Hi all,
It's been a while since we last spoke!!
I am currently looking at a laptop that has been 'wrecked' by a previous virus removal procedure and, long story short, I need to do all I can to recover my friend's Outlook.pst file. I have secured an image of the disc and I can see one such file in the clear, but obviously it's not the one I want as it was created after the 'wrecking'.
I have a 25 GB unallocated area and any ideas as to how I can locate this file, if still in one piece, would be very welcome. I am aware of the custom header and footer function in EnCase but have had difficulty defining the said headers and footers!
Thanks
The following is consistent with all my pst headers - "count starts at 1"
bytes 1-4 !BDN
bytes 9-16 SM\x0e\x00\x13\x00\x01\x01
I know of no reliable trailer identifier. I have found small pst files to contain a lot of null \x00 at the end of the pst – 512+ bytes. I am not sure of when this space becomes occupied with data. Normally, pst files contain "encrypted data" in the last sector. I have used libpst to look at possible recovered pst files. When I find a good candidate, I then copy the file and run the Outlook mailbox repair utility on the copy. The utility usually throws out a lot of trash and makes the file readable. For some strange reason the last pst I recovered I could only read and forward. I was unable to copy or move mail items to other folders.
If you are inclined, the libpst Linux program has some documentation on how the pst is constructed. I tried once to follow the documentation and break down a test pst – I gave up after a couple of days.
Good luck - hope this helps.
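The header bytes listed in the post above, used as a carving signature over an exported unallocated area; this is an added example, not part of the original thread and not EnCase or libpst code. The names `match_header`, `scan_stream` and `sample_image`, the 512-byte sector size, and the `relaxed` mode (which goes beyond the post by accepting any version word after `SM`) are assumptions of this example.

```python
import io

MAGIC = b"!BDN"                              # bytes 1-4 (count starts at 1)
CLIENT_SIG = b"SM\x0e\x00\x13\x00\x01\x01"   # bytes 9-16, as given in the post
HEADER_LEN = 16
SECTOR = 512                                 # assumed sector size of the image


def match_header(buf, pos, relaxed=False):
    """Return the version word (bytes 11-12) if buf[pos:] looks like a PST header."""
    head = buf[pos:pos + HEADER_LEN]
    if len(head) < HEADER_LEN or head[:4] != MAGIC:
        return None
    sig = head[8:16]
    if sig == CLIENT_SIG or (relaxed and sig[:2] == b"SM"):
        return int.from_bytes(sig[2:4], "little")
    return None


def scan_stream(fh, chunk_size=1 << 20, relaxed=False):
    """Yield (offset, version_word, sector_aligned) for each candidate header."""
    base, buf = 0, b""                       # base = absolute offset of buf[0]
    while True:
        chunk = fh.read(chunk_size)
        buf += chunk
        pos = buf.find(MAGIC)
        while pos != -1 and pos + HEADER_LEN <= len(buf):
            ver = match_header(buf, pos, relaxed)
            if ver is not None:
                yield base + pos, ver, (base + pos) % SECTOR == 0
            pos = buf.find(MAGIC, pos + 1)
        if not chunk:
            break
        keep = HEADER_LEN - 1                # tail kept so a split header is seen
        base += max(len(buf) - keep, 0)
        buf = buf[-keep:]


def sample_image():
    """Constructed test data: filler, one header as in the post, one variant."""
    hdr = MAGIC + b"\xaa\xbb\xcc\xdd" + CLIENT_SIG
    variant = MAGIC + b"\x11\x22\x33\x44" + b"SM\x17\x00\x13\x00\x01\x01"
    return b"\x00" * 1024 + hdr + b"\x00" * 700 + variant + b"\x00" * 300


if __name__ == "__main__":
    for off, ver, aligned in scan_stream(io.BytesIO(sample_image()), relaxed=True):
        print(f"offset {off:#x} version {ver} sector-aligned={aligned}")
```

A hit only marks where a pst began; the data after it still has to be checked, for example with libpst or the repair utility run on a copy, as described in the thread.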
Thanks for the tips, I am having some success!
The problem with .pst files is that by their very nature they will almost always be fragmented. The good news is that every Windows user already has a good tool for recovering them. Search for scanpst.exe. Copy out or mount your image and run scanpst across it.