Daily Blog #411: Exploring Extended MAPI Part 16

Exploring Extended MAPI Part 16 by David Cowen - Hacking Exposed Computer Forensics Blog



Hello Reader,
                 I decided to test a Microsoft Word attachment this time to see if the results would be any different. In the end the results were the same but I need to do one more test tomorrow to see if the internal metadata varies from the file system metadata if their is any difference.

Here is the original file metadata:

Exploring Extended MAPI Part 16 by David Cowen - Hacking Exposed Computer Forensics Blog


This is the Extended MAPI properties of the attachment

Exploring Extended MAPI Part 16 by David Cowen - Hacking Exposed Computer Forensics Blog

Again the creation time is being set to when the message was sent, this is different than Arman's testing so I'm trying to see what I'm doing different. I'll know for sure when he comes on the Forensic Lunch this month.

Here is the resulting metadata of the saved file:

Exploring Extended MAPI Part 16 by David Cowen - Hacking Exposed Computer Forensics Blog

More testing to come!


This is a 19-part series on Exploring Extended MAPI. You can find the rest of the posts here

Post a Comment