The .msg format, used by Microsoft Outlook for Windows, is an odd duck. It feels at times almost as if Microsoft is trying to lock users into the Windows ecosystem by ensuring that the files they archive can only be used on the Windows operating system. But the .msg file format seems almost sane, at least when compared to the .olk format as used by Microsoft Outlook for Macintosh – that really is a howling at the moon crazy format. <\/p>\n\n\n\n\n\n\n\n
So\u2026 Let’s examine .olk and see if we can work out what makes it tick.<\/p>\n\n\n\n
OLK (Outlook for Mac Local Cache) is a proprietary binary file format used by Microsoft Outlook for Mac to store email messages, calendar events, contacts, and other mailbox items. Unlike Windows Outlook which uses monolithic PST\/OST files, Outlook for Mac fragments each email into multiple component files stored across a directory structure.<\/p>\n\n\n\n
Characteristics<\/strong><\/p>\n\n\n\n OLK14 (Outlook 2011)<\/strong><\/p>\n\n\n\n OLK15 (Outlook 2016+)<\/strong><\/p>\n\n\n\n Note<\/strong>: OLK15 uses numbered subdirectories (0-255) to distribute files and prevent filesystem performance issues with large mailboxes.<\/p>\n\n\n\n Email Related Files<\/strong><\/p>\n\n\n\n Other Data Types<\/strong><\/p>\n\n\n\n All OLK binary files follow a similar tagged-record pattern. Data is stored in little-endian byte order.<\/p>\n\n\n\n General Binary Layout<\/strong><\/p>\n\n\n\n Record Structure<\/strong><\/p>\n\n\n\n Each record follows a Tag-Length-Value (TLV) pattern:<\/p>\n\n\n\n Tag<\/strong>: Identifies the field (e.g., Subject, From, Date) Type<\/strong>: Indicates the data type of the value Length<\/strong>: Size of the value in bytes (encoding depends on type) Value<\/strong>: The actual data<\/p>\n\n\n\n Property Types<\/strong><\/p>\n\n\n\n String Encoding<\/strong><\/p>\n\n\n\n Strings in OLK15 files are typically: – Stored as UTF-16-LE (Little Endian) – Prefixed with a 4-byte length field (character count, not byte count) – May include null terminator<\/p>\n\n\n\n These tags are based on MAPI property IDs and identify specific fields within records.<\/p>\n\n\n\n Message Header Fields (olk14message \/ olk15Message)<\/strong><\/p>\n\n\n\n Recipient Fields<\/strong><\/p>\n\n\n\n Attachment Fields (olk14msgattach \/ olk15MsgAttach)<\/strong><\/p>\n\n\n\n The MsgSource file contains the actual message body content. It may be structured in several ways:<\/p>\n\n\n\n Format 1: Raw MIME\/RFC822<\/strong><\/p>\n\n\n\n The file may contain a complete RFC822 message with MIME structure:<\/p>\n\n\n\n Format 2: Binary Header + UTF-16 Content<\/strong><\/p>\n\n\n\n To find the HTML content, search for Format 3: Tagged Records + Body<\/strong><\/p>\n\n\n\n Similar to message files, with tagged records followed by body content.<\/p>\n\n\n\n Header Signature<\/strong><\/p>\n\n\n\n Attachment files begin with a 4-byte signature:<\/p>\n\n\n\n Attribute Structure<\/strong><\/p>\n\n\n\n Following the signature, the file contains MIME-like attributes:<\/p>\n\n\n\n Data Section<\/strong><\/p>\n\n\n\n After the header attributes, the raw attachment data follows. If Content-Transfer-Encoding is “base64”, the data is Base64-encoded.<\/p>\n\n\n\n To reconstruct a complete email from OLK files, you must locate and merge associated files.