Recover Deleted Email

Contributed by Randall Shane,
Certified Fraud Examiner and PhD candidate, Palm Coast, Florida (rshane@ureach.com)
Member of Northeast Chapter

http://www.htcia.org/pdf_files/vol3iss2.PDF

 1 Identify the *.pst file. (Don't forget to work only on a copy of the original storage media; keep the original version of the data safe and untouched.)

 2 Open the *.pst file with a hexadecimal editor. There are many hex editors out there. I use a program called Binary Editor ("bed") in a Linux environment, but AXE is an Excellent freeware tool for Windows. Check the CNET.com downloads section if you need one of these. (Note that this article is not intended to promote any specific software or any other product, I am merely advising you on what I have found useful.)

 3 Next, use the space bar to blank out the 7th through 13th positions. How do you do this? Remember here that you are working in hexadecimal code. This means your numerical system is "base 16." Hence, the available characters for each "digit" in a hexadecimal format can run from "0" through "9" and then "a" through "f". (After all, that is how you get 16 different characters.) It also means you are not simply blanking out 7 different positions (counting from 7 through 13 in decimal format), but since you're in hexadecimal code you are actually blanking out 13 positions. So the positions you will be blanking out when you use the space bar for "positions 7 through 13" will be: 00007, 00008, 00009, 0000a, 0000b, 0000c, 0000d, 0000e, 0000f, 00010, 00011, 00012 and 00013. One more thing to remember when you do this. Characters displayed hexadecimally are always visually represented on the computer screen by a two-digit code, so each time you hit the space bar, the code "20" will appear. This is normal and is exactly what you should see when you perform this step.

4 Save the now modified *.pst file. Congratulations, you have just corrupted your e-mail!

 5 Common in virtually every version of Microsoft Office is a group of tools which are often transparent to the unknowing typical user of the application. One such tool is an inbox repair program called "SCANPST.exe". In my system, it was located in the directory: C:\ProgramFiles\CommonFiles\System\Mapi\1033\NT\SCANPST.EXE. You can always take the easy way out in locating the program by conducting a simple search of your version of MS Office.

 6 Using the repair tool called SCANPST.exe will do the following:

    a) Scan the now-corrupted *.pst file

    b) Prompt you to make a *.bak backup file

    c) Repair the file

    d) Create a log file

    e) Remake the *.pst file

 7 Now open the new *.pst file in Outlook and the recently-deleted messages will be visible in the deleted items folder.

  Valid CSS! Valid XHTML 1.0!
Last edited 07 March, 2010
Links verified 21 July, 2004