General PST question

(@drbrent)
Posts: 4
New Member
Topic starter
 

Sorry if this is a basic question that belongs elsewhere, but I am doing a little research for a colleague and am not sure of the answer.

When doing a collection of PSTs off of someone's laptop/desktop, what difference, if any, is there between navigating out to the directory and copying out that PST file vs. going into Outlook and doing an export of the .PST file?

Does one contain a more complete set of data? I would think that both would give you exactly the same, but I would like to be sure.

Also, are there any other files that you should be sure to copy if going the first route? I believe the user in question has also archived data, so I am assuming that you would have to grab those files as well. Do those get exported when using the export tool?

Thanks!

 
Posted : 23/06/2010 11:40 pm
RobtCBell
(@robtcbell)
Posts: 2
New Member
 

It sounds like this is a corporate environment from the description. You have files local to the device and a file on an Exchange Server. The files on the local device would most likely be Personal Folders and/or Archive folders. The Exchange Server is your inbox, calendar, notes, etc.

If you are looking to investigate all emails related to this user, you will need to copy all the local PST files from the device along with the export of the Exchange Server account.

For example, if the user logged on to a different device, they would still be able to get to their Exchange Server account. They would, however, be unable to access their personal folders and/or archive folders from that device, as the files reside on the other device.

Hope this helps.

Thanks, Bob

 
Posted : 24/06/2010 12:21 am
(@drbrent)
Posts: 4
New Member
Topic starter
 

Bob,

Thanks for the reply. In this instance, they are not concerned about the Exchange server as they have already dealt with that data. They are just wanting to be sure that they collect everything from the user's laptop.

If they were to export out of Outlook, would that be the best way to grab the complete set of active data? Or, does the PST that already resides on the laptop contain everything? Obviously any archive folders would either have to be copied or exported as well.

 
Posted : 24/06/2010 1:32 am
(@mobileforensicswales)
Posts: 274
Reputable Member
 

It would most definitely be worth looking at the original file, on the original PC, in a forensic environment. If you export the file using Outlook you will not be able to look at the slack space of a file. Also, if you can look at the entire PC / image of the PC in a forensic environment you will also be able to run file carving software to recover emails that may have previously been deleted.

 
Posted : 24/06/2010 2:17 pm
RobtCBell
(@robtcbell)
Posts: 2
New Member
 

Your best method here would be to grab all the PST files from the device. If you are concerned about deleted emails within the PST itself, there are ways to recover these emails. There is software out that can do this or you could corrupt and repair the PST to recover those deleted items.

 
Posted : 24/06/2010 6:03 pm
jhup
(@jhup)
Posts: 1442
Noble Member
 

I would also suggest you export the PSTs out to MSGs, and use something other than Outlook or Express.

This extra step may be time consuming, but will save you from headaches later during analysis.

PSTs are notoriously easy to corrupt, and slow through MAPI in my experience.

 
Posted : 26/06/2010 5:10 am
pbobby
(@pbobby)
Posts: 239
Estimable Member
 

Just grab the PSTs from the device (and any 'homedrive') and process them. They contain everything.

 
Posted : 26/06/2010 6:38 am
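An added example, not posted by anyone in this thread: one way to inventory the mail stores under a directory tree before copying them, so that renamed archives are not missed and each file has a hash for the collection record. It identifies files by header rather than extension, using the `!BDN` magic, the client signature at offset 8 and the version field at offset 10 as described in Microsoft's MS-PST specification; the names `classify`, `inventory` and `SAMPLE_HEADER` are hypothetical.

```python
import hashlib, os, struct, sys
from pathlib import Path

MAGIC = b"!BDN"                          # dwMagic at offset 0
CLIENTS = {b"SM": "PST", b"SO": "OST"}   # wMagicClient at offset 8
# Constructed 12-byte header for demonstration, not taken from a real mailbox.
SAMPLE_HEADER = MAGIC + b"\x00" * 4 + b"SM" + struct.pack("<H", 23)

def classify(header):
    """Return (kind, format) for a 12-byte file header, or None if not PST/OST."""
    if len(header) < 12 or header[:4] != MAGIC:
        return None
    kind = CLIENTS.get(header[8:10], "unknown")
    (ver,) = struct.unpack_from("<H", header, 10)   # wVer at offset 10
    if ver in (14, 15):
        return kind, "ANSI"
    if ver >= 23:
        return kind, "Unicode"
    return kind, "unknown wVer %d" % ver

def inventory(root):
    """List (path, kind, format, size, sha256) for every store under root."""
    rows = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            try:
                with open(path, "rb") as fh:
                    info = classify(fh.read(12))
                    if info is None:
                        continue              # magic decides, not the extension
                    fh.seek(0)
                    digest, size = hashlib.sha256(), 0
                    for chunk in iter(lambda: fh.read(1 << 20), b""):
                        digest.update(chunk)
                        size += len(chunk)
            except OSError as exc:            # e.g. locked by a running Outlook
                rows.append((str(path), "unreadable", str(exc), None, None))
                continue
            rows.append((str(path), info[0], info[1], size, digest.hexdigest()))
    return sorted(rows, key=lambda r: r[0])

if __name__ == "__main__":
    for row in inventory(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("\t".join(str(col) for col in row))
```

Run it against a mounted image or a read-only copy of the profile and any home drive; an "unreadable" row usually means the store is still open in Outlook on a live system.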
(@drbrent)
Posts: 4
New Member
Topic starter
 

Thanks for the input, everyone. It is greatly appreciated.

 
Posted : 29/06/2010 12:48 am