
Email Forensics Tool: Search Email Evidence in PST, EML, and MBOX

 

A forensic examiner receives a disk image, a seized laptop, or an exported mailbox and has to answer one question fast: which emails matter? The evidence is scattered across PST and OST archives, loose EML and MSG files, and MBOX backups — tens of thousands of messages, often with no Outlook profile attached. Enterprise forensic suites do this, but they cost thousands per seat and take training to drive.

Mail Terrier is a lightweight email forensics tool that searches every email archive on a drive by keyword, date, and participant — entirely offline, with the original files left untouched. Find the relevant messages in seconds and export them, with full headers and metadata, to PDF or Excel for your report.

Quick answer: To run an email forensic search, install Mail Terrier on your examination workstation, point it at the folder or image-mounted volume holding the PST, OST, EML, MSG, or MBOX files, then search by keyword with AND/OR/NOT rules plus a date or sender filter. It reads the files read-only, shows each hit with full metadata, and exports results to PDF or Excel for evidence reports — no Outlook and no internet needed.

What Is Email Forensics?

Email forensics is the practice of recovering, searching, and analyzing email evidence for investigations — incident response, insider-threat cases, fraud, HR matters, and litigation support. The examiner has to locate relevant messages across mixed archive formats, preserve their metadata (sender, recipient, timestamps, message-ID, attachments), and produce a defensible record of what was found and how.

The hard part is that email evidence almost never arrives in one clean format. A single custodian can leave a PST from Outlook, an OST cache, an MBOX from a Gmail Takeout, and loose EML or MSG files pulled from webmail. Opening each in its native client — if a client even exists for it — risks altering timestamps and read flags. A forensic search tool reads the archives directly, without a mail client and without modifying the source.

Download Now!

(includes 30 day FREE trial)

Buy License

(only $199.00)

How to Search Email Evidence Step by Step

  • Step 1. Mount or copy the evidence. Place the PST, OST, EML, MSG, MBOX, or EMLX files on your examination workstation (or mount the disk image read-only). Mail Terrier never needs Outlook or Thunderbird installed.
  • Step 2. Point Mail Terrier at the folder. Add one folder or a whole drive. Multiple archives and formats can go into the same search session.
  • Step 3. Build the query. Enter keywords and combine them with AND, OR, and NOT. Add a date range to match the incident window and a sender or recipient filter to focus on the custodians of interest.
  • Step 4. Review the hits. Each matching email shows sender, recipient, subject, date, file path, and a content preview, so you can confirm relevance before exporting.
  • Step 5. Export for the report. Save matching messages to PDF (with headers intact) for exhibits, or to XLS for a structured index. EML and MSG export preserves the message as a standalone file with its attachments.

Every search is logged with its exact terms, date range, and filters, so you can reproduce and document the methodology if the findings are challenged.
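The same workflow in miniature, as an added example (not Mail Terrier's code and not taken from the product): it searches one MBOX file through a read-only handle, applies AND/NOT keywords with a sender and date filter, and returns a log entry with the query and the file's SHA-256 before and after. The names `read_evidence` and `search_mbox` and the sample messages are constructed for illustration, and plain substring matching stands in for a real query engine.

```python
import email, hashlib, re, tempfile
from datetime import datetime, timezone
from email import policy
# Constructed sample evidence (not real mail): a three-message mbox.
SAMPLE_MBOX = b"".join(
    b"From MAILER-DAEMON Thu Jan  1 00:00:00 1970\nFrom: %b\nTo: bob@example.com\n"
    b"Subject: %b\nDate: %b\nMessage-ID: <%b@example.com>\n\n%b\n\n" % row
    for row in [
        (b"alice@example.com", b"Invoice 4471", b"Mon, 03 Mar 2025 09:00:00 +0000",
         b"1", b"Please wire the payment today."),
        (b"alice@example.com", b"Newsletter", b"Wed, 05 Mar 2025 09:00:00 +0000",
         b"2", b"Payment tips in this newsletter."),
        (b"carol@example.com", b"Re: Invoice", b"Tue, 14 Jan 2025 09:00:00 +0000",
         b"3", b"Payment received, thanks."),
    ])

def read_evidence(path):
    with open(path, "rb") as f:  # read-only handle: evidence is never opened for writing
        raw = f.read()
    return raw, hashlib.sha256(raw).hexdigest()

def search_mbox(path, all_of=(), none_of=(), sender=None, start=None, end=None):
    raw, before = read_evidence(path)
    hits = []
    # Messages begin at a "From " separator line (body lines are ">From "-escaped).
    for chunk in re.split(rb"(?m)^From .*\n", raw)[1:]:
        msg = email.message_from_bytes(chunk, policy=policy.default)
        body = msg.get_body(preferencelist=("plain",))
        text = (msg.get("Subject", "") + "\n" + (body.get_content() if body else "")).lower()
        sent = msg["Date"].datetime if msg["Date"] else None
        if sender and sender.lower() not in msg.get("From", "").lower():
            continue
        if (start or end) and (sent is None or sent.tzinfo is None
                               or (start and sent < start) or (end and sent > end)):
            continue  # outside the window, or no usable Date to place it in one
        if not all(k.lower() in text for k in all_of) or any(k.lower() in text for k in none_of):
            continue  # all_of terms are ANDed, none_of terms are NOT
        hits.append({"message_id": str(msg["Message-ID"]), "from": str(msg["From"]),
                     "date": sent.isoformat() if sent else None, "subject": str(msg["Subject"])})
    log = {"run_at": datetime.now(timezone.utc).isoformat(), "source": path,
           "all_of": list(all_of), "none_of": list(none_of), "sender": sender,
           "window": [d.isoformat() if d else None for d in (start, end)], "hits": len(hits),
           "sha256_before": before, "sha256_after": read_evidence(path)[1]}
    return hits, log

if __name__ == "__main__":
    with tempfile.NamedTemporaryFile(suffix=".mbox", delete=False) as tmp:
        tmp.write(SAMPLE_MBOX)
    print(search_mbox(tmp.name, all_of=["payment"], none_of=["newsletter"]))
```

Matching `sha256_before` and `sha256_after` values in the log show the file content was not altered by the search; they say nothing about filesystem timestamps, which is why the evidence volume should still be mounted read-only.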

Why Use Mail Terrier for Email Forensics?

Read-Only, Fully Offline

Mail Terrier runs entirely on the local workstation and reads the source archives without writing back to them. Evidence never leaves the machine and is never uploaded to a cloud service — critical for chain of custody and for confidential or privileged material.

Metadata Preserved

Results carry the full header set: sender, recipient, subject, send and receive timestamps, and attachment names. PDF and EML exports keep this metadata so the evidence stays meaningful in a report or exhibit.

Reproducible Searches

The search history records every query you ran. When methodology matters, you can show exactly which terms found which documents and when the search was performed.

Email Forensics Tool vs Enterprise Platform

| Feature | Enterprise Forensic Suite | Mail Terrier |
|---|---|---|
| Price | Thousands per seat / year | $199 one-time (free at home) |
| Formats | Varies | PST, OST, EML, MSG, MBOX, EMLX |
| Boolean keyword search | Yes | Yes (AND, OR, NOT, proximity) |
| Date and custodian filters | Yes | Yes |
| Source modified | Depends on workflow | No — read-only |
| Cloud dependency | Often | None — 100% local |
| Export | Platform-dependent | PDF, XLS, DOC, TIFF, EML, MSG |
| Setup | Days to weeks | Install and search in minutes |

When Do You Need an Email Forensics Tool?

Incident response. After a phishing compromise, you need every message from a malicious sender or carrying a known subject line across the affected mailboxes. Mail Terrier searches the exported PST and OST files by sender and keyword and exports the hits for the incident report.

Insider threat and data exfiltration. An employee under investigation may have emailed confidential files out. Search their archive for attachment names, external recipients, and trigger keywords, with a date range around the suspected window.

Internal and HR investigations. A complaint references specific exchanges. Search the relevant mailboxes by keyword and participant, producing a tight set of relevant emails without exposing the matter to extra staff.

Fraud and compliance. Auditors or investigators ask for communications mentioning a transaction, account, or counterparty. Mail Terrier scans every archived mailbox and exports a structured Excel index for review.


Email Forensics Tool — FAQ

An email forensics tool searches and analyzes email evidence across archive formats for investigations. Mail Terrier reads PST, OST, EML, MSG, MBOX, and EMLX files directly from disk, finds messages by keyword, date, and participant, and exports the hits with full metadata for a report.
Install Mail Terrier on your workstation and point it at the folder or mounted image that holds the email files. It parses PST and OST archives on its own, with no Outlook, Thunderbird, or mail profile required, and shows each hit with sender, recipient, date, and subject.
No. Mail Terrier reads the source archives without writing back to them, so timestamps and read flags are preserved. The evidence stays on the local machine and is never uploaded, which keeps chain of custody intact.
Yes. Combine keywords with AND, OR, and NOT, match exact phrases in quotes, and use proximity search to find terms near each other. Layer a date range and a sender or recipient filter on top to focus on the custodians and the incident window.
Mail Terrier searches PST, OST, EML, MSG, MBOX, and EMLX in a single session, so a custodian with an Outlook PST, a Gmail Takeout MBOX, and loose EML files can be searched together without converting anything first.
Export matching messages to PDF with headers intact for exhibits, to XLS for a structured index or privilege log, or to EML and MSG to preserve each message with its attachments. Every search is logged so the methodology can be reproduced.
Mail Terrier is free for personal use at home. For commercial, forensic, legal, or compliance work the license is a one-time 199 dollars, with no subscription or per-seat fees.

 

Start working now!

Download free trial and convert your files in minutes.
No credit card or email required.

⬇ Download Free Trial Windows 7/8/10/11 • 104 MB


© 2026. All rights reserved. CoolUtils File Converters
