• RSS
  • Twitter
  • FaceBook

Security Forums

Log in

FAQ | Search | Usergroups | Profile | Register | RSS | Posting Guidelines | Recent Posts

E-mail Recovery in Outlook Express

Users browsing this topic:0 Security Fans, 0 Stealth Security Fans
Registered Security Fans: None
Post new topic   Reply to topic   Printer-friendly version    Networking/Security Forums Index -> Computer Forensics and Incident Response

View previous topic :: View next topic  
Author Message
Neko
Just Arrived
Just Arrived


Joined: 07 Oct 2007
Posts: 0


Offline

PostPosted: Sun Oct 21, 2007 6:15 pm    Post subject: E-mail Recovery in Outlook Express Reply with quote

Hi,

I am trying to help out a friend, who suspects that one of his employees may be doing something malicious, recover some deleted email. They use Outlook Express to manage their email and it appears that this employee is deleting his email, compressing the .dbx files, and then deleting the .dbx files on a daily basis. I've been able to recover the deleted .dbx files, and ran DBXpress on them but I not getting any data. We don't know for sure if any wrong doing is taking place and just want to find out whats going on, but it seems to me that his employee is being excessively tidy. Any help/tips would be greatly appreciated.

*EDIT*

I forgot to mention that we are working with the email server admin to see if they can recover anything on their end.
Back to top
View user's profile Send private message
Neko
Just Arrived
Just Arrived


Joined: 07 Oct 2007
Posts: 0


Offline

PostPosted: Tue Oct 23, 2007 7:43 am    Post subject: Reply with quote

Well nm on that. He's just going to send the HDD off to a data recovery team. I'd still be interested in any suggestions anyone may have for future use though.
Back to top
View user's profile Send private message
v
Just Arrived
Just Arrived


Joined: 21 Feb 2007
Posts: 0
Location: #openbsd @ irc.freenode.net

Offline

PostPosted: Tue Oct 23, 2007 8:46 am    Post subject: Reply with quote

How about:
Recover deleted Outlook e-mail by corrupting the PST file ? Smile
Other possible solutions:
http://www.google.com/search?q=outlook+undelete+recovery
http://www.google.com/search?hl=en&q=recover+deleted+email++Outlook&btnG=Search

Goodluck.
Back to top
View user's profile Send private message
Neko
Just Arrived
Just Arrived


Joined: 07 Oct 2007
Posts: 0


Offline

PostPosted: Tue Oct 23, 2007 3:41 pm    Post subject: Reply with quote

I read that about the .pst files for Outlook, which worked OK when I tested it out on my machine, but this guy is using Outlook express which uses a .dbx file, so the same thing won't work unfortunately.

I did some google searches for ways to recover .dbx files but all I saw was software to purchase which may or may not work. DBXpress seemed to work OK when I tested it out on my machine, but when I ran it on this guys I came up with nothing. And I used the recovery tool from ERD Commander to recover the deleted .dbx files, which worked fine.
Back to top
View user's profile Send private message
Sysops
Just Arrived
Just Arrived


Joined: 15 Dec 2007
Posts: 0


Offline

PostPosted: Sat Dec 15, 2007 6:59 pm    Post subject: Reply with quote

My friend just recently lost all of her emails, I believe it was through the server so I told the administrator to get them through the host; but of course they said they think the host is non-helpful so didn't even ask..
Back to top
View user's profile Send private message AIM Address
The_Real_Gandalf
Trusted SF Member
Trusted SF Member


Joined: 14 Apr 2004
Posts: 0
Location: Athens,Greece

Offline

PostPosted: Tue Dec 18, 2007 9:51 am    Post subject: Reply with quote

this is a job for forensics proffesional as recovering the deleted dbx file is only the easy part.

You will probably need some "re-built" tools , to work on hexadecimal level , not to mention that you will have to be very carefull while re-building the lost data (FROM A TAKEN IMAGE!!!) so you wont alter the data in hand.

Also take under some serious consideration, that , if the user thinks that his rights got violated (we are talking about privacy and emails here) , he can go in court and then the company might face serious impacts from these actions.

My advice:...

Get a proffesional forensics investigator , if your company thinks that those emails are suspected for industrial espionage or other serious offences.


Gandalf
Back to top
View user's profile Send private message Visit poster's website AIM Address
ThePsyko
SF Mod
SF Mod


Joined: 17 Oct 2002
Posts: 16777178
Location: California

Offline

PostPosted: Wed Dec 19, 2007 7:35 pm    Post subject: Reply with quote

Or, grab it at the server level. What mail server is being used? If the emails are passing through the company server, then they technically belong to the company at that point (hopefully you had an AUP signed as a condition of employment) and can be split off and archived from there.
Back to top
View user's profile Send private message Send e-mail
The_Real_Gandalf
Trusted SF Member
Trusted SF Member


Joined: 14 Apr 2004
Posts: 0
Location: Athens,Greece

Offline

PostPosted: Thu Dec 20, 2007 8:33 am    Post subject: Reply with quote

ThePsyko...

Οutlook Express usually is not leaving any copies on server unless it is setup to do so.

In addition to that , no matter where you "grab" those emails, from the moment they leave the sender's mailbox to the moment they arrive to the recepients mailbox , they are considered to be protected with Privacy rights , both in U.S. ( i do not remember the exact federal law by heart since i live in E.U.) and E.U. (law about individual rights according to the E.U. constitution).

You are never sure that those emails contain vital info about company issues , so by the time you are going to conduct a forensic search , you should be ready to support this search with proper procedures recorded and justified according local laws.

Gandalf
Back to top
View user's profile Send private message Visit poster's website AIM Address
Sysops
Just Arrived
Just Arrived


Joined: 15 Dec 2007
Posts: 0


Offline

PostPosted: Sun Jan 27, 2008 3:31 am    Post subject: Reply with quote

The_Real_Gandalf wrote:
ThePsyko...

Οutlook Express usually is not leaving any copies on server unless it is setup to do so.

In addition to that , no matter where you "grab" those emails, from the moment they leave the sender's mailbox to the moment they arrive to the recepients mailbox , they are considered to be protected with Privacy rights , both in U.S. ( i do not remember the exact federal law by heart since i live in E.U.) and E.U. (law about individual rights according to the E.U. constitution).

You are never sure that those emails contain vital info about company issues , so by the time you are going to conduct a forensic search , you should be ready to support this search with proper procedures recorded and justified according local laws.

Gandalf


I really don't think you would need to jump through that many loops, to recover your ... "your" emailed from your hosting company; considering you are paying them to maintain your account.
Back to top
View user's profile Send private message AIM Address
The_Real_Gandalf
Trusted SF Member
Trusted SF Member


Joined: 14 Apr 2004
Posts: 0
Location: Athens,Greece

Offline

PostPosted: Thu Feb 07, 2008 3:44 pm    Post subject: Reply with quote

yes...

you can retreive them , however messing with their contained data in messages , is a whole different story.

ISPs wont refuse to handle emails to you , (if they do exist on their servers) but from that point to the point of investigating personal mails, you will have to comply with local laws..... Unless of course you do not care ending up in a law court room as the accused person instead of being the accuser.

Gandalf
Back to top
View user's profile Send private message Visit poster's website AIM Address
Display posts from previous:   

Post new topic   Reply to topic   Printer-friendly version    Networking/Security Forums Index -> Computer Forensics and Incident Response All times are GMT + 2 Hours
Page 1 of 1


 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum

Community Area

Log in | Register