Summary: In this blog, we have discussed various aspects of how different email clients and services, such as Microsoft Outlook, Office 365 work and how to can we recover deleted emails for forensic email investigation. Apart from this, we have also highlighted how an eDiscovery and email investigation software, such as Stellar Email Forensics, can help in recovering of deleted emails.
Regarding email forensics, investigators aim to leave no stone unturned in collecting data for investigation. They try to look for relevant data in all possible sources and recover any deleted data. Deleted emails, for instance, may contain crucial case-related information and smoking guns. This is why recovering deleted emails is an integral part of the job of forensic investigators.
Below, we will discuss how different email clients and services work and how to recover deleted emails for forensic investigation.
1. Microsoft Outlook
Recover deleted emails from PST file
When configured with a POP account, Microsoft Outlook stores the emails and other data in a Personal Storage Table (.PST) file. You might think you need an Outlook or a PST viewer app to open the PST file and access its contents. However, if an email is deleted from Outlook, it becomes inaccessible to the application but is retained within the PST file. So, you can use email investigation software for the Deleted Email Recovery from the PST file.
Recover deleted emails from OST file
MS Outlook, when configured with Exchange, IMAP, Office 365, and Outlook.com accounts, stores a local cache of the user’s mailbox in the Offline Storage Data (.OST) file. This OST file allows the user to access the mailbox without server connectivity.
If an Exchange mailbox is deleted (purged) and there is no backup, one of the most cost-effect ways to recover the deleted emails is through the OST file. However, you cannot open an OST file without the associated Exchange account. In that case, you can use advanced email recovery software, such as Stellar Email Forensic. This email investigation software converts the inaccessible OST and extracts the data in a PST file, allowing the recovery of deleted emails from Outlook OST.
2. Office 365
Recover deleted emails from EDB file
Data Protection Manager (DPM) is an application to back up and recover Exchange data. DPM is an integral step for Mailbox Exchange Recovery. You can also use the New-MailboxRestoreRequest, a PowerShell cmdlet, to restore mailboxes in Exchange.
One more cost-effective way is to recover deleted emails or mailboxes from damaged and corrupted Exchange Database (EDB) files. You can use an advanced eDiscovery and email investigation software called Stellar Email Forensics. One of the great features of this email forensics software is that it allows the forensic investigator to recover deleted emails, notes, calendars, contacts, tasks, attachments, and many more while maintaining the folder hierarchy. It also allows for bulk email forensics and saves the investigation results in legally acceptable formats, such as PST, PDF, EML, HTML, MSG, and RTF. Another great feature of Stellar Email Forensics is that it allows case management during criminal investigations through tagging, bookmarking, and logs. Stellar Email Forensic is an advanced email forensics software in which the evidence is preserved with MD5 and SHA1 hash values while extracting and analyzing the data.
3. Web-Based Email Services
Web-based email services, such as Gmail and Yahoo Mail, store email messages on the cloud. So, it would help if you were online to access your mailbox. However, any changes you make in the mailbox, like receiving or deleting emails, are also done remotely.
Since webmail servers may host millions of mailboxes, their storage is volatile and subject to countless reading and writing processes. If a particular email is deleted from a webmail mailbox, the unallocated space generated in the storage usually gets overwritten by new files quickly. So, it’s nearly impossible to recover that email from the server. There is a slight chance of recovering that email from a temporary file or a buffer file generated on the custodian’s local computer. However, recovering the deleted email from these files requires advanced tools and expertise in data recovery.
Things to Remember When Recover Deleted Emails
- Whenever a situation requires recovering deleted data from a computer or any storage device, it’s strongly advised to stop using it. If you continue using the system or device, it may lead to overwriting data and reduce the chances of recovering the deleted data.
- You can look for other sources if a deleted email can’t be recovered. For instance, you can check the mailbox in a backup file and try to extract the deleted email from the file. In the same way, the email might be deleted from the online mailbox, but the local machine may have a copy of the email on the hard drive.
You must have in-depth knowledge of recovering deleted emails from resolving cybercrime cases and conducting workplace investigations. In addition, you must have the right tools to achieve the outcomes quickly.
Need powerful email forensics software that can recover deleted emails quickly? Try Stellar Email Forensic! It supports more than 25 email file formats, such as PST, EDB, OST, DBX, NSF, MBOX, OLM, TBB, EML, and many more. It makes forensic email analysis easy and readily recovers deleted emails. The software is available for download with a free 60-day trial for a limited period.
About The Author
Abhinav Sethi is a Senior Writer at Stellar. He writes articles, blog posts, knowledge-bases, case studies, etc. for different technologies. He also has a keen interest in digital forensics and helps forward-thinking companies fight different threats with apt solutions.