<\/p>\n\n\n\n In OLK14, files for the same message share a common identifier in their filename:<\/p>\n\n\n\n Pattern<\/strong>: OLK15 files use GUIDs as filenames:<\/p>\n\n\n\n Pattern<\/strong>: The most reliable method for OLK15 is to query the To process an entire mailbox:<\/p>\n\n\n\n The Message Table<\/strong><\/p>\n\n\n\n MessageSource Table<\/strong><\/p>\n\n\n\n Attachment Table<\/strong><\/p>\n\n\n\n Folder Table<\/strong><\/p>\n\n\n\n Windows FILETIME<\/strong><\/p>\n\n\n\n Dates are stored as 64-bit Windows FILETIME values: – 100-nanosecond intervals since January 1, 1601 UTC<\/p>\n\n\n\n Opening a Single File<\/strong><\/p>\n\n\n\n When a user attempts to open a single OLK file:<\/p>\n\n\n\n Opening a Folder Structure<\/strong><\/p>\n\n\n\n When opening an entire mailbox:<\/p>\n\n\n\nOutlook.sqlite<\/code>) that serves as an index<\/li>Format Versions<\/h1>\n\n\n\n
Version<\/strong><\/td> Outlook Version<\/strong><\/td> Notes<\/strong><\/td><\/tr> OLK14<\/td> Outlook 2011 for Mac<\/td> Original Mac format<\/td><\/tr> OLK15<\/td> Outlook 2016, 2019, Office 365 for Mac<\/td> Enhanced structure, SQLite integration<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n Directory Structure<\/h1>\n\n\n\n
~\/Documents\/Microsoft User Data\/Office 2011 Identities\/Main Identity\/\n\u251c\u2500\u2500 Data Records\/\n\u2502 \u251c\u2500\u2500 Messages\/\n\u2502 \u2502 \u2514\u2500\u2500 *.olk14message\n\u2502 \u251c\u2500\u2500 Message Sources\/\n\u2502 \u2502 \u2514\u2500\u2500 *.olk14msgsource\n\u2502 \u251c\u2500\u2500 Message Attachments\/\n\u2502 \u2502 \u2514\u2500\u2500 *.olk14msgattach\n\u2502 \u251c\u2500\u2500 Contacts\/\n\u2502 \u2502 \u2514\u2500\u2500 *.olk14contact\n\u2502 \u251c\u2500\u2500 Events\/\n\u2502 \u2502 \u2514\u2500\u2500 *.olk14event\n\u2502 \u251c\u2500\u2500 Tasks\/\n\u2502 \u2502 \u2514\u2500\u2500 *.olk14task\n\u2502 \u251c\u2500\u2500 Notes\/\n\u2502 \u2502 \u2514\u2500\u2500 *.olk14note\n\u2502 \u2514\u2500\u2500 Categories\/\n\u2502 \u2514\u2500\u2500 *.olk14category\n\u251c\u2500\u2500 Folders\/\n\u2502 \u2514\u2500\u2500 *.olk14folder\n\u251c\u2500\u2500 Signatures\/\n\u2502 \u2514\u2500\u2500 *.olk14signature\n\u251c\u2500\u2500 Mail Accounts\/\n\u2502 \u2514\u2500\u2500 *.olk14mailaccount\n\u251c\u2500\u2500 Searches\/\n\u2502 \u2514\u2500\u2500 *.olk14search\n\u2514\u2500\u2500 Preferences\/\n \u2514\u2500\u2500 *.olk14pref<\/code><\/pre>\n\n\n\n~\/Library\/Group Containers\/UBF8T346G9.Office\/Outlook\/Outlook 15 Profiles\/Main Profile\/\n\u251c\u2500\u2500 Data\/\n\u2502 \u251c\u2500\u2500 Messages\/\n\u2502 \u2502 \u2514\u2500\u2500 [0-255]\/\n\u2502 \u2502 \u2514\u2500\u2500 *.olk15Message\n\u2502 \u251c\u2500\u2500 Message Sources\/\n\u2502 \u2502 \u2514\u2500\u2500 [0-255]\/\n\u2502 \u2502 \u2514\u2500\u2500 *.olk15MsgSource\n\u2502 \u251c\u2500\u2500 Message Attachments\/\n\u2502 \u2502 \u2514\u2500\u2500 [0-255]\/\n\u2502 \u2502 \u2514\u2500\u2500 *.olk15MsgAttach\n\u2502 \u251c\u2500\u2500 Contacts\/\n\u2502 \u2502 \u2514\u2500\u2500 *.olk15Contact\n\u2502 \u251c\u2500\u2500 Events\/\n\u2502 \u2502 \u2514\u2500\u2500 *.olk15Event\n\u2502 \u251c\u2500\u2500 Tasks\/\n\u2502 \u2502 \u2514\u2500\u2500 *.olk15Task\n\u2502 \u251c\u2500\u2500 Notes\/\n\u2502 \u2502 \u2514\u2500\u2500 *.olk15Note\n\u2502 \u2514\u2500\u2500 Categories\/\n\u2502 \u2514\u2500\u2500 *.olk15Category\n\u251c\u2500\u2500 Outlook.sqlite (Primary database\/index)\n\u2514\u2500\u2500 Outlook.sqlite-wal (Write-ahead log)<\/code><\/pre>\n\n\n\nFile Types Summary<\/h1>\n\n\n\n
