Outlook Blog

Investigating Outlook Windows Application

04/10/2021 Monday

Microsoft Outlook is an email application that provides personal information management, task managing, contact managing, email client, calendaring, note-taking, and web browsing. Microsoft Outlook was developed by Microsoft Corporation. Outlook is available for desktop (Windows and macOS) and mobile devices (Android, iOS, and Windows).

Digital Forensics Value of Outlook Artifacts

Mailboxes make an essential part of our lives since it is considered one of the most important methods of communication in the 21st century. In accordance, the forensics of mailboxes is a crucial part of digital forensics. Forensic searches are carried out to investigate and find any leads of a felony or wrong acts which helps in solving a case or problem.

Location of Outlook Artifacts

Microsoft Outlook stores email artifacts at the following locations:

c:\Users\%username%\Appdata\Local\Microsoft\Outlook\*.pst
c:\Users\%username%\Appdata\Local\Microsoft\Outlook\*.ost

Structure of Outlook Artifacts

Outlook consists of two data storage folders, the Personal Storage File (PST) and the Offline Outlook Data File (OST). The Personal Storage Table also known as Outlook Data File has the capability of storing all email data as a record in a compact format and is in the user’s local disk, while the OST files save data for offline use. Both files can be converted for the other when needed. Generally, email artifacts always exist in Outlook PST file such as email messages data and attachments.

Analyzing Outlook Artifacts with ArtiFast Windows

This section discusses how to use ArtiFast to extract Outlook artifacts from Windows machines and what kind of digital forensics insight we can gain from the platform.

After you have created your case and added evidence for the investigation, at the Artifacts Parser Selection Phase, you can select Outlook Artifacts:

Once ArtiFast parser plugins complete processing artifacts for analysis, it can be reviewed via “Artifact View” or “Timeline View”, with indexing, filtering, and searching capabilities. Below is a detailed description of the Outlook artifacts in ArtiFast Windows.

PST/OST Artifact

This artifact contains information of the Offline Outlook Data File (*.ost) and Personal Storage File (*.pst) for older versions of Microsoft Outlook. The details you can view include:

Message Date - The date and time of the message.
Message Importance - It indicates the message's importance.
Message Size - Message size.
Folder - The folder the email is in.
Has Attachments - Indicates whether it has an attachment.
Message Body - Message body.
Message From Address - Message from address.
Message Receiver Name - Message receiver name.
Message Sender Name - Message sender name.
Message Subject - Message subject.
Message To Address - Message to address.

Outlook PST/OST Artifact

This artifact contains information of the Offline Outlook Data File (*.ost) and Personal Storage File (*.pst). The details you can view include:

Message Date - The date and time of the message.
Sender Name - Message sender name.
Sender Email - Message from name and address.
Recipients - Message to name and address.
Subject - Message subject.
CC - Message CC.
BCC - Message BCC.
Body - Message body.
Importance - It indicates the message's importance.
Priority - Message priority.
Size - Message size.
Folder - The folder the email is in.
Has Attachments - Indicates whether it has an attachment.
Attachments - Attachments.
Header - Message header.
Receiver Name - Message receiver name.
Create Date - The date and time the message was created.

Outlook MSG Artifact

This artifact contains the .msg file information that is intended for single message objects, such as an email, an appointment, a contact, and a task. The details you can view include: