Daily Blog #391: Exploring Extended MAPI Part 5

Exploring Extended MAPI Part 5 by David Cowen - Hacking Exposed Computer Forensics Blog



Hello Reader,
In the prior post we went through what dates were preserved when a message was exported out of a mailbox and into a PST. I put the question to myself: what would happen if I then took that exported message and copied it to another volume? What would change within the message?

I copied the MSG file to an external drive with an exFAT file system using the Explorer copy/paste operation. Here is what the file system metadata looked like.



Looking at the message copied onto the external storage volume, I checked the PR_CREATION_TIME first and found that the original creation date, from when the message was exported out of the mailbox, was preserved even though the file system creation time had been updated to the time of the copy.


In addition, the PR_LAST_MODIFICATION_TIME also retained the original date even though the file system modification time was updated.
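To repeat this comparison in a script, the added example below (not code from the original post) decodes PR_CREATION_TIME and PR_LAST_MODIFICATION_TIME from a message property stream and checks them against file system times. It assumes the `__properties_version1.0` stream has already been extracted from the MSG compound file and follows the MS-OXMSG layout of a 32-byte header plus 16-byte entries; the sample stream, dates and helper names are constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

# MAPI property tags: (property id << 16) | PT_SYSTIME (0x0040)
PR_CREATION_TIME = 0x30070040
PR_LAST_MODIFICATION_TIME = 0x30080040
NAMES = {PR_CREATION_TIME: "PR_CREATION_TIME",
         PR_LAST_MODIFICATION_TIME: "PR_LAST_MODIFICATION_TIME"}
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
HEADER_LEN = 32  # top-level message property stream header
ENTRY_LEN = 16   # tag (4) + flags (4) + value (8), little-endian

def filetime_to_dt(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt):
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10

def mapi_times(stream):
    """Return {property name: datetime} for the two PT_SYSTIME properties."""
    found = {}
    for off in range(HEADER_LEN, len(stream) - ENTRY_LEN + 1, ENTRY_LEN):
        tag, _flags, value = struct.unpack_from("<IIQ", stream, off)
        if tag in NAMES:
            found[NAMES[tag]] = filetime_to_dt(value)
    return found

def fs_times_newer_than_mapi(stream, fs_created, fs_modified):
    """True when both file system times are later than the embedded MAPI
    times, the pattern observed after the copy to another volume."""
    t = mapi_times(stream)
    return (fs_created > t["PR_CREATION_TIME"]
            and fs_modified > t["PR_LAST_MODIFICATION_TIME"])

def build_stream(props):
    """Build a constructed property stream (hypothetical test helper)."""
    body = b"".join(struct.pack("<IIQ", tag, 0x6, val) for tag, val in props)
    return bytes(HEADER_LEN) + body  # flags 0x6 = readable | writable

# Constructed sample values, not taken from the post's screenshots.
EXPORTED = datetime(2016, 6, 1, 14, 0, 0, tzinfo=timezone.utc)
COPIED = datetime(2016, 6, 20, 9, 30, 0, tzinfo=timezone.utc)
SAMPLE = build_stream([
    (0x0E070003, 1),  # PR_MESSAGE_FLAGS (PT_LONG), skipped by the parser
    (PR_CREATION_TIME, dt_to_filetime(EXPORTED)),
    (PR_LAST_MODIFICATION_TIME, dt_to_filetime(EXPORTED)),
])

if __name__ == "__main__":
    for name, when in mapi_times(SAMPLE).items():
        print(name, when.isoformat())
    print("file system newer:", fs_times_newer_than_mapi(SAMPLE, COPIED, COPIED))
```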


I've noticed some other interesting MAPI attributes, including the names and SIDs of the users who modified a message. Next let's see how those are set and updated.


This is a 19-part series on Exploring Extended MAPI. You can find the rest of the posts here
