HomeSupport Home
Start TicketStart Ticket
View TicketView Ticket
Sales QuotesInfo Request
Info RequestInfo Request
Video TrainingFree Video Training
DownloadsFree Video Training
FAQFAQ
Contact UsContact Us

Paraben's E-mail Examiner FAQs

For registration questions, please visit the Registration FAQ page.

Q: What types of evidence files can E-mail Examiner view?
A: The current version of E-mail Examiner allows you to open the following types of evidence:
  • America On-line (AOL) databases
  • Microsoft Outlook (PST or OST)
  • The Bat! Information stores (version 3.x and higher)
  • Thunderbird
  • Outlook Express
  • Eudora databases
  • E-mail file (EML)
  • Windows mail databases
  • Support for more than 750 MIME Types and related File Extension
  • Plain Text mail
  • Maildir database
Q: What types of reports can be generated within E-mail Examiner?
A: To make information stored in the case suitable for printing, e-mailing, etc., you can generate one of the following types of reports:
  • HTML Investigative Report: This type of report includes any information defined by the user (evidence of different types, bookmarks, supplementary files). Data is shown in HTML format without hyperlinks. This report can be used for printing.
  • Simple Text Report: This type of report includes the same information as an HTML Investigative Report shown in a similar way, but it has a *.txt extension.
  • HTML Evidence Summary Report: This report includes information about all evidence added to a case and information about the Investigator (optional) and supplementary external files. Data is shown in HTML format.
  • CSV Text Report: This type of report represents information in a tab delimited format and can be opened in Microsoft Excel.
Q: Can I recover deleted emails?
A: Deleted emails can be recovered from Outlook, Thunderbird, and The Bat! email archives.

Q: What is the raw mode option within E-mail Examiner?
A: Raw mode: Shows all database content including system, orphaned, and deleted items. You will have to re-open the database (re-add it as evidence or re-open the case) for this option to take effect.

Q: What is a Batch Export?
A: This feature allows you to perform searches in multiple mail storages of different formats and export search results to EML, EMX, MSG, PST, MHTML, and Attachments only formats.

Q: How do I auto detect a mail storage format within E-mail Examiner?
A: Paraben's E-mail Examiner allows you to autodetect the format of the mailstorage being added to the case.

To autodetect mailstorage format, do the following:
  1. Start the Paraben's E-mail Examiner.
  2. Create a new case (for more information, see the help file).
  3. In the main menu, select File - Add Evidence, or click on the Add New Evidence button on the toolbar, or press CTRL+D, or right-click on the case node in the Case Explorer pane and select Add New Evidence in the context menu.
  4. The Add New Evidence dialog window opens. In the Source type list, select the Auto-detect e-mail database option and click on the OK button.
  5. In the Select source for mounting window, select whether the evidence is found in a File or Folder and click on the OK button.

    The following mailstorages are stored in files:
    • AOL database (example: mailbox.pfc)
    • PST database (example: mail.pst)
    • The Bat Database (example: inbox.tbb)
    • Outlook Express database (example: outbox.dbx)
    • E-mail file database (example: paraben.eml)
    • E-mail Examiner archive (example: inbox.pmx)
    • Eudora database (example: outbox.mbx)
    The following mailstorages are stored in folders:
    • The Bat database
    • Thunderbird database
    • Outlook Express database
    • Eudora database
    • E-mail file database (*Found in directory containing .eml file)
    • Windows mail database
    • Maildir database (*Found in directory containing .eml file)
  6. If you select the Folder option, in the Browse For Folder window, navigate to the folder containing the mailstorage and click on the Open button. If you select the File option, in the standard Open window, navigate to the file and click on the Open button.
Q: How do I access E-mail Database Settings within E-mail Examiner?
A: To view E-mail Examiner options, select Tools>Options, or click Options on the E-mail Examiner Welcome Page, or click on the Options button on the toolbar. The Options window opens. It consists of two panes. In the left pane, the groups of options are displayed. In the right pane, the corresponding options are defined.

Select the E-mail Database Settings option. A number of options and two tabs become available.

Common tab: Displays the settings that can be applied to any type of database.
  • Raw mode: Shows all database content including system, orphaned, and deleted items. You will have to re-open the database (re-add it as evidence or re-open the case) for this option to take effect.
PST tab: It displays the settings for Microsoft Outlook databases (PST Format).
  • Scan the database for deleted messages (slows down opening): If this option is checked, deleted messages in the database will be found and recovered.
Note: This process may take a long time if selected.

Q: How do I add a bookmark within E-mail Examiner?
A: Bookmarks can be added in two ways:
  • Directly from the data.
  • From the bookmarks folder.
To add a bookmark directly from the data:
  • Select the data to be bookmarked. It can be a node in the Tree View pane, text in the Text or Hex viewer, data in the Data View pane (use multiselect to add bookmarks to several lines simultaneously), or data in the Search Results pane.
  • Select Tools-Bookmarks-Add Bookmark or click on the Add Bookmark button or press Ctrl-B or select Add Bookmark in the right-click menu.
  • The Add Bookmark window appears.
  • Type the name (short description) of the bookmark and its detailed description (this is not required). In the Parent folder pane, select which user-created folder the bookmark will be stored in. Click on the OK button.

