Daily Blog #397: Exploring Extended MAPI part 8

Hello Reader,

In this post I wanted to look at more actions and their effect on Extended MAPI. Today I'm looking at what a forward does to a message.

After forwarding the message, you can see that Outlook is notifying me that the message was forwarded and when.

We know this data is stored in the PR_LAST_VERB_EXECUTED Extended MAPI property, and inspecting those values confirms this.

Notice that this time is stored in UTC within the Extended MAPI property but displayed to the user in local time.

The same is true for the other timestamp that has been updated, which is PR_LAST_MODIFICATION_TIME.

PR_LAST_MODIFICATION_TIME is also stored in UTC, and it is being updated because the LAST_VERB_EXECUTED values have been set.

In my review of the message I forwarded, those were the only two timestamps that were altered. Tomorrow let's look at the received message to see if anything was retained.
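To make the UTC-versus-local-time point concrete, here is an added example (not code from the original post) that decodes the raw property values an examiner would pull from a forwarded message. It assumes the timestamps are exported as the low/high 32-bit halves of a FILETIME, uses the PR_LAST_VERB_EXECUTION_TIME companion property and the documented verb codes, and runs on constructed sample values with an assumed display offset.

```python
from datetime import datetime, timedelta, timezone

# Property tags as defined in the MAPI headers. The post names the first and
# third; PR_LAST_VERB_EXECUTION_TIME is the companion timestamp property.
PR_LAST_VERB_EXECUTED = 0x10810003        # PT_LONG
PR_LAST_VERB_EXECUTION_TIME = 0x10820040  # PT_SYSTIME (FILETIME)
PR_LAST_MODIFICATION_TIME = 0x30080040    # PT_SYSTIME (FILETIME)

VERBS = {102: "Reply to sender", 103: "Reply to all", 104: "Forward"}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(low, high):
    """Join the two 32-bit halves of a FILETIME into an aware UTC datetime."""
    ticks = (high << 32) | low  # 100 ns intervals since 1601-01-01 UTC
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def utc_to_filetime(dt):
    """Inverse helper, used only to build the constructed sample below."""
    delta = dt - FILETIME_EPOCH
    ticks = (delta.days * 86400 + delta.seconds) * 10**7 + delta.microseconds * 10
    return ticks & 0xFFFFFFFF, ticks >> 32

def describe(props, display_tz):
    """Report the last verb and both timestamps in UTC and in display_tz."""
    executed = filetime_to_utc(*props[PR_LAST_VERB_EXECUTION_TIME])
    modified = filetime_to_utc(*props[PR_LAST_MODIFICATION_TIME])
    code = props[PR_LAST_VERB_EXECUTED]
    return {
        "verb": VERBS.get(code, f"Unknown verb ({code})"),
        "executed_utc": executed,
        "executed_local": executed.astimezone(display_tz),
        "modified_utc": modified,
        "modified_after_verb_seconds": (modified - executed).total_seconds(),
    }

# Constructed sample: a message forwarded at 14:30:00 UTC, with the
# modification time one second later. Not values from the post.
FORWARDED = datetime(2020, 1, 15, 14, 30, 0, tzinfo=timezone.utc)
SAMPLE = {
    PR_LAST_VERB_EXECUTED: 104,
    PR_LAST_VERB_EXECUTION_TIME: utc_to_filetime(FORWARDED),
    PR_LAST_MODIFICATION_TIME: utc_to_filetime(FORWARDED + timedelta(seconds=1)),
}
EXAMINER_TZ = timezone(timedelta(hours=-5))  # assumed display offset

if __name__ == "__main__":
    for key, value in describe(SAMPLE, EXAMINER_TZ).items():
        print(f"{key}: {value}")
```

Reporting the UTC value alongside the converted one keeps a timeline independent of whichever time zone the examiner's workstation or the user's Outlook profile happens to use.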
Daily Blog #397: Exploring Extended MAPI part 8 Reviewed by David Cowen on June 19, 2018 Rating: 5

All Rights Reserved by Hacking Exposed Computer Forensics Blog © 2014 - 2020