Extension<\/th> Content<\/th> Description<\/th><\/tr><\/thead> .olk14message<\/code>.olk15Message<\/code><\/td>Header Metadata<\/td> To, From, Subject, Date, Message-ID, recipients. Does NOT contain body text.<\/td><\/tr> .olk14msgsource<\/code>\u00a0.olk15MsgSource<\/code><\/td>Body Content<\/td> Plain text, HTML, and\/or RTF body content. May contain embedded MIME data.<\/td><\/tr> .olk14msgattach<\/code>.olk15MsgAttach<\/code><\/td>Attachment Data<\/td> Individual attachment files with metadata (filename, content-type, encoding).<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n Extension<\/th> Content<\/th><\/tr><\/thead> .olk14contact<\/code>\u00a0.olk15Contact<\/code><\/td>Contact records (name, email, phone, address, organization)<\/td><\/tr> .olk14event<\/code>\u00a0.olk15Event<\/code><\/td>Calendar events (time, date, invitees, location, recurrence)<\/td><\/tr> .olk14task<\/code>\u00a0.olk15Task<\/code><\/td>Task\/to-do items<\/td><\/tr> .olk14note<\/code>\u00a0.olk15Note<\/code><\/td>Sticky notes<\/td><\/tr> .olk14folder<\/code>\u00a0.olk15Folder<\/code><\/td>Folder structure definitions<\/td><\/tr> .olk14category<\/code>\u00a0.olk15Category<\/code><\/td>Category\/label definitions<\/td><\/tr> .olk14signature<\/code>\u00a0.olk15Signature<\/code><\/td>Email signatures (HTML format)<\/td><\/tr> .olk14mailaccount<\/code>\u00a0.olk15MailAccount<\/code><\/td>Account configuration and credentials<\/td><\/tr> .olk14search<\/code>\u00a0.olk15Search<\/code><\/td>Saved search queries<\/td><\/tr> .olk14pref<\/code>\u00a0.olk15Pref<\/code><\/td>Application preferences<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n Binary File Structure<\/h1>\n\n\n\n
+------------------+\n| File Header | (Variable size, version-dependent)\n+------------------+\n| Record 1 |\n+------------------+\n| Record 2 |\n+------------------+\n| ... |\n+------------------+\n| Record N |\n+------------------+\n| (Optional) Body | (For MsgSource files: raw HTML\/text content)\n+------------------+<\/code><\/pre>\n\n\n\n+----------------+----------------+----------------+----------------+\n| Tag (4 bytes) | Type (2 bytes) | Length (var) | Value (var) |\n+----------------+----------------+----------------+----------------+<\/code><\/pre>\n\n\n\nType ID<\/th> Name<\/th> Description<\/th> Value Format<\/th><\/tr><\/thead> 0x0001<\/td> Null<\/td> No value<\/td> (none)<\/td><\/tr> 0x0002<\/td> Int16<\/td> 16-bit signed integer<\/td> 2 bytes<\/td><\/tr> 0x0003<\/td> Int32<\/td> 32-bit signed integer<\/td> 4 bytes<\/td><\/tr> 0x0004<\/td> Float<\/td> 32-bit float<\/td> 4 bytes<\/td><\/tr> 0x0005<\/td> Double<\/td> 64-bit double<\/td> 8 bytes<\/td><\/tr> 0x0006<\/td> Currency<\/td> Currency value<\/td> 8 bytes<\/td><\/tr> 0x0007<\/td> AppTime<\/td> Application time<\/td> 8 bytes<\/td><\/tr> 0x000A<\/td> Error<\/td> Error code<\/td> 4 bytes<\/td><\/tr> 0x000B<\/td> Boolean<\/td> Boolean value<\/td> 2 bytes (0=false, 1=true)<\/td><\/tr> 0x0014<\/td> Int64<\/td> 64-bit signed integer<\/td> 8 bytes<\/td><\/tr> 0x001E<\/td> String8<\/td> ASCII string<\/td> Length-prefixed bytes<\/td><\/tr> 0x001F<\/td> Unicode<\/td> UTF-16-LE string<\/td> Length-prefixed bytes<\/td><\/tr> 0x0040<\/td> SysTime<\/td> Windows FILETIME<\/td> 8 bytes<\/td><\/tr> 0x0048<\/td> GUID<\/td> 128-bit GUID<\/td> 16 bytes<\/td><\/tr> 0x0102<\/td> Binary<\/td> Binary blob<\/td> Length-prefixed bytes<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n +----------------+--------------------------------+\n| Length (4 B) | UTF-16-LE String Data |\n+----------------+--------------------------------+<\/code><\/pre>\n\n\n\nField Tags (Property IDs)<\/h1>\n\n\n\n
