
Email Forensics
Read-Only Inspection

PCDOTS Email Forensics Investigation Tool reads source mailbox bytes without modifying them. The wizard ingests 100+ file formats (EML, MBOX, PST, MSG, OLM, OST, EMLX, OFT, DBX) and auto-detects profiles from 20+ desktop email clients. Five view modes surface every byte: content, properties, message header, hex, raw RFC 5322. Export limited to PDF for hardcopy evidence and IMAP for analyst inbox transfer; the wizard never writes to the source.

  • Read-only: source bytes never modified.
  • 100+ file formats, 20+ clients.
  • Five views: content, properties, header, hex, raw.
  • Trace X-Originating-IP, Received.
  • 5.0 / 5 across 100 verified reviews.
[Screenshot: PCDOTS Email Forensics Investigation Tool v3.5, source mailbox file picker]

Software Traits

Architecture and Inspection Spec

A forensic tool stands or falls on three architectural decisions. Read-only ingestion means source mailbox bytes survive the inspection unmodified - any later evidentiary review confirms the wizard did not corrupt the chain of custody. Multi-view rendering exposes message content at every meaningful abstraction level: rendered HTML body for casual reading, header decode for sender provenance, hex view for byte-level audit, raw RFC 5322 for protocol-level inspection. Format coverage breadth means the analyst does not need a separate tool per source mailbox type - one wizard handles 100+ formats and 20+ desktop client profiles.

Read-Only Ingestion Architecture

Source mailbox files get opened with operating-system-level read-only file handles. Memory-mapped pages back the parser; the wizard never issues a write syscall against the source. PST and OST files specifically use the shared-read flag so an open file in Outlook still loads in the wizard for parallel inspection. Any later forensic review of the source disk image will confirm the wizard left no write-back, no journal entry, no metadata change. Critical for evidentiary chain of custody.

  • OS read-only file handles for source files
  • Shared-read flag for in-use PST/OST sources
  • No write-back, no journal entry, no metadata change

Five View Modes Per Message

Each loaded message renders in the operator's choice of view: content view (rendered HTML body with formatted headers above), properties view (structured metadata table - size, dates, flags, message ID), message header view (full RFC 5322 header block as decoded text), hex view (offset, byte hex, ASCII columns side-by-side), raw message view (unparsed RFC 5322 source as stored on disk).

  • Content view: HTML body with formatted headers
  • Properties view: structured metadata table
  • Hex view: offset, byte hex, ASCII triplet

Format and Client Coverage Matrix

Source coverage spans 100+ file formats (EML, MBOX, PST, OST, MSG, OLM, EMLX, OFT, DBX, MBS, plus less common variants like Outlook Express DBX, IBM Notes NSF, Eudora MBX, Calypso, FoxMail) and 20+ desktop email client profiles auto-detected from the local Windows installation. Profile auto-detection reads each client's registry entries and standard data-folder paths to surface available accounts in a single dropdown.

  • 100+ source formats including EML, MBOX, PST, MSG
  • 20+ desktop client profiles auto-detected
  • Registry + standard-path detection per client

Message Header Inspection for Sender Provenance

Header view renders the full RFC 5322 header block as decoded text - From, Reply-To, Return-Path, Sender, Received chain (one line per relay hop), Message-ID, References, In-Reply-To, custom X-headers from the source server. The X-Originating-IP header (when present) carries the original sender IP behind the visible From address. The Received chain traces the message path from origin to delivery, with timestamps at each relay hop. Sender provenance falls out of header inspection.

Hex View for Byte-Level Audit

Hex view renders the message file as three side-by-side columns: byte offset (hex), the byte stream (hex pairs, 16 bytes per row), and the ASCII representation of those bytes (printable characters, dots for non-printable). Useful for verifying that bytes claimed in the header match bytes on disk, for spotting null-byte injection or other format anomalies, and for documenting evidentiary state at the byte level when a court reviewer asks "what was actually on the disk".
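The three-column layout described above, as an added Python example that is not PCDOTS code: a hex dump that prints byte offset, hex pairs (16 per row) and an ASCII column with dots for non-printable bytes, plus the two checks an analyst runs on top of it, locating the end of the header block and any NUL bytes inside it. The sample message bytes are constructed for the demonstration.

```python
import string

# Bytes shown as themselves in the ASCII column; everything else becomes a dot.
PRINTABLE = set(string.printable.encode("ascii")) - set(b"\t\n\r\x0b\x0c")


def hexdump_lines(data: bytes, width: int = 16) -> list[str]:
    """Render data as offset | hex pairs | ASCII, `width` bytes per row."""
    lines = []
    for offset in range(0, len(data), width):
        chunk = data[offset:offset + width]
        hex_part = " ".join(f"{b:02x}" for b in chunk).ljust(width * 3 - 1)
        ascii_part = "".join(chr(b) if b in PRINTABLE else "." for b in chunk)
        lines.append(f"{offset:08x}  {hex_part}  {ascii_part}")
    return lines


def header_end(data: bytes):
    """Offset just past the blank line separating the header block from the body,
    or None when the message has no separator at all."""
    for sep in (b"\r\n\r\n", b"\n\n"):
        idx = data.find(sep)
        if idx != -1:
            return idx + len(sep)
    return None


def nul_offsets(data: bytes) -> list[int]:
    """Offsets of NUL bytes; RFC 5322 text never contains them."""
    return [i for i, b in enumerate(data) if b == 0]


def header_anomalies(data: bytes) -> list[int]:
    """NUL offsets that fall inside the header block, the part parsers decode."""
    end = header_end(data)
    limit = len(data) if end is None else end
    return [i for i in nul_offsets(data) if i < limit]


# Constructed sample, not a real message: a NUL byte spliced into the Subject.
SAMPLE = b"Subject: Inv\x00oice\r\n\r\nbody"

if __name__ == "__main__":
    print("\n".join(hexdump_lines(SAMPLE)))
    print("header ends at", header_end(SAMPLE), "NULs in header:", header_anomalies(SAMPLE))
```

Run against a whole message file, the NUL offsets and the header-end offset are the values to write into the evidentiary note, since they can be re-derived from the disk image by anyone with a hex editor.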

Raw RFC 5322 View for Protocol Inspection

Raw message view renders the unparsed RFC 5322 source as it sits in the mailbox file - exactly the bytes an SMTP server would have written when the message was delivered. Headers are separated from the body by the empty line; MIME multipart boundaries, base64-encoded attachment payloads, and transfer encodings are all visible. Useful when the parsed views (content, properties, header) hide a relevant detail through their parsing - the raw view shows what the parser actually saw.

Properties View for Structured Metadata

Properties view presents per-message metadata as a structured table: message size in bytes, internal dates (Date header, Received timestamps, server-assigned arrival time), folder location within the source mailbox, attachment count and sizes, encryption flags, importance markers, read/unread state, message-ID, conversation thread ID, internet headers as a separate sub-table. Useful for cataloging across many messages where the analyst needs metadata facts without the full message body.

Quick Search Across Loaded Mailboxes

Quick search queries every loaded mailbox by sender address, recipient address, subject text, or message body content. Results return source filename, folder path, message position, matching field, and matching cell content. Useful for finding all messages from a specific suspected-phishing sender across multiple loaded source files, locating every message containing a specific URL or phrase, and sampling the message corpus before committing to a full forensic walk-through.
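An added Python example, not the wizard's code, of the search described above: it reads each mbox under a read-only handle, splits it on mbox "From " envelope lines, and reports source filename, message position, matching field and matching text for each hit. The two-message mbox is constructed for the demonstration; the tool's own search and its handling of other formats may differ.

```python
import email
import os
import re
import tempfile
from email import policy

MBOX_SEPARATOR = re.compile(rb"(?m)^From .*\r?\n")   # mbox "From " envelope line

# Constructed two-message mbox, not from any real mailbox.
SAMPLE_MBOX = b"""\
From alerts@payroll.example Mon Oct  6 09:00:00 2025
From: "Payroll" <alerts@payroll.example>
To: staff@example.com
Subject: Updated direct deposit form
Date: Mon, 06 Oct 2025 09:00:00 +0000

Please confirm your details at http://payroll-update.example/form

From colleague@example.com Mon Oct  6 10:00:00 2025
From: colleague@example.com
To: staff@example.com
Subject: Lunch
Date: Mon, 06 Oct 2025 10:00:00 +0000

Pizza on Friday?
"""


def iter_mbox(path):
    """Yield (position, message) from an mbox file opened read-only."""
    with open(path, "rb") as fh:
        data = fh.read()
    chunks = [c for c in MBOX_SEPARATOR.split(data) if c.strip()]
    for position, raw in enumerate(chunks):
        yield position, email.message_from_bytes(raw, policy=policy.default)


def body_text(msg) -> str:
    body = msg.get_body(preferencelist=("plain", "html"))
    return body.get_content() if body is not None else ""


def quick_search(mbox_paths, term, fields=("sender", "recipient", "subject", "body")):
    """Case-insensitive substring search over the chosen fields of every message
    in every listed mbox; each hit names file, position and matching field."""
    needle = term.lower()
    hits = []
    for path in mbox_paths:
        for position, msg in iter_mbox(path):
            candidates = {
                "sender": msg.get("From", ""),
                "recipient": ", ".join(v for v in (msg.get("To"), msg.get("Cc")) if v),
                "subject": msg.get("Subject", ""),
                "body": body_text(msg),
            }
            for field in fields:
                if needle in candidates[field].lower():
                    hits.append({"file": os.path.basename(path), "position": position,
                                 "field": field, "match": candidates[field].strip()})
    return hits


def demo():
    """Write the constructed mbox to a temp dir and run two searches."""
    path = os.path.join(tempfile.mkdtemp(), "inbox.mbox")
    with open(path, "wb") as fh:
        fh.write(SAMPLE_MBOX)
    return {"url": quick_search([path], "payroll-update.example"),
            "recipient": quick_search([path], "staff@example.com")}
```

The position returned is the message's index within its mbox, which is stable as long as the source is never rewritten, so it can serve as the citation a later reviewer uses to find the same message in the same file.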

PDF Export for Hardcopy Evidence

For evidentiary documentation, the wizard exports selected messages to PDF with the full message header block printed at the top of each page, message body underneath, and any attachments embedded as additional PDF pages. Useful for court submissions where physical hardcopy is requested, internal incident reports where the full message context needs preservation, and case files where each PDF gets attached to a specific investigation ticket.

  • 100+ source file formats
  • 5.0 / 5 reviewer satisfaction
  • 5 view modes per message
  • 20+ desktop client profiles

Simple 3-Step Process

Three Phases of Forensic Inspection

Load, inspect, document - the forensic workflow at the high level. Each phase exposes specific wizard surfaces (source picker, view-mode toggles, export dialog) that the eleven-step walkthrough later on this page covers in full detail.

1. Load the Source Mailbox

Click Open, then pick source type: Email Data Files (EML, MBOX, PST, MSG, OLM, OST file picker), Desktop Email Clients (auto-detected Outlook, Thunderbird, eM Client, Postbox profiles). Source files open under read-only handles - source bytes never get modified during inspection.

2. Switch Between View Modes

Click any loaded message, then toggle between the five views: content for rendered body, properties for metadata table, header for RFC 5322 decode, hex for byte-level audit, raw for unparsed source. Each view exposes a different abstraction level of the same underlying message bytes.

3. Document Findings to Hardcopy

For evidentiary documentation, click Export > PDF on selected messages. The wizard renders each message as a PDF with full header block printed, message body underneath, attachments embedded as additional pages. Trial caps export count for evaluation; licensed wizard exports unlimited counts of selected messages.

Software Compatibility

Source Format and View Mode Reference

Sources: 100+ file formats spanning common (EML, MBOX, PST, OST, MSG, OLM, EMLX, OFT, DBX) and legacy/obscure (Eudora MBX, IBM Notes NSF, Outlook Express DBX, Calypso, FoxMail, MBS Outlook archive, Mailwasher cache, Incredimail, Chaos Intellect, OE Classic). Source profiles auto-detected from 20+ desktop email clients via Windows registry entries and standard data-folder paths. View modes: content (rendered HTML body with formatted headers), properties (structured metadata table), message header (decoded RFC 5322 header block), hex (offset/byte/ASCII triplet), raw message (unparsed RFC 5322 source). Export: PDF for hardcopy evidence, IMAP for analyst inbox transfer.

Input file formats / servers: EML, MBOX, Outlook PST, Outlook OLM, MSG, OFT, iCloud, Google Takeout, Maildir, vCard, CommuniGate, Kerio, MDaemon, Zimbra

Specialized and Tested Across Every Common Email Source

The Email Forensics Investigation Tool reads source mailboxes under OS-level read-only file handles for evidentiary integrity. Whether the source sits as an orphan PST on seized hardware, an exotic legacy format from a decommissioned mail client, or behind a Thunderbird profile auto-detected via Windows registry, the wizard parses it natively without requiring the original mail client installed at the analyst workstation.

[Screenshot: PCDOTS Email Forensics Investigation Tool v3.5 launch screen with Open menu and source picker]

Complete Format Coverage

Source Format Compatibility Reference

Browse the full list of input file source mailbox formats and desktop client profiles the wizard ingests under read-only handles, plus the five view modes the analyst toggles between for inspection.

Email File Formats (8 formats)

Format | Full Name | Type | Description
--- | --- | --- | ---
PST (Input & Output) | Personal Storage Table | Microsoft Outlook | Primary Outlook data file containing emails, contacts, calendar, tasks, and notes.
OST (Input) | Offline Storage Table | Microsoft Outlook | Offline cached copy of Exchange mailbox data. Supports inaccessible or orphaned OST files.
MBOX (Input & Output) | Mailbox Format | Thunderbird, Apple Mail, Eudora | Universal text-based mailbox format used by dozens of email clients and servers (see IETF RFC 4155 specification).
EML (Input & Output) | Email Message | Multiple clients | Individual RFC 822 email message files. Widely supported by Windows Mail, Outlook Express, and others.
MSG (Input & Output) | Outlook Message | Microsoft Outlook | Single Outlook email message in Compound Document File format. Preserves all metadata.
OFT (Input) | Outlook File Template | Microsoft Outlook | Outlook email template files. PCDOTS converts OFT templates to any supported format.
OLM (Input) | Outlook for Mac Archive | Mac Outlook | Native archive format for Outlook on macOS. Contains emails, contacts, and calendar data.
DBX (Input) | Outlook Express Mailbox | Outlook Express | Legacy email storage format used by Microsoft Outlook Express (discontinued in 2006).

Desktop Email Clients (9 clients)

Email Client | Platform | Storage Format | Inspection Support
--- | --- | --- | ---
Microsoft Outlook | Windows / Mac | PST, OST, OLM | Full: emails, contacts, calendar, tasks, notes, attachments
Mozilla Thunderbird | Windows / Mac / Linux | MBOX | Full: all folders, subfolders, attachments, filters
Mailbird | Windows | Local profile store | Full: all mailbox data including multiple accounts
eM Client | Windows / Mac | Local database file | Full: messages, contacts, calendar, attachments
Mailspring | Windows / Mac / Linux | Local profile store | Full: all email data and account configurations
Postbox | Windows / Mac | MBOX | Full: Thunderbird-compatible MBOX format
Windows Live Mail | Windows | EML + WLMX | Full: all message folders and account data
Eudora | Windows / Mac | MBX (MBOX variant) | Full: legacy Eudora mailbox files
IceWarp | Windows / Linux | Proprietary | Full: direct IceWarp server data export

Cloud & Webmail Services (7 services)

Service | Type | Direction | Auth Method
--- | --- | --- | ---
Gmail / Google Workspace | Cloud Webmail | Input & Output | OAuth 2.0 / App Password
Microsoft Office 365 | Cloud Business | Input & Output | OAuth 2.0 / Modern Auth
Yahoo Mail | Cloud Webmail | Input & Output | App-specific Password
iCloud Mail | Cloud Webmail | Input & Output | App-specific Password
Hotmail / Outlook.com | Cloud Webmail | Input & Output | OAuth 2.0
Google Takeout | Export Archive | Input | Takeout ZIP / MBOX
Any IMAP Server | Universal Protocol | Input & Output | IMAP / SSL / TLS

Email Servers (5 servers)

Server | Type | Storage Format | Notes
--- | --- | --- | ---
Zimbra | Open Source Server | Zimbra TGZ | Supports Zimbra Community & Enterprise editions
MDaemon | Windows Mail Server | MDaemon MAI | Direct MDaemon user folder access, no export needed
Kerio Connect | Business Mail Server | Kerio IMAP Store | Converts Kerio data stores directly without server access
Communigate Pro | Enterprise Server | Communigate CGP | Supports all Communigate mailbox folder structures
Lotus Notes / HCL | IBM/HCL Platform | NSF | Via intermediary parser. Contact support for enterprise plans.

Output Destinations (13 outputs)

Output Format | Category | Best Used For
--- | --- | ---
PST | Email File | Importing into Microsoft Outlook on any Windows PC
MBOX | Email File | Thunderbird, Apple Mail, Postbox, or any MBOX-compatible client
EML | Email File | Windows Mail, individual email archiving, or web uploads
MSG | Email File | Saving individual Outlook messages with full metadata
PDF | Document | Legal archiving, compliance, sharing non-editable email records
HTML | Document | Web-based email viewing, readable in any browser
CSV | Spreadsheet | Extracting email data for analysis in Excel or Google Sheets
vCard (VCF) | Contacts | Exporting contacts to any address book or CRM
ICS | Calendar | Exporting calendar events to Google Calendar, Apple Calendar
TXT | Plain Text | Simple archiving, text analysis, or importing into databases
Gmail | Cloud Service | Direct migration. Emails appear in Gmail inbox immediately
Office 365 | Cloud Service | Direct migration to Microsoft 365 business mailboxes
IMAP Server | Protocol | Any IMAP-compatible server: Dovecot, Postfix, Exchange, etc.

Advanced Filters

What Else the Wizard Surfaces During Investigation

Beyond the five core view modes, several secondary capabilities matter during forensic work. Sender identity tracing: the header view automatically resolves the From address against the Reply-To and Return-Path headers and surfaces any mismatch (a common phishing tell where the visible From shows a trusted sender but Reply-To routes to an attacker-controlled mailbox). The X-Originating-IP header value (when present) gets cross-referenced against geolocation databases for a city-level origin estimate; this is informational only and does not call out to any external service from the analyst workstation.

Received chain analysis: each Received header line records one relay hop in the SMTP delivery path, with a timestamp. The wizard parses the chain top-to-bottom (origin to destination) and renders it as a numbered list with hop count, relay hostname, relay IP, and inter-hop timestamp delta. Useful for spotting forged Received headers (timestamps that go backwards in time, hostnames that do not resolve, IP addresses inside ranges that do not match the claimed hostname).
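An added Python example, not PCDOTS code, covering both the header inspection described in the Message Header Inspection section and the Received chain analysis above: it compares the visible From domain against Sender, Reply-To and Return-Path, parses each Received line into its relay clauses, IPv4 address and timestamp, and flags hops whose timestamp precedes the hop before them. Each MTA prepends its own Received line, so the example reverses the header order to list hops origin-first, matching the numbered list the text describes. The message is constructed for the demonstration using RFC 5737 documentation addresses; the hostnames and domains are not real.

```python
import email
import re
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample, not from any real case. The visible From claims a bank,
# Reply-To and Return-Path route to another domain, and the origin hop is
# stamped later than the relay that received the message from it.
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
Received: from mx2.example.net (mx2.example.net [192.0.2.20])
\tby mail.example.com with ESMTP id abc123; Mon, 06 Oct 2025 09:00:05 +0000
Received: from relay.example.org (relay.example.org [198.51.100.7])
\tby mx2.example.net with ESMTP; Mon, 06 Oct 2025 09:00:01 +0000
Received: from [203.0.113.9] (unknown [203.0.113.9])
\tby relay.example.org with SMTP; Mon, 06 Oct 2025 09:30:00 +0000
From: "Example Bank Support" <support@bank.example>
Reply-To: support-desk@mailer.example.net
To: victim@example.com
Subject: Account notice
Message-ID: <constructed-1@mailer.example.net>

Please review the attached notice.
"""

SENDER_HEADERS = ("From", "Sender", "Reply-To", "Return-Path")
IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def sender_domains(msg):
    """Domain behind each sender-related header that is present."""
    return {name: parseaddr(msg[name])[1].rpartition("@")[2].lower()
            for name in SENDER_HEADERS if msg[name]}


def sender_mismatches(msg):
    """Sender-related headers whose domain differs from the visible From domain."""
    domains = sender_domains(msg)
    visible = domains.get("From")
    return sorted(n for n, d in domains.items() if n != "From" and d != visible)


def received_chain(msg):
    """Received hops in delivery order (origin first).

    Each MTA prepends its Received line, so the topmost header is the final hop;
    reversing the header order gives origin -> destination."""
    hops = []
    for raw in reversed(msg.get_all("Received", [])):
        text = " ".join(raw.split())                  # unfold continuation lines
        clauses, _, stamp = text.rpartition(";")
        ip = IPV4.search(clauses)
        hops.append({"clauses": clauses.strip(),
                     "ip": ip.group(1) if ip else None,
                     "time": parsedate_to_datetime(stamp.strip())})
    return hops


def backwards_hops(hops):
    """Indices of hops stamped earlier than the hop before them: a later relay
    cannot have received the message before the earlier relay handed it on."""
    return [i for i in range(1, len(hops)) if hops[i]["time"] < hops[i - 1]["time"]]


def analyze(raw_text: str) -> dict:
    """Provenance summary: sender-header mismatches, hop list, backwards hops."""
    msg = email.message_from_string(raw_text)
    hops = received_chain(msg)
    return {"mismatches": sender_mismatches(msg),
            "hops": hops,
            "backwards": backwards_hops(hops),
            "x_originating_ip": msg.get("X-Originating-IP")}
```

A backwards timestamp is evidence of an inconsistent chain, not proof of forgery on its own: relay clocks drift, so the hop's delta should be read together with whether its hostname and address agree.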

Attachment isolation: each attachment in a loaded message gets surfaced separately with filename, declared Content-Type, declared size, actual byte size, and Content-Disposition value. The analyst can spot mismatches (a file named invoice.pdf with Content-Type application/x-msdownload is suspect) without opening the attachment. Attachments are NOT auto-extracted to disk during inspection - the analyst commits explicitly via the Extract option, which writes to an operator-chosen folder for further sandboxed analysis.

[Screenshot: PCDOTS Email Forensics Investigation Tool v3.5 quick search interface]

Why Users Switch to PCDOTS

Five Forensic Inspection Blockers and Their Fixes

Forensic email inspection runs into specific blockers that other workflows do not. The analyst needs to read bytes that the original mail client may no longer render, document what was on disk without contaminating the evidence, and trace sender provenance through headers most users never see. Five recurring blockers that this wizard handles where lighter tools do not.

Problems You're Facing

Original mail client is gone but the mailbox file remains
A seized workstation has a 15-year-old Outlook Express DBX file, an Eudora MBX archive, or an Incredimail folder. The original client does not run on modern Windows. Generic forensic viewers handle PST and MBOX but not the long tail of legacy formats. The wizard parses 100+ source formats including the legacy ones, so the analyst does not need to install obsolete software just to read evidentiary data.

Forensic viewer modifies source bytes during inspection
Lighter tools mark messages "read", update the mailbox's last-modified timestamp, or rewrite specific PST internal pointers as a side effect of parsing. Any of these constitutes a chain-of-custody violation that opposing counsel will surface in court. The wizard's OS-level read-only file handles guarantee no write syscalls reach the source - the kernel rejects writes regardless of what wizard code might attempt.

Visible From address looks legitimate but the message is fake
The displayed From address is just one header among many. Sophisticated phishing fakes the From while routing replies elsewhere via Reply-To, or fakes both visible-sender headers while leaving the Return-Path pointing at the real attacker mailbox. The wizard's header view surfaces all six sender-related headers (From, Sender, Reply-To, Return-Path, X-Sender, X-Originating-IP) side by side; mismatches become visible at a glance.

Need byte-level audit of message file but only have a viewer
A reviewer asks "what bytes were actually on disk for this message". A standard mail client renders parsed content - byte-level evidence has been transformed before display. The wizard's hex view shows offset, byte hex, and ASCII representation side by side at every disk position in the message file; null-byte injection, MIME boundary tampering, and similar byte-level anomalies surface immediately.

Court submission needs hardcopy with full header chain
Print-to-PDF from a standard mail client produces output that shows the visible message body only, dropping the technical headers that matter for evidentiary purposes. The wizard's PDF export prints the full RFC 5322 header block at the top of each message PDF, the body underneath, and attachments as additional embedded pages. Court reviewers receive a single PDF capturing both human content and technical evidence.

How PCDOTS Fixes It

100+ source formats including legacy and obscure
EML, MBOX, PST, OST, MSG, OLM, EMLX, OFT, DBX covers the standard formats. The long tail covers what shows up on seized legacy hardware: Eudora MBX, IBM Notes NSF, Outlook Express DBX, Calypso, FoxMail, MBS Outlook archive, Mailwasher cache, plus profiles from clients no longer in production (Incredimail, Chaos Intellect, OE Classic). One wizard, every source you encounter in the wild.

OS-level read-only handles guarantee no source mutation
Source files open through the Win32 CreateFile API with GENERIC_READ desired access and FILE_SHARE_READ share mode. The OS kernel grants the wizard a read-only handle and refuses any write or modify-attribute call made through it. PST and OST sources additionally use shared-read mode so an open Outlook session does not block the wizard from inspecting the live file - both processes read the same bytes simultaneously.

Direct MBOX to Gmail migration in a single click
Connect your Gmail account inside the converter. PCDOTS pushes the messages straight into your inbox without a download and re-upload step.

Five view modes for byte to header to body inspection
Content view for casual reading. Properties view for structured metadata catalog. Message header view for sender provenance and Received chain. Hex view for byte-level audit. Raw RFC 5322 view for protocol-level inspection. The same loaded message exposes all five abstractions; the analyst toggles between them based on what the current investigation step requires.

PDF export with full header block embedded
Selected messages export to PDF with the full RFC 5322 header block printed at the top of each page (From, Reply-To, Return-Path, Date, Subject, Message-ID, References, In-Reply-To, Received chain entries, X-Originating-IP, custom X-headers from the source server). Body underneath, attachments embedded as additional PDF pages. Court submissions, internal incident reports, case-file documentation - all get the full evidentiary record in a single shareable file.
Real-World Applications

Six Investigation Workflows the Wizard Supports

Forensic email inspection covers more workflows than the courtroom-evidence framing might suggest. The phishing analyst tracing a suspicious link, the fraud examiner reconstructing a vendor-impersonation scam, the IT incident-responder triaging a compromised account, the HR investigator documenting a harassment complaint - all of these involve reading email bytes carefully without modifying them. Six recurring scenarios where read-only inspection earns its place.

Phishing Email Provenance Analysis

A user reports a suspicious email claiming to be from a bank, vendor, or internal executive. The security analyst loads the user's mailbox, switches to header view on the suspect message, traces the Received chain top-to-bottom, and compares the visible From address against the Reply-To and Return-Path values. Mismatches between visible-sender and reply-routing surface immediately. The X-Originating-IP header (when present) places the actual sender geographically, which often disconfirms the claimed identity.


Vendor-Impersonation Fraud Investigation

A finance team gets a payment-redirect email apparently from a known vendor changing the bank account for an upcoming invoice. The fraud examiner loads the inbox, opens the suspect message in raw RFC 5322 view to see the full unparsed source, and compares Received headers against legitimate prior messages from the same vendor. Forged Received headers (timestamps going backward, hostnames not matching IP ownership) confirm the message did not actually originate from the vendor's mail server.


Compromised Account Incident Response

IT detects anomalous email activity on an employee account - sent messages the user does not remember, forwarding rules they did not configure, login activity from unusual geographies. The incident responder loads the account's sent folder and sifts through messages sent during the suspected compromise window. Hex view confirms whether the messages' raw bytes match what the legitimate account holder would write or whether automated tooling generated them.


HR Investigation Documentation

An HR investigation needs to document specific email evidence in an internal misconduct complaint - harassing messages, after-hours communication, suspicious attachment exchanges. The investigator loads the relevant mailboxes, switches to properties view to catalog metadata across the message corpus, exports the relevant subset to PDF with full headers preserved, and attaches the PDFs to the case file with chain-of-custody documentation showing source files were never modified during inspection.


Litigation Support and E-Discovery

Outside counsel requests specific custodian email in support of pending litigation under FRCP Rule 34. The litigation-support team loads the custodian's archived mailboxes, runs quick search across the corpus for relevant senders/recipients/subjects, validates message authenticity through hex and raw RFC 5322 views, and exports the responsive set to PDF for production. Read-only ingestion ensures the produced set matches the custodian's on-disk source byte-for-byte.


Suspicious Attachment Examination

A user opens a questionable attachment and the security team needs to assess what was actually delivered. The analyst loads the message, switches to properties view to inspect attachment metadata (declared Content-Type vs filename extension, declared size vs actual byte size), then uses hex view to inspect the attachment header bytes for magic-number mismatches (a file named invoice.pdf with the MZ executable header is a payload, not a document). Attachments stay isolated until the analyst explicitly extracts.
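An added Python example, not the wizard's code, of the attachment metadata checks described in the Attachment isolation section and in this workflow: for each MIME attachment it records the declared Content-Type, the type implied by the filename extension, the type implied by the leading magic bytes, the transfer-encoded and decoded sizes and the Content-Disposition, and flags any disagreement among them. Payloads stay in memory; nothing is extracted to disk. The message, with a PE executable header inside a file named invoice.pdf, is constructed for the demonstration, and the magic-number table covers only a few common types.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Leading bytes (magic numbers) for a few common attachment types.
MAGIC = {
    b"%PDF": "application/pdf",
    b"MZ": "application/x-msdownload",      # Windows PE executable
    b"PK\x03\x04": "application/zip",       # also .docx/.xlsx containers
    b"\x89PNG": "image/png",
}
# What the filename extension implies the content should be.
EXT_TYPES = {".pdf": "application/pdf", ".exe": "application/x-msdownload",
             ".zip": "application/zip", ".png": "image/png"}


def sniff_type(payload: bytes):
    """MIME type implied by the payload's magic bytes, or None if unrecognised."""
    for magic, mime in MAGIC.items():
        if payload.startswith(magic):
            return mime
    return None


def attachment_report(raw: bytes) -> list:
    """One record per attachment: declared vs extension-implied vs sniffed type,
    sizes and disposition, with a `suspect` flag on any disagreement."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        name = part.get_filename() or ""
        declared = part.get_content_type()
        ext_type = EXT_TYPES.get(os.path.splitext(name)[1].lower())
        sniffed = sniff_type(payload)
        suspect = ((sniffed is not None and sniffed != declared)
                   or (ext_type is not None and ext_type != declared))
        report.append({"filename": name, "declared_type": declared,
                       "extension_type": ext_type, "sniffed_type": sniffed,
                       "encoded_size": len(part.get_payload(decode=False) or ""),
                       "actual_size": len(payload),
                       "disposition": part.get_content_disposition(),
                       "suspect": suspect})
    return report


def build_sample() -> bytes:
    """Constructed message: one attachment is a PE executable header wearing a
    .pdf name and an application/pdf Content-Type, the other a genuine PDF stub."""
    msg = EmailMessage()
    msg["From"] = "billing@vendor.example"
    msg["To"] = "ap@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Invoice attached.")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"%PDF-1.7\n%constructed stub\n", maintype="application",
                       subtype="pdf", filename="receipt.pdf")
    return msg.as_bytes()
```

The declared type and the extension are both attacker-controlled; only the sniffed type comes from the bytes that were actually delivered, which is why the report keeps all three side by side rather than trusting any one of them.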

Why Customers Choose This Tool

Eight Capability Specs Worth Knowing

Forensic email tools split into two architectural camps. The lighter camp converts source mailboxes to a single output format and lets the analyst read the converted output - which means the inspection sees the converter output, not the original bytes. The heavier camp preserves source bytes and surfaces them through multiple parsing layers - which means the inspection sees what was actually on disk. PCDOTS sits firmly in the heavier camp. Eight capability specs that distinguish a serious forensic tool from a lighter converter-with-viewer.

Read-Only File Handles, Not Just Read-Only Intent

Most "read-only" claims in forensic-tool marketing are policy-level: the tool does not write to source files because the developer chose not to add a write code path. PCDOTS goes one layer deeper: the wizard requests OS-level read-only handles from the file system, which means even a hypothetical bug in the parser cannot accidentally issue a write syscall against the source. The OS rejects writes at the kernel layer regardless of what the wizard might try to do.
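An added Python example, not PCDOTS code, of the read-only ingestion discipline described in the Read-Only Ingestion Architecture section and here. The page describes Win32 CreateFile with GENERIC_READ and FILE_SHARE_READ; this example uses the portable analogue, os.open with O_RDONLY and a read-only memory map, and adds the check a reviewer wants alongside it: a SHA-256 digest of the source before and after inspection, plus proof that write attempts through both the descriptor and the mapping are rejected by the operating system. The EML file is constructed for the demonstration.

```python
import hashlib
import mmap
import os
import re
import tempfile

# Constructed sample message, written to a temp file so the demo runs offline.
SAMPLE_EML = (b"From: sender@example.com\n"
              b"To: analyst@example.com\n"
              b"Subject: Evidence item 1\n"
              b"Message-ID: <constructed-1@example.com>\n"
              b"\n"
              b"Body text.\n")


def sha256_file(path: str) -> str:
    """Digest of the file as it sits on disk; recorded before and after."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def inspect_read_only(path: str) -> dict:
    """Hash the source, open it with a read-only descriptor (O_RDONLY is the
    POSIX analogue of GENERIC_READ without write access), parse it through a
    read-only memory map, prove write attempts fail, then re-hash."""
    before = sha256_file(path)
    fd = os.open(path, os.O_RDONLY)
    try:
        try:
            os.write(fd, b"tamper")            # descriptor has no write access
            fd_write_rejected = False
        except OSError:
            fd_write_rejected = True
        with mmap.mmap(fd, 0, access=mmap.ACCESS_READ) as view:
            try:
                view[0:1] = b"X"               # read-only mapping rejects this
                mmap_write_rejected = False
            except TypeError:
                mmap_write_rejected = True
            data = bytes(view)                 # the parser works on this copy
    finally:
        os.close(fd)
    header_block = re.split(rb"\r?\n\r?\n", data, maxsplit=1)[0]
    return {"sha256_before": before,
            "sha256_after": sha256_file(path),
            "fd_write_rejected": fd_write_rejected,
            "mmap_write_rejected": mmap_write_rejected,
            "header_lines": len(header_block.splitlines()),
            "size": len(data)}


def demo() -> dict:
    """Write the constructed EML to a temp dir and inspect it read-only."""
    path = os.path.join(tempfile.mkdtemp(), "item1.eml")
    with open(path, "wb") as fh:
        fh.write(SAMPLE_EML)
    return inspect_read_only(path)
```

The two digests belong in the chain-of-custody record: they are what a later reviewer compares against the disk image to confirm the inspection left the source untouched, independently of what the tool claims about its own handles.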

Five Distinct View Modes Per Message

Lighter forensic viewers expose two view modes (rendered body + raw text). PCDOTS exposes five: content view (HTML body with formatted headers), properties view (structured metadata table), message header view (decoded RFC 5322 header block), hex view (offset/byte/ASCII triplet), raw message view (unparsed RFC 5322 source). Each view exposes a different abstraction level; relevant evidence sometimes hides at one level and surfaces immediately at another.

X-Originating-IP and Received-Chain Tracing

Sender provenance lives in the Received chain - one header line per relay hop in the SMTP delivery path. The wizard renders the chain as a numbered list (origin to destination) with timestamps, hostnames, and IP addresses at each hop. Forged Received headers (backwards timestamps, hostnames not resolving to claimed IPs, IP geolocation outside the claimed origin) become visible without manual header parsing.

Hex View With Side-by-Side ASCII

The hex view renders the message file as three columns: byte offset (hex), byte stream (hex pairs, 16 bytes per row), ASCII representation (printable characters, dots for non-printable). Useful for confirming bytes claimed in the parsed header match bytes on disk, for spotting null-byte injection between MIME parts, and for documenting evidentiary state at the byte level when court reviewers ask "what was actually on the disk".

100+ File Formats, 20+ Client Profiles

Source coverage spans 100+ formats (EML, MBOX, PST, OST, MSG, OLM, EMLX, OFT, DBX, Eudora MBX, IBM Notes NSF, Outlook Express DBX, Calypso, FoxMail, plus less common variants) and 20+ desktop client profiles auto-detected from the local Windows installation (Outlook, Thunderbird, eM Client, Postbox, MailBird, MailSpring, IceWarp, Lotus Notes, Windows Live Mail, SeaMonkey, Sylpheed, Evolution, Opera Mail, IncrediMail, Chaos Intellect, OE Classic). One wizard, every common source.

Auto-Detect Client Profiles From Registry

Profile auto-detection reads each supported client's registry entries (HKCU\Software\Microsoft\Office for Outlook, HKCU\Software\Mozilla for Thunderbird, etc.) and standard data-folder paths (%APPDATA%, %LOCALAPPDATA%, %USERPROFILE%) to surface available accounts in a single dropdown. The analyst does not need to manually locate the PST file or Thunderbird profile folder - the wizard finds the source mailboxes that actually exist on the workstation.

PDF Export Embeds Full Header Block

Most forensic-tool PDF exports render the visible message body only, dropping the technical headers that matter for evidentiary purposes. PCDOTS PDF export prints the full RFC 5322 header block at the top of each message PDF, the message body underneath, and any attachments as additional embedded pages. Court reviewers receive a single PDF that captures both the human-readable content and the technical-evidence header chain.

Compatible With Windows 7 Through Windows 11

Wizard runs on Windows 11, 10, 8.1, 8, 7, Vista, XP and Windows Server 2008/2012/2016/2019/2022. .NET Framework 4.5 is the only runtime requirement. Useful for forensic work on seized legacy hardware (XP-era desktops, Server 2003 mail hosts) where the source mailbox might be in a format the original mail client no longer renders cleanly but the wizard still parses without issue.

Technical Specs

System and Software Requirements

What you need to run the Email Forensics Investigation Tool for Windows, plus the trial limitations.

Software Name | PCDOTS Email Forensics Investigation Tool
Current Version | 3.4
Processor | Pentium-class or higher
RAM | Minimum 2 GB
Hard Drive Space | 100 MB free space
Operating System | Windows 11, 10, 8.1, 8, 7, Vista, XP. Server 2019, 2016, 2012, 2008, 2003 and earlier.
Email Clients & Formats | Export options · Product guide
Install / Uninstall | Install (PDF) · Uninstall (PDF) · Refund policy

Trial limitation: the demo edition caps PDF export at 25 messages per session; all five view modes work without restriction so you can verify accuracy on real data before purchasing. The full edition has no limits and ships with a lifetime license.

Trial vs Full

Trial vs Licensed Edition for Forensic Work

Trial and licensed editions ship the same binary - identical source ingestion paths, identical 100+ format support, identical five view modes, identical search. The trial caps PDF export at 25 messages per session for evaluation; all view modes work without restriction so the analyst can verify the wizard handles the actual source mailboxes the investigation uses. Licensed edition runs $49 one-time per workstation; the license is perpetual and ships lifetime updates. Multi-seat lab licenses available on request for incident response teams running parallel investigations across several analyst workstations.

Feature | Trial Version | Full Version
--- | --- | ---
Read-Only Forensic Inspection | 10 items per folder | Unlimited
Quick Search and Advanced Search | |
Five View Modes Per Message | |
100+ Source File Formats | |
Lifetime License Validity | No |
24/7 Customer Support | No |
Windows 32-bit and 64-bit Editions | |
Price | Free | $49
30-Day Refund Policy | |

Honest Comparison

How PCDOTS Compares to Other Forensic Email Tools

Forensic email tools split across capability tiers. Built-in mail client viewers (Outlook reading view, Thunderbird message source) handle one source format and skip the technical headers users do not normally see. Free hex editors (HxD, 010 Editor) read raw bytes but offer no email-specific parsing. Forensic suites (EnCase, FTK Imager, X-Ways) handle email but bundle it inside larger general-purpose forensic platforms with corresponding price tags. Standalone forensic email tools include PCDOTS, MailXaminer, Aid4Mail Forensic, and a few smaller offerings - the matrix below isolates this category and surfaces capability differences.

Feature | PCDOTS (Best Choice) | Other Paid Tools (Aid4Mail, Stellar, etc.) | Free Tools / Online
--- | --- | --- | ---
100+ Source File Formats | 25+ | 10 to 40+ | 2 to 5
No Client Application Required | Yes | Partial | No
OS-Level Read-Only File Handles | Yes | Yes | No
Auto-Detect Client Profiles | Yes | Partial | No
Five View Modes Per Message | Yes | Partial | No
Hex View With Side-by-Side ASCII | Yes | Partial | No
Quick Search and Advanced Search | Yes | Limited | No
Received-Chain Tracing | Yes | Partial | No
Free Trial Available | Yes | Yes | Yes
Lifetime License | Yes | No | N/A
PDF Export With Full Header Block | Yes | Varies | No
24x7 Customer Support | Yes | Limited | No
30-Day Refund Policy | Yes | Varies | N/A
Starting Price | $49 | $49 to $149+ | Free (limited)

Matrix sourced from competitor product documentation as of October 2025. The standalone field includes MailXaminer, Aid4Mail Forensic, and several smaller utilities; cells reflect each vendor's stated capability for forensic email inspection on Windows. General-purpose forensic suites (EnCase, FTK Imager, X-Ways) are excluded since they bundle email inspection inside larger platforms with different pricing models. Reviewer count: 100 verified responses across G2, Capterra and Trustpilot.

Video Tutorial

See the Wizard in Action

A short walkthrough of source loading, view-mode switching across the five inspection layers, and PDF export with full header block embedding.

5-minute walkthrough on YouTube.

Real Performance Numbers

Forensic Tool Performance Reference

Two data sources feed the numbers below. The first is internal regression test runs against synthetic forensic case files: small mailboxes (1,000 messages) through stress tests (500,000 messages), every supported source format validated against parser correctness, and read-only handle verification through Win32 API call tracing. The second is post-investigation analyst survey responses (100 valid responses) reporting on view mode usefulness during actual case work and chain-of-custody documentation quality.

  • 85% customer satisfaction
  • 93% output accuracy
  • 99% successful test runs

How It Works

Eleven-Step Forensic Inspection Walkthrough

The walkthrough below covers every dialog the wizard puts in front of the analyst from launch through evidentiary export, with the matching screenshot for each. Analyst time per investigation runs from a couple of minutes (single suspicious message, header view inspection only) to about ten minutes per investigation phase plus the actual reading time spent in each view mode (which varies wildly with case complexity).

Launch the Email Forensics Tool

Run the wizard from the Start menu shortcut or desktop icon. The source-selection panel opens with the Open button at the top of the toolbar. The navigation pane on the left stays empty until a source mailbox is loaded; the preview pane on the right also stays empty.

Pick the Source Type

Click Open. The dropdown offers Email Data Files (file picker for EML, MBOX, PST, OST, MSG, OLM, EMLX, OFT, DBX, plus 90+ legacy formats) or Desktop Email Clients (auto-detected list of installed Outlook, Thunderbird, eM Client, Postbox, MailBird, MailSpring profiles found via the registry and standard data-folder paths).

Load the Source Mailbox

For local files: pick the source from the file picker. The wizard opens it under read-only file handles via the Win32 CreateFile API with FILE_SHARE_READ + GENERIC_READ access flags. For desktop clients: pick a profile from the auto-detected list. Loaded mailbox structure renders in the navigation pane: folders on the left, messages on the right.

Click a Message to Render Content View

Click any message in the navigation pane. The preview pane renders the message in content view by default - HTML body with formatted headers above (From, To, Subject, Date). Five view-mode tabs sit above the preview area: Content (active), Properties, Message Header, Hex, Raw Message. Click any tab to switch the rendering at any time without re-loading.

Switch to Message Header View

Click the Message Header tab to render the full RFC 5322 header block as decoded text. From, Sender, Reply-To, Return-Path, Date, Subject, Message-ID, References, In-Reply-To, the Received chain (one line per relay hop with timestamps), and custom X-headers (X-Originating-IP, X-Mailer, X-Spam-Score, X-Priority, plus any source-server-specific headers). Sender provenance falls out of careful header reading.

Switch to Hex View for Byte-Level Audit

Click the Hex tab to render the message file as three side-by-side columns: byte offset (hex), the byte stream (hex pairs, 16 bytes per row), and ASCII representation (printable characters, dots for non-printable). Useful for verifying bytes claimed in parsed views match bytes on disk, spotting null-byte injection between MIME parts, and documenting evidentiary state at the byte level.

Switch to Raw RFC 5322 View

Click the Raw Message tab to see the unparsed RFC 5322 source as stored on disk - exactly the bytes an SMTP server would have written when the message was delivered. Headers are separated from the body by the empty line; MIME multipart boundaries, base64-encoded attachment payloads, and transfer encodings are all visible. Useful when a parsed view hides a relevant detail behind its parsing layer.

Run Quick Search Across the Mailbox

For finding specific messages within a large source, the Quick Search box at the top of the navigation pane queries every loaded mailbox by sender address, recipient address, subject text, or message body content. Hits return source filename, folder path, message position, matching field, and matching cell content. Useful for tracing a specific suspected-phishing sender across multiple loaded source files.

Select Messages and Click Export to PDF

Check the boxes next to messages relevant to the investigation. Click Export, then PDF. The export dialog opens with destination folder picker, file naming options (default: subject-based filename, alternative: Message-ID-based for evidentiary work), and embed-attachments toggle. Trial caps at 25 messages per session; licensed wizard exports unlimited counts.

Watch the Live Export Progress

During PDF export, the live progress report shows messages processed against total selected, output PDFs written, bytes written, and estimated time remaining. For large export sets (1,000+ messages), the report updates every second so the analyst can monitor progress without staring at a frozen screen. Output writes incrementally - a partial export is recoverable if the run gets interrupted.

Spot-Check the Exported PDFs

When export finishes, the wizard's Open folder when complete toggle (default ON) opens the destination in Windows Explorer. Spot-check the output: PDF count matches selected message count, each PDF's first page shows the full RFC 5322 header block, message body renders below, attachment pages appear after the body. The PDFs are now case-file-ready evidentiary artifacts.
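Steps 5 to 7 (header decode, hex view, raw RFC 5322 view) are three readings of the same bytes, and the reason the hex view earns its place is that a MIME parser quietly absorbs anything that does not look like a boundary line. The block below is an added example written for this page, not PCDOTS code: it splits a message at the empty line, maps the MIME parts, decodes a base64 payload, and renders the offset / hex / ASCII dump the page describes. The sample message, the stray NUL byte between its two parts, and every function name are the example's own.

```python
"""Raw RFC 5322 structure and a hex/ASCII dump of a message file.

Added example for this page, not PCDOTS code. The sample message is
constructed; function names are the example's own.
"""
import base64
import quopri
import re

# Constructed two-part MIME message. A single stray NUL byte (0x00) sits
# between the first part and the second boundary line: a parsed view
# silently merges the two parts, while the hex view shows the byte.
RAW_MESSAGE = (
    b"From: Alice <alice@example.com>\r\n"
    b"To: Bob <bob@example.net>\r\n"
    b"Subject: Q3 report\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n'
    b"\r\n"
    b"--b1\r\n"
    b"Content-Type: text/plain; charset=us-ascii\r\n"
    b"\r\n"
    b"See attached.\r\n"
    b"\x00"  # stray NUL (constructed anomaly) at byte offset 214
    b"--b1\r\n"
    b'Content-Type: application/octet-stream; name="report.bin"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    b"SGVsbG8sIGV2aWRlbmNlIQ==\r\n"
    b"--b1--\r\n"
)


def split_headers_body(raw):
    """Split at the first empty line (CRLF CRLF); RFC 5322 section 3.5."""
    i = raw.find(b"\r\n\r\n")
    if i < 0:
        return raw, b""
    return raw[:i], raw[i + 4:]


def parse_header_fields(header_bytes):
    """Return [(name, value)] with folded continuation lines unfolded."""
    fields = []
    for line in header_bytes.split(b"\r\n"):
        if not line:
            continue
        if line[:1] in (b" ", b"\t") and fields:  # folded continuation
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip().decode("latin-1"))
            continue
        name, _, value = line.decode("latin-1").partition(":")
        fields.append((name.strip(), value.strip()))
    return fields


def get_field(fields, name):
    for n, v in fields:
        if n.lower() == name.lower():
            return v
    return ""


def find_boundary(content_type):
    m = re.search(r'boundary="?([^";\s]+)"?', content_type)
    return m.group(1) if m else None


def split_mime_parts(body, boundary):
    """Return [(part_fields, part_body)] using exact delimiter lines only."""
    delim, closing = b"--" + boundary.encode(), b"--" + boundary.encode() + b"--"
    groups, current = [], None
    for line in body.split(b"\r\n"):
        if line == closing:
            break
        if line == delim:
            current = []
            groups.append(current)
        elif current is not None:
            current.append(line)  # a '\x00--b1' line lands here, not as a delimiter
    parts = []
    for lines in groups:
        idx = lines.index(b"") if b"" in lines else len(lines)
        parts.append((parse_header_fields(b"\r\n".join(lines[:idx])),
                      b"\r\n".join(lines[idx + 1:])))
    return parts


def decode_part(fields, body):
    """Undo the Content-Transfer-Encoding of one MIME part."""
    cte = get_field(fields, "Content-Transfer-Encoding").lower()
    if cte == "base64":
        return base64.b64decode(b"".join(body.split()))
    if cte == "quoted-printable":
        return quopri.decodestring(body)
    return body


def find_nul_bytes(data):
    return [i for i, b in enumerate(data) if b == 0]


def hex_dump(data, width=16):
    """Offset | hex pairs | ASCII (dots for non-printable), one row per 16 bytes."""
    rows = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        asc = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        rows.append(f"{off:08x}  {hexpart:<{width * 3 - 1}}  |{asc}|")
    return rows


def hex_dump_roundtrip(data, width=16):
    """Re-parse the hex column and confirm it reproduces the source bytes."""
    rebuilt = b"".join(bytes.fromhex(row[10:10 + width * 3 - 1]) for row in hex_dump(data, width))
    return rebuilt == data


if __name__ == "__main__":
    hdr, body = split_headers_body(RAW_MESSAGE)
    fields = parse_header_fields(hdr)
    boundary = find_boundary(get_field(fields, "Content-Type"))
    print("Subject:", get_field(fields, "Subject"))
    print("MIME parts seen by the parser:", len(split_mime_parts(body, boundary)))
    print("NUL bytes at offsets:", find_nul_bytes(RAW_MESSAGE))
    for row in hex_dump(RAW_MESSAGE)[12:15]:  # rows around the anomaly
        print(row)
    print("dump round-trips to source bytes:", hex_dump_roundtrip(RAW_MESSAGE))
```

Run as-is, the parser reports one MIME part while the NUL shows up at offset 214 in the dump; removing the byte yields two parts and a decodable attachment. The round-trip check is the byte-level assurance the page's step 6 describes: the hex column is reparsed and compared against the source bytes rather than trusted on sight.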

Independent Validation

Reviewed and Awarded by Trusted Software Sites

Independent third-party verification of PCDOTS Email Forensics Investigation Tool against documented forensic-tool criteria - read-only ingestion guarantees, view mode completeness, header parsing fidelity, format coverage breadth, evidentiary export quality. Each award is sourced from the original publisher (Software Informer, Softpedia, Soft32, FileHippo). The aggregate 5.0-star rating combines 100 verified reviewer responses since the most recent major release.

  • 4.6 average across all reviews
  • 1,408 verified user reviews
  • 4 Editor's Choice awards

Software Informer (Editor's Pick): "100% Clean Award for read-only forensic inspection across formats and sources." Award: 100% Clean Award.

Softpedia (5-Star Rated): "Earns a 5-star rating for ease of operation and clear forensic view modes." Award: 100% Free Award.

Soft32 (Top Rated): "4.5 stars: an all-in-one solution for converting email files to multiple output formats." Award: Editor's Review.

FileHippo (Verified Safe): "100% Clean Award for secure and safe forensic inspection." Award: Safety Verified.

100% authentic. Every award above is verified directly from the issuing publisher's site. PCDOTS does not pay for placement, reviews or ratings.

Quick Definition

What Is the Email Forensics Investigation Tool?

Email forensics investigation software is a desktop tool that performs read-only analysis of email message data for evidentiary purposes. PCDOTS Email Forensics Investigation Tool ingests source mailboxes from 100+ file formats (EML, MBOX, PST, OST, MSG, OLM, EMLX, OFT, DBX, plus 90+ legacy and obscure variants) and 20+ desktop email client profiles (auto-detected via registry and standard data-folder paths). Five view modes per message - content, properties, message header, hex, raw RFC 5322 - expose the message at every meaningful abstraction level. Read-only ingestion via OS-level file handles guarantees source bytes survive unmodified through the inspection.

Quick Verdict

  • Best for: Read-only forensic inspection of email files on Windows for security analysts investigating phishing, fraud examiners tracing email-based scams, IT teams running incident response, and litigation support staff documenting message provenance for court.
  • Free trial: all five view modes unrestricted; PDF export caps at 25 messages per session.
  • Price: $49 one-time payment for a lifetime license; multi-seat lab licenses available on request.
  • Platforms: Windows 11, 10, 8.1, 8, 7, Vista, XP and Windows Server 2008-2022.
  • Rating: 5.0 out of 5 stars across 100 reviewer responses on G2, Capterra and Trustpilot platforms.
  • Privacy: all inspection runs locally; mailbox content does not transit PCDOTS infrastructure at any point during the analysis.

FAQs

Forensic Inspection Reference Questions

Twelve reference questions covering forensic email inspection: forensic-knowledge (what is forensics, how headers work, sender tracing, read-only meaning), inspection-action procedures (view mode switching, source loading, PDF export, search), capabilities (format support, no-client requirement, large mailbox handling), and the trial / pricing details. Sourced from real analyst support tickets.

What does read-only inspection actually mean?
It means the source mailbox bytes survive the inspection unmodified. The wizard requests OS-level read-only file handles via the Win32 CreateFile API with FILE_SHARE_READ + GENERIC_READ access flags. The kernel rejects any write syscall against the source descriptor regardless of what wizard code might attempt. Source files do not get marked "read", do not get last-accessed-time updates, do not get internal pointer rewrites. Critical for forensic chain of custody: any later review of the source disk image confirms the wizard left no trace.
What is email forensics and why does it matter?
Email forensics is the practice of analyzing email messages as evidentiary artifacts: tracing sender provenance through RFC 5322 headers, verifying message authenticity through byte-level inspection, documenting message metadata for case files. It matters because email is the most common channel for phishing attacks, business email compromise (BEC), vendor-impersonation fraud, and harassment - and the visible message body is often the least useful part of the evidence. The headers, the Received chain, the X-Originating-IP value, and the raw byte stream carry the actual provenance signal.
How do I switch between view modes?
Click any loaded message in the navigation pane, then click one of the five view-mode tabs in the preview pane: Content (rendered HTML body with formatted headers above), Properties (structured metadata table), Message Header (full RFC 5322 header block as decoded text), Hex (offset/byte/ASCII triplet columns), Raw Message (unparsed RFC 5322 source as on disk). Each view exposes a different abstraction level of the same underlying message bytes. Switching is instant; the wizard does not re-load the source file.
How do I load a source mailbox for inspection?
Click Open in the toolbar. The dropdown offers two source types: Email Data Files (file picker for EML, MBOX, PST, OST, MSG, OLM, EMLX, OFT, DBX, plus 90+ other formats) and Desktop Email Clients (auto-detected list of installed Outlook, Thunderbird, eM Client, Postbox, MailBird, MailSpring profiles found via registry and standard data-folder paths). Picked sources open under read-only handles immediately; the navigation pane shows the mailbox folder hierarchy and the preview pane stays empty until a message is selected.
Can the wizard trace the actual sender of a phishing email?
Yes, within the limits of what the headers carry. The wizard's header view surfaces all sender-related headers side by side: From, Sender, Reply-To, Return-Path, X-Sender, X-Originating-IP. Mismatches between visible-From and reply-routing headers usually identify phishing immediately. The Received chain traces the message path back to the originating server with IPs and timestamps; cross-referencing the origin IP against geolocation databases gives a city-level estimate of where the sender actually was. Forged Received headers (backwards timestamps, hostnames not matching IPs) often surface during this analysis.
Can the wizard handle a very large mailbox?
Yes. The wizard memory-maps source mailbox files and parses on demand rather than loading the entire mailbox into memory. A 50 GB Outlook PST file opens in seconds; folder navigation and message rendering stay responsive even as the message count climbs into the hundreds of thousands. Memory footprint scales with the count of currently rendered messages, not total source size. Useful for forensic work on enterprise-scale archived mailboxes where multiple source files combined can total several hundred GB.
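The two mechanisms described in the read-only and large-mailbox answers above, a read-only descriptor and memory-mapped on-demand parsing, are easy to show on an mbox file, where each message begins at a line starting with "From ". The block below is an added example written for this page, not PCDOTS code: it opens a constructed three-message mbox with a read-only descriptor, indexes message offsets by scanning the mapped pages instead of reading the file into memory, parses one message at a time, and confirms that the mapping rejects writes. The sample mailbox, the temporary file and all function names are the example's own.

```python
"""On-demand access to an mbox through a read-only memory map.

Added example for this page, not PCDOTS code. The mbox content is
constructed and written to a temporary file; function names are the
example's own.
"""
import email
import mmap
import os
import tempfile
from contextlib import contextmanager

# Constructed three-message mbox. The '>From' body line shows mboxrd
# quoting: without the '>' it would be mistaken for a message separator.
SAMPLE_MBOX = (
    b"From alice@example.com Mon Oct  6 09:15:42 2025\n"
    b"From: alice@example.com\nTo: bob@example.net\nSubject: Invoice 1\n\n"
    b"Please find the invoice attached.\n\n"
    b"From carol@example.org Mon Oct  6 09:20:01 2025\n"
    b"From: carol@example.org\nTo: bob@example.net\nSubject: Meeting notes\n\n"
    b">From the notes: action items below.\n\n"
    b"From dave@example.net Mon Oct  6 10:01:13 2025\n"
    b"From: dave@example.net\nTo: bob@example.net\nSubject: Re: Invoice 1\n\n"
    b"Paid.\n"
)


def write_sample_mbox():
    """Write the constructed mbox to a temp file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".mbox")
    with os.fdopen(fd, "wb") as f:
        f.write(SAMPLE_MBOX)
    return path


@contextmanager
def readonly_map(path):
    """Open with a read-only descriptor and map it read-only.

    O_RDONLY means no write can be issued through this descriptor, and
    ACCESS_READ makes the mapping itself reject modification.
    """
    fd = os.open(path, os.O_RDONLY)
    try:
        if os.fstat(fd).st_size == 0:
            raise ValueError("empty mbox")
        with mmap.mmap(fd, 0, access=mmap.ACCESS_READ) as mm:
            yield mm
    finally:
        os.close(fd)


def index_mbox(path):
    """Byte offset of every message: scan the mapping for newline + 'From '."""
    with readonly_map(path) as mm:
        offsets = [0] if mm[:5] == b"From " else []
        pos = 0
        while True:
            pos = mm.find(b"\nFrom ", pos)  # 'From:' headers and '>From' do not match
            if pos < 0:
                break
            offsets.append(pos + 1)
            pos += 6
        return offsets


def read_message(path, offsets, i):
    """Return the raw bytes of message i only; nothing else is read."""
    with readonly_map(path) as mm:
        end = offsets[i + 1] if i + 1 < len(offsets) else len(mm)
        return mm[offsets[i]:end]


def message_summary(raw):
    """Parse a single message (envelope 'From ' line stripped) on demand."""
    if raw.startswith(b"From "):
        raw = raw.split(b"\n", 1)[1]
    msg = email.message_from_bytes(raw)
    return {"from": msg["From"], "subject": msg["Subject"], "size": len(raw)}


def map_rejects_writes(path):
    """True when an attempted in-place write to the mapping is refused."""
    with readonly_map(path) as mm:
        try:
            mm[0:1] = mm[0:1]
        except TypeError:  # "mmap can't modify a readonly memory map"
            return True
    return False


if __name__ == "__main__":
    path = write_sample_mbox()
    offsets = index_mbox(path)
    print("messages indexed:", len(offsets), "at offsets", offsets)
    for i in range(len(offsets)):
        print(message_summary(read_message(path, offsets, i)))
    print("mapping rejects writes:", map_rejects_writes(path))
    os.remove(path)
```

Memory use here scales with the one message being parsed, not with the file size, which is the property the answer above describes for a 50 GB PST; the scan itself touches each mapped page once and keeps only a list of integers.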
What information is in an email header?
An RFC 5322 message header carries sender provenance metadata: From (visible sender), Sender (system that submitted the message), Reply-To (where replies route), Return-Path (bounce destination), Date (claimed send time), Subject, Message-ID (unique server-assigned identifier), References and In-Reply-To (threading), plus the Received chain (one line per relay hop in the SMTP delivery path with timestamps). Custom X-headers from the source server add further signal: X-Originating-IP, X-Mailer, X-Priority, X-Spam-Score. Most users never see these - the wizard's header view surfaces them all.
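The sender-tracing and header-contents answers above describe the reading an analyst does in the header view: compare the visible From with the reply-routing headers, then walk the Received chain bottom-up to the originating host and look for hops whose timestamps run backwards. The block below is an added example written for this page, not PCDOTS code, that performs those checks over a constructed phishing sample. Hostnames, IDs and addresses are made up and the IP addresses come from the RFC 5737 documentation ranges; the 300-second skew tolerance and all function names are the example's own assumptions.

```python
"""Header provenance analysis for a raw RFC 5322 message.

Added example for this page, not PCDOTS code. The message below is a
constructed sample; the clock-skew tolerance is an assumption.
"""
import email
import re
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample. Headers are listed newest-first, as delivered:
# the top Received line is the last hop, the bottom one the origin.
# The origin hop carries a timestamp later than the hop that accepted it.
SAMPLE = (
    b"Received: from mx.example-bank.com (mx.example-bank.com [198.51.100.5])"
    b" by inbound.example.net with ESMTP id abc123;"
    b" Mon, 6 Oct 2025 09:15:42 +0000\r\n"
    b"Received: from relay.example.org (relay.example.org [203.0.113.9])"
    b" by mx.example-bank.com with ESMTP id def456;"
    b" Mon, 6 Oct 2025 09:15:40 +0000\r\n"
    b"Received: from [192.0.2.77] (unknown [192.0.2.77])"
    b" by relay.example.org with ESMTPA id ghi789;"
    b" Mon, 6 Oct 2025 11:02:10 +0000\r\n"
    b"X-Originating-IP: [192.0.2.77]\r\n"
    b"Return-Path: <bounce@mail.example.org>\r\n"
    b"From: IT Support <helpdesk@example-bank.com>\r\n"
    b"Reply-To: <helpdesk@mail.example.org>\r\n"
    b"To: <victim@example.net>\r\n"
    b"Subject: Password expiry notice\r\n"
    b"Date: Mon, 6 Oct 2025 09:15:39 +0000\r\n"
    b"Message-ID: <20251006.ghi789@relay.example.org>\r\n"
    b"\r\n"
    b"Your password expires today. Reply to this message to keep access.\r\n"
)

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FROM_BY_RE = re.compile(r"from\s+(?P<from>\S+).*?\bby\s+(?P<by>\S+)", re.I | re.S)
ALIGNMENT_HEADERS = ("Sender", "Reply-To", "Return-Path")


def header_domain(value):
    """Domain part of the first address in a header value, lower-cased."""
    addr = parseaddr(value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def sender_alignment(msg):
    """Compare From's domain with Sender, Reply-To and Return-Path."""
    from_domain = header_domain(msg.get("From"))
    misaligned = {}
    for name in ALIGNMENT_HEADERS:
        value = msg.get(name)
        if value is None:
            continue
        domain = header_domain(value)
        if domain and domain != from_domain:
            misaligned[name] = domain
    return from_domain, misaligned


def parse_received(value):
    """Pull relay, receiver, bracketed IP and timestamp out of one Received line."""
    one_line = " ".join(value.split())
    head, _, date_part = one_line.rpartition(";")  # the date follows the last ';'
    m = FROM_BY_RE.search(head)
    ip = IP_RE.search(head)
    return {
        "from": m.group("from") if m else None,
        "by": m.group("by") if m else None,
        "ip": ip.group(1) if ip else None,
        "no_rdns": "unknown [" in head.lower(),  # receiving MTA found no reverse DNS
        "time": parsedate_to_datetime(date_part.strip()) if date_part else None,
    }


def received_chain(msg):
    """Received hops in delivery order: origin first, final delivery last."""
    return [parse_received(v) for v in reversed(msg.get_all("Received", []))]


def backwards_hops(chain, skew_seconds=300):
    """(index, delta) for hops whose next timestamp is earlier than allowed skew."""
    findings = []
    for i in range(len(chain) - 1):
        a, b = chain[i]["time"], chain[i + 1]["time"]
        if a is None or b is None:
            continue
        delta = (b - a).total_seconds()
        if delta < -skew_seconds:
            findings.append((i, delta))
    return findings


def analyze(raw):
    msg = email.message_from_bytes(raw)
    from_domain, misaligned = sender_alignment(msg)
    chain = received_chain(msg)
    xoip = msg.get("X-Originating-IP", "").strip("[] ")
    return {
        "from_domain": from_domain,
        "misaligned": misaligned,
        "chain": chain,
        "origin_ip": chain[0]["ip"] if chain else None,
        "x_originating_ip": xoip or None,
        "backwards": backwards_hops(chain),
        "no_rdns_hops": [i for i, h in enumerate(chain) if h["no_rdns"]],
    }


if __name__ == "__main__":
    report = analyze(SAMPLE)
    print("From domain:", report["from_domain"])
    print("Misaligned routing headers:", report["misaligned"])
    for i, hop in enumerate(report["chain"]):
        print(f"hop {i}: {hop['from']} -> {hop['by']} ip={hop['ip']} at {hop['time']}")
    print("Origin IP:", report["origin_ip"], "X-Originating-IP:", report["x_originating_ip"])
    print("Backwards hops (index, seconds):", report["backwards"])
```

On the sample, Reply-To and Return-Path both point at mail.example.org while From claims example-bank.com, the origin hop has no reverse DNS, and the first hop's timestamp is 6,390 seconds later than the relay that accepted it. Any one of these is worth a note in the case file; together they are the pattern the answer above calls out. Each finding is reported with the hop index so it can be cited against the header block in the exported PDF.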
Which file formats does the wizard support?
Source coverage spans 100+ formats. Common formats: EML, MBOX, PST, OST, MSG, OLM, EMLX, OFT, DBX. Less common: Eudora MBX, IBM Notes NSF, Outlook Express DBX, Calypso, FoxMail, MBS Outlook archive, Mailwasher cache, plus profile formats from clients no longer in production (Incredimail, Chaos Intellect, OE Classic). Profile auto-detection reads each supported client's registry entries and standard data-folder paths to surface available accounts in a single dropdown.
Can I read a PST file without Outlook installed?
Yes. The wizard ships its own PST/OST parser and does not require Outlook to be installed at the workstation. Same for MBOX (Thunderbird not required), OLM (Outlook for Mac not required), NSF (Lotus Notes not required), and every other supported source format. The wizard speaks each format directly. Useful for forensic work on seized hardware where the original mail client may no longer install on modern Windows, or in lab environments where installing email clients on the analyst workstation is not permitted under policy.
How does the PDF export work for evidence?
Select messages in the navigation pane, click Export > PDF, browse to the destination folder, click Save. The wizard renders each selected message as a PDF with the full RFC 5322 header block printed at the top of the page (From, Reply-To, Return-Path, Received chain, X-Originating-IP, all custom X-headers), the message body underneath, and any attachments embedded as additional PDF pages. Useful for court submissions, internal incident reports, and case files. The header block is what distinguishes evidentiary PDF from casual print-to-PDF output.
What does the free trial do?
Trial surfaces every view mode (content, properties, header, hex, raw RFC 5322) without restriction so the analyst can verify the wizard handles the actual source mailboxes the investigation uses. Quick search and Advanced search work without restriction during the trial. PDF export caps at 25 messages per session for evaluation. Licensed edition is $49 one-time, perpetual, single workstation, no recurring fees. Multi-seat lab licenses available on request for incident response teams running parallel investigations across several analyst workstations.

Customer Stories

Investigation Outcomes From Three Workflows

Three accounts from operators running different forensic workflows: a $400K business-email-compromise attribution for a finance team, a SOC-led phishing campaign attribution across 200+ infected mailboxes, and an HR-investigation chain-of-custody documentation for an employment law matter. Reviewer accounts hosted independently on G2, Capterra, and Trustpilot.

  • G2 Reviews: 4.7 (412 reviews)
  • Capterra: 4.6 (287 reviews)
  • Trustpilot: 4.6 (521 reviews)
  • Software Suggest: 4.5 (188 reviews)

Phishing campaign attribution for SOC team

We run a SOC for a financial-services client. A phishing campaign hit 200+ of their mailboxes over a weekend; we needed to attribute it. Standard mail clients render parsed body text - useful for users, useless for SOC analysts. PCDOTS hex view + raw RFC 5322 view let us pattern-match the campaign signature across infected mailboxes (custom X-headers from the threat actor's relay infrastructure that the lighter tools simply did not surface). Attribution complete by Monday morning. Recommended tool for any SOC running email-borne threat investigations.

Tags: SOC attribution, Hex + raw view
James Whitford, SOC Manager · Manchester, United Kingdom
Verified · Capterra

HR investigation chain-of-custody documentation

I work in employment law and we run HR investigations involving disputed email evidence. The challenge is always demonstrating that no one tampered with the source mailbox between collection and review. PCDOTS opens source files with OS-level read-only handles - I can produce technical documentation showing the kernel rejected any write syscall against the source descriptor regardless of what the wizard might attempt. Opposing counsel has yet to successfully challenge the chain-of-custody documentation we produce using this tool.

Tags: Chain of custody, Read-only file handles
Sandra Lokken, Employment Law Counsel · Drammen, Norway
Verified · Trustpilot

Add your story after your first investigation.

Ready to Try

Inspect Your Suspicious Email Today.
Trial Edition, No Card Required.

Download PCDOTS Email Forensics Investigation Tool, evaluate up to 25 PDF exports per session and verify the wizard handles your exact source mailbox structure. Upgrade only when you are satisfied with the result.
