5

It has happened many times in my organization that some people have left on not really good terms. So when you go to check their computers you find that they normally delete their emails; sometimes you can find them in the deleted folder (lol), but sometimes they even delete them from there.

Here is a way to get them back, I would like to see how other sys admins deal with this...

Download a hex editor from Google.
Open the .pst with the hex editor and delete positions 7 and 13 (just count the letters and press the space bar on top of the letter at space 7 and the letter at space 13).
This will corrupt the pst file. Save it.

Run SCANPST.EXE, normally located in "C:\Program Files\Common Files\System\MSMAPI\1033". It will make a backup and then it will attempt to repair the file. Once it's finished, open the .pst in Outlook and the emails should now be there.

NOW... if you are a sysadmin and you leave the company and you don't want anyone to recover your emails, or at least make it extra harder for them... then all you need to do after deleting your email is go to (in MS Outlook) Tools > Options > Mail Setup > Data Files > Choose the .pst and click on Settings > Compact Now.

squillman
  • 37,618
  • 10
  • 90
  • 145
Nicolas Marengo
  • 266
  • 5
  • 9

10 Answers

5

The best way is to get control of the emails before they get deleted. I will discuss generally and point to examples for Exchange because that is the mail system I know best.

1- Get the emails off of the server and to an archive of some kind when they are created. The specific solution depends on your mail server ... GFI and Sherpa are among many available for Exchange.

2- I like the IMAP idea (Robert Moir's comment to this answer). It is even better if the mail server can hold on to deleted items for a while. Exchange has a "2 level" trash bin: one in the user mailbox, then another accessible only by admins on the server. You will have to make sure that the server has enough disk space to support all of the users' mail, but disk is cheap.

3- You could also go at this using Outlook archiving, particularly if you can control the settings centrally. If you have AD this is easy to do with Group Policy. Set Outlook to archive daily to a central server location, and include that location in your nightly backups. You could also have a "rotation", moving them nightly to various locations so you have multiple versions around in the event of bad behavior.

tomjedrz
  • 5,964
  • 1
  • 15
  • 26
3

I think there is no real solution to this "problem." Since most organizations keep emails on the server which (hopefully) are regularly backed up, there will always be the option to restore your emails from a recent backup. I guess it wouldn't be ethically correct and even illegal, to remove all backups.

So, in my opinion, a professional way to deal with it is, that your work email (emphasis on "work") should always be handled from the perspective that the company will have access to it. Keep personal things separated from business communication using a different email address and provider (web based.)

splattne
  • 28,348
  • 19
  • 97
  • 147
3

We do the standard Exchange backups so I could do it that way if I needed to, but I recently found a new field in Exchange at the mailbox store level which is send copy of all email this store uses to another email address.

So while it's only effective from the time I started using it, we now have an archive of all email sent and received by everyone in another email server that is just a simple SMTP server. This is done more for legal reasons, and in the 8 months it's been running, other than confirming it's still working, I've not had to go into it.

SpaceManSpiff
  • 2,547
  • 18
  • 19
3

If you control your mail server, you could create a copy of every incoming email message, for example using the always_bcc feature in Postfix.

Martynas Saint
  • 1,211
  • 7
  • 15
2

If using Exchange, I would approach this from the server side first (For the non-archived emails): Recovering Deleted Items in Exchange 2003.

Kyle Brandt
  • 82,107
  • 71
  • 302
  • 444
2

On the "recovering mail" front:

It looks like several of these posters think you're running Exchange. Others talk about backing up the mail. I'm guessing you're just storing PST files on the local hard disk drives of PCs, and very likely people are turning off the PCs after hours so that you can't get remote backups. It's not the greatest idea in the world to put PST files on "network drives", but it can be done. If the users leave Outlook open, though, you're not going to be able to get consistent backups of the PST files no matter where they live.

Using that little hack to "corrupt" the PST file and then rebuild it w/ SCANPST is a neat idea. >smile<

On the "making mail disappear" front:

Since you are just using PST files and you want to be sure that a PST isn't recoverable I'd highly recommend using an overwrite utility rather than just "compacting" the file. It's highly likely that a block-level examination of the disk (like with forensics tools) would still turn up some of the old email even after you "compacted". Overwriting the bits will make them much more inaccessible (and much more expensive to attempt to access).

Nico: Your employer sounds more and more like a joyful place to work.. >sigh< Good luck.

Evan Anderson
  • 141,071
  • 19
  • 191
  • 328
  • Very true, all you say. No Exchange. Tried putting the PST files on the network but didn't like the amount of traffic it caused, and Outlook failed to see the pst every so often. Just to add to the "making mail disappear": if deleting the .pst file, then people could use cipher /w to overwrite the bits? Would that work? It's very difficult for me to introduce new technology when my employer doesn't want to spend any money and he says he is technically minded. – Nicolas Marengo Jun 05 '09 at 12:27
  • AFAIK, you can still back up open PST files using a shadow copy or similar backup mechanism. Whichever way it is, it's better than having no backup at all for those loyal employees that happen to have their hard drive crash on them. And it would seem strange to me that open PST files would cause huge amounts of traffic on a network, so much that you would notice. – V. Romanov Jun 05 '09 at 12:52
  • I think you're just getting lucky backing-up PST files with VSS because people probably aren't actively using them when your backup runs. I can't imagine that Outlook has code to quiesce when a VSS snapshot gets taken. I'm not saying you shouldn't do it, but I'd bet that if you tried to take a VSS snapshot of a PST while someone was actively using the mailbox you'd get an inconsistent file. – Evan Anderson Jun 05 '09 at 13:07
  • re: deleting mail - There are lots of free wipe utilities out there. Some support US Department of Defense standard wipes which, as you stated, do overwrite the bits with the output of a cryptographically secure random number generator. – Evan Anderson Jun 05 '09 at 13:09
  • re: Evan - The assumption is that you're backing up the PST files at night, when people aren't working. VSS circumvents the "open file" lock, that's all. – V. Romanov Jun 05 '09 at 13:27
2

The best way to do this is to use some method that the user has no control over. If they can't see or access it, or even know it exists, then they won't know that they "need" to delete it before leaving. A few options:

  1. Journal mailboxes (assuming that you know that this is going to happen in advance and want to prepare for it).
  2. Tracking logs (if you only want to know what they sent to whom, and when).
  3. Multiple backups from which individual mailboxes/messages can be restored. I've only ever used Exchange 2007 (I'm a former forcibly-converted GroupWise admin), but the deleted item/mailbox retention in it's pretty good, although I don't know what it was like under previous versions.
RainyRat
  • 3,700
  • 1
  • 23
  • 29
1

We use ExMerge to perform our Exchange backups. This works fine when there aren't too many users on the network, but it does blow away the security on the mailbox files. You'd be able to get emails back from backups then.

As a Sysadmin, I'd change the access rights to my mailbox so they're not backed up. Not 100% effective, but it would make things more difficult, and I'd flush the deleted items from the system manager as well.

squillman
  • 37,618
  • 10
  • 90
  • 145
1

Messages deleted from the Exchange mailbox should be recoverable via the Exchange deleted items bin (server side - and you DO have this set up, right?)

Messages deleted from a PST file can be recoverable only if Outlook didn't compact the file yet. The PST file has a marginally stupid behavior, and it will compact it automatically on exiting (or opening) Outlook, if the changes in the PST reached 10% or more of its size (that is, if you delete half the messages in the PST and close Outlook, it will probably compact it without asking you).

The smart way of not even needing to voodoo your way to those deleted email messages is to force everyone to store their PST files on a network drive, which is the way you should be doing it anyway if you want to have backups for those users that accidentally lost data. Then you can just restore the PST from yesterday's/last week's backup, and maybe only lose a few of the latest messages.

V. Romanov
  • 1,169
  • 1
  • 9
  • 19
  • We never had Exchange server unfortunately. Only a Linux box with pop3/imap. Managers are the only people that download emails using Outlook; the rest of the users are only allowed to use webmail. – Nicolas Marengo Jun 05 '09 at 12:03
  • 1
    In that case, turn off pop3, enable imap, emails live on the server, you control the server, server backed up often, everyone happy. – Rob Moir Jun 05 '09 at 12:05
  • It will work depending on the size of your server, and how many users you've got, amount of emails received, etc. When you have 1 GB of RAM and a 60 GB hard drive then the server would not be the place to hold 200 users' emails. – Nicolas Marengo Jun 05 '09 at 12:40
  • @Nico, that's true, but at the end of the day, once you lose control of the emails (let them go out to PSTs without retaining copies somehow) then you've lost any chance of a guaranteed recovery. Frankly, I applaud what you're doing already because you're already stretching things above and beyond - but fundamentally there's no way to guarantee email integrity with things as they are, maybe someone will have a hack to improve things for you, I hope so, but you can't get there from here, so to speak. – Rob Moir Jun 05 '09 at 17:21
1

I would suggest you make daily backups of all the mail on the server. Then, when someone decides to leave and delete their mail beforehand, you still have all of their mail in your backups.

How long you decide to keep backups of mail is entirely up to storage space, company policy etc.

Since your mail server is on Linux, you're most likely using maildir format, so I would suggest running in cron:

tar -zcf mail-backup.tgz /path/to/mail

then when you need to restore you can gunzip mail-backup.tgz and use tar to select what directory you want to extract.

buecking
  • 693
  • 1
  • 6
  • 10
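The nightly Maildir backup suggested in the answer above, extended with dated archives, a retention window and a restore of a single user's mailbox. This is an added example, not code from the thread; `MAIL_ROOT`, `BACKUP_DIR`, `KEEP_DAYS`, the script path in the crontab comment and the mailbox name `alice` are assumptions.

```shell
#!/bin/sh
# Added example: nightly Maildir backup with retention and single-mailbox restore.
# MAIL_ROOT, BACKUP_DIR and KEEP_DAYS are assumed values, not taken from the thread.
# Assumed crontab entry: 15 2 * * * /usr/local/sbin/mail-backup.sh --run
MAIL_ROOT="${MAIL_ROOT:-/var/mail/vhosts}"
BACKUP_DIR="${BACKUP_DIR:-/srv/backup/mail}"
KEEP_DAYS="${KEEP_DAYS:-30}"

# Write BACKUP_DIR/mail-YYYY-MM-DD.tgz and print its path.
backup_mail() {
    archive="$BACKUP_DIR/mail-$(date +%Y-%m-%d).tgz"
    mkdir -p "$BACKUP_DIR" || return 1
    chmod 700 "$BACKUP_DIR" || return 1
    # The archive holds everyone's mail: create it readable by the owner only.
    # -C stores paths relative to MAIL_ROOT so one mailbox can be extracted by name.
    ( umask 077; tar -czf "$archive.tmp" -C "$MAIL_ROOT" . ) || return 1
    # List the archive to confirm it is readable before it replaces today's copy.
    tar -tzf "$archive.tmp" >/dev/null || return 1
    mv "$archive.tmp" "$archive" || return 1
    echo "$archive"
}

# Delete archives last modified more than KEEP_DAYS days ago.
prune_backups() {
    find "$BACKUP_DIR" -type f -name 'mail-*.tgz' -mtime +"$KEEP_DAYS" -exec rm -f {} +
}

# Extract one mailbox directory (e.g. "alice") into a scratch directory,
# leaving the live mail store untouched until the result has been reviewed.
restore_mailbox() {
    archive=$1 mailbox=$2 dest=$3
    mkdir -p "$dest" || return 1
    tar -xzf "$archive" -C "$dest" "./$mailbox"
}

if [ "${1:-}" = "--run" ]; then
    backup_mail >/dev/null && prune_backups
fi
```

On a busy server tar can return a non-zero status when messages are moved or delivered during the run, so taking the archive from a filesystem snapshot gives a more consistent copy.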