When the Exchange Server Was Reset But the Executive OST Survived: A Sherlock Reconciliation Case

A mid-market manufacturing company decommissioned its on-premises Exchange server during a Microsoft 365 migration. The decommission completed before the legacy mailbox archival workflow finished. Six weeks later the company discovered a departed executive had taken IP. The pre-migration mailbox was gone from the server. The OST cache on the executive's laptop became the only remaining copy of the pre-migration mailbox. Sherlock Forensics walks through the reconciliation case, anonymized for confidentiality.

Case shape: Mid-market manufacturer (~120 employees). Microsoft 365 migration ran February to April 2026. Sales executive departed end of March 2026. Decommission of the on-premises Exchange completed early April 2026 with the executive mailbox not yet archived. Mid-May the company suspected the executive had taken customer and pricing data to a competitor. The executive laptop was returned at separation and retained in inventory. The OST cache on the laptop became the sole remaining copy of the pre-migration mailbox.

What the Server Decommission Missed

The migration plan called for full mailbox archival to PST before decommissioning the on-premises Exchange server. The archival workflow ran for most of the mailbox population but stalled on five mailboxes, including the sales executive's. The IT team flagged the stall, scheduled a follow-up archival window, and decommissioned the server on the documented date because the migration timeline was hard-locked against vendor contracts. The follow-up archival window never executed because the IT team treated the decommission as the end of the work item.

This failure pattern is more common than it should be in mid-market environments. The migration project plan optimizes for the timeline. The archival workflow is a long-running batch operation. When the batch operation stalls on a subset of mailboxes, the IT team has limited time before the hard decommission date and often makes the call to decommission on schedule with a follow-up plan that never gets formally scoped. The mailboxes that did not archive become unrecoverable from the server side once the decommission completes.

How the OST Cache Saved the Investigation

The sales executive used Outlook on a corporate laptop with the standard Outlook profile configured against the on-premises Exchange. Outlook maintained an OST cache on the laptop that synchronized with the executive mailbox up until the moment of the migration cutover. The OST contains the synced mailbox state, including all sent items, all received items, the contacts cache, the calendar, and the folder structure.

When the executive separated at the end of March, the laptop was returned per the separation procedure and held in inventory. The OST file on the laptop sat untouched under %LOCALAPPDATA%\Microsoft\Outlook\ when Sherlock Forensics received the device. Two months had elapsed since the executive last used the device. The OST file size was 12 GB and the file timestamp matched the date of the last successful Exchange sync before the migration cutover.

The Reconciliation Workflow

The Sherlock Forensics workflow for this case had four phases. Phase one was acquisition: image the laptop and extract the OST file with hash verification and chain of custody documentation. Phase two was OST recovery, using the Sherlock OST Viewer to open the file and extract messages. Phase three was reconciliation against the partial server backup that the IT team had as a fallback. Phase four was evidence packaging for the civil litigation against the departed executive over IP theft.

Phase one took about three hours. The laptop disk image was 240 GB. The OST extract was straightforward because the laptop was already powered down and the file was not locked. The hash verification produced a SHA-256 record that anchored the chain of custody. Phase two took about six hours. The Sherlock OST Viewer opened the 12 GB OST file in under two minutes and produced the folder tree. The relevant message extraction (filtered by recipient and date range) produced approximately 1500 messages of interest from the 80000 total messages in the archive.

The Reconciliation Step Mattered for Court Admissibility

Phase three was the critical step for court admissibility. The IT team had a partial server backup from approximately two weeks before the decommission date. This backup was incomplete (it was a snapshot of the Exchange database from a routine backup window, not a full mailbox export) but it contained enough data to corroborate the OST contents. The reconciliation step compared message identifiers between the OST and the partial backup and confirmed that the OST contents matched the corresponding backup contents for the overlapping time window.
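The reconciliation step described above, as an added example that is not part of the original case write-up or of Sherlock's tooling: it takes two constructed sets of message records (Message-ID, sent date, body hash), restricts both sets to the time window they share, and reports matched identifiers, content mismatches, and identifiers present in only one source. The sample records and the corp.example identifiers are invented for illustration.

```python
# Constructed example of the reconciliation step: compare an OST extract with a
# partial server backup over the time window both sources cover. Not Sherlock's
# tooling; records hold the RFC 5322 Message-ID, sent date and a body SHA-256.
from dataclasses import dataclass
from datetime import datetime
import hashlib

@dataclass(frozen=True)
class Msg:
    message_id: str
    sent: datetime
    body_sha256: str

def body_hash(body: str) -> str:
    # Hash a whitespace-normalised body so the same message from either source compares equal.
    return hashlib.sha256(" ".join(body.split()).encode("utf-8")).hexdigest()

def reconcile(ost, backup):
    """Return matched ids, content mismatches and one-sided ids within the overlap window."""
    if not ost or not backup:
        raise ValueError("both sources must contain messages")
    # Overlap window: later of the two earliest messages to earlier of the two latest.
    start = max(min(m.sent for m in ost), min(m.sent for m in backup))
    end = min(max(m.sent for m in ost), max(m.sent for m in backup))
    ost_map = {m.message_id: m for m in ost if start <= m.sent <= end}
    bak_map = {m.message_id: m for m in backup if start <= m.sent <= end}
    common = ost_map.keys() & bak_map.keys()
    return {
        "window": (start, end),
        "matched": sorted(i for i in common if ost_map[i].body_sha256 == bak_map[i].body_sha256),
        "content_mismatch": sorted(i for i in common if ost_map[i].body_sha256 != bak_map[i].body_sha256),
        "only_in_ost": sorted(ost_map.keys() - bak_map.keys()),      # backup snapshot missed these
        "only_in_backup": sorted(bak_map.keys() - ost_map.keys()),   # absent from the cache
    }

# Constructed sample: the backup snapshot stops 19 March, the OST synced until the
# 28 March cutover, so only 6..19 March can be reconciled.
OST = [
    Msg("<a1@corp.example>", datetime(2026, 3, 6), body_hash("Q2 pricing sheet attached")),
    Msg("<a2@corp.example>", datetime(2026, 3, 12), body_hash("Customer list follow-up")),
    Msg("<a3@corp.example>", datetime(2026, 3, 18), body_hash("Meeting notes")),
    Msg("<a4@corp.example>", datetime(2026, 3, 27), body_hash("Forwarding to personal account")),
]
BACKUP = [
    Msg("<a0@corp.example>", datetime(2026, 3, 2), body_hash("Earlier thread")),
    Msg("<a1@corp.example>", datetime(2026, 3, 6), body_hash("Q2  pricing sheet attached")),
    Msg("<a2@corp.example>", datetime(2026, 3, 12), body_hash("Customer list follow-up (edited)")),
    Msg("<a5@corp.example>", datetime(2026, 3, 19), body_hash("Not in the cache")),
]
```

Running `reconcile(OST, BACKUP)` on the sample yields one match, one content mismatch, one message the backup snapshot missed, and one message absent from the cache; the messages outside the shared window are ignored rather than reported as discrepancies.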

This reconciliation produced the evidentiary anchor needed to defend the OST as accurate and complete in court. The defence's position was that the OST might be incomplete, tampered with, or fabricated. The reconciliation against the partial backup established that the OST contents were consistent with independently preserved server-side state for the time window where both data sets existed. This is the chain of custody discipline that matters when the OST is the sole remaining copy.

The Evidence Package and the Outcome

Phase four was evidence packaging. The 1500 relevant messages were exported from the Sherlock OST Viewer as a PST for ingest into the legal review platform and as individual MSG files for native review. The browser history forensic record from the laptop (parsed with the Sherlock Browser Viewer) was added to the package to corroborate that the executive had accessed competitor websites and job search platforms in the weeks before separation. The chain of custody document covered the OST, the browser history, the laptop disk image, and the partial server backup, with cross-referenced hash records.

The case settled before trial. The executive accepted the evidence package and signed a non-compete and non-solicitation agreement covering the affected customer accounts for 24 months. The settlement value covered the Sherlock engagement cost, the company's internal investigation cost, and the lost margin on the affected accounts. The settlement's confidentiality agreement prevents naming either party.

The Operational Discipline This Case Suggests

For mid-market organizations the operational discipline this case suggests is straightforward. First, build the OST acquisition step into the separation procedure for every departing employee whose role gives them access to material business data. Second, hold the device in inventory under controlled conditions for at least six months post-separation. Third, document the chain of custody from the moment of device return so that if a future investigation requires the data, the chain of custody is already established. Fourth, plan migration archival workflows with buffer time so that mailbox archival completes before any server decommission, not after.

The OST cache exists on the device whether or not the organization actively planned for it. Building the operational discipline to acquire OST files at separation turns a reactive forensic effort into a routine business process. The Sherlock OST Viewer storefront documents pricing and the engagement workflow for organizations that want to build internal capability.