Exchange OST File Viewer – An Exceptional Mode to Probe OST File!
Need of Exchange OST File Viewer!
While interrogating with the organizational level of forensics investigations, the Exchange server is the most commonly procured emailing application. Although most of the investigation part is done on the Server level there are various cases and plots where investigator has to deal with the email client-side email files also perform the analysis and search for evidence trails.
This interrogation involves the most commonly used email client with Microsoft Exchange i.e. Microsoft Outlook which creates an OST file for the configured Exchange profile mailbox. This Exchange OST file comprises emails and other relevant data like contacts, calendars, tasks, etc. which can be inspected effectively to drag any traces as evidence.
Exchange OST Inoperability Issues
Unfortunately, this OST file has some inaccessibility issues and it cannot be accessed when taken to another platform for examination. Unlike the PST file which is easy to add to the forensic investigation workstation, the OST file cannot be added or moved to any others system, and hence it is quite troublesome to perform the investigation on it. In order to understand the mechanism, accessibility, and other traits of the OST file, it is important to know when it is created and why it cannot be accessed in other systems.
Microsoft Exchange emails at the front-end can be accessed in either online mode or cached offline mode. In online mode, users can access the Exchange emails directly and no local file is created. In case the user wants to create a local cache for Exchange account emails, this cached mode option has to be enabled, and only then the OST file will be created. This OST file comprises of all the data of the Exchange profile to which it is configured. And the file is completely bound to the MAPI Exchange profile to which it is configured and can be accessed in the system where it has been configured.
In such situation it is suggested to utilize an external email parsing utility Exchange OST Reader which can support corrupted as well as orphan OST file letting investigators to view emails of Exchange OST file.
Exchange OST File Viewer – Steps to Parse Exchange OST Emails
- Launch Exchange OST File viewer and click on Add OST option available in the main menu.
- Click on Add File option, which will open another window where the OST file can be added. Click on the Browse option and navigate to the OST location. Select Advance Scan in order to recover Deleted as well as Corrupted OST emails for viewing. This Advance scanning option allows users to carve out emails that were initially not visible.
- A complete preview of the folders is displayed in Left-Pane which can be further viewed with listed emails in Right-Pane. Emails can also be viewed individually along with the embedded attachment.
Exchange OST file viewer targets the OST file which is completely inaccessible in several situations. It focuses on displaying emails of orphan, inoperative, or corrupted Exchange offline mailbox files without needing Exchange platform or account availability. Deleted item recovery is another aspect on which the tool focuses which is extremely important in email investigations.