We’ve said that when Outlook displays a ‘This will be permanently deleted’ warning, the item isn’t really deleted. For anyone interested in the gory details or wanting to test it themselves, here’s how we checked that out.
It’s standard database procedure for a deleted record simply to be flagged ‘deleted’ rather than fully erased or overwritten. Tagging a record as ‘deleted’ and hiding it from the application is the fastest way to do it, and databases are usually programmed with speed as a primary goal. Once a record is marked as ‘deleted’ the space used by that record can be reused for a new entry, which is also a faster way to add a new record (instead of creating extra space for a new record, just reuse old unneeded space). Windows files work in a similar way, with ‘deleted’ files merely marked as free space.
We wanted to check that Outlook didn’t truly erase items when ‘permanently deleted’. We (foolishly) hoped that Microsoft might have changed the Outlook deletion given its use in high-security organizations, including many governments.
Alas, it’s the same behavior in PST and OST files. ‘Permanently’ deleted items are still available to be read, despite Microsoft’s wording.
To test that we created a small Outlook PST file and put a few emails in it.
One of the items we were going to delete had some unique text, ‘PassportDetails’, that would be simple to search for with a hex editor looking at the ‘raw’ PST file. Turns out we didn’t have to try that hard.
Then we ‘permanently’ deleted that message. After doing that, Outlook shows only one item in the Deleted Items folder.
Now we need to look at the PST file without Outlook to see what’s ‘under the hood’. There are various tools that can read PSTs – we grabbed the free version of PST File Viewer 2.0.
After closing Outlook, the PST File Viewer can open the PST and show all the contents including Outlook items that have been marked as deleted (as opposed to being in the Deleted Items folder).
And there was the ‘permanently deleted’ item – with all the message content easily viewable. Also, the Deleted Items folder shows two items instead of one (because the PST viewer is counting all items regardless of the ‘Deleted’ message flag).
It was too easy. We didn’t even need to search for the unique text. If the PST/OST file viewers weren’t available, a raw file viewer could have opened the file for reading ‘byte-by-byte’ and then searched for the unique text we put in the test record. But that deeper forensic analysis wasn’t necessary.
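As an added example that is not part of the original article, here is that byte-by-byte check written in Python. It scans a raw file for the planted marker in both 8-bit and UTF-16LE form (Unicode PST string properties are stored as UTF-16LE, so an ASCII-only hex search can miss them) and runs against a small constructed stand-in file; the constructed file, its 0x01 ‘deleted’ flag byte and the `find_marker`/`write_sample`/`demo` names are this example’s own assumptions, not the real PST on-disk layout.

```python
import os
import tempfile

MARKER = "PassportDetails"          # the unique text planted in the test message


def byte_patterns(marker):
    """Byte forms a mailbox file may hold for one string: 8-bit ASCII and UTF-16LE
    (Unicode PST string properties are UTF-16LE, so an ASCII-only search can miss them)."""
    return {"ascii": marker.encode("ascii"), "utf-16le": marker.encode("utf-16-le")}


def find_marker(path, marker, chunk_size=1 << 20):
    """Raw byte-by-byte scan of a file for every occurrence of marker.
    Reads in chunks and keeps an overlap so a hit straddling two chunks is still found.
    Returns a sorted list of (absolute_offset, encoding_name)."""
    patterns = byte_patterns(marker)
    overlap = max(len(p) for p in patterns.values()) - 1
    hits = set()
    with open(path, "rb") as f:
        base, buf = 0, b""              # base = absolute file offset of buf[0]
        while True:
            chunk = f.read(chunk_size)
            if not chunk:
                break
            buf += chunk
            for name, pat in patterns.items():
                i = buf.find(pat)
                while i != -1:
                    hits.add((base + i, name))
                    i = buf.find(pat, i + 1)
            keep = min(overlap, len(buf))   # retain the tail for the next round
            base += len(buf) - keep
            buf = buf[len(buf) - keep:]
    return sorted(hits)


def write_sample(path):
    """Constructed stand-in for a raw mailbox file (NOT the real PST layout):
    one live record and one record flagged 'deleted' (0x01, our own convention)
    whose body still sits on disk, stored as UTF-16LE like Unicode PST strings."""
    live = b"\x00" + "Subject: lunch".encode("utf-16-le")
    dead = b"\x01" + ("Subject: " + MARKER).encode("utf-16-le")
    with open(path, "wb") as f:
        f.write(b"\x00" * 64 + live + b"\x00" * 32 + dead + b"\x00" * 64)


def demo(chunk_size=1 << 20):
    """Write the sample file and scan it; returns the hit list for MARKER."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample.bin")
        write_sample(path)
        return find_marker(path, MARKER, chunk_size)


if __name__ == "__main__":
    for offset, enc in demo():
        print(f"{MARKER!r} found at byte offset {offset} as {enc}")
```

One caveat for real files: Outlook writes PST files by default with its ‘compressible encryption’ setting (the permutative encoding described in Microsoft’s MS-PST specification), which scrambles the bytes on disk, so this plain search only hits in a PST created with no encryption or after that encoding has been undone; the PST viewer used above does that decoding for you.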
What about OST files?
Outlook OST files are almost the same as PST files; they are used to hold Exchange Server account information locally. Maybe they work differently? So we tried the entire scenario above, except with an Exchange Server account and an OST file.
Exactly the same result. The ‘permanently deleted’ items were visible in the OST file, merely flagged as ‘Deleted’ but not truly wiped.