// evidence type

email mbox / pst / eml

mailbox export · pst from outlook · eml bundle · header-only capture. thread reconstruction, spoofing checks, attachment carving — BEC and harassment staples.

tools: 14
priority: H
processing: local · in browser

start here · primary tools

ordered. work top-down. the first tool is the suggested entry point for this evidence type.

  1. email header analyzer: paste raw email headers · trace hop-by-hop routing · SPF · DKIM · DMARC · detect spoofing · visualize delivery path · runs locally
  2. .eml / .msg email header chain analyzer: drop .eml or .msg email file or paste raw headers · parse all headers · reconstruct the full routing chain · extract all forensically significant fields · surface inconsistencies in the header chain · runs locally
  3. email thread reconstructor: drop multiple .eml files · Message-ID / References / In-Reply-To tree · missing parent flags · flat timeline · CSV export · runs locally
  4. mbox analyzer: drop an mbox file · parse all messages · timeline · sender network · search · attachment inventory · runs locally
  5. mbox reader: drop a .mbox archive (Thunderbird · Gmail Takeout) · list all messages · headers · body · attachments · export individual .eml files · runs locally
  6. pst / ost reader: drop an Outlook .pst or .ost file · detect magic bytes · extract readable strings · heuristic message structure detection · export addresses and subjects · runs locally
  7. PST / MBOX artifact timeline builder: drop mbox file or PST CSV export · parse all email records · build chronological message timeline · surface communication patterns, gaps and anomalies · reconstruct folder structure and label history · runs locally
  8. email spoofing and SPF/DKIM/DMARC header validator: paste raw email headers or drop .eml file · validate authentication headers · detect spoofing indicators · surface SPF, DKIM and DMARC results · identify header inconsistencies indicating spoofed or forged email · runs locally

also useful · secondary tools

supporting and follow-up tools. surface as the investigation widens.

  1. phishing email header analyzer: paste email headers · trace delivery hop chain · flag SPF · DKIM · DMARC mismatches · extract sender IPs · detect header injection · identify spoofing · runs locally
  2. email attachment scanner: drop .eml or .msg · extract every attachment · check MIME type vs actual content · flag macro-enabled docs · executables disguised as other formats · export inventory · runs locally
  3. email HTML payload extractor and analyzer: drop .eml files · extract HTML body from MIME · analyze HTML structure for malicious patterns · surface embedded scripts, iframes, tracking pixels and obfuscated content · runs locally
  4. mailer and email client fingerprint identifier: drop .eml files or paste headers · identify the email client or service that sent the message · detect inconsistencies between claimed and actual mailer · surface forged X-Mailer headers and mailer fingerprint mismatches · runs locally
  5. dkim verifier: paste raw email and DKIM public key · relaxed canonicalization · body bh hash · WebCrypto RSA verify · step-by-step results · runs locally
  6. case report generator: fill in case number · examiner · dates · findings · drop evidence files for auto hash · generates structured forensic report PDF · runs locally