Solved

Get “Microsoft Outlook Profiles” information from a collected image of a Windows operating system.

Posted on 2015-02-09
15
56 Views
Last Modified: 2015-02-24
I have a collected image of a Windows machine, which means this machine is not bootable.  I know the end user used Outlook and had PST files attached.  I am trying to determine the full path of any PST files that they had attached to Outlook.

I searched the registry and I was not able to find this.  Does anyone know where in Windows this information is stored?

Many Thanks!
0
Comment
Question by:rye004
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 7
  • 6
  • 2
15 Comments
 
LVL 11

Expert Comment

by:Wilder1626
ID: 40599639
Hi

what version of Windows do you have?
On windows 7 and 8, it would be:
c:\Users\user\AppData\Local\Microsoft\Outlook

You may also want to grab any ost file also at the same time.

Please also have a look at this link:
Locating the Outlook data files
0
 
LVL 11

Expert Comment

by:Wilder1626
ID: 40599662
Oh yes, the folder may be hidden also. Make sure to unhidden hidden folders
0
 

Author Comment

by:rye004
ID: 40599731
Windows 7 Pro
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:rye004
ID: 40599733
Also, so you know, I am suspecting that the user had a PST file on a thumb drive.  That is why I am looking for a listing of PST files and not necessarily the PST file itself.
0
 
LVL 11

Expert Comment

by:Wilder1626
ID: 40599734
good. yo will found your ost and  pst files in
c:\Users\user\AppData\Local\Microsoft\Outlook
0
 
LVL 11

Expert Comment

by:Wilder1626
ID: 40599740
he does have multiple pst files, you will need to look into Outlook direcly.

In File / Account settings / Go in Data files tab, you should see the pst link:

pst files
0
 

Author Comment

by:rye004
ID: 40599905
Wilder1626, thank you for your posting. Since I am working with an image of the machine and it is not bootable, I am not able to use a gui. I need to determine this from looking at the file structure.
0
 
LVL 24

Expert Comment

by:VB ITS
ID: 40600030
Outlook 2010 and Outlook 2013 places PST files by default in the C:\Users\username\Documents\Outlook Files folder.

Outlook 2003 and Outlook 2007 places PST files by default in the C:\Users\usernameAppData\Local\Microsoft\Outlook folder.

What type of account was Outlook connecting to? A POP3/IMAP account or Exchange? Also what version of Outlook?
0
 

Author Comment

by:rye004
ID: 40601041
I am trying to determine if the user had a PST file on a thumb drive that was mounted to Outlook.  So the default locations of the PST file on the hard drive will not help.

The account was Exchange.  I was able to determine this by the talking with the companies IT, but not by looking at the “Mail” properties in the control panel – since I am working with a collected image.
0
 
LVL 11

Expert Comment

by:Wilder1626
ID: 40601069
HI rye004

I  don't see any other way to pull the pst path attached to a Microsoft Outlook besides the original path:
C:\Users\username\Documents\Outlook

Or

If you open Microsoft Outlook and validate in:
File / Account settings / Go in Data files tab

It would also be harder if the PST file was attached to removable drive also.
0
 
LVL 11

Expert Comment

by:Wilder1626
ID: 40601186
But i think that if you would of been on Microsoft Exchange,  Microsoft Exchange PST Capture would of help to capture the PST files.

But i dont know alot about it as I have never tested it.
0
 

Author Comment

by:rye004
ID: 40601223
I realize that this is more of a forensics question and may be a bit unfair to put on expert exchange.

I know that the user had an external drive plugged into their computer that disappeared after they left the company that I work for.  Normally I would look for LNK files to see what a user puts on an external media after they leave, unfortunately the action of adding a PST file to Outlook does not create a LNK
0
 
LVL 24

Expert Comment

by:VB ITS
ID: 40602269
I realize that this is more of a forensics question and may be a bit unfair to put on expert exchange.

I know that the user had an external drive plugged into their computer that disappeared after they left the company that I work for.  Normally I would look for LNK files to see what a user puts on an external media after they leave, unfortunately the action of adding a PST file to Outlook does not create a LNK
Outlook doesn't create any sort of LNK file to tell you that a PST file has been added/created in Outlook, the most it does is create some .tmp files in the same directory as the PST file when the PST file is opened in Outlook. It may be too late now but something you should consider in future is to restrict the use of USB devices via Group Policy or third party software to prevent someone from doing this again.

But i think that if you would of been on Microsoft Exchange,  Microsoft Exchange PST Capture would of help to capture the PST files.

But i dont know alot about it as I have never tested it.
PST Capture is used to search for PST files on a machine then upload them into Office 365, doesn't really apply to this scenario.
0
 

Accepted Solution

by:
rye004 earned 0 total points
ID: 40619604
So I figured this out.  Below is what I have:

Details of opened PST/OST files may be found in one of the following Registry keys depending on Outlook version -
HKCU\Software\Microsoft\Office\<Version>\Outlook\S earch
HKCU\Software\Microsoft\Office\<Version>\Outlook\C atalog

Profile configuration data will be found in one of the following Registry keys (also dependent on version) -
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
HKCU\Software\Microsoft\Office\<Version>\Outlook\P rofiles\Outlook
0
 

Author Closing Comment

by:rye004
ID: 40627764
Unfortunately none of the responses I received was what I was looking for.  I did additional research and found the following.
0

Featured Post

What Is Transaction Monitoring and who needs it?

Synthetic Transaction Monitoring that you need for the day to day, which ensures your business website keeps running optimally, and that there is no downtime to impact your customer experience.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

When asking a question in a forum or creating documentation, screenshots are vital tools that can convey a lot more information and save you and your reader a lot of time
Sometimes clients can lose connectivity with the Lotus Notes Domino Server, but there's not always an obvious answer as to why it happens.   Read this article to follow one of the first experiences I had with Lotus Notes on a client's machine, my…
This is used to tweak the memory usage for your computer, it is used for servers more so than workstations but just be careful editing registry settings as it may cause irreversible results. I hold no responsibility for anything you do to the regist…
If you’ve ever visited a web page and noticed a cool font that you really liked the look of, but couldn’t figure out which font it was so that you could use it for your own work, then this video is for you! In this Micro Tutorial, you'll learn yo…

724 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question