OUTLOOK

Outlook, installed with the Microsoft Office suite, is often encountered in corporate investigations. E-mail created from Outlook is simple to re-create. Files with the extension .pst are called "Personal File Folders" and are used by Outlook to store e-mail. Files with the .ost extension are called "Offline Storage Folders" and are used by Outlook to store a user's offline e-mail that is normally synced with an Exchange server. Users can have both types of e-mail folders on their computers using Outlook.

Outlook data files are among the most common e-mail data files investigated. It shouldn't come as a surprise that Outlook can be used for searching Outlook data files. This isn't forensically sound, but it's an effective-enough alternative for those in HR, Legal, and Physical Security who wish to conduct their own searches. Many times these people still want to look through data, but don't want to use forensic tools they are not familiar with. They prefer the familiar interface of Microsoft Outlook.

If this went to court, there are professionals that may destroy this method of searching because it's not exhaustive. The other side would say that you missed data that would exonerate their client because of details that are beyond the scope of this book. However, the truth is that in most organized corporate and government entities the employee under investigation has signed paperwork relinquishing the corporate or government entity of any liability. If not, the organization will get the employee to sign this kind of paperwork when they confront the employee with the actions that violated policy or broke the law. Those unfamiliar with these processes and the effectiveness of behavioral interviewing techniques will be surprised at the number of people that sign paperwork protecting the liability of an organization on exit. For these reasons and others, you will find HR, Legal, and Physical Security people who want to personally search e-mail. Here's one way to use Outlook to do this.

Implementation

After a suspect's Personal File Folders are located, you can open them by choosing File > Open > Outlook Data File.

After you select a file, it is mounted in the folder tree. You can then browse the e-mail, calendar, tasks, and contacts contained within these files without interference from other existing e-mail in Outlook. In the next screenshot, the folder titled "AHT Personal Folders Test" is a Personal File Folder opened from a discovered file on a pretend "Evil Internal Hacker" system.

MS Outlook data and configuration files are shown in Table 24-1. You may find that some of the folders have hidden attributes. You can change the Windows Explorer view to show hidden files by choosing Tools > Folder Options > View > Show Hidden Files And Folders.

Table 24-1: Microsoft Outlook Data Configuration Files and Locations

| Data and Configuration Files | Location |
| --- | --- |
| Outlook data files (.pst) | drive:\Documents and Settings\<user>\Local Settings\Application Data\Microsoft\Outlook |
| Offline Folders file (.ost) | drive:\Documents and Settings\<user>\Local Settings\Application Data\Microsoft\Outlook |
| Personal Address Book (.pab) | drive:\Documents and Settings\<user>\Local Settings\Application Data\Microsoft\Outlook |
| Offline Address Books (.oab) | drive:\Documents and Settings\<user>\Local Settings\Application Data\Microsoft\Outlook |
| Outlook contacts nicknames (.nk2) | drive:\Documents and Settings\<user>\Application Data\Microsoft\Outlook |
| Rules (.rwz) | drive:\Documents and Settings\<user>\Application Data\Microsoft\Outlook. Note: If you use the rules import or export feature, the default location for .rwz files is drive:\Documents and Settings\<user>\My Documents. |
| Signatures (.rtf, .txt, .htm) | drive:\Documents and Settings\<user>\Application Data\Microsoft\Signatures |
| Dictionary (.dic) | drive:\Documents and Settings\<user>\Application Data\Microsoft\Proof |
| Message (.msg, .htm, .rtf) | drive:\Documents and Settings\<user>\My Documents |
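The following is an added example, not code from the book: it inventories the Outlook-specific file types from Table 24-1 under a copy of a user profile, flags any found outside the default folder the table lists, and records a SHA-256 hash of each so working copies can be compared later. It assumes `profile_root` points at a copy of `drive:\Documents and Settings\<user>`; the function names are hypothetical, and the signature, dictionary, .htm and .rtf rows are left out because those extensions are not unique to Outlook.

```python
import hashlib
import tempfile
from pathlib import Path, PureWindowsPath

# Extension -> (type, default folder below the user profile), as in Table 24-1.
LOCAL = r"Local Settings\Application Data\Microsoft\Outlook"
ROAMING = r"Application Data\Microsoft\Outlook"
ARTIFACTS = {
    ".pst": ("Outlook data file", LOCAL),
    ".ost": ("Offline Folders file", LOCAL),
    ".pab": ("Personal Address Book", LOCAL),
    ".oab": ("Offline Address Book", LOCAL),
    ".nk2": ("Outlook contacts nicknames", ROAMING),
    ".rwz": ("Rules", ROAMING),
    ".msg": ("Message", "My Documents"),
}

def sha256_of(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as fh:  # read-only access, streamed in chunks
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def inventory(profile_root):
    """Return one record per Outlook artifact found below profile_root."""
    root, records = Path(profile_root), []
    for path in sorted(root.rglob("*")):
        kind = ARTIFACTS.get(path.suffix.lower())
        if kind is None or not path.is_file():
            continue
        rel = path.relative_to(root)
        # PureWindowsPath compares case-insensitively, like the Windows file system.
        default = PureWindowsPath(*rel.parent.parts) == PureWindowsPath(kind[1])
        records.append({"file": str(rel), "type": kind[0],
                        "default_location": default, "sha256": sha256_of(path)})
    return records

def build_sample(root):
    """Constructed sample tree (not real evidence): two files in place, one moved."""
    for rel in (LOCAL + r"\archive.pst", r"Desktop\old\hidden.PST", ROAMING + r"\user.NK2"):
        p = Path(root, *PureWindowsPath(rel).parts)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"constructed sample: " + rel.encode())
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rec in inventory(build_sample(tmp)):
            print(rec)
```

A record with `default_location` set to False marks a data file that was moved or copied out of the folders in Table 24-1, which is worth noting before it is opened in Outlook.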



Anti-Hacker Tool Kit, Third Edition
ISBN: 0072262877
EAN: 2147483647
Year: 2006
Pages: 175