Re: Is it possible to recover recently deleted emails from an Outlook PST file?

From: Craig Earnshaw (Craig.Earnshawat_private)
Date: Thu Nov 14 2002 - 01:48:14 PST

Next message: Rod Hauser: "Re: 2 data recovery questions"

Previous message: Seth Arnold: "[woodyat_private: Office XP document numbers can be linked to individual machines]"
In reply to: Carlos Capmany: "Is it possible to recover recently deleted emails from an Outlook PST file?"
Next in thread: Burnette, Michael: "RE: Is it possible to recover recently deleted emails from an Outlook PST file?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Yes.

A PST file works in a similar way to a database - when a message is 
deleted it is only flagged up as having been deleted, and is therefore 
not shown to the user.  The message is only truly deleted from within 
the PST file when either a) another message overwrites it, or b) when 
the user compacts the mailbox.

In order to recover deleted messages from a PST file you need to do the 
following:

1) Make a backup copy of the PST file being examined.
2) Using a hex editor that you are familiar with replace bytes 7 to 13 
of the PST file with FF (they're usually set to 00).
3) Run a tool called "scanpst", which is usually resident in C:\Program 
Files\Common Files\System\Mapi\1033 on a windows box.  It might not be 
in this directory, but should be installed by default.
4) Open the PST file and any recovered messages should have been recovered.

Please note - it doesn't always work.

Best of luck.

Craig G Earnshaw
Head of Forensic Computing Services
Lee & Allen Consulting Limited
London - New York - Hong Kong

Carlos Capmany wrote:

> 
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>Hi, 
>
>Does anybody know whether Outlook does actually keep inside the PST
>file the contents of a deleted email, as long as it is not
>overwritten by a new one (ie, in the fashion of what happens with the
>contents of a deleted file in a FAT partition)?
>
>Thanks, 
>
>Carlos
>
>-----BEGIN PGP SIGNATURE-----
>Version: PGP 7.0.4
>
>iQA/AwUBPdLs1XKaFmwIEWWXEQKc0gCdFakj9o3HgAKbgXOtSQfQyc+NEeUAnjOg
>eLII+6COUbCm9bQlLDQABvBa
>=EF/m
>-----END PGP SIGNATURE-----
>
>
>-----------------------------------------------------------------
>This list is provided by the SecurityFocus ARIS analyzer service.
>For more information on this free incident handling, management 
>and tracking system please see: http://aris.securityfocus.com
>
>

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Rod Hauser: "Re: 2 data recovery questions"
Previous message: Seth Arnold: "[woodyat_private: Office XP document numbers can be linked to individual machines]"
In reply to: Carlos Capmany: "Is it possible to recover recently deleted emails from an Outlook PST file?"
Next in thread: Burnette, Michael: "RE: Is it possible to recover recently deleted emails from an Outlook PST file?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Sun Nov 17 2002 - 09:38:34 PST