MS Outlook 2010 Ano...
 
Notifications
Clear all

MS Outlook 2010 Anomaly

1 Posts
1 Users
0 Likes
232 Views
(@eyez0n)
Posts: 29
Eminent Member
Topic starter
 

I ran across a particularly odd situation in the past couple of weeks and have been unable to find any similar instances on these forums or on the greater internet. Admittedly, that could be due to my inability to come up with suitable search terms to narrow the query.

For background, this is not related to my forensic system, but rather an employer-supplied laptop used for general office usage (email, time and attendance, employer intranet, etc.). As such, it is a laptop and network on which I am simply a user with little ability to gather information on the architecture.

Hardware/software of note

~OS Windows 7 Enterprise SP1 (32-bit)
~Network Home network connecting to employer network via Citrix Access Gateway v.9.3.52.3 (full network connect option). The Citrix VPN connection is noticeably laggy.
~Email client MS Outlook 2010
~Email server unknown MS Exchange

The other day, I had Outlook open to my inbox with a message highlighted and viewed in the preview pane. The particular message had four attachments. I then decided to send a new message to a co-worker and opened a new email message. I entered the TO, SUBJECT, and BODY. Then I copied three files from an open Windows Explorer window (the folder was on the employer intranet) and pasted them into the new email message. The paste operation took a couple of seconds due to network lag (not file size) and when complete, only two of the files attached to the new email message.

I originally assumed I had not copied all three files so I copied the third file again and pasted it successfully into the email message. Then I sent the message. Shortly thereafter, I noticed the email in my inbox which had been highlighted and shown in the preview pane now had five attachments, rather than the original four. Yep, you guessed it, the new addition was the "missing" attachment I had pasted earlier.

At the time, I was puzzled but had other pressing demands and planned to get back to it. After a couple of weeks, I could not remember which message had the extra attachment and had to move on to other things without further analysis.

Twice last week, the same thing occurred again. This time, I copied out my .ost and viewed the message in Nuix which showed both messages had more attachments than they originally had when sent to me. This gives the impression that the files were attached to the messages when they were received by me when in fact they were not.

I then took a look at the email message headers. As expected, the "ghost" files are not listed in the headers which makes sense since this did not happen on the server, but rather on the client.

Luckily, in my particular case, there is no problem with this having occurred as they are not emails of any note (although they are subject to discovery requests should any be received). I am raising the issue more to see if anybody has seen this occur before and to see if anybody has a hypothesis on how his could occur (especially when the .ost, viewed on a forensic computer, shows the files were actually attached to the message).

This is also a caution to not rely solely on the reporting of forensic tools or MS Outlook in a email/document case. I know we all harp on verifying our tools and findings, but in this case, the tool is reporting correctly and the only way this would be noticed in an investigation would be if the examiner compared the header to the displayed message (not likely to be done when there may be hundreds or thousands of emails) or if an accused party disclaimed the findings, prompting further analysis.

I appreciate any thoughts.

 
Posted : 09/09/2014 1:04 am
Share: