Recover email from a locked xp machine

I have a customer with a PC that he has been locked out of due to a hacker that talked him into running his remote assistance tool.  He has a Windows XP machine with emails on it using an old version of Firefox Thunderbird.

This is all I know and I can't log in to the machine.

It's a desktop computer and I do have a way to at least access the drive from another machine but do not know which folders to access or whether I will run into password issues. What's the best way to recover the email in this case?
frugalmule Asked:
Patrick Bogers (Datacenter platform engineer Lindows) Commented:
If you can connect to the drive navigate to

C:\Users\<username>\AppData\Local\Microsoft\Outlook

Here you grab the PST files and you are good to go.
If you run into password issues just make yourself 'owner' for that folder, but I don't expect this to happen.
0
Ron Malmstead (Information Services Manager) Commented:
You could hook up his hard drive as a secondary drive in another computer, browse to the folder where the e-mail is contained (ie. /../outlook.pst), and copy it to a USB thumb drive.

If you get any "access denied" messages: right-click > Properties, Security tab, Owner tab, change the owner to you, click Apply. Now open the folder or file.
0
Emmanuel Adebayo (Global Windows Infrastructure Engineer - Consultant) Commented:
Hi,

It is good that you can url into the server, I believe the user is using Outlook, the location of the email is usually at the link below assuming the user has not changed this like me.

drive:\Documents and Settings\<user>\Local Settings\Application Data\Microsoft\Outlook

Copy all the pst, ost or pab files in this location.

Also you might want to copy all the user data and folders from the computer and reinstall the OS, to ensure that you have a clean installation.

Regards
0
Nick Rhode (IT Director) Commented:
If this is just a local system and not a domain user I would use Offline NT Password Editor

http://pcsupport.about.com/gi/o.htm?zi=1/XJ&zTi=1&sdn=pcsupport&cdn=compute&tm=5&gps=315_13_1280_917&f=00&su=p504.6.342.ip_&tt=4&bt=6&bts=0&zu=http%3A//pogostick.net/%7Epnh/ntpasswd/bootdisk.html

Burn the software to a CD and boot to it. You can use it to reset the admin or user password and elevate the accounts. It works for Windows XP, Vista, 7. Reset the password and get in there.

This is an ethical hacktool and should only be used for legitimate reasons and good intentions.
0
pgm554 Commented:
I would get a 3rd party USB converter for the locked disk or connect it to a port on a known working machine.

Depending upon what the hacker did, there may be a poison pill app (format or encrypt) that may run if you boot the machine with a password reset.
0
Gary Case (Retired) Commented:
I don't recall where Thunderbird's default store folder is -- but it may have been changed anyway, so it's best to search for it.

Since you can access the drive, just search for .sbd and/or .msf files => when you find them, you'll know where the store folder is.

Then just copy the entire store folder ... then just install Thunderbird on a new machine and "point" to that store folder and you'll have all the e-mail recovered.

Note:  If you can't access the files on the drive, you simply need to "Take Ownership" of the drive.    How you do this depends on what OS you're running to do the recovery.   Just ask if you need help.
0
Don Thomson Commented:
Thunderbird Mail folder is at
 %USERPROFILE%\Application Data\Thunderbird\Profiles\XXXXXXXX.default\Mail\

If you get to a valid login screen then I don't think the OS is fully compromised.

I would remove the drive from the PC and install it on a second machine as the secondary drive.

First thing is to run a virus scan on the entire drive before you do anything else.
Second - Make a backup of the drive.
Third - Put it back in the original machine.
If it's XP Home there is not really an administrator user, only in Pro.
If it's XP Pro then do as NRhode suggested and use the password reset CD
and blow away the administrative password.

If it's XP Home, try booting into Safe Mode and see if the Administrator user comes up.
If it doesn't, then just use the password reset program to remove the user's password.
0
Marc Z Commented:
frugalmule,
Follow @DTHConsulting's recommendations, however I would grab the entire "Profiles" folder, which will ensure you have all the necessary items for a full recovery of mail. I wouldn't just grab the Mail folders. Your first 3 Experts think you are looking for Outlook emails, and they are giving you wrong information for your problem.

Here is a link to the Thunderbird support pages regarding the Profiles, and the locations, and recovering data from them.
https://support.mozillamessaging.com/en-US/kb/profiles?s=profile+location+windows+xp&as=s#w_where-is-my-profile-stored

If you don't have physical access to this computer where you can remove the disk, and install either on USB or as second drive in clean computer, you might have more issues like @pgm554 pointed out.  If you are only concerned with the emails, we've given you enough info here to get them.  

If you think you want to try to clean up this machine, my personal recommendation would be to take a full image of the hard drive (back up your data), and fully format and reinstall Windows. It would be faster and better than trying to clean this thing.
0
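
Added example (not part of any poster's reply): a Python sketch of the approach in the answers above, finding the Thunderbird store on the attached drive by its .msf files, copying the whole profile folder rather than only Mail, and checking each copied file by SHA-256. The function names and the sample directory tree are made up for the illustration.

```python
import hashlib, os, shutil, tempfile
from pathlib import Path

def find_profiles(root):
    """Locate Thunderbird profile folders under root by their .msf index files."""
    found = set()
    for dirpath, _dirs, files in os.walk(root):
        if not any(f.lower().endswith(".msf") for f in files):
            continue
        rel = Path(dirpath).relative_to(root)
        parts = [p.lower() for p in rel.parts]
        # The profile is the parent of Mail/ or ImapMail/; if the store was
        # relocated and has neither, report the folder holding the .msf files.
        hit = next((i for i, p in enumerate(parts) if p in ("mail", "imapmail")), None)
        found.add(Path(root, *rel.parts[:hit]) if hit is not None else Path(dirpath))
    return sorted(found)

def sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def copy_verified(profile, dest):
    """Copy the whole profile (source is only read); return (copy, mismatched files)."""
    target = Path(dest) / Path(profile).name
    shutil.copytree(profile, target)
    bad = [str(src) for src in Path(profile).rglob("*")
           if src.is_file() and sha256(src) != sha256(target / src.relative_to(profile))]
    return target, bad

def demo():
    # Constructed stand-in for the attached XP drive; every name here is made up.
    with tempfile.TemporaryDirectory() as tmp:
        prof = Path(tmp, "drive", "Documents and Settings", "customer", "Application Data",
                    "Thunderbird", "Profiles", "abcd1234.default")
        store = prof / "Mail" / "Local Folders"
        store.mkdir(parents=True)
        (store / "Inbox").write_bytes(b"From - constructed sample message\n")
        (store / "Inbox.msf").write_bytes(b"// constructed index file\n")
        (prof / "prefs.js").write_text("// constructed prefs\n")
        profiles = find_profiles(Path(tmp, "drive"))
        target, bad = copy_verified(profiles[0], Path(tmp, "usb"))
        copied = sorted(f.name for f in target.rglob("*") if f.is_file())
        return [p.name for p in profiles], copied, bad

if __name__ == "__main__":
    print(demo())
```

On a real recovery, call `find_profiles` with the mount point or drive letter of the attached disk and `copy_verified` with a folder on the destination drive; a non-empty mismatch list means that file should be copied again.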
Gary Case (Retired) Commented:
"... Your first 3 Experts think you are looking for Outlook emails ..." ==>  I had noticed that as well.   Not sure I'd apply the term "Experts" to those comments :-)
0
pgm554 Commented:
Actually a fast and easy way might just be to get a USB drive, download a Knoppix live CD and boot the Knoppix OS and copy the files off to the USB drive.

http://lifehacker.com/192982/geek-to-live--rescue-files-with-a-boot-cd
0
Ron Malmstead (Information Services Manager) Commented:
Hey Gary .. I didn't say it was outlook.  I used an example "ie"
0
frugalmule (Author) Commented:
Thanks for all the input.  I accept the answer provided and would like to expand on this dialog.

Password reset boot disk for xp, vista, win7 http://pogostick.net/~pnh/ntpasswd/bootdisk.html
Password reset boot disk needed for Win 8

I noticed there is also a USB boot image there as well. How can I use that from a USB drive that already has data on it?

Thunderbird mail location:  %USERPROFILE%\Application Data\Thunderbird\Profiles\XXXXXXXX.default\Mail\ not yet tried.
0