Tag (Hex)<\/th> Field Name<\/th> Data Type<\/th> Description<\/th><\/tr><\/thead> 0x0017<\/td> Importance<\/td> Int32<\/td> 0=Low, 1=Normal, 2=High<\/td><\/tr> 0x001A<\/td> MessageClass<\/td> Unicode<\/td> Message type (e.g., “IPM.Note”)<\/td><\/tr> 0x0026<\/td> Priority<\/td> Int32<\/td> X-Priority value<\/td><\/tr> 0x0036<\/td> Sensitivity<\/td> Int32<\/td> 0=Normal, 1=Personal, 2=Private, 3=Confidential<\/td><\/tr> 0x0037<\/td> Subject<\/td> Unicode<\/td> Email subject line<\/td><\/tr> 0x0039<\/td> SentTime<\/td> SysTime<\/td> When message was sent<\/td><\/tr> 0x0042<\/td> SentRepresentingName<\/td> Unicode<\/td> Display name of sender delegate<\/td><\/tr> 0x0065<\/td> SentRepresentingEmail<\/td> Unicode<\/td> Email of sender delegate<\/td><\/tr> 0x0070<\/td> ConversationTopic<\/td> Unicode<\/td> Conversation\/thread topic<\/td><\/tr> 0x0071<\/td> ConversationIndex<\/td> Binary<\/td> Thread tracking blob<\/td><\/tr> 0x0C1A<\/td> SenderName<\/td> Unicode<\/td> Display name of sender<\/td><\/tr> 0x0C1F<\/td> SenderEmailAddress<\/td> Unicode<\/td> Email address of sender<\/td><\/tr> 0x0E02<\/td> DisplayBcc<\/td> Unicode<\/td> BCC recipients (display string)<\/td><\/tr> 0x0E03<\/td> DisplayCc<\/td> Unicode<\/td> CC recipients (display string)<\/td><\/tr> 0x0E04<\/td> DisplayTo<\/td> Unicode<\/td> To recipients (display string)<\/td><\/tr> 0x0E06<\/td> DeliveryTime<\/td> SysTime<\/td> When message was delivered<\/td><\/tr> 0x0E07<\/td> MessageFlags<\/td> Int32<\/td> Bitfield of message status flags<\/td><\/tr> 0x0E08<\/td> MessageSize<\/td> Int32<\/td> Total message size in bytes<\/td><\/tr> 0x0E17<\/td> MessageStatus<\/td> Int32<\/td> Status flags<\/td><\/tr> 0x0E1D<\/td> NormalizedSubject<\/td> Unicode<\/td> Subject without RE:\/FW: prefixes<\/td><\/tr> 0x1000<\/td> Body<\/td> Unicode<\/td> Plain text body (may be in MsgSource)<\/td><\/tr> 0x1009<\/td> RtfCompressed<\/td> Binary<\/td> Compressed RTF body<\/td><\/tr> 0x1013<\/td> BodyHtml<\/td> Unicode<\/td> HTML body content<\/td><\/tr> 0x1035<\/td> InternetMessageId<\/td> String8<\/td> RFC Message-ID header<\/td><\/tr> 0x1042<\/td> InReplyTo<\/td> String8<\/td> In-Reply-To header value<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n Tag (Hex)<\/th> Field Name<\/th> Data Type<\/th> Description<\/th><\/tr><\/thead> 0x0C15<\/td> RecipientType<\/td> Int32<\/td> 1=To, 2=CC, 3=BCC<\/td><\/tr> 0x3001<\/td> DisplayName<\/td> Unicode<\/td> Recipient display name<\/td><\/tr> 0x3003<\/td> EmailAddress<\/td> Unicode<\/td> Recipient email address<\/td><\/tr> 0x39FE<\/td> SmtpAddress<\/td> Unicode<\/td> SMTP email address<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n Tag (Hex)<\/th> Field Name<\/th> Data Type<\/th> Description<\/th><\/tr><\/thead> 0x0E20<\/td> AttachSize<\/td> Int32<\/td> Size of attachment in bytes<\/td><\/tr> 