Regular readers will know that I champion Encase for most forensic tasks but I have to admit that my favourite forensic tool does not handle the investigation of email very well.
My friend Oliver Smith, over at Cy4or, had cause to run a keyword search across a number of emails. These emails were contained in a number of email containers including dbx and pst files and the Encase email search had been carried out. The emails were reviewable in the records tab. There was a need however for the client to review emails that contained certain keyword hits. Encase provides an export to .msg facility whereby emails can be exported in the .msg format allowing a review using Microsoft Outlook. It is a therefore a simple task to filter the records tab to display only email with search hits (that is those with a value in the Search Hits column). Then by selecting those records you can export them as .msg files.
The problem with this approach is that it is difficult to marry up the exported .msg files to a report detailing each msg files provenance. So in a case where many thousands of emails have been exported it is a real pain to provenance the relevant emails after the client's review. Depending on the email container concerned (e.g. pst, dbx etc.) Encase names the .msg file either by its subject or by some arbitrary description (Inbox.dbx-0.msg, Inbox.dbx-1.msg and so on). In situations where the client has copied notable emails out of the original export directory it can be very difficult to quickly trace the source email container.
To address this problem Oliver has written an enscript to export selected emails to .msg along with a report detailing their provenance.