OUTLOOK.PST(5)

outlook.pst - format of MS Outlook .pst file

outlook.pst

Low level or primitive items in a .pst file are identified by an I_ID
value. Higher level or composite items in a .pst file are identified by
a D_ID value. There are two separate b-trees indexed by these I_ID and
D_ID values. Starting with Outlook 2003, the file format changed from
one with 32 bit pointers to one with 64 bit pointers. We describe both
formats here.

The 32 bit file header is located at offset 0 in the .pst file.

    0000 21 42 44 4e 49 f8 64 d9 53 4d 0e 00 13 00 01 01
    0010 00 00 00 00 00 00 00 00 50 d6 03 00 bd 1e 02 00
    0020 08 4c 00 00 00 04 00 00 00 04 00 00 0f 04 00 00
    0030 0d 40 00 00 99 0a 01 00 18 04 00 00 0d 40 00 00
    0040 0d 40 00 00 11 80 00 00 02 04 00 00 0a 04 00 00
    0050 00 04 00 00 00 04 00 00 0f 04 00 00 0f 04 00 00
    0060 0f 04 00 00 0d 40 00 00 00 04 00 00 00 04 00 00
    0070 04 40 00 00 00 04 00 00 00 04 00 00 00 04 00 00
    0080 00 04 00 00 00 04 00 00 00 04 00 00 00 04 00 00
    0090 00 04 00 00 00 04 00 00 00 04 00 00 00 04 00 00
    00a0 0c 09 00 00 00 00 00 00 00 04 27 00 00 24 23 00
    00b0 c0 09 0a 00 00 c8 00 00 bc 1e 02 00 00 7e 0c 00
    00c0 b4 1e 02 00 00 54 00 00 01 00 00 00 23 55 44 d1
    00d0 5a 4f ce 6b 80 ff ff ff 00 00 00 00 00 00 00 00
    00e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0100 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0110 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0120 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0130 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0140 00 00 00 00 00 00 00 00 00 00 00 00 3f ff ff ff
    0150 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
    0160 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
    0170 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
    0180 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
    0190 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
    01a0 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
    01b0 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
    01c0 ff ff ff ff ff ff ff ff ff ff ff ff 80 01 00 00
    01d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    01e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    01f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

    0000  signature        [4 bytes]  0x4e444221  constant
    000a  indexType        [1 byte]   0x0e        constant
    01cd  encryptionType   [1 byte]   0x01        in this case
    00a8  total file size  [4 bytes]  0x270400    in this case
    00c0  backPointer1     [4 bytes]  0x021eb4    in this case
    00c4  offsetIndex1     [4 bytes]  0x005400    in this case
    00b8  backPointer2     [4 bytes]  0x021ebc    in this case
    00bc  offsetIndex2     [4 bytes]  0x0c7e00    in this case

We only support index types 0x0e, 0x0f, 0x15, and 0x17, and encryption
types 0x00, 0x01 and 0x02. Index type 0x0e is the older 32 bit Outlook
format. Index type 0x0f seems to be rare, and so far the data seems to
be identical to that in type 0x0e files. Index type 0x17 is the newer
64 bit Outlook format. Index type 0x15 seems to be rare, and according
to the libpff project should have the same format as type 0x17 files.
It was found in a 64-bit pst file created by Visual Recovery. It may be
that index types less than 0x10 are 32 bit, and index types greater
than or equal to 0x10 are 64 bit, and the low order four bits of the
index type are some subtype or minor version number.

Encryption type 0x00 is no encryption, type 0x01 is "compressible"
encryption, which is a simple substitution cipher, and type 0x02 is
"strong" encryption, which is a simple three rotor Enigma cipher from
WWII.

offsetIndex1 is the file offset of the root of the index1 b-tree, which
contains (I_ID, offset, size, unknown) tuples for each item in the
file. backPointer1 is the value that should appear in the parent
pointer of that root node.

offsetIndex2 is the file offset of the root of the index2 b-tree, which
contains (D_ID, DESC-I_ID, TREE-I_ID, PARENT-D_ID) tuples for each item
in the file. backPointer2 is the value that should appear in the parent
pointer of that root node.

The 64 bit file header is located at offset 0 in the .pst file.

    0000 21 42 44 4e 03 02 23 b2 53 4d 17 00 13 00 01 01
    0010 00 00 00 00 00 00 00 00 04 00 00 00 01 00 00 00
    0020 8b 00 00 00 00 00 00 00 1d 00 00 00 00 04 00 00
    0030 00 04 00 00 04 04 00 00 00 40 00 00 02 00 01 00
    0040 00 04 00 00 00 04 00 00 00 04 00 00 00 80 00 00
    0050 00 04 00 00 00 04 00 00 00 04 00 00 00 04 00 00
    0060 04 04 00 00 04 04 00 00 04 04 00 00 00 04 00 00
    0070 00 04 00 00 00 04 00 00 00 04 00 00 00 04 00 00
    0080 00 04 00 00 00 04 00 00 00 04 00 00 00 04 00 00
    0090 00 04 00 00 00 04 00 00 00 04 00 00 00 04 00 00
    00a0 00 04 00 00 00 04 00 00 02 04 00 00 00 00 00 00
    00b0 00 00 00 00 00 00 00 00 00 24 04 00 00 00 00 00
    00c0 00 44 00 00 00 00 00 00 00 71 03 00 00 00 00 00
    00d0 00 22 00 00 00 00 00 00 83 00 00 00 00 00 00 00
    00e0 00 6a 00 00 00 00 00 00 8a 00 00 00 00 00 00 00
    00f0 00 60 00 00 00 00 00 00 01 00 00 00 00 00 00 00
    0100 ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0110 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0120 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0130 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0140 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0150 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0160 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0170 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0180 7f ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
    0190 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
    01a0 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
    01b0 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
    01c0 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
    01d0 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
    01e0 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
    01f0 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
    0200 80 00 00 00 e8 00 00 00 00 00 00 00 c4 68 cb 89

    0000  signature        [4 bytes]  0x4e444221  constant
    000a  indexType        [1 byte]   0x17        constant
    0201  encryptionType   [1 byte]   0x00        in this case
    00b8  total file size  [8 bytes]  0x042400    in this case
    00e8  backPointer1     [8 bytes]  0x00008a    in this case
    00f0  offsetIndex1     [8 bytes]  0x006000    in this case
    00d8  backPointer2     [8 bytes]  0x000083    in this case
    00e0  offsetIndex2     [8 bytes]  0x006a00    in this case
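
Both header layouts above can be read and checked before any offset in them is followed. This Python code is an added example, not libpst code: the function names and the bounds checks on the two root offsets are assumptions of the example, and the sample headers are constructed from the "in this case" values in the tables above.

```python
import struct

PST_SIGNATURE = 0x4E444221   # bytes 21 42 44 4e read as a little-endian integer
NODE_SIZE = 512              # size of one b-tree node block

# name -> (file offset, struct format), copied from the two header tables above
LAYOUT_32 = {
    "file_size":     (0x00A8, "<I"),
    "back_pointer2": (0x00B8, "<I"),
    "offset_index2": (0x00BC, "<I"),
    "back_pointer1": (0x00C0, "<I"),
    "offset_index1": (0x00C4, "<I"),
    "encryption":    (0x01CD, "<B"),
}
LAYOUT_64 = {
    "file_size":     (0x00B8, "<Q"),
    "back_pointer2": (0x00D8, "<Q"),
    "offset_index2": (0x00E0, "<Q"),
    "back_pointer1": (0x00E8, "<Q"),
    "offset_index1": (0x00F0, "<Q"),
    "encryption":    (0x0201, "<B"),
}
LAYOUTS = {0x0E: LAYOUT_32, 0x0F: LAYOUT_32, 0x15: LAYOUT_64, 0x17: LAYOUT_64}
ENCRYPTION = {0x00: "none", 0x01: "compressible", 0x02: "strong"}


class PstHeaderError(ValueError):
    """Raised when the header fails one of the checks below."""


def parse_pst_header(buf, actual_size=None):
    """Return the header fields as a dict, or raise PstHeaderError.

    actual_size is the real length of the file when known; the stored
    "total file size" is itself untrusted input.
    """
    if len(buf) < 0x0B:
        raise PstHeaderError("too short to hold signature and indexType")
    (signature,) = struct.unpack_from("<I", buf, 0)
    if signature != PST_SIGNATURE:
        raise PstHeaderError("bad signature 0x%08x" % signature)
    index_type = buf[0x0A]
    layout = LAYOUTS.get(index_type)
    if layout is None:
        raise PstHeaderError("unsupported indexType 0x%02x" % index_type)
    header_end = max(off + struct.calcsize(fmt) for off, fmt in layout.values())
    if len(buf) < header_end:
        raise PstHeaderError("header truncated")

    hdr = {"index_type": index_type,
           "pointer_bits": 64 if layout is LAYOUT_64 else 32}
    for name, (off, fmt) in layout.items():
        (hdr[name],) = struct.unpack_from(fmt, buf, off)
    if hdr["encryption"] not in ENCRYPTION:
        raise PstHeaderError("unsupported encryptionType 0x%02x" % hdr["encryption"])
    hdr["encryption_name"] = ENCRYPTION[hdr["encryption"]]

    # Checks added for this example: each root node must be a whole 512 byte
    # block that lies after the header and inside the file.
    limit = hdr["file_size"]
    if actual_size is not None:
        limit = min(limit, actual_size)
    for name in ("offset_index1", "offset_index2"):
        if hdr[name] < header_end or hdr[name] + NODE_SIZE > limit:
            raise PstHeaderError("%s 0x%x is outside the file" % (name, hdr[name]))
    return hdr


def header_problem(buf, actual_size=None):
    """Return None for an acceptable header, else the reason as a string."""
    try:
        parse_pst_header(buf, actual_size)
    except PstHeaderError as exc:
        return str(exc)
    return None


def build_sample(index_type, **fields):
    """Constructed input: a zero-filled header carrying only the named fields."""
    buf = bytearray(0x210)
    struct.pack_into("<I", buf, 0, PST_SIGNATURE)
    buf[0x0A] = index_type
    for name, value in fields.items():
        off, fmt = LAYOUTS[index_type][name]
        struct.pack_into(fmt, buf, off, value)
    return bytes(buf)


SAMPLE_32 = build_sample(0x0E, file_size=0x270400, encryption=0x01,
                         back_pointer1=0x021EB4, offset_index1=0x005400,
                         back_pointer2=0x021EBC, offset_index2=0x0C7E00)
SAMPLE_64 = build_sample(0x17, file_size=0x042400, encryption=0x00,
                         back_pointer1=0x00008A, offset_index1=0x006000,
                         back_pointer2=0x000083, offset_index2=0x006A00)
# Constructed bad case: offsetIndex1 points past the stated end of the file.
TAMPERED_32 = build_sample(0x0E, file_size=0x270400, encryption=0x01,
                           back_pointer1=0x021EB4, offset_index1=0x270300,
                           back_pointer2=0x021EBC, offset_index2=0x0C7E00)

if __name__ == "__main__":
    for label, sample in (("32 bit", SAMPLE_32), ("64 bit", SAMPLE_64),
                          ("tampered", TAMPERED_32)):
        print(label, header_problem(sample) or parse_pst_header(sample))
```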

The 32 bit index1 b-tree nodes are 512 byte blocks with the following
format.

    0000 04 00 00 00 8a 1e 02 00 00 1c 0b 00
    000c 58 27 03 00 b3 1e 02 00 00 52 00 00
    0018 00 00 00 00 00 00 00 00 00 00 00 00
    0024 00 00 00 00 00 00 00 00 00 00 00 00
    0030 00 00 00 00 00 00 00 00 00 00 00 00
    003c 00 00 00 00 00 00 00 00 00 00 00 00
    0048 00 00 00 00 00 00 00 00 00 00 00 00
    0054 00 00 00 00 00 00 00 00 00 00 00 00
    0060 00 00 00 00 00 00 00 00 00 00 00 00
    006c 00 00 00 00 00 00 00 00 00 00 00 00
    0078 00 00 00 00 00 00 00 00 00 00 00 00
    0084 00 00 00 00 00 00 00 00 00 00 00 00
    0090 00 00 00 00 00 00 00 00 00 00 00 00
    009c 00 00 00 00 00 00 00 00 00 00 00 00
    00a8 00 00 00 00 00 00 00 00 00 00 00 00
    00b4 00 00 00 00 00 00 00 00 00 00 00 00
    00c0 00 00 00 00 00 00 00 00 00 00 00 00
    00cc 00 00 00 00 00 00 00 00 00 00 00 00
    00d8 00 00 00 00 00 00 00 00 00 00 00 00
    00e4 00 00 00 00 00 00 00 00 00 00 00 00
    00f0 00 00 00 00 00 00 00 00 00 00 00 00
    00fc 00 00 00 00 00 00 00 00 00 00 00 00
    0108 00 00 00 00 00 00 00 00 00 00 00 00
    0114 00 00 00 00 00 00 00 00 00 00 00 00
    0120 00 00 00 00 00 00 00 00 00 00 00 00
    012c 00 00 00 00 00 00 00 00 00 00 00 00
    0138 00 00 00 00 00 00 00 00 00 00 00 00
    0144 00 00 00 00 00 00 00 00 00 00 00 00
    0150 00 00 00 00 00 00 00 00 00 00 00 00
    015c 00 00 00 00 00 00 00 00 00 00 00 00
    0168 00 00 00 00 00 00 00 00 00 00 00 00
    0174 00 00 00 00 00 00 00 00 00 00 00 00
    0180 00 00 00 00 00 00 00 00 00 00 00 00
    018c 00 00 00 00 00 00 00 00 00 00 00 00
    0198 00 00 00 00 00 00 00 00 00 00 00 00
    01a4 00 00 00 00 00 00 00 00 00 00 00 00
    01b0 00 00 00 00 00 00 00 00 00 00 00 00
    01bc 00 00 00 00 00 00 00 00 00 00 00 00
    01c8 00 00 00 00 00 00 00 00 00 00 00 00
    01d4 00 00 00 00 00 00 00 00 00 00 00 00
    01e0 00 00 00 00 00 00 00 00 00 00 00 00
    01ec 00 00 00 00 02 29 0c 02 80 80 b6 4a
    01f8 b4 1e 02 00 27 9c cc 56

    01f0  itemCount     [1 byte]   0x02      in this case
    01f1  maxItemCount  [1 byte]   0x29      constant
    01f2  itemSize      [1 byte]   0x0c      constant
    01f3  nodeLevel     [1 byte]   0x02      in this case
    01f8  backPointer   [4 bytes]  0x021eb4  in this case

The itemCount specifies the number of 12 byte records that are active.
The nodeLevel is non-zero for this style of node. The leaf nodes have
a different format. The backPointer must match the backPointer from the
triple that pointed to this node.

Each item in this node is a triple of (I_ID, backPointer, offset) where
the offset points to the next deeper node in the tree, the backPointer
value must match the backPointer in that deeper node, and I_ID is the
lowest I_ID value in the subtree.

The 64 bit index1 b-tree nodes are 512 byte blocks with the following
format.

    0000 04 00 00 00 00 00 00 00 88 00 00 00
    000C 00 00 00 00 00 48 00 00 00 00 00 00
    0018 74 00 00 00 00 00 00 00 86 00 00 00
    0024 00 00 00 00 00 54 00 00 00 00 00 00
    0030 00 00 00 00 00 00 00 00 00 00 00 00
    003C 00 00 00 00 00 00 00 00 00 00 00 00
    0048 00 00 00 00 00 00 00 00 00 00 00 00
    0054 00 00 00 00 00 00 00 00 00 00 00 00
    0060 00 00 00 00 00 00 00 00 00 00 00 00
    006C 00 00 00 00 00 00 00 00 00 00 00 00
    0078 00 00 00 00 00 00 00 00 00 00 00 00
    0084 00 00 00 00 00 00 00 00 00 00 00 00
    0090 00 00 00 00 00 00 00 00 00 00 00 00
    009C 00 00 00 00 00 00 00 00 00 00 00 00
    00A8 00 00 00 00 00 00 00 00 00 00 00 00
    00B4 00 00 00 00 00 00 00 00 00 00 00 00
    00C0 00 00 00 00 00 00 00 00 00 00 00 00
    00CC 00 00 00 00 00 00 00 00 00 00 00 00
    00D8 00 00 00 00 00 00 00 00 00 00 00 00
    00E4 00 00 00 00 00 00 00 00 00 00 00 00
    00F0 00 00 00 00 00 00 00 00 00 00 00 00
    00FC 00 00 00 00 00 00 00 00 00 00 00 00
    0108 00 00 00 00 00 00 00 00 00 00 00 00
    0114 00 00 00 00 00 00 00 00 00 00 00 00
    0120 00 00 00 00 00 00 00 00 00 00 00 00
    012C 00 00 00 00 00 00 00 00 00 00 00 00
    0138 00 00 00 00 00 00 00 00 00 00 00 00
    0144 00 00 00 00 00 00 00 00 00 00 00 00
    0150 00 00 00 00 00 00 00 00 00 00 00 00
    015C 00 00 00 00 00 00 00 00 00 00 00 00
    0168 00 00 00 00 00 00 00 00 00 00 00 00
    0174 00 00 00 00 00 00 00 00 00 00 00 00
    0180 00 00 00 00 00 00 00 00 00 00 00 00
    018C 00 00 00 00 00 00 00 00 00 00 00 00
    0198 00 00 00 00 00 00 00 00 00 00 00 00
    01A4 00 00 00 00 00 00 00 00 00 00 00 00
    01B0 00 00 00 00 00 00 00 00 00 00 00 00
    01BC 00 00 00 00 00 00 00 00 00 00 00 00
    01C8 00 00 00 00 00 00 00 00 00 00 00 00
    01D4 00 00 00 00 00 00 00 00 00 00 00 00
    01E0 00 00 00 00 00 00 00 00 02 14 18 01
    01EC 00 00 00 00 80 80 8a 60 68 e5 b5 19
    01F8 8a 00 00 00 00 00 00 00

    01e8  itemCount     [1 byte]   0x02      in this case
    01e9  maxItemCount  [1 byte]   0x14      constant
    01ea  itemSize      [1 byte]   0x18      constant
    01eb  nodeLevel     [1 byte]   0x01      in this case
    01f8  backPointer   [8 bytes]  0x00008a  in this case

The itemCount specifies the number of 24 byte records that are active.
The nodeLevel is non-zero for this style of node. The leaf nodes have
a different format. The backPointer must match the backPointer from the
triple that pointed to this node.

Each item in this node is a triple of (I_ID, backPointer, offset) where
the offset points to the next deeper node in the tree, the backPointer
value must match the backPointer in that deeper node, and I_ID is the
lowest I_ID value in the subtree.

The 32 bit index1 b-tree leaf nodes are 512 byte blocks with the
following format.

    0000 04 00 00 00 00 58 00 00 64 00 0f 00
    000c 08 00 00 00 80 58 00 00 ac 00 06 00
    0018 0c 00 00 00 40 59 00 00 ac 00 06 00
    0024 10 00 00 00 00 5a 00 00 bc 00 03 00
    0030 14 00 00 00 00 5b 00 00 a4 00 02 00
    003c 18 00 00 00 c0 5b 00 00 64 00 02 00
    0048 1c 00 00 00 40 5c 00 00 5c 00 02 00
    0054 50 00 00 00 80 62 00 00 60 00 02 00
    0060 74 00 00 00 00 77 00 00 5e 00 02 00
    006c 7c 00 00 00 80 77 00 00 66 00 02 00
    0078 84 00 00 00 00 76 00 00 ca 00 02 00
    0084 88 00 00 00 00 63 00 00 52 00 02 00
    0090 90 00 00 00 00 79 00 00 58 00 02 00
    009c cc 00 00 00 c0 61 00 00 76 00 02 00
    00a8 e0 00 00 00 00 61 00 00 74 00 02 00
    00b4 f4 00 00 00 80 65 00 00 6e 00 02 00
    00c0 8c 01 00 00 40 60 00 00 70 00 02 00
    00cc ea 01 00 00 80 61 00 00 10 00 02 00
    00d8 ec 01 00 00 40 8a 00 00 f3 01 02 00
    00e4 f0 01 00 00 80 93 00 00 f4 1f 02 00
    00f0 fa 01 00 00 c0 7f 00 00 10 00 02 00
    00fc 00 02 00 00 00 89 00 00 34 01 02 00
    0108 1c 02 00 00 40 ec 00 00 12 06 02 00
    0114 22 02 00 00 00 84 00 00 10 00 02 00
    0120 24 02 00 00 c0 ea 00 00 3c 01 02 00
    012c 40 02 00 00 00 f4 00 00 0a 06 02 00
    0138 46 02 00 00 40 8c 00 00 10 00 02 00
    0144 48 02 00 00 80 f2 00 00 36 01 02 00
    0150 64 02 00 00 80 fb 00 00 bf 07 02 00
    015c 6a 02 00 00 80 63 00 00 10 00 02 00
    0168 6c 02 00 00 40 fa 00 00 2a 01 02 00
    0174 6c 02 00 00 40 fa 00 00 2a 01 02 00
    0180 6c 02 00 00 40 fa 00 00 2a 01 02 00
    018c 6c 02 00 00 40 fa 00 00 2a 01 02 00
    0198 6c 02 00 00 40 fa 00 00 2a 01 02 00
    01a4 6c 02 00 00 40 fa 00 00 2a 01 02 00
    01b0 64 02 00 00 80 fb 00 00 bf 07 02 00
    01bc 64 02 00 00 80 fb 00 00 bf 07 02 00
    01c8 64 02 00 00 80 fb 00 00 bf 07 02 00
    01d4 64 02 00 00 80 fb 00 00 bf 07 02 00
    01e0 64 02 00 00 80 fb 00 00 bf 07 02 00
    01ec 00 00 00 00 1f 29 0c 00 80 80 5b b3
    01f8 5a 67 01 00 4f ae 70 a7

    01f0  itemCount     [1 byte]   0x1f      in this case
    01f1  maxItemCount  [1 byte]   0x29      constant
    01f2  itemSize      [1 byte]   0x0c      constant
    01f3  nodeLevel     [1 byte]   0x00      defines a leaf node
    01f8  backPointer   [4 bytes]  0x01675a  in this case

The itemCount specifies the number of 12 byte records that are active.
The nodeLevel is zero for these leaf nodes. The backPointer must match
the backPointer from the triple that pointed to this node.

Each item in this node is a tuple of (I_ID, offset, size, unknown). The
two low order bits of the I_ID value seem to be flags. I have never
seen a case with bit zero set. Bit one indicates that the item is not
encrypted. Note that references to these I_ID values elsewhere may have
the low order bit set (and I don't know what that means), but when we
do the search in this tree we need to clear that bit so that we can
find the correct item.

The 64 bit index1 b-tree leaf nodes are 512 byte blocks with the
following format.

    0000 04 00 00 00 00 00 00 00 00 58 00 00
    000C 00 00 00 00 6c 00 05 00 00 00 00 00
    0018 08 00 00 00 00 00 00 00 80 58 00 00
    0024 00 00 00 00 b4 00 06 00 d8 22 37 08
    0030 0c 00 00 00 00 00 00 00 80 59 00 00
    003C 00 00 00 00 ac 00 07 00 d8 22 37 08
    0048 10 00 00 00 00 00 00 00 40 5a 00 00
    0054 00 00 00 00 bc 00 03 00 d8 22 37 08
    0060 14 00 00 00 00 00 00 00 40 5b 00 00
    006C 00 00 00 00 a4 00 02 00 d8 22 37 08
    0078 18 00 00 00 00 00 00 00 00 5c 00 00
    0084 00 00 00 00 64 00 02 00 d8 22 37 08
    0090 1c 00 00 00 00 00 00 00 80 5c 00 00
    009C 00 00 00 00 5c 00 02 00 d8 22 37 08
    00A8 24 00 00 00 00 00 00 00 80 5d 00 00
    00B4 00 00 00 00 72 00 02 00 d8 22 37 08
    00C0 34 00 00 00 00 00 00 00 00 70 00 00
    00CC 00 00 00 00 8c 00 02 00 00 0d 00 00
    00D8 38 00 00 00 00 00 00 00 c0 71 00 00
    00E4 00 00 00 00 5c 00 02 00 d8 22 9c 00
    00F0 40 00 00 00 00 00 00 00 40 72 00 00
    00FC 00 00 00 00 26 00 02 00 d8 22 9c 00
    0108 4c 00 00 00 00 00 00 00 80 5f 00 00
    0114 00 00 00 00 3e 00 02 00 d8 22 9c 00
    0120 5c 00 00 00 00 00 00 00 c0 76 00 00
    012C 00 00 00 00 8c 00 02 00 d8 22 9c 00
    0138 64 00 00 00 00 00 00 00 40 75 00 00
    0144 00 00 00 00 76 00 02 00 d8 22 9c 00
    0150 6c 00 00 00 00 00 00 00 c0 73 00 00
    015C 00 00 00 00 5e 00 02 00 d8 22 9c 00
    0168 70 00 00 00 00 00 00 00 80 72 00 00
    0174 00 00 00 00 1e 01 02 00 d8 22 9c 00
    0180 70 00 00 00 00 00 00 00 80 72 00 00
    018C 00 00 00 00 1e 01 02 00 d8 22 9c 00
    0198 70 00 00 00 00 00 00 00 80 72 00 00
    01A4 00 00 00 00 1e 01 02 00 d8 22 9c 00
    01B0 74 00 00 00 00 00 00 00 40 74 00 00
    01BC 00 00 00 00 e0 00 02 00 d8 22 9c 00
    01C8 7c 00 00 00 00 00 00 00 80 77 00 00
    01D4 00 00 00 00 dc 00 02 00 d8 22 9c 00
    01E0 00 00 00 00 00 00 00 00 10 14 18 00
    01EC 00 00 00 00 80 80 88 48 3f 50 0b 04
    01F8 88 00 00 00 00 00 00 00

    01e8  itemCount     [1 byte]   0x10      in this case
    01e9  maxItemCount  [1 byte]   0x14      constant
    01ea  itemSize      [1 byte]   0x18      constant
    01eb  nodeLevel     [1 byte]   0x00      defines a leaf node
    01f8  backPointer   [8 bytes]  0x000088  in this case

The itemCount specifies the number of 24 byte records that are active.
The nodeLevel is zero for these leaf nodes. The backPointer must match
the backPointer from the triple that pointed to this node.

Each item in this node is a tuple of (I_ID, offset, size, unknown). The
two low order bits of the I_ID value seem to be flags. I have never
seen a case with bit zero set. Bit one indicates that the item is not
encrypted. Note that references to these I_ID values elsewhere may have
the low order bit set (and I don't know what that means), but when we
do the search in this tree we need to clear that bit so that we can
find the correct item.
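
The index1 descriptions above combine into one lookup: start at the root, verify every node's trailer and backPointer, descend by lowest I_ID, and clear bit zero of the key before matching a leaf. This Python code is an added example, not libpst code; it goes slightly beyond the text by handling both pointer widths in one routine. The function names, the 2-byte size and 2-byte "unknown" split of the leaf record (read off the sample dumps), the rule that nodeLevel must decrease, and the constructed file image are assumptions of the example.

```python
import struct

NODE_SIZE = 512
BACKPOINTER_AT = 0x1F8  # same position in both formats

# Constants from the index1 node descriptions above.
FORMATS = {
    32: {"trailer": 0x1F0, "bp": "<I", "max_items": 0x29, "item_size": 0x0C,
         "branch": "<III", "leaf": "<IIHH"},
    64: {"trailer": 0x1E8, "bp": "<Q", "max_items": 0x14, "item_size": 0x18,
         "branch": "<QQQ", "leaf": "<QQHH"},
}


class NodeError(ValueError):
    """A node failed validation, so the tree must not be trusted."""


def read_node(image, offset, expected_bp, bits):
    """Validate one 512 byte node and return (nodeLevel, active items)."""
    fmt = FORMATS[bits]
    if offset < 0 or offset + NODE_SIZE > len(image):
        raise NodeError("node at 0x%x lies outside the file" % offset)
    node = image[offset:offset + NODE_SIZE]
    count, max_items, item_size, level = struct.unpack_from(
        "<4B", node, fmt["trailer"])
    (back_pointer,) = struct.unpack_from(fmt["bp"], node, BACKPOINTER_AT)
    if (max_items, item_size) != (fmt["max_items"], fmt["item_size"]):
        raise NodeError("unexpected maxItemCount/itemSize at 0x%x" % offset)
    if count > max_items:
        raise NodeError("itemCount %d exceeds maxItemCount" % count)
    if back_pointer != expected_bp:
        raise NodeError("backPointer 0x%x, expected 0x%x"
                        % (back_pointer, expected_bp))
    layout = fmt["leaf"] if level == 0 else fmt["branch"]
    items = [struct.unpack_from(layout, node, i * item_size)
             for i in range(count)]
    return level, items


def lookup_i_id(image, root_offset, root_bp, i_id, bits=32):
    """Return (offset, size) of the item, or None if the I_ID is absent."""
    key = i_id & ~1  # references may carry bit zero; the tree does not
    offset, expected_bp, parent_level = root_offset, root_bp, None
    while True:
        level, items = read_node(image, offset, expected_bp, bits)
        # Assumption of this example: nodeLevel strictly decreases towards
        # the leaves, which also ends the walk if offsets form a loop.
        if parent_level is not None and level >= parent_level:
            raise NodeError("nodeLevel does not decrease at 0x%x" % offset)
        if level == 0:
            for item_id, data_offset, size, _unknown in items:
                if item_id == key:
                    if data_offset + size > len(image):
                        raise NodeError("item 0x%x runs past end of file" % key)
                    return data_offset, size
            return None
        # Each branch item carries the lowest I_ID of its subtree.
        covering = [item for item in items if item[0] <= key]
        if not covering:
            return None
        _lowest, expected_bp, offset = max(covering, key=lambda item: item[0])
        parent_level = level


def build_node(bits, level, back_pointer, items):
    """Constructed input: serialise one node in the layout described above."""
    fmt = FORMATS[bits]
    node = bytearray(NODE_SIZE)
    layout = fmt["leaf"] if level == 0 else fmt["branch"]
    for i, item in enumerate(items):
        struct.pack_into(layout, node, i * fmt["item_size"], *item)
    struct.pack_into("<4B", node, fmt["trailer"],
                     len(items), fmt["max_items"], fmt["item_size"], level)
    struct.pack_into(fmt["bp"], node, BACKPOINTER_AT, back_pointer)
    return bytes(node)


def build_image():
    """Constructed 32 bit image: a level 1 root at 0x200 and two leaves.

    Leaf records reuse values from the sample leaf dump above; the node
    offsets and the second leaf's backPointer are made up.
    """
    image = bytearray(0x8000)
    image[0x200:0x400] = build_node(32, 1, 0x021EB4, [
        (0x04, 0x01675A, 0x400), (0x74, 0x01675B, 0x600)])
    image[0x400:0x600] = build_node(32, 0, 0x01675A, [
        (0x04, 0x5800, 0x64, 0x0F), (0x08, 0x5880, 0xAC, 0x06),
        (0x0C, 0x5940, 0xAC, 0x06)])
    image[0x600:0x800] = build_node(32, 0, 0x01675B, [
        (0x74, 0x7700, 0x5E, 0x02), (0x7C, 0x7780, 0x66, 0x02)])
    return image


IMAGE = bytes(build_image())
TAMPERED = build_image()
struct.pack_into("<I", TAMPERED, 0x400 + BACKPOINTER_AT, 0xDEADBEEF)
TAMPERED = bytes(TAMPERED)

if __name__ == "__main__":
    print(lookup_i_id(IMAGE, 0x200, 0x021EB4, 0x09))
```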

The 32 bit index2 b-tree nodes are 512 byte blocks with the following
format.

    0000 21 00 00 00 bb 1e 02 00 00 e2 0b 00
    000c 64 78 20 00 8c 1e 02 00 00 dc 0b 00
    0018 00 00 00 00 00 00 00 00 00 00 00 00
    0024 00 00 00 00 00 00 00 00 00 00 00 00
    0030 00 00 00 00 00 00 00 00 00 00 00 00
    003c 00 00 00 00 00 00 00 00 00 00 00 00
    0048 00 00 00 00 00 00 00 00 00 00 00 00
    0054 00 00 00 00 00 00 00 00 00 00 00 00
    0060 00 00 00 00 00 00 00 00 00 00 00 00
    006c 00 00 00 00 00 00 00 00 00 00 00 00
    0078 00 00 00 00 00 00 00 00 00 00 00 00
    0084 00 00 00 00 00 00 00 00 00 00 00 00
    0090 00 00 00 00 00 00 00 00 00 00 00 00
    009c 00 00 00 00 00 00 00 00 00 00 00 00
    00a8 00 00 00 00 00 00 00 00 00 00 00 00
    00b4 00 00 00 00 00 00 00 00 00 00 00 00
    00c0 00 00 00 00 00 00 00 00 00 00 00 00
    00cc 00 00 00 00 00 00 00 00 00 00 00 00
    00d8 00 00 00 00 00 00 00 00 00 00 00 00
    00e4 00 00 00 00 00 00 00 00 00 00 00 00
    00f0 00 00 00 00 00 00 00 00 00 00 00 00
    00fc 00 00 00 00 00 00 00 00 00 00 00 00
    0108 00 00 00 00 00 00 00 00 00 00 00 00
    0114 00 00 00 00 00 00 00 00 00 00 00 00
    0120 00 00 00 00 00 00 00 00 00 00 00 00
    012c 00 00 00 00 00 00 00 00 00 00 00 00
    0138 00 00 00 00 00 00 00 00 00 00 00 00
    0144 00 00 00 00 00 00 00 00 00 00 00 00
    0150 00 00 00 00 00 00 00 00 00 00 00 00
    015c 00 00 00 00 00 00 00 00 00 00 00 00
    0168 00 00 00 00 00 00 00 00 00 00 00 00
    0174 00 00 00 00 00 00 00 00 00 00 00 00
    0180 00 00 00 00 00 00 00 00 00 00 00 00
    018c 00 00 00 00 00 00 00 00 00 00 00 00
    0198 00 00 00 00 00 00 00 00 00 00 00 00
    01a4 00 00 00 00 00 00 00 00 00 00 00 00
    01b0 00 00 00 00 00 00 00 00 00 00 00 00
    01bc 00 00 00 00 00 00 00 00 00 00 00 00
    01c8 00 00 00 00 00 00 00 00 00 00 00 00
    01d4 00 00 00 00 00 00 00 00 00 00 00 00
    01e0 00 00 00 00 00 00 00 00 00 00 00 00
    01ec 00 00 00 00 02 29 0c 02 81 81 b2 60
    01f8 bc 1e 02 00 7e 70 dc e3

    01f0  itemCount     [1 byte]   0x02      in this case
    01f1  maxItemCount  [1 byte]   0x29      constant
    01f2  itemSize      [1 byte]   0x0c      constant
    01f3  nodeLevel     [1 byte]   0x02      in this case
    01f8  backPointer   [4 bytes]  0x021ebc  in this case

The itemCount specifies the number of 12 byte records that are active.
The nodeLevel is non-zero for this style of node. The leaf nodes have
a different format. The backPointer must match the backPointer from the
triple that pointed to this node.

Each item in this node is a triple of (D_ID, backPointer, offset) where
the offset points to the next deeper node in the tree, the backPointer
value must match the backPointer in that deeper node, and D_ID is the
lowest D_ID value in the subtree.

The 64 bit index2 b-tree nodes are 512 byte blocks with the following
format.

    0000 21 00 00 00 00 00 00 00 77 00 00 00
    000C 00 00 00 00 00 56 00 00 00 00 00 00
    0018 4c 06 00 00 00 00 00 00 82 00 00 00
    0024 00 00 00 00 00 68 00 00 00 00 00 00
    0030 4f 80 00 00 00 00 00 00 84 00 00 00
    003C 00 00 00 00 00 6e 00 00 00 00 00 00
    0048 00 00 00 00 00 00 00 00 00 00 00 00
    0054 00 00 00 00 00 00 00 00 00 00 00 00
    0060 00 00 00 00 00 00 00 00 00 00 00 00
    006C 00 00 00 00 00 00 00 00 00 00 00 00
    0078 00 00 00 00 00 00 00 00 00 00 00 00
    0084 00 00 00 00 00 00 00 00 00 00 00 00
    0090 00 00 00 00 00 00 00 00 00 00 00 00
    009C 00 00 00 00 00 00 00 00 00 00 00 00
    00A8 00 00 00 00 00 00 00 00 00 00 00 00
    00B4 00 00 00 00 00 00 00 00 00 00 00 00
    00C0 00 00 00 00 00 00 00 00 00 00 00 00
    00CC 00 00 00 00 00 00 00 00 00 00 00 00
    00D8 00 00 00 00 00 00 00 00 00 00 00 00
    00E4 00 00 00 00 00 00 00 00 00 00 00 00
    00F0 00 00 00 00 00 00 00 00 00 00 00 00
    00FC 00 00 00 00 00 00 00 00 00 00 00 00
    0108 00 00 00 00 00 00 00 00 00 00 00 00
    0114 00 00 00 00 00 00 00 00 00 00 00 00
    0120 00 00 00 00 00 00 00 00 00 00 00 00
    012C 00 00 00 00 00 00 00 00 00 00 00 00
    0138 00 00 00 00 00 00 00 00 00 00 00 00
    0144 00 00 00 00 00 00 00 00 00 00 00 00
    0150 00 00 00 00 00 00 00 00 00 00 00 00
    015C 00 00 00 00 00 00 00 00 00 00 00 00
    0168 00 00 00 00 00 00 00 00 00 00 00 00
    0174 00 00 00 00 00 00 00 00 00 00 00 00
    0180 00 00 00 00 00 00 00 00 00 00 00 00
    018C 00 00 00 00 00 00 00 00 00 00 00 00
    0198 00 00 00 00 00 00 00 00 00 00 00 00
    01A4 00 00 00 00 00 00 00 00 00 00 00 00
    01B0 00 00 00 00 00 00 00 00 00 00 00 00
    01BC 00 00 00 00 00 00 00 00 00 00 00 00
    01C8 00 00 00 00 00 00 00 00 00 00 00 00
    01D4 00 00 00 00 00 00 00 00 00 00 00 00
    01E0 00 00 00 00 00 00 00 00 03 14 18 01
    01EC 00 00 00 00 81 81 83 6a 49 da f3 d3
    01F8 83 00 00 00 00 00 00 00

    01e8  itemCount     [1 byte]   0x03      in this case
    01e9  maxItemCount  [1 byte]   0x14      constant
    01ea  itemSize      [1 byte]   0x18      constant
    01eb  nodeLevel     [1 byte]   0x01      in this case
    01f8  backPointer   [8 bytes]  0x000083  in this case

The itemCount specifies the number of 24 byte records that are active.
The nodeLevel is non-zero for this style of node. The leaf nodes have
a different format. The backPointer must match the backPointer from the
triple that pointed to this node.

Each item in this node is a triple of (D_ID, backPointer, offset) where
the offset points to the next deeper node in the tree, the backPointer
value must match the backPointer in that deeper node, and D_ID is the
lowest D_ID value in the subtree.

The 32 bit index2 b-tree leaf nodes are 512 byte blocks with the
following format.

    0000 21 00 00 00 38 e6 00 00 00 00 00 00 00 00 00 00
    0010 61 00 00 00 2c a8 02 00 36 a8 02 00 00 00 00 00
    0020 22 01 00 00 20 a2 02 00 00 00 00 00 22 01 00 00
    0030 2d 01 00 00 88 7b 03 00 00 00 00 00 00 00 00 00
    0040 2e 01 00 00 08 00 00 00 00 00 00 00 00 00 00 00
    0050 2f 01 00 00 0c 00 00 00 00 00 00 00 00 00 00 00
    0060 e1 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0070 01 02 00 00 b4 e4 02 00 00 00 00 00 00 00 00 00
    0080 61 02 00 00 a0 e4 02 00 00 00 00 00 00 00 00 00
    0090 0d 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00
    00A0 0e 06 00 00 08 00 00 00 00 00 00 00 00 00 00 00
    00B0 0f 06 00 00 0c 00 00 00 00 00 00 00 00 00 00 00
    00C0 10 06 00 00 10 00 00 00 00 00 00 00 00 00 00 00
    00D0 2b 06 00 00 84 00 00 00 00 00 00 00 00 00 00 00
    00E0 4c 06 00 00 1c 00 00 00 00 00 00 00 00 00 00 00
    00F0 71 06 00 00 18 00 00 00 00 00 00 00 00 00 00 00
    0100 92 06 00 00 14 00 00 00 00 00 00 00 00 00 00 00
    0110 23 22 00 00 14 a0 02 00 00 00 00 00 22 01 00 00
    0120 26 22 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0130 27 22 00 00 1c a0 02 00 00 00 00 00 00 00 00 00
    0140 22 80 00 00 50 00 00 00 00 00 00 00 22 01 00 00
    0150 2d 80 00 00 f8 9f 02 00 00 00 00 00 00 00 00 00
    0160 2e 80 00 00 08 00 00 00 00 00 00 00 00 00 00 00
    0170 2f 80 00 00 34 e6 00 00 00 00 00 00 00 00 00 00
    0180 42 80 00 00 3c 6d 02 00 00 00 00 00 22 80 00 00
    0190 4d 80 00 00 04 00 00 00 00 00 00 00 00 00 00 00
    01A0 4e 80 00 00 10 6d 02 00 00 00 00 00 00 00 00 00
    01B0 4f 80 00 00 ec 23 00 00 00 00 00 00 00 00 00 00
    01C0 62 80 00 00 38 78 02 00 00 00 00 00 22 01 00 00
    01D0 6d 80 00 00 34 78 02 00 00 00 00 00 00 00 00 00
    01E0 6e 80 00 00 08 00 00 00 00 00 00 00 00 00 00 00
    01F0 10 1f 10 00 81 81 a0 9a ae 1e 02 00 89 44 6a 0f

    01f0  itemCount     [1 byte]   0x10      in this case
    01f1  maxItemCount  [1 byte]   0x1f      constant
    01f2  itemSize      [1 byte]   0x10      constant
    01f3  nodeLevel     [1 byte]   0x00      in this case
    01f8  backPointer   [4 bytes]  0x021eae  in this case

The itemCount specifies the number of 16 byte records that are active.
The nodeLevel is zero for these leaf nodes. The backPointer must match
the backPointer from the triple that pointed to this node.

Each item in this node is a tuple of (D_ID, DESC-I_ID, TREE-I_ID,
PARENT-D_ID). The DESC-I_ID points to the main data for this item
(Associated Descriptor Items 0x7cec, 0xbcec, or 0x0101) via the index1
tree. The TREE-I_ID is zero or points to an Associated Tree Item 0x0002
via the index1 tree. The PARENT-D_ID points to the parent of this item
in this index2 tree.

The 64 bit index2 b-tree leaf nodes are 512 byte blocks with the
following format.

    0000 21 00 00 00 00 00 00 00 74 00 00 00 00 00 00 00
    0010 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00
    0020 61 00 00 00 00 00 00 00 34 00 00 00 00 00 00 00
    0030 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00
    0040 22 01 00 00 00 00 00 00 4c 00 00 00 00 00 00 00
    0050 00 00 00 00 00 00 00 00 22 01 00 00 02 00 00 00
    0060 2d 01 00 00 00 00 00 00 70 00 00 00 00 00 00 00
    0070 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00
    0080 2e 01 00 00 00 00 00 00 08 00 00 00 00 00 00 00
    0090 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00
    00A0 2f 01 00 00 00 00 00 00 0c 00 00 00 00 00 00 00
    00B0 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00
    00C0 e1 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00D0 00 00 00 00 00 00 00 00 00 00 00 00 d8 e3 13 00
    00E0 01 02 00 00 00 00 00 00 8c 00 00 00 00 00 00 00
    00F0 00 00 00 00 00 00 00 00 00 00 00 00 b0 e3 13 00
    0100 61 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0110 00 00 00 00 00 00 00 00 00 00 00 00 d8 e3 13 00
    0120 0d 06 00 00 00 00 00 00 04 00 00 00 00 00 00 00
    0130 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00
    0140 0e 06 00 00 00 00 00 00 08 00 00 00 00 00 00 00
    0150 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00
    0160 0f 06 00 00 00 00 00 00 0c 00 00 00 00 00 00 00
    0170 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00
    0180 10 06 00 00 00 00 00 00 10 00 00 00 00 00 00 00
    0190 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00
    01A0 2b 06 00 00 00 00 00 00 24 00 00 00 00 00 00 00
    01B0 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00
    01C0 71 06 00 00 00 00 00 00 18 00 00 00 00 00 00 00
    01D0 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00
    01E0 00 00 00 00 00 00 00 00 0e 0f 20 00 00 00 00 00
    01F0 81 81 77 56 f8 32 43 49 77 00 00 00 00 00 00 00

    01e8  itemCount     [1 byte]   0x0e      in this case
    01e9  maxItemCount  [1 byte]   0x0f      constant
    01ea  itemSize      [1 byte]   0x20      constant
    01eb  nodeLevel     [1 byte]   0x00      defines a leaf node
    01f8  backPointer   [8 bytes]  0x000077  in this case

The itemCount specifies the number of 32 byte records that are active.
The nodeLevel is zero for these leaf nodes. The backPointer must match
the backPointer from the triple that pointed to this node.

Each item in this node is a tuple of (D_ID, DESC-I_ID, TREE-I_ID,
PARENT-D_ID). The DESC-I_ID points to the main data for this item
(Associated Descriptor Items 0x7cec, 0xbcec, or 0x0101) via the index1
tree. The TREE-I_ID is zero or points to an Associated Tree Item 0x0002
via the index1 tree. The PARENT-D_ID points to the parent of this item
in this index2 tree.

A D_ID value may point to an entry in the index2 tree with a non-zero
TREE-I_ID which points to this descriptor block via the index1 tree. It
maps local ID2 values (referenced in the main data for the original
D_ID item) to I_ID values. This descriptor block contains triples of
(ID2, I_ID, CHILD-I_ID) where the local ID2 data can be found via I_ID,
and CHILD-I_ID is either zero or it points to another Associated Tree
Item via the index1 tree.

In the above 32 bit leaf node, we have a tuple of (0x61, 0x02a82c,
0x02a836, 0). 0x02a836 is the I_ID of the associated tree, and we can
look up that I_ID value in the index1 b-tree to find the (offset,size)
of the data in the .pst file.

    0000 02 00 01 00 9f 81 00 00 30 a8 02 00 00 00 00 00

    0000  signature   [2 bytes]  0x0002    constant
    0002  count       [2 bytes]  0x0001    in this case
    repeating
    0004  id2         [4 bytes]  0x00819f  in this case
    0008  i_id        [4 bytes]  0x02a830  in this case
    000c  child-i_id  [4 bytes]  0         in this case
708
709
710
712 This descriptor block contains a tree that maps local ID2 values to
713 I_ID entries, similar to the 32 bit version described above.
714
715
716 0000 02 00 02 00 00 00 00 00 92 06 00 00 00 00 00 00
717 0010 a8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
718 0020 3f 80 00 00 00 00 00 00 98 00 00 00 00 00 00 00
719 0030 00 00 00 00 00 00 00 00
720
721 0000 signature [2 bytes] 0x0002 constant
722 0002 count [2 bytes] 0x0002 in this case
723 0004 unknown [4 bytes] 0 possibly constant
724 repeating
725 0008 id2 [4 bytes] 0x000692 in this case
726 000c unknown1 [2 bytes] 0 may be a count or size
727 000e unknown2 [2 bytes] 0 may be a count or size
728 0010 i_id [8 bytes] 0x0000a8 in this case
729 0018 child-i_id [8 bytes] 0 in this case
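
The two (ID2, I_ID, CHILD-I_ID) layouts above can be decoded with one routine that checks the count against the block length and refuses to visit the same block twice while following CHILD-I_ID links. This Python code is an added example, not libpst code: the function names are assumptions, fetch_block is a hypothetical stand-in for "look the I_ID up in index1 and read the data", BLOCK_32 and BLOCK_64 are the two dumps above, and the parent block and its I_ID are constructed.

```python
import struct

SIGNATURE = 0x0002

# bits -> (header format, header size, record format, record size),
# following the two field tables above
LAYOUTS = {
    32: ("<HH", 4, "<III", 12),
    64: ("<HHI", 8, "<IHHQQ", 24),
}


class Id2Error(ValueError):
    """The Associated Tree Item is malformed or its links are inconsistent."""


def parse_tree_item(block, bits):
    """Return the (id2, i_id, child_i_id) triples stored in one block."""
    head_fmt, head_size, rec_fmt, rec_size = LAYOUTS[bits]
    if len(block) < head_size:
        raise Id2Error("block shorter than its header")
    signature, count = struct.unpack_from(head_fmt, block, 0)[:2]
    if signature != SIGNATURE:
        raise Id2Error("bad signature 0x%04x" % signature)
    # count comes from the file, so it is checked before it drives a loop
    if head_size + count * rec_size > len(block):
        raise Id2Error("count %d does not fit in %d bytes" % (count, len(block)))
    triples = []
    for n in range(count):
        fields = struct.unpack_from(rec_fmt, block, head_size + n * rec_size)
        # id2 is the first field; i_id and child-i_id are the last two
        triples.append((fields[0], fields[-2], fields[-1]))
    return triples


def flatten_id2_map(root_i_id, fetch_block, bits):
    """Follow CHILD-I_ID links from root_i_id and return {id2: i_id}."""
    mapping, seen, pending = {}, set(), [root_i_id]
    while pending:
        key = pending.pop() & ~1  # clear bit zero before the index1 lookup
        if key in seen:
            raise Id2Error("I_ID 0x%x referenced twice (loop?)" % key)
        seen.add(key)
        block = fetch_block(key)
        if block is None:
            raise Id2Error("I_ID 0x%x not found" % key)
        for id2, i_id, child in parse_tree_item(block, bits):
            mapping[id2] = i_id
            if child:
                pending.append(child)
    return mapping


# The two sample blocks from the dumps above.
BLOCK_32 = bytes.fromhex("02000100 9f810000 30a80200 00000000")
BLOCK_64 = bytes.fromhex(
    "0200020000000000 9206000000000000 a800000000000000 0000000000000000"
    "3f80000000000000 9800000000000000 0000000000000000")

# Constructed: a parent block whose CHILD-I_ID is 0x02a836, the I_ID under
# which the 32 bit sample block is reached in the text above.
PARENT_32 = struct.pack("<HHIII", SIGNATURE, 1, 0x0692, 0x02A840, 0x02A836)
STORE = {0x02A850: PARENT_32, 0x02A836: BLOCK_32}
# Constructed bad case: a block whose child link points back at itself.
LOOP_STORE = {0x02A850: struct.pack("<HHIII", SIGNATURE, 1, 0x01, 0x10, 0x02A850)}

if __name__ == "__main__":
    print(parse_tree_item(BLOCK_64, 64))
    print(flatten_id2_map(0x02A850, STORE.get, 32))
```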
730
731
732
Contains information about the item, which may be email, contact, or
other Outlook types. In the above leaf node, we have a tuple of (0x21,
0x00e638, 0, 0). 0x00e638 is the I_ID of the associated descriptor, and
we can look up that I_ID value in the index1 b-tree to find the
(offset,size) of the data in the .pst file. This descriptor is
eventually decoded to a list of MAPI elements.


0000  3c 01 ec bc 20 00 00 00 00 00 00 00 b5 02 06 00
0010  40 00 00 00 f9 0f 02 01 60 00 00 00 01 30 1e 00
0020  80 00 00 00 04 30 1e 00 00 00 00 00 df 35 03 00
0030  ff 00 00 00 e0 35 02 01 a0 00 00 00 e2 35 02 01
0040  e0 00 00 00 e3 35 02 01 c0 00 00 00 e4 35 02 01
0050  00 01 00 00 e5 35 02 01 20 01 00 00 e6 35 02 01
0060  40 01 00 00 e7 35 02 01 60 01 00 00 1e 66 0b 00
0070  00 00 00 00 ff 67 03 00 00 00 00 00 d2 7f 17 d8
0080  64 8c d5 11 83 24 00 50 04 86 95 45 53 74 61 6e
0090  6c 65 79 00 00 00 00 d2 7f 17 d8 64 8c d5 11 83
00A0  24 00 50 04 86 95 45 22 80 00 00 00 00 00 00 d2
00B0  7f 17 d8 64 8c d5 11 83 24 00 50 04 86 95 45 42
00C0  80 00 00 00 00 00 00 d2 7f 17 d8 64 8c d5 11 83
00D0  24 00 50 04 86 95 45 a2 80 00 00 00 00 00 00 d2
00E0  7f 17 d8 64 8c d5 11 83 24 00 50 04 86 95 45 c2
00F0  80 00 00 00 00 00 00 d2 7f 17 d8 64 8c d5 11 83
0100  24 00 50 04 86 95 45 e2 80 00 00 00 00 00 00 d2
0110  7f 17 d8 64 8c d5 11 83 24 00 50 04 86 95 45 02
0120  81 00 00 00 00 00 00 d2 7f 17 d8 64 8c d5 11 83
0130  24 00 50 04 86 95 45 62 80 00 00 00 0b 00 00 00
0140  0c 00 14 00 7c 00 8c 00 93 00 ab 00 c3 00 db 00
0150  f3 00 0b 01 23 01 3b 01

0000  indexOffset  [2 bytes]  0x013c in this case
0002  signature    [2 bytes]  0xbcec constant
0004  b5offset     [4 bytes]  0x0020 index reference



Note the signature of 0xbcec. There are other descriptor block formats
with other signatures. Note the indexOffset of 0x013c - starting at
that position in the descriptor block, we have an array of two byte
integers. The first integer (0x000b) is a (count-1) of the number of
overlapping pairs following the count. The first pair is (0, 0xc), the
next pair is (0xc, 0x14) and the last (12th) pair is (0x123, 0x13b).
These pairs are (start,end+1) offsets of items in this block. So we
have count+2 integers following the count value.


Note the b5offset of 0x0020, which is a type that I will call an index
reference. Such index references have at least two different forms, and
may point to data either in this block, or in some other block.
External pointer references have the low order 4 bits all set, and are
ID2 values that can be used to fetch data. This value of 0x0020 is an
internal pointer reference, which needs to be right shifted by 4 bits
to become 0x0002, which is then a byte offset to be added to the above
indexOffset plus two (to skip the count), so it points to the
(0xc, 0x14) pair.


So far we have only described internal index references where the high
order 16 bits are zero. That suffices for single descriptor blocks. But
in the case of the type 0x0101 descriptor block, we have an array of
subblocks. In this case, the high order 16 bits of an internal index
reference are used to select the subblock. Each subblock starts with a
16 bit indexOffset which points to the count and array of 16 bit
integer pairs which are offsets in the current subblock.


Finally, we have the offset and size of the "b5" block located at
offset 0xc with a size of 8 bytes in this descriptor block. The "b5"
block has the following format:


0000  signature   [2 bytes]  0x02b5 constant
0002  datasize    [2 bytes]  0x0006 constant +2 for 8 byte entries
0004  descoffset  [4 bytes]  0x0040 index reference



Note the descoffset of 0x0040, which again is an index reference. In
this case, it is an internal pointer reference, which needs to be right
shifted by 4 bits to become 0x0004, which is then a byte offset to be
added to the above indexOffset plus two (to skip the count), so it
points to the (0x14, 0x7c) pair. The datasize (6) plus the b5 code (02)
gives the size of the entries, in this case 8 bytes. We now have the
offset 0x14 of the descriptor array, composed of 8 byte entries that
describe MAPI elements. Each descriptor entry has the following format:


0000  itemType       [2 bytes]
0002  referenceType  [2 bytes]
0004  value          [4 bytes]



For some reference types (2, 3, 0xb) the value is used directly.
Otherwise, the value is an index reference, which is either an ID2
value, or an offset, to be right shifted by 4 bits and used to fetch a
pair from the index table to find the offset and size of the item in
this descriptor block.


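The walk from indexOffset to the descriptor array, as an added example (not code from libpst or from this page) run over the 0xbcec hex dump shown above. The function names are hypothetical; each offset read from the block is bounds-checked before use, since every one of them is attacker-controlled in an untrusted .pst file.

```python
import struct

# The 0xbcec descriptor block from the hex dump above (0x158 bytes).
BLOCK = bytes.fromhex("""
3c 01 ec bc 20 00 00 00 00 00 00 00 b5 02 06 00 40 00 00 00 f9 0f 02 01 60 00 00 00 01 30 1e 00
80 00 00 00 04 30 1e 00 00 00 00 00 df 35 03 00 ff 00 00 00 e0 35 02 01 a0 00 00 00 e2 35 02 01
e0 00 00 00 e3 35 02 01 c0 00 00 00 e4 35 02 01 00 01 00 00 e5 35 02 01 20 01 00 00 e6 35 02 01
40 01 00 00 e7 35 02 01 60 01 00 00 1e 66 0b 00 00 00 00 00 ff 67 03 00 00 00 00 00 d2 7f 17 d8
64 8c d5 11 83 24 00 50 04 86 95 45 53 74 61 6e 6c 65 79 00 00 00 00 d2 7f 17 d8 64 8c d5 11 83
24 00 50 04 86 95 45 22 80 00 00 00 00 00 00 d2 7f 17 d8 64 8c d5 11 83 24 00 50 04 86 95 45 42
80 00 00 00 00 00 00 d2 7f 17 d8 64 8c d5 11 83 24 00 50 04 86 95 45 a2 80 00 00 00 00 00 00 d2
7f 17 d8 64 8c d5 11 83 24 00 50 04 86 95 45 c2 80 00 00 00 00 00 00 d2 7f 17 d8 64 8c d5 11 83
24 00 50 04 86 95 45 e2 80 00 00 00 00 00 00 d2 7f 17 d8 64 8c d5 11 83 24 00 50 04 86 95 45 02
81 00 00 00 00 00 00 d2 7f 17 d8 64 8c d5 11 83 24 00 50 04 86 95 45 62 80 00 00 00 0b 00 00 00
0c 00 14 00 7c 00 8c 00 93 00 ab 00 c3 00 db 00 f3 00 0b 01 23 01 3b 01
""")

def read_index(block):
    """Return the validated (start, end) pairs stored at indexOffset."""
    if len(block) < 8:
        raise ValueError("block shorter than its header")
    index_offset, signature = struct.unpack_from("<HH", block, 0)
    if signature != 0xBCEC:
        raise ValueError("signature is not 0xbcec")
    if index_offset + 2 > len(block):
        raise ValueError("indexOffset points outside the block")
    (count,) = struct.unpack_from("<H", block, index_offset)
    n = count + 2                       # integers following the count
    if index_offset + 2 + 2 * n > len(block):
        raise ValueError("index table runs past the end of the block")
    offs = struct.unpack_from("<%dH" % n, block, index_offset + 2)
    pairs = list(zip(offs, offs[1:]))   # overlapping (start, end+1) pairs
    if any(s > e or e > index_offset for s, e in pairs):
        raise ValueError("item offsets out of order or inside the index")
    return pairs

def resolve(block, ref, pairs):
    """Return the bytes an internal index reference points at."""
    if ref & 0xF == 0xF:
        raise LookupError("external reference, ID2 value 0x%x" % ref)
    if ref >> 16:
        raise LookupError("subblock reference (type 0x0101 block)")
    slot, odd = divmod(ref >> 4, 2)     # byte offset -> integer slot
    if odd or slot >= len(pairs):
        raise ValueError("index reference 0x%x is outside the table" % ref)
    start, end = pairs[slot]
    return block[start:end]

def parse_bcec(block):
    """Return the (itemType, referenceType, value) descriptor entries."""
    pairs = read_index(block)
    (b5offset,) = struct.unpack_from("<I", block, 4)
    b5 = resolve(block, b5offset, pairs)
    if len(b5) != 8:
        raise ValueError("b5 block is not 8 bytes")
    signature, datasize, descoffset = struct.unpack("<HHI", b5)
    if signature & 0xFF != 0xB5 or datasize + (signature >> 8) != 8:
        raise ValueError("unexpected b5 header 0x%04x/%d" % (signature, datasize))
    table = resolve(block, descoffset, pairs)
    if len(table) % 8:
        raise ValueError("descriptor array is not a multiple of 8 bytes")
    return [struct.unpack_from("<HHI", table, i) for i in range(0, len(table), 8)]
```

Resolving the value 0x80 of the 0x3001 entry with `resolve()` yields the 7 bytes at (0x8c, 0x93), the string "Stanley".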
The following reference types are known, but not all of these are
implemented in the code yet.


0x0002 - Signed 16bit value
0x0003 - Signed 32bit value
0x0004 - 4-byte floating point
0x0005 - Floating point double
0x0006 - Signed 64-bit int
0x0007 - Application Time
0x000A - 32-bit error value
0x000B - Boolean (non-zero = true)
0x000D - Embedded Object
0x0014 - 8-byte signed integer (64-bit)
0x001E - Null terminated String
0x001F - Unicode string
0x0040 - Systime - Filetime structure
0x0048 - OLE Guid
0x0102 - Binary data
0x1003 - Array of 32bit values
0x1014 - Array of 64bit values
0x101E - Array of Strings
0x1102 - Array of Binary data



The following item types are known, but not all of these are
implemented in the code yet.


0x0002  Alternate recipient allowed
0x0003  Extended Attributes Table
0x0017  Importance Level
0x001a  IPM Context, message class
0x0023  Global delivery report requested
0x0026  Priority
0x0029  Read Receipt
0x002b  Reassignment Prohibited
0x002e  Original Sensitivity
0x0032  Report time
0x0036  Sensitivity
0x0037  Email Subject
0x0039  Client submit time / date sent
0x003b  Outlook Address of Sender
0x003f  Outlook structure describing the recipient
0x0040  Name of the Outlook recipient structure
0x0041  Outlook structure describing the sender
0x0042  Name of the Outlook sender structure
0x0043  Another structure describing the recipient
0x0044  Name of the second recipient structure
0x004f  Reply-To Outlook Structure
0x0050  Name of the Reply-To structure
0x0051  Outlook Name of recipient
0x0052  Second Outlook name of recipient
0x0057  My address in TO field
0x0058  My address in CC field
0x0059  Message addressed to me
0x0063  Response requested
0x0064  Sender's Address access method (SMTP, EX)
0x0065  Sender's Address
0x0070  Conversation topic, processed subject (with Fwd:, Re, ... removed)
0x0071  Conversation index
0x0072  Original display BCC
0x0073  Original display CC
0x0074  Original display TO
0x0075  Recipient Address Access Method (SMTP, EX)
0x0076  Recipient's Address
0x0077  Second Recipient Access Method (SMTP, EX)
0x0078  Second Recipient Address
0x007d  Email Header. This is the header that was attached to the email
0x0c04  NDR Reason code
0x0c05  NDR Diag code
0x0c06  Non-receipt notification requested
0x0c17  Reply Requested
0x0c19  Second sender structure
0x0c1a  Name of second sender structure
0x0c1b  Supplementary info
0x0c1d  Second outlook name of sender
0x0c1e  Second sender access method (SMTP, EX)
0x0c1f  Second Sender Address
0x0c20  NDR status code
0x0e01  Delete after submit
0x0e02  BCC Addresses
0x0e03  CC Addresses
0x0e04  SentTo Address
0x0e06  Date.
0x0e07  Flag bits
          0x01 - Read
          0x02 - Unmodified
          0x04 - Submit
          0x08 - Unsent
          0x10 - Has Attachments
          0x20 - From Me
          0x40 - Associated
          0x80 - Resend
          0x100 - RN Pending
          0x200 - NRN Pending
0x0e08  Message Size
0x0e0a  Sentmail EntryID
0x0e1f  Compressed RTF in Sync
0x0e20  Attachment Size
0x0ff9  binary record header
0x1000  Plain Text Email Body. Does not exist if the email doesn't have a plain text version
0x1001  Report Text
0x1006  RTF Sync Body CRC
0x1007  RTF Sync Body character count
0x1008  RTF Sync body tag
0x1009  RTF Compressed body
0x1010  RTF whitespace prefix count
0x1011  RTF whitespace trailing count
0x1013  HTML Email Body. Does not exist if the email doesn't have an HTML version
0x1035  Message ID
0x1042  In-Reply-To or Parent's Message ID
0x1046  Return Path
0x3001  Folder Name? I have seen this value used for the contacts record as well
0x3002  Address Type
0x3003  Contact Address
0x3004  Comment
0x3007  Date item creation
0x3008  Date item modification
0x300b  binary record header
0x35df  Valid Folder Mask
0x35e0  binary record contains a reference to "Top of Personal Folder" item
0x35e2  binary record contains a reference to default outbox item
0x35e3  binary record contains a reference to "Deleted Items" item
0x35e4  binary record contains a reference to sent items folder item
0x35e5  binary record contains a reference to user views folder item
0x35e6  binary record contains a reference to common views folder item
0x35e7  binary record contains a reference to "Search Root" item
0x3602  the number of emails stored in a folder
0x3603  the number of unread emails in a folder
0x360a  Has Subfolders
0x3613  the folder content description
0x3617  Associate Content count
0x3701  Binary Data attachment
0x3704  Attachment Filename
0x3705  Attachment method
0x3707  Attachment Filename long
0x370b  Attachment Position
0x370e  Attachment mime encoding
0x3710  Attachment mime Sequence
0x3a00  Contact's Account name
0x3a01  Contact Alternate Recipient
0x3a02  Callback telephone number
0x3a03  Message Conversion Prohibited
0x3a05  Contacts Suffix
0x3a06  Contacts First Name
0x3a07  Contacts Government ID Number
0x3a08  Business Telephone Number
0x3a09  Home Telephone Number
0x3a0a  Contacts Initials
0x3a0b  Keyword
0x3a0c  Contact's Language
0x3a0d  Contact's Location
0x3a0e  Mail Permission
0x3a0f  MHS Common Name
0x3a10  Organizational ID #
0x3a11  Contacts Surname
0x3a12  original entry id
0x3a13  original display name
0x3a14  original search key
0x3a15  Default Postal Address
0x3a16  Company Name
0x3a17  Job Title
0x3a18  Department Name
0x3a19  Office Location
0x3a1a  Primary Telephone
0x3a1b  Business Phone Number 2
0x3a1c  Mobile Phone Number
0x3a1d  Radio Phone Number
0x3a1e  Car Phone Number
0x3a1f  Other Phone Number
0x3a20  Transmittable Display Name
0x3a21  Pager Phone Number
0x3a22  user certificate
0x3a23  Primary Fax Number
0x3a24  Business Fax Number
0x3a25  Home Fax Number
0x3a26  Business Address Country
0x3a27  Business Address City
0x3a28  Business Address State
0x3a29  Business Address Street
0x3a2a  Business Postal Code
0x3a2b  Business PO Box
0x3a2c  Telex Number
0x3a2d  ISDN Number
0x3a2e  Assistant Phone Number
0x3a2f  Home Phone 2
0x3a30  Assistant's Name
0x3a40  Can receive Rich Text
0x3a41  Wedding Anniversary
0x3a42  Birthday
0x3a43  Hobbies
0x3a44  Middle Name
0x3a45  Display Name Prefix (Title)
0x3a46  Profession
0x3a47  Preferred By Name
0x3a48  Spouse's Name
0x3a49  Computer Network Name
0x3a4a  Customer ID
0x3a4b  TTY/TDD Phone
0x3a4c  Ftp Site
0x3a4d  Gender
0x3a4e  Manager's Name
0x3a4f  Nickname
0x3a50  Personal Home Page
0x3a51  Business Home Page
0x3a57  Company Main Phone
0x3a58  Children's names
0x3a59  Home Address City
0x3a5a  Home Address Country
0x3a5b  Home Address Postal Code
0x3a5c  Home Address State or Province
0x3a5d  Home Address Street
0x3a5e  Home Address Post Office Box
0x3a5f  Other Address City
0x3a60  Other Address Country
0x3a61  Other Address Postal Code
0x3a62  Other Address State
0x3a63  Other Address Street
0x3a64  Other Address Post Office box
0x3fde  Internet code page
0x3ffd  Message code page
0x65e3  Entry ID
0x67f2  Attachment ID2 value
0x67ff  Password checksum
0x6f02  Secure HTML Body
0x6f04  Secure Text Body
0x7c07  Top of folders RecID
0x8005  Contact Fullname
0x801a  Home Address
0x801b  Business Address
0x801c  Other Address
0x8045  Work Address Street
0x8046  Work Address City
0x8047  Work Address State
0x8048  Work Address Postal Code
0x8049  Work Address Country
0x804a  Work Address Post Office Box
0x8082  Email Address 1 Transport
0x8083  Email Address 1 Address
0x8084  Email Address 1 Description
0x8085  Email Address 1 Record
0x8092  Email Address 2 Transport
0x8093  Email Address 2 Address
0x8094  Email Address 2 Description
0x8095  Email Address 2 Record
0x80a2  Email Address 3 Transport
0x80a3  Email Address 3 Address
0x80a4  Email Address 3 Description
0x80a5  Email Address 3 Record
0x80d8  Internet Free/Busy
0x8205  Appointment shows as
0x8208  Appointment Location
0x820d  Appointment start
0x820e  Appointment end
0x8214  Label for appointment
0x8215  All day appointment flag
0x8216  Appointment recurrence data
0x8223  Appointment is recurring
0x8231  Recurrence type
0x8232  Recurrence description
0x8234  TimeZone of times
0x8235  Recurrence Start Time
0x8236  Recurrence End Time
0x8501  Reminder minutes before appointment start
0x8503  Reminder alarm
0x8516  Common Time Start
0x8517  Common Time End
0x851f  Play reminder sound filename
0x8530  Followup String
0x8534  Mileage
0x8535  Billing Information
0x8554  Outlook Version
0x8560  Appointment Reminder Time
0x8700  Journal Entry Type
0x8706  Start Timestamp
0x8708  End Timestamp
0x8712  Journal Entry Type - duplicate?



This style of descriptor block is similar to the 0xbcec format. This
descriptor is also eventually decoded to a list of MAPI elements.


0000  7a 01 ec 7c 40 00 00 00 00 00 00 00 b5 04 02 00
0010  60 00 00 00 7c 18 60 00 60 00 62 00 65 00 20 00
0020  00 00 80 00 00 00 00 00 00 00 03 00 20 0e 0c 00
0030  04 03 1e 00 01 30 2c 00 04 0b 1e 00 03 37 28 00
0040  04 0a 1e 00 04 37 14 00 04 05 03 00 05 37 10 00
0050  04 04 1e 00 07 37 24 00 04 09 1e 00 08 37 20 00
0060  04 08 02 01 0a 37 18 00 04 06 03 00 0b 37 08 00
0070  04 02 1e 00 0d 37 1c 00 04 07 1e 00 0e 37 40 00
0080  04 10 02 01 0f 37 30 00 04 0c 1e 00 11 37 34 00
0090  04 0d 1e 00 12 37 3c 00 04 0f 1e 00 13 37 38 00
00A0  04 0e 03 00 f2 67 00 00 04 00 03 00 f3 67 04 00
00B0  04 01 03 00 09 69 44 00 04 11 03 00 fa 7f 5c 00
00C0  04 15 40 00 fb 7f 4c 00 08 13 40 00 fc 7f 54 00
00D0  08 14 03 00 fd 7f 48 00 04 12 0b 00 fe 7f 60 00
00E0  01 16 0b 00 ff 7f 61 00 01 17 45 82 00 00 00 00
00F0  45 82 00 00 78 3c 00 00 ff ff ff ff 49 1e 00 00
0100  06 00 00 00 00 00 00 00 a0 00 00 00 00 00 00 00
0110  00 00 00 00 00 00 00 00 00 00 00 00 c0 00 00 00
0120  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0130  00 00 00 00 00 00 00 00 00 00 00 00 00 40 dd a3
0140  57 45 b3 0c 00 40 dd a3 57 45 b3 0c 02 00 00 00
0150  00 00 fa 10 3e 2a 86 48 86 f7 14 03 0a 03 02 01
0160  4a 2e 20 44 61 76 69 64 20 4b 61 72 61 6d 27 73
0170  20 42 69 72 74 68 64 61 79 00 06 00 00 00 0c 00
0180  14 00 ea 00 f0 00 55 01 60 01 79 01

0000  indexOffset  [2 bytes]  0x017a in this case
0002  signature    [2 bytes]  0x7cec constant
0004  7coffset     [4 bytes]  0x0040 index reference



Note the signature of 0x7cec. There are other descriptor block formats
with other signatures. Note the indexOffset of 0x017a - starting at
that position in the descriptor block, we have an array of two byte
integers. The first integer (0x0006) is a (count-1) of the number of
overlapping pairs following the count. The first pair is (0, 0xc), the
next pair is (0xc, 0x14) and the last (7th) pair is (0x160, 0x179).
These pairs are (start,end+1) offsets of items in this block. So we
have count+2 integers following the count value.


Note the 7coffset of 0x0040, which is an index reference. In this case,
it is an internal reference pointer, which needs to be right shifted by
4 bits to become 0x0004, which is then a byte offset to be added to the
above indexOffset plus two (to skip the count), so it points to the
(0x14, 0xea) pair. We have the offset and size of the "7c" block
located at offset 0x14 with a size of 214 bytes in this case. The "7c"
block starts with a header with the following format:


0000  signature     [1 byte]   0x7c constant
0001  itemCount     [1 byte]   0x18 in this case
0002  unknown       [2 bytes]  0x0060 in this case
0004  unknown       [2 bytes]  0x0060 in this case
0006  unknown       [2 bytes]  0x0062 in this case
0008  recordSize    [2 bytes]  0x0065 in this case
000a  b5Offset      [4 bytes]  0x0020 index reference
000e  index2Offset  [4 bytes]  0x0080 index reference
0012  unknown       [2 bytes]  0x0000 in this case
0014  unknown       [2 bytes]  0x0000 in this case



Note the b5Offset of 0x0020, which is an index reference. In this case,
it is an internal reference pointer, which needs to be right shifted by
4 bits to become 0x0002, which is then a byte offset to be added to the
above indexOffset plus two (to skip the count), so it points to the
(0xc, 0x14) pair. Finally, we have the offset and size of the "b5"
block located at offset 0xc with a size of 8 bytes in this descriptor
block. The "b5" block has the following format:


0000  signature   [2 bytes]  0x04b5 constant
0002  datasize    [2 bytes]  0x0002 +4 for 6 byte entries in this case
0004  descoffset  [4 bytes]  0x0060 index reference



Note the descoffset of 0x0060, which again is an index reference. In
this case, it is an internal pointer reference, which needs to be right
shifted by 4 bits to become 0x0006, which is then a byte offset to be
added to the above indexOffset plus two (to skip the count), so it
points to the (0xea, 0xf0) pair. The datasize (2) plus the b5 code (04)
gives the size of the entries, in this case 6 bytes. We now have the
offset 0xea of an unused block of data in an unknown format, composed
of 6 byte entries. That gives us (0xf0 - 0xea)/6 = 1, so we have a
recordCount of one.


We have seen cases where the descoffset in the b5 block is zero, and
the index2Offset in the 7c block is zero. This has been seen for
objects that seem to be attachments on messages that have been read.
Before the message was read, it did not have any attachments.


Note the index2Offset above of 0x0080, which again is an index
reference. In this case, it is an internal pointer reference, which
needs to be right shifted by 4 bits to become 0x0008, which is then a
byte offset to be added to the above indexOffset plus two (to skip the
count), so it points to the (0xf0, 0x155) pair. This is an array of
tables of four byte integers. We will call these the IND2 tables. The
size of each of these tables is specified by the recordSize field of
the "7c" header. The number of these tables is the above recordCount
value derived from the "b5" block.


Now the remaining data in the "7c" block after the header starts at
offset 0x2a. There should be itemCount 8 byte items here, with the
following format:


0000  referenceType  [2 bytes]
0002  itemType       [2 bytes]
0004  ind2Offset     [2 bytes]
0006  size           [1 byte]
0007  unknown        [1 byte]



The ind2Offset is a byte offset into the current IND2 table of some
value. If that is a four byte integer value, then once we fetch that,
we have the same triple (item type, reference type, value) as we find
in the 0xbcec style descriptor blocks. If not, then this value is used
directly. These 8 byte descriptors are processed recordCount times,
each time using the next IND2 table. The item and reference types are
as described above for the 0xbcec format descriptor block.


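The "7c" header, its 8 byte items and the IND2 lookup, as an added example (not code from libpst or from this page) run over the 0x7cec hex dump shown above. The function name is hypothetical, the region offsets (0x14, 0xea), (0xf0, 0x155) and the recordCount of one are taken from the walk-through rather than resolved from the index table, and reading each value as a little-endian integer of `size` bytes is an assumption.

```python
import struct

# The 0x7cec descriptor block from the hex dump above (0x18c bytes).
BLOCK = bytes.fromhex("""
7a 01 ec 7c 40 00 00 00 00 00 00 00 b5 04 02 00 60 00 00 00 7c 18 60 00 60 00 62 00 65 00 20 00
00 00 80 00 00 00 00 00 00 00 03 00 20 0e 0c 00 04 03 1e 00 01 30 2c 00 04 0b 1e 00 03 37 28 00
04 0a 1e 00 04 37 14 00 04 05 03 00 05 37 10 00 04 04 1e 00 07 37 24 00 04 09 1e 00 08 37 20 00
04 08 02 01 0a 37 18 00 04 06 03 00 0b 37 08 00 04 02 1e 00 0d 37 1c 00 04 07 1e 00 0e 37 40 00
04 10 02 01 0f 37 30 00 04 0c 1e 00 11 37 34 00 04 0d 1e 00 12 37 3c 00 04 0f 1e 00 13 37 38 00
04 0e 03 00 f2 67 00 00 04 00 03 00 f3 67 04 00 04 01 03 00 09 69 44 00 04 11 03 00 fa 7f 5c 00
04 15 40 00 fb 7f 4c 00 08 13 40 00 fc 7f 54 00 08 14 03 00 fd 7f 48 00 04 12 0b 00 fe 7f 60 00
01 16 0b 00 ff 7f 61 00 01 17 45 82 00 00 00 00 45 82 00 00 78 3c 00 00 ff ff ff ff 49 1e 00 00
06 00 00 00 00 00 00 00 a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 dd a3
57 45 b3 0c 00 40 dd a3 57 45 b3 0c 02 00 00 00 00 00 fa 10 3e 2a 86 48 86 f7 14 03 0a 03 02 01
4a 2e 20 44 61 76 69 64 20 4b 61 72 61 6d 27 73 20 42 69 72 74 68 64 61 79 00 06 00 00 00 0c 00
14 00 ea 00 f0 00 55 01 60 01 79 01
""")

HEADER = struct.Struct("<BBHHHHIIHH")   # the 22 byte "7c" header
ITEM = struct.Struct("<HHHBB")          # referenceType, itemType, ind2Offset, size, unknown

def parse_7c(block, blk=(0x14, 0xEA), ind2=(0xF0, 0x155), record_count=1):
    """Return one list of (itemType, referenceType, value) per IND2 table."""
    for start, end in (blk, ind2):
        if not 0 <= start <= end <= len(block):
            raise ValueError("region lies outside the descriptor block")
    body, tables = block[blk[0]:blk[1]], block[ind2[0]:ind2[1]]
    if len(body) < HEADER.size:
        raise ValueError("7c block shorter than its header")
    sig, item_count, _, _, _, record_size, _b5, _ind2, _, _ = HEADER.unpack_from(body)
    if sig != 0x7C:
        raise ValueError("signature is not 0x7c")
    if HEADER.size + item_count * ITEM.size > len(body):
        raise ValueError("itemCount runs past the end of the 7c block")
    if record_count * record_size > len(tables):
        raise ValueError("IND2 tables run past their region")
    records = []
    for r in range(record_count):
        table = tables[r * record_size:(r + 1) * record_size]
        record = []
        for i in range(item_count):
            pos = HEADER.size + i * ITEM.size
            ref_type, item_type, off, size, _ = ITEM.unpack_from(body, pos)
            if off + size > record_size:    # ind2Offset is untrusted input
                raise ValueError("item 0x%04x reads outside its IND2 table" % item_type)
            value = int.from_bytes(table[off:off + size], "little")
            record.append((item_type, ref_type, value))
        records.append(record)
    return records
```

The first item decodes to (0x0e20, 0x0003, 0x1e49), an attachment size, and the 0x3001 item yields 0xc0, an index reference still to be resolved through the index table at indexOffset.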
This descriptor block contains a list of I_ID values. It is used when
an I_ID (that would normally point to a type 0x7cec or 0xbcec
descriptor block) contains more data than can fit in any single
descriptor of those types. In this case, it points to a type 0x0101
block, which contains a list of I_ID values that themselves point to
the actual descriptor blocks. The total length value in the 0x0101
header is the sum of the lengths of the blocks pointed to by the list
of I_ID values. The result is an array of subblocks, that may contain
index references where the high order 16 bits specify which descriptor
subblock to use. Only the first descriptor subblock contains the
signature (0xbcec or 0x7cec).


0000  01 01 02 00 26 28 00 00 18 77 0c 00 b8 04 00 00

0000  signature     [2 bytes]  0x0101 constant
0002  count         [2 bytes]  0x0002 in this case
0004  total length  [4 bytes]  0x002826 in this case
repeating
0008  i_id          [4 bytes]  0x0c7718 in this case
000c  i_id          [4 bytes]  0x0004b8 in this case



This descriptor block contains a list of I_ID values, similar to the 32
bit version described above.


0000  01 01 02 00 ea 29 00 00 10 83 00 00 00 00 00 00
0010  1c 83 00 00 00 00 00 00

0000  signature     [2 bytes]  0x0101 constant
0002  count         [2 bytes]  0x0002 in this case
0004  total length  [4 bytes]  0x0029ea in this case
repeating
0008  i_id          [8 bytes]  0x008310 in this case
0010  i_id          [8 bytes]  0x00831c in this case





2009-09-14                                                  OUTLOOK.PST(5)