Knowledgebase: E3
Investigating Microsoft Outlook Mailstorage
Posted by Jack H. Ward, Last modified by Jack H. Ward on 06 February 2018 03:11 AM
Microsoft Outlook mailstorage is stored in *.pst or *.ost files (offline mailstorage).

Attachments in deleted messages in Microsoft Outlook mailstorages aren't restored and can't be viewed. Deleted messages that had attachments have a special icon in the Attachments column.

Mailstorage default location:

Windows 7, 8, 8.1, 10


 Offline mailstorage default location:

Windows 7, 8, 8.1, 10


The Application Data folder (AppData in Windows 7, 8, 8.1, and 10) is hidden by default.

To investigate the Microsoft Outlook mailstorage, do the following:

1. Have the Add New Evidence window open.
2. In the Category list, select E-mail Database. In the Source Type list, select MS Outlook database (*.pst file) or MS Outlook offline database (*.ost file). Click OK.

3. In the standard Open window, navigate to the desired *.pst or *.ost file. Click OK.
4. Enter the Evidence name (by default, the name of the file to be added) and click OK.
5. Define the MS Outlook Database Settings and click OK.

  • Raw mode: Shows all database contents including system, orphaned, and deleted items. You will have to re-open the database (re-add it as evidence or re-open the case) for this option to take effect.
  • Scan database for deleted messages (slows down opening): If this option is selected, deleted messages in the database will be found and recovered. This can take a long time.
6. The Microsoft Outlook mailstorage is added to the case.
7. The mailstorage structure is displayed in the Case Content pane (to the left), messages stored in the mailbox are displayed in the Data View pane (to the right).

8. The restored deleted messages can be viewed in the Outlook storage root node.
9. Select the message in the Data View pane. Its contents are displayed in the E-mail Data pane (at the bottom).
10. You can view the message contents in different formats and/or view the attachments.

