RE: Is it possible to recover recently deleted emails from an Outlook PST file?

From: Timothy M. Lyons (lyonsat_private)
Date: Tue Nov 19 2002 - 21:44:34 PST


FYI - The following setting causes Outlook 2000 to completely remove all
deleted data when it is shut down. 

Registry Settings 
User Key: [HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Outlook\PST]
Value Name: PSTNullFreeOnClose
Data Type: REG_DWORD (DWORD Value)
Value Data: (0 = default, 1 = clear deleted data) 


--Tim



---
Timothy M. Lyons, CISSP
Managing Partner
Digitalvoodoo, LLC

"Leave the beaten path and dive into the woods.   
You are certain to find something interesting."
	-- Alexander Graham Bell (1847 - 1922)


 


-----Original Message-----
From: Craig Earnshaw [mailto:Craig.Earnshawat_private] 
Sent: Monday, November 18, 2002 09:22
To: forensicsat_private
Subject: Re: Is it possible to recover recently deleted emails from an
Outlook PST file?



Yes.

A PST file works in a similar way to a database - when a message is
deleted it is only flagged up as having been deleted, and is therefore
not shown to the user.  The message is only truly deleted from within
the PST file when either a) another message overwrites it, or b) when
the user compacts the mailbox.

In order to recover deleted messages from a PST file you need to do the
following:

1) Make a backup copy of the PST file being examined.
2) Using a hex editor that you are familiar with, replace bytes 7 to 13
of the PST file with FF (they're usually set to 00).
3) Run a tool called "scanpst", which is usually resident in C:\Program
Files\Common Files\System\Mapi\1033 on a Windows box.  It might not be
in this directory, but should be installed by default.
4) Open the PST file and any recoverable messages should have been
recovered.

Please note - it doesn't always work.

Best of luck.

Craig G Earnshaw
Head of Forensic Computing Services
Lee & Allen Consulting Limited
London - New York - Hong Kong




-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For
more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
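
Steps 1 and 2 of the procedure quoted above, as an added Python example that is not part of either message: it hashes the evidence file, patches only a working copy, and confirms the evidence file is unchanged afterwards. Assumptions: "bytes 7 to 13" is read as zero-based offsets 7 through 13 inclusive, as a hex editor's offset column shows them (adjustable through the hypothetical `first`/`last` parameters), and the `!BDN` signature check comes from the PST file format, not from the thread.

```python
import hashlib
import shutil
from pathlib import Path

PST_MAGIC = b"!BDN"  # first four bytes of a PST file (header signature)


def sha256_of(path):
    """Stream a file through SHA-256 so large PSTs are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def prepare_working_copy(evidence, working, first=7, last=13):
    """Copy `evidence` to `working` and set bytes first..last of the copy to FF.

    Assumption: offsets are zero-based and inclusive. The evidence file is
    only ever opened for reading; all writes go to the working copy.
    """
    evidence, working = Path(evidence), Path(working)
    if working.exists():
        raise FileExistsError(f"refusing to overwrite {working}")
    with open(evidence, "rb") as f:
        header = f.read(last + 1)
    if len(header) <= last or header[:4] != PST_MAGIC:
        raise ValueError("not a PST file, or too short to patch")
    before = sha256_of(evidence)
    shutil.copyfile(evidence, working)      # step 1: backup / working copy
    with open(working, "r+b") as f:         # step 2: patch the copy only
        f.seek(first)
        f.write(b"\xff" * (last - first + 1))
    if sha256_of(evidence) != before:
        raise RuntimeError("evidence file changed during processing")
    return {
        "evidence_sha256": before,                      # for the case notes
        "working_sha256": sha256_of(working),
        "original_bytes": header[first:last + 1].hex(),  # what was overwritten
    }


if __name__ == "__main__":
    import sys
    print(prepare_working_copy(sys.argv[1], sys.argv[2]))
```

Run scanpst (step 3) against the working copy only; the returned `original_bytes` value records what the patched range held before the edit.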






This archive was generated by hypermail 2b30 : Thu Nov 21 2002 - 18:41:41 PST