Host-based email stores are local email archives stored on a computer, distinct from server-based email archives. These archives often contain valuable metadata, such as read status, flags, and message deletion information, alongside the email content itself.
Characteristics of Host-Based Email Archives
1. Index File and Message Store
Host-based email archives usually consist of two main components:
Index File: This acts as a table of contents, storing metadata about the emails like read status, flags, and reply or forward information.
Message Store: This is where the actual email messages, attachments, contacts, and calendar items are stored.
Both components are essential for a comprehensive review of the email archive.
2. Associated Email Clients
Local email archives are typically associated with installed email clients on a system. This association provides investigators with clues about where to find these archives by reviewing installed applications or searching for specific file extensions.
3. Backup and Quota Limits
In enterprises, IT departments often enforce mailbox size limits, prompting users to locally archive emails when they reach these limits. This practice results in users creating backup mail or contact lists, which can also be found during forensic investigations.
The Role of Outlook .PST Files
The Outlook .PST (Personal Storage Table) file is one of the most common host-based email archives.
Single Repository: .PST files serve as a single repository for emails, folders, attachments, contacts, and calendar items.
Size Limit: The 2 GB ceiling applied to the original ANSI .PST format (Outlook 97 through 2002), where file offsets are 32-bit. Outlook 2003 introduced the Unicode format, which raised the default limit to 20 GB, and Outlook 2010 and later raise it to 50 GB; the Unicode limit is a configurable Outlook setting rather than a hard format boundary.
Encryption and Password Protection: .PST files offer three settings, "No encryption", "Compressible encryption" and "High encryption", and users can additionally set a password. None of these are real cryptographic protection: the two "encryption" modes are fixed byte-substitution schemes documented in the MS-PST specification and are reversed transparently by any forensic parser, and the password is stored in the file as a CRC32 checksum that can be cleared or brute-forced without the user's cooperation. An encrypted or password-protected .PST should therefore never be treated as inaccessible evidence.
Recovery and Forensics: Messages that were deleted (including those purged from Deleted Items) may still sit in unallocated blocks of the .PST until the file is compacted, but Outlook will not show them; specialized forensic tools are required to carve and recover this data.
Understanding .OST Files
Outlook also uses .OST (Offline Storage Table) files, especially with features like "Cached Exchange Mode."
Offline Accessibility: .OST files allow users to access their emails even when offline, syncing changes with the Exchange server upon connection.
Location and Size: By default, .OST files from Outlook 2013 contain a cached version of the last 12 months of user Exchange data and can be up to 50 GB in size.
Recovery Challenges: .OST files use the same on-disk structures and the same weak obfuscation as .PST files, so the parsing difficulty is not greater. The practical obstacle is that Outlook will only open an .OST that is bound to its original MAPI profile and mailbox, so the file cannot simply be attached to an analyst's Outlook. Analysts either convert it to .PST with third-party tools or parse it directly with libpff-based utilities, which read .OST files natively.
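As an added example (not part of the original article), the following Python script identifies PST and OST files by their header rather than by file extension and reports the format (ANSI vs Unicode, which decides the 2 GB question), the container type and the "encryption" setting. The header offsets and the bCryptMethod values are taken from the MS-PST specification; the "SO" client signature for OST files is the one libpff uses and is an assumption here, since MS-PST documents only "SM" for PST. The sample headers built by make_sample_header are constructed test data, not real Outlook files.

```python
"""Identify Outlook PST/OST data files by header, not by file name."""
import os
import struct

PST_MAGIC = b"!BDN"          # dwMagic at offset 0 (MS-PST 2.2.2.6)
HEADER_LEN_UNICODE = 564     # full header size, Unicode PST/OST
HEADER_LEN_ANSI = 512        # full header size, ANSI PST

# wMagicClient (offset 8): "SM" is documented for PST; "SO" (OST) and
# "AB" (PAB) are the signatures libpff recognises (assumption).
CLIENT_SIGNATURES = {b"SM": "PST", b"SO": "OST", b"AB": "PAB"}

# bCryptMethod: the "encryption" choice shown in Outlook's UI.
CRYPT_METHODS = {
    0x00: "none",
    0x01: "compressible (byte permutation)",
    0x02: "high (cyclic)",
    0x10: "WIP/EDP protected",
}


def parse_pst_header(data: bytes) -> dict:
    """Return format, container type and crypt method from a raw header."""
    if len(data) < HEADER_LEN_ANSI or data[:4] != PST_MAGIC:
        raise ValueError("not a PST/OST file (dwMagic mismatch)")
    client_sig = data[8:10]
    (w_ver,) = struct.unpack_from("<H", data, 10)      # wVer at offset 10
    if w_ver in (14, 15):
        fmt, crypt_off, hdr_len = "ANSI", 461, HEADER_LEN_ANSI
    elif w_ver >= 23:                                  # 23 = Unicode, 36 = 4K-page Unicode
        fmt, crypt_off, hdr_len = "Unicode", 513, HEADER_LEN_UNICODE
    else:
        raise ValueError(f"unknown wVer {w_ver}")
    if len(data) < hdr_len:
        raise ValueError("truncated header")
    crypt = data[crypt_off]
    return {
        "format": fmt,
        "wVer": w_ver,
        "type": CLIENT_SIGNATURES.get(client_sig, f"unknown({client_sig!r})"),
        "crypt_method": CRYPT_METHODS.get(crypt, f"unknown(0x{crypt:02x})"),
        # ANSI files are capped at 2 GB by their 32-bit offsets; Unicode
        # files are capped only by Outlook's configurable limit.
        "size_limited_by_format_gb": 2 if fmt == "ANSI" else None,
    }


def find_outlook_stores(root: str) -> list:
    """Walk a directory (e.g. a mounted image) and return every file whose
    header says PST/OST, regardless of extension, so renamed or copied
    archives (mail.bak, archive.old, ...) are not missed."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(HEADER_LEN_UNICODE)
            except OSError:
                continue
            if head[:4] != PST_MAGIC:
                continue
            try:
                info = parse_pst_header(head)
            except ValueError as exc:
                info = {"error": str(exc)}
            hits.append((path, os.path.getsize(path), info))
    return hits


def make_sample_header(fmt: str, client_sig: bytes, crypt: int) -> bytes:
    """Build a minimal synthetic header (constructed test data, not a real
    Outlook file) so the parser can be exercised offline."""
    if fmt == "ANSI":
        buf, w_ver, crypt_off = bytearray(HEADER_LEN_ANSI), 15, 461
    else:
        buf, w_ver, crypt_off = bytearray(HEADER_LEN_UNICODE), 23, 513
    buf[0:4] = PST_MAGIC
    buf[8:10] = client_sig
    struct.pack_into("<H", buf, 10, w_ver)
    struct.pack_into("<H", buf, 12, 19)   # wVerClient, always 19
    buf[crypt_off] = crypt
    return bytes(buf)


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, size, info in find_outlook_stores(root):
        print(f"{path}: {size} bytes {info}")
```

Run it against the root of a mounted image (or a user profile) to get a list of every PST/OST-format file with its format and obfuscation mode; "high (cyclic)" or "compressible" in the output only tells you which fixed transform a parser must undo, not that the file is protected.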
.PST File Locations (defaults):
1. Outlook 2019, Outlook 2016, Outlook 2013:
C:\Users\[username]\Documents\Outlook Files
2. Outlook 2010:
C:\Users\[username]\Documents\Outlook Files
3. Outlook 2007:
C:\Users\[username]\AppData\Local\Microsoft\Outlook
4. Outlook 2003 and earlier (on Windows Vista or later):
C:\Users\[username]\AppData\Local\Microsoft\Outlook
.OST File Locations (defaults):
1. Outlook 2019, Outlook 2016, Outlook 2013:
C:\Users\[username]\AppData\Local\Microsoft\Outlook
2. Outlook 2010:
C:\Users\[username]\AppData\Local\Microsoft\Outlook
3. Outlook 2007:
C:\Users\[username]\AppData\Local\Microsoft\Outlook
4. Outlook 2003 (Windows XP profile layout):
C:\Documents and Settings\[username]\Local Settings\Application Data\Microsoft\Outlook
The split between AppData\Local and Local Settings\Application Data is a property of the Windows version, not of Outlook: every profile on Windows XP and earlier uses the Documents and Settings layout, and every profile on Vista and later uses C:\Users, whichever Outlook release wrote the file.
Notes:
• Replace [username] with the actual username of the user profile.
• The AppData and Local Settings folders are hidden by default. You may need to enable the view of hidden files and folders in Windows Explorer to navigate to these locations.
• The locations above are defaults. Users and administrators can move .PST and .OST files, so confirm the real locations in Outlook (Account Settings > Data Files tab) or in the registry.
Registry key for custom .PST and .OST locations:
• HKEY_CURRENT_USER\Software\Microsoft\Office\xx.0\Outlook
• Replace xx.0 with the Outlook version: 16.0 for Outlook 2016/2019, 15.0 for Outlook 2013, 14.0 for Outlook 2010, 12.0 for Outlook 2007.
• Under that key, the ForcePSTPath and ForceOSTPath values hold the custom directories for .PST and .OST files respectively. Both are normally set by Group Policy or an administrator; if they are absent, no override is in force and the defaults apply. The data files actually attached to each mail profile are recorded under the Profiles subkey of the same Outlook key (Outlook 2013 and later; earlier versions keep profiles under HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles).
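As an added example (not from the original article), the following Python script turns the location procedure above into code: it computes the default .PST and .OST directories for a given Outlook version and user profile, reads the ForcePSTPath and ForceOSTPath overrides from the live HKEY_CURRENT_USER hive with the standard-library winreg module (Windows only; on a Linux analysis box pass the values you pulled from an offline NTUSER.DAT yourself), expands %VAR% references in them, and reports the directories to check. The function names and the sample override values are my own assumptions; the paths and value names are the ones listed in the text.

```python
"""Resolve where Outlook keeps its data files: defaults + registry overrides."""
import os
import re
from pathlib import PureWindowsPath

try:
    import winreg  # standard library, Windows only
except ImportError:   # non-Windows analysis host: live lookup unavailable
    winreg = None

# Outlook release -> version component of the registry key (xx.0)
OUTLOOK_VERSION_KEYS = {
    "2019": "16.0", "2016": "16.0", "2013": "15.0",
    "2010": "14.0", "2007": "12.0", "2003": "11.0",
}
DOCUMENTS_PST_VERSIONS = ("2010", "2013", "2016", "2019")


def default_store_dirs(version: str, profile_dir: str, xp_layout: bool = False) -> dict:
    """Default .PST and .OST directories for a profile and Outlook version.
    xp_layout selects the Windows XP profile tree (Local Settings\\Application Data)."""
    p = PureWindowsPath(profile_dir)
    if xp_layout:
        local_outlook = p / "Local Settings" / "Application Data" / "Microsoft" / "Outlook"
    else:
        local_outlook = p / "AppData" / "Local" / "Microsoft" / "Outlook"
    if version in DOCUMENTS_PST_VERSIONS:
        pst_dir = p / "Documents" / "Outlook Files"
    else:                      # Outlook 2007 and earlier keep PSTs beside the OST
        pst_dir = local_outlook
    return {"pst": str(pst_dir), "ost": str(local_outlook)}


def expand_windows_env(value: str, env: dict) -> str:
    """Expand %VAR% references (Force*Path is usually REG_EXPAND_SZ) using an
    explicit, case-insensitive environment so it also works for offline hives."""
    lookup = {k.upper(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%",
                  lambda m: lookup.get(m.group(1).upper(), m.group(0)), value)


def read_force_paths(version_key: str) -> dict:
    """Read ForcePSTPath / ForceOSTPath from the live HKCU hive (Windows only).
    An empty dict means no override is set for that Outlook version."""
    if winreg is None:
        raise RuntimeError("winreg unavailable; supply values from the offline hive")
    overrides = {}
    subkey = rf"Software\Microsoft\Office\{version_key}\Outlook"
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, subkey) as key:
            for value_name, store in (("ForcePSTPath", "pst"), ("ForceOSTPath", "ost")):
                try:
                    value, _kind = winreg.QueryValueEx(key, value_name)
                    overrides[store] = value
                except FileNotFoundError:   # value absent -> default applies
                    pass
    except FileNotFoundError:               # Outlook version not installed
        pass
    return overrides


def resolve_store_dirs(version: str, profile_dir: str, overrides: dict,
                       env: dict, xp_layout: bool = False) -> dict:
    """Merge defaults with any Force*Path overrides; overrides win after expansion."""
    dirs = default_store_dirs(version, profile_dir, xp_layout)
    for store, raw in overrides.items():
        dirs[store] = expand_windows_env(raw, env)
    return dirs


if __name__ == "__main__":
    import sys
    version = sys.argv[1] if len(sys.argv) > 1 else "2016"
    if winreg is not None:
        overrides = read_force_paths(OUTLOOK_VERSION_KEYS[version])
        env, profile = dict(os.environ), os.environ.get("USERPROFILE", "")
    else:
        # constructed demonstration values for a non-Windows host
        overrides = {"pst": r"%USERPROFILE%\Archive\Outlook"}
        env = {"USERPROFILE": r"C:\Users\alice"}
        profile = env["USERPROFILE"]
    print(resolve_store_dirs(version, profile, overrides, env))
```

Whatever this reports is still only where Outlook was told to put its files; pair it with a header-based sweep of the whole volume, because archives copied to a USB stick, a Downloads folder or a renamed backup never appear in the registry.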
Registry and Forensic Tools
The HKEY_CURRENT_USER hive records which local archives a mail profile uses and which MS Exchange server it connects to. Forensic suites such as FTK and EnCase parse .PST and .OST files directly, as do the libpff utilities (pffexport exports the folder and message tree from .PST, .OST and .PAB files and, in its recovery mode, items that were deleted but not yet overwritten). Microsoft's own repair tool is scanpst.exe (the Inbox Repair Tool); its .OST counterpart, scanost.exe, shipped only through Outlook 2007 and was dropped in Outlook 2010, where a damaged .OST is rebuilt by re-syncing from the server instead. Both repair tools rewrite the file, so run them only against a working copy, never the evidence original.
Conclusion
Host-based email archives are invaluable sources of information in digital forensic investigations. Whether it's .PST or .OST files, understanding their structure, location, and associated challenges is crucial for extracting meaningful evidence. As technologies evolve, forensic tools and techniques also need to adapt to ensure efficient and accurate analysis of these archives.
Akash Patel