Parsing a Stolen OST for Sensitive Data
During penetration tests or Red Team engagements often I will come across an orphaned .ost (Offline Outlook Data File) sitting on a network share, etc. Getting these files connected to an Outlook profile which they were not originally connected to is easier said than done. Microsoft doesn't offer a solution. There is a lot of paid software out there claiming to do it, but I'm not willing to trust such software and suspect it of being malicious. One free tool I tried didn't support older Outlook 2013 .ost files, as well.
Here's how I solved this problem:
Created an isolated Windows VM in case the converter software was malicious so that it couldn't exfil any data.
Downloaded the trial version of https[:]//www[.]stellarinfo[.]com/convert-ost-to-pst.php (use at your own risk). The trial currently only supports exporting 10 items unless you pay $79.
Moved the installation file to the Windows VM and installed it.
Ran Stellar on the OST and it showed the recovered emails in the GUI but they were not saved to a PST yet. Observed that the software stores a temporary file of the OST data here: 'C:\Program Files\Stellar Converter for OST\TempStell_Dir'.
Moved this temp file to a Linux box and used strings/grep to parse it for sensitive data.
This worked pretty well and solves a problem I've experienced quite a few times.