Analyze OST File – Obtaining Evidentiary Messages from Orphan Replica

Simon | October 22nd, 2015 | Forensics

There is a variety of email programs available at present, of which Microsoft Outlook counts as the most common. The application comes from a renowned and long-trusted software vendor, and it is a complete Personal Information Manager rather than just an email client. Moreover, apart from working on its own, the client functions in a server environment, which enables an organization to create a private environment for its employees for internal sharing, communication, and more. This also raises the need for Outlook OST forensics.

However, despite the high security deployed in an Exchange Server environment, user data preserved in mailboxes is put at stake by their vulnerabilities. OST files, i.e. the offline replicas of server-side mailboxes, are more prone to being affected by these conditions for the very reason that they reside on the user's machine and not on the server. Servers are comparatively more intensely protected than end users' machines.

Outlook OST Forensics And Possible Involvement in Digital Offense

OST files are the offline replicas of user mailboxes residing on the server side. These mailbox copies enable users to work on their accounts in Offline Mode when they are not connected to the respective Exchange environment.

Whatever information is stored in an OST file is later updated / synchronized with its respective mailbox on Exchange Server when the connection is regained. Therefore, when analyzing an OST file, whatever is stored in the database is present in the server mailbox too. However, this is only the case once synchronization between the server and the mailbox has taken place.

OST files are encrypted, or rather tied to their respective Exchange environment through a MAPI profile. Therefore, during Outlook OST forensics, the same environment must be made available in order to mount the OST file. Without Exchange, the OST file is orphaned and cannot be mounted, as it is unable to detect its server-side mailbox to synchronize with.

Moreover, connecting such an OST file to the server may spoil the evidence it contains, as attributes may be modified during synchronization.

Analyzing an OST file may therefore require a platform that is capable of reading its contents without compatibility issues or MAPI configuration, and that can get past the file's security.
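A first triage step that needs neither Exchange nor a MAPI profile, shown as an added example that is not part of the original article or of any tool it mentions: hash the acquired file and read its header read-only. The field offsets and encoding values follow the public MS-PST specification; the "SO" client signature for OST files and the treatment of every version from 23 upward as the Unicode layout are assumptions, and the sample header is constructed.

```python
import hashlib
import struct

# Header constants from the public MS-PST specification; the "SO" client
# signature for OST is an assumption taken from community format notes.
CLIENTS = {b"SM": "PST", b"SO": "OST", b"AB": "PAB"}
CRYPT = {0: "none", 1: "permute", 2: "cyclic"}

def build_sample_header(client=b"SO", ver=23, crypt=1):
    """Constructed 564-byte Unicode-layout header, not a real mailbox."""
    hdr = bytearray(564)
    hdr[0:4] = b"!BDN"                      # dwMagic
    hdr[8:10] = client                      # wMagicClient
    struct.pack_into("<H", hdr, 10, ver)    # wVer
    hdr[513] = crypt                        # bCryptMethod (Unicode offset)
    return bytes(hdr)

def triage_header(data):
    """Classify an Outlook data file from its first bytes only."""
    if len(data) < 514 or data[0:4] != b"!BDN":
        raise ValueError("not an Outlook data file header")
    (wver,) = struct.unpack_from("<H", data, 10)
    if wver in (14, 15):
        layout, crypt_off = "ANSI", 461
    elif wver >= 23:
        layout, crypt_off = "Unicode", 513
    else:
        raise ValueError(f"unexpected wVer {wver}")
    return {
        "kind": CLIENTS.get(data[8:10], "unknown"),
        "layout": layout,
        "encoding": CRYPT.get(data[crypt_off], "unknown"),
    }

def triage_file(path):
    """Hash and classify the evidence copy; the file is opened read-only."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        head = fh.read(564)
        digest.update(head)
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    info = triage_header(head)
    info["sha256"] = digest.hexdigest()
    return info
```

Run it against a working copy of the acquired file and record the digest before any viewer opens it, so that later changes to the file can be detected.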

Analyze Orphaned Offline Mailbox

When orphaned from its respective Exchange environment, an OST file needs external help to be read. OST viewer forensics acts as such a platform: it reads an OST file in a way that makes the contents readable and keeps them intact at the same time. The advanced programming of the software makes it capable of reading even damaged offline data files. The tool offers multiple modes for a detailed view of the data file contents, i.e. emails. Among the various views, the hexadecimal view and the message header view are the two most important. These preview modes help determine the genuineness of a message via its header details and hexadecimal structure. When carrying out Outlook OST forensics, the application emerges as a bankable OST file investigation program for a complete analysis of an OST file.