SecureArtisan

My Road to Digital Forensics Excellence

Enscript – PST TLN output

Posted by Paul Bobby on July 30, 2010

Another new EnScript (see the My Files section). It extracts the timeline data from a PST file and writes it in the five-field TLN format (time|source|host|user|description), which can then be fed to the Log2timeline tool as input.

I had considered writing an input module for Log2timeline, but processing PST files is hard. I then considered pre-processing the data into MSG format – but that's hard also. So I made use of the ability to mount a PST in EnCase and process the 'record' data at runtime. Each email message has four timestamps: when the email was created, sent, received and last modified.

I learnt a couple of techniques while writing this EnScript:

1. v.GetRecords(recs)

After mounting a 'compound file', the GetRecords() method forces EnCase to generate the record entries at runtime (the very same data that populates the Records tab). That leads to

2. forall (DataPropertyClass p in rec.DataPropertyRoot())

Each record entry is a series of key-value pairs. The 'type' of each key is binary, ASCII, date etc. (see the EnScript help), and the value can then be processed accordingly.

Unfortunately the dates for each email are stored as text strings, so I had to convert the text-based timestamps into actual DateClass() objects before EnScript could manipulate them. No built-in method exists for this, but I found two methods written by "ohopli" on the Guidance forums.
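The same conversion and output step, written out as an added Python example rather than the author's EnScript: each record is a set of key-value pairs like those EnCase exposes through DataPropertyRoot(), the four text timestamps are parsed into UTC epoch values, and each one becomes a line in the five-field TLN format (time|source|host|user|description) that Log2timeline expects. The field names, the sample records and the timestamp text formats are assumptions made for the example; the page does not state the exact format EnCase produces, so adjust TS_FORMATS to match what the Records tab actually shows.

```python
import re
from datetime import datetime, timezone

# Constructed sample records: key/value pairs as a mounted PST exposes them.
# Field names and timestamp text format are assumptions for this example.
SAMPLE_RECORDS = [
    {"Subject": "Q3 budget", "From": "alice@example.com", "To": "bob@example.com",
     "Created": "07/29/10 09:15:02AM", "Sent": "07/29/10 09:15:30AM",
     "Received": "07/29/10 09:16:01AM", "Modified": "07/30/10 11:02:45AM"},
    {"Subject": "Re: invoice | urgent", "From": "bob@example.com", "To": "alice@example.com",
     "Created": "2010-07-28 17:40:11", "Sent": "2010-07-28 17:41:00",
     "Received": "not a date", "Modified": "2010-07-28 17:41:00"},
]

# The four per-message timestamps the post describes.
TS_FIELDS = ("Created", "Sent", "Received", "Modified")

# Candidate text formats to try, most specific first (assumed, not from the page).
TS_FORMATS = ("%m/%d/%y %I:%M:%S%p", "%Y-%m-%d %H:%M:%S")


def parse_timestamp(text):
    """Convert a text timestamp to an integer Unix epoch (UTC), or None."""
    if not text:
        return None
    for fmt in TS_FORMATS:
        try:
            dt = datetime.strptime(text.strip(), fmt)
        except ValueError:
            continue
        # PST times are treated as UTC here; apply a tz offset if the evidence says otherwise.
        return int(dt.replace(tzinfo=timezone.utc).timestamp())
    return None


def tln_escape(value):
    """TLN uses '|' as the separator and one line per event; neutralise both."""
    return re.sub(r"[\r\n]+", " ", str(value)).replace("|", "/")


def record_to_tln(rec, source="PST", host="", user=""):
    """Emit one TLN line per parseable timestamp on a single email record."""
    lines = []
    desc_base = "From: {} To: {} Subject: {}".format(
        tln_escape(rec.get("From", "")),
        tln_escape(rec.get("To", "")),
        tln_escape(rec.get("Subject", "")),
    )
    for field in TS_FIELDS:
        epoch = parse_timestamp(rec.get(field))
        if epoch is None:
            continue  # unparseable or missing value: skip rather than emit a bogus time
        desc = "{} - {}".format(field, desc_base)
        lines.append("{}|{}|{}|{}|{}".format(epoch, source, tln_escape(host),
                                             tln_escape(user), desc))
    return lines


def pst_to_tln(records, host="", user=""):
    """Full TLN body for a set of records, sorted chronologically."""
    lines = []
    for rec in records:
        lines.extend(record_to_tln(rec, host=host, user=user))
    return sorted(lines, key=lambda line: int(line.split("|", 1)[0]))


if __name__ == "__main__":
    for line in pst_to_tln(SAMPLE_RECORDS, host="WKSTN01", user="alice"):
        print(line)
```

The epoch is written as a plain integer because Log2timeline's TLN handling keys on that first field; the description carries the name of the timestamp (Created, Sent, Received, Modified) so the four events for one message stay distinguishable once they are merged into a larger timeline.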

As always, the EnScript is provided as source code and not EnPacked. Feel free to play, experiment and fix bugs 🙂 I have tested the EnScript against three 1 GB PST files and not broken anything.
