Q. Scan a PST for viruses before processing or loading into a database?
- Avast comes with free trial;
- ScanPST by Microsoft can be used to repair damaged PST;
- One should be aware of the forensics implications of using any software that changes the data.
A. Following is a list of various approaches, especially valuable since it comes from the practitioners in this area:
- Each exception is assigned an internal doc id and the exceptions are provided in a report with docid|hash|filename|ExceptionDescription. The exception may be zero byte files, unrecognized type, and password/encryption, and may require manual work;
- We generate a list of files with enough detail that the client can go back to the custodians and try to collect passwords. This is far more efficient and less costly than brute force password cracking efforts;
- Remove non user created and system files, process the remainder per the job specs and provide exception reporting. This allows us and the client to understand the status of every single file we received and processed;
- Review the file and try to TIFF up to four times. Attempt to crack password with dedicated system. For obscure file types, we look for free viewers or license the product so that it can be implemented in the TIFF process. Finally if none of the above works, we provide it in the exception report;
- Have seen exception files from vendors that were claimed to be "unprocessable" even after hours of manual investigation, but in the hands of another professional they were opened in seconds. The files ended up being a version of CAD that were very much relevant to the matter;
- There are pros and cons in automatic handling of exception versus more expensive manual handling.