creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-15 15:34:56 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
d5f3fa32486ea335db802d68fe2147fa2da69583
Anthropic-Cybersecurity-Skills/skills/analyzing-outlook-pst-for-email-forensics/references/api-reference.md
T
mukul975 c21af3347e Complete folder anatomy for all 649 cybersecurity skills + update LICENSE to Mahipal 
- Add scripts/agent.py and references/api-reference.md to all remaining skills
- Update all 648 LICENSE files: copyright now reads 'Mahipal'
- Add implementing-security-monitoring-with-datadog (new skill with full anatomy)
- All 649 skills now have: SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
2026-03-11 00:22:12 +01:00

2.5 KiB
Raw Blame History

API Reference: Outlook PST Email Forensics

pypff (libpff Python bindings)

Installation

pip install libpff-python

Opening a PST File

import pypff

pst = pypff.file()
pst.open("mailbox.pst")
root = pst.get_root_folder()

Navigating Folders

for i in range(root.number_of_sub_folders):
    folder = root.get_sub_folder(i)
    print(f"{folder.name}: {folder.number_of_sub_messages} messages")

Extracting Messages

msg = folder.get_sub_message(0)
print(msg.subject)
print(msg.sender_name)
print(msg.delivery_time)
print(msg.transport_headers)
print(msg.plain_text_body)
print(msg.html_body)

Extracting Attachments

for i in range(msg.number_of_attachments):
    att = msg.get_attachment(i)
    print(f"Name: {att.name}, Size: {att.size}")
    data = att.read_buffer(att.size)

pffexport (CLI)

Syntax

pffexport mailbox.pst                    # Export all to current dir
pffexport -m all mailbox.pst             # Export all message types
pffexport -t target_dir mailbox.pst      # Export to target directory
pffexport -f text mailbox.pst            # Export as text format

Output Structure

Export/
  Inbox/
    Message001/
      Message.txt
      Attachment001.pdf
  Sent Items/
  Deleted Items/

readpst (libpst)

Syntax

readpst -o output_dir mailbox.pst        # Extract to dir
readpst -e mailbox.pst                   # Extract attachments
readpst -r mailbox.pst                   # Recursive extraction
readpst -j 4 mailbox.pst                # Parallel (4 threads)
readpst -S mailbox.pst                   # Separate files per message

PST File Structure

Component Description
NDB Layer Node Database - raw data storage
LTP Layer Lists/Tables/Properties - message properties
Messaging Layer Folders, messages, attachments

Key Message Properties

Property MAPI Tag Description
Subject PR_SUBJECT (0x0037) Email subject
Sender PR_SENDER_NAME (0x0C1A) Sender display name
From PR_SENT_REPRESENTING_EMAIL (0x0065) Sender email
Delivery Time PR_MESSAGE_DELIVERY_TIME (0x0E06) When delivered
Headers PR_TRANSPORT_MESSAGE_HEADERS (0x007D) Full SMTP headers

Forensic Considerations

  • Deleted Items folder may contain evidence
  • Recoverable Items (dumpster) requires special extraction
  • Calendar/Contacts may contain relevant data
  • Journal entries can provide timeline evidence
Reference in New Issue View Git Blame Copy Permalink