Search for Evidence in OST File – An Email Forensics Approach
The most popular topic of discussion among forensic experts is how to perform OST file forensics approach for searching an evidence. Offline Storage Table (OST) file is a storage data file of Microsoft Outlook, which is a cache replica of Exchange Server mailbox on local machine. Its file extension is .ost and is generated on enabling the cache exchange mode while configuration of a new user profile with Microsoft Outlook. OST file allow users to maintain offline availability of data, which is a fundamental feature of Outlook. It uses Message Access Programming Interface (MAPI) protocol allows to maintain synchronization between Microsoft Outlook desktop application and Exchange Server user mailbox. MAPI client can make usage of this protocol by storing information and accessing them in offline mode.
Challenges Faced in Analyzing OST Files
- OST Cannot Be Accessed Without Mapping: The user will not be able to access OST file folders if the encryption key value and relevant key value does not match with each other or it fails to map properly.
- Analyze The Binary Format File: The offline storage is in binary file type hence, requires the authority in responsibility of the file to know about the binary file type. Moreover, to open and read binary values the knowledge about hexadecimals values should be known.
- Origin Microsoft Exchange Server: The Exchange Server from to which the OST file belongs must be available in live mode.
- Opening Orphaned Outlook OST: It becomes more difficult to analyze the OST files, which are damaged or corrupted because of the failure in synchronization with server.
- Analyzing the OST File Attachment: Analysis of attachment is as important as examining the text/body of the mail. It is a challenging task to analyze the attachments because of the bulk quantity of emails, which makes it tedious for the examiner to study each of them.
Detailed Information of OST File
- Default Location of OST File
By default, the OST folders are synchronized with information available on the Exchange server. The default location of OST folder is:- On Windows 7 and Vista: drive:\Users\user\AppData\Local\Microsoft\Outlook
- On Windows XP: drive:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Outlook
OST File Location in Windows 7/Vista/8/10
Investigation team may find this file from the specified location, which can be used for forensic purposes. Examiners must access the contents of the file for taking an overview of the offline storage and start further investigation.
- Prerequisites to Access OST
User can gain access to Outlook OST file only if the MAPI profile is created. It would not be accessible, if the file were unauthorized through its original profile. OST is an encrypted file, which is created with a unique ID of the server mailbox. This unique ID is only accessible when connection to the Server is established and the related keys are stored into the profile registry settings. When user clicks on the OST file to gain access of it, then encryption key at the server end and system registry matches proving both as identical, then only the OST profile can be accessed.Therefore, forensic experts must have administrative access to the server to be able to examine the parent mailbox as well as its corresponding OST profile on the client end. If the live environment access is gained, then only it will be possible to access the profile and analyze it for collecting evidence.NOTE: Imaging of the original piece of artifact must be done in priority to avoid evidence spoliation. - File Signature of Outlook OST
Since each file type, consists of a file signature for unique identification. Similarly, below-mentioned is the file signature of an OST file:- The File signature in Hexadecimal format is: 21 42 44 4e.
- The ASCII code of Outlook OST folder is: !BDN.
If the file signature of a standard OST file and the one being examined (that is with the end user) is non-identical, then it means that the latter file has been altered through some means.
- Cache Replica of Exchange Mailbox
In addition, when user uses an Exchange Server account, they are recommended to use Cache Exchange Mode to enable its offline access on the client end. This mode creates and uses OST file, which downloads as well as maintains a replica of all items that are updated when connection is re-established with the server.To open OST files, user requires Outlook application to be pre-installed on the client end along with active server connectivity. There may be another way to access such files, i.e. converting the OST files into PST file format.
Observation
It is very essential to know where to start with an approach of email forensics in OST file. Gathering information about the file and observing the file structure is a part of the investigation procedure however, it isn’t completely relevant to conclude it too. Hence, we require a tool that provides functioning in such a manner, which analyzes the file structure, the attachments involved with each mail and other factors too. One such software is MailXaminer, which seamlessly performs OST file analysis without requiring the environment for access it. Moreover, provides quick and fast functioning, as a resultant the investigator gets ample of time to focus on the study of gathered evidence.