Interpreting the Structure of Outlook PST File
Three-tier logical arrangement of a PST file is:
- NDB (Node Database) layer
- LTP (Lists, Tables, and Properties) layer
- Messaging layer
1. NDB Layer
NDB (Node Database) Layer is the database of nodes representing the lower layer storage facilities of the PST files. The layer is composed of a header; various information about file allocation, nodes, blocks, and two BTrees: the Node BTree (NBT) and the Block BTree (BBT).
The BTree implementation of NBT and BBT improves the search efficiency for a block or node. The NBT consists of reference to all the nodes in the PST file. Each node is referenced by a set of properties – NID, parent NID, data BID, and sub-node BID.
BBT consists of reference to all the blocks in the PST file and each block is referenced by its BID, IB, CB, and CREF. CREF is the count of reference to the data stored in the block. IB is the Offset and CB is the Count of Bytes within the block.
2. LTP Layer
This layer is concerned with properties of PST files. The core elements of the LTP layer are Property Context (PC) and Table Context (TC). PC is the collection of properties whereas, TC is the two dimensional collection of properties. Rows are the collection of properties and column is the properties within the row.
Two data structures are used in this layer: Heap-on-Node (HN) and BTree-on-Heap (BTH).
HN is a Heap structure on the top of a node for allocating data stream of a node into small, variable-sized fragments. BTH is exists within an HN and BTH provides an easy way to access data.
3. Messaging Layer
Messaging layer is the rules and logics to combine the NDB layer and LTP layer Folder Objects, Message Objects and its Properties. The rules and requirements to modify a PST file are defined in the messaging layer.
The physical structure of a PST file deals with header, Density List (DList) and various map pages. The map pages are Allocation Map (AMap), Page Map (PMap), Free Map (FMap), and Free Page Map (FPMap).
Normally Data Structures are used to hold data in a specific format some of the structures used in PST files are Blocks, Nodes, BTree, PC Records, etc.
The Header resides at the beginning of the file and contains Metadata, root record, and initial free map (FMap) and free page map (FPMap) concerning the PST file.
Allocation Map keeps track of the allocation status of the data, which is often a fixed size page. AMap pages are an array of bits in hexadecimal value.
Density list is the ascending order list of references to Allocation Map page. There can be only one DList in a PST file.
Page Map is a 64 byte Allocation Map used to store the metadata of the PST file. Free Map is for finding continuous free space whereas the Free Page map finds the free pages.
Blocks are the fundamental structure used to store the data at NDB layer. Nodes consist of the data blocks and are used to divide PST file to logical streams.
The underlying structure of a PST file is complex and the extraction of data from PST file is therefore cumbersome. Various PST viewers and converters are now a days available online, which make the respective task easier.