 |
Susan Brown, owner of Tech With Us First, recently faced just such a challenge. After using a conventional recovery tool that effectively recovered all of the deleted data, she realised how difficult the task could be. Brown used RecoverAll Pro to retrieve the deleted files, but it found hundreds of files Brown didn't need. All she wanted to do was grab that single needle in the Outlook haystack.
“I didn't want to recover them all,” wrote Brown, “just that one e-mail. Does Outlook have a special extension to identify e-mails?”
One TechRepublic member came to Brown's aid with the suggestion of an unusual method that involved, believe it or not, deliberately corrupting the .pst file and then restoring it with a common tool.
If you ever find yourself in a similar jam and it's important enough to veer off the usual path, you can take the steps used in this method to recover what has been emptied out of the Deleted Items folder and grab that one message you really need.
Deleted doesn't really mean gone
Scott Heath responded to Brown's dilemma with the tip that helped her find the one item she needed to recover. The key is that deleted e-mails aren't really completely removed when they've left the Deleted Items folder.
“A PST has its own FAT, so to speak,” wrote Heath, “and when an e-mail is deleted, it is simply marked to be replaced.”
The trick is getting back that one message that's been removed. Heath discovered a way to do this in an article posted on the High Technology Crime Investigation Association (HTCIA) Web site. In the article, fraud examiner Randall Shane explains how you can deliberately corrupt the PST and then recover it, retrieving all of the contents, including “permanently” deleted items. You can follow these steps to pull this off:
Make a backup first!
As the following steps involve corrupting Outlook's PST file, I strongly recommend you make a backup before attempting the process outlined in this article. I realise PST files can be rather large, but it's better to be safe than sorry.
- To corrupt the PST file, Shane suggests opening it with the hex editor of your choice. If you don't have one, Shane recommended searching for one on CNET's Download.com.
- Delete positions 7 through 13 with the spacebar. Since you're using hexadecimal numbering, this actually clears 13 characters in the following positions:
- 00007
00008
00009
0000a
0000b
0000c
0000d
0000e
0000f
00010
00011
00012
00013
(The editor displays the code “20” each time you clear a position with the spacebar.) - After clearing those positions in the file, save it. Your PST is now corrupted.
- Run the Inbox Repair Tool, SCANPST.exe, to recover the file. On Win2K and WinNT systems, the executable is located in C:\Program Files\Common Files\System\Mapi\1033\NT. You can also find it on the Office 2000 CD-ROM in Drive:\Pfiles\Common\System\Mapi\1033\NT. In WinXP, the file is located in C:\Program Files\Common Files\System\Mapi\1033. For additional information on the Inbox Repair Tool, see Microsoft Knowledge Base article 287497.
- After creating a backup, the Inbox Repair Tool repairs the damage and recreates the PST. Open the new PST in Outlook. The Deleted Items folder should contain all removed messages, so anything you've emptied will be restored.
Though this technique falls outside the lines of the usual measures available for repairing or recovering data, it may be the best available option for retrieving specific messages that have been permanently deleted from Outlook. It's a fairly simple operation to perform, and you don't have to spend any money on recovery tools. Brown reported that the method worked well for her, so the next time a user inadvertently removes a deleted message, you might consider this an option for getting it back.
TechRepublic is the online community and information resource for all IT professionals, from support staff to executives. We offer in-depth technical articles written for IT professionals by IT professionals. In addition to articles on everything from Windows to e-mail to firewalls, we offer IT industry analysis, downloads, management tips, discussion forums, and e-newsletters.
©2003 TechRepublic, Inc.
4%
4%
Does this approach still work if the pst has been compacted in the interim?