Solved

Get “Microsoft Outlook Profiles” information from a collected image of a Windows operating system.

Posted on 2015-02-09
15
52 Views
Last Modified: 2015-02-24
I have a collected image of a Windows machine, which means this machine is not bootable.  I know the end user used Outlook and had PST files attached.  I am trying to determine the full path of any PST files that they had attached to Outlook.

I searched the registry and I was not able to find this.  Does anyone know where in Windows this information is stored?

Many Thanks!
0
Comment
Question by:rye004
  • 7
  • 6
  • 2
15 Comments
 
LVL 11

Expert Comment

by:Wilder1626
ID: 40599639
Hi

what version of Windows do you have?
On windows 7 and 8, it would be:
c:\Users\user\AppData\Local\Microsoft\Outlook

You may also want to grab any ost file also at the same time.

Please also have a look at this link:
Locating the Outlook data files
0
 
LVL 11

Expert Comment

by:Wilder1626
ID: 40599662
Oh yes, the folder may be hidden also. Make sure to unhidden hidden folders
0
 

Author Comment

by:rye004
ID: 40599731
Windows 7 Pro
0
 

Author Comment

by:rye004
ID: 40599733
Also, so you know, I am suspecting that the user had a PST file on a thumb drive.  That is why I am looking for a listing of PST files and not necessarily the PST file itself.
0
 
LVL 11

Expert Comment

by:Wilder1626
ID: 40599734
good. yo will found your ost and  pst files in
c:\Users\user\AppData\Local\Microsoft\Outlook
0
 
LVL 11

Expert Comment

by:Wilder1626
ID: 40599740
he does have multiple pst files, you will need to look into Outlook direcly.

In File / Account settings / Go in Data files tab, you should see the pst link:

pst files
0
 

Author Comment

by:rye004
ID: 40599905
Wilder1626, thank you for your posting. Since I am working with an image of the machine and it is not bootable, I am not able to use a gui. I need to determine this from looking at the file structure.
0
Are your end users making ugly email signatures?

Have you left it up to your end users to create their own email signatures? Are they forgetting to add the company logo or using garish font colors? Take control and ensure all users have the same email signature.

 
LVL 24

Expert Comment

by:VB ITS
ID: 40600030
Outlook 2010 and Outlook 2013 places PST files by default in the C:\Users\username\Documents\Outlook Files folder.

Outlook 2003 and Outlook 2007 places PST files by default in the C:\Users\usernameAppData\Local\Microsoft\Outlook folder.

What type of account was Outlook connecting to? A POP3/IMAP account or Exchange? Also what version of Outlook?
0
 

Author Comment

by:rye004
ID: 40601041
I am trying to determine if the user had a PST file on a thumb drive that was mounted to Outlook.  So the default locations of the PST file on the hard drive will not help.

The account was Exchange.  I was able to determine this by the talking with the companies IT, but not by looking at the “Mail” properties in the control panel – since I am working with a collected image.
0
 
LVL 11

Expert Comment

by:Wilder1626
ID: 40601069
HI rye004

I  don't see any other way to pull the pst path attached to a Microsoft Outlook besides the original path:
C:\Users\username\Documents\Outlook

Or

If you open Microsoft Outlook and validate in:
File / Account settings / Go in Data files tab

It would also be harder if the PST file was attached to removable drive also.
0
 
LVL 11

Expert Comment

by:Wilder1626
ID: 40601186
But i think that if you would of been on Microsoft Exchange,  Microsoft Exchange PST Capture would of help to capture the PST files.

But i dont know alot about it as I have never tested it.
0
 

Author Comment

by:rye004
ID: 40601223
I realize that this is more of a forensics question and may be a bit unfair to put on expert exchange.

I know that the user had an external drive plugged into their computer that disappeared after they left the company that I work for.  Normally I would look for LNK files to see what a user puts on an external media after they leave, unfortunately the action of adding a PST file to Outlook does not create a LNK
0
 
LVL 24

Expert Comment

by:VB ITS
ID: 40602269
I realize that this is more of a forensics question and may be a bit unfair to put on expert exchange.

I know that the user had an external drive plugged into their computer that disappeared after they left the company that I work for.  Normally I would look for LNK files to see what a user puts on an external media after they leave, unfortunately the action of adding a PST file to Outlook does not create a LNK
Outlook doesn't create any sort of LNK file to tell you that a PST file has been added/created in Outlook, the most it does is create some .tmp files in the same directory as the PST file when the PST file is opened in Outlook. It may be too late now but something you should consider in future is to restrict the use of USB devices via Group Policy or third party software to prevent someone from doing this again.

But i think that if you would of been on Microsoft Exchange,  Microsoft Exchange PST Capture would of help to capture the PST files.

But i dont know alot about it as I have never tested it.
PST Capture is used to search for PST files on a machine then upload them into Office 365, doesn't really apply to this scenario.
0
 

Accepted Solution

by:
rye004 earned 0 total points
ID: 40619604
So I figured this out.  Below is what I have:

Details of opened PST/OST files may be found in one of the following Registry keys depending on Outlook version -
HKCU\Software\Microsoft\Office\<Version>\Outlook\S earch
HKCU\Software\Microsoft\Office\<Version>\Outlook\C atalog

Profile configuration data will be found in one of the following Registry keys (also dependent on version) -
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
HKCU\Software\Microsoft\Office\<Version>\Outlook\P rofiles\Outlook
0
 

Author Closing Comment

by:rye004
ID: 40627764
Unfortunately none of the responses I received was what I was looking for.  I did additional research and found the following.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Following basic email etiquette rules will help you write a professional email and achieve a good, lasting impression with your contacts.
Read this checklist to learn more about the 15 things you should never include in an email signature.
This Micro Tutorial will give you a basic overview of Windows DVD Burner through its features and interface. This will be demonstrated using Windows 7 operating system.
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

920 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now