Parsing a Stolen OST for Sensitive Data

James Gallagher

During penetration tests or Red Team engagements, I often come across an orphaned .ost (Offline Outlook Data File) sitting on a network share, etc. Getting these files connected to an Outlook profile that they were not originally connected to is easier said than done. Microsoft doesn't offer a solution. There is a lot of paid software out there claiming to do it, but I'm not willing to trust such software and suspect it of being malicious. One free tool I tried didn't support older Outlook 2013 .ost files, either.

Here's how I solved this problem:

  1. Created an isolated Windows VM in case the converter software was malicious so that it couldn't exfil any data.

  2. Downloaded the trial version of https[:]//www[.]stellarinfo[.]com/convert-ost-to-pst.php (use at your own risk). The trial currently only supports exporting 10 items unless you pay $79.

  3. Moved the installation file to the Windows VM and installed it.

  4. Ran Stellar on the OST and it showed the recovered emails in the GUI, but they were not saved to a PST yet. Observed that the software stores a temporary file of the OST data here: 'C:\Program Files\Stellar Converter for OST\TempStell_Dir'.

  5. Moved this temp file to a Linux box and used strings/grep to parse it for sensitive data.

This worked pretty well and solves a problem I've experienced quite a few times.
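The strings/grep pass from step 5 as a single script, added here as an example and not the author's own tooling. The temp file's format is not described above, so the script assumes text may be stored either as plain ASCII or as UTF-16LE (which plain `strings` skips unless run with `-e l`); the patterns and the sample bytes are constructed.

```python
import re
import sys

MIN_LEN = 6  # shortest printable run worth reporting
# Printable ASCII runs, and the same characters stored as UTF-16LE (char + NUL).
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

# Constructed, illustrative patterns; adjust to what is in scope for the report.
PATTERNS = {
    "password_keyword": re.compile(r"(?i)\b(?:password|passwd|pwd)\b\s*[:=]\s*\S+"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_header": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}

# Constructed sample: binary padding, one ASCII string, one UTF-16LE string.
SAMPLE = (b"\x00\x01\x02password: Winter2024!\xff\xfe\x00"
          + "VPN pwd = hunter2".encode("utf-16-le") + b"\x00\x00\x90")


def extract_strings(data):
    """Yield (offset, encoding, text) for every printable run in data."""
    for m in ASCII_RUN.finditer(data):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in UTF16_RUN.finditer(data):
        yield m.start(), "utf-16le", m.group().decode("utf-16-le")


def find_hits(data):
    """Return sorted (offset, encoding, label, text) for runs matching a pattern."""
    hits = []
    for offset, enc, text in extract_strings(data):
        for label, rx in PATTERNS.items():
            if rx.search(text):
                hits.append((offset, enc, label, text))
    return sorted(hits)


if __name__ == "__main__":
    if len(sys.argv) == 2:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = SAMPLE  # no file given: run on the constructed sample
    for offset, enc, label, text in find_hits(data):
        print(f"0x{offset:08x} {enc:8} {label:20} {text}")
```

Byte offsets are reported so a hit can be located again in the temp file when writing up the finding.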
