Mar 18, 2011

Experience of dbx recovery

Recently I had an email recovery task: some messages in the Inbox were missing after folder compaction in Outlook Express 6 (running on Windows XP Prof. SP3), and there was no other copy on the email server.

In Outlook Express 6, each folder is stored as a dbx file, which has a 2-GB size limit. When a message is deleted or moved to another folder, it is flagged as deleted and still occupies space in the original folder. Compacting a folder releases the space occupied by deleted/moved messages. A bak file, a copy of the corresponding folder, is created before compaction and is moved to the recycle bin after the process. If I could find the file Inbox.bak, the missing messages could be recovered. However, Inbox.bak was gone because the recycle bin was full.

I made a dd image file of the affected partition (C: ~80GB). My first action on this image file was using Windows System Restore, but it didn't back up user data, like emails and documents. Some Windows/Linux data recovery tools didn't help either. During these trials, one valuable thing was found: INFO2, the log file of the recycle bin. I opened it using rifiuti2 and found that the target Inbox.bak is 1.4GB.

Arne Schloh decoded the Outlook Express dbx file format and kindly published it at http://oedbx.aroh.de/doc/OE_Dbx_FileHeader.html. Two portions of the file header are very useful for me:
0x0000         "cf ad 12 fe" Equal for all dbx files.
0x007c-0x0080  used space of the file.

Then I successfully recovered Inbox.bak by the following steps:
  1. Write a script to search for the hex string "cfad12fe" over the image file and record the positions.
  2. Check the used space values at all found positions; there is one near 1.4GB.
  3. Extract this 1.4GB portion and save it as a dbx file.
  4. Open this dbx file with Outlook Express, and it is what I need, my luck.
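
Steps 1 to 3 can be scripted as below; this is an added Python example, not the script used in the original recovery. It assumes the used-space field at 0x7c is a little-endian 32-bit value and that the file lies contiguously in the image; the function names and the small sample image are constructed for illustration.

```python
import io
import struct

DBX_MAGIC = bytes.fromhex("cfad12fe")  # bytes at 0x0000 of every dbx file (from the post)
USED_OFF = 0x7C                        # "used space" field at 0x007c-0x0080 (from the post)

def find_magic(img, chunk=1 << 20):
    """Step 1: return every offset of DBX_MAGIC in a seekable image, read in chunks."""
    hits, pos, tail = [], 0, b""
    img.seek(0)
    while block := img.read(chunk):
        buf = tail + block
        i = buf.find(DBX_MAGIC)
        while i != -1:
            hits.append(pos - len(tail) + i)
            i = buf.find(DBX_MAGIC, i + 1)
        tail = buf[-(len(DBX_MAGIC) - 1):]  # keep 3 bytes so a magic split across chunks is seen
        pos += len(block)
    return hits

def used_space(img, off):
    """Read the used-space field of a header at off (little-endian uint32 is an assumption)."""
    img.seek(off + USED_OFF)
    raw = img.read(4)
    return struct.unpack("<I", raw)[0] if len(raw) == 4 else None

def candidates(img, expected, tolerance):
    """Step 2: headers whose used-space value is within tolerance of the expected size."""
    sized = [(off, used_space(img, off)) for off in find_magic(img)]
    return [(o, s) for o, s in sized if s is not None and abs(s - expected) <= tolerance]

def carve(img, off, size, dst, chunk=1 << 20):
    """Step 3: copy size bytes starting at off into dst; returns the bytes written."""
    img.seek(off)
    written = 0
    while written < size and (block := img.read(min(chunk, size - written))):
        dst.write(block)
        written += len(block)
    return written

def demo_image():
    """Constructed 8 KiB sample image: a decoy header at 512 and the target at 4096."""
    img = bytearray(8192)
    for off, size in ((512, 300), (4096, 2048)):
        img[off:off + 4] = DBX_MAGIC
        struct.pack_into("<I", img, off + USED_OFF, size)
    return io.BytesIO(bytes(img))
```

Against a real image, open the dd file in binary mode, pass the size reported by INFO2 as `expected`, and carve into a new file opened with `"wb"`.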