OUTLOOK.PST(5)          libpst Utilities - Version 0.6          OUTLOOK.PST(5)

NAME

       outlook.pst - format of MS Outlook .pst file

SYNOPSIS

       outlook.pst

OVERVIEW

       Low level or primitive items in a .pst file are identified by an I_ID
       value. Higher level or composite items in a .pst file are identified by
       a D_ID value. There are two separate b-trees indexed by these I_ID and
       D_ID values. Starting with Outlook 2003, the file format changed from
       one with 32 bit pointers, to one with 64 bit pointers. We describe both
       formats here.

32 BIT FILE HEADER

       The 32 bit file header is located at offset 0 in the .pst file.

           0000  21 42 44 4e 49 f8 64 d9  53 4d 0e 00 13 00 01 01
           0010  00 00 00 00 00 00 00 00  50 d6 03 00 bd 1e 02 00
           0020  08 4c 00 00 00 04 00 00  00 04 00 00 0f 04 00 00
           0030  0d 40 00 00 99 0a 01 00  18 04 00 00 0d 40 00 00
           0040  0d 40 00 00 11 80 00 00  02 04 00 00 0a 04 00 00
           0050  00 04 00 00 00 04 00 00  0f 04 00 00 0f 04 00 00
           0060  0f 04 00 00 0d 40 00 00  00 04 00 00 00 04 00 00
           0070  04 40 00 00 00 04 00 00  00 04 00 00 00 04 00 00
           0080  00 04 00 00 00 04 00 00  00 04 00 00 00 04 00 00
           0090  00 04 00 00 00 04 00 00  00 04 00 00 00 04 00 00
           00a0  0c 09 00 00 00 00 00 00  00 04 27 00 00 24 23 00
           00b0  c0 09 0a 00 00 c8 00 00  bc 1e 02 00 00 7e 0c 00
           00c0  b4 1e 02 00 00 54 00 00  01 00 00 00 23 55 44 d1
           00d0  5a 4f ce 6b 80 ff ff ff  00 00 00 00 00 00 00 00
           00e0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
           00f0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
           0100  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
           0110  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
           0120  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
           0130  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
           0140  00 00 00 00 00 00 00 00  00 00 00 00 3f ff ff ff
           0150  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff
           0160  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff
           0170  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff
           0180  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff
           0190  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff
           01a0  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff
           01b0  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff
           01c0  ff ff ff ff ff ff ff ff  ff ff ff ff 80 01 00 00
           01d0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
           01e0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
           01f0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00

           0000  signature       [4 bytes] 0x4e444221 constant
           000a  indexType       [1 byte]  0x0e       constant
           01cd  encryptionType  [1 byte]  0x01       in this case
           00a8  total file size [4 bytes] 0x270400   in this case
           00c0  backPointer1    [4 bytes] 0x021eb4   in this case
           00c4  offsetIndex1    [4 bytes] 0x005400   in this case
           00b8  backPointer2    [4 bytes] 0x021ebc   in this case
           00bc  offsetIndex2    [4 bytes] 0x0c7e00   in this case

       We only support index types 0x0e, 0x0f, 0x15, and 0x17, and encryption
       types 0x00, 0x01 and 0x02. Index type 0x0e is the older 32 bit Outlook
       format. Index type 0x0f seems to be rare, and so far the data seems to
       be identical to that in type 0x0e files. Index type 0x17 is the newer
       64 bit Outlook format. Index type 0x15 seems to be rare, and according
       to the libpff project should have the same format as type 0x17 files.
       It was found in a 64-bit pst file created by Visual Recovery. It may be
       that index types less than 0x10 are 32 bit, and index types greater
       than or equal to 0x10 are 64 bit, and the low order four bits of the
       index type are some subtype or minor version number.

       Encryption type 0x00 is no encryption, type 0x01 is "compressible"
       encryption which is a simple substitution cipher, and type 0x02 is
       "strong" encryption, which is a simple three rotor Enigma cipher from
       WWII.

       offsetIndex1 is the file offset of the root of the index1 b-tree, which
       contains (I_ID, offset, size, unknown) tuples for each item in the
       file. backPointer1 is the value that should appear in the parent
       pointer of that root node.

       offsetIndex2 is the file offset of the root of the index2 b-tree, which
       contains (D_ID, DESC-I_ID, TREE-I_ID, PARENT-D_ID) tuples for each item
       in the file. backPointer2 is the value that should appear in the parent
       pointer of that root node.

64 BIT FILE HEADER

       The 64 bit file header is located at offset 0 in the .pst file.

           0000  21 42 44 4e 03 02 23 b2  53 4d 17 00 13 00 01 01
           0010  00 00 00 00 00 00 00 00  04 00 00 00 01 00 00 00
           0020  8b 00 00 00 00 00 00 00  1d 00 00 00 00 04 00 00
           0030  00 04 00 00 04 04 00 00  00 40 00 00 02 00 01 00
           0040  00 04 00 00 00 04 00 00  00 04 00 00 00 80 00 00
           0050  00 04 00 00 00 04 00 00  00 04 00 00 00 04 00 00
           0060  04 04 00 00 04 04 00 00  04 04 00 00 00 04 00 00
           0070  00 04 00 00 00 04 00 00  00 04 00 00 00 04 00 00
           0080  00 04 00 00 00 04 00 00  00 04 00 00 00 04 00 00
           0090  00 04 00 00 00 04 00 00  00 04 00 00 00 04 00 00
           00a0  00 04 00 00 00 04 00 00  02 04 00 00 00 00 00 00
           00b0  00 00 00 00 00 00 00 00  00 24 04 00 00 00 00 00
           00c0  00 44 00 00 00 00 00 00  00 71 03 00 00 00 00 00
           00d0  00 22 00 00 00 00 00 00  83 00 00 00 00 00 00 00
           00e0  00 6a 00 00 00 00 00 00  8a 00 00 00 00 00 00 00
           00f0  00 60 00 00 00 00 00 00  01 00 00 00 00 00 00 00
           0100  ff 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
           0110  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
           0120  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
           0130  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
           0140  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
           0150  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
           0160  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
           0170  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00
           0180  7f ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff
           0190  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff
           01a0  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff
           01b0  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff
           01c0  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff
           01d0  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff
           01e0  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff
           01f0  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff
           0200  80 00 00 00 e8 00 00 00  00 00 00 00 c4 68 cb 89

           0000  signature       [4 bytes] 0x4e444221 constant
           000a  indexType       [1 byte]  0x17       constant
           0201  encryptionType  [1 byte]  0x00       in this case
           00b8  total file size [8 bytes] 0x042400   in this case
           00e8  backPointer1    [8 bytes] 0x00008a   in this case
           00f0  offsetIndex1    [8 bytes] 0x006000   in this case
           00d8  backPointer2    [8 bytes] 0x000083   in this case
           00e0  offsetIndex2    [8 bytes] 0x006a00   in this case
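
The two header layouts above, as an added Python example (not part of libpst or of the original page): it reads each field at its tabulated offset and rejects a header whose b-tree root offsets fall outside the file. The sample headers are constructed, zero-filled buffers carrying only the example values from the field tables; the function names, the `actual_size` parameter and the `sizeMismatch` key are assumptions.

```python
import struct

PST_SIGNATURE = 0x4E444221      # bytes 21 42 44 4e read as a little-endian uint32
NODE_SIZE = 512                 # index b-tree nodes are 512 byte blocks
ENCRYPTION = {0x00: "none", 0x01: "compressible", 0x02: "strong"}
# indexType -> pointer width, for the four supported index types
INDEX_WIDTH = {0x0E: 32, 0x0F: 32, 0x15: 64, 0x17: 64}
# field name -> (offset, struct format), taken from the two field tables
LAYOUT = {
    32: {"encryptionType": (0x1CD, "<B"), "fileSize": (0x0A8, "<I"),
         "backPointer1": (0x0C0, "<I"), "offsetIndex1": (0x0C4, "<I"),
         "backPointer2": (0x0B8, "<I"), "offsetIndex2": (0x0BC, "<I")},
    64: {"encryptionType": (0x201, "<B"), "fileSize": (0x0B8, "<Q"),
         "backPointer1": (0x0E8, "<Q"), "offsetIndex1": (0x0F0, "<Q"),
         "backPointer2": (0x0D8, "<Q"), "offsetIndex2": (0x0E0, "<Q")},
}


def parse_header(buf, actual_size=None):
    """Parse a .pst header; raise ValueError on anything a reader must not trust."""
    if len(buf) < 0x0B:
        raise ValueError("too short to hold signature and indexType")
    if struct.unpack_from("<I", buf, 0)[0] != PST_SIGNATURE:
        raise ValueError("bad signature")
    index_type = buf[0x0A]
    if index_type not in INDEX_WIDTH:
        raise ValueError(f"unsupported indexType 0x{index_type:02x}")
    width = INDEX_WIDTH[index_type]
    hdr = {"indexType": index_type, "width": width}
    for name, (off, fmt) in LAYOUT[width].items():
        if off + struct.calcsize(fmt) > len(buf):
            raise ValueError(f"header truncated before {name}")
        hdr[name] = struct.unpack_from(fmt, buf, off)[0]
    if hdr["encryptionType"] not in ENCRYPTION:
        raise ValueError(f"unsupported encryptionType 0x{hdr['encryptionType']:02x}")
    hdr["encryption"] = ENCRYPTION[hdr["encryptionType"]]
    # The recorded size is attacker-controlled data; bound offsets by the
    # smaller of the recorded size and the size actually on disk.
    limit = hdr["fileSize"]
    if actual_size is not None:
        hdr["sizeMismatch"] = actual_size != hdr["fileSize"]
        limit = min(limit, actual_size)
    for name in ("offsetIndex1", "offsetIndex2"):
        if hdr[name] == 0 or hdr[name] + NODE_SIZE > limit:
            raise ValueError(f"{name} 0x{hdr[name]:x} does not fit inside the file")
    return hdr


def sample_header(width):
    """Constructed sample: zero-filled header holding only the tables' example values."""
    values = {
        32: (0x0E, 0x01, 0x270400, 0x021EB4, 0x005400, 0x021EBC, 0x0C7E00),
        64: (0x17, 0x00, 0x042400, 0x00008A, 0x006000, 0x000083, 0x006A00),
    }[width]
    names = ("encryptionType", "fileSize", "backPointer1",
             "offsetIndex1", "backPointer2", "offsetIndex2")
    buf = bytearray(0x204)
    struct.pack_into("<I", buf, 0, PST_SIGNATURE)
    buf[0x0A] = values[0]
    for name, value in zip(names, values[1:]):
        off, fmt = LAYOUT[width][name]
        struct.pack_into(fmt, buf, off, value)
    return bytes(buf)


if __name__ == "__main__":
    for w in (32, 64):
        print(w, parse_header(sample_header(w)))
```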

32 BIT INDEX 1 NODE

       The 32 bit index1 b-tree nodes are 512 byte blocks with the following
       format.

           0000  04 00 00 00  8a 1e 02 00  00 1c 0b 00
           000c  58 27 03 00  b3 1e 02 00  00 52 00 00
           0018  00 00 00 00  00 00 00 00  00 00 00 00
           0024  00 00 00 00  00 00 00 00  00 00 00 00
           0030  00 00 00 00  00 00 00 00  00 00 00 00
           003c  00 00 00 00  00 00 00 00  00 00 00 00
           0048  00 00 00 00  00 00 00 00  00 00 00 00
           0054  00 00 00 00  00 00 00 00  00 00 00 00
           0060  00 00 00 00  00 00 00 00  00 00 00 00
           006c  00 00 00 00  00 00 00 00  00 00 00 00
           0078  00 00 00 00  00 00 00 00  00 00 00 00
           0084  00 00 00 00  00 00 00 00  00 00 00 00
           0090  00 00 00 00  00 00 00 00  00 00 00 00
           009c  00 00 00 00  00 00 00 00  00 00 00 00
           00a8  00 00 00 00  00 00 00 00  00 00 00 00
           00b4  00 00 00 00  00 00 00 00  00 00 00 00
           00c0  00 00 00 00  00 00 00 00  00 00 00 00
           00cc  00 00 00 00  00 00 00 00  00 00 00 00
           00d8  00 00 00 00  00 00 00 00  00 00 00 00
           00e4  00 00 00 00  00 00 00 00  00 00 00 00
           00f0  00 00 00 00  00 00 00 00  00 00 00 00
           00fc  00 00 00 00  00 00 00 00  00 00 00 00
           0108  00 00 00 00  00 00 00 00  00 00 00 00
           0114  00 00 00 00  00 00 00 00  00 00 00 00
           0120  00 00 00 00  00 00 00 00  00 00 00 00
           012c  00 00 00 00  00 00 00 00  00 00 00 00
           0138  00 00 00 00  00 00 00 00  00 00 00 00
           0144  00 00 00 00  00 00 00 00  00 00 00 00
           0150  00 00 00 00  00 00 00 00  00 00 00 00
           015c  00 00 00 00  00 00 00 00  00 00 00 00
           0168  00 00 00 00  00 00 00 00  00 00 00 00
           0174  00 00 00 00  00 00 00 00  00 00 00 00
           0180  00 00 00 00  00 00 00 00  00 00 00 00
           018c  00 00 00 00  00 00 00 00  00 00 00 00
           0198  00 00 00 00  00 00 00 00  00 00 00 00
           01a4  00 00 00 00  00 00 00 00  00 00 00 00
           01b0  00 00 00 00  00 00 00 00  00 00 00 00
           01bc  00 00 00 00  00 00 00 00  00 00 00 00
           01c8  00 00 00 00  00 00 00 00  00 00 00 00
           01d4  00 00 00 00  00 00 00 00  00 00 00 00
           01e0  00 00 00 00  00 00 00 00  00 00 00 00
           01ec  00 00 00 00  02 29 0c 02  80 80 b6 4a
           01f8  b4 1e 02 00  27 9c cc 56

           01f0  itemCount       [1 byte]  0x02       in this case
           01f1  maxItemCount    [1 byte]  0x29       constant
           01f2  itemSize        [1 byte]  0x0c       constant
           01f3  nodeLevel       [1 byte]  0x02       in this case
           01f8  backPointer     [4 bytes] 0x021eb4   in this case

       The itemCount specifies the number of 12 byte records that are active.
       The nodeLevel is non-zero for this style of nodes. The leaf nodes have
       a different format. The backPointer must match the backPointer from the
       triple that pointed to this node.

       Each item in this node is a triple of (I_ID, backPointer, offset) where
       the offset points to the next deeper node in the tree, the backPointer
       value must match the backPointer in that deeper node, and I_ID is the
       lowest I_ID value in the subtree.

64 BIT INDEX 1 NODE

       The 64 bit index1 b-tree nodes are 512 byte blocks with the following
       format.

           0000  04 00 00 00  00 00 00 00  88 00 00 00
           000C  00 00 00 00  00 48 00 00  00 00 00 00
           0018  74 00 00 00  00 00 00 00  86 00 00 00
           0024  00 00 00 00  00 54 00 00  00 00 00 00
           0030  00 00 00 00  00 00 00 00  00 00 00 00
           003C  00 00 00 00  00 00 00 00  00 00 00 00
           0048  00 00 00 00  00 00 00 00  00 00 00 00
           0054  00 00 00 00  00 00 00 00  00 00 00 00
           0060  00 00 00 00  00 00 00 00  00 00 00 00
           006C  00 00 00 00  00 00 00 00  00 00 00 00
           0078  00 00 00 00  00 00 00 00  00 00 00 00
           0084  00 00 00 00  00 00 00 00  00 00 00 00
           0090  00 00 00 00  00 00 00 00  00 00 00 00
           009C  00 00 00 00  00 00 00 00  00 00 00 00
           00A8  00 00 00 00  00 00 00 00  00 00 00 00
           00B4  00 00 00 00  00 00 00 00  00 00 00 00
           00C0  00 00 00 00  00 00 00 00  00 00 00 00
           00CC  00 00 00 00  00 00 00 00  00 00 00 00
           00D8  00 00 00 00  00 00 00 00  00 00 00 00
           00E4  00 00 00 00  00 00 00 00  00 00 00 00
           00F0  00 00 00 00  00 00 00 00  00 00 00 00
           00FC  00 00 00 00  00 00 00 00  00 00 00 00
           0108  00 00 00 00  00 00 00 00  00 00 00 00
           0114  00 00 00 00  00 00 00 00  00 00 00 00
           0120  00 00 00 00  00 00 00 00  00 00 00 00
           012C  00 00 00 00  00 00 00 00  00 00 00 00
           0138  00 00 00 00  00 00 00 00  00 00 00 00
           0144  00 00 00 00  00 00 00 00  00 00 00 00
           0150  00 00 00 00  00 00 00 00  00 00 00 00
           015C  00 00 00 00  00 00 00 00  00 00 00 00
           0168  00 00 00 00  00 00 00 00  00 00 00 00
           0174  00 00 00 00  00 00 00 00  00 00 00 00
           0180  00 00 00 00  00 00 00 00  00 00 00 00
           018C  00 00 00 00  00 00 00 00  00 00 00 00
           0198  00 00 00 00  00 00 00 00  00 00 00 00
           01A4  00 00 00 00  00 00 00 00  00 00 00 00
           01B0  00 00 00 00  00 00 00 00  00 00 00 00
           01BC  00 00 00 00  00 00 00 00  00 00 00 00
           01C8  00 00 00 00  00 00 00 00  00 00 00 00
           01D4  00 00 00 00  00 00 00 00  00 00 00 00
           01E0  00 00 00 00  00 00 00 00  02 14 18 01
           01EC  00 00 00 00  80 80 8a 60  68 e5 b5 19
           01F8  8a 00 00 00  00 00 00 00

           01e8  itemCount       [1 byte]  0x02       in this case
           01e9  maxItemCount    [1 byte]  0x14       constant
           01ea  itemSize        [1 byte]  0x18       constant
           01eb  nodeLevel       [1 byte]  0x01       in this case
           01f8  backPointer     [8 bytes] 0x00008a   in this case

       The itemCount specifies the number of 24 byte records that are active.
       The nodeLevel is non-zero for this style of nodes. The leaf nodes have
       a different format. The backPointer must match the backPointer from the
       triple that pointed to this node.

       Each item in this node is a triple of (I_ID, backPointer, offset) where
       the offset points to the next deeper node in the tree, the backPointer
       value must match the backPointer in that deeper node, and I_ID is the
       lowest I_ID value in the subtree.

32 BIT INDEX 1 LEAF NODE

       The 32 bit index1 b-tree leaf nodes are 512 byte blocks with the
       following format.

           0000  04 00 00 00  00 58 00 00  64 00  0f 00
           000c  08 00 00 00  80 58 00 00  ac 00  06 00
           0018  0c 00 00 00  40 59 00 00  ac 00  06 00
           0024  10 00 00 00  00 5a 00 00  bc 00  03 00
           0030  14 00 00 00  00 5b 00 00  a4 00  02 00
           003c  18 00 00 00  c0 5b 00 00  64 00  02 00
           0048  1c 00 00 00  40 5c 00 00  5c 00  02 00
           0054  50 00 00 00  80 62 00 00  60 00  02 00
           0060  74 00 00 00  00 77 00 00  5e 00  02 00
           006c  7c 00 00 00  80 77 00 00  66 00  02 00
           0078  84 00 00 00  00 76 00 00  ca 00  02 00
           0084  88 00 00 00  00 63 00 00  52 00  02 00
           0090  90 00 00 00  00 79 00 00  58 00  02 00
           009c  cc 00 00 00  c0 61 00 00  76 00  02 00
           00a8  e0 00 00 00  00 61 00 00  74 00  02 00
           00b4  f4 00 00 00  80 65 00 00  6e 00  02 00
           00c0  8c 01 00 00  40 60 00 00  70 00  02 00
           00cc  ea 01 00 00  80 61 00 00  10 00  02 00
           00d8  ec 01 00 00  40 8a 00 00  f3 01  02 00
           00e4  f0 01 00 00  80 93 00 00  f4 1f  02 00
           00f0  fa 01 00 00  c0 7f 00 00  10 00  02 00
           00fc  00 02 00 00  00 89 00 00  34 01  02 00
           0108  1c 02 00 00  40 ec 00 00  12 06  02 00
           0114  22 02 00 00  00 84 00 00  10 00  02 00
           0120  24 02 00 00  c0 ea 00 00  3c 01  02 00
           012c  40 02 00 00  00 f4 00 00  0a 06  02 00
           0138  46 02 00 00  40 8c 00 00  10 00  02 00
           0144  48 02 00 00  80 f2 00 00  36 01  02 00
           0150  64 02 00 00  80 fb 00 00  bf 07  02 00
           015c  6a 02 00 00  80 63 00 00  10 00  02 00
           0168  6c 02 00 00  40 fa 00 00  2a 01  02 00
           0174  6c 02 00 00  40 fa 00 00  2a 01  02 00
           0180  6c 02 00 00  40 fa 00 00  2a 01  02 00
           018c  6c 02 00 00  40 fa 00 00  2a 01  02 00
           0198  6c 02 00 00  40 fa 00 00  2a 01  02 00
           01a4  6c 02 00 00  40 fa 00 00  2a 01  02 00
           01b0  64 02 00 00  80 fb 00 00  bf 07  02 00
           01bc  64 02 00 00  80 fb 00 00  bf 07  02 00
           01c8  64 02 00 00  80 fb 00 00  bf 07  02 00
           01d4  64 02 00 00  80 fb 00 00  bf 07  02 00
           01e0  64 02 00 00  80 fb 00 00  bf 07  02 00
           01ec  00 00 00 00  1f 29 0c 00  80 80  5b b3
           01f8  5a 67 01 00  4f ae 70 a7

           01f0  itemCount       [1 byte]  0x1f       in this case
           01f1  maxItemCount    [1 byte]  0x29       constant
           01f2  itemSize        [1 byte]  0x0c       constant
           01f3  nodeLevel       [1 byte]  0x00       defines a leaf node
           01f8  backPointer     [4 bytes] 0x01675a   in this case

       The itemCount specifies the number of 12 byte records that are active.
       The nodeLevel is zero for these leaf nodes. The backPointer must match
       the backPointer from the triple that pointed to this node.

       Each item in this node is a tuple of (I_ID, offset, size, unknown). The
       two low order bits of the I_ID value seem to be flags. I have never
       seen a case with bit zero set. Bit one indicates that the item is not
       encrypted. Note that references to these I_ID values elsewhere may have
       the low order bit set (and I don't know what that means), but when we
       do the search in this tree we need to clear that bit so that we can
       find the correct item.

64 BIT INDEX 1 LEAF NODE

       The 64 bit index1 b-tree leaf nodes are 512 byte blocks with the
       following format.

           0000  04 00 00 00  00 00 00 00  00 58 00 00
           000C  00 00 00 00  6c 00 05 00  00 00 00 00
           0018  08 00 00 00  00 00 00 00  80 58 00 00
           0024  00 00 00 00  b4 00 06 00  d8 22 37 08
           0030  0c 00 00 00  00 00 00 00  80 59 00 00
           003C  00 00 00 00  ac 00 07 00  d8 22 37 08
           0048  10 00 00 00  00 00 00 00  40 5a 00 00
           0054  00 00 00 00  bc 00 03 00  d8 22 37 08
           0060  14 00 00 00  00 00 00 00  40 5b 00 00
           006C  00 00 00 00  a4 00 02 00  d8 22 37 08
           0078  18 00 00 00  00 00 00 00  00 5c 00 00
           0084  00 00 00 00  64 00 02 00  d8 22 37 08
           0090  1c 00 00 00  00 00 00 00  80 5c 00 00
           009C  00 00 00 00  5c 00 02 00  d8 22 37 08
           00A8  24 00 00 00  00 00 00 00  80 5d 00 00
           00B4  00 00 00 00  72 00 02 00  d8 22 37 08
           00C0  34 00 00 00  00 00 00 00  00 70 00 00
           00CC  00 00 00 00  8c 00 02 00  00 0d 00 00
           00D8  38 00 00 00  00 00 00 00  c0 71 00 00
           00E4  00 00 00 00  5c 00 02 00  d8 22 9c 00
           00F0  40 00 00 00  00 00 00 00  40 72 00 00
           00FC  00 00 00 00  26 00 02 00  d8 22 9c 00
           0108  4c 00 00 00  00 00 00 00  80 5f 00 00
           0114  00 00 00 00  3e 00 02 00  d8 22 9c 00
           0120  5c 00 00 00  00 00 00 00  c0 76 00 00
           012C  00 00 00 00  8c 00 02 00  d8 22 9c 00
           0138  64 00 00 00  00 00 00 00  40 75 00 00
           0144  00 00 00 00  76 00 02 00  d8 22 9c 00
           0150  6c 00 00 00  00 00 00 00  c0 73 00 00
           015C  00 00 00 00  5e 00 02 00  d8 22 9c 00
           0168  70 00 00 00  00 00 00 00  80 72 00 00
           0174  00 00 00 00  1e 01 02 00  d8 22 9c 00
           0180  70 00 00 00  00 00 00 00  80 72 00 00
           018C  00 00 00 00  1e 01 02 00  d8 22 9c 00
           0198  70 00 00 00  00 00 00 00  80 72 00 00
           01A4  00 00 00 00  1e 01 02 00  d8 22 9c 00
           01B0  74 00 00 00  00 00 00 00  40 74 00 00
           01BC  00 00 00 00  e0 00 02 00  d8 22 9c 00
           01C8  7c 00 00 00  00 00 00 00  80 77 00 00
           01D4  00 00 00 00  dc 00 02 00  d8 22 9c 00
           01E0  00 00 00 00  00 00 00 00  10 14 18 00
           01EC  00 00 00 00  80 80 88 48  3f 50 0b 04
           01F8  88 00 00 00  00 00 00 00

           01e8  itemCount       [1 byte]  0x10       in this case
           01e9  maxItemCount    [1 byte]  0x14       constant
           01ea  itemSize        [1 byte]  0x18       constant
           01eb  nodeLevel       [1 byte]  0x00       defines a leaf node
           01f8  backPointer     [8 bytes] 0x000088   in this case

       The itemCount specifies the number of 24 byte records that are active.
       The nodeLevel is zero for these leaf nodes. The backPointer must match
       the backPointer from the triple that pointed to this node.

       Each item in this node is a tuple of (I_ID, offset, size, unknown). The
       two low order bits of the I_ID value seem to be flags. I have never
       seen a case with bit zero set. Bit one indicates that the item is not
       encrypted. Note that references to these I_ID values elsewhere may have
       the low order bit set (and I don't know what that means), but when we
       do the search in this tree we need to clear that bit so that we can
       find the correct item.
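
The index1 branch and leaf node rules above, as an added Python example (not libpst code and not from the original page): it checks each node's trailer against the format constants, enforces the backPointer match at every level, and clears the low order bit of the I_ID before searching. The tree image is constructed; the function names and the field widths inside each tuple (4/4/2/2 bytes for 32 bit, 8/8/2/2 plus four ignored bytes for 64 bit) are assumptions read off the sample dumps.

```python
import struct

NODE_SIZE = 512
# Per pointer width: trailer offset, the two "constant" trailer bytes, and
# struct formats for the back pointer, branch triples and leaf tuples.
FORMATS = {
    32: dict(trailer=0x1F0, max_items=0x29, item_size=0x0C, bp="<I",
             branch="<III", leaf="<IIHH"),
    64: dict(trailer=0x1E8, max_items=0x14, item_size=0x18, bp="<Q",
             branch="<QQQ", leaf="<QQHH4x"),   # 4x: trailing bytes, assumed unused
}


def parse_node(block, width):
    """Return (nodeLevel, backPointer, items) for one 512 byte index1 node."""
    f = FORMATS[width]
    if len(block) != NODE_SIZE:
        raise ValueError("index node must be exactly 512 bytes")
    count, max_items, item_size, level = struct.unpack_from("<4B", block, f["trailer"])
    if (max_items, item_size) != (f["max_items"], f["item_size"]):
        raise ValueError("maxItemCount/itemSize differ from the format constants")
    if count > max_items:
        raise ValueError("itemCount exceeds maxItemCount")
    back_pointer = struct.unpack_from(f["bp"], block, 0x1F8)[0]
    fmt = f["leaf"] if level == 0 else f["branch"]
    items = [struct.unpack_from(fmt, block, i * item_size) for i in range(count)]
    return level, back_pointer, items


def lookup_i_id(image, root_offset, root_back_pointer, i_id, width):
    """Walk index1 from the root; return (offset, size) of the item or None."""
    key = i_id & ~1                      # clear the low order bit before searching
    offset, expected_bp = root_offset, root_back_pointer
    visited = set()                      # a malformed file can point a node at itself
    while True:
        if offset in visited:
            raise ValueError("cycle in index1 tree")
        visited.add(offset)
        if offset + NODE_SIZE > len(image):
            raise ValueError("node offset outside the file")
        level, bp, items = parse_node(image[offset:offset + NODE_SIZE], width)
        if bp != expected_bp:
            raise ValueError("backPointer does not match the pointer that led here")
        if level == 0:
            for item_id, item_off, size, _unknown in items:
                if item_id == key:
                    if item_off + size > len(image):
                        raise ValueError("item data extends past end of file")
                    return item_off, size
            return None
        # Each branch I_ID is the lowest I_ID in its subtree: take the largest <= key.
        candidates = [item for item in items if item[0] <= key]
        if not candidates:
            return None
        _, expected_bp, offset = max(candidates, key=lambda item: item[0])


def build_node(width, level, back_pointer, items):
    """Constructed-sample helper: pack items and trailer into a 512 byte node."""
    f = FORMATS[width]
    block = bytearray(NODE_SIZE)
    fmt = f["leaf"] if level == 0 else f["branch"]
    for i, item in enumerate(items):
        struct.pack_into(fmt, block, i * f["item_size"], *item)
    struct.pack_into("<4B", block, f["trailer"],
                     len(items), f["max_items"], f["item_size"], level)
    struct.pack_into(f["bp"], block, 0x1F8, back_pointer)
    return bytes(block)


def build_sample_image(width=32):
    """Constructed image: root branch at 0x200 (backPointer 0x10) and two leaves."""
    image = bytearray(0x1000)
    image[0x200:0x400] = build_node(width, 1, 0x10,
                                    [(0x04, 0x11, 0x400), (0x50, 0x12, 0x600)])
    image[0x400:0x600] = build_node(width, 0, 0x11,
                                    [(0x04, 0x800, 0x64, 0x0F), (0x08, 0x880, 0xAC, 0x06)])
    image[0x600:0x800] = build_node(width, 0, 0x12,
                                    [(0x50, 0xA00, 0x60, 0x02), (0x74, 0xB00, 0x5E, 0x02)])
    return bytes(image)


if __name__ == "__main__":
    img = build_sample_image(64)
    print(lookup_i_id(img, 0x200, 0x10, 0x09, 64))   # low bit set on the reference
```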

32 BIT INDEX 2 NODE

       The 32 bit index2 b-tree nodes are 512 byte blocks with the following
       format.

           0000  21 00 00 00  bb 1e 02 00  00 e2 0b 00
           000c  64 78 20 00  8c 1e 02 00  00 dc 0b 00
           0018  00 00 00 00  00 00 00 00  00 00 00 00
           0024  00 00 00 00  00 00 00 00  00 00 00 00
           0030  00 00 00 00  00 00 00 00  00 00 00 00
           003c  00 00 00 00  00 00 00 00  00 00 00 00
           0048  00 00 00 00  00 00 00 00  00 00 00 00
           0054  00 00 00 00  00 00 00 00  00 00 00 00
           0060  00 00 00 00  00 00 00 00  00 00 00 00
           006c  00 00 00 00  00 00 00 00  00 00 00 00
           0078  00 00 00 00  00 00 00 00  00 00 00 00
           0084  00 00 00 00  00 00 00 00  00 00 00 00
           0090  00 00 00 00  00 00 00 00  00 00 00 00
           009c  00 00 00 00  00 00 00 00  00 00 00 00
           00a8  00 00 00 00  00 00 00 00  00 00 00 00
           00b4  00 00 00 00  00 00 00 00  00 00 00 00
           00c0  00 00 00 00  00 00 00 00  00 00 00 00
           00cc  00 00 00 00  00 00 00 00  00 00 00 00
           00d8  00 00 00 00  00 00 00 00  00 00 00 00
           00e4  00 00 00 00  00 00 00 00  00 00 00 00
           00f0  00 00 00 00  00 00 00 00  00 00 00 00
           00fc  00 00 00 00  00 00 00 00  00 00 00 00
           0108  00 00 00 00  00 00 00 00  00 00 00 00
           0114  00 00 00 00  00 00 00 00  00 00 00 00
           0120  00 00 00 00  00 00 00 00  00 00 00 00
           012c  00 00 00 00  00 00 00 00  00 00 00 00
           0138  00 00 00 00  00 00 00 00  00 00 00 00
           0144  00 00 00 00  00 00 00 00  00 00 00 00
           0150  00 00 00 00  00 00 00 00  00 00 00 00
           015c  00 00 00 00  00 00 00 00  00 00 00 00
           0168  00 00 00 00  00 00 00 00  00 00 00 00
           0174  00 00 00 00  00 00 00 00  00 00 00 00
           0180  00 00 00 00  00 00 00 00  00 00 00 00
           018c  00 00 00 00  00 00 00 00  00 00 00 00
           0198  00 00 00 00  00 00 00 00  00 00 00 00
           01a4  00 00 00 00  00 00 00 00  00 00 00 00
           01b0  00 00 00 00  00 00 00 00  00 00 00 00
           01bc  00 00 00 00  00 00 00 00  00 00 00 00
           01c8  00 00 00 00  00 00 00 00  00 00 00 00
           01d4  00 00 00 00  00 00 00 00  00 00 00 00
           01e0  00 00 00 00  00 00 00 00  00 00 00 00
           01ec  00 00 00 00  02 29 0c 02  81 81 b2 60
           01f8  bc 1e 02 00  7e 70 dc e3

           01f0  itemCount       [1 byte]  0x02       in this case
           01f1  maxItemCount    [1 byte]  0x29       constant
           01f2  itemSize        [1 byte]  0x0c       constant
           01f3  nodeLevel       [1 byte]  0x02       in this case
           01f8  backPointer     [4 bytes] 0x021ebc   in this case

       The itemCount specifies the number of 12 byte records that are active.
       The nodeLevel is non-zero for this style of nodes. The leaf nodes have
       a different format. The backPointer must match the backPointer from the
       triple that pointed to this node.

       Each item in this node is a triple of (D_ID, backPointer, offset) where
       the offset points to the next deeper node in the tree, the backPointer
       value must match the backPointer in that deeper node, and D_ID is the
       lowest D_ID value in the subtree.

64 BIT INDEX 2 NODE

       The 64 bit index2 b-tree nodes are 512 byte blocks with the following
       format.

           0000  21 00 00 00  00 00 00 00  77 00 00 00
           000C  00 00 00 00  00 56 00 00  00 00 00 00
           0018  4c 06 00 00  00 00 00 00  82 00 00 00
           0024  00 00 00 00  00 68 00 00  00 00 00 00
           0030  4f 80 00 00  00 00 00 00  84 00 00 00
           003C  00 00 00 00  00 6e 00 00  00 00 00 00
           0048  00 00 00 00  00 00 00 00  00 00 00 00
           0054  00 00 00 00  00 00 00 00  00 00 00 00
           0060  00 00 00 00  00 00 00 00  00 00 00 00
           006C  00 00 00 00  00 00 00 00  00 00 00 00
           0078  00 00 00 00  00 00 00 00  00 00 00 00
           0084  00 00 00 00  00 00 00 00  00 00 00 00
           0090  00 00 00 00  00 00 00 00  00 00 00 00
           009C  00 00 00 00  00 00 00 00  00 00 00 00
           00A8  00 00 00 00  00 00 00 00  00 00 00 00
           00B4  00 00 00 00  00 00 00 00  00 00 00 00
           00C0  00 00 00 00  00 00 00 00  00 00 00 00
           00CC  00 00 00 00  00 00 00 00  00 00 00 00
           00D8  00 00 00 00  00 00 00 00  00 00 00 00
           00E4  00 00 00 00  00 00 00 00  00 00 00 00
           00F0  00 00 00 00  00 00 00 00  00 00 00 00
           00FC  00 00 00 00  00 00 00 00  00 00 00 00
           0108  00 00 00 00  00 00 00 00  00 00 00 00
           0114  00 00 00 00  00 00 00 00  00 00 00 00
           0120  00 00 00 00  00 00 00 00  00 00 00 00
           012C  00 00 00 00  00 00 00 00  00 00 00 00
           0138  00 00 00 00  00 00 00 00  00 00 00 00
           0144  00 00 00 00  00 00 00 00  00 00 00 00
           0150  00 00 00 00  00 00 00 00  00 00 00 00
           015C  00 00 00 00  00 00 00 00  00 00 00 00
           0168  00 00 00 00  00 00 00 00  00 00 00 00
           0174  00 00 00 00  00 00 00 00  00 00 00 00
           0180  00 00 00 00  00 00 00 00  00 00 00 00
           018C  00 00 00 00  00 00 00 00  00 00 00 00
           0198  00 00 00 00  00 00 00 00  00 00 00 00
           01A4  00 00 00 00  00 00 00 00  00 00 00 00
           01B0  00 00 00 00  00 00 00 00  00 00 00 00
           01BC  00 00 00 00  00 00 00 00  00 00 00 00
           01C8  00 00 00 00  00 00 00 00  00 00 00 00
           01D4  00 00 00 00  00 00 00 00  00 00 00 00
           01E0  00 00 00 00  00 00 00 00  03 14 18 01
           01EC  00 00 00 00  81 81 83 6a  49 da f3 d3
           01F8  83 00 00 00  00 00 00 00

           01e8  itemCount       [1 byte]  0x03       in this case
           01e9  maxItemCount    [1 byte]  0x14       constant
           01ea  itemSize        [1 byte]  0x18       constant
           01eb  nodeLevel       [1 byte]  0x01       in this case
           01f8  backPointer     [8 bytes] 0x000083   in this case

       The itemCount specifies the number of 24 byte records that are active.
       The nodeLevel is non-zero for this style of nodes. The leaf nodes have
       a different format. The backPointer must match the backPointer from the
       triple that pointed to this node.

       Each item in this node is a triple of (D_ID, backPointer, offset) where
       the offset points to the next deeper node in the tree, the backPointer
       value must match the backPointer in that deeper node, and D_ID is the
       lowest D_ID value in the subtree.

32 BIT INDEX 2 LEAF NODE

525       The 32 bit index2 b-tree leaf nodes are 512 byte blocks with the
526       following format.
527
528           0000  21 00 00 00  38 e6 00 00  00 00 00 00  00 00 00 00
529           0010  61 00 00 00  2c a8 02 00  36 a8 02 00  00 00 00 00
530           0020  22 01 00 00  20 a2 02 00  00 00 00 00  22 01 00 00
531           0030  2d 01 00 00  88 7b 03 00  00 00 00 00  00 00 00 00
532           0040  2e 01 00 00  08 00 00 00  00 00 00 00  00 00 00 00
533           0050  2f 01 00 00  0c 00 00 00  00 00 00 00  00 00 00 00
534           0060  e1 01 00 00  00 00 00 00  00 00 00 00  00 00 00 00
535           0070  01 02 00 00  b4 e4 02 00  00 00 00 00  00 00 00 00
536           0080  61 02 00 00  a0 e4 02 00  00 00 00 00  00 00 00 00
537           0090  0d 06 00 00  04 00 00 00  00 00 00 00  00 00 00 00
538           00A0  0e 06 00 00  08 00 00 00  00 00 00 00  00 00 00 00
539           00B0  0f 06 00 00  0c 00 00 00  00 00 00 00  00 00 00 00
540           00C0  10 06 00 00  10 00 00 00  00 00 00 00  00 00 00 00
541           00D0  2b 06 00 00  84 00 00 00  00 00 00 00  00 00 00 00
542           00E0  4c 06 00 00  1c 00 00 00  00 00 00 00  00 00 00 00
543           00F0  71 06 00 00  18 00 00 00  00 00 00 00  00 00 00 00
544           0100  92 06 00 00  14 00 00 00  00 00 00 00  00 00 00 00
545           0110  23 22 00 00  14 a0 02 00  00 00 00 00  22 01 00 00
546           0120  26 22 00 00  00 00 00 00  00 00 00 00  00 00 00 00
547           0130  27 22 00 00  1c a0 02 00  00 00 00 00  00 00 00 00
548           0140  22 80 00 00  50 00 00 00  00 00 00 00  22 01 00 00
549           0150  2d 80 00 00  f8 9f 02 00  00 00 00 00  00 00 00 00
550           0160  2e 80 00 00  08 00 00 00  00 00 00 00  00 00 00 00
551           0170  2f 80 00 00  34 e6 00 00  00 00 00 00  00 00 00 00
552           0180  42 80 00 00  3c 6d 02 00  00 00 00 00  22 80 00 00
553           0190  4d 80 00 00  04 00 00 00  00 00 00 00  00 00 00 00
554           01A0  4e 80 00 00  10 6d 02 00  00 00 00 00  00 00 00 00
555           01B0  4f 80 00 00  ec 23 00 00  00 00 00 00  00 00 00 00
556           01C0  62 80 00 00  38 78 02 00  00 00 00 00  22 01 00 00
557           01D0  6d 80 00 00  34 78 02 00  00 00 00 00  00 00 00 00
558           01E0  6e 80 00 00  08 00 00 00  00 00 00 00  00 00 00 00
559           01F0  10 1f 10 00  81 81 a0 9a  ae 1e 02 00  89 44 6a 0f
560
561           01f0  itemCount       [1 byte]  0x10       in this case
562           01f1  maxItemCount    [1 byte]  0x1f       constant
563           01f2  itemSize        [1 byte]  0x10       constant
564           01f3  nodeLevel       [1 byte]  0x00       in this case
565           01f8  backPointer     [4 bytes] 0x021eae   in this case
566
567       The itemCount specifies the number of 16 byte records that are active.
568       The nodeLevel is zero for these leaf nodes. The backPointer must match
569       the backPointer from the triple that pointed to this node.
570
571       Each item in this node is a tuple of (D_ID, DESC-I_ID, TREE-I_ID,
572       PARENT-D_ID). The DESC-I_ID points to the main data for this item
573       (Associated Descriptor Items 0x7cec, 0xbcec, or 0x0101) via the index1
574       tree. The TREE-I_ID is zero or points to an Associated Tree Item 0x0002
575       via the index1 tree. The PARENT-D_ID points to the parent of this item
576       in this index2 tree.
577

64 BIT INDEX 2 LEAF NODE

579       The 64 bit index2 b-tree leaf nodes are 512 byte blocks with the
580       following format.
581
582           0000  21 00 00 00 00 00 00 00  74 00 00 00 00 00 00 00
583           0010  00 00 00 00 00 00 00 00  00 00 00 00 02 00 00 00
584           0020  61 00 00 00 00 00 00 00  34 00 00 00 00 00 00 00
585           0030  00 00 00 00 00 00 00 00  00 00 00 00 02 00 00 00
586           0040  22 01 00 00 00 00 00 00  4c 00 00 00 00 00 00 00
587           0050  00 00 00 00 00 00 00 00  22 01 00 00 02 00 00 00
588           0060  2d 01 00 00 00 00 00 00  70 00 00 00 00 00 00 00
589           0070  00 00 00 00 00 00 00 00  00 00 00 00 02 00 00 00
590           0080  2e 01 00 00 00 00 00 00  08 00 00 00 00 00 00 00
591           0090  00 00 00 00 00 00 00 00  00 00 00 00 02 00 00 00
592           00A0  2f 01 00 00 00 00 00 00  0c 00 00 00 00 00 00 00
593           00B0  00 00 00 00 00 00 00 00  00 00 00 00 02 00 00 00
594           00C0  e1 01 00 00 00 00 00 00  00 00 00 00 00 00 00 00
595           00D0  00 00 00 00 00 00 00 00  00 00 00 00 d8 e3 13 00
596           00E0  01 02 00 00 00 00 00 00  8c 00 00 00 00 00 00 00
597           00F0  00 00 00 00 00 00 00 00  00 00 00 00 b0 e3 13 00
598           0100  61 02 00 00 00 00 00 00  00 00 00 00 00 00 00 00
599           0110  00 00 00 00 00 00 00 00  00 00 00 00 d8 e3 13 00
600           0120  0d 06 00 00 00 00 00 00  04 00 00 00 00 00 00 00
601           0130  00 00 00 00 00 00 00 00  00 00 00 00 02 00 00 00
602           0140  0e 06 00 00 00 00 00 00  08 00 00 00 00 00 00 00
603           0150  00 00 00 00 00 00 00 00  00 00 00 00 02 00 00 00
604           0160  0f 06 00 00 00 00 00 00  0c 00 00 00 00 00 00 00
605           0170  00 00 00 00 00 00 00 00  00 00 00 00 02 00 00 00
606           0180  10 06 00 00 00 00 00 00  10 00 00 00 00 00 00 00
607           0190  00 00 00 00 00 00 00 00  00 00 00 00 02 00 00 00
608           01A0  2b 06 00 00 00 00 00 00  24 00 00 00 00 00 00 00
609           01B0  00 00 00 00 00 00 00 00  00 00 00 00 02 00 00 00
610           01C0  71 06 00 00 00 00 00 00  18 00 00 00 00 00 00 00
611           01D0  00 00 00 00 00 00 00 00  00 00 00 00 02 00 00 00
612           01E0  00 00 00 00 00 00 00 00  0e 0f 20 00 00 00 00 00
613           01F0  81 81 77 56 f8 32 43 49  77 00 00 00 00 00 00 00
614
615           01e8  itemCount       [1 byte]  0x0e       in this case
616           01e9  maxItemCount    [1 byte]  0x0f       constant
617           01ea  itemSize        [1 byte]  0x20       constant
618           01eb  nodeLevel       [1 byte]  0x00       defines a leaf node
619           01f8  backPointer     [8 bytes] 0x000077   in this case
620
621       The itemCount specifies the number of 32 byte records that are active.
622       The nodeLevel is zero for these leaf nodes. The backPointer must match
623       the backPointer from the triple that pointed to this node.
624
625       Each item in this node is a tuple of (D_ID, DESC-I_ID, TREE-I_ID,
626       PARENT-D_ID). The DESC-I_ID points to the main data for this item
627       (Associated Descriptor Items 0x7cec, 0xbcec, or 0x0101) via the index1
628       tree. The TREE-I_ID is zero or points to an Associated Tree Item 0x0002
629       via the index1 tree. The PARENT-D_ID points to the parent of this item
630       in this index2 tree.
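
A parser for the 64 bit index2 leaf node shown above, with the checks the text calls for (an added example, not libpst code). The 8/8/8/4/4 byte split of each 32 byte record is an assumption read off the hex dump, and the names Index2Record and parse_index2_leaf64 are hypothetical.

```python
import struct
from collections import namedtuple

# The 512 byte leaf node from the hex dump above, one 32 byte record per line.
# The last line holds the node trailer (itemCount ... backPointer).
NODE = bytes.fromhex("""
2100000000000000 7400000000000000 0000000000000000 00000000 02000000
6100000000000000 3400000000000000 0000000000000000 00000000 02000000
2201000000000000 4c00000000000000 0000000000000000 22010000 02000000
2d01000000000000 7000000000000000 0000000000000000 00000000 02000000
2e01000000000000 0800000000000000 0000000000000000 00000000 02000000
2f01000000000000 0c00000000000000 0000000000000000 00000000 02000000
e101000000000000 0000000000000000 0000000000000000 00000000 d8e31300
0102000000000000 8c00000000000000 0000000000000000 00000000 b0e31300
6102000000000000 0000000000000000 0000000000000000 00000000 d8e31300
0d06000000000000 0400000000000000 0000000000000000 00000000 02000000
0e06000000000000 0800000000000000 0000000000000000 00000000 02000000
0f06000000000000 0c00000000000000 0000000000000000 00000000 02000000
1006000000000000 1000000000000000 0000000000000000 00000000 02000000
2b06000000000000 2400000000000000 0000000000000000 00000000 02000000
7106000000000000 1800000000000000 0000000000000000 00000000 02000000
0000000000000000 0e0f200000000000 81817756f8324349 7700000000000000
""")

NODE_SIZE = 512
MAX_ITEMS = 0x0F   # maxItemCount, constant per the text
ITEM_SIZE = 0x20   # itemSize, constant per the text

# Assumed record layout: D_ID, DESC-I_ID, TREE-I_ID (8 bytes each),
# PARENT-D_ID (4 bytes), then 4 bytes the page does not describe.
RECORD = struct.Struct("<QQQII")
Index2Record = namedtuple("Index2Record", "d_id desc_i_id tree_i_id parent_d_id")


def parse_index2_leaf64(node, expected_back_pointer):
    """Return the active records of a 64 bit index2 leaf node.

    expected_back_pointer is the backPointer from the triple in the parent
    node that pointed here; a mismatch means the file is damaged or crafted.
    """
    if len(node) != NODE_SIZE:
        raise ValueError("index2 node must be exactly 512 bytes")
    item_count, max_count, item_size, level = struct.unpack_from("<4B", node, 0x1E8)
    (back_pointer,) = struct.unpack_from("<Q", node, 0x1F8)
    if max_count != MAX_ITEMS or item_size != ITEM_SIZE:
        raise ValueError("maxItemCount/itemSize are not the 64 bit constants")
    if level != 0:
        raise ValueError("nodeLevel is non-zero: not a leaf node")
    # Without this check a count of 0x10 would make the trailer itself
    # be decoded as a record.
    if item_count > max_count:
        raise ValueError("itemCount exceeds maxItemCount")
    if back_pointer != expected_back_pointer:
        raise ValueError("backPointer does not match the parent's triple")
    records = []
    for i in range(item_count):
        d_id, desc, tree, parent, _unknown = RECORD.unpack_from(node, i * ITEM_SIZE)
        records.append(Index2Record(d_id, desc, tree, parent))
    return records


if __name__ == "__main__":
    for rec in parse_index2_leaf64(NODE, 0x77):
        print(f"D_ID=0x{rec.d_id:x} DESC-I_ID=0x{rec.desc_i_id:x} "
              f"TREE-I_ID=0x{rec.tree_i_id:x} PARENT-D_ID=0x{rec.parent_d_id:x}")
```

The dump holds 15 record slots, but itemCount is 0x0e, so the slot at 0x01C0 is not returned.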
631

32 BIT ASSOCIATED TREE ITEM 0X0002

633       A D_ID value may point to an entry in the index2 tree with a non-zero
634       TREE-I_ID which points to this descriptor block via the index1 tree. It
635       maps local ID2 values (referenced in the main data for the original
636       D_ID item) to I_ID values. This descriptor block contains triples of
637       (ID2, I_ID, CHILD-I_ID) where the local ID2 data can be found via I_ID,
638       and CHILD-I_ID is either zero or it points to another Associated Tree
639       Item via the index1 tree.
640
641       In the above 32 bit leaf node, we have a tuple of (0x61, 0x02a82c,
642       0x02a836, 0). 0x02a836 is the I_ID of the associated tree, and we can
643       look up that I_ID value in the index1 b-tree to find the (offset,size)
644       of the data in the .pst file.
645
646           0000  02 00  01 00  9f 81 00 00  30 a8 02 00  00 00 00 00
647
648           0000  signature       [2 bytes] 0x0002     constant
649           0002  count           [2 bytes] 0x0001     in this case
650             repeating
651           0004  id2             [4 bytes] 0x00819f   in this case
652           0008  i_id            [4 bytes] 0x02a830   in this case
653           000c  child-i_id      [4 bytes] 0          in this case
654

64 BIT ASSOCIATED TREE ITEM 0X0002

656       This descriptor block contains a tree that maps local ID2 values to
657       I_ID entries, similar to the 32 bit version described above.
658
659           0000  02 00 02 00  00 00 00 00  92 06 00 00  00 00 00 00
660           0010  a8 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
661           0020  3f 80 00 00  00 00 00 00  98 00 00 00  00 00 00 00
662           0030  00 00 00 00  00 00 00 00
663
664           0000  signature       [2 bytes] 0x0002     constant
665           0002  count           [2 bytes] 0x0002     in this case
666           0004  unknown         [4 bytes] 0          possibly constant
667             repeating
668           0008  id2             [4 bytes] 0x000692   in this case
669           000c  unknown1        [2 bytes] 0          may be a count or size
670           000e  unknown2        [2 bytes] 0          may be a count or size
671           0010  i_id            [8 bytes] 0x0000a8   in this case
672           0018  child-i_id      [8 bytes] 0          in this case
673

ASSOCIATED DESCRIPTOR ITEM 0XBCEC

675       Contains information about the item, which may be email, contact, or
676       other Outlook types. In the above leaf node, we have a tuple of (0x21,
677       0x00e638, 0, 0). 0x00e638 is the I_ID of the associated descriptor, and
678       we can look up that I_ID value in the index1 b-tree to find the
679       (offset,size) of the data in the .pst file. This descriptor is
680       eventually decoded to a list of MAPI elements.
681
682           0000  3c 01 ec bc  20 00 00 00  00 00 00 00  b5 02 06 00
683           0010  40 00 00 00  f9 0f 02 01  60 00 00 00  01 30 1e 00
684           0020  80 00 00 00  04 30 1e 00  00 00 00 00  df 35 03 00
685           0030  ff 00 00 00  e0 35 02 01  a0 00 00 00  e2 35 02 01
686           0040  e0 00 00 00  e3 35 02 01  c0 00 00 00  e4 35 02 01
687           0050  00 01 00 00  e5 35 02 01  20 01 00 00  e6 35 02 01
688           0060  40 01 00 00  e7 35 02 01  60 01 00 00  1e 66 0b 00
689           0070  00 00 00 00  ff 67 03 00  00 00 00 00  d2 7f 17 d8
690           0080  64 8c d5 11  83 24 00 50  04 86 95 45  53 74 61 6e
691           0090  6c 65 79 00  00 00 00 d2  7f 17 d8 64  8c d5 11 83
692           00A0  24 00 50 04  86 95 45 22  80 00 00 00  00 00 00 d2
693           00B0  7f 17 d8 64  8c d5 11 83  24 00 50 04  86 95 45 42
694           00C0  80 00 00 00  00 00 00 d2  7f 17 d8 64  8c d5 11 83
695           00D0  24 00 50 04  86 95 45 a2  80 00 00 00  00 00 00 d2
696           00E0  7f 17 d8 64  8c d5 11 83  24 00 50 04  86 95 45 c2
697           00F0  80 00 00 00  00 00 00 d2  7f 17 d8 64  8c d5 11 83
698           0100  24 00 50 04  86 95 45 e2  80 00 00 00  00 00 00 d2
699           0110  7f 17 d8 64  8c d5 11 83  24 00 50 04  86 95 45 02
700           0120  81 00 00 00  00 00 00 d2  7f 17 d8 64  8c d5 11 83
701           0130  24 00 50 04  86 95 45 62  80 00 00 00  0b 00 00 00
702           0140  0c 00 14 00  7c 00 8c 00  93 00 ab 00  c3 00 db 00
703           0150  f3 00 0b 01  23 01 3b 01
704
705           0000  indexOffset     [2 bytes] 0x013c     in this case
706           0002  signature       [2 bytes] 0xbcec     constant
707           0004  b5offset        [4 bytes] 0x0020     index reference
708
709       Note the signature of 0xbcec. There are other descriptor block formats
710       with other signatures. Note the indexOffset of 0x013c - starting at
711       that position in the descriptor block, we have an array of two byte
712       integers. The first integer (0x000b) is a (count-1) of the number of
713       overlapping pairs following the count. The first pair is (0, 0xc), the
714       next pair is (0xc, 0x14) and the last (12th) pair is (0x123, 0x13b).
715       These pairs are (start,end+1) offsets of items in this block. So we
716       have count+2 integers following the count value.
717
718       Note the b5offset of 0x0020, which is a type that I will call an index
719       reference. Such index references have at least two different forms, and
720       may point to data either in this block, or in some other block.
721       External pointer references have the low order 4 bits all set, and are
722       ID2 values that can be used to fetch data. This value of 0x0020 is an
723       internal pointer reference, which needs to be right shifted by 4 bits
724       to become 0x0002, which is then a byte offset to be added to the above
725       indexOffset plus two (to skip the count), so it points to the (0xc,
726       0x14) pair.
727
728       So far we have only described internal index references where the high
729       order 16 bits are zero. That suffices for single descriptor blocks. But
730       in the case of the type 0x0101 descriptor block, we have an array of
731       subblocks. In this case, the high order 16 bits of an internal index
732       reference are used to select the subblock. Each subblock starts with a
733       16 bit indexOffset which points to the count and array of 16 bit
734       integer pairs which are offsets in the current subblock.
735
736       Finally, we have the offset and size of the "b5" block located at
737       offset 0xc with a size of 8 bytes in this descriptor block. The "b5"
738       block has the following format:
739
740           0000  signature       [2 bytes] 0x02b5     constant
741           0002  datasize        [2 bytes] 0x0006     constant +2 for 8 byte entries
742           0004  descoffset      [4 bytes] 0x0040     index reference
743
744       Note the descoffset of 0x0040, which again is an index reference. In
745       this case, it is an internal pointer reference, which needs to be right
746       shifted by 4 bits to become 0x0004, which is then a byte offset to be
747       added to the above indexOffset plus two (to skip the count), so it
748       points to the (0x14, 0x7c) pair. The datasize (6) plus the b5 code (02)
749       gives the size of the entries, in this case 8 bytes. We now have the
750       offset 0x14 of the descriptor array, composed of 8 byte entries that
751       describe MAPI elements. Each descriptor entry has the following format:
752
753           0000  itemType        [2 bytes]
754           0002  referenceType   [2 bytes]
755           0004  value           [4 bytes]
756
757       For some reference types (2, 3, 0xb) the value is used directly.
758       Otherwise, the value is an index reference, which is either an ID2
759       value, or an offset, to be right shifted by 4 bits and used to fetch a
760       pair from the index table to find the offset and size of the item in
761       this descriptor block.
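
The walk described above (index table, b5 block, descriptor array, per-entry index references), run over the 0xbcec hex dump from this page with every offset bounds-checked before use. This is an added example, not libpst code; the class and function names are hypothetical, and treating a zero index reference as "no data" is an assumption the page does not state.

```python
import struct

# The 0xbcec descriptor block from the hex dump above (0x158 bytes).
BLOCK = bytes.fromhex("""
3c01ecbc 20000000 00000000 b5020600
40000000 f90f0201 60000000 01301e00
80000000 04301e00 00000000 df350300
ff000000 e0350201 a0000000 e2350201
e0000000 e3350201 c0000000 e4350201
00010000 e5350201 20010000 e6350201
40010000 e7350201 60010000 1e660b00
00000000 ff670300 00000000 d27f17d8
648cd511 83240050 04869545 5374616e
6c657900 000000d2 7f17d864 8cd51183
24005004 86954522 80000000 000000d2
7f17d864 8cd51183 24005004 86954542
80000000 000000d2 7f17d864 8cd51183
24005004 869545a2 80000000 000000d2
7f17d864 8cd51183 24005004 869545c2
80000000 000000d2 7f17d864 8cd51183
24005004 869545e2 80000000 000000d2
7f17d864 8cd51183 24005004 86954502
81000000 000000d2 7f17d864 8cd51183
24005004 86954562 80000000 0b000000
0c001400 7c008c00 9300ab00 c300db00
f3000b01 23013b01
""")

DIRECT_TYPES = {0x0002, 0x0003, 0x000B}  # value is used directly, per the text


class DescriptorBlock:
    def __init__(self, data):
        if len(data) < 8:
            raise ValueError("block shorter than its header")
        self.data = data
        self.index_offset, signature, self.b5offset = struct.unpack_from("<HHI", data, 0)
        if signature != 0xBCEC:
            raise ValueError("not a 0xbcec descriptor block")
        if self.index_offset + 2 > len(data):
            raise ValueError("indexOffset outside block")
        (stored,) = struct.unpack_from("<H", data, self.index_offset)
        # The stored integer is followed by stored+2 offsets (13 in this block).
        self.table_end = self.index_offset + 2 + 2 * (stored + 2)
        if self.table_end > len(data):
            raise ValueError("index table runs past end of block")

    def resolve(self, ref):
        """Return the bytes an internal index reference points at."""
        if ref >> 16:
            raise ValueError("subblock selector set: needs a 0x0101 subblock array")
        if ref & 0x1F:
            raise ValueError("not an aligned internal index reference")
        pos = self.index_offset + 2 + (ref >> 4)
        if pos + 4 > self.table_end:
            raise ValueError("index reference past end of index table")
        start, end = struct.unpack_from("<HH", self.data, pos)
        # Python slicing would silently truncate; a C parser would over-read.
        if not start <= end <= len(self.data):
            raise ValueError("item offsets outside block")
        return self.data[start:end]

    def value_of(self, ref_type, value):
        if ref_type in DIRECT_TYPES:
            return value
        if value == 0:
            return b""              # assumption: zero reference means no data
        if value & 0xF == 0xF:
            return ("ID2", value)   # external reference, needs the ID2 tree
        return self.resolve(value)

    def entries(self):
        b5 = self.resolve(self.b5offset)
        if len(b5) < 8:
            raise ValueError("b5 block too short")
        signature, datasize, descoffset = struct.unpack_from("<HHI", b5, 0)
        # datasize plus the b5 code (high byte of the signature) is the entry size.
        if signature & 0xFF != 0xB5 or datasize + (signature >> 8) != 8:
            raise ValueError("unexpected b5 header for 8 byte entries")
        table = self.resolve(descoffset)
        if len(table) % 8:
            raise ValueError("descriptor array is not a whole number of entries")
        out = []
        for off in range(0, len(table), 8):
            item_type, ref_type, value = struct.unpack_from("<HHI", table, off)
            out.append((item_type, ref_type, self.value_of(ref_type, value)))
        return out


def parse_bcec(data):
    """Decode a single 0xbcec block to (itemType, referenceType, value) triples."""
    return DescriptorBlock(data).entries()


if __name__ == "__main__":
    for item_type, ref_type, value in parse_bcec(BLOCK):
        shown = value.hex() if isinstance(value, bytes) else value
        print(f"0x{item_type:04x} 0x{ref_type:04x} {shown}")
```

On this block the descriptor array spans (0x14, 0x7c), giving 13 entries; item 0x3001 resolves through the (0x8c, 0x93) pair to the 7 bytes "Stanley".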
762
763       The following reference types are known, but not all of these are
764       implemented in the code yet.
765
766           0x0002 - Signed 16bit value
767           0x0003 - Signed 32bit value
768           0x0004 - 4-byte floating point
769           0x0005 - Floating point double
770           0x0006 - Signed 64-bit int
771           0x0007 - Application Time
772           0x000A - 32-bit error value
773           0x000B - Boolean (non-zero = true)
774           0x000D - Embedded Object
775           0x0014 - 8-byte signed integer (64-bit)
776           0x001E - Null terminated String
777           0x001F - Unicode string
778           0x0040 - Systime - Filetime structure
779           0x0048 - OLE Guid
780           0x0102 - Binary data
781           0x1003 - Array of 32bit values
782           0x1014 - Array of 64bit values
783           0x101E - Array of Strings
784           0x1102 - Array of Binary data
785
786       The following item types are known, but not all of these are
787       implemented in the code yet.
788
789           0x0002  Alternate recipient allowed
790           0x0003  Extended Attributes Table
791           0x0017  Importance Level
792           0x001a  IPM Context, message class
793           0x0023  Global delivery report requested
794           0x0026  Priority
795           0x0029  Read Receipt
796           0x002b  Reassignment Prohibited
797           0x002e  Original Sensitivity
798           0x0032  Report time
799           0x0036  Sensitivity
800           0x0037  Email Subject
801           0x0039  Client submit time / date sent
802           0x003b  Outlook Address of Sender
803           0x003f  Outlook structure describing the recipient
804           0x0040  Name of the Outlook recipient structure
805           0x0041  Outlook structure describing the sender
806           0x0042  Name of the Outlook sender structure
807           0x0043  Another structure describing the recipient
808           0x0044  Name of the second recipient structure
809           0x004f  Reply-To Outlook Structure
810           0x0050  Name of the Reply-To structure
811           0x0051  Outlook Name of recipient
812           0x0052  Second Outlook name of recipient
813           0x0057  My address in TO field
814           0x0058  My address in CC field
815           0x0059  Message addressed to me
816           0x0063  Response requested
817           0x0064  Sender's Address access method (SMTP, EX)
818           0x0065  Sender's Address
819           0x0070  Conversation topic, processed subject (with Fwd:, Re, ... removed)
820           0x0071  Conversation index
821           0x0072  Original display BCC
822           0x0073  Original display CC
823           0x0074  Original display TO
824           0x0075  Recipient Address Access Method (SMTP, EX)
825           0x0076  Recipient's Address
826           0x0077  Second Recipient Access Method (SMTP, EX)
827           0x0078  Second Recipient Address
828           0x007d  Email Header. This is the header that was attached to the email
829           0x0c04  NDR Reason code
830           0x0c05  NDR Diag code
831           0x0c06  Non-receipt notification requested
832           0x0c17  Reply Requested
833           0x0c19  Second sender structure
834           0x0c1a  Name of second sender structure
835           0x0c1b  Supplementary info
836           0x0c1d  Second outlook name of sender
837           0x0c1e  Second sender access method (SMTP, EX)
838           0x0c1f  Second Sender Address
839           0x0c20  NDR status code
840           0x0e01  Delete after submit
841           0x0e02  BCC Addresses
842           0x0e03  CC Addresses
843           0x0e04  SentTo Address
844           0x0e06  Date.
845           0x0e07  Flag bits
846                       0x01 - Read
847                       0x02 - Unmodified
848                       0x04 - Submit
849                       0x08 - Unsent
850                       0x10 - Has Attachments
851                       0x20 - From Me
852                       0x40 - Associated
853                       0x80 - Resend
854                       0x100 - RN Pending
855                       0x200 - NRN Pending
856           0x0e08  Message Size
857           0x0e0a  Sentmail EntryID
858           0x0e1d  Normalized subject
859           0x0e1f  Compressed RTF in Sync
860           0x0e20  Attachment Size
861           0x0ff9  binary record header
862           0x1000  Plain Text Email Body. Does not exist if the email doesn't have a plain text version
863           0x1001  Report Text
864           0x1006  RTF Sync Body CRC
865           0x1007  RTF Sync Body character count
866           0x1008  RTF Sync body tag
867           0x1009  RTF Compressed body
868           0x1010  RTF whitespace prefix count
869           0x1011  RTF whitespace trailing count
870           0x1013  HTML Email Body. Does not exist if the email doesn't have an HTML version
871           0x1035  Message ID
872           0x1042  In-Reply-To or Parent's Message ID
873           0x1046  Return Path
874           0x3001  Folder Name? I have also seen this value used for the contacts record
875           0x3002  Address Type
876           0x3003  Contact Address
877           0x3004  Comment
878           0x3007  Date item creation
879           0x3008  Date item modification
880           0x300b  binary record header
881           0x35df  Valid Folder Mask
882           0x35e0  binary record contains a reference to "Top of Personal Folder" item
883           0x35e2  binary record contains a reference to default outbox item
884           0x35e3  binary record contains a reference to "Deleted Items" item
885           0x35e4  binary record contains a reference to sent items folder item
886           0x35e5  binary record contains a reference to user views folder item
887           0x35e6  binary record contains a reference to common views folder item
888           0x35e7  binary record contains a reference to "Search Root" item
889           0x3602  the number of emails stored in a folder
890           0x3603  the number of unread emails in a folder
891           0x360a  Has Subfolders
892           0x3613  the folder content description
893           0x3617  Associate Content count
894           0x3701  Binary Data attachment
895           0x3704  Attachment Filename
896           0x3705  Attachment method
897           0x3707  Attachment Filename long
898           0x370b  Attachment Position
899           0x370e  Attachment mime encoding
900           0x3710  Attachment mime Sequence
901           0x3712  Content ID
902           0x3a00  Contact's Account name
903           0x3a01  Contact Alternate Recipient
904           0x3a02  Callback telephone number
905           0x3a03  Message Conversion Prohibited
906           0x3a05  Contacts Suffix
907           0x3a06  Contacts First Name
908           0x3a07  Contacts Government ID Number
909           0x3a08  Business Telephone Number
910           0x3a09  Home Telephone Number
911           0x3a0a  Contacts Initials
912           0x3a0b  Keyword
913           0x3a0c  Contact's Language
914           0x3a0d  Contact's Location
915           0x3a0e  Mail Permission
916           0x3a0f  MHS Common Name
917           0x3a10  Organizational ID #
918           0x3a11  Contacts Surname
919           0x3a12  original entry id
920           0x3a13  original display name
921           0x3a14  original search key
922           0x3a15  Default Postal Address
923           0x3a16  Company Name
924           0x3a17  Job Title
925           0x3a18  Department Name
926           0x3a19  Office Location
927           0x3a1a  Primary Telephone
928           0x3a1b  Business Phone Number 2
929           0x3a1c  Mobile Phone Number
930           0x3a1d  Radio Phone Number
931           0x3a1e  Car Phone Number
932           0x3a1f  Other Phone Number
933           0x3a20  Transmittable Display Name
934           0x3a21  Pager Phone Number
935           0x3a22  user certificate
936           0x3a23  Primary Fax Number
937           0x3a24  Business Fax Number
938           0x3a25  Home Fax Number
939           0x3a26  Business Address Country
940           0x3a27  Business Address City
941           0x3a28  Business Address State
942           0x3a29  Business Address Street
943           0x3a2a  Business Postal Code
944           0x3a2b  Business PO Box
945           0x3a2c  Telex Number
946           0x3a2d  ISDN Number
947           0x3a2e  Assistant Phone Number
948           0x3a2f  Home Phone 2
949           0x3a30  Assistant's Name
950           0x3a40  Can receive Rich Text
951           0x3a41  Wedding Anniversary
952           0x3a42  Birthday
953           0x3a43  Hobbies
954           0x3a44  Middle Name
955           0x3a45  Display Name Prefix (Title)
956           0x3a46  Profession
957           0x3a47  Preferred By Name
958           0x3a48  Spouse's Name
959           0x3a49  Computer Network Name
960           0x3a4a  Customer ID
961           0x3a4b  TTY/TDD Phone
962           0x3a4c  Ftp Site
963           0x3a4d  Gender
964           0x3a4e  Manager's Name
965           0x3a4f  Nickname
966           0x3a50  Personal Home Page
967           0x3a51  Business Home Page
968           0x3a57  Company Main Phone
969           0x3a58  Children's names
970           0x3a59  Home Address City
971           0x3a5a  Home Address Country
972           0x3a5b  Home Address Postal Code
973           0x3a5c  Home Address State or Province
974           0x3a5d  Home Address Street
975           0x3a5e  Home Address Post Office Box
976           0x3a5f  Other Address City
977           0x3a60  Other Address Country
978           0x3a61  Other Address Postal Code
979           0x3a62  Other Address State
980           0x3a63  Other Address Street
981           0x3a64  Other Address Post Office box
982           0x3fde  Internet code page
983           0x3ffd  Message code page
984           0x65e3  Entry ID
985           0x67f2  Attachment ID2 value
986           0x67ff  Password checksum
987           0x6f02  Secure HTML Body
988           0x6f04  Secure Text Body
989           0x7c07  Top of folders RecID
990           0x8005  Contact Fullname
991           0x801a  Home Address
992           0x801b  Business Address
993           0x801c  Other Address
994           0x8045  Work Address Street
995           0x8046  Work Address City
996           0x8047  Work Address State
997           0x8048  Work Address Postal Code
998           0x8049  Work Address Country
999           0x804a  Work Address Post Office Box
1000           0x8082  Email Address 1 Transport
1001           0x8083  Email Address 1 Address
1002           0x8084  Email Address 1 Description
1003           0x8085  Email Address 1 Record
1004           0x8092  Email Address 2 Transport
1005           0x8093  Email Address 2 Address
1006           0x8094  Email Address 2 Description
1007           0x8095  Email Address 2 Record
1008           0x80a2  Email Address 3 Transport
1009           0x80a3  Email Address 3 Address
1010           0x80a4  Email Address 3 Description
1011           0x80a5  Email Address 3 Record
1012           0x80d8  Internet Free/Busy
1013           0x8205  Appointment shows as
1014           0x8208  Appointment Location
1015           0x820d  Appointment start
1016           0x820e  Appointment end
1017           0x8214  Label for appointment
1018           0x8215  All day appointment flag
1019           0x8216  Appointment recurrence data
1020           0x8223  Appointment is recurring
1021           0x8231  Recurrence type
1022           0x8232  Recurrence description
1023           0x8234  TimeZone of times
1024           0x8235  Recurrence Start Time
1025           0x8236  Recurrence End Time
1026           0x8501  Reminder minutes before appointment start
1027           0x8503  Reminder alarm
1028           0x8516  Common Time Start
1029           0x8517  Common Time End
1030           0x851f  Play reminder sound filename
1031           0x8530  Followup String
1032           0x8534  Mileage
1033           0x8535  Billing Information
1034           0x8554  Outlook Version
1035           0x8560  Appointment Reminder Time
1036           0x8700  Journal Entry Type
1037           0x8706  Start Timestamp
1038           0x8708  End Timestamp
1039           0x8712  Journal Entry Type - duplicate?
1040

ASSOCIATED DESCRIPTOR ITEM 0X7CEC

1042       This style of descriptor block is similar to the 0xbcec format. This
1043       descriptor is also eventually decoded to a list of MAPI elements.
1044
1045           0000  7a 01 ec 7c  40 00 00 00  00 00 00 00  b5 04 02 00
1046           0010  60 00 00 00  7c 18 60 00  60 00 62 00  65 00 20 00
1047           0020  00 00 80 00  00 00 00 00  00 00 03 00  20 0e 0c 00
1048           0030  04 03 1e 00  01 30 2c 00  04 0b 1e 00  03 37 28 00
1049           0040  04 0a 1e 00  04 37 14 00  04 05 03 00  05 37 10 00
1050           0050  04 04 1e 00  07 37 24 00  04 09 1e 00  08 37 20 00
1051           0060  04 08 02 01  0a 37 18 00  04 06 03 00  0b 37 08 00
1052           0070  04 02 1e 00  0d 37 1c 00  04 07 1e 00  0e 37 40 00
1053           0080  04 10 02 01  0f 37 30 00  04 0c 1e 00  11 37 34 00
1054           0090  04 0d 1e 00  12 37 3c 00  04 0f 1e 00  13 37 38 00
1055           00A0  04 0e 03 00  f2 67 00 00  04 00 03 00  f3 67 04 00
1056           00B0  04 01 03 00  09 69 44 00  04 11 03 00  fa 7f 5c 00
1057           00C0  04 15 40 00  fb 7f 4c 00  08 13 40 00  fc 7f 54 00
1058           00D0  08 14 03 00  fd 7f 48 00  04 12 0b 00  fe 7f 60 00
1059           00E0  01 16 0b 00  ff 7f 61 00  01 17 45 82  00 00 00 00
1060           00F0  45 82 00 00  78 3c 00 00  ff ff ff ff  49 1e 00 00
1061           0100  06 00 00 00  00 00 00 00  a0 00 00 00  00 00 00 00
1062           0110  00 00 00 00  00 00 00 00  00 00 00 00  c0 00 00 00
1063           0120  00 00 00 00  00 00 00 00  00 00 00 00  00 00 00 00
1064           0130  00 00 00 00  00 00 00 00  00 00 00 00  00 40 dd a3
1065           0140  57 45 b3 0c  00 40 dd a3  57 45 b3 0c  02 00 00 00
1066           0150  00 00 fa 10  3e 2a 86 48  86 f7 14 03  0a 03 02 01
1067           0160  4a 2e 20 44  61 76 69 64  20 4b 61 72  61 6d 27 73
1068           0170  20 42 69 72  74 68 64 61  79 00 06 00  00 00 0c 00
1069           0180  14 00 ea 00  f0 00 55 01  60 01 79 01
1070
1071           0000  indexOffset     [2 bytes] 0x017a     in this case
1072           0002  signature       [2 bytes] 0x7cec     constant
1073           0004  7coffset        [4 bytes] 0x0040     index reference
1074
1075       Note the signature of 0x7cec. There are other descriptor block formats
1076       with other signatures. Note the indexOffset of 0x017a - starting at
1077       that position in the descriptor block, we have an array of two byte
1078       integers. The first integer (0x0006) is a (count-1) of the number of
1079       overlapping pairs following the count. The first pair is (0, 0xc), the
1080       next pair is (0xc, 0x14) and the last (7th) pair is (0x160, 0x179).
1081       These pairs are (start,end+1) offsets of items in this block. So we
1082       have count+2 integers following the count value.
1083
1084       Note the 7coffset of 0x0040, which is an index reference. In this case,
1085       it is an internal pointer reference, which needs to be right shifted by
1086       4 bits to become 0x0004, which is then a byte offset to be added to the
1087       above indexOffset plus two (to skip the count), so it points to the
1088       (0x14, 0xea) pair. We have the offset and size of the "7c" block
1089       located at offset 0x14 with a size of 214 bytes in this case. The "7c"
1090       block starts with a header with the following format:
1091
1092           0000  signature       [1 byte]  0x7c       constant
1093           0001  itemCount       [1 byte]  0x18       in this case
1094           0002  unknown         [2 bytes] 0x0060     in this case
1095           0004  unknown         [2 bytes] 0x0060     in this case
1096           0006  unknown         [2 bytes] 0x0062     in this case
1097           0008  recordSize      [2 bytes] 0x0065     in this case
1098           000a  b5Offset        [4 bytes] 0x0020     index reference
1099           000e  index2Offset    [4 bytes] 0x0080     index reference
1100           0012  unknown         [2 bytes] 0x0000     in this case
1101           0014  unknown         [2 bytes] 0x0000     in this case
1102
1103       Note the b5Offset of 0x0020, which is an index reference. In this case,
1104       it is an internal pointer reference, which needs to be right shifted by
1105       4 bits to become 0x0002, which is then a byte offset to be added to the
1106       above indexOffset plus two (to skip the count), so it points to the
1107       (0xc, 0x14) pair. Finally, we have the offset and size of the "b5"
1108       block located at offset 0xc with a size of 8 bytes in this descriptor
1109       block. The "b5" block has the following format:
1110
1111           0000  signature       [2 bytes] 0x04b5     constant
1112           0002  datasize        [2 bytes] 0x0002     +4 for 6 byte entries in this case
1113           0004  descoffset      [4 bytes] 0x0060     index reference
1114
1115       Note the descoffset of 0x0060, which again is an index reference. In
1116       this case, it is an internal pointer reference, which needs to be right
1117       shifted by 4 bits to become 0x0006, which is then a byte offset to be
1118       added to the above indexOffset plus two (to skip the count), so it
1119       points to the (0xea, 0xf0) pair. The datasize (2) plus the b5 code (04)
1120       gives the size of the entries, in this case 6 bytes. We now have the
1121       offset 0xea of an unused block of data in an unknown format, composed
1122       of 6 byte entries. That gives us (0xf0 - 0xea)/6 = 1, so we have a
1123       recordCount of one.
1124
1125       We have seen cases where the descoffset in the b5 block is zero, and
1126       the index2Offset in the 7c block is zero. This has been seen for
1127       objects that seem to be attachments on messages that have been read.
1128       Before the message was read, it did not have any attachments.
1129
1130       Note the index2Offset above of 0x0080, which again is an index
1131       reference. In this case, it is an internal pointer reference, which
1132       needs to be right shifted by 4 bits to become 0x0008, which is then a
1133       byte offset to be added to the above indexOffset plus two (to skip the
1134       count), so it points to the (0xf0, 0x155) pair. This is an array of
1135       tables of four byte integers. We will call these the IND2 tables. The
1136       size of each of these tables is specified by the recordSize field of
1137       the "7c" header. The number of these tables is the above recordCount
1138       value derived from the "b5" block.
1139
       Now the remaining data in the "7c" block after the header starts at
       offset 0x2a. There should be itemCount 8 byte items here, with the
       following format:

           0000  referenceType   [2 bytes]
           0002  itemType        [2 bytes]
           0004  ind2Offset      [2 bytes]
           0006  size            [1 byte]
           0007  unknown         [1 byte]

       The ind2Offset is a byte offset into the current IND2 table of some
       value. If that is a four byte integer value, then once we fetch that,
       we have the same triple (item type, reference type, value) as we find
       in the 0xbcec style descriptor blocks. If not, then this value is used
       directly. These 8 byte descriptors are processed recordCount times,
       each time using the next IND2 table. The item and reference types are
       as described above for the 0xbcec format descriptor block.


32 BIT ASSOCIATED DESCRIPTOR ITEM 0X0101

       This descriptor block contains a list of I_ID values. It is used when
       an I_ID (that would normally point to a type 0x7cec or 0xbcec
       descriptor block) contains more data than can fit in any single
       descriptor of those types. In this case, it points to a type 0x0101
       block, which contains a list of I_ID values that themselves point to
       the actual descriptor blocks. The total length value in the 0x0101
       header is the sum of the lengths of the blocks pointed to by the list
       of I_ID values. The result is an array of subblocks that may contain
       index references where the high order 16 bits specify which descriptor
       subblock to use. Only the first descriptor subblock contains the
       signature (0xbcec or 0x7cec).

           0000  01 01 02 00  26 28 00 00  18 77 0c 00  b8 04 00 00

           0000  signature       [2 bytes] 0x0101     constant
           0002  count           [2 bytes] 0x0002     in this case
           0004  total length    [4 bytes] 0x002826   in this case
             repeating
           0008  i_id            [4 bytes] 0x0c7718   in this case
           000c  i_id            [4 bytes] 0x0004b8   in this case


64 BIT ASSOCIATED DESCRIPTOR ITEM 0X0101

       This descriptor block contains a list of I_ID values, similar to the 32
       bit version described above.

           0000  01 01 02 00  ea 29 00 00  10 83 00 00  00 00 00 00
           0010  1c 83 00 00  00 00 00 00

           0000  signature       [2 bytes] 0x0101     constant
           0002  count           [2 bytes] 0x0002     in this case
           0004  total length    [4 bytes] 0x0029ea   in this case
             repeating
           0008  i_id            [8 bytes] 0x008310   in this case
           0010  i_id            [8 bytes] 0x00831c   in this case

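       The two 0x0101 layouts above differ only in the width of each i_id, so
       one routine can read both. The following Python code is an added
       example, not libpst code: the function names are hypothetical and the
       subblock lengths used for the total length check are constructed.

```python
import struct

HEADER_LEN = 8  # signature (2) + count (2) + total length (4)


def parse_0101_block(data: bytes, is_64bit: bool) -> dict:
    """Parse a type 0x0101 block (hypothetical helper, not libpst's API)."""
    if len(data) < HEADER_LEN:
        raise ValueError("block shorter than the 8 byte 0x0101 header")
    signature, count, total_length = struct.unpack_from("<HHI", data, 0)
    if signature != 0x0101:
        raise ValueError(f"unexpected signature 0x{signature:04x}")
    # count comes from the file: check it against the bytes actually held
    # before reading the list, so a bad count is rejected, not trusted.
    id_size = 8 if is_64bit else 4
    needed = HEADER_LEN + count * id_size
    if needed > len(data):
        raise ValueError(f"count {count} needs {needed} bytes, have {len(data)}")
    fmt = f"<{count}{'Q' if is_64bit else 'I'}"
    i_ids = list(struct.unpack_from(fmt, data, HEADER_LEN))
    return {"count": count, "total_length": total_length, "i_ids": i_ids}


def total_length_matches(block: dict, length_of: dict) -> bool:
    """True if the header total equals the summed lengths of the listed blocks.

    length_of maps I_ID -> block length, as an I_ID index lookup would give.
    """
    try:
        return sum(length_of[i] for i in block["i_ids"]) == block["total_length"]
    except KeyError:
        return False  # a listed I_ID is missing from the index


# The 32 bit and 64 bit sample blocks shown in the two sections above.
SAMPLE_32 = bytes.fromhex("01010200 26280000 18770c00 b8040000")
SAMPLE_64 = bytes.fromhex("01010200 ea290000 1083000000000000 1c83000000000000")
# Constructed lengths for the two 32 bit subblocks (not taken from the page).
CONSTRUCTED_LENGTHS = {0x0C7718: 8180, 0x0004B8: 2098}

if __name__ == "__main__":
    for name, raw, wide in (("32 bit", SAMPLE_32, False), ("64 bit", SAMPLE_64, True)):
        block = parse_0101_block(raw, wide)
        print(name, block["count"], hex(block["total_length"]),
              [hex(i) for i in block["i_ids"]])
```

       Reading the 32 bit sample with is_64bit set raises ValueError, because
       a count of 2 would then need 24 bytes and the block holds only 16.
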

[FIXME: source]                   2017-12-07                    OUTLOOK.PST(5)