Personal Folder File (PAB, PST, OST)

From ForensicsWiki
Revision as of 03:15, 31 January 2009 by Joachim Metz (Talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Microsoft Outlook uses the Personal Folder File (PFF) to store e-mails, appointments, tasks, contacts, notes, etc.

Three different types of the PFF are known:

  • The Personal Address Book (PAB), which contains the address book of contacts. These files have the extension .pab.
  • The Personal Storage Table (PST), which contains items like e-mails, appointments, tasks, notes, etc. and is used as current and archived mailbox files. These files have the extension .pst. The PST format is also referred to as the Personal Folder File (PFF) format.
  • The Offline Storage Table (OST), which contains items like e-mails, appointments, tasks, notes, etc. and is used as off line mailbox files in conjunction with Microsoft Exchange. These files have the extension .ost. The OST format is also referred to as the Offline Folder File (OFF) format.

The underlying file format of these files is the same of which the actual name is unknown but has been dubbed the Personal Folder File (PFF) format, because of its most common usage.

MIME types

The actual Mime type of the PFF format is unspecified however some sources claim the following MIME types apply to this file format:

  • application/vnd.ms-outlook (for PST files)

File signature

The PFF has the following file signature: hexadecimal: 21 42 44 4e ASCII: !BDN

File types

There are a 32-bit and a 64-bit version of the PFF. These have the same file signature but can be identified by the version in the file header.

Contents

The PFF basically contains a hierarchy of items. The attributes of these items are defined by the Microsoft Outlook Message API (MAPI).

Encryption

The PFF format allows the file to be encrypted. Two types of encryptions are currently known these are referred to as compressible and high encryption. The compressible encryption is a basic substitution cypher and the high encryption is a little more complex substitution cypher. From a cryptographic point of view this is more a way of obfuscation than a means to protect confidentiality.

See also