
Understanding Host-Based Email Stores in Digital Forensics

Updated: Jan 29

Updated on 28 Jan 2025

When investigating email during a digital forensic examination, knowing where and how messages are stored locally can make all the difference. Unlike server-side mailboxes that are held remotely, host-based email stores are archives saved directly on the examined computer. An archive may be a single large file (such as Microsoft Outlook's .PST and .OST files) or a set of files in which an index file organizes metadata such as read status, flags, and reply state alongside the message bodies.

-------------------------------------------------------------------------------------------------------

Why Local Email Archives Matter in Investigations

Even when companies use server-based email solutions, local email archives are still valuable sources of information. Here’s why:


  • Many organizations limit mailbox sizes, leading users to archive old messages locally.

  • Employees may store backup emails or contact lists imported from other systems.

  • Deleted emails can often be recovered from these local archives.

-------------------------------------------------------------------------------------------------------

How to Identify Local Email Archives

Since local email archives are almost always tied to an installed email client, you can start by checking the system's installed applications. Other useful techniques include:


  • File extension searches (e.g., looking for .OST, .PST, or .NST files), backed by a file-signature search so that renamed archives are not missed.

  • Reviewing email client configurations and registry settings on Windows.

  • Using forensic tools that can automatically detect known email archives.


Some email clients allow password protection, but this usually just locks access to the application or profile, not the archive on disk, so the data can still be parsed with other tools. Outlook's own .PST password is a case in point: the file stores only a 32-bit checksum of the password, and forensic tools bypass it routinely. If you need to retrieve email client passwords stored on the host, Mail PassView from NirSoft is a useful tool.
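To make the file-extension search above robust against renamed archives, here is an added Python example (written for this page, not code from the original post or from Microsoft) that identifies Outlook data files by their on-disk signature instead of their name. .PST, .OST and .NST files share the same container format, so one header check covers all three. Header offsets follow the public MS-PST specification; the "SO" content tag for OST files and the 4 KiB-page version number 36 are taken from the libpff format notes and are assumptions to verify against your own samples. The files it scans are constructed in a temporary directory and are not real mailboxes.

```python
"""Signature-based search for Outlook data files (PST/OST/NST share one container format).

Added example for this page, not code from the original post. Offsets follow MS-PST:
dwMagic at 0, wMagicClient at 8, wVer at 10, bCryptMethod at 0x1CD (ANSI) or 0x201 (Unicode).
"""
from __future__ import annotations

import os
import struct
import tempfile
from typing import Iterator, Optional

PFF_MAGIC = b"!BDN"          # dwMagic at offset 0
CONTENT_TYPES = {            # wMagicClient at offset 8
    b"SM": "PST (personal storage)",
    b"SO": "OST (offline storage)",        # assumption taken from the libpff format notes
    b"AB": "PAB (personal address book)",
}
CRYPT_METHODS = {            # bCryptMethod values from MS-PST
    0x00: "none",
    0x01: "permute (Compressible Encryption, the default)",
    0x02: "cyclic (High Encryption)",
    0x10: "WIP/EDP encrypted",
}
HEADER_READ = 0x202          # enough bytes to reach bCryptMethod in a Unicode header


def parse_pff_header(data: bytes) -> Optional[dict]:
    """Describe a PFF header, or return None if `data` does not start with one."""
    if len(data) < 14 or data[:4] != PFF_MAGIC:
        return None
    content = data[8:10]
    w_ver, w_ver_client = struct.unpack_from("<HH", data, 10)
    if w_ver in (14, 15):                       # ANSI layout
        fmt, crypt_off = "ANSI (32-bit, 2 GB limit)", 0x1CD
    elif w_ver >= 23:                           # Unicode layout
        fmt, crypt_off = "Unicode (64-bit)", 0x201
        if w_ver == 36:                         # 4 KiB-page variant (assumption: newer OST files)
            fmt += ", 4 KiB pages"
    else:
        fmt, crypt_off = f"unknown wVer {w_ver}", None
    crypt = None
    if crypt_off is not None and len(data) > crypt_off:
        if data[crypt_off - 1] != 0x80:         # bSentinel must be 0x80; otherwise not a real header
            return None
        crypt = data[crypt_off]
    crypt_desc = "n/a" if crypt is None else CRYPT_METHODS.get(crypt, f"unknown 0x{crypt:02x}")
    return {
        "content": CONTENT_TYPES.get(content, f"unknown tag {content!r}"),
        "format": fmt,
        "wVer": w_ver,
        "wVerClient": w_ver_client,
        "crypt": crypt_desc,
    }


def scan_tree(root: str) -> Iterator[tuple[str, dict]]:
    """Yield (path, header_info) for every file under `root` whose header is PFF, ignoring extensions."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(HEADER_READ)
            except OSError:          # unreadable or vanished file: skip it, do not abort the sweep
                continue
            info = parse_pff_header(head)
            if info is not None:
                yield path, info


def make_sample_header(content: bytes, w_ver: int, crypt: int, w_ver_client: int = 19) -> bytes:
    """Build a constructed (not real) header carrying only the fields this scanner reads."""
    size = 0x1CE if w_ver in (14, 15) else 0x202
    buf = bytearray(size)
    buf[0:4] = PFF_MAGIC
    buf[8:10] = content
    struct.pack_into("<HH", buf, 10, w_ver, w_ver_client)
    buf[size - 2] = 0x80                 # bSentinel
    buf[size - 1] = crypt                # bCryptMethod
    return bytes(buf)


def demo_scan() -> dict[str, dict]:
    """Write constructed samples to a temp dir, one PST disguised as a .jpg, and scan them."""
    samples = {
        "Documents/Outlook Files/archive.pst": make_sample_header(b"SM", 23, 0x01),
        "AppData/Local/Microsoft/Outlook/user@corp.example.ost": make_sample_header(b"SO", 36, 0x01),
        "Pictures/holiday.jpg": make_sample_header(b"SM", 15, 0x00),  # renamed ANSI PST
        "notes.txt": b"plain text, not a mail store",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, data in samples.items():
            full = os.path.join(tmp, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        return {os.path.relpath(p, tmp).replace(os.sep, "/"): info for p, info in scan_tree(tmp)}


if __name__ == "__main__":
    for rel_path, info in sorted(demo_scan().items()):
        print(f"{rel_path}: {info['content']}, {info['format']}, block encoding: {info['crypt']}")
```

On a real case, point scan_tree() at the mounted image's Users directory instead of the temp dir. The crypt field matters for triage: "permute" means Outlook's default block obfuscation is in place, so raw keyword searches over the file will miss message content until a parser decodes it.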

-------------------------------------------------------------------------------------------------------


Microsoft Outlook: The Dominant Email Client

For Windows users, Microsoft Outlook dominates the email client market. From a forensic standpoint, this is great news because Outlook’s email storage formats are well-documented and widely supported by forensic tools.


Outlook’s Three Email Storage Formats

  1. .OST (Offline Outlook Data File): Used by Microsoft 365, Exchange, IMAP, and Outlook.com accounts.

  2. .PST (Outlook Data File): Used for POP email accounts, archives, and exported email backups.

  3. .NST (Outlook Group Storage File): Stores group conversations and calendar data for Microsoft 365 Groups.

-------------------------------------------------------------------------------------------------------


Understanding Outlook’s Email Storage Formats

  • PST Files: Once the standard format for Outlook, these files store emails, attachments, contacts, and calendar entries. While newer versions of Outlook favor .OST files, .PST files are still used for email backups and archives.


  • OST Files: Now the default for Microsoft 365 and Exchange accounts, these files are synchronized local copies of the server mailbox. Unlike a .PST, an orphaned .OST cannot simply be opened in Outlook, because it is bound to the profile and mailbox that created it; forensic parsers such as libpff read both formats directly, so this is not an obstacle to examination.


  • NST Files: A newer format designed for Microsoft 365 Groups. Unlike the other two, .NST files do not store mail permanently; they cache group conversations and calendar events synchronized from the service.

-------------------------------------------------------------------------------------------------------

Where to Find Outlook Email Files

The default location depends on the Outlook version and the Windows profile layout, and a user can move a data file anywhere from Account Settings > Data Files, so treat the paths below as the first places to look rather than the only ones:


.PST File Locations:

1. Outlook 2010, 2013, 2016, 2019 and Microsoft 365 Apps:

C:\Users\[username]\Documents\Outlook Files

2. Outlook 2007:

C:\Users\[username]\AppData\Local\Microsoft\Outlook

3. Outlook 2003 and earlier (Windows XP-era profile layout):

C:\Documents and Settings\[username]\Local Settings\Application Data\Microsoft\Outlook


.OST File Locations:

1. Outlook 2007, 2010, 2013, 2016, 2019 and Microsoft 365 Apps:

C:\Users\[username]\AppData\Local\Microsoft\Outlook

2. Outlook 2003 and earlier (Windows XP-era profile layout):

C:\Documents and Settings\[username]\Local Settings\Application Data\Microsoft\Outlook

-------------------------------------------------------------------------------------------------------------

Update as of 28 Jan 2025: on current Outlook builds, check these two locations first:

%UserProfile%\Documents\Outlook Files
%UserProfile%\AppData\Local\Microsoft\Outlook

Older versions of Outlook may also keep archives and profile artifacts (for example the .nk2 autocomplete cache and .srs send/receive settings) under

%UserProfile%\AppData\Roaming\Microsoft\Outlook

The user's Outlook registry key, read live from HKEY_CURRENT_USER or offline from the NTUSER.DAT hive of a disk image, can help locate non-default storage locations:

NTUSER.DAT\Software\Microsoft\Office\16.0\Outlook\

Notes:

It's always a good practice to check the actual locations in Outlook settings or through the registry:

-------------------------------------------------------------------------------------------------------------

.PST and .OST Location Registry Key:

• HKEY_CURRENT_USER\Software\Microsoft\Office\xx.0\Outlook

• (Replace xx.0 with the version of Outlook in use, e.g., 16.0 for Outlook 2016/2019/Microsoft 365 and 15.0 for Outlook 2013. On a disk image, HKEY_CURRENT_USER is the user's NTUSER.DAT hive.)


Look for the ForceOSTPath and ForcePSTPath values directly under this key: they are policy settings that redirect newly created .OST and .PST files, respectively, to a custom folder, and they exist only when an administrator or the user has set them, so their absence does not mean the defaults are in use. The paths of the data files a profile actually has open are stored under the Profiles subkey of the same location as REG_BINARY values containing UTF-16 strings; decoding those is the reliable way to find archives that live outside the default folders.
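As an added example (not from the original post), the following Python code turns that registry check into a repeatable step. On a live host it reads HKEY_CURRENT_USER through the standard-library winreg module; on a dead-box image, load NTUSER.DAT with a hive parser of your choice and feed the (name, data) pairs of the Outlook subkeys to extract_store_paths(). The value names 001f6700 (PST path) and 001f6610 (OST path) in the constructed sample are the ones forensic references commonly give and are an assumption here; the decoder keys off the decoded path's extension rather than the value name, so it still works if those names differ between versions. The sample values, user name and paths are constructed, not captured from a real system.

```python
"""Pull Outlook data-file paths out of the per-user registry hive.

Added example for this page, not code from the original post. Handles the
ForcePSTPath/ForceOSTPath policy values (REG_SZ) directly under
HKCU\\Software\\Microsoft\\Office\\xx.0\\Outlook and the REG_BINARY values under
Profiles, which hold NUL-terminated UTF-16LE strings.
"""
from __future__ import annotations

import sys
from typing import Iterable, Optional

STORE_EXTS = (".pst", ".ost", ".nst")
POLICY_VALUES = {"ForcePSTPath": ".pst", "ForceOSTPath": ".ost"}   # directory policies, not files


def decode_reg_string(data) -> Optional[str]:
    """REG_SZ arrives as str; REG_BINARY profile values are UTF-16LE, NUL-terminated."""
    if isinstance(data, str):
        return data
    if isinstance(data, (bytes, bytearray)):
        try:
            text = bytes(data).decode("utf-16-le")   # odd length or bad surrogates: not a string
        except UnicodeDecodeError:
            return None
        return text.split("\x00", 1)[0]
    return None                                       # DWORD/QWORD values are never paths


def extract_store_paths(values: Iterable[tuple[str, object]]) -> list[dict]:
    """Return the mail-store locations found among (value_name, value_data) pairs."""
    found = []
    for name, data in values:
        text = decode_reg_string(data)
        if not text:
            continue
        if name in POLICY_VALUES:
            found.append({"value": name, "path": text, "kind": "policy directory",
                          "stores": POLICY_VALUES[name]})
        elif text.lower().endswith(STORE_EXTS):        # match on the path, not on the value name
            found.append({"value": name, "path": text, "kind": "data file",
                          "stores": text[-4:].lower()})
    return found


def collect_live(office_version: str = "16.0") -> list[dict]:
    """Walk the user's Outlook key on the running Windows host; returns [] on other platforms."""
    if sys.platform != "win32":
        return []
    import winreg                                     # standard library, Windows only
    hits: list[dict] = []

    def walk(path: str) -> None:
        try:
            key = winreg.OpenKey(winreg.HKEY_CURRENT_USER, path)
        except OSError:
            return
        with key:
            values, subkeys, i = [], [], 0
            while True:                               # EnumValue raises OSError when exhausted
                try:
                    name, data, _kind = winreg.EnumValue(key, i)
                except OSError:
                    break
                values.append((name, data))
                i += 1
            i = 0
            while True:                               # same pattern for EnumKey
                try:
                    subkeys.append(winreg.EnumKey(key, i))
                except OSError:
                    break
                i += 1
        for hit in extract_store_paths(values):
            hit["key"] = path
            hits.append(hit)
        for sub in subkeys:                           # recurse into Profiles\<name>\... subkeys
            walk(path + "\\" + sub)

    walk(rf"Software\Microsoft\Office\{office_version}\Outlook")
    return hits


# Constructed sample of what a profile subkey might hold; value names are an assumption.
SAMPLE_VALUES = [
    ("ForcePSTPath", r"D:\MailArchive"),
    ("001f6700", "C:\\Users\\dean\\Documents\\Outlook Files\\old-projects.pst\x00".encode("utf-16-le")),
    ("001f6610", "C:\\Users\\dean\\AppData\\Local\\Microsoft\\Outlook\\dean@corp.example.ost\x00".encode("utf-16-le")),
    ("001e3001", b"Outlook Data File\x00"),           # 8-bit string value: decodes to junk, ignored
    ("00033009", b"\x02\x00\x00\x00"),                # numeric blob, ignored
]

if __name__ == "__main__":
    for hit in collect_live() or extract_store_paths(SAMPLE_VALUES):
        print(f"{hit['value']:<14} {hit['kind']:<16} {hit['path']}")
```

Expand %VAR% references in the policy paths on the examined system's terms (they may point at a share or a second volume), and remember that a policy value only affects files created after it was set, so an older archive in the default folder can coexist with a redirected one.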

-------------------------------------------------------------------------------------------------------------


Recovering Deleted Emails from Outlook Archives

Outlook data files can be massive: Unicode-format files in Outlook 2010 and later default to a 50 GB ceiling (adjustable by policy), versus the hard 2 GB limit of the older ANSI format. Deleted emails often linger inside these files, because Outlook only marks their space as free and reuses or compacts it later, so forensic tools can frequently recover messages that were "hard deleted" (removed from Deleted Items or deleted with Shift+Delete). Two caveats: recovery is only possible until the freed blocks are overwritten or the file is compacted, and a raw keyword search across the file misses most content because Outlook byte-permutes data blocks by default ("Compressible Encryption", recorded in the file header), so use a tool that decodes the format rather than grepping the file.


Key Takeaways for Investigators

  • Local email stores are a goldmine for forensic analysis, even in cloud-based environments.

  • Outlook dominates the Windows email client market, making its archives crucial for investigations.

  • Deleted emails and metadata can often be recovered with the right tools.

  • File location and registry analysis can help track down hidden email archives.


****************************************************************************************************************

When it comes to email forensics, it's nearly impossible to prepare for every single email client out there. However, focusing on the more common ones is a great starting point.


Step 1: Identify Installed or Previously Used Email Clients

One of the first steps you can take is to look for email programs installed or previously used on the system. The Windows registry (for example, the Uninstall keys and the file-association entries for extensions such as .pst and .eml) and execution artifacts such as Prefetch files are rich sources here, and they can reveal references to email clients that were installed and later removed. If you're unsure about an unfamiliar program, a quick internet search can often provide details about its file types and archive structure.


Step 2: Understand Email Archive Formats

Most email clients store their data in plain, documented archive formats (mbox-style text files, or one file per message as in Maildir and Apple Mail's .emlx), so the contents can be read and keyword-searched directly. Outlook's PST/OST files are among the few exceptions: they are a binary database, and by default Outlook byte-permutes the data blocks ("Compressible Encryption", an obfuscation rather than real encryption), so the file must be parsed with a tool that understands the format rather than grepped. Forensic suites excel at locating and parsing these archives, and they often come with robust search capabilities.


Some email archive formats retain unallocated (free) space inside the file, so even emails that were hard-deleted may still be recoverable until that space is reused or the archive is compacted.



Step 3: Don’t Forget Other Data

Email clients are often more than just tools for sending and receiving emails. Many are complete productivity hubs, featuring calendars, address books, and task lists. These features can generate additional artifacts, which might also be exported into various formats. These can provide useful context during an investigation.


--------------------------------------------------------------------------------------------------------

Conclusion

By understanding how host-based email storage works, forensic investigators can uncover crucial evidence, even when emails seem lost or deleted.

----------------------------------------Dean------------------------------------------------------
