Microsoft Outlook Forensics
Investigate and Carve Evidence from Outlook PST File
Basics of PST File Format - Outlook PST Forensics
Microsoft Outlook enables the users to store all its email messages and attachments as a record in an encoded or compact format. The complete set of emails under a respective user account gets saved in PST (Personal Storage Table also known as Outlook Data File) file. Outlook provides users the ability to recover all deleted messages with the use of "Deleted Item" folder.
But situations in which recovery may not be possible are when the employee or user performs hard deletion on email messages, i.e. to delete all the available data (can be evidence to investigators) permanently. This may result in the need of recovery and extraction of email data by other available means, for further forensic investigation.
Outlook Forensics - Extract Evidence from PST File
Outlook has been supporting two formats of PST data file: ANSI and Unicode. The main variance between both the file types is its Storage Capacity. The ANSI PST file can save a maximum of 2 GB data and uses 32-bit values to denote the Block ID. Whereas, Unicode PST files have the ability to store data up to 50 GB and uses 64-bit values.
Microsoft Outlook primarily supports three message formats: - Plain Text, Rich Text Format, and HTML.
- Plain Text: This is a basic format that is supported by all email applications. It does not support any text formatting.
- HTML: It allows the user to add text formatting, image, hyperlink and many more elements in email messages.
Important: HTML format is mostly used by cyber crooks to perform spoofing and cyber bullying activities.
- RTF: Rich Text Format is similar to HTML format considering its formatting mechanism. When a user sends the email in RTF format, then Outlook automatically converts that message into HTML format.
Recovery of deleted emails with attachments is a very challenging assignment for investigators. A message that is deleted or purged by a suspect can be recovered, if it is available on the hard disk and has not been overwritten yet. Email artifacts always exist in Outlook PST file, therefore, there is a possibility to recover them by using manual process.
Microsoft Outlook provides an inbuilt Scan.pst tool to repair corrupt or inaccessible PST files. Scan.pst is a software program that recovers PST files from minor cases of corruption along with retention of the read and unread status of emails as well. However, it cannot deal with deleted item restoration which acts as a limitation of the utility.
Nevertheless, with advancement in technology, previous version in Windows 7 automatically creates multiple types of files or folders. This facility is by default available in Windows 7 and during Outlook forensics, using this investigator can easily restore all deleted or modified PST files.
Email messages that are "Hard Deleted" (by using Shift + Delete keys) or removed from "Deleted Items" folder cannot be recovered by using Outlook inbuilt tool. To perform Outlook email forensic and recover permanently deleted emails, experts need an email forensic tool.
is one of the most prominent email examiner tool that is well known for its ability to carve evidence from suspects' mailbox. The tool is capable to recover all tha hard deleted emails of Outlook. The best part of the software is that it is compatible with both desktop-based as well as web-based email clients in addition to mail servers and certain image file formats. On the basis of investigative requirements, the tool enables the examiner to analyze email artifacts into multiple views such as Hex view, MIME view, RTF view, so on.