469,307 Members | 2,055 Online
Bytes | Developer Community
New Post

Home Posts Topics Members FAQ

Post your question to a community of 469,307 developers. It's quick & easy.

Change date in .pst file using hex editor

I am trying to change the sent date on a Microsoft outlook email.

Here's what I've done so far:

* Exported outlook folder containing a single email to a .pst file
* Opened .pst file in hex editor and checked value at offset 10, which is 0x17, confirming file is a unicode pst file
* Checked bCryptMethod byte at offset 513, which is 0x01, meaning the file is encrypted using NDB_CRYPT_PERMUTE method.
* Decrypt file using method described here:
* Open decrypted file and found date stamp, which is in format:
TAMANS-MB111-121117164625Z-34782 (DDMMYYHHMMSS)
* Found corresponding (encrypted) bytes in original file and changed them to a new date
* Tried importing new file into outlook only to get an invalid block error due to CRC mismatch
"CRC mismatch (read 6EBE8399, computed 31408368)"
* Changed CRC to computed value for that block in hex editor
* Tried importing file again, only to get an error due to invalid header:
!!Header CRC mismatch (read=7611F2D3, computed=3772C705)
* Changed CRC value for header to computed value
* Imported file again, this time with no errors!
* However sent date on email remains the same
* So I take the edited file, and decrypt it again, just to check that the timestamp was changed correctly, and it was.

So the date must also be stored elsewhere in the .pst file, but I haven't been able to find it.

I used the above steps to change the content of the email, and it worked fine, without having to change the CRC value for the header.

So I thought I was onto something when changing the timestamp invalidated the CRC for the file header as well as the block,
however the date remained the same when I imported the email.

So my question is: Where else in the .pst file is the date stored?

BTW I am doing this for fun, not profit


Jan 1 '18 #1
3 5625
1,043 Expert 1GB
In the docs: Immutability
This file format specification treats the NDB as an immutable store. What this means is that, with the exception of the header and allocation metadata pages, the data in the NDB MUST NOT be modified in-place. Instead, a new copy of the data needs to be written at a new location, and then, when all references of the pre-existing data have been removed, the old data can be purged

it's in capitals, 'MUST NOT' ... ;)
Jan 6 '18 #2
Hi thanks for your response, does "MUST NOT" mean "CAN NOT" then?
I couldn't find any mention of a timestamp in that doc, but it must be stored there somewhere
Jan 12 '18 #3
1,043 Expert 1GB
it's the part of the sentence after 'MUST NOT'.

one can do it, but :
- a new copy of the data needs to be written at a new location
- when all references of the pre-existing data have been removed

I , personally, only use Outlook to change a pst-file ;)
Jan 13 '18 #4

Post your reply

Sign in to post your reply or Sign up for a free account.

Similar topics

1 post views Thread by pythos | last post: by
4 posts views Thread by wil | last post: by
2 posts views Thread by Amintas Lopes Neto | last post: by
4 posts views Thread by Tom C. | last post: by
3 posts views Thread by terrychangsharp | last post: by
6 posts views Thread by nataria | last post: by
1 post views Thread by CARIGAR | last post: by
reply views Thread by zhoujie | last post: by
reply views Thread by suresh191 | last post: by
1 post views Thread by Geralt96 | last post: by
By using this site, you agree to our Privacy Policy and Terms of Use.