Email Investigations and Forensic Analysis of Outlook/Exchange email files

Email is the most utilized form of communication for businesses and individuals nowadays, and it is often exposed to illegitimate uses. If you are a forensic investigator, you are probably need to be able to determine if an email has or has not been falsified. This article will explore a few basic methods on how to gather and analyze data related to an email investigation and forensic analysis.

The first steps in any email investigation are to identify all the potential sources of information. Email messages contain numerous metadata fields(MAPI properties) that can be useful for digital forensic analysis of emails. There are a few MAPI properties that are frequently extracted by computer forensics and e-Discovery software:

1. The email date

At the time a sender submits an e-mail, it gets stamped with the date and time in the PR_CLIENT_SUBMIT_TIME property. When that e-mail reaches the recipient’s mailbox, Outlook/Exchange stamps the PR_MESSAGE_DELIVERY_TIME and PR_CREATION_TIME properties. If the e-mail remains unaltered, the PR_LAST_MODIFICATION_TIME will match the PR_CREATION_TIME property. Obviously if these two properties do not match, it means the e-mail was modified by the user as no other process will update this property.

Convert .pst to .eml files

2. The email body

Email can be sent in several formats the most common being plain text, RTF and HTML. Both RTF and HTML formats use formatting codes. Using these formatting codes we did a low-level analysis of the body text.

3. Conversation index

The email conversation index property indicates the relative position of a message within a conversation thread and is typically populated by the e-mail client for each outgoing message. Information extracted from the Conversation index property can help answer key questions such as:

  • Is the message in question a new message, or was it created by replying to or forwarding another message?
  • If the message is part of an e-mail thread, when was the thread started?
  • When were other messages in the e-mail thread created?


Combined with additional evidence from the email server or internal email metadata, the information contained in the email MAPI properties can be very helpful in the forensic analysis of emails.