Tuesday, June 19, 2018

Daily Blog #398: Exploring Extended MAPI part 9

Hello Reader,
           As I write this I'm flying over Canada and on my way to Sydney via Dubai. Satellite inflight internet really is an amazing thing!

In this post I was going to talk about what was set on the message I forwarded and received yesterday but as I was looking at the extended MAPI fields in OutlookSpy I noticed that several had no description next to them but had dates:

This was interesting to say the least which sent me on some extensive Googling where I ran across yet another interesting piece of data. There is a MAPI property only set on sent messages that records the type of Client connection that existed when the message was sent.

This was the Client connection type for the message I forwarded to myself sitting in my sent box:

I found an exchange blog from 2016 about this field: https://gsexdev.blogspot.com/2016/02/mining-clientinfo-property-in-messages.html?view=classic

Now what is interesting to me is three fold:
1. The property tag has changed since 2016 from 0x866F to 0x84A6, which means some reading up on MSDN is order to figure out if there was a reason why
2. My ClientInfo property is showing I sent this using the ExchangeRPC connection from Outlook.
3. The blog post I referenced above showed not just Exchange or OWA but also useragent data from web browsers!

I think this is something we could profile sent messages in a mailbox from. Not only to see messages sent via mobile versus desktop, but also to profile and find all the messages an attacker forwarded or replied to when they were accessing someones mailbox.

I plan to do some testing on this property this week, but I'll need a bit more bandwidth than what this satellite wifi connection can do to do so. So until tomorrow, thanks for reading!

Daily Blog #397: Exploring Extended MAPI part 8

Hello Reader,
                   In this post I wanted to look at more actions and their effect on Extended MAPI. Today I'm looking at what a forward does to a message.

After forwarding the message you can see that within Outlook it is notifying me that the message was forwarded and when.

This data we know is stored in the PR_LAST_VERB_EXECUTED extended mapi flag and inspecting those values does confirm this

Notice that this time is being stored UTC within the extended mapi property but displayed to the user in local time.

The same is true for the other timestamp that has been updated which is PR_LAST_MODIFICATION_TIME

PR_LAST_MODIFICATION_TIME is also reflecting that it is stored in UTC and is being updated because the LAST_VERB_EXECUTED values have been set.

In my review of the message I forwarded those were the only two timestamps that were altered. Tomorrow let's look at the received message to see if anything was retained.

Sunday, June 17, 2018

Daily Blog #396: Sunday Funday 6/17/18

Hello Reader,
             We had a large number of great submissions last week and I hope we continue that trend this week! You will have a five days to try to complete this challenge now that answers are not due till Friday. Send in your answer as you have it and you are allowed to update your submission if you find new information.

Zone.Identifiers have come up on conversations recently both in my time teaching SANS FOR500 and in Phil Moore's recent tweets. Let's see what you know about them.

The Prize:
$100 Amazon Giftcard

The Rules:

  1. You must post your answer before Friday 6/22/18 7PM CST (GMT -5)
  2. The most complete answer wins
  3. You are allowed to edit your answer after posting
  4. If two answers are too similar for one to win, the one with the earlier posting time wins
  5. Be specific and be thoughtful 
  6. Anonymous entries are allowed, please email them to dcowen@g-cpartners.com. Please state in your email if you would like to be anonymous or not if you win.
  7. In order for an anonymous winner to receive a prize they must give their name to me, but i will not release it in a blog post

The Challenge:
Zone.Identifier alternate data streams have been around for awhile please answer the following questions.
1. What version of Windows introduced zone.identifier
2. What data is contained with in a zone.identifier
3. What sets the zone.identifier
4. what conditions causes them to be created
5. What are the limitations of zone.identifier

Saturday, June 16, 2018

Daily Blog #395: Solution Saturday 6/16/18

Hello Reader,
         Well this weeks challenge had a lot of submissions! It was very tough picking a winner but as the rules state the most complete answer wins. When it comes to complete answers this week Kevin Pagano did the most testing of extended mapi attributes in his testing with screenshots and a follow up email to fill in even more.

What I liked about Kevin's answer that put him over the top is that he not only submitted PR_CLIENT_SUBMIT_TIME as most people did. He also went in and found other Extended MAPI entries that could be related even testing a deferred delivery mechanism I haven't even thought to test yet!

