A Guide On Outlook OST Forensics

Investigate Offline OST File with OST Forensics Tool

Email is the most common mode of communication in corporate and business settings, which makes it a primary source of evidence for forensic investigators. The most common scenarios require investigating data from platforms such as Exchange Server and MS Outlook, so this guide discusses digital examination and analysis in the context of Exchange Server and Outlook OST forensics. To investigate falsification and spoofing in Outlook emails, an investigator needs to carry out the steps discussed in the following sections.

MS Outlook and Exchange Server are widely used in organizations to provide a reliable communication platform for users. Outlook can be used in two modes, online and cached mode; when Outlook is configured with Exchange Server in cached mode, it creates a local copy of the user's mailbox on the desktop, which is the OST file. This Offline Storage Table file is stored on the local hard drive and lets users keep working offline when connectivity to the Exchange server is not available. To make it permanently accessible, convert the offline OST to PST.

Overview of OST File Forensics

Default Location And Working Of OST Files

The chart below shows the default location of the OST file for different Outlook versions:

[Figure: OST file location by Outlook version]

An OST file works integrally with Exchange authentication: it is encrypted by default, and before Outlook can display the mailbox contents to the user it requires authentication. An encryption key, the MAPIEntryID GUID, is used to authenticate between the Exchange mailbox and the Outlook account. The key is stored in two locations:

  • The MAPI (Messaging Application Programming Interface) settings in the registry
  • The mailbox on the Exchange Server

While working in offline mode, the encryption key for the OST file is read from the registry and verified against the mailbox saved on the server. If both values match, the user is allowed to access the OST file items and sync them with the mailbox on the server. If the values differ (for any reason, such as recreation of the profile or deletion), the OST file will not be accessible and will fail to sync with the Exchange mailbox. To investigate in such situations, converting the OST file data to PST format can help examine the mailbox data forensically.

Investigating OST File Encryption Settings

Sometimes investigators find an encrypted OST file that contains important emails or other items relevant to the case. In such cases it is important for them to understand in detail the encryption feature provided in Outlook. OST files can be encrypted in older versions of MS Outlook, i.e. 2000, 2002 and 2003, where the encryption feature is built in.

How To Apply Encryption?

  • Go to 'Control Panel' and open 'Mail'.
  • Click on E-mail Accounts » Add a new e-mail account » Next.
  • Select 'Microsoft Exchange Server' and then click 'Next'.
  • Provide the server name and user name, then go to More Settings » Advanced » Offline Folder File Settings.

Types Of Encryption In OST Files

  • With the No Encryption option, the OST file is not encoded and can therefore be viewed with a text editor or a hex editor.
  • Compressible Encryption encodes the OST file so that its data cannot be viewed directly; however, this type of encryption is easily broken.
  • With the High Encryption option, the encoding applied to the OST file cannot be easily defeated, so it is considered the safest way of protecting OST file data.

Any of the encryption types can be applied to an OST file and changed whenever required. In older Outlook versions, users can use only one account at a time, but when needed they can delete the existing account and create a new one. However, if the first account's OST file was encrypted, the new account inherits the encryption settings of the deleted one, and these cannot be changed. With Outlook 2003, users can set the encryption settings while creating the account and do not need to change them afterwards. In later Outlook versions such as 2007 this encryption feature was removed, and EFS (Encrypting File System) and BitLocker encryption were introduced to encrypt OST files.
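The encryption type is recorded as a single byte (bCryptMethod) in the file header, so an examiner can determine which of the three modes an OST uses before opening it. The following added example (not code from the original article) reads that byte using the header layout documented in Microsoft's public [MS-PST] specification, which OST files share; the header produced by build_sample_header is a constructed synthetic one for offline testing, and treating every non-ANSI version number as the 64-bit layout is an assumption.

```python
import struct

# Constants follow the [MS-PST] HEADER structure. The magic "!BDN" opens both
# PST and OST files; wMagicClient distinguishes them ("SM" vs "SO").
MAGIC = b"!BDN"
CLIENT_TYPES = {0x4D53: "PST", 0x4F53: "OST"}
ANSI_VERSIONS = (14, 15)                      # wVer values of the 32-bit layout
CRYPT_OFFSET = {"ANSI": 461, "UNICODE": 513}  # position of bCryptMethod
CRYPT_NAMES = {
    0x00: "none (No Encryption)",
    0x01: "permute (Compressible Encryption)",
    0x02: "cyclic (High Encryption)",
}

def inspect_ost_header(data: bytes) -> dict:
    """Return file type, layout and encryption mode read from a PST/OST header."""
    if data[:4] != MAGIC:
        raise ValueError("not a PST/OST file: bad magic")
    magic_client, ver = struct.unpack_from("<HH", data, 8)
    layout = "ANSI" if ver in ANSI_VERSIONS else "UNICODE"  # assumption, see lead-in
    off = CRYPT_OFFSET[layout]
    if len(data) <= off:
        raise ValueError("truncated header")
    if data[off - 1] != 0x80:  # bSentinel always precedes bCryptMethod
        raise ValueError("sentinel byte missing, header may be corrupt")
    crypt = data[off]
    return {
        "file_type": CLIENT_TYPES.get(magic_client, "unknown"),
        "layout": layout,
        "format_version": ver,
        "crypt_method": crypt,
        "encryption": CRYPT_NAMES.get(crypt, f"unknown (0x{crypt:02x})"),
        # Only an unencrypted store shows readable strings in a hex editor.
        "plaintext_readable": crypt == 0x00,
    }

def build_sample_header(client=0x4F53, ver=23, crypt=0x01) -> bytes:
    """Constructed synthetic header (zero-filled except the fields read above)."""
    size = 512 if ver in ANSI_VERSIONS else 564
    hdr = bytearray(size)
    hdr[0:4] = MAGIC
    struct.pack_into("<HH", hdr, 8, client, ver)
    off = CRYPT_OFFSET["ANSI" if ver in ANSI_VERSIONS else "UNICODE"]
    hdr[off - 1] = 0x80
    hdr[off] = crypt
    return bytes(hdr)

if __name__ == "__main__":
    print(inspect_ost_header(build_sample_header()))
```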

Associated File Formats in OST File

OST emails can be composed and saved in three file formats. By default Outlook uses HTML to compose emails, but if required they can be composed in Plain Text (TXT) or Rich Text Format (RTF).

If an OST email is composed in HTML format, the attached file appears in the header of the email, whereas when an email is composed in RTF format the attached file appears in the body of the message. Composing emails in plain text format does not include any formatting, so background images and other formatting applied to the OST email will be lost.

[Figure: HTML view]

[Figure: RTF view]

Other Related Formats Include:

  • MSG: A single-message format for Outlook OST emails.
  • VCF: File format for sharing Outlook contacts.
  • ICS: File format for sharing calendars and schedules over the internet.

Analyzing OST File Header Values

Analyzing OST file emails plays a vital role in examining falsification in the cyber arena. Within OST file analysis as a whole, the emails are an important source of both structured and unstructured data. Comparatively, unstructured data such as the source network, hash values, inter-networking devices and identification of keys are more useful when a forensic investigation is carried out.

Shown below is an examination of an OST email header, which contains the IP address, Message-ID, MIME version, source code, subject, content type, content transfer encoding, path traversed, accept-language and date, from which an investigator can judge the artifacts describing the flow of the message.

[Figure: OST email header examination]

The header of an OST file can be extracted to ascertain information such as the number of emails, the associated items and the attachment size details embedded in the mail items.
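As an added example, not code from the original article, the following Python walks the Received chain of a constructed sample header (hosts and IP addresses are documentation placeholders) from the first hop to the last and flags timestamps that run backwards, one of the inconsistencies an examiner looks for when judging whether the path a message claims to have traversed is genuine.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample header for offline use; the second hop is deliberately
# timestamped earlier than the first so the anomaly check has something to find.
SAMPLE_HEADER = """\
Received: from mx.example.org (mx.example.org [198.51.100.7])
 by mail.example.com with ESMTP id AbC123;
 Tue, 03 Mar 2020 10:05:30 +0000
Received: from [192.0.2.44] (unknown [192.0.2.44])
 by mx.example.org with ESMTPA id XyZ789;
 Tue, 03 Mar 2020 10:07:10 +0000
Message-ID: <20200303100000.12345@example.org>
Date: Tue, 03 Mar 2020 10:04:00 +0000
From: "Finance" <finance@example.org>
To: user@example.com
Subject: Invoice attached
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"
"""

IP_PAT = r"\[(\d{1,3}(?:\.\d{1,3}){3})\]"

def parse_received_chain(raw: str) -> list:
    """Return hops oldest-first: claimed sender, its IP, receiving host, time."""
    msg = message_from_string(raw)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):  # first hop is the last header
        route, _, stamp = " ".join(hdr.split()).rpartition(";")
        def grab(pat):
            m = re.search(pat, route)
            return m.group(1) if m else None
        hops.append({"from": grab(r"from (\S+)"), "ip": grab(IP_PAT),
                     "by": grab(r"by (\S+)"),
                     "time": parsedate_to_datetime(stamp.strip())})
    return hops

def header_anomalies(raw: str) -> list:
    """List header inconsistencies that merit a closer look during examination."""
    msg = message_from_string(raw)
    hops = parse_received_chain(raw)
    issues = [f"missing {k}" for k in ("Message-ID", "Date", "MIME-Version") if msg.get(k) is None]
    for prev, cur in zip(hops, hops[1:]):
        if cur["time"] < prev["time"]:
            issues.append(f"hop to {cur['by']} is timestamped before the previous hop")
    return issues
```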

How To Use 'Download Headers Only' Option

Open Outlook, click on the Send/Receive menu and choose Define Send/Receive Groups.

[Figure: Send/Receive Groups]

Select the relevant mail folders and choose the 'Download headers only' option in the folder settings.

[Figure: Download headers only]

The 'Download headers only' option is useful for investigators inspecting huge Exchange mailboxes stored locally on the user's machine. The mail header is used to obtain information about the number of email items, the size of each mail and additional details, such as whether there are any email attachments.

Deleted Items Recovery From OST File

Recovery of deleted items from OST data is also part of an OST file forensics investigation, so sound knowledge is required of how to restore deleted items and thereby repair the OST file. By default, Outlook provides an option to restore deleted items from the OST using 'Recover Deleted Items'. However, this option works only under certain conditions, depending on the versions of Outlook and Exchange and on the settings imposed by the Exchange administrator.

[Figure: Recover Deleted Items]

Retention Period Policy: The deleted item retention feature, also called the 'Dumpster', enables users to restore deleted items even if they were hard deleted (Shift+Delete). Exchange provides settings for deleted item retention, which allow items to be restored for a certain period.

[Figure: Retention period settings]

Conclusion

If an OST file needs to be examined in other respects, such as deep analysis of headers, deletion study and MD5 values, there are commercial OST file forensics tools and free OST viewers available on the market. One expert and recommended OST Forensics Tool is that provides a complete examination of OST files with the multiple artifacts and values needed in the forensic evaluation of files.