
analyzing-outlook-pst-for-email-forensics

by mukul975

analyzing-outlook-pst-for-email-forensics is a digital forensics skill for examining Outlook PST and OST files for message content, headers, attachments, deleted items, timestamps, and metadata. It supports email evidence review, timeline reconstruction, and defensible investigation workflows for incident response and legal cases.

Added: May 11, 2026
Category: Digital Forensics
Install Command
npx skills add mukul975/Anthropic-Cybersecurity-Skills --skill analyzing-outlook-pst-for-email-forensics
Curation Score

This skill scores 78/100, which means it is a solid listing candidate for directory users who need PST/OST email forensics support. The repository gives enough real workflow and tooling detail to help an agent trigger the skill correctly and perform extraction-oriented investigations with less guesswork than a generic prompt.

Strengths
  • Clear forensic scope for PST/OST analysis, including messages, headers, attachments, deleted items, and metadata.
  • Concrete tool and API references for pypff/libpff, pffexport, and readpst improve operational usability.
  • A scripted agent and workflow docs provide executable structure for evidence extraction and chain-of-custody tasks.
Cautions
  • The SKILL.md excerpt shows no install command, so users may need extra setup guidance before use.
  • Some guidance appears broad rather than tightly procedural, so complex investigations may still require domain expertise.

Overview of analyzing-outlook-pst-for-email-forensics skill

What this skill does

The analyzing-outlook-pst-for-email-forensics skill helps you examine Microsoft Outlook PST and OST files for email evidence: message content, headers, attachments, deleted items, timestamps, and metadata. It is aimed at digital forensics, incident response, and legal or internal investigations where Outlook mail stores are part of the evidence set.

Who it is for

Use the analyzing-outlook-pst-for-email-forensics skill if you need a structured way to extract and review mailbox artifacts without building a parser workflow from scratch. It fits investigators who want faster triage, better repeatability, and a clearer path from raw PST/OST files to defensible findings.

Why it is worth installing

This skill is more useful than a generic prompt when you need workflow guidance around chain of custody, artifact extraction, and header analysis. It is especially relevant when the case depends on reconstructing communication timelines or preserving evidence from recovered and deleted mailbox items.

Main constraints to know

The skill is strongest on PST/OST analysis, not on broad endpoint forensics or full eDiscovery review. If your source data is mostly EML, MBOX, Gmail exports, or cloud mailbox audit logs, this skill is probably a mismatch.

How to Use analyzing-outlook-pst-for-email-forensics skill

Install and inspect the skill

Install with:
npx skills add mukul975/Anthropic-Cybersecurity-Skills --skill analyzing-outlook-pst-for-email-forensics

After install, read SKILL.md first, then inspect references/api-reference.md, references/workflows.md, and references/standards.md. The repository also includes scripts/agent.py, which is worth reviewing if you want to understand the extraction flow the skill is built around.

Feed it the right case details

For best results, give the skill a concrete investigation goal, not just “analyze this PST.” Strong inputs include file type, case purpose, time window, suspected correspondents, keywords, and any legal or operational limits.

Example prompt shape:
Use the analyzing-outlook-pst-for-email-forensics skill to triage this PST from a phishing investigation. Focus on messages from 2024-03-01 to 2024-03-10, header routing, attachments, deleted items, and any sender/IP clues. Summarize findings in an evidence-oriented format.

Follow the workflow order

A practical workflow starts with preservation, then extraction, then interpretation. Hash the source file first, export or parse mailbox content, review headers and attachments, then build a timeline and document chain-of-custody notes. This order reduces contamination and makes your output easier to defend.

Use the repo files as guardrails

references/workflows.md is the best starting point for task order, while references/api-reference.md shows how the skill expects PST access and extraction to happen. references/standards.md helps you align findings with common forensic expectations, including artifact types and tool choices.

analyzing-outlook-pst-for-email-forensics skill FAQ

Is this only for digital forensics?

Yes, mostly. The analyzing-outlook-pst-for-email-forensics skill is designed for email forensics, incident response, and evidence handling. It can help with security investigations, but it is not a general Outlook productivity tool.

Do I need to be a Python user to benefit?

No. The skill can still guide workflow and analysis decisions even if you do not run code directly. That said, the repository includes Python-oriented tooling and CLI references, so technical users will get the most out of the install.

How is this different from a normal prompt?

A normal prompt may summarize a PST conceptually, but this skill gives you a more reliable analysis path: which artifacts to extract, what to verify, and how to preserve evidence. For digital forensics work, that structure matters more than a generic summary.

When should I not use it?

Do not use it when your source data is already normalized into another mailbox format, when you need tenant-level cloud email investigation, or when the main task is policy review rather than artifact analysis. In those cases, a different skill or a broader investigative workflow will fit better.

How to Improve analyzing-outlook-pst-for-email-forensics skill

Give sharper evidence context

The biggest quality jump comes from telling the skill what question the evidence must answer. Instead of “analyze this file,” ask for sender attribution, message reconstruction, attachment review, keyword hunting, or deleted-item recovery. Clearer case goals produce tighter output.

Specify your review priorities

If you care most about phishing, exfiltration, insider risk, or timeline reconstruction, say so up front. The analyzing-outlook-pst-for-email-forensics skill can then weight headers, attachments, or deleted folders appropriately instead of spreading attention evenly across everything.

Add source and environment details

Tell the skill whether the file is PST or OST, whether it came from a workstation or exported mailbox, and whether you can use command-line tools such as pffexport or readpst. Those details affect what extraction path is realistic and which repository references matter most.

Iterate on the first output

If the first pass is too broad, ask for a narrower forensic deliverable: a message timeline, suspicious attachment list, header anomalies, or a recovery-focused review of deleted items. With this skill, the best results usually come from one artifact class at a time rather than one oversized request.
