[DFSci] recovering outlook pst

Troy Larson troyla at microsoft.com
Thu Apr 7 09:26:50 PDT 2011


The PST internals are documented here: http://msdn.microsoft.com/en-us/library/ff385210(v=office.12).aspx   Searching the MSDN for data types will often fill in the little details in the specification.

Troy

-----Original Message-----
From: dfsci-bounces at lists.dfrws.org [mailto:dfsci-bounces at lists.dfrws.org] On Behalf Of Marc Fisher
Sent: Thursday, April 07, 2011 2:14 AM
To: dfsci at lists.dfrws.org
Subject: [DFSci] recovering outlook pst

Hello,
I just found this list when I was looking for a file carving (foremost) community.
I had my first file carving job yesterday when a disgruntled employee decided to delete her whole outlook contents before leaving the company. The IT manager was called to recover the data and said it wasn't possible, so I decided to give it a try (I'm not an IT guy by the way).

Outlook stores personal folders in a pst file, the problem was that the file wasn't deleted, only reduced in size (considerably).
After some research I decided that foremost was the tool for this task, although I was quite sceptical at first that this was possible.

Recovering pst files has a big advantage because there are tools to repair damaged files, even extract information out of completely garbled pst files, theoretically I could run such a tool on the HDD image :D but this would be extremely slow (days) and could even crash the repair tool half-way. So I basically needed foremost to identify the most interesting sectors.

I checked the foremost.conf and found preconfigured line for PST's. However the header was different from what I found in pst's on my pc.
foremost.conf:
pst y 400000000 \x21\x42\x4e\xa5\x6f\xb5\xa6

my pst files start:
21 42 44 4e 98 af d7

Also I thought that limiting files by extension could miss swap contents and perhaps the space that was freed after the file was reduced. So I added one more line to the default one:
. y 400000000 \x21\x42\x44\x4e

It worked well for my purpose, but the problem is that I didn't really know what I was doing, and I'm very curious, that's why I decided to ask someone who has a little bit more experience and knowledge in this area.

Two biggest questions are:
1) Let's say foremost runs into the bytes 21 42 44 4e, how does it know where to stop? I got several files in the output, some of them garbage but the real files were of different size. Some were 10MB and some 70MB. I understand that's what the footer is for, but I didn't set any in my conf.
2) I'm not sure yet whether I recovered the data from the space that was freed after the file reduction or data from different PST files. Is it possible at all in your opinion to recover data from reduced file - not from deleted file?

Thank you very much for any info on this topic. Learning material is really hard to come by on google! Perhaps not many people are hardcore enough to really understand file carving in detail?

Thanks again,
Marc
_______________________________________________
DFSci mailing list
DFSci at lists.dfrws.org
http://lists.dfrws.org/listinfo.cgi/dfsci-dfrws.org
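Added example (not code from either message above): the bytes Marc saw, 21 42 44 4e, are the dwMagic field "!BDN" of the PST HEADER in the MS-PST specification Troy links to, and the header also carries the file's own length (ibFileEof in the ROOT structure), so a carver can size each hit from the header instead of relying on a footer or a fixed maximum. The script below scans a raw image for "!BDN" with wMagicClient "MS" at offset 8, reads wVer to tell ANSI (14 or 15) from Unicode (23 and above) headers, and reads ibFileEof from offset 168 (4 bytes, ANSI) or 184 (8 bytes, Unicode). The 400000000 cap is taken from the foremost.conf line quoted in the thread; the offsets are taken from the MS-PST HEADER and ROOT layouts; the sample image, with a decoy "!BDN" and a header whose body runs off the end of the image, is constructed for the demonstration. No CRC validation is done, so treat the output as candidates to feed into a repair tool, not as verified files.

```python
"""Carve PST headers from a raw image and size each hit from the header itself.

Offsets follow the MS-PST HEADER (2.2.2.6) and ROOT (2.2.2.5) layouts:
  ANSI    header 512 bytes, ROOT at 164, ibFileEof at 168 (4 bytes, little-endian)
  Unicode header 564 bytes, ROOT at 180, ibFileEof at 184 (8 bytes, little-endian)
"""
import struct

PST_MAGIC = b"!BDN"         # dwMagic 0x4E444221, bytes 21 42 44 4E
PST_MAGIC_CLIENT = b"MS"    # wMagicClient 0x534D, little-endian, at offset 8
MAX_PST = 400_000_000       # upper bound taken from the foremost.conf line in the thread


def parse_pst_header(buf, off):
    """Return (format, header_len, file_size) for a PST header at buf[off:], else None."""
    if buf[off:off + 4] != PST_MAGIC or buf[off + 8:off + 10] != PST_MAGIC_CLIENT:
        return None
    wver = struct.unpack_from("<H", buf, off + 10)[0]
    if wver in (14, 15):
        fmt, hdr_len, eof_off, eof_fmt = "ANSI", 512, 168, "<I"
    elif wver >= 23:
        fmt, hdr_len, eof_off, eof_fmt = "Unicode", 564, 184, "<Q"
    else:
        return None
    if off + hdr_len > len(buf):          # header itself runs off the image
        return None
    size = struct.unpack_from(eof_fmt, buf, off + eof_off)[0]
    if size < hdr_len or size > MAX_PST:  # ibFileEof must cover at least the header
        return None
    return fmt, hdr_len, size


def carve_pst(image):
    """Return [(offset, format, size, truncated)] for every plausible PST header."""
    hits = []
    pos = image.find(PST_MAGIC)
    while pos != -1:
        parsed = parse_pst_header(image, pos)
        if parsed:
            fmt, hdr_len, size = parsed
            hits.append((pos, fmt, size, pos + size > len(image)))
            pos = image.find(PST_MAGIC, pos + hdr_len)   # continue past this header
        else:
            pos = image.find(PST_MAGIC, pos + 1)         # false positive, keep scanning
    return hits


def make_header(fmt, file_size):
    """Constructed header: only the fields the carver reads are filled in."""
    if fmt == "Unicode":
        hdr = bytearray(564)
        struct.pack_into("<H", hdr, 10, 23)
        struct.pack_into("<Q", hdr, 184, file_size)
    else:
        hdr = bytearray(512)
        struct.pack_into("<H", hdr, 10, 14)
        struct.pack_into("<I", hdr, 168, file_size)
    hdr[0:4] = PST_MAGIC
    hdr[8:10] = PST_MAGIC_CLIENT
    return bytes(hdr)


def build_sample_image():
    """Constructed image: Unicode PST, decoy magic, ANSI PST, and a truncated PST."""
    filler = b"\x00" * 1000
    unicode_pst = make_header("Unicode", 4096) + b"U" * (4096 - 564)
    decoy = b"!BDN" + b"\x00" * 60        # magic without "MS": not a PST header
    ansi_pst = make_header("ANSI", 2048) + b"A" * (2048 - 512)
    tail = make_header("Unicode", 100000) + b"T" * 200  # claims more than remains
    return filler + unicode_pst + filler + decoy + filler + ansi_pst + filler + tail


if __name__ == "__main__":
    for off, fmt, size, truncated in carve_pst(build_sample_image()):
        print(f"offset={off} format={fmt} ibFileEof={size} truncated={truncated}")
```

On a real image, read the device or image file into memory in chunks (or mmap it) and pass the bytes to carve_pst; an ibFileEof that runs past the end of the image, as with the last constructed header, marks a file whose tail is gone or lives elsewhere on disk.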