readpst – Backtrack 5 – Forensics – Forensics Analysis Tools – readpst

We have had a couple requests to write a post about readpst which is included in the default path of Backtrack 5 and also located in the Backtrack menu underneath Forensics/Forensics Analysis Tools. The readpst application will read PST files which are also known as Microsoft Outlook Personal Folders and convert them to mbox, MH, or KMail formats. There are various other switches that can be used to output each email into a separate file, include attachments, modify contact formats, be recursive, etc. I will explain basic functionality below along with a couple of the formats and various switches.

First off you must obtain a PST file to use as the input source but we will assume you already have the PST file since you are reading this article. If someone needs assistance finding the location of PST files on any operating system just leave a comment below and someone will provide an answer of the default location for PST files on that OS.

readpst Version As Of Backtrack v5r3:

Above we have used the -v switch to output the current version of readpst, which is readpst v0.6.41, installed on Backtrack Linux version 5 release 3 or BT5r3. I always like to include version just in case something has changed whomever is reading the article will know that the information within the article worked with XyZ version. Anyhow below there is example output of the most basic version of readpst usage that is not using any specific switches and is processing a PST file named archive.pst.

Basic readpst Usage:

What the above command has accomplished is to generate files named for the folder names in the output above that are in standard mbox format and can be read using something like cat or mail from the command line or by using a GUI application that can read the mbox format. Below is an example of what an mbox file will display when processed with the command line application mail.

Read mbox File Output By readpst With mail:

As you can see above there are three emails located in folder6 and you could read each message separately using mail with the -f switch. My personal preference with readpst is to output each mail message individually but have them organized by folder. This provides me an easier way to recursively grep the entire directory tree and quickly find individual messages with the content I am seeking. Also with individual messages you can open them using Thunderbird and forward them to yourself easily. Below is an example of readpst using the -s switch along with the -r switch to be recursive.

Use readpst To Process PST File Into Single Files Per Email:

This time the output is all underneath of an Archives folder and each separate email is its own file.

Sub Folder Contents After Processing PST File Using readpst And -s Switch:

Notice how there are RTF, JPG, and GIF files which have been separated out because they were attachments to the messages that correlate with the number preceding their filename. This is the type of command I would use to investigate a PST file and then I would use grep from the root of the Archives folder to search for specific content such as “password”. If you wanted to look at the contents of an email including the header information you could simply use cat as demonstrated below.

Use cat To Display Email Details After Converting PST File With readpst:

So thats really it. There are more switches that can be used to accomplish different tasks such as not outputting the attachments from emails or other tasks but overall readpst is simply just an application that converts PST files into formats that we can easily search and/or read on Linux.