0x3701<\/td> AttachDataBinary<\/td> Binary<\/td> Raw attachment data<\/td><\/tr> 0x3703<\/td> AttachExtension<\/td> Unicode<\/td> File extension<\/td><\/tr> 0x3704<\/td> AttachFilename<\/td> Unicode<\/td> Short filename<\/td><\/tr> 0x3705<\/td> AttachMethod<\/td> Int32<\/td> How attachment is stored<\/td><\/tr> 0x3707<\/td> AttachLongFilename<\/td> Unicode<\/td> Full filename<\/td><\/tr> 0x370E<\/td> AttachMimeTag<\/td> Unicode<\/td> MIME content-type<\/td><\/tr> 0x3712<\/td> AttachContentId<\/td> Unicode<\/td> Content-ID for inline attachments<\/td><\/tr> 0x3716<\/td> AttachContentDisposition<\/td> Unicode<\/td> “inline” or “attachment”<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n Message Source File Structure (olk14msgsource \/ olk15MsgSource)<\/h1>\n\n\n\n
From: sender@example.com\nTo: recipient@example.com\nSubject: Test\nContent-Type: multipart\/alternative; boundary=\"----=_Part_123\"\n\n------=_Part_123\nContent-Type: text\/plain; charset=\"UTF-8\"\n\nPlain text body here.\n\n------=_Part_123\nContent-Type: text\/html; charset=\"UTF-8\"\n\n<html><body>HTML body here.<\/body><\/html>\n\n------=_Part_123--<\/code><\/pre>\n\n\n\n+------------------+\n| Binary Header | (40+ bytes of metadata)\n+------------------+\n| UTF-16-LE HTML | (Starting with \"<html\" encoded as UTF-16-LE)\n+------------------+<\/code><\/pre>\n\n\n\n<html<\/code> encoded as UTF-16-LE: – Byte sequence: 3C 00 68 00 74 00 6D 00 6C 00<\/code> = “<html”<\/p>\n\n\n\nAttachment File Structure (olk14msgattach \/ olk15MsgAttach)<\/h1>\n\n\n\n
Signature: \"Attc\" (0x41 0x74 0x74 0x63)<\/code><\/pre>\n\n\n\nAttribute<\/th> Description<\/th><\/tr><\/thead> Content-Type<\/td> MIME type of the attachment<\/td><\/tr> Name<\/td> Original filename<\/td><\/tr> Content-Disposition<\/td> “inline” or “attachment”<\/td><\/tr> Filename<\/td> Same as Name<\/td><\/tr> Content-Transfer-Encoding<\/td> Usually “base64”<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n File Association Rules<\/h1>\n\n\n\n
Association Methods<\/h2>\n\n\n\n
Method 1: Filename-Based (OLK14)<\/h4>\n\n\n\n
Messages\/x00_270429.olk14Message\nMessage Sources\/x00_270429.olk14MsgSource\nMessage Attachments\/x00_270429_1.olk14MsgAttach\nMessage Attachments\/x00_270429_2.olk14MsgAttach<\/code><\/pre>\n\n\n\n{prefix}_{messageId}.{extension}<\/code> Attachment Pattern<\/strong>: {prefix}_{messageId}_{attachmentIndex}.{extension}<\/code><\/p>\n\n\n\nMethod 2: Record ID \/ GUID (OLK15)<\/h4>\n\n\n\n
Messages\/11\/0B2132B7-999F-4114-AC6C-E93DE72CEF9A.olk15Message\nMessage Sources\/11\/0B2132B7-999F-4114-AC6C-E93DE72CEF9A.olk15MsgSource\nMessage Attachments\/11\/0B2132B7-999F-4114-AC6C-E93DE72CEF9A_1.olk15MsgAttach<\/code><\/pre>\n\n\n\n{GUID}.{extension}<\/code> Attachment Pattern<\/strong>: {GUID}_{attachmentIndex}.{extension}<\/code><\/p>\n\n\n\nMethod 3: SQLite Database Lookup (OLK15 Preferred)<\/h4>\n\n\n\n
Outlook.sqlite<\/code> database:<\/p>\n\n\n\n-- Find message source for a message\nSELECT MessageSource.PathComponent \nFROM Message\nJOIN MessageSource ON Message.pk = MessageSource.Message\nWHERE Message.PathComponent = 'GUID.olk15Message';\n\n-- Find attachments for a message\nSELECT Attachment.PathComponent\nFROM Message\nJOIN Attachment ON Message.pk = Attachment.Message\nWHERE Message.PathComponent = 'GUID.olk15Message';<\/code><\/pre>\n\n\n\nAssociation Pseudocode<\/h2>\n\n\n\n
