Searching for Outlook Compressible Encryption (PST Data) in the Unallocated Clu

sunyke

Creating Search Terms with Outlook Compressible Encryption (OCE) Code Page Viewing Search Hits with (OCE) Code Page Bookmarking (OCE) Search Hits with (OCE) Code Page

Return to Main Forensics Help Page

When PST data rolls off the PST file and becomes located in unallocated clusters, various methods can be used to recover it, some successfully and some not.  Usually these are shotgun approaches that fail.  If you use a precise "rifle shot" approach, you can recover email data with good success.  In essence the above three steps are the three key elements in getting the job done.  If any images below are too small right click on the image and save the picture to your system to view in whatever size format that works for you. What makes all this possible is the judicious use of EnCase's Outlook Compressible Compression Code Page.  With it, you can fashion a precise search for PST data. The first step is to create a keyword and to create it using the Outlook compressible encryption code page.  The below two diagrams show the creation of the keyword and code page.  Turn on Unicode as it will then find both Unicode and non-Unicode occurrences and turn off the Active Code page to limit your search hits to the OCE code page. Once you have created your keyword with the OCE code page, select the unallocated clusters for your search.  You could search other places as well, but for now, let's stick with UC for demonstration purposes. Click on the search button to setup your search criteria, as shown below: Run your search and then visit the search hits view to see what you found.  When you look at the search hits that are found in OCE (PST data), they appear as gibberish when viewing through any of the establishing text styles as shown below. To view them, you need to create and apply an OCE text style.  Go the the text styles view, right click and choose new.  Set it up as shown below: Make sure you visit the code page tab and turn off the Unicode, choose "other", and choose #48 "Outlook Compressible Encryption".  Once you have created the code page, click ok and then select that newly created code page.  When you do, the data will be viewed through this code page and the gibberish will snap into clear text as shown below. Select any text you wish to bookmark, right click and choose to bookmark the data as seen below. Once you are in the bookmark dialogue box, the OCE code page that you just created is now available as a view type.  Select that view type and your bookmarked data will have the OCE code page applied and you have now successfully search for, located, and bookmarked OCE (PST data) in the unallocated clusters.  It's all made possible via the OCE code page.