Daily Blog #418: Exploring Extended MAPI Part 19

Exploring Extended MAPI Part 19 by David Cowen - Hacking Exposed Computer Forensics Blog



Hello Reader,
Since my last test that showed that the Extended MAPI data wasn't being updated when I modified a message in OWA in my local Outlook client, I've been testing ways to get this updated data.

First, I tried to download my mailbox, but apparently I need to get a working EWS URL first. So I'll try that again tomorrow.

Second, I went into the compliance center and searched for and found my test message I've been experimenting with. In doing this I downloaded the original message in EML format (the only option given) and I still did not find the updated Extended MAPI data as seen below:


Here the Last Modification time got set to when I downloaded the message from Compliance Center and the original submission time exists. But I have no Last Verb time or code showing this message was replied to.

Third, I emailed myself the message in OWA as an attachment by dragging and dropping the message into a new email; this actually put the message as an MSG attached to the email message. Once I accessed this within Outlook on my local system I was able to see the expected data:



Here you can see that we finally have the expected Last Verb time showing when the message was replied to and when it was replied to. The Last Modification has been updated to reflect when I sent the message to myself as an attachment.


So I now need to download the mailbox fresh and then look into my local Outlook account to see if this data has finally been updated.


This is a 19-part series on Exploring Extended MAPI. You can find the rest of the posts here