FUNCTION findAssociatedFiles(filePath):\n baseName = getBaseName(filePath) \/\/ Remove extension\n extension = getExtension(filePath)\n directory = getParentDirectory(filePath)\n rootDirectory = getDataRootDirectory(directory)\n \n \/\/ Determine version from extension\n IF extension CONTAINS \"olk14\":\n version = \"OLK14\"\n ELSE IF extension CONTAINS \"olk15\":\n version = \"OLK15\"\n ELSE:\n RETURN error(\"Unknown OLK version\")\n \n \/\/ Extract message identifier\n IF version == \"OLK14\":\n \/\/ Pattern: prefix_messageId or prefix_messageId_attachIndex\n parts = split(baseName, \"_\")\n messageId = parts[0] + \"_\" + parts[1]\n ELSE:\n \/\/ Pattern: GUID or GUID_attachIndex\n IF baseName CONTAINS \"_\" AND isNumber(lastPart(baseName)):\n messageId = baseName UP TO last \"_\"\n ELSE:\n messageId = baseName\n \n result = {\n messageFile: NULL,\n sourceFile: NULL,\n attachments: []\n }\n \n \/\/ Locate message file\n messageDir = rootDirectory + \"\/Messages\"\n IF version == \"OLK15\":\n \/\/ Check subdirectories\n FOR subdir IN range(0, 255):\n candidate = messageDir + \"\/\" + subdir + \"\/\" + messageId + \".olk15Message\"\n IF fileExists(candidate):\n result.messageFile = candidate\n BREAK\n ELSE:\n candidate = messageDir + \"\/\" + messageId + \".olk14message\"\n IF fileExists(candidate):\n result.messageFile = candidate\n \n \/\/ Locate message source file\n sourceDir = rootDirectory + \"\/Message Sources\"\n IF version == \"OLK15\":\n FOR subdir IN range(0, 255):\n candidate = sourceDir + \"\/\" + subdir + \"\/\" + messageId + \".olk15MsgSource\"\n IF fileExists(candidate):\n result.sourceFile = candidate\n BREAK\n ELSE:\n candidate = sourceDir + \"\/\" + messageId + \".olk14msgsource\"\n IF fileExists(candidate):\n result.sourceFile = candidate\n \n \/\/ Locate attachment files\n attachDir = rootDirectory + \"\/Message Attachments\"\n attachIndex = 1\n WHILE TRUE:\n IF version == \"OLK15\":\n found = FALSE\n FOR subdir IN range(0, 255):\n candidate = attachDir + \"\/\" + subdir + \"\/\" + \n messageId + \"_\" + attachIndex + \".olk15MsgAttach\"\n IF fileExists(candidate):\n result.attachments.APPEND(candidate)\n found = TRUE\n BREAK\n IF NOT found:\n BREAK\n ELSE:\n candidate = attachDir + \"\/\" + messageId + \"_\" + attachIndex + \".olk14msgattach\"\n IF fileExists(candidate):\n result.attachments.APPEND(candidate)\n ELSE:\n BREAK\n attachIndex = attachIndex + 1\n \n RETURN result<\/code><\/pre>\n\n\n\nParsing Pseudocode<\/h1>\n\n\n\n
Reading a Message File<\/h2>\n\n\n\n
FUNCTION parseMessageFile(filePath):\n data = readBinaryFile(filePath)\n result = {}\n offset = 0\n \n \/\/ Skip file header (size varies by version)\n version = detectVersion(data)\n IF version == \"OLK15\":\n offset = 128 \/\/ Larger header\n ELSE:\n offset = 64 \/\/ Standard header\n \n \/\/ Parse tagged records\n WHILE offset < length(data) - 8:\n tag = readUInt32LE(data, offset)\n offset = offset + 4\n \n type = readUInt16LE(data, offset)\n offset = offset + 2\n \n \/\/ Read value based on type\n value, bytesRead = readPropertyValue(data, offset, type)\n offset = offset + bytesRead\n \n \/\/ Map tag to field name\n fieldName = tagToFieldName(tag)\n IF fieldName != NULL:\n result[fieldName] = value\n \n RETURN result\n\nFUNCTION readPropertyValue(data, offset, type):\n