Exchange OST File Viewer – An Exceptional Mode to Probe OST File!
While interrogating with organizational level of forensics investigations, Exchange server is the most commonly procured emailing applications. Although most of the investigation part is done on the Server level but there are various cases and plots where investigator has to deal with the email client side email files also to perform the analysis and search for evidence trails.
This interrogation involves the most commonly used email client with MS Exchange i.e. MS Outlook which creates an OST file for the configured Exchange profile mailbox. This Exchange OST file comprises of the emails and other relevant data like contacts, calendars, tasks, etc. which can be inspected effectively to drag any traces as evidences.
Exchange OST Inoperability Issues
Unfortunately this OST file has some inaccessibility issues and it cannot be accessed when taken to another platform for examination. Unlike PST file which is easy to add to the forensic investigation workstation, OST file cannot be added or moved to any others system and hence it is quite troublesome to perform the investigation on it. In order to understand the mechanism, accessibility, and other traits of OST file, it is important to know when it is created and why it cannot be accessed in other systems.
MS Exchange emails at front-end can be accessed in either online mode or cached offline mode. In online mode user can access the Exchange emails directly and no local file is created. In case user wants to create a local cache for Exchange account emails, this cached mode option has to be enabled and only then the OST file will be created. This OST file comprises of all the data of Exchange profile to which it is configured. And the file is completely bound to the MAPI Exchange profile to which it is configured and can be accessed in the system where it has been configured.
In such situation it is suggested to utilize an external email parsing utility Exchange OST File Viewer which can support corrupted as well as orphan OST file letting investigators to view emails of Exchange OST file.
Steps to Parse Exchange OST Emails
- Launch the OST File viewer and click on Add OST option available in main menu.
- Click on Add File option, which will open another window where OST file can be added. Click on Browse option and navigate to the OST location. Select Advance Scan in order to recover Deleted as well as Corrupted OST emails for viewing. This Advance scanning option allows users to carve out emails which were initially not visible.
- A complete preview of the folders is displayed in Left-Pane which can be further viewed with listed emails in Right-Pane. Emails can also be viewed individually along with the embedded attachment.
Exchange OST file viewer targets the OST file which is completely inaccessible in several situations. It focuses on displaying emails of orphan, inoperative, or corrupted Exchange offline mailbox file without needing Exchange platform or account availability. Deleted item recovery is another aspect to which tool focuses which is extremely important in email investigations.