Monday, June 4, 2012

Deleted Email. Are you looking in the right place?

Those of us who live in the forensic world know that when you delete an email, it is not really deleted. Not right away. Most, however, don’t know where to look and may be looking in the wrong places.

Let’s start with where one won’t find deleted email. Individual deleted emails usually don’t reside the computer’s hard drive as individual emails. Not as single files. So, if you are conducting a forensic recovery of a hard drive and are looking for individual emails, you might be looking in the wrong place. The operating system keeps track of where files are placed on the hard drive. In the case of email, the hard drive MAY contain a single file containing many emails. Where to look is largely going to depend upon what email system is being used and how that system is configured. For the purposes of this discussion, we will assume the email platform is Microsoft Outlook. In this case, we will use the example of a laptop computer that is configured to manage email within an OST file. An Outlook Storage Table (.ost) file is an offline folder file utilized by Microsoft Outlook. Offline folders make it possible for the user to work offline and then to synchronize changes with the Exchange server the next time they connect.

Another type of file in Outlook is the PST file, which is simply stored on the client or a server other than the Exchange server. A Personal Storage Table, better known as the “PST” (.pst), is an archive file that Microsoft Outlook users use to manage email messages, calendar items and other things normally managed by Outlook. A PST file is usually stored on a user’s hard drive, or on a network share, as opposed to archived email managed by Microsoft Exchange. A PST email archive is usually created by individual users to store email outside of the corporate email environment and circumvent server storage quotas. What is the difference between an OST and PST file? An OST file starts as a mirror image of a user’s folders on the Exchange Server, and works in conjunction with the Exchange Server during synchronization. A set of PST files, on the other hand, is simply a storage location on the hard disk or a server other than the Exchange Server. When a user works offline, that user can add, delete, and modify the contents of an OST file exactly as that user would with a folder on a server. For example, a user can change and move items in the offline Inbox, send messages that are placed in the offline Outbox, and read offline public folders. In the meantime, information on the server is still processing. The user continues to receive new messages in the mailbox while other users can add, delete, and change items in public folders. However, the user is not aware of these changes on the server until a connection to the network is reestablished. It should be noted that while both OST and PST files are commonly referred to as "container" files, they are actually tables containing database entries (email text and metadata) and objects (attachments).

When a user is managing email using an OST or PST and deletes an email, the pointer to that email (and any attachments) are first moved to the “deleted items” folder within the tables. The pointer and the email will remain in that folder until the user “dumps” the deleted file folder. This act simply removes the pointer to that email from the “deleted items” folder within that PST or OST file. The pointer to the table entry containing the information relating to the email is removed and not the information itself (the text, metadata and associated objects). The email and the attachment (objects) will remain within the “slack space” of that OST or PST file until the user “compacts” that file, which will physically remove the information for those records within the tables. Most users don’t know how to perform a compact, so it is likely that any and all deleted email will remain in that file until the entire container file is deleted. There is no individual email file managed outside that OST or PST, so an attempt to recover from the hard drive of the device you are examining will not recover individual emails directly. Rather, what one would recover is, for example, an entire OST or PST file that a user has deleted. It is important to look for and recover entire OST and PST files from the hard drive, by the way, so don’t skip that step. If you do, you will be missing potentially important information.

Recovering email from the slack space of an OST or a PST recovers those orphans and is a step that is routinely missed by most in this business. Most tools and processes don’t look in the right place. Are you missing important evidence by not looking in the right place?

13 comments:

Email archiving system said...

That's why i always use email archiving. There is backup option, no worry about lost email...

Annie said...

Well, there is lot of options when ever someone lost or delete e-mails or inbox. Recovery and pst repair tools give perfect results in this type of situation. So this is the age where there is no worry about data recovery and data security because of reliable software.

Unknown said...

Hello,
The above discussed article is quite good regarding loss and recovery of emails.
But there are some more recovery tools which can effectively perform lost emails recovery without any help of skillful professionals.
One such effective tool is Outlook PST file recovery which can recover lost or deleted emails.
In order to download the software you can click here.
Thanks,
Carter

Unknown said...

In order to export OST to PST or in other available format use advance OST to PST exporter tool. It perfectly recover OST file and fix OST file to PST Outlook. Against any obstruction OST file converter program brilliantly performs over inaccessible OST file and save OST to PST. Best OST extractor tool is an efficient solution to convert OST to PST without changing TXT, RTF and HTML format. With the help of superlative OST extractor you can easily regain corrupt OST data in working condition with new an accessible PST file format.

http://www.ostrecoverytool.com/

John said...

eDiscovery is only going to get bigger and more advanced, seeing how practically everything has gone digital & gets recorded.

Unknown said...

You can successfully export all data items from OST file to Outlook PST format with the help of OST to PST tool, which can be easily works with all Outlook editions as well as Windows platforms. You can try it.

www.ost-to-pst.com

Unknown said...

Another OST to PST Converter which can easily recover all inaccessible OST file data such as Inbox, Outbox, Sent Items, Deleted Items, Draft, Journals, Tasks, Calendars, Notes, Contacts etc . It can perfectly extract data to convert OST to PST, EML, MSG and HTML file format.

If you want to satisfied with Demo version of OST to PST Converter Software then you can purchase and get full version

Download now: http://www.osttopstconverter.recoverydeletedfiles.com


avinag said...

You can directly import OST to PST format by using this wonderful OST to PST Converter software that securely fix all OST File issues, repair corrupted and damaged OST File to PST, EML, MSG, HTML, EMLX and vCard format with emails, contacts, calendars, task, notes, inbox items, outbox items and appointments. Software enables users view the preview of OST emails and other data to get satisfied result.

get more info:- OST to PST

Unknown said...
This comment has been removed by the author.
Unknown said...

Regza is the best tool to recover your OST damaged files and convert into Outlook PST,EML,HTML,MBOX,MSG,EMLX & vCard. also convert your mailbox items like :- outbox,journals,appointment etc.

get more info:- OST to PST Converter Tool

kirajennifer said...

SysInspire is a very helpful software its recover work is very good and 100% safe & secure without any issues facing. Convert all recover damaged, corrupted OST file into PST Outlook data. The OST to PST Converter software allows convert selective folders from OST file and restore all OUtlook data into PST, EMLX, MSG, EML, MBOX, HTML and VCF. It supported all MS Outlook version:- 97, 2000, 2002, 2003, 2008, 2009, 2010, 2013, 2016 and 2019.

Try to Free demo version visit this link:- https://www.products.sysinspire.com/free-ost-to-pst.html

Mariejohn said...
This comment has been removed by the author.
jonhwillam said...

export edb to pst software
exchange server recovery