What do you use for Outlook Express deleted e-mails

16 Posts
6 Users
0 Reactions
4,349 Views
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
Topic starter  

Issue
User used the "deleted items" Outlook Express 5.0 folder to store mails he wanted to keep!

I know this does sound crazy, but it is what was happening.

Basically he would "delete" mails (i.e. send them to the "deleted items" folder), then he would access the "deleted items" folder and actually delete those he wasn't interested in (keeping the ones he wanted to re-access later).

Obviously first time a "normal" colleague used his computer, he accidentally (but rightfully) right clicked and emptied the "deleted items" folder.

I have a copy of the "deleted items.dbx" files, and already managed to extract the .eml's from the .dbx using two different programs (I'll later check if the extracted data is identical or not).
undbx
http://code.google.com/p/undbx/
and a previous (freeware) version of dbxtract (4.5)
http://htmole.altervista.org/info/dbxtract.htm
http://www.oehelp.com/dbxtract/default.aspx

Now, what I know, as mentioned on the undbx page and verified with a hex-editor, is that in each file 4 bytes every 512 are overwritten (BTW by 2D2D2D2D ).

For the text or .html parts this is normally NOT a problem, as it is possible in most cases to "guess" what were the values before.
(though it would be nice if anyone could point me to some text viewer/hex editor/whatever capable of highlighting the 4 bytes every 512)

Problem comes to the encoded parts (like the base64 attachments).

Now, I was wondering if

  • there is any program (possibly open Source/Freeware) that may be able to either decode the "corrupted" Base64 encoded data and later
  • somehow fix the decoded data (mainly JPEG image attachments)
  • the approach I took is definitely a bad idea and there are better ways

Any insight, tip, hint towards available solutions/workarounds for this issue is greatly appreciated.

jaclaz


   
Quote
(@zungbang)
New Member
Joined: 15 years ago
Posts: 1
 

Now, what I know, as mentioned on the undbx page and verified with a hex-editor, is that in each file 4 bytes every 512 are overwritten (BTW by 2D2D2D2D ).

Actually, Outlook Express overwrites these 4 bytes with the file offset to the previous 512-byte message chunk in the deleted message, and UnDBX replaces these with four dashes (----), thus ensuring that the extracted message is printable, and that the internal rfc822 parser doesn't break.

For the text or .html parts this is normally NOT a problem, as it is possible in most cases to "guess" what were the values before.
(though it would be nice if anyone could point me to some text viewer/hex editor/whatever capable of highlighting the 4 bytes every 512)

Well, it's not exactly what you want, but on a Linux box (or a Cygwin shell on a Windows box) I'd use a pager such as less, hit /---- ENTER, which will highlight any four-dash string.

Problem comes to the encoded parts (like the base64 attachments).

You may be able to get the base64 decoding to work by replacing the dashes with AAAA (AAAA == 0x000000), but you'll need to take care of missing line breaks and corrupted mimepart separators. Not my idea of fun.
Mind you - this will still leave you with corrupted binary files…

Any chance you have a backup of that user's account handy?

Good luck.


   
ReplyQuote
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
Topic starter  

Problem comes to the encoded parts (like the base64 attachments).

You may be able to get the base64 decoding to work by replacing the dashes with AAAA (AAAA == 0x000000), but you'll need to take care of missing line breaks and corrupted mimepart separators. Not my idea of fun.

Nice idea!

I will try it, thanks.
In the meantime I have found this thingy here
http://www.fpx.de/fp/Software/UUDeview/
that does provide a "Desperate" mode.
I will compare results with and without the AAAA.

Mind you - this will still leave you with corrupted binary files…

Yep, but maybe the unencoded data (in the case of jpeg) can be somehow fixed later.

Any chance you have a backup of that user's account handy?

Well, no, from the description of the incident the level of the original user should have been clear, on a 0 to 10 scale he must be around -237

jaclaz


   
ReplyQuote
(@larsminter)
Active Member
Joined: 18 years ago
Posts: 13
 

Hallo

Have a look at Blade. I have used it to recover Outlook Express email messages from an encase image. It is quite impressive.

This video shows a recovery and it does recover the base64 attachments as well.

http://il.youtube.com/watch?v=aOiLaSrZH-g&feature=related


   
ReplyQuote
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
Topic starter  

Have a look at Blade. I have used it to recover Outlook Express email messages from an encase image. It is quite impressive.

Specifically deleted images from the "deleted items" dbx?

I had read the presentation here
http://www.bladeforensics.com/presentations/OutlookExpress.pdf

It "touches" the topic, but doesn't specify if it's capable of recovering anything from those.

However thanks, I'll look more into it.

jaclaz


   
ReplyQuote
(@larsminter)
Active Member
Joined: 18 years ago
Posts: 13
 

Hallo

I am sorry, I am not sure and do not know the answer, perhaps not. I am not at my office at the moment to try.


   
ReplyQuote
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
Topic starter  

Well, 245 views and 2 (two) actual replies.

BUMP!

For the record, using the AAAAAAAA approach I now have at least complete (or almost complete) EXIF data.

Should I assume that there is no software capable of recovering a jpeg with 4 "bogus" bytes every 512 ?

And thus that once you have deleted the mail in Outlook Express a jpeg attachment cannot be recovered from it?

Or that this problem never happened to any of our forensic experts?

Or that they all know how to do it and they simply won't tell?

jaclaz


   
ReplyQuote
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
Topic starter  

461 views and no other reply.

BUMP!

jaclaz


   
ReplyQuote
(@joachimm)
Estimable Member
Joined: 17 years ago
Posts: 181
 

For the text or .html parts this is normally NOT a problem, as it is possible in most cases to "guess" what were the values before.
(though it would be nice if anyone could point me to some text viewer/hex editor/whatever capable of highlighting the 4 bytes every 512)

No idea. Personally I would write a small shell script that makes the changes for me.

  • there is any program (possibly open Source/Freeware) that may be able to either decode the "corrupted" Base64 encoded data and later

Base64 has no built-in recovery data, so you're probably better off handling the corruption at the jpeg level, like you did with HTML. However, the character set of base64 is limited, so the original bytes could be guessed with some probability. Come to think of it, this would make an interesting research subject.

I'm not sure about this, but I think there are base64 decoders that are corruption tolerant. However, what you probably want is a decoder that adds some recognizable replacement character and not one that ignores corrupted bytes. You could use the method proposed by ZungBang or grab yourself an Open Source base64 decoder and change the code to your liking.

Sometimes the unallocated space of the dbx itself, or of the volume it was stored on, contains older versions of the base64 data, which can be used to patch up the corrupted mail. Although this might be finding a needle in a haystack.

  • somehow fix the decoded data (mainly JPEG image attachments)

As long as all bytes are decoded, most jpeg tools will read the files even with a few corruptions.

Be sure to check the attachment size against the decoded file. Base64 has roughly a 4/3 ratio with the binary data.

One of the problems can be corruption in the JPEG file structure, but this can be corrected by hand if you know the structure a bit. But I think there are jpeg recovery tools out there that could do the job for you.

  • the approach I took is definitely a bad idea and there are better ways

I cannot follow you, what is so bad about your approach?
It is transparent and it largely solves your problem. It might take a bit of effort, but there isn't an off the shelf solution for everything.


   
ReplyQuote
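One way to put ZungBang's AAAA substitution and the marker-emitting decoder joachimm describes into practice (an added example, not code from this thread or from UnDBX; the 4-bytes-every-512 damage is simulated on a constructed payload rather than taken from a real .dbx). It goes one step beyond the plain substitution: it uses the 76-character MIME line period to tell which damaged bytes were a CRLF rather than a base64 digit, and it returns the offsets of the decoded bytes that cannot be trusted, which is what a JPEG-level repair needs to know.

```python
import base64
import binascii

B64 = set(b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")
CHUNK, PERIOD = 512, 78   # page: 4 bytes per 512-byte chunk hit; MIME line = 76 chars + CRLF

def simulate_damage(body: bytes, start: int) -> bytes:
    # Constructed stand-in for an UnDBX-extracted body: the first 4 bytes of every
    # 512-byte chunk of the message become dashes. `start` is the offset of the
    # body inside the .eml (its headers), which sets where the grid cuts the lines.
    out = bytearray(body)
    for off in range(-start % CHUNK, len(out), CHUNK):
        out[off:off + 4] = b"-" * len(out[off:off + 4])
    return bytes(out)

def repair_base64(damaged: bytes):
    # Dashes are not in the standard base64 alphabet, so they are unambiguous marks.
    # A dash at column 76/77 of its 78-byte line period replaced CR/LF: drop it.
    # Any other dash replaced a digit: substitute 'A' (six zero bits) and remember it.
    # Returns (decoded bytes, sorted offsets of decoded bytes that are unreliable).
    clean, bad_digits = bytearray(), []
    for i, c in enumerate(damaged):
        if c == ord("-"):
            if i % PERIOD < 76:
                bad_digits.append(len(clean))
                clean.append(ord("A"))
        elif c in B64:
            clean.append(c)              # CR, LF and stray bytes are skipped
    clean += b"=" * (-len(clean) % 4)    # keep a length the decoder accepts
    decoded = base64.b64decode(bytes(clean))
    bad = set()
    for k in bad_digits:                 # digit k feeds bits into these output bytes
        q, p = divmod(k, 4)
        for b in ((3*q,), (3*q, 3*q+1), (3*q+1, 3*q+2), (3*q+2,))[p]:
            if b < len(decoded):
                bad.add(b)
    return decoded, sorted(bad)

def naive_decodes(damaged: bytes) -> bool:
    # ZungBang's plain substitution; a swallowed CRLF adds two digits, so the
    # decoder either rejects the stream or yields bytes shifted after that point.
    try:
        base64.b64decode(damaged.replace(b"----", b"AAAA"))
        return True
    except binascii.Error:
        return False

def demo_body() -> tuple:
    # Constructed attachment (not a real JPEG) as a MIME base64 body:
    # 76-character lines terminated by CRLF, as found in a .eml.
    payload = bytes(range(256)) * 6
    lines = base64.encodebytes(payload).splitlines()
    return payload, b"\r\n".join(lines) + b"\r\n"
```

With the body starting 47 bytes into the message, one damage run lands on a line end, so the plain substitution is rejected by the decoder while the period-aware repair decodes all 1536 bytes and flags 14 of them as unreliable.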
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
Topic starter  

No idea. Personally I would write a small shell script that makes the changes for me.

Yep, I'm already going in that direction.

Base64 has no built-in recovery data, so you're probably better off handling the corruption at the jpeg level, like you did with HTML. However, the character set of base64 is limited, so the original bytes could be guessed with some probability. Come to think of it, this would make an interesting research subject.

This is very interesting.
I haven't studied the Base64 algorithm at all; I had the impression that since *somehow* ANY "original" value 0÷255 can be encoded in a text string there was the "same variability" as in the "original binary" data.

I'm not sure about this, but I think there are base64 decoders that are corruption tolerant. However, what you probably want is a decoder that adds some recognizable replacement character and not one that ignores corrupted bytes. You could use the method proposed by ZungBang or grab yourself an Open Source base64 decoder and change the code to your liking.

Yes, that's another direction that has merit and is worth following; I already started something in this direction.

Sometimes the unallocated space of the dbx itself, or of the volume it was stored on, contains older versions of the base64 data, which can be used to patch up the corrupted mail. Although this might be finding a needle in a haystack.

Probably, yes, I don't think this particular approach will be practical/feasible.

  • somehow fix the decoded data (mainly JPEG image attachments)

As long as all bytes are decoded, most jpeg tools will read the files even with a few corruptions.

No, unfortunately it doesn't seem like *ANY* tool is capable of doing so; the corrupted 4 bytes every 512 seem to be too much for any of the apps I tried.

Be sure to check the attachment size against the decoded file. Base64 has roughly a 4/3 ratio with the binary data.

Yes, right now I simply "forgot" (temporarily) the actual problem, and I am experimenting with a small set of very small pictures that I intentionally corrupted in the same way.

One of the problems can be corruption in the JPEG file structure, but this can be corrected by hand if you know the structure a bit. But I think there are jpeg recovery tools out there that could do the job for you.

Yes, point is WHICH jpeg recovery tools?
I tried quite a few of them and the most promising is jpegsnoop
http://www.impulseadventure.com/photo/jpeg-snoop.html
which seems to parse a corrupted image and actually *somehow* (I still need to study and experiment a bit) tells you WHAT is wrong.
All the others I tested are more of the "binary" kind, either

  • "OK, I managed to fix it."
  • or "Too bad, cannot open image."

  • the approach I took is definitely a bad idea and there are better ways

I cannot follow you, what is so bad about your approach?
It is transparent and it largely solves your problem. It might take a bit of effort, but there isn't an off the shelf solution for everything.

I only meant it as a possibility, but - and probably I am still missing something - I thought that this kind of chore (recovering images from attachments in a "deleted" .dbx) was something that was an everyday activity for computer forensic investigators, and that there actually were a number of "off the shelf" solutions.

In other words, I was/am very surprised that this specific topic about recovering images from an emptied/deleted Outlook Express .dbx wasn't already talked about at large and already "finalized", giving birth to either an "off the shelf" solution, or a guideline/tutorial, or a definite statement that I am completely wasting my time as it is impossible or very, very improbable to get anything from the corrupted data.

My small scale experiments with small and simple images seem like giving a little hope, though.

jaclaz


   
ReplyQuote