Forensic Processing of Recovering Deleted Items
The forensic examination of digital media from a desktop computer, laptop, or network server can lead to recovery of information, in conjunction with deleted Outlook emails and attachments. Outlook is a database that stores email, contacts, notes and attachments as a record in a compressible, encrypted format. Outlook .pst file has some functional limits to the size, which carries all personal private folders of Outlook user. Approaching size limit, the mail must be backup or archived otherwise it becomes inaccessible. It is prevalent for corporate user to have active .pst file with multiple archives if the storage quotas is restricted.
Every MS Outlook user can delete email messages with their attachments. On a desktop with Outlook installed as an email client, competence for Outlook to recover deleted items is only set up on deleted items folder. So if the email gets deleted inadvertently, it may recovered easily by the user. But if the user send a proprietary secret as an email attachment and carry out a "hard deletion" (by using SHIFT + DELETE keys) of message, user can't recover that message. At that instant forensic software helps you in retrieving the deleted emails of Outlook with their attachments other related attributes.
Now how these Forensic Tools work on your database, when documents are written to a hard disk of computer, it creates a directory entry (what user sees as entry in folder). If a data has been deleted and not been overwritten by another document, then at that instant a recovery process is a relative trivial part of data recovery or e-discovery. But when data of interest is from removed email, the discovery process is fairly different from the data recovery. Individual emails are restoring differently than individual files. Distinct types of email program stores data distinctly on User's hard disk and require distinct schemes for detecting information. As a result deletion of emails and recovering not only differ for other types of documents but also for the different types of email programs.
There are mainly three types of emails in common usage - Microsoft Outlook, text based email and web based email.
In Outlook all emails are stored in a one large, non text, encrypted file PST (personal storage table). Outlook has supplementary functionality and content as well. There are a multiple mailboxes, address book, calendar and scheduler all of which stored in a PST file. When someone looks into an Outlook data file with a word processing application or editor, there is nothing comprehensible to the human eye. The content of file looks like virtually random character.
In general PST file must be loaded into Microsoft Outlook to be read. When an email message is deleted or purged, it may to stored with body of a single large file, but become inaccessible to program. These deleted emails may be recovered by manipulating files through a manual method, repairing resultant file and loading back into MS Outlook.
Forensic Outlook Recovery Software is best suited in circumstance of hard deletion. As it easily recovers hard deleted items of Outlook data file with its additional attributes like to, subject, bcc, cc, action, attachments etc in a much proficient manner.
There is a chance that remaining deleted files may be overwritten, due to this probability, it is best to instantly turn off the system where the data recoverability is in question. As longer computer remains in use the probability of data being irreparably destroyed. If user system inspected at the time of legal matter or document discovery is expected, the system should be turned off immediately to avoid evidence spoliation. If the precaution is taken after deleting an Outlook items than it can be recovered with its metadata through different methodologies available to digital forensic specialists.
