Daily Blog #413: Exploring Extended MAPI Part 17

Exploring Extended MAPI Part 17 by David Cowen - Hacking Exposed Computer Forensics Blog



Hello Reader,
            With all the talk about the Office 365 API I thought it might be worth testing how OWA (Outlook Web Access) accesses in Office 365 modified my local sync'd Outlook OST. This is important as there are many situations where the victim and the attacker are accessing the same mailbox in different forms and knowing what to expect when you do your analysis is important.

So the first thing I did today was to mark an item unread in OWA and then I sync'd my Outlook folders and saw the message go unread. After which I pulled up the Extended MAPI data within Outlook Spy and well, it didn't go as I expected.

When I looked at the last modification I found this:

Exploring Extended MAPI Part 17 by David Cowen - Hacking Exposed Computer Forensics Blog

Which is showing that even though the message was marked unread and read again that the last modification time didn't change from the time it was originally. In fact going through all the dates i didn't find any updates made at all.

I think next I need to retrieve the message directly to test it again but tomorrow I'll be doing more Outlook testing.

This is a 19-part series on Exploring Extended MAPI. You can find the rest of the posts here

Post a Comment