[DFSci] recovering outlook pst
Marc Fisher
dfsci at ioudas.net
Thu Apr 7 02:13:41 PDT 2011
Hello,
I just found this list when I was looking for a file carving (foremost)
community.
I had my first file carving job yesterday when a disgruntled employee decided
to delete her whole outlook contents before leaving the company. The IT
manager was called to recover the data and said it wasn't possible, so I
decided to give it a try (I'm not an IT guy by the way).
Outlook stores personal folders in a pst file; the problem was that the file
wasn't deleted, only reduced in size (considerably).
After some research I decided that foremost was the tool for this task,
although I was quite sceptical at first that this was possible.
Recovering pst files has a big advantage because there are tools to repair
damaged files, even extract information out of completely garbled pst files;
theoretically I could run such a tool on the HDD image :D but this would be
extremely slow (days) and could even crash the repair tool half-way. So I
basically needed foremost to identify the most interesting sectors.
I checked the foremost.conf and found a preconfigured line for PSTs. However
the header was different from what I found in PSTs on my PC.
foremost.conf:
pst y 400000000 \x21\x42\x4e\xa5\x6f\xb5\xa6
my pst files start:
21 42 44 4e 98 af d7
Also I thought that limiting files by extension could miss swap contents and
perhaps the space that was freed after the file was reduced. So I added one
more line to the default one:
. y 400000000 \x21\x42\x44\x4e
It worked well for my purpose, but the problem is that I didn't really know
what I was doing, and I'm very curious; that's why I decided to ask someone
who has a little bit more experience and knowledge in this area.
Two biggest questions are:
1) Let's say foremost runs into the bytes 21 42 44 4e, how does it know where
to stop? I got several files in the output, some of them garbage, but the
real files were of different sizes. Some were 10MB and some 70MB. I
understand that's what the footer is for, but I didn't set any in my conf.
2) I'm not sure yet whether I recovered the data from the space that was
freed after the file reduction or data from different PST files. Is it
possible at all in your opinion to recover data from a reduced file - not from
a deleted file?
Thank you very much for any info on this topic. Learning material is really
hard to come by on Google! Perhaps not many people are hardcore enough to
really understand file carving in detail?
Thanks again,
Marc
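An added example, not part of Marc's message and not foremost's own code, illustrating question 1: a simplified header-based carver that stops at a footer, at the next header, or at the configured maximum size, plus a sanity check on the PST header fields that follow the magic, which is one way to tell real hits from garbage. The stop policy is an assumption about how such carvers behave, not foremost's actual algorithm; the field offsets (CRC at bytes 4..7, wMagicClient at 8, wVer at 10) follow the MS-PST header layout, and the disk image is constructed for the demo.

```python
import struct

# "!BDN" is the only constant part of a PST header: bytes 4..7 are a CRC
# (dwCRCPartial in the MS-PST header layout), so a longer signature like the
# one in foremost.conf need not match every file.
PST_MAGIC = b"\x21\x42\x44\x4e"

def carve(image, header, max_size, footer=b""):
    """Return (offset, data) for every header hit. Simplified carver model, not
    foremost's code: the region ends at the footer if one appears within
    max_size, else at the next header occurrence, else at max_size."""
    hits = []
    pos = image.find(header)
    while pos != -1:
        end = min(pos + max_size, len(image))
        if footer:
            f = image.find(footer, pos + len(header), end)
            if f != -1:
                end = f + len(footer)
        else:
            nxt = image.find(header, pos + len(header), end)
            if nxt != -1:
                end = nxt
        hits.append((pos, image[pos:end]))
        pos = image.find(header, pos + len(header))  # resume after this header
    return hits

def pst_header_plausible(data):
    """Sanity check on a candidate: wMagicClient at offset 8 must be b"SM" and
    wVer at offset 10 an ANSI (14/15) or Unicode (23+) version number."""
    if len(data) < 12 or data[:4] != PST_MAGIC or data[8:10] != b"SM":
        return False
    (wver,) = struct.unpack_from("<H", data, 10)
    return wver in (14, 15) or wver >= 23

def fake_pst_header(wver):
    # Constructed header: magic, dummy CRC, 'SM', wVer, wVerClient.
    return PST_MAGIC + b"\x98\xaf\xd7\x00" + b"SM" + struct.pack("<HH", wver, 19)

# Constructed image: filler, a Unicode PST, a bare magic that is not a real
# header (the kind of garbage hit foremost also reports), then an ANSI PST.
IMAGE = (b"\x00" * 512 + fake_pst_header(23) + b"A" * 2000
         + b"junk" + PST_MAGIC + b"\xff" * 300
         + fake_pst_header(15) + b"B" * 100)

def carve_psts(image, max_size=1024):
    """Carve with the PST magic and no footer; tag each hit plausible or not."""
    return [(off, len(d), pst_header_plausible(d))
            for off, d in carve(image, PST_MAGIC, max_size)]
```

Calling carve_psts(IMAGE) returns three hits: the first is cut at max_size because no later header falls within it, the middle one ends where the next magic begins and fails the header check, and the last runs to the end of the image.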