Turning off PST compacting in Outlook? - Page 2

Thread: Turning off PST compacting in Outlook?

  1. #11
    oldie ric-o's Avatar
    Join Date
    Nov 2002
    Posts
    487
    Sorry everyone, stepped offline for a while.

    morganlefay: Sorry for confusion...I'm NOT talking about AutoArchive but rather the automatic compacting of "white space" in Outlook PST file.

    This is a standalone home Outlook install which pulls down mail from POP server.

    Originally posted here by nihil
    Are you sure that Outlook 2002 actually has an autocompact feature?
    Nihil: I'm not totally sure it does have one but this MS article and some other articles (don't have them handy) mentioned it. http://support.microsoft.com/default...NoWebContent=1.
    Automatic compaction takes place as an idle task in the background. The following conditions must be true for this background task to take place:
    * Outlook must be running.
    -and-
    * The computer must not be engaged in other CPU-intensive tasks such as copying or downloading files.
    It also mentions that the file had to be a min of 16KB in size and there was at least 16KB of "white space" available. Not a problem, the PST I'm talking about is 40MB+.

    So that would lead me to believe it does auto compact...sigh not clear! I hope it's not automatic, obviously. I guess I need to test it by creating a new PST, moving a bunch of messages into it, deleting some, and then waiting to see if it auto compacts. I was hoping to avoid this process and I'm not sure if I'll test it properly.

    /EDIT:
    Another article that talks about the auto compacting feature.
    http://www.winnetmag.com/Article/ArticleID/22164/22164.html
    Outlook automatically compacts a .pst file when the file reaches a certain (but undocumented) size; however, for automatic compaction to occur, your PC must be completely idle.

  2. #12
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    OK ric-o sit down and hold on tight, here come some gross hacks

    Try installing SETI@home or Folding@home. They will keep the CPU at full belt. Normal proggys will just grab resource from them, but it sounds as if the Outlook compressor checks CPU usage BEFORE it launches itself. In theory, if they are already taking the CPU up to 100%, the compressor will never start.

    A slightly more elegant one:

    1. Find the program that does the compression and rename it
    2. Write a little script that puts up a message box "Compacting Outlook Files" for 15 seconds and name it the same as the original file and put it in the same place.

    Outlook will call the proggy which will run, and I bet Outlook will be none the wiser.

    How about that for a pure theft of virus design technology?

    I have dug out my Outlook 2002 box and will have a look tomorrow and get back to you.

    Cheers
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  3. #13
    oldie ric-o's Avatar
    Join Date
    Nov 2002
    Posts
    487
    Ok, I've done a couple of tests now and have confirmed that indeed Outlook does do some sort of automatic compacting without initiation when your PC is idle.

    Test:
    * Left Outlook alone for 15 mins after deleting tons of stuff...
    1. File size = 20,400; Outlook size (properties | folder size option) = 19,165
    2. Closed all other apps but Outlook
    3. Deleted enough stuff so the overall folder sizes totalled 9,447 (when using Outlook properties | folder size option)
    4. Emptied Deleted Items folder
    5. Left PC alone for ~20 minutes
    6. PST file size went from 20,400 to 17,500 and was steadily shrinking right in front of my eyes

    So there you have it Computer Forensics fans...Outlook DOES INDEED have an automatic compacting mechanism that kicks in if you have an idle system and Outlook is open and running.

    Now if only I could find the disable value/key in the Registry (if it exists).

    Thanks for the help Nihil.

  4. #14
    Senior Member
    Join Date
    Oct 2001
    Posts
    748
    If the files are actually deleted from the PST, that is, they are not moved to the deleted items folder (say you use shift-delete in a PST), stopping compaction will not keep the email from being overwritten. Exchange will always write to white space first before growing the size of the PST.

    Exchange server does the same thing on its databases. It is usually pretty common to see around 3-5GB of whitespace on an Exchange store that is 25GB in total size, and has a lot of activity.

    So I don't know how effective your data recovery would be. If there is a lot of mail being written in and out of the PST I would expect that most things would be overwritten pretty quickly once they are deleted.

  5. #15
    Regal Making Handler
    Join Date
    Jun 2002
    Posts
    1,668
    So there you have it Computer Forensics fans...Outlook DOES INDEED have an automatic compacting mechanism that kicks in if you have an idle system and Outlook is open and running.
    Now how the hell do you carry out a forensic examination on a pc that is running, at least one that will stand up in a court of law?
    What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry

  6. #16
    Computer Forensics
    Join Date
    Jul 2001
    Posts
    672
    First off..Why the hell is this in the computer forensics forum? This has nothing to do with the topic.

    Secondly, Jinxy: You use this: http://www.digitalintel.com/shadow.htm
    Antionline in a nutshell
    "You're putting the fate of the world in the hands of a bunch of idiots I wouldn't trust with a potato gun"

    Trust your Technolust

  7. #17
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    hogfly

    First off..Why the hell is this in the computer forensics forum? This has nothing to do with the topic.
    On the contrary, it has everything to do with forensics. The question is about whether the Outlook automatic maintenance routine will destroy forensic evidence or not. And, if it does, can this be prevented to permit accurate forensic analysis. I realise it wasn't worded quite like that, but that does seem to be the issue? so it is sort of "pre-forensics", with the ultimate objective being a reliable forensic analysis. In other words: "are forensics possible in these conditions?"

    mohaugn

    If the files are actually deleted from the PST, that is, they are not moved to the deleted items folder (say you use shift-delete in a PST), stopping compaction will not keep the email from being overwritten. Exchange will always write to white space first before growing the size of the PST.
    That is an excellent point which I did mention in an earlier post. Actually, it does not matter if you use <shift> + <delete> or just send items to the deleted "folder" and then empty it (you can actually set an option to automatically empty the deleted items folder on exit). Both will create the same available (white) space, which the system will use.

    Now, the "deleted items folder" does not exist. The records are actually held in .pst. Only the archive has a separate folder. Whilst they are "flagged" as being in the deleted items folder, they are safe, and you can recover them using Outlook itself (it's a bit like the Recycle Bin). Once you reset this flag by emptying the deleted items folder, or set it directly by using <shift> + <delete>, the space is available for use.

    So a lot will depend on user usage patterns. If they go into Outlook, do their stuff then come out and go away, you would have a reasonable chance. If they keep going in and out of Outlook sessions, then the probability of overwriting is very high.

    I see the whole dilemma as similar to the page/swap file, it is a dynamic and volatile environment rather than a static one. Sure, you can recover data from the page/swap file but what you get is very dependent on how the machine is being used.

    For a really reliable result you need a physical solution such as hogfly has identified, or software that intercepts all e-mail and sends a BCC to another location. Both are "spying" so you need to make damn sure that you have the authority to do it.

    Well, those are my thoughts on it
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  8. #18
    Computer Forensics
    Join Date
    Jul 2001
    Posts
    672
    Originally posted here by nihil
    On the contrary, it has everything to do with forensics. The question is about whether the Outlook automatic maintenance routine will destroy forensic evidence or not. And, if it does, can this be prevented to permit accurate forensic analysis. I realise it wasn't worded quite like that, but that does seem to be the issue? so it is sort of "pre-forensics", with the ultimate objective being a reliable forensic analysis. In other words: "are forensics possible in these conditions?"
    Nihil, if this is a forensics issue then I weep for the credibility of anything produced from it. While compacting whitespace might be an issue, the system shouldn't even be live, and shouldn't be operated on, so the whole compacting issue is moot, because in a real investigation the system isn't going to be live unless someone is using something similar to shadow.

    Now, that being said, you should be able to recover Outlook files from an INFO2 file or the MFT itself. If it requires it, go get the slack space surrounding the pst file as well. And since it seems like some help is needed in this area...you could always fork out $200 bucks and buy this: http://www.paraben-forensics.com/examiner.html
    Antionline in a nutshell
    "You're putting the fate of the world in the hands of a bunch of idiots I wouldn't trust with a potato gun"

    Trust your Technolust

  9. #19
    oldie ric-o's Avatar
    Join Date
    Nov 2002
    Posts
    487
    Originally posted here by hogfly
    Nihil, if this is a forensics issue then I weep for the credibility of anything produced from it. While compacting whitespace might be an issue, the system shouldn't even be live, and shouldn't be operated on, so the whole compacting issue is moot, because in a real investigation the system isn't going to be live unless someone is using something similar to shadow.
    You're right. As this discovery regarding how Outlook operates moves along it has become very apparent that 1) I won't be able to recover the data as expected and 2) it won't hold up in court. That said, this issue might not be a court thing but if it turns into one then this evidence is worthless...big risk here of course.
    Now, that being said, you should be able to recover Outlook files from an INFO2 file or the MFT itself. If it requires it, go get the slack space surrounding the pst file as well. And since it seems like some help is needed in this area...you could always fork out $200 bucks and buy this: http://www.paraben-forensics.com/examiner.html
    Thanks for the reference...I'll take a look at this. I also like that Shadow box you sent earlier because in addition to the challenge of monitoring email, I have to monitor all traffic including web and a packet sniffer may be viable in this particular situation.

    Thanks for all your tips and help (nihil, hogfly, mo, jinxy)!

  10. #20
    Computer Forensics
    Join Date
    Jul 2001
    Posts
    672
    Compaction apparently destroys the email so yes..when a pst is compacted, you lose the ability to recover the email.

    Here's a little tidbit from a mailing list.

    1) Make a backup copy of the PST file being examined.
    2) Using a hex editor that you are familiar with replace bytes 7 to 13 of the PST file with FF (they're usually set to 00).
    3) Run a tool called "scanpst", which is usually resident in C:\Program Files\Common Files\System\Mapi\1033 on a Windows box. It might not be in this directory, but should be installed by default.
    4) Open the PST file and any recoverable messages should have been recovered.
    Antionline in a nutshell
    "You're putting the fate of the world in the hands of a bunch of idiots I wouldn't trust with a potato gun"

    Trust your Technolust
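
Steps 1 and 2 of the mailing-list procedure quoted in post #20, as an added example that is not part of the original thread or the mailing-list post: it hashes the evidence PST, patches only a working copy, and confirms the evidence file is unchanged afterwards. Assumptions: "bytes 7 to 13" is read as zero-based offsets 7 through 13 inclusive, as a hex editor displays them, and the function names are hypothetical.

```python
import hashlib
import shutil
from pathlib import Path

PST_MAGIC = b"!BDN"               # signature at the start of a PST file
PATCH_FIRST, PATCH_LAST = 7, 13   # assumption: zero-based offsets, inclusive


def sha256_of(path):
    """Hash a file in 1 MiB chunks so large PSTs are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def prepare_working_copy(evidence, workdir):
    """Steps 1 and 2: copy the PST, then patch the header of the copy only."""
    evidence, workdir = Path(evidence), Path(workdir)
    with open(evidence, "rb") as fh:
        header = fh.read(PATCH_LAST + 1)
    if len(header) <= PATCH_LAST or header[:4] != PST_MAGIC:
        raise ValueError(f"{evidence} does not look like a PST file")

    evidence_hash = sha256_of(evidence)
    workdir.mkdir(parents=True, exist_ok=True)
    copy = workdir / (evidence.stem + ".working.pst")
    if copy.exists():
        raise FileExistsError(f"refusing to overwrite {copy}")
    shutil.copyfile(evidence, copy)
    if sha256_of(copy) != evidence_hash:
        raise OSError("working copy does not match the evidence file")

    with open(copy, "r+b") as fh:   # the evidence file is never opened for writing
        fh.seek(PATCH_FIRST)
        fh.write(b"\xff" * (PATCH_LAST - PATCH_FIRST + 1))

    if sha256_of(evidence) != evidence_hash:
        raise RuntimeError("evidence file changed during processing")
    return {
        "evidence_sha256": evidence_hash,
        "working_copy": copy,
        "original_header_bytes": header[PATCH_FIRST:].hex(),
        "working_sha256": sha256_of(copy),
    }
```

The returned hashes and the original header bytes belong in the case notes, so the patch to the working copy can be documented and reversed; scanpst (step 3) is then run against the working copy only.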
