Outlook 2013 Email Forensics — PST File
Outlook® is the personal information manager that ships with the Microsoft Office suite. Beyond the brand behind it, what kept this desktop mail client popular over the years is the steady stream of new editions, each adding features for e-mail and data management. The current edition at the time of writing is Outlook 2013, distributed with the Office 2013 suite. Because it is one of the most widely used mail clients, the demand for Outlook 2013 email forensics keeps growing.
How Does Outlook® Store Information?
Outlook stores all of its data in folders. Unlike the file-system folders that hold Word documents or Excel spreadsheets, these folders live inside a single container file, the Personal Storage Table (PST), saved with the .pst extension either on the local machine or on a network share. Outlook folders hold e-mails, contacts, calendar entries, tasks, journal items and notes in a fixed internal structure, and that container is what Outlook 2013 mailbox forensics examines.
Outlook creates a PST file for POP3 accounts; older versions also used a PST for IMAP and HTTP accounts, whereas Outlook 2013 caches IMAP and Exchange mailboxes in an Offline Storage Table (.ost) instead, although any mailbox can be exported to a PST. There are two PST formats that Outlook 2013 can create or open: ANSI and Unicode. The basic difference is how strings stored in the file are encoded; beyond that, the data elements of the NDB (node database) layer, the lowest of the PST's logical layers, differ in size.
An ANSI PST uses 32-bit values for block IDs (BIDs) and byte offsets, whereas a Unicode PST uses 64-bit values. As for size limits, an ANSI PST is capped at 2 GB by its format, while a Unicode PST can grow to 20 GB (the default cap in Outlook 2003 and 2007) or 50 GB (the default in Outlook 2010 and 2013); those Unicode caps are registry-configurable limits (MaxLargeFileSize), not limits of the file format.
Supported Email Formats
Outlook supports three message formats, covering both formatted and unformatted composition:
Plain Text: an unformatted message that every mail client can display.
HTML: a formatted message built like a web page, with images, hyperlinks and styled text. Most modern mail clients use it, and it is the format most abused for spam and phishing, because text and images can be turned into links to arbitrary URLs.
RTF: a Microsoft-specific format (Outlook Rich Text) that also allows a fully formatted message. Its limitation is portability: Outlook transports it as TNEF (the winmail.dat attachment), so it renders correctly only in Outlook and in the few other clients that understand TNEF; everyone else sees a winmail.dat attachment instead of the message body.
Related File Formats with Outlook
How to Detect the State of a PST File?
A file on disk can be damaged in any number of ways. If a PST file is corrupt, Outlook refuses to open it and returns an error. When Outlook is not available, the following check in a hex editor shows whether a PST file is healthy or corrupt.
Download a hex editor and open the PST file in it. The left pane shows the file's bytes in hexadecimal and the right pane shows the same bytes as text; the dots there are bytes with no printable character, not content from any particular e-mail.
Look at the first bytes of the PST file header (highlighted in the image). This is the PST signature, the four bytes 21 42 44 4E ("!BDN"), and it is identical in every healthy PST file. Offset 8 holds a second marker, "SM", and offset 10 holds the format version (14 or 15 for ANSI, 23 or higher for Unicode).
A corrupt PST file loaded into the hex editor shows different initial bytes. Note the limit of this check: an intact signature proves only that the first bytes are sound; damage deeper in the header or in the file body, which Outlook also rejects, shows up only when the header checksum is verified or the file is parsed further. For example:
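As an added example (this code is mine, not the article's and not Microsoft's), here is the hex-editor check done programmatically, together with the header checksum that cannot be verified by eye. Field offsets follow the MS-PST header layout as I read it: dwMagic at offset 0, dwCRCPartial at 4 (a CRC-32 of the 471 bytes starting at offset 8), wMagicClient "SM" at 8, wVer at 10 (14 or 15 for ANSI, 23 and up for Unicode); the CRC variant, polynomial 0xEDB88320 with initial value 0 and no final XOR, is the one MS-PST section 5.3 describes. The sample header is constructed inside the code, so it runs without a real PST; confirm the offsets against the specification before relying on the result for evidence.

```python
"""Report the state of a PST file from its header (added example, not article code)."""
import struct

PST_MAGIC = b"!BDN"          # dwMagic at offset 0
CLIENT_MAGIC = b"SM"         # wMagicClient at offset 8
CRC_START, CRC_LEN = 8, 471  # bytes covered by dwCRCPartial (offset 4)
HEADER_LEN = 512             # enough to hold every field checked here


def _crc_table():
    # Standard reflected CRC-32 table (polynomial 0xEDB88320)
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
        table.append(c)
    return table


_TABLE = _crc_table()


def pst_crc(data: bytes) -> int:
    """CRC-32 the way MS-PST uses it: initial value 0, no final XOR."""
    crc = 0
    for b in data:
        crc = _TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc & 0xFFFFFFFF


def pst_header_state(buf: bytes) -> dict:
    """Classify the start of a PST file as healthy or corrupt.

    Every reason is collected, not just the first, so the analyst can tell
    a damaged signature from a damaged body behind an intact signature.
    """
    problems = []
    if len(buf) < HEADER_LEN:
        return {"healthy": False, "format": None, "problems": ["shorter than a PST header"]}
    if buf[0:4] != PST_MAGIC:
        problems.append("signature %r, expected %r" % (bytes(buf[0:4]), PST_MAGIC))
    if buf[8:10] != CLIENT_MAGIC:
        problems.append("client magic %r, expected %r" % (bytes(buf[8:10]), CLIENT_MAGIC))
    ver = struct.unpack_from("<H", buf, 10)[0]
    if ver in (14, 15):
        fmt = "ANSI"
    elif ver >= 23:
        fmt = "Unicode"
    else:
        fmt = None
        problems.append("unknown format version %d" % ver)
    stored = struct.unpack_from("<I", buf, 4)[0]
    computed = pst_crc(buf[CRC_START:CRC_START + CRC_LEN])
    if stored != computed:
        problems.append("dwCRCPartial 0x%08X, computed 0x%08X" % (stored, computed))
    return {"healthy": not problems, "format": fmt, "problems": problems}


def hexdump_line(buf: bytes, offset: int = 0, width: int = 16) -> str:
    """One hex-editor style line: offset, hex bytes, text pane ('.' for non-printables)."""
    chunk = buf[offset:offset + width]
    hexpart = " ".join("%02X" % b for b in chunk)
    text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
    return f"{offset:08X}  {hexpart:<{width * 3 - 1}}  {text}"


def make_sample_header(unicode: bool = True) -> bytes:
    """Constructed 512-byte header with a valid partial CRC (test data, not a real PST)."""
    hdr = bytearray(HEADER_LEN)
    hdr[0:4] = PST_MAGIC
    hdr[8:10] = CLIENT_MAGIC
    struct.pack_into("<H", hdr, 10, 23 if unicode else 15)   # wVer
    struct.pack_into("<H", hdr, 12, 19)                      # wVerClient
    struct.pack_into("<I", hdr, 4, pst_crc(hdr[CRC_START:CRC_START + CRC_LEN]))
    return bytes(hdr)


if __name__ == "__main__":
    good = make_sample_header()
    print(hexdump_line(good))
    print(pst_header_state(good))
    bad_sig = bytearray(good)
    bad_sig[0] = 0x00              # damaged signature: caught by the first test
    print(pst_header_state(bytes(bad_sig)))
    bad_body = bytearray(good)
    bad_body[300] ^= 0xFF          # signature intact, header body damaged: only the CRC sees it
    print(pst_header_state(bytes(bad_body)))
```

Because dwCRCPartial covers bytes 8 through 478 but not the signature, the two failure modes look different: a damaged signature is reported by the first test, while damage anywhere else in the header leaves "!BDN" intact and is reported only by the checksum. That is the programmatic form of the caveat above: the signature alone does not prove a file is healthy.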
Restore a Deleted PST File :
Outlook 2013 installs only on Windows 7 and Windows 8 (and the corresponding Windows Server releases). Both client versions include a facility that can help to get a deleted PST file back.
Note: this works only with access to the machine on which Outlook 2013 is installed, or to the network share on which the PST file is saved.
Previous Versions in Windows 7 : Windows keeps Volume Shadow Copy snapshots (created when System Restore points and Windows Backup runs occur), and the Previous Versions tab in a file's or folder's properties lists the copies of that item captured in those snapshots. It can be used to bring back files or folders that have been deleted, modified or corrupted; a previous version of a PST file can be copied out, restored in place, or opened in Outlook (copy it first, so that the snapshot is not altered).
Note: this facility is on by default in Windows 7 (System Protection for the system drive), and the user can configure how often restore points, and therefore new versions of files and folders, are created.
PST Files Present in Outlook Folder –
PST Files in Outlook Folder of Previous Version –
File History in Windows 8 : like Previous Versions in Windows 7, File History in Windows 8 backs up the data on a drive by saving successive versions of its files. Unlike Previous Versions, it has to be enabled manually, with a backup drive selected, before versions of files and folders are saved, and by default it covers only Libraries, Desktop, Favorites and Contacts; the default Outlook Files folder under Documents is covered, but a PST stored elsewhere has to be in a library to be backed up.
Note: File History is off by default. It has to be turned on before Windows starts keeping backups of files and folders on the chosen drive; versions from before it was turned on do not exist.
If the needed file cannot be found in any saved version, the only remaining option is recovering it from the drive itself: data-recovery (file carving) tools scan the raw disk for the PST signature and can bring back a deleted PST file as long as its sectors have not been overwritten.
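As an added example (mine, not the article's and not any recovery tool's code), a minimal signature carver: it scans an image for "!BDN", confirms the "SM" marker and the version field, reads the declared file length from the header and slices the file out. The file-length field (ibFileEof) is assumed to sit at offset 0xB8 (8 bytes) in a Unicode PST and at 0xA8 (4 bytes) in an ANSI PST, per the MS-PST header layout as I read it; the "disk image" is constructed in memory with two fake PST headers and a stray signature, not a real drive. To run it against a raw image (dd, FTK Imager output), replace build_image() with the image's bytes, ideally through mmap for large images.

```python
"""Carve PST files out of a raw image by signature (added example, not article code)."""
import struct

PST_MAGIC = b"!BDN"
MIN_PST = 512  # nothing smaller can hold a PST header


def pst_at(image, off):
    """Return ("ANSI"|"Unicode", declared_length) if a PST header starts at off, else None."""
    if image[off:off + 4] != PST_MAGIC or image[off + 8:off + 10] != b"SM":
        return None
    ver = struct.unpack_from("<H", image, off + 10)[0]
    if ver in (14, 15):
        fmt, eof_off, eof_fmt = "ANSI", 0xA8, "<I"     # ibFileEof, 4 bytes (assumed offset)
    elif ver >= 23:
        fmt, eof_off, eof_fmt = "Unicode", 0xB8, "<Q"  # ibFileEof, 8 bytes (assumed offset)
    else:
        return None
    if off + eof_off + struct.calcsize(eof_fmt) > len(image):
        return None
    return fmt, struct.unpack_from(eof_fmt, image, off + eof_off)[0]


def carve_pst(image):
    """Return [(offset, format, declared_length, data)] for each PST found.

    A declared length that overruns the image means the file is truncated
    (tail overwritten, or partial image); what is there is still returned
    so that ScanPST can be tried on it.
    """
    found = []
    pos = image.find(PST_MAGIC)
    while pos != -1:
        hit = pst_at(image, pos)
        if hit and hit[1] >= MIN_PST:
            fmt, length = hit
            data = image[pos:pos + length]
            found.append((pos, fmt, length, data))
            pos = image.find(PST_MAGIC, pos + len(data))
        else:
            pos = image.find(PST_MAGIC, pos + 1)  # stray signature bytes: keep scanning
    return found


def fake_pst(unicode, size):
    """Constructed PST-like blob: the header fields the carver reads, then filler."""
    buf = bytearray(size)
    buf[0:4] = PST_MAGIC
    buf[8:10] = b"SM"
    struct.pack_into("<H", buf, 10, 23 if unicode else 14)
    if unicode:
        struct.pack_into("<Q", buf, 0xB8, size)
    else:
        struct.pack_into("<I", buf, 0xA8, size)
    buf[MIN_PST:] = b"M" * (size - MIN_PST)
    return bytes(buf)


def build_image():
    """Constructed 'disk image': slack, a Unicode PST, a stray signature, an ANSI PST."""
    return (b"\x00" * 1000
            + fake_pst(True, 4096)
            + b"junk !BDN junk"       # signature without the SM marker: a false positive
            + fake_pst(False, 2048)
            + b"\xff" * 300)


if __name__ == "__main__":
    for off, fmt, length, data in carve_pst(build_image()):
        print("PST at 0x%X: %s, %d bytes declared, %d bytes carved" % (off, fmt, length, len(data)))
```

A carved file is guaranteed sound only as far as its header: its internal B-trees may reference blocks that were reused after deletion, so the carved copy usually needs ScanPST before Outlook opens it, and carved data shorter than the declared length means the tail of the file was overwritten.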
Restore Permanently Deleted Emails :
Previous Versions and File History bring back deleted folders and files from a drive, and the same mechanism applies to the data inside a file: by restoring or retrieving an earlier version of the PST file, data that has since been removed from it (including items deleted with Shift+Delete) comes back as it was when that version was captured. It only helps for data that existed at the time a version was saved, so it is limited to recent history.
Windows 7 :
Windows 8 :
Another option for restoring items deleted with Shift+Del from a PST file is a hex editor combined with the Inbox Repair Tool (Scanpst.exe). Shift+Delete unlinks an item from its folder but does not necessarily wipe its data blocks; deliberately damaging the header forces ScanPST to rebuild the file's indexes, and items that are still physically present can reappear. Work on a copy of the PST file, never on the original evidence. Download a hex editor, open the copy in it, and follow the steps below:
Step #1 : Open the PST file in the hex editor and select bytes 7 through 13 (offsets 0x07 to 0x0D, shown in the image); these cover the last byte of the header checksum, the "SM" marker and the version fields.
Step #2 : From the menu bar, click "Edit" and then choose "Fill Selection" (the name used in HxD; other editors have an equivalent). Click OK. This replaces the selected bytes with 00.
Saving the PST File :
Step #3 : This also damages the PST file header, so Outlook can no longer open the file. To rebuild the header, Microsoft provides the Scanpst.exe utility. For Outlook 2013 it is located in the Office15 folder: C:\Program Files\Microsoft Office\Office15 (C:\Program Files (x86)\Microsoft Office\Office15 for 32-bit Outlook on 64-bit Windows, or C:\Program Files\Microsoft Office 15\root\office15 for a Click-to-Run installation). Run it against the modified copy, then open the repaired file in Outlook; items it re-links typically appear in their original folders or in a "Lost and Found" folder under "Recovered Personal Folders".
Spam Filtering in MS Outlook :
Outlook's Junk Email Filter is a statistical classifier (Microsoft's SmartScreen technology). It evaluates each incoming message on a number of characteristics, such as the words and phrases it contains, its structure and the sender information, and scores the likelihood that it is spam. The model is trained by Microsoft on a large corpus and refreshed through Office updates, not by watching the individual user's mailbox.
The general technique it is often compared with is Bayesian filtering: a Bayesian filter calculates the probability that a message is spam from how often its features appeared in messages previously classified as spam or legitimate, combines those probabilities into one score, and compares the score against a threshold. A classic Bayesian filter learns from the user's own corrections (messages marked as junk or not junk); Outlook's built-in filter does not learn from the messages a user deletes or leaves unread, which is a common misconception.
Outlook does let the user adjust the filter through the Safe Senders, Safe Recipients and Blocked Senders lists. When the filter judges a message to be spam, it moves the message to the Junk E-mail folder and disables the links and attachments in it, showing a notice that states:
If the sender of such a message is added to the Safe Senders list, later messages from that address bypass the filter. Outlook's filtering is reasonably strong for a client-side filter, but it is no substitute for gateway filtering or a security product: attackers still get spam and phishing through by sending from compromised or look-alike accounts, by putting the text in images, and by hiding the payload behind benign-looking links, and the safe lists themselves become a weak point when a trusted address is spoofed or compromised.
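As an added illustration (my own code, not Outlook's Junk Email Filter, which is not trained per user), here is the token-frequency scoring that a Bayesian filter performs, with the safe and blocked sender lists applied before the score is consulted. The training messages and the incoming messages are constructed for the example; per-token probabilities use add-one smoothing so that an unseen word scores a neutral 0.5, and they are combined in log-odds space.

```python
"""Naive Bayes spam scoring with sender-list overrides (added example, not article code)."""
import math
import re
from collections import Counter

_TOKEN = re.compile(r"[a-z0-9']+")


def tokens(text):
    """Unique lower-cased word tokens of a message."""
    return set(_TOKEN.findall(text.lower()))


class BayesFilter:
    """Naive Bayes spam scoring; safe/blocked sender lists are checked first."""

    def __init__(self):
        self.spam_docs = 0
        self.ham_docs = 0
        self.spam_tokens = Counter()   # number of spam messages containing each token
        self.ham_tokens = Counter()    # number of legitimate messages containing each token
        self.safe_senders = set()
        self.blocked_senders = set()

    def train(self, text, is_spam):
        toks = tokens(text)
        if is_spam:
            self.spam_docs += 1
            self.spam_tokens.update(toks)
        else:
            self.ham_docs += 1
            self.ham_tokens.update(toks)

    def token_probability(self, tok):
        """P(spam | token) from per-class document frequencies with add-one smoothing,
        so a never-seen token scores 0.5 rather than 0 or 1."""
        p_tok_spam = (self.spam_tokens[tok] + 1) / (self.spam_docs + 2)
        p_tok_ham = (self.ham_tokens[tok] + 1) / (self.ham_docs + 2)
        return p_tok_spam / (p_tok_spam + p_tok_ham)

    def spam_probability(self, text):
        """Combine per-token probabilities in log-odds space (Graham-style)."""
        log_odds = 0.0
        for tok in tokens(text):
            p = self.token_probability(tok)
            log_odds += math.log(p) - math.log(1.0 - p)
        return 1.0 / (1.0 + math.exp(-log_odds))

    def classify(self, sender, text, threshold=0.9):
        """Return (verdict, score); the sender lists override the statistical score."""
        if sender in self.blocked_senders:
            return "spam", 1.0
        if sender in self.safe_senders:
            return "ham", 0.0
        score = self.spam_probability(text)
        return ("spam" if score >= threshold else "ham"), score


# Constructed training corpus (not real mail)
SPAM = [
    "Claim your free prize now! Click here to win cash",
    "Cheap meds online, buy now, limited offer, click here",
    "You have won the lottery, claim your cash prize today",
    "Free money, act now, click this link for your reward",
]
HAM = [
    "Meeting moved to 3pm, see the updated agenda attached",
    "Can you review the quarterly report before Friday",
    "Lunch tomorrow? Let me know what time works",
    "Attached are the minutes from the project meeting",
]


def trained_filter():
    f = BayesFilter()
    for m in SPAM:
        f.train(m, True)
    for m in HAM:
        f.train(m, False)
    return f


if __name__ == "__main__":
    f = trained_filter()
    msg = "Claim your free cash prize now, click here"
    print(f.classify("promo@example.net", msg))      # scored as spam
    f.safe_senders.add("promo@example.net")
    print(f.classify("promo@example.net", msg))      # safe-listed: the score is never consulted
    print(f.classify("colleague@example.com", "Can we move the project meeting to tomorrow"))
```

The last two calls show the trade-off behind the safe list: once an address is trusted, its messages skip the scoring entirely, which is exactly why a spoofed or compromised trusted address is the easiest way past a client-side filter.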
Conclusion : The tips and tricks shared above help with evidence collection and with starting an investigation. Outlook 2013 email forensics is, however, usually carried out with dedicated e-mail analysis tools, which can read corrupt PST files and filter messages with more advanced techniques.