Forensics: Recovering Deleted MSGs from PST files

  • Can deleted messages be recovered from PST files?  Yes
  • How do you recovered deleted MSGs from PST files? Using tools recover the data out of the “unallocated” space

PST files are compound files that contain email messages, contacts, tasks, etc. The PST files are read by Microsoft Outlook. Like other Microsoft files, PST files have their own file structure which includes “unallocated space” from within the file.

If an email is deleted within the PST file it moves to the “unallocated space” of the PST file, and therefore can be recovered. It remains there until it is overwritten.

For example:

A PST file has 1,000 messages, and is 100 mb in size.

Deletion of 100 mesages (10% of the data) will not reduce the size of the PST file to 90mb, but it will in fact stay the same size. The 100 messages are now in the “unallocated space” of the PST file (not the hard drive).

Tools

Recovering the messages, or access to these data, can be done via a variety of tools, including:

 

ScanPST is a free utility that comes with every Windows XP machine. Its a Microsoft utility that can repair PST files, at no cost.

The tool is incredibly easy to use, and its functionality is described on the MS Support site. While the PST file may not be corrupted, ScanPST will work on the file to recover everything it can, i.e the messages that has been deleted.

For computer forensics examiners working in the corporate sector recovery of messages within PST files can be critical to a case.

Advertisements

2 Responses to “Forensics: Recovering Deleted MSGs from PST files”

  1. Anonymous Says:

    Files don’t have unallocated space. I think you mean slack space

    • 585 Says:

      Not quite. While files have slack, some files effectively have unallocated space – especially files like PST. The slack the is hte difference between the physical and logical space, space within a file is best described as unallocated.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: