Daily Blog #384: Exploring Extended MAPI Part 1

Exploring Extended MAPI Part 1 by David Cowen - Hacking Exposed Computer Forensics Blog

Hello Reader,
One thing that I've used for years and we've talked about before on the Forensic Lunch is Extended MAPI. Extended MAPI is a set of properties that are part of the message structure of any Outlook or Exchange stored email. In this first series of posts I thought it would be good to revisit the Extended MAPI data and provide some analysis scenarios and more information, as many people still seem either confused by it or unaware of its existence.

To start with let's look at the property PR_LAST_VERB_EXECUTED. This Extended MAPI property records, within the email message itself, the last action taken on that message. The most common entries here are actions like Reply, Reply All, Forward or Reply To Forward. Combined with PR_LAST_VERB_EXECUTION_TIME you can tell not just what last happened to the message but when it happened.

To read more about all of the possible values that can be set for the last verb executed, go here:

https://docs.microsoft.com/en-us/office/client-developer/outlook/mapi/pidtaglastverbexecuted-canonical-property

Now when I found that list of properties I wasn't expecting to see all the additional states relating to things other than email messages. It makes sense that other objects within the structure would have Extended MAPI properties, but it's not something I've tested. So my plan for the next several posts is to run a couple of different tests against different Outlook items (email message, calendar item, etc.) and see what actions I can infer from the properties stored within them.

Talk to you tomorrow!

This is a 19-part series on Exploring Extended MAPI. You can find the rest of the posts here
