Where Outlook Stores Deleted Emails in PST Files
When a user deletes an email in Microsoft Outlook, the message does not vanish. It moves to the Deleted Items folder inside the PST file. This is a soft delete. The email remains fully intact and accessible. Most users understand this much.
What most users do not realize is that emptying the Deleted Items folder does not destroy the message data either. Outlook marks the space occupied by those messages as available for reuse, but the actual bytes remain in the file. The messages are still there. They are simply no longer visible in the folder tree.
Exchange-connected PST files may also contain a Recoverable Items subfolder. This folder holds messages that were purged from Deleted Items but retained by the Exchange server's retention policy before the PST was disconnected or exported. When examining a PST file created from an Exchange mailbox, always check for this subfolder as it often contains messages the user believed were permanently destroyed.
How PST File Structure Preserves Deleted Data
Understanding why deleted emails survive inside a PST file requires a brief look at the file's internal architecture.
A PST file uses a B-tree structure to organize data. Messages, folders and attachments are stored as nodes in these trees. Each node has a reference in the file's allocation tables. When Outlook deletes a message, it removes the node's reference from the allocation table but does not zero out or overwrite the node's data on disk.
| Deletion Stage | What Happens Internally | Recoverable? |
|---|---|---|
| Move to Deleted Items | Message node moves to Deleted Items folder in the B-tree. All data intact. | Yes. Visible in any PST viewer. |
| Empty Deleted Items | Node reference removed from allocation table. Data remains in file. | Yes, with forensic tools that read raw PST structure. |
| PST compaction | Outlook reclaims space by overwriting orphaned nodes with new data. | Partially or not at all. Depends on how much was overwritten. |
| ScanPST repair | Microsoft repair tool rebuilds allocation tables. May discard orphaned data. | Unlikely. Repair process prioritizes structure over data preservation. |
The critical window for recovery is between deletion and compaction. If the PST file has not been compacted since the emails were deleted, the message data is almost certainly still present in the file. This is why the first rule of PST email recovery is the same as the first rule of all digital forensics: stop using the file immediately and create a forensic copy.
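The allocation bookkeeping described above can be inspected directly on the forensic copy. The following is an added example, not code from this article or from Sherlock PST Viewer: it reads the header of a Unicode PST using the field offsets in Microsoft's published MS-PST specification and reports how much space the allocation maps mark as free. The function names and the sample header are constructed for illustration, and reading free space as a hint that deleted data may still be present is a triage assumption, not proof.

```python
import struct

def parse_unicode_pst_header(buf):
    """Return the ROOT fields of a Unicode PST header that describe free space."""
    if len(buf) < 252 or buf[0:4] != b"!BDN":       # dwMagic
        raise ValueError("not a PST header")
    w_ver = struct.unpack_from("<H", buf, 10)[0]    # wVer: 14/15 ANSI, >= 23 Unicode
    if w_ver < 23:
        raise ValueError("ANSI PST uses a different layout (wVer=%d)" % w_ver)
    # ROOT begins at offset 180; its first 4 bytes are reserved.
    file_eof, amap_last, amap_free, _pmap_free = struct.unpack_from("<4Q", buf, 184)
    return {
        "wVer": w_ver,
        "ibFileEof": file_eof,        # file size recorded by the last writer
        "ibAMapLast": amap_last,      # offset of the last allocation map page
        "cbAMapFree": amap_free,      # bytes the allocation maps mark as free
        "fAMapValid": buf[248],       # 0 = maps invalid, 1 or 2 = maps valid
    }

def triage(buf, actual_size):
    """Summarise what the header says about unallocated space (heuristic)."""
    h = parse_unicode_pst_header(buf)
    eof = h["ibFileEof"]
    return {
        "size_matches_header": actual_size == eof,
        "amap_trustworthy": h["fAMapValid"] in (1, 2),
        "free_bytes": h["cbAMapFree"],
        "free_fraction": round(h["cbAMapFree"] / eof, 4) if eof else 0.0,
    }

def sample_header(w_ver=23, eof=10 * 2**20, free=2 * 2**20, valid=2):
    """Constructed 512-byte header for the demo; not taken from a real mailbox."""
    buf = bytearray(512)
    buf[0:4] = b"!BDN"
    buf[8:10] = b"SM"                               # wMagicClient for a PST
    struct.pack_into("<H", buf, 10, w_ver)
    struct.pack_into("<4Q", buf, 184, eof, eof - 512, free, 0)
    buf[248] = valid
    return bytes(buf)

if __name__ == "__main__":
    # For a real case: open the forensic copy with "rb" and read the first 512 bytes.
    print(triage(sample_header(), actual_size=10 * 2**20))
```

A free fraction near zero is consistent with a file that has been compacted; a size that disagrees with the header, or an invalid allocation map flag, means the free-space figure should not be relied on.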
Step-by-Step: Recovering Deleted Emails with Sherlock PST Viewer
Step 1: Create a Forensic Copy
Never attempt recovery on the original PST file. Copy the file using a write-blocking method or at minimum close Outlook before copying. Compute the SHA-256 hash of both the original and the copy. Verify they match. This hash becomes your proof that no data was altered during the recovery process.
If the PST file resides on a drive that is still in active use, every write operation to that drive risks overwriting the deleted email data within the PST. Prioritize creating the forensic copy before doing anything else. Use Sherlock Forensics Hash Calculator to verify integrity.
Step 2: Open the Copy in Sherlock PST Viewer
Launch Sherlock PST Viewer and open the forensic copy. The tool operates in strict read-only mode. It will not modify the PST file in any way. Verify the status bar confirms read-only access.
Do not open the PST file in Microsoft Outlook. Outlook opens PST files in read-write mode and immediately begins modifying internal structures. These modifications can overwrite the exact deleted data you are trying to recover. This is not a theoretical risk. It happens every time Outlook opens a PST file.
Step 3: Navigate to the Deleted Items Folder
Expand the folder tree in the left panel. Click on the Deleted Items folder. Review every message listed. These are soft-deleted emails that the user moved to trash but never permanently removed. In many investigations, the messages you need are sitting right here.
Step 4: Check the Recoverable Items Subfolder
Look beneath Deleted Items for subfolders named Recoverable Items, Purges or Deletions. These subfolders exist in PST files that were created from or synchronized with an Exchange server that had a retention policy enabled.
Exchange Server 2010 and later versions maintain a Recoverable Items folder that retains deleted messages for a configurable retention period (default 14 days, often extended to 30 days or more by organizational policy). When a PST file is exported from such a mailbox, the Recoverable Items contents may be included. These are messages the user explicitly purged from Deleted Items, making them invisible in Outlook, but they survived in the Exchange retention system and were captured in the PST export.
Step 5: Search Across All Folders
Use the global search function to search by sender, subject line, date range or keyword. Configure the search to scan all folders including Deleted Items and any subfolders.
Why search everywhere? Because users do not always delete emails from where you expect. A user may have moved a sensitive email to a subfolder before deleting the subfolder itself. The email might appear in a custom folder that was later deleted. It could be in Sent Items if the user deleted the received copy but forgot the sent reply. Searching across every folder catches these scenarios.
Common forensic search strategies for deleted email recovery:
- Search by sender email address to find all communications from a specific party
- Search by date range to isolate the time period when relevant communications occurred
- Search by keyword for project names, account numbers or specific terms relevant to the investigation
- Search by attachment filename to locate messages with specific documents attached
Step 6: Export Recovered Emails
Once you locate the deleted messages, the Forensic Edition ($67) allows you to export them individually or in batch to EML format. Each exported message receives an individual SHA-256 hash. The export manifest documents every recovered message with its metadata and hash value, creating a verifiable chain of custody for the recovered evidence.
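The hashing discipline that frames this procedure (hash at acquisition in Step 1, re-check after examination) can be scripted independently of any viewer. The following is an added example, not part of the original article or of Sherlock's tools; the function names, the custody record layout and the examiner label are assumptions made for illustration, and the sample file is constructed rather than a real PST.

```python
import hashlib, json, os, shutil, stat, tempfile
from datetime import datetime, timezone

def sha256_file(path, chunk=1024 * 1024):
    """Stream the file so a multi-gigabyte PST never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:               # read-only handle on the evidence
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def acquire(source, dest_dir, examiner):
    """Copy the source PST, hash both files, and write a custody record."""
    os.makedirs(dest_dir, exist_ok=True)
    copy = os.path.join(dest_dir, os.path.basename(source))
    if os.path.exists(copy):
        raise FileExistsError(copy)           # never overwrite earlier evidence
    src_hash = sha256_file(source)
    shutil.copyfile(source, copy)
    if sha256_file(copy) != src_hash:         # also trips if the source changed mid-copy
        raise RuntimeError("copy does not match source; re-acquire")
    os.chmod(copy, stat.S_IREAD)              # mark the working copy read-only
    record = {
        "source": os.path.abspath(source),
        "copy": os.path.abspath(copy),
        "size_bytes": os.path.getsize(copy),
        "sha256": src_hash,
        "examiner": examiner,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
    }
    with open(copy + ".custody.json", "w") as f:
        json.dump(record, f, indent=2)
    return record

def verify(record):
    """Re-hash the working copy after an examination session."""
    return sha256_file(record["copy"]) == record["sha256"]

def demo():
    """Constructed stand-in file; shows a clean check and a detected modification."""
    work = tempfile.mkdtemp()
    src = os.path.join(work, "mailbox.pst")
    with open(src, "wb") as f:
        f.write(b"constructed sample bytes" * 200)
    rec = acquire(src, os.path.join(work, "evidence"), "examiner-01")
    clean = verify(rec)
    os.chmod(rec["copy"], stat.S_IREAD | stat.S_IWRITE)
    with open(rec["copy"], "ab") as f:        # simulate a tool that wrote to the file
        f.write(b"\x00")
    return clean, verify(rec)
```

Run `verify` on the stored record at the end of every examination session and log the result alongside the session notes.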
When Emails Are Truly Unrecoverable
Not every deleted email can be recovered. There are specific conditions that make recovery impossible or highly unlikely.
- PST compaction has occurred: When Outlook compacts a PST file (either automatically or when the user selects File > Data File Management > Compact Now), it reclaims space by overwriting orphaned data with active data. Once the space occupied by deleted messages is overwritten, those messages cannot be recovered from the PST file. If you are unsure whether compaction has occurred, check the PST file size. A file that recently decreased in size has likely been compacted.
- ScanPST (Inbox Repair Tool) was run: Microsoft's ScanPST.exe repairs corrupted PST files by rebuilding internal data structures. The repair process prioritizes structural integrity over data preservation. Orphaned nodes containing deleted messages may be discarded during repair. If the user or IT department ran ScanPST on the file before you obtained it, some deleted data may be permanently lost.
- Hard delete with Shift+Delete: When a user presses Shift+Delete, the message bypasses the Deleted Items folder entirely. The node reference is removed from the allocation table immediately. The data remains in the file until compaction, but it is harder to locate because it was never associated with the Deleted Items folder. Recovery is possible but requires tools that can scan raw PST structure rather than just the folder hierarchy.
- PST file was overwritten on disk: If the PST file itself was deleted from the file system and the disk space was subsequently reused, the entire file is compromised. File-level recovery from the disk's unallocated space is a different discipline from PST-internal recovery and requires forensic imaging of the storage device.
Why a Forensic Viewer Beats Outlook for Deleted Email Recovery
The instinct when looking for deleted emails is to open the PST file in Outlook and check the Deleted Items folder. For personal use, that approach may work for soft-deleted messages. For any investigation, litigation or compliance scenario, using Outlook is a critical error.
| Factor | Microsoft Outlook | Sherlock PST Viewer |
|---|---|---|
| File access mode | Read-write. Modifies the file on open. | Read-only. Zero modifications. |
| SHA-256 integrity | Hash changes after opening. | Hash remains identical before and after. |
| Compaction risk | May auto-compact, destroying deleted data. | No compaction. Deleted data preserved. |
| Index rebuilding | Rebuilds indices on open, modifying file structure. | Reads existing structure without modification. |
| Recoverable items visibility | Visible only if connected to Exchange. | Displays all folders present in the PST file. |
| Chain of custody | Broken the moment you open the file. | Maintained with per-message SHA-256 hashing. |
| Court admissibility | Opposing counsel can challenge integrity. | Hash verification proves no modification occurred. |
The fundamental problem with Outlook is that it was designed to be a mail client, not a forensic tool. It assumes read-write access because it needs to update indices, sync with servers and manage storage. Those assumptions directly conflict with forensic requirements. A purpose-built forensic viewer eliminates these conflicts entirely.
Forensic Considerations for Legal Proceedings
If the recovered deleted emails may be used as evidence in litigation or regulatory proceedings, additional precautions apply.
Document every step of the recovery process. Record the source of the PST file, who provided it, when it was received and the SHA-256 hash at receipt. Document the tool used for analysis (Sherlock PST Viewer version number), the date and time of each examination session and every search query executed.
The Forensic Edition automates this documentation through its chain of custody logging feature. Every search, every filter and every export is recorded with timestamps. The final report includes the source file hash, examiner identification and a complete audit trail. This documentation satisfies the requirements of Federal Rules of Evidence Rule 901(b)(9) for authentication of evidence produced by a process or system.
For Canadian proceedings, Sections 31.1 through 31.8 of the Canada Evidence Act govern the admissibility of electronic documents. The integrity requirement is met by demonstrating that the PST file was not modified during examination, which SHA-256 hash verification before and after analysis directly establishes.