Outlook OST and PST files are among the richest forensic artifacts on a Windows system — they contain complete email archives including messages with full headers, file attachments, calendar entries, contacts, and tasks. A single PST file can contain years of communication history, making it the primary evidence source in business email compromise, insider threat, and intellectual property theft investigations.
What Are Outlook OST/PST Files?
Microsoft Outlook stores email data in two file formats: OST (Offline Storage Table) files are local caches of Exchange/Office 365 mailboxes that synchronize with the server, while PST (Personal Storage Table) files are standalone portable archives that exist independently of any server. Both use the Microsoft Personal Folders File format documented in the MS-PST specification, a proprietary MAPI-based compound file structure with B-tree indexing.
OST files are automatically created when Outlook connects to an Exchange or Office 365 mailbox in Cached Exchange Mode. They mirror the server mailbox contents and are recreated if deleted. PST files are user-created archives that can be attached to any Outlook profile and transported between systems. In forensic investigations, PST files are frequently found on USB drives, personal cloud storage, and departing-employee laptops — often containing exported copies of corporate email that should not have left the organization.
Both formats store complete MAPI message objects including full RFC 5322 headers (From, To, CC, BCC, Message-ID, Received chains), HTML/RTF/plaintext message bodies, file attachments with original filenames, calendar appointments with attendee lists, contact records, task items, and journal entries. Deleted items remain in the “Deleted Items” folder or in the recoverable items dumpster until purged.
OST files are recreated if deleted (they are just caches). PST files are unique — if a PST is the only copy of an archive, deleting it destroys the data permanently. The distinction between OST (replaceable cache) and PST (unique archive) is critical for both investigation scope and evidence preservation.
Location & Format
| File Type | Default Path | Notes |
|---|---|---|
| OST (Outlook 2013+) | C:\Users\{user}\AppData\Local\Microsoft\Outlook\*.ost | Cached Exchange Mode offline store; recreatable from server |
| OST (Outlook 2010) | C:\Users\{user}\AppData\Local\Microsoft\Outlook\*.ost | Same path; older Unicode format |
| PST (default) | C:\Users\{user}\Documents\Outlook Files\*.pst | User-created archives; may also be on network shares or USB |
| PST (legacy) | C:\Users\{user}\AppData\Local\Microsoft\Outlook\*.pst | Older Outlook versions stored PST alongside OST |
| AutoArchive PST | C:\Users\{user}\Documents\Outlook Files\archive.pst | Automatic archive file created by Outlook AutoArchive feature |
Format Details
| Property | ANSI PST (Legacy) | Unicode PST/OST (Modern) |
|---|---|---|
| Max file size | 2 GB | 50 GB (default), configurable to 4 TB via registry |
| Character encoding | ANSI (single-byte) | Unicode (UTF-16LE) |
| Encryption | Compressible/High (XOR-based, trivially reversible) | Same; password protection is advisory only |
| Index structure | B-tree with 32-bit node IDs | B-tree with 64-bit node IDs |
| Outlook version | Outlook 97–2002 | Outlook 2003+ |
PST “password protection” does not encrypt the file contents. It stores a CRC32 hash of the password in the file header. The actual data uses XOR-based “compressible encryption” that is trivially reversible by any forensic tool. Password-protected PST files are fully accessible to forensic parsers without needing the password.
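A small header triage routine, added here as an example and not taken from the page or any of the tools it lists: it reads the MS-PST header to tell ANSI from Unicode files and to report the bCryptMethod byte (Compressible/High/none), which is the field that actually governs how message data is obfuscated. The byte offsets are the MS-PST specification's; the wVer 36 branch follows libpff's documented handling of 4 KiB-page OST files, and the sample headers are constructed for the test.

```python
import struct

# Header layout from MS-PST section 2.2.2.6 (offsets are the spec's, not this
# page's): "!BDN" magic at 0, "SM" client magic at 8, wVer at 10, and
# bCryptMethod at 0x1CD (ANSI) or 0x201 (Unicode), right after the rgbFP map.
PST_MAGIC = b"!BDN"
CLIENT_MAGIC = b"SM"
CRYPT_METHODS = {0x00: "none", 0x01: "permute (Compressible encryption)",
                 0x02: "cyclic (High encryption)", 0x10: "EDP/WIP encrypted"}


def triage_pst_header(data: bytes) -> dict:
    """Classify a PST/OST from its header; the first 1 KiB of the file is enough."""
    if len(data) < 0x202 or data[0:4] != PST_MAGIC or data[8:10] != CLIENT_MAGIC:
        raise ValueError("not a PST/OST header")
    (wver,) = struct.unpack_from("<H", data, 10)
    if wver in (14, 15):
        fmt, crypt_off = "ANSI", 0x1CD
    elif wver == 36:  # 4 KiB-page Unicode variant found in newer OST files (per libpff docs)
        fmt, crypt_off = "Unicode (4K pages)", 0x201
    elif wver >= 23:
        fmt, crypt_off = "Unicode", 0x201
    else:
        raise ValueError(f"unrecognised wVer {wver}")
    crypt = data[crypt_off]
    return {"format": fmt, "wVer": wver, "crypt_method_byte": crypt,
            "crypt_method": CRYPT_METHODS.get(crypt, f"unknown (0x{crypt:02x})")}


def triage_pst_file(path: str) -> dict:
    """Read only the header, so a multi-GB archive is triaged without loading it."""
    with open(path, "rb") as fh:
        return triage_pst_header(fh.read(1024))


def make_sample_header(wver: int, crypt: int) -> bytes:
    """Constructed 1 KiB header for testing; every other field is left zero."""
    buf = bytearray(1024)
    buf[0:4] = PST_MAGIC
    buf[8:10] = CLIENT_MAGIC
    struct.pack_into("<H", buf, 10, wver)
    buf[0x1CD if wver in (14, 15) else 0x201] = crypt
    return bytes(buf)


SAMPLE_UNICODE = make_sample_header(23, 0x01)  # modern PST/OST, Compressible
SAMPLE_ANSI = make_sample_header(14, 0x02)     # legacy PST, High
```

Run `triage_pst_file` over every `*.pst`/`*.ost` collected to record format and crypt method in the evidence log before handing files to a parser.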
What It Reveals
- Complete email communications — Every sent, received, and drafted message with full headers, bodies, and attachments.
- Email headers for attribution — Full RFC 5322 headers including Received chains, Message-ID, X-headers, and SPF/DKIM results for phishing analysis.
- File attachments — Original attachments with filenames, MIME types, and sizes; extractable from the PST/OST for malware analysis or document review.
- Deleted messages — Items in the Deleted Items folder or recoverable items dumpster; may contain evidence the user attempted to destroy.
- Calendar entries — Meeting invitations, appointments, and attendee responses revealing scheduling and coordination patterns.
- Contact records — Address book entries with phone numbers, email addresses, and notes.
- Folder structure — User-created folder hierarchy reveals organizational patterns and subject-matter categorization.
- PST creation/modification timestamps — File system timestamps on PST files reveal when archives were created or last accessed.
Forensic Use Cases
1. Business Email Compromise (BEC) Investigation
A CFO receives a wire transfer request from a compromised vendor email account. The OST file contains the original phishing email with full headers showing the actual sending infrastructure (IP addresses in Received headers), the spoofed display name, and the reply-to address redirecting to an attacker-controlled domain. Header analysis proves the email did not originate from the legitimate vendor’s mail servers.
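The header analysis described in this scenario, as an added example that is not part of the original page: it parses a message exported to EML (for instance by pffexport), rebuilds the Received chain oldest hop first, and flags the two indicators named above, a Reply-To domain that differs from the From domain and an originating relay that is not the claimed sender's mail infrastructure. The EML below is constructed for the test and uses reserved example/documentation names and addresses.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample modelled on a BEC lure as it would appear in an exported EML.
# Hosts and IPs are reserved documentation values (RFC 2606 / RFC 5737).
SAMPLE_EML = """\
Received: from mx2.corp.example (mx2.corp.example [203.0.113.5]) by mail.corp.example with ESMTP; Tue, 4 Jun 2024 09:12:01 +0000
Received: from relay.bulk-hoster.example (unknown [198.51.100.77]) by mx2.corp.example with ESMTP; Tue, 4 Jun 2024 09:11:58 +0000
From: "Vendor Accounts" <billing@vendor.example>
Reply-To: billing@vendor-invoices.example
To: cfo@corp.example
Subject: Updated wire instructions

Please use the attached new banking details for this month's payment.
"""

HOP_RE = re.compile(r"from\s+(?P<host>\S+)\s+\([^)]*?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\].*?by\s+(?P<by>\S+)")


def domain_of(header_value) -> str:
    """Bare domain of the first address in a From/Reply-To header, lower-cased."""
    addr = parseaddr(str(header_value or ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze_eml(raw: str) -> dict:
    """Reconstruct the Received chain (oldest hop first) and flag BEC indicators."""
    msg = message_from_string(raw, policy=policy.default)
    hops = []
    # Each MTA prepends its own Received line, so header order is newest-first.
    for received in reversed(msg.get_all("Received") or []):
        m = HOP_RE.search(re.sub(r"\s+", " ", str(received)))
        if m:
            hops.append(m.groupdict())
    from_domain = domain_of(msg["From"])
    reply_to_domain = domain_of(msg["Reply-To"])
    origin_host = hops[0]["host"].rstrip(".").lower() if hops else ""
    return {
        "from_domain": from_domain,
        "reply_to_domain": reply_to_domain,
        "hops": hops,
        "origin_host": origin_host,
        "origin_ip": hops[0]["ip"] if hops else "",
        # Indicators: Reply-To redirects elsewhere; first relay is outside the sender's domain.
        "reply_to_mismatch": bool(reply_to_domain) and reply_to_domain != from_domain,
        "origin_matches_sender_domain": origin_host == from_domain
        or origin_host.endswith("." + from_domain),
    }
```

The same function can be mapped over every `.eml` in a pffexport output tree to find all copies of a lure across collected OST files.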
2. Intellectual Property Exfiltration via Email
A departing employee forwards 2,300 emails with proprietary attachments to a personal Gmail account over 6 weeks. The OST file’s Sent Items folder contains every forwarded message with timestamps, recipient addresses, and the original attachments. The folder structure shows the employee created a “Personal Backup” folder to stage messages before forwarding.
3. PST Files on Unauthorized Media
During an insider threat investigation, a 12 GB PST file is discovered on a personal USB drive. The PST contains a complete export of the employee’s corporate mailbox, including messages from privileged distribution lists. File system timestamps show the PST was created at 22:47 on the employee’s last day, and the PST metadata reveals it was exported using Outlook’s Import/Export wizard.
4. Deleted Email Recovery
A subject deletes incriminating emails from their mailbox. The OST file’s Deleted Items folder or the recoverable items dumpster (if Exchange Online retention policies are in effect) still contains the messages. Even if the Deleted Items folder was emptied, MAPI-level recovery tools can sometimes extract deleted message fragments from PST/OST free space.
5. Phishing Campaign Analysis
After a successful phishing attack compromises multiple employees, their OST files are collected to identify the full scope of the campaign. Search across all OST files for the phishing sender address, subject line, or attachment hash reveals every recipient and whether they interacted with the message (replies, forwards).
Acquisition Methods
Outlook locks the OST file while running. The file cannot be copied while Outlook is open. Close Outlook first, or use VSS/raw-copy tools. PST files that are currently mounted in Outlook are also locked. For remote collection, KAPE with the Outlook target collects both OST and PST files.
```batch
:: Collect OST and PST files using KAPE
kape.exe --tsource C: --tdest C:\Evidence\KAPE_Output --target Outlook

:: Manual collection (Outlook must be closed)
copy "C:\Users\jdoe\AppData\Local\Microsoft\Outlook\*.ost" C:\Evidence\Outlook\
copy "C:\Users\jdoe\Documents\Outlook Files\*.pst" C:\Evidence\Outlook\

:: Search for PST files anywhere on the system
dir /s /b C:\*.pst
```
Parsing Tools & Analysis
| Tool | Author | License | Notes |
|---|---|---|---|
| libpff | Joachim Metz | Open source (C) | Linux-native PST/OST parser; pffexport extracts all messages to EML |
| Kernel PST Viewer | Kernel Data Recovery | Free (viewer) | Windows GUI; browse PST contents without Outlook |
| pst-utils (readpst) | libpst project | Open source | Converts PST to mbox, EML, or individual files |
| Stellar PST Repair | Stellar | Commercial | Repairs corrupted PST files; recovers deleted items |
| X-Ways Forensics | X-Ways | Commercial | Native PST/OST parsing with email search and export |
| Nuix | Nuix | Commercial | Enterprise eDiscovery; processes PST at scale with deduplication |
```bash
# Extract all messages from PST to EML format using libpff
pffexport /analysis/outlook/archive.pst

# Convert PST to individual .eml files using readpst (-e); omit -e for mbox output
readpst -o /analysis/outlook/mbox_output/ -e /analysis/outlook/archive.pst

# Search extracted EML files for a specific sender
grep -rl "attacker@evil.com" /analysis/outlook/mbox_output/
```
Retention & Persistence
| Property | OST Files | PST Files |
|---|---|---|
| Persistence | Recreatable from Exchange server | Unique; not backed up unless explicitly included in a backup |
| Size limit | 50 GB default (configurable via registry) | 50 GB default (configurable) |
| Survives Outlook uninstall | Files remain on disk | Files remain on disk |
| Deleted items | Depend on Exchange retention policy | Persist until user permanently deletes |
| AutoArchive | N/A | Creates archive.pst with older messages |
Version Differences
| Feature | Outlook 97–2002 | Outlook 2003–2010 | Outlook 2013+ |
|---|---|---|---|
| PST format | ANSI (2 GB max) | Unicode (20–50 GB) | Unicode (50 GB, configurable) |
| OST support | Limited offline mode | Cached Exchange Mode | Cached Exchange Mode (default) |
| Deleted item recovery | Deleted Items folder only | Recoverable Items dumpster | Recoverable Items with litigation hold |
| Encryption | Compressible XOR | Compressible XOR | Compressible XOR (password is CRC32) |
Anti-Forensics Resilience
| Action | Effect on PST/OST | Recovery |
|---|---|---|
| Delete email in Outlook | Moves to Deleted Items; recoverable | Check Deleted Items folder and Recoverable Items |
| Empty Deleted Items | Removed from folder; may persist in free space | MAPI-level carving; PST repair tools |
| Delete PST file | File removed from disk | File carving from unallocated; $MFT entry |
| Delete OST file | File removed; Outlook recreates from server | Server-side mailbox still has all data |
| Compact PST (Outlook) | Reclaims free space; destroys deleted fragments | Limited recovery after compaction |
MITRE ATT&CK Detection Mapping
| Technique | Name | Outlook Evidence |
|---|---|---|
| T1114.001 | Local Email Collection | PST files on removable media or unusual paths indicate email collection |
| T1566.001 | Spearphishing Attachment | Phishing emails with malicious attachments in OST Inbox |
| T1048 | Exfiltration Over Alternative Protocol | Forwarded emails with attachments to external addresses |
| T1530 | Data from Cloud Storage | OST file contains cloud mailbox data cached locally |
Related Artifacts & Cross-References
| Artifact | Relationship | Cross-Correlation Value |
|---|---|---|
| Exchange Message Tracking | Server-side logs of email delivery | Confirms send/receive timestamps independently of client |
| SRUM.db | Outlook.exe network transfer volumes | Large outbound transfers from Outlook correlate with bulk forwarding |
| $Recycle.Bin | Deleted PST files may be in Recycle Bin | Recovers PST files the user attempted to destroy |
| USB History | USB device connections around PST creation time | Links PST export to specific removable media |
| Prefetch | OUTLOOK.EXE execution records | Confirms when Outlook was running |
References
- Microsoft, “MS-PST: Personal Storage File Format” — learn.microsoft.com
- Joachim Metz, “libpff” — github.com/libyal/libpff
- libpst project, “readpst” — five-ten-sg.com/libpst
- SANS Institute, “Email Forensics” — sans.org
- Microsoft, “Outlook Data Files (.pst and .ost)” — learn.microsoft.com
Mjolnir Security — Digital Forensics & Incident Response
Mjolnir Security provides 24/7 incident response, digital forensics, and expert witness testimony. Our DFIR team specializes in email forensics, BEC investigations, and PST/OST analysis for insider threat and IP theft cases.
mjolnirsecurity.com — 24/7: +1 833 403 5875