The short answer: Yes. Sherlock PST Viewer 1.4.0 salvage reconstruction recovers messages from damaged PST files where Outlook and scanpst.exe and mainstream forensic tools all decline the file. The reconstruction is read-only on the evidence file. The forensic edition ($67 one-time) performs the reconstruction; the free edition provides the diagnosis and an upgrade prompt. Reconstruction works when the header is intact and the data pages are reachable; it cannot recover data from pages that are actually missing (post-truncation gap).
Why This Question Matters More in 2026 Than It Used To
The volume of damaged PST files hitting forensic engagements has increased through 2025 and into 2026 for structural reasons. First, PST file sizes have grown; 20 GB to 50 GB PST files are routine in enterprise and legal contexts where mail retention runs 10-plus years. Larger files are more likely to encounter transfer truncation, storage-boundary issues and network-interruption damage. Second, mail archive extraction workflows increasingly move PST files across storage boundaries: from workstation to network share to eDiscovery vendor to review platform. Each hop introduces truncation risk. Third, the mainstream forensic toolchain (EnCase and Cellebrite Physical Analyzer and scanpst.exe and vendor-specific PST processors) has not kept pace with the salvage capability that damaged-file scenarios need. The result is a growing gap between the volume of damaged PST files organizations encounter and the tooling capacity to recover them.
Sherlock PST Viewer 1.4.0 introduces damaged-PST salvage specifically to close this gap. The capability was not previously packaged in a customer-accessible forensic tool. Prior to 1.4.0 the salvage capability existed in bespoke data-recovery-vendor tooling with $15000 to $25000 engagement pricing and 3 to 4 week engagement windows. Sherlock packages the same capability in the standard PST Viewer Forensic Edition at $67 one-time payment and provides the reconstruction in a single-tool workflow that examiners run themselves.
The Three Damage Patterns That Cause Outlook to Refuse a PST
Outlook and scanpst.exe apply strict validation at PST file open. Files that fail the validation cause Outlook to display a generic error and refuse to open the file. The three most common damage patterns that trigger this behavior:
Header truncation. The PST header at file offset 0 declares the file format and the total size and the offset of the internal index. When the header itself is truncated (the first 512 bytes of the file are incomplete or corrupted) Outlook cannot proceed past initial validation. Header truncation is rare in practice because header damage requires the truncation boundary to land in the first 512 bytes of the file which most transfer failures avoid.
Body truncation with valid header. The PST header is intact and declares a total file size larger than the actual on-disk file size. This is the most common damage pattern in transfer-failure scenarios. The header may declare a 65 GB total and the file on disk is 40 GB with the internal index (which typically sits near the end of the file) truncated away. Outlook and scanpst.exe both decline this pattern because the index they rely on for message enumeration is missing.
Corrupt or missing internal index without header truncation. The header and the data pages are present but the internal B-tree index that maps messages to page offsets is damaged (bit-flip, partial write, storage-corruption sector damage). Outlook cannot navigate the message tree without the index. scanpst.exe attempts index reconstruction but often fails or produces incomplete output.
For each of these damage patterns Sherlock PST Viewer 1.4.0 salvage reconstruction diagnoses the specific pattern and applies the appropriate recovery methodology. Patterns 2 (body truncation) and 3 (index damage) are recoverable through the walk-plus-reconstruct methodology described below. Pattern 1 (header truncation) is the exception and is genuinely unrecoverable in the general case because without the header the file format itself is ambiguous.
How the Sherlock Salvage Reconstruction Actually Works
The Sherlock PST Viewer 1.4.0 salvage reconstruction operates in three phases. Phase one is diagnostic: the tool inspects the PST header and reports the exact damage pattern in plain-language output. Example: "Header declares 65 GB total. File on disk is 40 GB. Internal B-tree index missing beyond offset 38 GB. Salvage reconstruction available." The diagnostic surfaces before any reconstruction attempt so the examiner knows what condition the file is in and what to expect from recovery.
Phase two is data-page walking. The tool traverses the intact data pages of the PST from the start of the file forward to the damage boundary. Each data page contains one or more MAPI records (message objects and attachment objects and folder objects). The tool reads each MAPI record and captures its fields and its cross-reference pointers to other records. This is the reconstruction primitive: knowing what MAPI records survived the damage and how they relate to each other.
Phase three is folder tree rebuild and message extraction. From the surviving MAPI records the tool rebuilds the folder tree by walking the parent-child pointers embedded in each folder object. Messages are extracted by walking the folder-to-message pointers and attaching the intact attachment records. The output is a new reconstructed PST file containing every message that survived the damage and a diagnostic manifest listing which messages recovered and which are absent (identified by broken pointer references in surviving folders).
The reconstruction runs read-only on the source PST file. The source is never modified. The output PST is a new file and the diagnostic manifest documents the provenance chain (source file and source hash and reconstruction timestamp and tool version and per-message hash for every recovered message) that supports court-defensible chain of custody for the reconstructed evidence.