SWITCH type:\n CASE 0x0002: \/\/ Int16\n RETURN readInt16LE(data, offset), 2\n \n CASE 0x0003: \/\/ Int32\n RETURN readInt32LE(data, offset), 4\n \n CASE 0x000B: \/\/ Boolean\n RETURN readUInt16LE(data, offset) != 0, 2\n \n CASE 0x0014: \/\/ Int64\n RETURN readInt64LE(data, offset), 8\n \n CASE 0x001E: \/\/ ASCII String\n length = readUInt32LE(data, offset)\n stringData = readBytes(data, offset + 4, length)\n RETURN decodeASCII(stringData), 4 + length\n \n CASE 0x001F: \/\/ Unicode String\n charCount = readUInt32LE(data, offset)\n byteCount = charCount * 2\n stringData = readBytes(data, offset + 4, byteCount)\n RETURN decodeUTF16LE(stringData), 4 + byteCount\n \n CASE 0x0040: \/\/ SysTime (FILETIME)\n filetime = readUInt64LE(data, offset)\n RETURN filetimeToDate(filetime), 8\n \n CASE 0x0102: \/\/ Binary\n length = readUInt32LE(data, offset)\n RETURN readBytes(data, offset + 4, length), 4 + length\n \n DEFAULT:\n RETURN NULL, 0<\/code><\/pre>\n\n\n\nReading a Message Source File<\/h2>\n\n\n\n
FUNCTION parseMessageSource(filePath):\n data = readBinaryFile(filePath)\n result = {\n plainText: NULL,\n html: NULL,\n rtf: NULL\n }\n \n \/\/ Try to find HTML content (UTF-16-LE encoded)\n htmlMarker = encodeUTF16LE(\"<html\")\n htmlStart = findBytes(data, htmlMarker)\n \n IF htmlStart != -1:\n \/\/ Find end of HTML\n htmlEndMarker = encodeUTF16LE(\"<\/html>\")\n htmlEnd = findBytes(data, htmlEndMarker, htmlStart)\n \n IF htmlEnd != -1:\n htmlEnd = htmlEnd + length(htmlEndMarker)\n htmlData = data[htmlStart : htmlEnd]\n result.html = decodeUTF16LE(htmlData)\n ELSE:\n \/\/ Read to end of file\n htmlData = data[htmlStart :]\n result.html = decodeUTF16LE(htmlData)\n ELSE:\n \/\/ Try plain text extraction\n \/\/ May be RFC822 format or plain UTF-8\/ASCII\n textContent = tryDecodeAsText(data)\n IF textContent != NULL:\n IF looksLikeRFC822(textContent):\n result = parseMIMEMessage(textContent)\n ELSE:\n result.plainText = textContent\n \n RETURN result<\/code><\/pre>\n\n\n\nReading an Attachment File<\/h2>\n\n\n\n
FUNCTION parseAttachment(filePath):\n data = readBinaryFile(filePath)\n result = {\n filename: NULL,\n contentType: NULL,\n disposition: NULL,\n data: NULL\n }\n \n \/\/ Check for \"Attc\" signature\n signature = readBytes(data, 0, 4)\n IF signature != \"Attc\":\n RETURN error(\"Invalid attachment file\")\n \n offset = 4\n \n \/\/ Parse header attributes\n WHILE offset < length(data):\n line = readLine(data, offset)\n IF line == \"\" OR line == NULL:\n \/\/ End of headers\n offset = offset + 2 \/\/ Skip blank line\n BREAK\n \n IF line CONTAINS \":\":\n key, value = splitOnFirst(line, \":\")\n key = trim(key)\n value = trim(value)\n \n SWITCH lowercase(key):\n CASE \"content-type\":\n result.contentType = value\n CASE \"name\":\n result.filename = value\n CASE \"filename\":\n result.filename = value\n CASE \"content-disposition\":\n result.disposition = value\n CASE \"content-transfer-encoding\":\n result.encoding = value\n \n offset = offset + length(line) + 2 \/\/ +2 for CRLF\n \n \/\/ Read attachment data\n attachmentData = data[offset :]\n \n IF result.encoding == \"base64\":\n result.data = base64Decode(attachmentData)\n ELSE:\n result.data = attachmentData\n \n RETURN result<\/code><\/pre>\n\n\n\nMerging Associated Files<\/h1>\n\n\n\n
