Daily Blog #407: Exploring Extended MAPI Part 14

Exploring Extended MAPI Part 14 by David Cowen - Hacking Exposed Computer Forensics Blog



Hello reader,
In yesterday's post I showed how saving an attachment applied the modification date that was stored within the attachment's Extended MAPI properties. I was wondering how, from a filesystem perspective, you could tell the actual date the file was saved to the disk. As it turns out, the filename attribute metadata has the dates the attachment was actually saved to the disk, as seen below:


This is a PNG file; in the upcoming posts I'll be trying other file types to see if Outlook shows any different behaviors.
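The comparison described above can be scripted against an NTFS MFT record. The following is an added example, not code from the original post: it parses the $STANDARD_INFORMATION (0x10) and $FILE_NAME (0x30) attributes of a FILE record and reports the $FILE_NAME creation time when the $STANDARD_INFORMATION modified time predates it. The record, the file name, the dates and all function names are constructed for illustration, and the record is assumed to have already had its fixup values applied.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
SI, FN, END = 0x10, 0x30, 0xFFFFFFFF  # $STANDARD_INFORMATION, $FILE_NAME, end marker

def to_filetime(dt):
    """datetime -> FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    return (dt - EPOCH) // timedelta(microseconds=1) * 10

def from_filetime(ft):
    return EPOCH + timedelta(microseconds=ft // 10)

def resident_attr(attr_type, content):
    """Build a resident, unnamed attribute: 24-byte header + content, 8-byte aligned."""
    length = (24 + len(content) + 7) & ~7
    header = struct.pack("<IIBBHHHIHH", attr_type, length, 0, 0, 24, 0, 0, len(content), 24, 0)
    return (header + content).ljust(length, b"\0")

def build_record(si_times, fn_times, name):
    """Constructed FILE record (no fixup array), for demonstration only."""
    head = bytearray(0x38)
    head[0:4] = b"FILE"
    struct.pack_into("<H", head, 0x14, 0x38)  # offset of the first attribute
    si = struct.pack("<4Q", *map(to_filetime, si_times)) + bytes(16)
    fn = (bytes(8) + struct.pack("<4Q", *map(to_filetime, fn_times)) + bytes(24)
          + bytes([len(name), 1]) + name.encode("utf-16-le"))
    return bytes(head) + resident_attr(SI, si) + resident_attr(FN, fn) + struct.pack("<II", END, 0)

def parse_times(record):
    """Return {attr_type: (created, modified, mft_changed, accessed)} for $SI and $FN."""
    if record[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    off, out = struct.unpack_from("<H", record, 0x14)[0], {}
    while off + 8 <= len(record):
        atype, alen = struct.unpack_from("<II", record, off)
        if atype == END or alen == 0:
            break
        if atype in (SI, FN) and record[off + 8] == 0 and atype not in out:
            start = off + struct.unpack_from("<H", record, off + 0x14)[0]
            start += 8 if atype == FN else 0  # $FN times follow the 8-byte parent reference
            out[atype] = tuple(map(from_filetime, struct.unpack_from("<4Q", record, start)))
        off += alen
    return out

def save_time_if_backdated(record):
    """Return the $FN created time when $SI modified predates it, else None."""
    t = parse_times(record)
    return t[FN][0] if t[SI][1] < t[FN][0] else None

# Constructed sample values: attachment's stored modified date vs. when it was saved to disk
SENT = datetime(2018, 1, 10, 9, 30, tzinfo=timezone.utc)
SAVED = datetime(2018, 7, 16, 14, 5, tzinfo=timezone.utc)
RECORD = build_record((SAVED, SENT, SAVED, SAVED), (SAVED,) * 4, "image.png")
```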


This is a 19-part series on Exploring Extended MAPI. You can find the rest of the posts here
