A Guide On Outlook OST Forensics
Investigate Offline OST File with OST Forensics Tool
Email is the most common mode of communication in the corporate and business sectors, which makes it a core source of evidence for forensic investigators, and the most common scenarios require investigating data from platforms such as Exchange Server and MS Outlook. This article discusses digital examination and analysis in the area of Exchange Server and Outlook OST forensics. To investigate falsification and spoofing in Outlook emails, an investigator needs to carry out the steps discussed in the following sections.
MS Outlook and Exchange Server are widely used in organizations to provide a seamless communication platform for users. Outlook can be used in two different modes, online and cached mode; when Outlook is configured with Exchange Server in cached mode, it creates a local copy of the user's mailbox on the desktop, which is the OST file. This Offline Storage Table file is stored on the computer's local hard drive and allows users to work offline when connectivity to the Exchange Server is not available. To make it permanently accessible, convert the offline OST to PST.
Overview of OST File Forensics
The chart below shows the default location of the OST file for different Outlook versions:
An OST file works integrally with Exchange authentication: it is encrypted by default, and before Outlook presents the mailbox contents to the user it requires authentication. An encryption key, the MAPIEntryID GUID, is used to authenticate the Outlook account against the Exchange mailbox. The key is stored at two locations:
While working in offline mode, the encryption key for the OST file is read from the registry and verified against the mailbox saved on the server. If both values are equal, users are allowed to access the OST file items and synchronize with the mailbox on the server. If the values differ (for any reason, such as recreation or deletion of the profile), the OST file will not be accessible and will fail to sync with the Exchange mailbox. To investigate in such situations, converting the OST file data to PST format can help examine the mailbox data forensically.
Sometimes investigators find an encrypted OST file, containing important emails or other items, while investigating a crime. In such cases it is important for them to understand in detail the encryption feature provided in the various Outlook versions. OST files can be easily encrypted in some older versions of MS Outlook, namely 2000, 2002 and 2003, as the encryption feature is built into these versions.
How To Apply Encryption?
Types Of Encryption In OST Files
Any of the encryption types can be applied to an OST file and changed whenever required. In older Outlook versions, users can use only one account at a time, but when needed they can delete the existing one and create a new account. If the first account's OST file was encrypted, however, the new one takes on the encryption settings of the deleted account, which cannot be changed. With Outlook 2003, users can set the encryption settings while creating the account and are not required to change them later. In later Outlook versions such as 2007 this encryption feature was removed, and EFS (Encrypting File System) and BitLocker encryption were introduced to encrypt OST files.
OST emails can be composed and saved in three formats. By default Outlook uses HTML to send emails, but if required they can be composed in plain text (TXT) or Rich Text Format (RTF).
If an OST email is composed in HTML format, an attached file appears in the header of the email, whereas when an email is composed in RTF the attached file appears in the body of the message. Composing emails in plain text format includes no formatting: background images and any other formatting applied to the OST email will be lost.
Other Related Formats Include:
The method used to analyze OST file emails plays a vital role in examining falsification in the cyber arena. Within the whole scope of OST file analysis, OST emails are an important source for collecting structured and unstructured data. Comparatively, unstructured data such as the source network, hash values, internetworking devices and identification of keys is more useful when a forensic investigation is to be carried out.
Shown below is an examination of an OST file header that contains the IP address, Message-ID, MIME version, source code, subject, content type, content transfer encoding, path traversed, Accept-Language, Date and so on, from which an investigator can judge the artifacts about the flow of the OST file.
The header of an OST file can be extracted to ascertain information about the number of emails, associated items and attachment size details embedded in the mail items.
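As an added illustration of the header examination described above (example code written for this article, not from the original page or any tool it mentions), the Python below parses the transport headers of a constructed sample message, orders the Received hops from origin to mailbox, and also records the MD5/SHA-256 hash values the page refers to elsewhere; the sample message, host names and addresses are assumed.

```python
"""Header triage for one exported OST/Outlook message (added example).
The SAMPLE_MESSAGE below is constructed for illustration only."""
import hashlib
import re
from email import message_from_bytes

# Constructed sample: two relay hops; 192.0.2.10 is a documentation address.
SAMPLE_MESSAGE = b"""Received: from mx2.example.internal (mx2.example.internal [10.0.0.2])
\tby mailbox.example.internal; Tue, 5 Mar 2019 10:15:03 +0000
Received: from mail.partner.example (mail.partner.example [192.0.2.10])
\tby mx2.example.internal; Tue, 5 Mar 2019 10:15:01 +0000
Message-ID: <20190305101500.ABCDEF@mail.partner.example>
Date: Tue, 5 Mar 2019 10:14:58 +0000
From: sender@partner.example
To: analyst@example.internal
Subject: Invoice
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Accept-Language: en-US

Please see the attached invoice.
"""


def analyze_headers(raw: bytes) -> dict:
    """Return the header artifacts listed above plus hashes of the raw bytes."""
    msg = message_from_bytes(raw)
    # Every relay prepends its own Received header, so the stored order is
    # newest first; reverse it to read the path from origin to mailbox.
    hops = [" ".join(h.split()) for h in msg.get_all("Received", [])][::-1]
    origin = re.search(r"\[([0-9a-fA-F.:]+)\]", hops[0]) if hops else None
    return {
        "message_id": msg.get("Message-ID"),
        "date": msg.get("Date"),
        "mime_version": msg.get("MIME-Version"),
        "content_type": msg.get_content_type(),
        "transfer_encoding": msg.get("Content-Transfer-Encoding"),
        "accept_language": msg.get("Accept-Language"),
        "path": hops,
        "origin_ip": origin.group(1) if origin else None,
        # Hashes of the exported bytes go into the evidence record so a later
        # examination can show the item has not changed.
        "md5": hashlib.md5(raw).hexdigest(),
        "sha256": hashlib.sha256(raw).hexdigest(),
    }
```

Calling analyze_headers(SAMPLE_MESSAGE) yields the origin address 192.0.2.10 and the two-hop path; a message with no Received headers yields an origin of None rather than an error.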
Open Outlook, click the Send/Receive menu and choose Send/Receive Menu » Define Send/Receive Groups.
Select the particular mail folders and choose the 'Download headers only' option from the default settings.
The 'Download headers only' option is useful for investigators who are inspecting huge Exchange mailboxes stored locally on the user's machine. The mail header is used to obtain information about the number of email items, the size of each mail and additional information such as whether there are any email attachments.
Deleted Items Recovery From OST File
Recovery of deleted items from OST data is also part of an OST file forensics investigation, so sound knowledge of how to restore deleted items, and thereby repair the OST file, is required. By default, Outlook provides the 'Recover Deleted Items' option to restore deleted items from an OST. However, the option works only under certain conditions, depending on the versions of Outlook and Exchange and the settings imposed by the Exchange administrator.
Retention Period Policy: The deleted item retention feature, also called the 'Dumpster', enables users to restore deleted items even if the items were hard deleted (Shift+Delete). Exchange provides the facility of setting a retention period for deleted items, which allows items to be restored for a certain period.
If an OST file needs to be examined in other respects, such as deep analysis of headers, deletion study and MD5 values, there are commercial tools for performing OST file forensics as well as free OST viewers available on the market. One of the expert and recommended OST Forensics Tools is that provides complete examination of the OST file with the multiple artifacts and values needed in forensic evaluation of files.