423,682 Members | 1,622 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 423,682 IT Pros & Developers. It's quick & easy.

Change date in .pst file using hex editor

P: 2
I am trying to change the sent date on a Microsoft outlook email.

Here's what I've done so far:

* Exported outlook folder containing a single email to a .pst file
* Opened .pst file in hex editor and checked value at offset 10, which is 0x17, confirming file is a unicode pst file
* Checked bCryptMethod byte at offset 513, which is 0x01, meaning the file is encrypted using NDB_CRYPT_PERMUTE method.
* Decrypt file using method described here:
https://msdn.microsoft.com/en-us/library/office/ff386229(v=office.12).aspx
* Open decrypted file and found date stamp, which is in format:
TAMANS-MB111-121117164625Z-34782 (DDMMYYHHMMSS)
* Found corresponding (encrypted) bytes in original file and changed them to a new date
* Tried importing new file into outlook only to get an invalid block error due to CRC mismatch
"CRC mismatch (read 6EBE8399, computed 31408368)"
* Changed CRC to computed value for that block in hex editor
* Tried importing file again, only to get an error due to invalid header:
!!Header CRC mismatch (read=7611F2D3, computed=3772C705)
* Changed CRC value for header to computed value
* Imported file again, this time with no errors!
* However sent date on email remains the same
* So I take the edited file, and decrypt it again, just to check that the timestamp was changed correctly, and it was.

So the date must also be stored elsewhere in the .pst file, but I haven't been able to find it.

I used the above steps to change the content of the email, and it worked fine, without having to change the CRC value for the header.

So I thought I was onto something when changing the timestamp invalidated the CRC for the file header as well as the block,
however the date remained the same when I imported the email.

So my question is: Where else in the .pst file is the date stored?

BTW I am doing this for fun, not profit

references:

https://msdn.microsoft.com/en-us/library/office/gg615595(v=office.14).aspx
https://blogs.msdn.microsoft.com/openspecification/2012/02/08/ms-pst-how-to-decode-data-pages-using-permutative-decoding/
https://msdn.microsoft.com/en-us/library/office/ff386229(v=office.12).aspx
https://blogs.msdn.microsoft.com/openspecification/2010/11/30/ms-pst-how-to-navigate-the-node-btree/
Jan 1 '18 #1
Share this Question
Share on Google+
3 Replies


Expert 100+
P: 931
In the docs:
2.6.1.3.1 Immutability
This file format specification treats the NDB as an immutable store. What this means is that, with the exception of the header and allocation metadata pages, the data in the NDB MUST NOT be modified in-place. Instead, a new copy of the data needs to be written at a new location, and then, when all references of the pre-existing data have been removed, the old data can be purged

it's in capitals, 'MUST NOT' ... ;)
Jan 6 '18 #2

P: 2
Hi thanks for your response, does "MUST NOT" mean "CAN NOT" then?
I couldn't find any mention of a timestamp in that doc, but it must be stored there somewhere
Jan 12 '18 #3

Expert 100+
P: 931
it's the part of the sentence after 'MUST NOT'.

one can do it, but :
- a new copy of the data needs to be written at a new location
- when all references of the pre-existing data have been removed

I , personally, only use Outlook to change a pst-file ;)
Jan 13 '18 #4

Post your reply

Sign in to post your reply or Sign up for a free account.