.PST/.OST analysis

 Mobo
(@mobo)
Posts: 15
Active Member
Topic starter
 

I'm dealing with an allegation of deleted emails. The 'victim' uses MS Outlook.

I have recovered the .PST file from the usual destination, but when this is re-assembled it shows exactly how the user said it did, i.e. all the inbox & sent items folders empty. The .PST file is much smaller than I expected and the only information within it is the calendar entries and address book.

I ascertained the user set up their email accounts with an Exchange server. As a result, I recovered the .OST file, much larger in size and when reconstructed contained all the emails from their inbox and sent items as per the information. [They were unable to see these when they had opened Outlook on their computer]

Does the Exchange server only ever use the OST file? Or would there be any other reason that the PST file was virtually empty?

PS - does anyone know an o********t conversion tool that actually works???

 
Posted : 25/09/2014 10:24 pm
(@paraben)
Posts: 47
Eminent Member
 

Paraben's Email Examiner will convert PST to OST. It will also recover deleted email.

https://www.paraben.com/email-examiner.html

 
Posted : 26/09/2014 2:16 am
(@joachimm)
Posts: 181
Estimable Member
 

Using a conversion tool is rarely a good idea when recovering deleted content is important.

> Does the exchange server only ever use the OST file?

The Exchange server does NOT use the OST file, Outlook does to sync with the Exchange server.

> or would there be any other reason that the PST file was virtually empty?

In case of an Exchange server there is no need to store emails on the server, in the OST and then again in PST files. So this really depends on what the PST is used for.

> PS - does anyone know an o********t conversion tool that actually works???

No, because from a forensic point of view converting an OST into a PST is a broken way to approach the problem.

 
Posted : 26/09/2014 10:53 am
(@francesco)
Posts: 79
Trusted Member
 

I haven't tested it yet but it appears Autopsy 3.1 will ingest both PST and OST files.

 
Posted : 26/09/2014 1:05 pm
 Mobo
(@mobo)
Posts: 15
Active Member
Topic starter
 

Many thanks!
All very interesting and helpful :D

 
Posted : 26/09/2014 5:32 pm
(@francesco)
Posts: 79
Trusted Member
 

> Many thanks!
> All very interesting and helpful :D

Remember that PST files have a special folder that the user can't see containing deleted mails up to an X number of days (which I currently don't remember), OST files probably have that mechanism as well (so does the Exchange database).

 
Posted : 26/09/2014 5:38 pm
 Mobo
(@mobo)
Posts: 15
Active Member
Topic starter
 

Thanks again Francesco.

I appear to have pulled back all the emails the user was not able to see [assumed deleted] from the .OST file.

 
Posted : 26/09/2014 5:43 pm
(@cults14)
Posts: 367
Reputable Member
 

> francesco wrote:
> Remember that PST files have a special folder that the user can't see containing deleted mails up to an X number of days (which I currently don't remember), OST files probably have that mechanism as well (so does the Exchange database).

New one on me - not for the first time though :) I know that Exchange has a default for retaining items emptied from Deleted Items (aka Dumpster or Recovered Items), but didn't know about that feature in PSTs and OST.

Would be very interested in exploring this

Regards

 
Posted : 26/09/2014 8:47 pm
(@francesco)
Posts: 79
Trusted Member
 

> > francesco wrote:
> > Remember that PST files have a special folder that the user can't see containing deleted mails up to an X number of days (which I currently don't remember), OST files probably have that mechanism as well (so does the Exchange database).
>
> New one on me - not for the first time though :) I know that Exchange has a default for retaining items emptied from Deleted Items (aka Dumpster or Recovered Items), but didn't know about that feature in PSTs and OST.
>
> Would be very interested in exploring this
>
> Regards

Wait, I mixed things up 8O, I got too used to exporting everything to PST. OST files should have the special folder (that can be shown with the DumpsterAlwaysOn registry key).

 
Posted : 26/09/2014 9:53 pm
(@joachimm)
Posts: 181
Estimable Member
 

Hard-deleted emails can also be recovered from the format. See
https://googledrive.com/host/0B3fBvzttpiiScU9qcG5ScEZKZE0/PFF%20Forensics%20-%20analyzing%20the%20horrible%20reference%20file%20format.pdf

 
Posted : 27/09/2014 1:06 am
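
The thread's advice to examine the OST directly rather than convert it starts with knowing what each recovered file is. The following is an added example, not code from any poster or tool named in the thread: it reads only the file header to tell a PST from an OST, report the ANSI/Unicode variant, and compare the recorded size with the size on disk. Offsets follow the published [MS-PST] header layout; the "SO" marker for OST and data version 36 are assumptions taken from libpff's format notes, and the function names are hypothetical.

```python
import os
import struct

# Header fields per the published [MS-PST] layout; "SO" (OST) and data
# version 36 (4k-page OST) are taken from libpff's format notes (assumption).
CONTENT_TYPES = {b"SM": "PST", b"SO": "OST", b"AB": "PAB"}
ANSI_VERSIONS = {14, 15}      # 32-bit file offsets
UNICODE_VERSIONS = {23, 36}   # 64-bit file offsets


def parse_pff_header(header: bytes, actual_size: int) -> dict:
    """Identify a PST/OST from its header without converting or opening it."""
    if len(header) < 208 or header[:4] != b"!BDN":
        raise ValueError("not a PST/OST/PAB file (bad signature)")
    (version,) = struct.unpack_from("<H", header, 10)
    if version in ANSI_VERSIONS:
        fmt, layout, root_eof = "ANSI", "<III", 168
    elif version in UNICODE_VERSIONS:
        fmt, layout, root_eof = "Unicode", "<QQQ", 184
    else:
        raise ValueError(f"unsupported data version {version}")
    # ROOT fields in order: ibFileEof, ibAMapLast, cbAMapFree
    eof, _amap_last, amap_free = struct.unpack_from(layout, header, root_eof)
    return {
        "content_type": CONTENT_TYPES.get(header[8:10], "unknown"),
        "format": fmt,
        "recorded_size": eof,
        # A mismatch suggests a truncated or otherwise altered copy.
        "size_mismatch": eof != actual_size,
        # Space the allocation maps report as free; only meaningful when
        # the header's fAMapValid flag is set (not checked here).
        "amap_free_bytes": amap_free,
    }


def triage(path: str) -> dict:
    """Read only the header of a working copy of the evidence file."""
    with open(path, "rb") as fh:
        return parse_pff_header(fh.read(512), os.path.getsize(path))


def constructed_header(content=b"SO", version=23, eof=8192, free=1024) -> bytes:
    """Constructed sample: a minimal Unicode-layout header, not real evidence."""
    h = bytearray(512)
    h[0:4], h[8:10] = b"!BDN", content
    struct.pack_into("<H", h, 10, version)
    struct.pack_into("<QQQ", h, 184, eof, 0, free)
    return bytes(h)
```

Run `triage()` against a hashed working copy, never the original image.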