Executive Summary for InstantDoc ID 100556

Executive Summary:

Here’s a tip for recovering Microsoft Office Outlook email messages when an employee tries to destroy them. Try using a hex editor and running ScanPST.


What happens when an employee deletes emails to hide suspect communications? Well, if the content was on a Microsoft Exchange server, the administrator controls potential access to what a user deletes. Administrators can ensure that even when users think they have purged embarrassing or illegal evidence, management can still access historical email communications. From the server side, this may be achieved through archiving or Exchange journaling. In Exchange, there's even an option to not purge deleted content until it's saved to a backup set. Restoring a backup from a period just prior to the user deleting the offending emails or using Recover Deleted Items after a restore are both possible options.

But what if the user deletes emails in a .pst file, and empties the Deleted Items folder? I was playing around with .pst files using a hex editor to try to remove the password from password-protected .pst files. I found that if I corrupted the first bits using a hex editor and then ran ScanPST, I was able to recover items that were deleted. This works when the .pst file has not yet been compacted.

Use a backup copy of the .pst file for this. I opened the .pst file in a hex editor and changed the first 8 bits to 00 or ff. Figure 1 shows a sample using a free tool called Hex Editor XVI32. The first 8 bits are now ff. Outlook will no longer recognize this file as a .pst file. Trying to open it in Outlook will return the error shown in Figure 2. At this point, run ScanPST on the file. (See Figure 3.) ScanPST recreates the pointers for items that have been deleted but are still resident in the file. After ScanPST has completed its recovery efforts, you can open the .pst file in Outlook. Items emptied from the Deleted Items folder are now restored to the Deleted Items folder. This test worked for ANSI and Unicode .pst files of about 1GB.
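The copy-then-edit step above can be scripted so the original .pst is hashed and never written to. This is an added example, not the author's code. It assumes the header layout from Microsoft's published MS-PST format specification (magic `!BDN` at offset 0, version word `wVer` at offset 10), and the working-copy file name is hypothetical.

```python
import hashlib, shutil, struct, tempfile
from pathlib import Path

PST_MAGIC = b"!BDN"  # dwMagic, bytes 0-3 of a .pst header (MS-PST format spec)

def sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def pst_format(header):
    """Classify a .pst from wVer, the little-endian uint16 at offset 10."""
    if len(header) < 12 or header[:4] != PST_MAGIC:
        raise ValueError("not a .pst file (short header or bad magic)")
    (ver,) = struct.unpack_from("<H", header, 10)
    if ver in (14, 15):
        return "ANSI"
    if ver >= 23:
        return "Unicode"
    raise ValueError(f"unexpected wVer {ver}")

def prepare_working_copy(original, workdir, fill=0xFF):
    """Copy the .pst, overwrite the copy's first byte, leave the original alone."""
    if fill not in (0x00, 0xFF):  # the two values the article uses
        raise ValueError("fill must be 0x00 or 0xFF")
    original = Path(original)
    before = sha256(original)
    with open(original, "rb") as f:
        fmt = pst_format(f.read(12))
    copy = Path(workdir) / (original.stem + ".work.pst")  # hypothetical naming
    if copy.exists():
        raise FileExistsError(copy)  # never clobber an earlier working copy
    shutil.copyfile(original, copy)
    with open(copy, "r+b") as f:
        f.write(bytes([fill]))  # first 8 bits only
    if sha256(original) != before:
        raise RuntimeError("original changed while the copy was prepared")
    return {"copy": copy, "format": fmt, "original_sha256": before}

if __name__ == "__main__":
    # Constructed header-only stand-in for a Unicode .pst (not a real mailbox).
    with tempfile.TemporaryDirectory() as d:
        src = Path(d) / "mailbox.pst"
        src.write_bytes(PST_MAGIC + bytes(4) + b"SM" + struct.pack("<H", 23) + bytes(500))
        print(prepare_working_copy(src, d))
```

Run ScanPST against the returned `copy` path, and keep `original_sha256` with your case notes so you can show later that the source file was not altered.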

Items that were overwritten by new data within the personal folders file cannot be recovered. There are also several third-party applications that can recover items purged from the Deleted Items folder of a .pst file, such as the Stellar Phoenix PST Repair utility and Advanced Outlook Repair by DataNumen. Some do so as part of recovery efforts from .pst file corruption.