Microsoft Release pst file format

9 Posts
8 Users
0 Reactions
563 Views
(@douglasbrush)
Prominent Member
Joined: 16 years ago
Posts: 812
Topic starter  

http://msdn.microsoft.com/en-us/library/ff385210.aspx

Thanks to Harry Parsonage for the notice!


CFP001
(@cfp001)
Eminent Member
Joined: 16 years ago
Posts: 36
 

OK I still have the newbie tag so I guess I can ask a "stupid" question.

Since all of the tools parse the *pst file already, what does this get us in the end? Is it that we are only parsing what we (not me, the smart guys) can figure out?
Is there more information that can be gathered with the specifications?


(@patrick4n6)
Honorable Member
Joined: 16 years ago
Posts: 650
 

Well up until now, the parsing tools and techniques have been based on educated guesses based on inspection of the data. Now that the spec has been released, it's no longer a guess. This improves the reliability of any forensic evidence gleaned from a PST.


(@seanmcl)
Honorable Member
Joined: 19 years ago
Posts: 700
 

Is there more information that can be gathered with the specifications?

Most of the software that extracts data from PSTs uses Microsoft's MAPI which means that you are not dealing directly with the raw data (and that you have to have Outlook installed to use them). Those that do not, as Tony has suggested, are based upon reverse engineering and educated guesses (as well as a lot of hard work). Add to that the risk that MS will change the underlying format and not MAPI and you have a less than ideal situation.

I would expect that this would make it easier to support such things as the excellent libpst and lower the cost of software to manipulate PSTs for forensic purposes.


(@douglasbrush)
Prominent Member
Joined: 16 years ago
Posts: 812
Topic starter  

Also, think of it that the more open the architecture the more effective we as examiners can be when dealing with proprietary files.


CdtDelta
(@cdtdelta)
Estimable Member
Joined: 17 years ago
Posts: 134
 

Should we start a betting pool as to which company updates their software to the spec first?

Tom


(@cstevens)
Active Member
Joined: 16 years ago
Posts: 7
 

Also consider the occasions, rare as they may be, where you need to manually recover or verify partial records which automated tools don't pick up.

Being able to say in court that you were working from the developers documentation will hold more weight than saying it was inferred from reverse engineering.

I'm currently facing this issue with a file format where I can show from basic testing that the reverse engineered "standard" is actually incorrect. I'd kill (or at least commit assault) to get my hands on the manufacturer's doco!

Cheers,
Chris


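As an added illustration of what "working from the developer's documentation" looks like in practice (this is not code from anyone in the thread): a small Python check of the fixed fields at the start of a PST HEADER as documented in the MS-PST specification (dwMagic, wMagicClient, wVer, wVerClient, the two platform bytes). The sample header bytes are constructed here for demonstration; dwCRCPartial is read but not recomputed.

```python
import struct

# Fixed fields at the start of the PST HEADER structure (MS-PST, section 2.2.2.6).
PST_MAGIC = b"!BDN"        # dwMagic, offset 0
PST_CLIENT_MAGIC = b"SM"   # wMagicClient, offset 8
ANSI_VERSIONS = {14, 15}   # wVer values the spec assigns to ANSI files
UNICODE_VERSION = 23       # wVer value the spec assigns to Unicode files
CLIENT_VERSION = 19        # wVerClient, the only value the spec defines
# dwMagic, dwCRCPartial, wMagicClient, wVer, wVerClient, bPlatformCreate, bPlatformAccess
HEADER_PREFIX = struct.Struct("<4sI2sHHBB")


def check_pst_header(data: bytes) -> dict:
    """Compare a buffer against the documented header prefix and report findings.

    Returns the decoded fields, the file format implied by wVer (or None when
    the value is not one the spec documents) and a list of deviations.
    """
    problems = []
    if len(data) < HEADER_PREFIX.size:
        return {"format": None, "problems": ["buffer shorter than the fixed header prefix"]}
    magic, crc_partial, client, ver, ver_client, plat_create, plat_access = \
        HEADER_PREFIX.unpack_from(data)
    if magic != PST_MAGIC:
        problems.append(f"dwMagic {magic!r} != {PST_MAGIC!r}")
    if client != PST_CLIENT_MAGIC:
        problems.append(f"wMagicClient {client!r} != {PST_CLIENT_MAGIC!r}")
    if ver in ANSI_VERSIONS:
        fmt = "ANSI"
    elif ver == UNICODE_VERSION:
        fmt = "Unicode"
    else:
        fmt = None
        problems.append(f"wVer {ver} is not a documented PST version")
    if ver_client != CLIENT_VERSION:
        problems.append(f"wVerClient {ver_client} != {CLIENT_VERSION}")
    if plat_create != 1 or plat_access != 1:
        problems.append("bPlatformCreate/bPlatformAccess must both be 0x01")
    return {"format": fmt, "wVer": ver, "wVerClient": ver_client,
            "dwCRCPartial": crc_partial, "problems": problems}


def make_header_prefix(ver: int, magic: bytes = PST_MAGIC) -> bytes:
    """Build a constructed header prefix for demonstration (not real PST data)."""
    return HEADER_PREFIX.pack(magic, 0, PST_CLIENT_MAGIC, ver, CLIENT_VERSION, 1, 1)


if __name__ == "__main__":
    print(check_pst_header(make_header_prefix(23)))           # Unicode, no problems
    print(check_pst_header(make_header_prefix(99, b"!BDM")))  # two deviations reported
```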
(@mscotgrove)
Prominent Member
Joined: 17 years ago
Posts: 940
 

From the data recovery side, any spec is always a bonus.

Is there a library of similar documentation within the forum?


harryparsonage
(@harryparsonage)
Estimable Member
Joined: 20 years ago
Posts: 184
 

From the data recovery side, any spec is always a bonus.

Is there a library of similar documentation within the forum?

Not in the forum but Microsoft have been releasing lots of their specifications like the pst for some while now -

http://msdn.microsoft.com/en-us/library/dd208104%28PROT.10%29.aspx

H

