Daily Blog #397: Exploring Extended MAPI Part 8

Exploring Extended MAPI Part 8 by David Cowen - Hacking Exposed Computer Forensics Blog



Hello Reader,

In this post I wanted to look at more actions and their effect on Extended MAPI. Today I'm looking at what a forward does to a message.

After forwarding the message, you can see that Outlook is notifying me that the message was forwarded and when.



We know this data is stored in the PR_LAST_VERB_EXECUTED Extended MAPI flag, and inspecting those values confirms this.



Notice that this time is stored in UTC within the Extended MAPI property but displayed to the user in local time.

The same is true for the other timestamp that has been updated, which is PR_LAST_MODIFICATION_TIME.



PR_LAST_MODIFICATION_TIME is also stored in UTC, and it is updated because the LAST_VERB_EXECUTED values have been set.
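To check the UTC-versus-local behavior outside of Outlook, the following added example (not code from the original post) decodes the raw property values and reports them in UTC and in an examiner-chosen display offset. The property tags, the verb code 104 for a forward and the companion PR_LAST_VERB_EXECUTION_TIME property are taken from the MAPI headers rather than from this post; the sample values and the UTC-5 display offset are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

# Property tags and verb codes as defined in the MAPI headers / MS-OXPROPS.
PR_LAST_VERB_EXECUTED = 0x10810003        # PT_LONG
PR_LAST_VERB_EXECUTION_TIME = 0x10820040  # PT_SYSTIME (FILETIME, UTC)
PR_LAST_MODIFICATION_TIME = 0x30080040    # PT_SYSTIME (FILETIME, UTC)
LAST_VERBS = {102: "Reply to sender", 103: "Reply to all", 104: "Forward"}

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(raw: bytes) -> datetime:
    """Decode an 8-byte little-endian FILETIME (100 ns ticks since 1601) as UTC."""
    if len(raw) != 8:
        raise ValueError("PT_SYSTIME values are exactly 8 bytes")
    (ticks,) = struct.unpack("<Q", raw)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def summarize(props: dict, display_tz: timezone) -> dict:
    """Report the last verb and both timestamps in UTC and in the display zone."""
    verb = props[PR_LAST_VERB_EXECUTED]
    executed = filetime_to_utc(props[PR_LAST_VERB_EXECUTION_TIME])
    modified = filetime_to_utc(props[PR_LAST_MODIFICATION_TIME])
    return {
        "verb": LAST_VERBS.get(verb, f"Unknown verb {verb}"),
        "executed_utc": executed,
        "executed_displayed": executed.astimezone(display_tz),
        "modified_utc": modified,
        # Gap between the verb being recorded and the item's last modification;
        # a large value means something changed the item after the forward.
        "modified_after_verb_s": (modified - executed).total_seconds(),
    }


# Constructed sample: a message forwarded 2018-07-01 18:30:05 UTC, viewed in UTC-5.
SAMPLE = {
    PR_LAST_VERB_EXECUTED: 104,
    PR_LAST_VERB_EXECUTION_TIME: struct.pack("<Q", 131749434050000000),
    PR_LAST_MODIFICATION_TIME: struct.pack("<Q", 131749434060000000),
}

if __name__ == "__main__":
    for key, value in summarize(SAMPLE, timezone(timedelta(hours=-5))).items():
        print(f"{key}: {value}")
```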

In my review of the message I forwarded, those were the only two timestamps that were altered. Tomorrow let's look at the received message to see if anything was retained.


This is a 19-part series on Exploring Extended MAPI. You can find the rest of the posts here
