Microsoft Outlook Forensic Analysis
Corporate sectors and enterprises mostly use desktop email clients amongst which MS Outlook application is most popularly used. This application is also utilized at personal level usage. Investigators often come across cases where MS Outlook application generated files and information is needed for analysis. Different method and techniques for attainment of associated cache or storage files and parsing PST files is incurred while such investigation.
Understanding Outlook Storage File
Microsoft Outlook email client uses PST as mail storage format. This file is when MS Outlook application is configured with any PPO3, IMAP or any other protocol accounts. PST file structure can be logically divided into three parts or layers; NDB, LTP and Messaging Layer. NDB also known as Node database comprises of nodes which directs to lower-level objects for storage including; blocks, headers, nodes, file allocation details, BTrees. The LTP i.e. Lists, Table and Properties comprises of higher-level notions which enwraps Property Context and Table Contexts. The Messaging layer comprises of higher-level bodies like Message objects, attachments, properties objects, folder objects etc. Understanding this layer concept helps users to know about integrity of PST file.
Where to Find Outlook File Location?
At an investigator’s point of view, reaching to the email file is the most important and foremost step. By default the MS Outlook PST file is stored in below mentioned location;
For Windows 8;
For Windows 7 / Windows Vista;
C:\Users\<username>\My Documents\Outlook Files
Previous versions of MS Outlook storage file stored the PST file in following locations;
Windows 8 / Windows 7 / Windows Vista
C:\Documents and Settings\<username>\Local Settings\Application Data\Microsoft\Outlook
It is not necessary that the suspect has the Outlook storage file located to the same default location. There are chances that the file is stored in some other location. In that condition, one can find the location of MS Outlook application by going to;
File>> Account Settings >> Data Files tab. Here the path of the PST file can be viewed.
How to Find Headers of MS Outlook?
Email header is considered to be the most important asset to find the resourceful evidentiary elements. This header structure is located at the beginning of the PST (absolute file offset 0) comprising the Metadata of PST file. MS Outlook 2013 application displays email header information through following procedure;
- Open the email in the MS Outlook 2013 application. Go to File and double-click on Properties.
- This will open another window where the technical properties of the email will be visible along with the Email Header labeled as “Internet headers”.
- MS Outlook email header represents several loopholes of the email. One can validate the sender, recipient, source, IP address, service used, time/date-stamp, etc. through this Internet Message Header.
To investigate particular emails of MS Outlook application there is also an added functionality of exporting or archiving emails to another PST file. Analyzing the MS Outlook emails header elements; one can reach to the email forging. Many elements available like Message ID, sender validation, In reply-to, DKIM Signature etc. Such elements can lead to any forging done with the emails and genuineness of the email origin. Cybercriminals manipulate emails and headers for illegitimate purposes which makes the investigation eve more difficult. In order to perform thorough investigation advance techniques and methods should be utilized to dig out the truth unearthing the visible deceptions.