Microsoft to Release the .PST File Format

by Mike Murr on October 26, 2009

@MicrosoftPress tweeted this earlier today: ‘Paul Lorimer, Group Manager, MS Office Interoperability: “…we will be releasing documentation for the .pst file format.” http://ow.ly/wHqE’.

It looks like the specification for the Outlook Personal Folder (.PST) file format will be released under Microsoft’s Open Specification Promise (OSP). The original blog post is “Roadmap for Outlook Personal Folders (.pst) Documentation” (at the Microsoft Interoperability blog).

Since email can easily play a vital role during an investigation, releasing this specification can provide investigators, examiners, analysts, and digital forensic tools with a better understanding of the evidence at hand.


Luke November 30, 2009 at 2:04 am

Hi Mike,

Until the standard is released, how did the forensic examiners manage to extract the email data from damaged pst files? In situations when neither scanpst, pffrecover/pffexport, etc. work, how do you extract the contents of the file?

Cheers,
Luke

Mike Murr December 21, 2009 at 4:33 am

Hi Luke,

There are a few options. If the tool runs on Microsoft Windows, the Messaging API (MAPI) provides programmatic access to Microsoft Outlook. Another approach is to attempt to reverse engineer the format, and develop analysis code based on the author’s understanding of the format. Alternatively, techniques such as file carving can also be used.
