PST-OST Extended Media Email Recovery


view larger version

Microsoft Outlook Advanced Salvage is an ILookIX exclusive capability that opens doors to information never before thought possible. In the 14 years since three individuals at Microsoft first invented the Outlook Object Model and storage mechanism system, little from Microsoft has ever been released about how the system worked, or in what form it used the underlying operating system and filesystem.  Microsoft has even recently declined officially to reveal any details of the email client, or the storage mechanisms involved in the application.   

After over a decade of continuous research, Perlustro has stepped to the forefront of the world’s most ubiquitous email client and powered the analyst with a tool unlike anything that exists.  For example, the salvage of Outlook email from a machine that has been running Outlook for a year, will invariably now disclose to this processing,  a volume of Email that in many many real world cases, far exceeds the entire visible or extractable contents of an active PST or OST file, in particular long ago deleted email and email which the user is not even aware was on the machine.   The recovery also is little effected by destructive processes such as defragmentation and attempts to forcibly erase files.

Operation of the function in ILookIX is simple and straighforward.  Just a single click on the toolbox option and one on the media item are all that is needed.  But, the mysteries it takes to form the final output, like in this screen, were years in the making. There are some emails in freespace that others often capture, but there is additional email in other places, that no other process captures or brings to the fore of an investigation.

The output in this screen example came from a practically unused system, where the mail was not routine, not in abundance, and not visible to other forensics tools at any level. The process recoverd not only well-formed mails, but also the attachments that accompanied them. Even where mail is salvaged, but cannot be fully recovered to every byte, every last byte that exists to be salvaged – is salvaged into the output streams !