Search for Evidence in OST File – An Email Forensics Approach
Challenges Faced in Analyzing OST Files
- OST Cannot Be Accessed Without Mapping: The user will not be able to access OST file folders if the encryption key value and relevant key value does not match with each other or it fails to map properly.
- Analyze The Binary Format File: The offline storage is in binary file type hence, requires the authority in responsibility of the file to know about the binary file type. Moreover, to open and read binary values the knowledge about hexadecimals values should be known.
- Origin Microsoft Exchange Server: The Exchange Server from to which the OST file belongs must be available in live mode.
- Opening Orphaned Outlook OST: It becomes more difficult to analyze the OST files, which are damaged or corrupted because of the failure in synchronization with server.
- Analyzing the OST File Attachment: Analysis of attachment is as important as examining the text/body of the mail. It is a challenging task to analyze the attachments because of the bulk quantity of emails, which makes it tedious for the examiner to study each of them.
Detailed Information of OST File
- Default Location of OST File
By default, the OST folders are synchronized with information available on the Exchange server. The default location of OST folder is:- On Windows 7 and Vista: drive:\Users\user\AppData\Local\Microsoft\Outlook
- On Windows XP: drive:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Outlook
Investigation team may find this file from the specified location, which can be used for forensic purposes. Examiners must access the contents of the file for taking an overview of the offline storage and start further investigation.
- Prerequisites to Access OST
User can gain access to Outlook OST file only if the MAPI profile is created. It would not be accessible, if the file were unauthorized through its original profile. OST is an encrypted file, which is created with a unique ID of the server mailbox. This unique ID is only accessible when connection to the Server is established and the related keys are stored into the profile registry settings. When user clicks on the OST file to gain access of it, then encryption key at the server end and system registry matches proving both as identical, then only the OST profile can be accessed.Therefore, forensic experts must have administrative access to the server to be able to examine the parent mailbox as well as its corresponding OST profile on the client end. If the live environment access is gained, then only it will be possible to access the profile and analyze it for collecting evidence.NOTE: Imaging of the original piece of artifact must be done in priority to avoid evidence spoliation. - File Signature of Outlook OST
Since each file type, consists of a file signature for unique identification. Similarly, below-mentioned is the file signature of an OST file:- The File signature in Hexadecimal format is: 21 42 44 4e.
- The ASCII code of Outlook OST folder is: !BDN.
If the file signature of a standard OST file and the one being examined (that is with the end user) is non-identical, then it means that the latter file has been altered through some means.
- Cache Replica of Exchange Mailbox
In addition, when user uses an Exchange Server account, they are recommended to use Cache Exchange Mode to enable its offline access on the client end. This mode creates and uses OST file, which downloads as well as maintains a replica of all items that are updated when connection is re-established with the server.To open OST files, user requires Outlook application to be pre-installed on the client end along with active server connectivity. There may be another way to access such files, i.e. converting the OST files into PST file format.