Daily Blog #405: Exploring Extended MAPI Part 12

Exploring Extended MAPI Part 12by David Cowen - Hacking Exposed Computer Forensics Blog



Hello Reader,
           For today's post I've wanted to share some testing I've been doing of Arman Gungor's research into Extended MAPI data. Arman has agreed to come on the Forensic Lunch next month and talk about his work and this post I'd like to focus on some research he's done on how some file system timestamps are preserved from the sender's system when a file is attached in Outlook.

First you can read Arman's post here:

https://www.meridiandiscovery.com/articles/email-attachment-timestamps-forensics-outlook/

I emailed myself one of the pictures from Saturday's solution post and then examined the Extended MAPI data of the attachment with Outlook spy to see if I could confirm what Arman found.

Here are the file system timestamps on my system for pic10.png:
Exploring Extended MAPI Part 12by David Cowen - Hacking Exposed Computer Forensics Blog

Looking at the Extended MAPI for the attachment I found the following. For the creation time I have the creation time of the message rather than the file attachment. The time is displayed is in UTC and I'm currently in is UTC +10.

Looking at the Modification time though we do find the correct file system time:

Which +10 hours is 6/24/18 at 6:14PM.

This is fascinating to me as I thought all file system metadata was stripped away when a file was attached. I am going to do more testing with Outlook attachments and the dates applied to see how these changes my prior results.

This is a 19-part series on Exploring Extended MAPI. You can find the rest of the posts here

Post a Comment