Daily Blog #406: Exploring Extended MAPI Part 13

Hello Reader,
           In my prior post I was looking at the file system metadata stored based on Arman's blog post. In this post I wanted to see if something had changed with how Outlook was assigning creation times on saving a file. In the past I had found that Outlook would look into Word documents and retrieve the dates from the metadata in the document to apply to the file system, and in this post I am looking to see if that has changed.

I haven't tested a regular file before in looking to see what dates got applied and when I saved the attachment to my disk I was surprised to see the following

The creation time was sent to the time the message was received and matched the PR_CREATION_TIME I saw in the prior post. But the Modification time was reapplied from the data that was saved in the attachment extended mapi property! Notice that the Access time is set for today even though access times have been disabled since Windows 10. This because the access time is being set to the actual time of creation and then the other two dates have been rolled back by Outlook.

This is very interesting to me and I plan on testing this with some more file types this week and next.