OST vs PST Forensics: Tools, Methods, and Best Practices

Email remains one of the most important sources of digital evidence in civil litigation, criminal investigations, insider threat probes, and regulatory compliance audits. Microsoft Outlook stores mailbox data primarily in two file formats: OST (Offline Storage Table) and PST (Personal Storage Table). Although both contain emails, calendars, contacts, and other mailbox items, their structure, lifecycle, and forensic significance differ. This article explains how OST and PST files differ, what investigators should look for, which tools and methods are most effective, and practical best practices for handling these artifacts.
What are OST and PST files?
- PST (Personal Storage Table): A user-created or exported Outlook data file that stores mailbox items locally. PSTs are commonly used for backups, archiving, or exporting mailbox content, and POP accounts deliver directly into one. They are standalone files that can be opened in Outlook or by forensic tools and reflect the mailbox state as of the time they were created or last modified.
- OST (Offline Storage Table): A synchronized local copy of an Exchange or Microsoft 365 mailbox (and, since Outlook 2013, of IMAP accounts) that enables Outlook to work offline. The OST is a cache of a server mailbox: the server copy remains authoritative, and the OST may lag behind it or hold items the server has since lost. OSTs are tied to the original user profile and mailbox account; they are not designed to be portable or to be imported directly into another mailbox without conversion.
Key fact: OST files represent a synchronized local cache tied to an account; PST files are portable exports/archives.
Why OST and PST matter in investigations
- Time and context: Both file types contain timestamps, message headers, folder structures, and metadata (read/unread status, flags, categories) that can corroborate user actions and timeline events.
- Deleted and residual data: Deleted items or remnants may persist inside PST/OST files or in embedded structures, offering recovery opportunities.
- Source attribution: PSTs may help identify intentional exfiltration or archival behavior; OSTs can reveal a user’s synchronized activity and local actions that occurred while disconnected from the server.
- Encryption and protection: A PST can carry an Outlook password, but that password is stored inside the file as a 32-bit CRC and is removed trivially by common tools, and the PST "encryption" settings (compressible or high) are byte-level obfuscation of stored strings rather than cryptographic protection. An OST has no user password of its own; access is governed by the Windows profile. Real protection usually comes from disk or file encryption (BitLocker, EFS) wrapped around the file, so establishing which of these protections applies, and whether the file is still locked by a running Outlook, is critical for access planning and chain-of-custody.
Common forensic artifacts inside OST/PST
- Email headers (From, To, CC, BCC, Date, Subject) — useful for sender/recipient attribution.
- Message body and attachments — primary source of content evidence.
- Timestamps — message sent/received, creation/modification, and local access times.
- MAPI properties — internal metadata such as PR_ENTRYID and PR_MESSAGE_FLAGS.
- Deleted item records and unallocated space inside the file (pages the allocation map has marked free but not yet overwritten) — potential for recovering deleted records. Note that a PST/OST is a database, so recovery works at the level of its pages and blocks, not disk sectors.
- Folder hierarchy and message flags — provide context (e.g., drafts, flagged items).
- Auto-complete/Nicknames cache — may reveal addresses previously used but not present in the mailbox.
- OST-specific synchronization state and the local Sync Issues folders (Conflicts, Local Failures, Server Failures) — can show when synchronization ran and where it failed against the server.
Differences that matter for examination
- Portability: PSTs are portable; OSTs are not. OSTs are tied to the original mailbox and profile; converting or opening an OST often requires specialized tools.
- Conversion needs: To analyze an OST as a standalone artifact, investigators frequently convert OST to PST or use tools capable of reading OST directly.
- Synchronization artifacts: OSTs carry synchronization state and Sync Issues folders that can show when the mailbox last synchronized and which items conflicted or failed; a PST has no server relationship and therefore lacks these.
- Orphaned OSTs: OSTs left from disabled or deleted accounts can still contain data useful for investigations, but proving currency or correlation to server copies requires careful documentation.
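Before choosing a parser it pays to read the fixed header that both formats share, because the file extension is not evidence of anything. The following Python is an added example, not code from the original article or from any of the tools it names; field offsets follow the MS-PST specification, and the sample header is constructed in build_sample_header() rather than taken from a real mailbox. It reports wMagicClient (PST, OST or PAB), wVer (ANSI or Unicode layout), bCryptMethod (whether stored strings are permuted, in which case naive string carving finds nothing until they are decoded), root.cbAMapFree (how many bytes the allocation map marks as free, where deleted records tend to survive) and root.ibFileEof, which should equal the actual file size; a mismatch points at truncation or appended data. It also recomputes dwCRCPartial as a cheap integrity check against crude header edits.

```python
"""Identify a PST/OST file from its fixed header (MS-PST HEADER structure)."""
import struct
import zlib
from dataclasses import dataclass

MAGIC = b"!BDN"
CLIENT_TYPES = {b"SM": "PST", b"SO": "OST", b"AB": "PAB"}   # wMagicClient, raw byte order
CRYPT_METHODS = {0x00: "NDB_CRYPT_NONE", 0x01: "NDB_CRYPT_PERMUTE",
                 0x02: "NDB_CRYPT_CYCLIC", 0x10: "NDB_CRYPT_EDPCRYPTED"}


def _crc_table():
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
        table.append(c)
    return table


CRC_TABLE = _crc_table()


def weak_crc32(data: bytes, seed: int = 0) -> int:
    """CRC-32 as MS-PST section 5.3 computes it: the usual reflected table, but a
    zero seed and no final XOR, so the value differs from zlib.crc32()."""
    crc = seed
    for b in data:
        crc = CRC_TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)
    return crc & 0xFFFFFFFF


def matches_zlib(data: bytes) -> bool:
    """Table sanity check: with the standard seed and final XOR it must equal zlib's."""
    return (weak_crc32(data, 0xFFFFFFFF) ^ 0xFFFFFFFF) == zlib.crc32(data)


@dataclass
class PstHeader:
    file_type: str        # PST, OST or PAB, from wMagicClient
    layout: str           # "ANSI" (32-bit, wVer 14/15) or "Unicode" (64-bit, wVer >= 21)
    version: int          # wVer; 36/37 appear in newer OST files using 4 KiB pages
    crypt_method: str     # bCryptMethod
    file_eof: int         # root.ibFileEof: the size the database believes the file has
    amap_free: int        # root.cbAMapFree: bytes the allocation map marks as free
    partial_crc_ok: bool  # dwCRCPartial matches the 471 bytes starting at offset 8


def parse_header(buf: bytes) -> PstHeader:
    if len(buf) < 512 or buf[:4] != MAGIC:
        raise ValueError("not a PST/OST/PAB file: bad dwMagic")
    client = buf[8:10]
    if client not in CLIENT_TYPES:
        raise ValueError(f"unknown wMagicClient {client!r}")
    (ver,) = struct.unpack_from("<H", buf, 10)
    if ver in (14, 15):
        layout, fmt, root, crypt_off = "ANSI", "<I", 164, 461
    elif ver >= 21:
        if len(buf) < 564:
            raise ValueError("short read: the Unicode header is 564 bytes")
        layout, fmt, root, crypt_off = "Unicode", "<Q", 180, 513
    else:
        raise ValueError(f"unsupported wVer {ver}")
    width = struct.calcsize(fmt)
    (file_eof,) = struct.unpack_from(fmt, buf, root + 4)               # root.ibFileEof
    (amap_free,) = struct.unpack_from(fmt, buf, root + 4 + 2 * width)  # root.cbAMapFree
    (stored_crc,) = struct.unpack_from("<I", buf, 4)                    # dwCRCPartial
    return PstHeader(
        file_type=CLIENT_TYPES[client], layout=layout, version=ver,
        crypt_method=CRYPT_METHODS.get(buf[crypt_off], f"unknown(0x{buf[crypt_off]:02x})"),
        file_eof=file_eof, amap_free=amap_free,
        partial_crc_ok=(weak_crc32(buf[8:8 + 471]) == stored_crc),
    )


def build_sample_header(client=b"SO", crypt=0x01, file_eof=8 * 1024 * 1024,
                        amap_free=1_048_576) -> bytes:
    """Constructed fixture: a Unicode-layout header with valid magic and CRC.
    Synthetic data for the example, not bytes from a real mailbox."""
    h = bytearray(564)
    h[0:4] = MAGIC
    h[8:10] = client
    struct.pack_into("<H", h, 10, 23)            # wVer = 23 (Unicode)
    struct.pack_into("<H", h, 12, 19)            # wVerClient
    h[14] = h[15] = 1                            # bPlatformCreate / bPlatformAccess
    struct.pack_into("<Q", h, 184, file_eof)     # root.ibFileEof
    struct.pack_into("<Q", h, 200, amap_free)    # root.cbAMapFree
    h[512] = 0x80                                # bSentinel
    h[513] = crypt                               # bCryptMethod
    struct.pack_into("<I", h, 4, weak_crc32(bytes(h[8:479])))
    return bytes(h)


if __name__ == "__main__":
    print(parse_header(build_sample_header()))
```

Run it against a real file with `parse_header(open(path, "rb").read(564))` on the read-only copy; if `crypt_method` is anything but NDB_CRYPT_NONE, remember that strings inside the file are encoded and a hex-editor or strings-based search will miss them.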
Tools for OST & PST forensics
Below is a concise comparison of categories and representative tools. Choose tools that produce reliable, auditable output and that your lab can validate.
Tool category | Representative tools | Strengths |
---|---|---|
Commercial forensic suites | Forensic Toolkit (FTK, formerly AccessData, now Exterro), Magnet AXIOM, Cellebrite Pathfinder | Integrated workflows, automation, validated parsing, good reporting |
Email-focused converters/extractors | Kernel for OST to PST, Stellar Converter for OST, SysTools OST Recovery | Fast OST→PST conversion, extraction of attachments/headers |
Open-source libraries/tools | libpst (readpst, lspst), libpff (pffinfo, pffexport), MFCMAPI | Transparent, scriptable, no license cost; may have format coverage limits |
Low-level analysis | EnCase, X-Ways Forensics | Raw disk-level recovery and carving of PST/OST artifacts |
Forensic viewers/parsers | MailXaminer, Aid4Mail, MailRaider Pro | Focused email analysis, search, and export functions |
Methods: step-by-step workflow
- Preserve original evidence
- Create bit-for-bit images of storage media before interacting with OST/PST files.
- Preserve original OST/PST files in a read-only manner. Record cryptographic hashes (SHA-256; add MD5 only where an existing record requires it, since MD5 is collision-prone and should not be the sole integrity value).
- Establish context
- Identify the source (user machine, backup, server export) and chain-of-custody.
- Note Outlook versions, Exchange/Microsoft 365 details, and whether the account used IMAP, POP, or Exchange. Since Outlook 2013, IMAP accounts also cache into an OST, while POP accounts deliver into a PST; this determines which file type to expect for a given account.
- Preliminary triage
- Use lightweight readers to confirm contents and assess relevance.
- Extract basic metadata (file size, modified time, header info).
- Use validated tools for parsing
- Prefer forensic tools that preserve metadata and generate audit logs.
- Convert OST to PST only when necessary and document the conversion process.
- Extract artifacts
- Export messages, attachments, and metadata to target formats (EML, MSG, MBOX), keeping the original MAPI properties alongside the export where the tool supports it.
- Recover deleted items by analyzing unallocated pages and the internal node and block tables of the PST/OST file, not just the Deleted Items folder.
- Timeline & correlation
- Normalize timestamps to UTC and correlate with other evidence (logs, server data).
- Use the Received: chain and Message-ID in message headers to trace the SMTP relay path and originating IP addresses where available, and compare the sender-controlled Date: header against the first relay's timestamp.
- Reporting and preservation
- Generate reproducible reports and export evidence in standard formats.
- Store extracted items and logs with hashes to maintain integrity.
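The preserve, extract and report steps above all reduce to the same discipline: hash everything you take custody of, record who did it and with what, and be able to prove later that nothing changed. The following Python is an added example of such a manifest (not the article's own tooling and not a specific product's format); the case identifier, examiner address and sample "exports" are constructed for the demonstration.

```python
"""Chain-of-custody manifest for extracted items: hash, describe, verify."""
import hashlib
import json
import platform
import sys
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file so multi-gigabyte PST/OST files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def describe_item(path: Path) -> dict:
    st = path.stat()
    return {
        "path": str(path.resolve()),
        "size": st.st_size,
        "mtime_utc": datetime.fromtimestamp(st.st_mtime, tz=timezone.utc).isoformat(),
        "sha256": sha256_file(path),
    }


def build_manifest(paths, case_id: str, examiner: str) -> dict:
    """Record what was hashed, when, by whom and with which tool build."""
    return {
        "case_id": case_id,
        "examiner": examiner,
        "created_utc": datetime.now(timezone.utc).isoformat(),
        "tool": {"python": platform.python_version(),
                 "platform": platform.platform(),
                 "argv": sys.argv},
        "items": [describe_item(Path(p)) for p in paths],
    }


def write_manifest(manifest: dict, out: Path) -> str:
    """Write the manifest and return its own SHA-256 so the record can be sealed."""
    out.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return sha256_file(out)


def verify_manifest(manifest: dict) -> list:
    """Re-hash every item; an empty list means everything still matches."""
    problems = []
    for item in manifest["items"]:
        p = Path(item["path"])
        if not p.exists():
            problems.append(f"{p}: missing")
            continue
        if p.stat().st_size != item["size"]:
            problems.append(f"{p}: size {p.stat().st_size} != {item['size']}")
        if sha256_file(p) != item["sha256"]:
            problems.append(f"{p}: sha256 mismatch")
    return problems


def demo_roundtrip() -> tuple:
    """Constructed fixture: two fake exports in a temp dir, one altered afterwards."""
    with tempfile.TemporaryDirectory() as d:
        exports = [Path(d) / "archive.pst", Path(d) / "attachment.pdf"]
        exports[0].write_bytes(b"!BDN" + b"\x00" * 60)             # not a real PST
        exports[1].write_bytes(b"%PDF-1.4 constructed sample")
        manifest = build_manifest(exports, "CASE-0001", "examiner@lab.example")
        write_manifest(manifest, Path(d) / "manifest.json")
        before = verify_manifest(manifest)
        exports[1].write_bytes(b"%PDF-1.4 constructed SAMPLE")      # same size, new content
        after = verify_manifest(manifest)
        return before, after


if __name__ == "__main__":
    print(demo_roundtrip())
```

The second verification deliberately alters a file without changing its size, which is why the size check alone is never sufficient and the hash is what carries the evidentiary weight. Store the manifest's own hash somewhere the examiner cannot silently rewrite (case notes, a signed ticket, a write-once share).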
Common challenges and how to address them
- Password-protected files: Use legal authority or client-provided passwords first. For a PST, the Outlook password is stored in the file as a 32-bit CRC and can be recovered or cleared by common tools without brute force; document the method. For other protections (disk or file encryption around the mailstore), perform dictionary or brute-force attacks with specialized tools, documenting attempts and limitations.
- Large mailstores: Break analysis into focused tasks (date ranges, senders) and use indexing/search-capable tools to reduce workload.
- Corrupt or orphaned OSTs: Use specialized recovery and repair tools; consider server-side corroboration (Exchange/365 message trace) to confirm findings.
- Timezone and timestamp inconsistencies: Normalize all times to UTC and capture local timezone context from system artifacts.
- Conversion artifacts: Converting OST to PST or exporting to EML/MSG can rewrite creation and modification timestamps and drop properties the target format cannot represent, producing apparent findings that are really tool side effects. Where possible, analyze the original file, and log every conversion step with hashes of the input and the output.
Best practices for investigators
- Always image and work from copies; never modify original evidence.
- Use multiple tools to corroborate critical findings (at least two independent parsers when results affect case outcome).
- Maintain a clear audit trail: tool versions, command lines, timestamps, hashes.
- Preserve surrounding system artifacts (registry, Outlook profiles, OST lock files) to help demonstrate user context and timeline.
- Validate tools: run known test files to confirm a tool’s parsing accuracy before relying on it in a case.
- Keep timezone, DST, and locale information documented for accurate timeline reconstruction.
- If demonstrating email authenticity, correlate PST/OST contents with server logs, MTA headers, backups, and third-party archives.
Practical examples
- Insider data theft: A large PST found on a USB drive shows numerous confidential attachments and a pattern of export around a job transition date. Hashes and metadata support timeline reconstruction; email headers and local file timestamps help prove exfiltration.
- Deleted message recovery: An OST from a user’s laptop contains fragmented records of deleted messages that don’t exist on the server backup. Carving and MAPI property analysis recovered message bodies and attachments relevant to the investigation.
- Cross-correlation with server data: A converted OST revealed sent items timestamped earlier than server logs. Comparing message IDs and SMTP headers allowed investigators to identify deliberate client-side manipulation.
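Both the timeline step in the workflow and the manipulation case above come down to the same two operations: converting every timestamp to UTC and checking the sender-controlled Date: header against what the first relay recorded. The following Python is an added example, not code from the original article. It converts MAPI FILETIME values (PR_CLIENT_SUBMIT_TIME, PR_MESSAGE_DELIVERY_TIME) to UTC, walks the Received: chain oldest-first, and flags a Date: header that is later than the first hop's receipt time. The tolerance constant, hostnames and message are constructed for the example (the IPs are from documentation ranges).

```python
"""Normalize e-mail timestamps to UTC and cross-check the client's Date: header
against the relay chain recorded in Received: headers."""
import re
from datetime import datetime, timedelta, timezone
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parsedate_to_datetime

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
SKEW_TOLERANCE_S = 300   # assumed: client clock drift tolerated before flagging


def filetime_to_utc(ft: int) -> datetime:
    """MAPI time properties are Windows FILETIMEs: 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def to_utc(stamp: str) -> datetime:
    """Parse an RFC 5322 date and return it in UTC. A '-0000' zone carries no
    offset information, so Python returns it naive; pin it to UTC explicitly."""
    dt = parsedate_to_datetime(stamp.strip())
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def parse_message(raw: bytes) -> EmailMessage:
    return BytesParser(policy=policy.default).parsebytes(raw)


def received_hops(msg: EmailMessage) -> list:
    """Relay path in chronological order. Each relay prepends its own Received:
    header, so the last one in the message is the first hop."""
    hops = []
    for hdr in msg.get_all("Received", []):
        text = " ".join(str(hdr).split())          # unfold and collapse whitespace
        clause, _, stamp = text.rpartition(";")    # the timestamp follows the last ';'
        m_from = re.search(r"\bfrom\s+(\S+)", clause)
        m_ip = IP_RE.search(clause)
        hops.append({"from": m_from.group(1) if m_from else None,
                     "ip": m_ip.group(1) if m_ip else None,
                     "time_utc": to_utc(stamp)})
    return hops[::-1]


def date_header_skew(msg: EmailMessage) -> dict:
    """Compare the sender-controlled Date: with the first hop's stamp. Positive skew
    (received shortly after it was 'sent') is normal; a Date: later than the first
    relay saw the message cannot be explained by drift within tolerance."""
    hops = received_hops(msg)
    claimed = to_utc(str(msg["Date"]))
    first_hop = hops[0]["time_utc"]
    skew = (first_hop - claimed).total_seconds()
    return {"message_id": str(msg["Message-ID"]),
            "claimed_utc": claimed.isoformat(),
            "first_hop_utc": first_hop.isoformat(),
            "skew_seconds": skew,
            "suspicious": skew < -SKEW_TOLERANCE_S}


def sample_message(date_header: str) -> bytes:
    """Constructed fixture (documentation IP ranges, invented hosts), not a real capture."""
    lines = [
        "Received: from mx2.example.net ([203.0.113.20])",
        "\tby mail.example.com with ESMTP id abc123;",
        "\tTue, 5 Mar 2024 14:03:12 +0000",
        "Received: from client-pc.corp.example ([198.51.100.7])",
        "\tby mx2.example.net with ESMTPS id xyz789;",
        "\tTue, 5 Mar 2024 14:02:58 +0000",
        "Message-ID: <20240305140258.1234@corp.example>",
        f"Date: {date_header}",
        "From: alice@corp.example",
        "To: bob@example.com",
        "Subject: Q1 forecast",
        "",
        "See attached.",
    ]
    return "\r\n".join(lines).encode()


if __name__ == "__main__":
    for d in ("Tue, 5 Mar 2024 09:01:40 -0500", "Tue, 5 Mar 2024 16:30:00 +0000"):
        print(date_header_skew(parse_message(sample_message(d))))
```

A negative skew only says the client-supplied time disagrees with the relay; the relay's clock could be wrong too, so confirm against the server's message trace before drawing the conclusion the cross-correlation example describes. Received: headers below the first trusted relay are also sender-controlled and can be forged, so anchor the timeline on the hop your own infrastructure recorded.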
Legal and ethical considerations
- Respect privacy and legal restrictions. Acquire appropriate warrants or authorizations.
- Be prepared to explain methods, tool validation, and limitations in court.
- Maintain defensible chain-of-custody and documented decisions for conversions, password cracking, and data destruction.
Conclusion
OST and PST files are rich sources of evidentiary information but require careful handling, validated tools, and methodical workflows. Understanding the differences—OST as synchronized cache tied to a mailbox, PST as a portable archive—helps investigators choose the right approach. Combine forensic best practices (preserve originals, verify with multiple tools, document thoroughly) with specific techniques for recovery and analysis to produce reliable, defensible results.