Welcome to the home page of Charles N Wyble. Charles is a 24-year-old systems guy, hacker and entrepreneur currently living in El Monte, CA, with his wife of 3 years.

He is currently employed as a system engineer for Ripple TV with responsibility for a nationwide advertising network.

In his spare time he serves as Chief Technology Officer for the SoCalWiFI.net project, runs a hacker space in the San Gabriel Valley and tries to save the local economy.

Thursday, March 19, 2009

[Fwd: Outlook PST File Format]

An old e-mail. Want to get this info out on the net...

-------- Original Message --------
Subject: Outlook PST File Format
Date: Sat, 14 Oct 2006 08:19:43 -0700
From: Russell Mangel <russell@tymer.net>
To: <charles@thewybles.com>

_ <<0001C2C0_BLOCK_EC7C .htm>> _
I read most of your web site, and I know that you are familiar with OLE2
Structured Storage, and are involved in the OSER project. I have been
reversing the Microsoft Outlook PST file format, my intention is to
document this file database and build an API to read and write to the
PST file. I have spent approximately 6 months of time (over 3 years)
discovering information about the structure.

The purpose of this email is to network with you and to find additional
people or information.

The Outlook PST file format uses at least two BTree indexes, and has
several leaf pages (keys/data). Currently I am working on one of the
most difficult data pages, trying to recover the exact data and data
structures that Microsoft used to serialize the information to disk. I
have enclosed an html attachment that shows what I have learned. This
specific page is a MAPI Table *HierarchyTable*, and so we can identify
the data. I cannot figure out how Microsoft references String data
types in the Hierarchy Table, PR_STRING8 property values do not have a
fixed length and so Microsoft uses some referencing scheme to point to
the starting address of the String. However when the value will fit in
32 bits or smaller, they just place the value directly.

Problem: How do I reference the String 0x24E "Deleted Items" from the
table at 0x00C2? You can see at 0x00C2 the value of A0000000; somehow
this points to offset 0x24e.

There is a very important sequence of bytes starting at 0x0314 that must
be the beginning of building data structures to hold the serialized data.

Can you help?

Russell Mangel
Las Vegas, NV

I am aware of the libPst project, which is also working on reversing the PST
format. http://www.five-ten-sg.com/libpst/rn01re04.html I question
the author's algorithm used to recover the data (see the Associated
Descriptor Item 0x7cec section), as it is trying to recover the same
data from a similar B-Tree page that I have enclosed as an attachment.
The libpst author seems to right shift 4 bits for many of the values. I
don't understand the data structure that the author has created. I don't
think the author understands that he is building a MAPI Hierarchy table
and therefore just tries anything to recover the data. This is not good
enough for me.
