Forensic Processing of Recovering Deleted Items

Written By Deepmala
Approved By Chirag Arora  
Published On September 28th, 2023

The forensic examination of digital media from a desktop computer, laptop, or network server can lead to the recovery of information, including deleted Outlook emails and attachments. Outlook is a database that stores email, contacts, notes, and attachments as records in a compressible, encrypted format. The Outlook .pst file, which carries all of an Outlook user's personal folders, has a functional size limit. As the file approaches that limit, the mail must be backed up or archived; otherwise it becomes inaccessible. It is common for a corporate user to have an active .pst file with multiple archives if storage quotas are restricted.

Every MS Outlook user can delete email messages along with their attachments. On a desktop with Outlook installed as the email client, Outlook's ability to recover deleted items extends only to the Deleted Items folder. So if an email is deleted inadvertently, the user can easily recover it. But if the user sends a proprietary secret as an email attachment and then carries out a “hard deletion” of the message (using the SHIFT + DELETE keys), the user can’t recover that message. In that instance, forensic software helps you retrieve deleted emails from Outlook with their attachments and other related attributes.

How do these forensic tools work on your database? When a document is written to a computer's hard disk, a directory entry is created (what the user sees as an entry in a folder). If the data has been deleted but not yet overwritten by another document, recovering it is a relatively trivial part of data recovery or e-discovery. But when the data of interest comes from deleted email, the discovery process is quite different from ordinary data recovery. Individual emails are restored differently from individual files. Different email programs store data differently on the user’s hard disk and require different schemes for locating information. As a result, the deletion and recovery of emails differ not only from other types of documents but also between different types of email programs.

There are mainly three types of email in common usage: Microsoft Outlook, text-based email, and web-based email.
In Outlook, all emails are stored in one large, non-text, encrypted file, the PST (personal storage table). Outlook has supplementary functionality and content as well: multiple mailboxes, address books, calendars, and schedulers, all of which are stored in the PST file. When someone opens an Outlook data file in a word processor or text editor, nothing in it is comprehensible to the human eye. The content of the file looks like virtually random characters.
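Although the body of the file is unreadable, an examiner can still identify a PST and its encoding setting from the fixed header. The following is an added example, not part of the original article or of any vendor tool: it reads the header fields documented in Microsoft's [MS-PST] specification, and the function names and the zero-filled sample headers are constructed for illustration.

```python
import struct

# Header constants and offsets as documented in Microsoft's [MS-PST] specification.
PST_MAGIC = b"!BDN"      # dwMagic, offset 0
CLIENT_MAGIC = b"SM"     # wMagicClient, offset 8 (PST files)
CRYPT_OFFSET = {"ANSI": 461, "Unicode": 513}   # position of bCryptMethod
CRYPT_NAMES = {
    0x00: "none",
    0x01: "compressible encryption (permute)",
    0x02: "high encryption (cyclic)",
}


def identify_pst(header: bytes) -> dict:
    """Classify a file from its first 514 bytes; raise ValueError if not a PST."""
    if len(header) < 16 or header[0:4] != PST_MAGIC:
        raise ValueError("not an Outlook data file: dwMagic mismatch")
    if header[8:10] != CLIENT_MAGIC:
        raise ValueError("not a PST: wMagicClient mismatch")
    (w_ver,) = struct.unpack_from("<H", header, 10)   # wVer, little-endian
    if w_ver in (14, 15):
        fmt = "ANSI"
    elif w_ver >= 23:
        fmt = "Unicode"
    else:
        raise ValueError(f"unknown wVer {w_ver}")
    off = CRYPT_OFFSET[fmt]
    if len(header) <= off:
        raise ValueError("header truncated before bCryptMethod")
    method = header[off]
    return {"format": fmt, "wVer": w_ver,
            "encoding": CRYPT_NAMES.get(method, f"unknown (0x{method:02x})")}


def make_sample_header(w_ver: int, crypt: int) -> bytes:
    """Constructed test input: zeroed header with only the parsed fields set."""
    buf = bytearray(564)
    buf[0:4] = PST_MAGIC
    buf[8:10] = CLIENT_MAGIC
    struct.pack_into("<H", buf, 10, w_ver)
    buf[461 if w_ver in (14, 15) else 513] = crypt
    return bytes(buf)


if __name__ == "__main__":
    print(identify_pst(make_sample_header(23, 0x01)))
    print(identify_pst(make_sample_header(14, 0x00)))
```

On a real image, pass the first 564 bytes of the candidate file read from a write-blocked copy. The encoding value accounts for the random-looking content in an editor: with the compressible setting, block data is stored through a byte-substitution encoding.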

In general, PST files must be loaded into Microsoft Outlook to be read. When an email message is deleted or purged, it may still be stored within the body of the single large file but become inaccessible to the program. These deleted emails may be recovered by manipulating the file through a manual method, repairing the resultant file, and loading it back into MS Outlook.

Forensic Outlook Recovery Software is best suited to cases of hard deletion. It easily recovers hard-deleted items from Outlook data files along with their additional attributes, such as To, Subject, Bcc, Cc, action, and attachments, in a much more proficient manner.

There is a chance that the remaining deleted files may be overwritten. Because of this, it is best to turn off immediately any system where data recoverability is in question. The longer the computer remains in use, the greater the probability of data being irreparably destroyed. If the user's system is to be inspected in a legal matter, or document discovery is expected, the system should be turned off immediately to avoid evidence spoliation. If this precaution is taken after Outlook items are deleted, they can be recovered with their metadata through the different methodologies available to digital forensic specialists.