So well done Kevin Pagano you are this weeks winner.

Here was this weeks challenge:

The Challenge:
 Extended MAPI records metadata around what actions occur against an email message inside of Exchange and Outlook. What within an email message sent from Outlook and connected to an Exchange server would allow an examiner to determine when an email was sent from the system they are examining presuming they found the message in the sent folder within the mailbox. 

Here is Kevin Pagano's winning submission. 

In a test by sending an email to myself, the PR_LAST_MODIFICATION_TIME matched that of the PR_CREATION_TIME field. Since sending an email creates a brand new email entry in your mailbox, thus syncing the creation time of the email with when it was last modified before it being sent out. All of these times are in UTC.

In another test marking a Sent email to unread this did update the PR_LAST_MODIFICATION_TIME field to reflect when it was set to unread.

A third test for curiosity sake was done. While selecting to do a delay delivery of an email, we see that the PR_MESSAGE_DELIVERY_TIME is set to when the user hit send on the email, while the PR_CREATION_TIME is set to when the email was created in the Sent Folder (2 minutes later). You can also see the PR_DEFERRED_DELIVERY_TIME as well when the user set it to be sent.

This would seem to indicate that the PR_MESSAGE_DELIVER_TIME is when the user hit send in Outlook while the PR_CREATION_TIME would be your closest match to when the email was officially sent through Exchange creating the Sent email in the Inbox.

In doing more research, the PR_CLIENT_SUBMIT_TIME field seems to be a better indicator when the user submits an email to be sent. While the PR_MESSAGE_DELIVERY_TIME matched times when the emails were sent this could be different in other instances where the network connection is slower and has more hops to jump between Exchange servers.

Friday, June 15, 2018

Daily Blog #394: Forensic Lunch 6/15/18

Hello Reader,
            Today we had another episode of the Forensic Lunch! This week Matthew and I talked to Jaco_ZA about the Magnet User Summit CTF he won and we created. Watch below to see how Jaco approached the problems and ultimately clutched victory with seconds left!

If you are interested in playing our next CTF make sure to come to Defcon where we will be running another Unofficial DFIR CTF!

Thursday, June 14, 2018

Daily Blog #393: Exploring Extended MAPI part 7

Hello Reader,
          I've been wondering in the last several posts about what happens to exported messages when different users edit the message. I finally got a chance to test this today and document my results here. To do this I exported a message from my SANS FOR500 instructor laptop on to a USB external storage device.

Once I exported the message I loaded up the message on my SANS instructor laptop and with Outlook spy inspected the last modification time and name.

Next I took that external storage device and I plugged it into my surface book where I usually write these blog posts and opened up the message from the external storage drive to see if just opening it as another user would change this data.

As you can see nothing changed which is what I was hoping would be true.

However what happened next surprised me. In order to try to modify the message and get the Extended MAPI fields to update with my work email address of dcowen@g-cpartners.com I did the following:

1. I set a follow up flag as completed
2. I replied to the message
3. I removed a file attachment from the message

After I did each step I checked the Extended MAPI and found that the values didn't change! This is what the Extended MAPI fields looked like after I did all three things.

Notice that PR_LAST_MODIFIER_NAME_W and PR_LAST_MODIFICATION_TIME have not changed from the prior screenshot. However notice that PR_LAST_VERB_EXECUTED was set to a reply value (102) and that the PR_LAST_VERB_EXECUTION_TIME had been updated to reflect when i replied to the message on my surface book.

Now I was doing these against the exported message directly without bringing it back into Outlook. Next week I will attempt to import a message into Outlook from an exported message from another mailbox and see if this behavior changes.

Daily Blog #392: Exploring Extended MAPI part 6

Hello Reader,
        I will continue my testing next week with multiple user accounts modifying a message but one thing has caught my attention. I have noticed that for Office 365 atleast the X-Originating IP header has returned and id also present in the Extended MAPI data.

As seen below the test message I have been working with and replying to has an X-Originating IP header set.

This is interesting to me as for some time most services have been dropping this header or placing the IP address of the mail server in its place. In this case its showing the IP address of the Tmobile NAT gateway since I was connected to my phone's hotspot when I sent this message.

I need to test this again using the web interface but I'm always happy when old useful headers come back to life.