What can a forensic expert find in an Outlook data file? Can they recover deleted emails, contacts and appointments from Microsoft Outlook? Can users erase unwanted correspondence from Outlook? In this article, we’ll demonstrate how experts can recover valuable information from Outlook data files (PST/OST), including deleted emails, contacts, attachments, and appointments. Even when users attempt to erase unwanted correspondence, traces often remain within the database. With the right tools, experts can extract and analyze this hidden data to uncover critical evidence.

In arbitration or civil disputes, courts may order the disclosure of business and personal correspondence, including evidence from digital devices. Before submitting a device for examination, users often delete unwanted bits of data from Outlook PST and OST files. Outlook lacks features to restore deleted items, making it easy for the end user to hide unwanted emails. However, specialized third-party forensic tools like Outlook Forensic Toolbox can analyze these files, recover deleted data, and save it separately.

There are several issues to deal with. First, Microsoft Outlook does not maintain historic snapshots of the data; there is nothing like Apple’s Time Machine to protect messages. Once the user cleans up the Deleted Items folder, there is no easy way to restore the deleted bits. In other words, simply deleting emails from Microsoft Outlook and cleaning up the Deleted Items folder makes the data gone. To access such deleted data, you will require a specialized third-party tool.

How Outlook Forensic Toolbox Works

Outlook Forensic Toolbox scans and analyzes Outlook data files (PST/OST), sorting data into two categories: visible and hidden. The source file is not modified during the process, and all recovered data is saved separately in formats like PST, MSG, EML, TXT, or VCF.

Forensic Analysis Steps:

1. Pass 1: Read data visible to the end user in Outlook.
2. Pass 2: Scan data blocks that are not accessible to the end user.
3. Pass 3: Analyze hidden data from step 2.
4. Pass 4: Reconstruct objects from fragmented data.
5. Pass 5: Identify recovered objects (emails, contacts, etc.).
6. Pass 6: Verify data integrity.
7. Pass 7: Save recovered data to a new PST file.

The recovered data, including deleted emails, contacts, and file fragments, can then be viewed, searched and analized in Microsoft Outlook or a third-party forensic tool compatible with the PST data format.

Conclusion

Outlook Forensic Toolbox is a powerful tool for recovering deleted data from Microsoft Outlook PST and OST files. By thoroughly analyzing and sorting both accessible and deleted data, it enables forensic experts to retrieve emails, contacts, attachments, and other crucial information that may otherwise remain inaccessible. This tool is invaluable in legal investigations, helping uncover evidence while ensuring data integrity throughout the process.