What Recovers and What Does Not
The specific recovery yield depends on where the damage boundary landed relative to the folder and message layout. In the typical body-truncation case with 40 GB of a claimed 65 GB total surviving, the recovery yield is 60 to 90 percent of the estimated total message count. Higher yield occurs when the truncation boundary sits near the end of the file (most historical mail preserved). Lower yield occurs when the truncation boundary sits mid-file and disrupts folder structure (some folders recovered fully, some folders lost their message-list pages and recover only partial contents).
The Sherlock diagnostic manifest documents the recovered and unrecovered counts explicitly. The manifest identifies unrecovered messages by their broken folder-to-message pointer references so the examiner can characterize the gap. For litigation contexts this gap-characterization is legally important: opposing counsel routinely questions whether the recovered set is complete and the diagnostic manifest provides the answer.
Attachments recover with their parent messages when both the message record and the attachment record survived intact. Attachment binaries stored in separate pages from the message record recover as long as the attachment binary pages are within the surviving portion of the file. The recovery methodology handles attachment binaries and embedded images and embedded OLE objects the same way it handles message bodies: intact pages recover, missing pages produce a documented gap.
What This Means for Investigators Handling Damaged PSTs
For investigators receiving a damaged PST the operational sequence is straightforward. First, do not accept vendor "unrecoverable" determinations without independent second-opinion assessment. Vendors that lack salvage-reconstruction capability decline files that a salvage-capable tool would recover. Second, request formal diagnostic output when a PST fails ingest. The specific failure mode (header truncation vs body truncation vs index corruption) determines whether reconstruction is feasible. Third, build salvage-capable tooling into the standard forensic acquisition and review workflow so damaged-file scenarios do not stall investigations while alternatives are negotiated.
The Sherlock PST Viewer 1.4.0 at Forensic Edition tier handles the salvage capability end-to-end. Free tier receives the diagnostic and a Forensic Edition upgrade prompt so operators can evaluate whether the specific damaged PST recovers before committing to the license purchase. The one-time $67 price makes the Forensic Edition upgrade routine and removes the negotiation-with-vendor friction that historically stalled damaged-PST scenarios.
Where Sherlock PST Viewer 1.4.0 Fits Against Alternatives
Compared to Microsoft scanpst.exe (bundled with Outlook, free), Sherlock PST Viewer 1.4.0 handles the damage patterns that scanpst.exe declines. scanpst.exe fixes minor index-corruption cases and recovers CRC-repairable header damage; it does not handle body truncation or missing-index scenarios. Sherlock covers scanpst.exe scope and adds the salvage-reconstruction scope on top.
Compared to EnCase and Cellebrite Physical Analyzer and Magnet AXIOM (enterprise forensic suites), Sherlock PST Viewer 1.4.0 is the salvage-capable option. The enterprise suites decline damaged PST files at initial validation. Their user community routinely engages specialized data-recovery vendors when damaged-PST scenarios arise; the Sherlock salvage capability replaces that outsourced engagement with an in-tool workflow.
Compared to bespoke data-recovery vendors (Kroll Ontrack and DriveSavers and similar), Sherlock PST Viewer 1.4.0 provides comparable salvage capability at significantly lower cost and faster turnaround. Bespoke vendor engagements typically bill $15000 to $25000 and require 3 to 4 week windows. Sherlock reconstruction runs in-tool in hours on standard forensic hardware. For most Canadian mid-market engagements the Sherlock path is the appropriate choice; the bespoke-vendor path remains warranted for edge cases where the damage pattern is exotic (physical media damage, encryption and corruption combined, format-conversion damage).
The Chain of Custody Documentation That Salvage Produces
Sherlock PST Viewer 1.4.0 salvage reconstruction produces a chain of custody documentation package alongside the reconstructed PST. The package includes the source file hash, the reconstruction command and parameters, the tool version stamp, the per-message hash for every recovered message and the diagnostic manifest identifying recovered and unrecovered messages. For litigation contexts this documentation supports court submission of the reconstructed evidence and establishes the reconstruction methodology under deposition scrutiny.
For Canadian civil and criminal court contexts the Canada Evidence Act and provincial evidence acts have specific requirements for digital evidence authentication. The Sherlock reconstruction documentation aligns with these requirements out of the box. The examiner does not need to reverse-engineer the chain of custody after the fact; the tool produces the documentation as part of the reconstruction workflow.
For a real-world example of the salvage-plus-documentation workflow the Sherlock Truncated 40 GB PST Salvage Reconstruction Case walks through a Sherlock-anonymized mid-market Canadian insurance litigation matter where the salvage capability recovered 89 percent of surviving messages and rescued a two-week-stalled investigation. That case study documents the full reconstruction and deposition-tested chain of custody in practical detail.