are used to process PST within
community:
 Encase
 NUIX
 AXIOM
 Intella
 Others - ????

6. z
PST Files
 Many large corporations use Microsoft Outlook as email client
 Outlook stores email in PST files
 From Wikipedia: Personal Storage Table (.pst) is an open
proprietary file format used to store copies of messages, calendar
events, and other items within Microsoft software such as Microsoft
Exchange Client, Windows Messaging, and Microsoft Outlook. The
open format is controlled by Microsoft who provide free
specifications and free irrevocable technology licensing.
 Office365 -> PST files reside in the cloud and must be pulled down to review
 Live systems will have OST files

7. z
M57 Jean Scenario
 Naval Post Graduate School Disk Image
 Data exfil scenario
 Corporate information is found on competitors website
 Email with that information was sent from Jean@m57.biz to
Alison@m57.biz
 Spreadsheet containg this information was m57biz.xls
 Full Disk image is provided

8. z
Option 1: Autopsy
 Freeware forensics tool from Basis Technology
 Brian Carrier literally wrote the book on file system forensics
 Autopsy has been around since 2000
 It keeps getting updated & improved

19. z
Autopsy – additional info
 Utilizes hash sets – custom and NSRL
 Basis Technology is very responisve to user input / questions
 Has timeline feature
 Full text indexing
 Scriptable – write your own module or leverage the generosity of
the open source community
 https://wiki.sleuthkit.org/index.php?title=Autopsy_3rd_Party_Modules
 https://github.com/markmckinnon/Autopsy-Plugins

20. z
Audience Poll
 Raise your hand if you love Linux

21. z
Free is GOOD!
Name
readpst - convert PST (MS Outlook Personal Folders) files to mbox and other formats
Synopsis
readpst [-D] [-M] [-S] [-V] [-b] [-c format] [-d debug-file] [-e] [-h] [-j jobs] [-k] [-o output-directory] [-q] [-r] [-t output-type-codes] [-u] [-w] pstfile
Description
readpst is a program that can read an Outlook PST (Personal Folders) file and convert it into an mbox file, a format suitable for KMail, a recursive mbox
structure, or separate emails.
Copyright
Copyright © 2002 by David Smith <dave.s@earthcorp.com>. XML version Copyright © 2008 by 510 Software Group
<carl@five-ten-sg.com>.
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation; either version 2, or (at your option) any later version.

22. z
Example command to run readpst
 readpst -o ~/ArchivedMessages -D -j 4 -r -tea -u -w -M -e
./Outlook.pst

23. z
MantaRay
 Set of Python modules that automate a number of open source
forensic tools
 Written and designed by forensic analysts (KISS)
 Allows examiner to select multiple tools, set options for each, click
go and walk away
 Designed to work with SIFT 3.0
 Code is on GitHub:
 → https://github.com/mantarayforensics

24. z
Triage Steps Automated by MantaRay
 PST Processing (NEW)
 Creating a Super Timeline
 Running Bulk_Extractor
 Extracting Registry Hives & running RegRipper
 Extracting EXIF Data
 Carving Unallocated space
 Scanning for high entropy files
 Review RAM using Volatility
 Extract GPS data from JPEGs and create .KML file
 Extract Jumplist data
 Extract NTFS system files
 Process user selected .plist files
 Perform Static Malware Analysis (SIFT + REMnux)
 Anti-Virus Scanning

36. z
Workflow Tweaks
 MantaRay bucketizes all the sent emails but you still have to
work through the emails to find the one you want
 Option 1 – load emails from bucket of interest into Autopsy as a
folder and then after they process you can do a keyword search
 Option 2 – use the power of Linux (grep –nr 'm57biz.xls')

37. z
Extending PST Processor module
 Adding in capability to automatically search the bucketized
folders for keywords
 Write script to watch a folder...when config file is dropped in
containing path to PST and emails of interest then script runs
and automatically processes the PST
 Sample
Code: http://timgolden.me.uk/python/win32_how_do_i/watch_dir
ectory_for_changes.html

39. z
MantaRay & SIFT
 Getting SIFT updated with all the tools that MantaRay calls can
be difficult....at least for me
 I have a fully built out VM on Google Drive
 Shoot me an email and I will send you the link

40. z
Contact Info
 Dougkoster@hotmail.com
 LinkedIn: https://www.linkedin.com/in/dougkoster/