Hello Reader,
Another Friday where I'm not able to get a forensic test kitchen done due to my travel and teaching schedule but next week should be better!
Instead lets continue our outlook attachment testing, in the prior post I tested a png file. Let's test an Microsoft Excel document now to see how a file with a metadata structure Outlook would know effects our testing.
First here is the metadata on the file on the disk
Here is the extended mapi properties of the attachment when I sent the message a minute after creating the file.
As you can see the last modification time is being preserved again but the creation time is actually being set to the message creation time as seen in the delivery time below.
I then made sure it wasn't just a rounding issue by sending the same attachment the next day
which shows that the creation time is being sent to the date the message was sent and the modification time of the file is being preserved.
Saving the attachment back to the disk gives the following dates
As we can see the creation time is being set to when the message was sent and the modification time is being reapplied. The Access date appears to be updated but really that's just the real creation time before Microsoft Outlook rolled back the date.
More to come as we test other formats!
Another Friday where I'm not able to get a forensic test kitchen done due to my travel and teaching schedule but next week should be better!
Instead lets continue our outlook attachment testing, in the prior post I tested a png file. Let's test an Microsoft Excel document now to see how a file with a metadata structure Outlook would know effects our testing.
First here is the metadata on the file on the disk
Here is the extended mapi properties of the attachment when I sent the message a minute after creating the file.
As you can see the last modification time is being preserved again but the creation time is actually being set to the message creation time as seen in the delivery time below.
I then made sure it wasn't just a rounding issue by sending the same attachment the next day
which shows that the creation time is being sent to the date the message was sent and the modification time of the file is being preserved.
Saving the attachment back to the disk gives the following dates
As we can see the creation time is being set to when the message was sent and the modification time is being reapplied. The Access date appears to be updated but really that's just the real creation time before Microsoft Outlook rolled back the date.
More to come as we test other formats!
.png)
Post a Comment