Recovering Permanently Deleted Email in Outlook

Doesn’t that sound just wrong? “Recovering” and “permanently deleted” in the same sentence like that?

Since my last post about one little registry setting suddenly making months or a year's worth of "deleted" email reappear, I've gotten a flurry of responses. Among the interesting mentions:

-You don’t need the registry hack in Outlook 2007; only Outlook 2003.

-If you really want to delete something, you'll have to move it from the server mailbox to a PST file, then compact that file.

-I don’t know that I trust that, either…

-There are commercial tools for this (which you can use on a trial basis in an emergency), for instance RecoverMyEmail at
http://www.recovermyemail.com/.

-If you’re a Do-It-Yourselfer (or a Do-It-For-Free-er) there are some good user articles, for instance
http://www.groovypost.com/howto/microsoft/ie/recover-deleted-email-in-microsoft-outlook-from-any-folder/.

This capability is, depending on your perspective, either a terrific opportunity to rescue some hapless user (or yourself) and look like an IT demigod, or a horrifying feature, of which most users are oblivious, that will inevitably produce a very, very nasty legal situation. Note too where the messages actually live: on an Exchange mailbox a shift-deleted item sits in the server's deleted-item retention until that retention window expires, and the client-side registry setting only exposes what the server is already keeping. Techs and security staff, take note.

Special thanks to Subnet7 and Herbbie for their contributions.


One tiny registry hack, a thing that makes me go hmm

Today I got a tip from one of my insider sources:

Got something good.

Most people think that when you hold Shift and press Delete, the messages from Outlook are permanently deleted. I thought this as well, up until this morning. You can add one DWORD value to the registry and recover messages. I was able to recover one year's worth of messages. So… are they stored locally or on the server? 😀

Now, may I ask you to ponder on this just one moment? Start now….

Thank you. Now that you've pondered, you and I share my source's concern: this wasn't a setting he turned on that then *began* keeping messages; oh no! This is a year's worth of past messages, easily recoverable with a single registry entry. Now, I am often foolishly forced to explicate the workings of mad minds, but I must explicitly protest: Holy $#@t!

Cheaters, for instance, beware: all those deleted messages are still there, ready to hang you by the neck until dead. You, I’m not worried about. But political dissidents, you see, might find this dismaying. Among others.

Using Backtrack: Network Mapping: Identify Live Hosts: hping

[Registered users of my site can access a whole series of articles and tutorials on security and networking tools, including BackTrack. Here’s a taste.
– Glenn]

hping, hping2 and hping3

Purpose:

hping and hping2 are command-line tools; hping3 adds a Tcl scripting interface on top of the same engine. All of them craft TCP/IP packets field by field: you choose the protocol and the individual header flags, spoof your source address, flood a target, transfer files over crafted packets, or even carry a remote shell that way.

Discussion:

This is a phenomenally powerful tool, one that can do simple, stupid DoS attacks or brilliant, subtle exploits; take your pick. There are a whole lot of good tutorials and how-tos on the Internet, so I'm linking you to some of these.
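The host-identification use of hping3 in working form, as an added example that is not part of the original page or of hping itself: the hping3 options are real, but the function names, the `LIVE` switch and the sample reply text are my own constructions. The point it shows is the one a practitioner cares about at this stage: a host that ignores an ICMP echo but answers a SYN to port 80 with `flags=SA` (or a closed port with `flags=RA`) is alive and firewalled, not dead.

```shell
#!/bin/sh
# Added example: a small wrapper around hping3 for the "identify live hosts"
# stage. Function names and the SAMPLE text are constructed for this example;
# only the hping3 options are real. Set LIVE=1 to send real probes (root and
# hping3 on PATH required); otherwise the commands are printed and the
# constructed sample of hping3 output is parsed instead.

# Build the probe command for one host. hping3 options used:
#   -S / -A   set the SYN / ACK flag        -1    ICMP echo mode
#   -p PORT   destination port              -c N  stop after N packets
#   (-a ADDR would spoof the source; replies then go to ADDR, not to us)
hping_cmd() {
  local mode=$1 host=$2 port=${3:-80}
  case $mode in
    syn)  printf 'hping3 -S -p %s -c 1 %s' "$port" "$host" ;;
    ack)  printf 'hping3 -A -p %s -c 1 %s' "$port" "$host" ;;
    icmp) printf 'hping3 -1 -c 1 %s' "$host" ;;
    *)    return 1 ;;
  esac
}

# Read hping3 reply lines on stdin and print "<ip> <verdict>".
# SYN probe: flags=SA means port open, flags=RA means port closed; either way
# the host is alive. ACK probe: flags=R means no stateful filter dropped the
# unsolicited ACK. ICMP replies carry no flags field. The "HPING ..." header
# and the statistics trailer do not start with "len=" and are ignored.
classify_replies() {
  awk '
    /^len=/ {
      ip = ""; flags = ""
      for (i = 1; i <= NF; i++) {
        if (split($i, kv, "=") == 2) {
          if (kv[1] == "ip")    ip = kv[2]
          if (kv[1] == "flags") flags = kv[2]
        }
      }
      if (flags == "SA")      v = "alive port-open"
      else if (flags == "RA") v = "alive port-closed"
      else if (flags == "R")  v = "alive unfiltered"
      else if (flags == "")   v = "alive icmp-reply"
      else                    v = "alive flags=" flags
      print ip, v
    }'
}

# Probe every host given on the command line with one mode and port.
probe_hosts() {
  local mode=$1 port=$2 h cmd
  shift 2
  for h in "$@"; do
    cmd=$(hping_cmd "$mode" "$h" "$port") || continue
    if [ "${LIVE:-0}" = 1 ] && command -v hping3 >/dev/null 2>&1; then
      $cmd 2>/dev/null | classify_replies
    else
      echo "# would run: $cmd" >&2
    fi
  done
}

# Constructed sample of hping3 output (not captured from a real network):
# one open port, one closed port, one ICMP echo reply.
SAMPLE='HPING 10.0.0.5 (eth0 10.0.0.5): S set, 40 headers + 0 data bytes
len=46 ip=10.0.0.5 ttl=64 DF id=0 sport=80 flags=SA seq=0 win=29200 rtt=0.4 ms
len=46 ip=10.0.0.6 ttl=64 DF id=0 sport=80 flags=RA seq=0 win=0 rtt=0.3 ms
len=46 ip=10.0.0.7 ttl=128 id=2131 icmp_seq=0 rtt=1.2 ms

--- 10.0.0.5 hping statistic ---
1 packets transmitted, 1 packets received, 0% packet loss'

printf '%s\n' "$SAMPLE" | classify_replies
probe_hosts syn 80 10.0.0.5 10.0.0.6
```

Run it as is to see the parser's verdicts on the sample, or `LIVE=1 sh script.sh` as root to send single SYN probes to the listed hosts. When sweeping a range, probe a port the target is likely to serve (80, 443, 25) rather than relying on ICMP, since that is exactly what the firewall is most likely to drop.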

Stage:

Information gathering

Home Page:

http://www.hping.org/

Wiki:

http://wiki.hping.org/

Tutorials:

Read this one first at The Ethical Hacker Network: http://ethicalhacker.net/content/view/72/24

Some good examples at Linux-Magazine.com: http://www.linux-magazine.com/Issues/2009/99/Hping/(offset)/6

Very short examples: http://rationallyparanoid.com/articles/hping.html

One lengthy procedure: http://www.compuhowto.com/linux/hping3-examples/

A 5-part tutorial at TheTazZone.com: http://www.thetazzone.com/tutorial-hping-basic-host-and-port-probing-tut-1-of-5/

Resources: Security Standards

Which security standards apply to you? Research this carefully. Here are some of the critical ones:

FIPS 140

http://en.wikipedia.org/wiki/FIPS_140-2

This US Government standard specifies the security requirements for cryptographic modules used to protect sensitive but unclassified federal information; in practice it dictates which encryption implementations a federal system may use. Administrations like the VA and the SSA are most concerned with this.

HIPAA

http://en.wikipedia.org/wiki/HIPAA

The Health Insurance Portability and Accountability Act is all about medical records. If you're involved in medical care, you have some onerous HIPAA requirements. If you aren't, but somehow possess other people's medical records (as a lawyer might, for instance), most of it does not apply. But beware of (truly massive) civil liability.

SAS 70

http://en.wikipedia.org/wiki/SAS_70

The Statement on Auditing Standards No. 70 is a financial and accounting standard that might concern IT practitioners charged with data preservation and integrity. It was superseded in 2011 by SSAE 16 (the SOC 1 report), so an auditor asking for "SAS 70" today means that successor.

Automated Wi-Fi Scanning with Wi-fEye

Wi-fEye

Purpose:

Wi-fEye provides a nice terminal interface for automating a variety of wireless network scans.

Discussion:

I ran into this article on Techkranti.com about Wi-fEye:

http://www.techkranti.com/2010/11/wi-feye-automated-network-penetration.html

and had to try the tool, and I must say I'm impressed. When you open it you're presented with a series of "Choose One:" menus, which mask the huge array of exploits in this package. You can hijack HTTP sessions, pull URLs out of Wi-Fi traffic and open them in your browser, run nmap scans, change your MAC address, and even perform one of the most insidious exploits, using evilgrade to serve fake software updates that look and act like the real thing.

Read the article linked above, then trot on out and download it. It's a natural add-on to BackTrack.

Home Page:

Official Website: http://wi-feye.za1d.com/t
Download page: http://wi-feye.za1d.com/Download.html
Documentation: http://wi-feye.za1d.com/Documentation.html
Video tutorial: http://wi-feye.za1d.com/Wi-fEye-Software-hijacking.html


Using Backtrack: Network Mapping: Identify Live Hosts: PBNJ

PBNJ: ScanPBNJ and OutputPBNJ

Purpose:

The PBNJ tools are Perl scripts that drive nmap, store each scan's results in a database, and report what has changed on your network between scans.

Discussion:

From the website:

PBNJ is a suite of tools written in Perl. PBNJ calls Nmap to perform a scan and then PBNJ correlates the information about the targets using Nmap’s result and the PBNJ database.
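What the quoted description amounts to, as an added example that is my own shell code and not part of PBNJ: a scan is reduced to one line per open port, stored as a sorted snapshot, and the next snapshot is diffed against it. PBNJ keeps the snapshots in a database; this version keeps them in flat files. The nmap `-oG` line layout is real; the function names, the `LIVE` switch and the two sample scans are constructed for the example.

```shell
#!/bin/sh
# Added example (my own code, not part of PBNJ): PBNJ's scan-and-compare idea
# reduced to flat files. A snapshot is nmap grepable output (-oG) boiled down
# to "host port/proto service" lines; two snapshots are diffed with comm.
# Function names, the LIVE switch and the sample scans are constructed.

# Turn nmap -oG text (stdin) into one sorted line per open port.
# An -oG port entry looks like "22/open/tcp//ssh///" (port/state/proto/
# owner/service/rpc/version/); only entries whose state is "open" are kept.
snapshot_from_grepable() {
  awk '
    /^Host:/ && /Ports:/ {
      host = $2
      sub(/.*Ports: /, "")                  # drop everything before the list
      sub(/[ \t]+Ignored State:.*$/, "")    # and the trailer after it
      n = split($0, ports, /, /)
      for (i = 1; i <= n; i++) {
        split(ports[i], f, "/")
        if (f[2] == "open") printf "%s %s/%s %s\n", host, f[1], f[3], f[5]
      }
    }' | LC_ALL=C sort
}

# Write a snapshot file. With LIVE=1 nmap is run (SYN scan needs root);
# otherwise -oG text is read from stdin, which is what the demo below does.
take_snapshot() {
  local targets=$1 out=$2
  if [ "${LIVE:-0}" = 1 ] && command -v nmap >/dev/null 2>&1; then
    nmap -sS -oG - "$targets" | snapshot_from_grepable > "$out"
  else
    snapshot_from_grepable > "$out"
  fi
}

# Report differences: "+ line" for ports/hosts that appeared since the
# baseline, "- line" for ones that disappeared. comm needs sorted input,
# which snapshot_from_grepable guarantees (same locale for sort and comm).
report_changes() {
  local baseline=$1 current=$2
  LC_ALL=C comm -13 "$baseline" "$current" | sed 's/^/+ /'
  LC_ALL=C comm -23 "$baseline" "$current" | sed 's/^/- /'
}

# Two constructed -oG scans (not real scan output): between them one host
# grew a MySQL port, one host vanished, and a new SMB host appeared with a
# filtered port that must not count as a change.
BASELINE_OG='# Nmap grepable output, constructed sample
Host: 10.0.0.5 ()  Status: Up
Host: 10.0.0.5 ()  Ports: 22/open/tcp//ssh///, 80/open/tcp//http///  Ignored State: closed (998)
Host: 10.0.0.6 ()  Ports: 22/open/tcp//ssh///  Ignored State: closed (999)'
CURRENT_OG='Host: 10.0.0.5 ()  Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 3306/open/tcp//mysql///  Ignored State: closed (997)
Host: 10.0.0.7 ()  Ports: 135/filtered/tcp//msrpc///, 445/open/tcp//microsoft-ds///  Ignored State: filtered (998)'

# Run the whole cycle on the constructed scans and print the change report.
demo_changes() {
  local tmp
  tmp=$(mktemp -d) || return 1
  printf '%s\n' "$BASELINE_OG" | take_snapshot 10.0.0.0/24 "$tmp/baseline"
  printf '%s\n' "$CURRENT_OG"  | take_snapshot 10.0.0.0/24 "$tmp/current"
  report_changes "$tmp/baseline" "$tmp/current"
  rm -rf "$tmp"
}

demo_changes
```

For real use, keep yesterday's snapshot file, call `LIVE=1` with your target range, and feed `report_changes` into whatever alerts you; a new open port on a host you did not change is the event worth paging on.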

Stage:

Information gathering

Online at:

http://www.spl0it.org/files/PBNJ-sysadmin-article-feb07.html

Using Backtrack: Network Mapping: Identify Live Hosts: onesixtyone

onesixtyone

Purpose:

onesixtyone sweeps a list of hosts trying a dictionary of SNMP community strings, reporting every host that answers and the string it answered to. Simple Network Management Protocol, after all, does indeed offer management: a guessed community string is read access to the device's configuration, and sometimes write access.

Discussion:

From the website:

onesixtyone takes a different approach to SNMP scanning. It takes advantage of the fact that SNMP is a connectionless protocol and sends all SNMP requests as fast as it can. Then the scanner waits for responses to come back and logs them, in a fashion similar to Nmap ping sweeps. By default onesixtyone waits for 10 milliseconds between sending packets, which is adequate for 100Mbs switched networks. The user can adjust this value via the -w command line option. If set to 0, the scanner will send packets as fast as the kernel would accept them, which may lead to packet drop.

Stage:

Information gathering

Home Page:

http://www.phreedom.org/solar/onesixtyone/

Using Backtrack: Network Mapping: Identify Live Hosts: nsat

nsat – the Network Security Analysis Tool

Discussion:

From the README:

NSAT is a fast, stable bulk security scanner designed to audit remote network
services and check for versions, security problems, gather information about
the servers and the machine and much more. Unlike many other auditing tools,
it can collect information about services independently of vulnerabilities,
which makes it “timeless”, meaning it doesn’t depend on frequent updates as new
vulnerabilities are found.

A manpage providing extensive information on NSAT has been included in the
distribution. It is available after a ‘make install’, or just by typing
‘man doc/nsat.8’ from this dir. It is suggested that you inform yourself at
least about the -v (scan verbosity) option and edit the configuration file.
To learn about changes in this version, please consult doc/CHANGES.

New to this version is support for distributed scanning. The manpage
describes how to do a distributed scan. Note that distributed scanning in
this version is just a preliminary, proof-of-concept, implementation with
no guarantees for its security, reliability, or performance.

Stage:

Information gathering

Home Page:

http://nsat.sourceforge.net/

Using Backtrack: Network Mapping: Identify Live Hosts: Netifera

Netifera

Purpose:

Network enumeration and packet sniffing.

Discussion:

Like Autoscan-Network, Netifera provides a nice GUI for scanning networks, with customizable workspaces and sub-spaces. It’s pretty, simple, and pretty simple to use. I did find that if I added hosts to an existing scan, when it was re-scanned Netifera didn’t detect them, or at least report them.

One potentially highly useful feature is that you can detect hosts (like nmap), then sniff traffic and save it, which is a nice feature pair.

Stage:

Network Mapping: Identifying Live Hosts

Home Page:

http://netifera.com

Getting Started:

http://netifera.com/doc/netifera_getting_started_guide/