[DFSci] recovering outlook pst
Christophe GRENIER
grenier at cgsecurity.org
Thu Apr 7 02:28:03 PDT 2011
On Thu, 7 Apr 2011, Marc Fisher wrote:
> Hello,
> I just found this list when I was looking for file carving (foremost)
> community.
> I had my first file carving job yesterday when a disgruntled employee decided
> to delete her whole outlook contents before leaving the company. The IT
> manager was called to recover the data and said it wasn't possible, so I
> decided to give it a try (I'm not an IT guy by the way).
>
> Outlook stores personal folders in a pst file, the problem was that the file
> wasn't deleted, only reduced in size (considerably).
> After some research I decided that foremost was the tool for this task,
> although I was quite sceptical at first that this was possible.
>
> Recovering pst files has a big advantage because there are tools to repair
> damaged files, even extract information out of completely garbled pst files,
> theoretically I could run such a tool on the HDD image :D but this would be
> extremely slow (days) and could even crash the repair tool half-way. So I
> basically needed foremost to identify the most interesting sectors.
>
> I checked the foremost.conf and found preconfigured line for PST's. However
> the header was different from what I found in pst's on my pc.
> foremost.conf:
> pst y 400000000 \x21\x42\x4e\xa5\x6f\xb5\xa6
>
> my pst files start:
> 21 42 44 4e 98 af d7
>
> Also I thought that limiting files by extension could miss swap contents and
> perhaps the space that was freed after the file was reduced. So I added one
> more line to the default one:
> . y 400000000 \x21\x42\x44\x4e
>
> It worked well for my purpose, but the problem is that I didn't really know
> what I was doing, and I'm very curious, that's why I decided to ask someone
> who has a little bit more experience and knowledge in this area.
To recover pst files, PhotoRec (I am the main author) uses the same four-byte
signature you are using. With your signature, Foremost limits the
filesize to 400MB but PhotoRec gets the correct filesize from the pst header.
Since Outlook 2003, pst files can be bigger than 2GB.
If you think the pst is bigger than 400MB, you should give it a try.
http://www.cgsecurity.org/wiki/TestDisk_Download
Christophe
--
,-~~-.___. ._.
/ | ' \ | |--------. Christophe GRENIER
( ) 0 | | | grenier at cgsecurity.org
\_/-, ,----' | | |
==== !_!-v---v--.
/ \-'~; .--------. TestDisk & PhotoRec
/ __/~| ._-""|| | Data Recovery
=( _____|_|____||________| http://www.cgsecurity.org
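
Added example (not part of the original message and not PhotoRec's code): a Python scanner that, at each `!BDN` hit, reads the file size the PST header declares instead of applying a fixed cap. The field offsets (client magic at 8, wVer at 10, file size at 168 for ANSI and 184 for Unicode) follow the published MS-PST header layout; sector alignment, the function names and the sample image are assumptions constructed for this example.

```python
import struct

MAGIC = b"!BDN"            # 21 42 44 4e, the 4-byte signature used in the thread
FOREMOST_CAP = 400000000   # size limit from the foremost.conf line in the thread
SECTOR = 512               # assumption: carved files start on a sector boundary

def pst_declared_size(header):
    """Return (variant, size in bytes) read from a PST header, else None."""
    if len(header) < 192 or header[:4] != MAGIC or header[8:10] != b"SM":
        return None                                   # not a PST header
    (ver,) = struct.unpack_from("<H", header, 10)     # wVer field
    if ver in (14, 15):                               # ANSI format, 32-bit size
        return "ansi", struct.unpack_from("<I", header, 168)[0]
    if ver >= 23:                                     # Unicode format, 64-bit size
        return "unicode", struct.unpack_from("<Q", header, 184)[0]
    return None

def scan_image(image):
    """List PST headers found at sector-aligned offsets in a raw image."""
    hits = []
    for off in range(0, len(image), SECTOR):
        info = pst_declared_size(image[off:off + 192])
        if info:
            variant, size = info
            hits.append({"offset": off, "variant": variant, "size": size,
                         "over_foremost_cap": size > FOREMOST_CAP,
                         "runs_past_image": off + size > len(image)})
    return hits

def build_sample_image():
    """Constructed 8 KiB test image: two fake PST headers and one decoy."""
    img = bytearray(16 * SECTOR)
    def put(off, ver, size_off, fmt, size, client=b"SM"):
        img[off:off + 4] = MAGIC
        img[off + 8:off + 10] = client
        struct.pack_into("<H", img, off + 10, ver)
        struct.pack_into(fmt, img, off + size_off, size)
    put(2 * SECTOR, 23, 184, "<Q", 3 * 1024**3)       # Unicode, declares 3 GiB
    put(5 * SECTOR, 14, 168, "<I", 1024)              # ANSI, declares 1 KiB
    put(9 * SECTOR, 23, 184, "<Q", 4096, client=b"XX")  # decoy, wrong client magic
    return bytes(img)

if __name__ == "__main__":
    for hit in scan_image(build_sample_image()):
        print(hit)
```

A hit flagged `over_foremost_cap` is one a fixed 400000000-byte limit would cut short, and `runs_past_image` marks a declared size that the image cannot satisfy, as with a file that was shrunk after the header was written.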