Can a PST file be treated as lawsuit evidence?
My company is having a lawsuit and was asked to provide a communication log which can only be found in an email of our employee's. This email has been downloaded to the local MS Outlook 2007 and deleted on the server. But the judge doesn't accept the email as evidence, because he suspects that the PST file has been tampered with. He accepts an email as evidence only when he sees it via web mail on the email server. We are using a third-party email service vendor (not Exchange) and they are not able to recover the email because it was too old (in 2012). I, as an IT engineer, have never heard that a PST file can be tampered with. Am I right? If yes, can you illustrate the reason as explicitly as possible? Thanks a million!
April 8th, 2015 12:16am

Hey Benny Zhao,

Considering your situation, I would first of all like to bring to your notice that a PST file CAN be tampered with. There are plenty of ways to do so (most of which cost not a penny and are absolutely easy) and I have explained some of them briefly below, to justify the same. Have a look:

1. A suspect can easily modify Outlook Data File contents (preferably, emails) by first importing the evidentiary PST file into Outlook and then tampering with it by permanently deleting messages/folders that store crucial information leading to the suspect(s).

2. Someone with a good understanding of hexadecimal values and an internet connection can make changes to a PST file, especially the header, to tamper with it. This can be done using a hex editor, which is available online very easily and absolutely free of cost too.

3. Similar to a hex editor, there are plenty of third-party freeware/shareware utilities that claim to help you view or modify PST file contents as per your requirement at a mere investment.

So, by this we come to the conclusion that it is not rocket science to play around with evidence stored in a PST file, and even someone with the least possible technical know-how can do it. In your situation, losing all the messages from the server, but having a copy of the same in a PST file on the local machine, may not prove so helpful to testify to the genuineness of the evidence that it stores.

However, you can proceed to a different level of investigating emails where they are monitored every time to know the activities that have been performed on them, in whatever way.

But as far as your situation is concerned, the complete denial of PST as the sole source of evidence may seem prevalent if presented without facts that justify the statement. In support of the same, you can go for an Email Forensic Examination tool. And MailXaminer is one that I am aware of and shall suit your condition too. The application is permitted and absolutely admissible in a court of law and can help you out.

Even if evidence has been tampered with, like say, emails are deleted (hard deleted), the tool can restore them back in the same folder and with the original attributes. To distinguish them easily amongst all the other emails present in the PST file, it highlights them in RED color.

I would suggest you use the tool to prove your point that a PST file IS legally a probative set of evidence.

Thanks & Regards

Clark Kent


April 9th, 2015 5:49am
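
As an added illustration of point 2 in the reply above (this code is not from the thread or from any tool it mentions): a PST header stores a CRC over its own bytes, so a plain hex edit of the header leaves a mismatch that can be checked. The offsets and CRC variant are assumptions taken from Microsoft's published [MS-PST] specification, and the header built in the code is constructed sample data, not a real mailbox.

```python
import hashlib
import struct
import zlib

# Assumed layout, from Microsoft's published [MS-PST] HEADER structure:
#   offset 0 dwMagic b"!BDN"; offset 4 dwCRCPartial (CRC of the 471 bytes
#   starting at offset 8); offset 8 wMagicClient b"SM"
CRC_START, CRC_LEN = 8, 471


def pst_crc(data: bytes) -> int:
    """CRC-32 table with initial value 0 and no final XOR (assumed PST variant)."""
    return (zlib.crc32(data, 0xFFFFFFFF) ^ 0xFFFFFFFF) & 0xFFFFFFFF


def check_header(header: bytes) -> list:
    """Return findings; an empty list means the header is self-consistent."""
    if len(header) < CRC_START + CRC_LEN:
        return ["too short to hold a PST header"]
    findings = []
    if header[0:4] != b"!BDN":
        findings.append("bad dwMagic")
    if header[8:10] != b"SM":
        findings.append("bad wMagicClient")
    (stored,) = struct.unpack_from("<I", header, 4)
    if stored != pst_crc(header[CRC_START:CRC_START + CRC_LEN]):
        findings.append("dwCRCPartial mismatch")
    return findings


def build_sample_header() -> bytes:
    """Constructed sample, not a real PST: zero-filled body, valid magics and CRC."""
    body = bytearray(CRC_LEN)
    body[0:2] = b"SM"
    return b"!BDN" + struct.pack("<I", pst_crc(bytes(body))) + bytes(body)


def demo() -> dict:
    original = build_sample_header()
    baseline = hashlib.sha256(original).hexdigest()  # digest noted at collection time
    edited = bytearray(original)
    edited[200] ^= 0x01  # one bit changed inside the CRC-covered region
    return {
        "original": check_header(original),
        "edited": check_header(bytes(edited)),
        # A CRC shows internal consistency only; the recorded digest shows any change.
        "edited_matches_baseline": hashlib.sha256(edited).hexdigest() == baseline,
    }
```

A passing CRC means the header is internally consistent, not that the file is authentic; the comparison against a digest recorded when the file was collected is what shows that nothing changed afterwards.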

Try exporting the Outlook msg to an eml file.

Ask your email service provider if they can import the eml file to their server.

If the email service provider says it's possible, then go ahead with this procedure; once it's done, check if you are able to see the email via webmail.

If you can see it via webmail then present it to the

April 9th, 2015 6:00am
