Solved

Get “Microsoft Outlook Profiles” information from a collected image of a Windows operating system.

Posted on 2015-02-09
15
50 Views
Last Modified: 2015-02-24
I have a collected image of a Windows machine, which means this machine is not bootable.  I know the end user used Outlook and had PST files attached.  I am trying to determine the full path of any PST files that they had attached to Outlook.

I searched the registry and I was not able to find this.  Does anyone know where in Windows this information is stored?

Many Thanks!
0
Comment
Question by:rye004
  • 7
  • 6
  • 2
15 Comments
 
LVL 11

Expert Comment

by:Wilder1626
ID: 40599639
Hi

what version of Windows do you have?
On windows 7 and 8, it would be:
c:\Users\user\AppData\Local\Microsoft\Outlook

You may also want to grab any ost file also at the same time.

Please also have a look at this link:
Locating the Outlook data files
0
 
LVL 11

Expert Comment

by:Wilder1626
ID: 40599662
Oh yes, the folder may be hidden also. Make sure to unhidden hidden folders
0
 

Author Comment

by:rye004
ID: 40599731
Windows 7 Pro
0
 

Author Comment

by:rye004
ID: 40599733
Also, so you know, I am suspecting that the user had a PST file on a thumb drive.  That is why I am looking for a listing of PST files and not necessarily the PST file itself.
0
 
LVL 11

Expert Comment

by:Wilder1626
ID: 40599734
good. yo will found your ost and  pst files in
c:\Users\user\AppData\Local\Microsoft\Outlook
0
 
LVL 11

Expert Comment

by:Wilder1626
ID: 40599740
he does have multiple pst files, you will need to look into Outlook direcly.

In File / Account settings / Go in Data files tab, you should see the pst link:

pst files
0
 

Author Comment

by:rye004
ID: 40599905
Wilder1626, thank you for your posting. Since I am working with an image of the machine and it is not bootable, I am not able to use a gui. I need to determine this from looking at the file structure.
0
Wish Marketing would stop bothering you?

Is your marketing department constantly asking for new email signature updates? Are they requesting a different design for every department? Do they need yet another banner added? Don’t let it get you down! There is an easy way to manage all of these requests...

 
LVL 24

Expert Comment

by:VB ITS
ID: 40600030
Outlook 2010 and Outlook 2013 places PST files by default in the C:\Users\username\Documents\Outlook Files folder.

Outlook 2003 and Outlook 2007 places PST files by default in the C:\Users\usernameAppData\Local\Microsoft\Outlook folder.

What type of account was Outlook connecting to? A POP3/IMAP account or Exchange? Also what version of Outlook?
0
 

Author Comment

by:rye004
ID: 40601041
I am trying to determine if the user had a PST file on a thumb drive that was mounted to Outlook.  So the default locations of the PST file on the hard drive will not help.

The account was Exchange.  I was able to determine this by the talking with the companies IT, but not by looking at the “Mail” properties in the control panel – since I am working with a collected image.
0
 
LVL 11

Expert Comment

by:Wilder1626
ID: 40601069
HI rye004

I  don't see any other way to pull the pst path attached to a Microsoft Outlook besides the original path:
C:\Users\username\Documents\Outlook

Or

If you open Microsoft Outlook and validate in:
File / Account settings / Go in Data files tab

It would also be harder if the PST file was attached to removable drive also.
0
 
LVL 11

Expert Comment

by:Wilder1626
ID: 40601186
But i think that if you would of been on Microsoft Exchange,  Microsoft Exchange PST Capture would of help to capture the PST files.

But i dont know alot about it as I have never tested it.
0
 

Author Comment

by:rye004
ID: 40601223
I realize that this is more of a forensics question and may be a bit unfair to put on expert exchange.

I know that the user had an external drive plugged into their computer that disappeared after they left the company that I work for.  Normally I would look for LNK files to see what a user puts on an external media after they leave, unfortunately the action of adding a PST file to Outlook does not create a LNK
0
 
LVL 24

Expert Comment

by:VB ITS
ID: 40602269
I realize that this is more of a forensics question and may be a bit unfair to put on expert exchange.

I know that the user had an external drive plugged into their computer that disappeared after they left the company that I work for.  Normally I would look for LNK files to see what a user puts on an external media after they leave, unfortunately the action of adding a PST file to Outlook does not create a LNK
Outlook doesn't create any sort of LNK file to tell you that a PST file has been added/created in Outlook, the most it does is create some .tmp files in the same directory as the PST file when the PST file is opened in Outlook. It may be too late now but something you should consider in future is to restrict the use of USB devices via Group Policy or third party software to prevent someone from doing this again.

But i think that if you would of been on Microsoft Exchange,  Microsoft Exchange PST Capture would of help to capture the PST files.

But i dont know alot about it as I have never tested it.
PST Capture is used to search for PST files on a machine then upload them into Office 365, doesn't really apply to this scenario.
0
 

Accepted Solution

by:
rye004 earned 0 total points
ID: 40619604
So I figured this out.  Below is what I have:

Details of opened PST/OST files may be found in one of the following Registry keys depending on Outlook version -
HKCU\Software\Microsoft\Office\<Version>\Outlook\S earch
HKCU\Software\Microsoft\Office\<Version>\Outlook\C atalog

Profile configuration data will be found in one of the following Registry keys (also dependent on version) -
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
HKCU\Software\Microsoft\Office\<Version>\Outlook\P rofiles\Outlook
0
 

Author Closing Comment

by:rye004
ID: 40627764
Unfortunately none of the responses I received was what I was looking for.  I did additional research and found the following.
0

Featured Post

Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

Learn more about how the humble email signature can be used as more than just an electronic business card. When used correctly, a signature can easily be tailored for different purposes by different departments within an organization.
Use email signature images to promote corporate certifications and industry awards.
As developers, we are not limited to the functions provided by the VBA language. In addition, we can call the functions that are part of the Windows operating system. These functions are part of the Windows API (Application Programming Interface). U…
The viewer will learn how to successfully create a multiboot device using the SARDU utility on Windows 7. Start the SARDU utility: Change the image directory to wherever you store your ISOs, this will prevent you from having 2 copies of an ISO wit…

706 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now