• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 64
  • Last Modified:

Get “Microsoft Outlook Profiles” information from a collected image of a Windows operating system.

I have a collected image of a Windows machine, which means this machine is not bootable.  I know the end user used Outlook and had PST files attached.  I am trying to determine the full path of any PST files that they had attached to Outlook.

I searched the registry and I was not able to find this.  Does anyone know where in Windows this information is stored?

Many Thanks!
0
rye004
Asked:
rye004
  • 7
  • 6
  • 2
1 Solution
 
Wilder1626Commented:
Hi

what version of Windows do you have?
On windows 7 and 8, it would be:
c:\Users\user\AppData\Local\Microsoft\Outlook

You may also want to grab any ost file also at the same time.

Please also have a look at this link:
Locating the Outlook data files
0
 
Wilder1626Commented:
Oh yes, the folder may be hidden also. Make sure to unhidden hidden folders
0
 
rye004Author Commented:
Windows 7 Pro
0
Get your Conversational Ransomware Defense e‑book

This e-book gives you an insight into the ransomware threat and reviews the fundamentals of top-notch ransomware preparedness and recovery. To help you protect yourself and your organization. The initial infection may be inevitable, so the best protection is to be fully prepared.

 
rye004Author Commented:
Also, so you know, I am suspecting that the user had a PST file on a thumb drive.  That is why I am looking for a listing of PST files and not necessarily the PST file itself.
0
 
Wilder1626Commented:
good. yo will found your ost and  pst files in
c:\Users\user\AppData\Local\Microsoft\Outlook
0
 
Wilder1626Commented:
he does have multiple pst files, you will need to look into Outlook direcly.

In File / Account settings / Go in Data files tab, you should see the pst link:

pst files
0
 
rye004Author Commented:
Wilder1626, thank you for your posting. Since I am working with an image of the machine and it is not bootable, I am not able to use a gui. I need to determine this from looking at the file structure.
0
 
VB ITSSpecialist ConsultantCommented:
Outlook 2010 and Outlook 2013 places PST files by default in the C:\Users\username\Documents\Outlook Files folder.

Outlook 2003 and Outlook 2007 places PST files by default in the C:\Users\usernameAppData\Local\Microsoft\Outlook folder.

What type of account was Outlook connecting to? A POP3/IMAP account or Exchange? Also what version of Outlook?
0
 
rye004Author Commented:
I am trying to determine if the user had a PST file on a thumb drive that was mounted to Outlook.  So the default locations of the PST file on the hard drive will not help.

The account was Exchange.  I was able to determine this by the talking with the companies IT, but not by looking at the “Mail” properties in the control panel – since I am working with a collected image.
0
 
Wilder1626Commented:
HI rye004

I  don't see any other way to pull the pst path attached to a Microsoft Outlook besides the original path:
C:\Users\username\Documents\Outlook

Or

If you open Microsoft Outlook and validate in:
File / Account settings / Go in Data files tab

It would also be harder if the PST file was attached to removable drive also.
0
 
Wilder1626Commented:
But i think that if you would of been on Microsoft Exchange,  Microsoft Exchange PST Capture would of help to capture the PST files.

But i dont know alot about it as I have never tested it.
0
 
rye004Author Commented:
I realize that this is more of a forensics question and may be a bit unfair to put on expert exchange.

I know that the user had an external drive plugged into their computer that disappeared after they left the company that I work for.  Normally I would look for LNK files to see what a user puts on an external media after they leave, unfortunately the action of adding a PST file to Outlook does not create a LNK
0
 
VB ITSSpecialist ConsultantCommented:
I realize that this is more of a forensics question and may be a bit unfair to put on expert exchange.

I know that the user had an external drive plugged into their computer that disappeared after they left the company that I work for.  Normally I would look for LNK files to see what a user puts on an external media after they leave, unfortunately the action of adding a PST file to Outlook does not create a LNK
Outlook doesn't create any sort of LNK file to tell you that a PST file has been added/created in Outlook, the most it does is create some .tmp files in the same directory as the PST file when the PST file is opened in Outlook. It may be too late now but something you should consider in future is to restrict the use of USB devices via Group Policy or third party software to prevent someone from doing this again.

But i think that if you would of been on Microsoft Exchange,  Microsoft Exchange PST Capture would of help to capture the PST files.

But i dont know alot about it as I have never tested it.
PST Capture is used to search for PST files on a machine then upload them into Office 365, doesn't really apply to this scenario.
0
 
rye004Author Commented:
So I figured this out.  Below is what I have:

Details of opened PST/OST files may be found in one of the following Registry keys depending on Outlook version -
HKCU\Software\Microsoft\Office\<Version>\Outlook\S earch
HKCU\Software\Microsoft\Office\<Version>\Outlook\C atalog

Profile configuration data will be found in one of the following Registry keys (also dependent on version) -
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
HKCU\Software\Microsoft\Office\<Version>\Outlook\P rofiles\Outlook
0
 
rye004Author Commented:
Unfortunately none of the responses I received was what I was looking for.  I did additional research and found the following.
0

Featured Post

NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

  • 7
  • 6
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now