Re: Is it possible to recover recently deleted emails from an Outlook PST file?

From: Dave (dm128at_private)
Date: Fri Dec 13 2002 - 15:29:35 PST


    I realize that Outlook Express, at least for Windows, goes about things much
    the same way, and have been able to find utilities to perform similar
    actions. However, one of the machines I have been looking at is a Mac running
    OE 5.5 on Mac OS X, and the files are all different and I've been having a
    significant amount of difficulty resurrecting the messages from it. Does
    anyone have any information on the way the Mac mailboxes in OE are
    structured or an app they'd recommend?
    
    -Dave
    
    Timothy M. Lyons wrote:
    > FYI - The following setting causes Outlook 2000 to completely remove
    > all deleted data when it is shut down.
    >
    > Registry Settings
    > User Key:
    > [HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Outlook\PST] Value
    > Name: PSTNullFreeOnClose Data Type: REG_DWORD (DWORD Value)
    > Value Data: (0 = default, 1 = clear deleted data)
    >
    >
    > --Tim
    >
    >
    >
    > ---
    > Timothy M. Lyons, CISSP
    > Managing Partner
    > Digitalvoodoo, LLC
    >
    > "Leave the beaten path and dive into the woods.
    > You are certain to find something interesting."
    > -- Alexander Graham Bell (1847 - 1922)
    >
    >
    >
    >
    >
    > -----Original Message-----
    > From: Craig Earnshaw [mailto:Craig.Earnshawat_private]
    > Sent: Monday, November 18, 2002 09:22
    > To: forensicsat_private
    > Subject: Re: Is it possible to recover recently deleted emails from an
    > Outlook PST file?
    >
    >
    >
    > Yes.
    >
    > A PST file works in a similar way to a database - when a message is
    > deleted it is only flagged up as having been deleted, and is therefore
    > not shown to the user.  The message is only truly deleted from within
    > the PST file when either a) another message overwrites it, or b) when
    > the user compacts the mailbox.
    >
    > In order to recover deleted messages from a PST file you need to do
    > the following:
    >
    > 1) Make a backup copy of the PST file being examined.
    > 2) Using a hex editor that you are familiar with replace bytes 7 to 13
    > of the PST file with FF (they're usually set to 00).
    > 3) Run a tool called "scanpst", which is usually resident in
    > C:\Program Files\Common Files\System\Mapi\1033 on a windows box.  It
    > might not be in this directory, but should be installed by default.
    > 4) Open the PST file and any recoverable messages should have been
    > recovered.
    >
    > Please note - it doesn't always work.
    >
    > Best of luck.
    >
    > Craig G Earnshaw
    > Head of Forensic Computing Services
    > Lee & Allen Consulting Limited
    > London - New York - Hong Kong
    >
    >
    >
    >
    > -----------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service. For
    > more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
    >
    >
    >
    
    
    



    This archive was generated by hypermail 2b30 : Sat Dec 14 2002 - 17:21:01 PST
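
Steps 1 and 2 of the procedure quoted in the message above, as an added example that is not part of the original thread. It assumes "bytes 7 to 13" means zero-based offsets 7 through 13 inclusive (adjustable through the `first` and `last` parameters); the function names and the `.working` file name are hypothetical, and the sample file is a constructed stand-in.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

PST_MAGIC = b"!BDN"  # signature in the first four bytes of a PST file
FIRST, LAST = 7, 13  # assumption: "bytes 7 to 13" read as zero-based offsets, inclusive


def sha256_of(path):
    """Hash a file in chunks so large mailboxes are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def patch_working_copy(evidence, workdir, first=FIRST, last=LAST):
    """Copy the PST (step 1), then set bytes first..last of the copy to FF (step 2)."""
    evidence = Path(evidence)
    with open(evidence, "rb") as f:
        if f.read(4) != PST_MAGIC:
            raise ValueError("missing !BDN signature, not a PST file")
    before = sha256_of(evidence)
    working = Path(workdir) / (evidence.stem + ".working" + evidence.suffix)
    shutil.copyfile(evidence, working)
    if sha256_of(working) != before:
        raise OSError("working copy does not match the evidence file")
    with open(working, "r+b") as f:
        f.seek(first)
        original = f.read(last - first + 1)
        if len(original) != last - first + 1:
            raise ValueError("file is too short to patch")
        f.seek(first)
        f.write(b"\xff" * len(original))
    if sha256_of(evidence) != before:
        raise OSError("evidence file changed while it was being processed")
    # Keep the overwritten bytes and both hashes for the case notes.
    return {"working": working, "evidence_sha256": before,
            "working_sha256": sha256_of(working), "original_bytes": original.hex()}


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "sample.pst"  # constructed stand-in, not a real mailbox
        sample.write_bytes(PST_MAGIC + bytes(60))
        print(patch_working_copy(sample, tmp))
```

Steps 3 and 4 (scanpst, then opening the file) are then run against the working copy only, so the evidence file and its recorded hash stay untouched.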