There is a program called "Spider" and "Spider Bite" that I've used to look at OE 5.5 files (on Win2K Pro, Win98, and WinXP, but not sure if it'll work on Mac). I don't know if this will recover the emails, but it will investigate the index and dbx files. You can get it at http://www.fsm.nl/ward/ and it's freeware. BTW, it also will explore the IE cache (including what the user thinks has been deleted) and cookies. It should take you about 1 - 2 minutes of playing with it to make it work. Capt. Robin Berg MCSE Functional Systems Administrator HQ MSG/SO 7879 Wardleigh Rd Hill AFB, UT 84056 801-777-0585 DSN 777-0585 robin.bergat_private -----Original Message----- From: Dave [mailto:dm128at_private] Sent: Friday, December 13, 2002 4:30 PM To: forensicsat_private Subject: Re: Is it possible to recover recently deleted emails from an Outlook PST file? I realize that Outlook Express at least for windows goes about thing much the same way, and have been able to find utilies to preform similiar actions. However one of the Machines I have been looking at is a Mac sunning OE 5.5 on Mac OS X. and the files are all differnt and i've been having a signifigant amout of difficult ressurecting the messages from it. Does anyone have any information on the way the mac mailboxes in OE are structured or an app they'd recommend? -Dave Timothy M. Lyons wrote: > FYI - The following setting causes Outlook 2000 to completely remove > all deleted data when it is shut down. > > Registry Settings > User Key: > [HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Outlook\PST] Value > Name: PSTNullFreeOnClose Data Type: REG_DWORD (DWORD Value) > Value Data: (0 = default, 1 = clear deleted data) > > > --Tim > > > > --- > Timothy M. Lyons, CISSP > Managing Partner > Digitalvoodoo, LLC > > "Leave the beaten path and dive into the woods. > You are certain to find something interesting." > -- Alexander Graham Bell (1847 - 1922) > > > > > > -----Original Message----- > From: Craig Earnshaw [mailto:Craig.Earnshawat_private] > Sent: Monday, November 18, 2002 09:22 > To: forensicsat_private > Subject: Re: Is it possible to recover recently deleted emails from an > Outlook PST file? > > > > Yes. > > A PST file works in a similar way to a database - when a message is > deleted it is only flagged up as having been deleted, and is therefore > not shown to the user. The message is only truly deleted from within > the PST file when either a) another message overwrites it, or b) when > the user compacts the mailbox. > > In order to recover deleted messages from a PST file you need to do > the following: > > 1) Make a backup copy of the PST file being examined. > 2) Using a hex editor that you are familiar with replace bytes 7 to 13 > of the PST file with FF (they're usually set to 00). > 3) Run a tool called "scanpst", which is usually resident in > C:\Program Files\Common Files\System\Mapi\1033 on a windows box. It > might not be in this directory, but should be installed by default. > 4) Open the PST file and any recoverable messages should have been > recovered. > > Please note - it doesn't always work. > > Best of luck. > > Craig G Earnshaw > Head of Forensic Computing Services > Lee & Allen Consulting Limited > London - New York - Hong Kong > > > > > ----------------------------------------------------------------- > This list is provided by the SecurityFocus ARIS analyzer service. For > more information on this free incident handling, management > and tracking system please see: http://aris.securityfocus.com > > > > ----------------------------------------------------------------- > This list is provided by the SecurityFocus ARIS analyzer service. > For more information on this free incident handling, management > and tracking system please see: http://aris.securityfocus.com ----------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Thu Dec 19 2002 - 19:29:30 PST