Have you ever seized a laptop, found a massive OST file on it, and then watched Outlook refuse to open it?
I have. Hundreds of times. On raids across India, that moment is one of the most frustrating a digital forensics investigator faces. The data is sitting right there on the disk. You can see the file. You can hash it. But Outlook will not let you in.
That experience is what eventually pushed me to build MailXaminer, my own email forensics tool, from scratch. And it is what makes me qualified to write this guide.
Here is what I am going to walk you through. What OST and PST files actually are. How they are different at the binary level, not just the surface level. Why the protocol your suspect used matters enormously to your investigation. And how to get data out of files that look inaccessible.
Let’s dig in.
What Is an OST File?
OST stands for Offline Storage Table. Microsoft Outlook creates an OST file automatically when you set up an email account using IMAP or Microsoft Exchange.
Here is the simple version. Outlook downloads a local copy of your entire mailbox and stores it in that OST file. You can read, write and organise email even when you are offline. The moment your internet comes back, Outlook syncs the local copy with the server. Changes go both ways.
On a seized device, you will find OST files here by default:
C:\Users\[Username]\AppData\Local\Microsoft\Outlook\
What Is Actually Inside an OST File
Most guides stop at “it’s a local cache.” That is not enough if you are doing forensics.
An OST file uses a binary format built on a B-tree node structure. It has a fixed 4-byte magic header, 21 42 44 4E, that identifies it as a valid Outlook data store. Every folder, every message and every attachment is referenced through a chain of node ID tables and heap allocation maps.
When I was building MailXaminer, reverse-engineering this structure took months. I needed to understand how the NDB layer (Node Database) sits beneath the LTP layer (Lists, Tables, Properties). Most commercial tools treat the OST as a black box. We treated it as a file system. That distinction is why MailXaminer can read files that other tools cannot.
The forensic implication? Even a “broken” or inaccessible OST is often structurally intact at the binary level. More on that below.
What Is a PST File?
PST stands for Personal Storage Table. Outlook creates a PST file when an account is set up using POP3 (Post Office Protocol 3).
Here is the key difference from IMAP. POP3 downloads your emails from the server to your local device. Then, by default, it deletes them from the server. The PST file on the local machine is often the only surviving copy of that correspondence. There is no server backup to fall back on.
For investigators, that changes everything.
ANSI vs Unicode PST Files
PST files come in two formats and you need to know which one you are dealing with.
ANSI PST files were used before Outlook 2003. They max out at 2 GB and use single-byte character encoding. In my lab, I have processed ANSI PST files from Outlook 97 installations where the encoding created corruption artefacts that naive conversion tools misread entirely. MailXaminer detects the format version from the header automatically and switches parsing logic without any manual input.
Unicode PST files came in with Outlook 2003 and are still the standard today. They support up to 50 GB and use UTF-16 encoding. If you are working with a modern machine, this is what you will see.
PST files are also fully portable. A PST archive can be imported into any Outlook installation without a live server connection. That is exactly why lawyers and legal teams prefer PST when they receive email evidence.
OST vs PST: The Key Differences at a Glance
| Feature | OST File | PST File |
|---|---|---|
| Protocol | IMAP / Exchange | POP3 |
| Server sync | Yes (bidirectional) | No (local only) |
| Portability | Limited (tied to profile) | Fully portable |
| Importable into Outlook directly | No (must convert first) | Yes |
| Works offline | Yes (cached copy) | Yes (stored locally) |
| Max file size (Unicode) | 50 GB | 50 GB |
| Character encoding | Unicode (UTF-16) | ANSI or Unicode |
| Magic bytes (header) | 21 42 44 4E | 21 42 44 4E |
| Primary forensic challenge | Orphan files, profile binding | Large archives, corruption |
| Default location | AppData\Local\Microsoft\Outlook | Documents\Outlook Files |
Why the Protocol Your Suspect Used Matters
Let’s say you are investigating a fraud case. You seize the suspect’s laptop. Do you know whether their Outlook was set up with IMAP or POP3?
It matters more than most investigators realise.
If it was IMAP, the server still holds a copy of every email. You have options. You can approach the email provider, serve a legal notice and obtain server-side records. The OST on the local machine is useful, but it is not your only shot.
If it was POP3, that PST file on the laptop may be the only copy of every email the suspect ever sent or received. The server deleted them on download. I have worked cases exactly like this. The server logs showed zero retained messages. The PST was everything. One corrupt sector on that drive would have ended the investigation.
So yes, the stakes for recovering a POP3 PST file cleanly are enormous.
What Our Lab Tests Found About Deleted Messages
Here is something that will change how you think about PST files.
In our forensics lab, we run controlled tests on how Outlook handles deleted messages in PST files. What we found is this. When a user deletes an email from the Deleted Items folder, Outlook does not immediately overwrite the data blocks. It marks the message with a deletion flag in the node header and flags that space for reuse. The actual data persists until Outlook compacts the file.
That recovery window is real. In our internal tests, MailXaminer consistently recovers 60 to 90 percent of soft-deleted messages from recent PST files. The user thinks the email is gone. It is not.
The Orphan OST Problem (And How to Solve It)
Back to that scenario I opened with.
You seize a device. You find a large OST file. But the suspect’s Exchange account has been deactivated. The server is offline or out of jurisdiction. Outlook needs to authenticate against that server to open the OST. It cannot. So it refuses.
Outlook’s refusal is a UI restriction. It is not a data destruction event.
The internal structure of that orphan OST is completely intact. The B-tree is readable. The node tables are valid. Every message record is there. The only thing missing is the server handshake that Outlook uses as a gatekeeper.
MailXaminer bypasses that gatekeeper entirely. By parsing the NDB layer directly without going through Outlook’s profile authentication, it reads every message, attachment, calendar entry and contact from an orphan OST as if the account were fully live.
How to Handle an Orphan OST the Right Way
- Always work from a forensic copy. Never open the original OST. Create a verified bit-for-bit image first. Work only from the copy.
- Hash the file before you touch it. Record the SHA-256 or MD5 hash of the OST before any conversion. See the detailed guide on hash values in computer forensics.
- Log everything in the conversion process. Tool name, version, date, operator, input hash and output hash. Chain of custody applies to every step.
- Validate the output. After converting OST to PST, cross-reference message counts and folder structure. Confirm nothing was dropped.
- Use court-accepted tools only. Opposing counsel will challenge your conversion tool if it cannot produce a verifiable audit log. I have seen this happen in court. Do not give them that opening.
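As an added example (my own illustration here, not MailXaminer's code and not part of the original tool) that ties the ANSI vs Unicode header check from earlier in this guide to the hash-before-you-touch-it step above: a Python triage script that SHA-256 hashes the file, verifies the 21 42 44 4E magic (the ASCII bytes "!BDN"), reads the wVer field at offset 10 to tell an ANSI file (14 or 15) from a Unicode one (23, or 36 for the 4K-page variant), and reports the bCryptMethod byte. The field offsets follow the published MS-PST header layout; the sample header is constructed, not taken from any real mailbox.

```python
import hashlib
import struct

MAGIC = b"!BDN"       # dwMagic at offset 0, i.e. the bytes 21 42 44 4E
MAGIC_CLIENT = b"SM"  # wMagicClient at offset 8
FORMATS = {14: "ANSI", 15: "ANSI", 23: "Unicode", 36: "Unicode (4K pages)"}  # keyed by wVer (offset 10)
CRYPT = {0: "none", 1: "permute", 2: "cyclic"}  # bCryptMethod values (MS-PST)


def triage_header(data: bytes) -> dict:
    """Classify a PST/OST header from the leading bytes of the file."""
    info = {"magic_ok": False, "format": None, "wVer": None, "wVerClient": None, "crypt": None}
    if len(data) < 16 or data[:4] != MAGIC or data[8:10] != MAGIC_CLIENT:
        return info  # not an Outlook data store, or a header too damaged to trust
    wver, wver_client = struct.unpack_from("<HH", data, 10)
    info.update(magic_ok=True, wVer=wver, wVerClient=wver_client, format=FORMATS.get(wver, "unknown"))
    crypt_off = 461 if wver in (14, 15) else 513  # bCryptMethod offset: ANSI vs Unicode header
    if len(data) > crypt_off:
        info["crypt"] = CRYPT.get(data[crypt_off], "unknown")
    return info


def triage_bytes(data: bytes) -> dict:
    """Header classification plus SHA-256 of the whole buffer for the custody log."""
    info = triage_header(data[:564])  # 564 bytes covers the full Unicode header
    info["sha256"] = hashlib.sha256(data).hexdigest()
    return info


def triage_file(path: str) -> dict:
    """Same as triage_bytes, streaming a large file from disk (run it on the forensic copy)."""
    with open(path, "rb") as fh:
        head = fh.read(564)
        sha = hashlib.sha256(head)
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            sha.update(chunk)
    info = triage_header(head)
    info["sha256"] = sha.hexdigest()
    return info


def sample_header(wver: int, crypt: int) -> bytes:
    """Constructed sample header (not from any real mailbox) for demonstration and tests."""
    ansi = wver in (14, 15)
    buf = bytearray(512 if ansi else 564)
    buf[0:4], buf[8:10] = MAGIC, MAGIC_CLIENT
    struct.pack_into("<HHBB", buf, 10, wver, 19, 1, 1)  # wVer, wVerClient, platform bytes
    buf[461 if ansi else 513] = crypt
    return bytes(buf)
```

Record the returned hash and format in the conversion log before any tool touches the file; a magic check that fails on a file Outlook refuses to open tells you the header itself is damaged, which is a different triage path from an orphan OST with an intact header.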
What MailXaminer Extracts That Standard Tools Miss
I built MailXaminer around one principle. Nothing inside an OST or PST file should be inaccessible to a trained investigator.
Standard tools, including Outlook itself, only show you what the application layer is designed to surface. MailXaminer goes to the binary internals. Here is what that means in practice.
Soft-deleted message recovery. Messages purged from Deleted Items but still in the PST’s free block list are recoverable. In our lab tests, we recover 60 to 90 percent of them from recent files.
Attachment carving. Attachments live as embedded message objects in the node structure. Even when the parent email is deleted, MailXaminer can carve and extract the attachment binary independently.
Full MIME header extraction. Every email stores its full MIME header as a property stream. MailXaminer pulls out X-Originating-IP, Message-ID, the Received chain and DKIM signature fields. That data is invisible in Outlook’s reading pane. For origin tracing, it is everything.
Accurate email timelines. MailXaminer reads PR_CREATION_TIME, PR_LAST_MODIFICATION_TIME and PR_MESSAGE_DELIVERY_TIME directly from the MAPI property stream in the node table. Those timestamps hold up under cross-examination because they come from the file itself, not from any display layer.
Corrupt file triage. Partial OST and PST files from failing drives are common in this work. MailXaminer’s parser is fault-tolerant. It recovers readable nodes even when the header or allocation map is damaged.
Can OST and PST Files Be Used as Evidence in Court?
Yes. And I say that from the witness stand, not just from theory.
I have given expert witness testimony in multiple civil and criminal cases in India where OST and PST files formed the backbone of the email evidence. Courts accept them. But admissibility is not automatic.
Three things determine whether your evidence holds up. Integrity means verified hash values from the point of seizure through to the courtroom. Authenticity means a documented chain of custody for every single handling step. Intelligibility means a qualified expert who can explain the file structure and the extraction methodology to a judge who has never heard of a B-tree.
Get all three right and email from an OST or PST file is powerful evidence. Miss any one of them and opposing counsel will have a field day.
For more on this, read how email is used as evidence in Indian courts and how to start a proper email forensics investigation.
How to Report Cyber Crime Involving Email Evidence
- Call the National Cyber Crime Helpline: 1930
- File a complaint at cybercrime.gov.in
- Approach your nearest cyber crime police station
If you need hands-on help with an OST or PST investigation, expert witness support, or a forensic review of email evidence, get in touch with me directly.
Frequently Asked Questions About OST and PST Files
What is the main difference between an OST and a PST file?
An OST file syncs with an IMAP or Exchange server and stores a local cached copy of your mailbox. A PST file is created by POP3 accounts and stores email only locally with no server sync.
Can you open an OST file without the original Exchange account?
Not through Outlook’s standard interface. Outlook needs to authenticate with the originating server. However, forensic tools like MailXaminer parse the NDB layer directly and can read every message from an orphan OST without the server.
Are deleted emails recoverable from a PST file?
Often yes. Outlook marks deleted messages with a deletion flag but does not immediately overwrite the data. In our lab tests, we recover 60 to 90 percent of soft-deleted messages from recent PST files.
What is the maximum size of an OST or PST file?
Both support up to 50 GB in Unicode format (Outlook 2003 and later). Older ANSI PST files are capped at 2 GB.
Are OST and PST files admissible in court in India?
Yes, provided they are collected with verified hash values, handled with a documented chain of custody, and explained by a qualified expert. I have submitted both file types as evidence in court in India.
What is the most challenging part of OST or PST forensics that you have run into? Leave a comment and let me know.