The computer forensics software marketplace is one of those “atta boy/oh shoot” arenas: 100 great reviews or an outstanding reputation is completely undone by one “oh shoot” moment. Never mind that every case/lab/situation is unique; “everybody knows” thinking tends to carry the day once a few strong voices pass judgment. Given what we as practitioners do for a living, we ought to know better than to judge a book by a review of its cover, or just a few chapters. Case in point… Recently I was involved in a case where a customer supplied me with an OST (note, not your typical PST, but the offline version of the user’s email) file to analyze. It was important to the customer to find out what emails AND file attachments existed in this file.
My first task was to attempt to open the OST file with the usual OST and PST recovery tools many of you are familiar with. Those tools do what they do well, but I was asked to behave as if I were an attacker specifically going after the data in the OST. In my experience attackers use exactly what they need to in order to accomplish a task and no more, so I went forward assuming an attitude of “I don’t want to put too much effort into this and I want to do it for free if at all possible.”
I went looking for demo versions of single-function tools that worked with OST and PST files. Most of the demo versions showed me the emails, but they would not show if the file attachments were really attached or simply a placeholder where the file would be pulled from if the recipient attempted to open it. This was important because those files could be somewhere out of the reach of a (presumed) attacker.
I finally found a demo version of a tool (SysTools OST Recovery v4) that opened the OST file and the file attachments. Moreover, the tool would let me save the emails and file attachments, but only 25 emails at a time. That was one task completed, which prompted a new and completely different customer request:
“We need copies of all emails in the OST file.”
There were hundreds of emails in the OST file and the level of effort required plus the cost of the full version of the aforementioned software were out of alignment. Instead I used AccessData’s Forensic Toolkit (FTK) v5 (for which we had a paid-up license).
I know what you are thinking: I’m on the same forensics mailing lists and forums you are, and FTK has been something of a punching bag for the last few years. At this stage of my investigation I could not afford to waste time with something buggy that didn’t work. Conveniently, none of the issues that have plagued FTK users in the past few years surfaced for me.
Installation was quick, as was importing the dataset. It took almost no time to extract all of the email from the OST file (with file attachments included) into MSG format for the customer as an appendix to my report. I was able to export every email, have it automatically renamed to its unique FTK ID (Bates) number, and produce a spreadsheet with the metadata the customer needed. The customer could easily use the spreadsheet to look up a specific email and open the corresponding MSG file with the same unique ID number and see it as someone would normally see it in Outlook. FTK took care of a lot of otherwise manual drudgery and allowed me to focus on writing my report vice fiddling around with data trying to make it more accessible to the customer.
Of course I double-checked my results with other tools and found FTK 5 produced the same amount of data the other tools reported in the OST file.
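The cross-check described above (same mailbox exported by two tools, compared for message count and for whether attachments are real content or placeholders) and the Bates-numbered lookup spreadsheet can both be driven from a small reconciliation script. The following is an added example and is not code from the post, from AccessData or from SysTools; the two "tool exports" are constructed in-line as plain Python dictionaries rather than parsed from real OST/MSG files, and the `DOC` prefix, the Message-ID values and the attachment bytes are all made-up sample data.

```python
"""Reconcile two tools' exports of one mailbox and build a Bates index (added example)."""
import csv
import hashlib
import io

# Constructed sample exports: what two different tools might report for the
# same OST. Each message carries its RFC 5322 Message-ID (stable across
# tools), its subject, and the attachment bytes the tool actually extracted.
# msg-3 models the situation from the post: tool B only saw a placeholder for
# the attachment, so the body it produced is empty.
TOOL_A_EXPORT = [
    {"message_id": "<msg-1@example.test>", "subject": "Q3 numbers",
     "attachments": {"q3.xlsx": b"constructed-xlsx-bytes"}},
    {"message_id": "<msg-2@example.test>", "subject": "Lunch?",
     "attachments": {}},
    {"message_id": "<msg-3@example.test>", "subject": "Contract draft",
     "attachments": {"draft.docx": b"constructed-docx-bytes"}},
]
TOOL_B_EXPORT = [
    {"message_id": "<msg-1@example.test>", "subject": "Q3 numbers",
     "attachments": {"q3.xlsx": b"constructed-xlsx-bytes"}},
    {"message_id": "<msg-2@example.test>", "subject": "Lunch?",
     "attachments": {}},
    {"message_id": "<msg-3@example.test>", "subject": "Contract draft",
     "attachments": {"draft.docx": b""}},  # placeholder only, no content
]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(export):
    """Map Message-ID -> {attachment name: sha256} for one tool's export.
    A zero-length attachment hashes to sha256(b''), which the reconciliation
    treats as a placeholder rather than a recovered file."""
    return {
        msg["message_id"]: {name: sha256_hex(body)
                            for name, body in msg["attachments"].items()}
        for msg in export
    }


def reconcile(export_a, export_b):
    """Compare two exports: message counts, messages seen by only one tool,
    messages whose attachment set or content differs, and placeholders in B."""
    a, b = build_manifest(export_a), build_manifest(export_b)
    ids_a, ids_b = set(a), set(b)
    empty = sha256_hex(b"")
    return {
        "count_a": len(a),
        "count_b": len(b),
        "only_in_a": sorted(ids_a - ids_b),
        "only_in_b": sorted(ids_b - ids_a),
        "attachment_mismatch": sorted(m for m in ids_a & ids_b if a[m] != b[m]),
        "placeholders_b": sorted(m for m, atts in b.items() if empty in atts.values()),
    }


def bates_index(export, prefix="DOC", width=6):
    """Assign sequential Bates-style IDs (DOC000001, ...) in export order and
    return one row per message for the customer's lookup spreadsheet. The
    per-attachment hash lets the customer verify the appendix file later."""
    rows = []
    for n, msg in enumerate(export, start=1):
        bates = f"{prefix}{n:0{width}d}"
        rows.append({
            "bates_id": bates,
            "msg_file": f"{bates}.msg",           # exported MSG renamed to its ID
            "message_id": msg["message_id"],
            "subject": msg["subject"],
            "attachment_count": len(msg["attachments"]),
            "attachment_sha256": ";".join(
                f"{name}={sha256_hex(body)}"
                for name, body in sorted(msg["attachments"].items())),
        })
    return rows


def index_csv(rows) -> str:
    """Render the index rows as CSV text (open it in any spreadsheet tool)."""
    fields = ["bates_id", "msg_file", "message_id", "subject",
              "attachment_count", "attachment_sha256"]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fields, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(index_csv(bates_index(TOOL_A_EXPORT)))
    print(reconcile(TOOL_A_EXPORT, TOOL_B_EXPORT))
```

Keying the comparison on Message-ID rather than on subject or file name is what makes the count check meaningful: two tools will agree on "3 messages" even when one of them only recovered an attachment stub, and the `attachment_mismatch` and `placeholders_b` lists are what surface that difference.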
If you’re the sort of person who won’t go to a movie because a professional critic gave it a bad review then my experience may not resonate with you. I freely admit that when FTK 2, 3, and 4 came out I harbored a mental bias along with most everyone else I knew in the field, but after checking it out for myself I know one thing: FTK 5 will stay in my forensic toolbox.
(Neither the author nor Kyrus was compensated for this post.)