FUNCTION reconstructEmail(messageFilePath):\n \/\/ Find all associated files\n associated = findAssociatedFiles(messageFilePath)\n \n email = {\n headers: {},\n body: {\n plain: NULL,\n html: NULL,\n rtf: NULL\n },\n attachments: []\n }\n \n \/\/ Parse message header file\n IF associated.messageFile != NULL:\n headerData = parseMessageFile(associated.messageFile)\n email.headers = headerData\n \n \/\/ Parse message source (body content)\n IF associated.sourceFile != NULL:\n bodyData = parseMessageSource(associated.sourceFile)\n email.body.plain = bodyData.plainText\n email.body.html = bodyData.html\n email.body.rtf = bodyData.rtf\n \n \/\/ Parse attachments\n FOR attachPath IN associated.attachments:\n attachData = parseAttachment(attachPath)\n email.attachments.APPEND(attachData)\n \n RETURN email<\/code><\/pre>\n\n\n\nFolder\/Mailbox Enumeration<\/h1>\n\n\n\n
FUNCTION enumerateMailbox(profilePath, version):\n messages = []\n \n IF version == \"OLK15\":\n messagesDir = profilePath + \"\/Data\/Messages\"\n \n \/\/ Iterate through numbered subdirectories\n FOR subdir IN range(0, 255):\n subdirPath = messagesDir + \"\/\" + subdir\n IF directoryExists(subdirPath):\n FOR file IN listFiles(subdirPath):\n IF file ENDS WITH \".olk15Message\":\n messageInfo = {\n path: subdirPath + \"\/\" + file,\n id: removeExtension(file)\n }\n messages.APPEND(messageInfo)\n ELSE:\n messagesDir = profilePath + \"\/Data Records\/Messages\"\n FOR file IN listFiles(messagesDir):\n IF file ENDS WITH \".olk14message\":\n messageInfo = {\n path: messagesDir + \"\/\" + file,\n id: removeExtension(file)\n }\n messages.APPEND(messageInfo)\n \n RETURN messages<\/code><\/pre>\n\n\n\nSQLite Database Schema (OLK15)<\/h1>\n\n\n\n
Outlook.sqlite<\/code> database provides an index of all cached items. Key tables include:<\/p>\n\n\n\nCREATE TABLE Message (\n pk INTEGER PRIMARY KEY,\n PathComponent TEXT, -- Filename (GUID.olk15Message)\n RecordIdentifier TEXT, -- Internal record ID\n FolderPath TEXT, -- Parent folder path\n MessageClass TEXT, -- \"IPM.Note\", etc.\n Subject TEXT,\n SenderName TEXT,\n SenderEmailAddress TEXT,\n DateReceived REAL, -- Unix timestamp\n DateSent REAL,\n HasAttachments INTEGER,\n IsRead INTEGER,\n IsFlagged INTEGER,\n Importance INTEGER,\n ...\n);<\/code><\/pre>\n\n\n\nCREATE TABLE MessageSource (\n pk INTEGER PRIMARY KEY,\n Message INTEGER, -- Foreign key to Message.pk\n PathComponent TEXT, -- Filename (GUID.olk15MsgSource)\n ...\n);<\/code><\/pre>\n\n\n\nCREATE TABLE Attachment (\n pk INTEGER PRIMARY KEY,\n Message INTEGER, -- Foreign key to Message.pk\n PathComponent TEXT, -- Filename (GUID_N.olk15MsgAttach)\n Filename TEXT,\n ContentType TEXT,\n FileSize INTEGER,\n ...\n);<\/code><\/pre>\n\n\n\nCREATE TABLE Folder (\n pk INTEGER PRIMARY KEY,\n PathComponent TEXT,\n DisplayName TEXT,\n ParentFolder INTEGER,\n FolderType INTEGER,\n ...\n);<\/code><\/pre>\n\n\n\nDate\/Time Handling<\/h1>\n\n\n\n
FUNCTION filetimeToUnixTimestamp(filetime):\n \/\/ FILETIME epoch: 1601-01-01\n \/\/ Unix epoch: 1970-01-01\n \/\/ Difference: 11644473600 seconds\n \n seconds = filetime \/ 10000000\n unixTimestamp = seconds - 11644473600\n RETURN unixTimestamp\n\nFUNCTION unixTimestampToFiletime(unixTimestamp):\n seconds = unixTimestamp + 11644473600\n filetime = seconds * 10000000\n RETURN filetime<\/code><\/pre>\n\n\n\nImplementation Recommendations<\/h1>\n\n\n\n