    Note: Do not change the path information; it may cause the bookmark to stop working.
  • Bookmarks can be seen in the Bookmarks pane. The properties of the bookmarked data can be seen in the Properties pane.
  • To navigate to a bookmarked part of the case, double-click on the bookmark.
To add a bookmark from the bookmarks folder:
  • In the Bookmarks pane, select the folder to which a bookmark will be added.
  • Select Tools-Bookmarks-Add Bookmark or click on the Add Bookmark button or press Ctrl-B or select Add Bookmark in the right-click menu.
  • The Add Bookmark window appears.
  • Enter all required information including the bookmarks path.
  • Click on the OK button.
Q: How do I run E-mail Examiner in Windows Vista or Windows 7?
A: To run E-mail Examiner in Windows Vista or Windows 7, please do the following:
  1. Install E-mail Examiner on your computer using the standard installation procedure. Restart the computer at the end of the installation process.
  2. If the User Account Control (see Computer-Properties-Security center) is turned off, then E-mail Examiner can be launched in the standard way (double-clicking on its icon).
  3. If the User Account Control is turned on, right-click on the E-mail Examiner icon and select Run as administrator.
If you have problems running E-mail Examiner under Vista or 7, please try to do the following:
  1. In the Start menu, select the Control Panel.
  2. In the Control panel window, select System and Maintenance.
  3. Select System page and click on the Change Settings.
  4. In the System Properties window, select the Advanced tab.
  5. Click the Settings button for the Performance options.
  6. In the Performance Options window, select the Data Execution Prevention tab.
  7. Select the Turn on DEP for all programs and services except those I select option.
  8. Click Add and navigate to the E-mail Examiner execution file.
  9. Click OK and restart the computer.
Q: How do I perform Boolean searches within E-mail Examiner?
A: A Boolean search allows the user to search complicated expressions in text following the rules of boolean logic. Searching is performed by the rules of boolean logic applied to text data inside units.

The following options are used for logical searches:


Note: Functions must be written using all capital letters; otherwise they will be interpreted as part of your search. Function: X AND Y

Meaning: There is at least one x and at least one y in the unit.

Results:
Search parameters: a AND b
Possible search results: “able”, “black”
The following data will not be found: “borrow”, “any aim”, “else”

Function: x OR y

Meaning: There is either at least one x or at least one y in the unit.

Results:
Search parameters: a OR b
Possible search results: “borrow”, “any aim”, “black”
The following data will not be found: “Else”, “No time left!”

Function: NOT x

Meaning: There is no x in the unit.

Results:
Search parameters: NOT b
Possible search results: “This is great!”, “Time over”
The following data will not be found: “blue blob of ink”, “remember”

Function: x NEAR /n y

Meaning: Selects documents containing specified search terms within close proximity to each other. There is x and y in the unit and there are not more than n symbols between them. Note: There must be a space between NEAR and the slash mark (not "NEAR/5", but "NEAR /5").

Results:
Search parameters: a NEAR /1 b
Possible search results: “back”, “above”
The following data will not be found: “a book”, “big apple”
Or
Search parameters: a NEAR /2 b
Possible search results: “a book”, “above”
The following data will not be found: “a book”, “big apple”

Note: By default, the priority of the operations is the following: NOT, AND, NEAR, OR
Note: Use brackets "()" to define other operation's priorities.
Note: Use quotation marks "" to define an expression that should be found exactly as it is. For example: "e AND b" will find "white AND black", but will not find "to be"

Q: How do I change time parameters in the mailstorage?
A: Paraben's E-mail Examiner allows you to change time parameters in the mailstorages, if necessary. This allows you to define the time zone in which time properties of data added to E-mail Examiner will be displayed.

To change time parameters, do the following:
  1. Start the Paraben's E-mail Examiner.
  2. Create a new case.
  3. Add a mailstorage database to the case.
  4. The mailstorage structure is displayed in the Case Explorer pane (to the left), messages stored in the mailbox are displayed in the Data Viewer pane (to the right).
  5. To change the time parameters in the mailstorage, select Tools - Options in the main menu, or click on the Options button on the toolbar.
  6. The Options window opens.
  7. Select the Time Settings group of options (to the left). The corresponding options are displayed to the right of the Options pane.
  8. To define time zone settings, do one of the following:
    • Select the Use current time zone option to use the time zone defined on the computer, on which E-mail Examiner is installed.
    • Select the Use GMT standard time option to convert time to GMT format.
    • Select the Use selected time zone option to use the specified time zone format. Select the required format from the drop-down list.
  9. Click on the OK button to apply the settings. Click on the Refresh All button on the toolbar. Time parameters are changed.
Lost Password