.PST/.OST analysis

hard deleted emails can also be recovered from the format. See
https://googledrive.com/host/0B3fBvzttpiiScU9qcG5ScEZKZE0/PFF%20Forensics%20-%20analyzing%20the%20horrible%20reference%20file%20format.pdf

Recent versions of Outlook (since 2010 I think) seem to compact the file in background so you're likely not going to find much without using a tool that scans the disk for the messages. Plus the headers, message text and attachments aren't stored next to each another and worse of all the text is encoded according to a "permutative table" so you can't simply search the strings on disk (if I remember well Encase allows settings a special encoding for cases like this). Too bad there don't seem to be valid opensource Outlook PST/OST mail recovery tools available even though Microsoft made all the specs public several years ago.

Hi ,
I want to share my experience regarding o********t file conversion. I in my previous organisation,where i was working as network analyst. There I had a collection of some orphan file which are need to be recovered. Though I dint had the access to exchange server and still want to recover the files.
For this purpose, I searched for the tools and did a demo with them. I found that following tools works very sufficiently in recovering the deleted OST file

1)Systools OST Recovery Tool
2)Pcvita Software OST Recovery Tool
3)StellarInfo OST recovery Tool.

These tools are helpful in recovering OST file.I have recovered the file and found that the file contains important contact and messages.

—–
Thanks

Recent versions of Outlook (since 2010 I think) seem to compact the file in background so you're likely not going to find much without using a tool that scans the disk for the messages.

The scan for the encoded data approach does not work with deflate compressed OST files. The approach was not fool proof in the first place since it only worked with 1 variant of the encoding PST/OST supports.

If you want to apply a similar approach for deflate compressed data use bulkextractor.

Too bad there don't seem to be valid opensource Outlook PST/OST mail recovery tools available even though Microsoft made all the specs public several years ago.

So the MS specs are incomplete, see my work on PFF format for comparison.

Also not sure what you mean "by valid opensource Outlook PST/OST mail recovery tools"
* pffexport will recover email from a PST/OST
* you can use a carver to recover PST/OST files

[quote="francesco]Remember that PST files have a special folder that the user can't see containing deleted mails up to an X number of days (which I currently don't remember), OST files probably have that mechanism as well (so does the Exchange database).

New one on me - not for the first time though ) I know that Exchange has a default for retaining items emptied form Deleted Items (aka Dumpster or Recovered Items), but didn't know about that feature in PSTs and OST.

Would be very interested in exploring this

Regards

Wait, I mixed things up 8O, I got too much used to export everything to PST. OST files should have the special folder (that can be shown with the DumpsterAlwaysOn registry key).
This isn't true. The dumpster is on the server its not local in the OST file.

To recover Server's OST file and Outlook's PST file, you may try inbuilt repair utilities provided by Microsoft Scanost.exe and Scanpst.exe

These programs scan and repair corrupt mailbox folder. One of the reasons to convert o********t is recovering data from corrupted OST file.

Convert o********t

Methods to convert o********t includes archiving OST file, exporting data from OST file to new PST file or converting OST file into new PST file.

I believe it is several things that are discussed here.

1) OST2PST conversion.

Yes - it is possible offlien without the access to the Exchange server. Several tools can do it.

A. Transend Migrator - a general benchmark for all forensic format conversions. Constantly updated. I often got the best results (various types of conversions) with it.
B. Paraben Email Examiner - both analysis and conversion tool
C. And a bunch of others Kernel, Stellar, Outlook Recovery Toolbox, Aid4Mail and loads of others that are there. Not sure if I have seen real comprehensive testing of (almost) everything

2) Analysis/recovery of deleted email from a .PST file.

- again, several tools can recover deleted content; it is difficult to benchmark just by quantity - some tools tend to add more items as recovered, even if only scraps of the message exist
- the actual recovery and the format is described in various ideas/paper of Joachim Metz - please read it
- you can actually corrupt a .PST file on purpose (by modifying the first bytes) and then use the native Microsoft tool scanpst.exe to recover emails; you have to be able to compare the source .PST and the recovered .PST through some tool/export of single messages (hash, subject_date, messageid)

3) Dumpster - that notion is related to Exchange server file and not an email archive (.PST on a local drive) or an offline copy (.OST)

It seems like all roads instead of leading to Rome lead nowadays to some Systools (not necessarily "Premium") software. 😯

jaclaz

Advanced Exchange Recovery works Well and i believe has the ability to run recovery.

It's worth checking out.