Outlook Forensic Toolbox Helps Access Deleted Messages

October 15th, 2024 by Vladimir Katalov

What can a forensic expert find in an Outlook data file? Can they recover deleted emails, contacts and appointments from Microsoft Outlook? Can users erase unwanted correspondence from Outlook? In this article, we’ll demonstrate how experts can recover valuable information from Outlook data files (PST/OST), including deleted emails, contacts, attachments, and appointments. Even when users attempt to erase unwanted correspondence, traces often remain within the database. With the right tools, experts can extract and analyze this hidden data to uncover critical evidence.

In arbitration or civil disputes, courts may order the disclosure of business and personal correspondence, including evidence from digital devices. Before submitting a device for examination, users often delete unwanted bits of data from Outlook PST and OST files. Outlook lacks features to restore deleted items, making it easy for the end user to hide unwanted emails. However, specialized third-party forensic tools like Outlook Forensic Toolbox can analyze these files, recover deleted data, and save it separately.

There are several issues to deal with. First, Microsoft Outlook does not maintain historical snapshots of the data; there is nothing like Apple’s Time Machine to protect messages. Once the user empties the Deleted Items folder, there is no easy way to restore the deleted items. In other words, simply deleting emails from Microsoft Outlook and emptying the Deleted Items folder is enough to put the data out of reach. To access such deleted data, you need a specialized third-party tool.

How Outlook Forensic Toolbox Works

Outlook Forensic Toolbox scans and analyzes Outlook data files (PST/OST), sorting data into two categories: visible and hidden. The source file is not modified during the process, and all recovered data is saved separately in formats like PST, MSG, EML, TXT, or VCF.

Forensic Analysis Steps:

  1. Pass 1: Read data visible to the end user in Outlook.
  2. Pass 2: Scan data blocks that are not accessible to the end user.
  3. Pass 3: Analyze hidden data from Pass 2.
  4. Pass 4: Reconstruct objects from fragmented data.
  5. Pass 5: Identify recovered objects (emails, contacts, etc.).
  6. Pass 6: Verify data integrity.
  7. Pass 7: Save recovered data to a new PST file.

The recovered data, including deleted emails, contacts, and file fragments, can then be viewed, searched and analyzed in Microsoft Outlook or a third-party forensic tool compatible with the PST data format.

Analyzing Extracted Data

All deleted and hidden data is extracted into a single PST file, which can be opened in Outlook for review. Alternatively, the data can be saved as individual files such as MSG, EML, TXT, VCF, and so on. Data is categorized into specific folders like:

  • Recovered contacts
  • Recovered journal items
  • Recovered mail items
  • Recovered sticky notes
  • Recovered tasks

Items failing integrity checks are saved in the Recovered Files folder, containing files with various extensions. These may include incomplete email messages, text fragments in .htm or .txt format, service headers as .txt files, and partially recovered emails without recipients or subject.

Partially Recovered Data

Some data may be incomplete and saved as fragments in the Recovered Files folder:

  • Email fragments as .htm or .txt files
  • Service headers as .txt files
  • Partially recovered emails without recipients or subject saved as .htm files

Recovered Files

This folder holds valuable data such as:

  • Attachments
  • HTML versions of emails
  • Images, videos, and presentations
  • Email headers and text fragments

The Recovered Files folder is perhaps the most important part for the investigator. You may want to adjust the Microsoft Outlook settings to view the recovered data more conveniently. Click the “” symbol in the lower left corner.

Next, click “Folders”.

Deleted Emails

The Recovered Mail Items folder contains deleted emails that have been fully or nearly fully restored, including their original subject, date, recipients, body, and headers.
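The following script is an added example, not part of the original article or of Outlook Forensic Toolbox. Assuming the recovered items were exported as individual EML files, it indexes the export, records a SHA-256 hash per file for the evidence log, and flags messages that lack a subject, date, sender or recipients. The function names and the sample messages are constructed for illustration.

```python
import hashlib
import tempfile
from email import policy
from email.parser import BytesParser
from pathlib import Path

def index_eml_export(export_dir):
    """Return one record per .eml file: hash, key headers, missing fields."""
    records = []
    for path in sorted(Path(export_dir).rglob("*.eml")):
        raw = path.read_bytes()  # read-only access; the export is never modified
        msg = BytesParser(policy=policy.default).parsebytes(raw)
        recipients = [str(msg[h]) for h in ("To", "Cc", "Bcc") if msg[h]]
        fields = {
            "subject": msg["Subject"],
            "date": msg["Date"],
            "from": msg["From"],
            "recipients": ", ".join(recipients) or None,
        }
        records.append({
            "file": path.name,
            "sha256": hashlib.sha256(raw).hexdigest(),
            **{k: (str(v) if v else None) for k, v in fields.items()},
            # Fields absent from the recovered message (partial recovery).
            "missing": sorted(k for k, v in fields.items() if not v),
        })
    return records

def build_sample_export(root):
    """Constructed sample data: one complete message and one partial one."""
    root = Path(root)
    (root / "complete.eml").write_bytes(
        b"From: alice@example.com\r\nTo: bob@example.com\r\n"
        b"Subject: Q3 contract draft\r\n"
        b"Date: Tue, 01 Oct 2024 09:15:00 +0000\r\n\r\nSee attached.\r\n")
    (root / "partial.eml").write_bytes(
        b"From: alice@example.com\r\n"
        b"Date: Wed, 02 Oct 2024 17:40:00 +0000\r\n\r\nfragment of body text\r\n")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rec in index_eml_export(build_sample_export(tmp)):
            status = "PARTIAL" if rec["missing"] else "complete"
            print(f'{rec["sha256"][:16]}  {status:8}  {rec["file"]}  missing={rec["missing"]}')
```

Point `index_eml_export` at a working copy of the export directory rather than the original evidence, and store the resulting records alongside the case notes.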

Folders

Restoring folder structures is often not possible, as folders are typically emptied but not deleted. As a result, the final PST may lack the original folder tree.

Conclusion

Outlook Forensic Toolbox is a powerful tool for recovering deleted data from Microsoft Outlook PST and OST files. By thoroughly analyzing and sorting both accessible and deleted data, it enables forensic experts to retrieve emails, contacts, attachments, and other crucial information that may otherwise remain inaccessible. This tool is invaluable in legal investigations, helping uncover evidence while ensuring data integrity throughout the process.