Question RE Outlook Email Attachments

(@Anonymous)
Posts: 0
Guest
Topic starter
 

Hi All,

I wanted to bounce something off everyone to see if you have ever encountered this or know of a way in which this can be detected.

Specific to Outlook 2016 (However, I recall you can do this with other versions) if you right-click on an attachment in a given email, you have the option to remove an attachment and can save the message.

Let's assume you have a message with two attachments and one is removed, how would you be able to prove this short of some obvious indication of the attachment in the body of the message or the conversation alluding to it? I am aware of the attachment value in the message header, but this would only indicate if there was an attachment, not how many.

Thx!

 
Posted : 08/08/2017 10:49 pm
jpickens
(@jpickens)
Posts: 130
Estimable Member
 

If it's in an Exchange environment, and retention policies are in place, you can pull the original from the mail server and compare.

Just because a change in Outlook happens, does not mean it will always reflect the mail server storage.

 
Posted : 09/08/2017 6:24 pm
(@Anonymous)
Posts: 0
Guest
Topic starter
 

If it's in an Exchange environment, and retention policies are in place, you can pull the original from the mail server and compare.

Just because a change in Outlook happens, does not mean it will always reflect the mail server storage.

Sorry, should have mentioned this - Let's assume it's a PST you have been provided/collected and the Exchange Server is not an option.

 
Posted : 09/08/2017 8:21 pm
JimC
(@jimc)
Posts: 86
Estimable Member
 

My understanding is that the PST file is a mini file system (Microsoft Compound Binary format).

There may be some evidence of the attachment content (and even the original message) remaining in the PST *if* you can get hold of it soon after the event. However, as with all file systems, your mileage will reduce with time.

Jim

www.binarymarkup.com

 
Posted : 09/08/2017 8:36 pm
(@Anonymous)
Posts: 0
Guest
Topic starter
 

Thanks Jim - I had tried testing that method on a sample PST I created with no luck, will go back to the drawing board.

I would assume if this were for a Discovery matter where .MSG files were produced (stand alone) then there really would be no hope either!

My understanding is that the PST file is a mini file system (Microsoft Compound Binary format).

There may be some evidence of the attachment content (and even the original message) remaining in the PST *if* you can get hold of it soon after the event. However, as with all file systems, your mileage will reduce with time.

Jim

www.binarymarkup.com

 
Posted : 09/08/2017 8:46 pm
gungora
(@gungora)
Posts: 33
Eminent Member
 

In my experience, when you remove attachments in that manner, the MSG file would not be compacted. So

* The size of the MSG file would typically reflect the original size of the message, including its attachments—it may be larger.

* You can often find the contents of the attachments in the MSG even though the attachments are not accessible via the Outlook GUI or MAPI.

To test this quickly, I found an MSG file with two PDF attachments. Removed the attachments as you described using Outlook 2007 and saved the message. The size of the MSG file increased from 975 KB to 1,004 KB even though I removed the attachments.

I then opened the new MSG file in a hex editor and was able to find the XMP metadata streams of both of the "removed" PDFs.

Will play further to see if I can extract the "removed" PDFs.

 
Posted : 10/08/2017 3:17 am
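An added example, not part of the post above or of any tool named in this thread: a check for the residue described there, listing sectors of an OLE compound file (the MSG container) that the file's allocation table marks free but that still hold non-zero bytes. It assumes the sectors of a removed attachment stream end up marked FREESECT; the sample file built by `build_sample` is constructed for illustration and contains only a header, a FAT and filler sectors.

```python
import struct

CFB_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
FREESECT, ENDOFCHAIN, FATSECT = 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFFFD

def free_sectors_with_data(blob):
    """Return [(sector_no, first 16 bytes)] for FAT-free sectors that are not zero-filled."""
    if blob[:8] != CFB_MAGIC:
        raise ValueError("not an OLE compound file")
    ssize = 1 << struct.unpack_from("<H", blob, 30)[0]   # sector shift: 9 (v3) or 12 (v4)
    per = ssize // 4                                      # 32-bit entries per sector
    n_fat, = struct.unpack_from("<I", blob, 44)
    sect, n_difat = struct.unpack_from("<II", blob, 68)
    difat = list(struct.unpack_from("<109I", blob, 76))   # first 109 FAT sector locations
    for _ in range(n_difat):                              # follow the DIFAT chain for larger files
        entries = struct.unpack_from("<%dI" % per, blob, (sect + 1) * ssize)
        difat += entries[:-1]
        sect = entries[-1]
    fat = []
    for s in difat[:n_fat]:
        fat += struct.unpack_from("<%dI" % per, blob, (s + 1) * ssize)
    hits = []
    for i in range(min(len(fat), len(blob) // ssize - 1)):
        data = blob[(i + 1) * ssize:(i + 2) * ssize]
        if fat[i] == FREESECT and any(data):              # unallocated, yet not empty
            hits.append((i, data[:16]))
    return hits

def build_sample():
    """Constructed 4-sector file: 0=FAT, 1=directory, 2=free with residue, 3=free and zeroed."""
    hdr = bytearray(512)
    hdr[:8] = CFB_MAGIC
    struct.pack_into("<5H", hdr, 24, 0x3E, 3, 0xFFFE, 9, 6)          # versions, byte order, shifts
    struct.pack_into("<3I", hdr, 40, 0, 1, 1)                        # dir sectors, FAT sectors, first dir
    struct.pack_into("<4I", hdr, 60, ENDOFCHAIN, 0, ENDOFCHAIN, 0)   # no mini FAT, no DIFAT chain
    struct.pack_into("<109I", hdr, 76, 0, *([FREESECT] * 108))       # FAT lives in sector 0
    fat = struct.pack("<128I", FATSECT, ENDOFCHAIN, *([FREESECT] * 126))
    residue = b"%PDF-1.4 constructed residue".ljust(512, b"\0")
    return bytes(hdr) + fat + bytes(512) + residue + bytes(512)

if __name__ == "__main__":
    for sector, head in free_sectors_with_data(build_sample()):
        print(sector, head)
```

Streams below the 4,096-byte mini stream cutoff are stored in the mini stream and tracked by the mini FAT, which this check does not walk.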
passcodeunlock
(@passcodeunlock)
Posts: 792
Prominent Member
 

JimC is right, the PST is a mini file system with a well-defined structure (Microsoft Compound Binary Format).

If the PST was used as the default local mail container and it wasn't manually compacted, you will have traces of all deleted attachments from your mails, since there is a placeholder space for each deleted attachment. After compacting the PST these placeholder areas are removed.

If your PST was created as "export to PST" after the attachment was removed, most probably you won't have any traces of the deleted attachment, since before exporting to PST there is a compacting process first.

 
Posted : 10/08/2017 11:19 am
Passmark
(@passmark)
Posts: 376
Reputable Member
 

By chance, I had this question yesterday, in a real case from one of our local customers.

Solution turned up in the recent activity from the Windows Event log for "Microsoft Office Alerts".

It seems, at least by default, that Office logs documents removal requests in its event log.

 
Posted : 10/08/2017 1:07 pm
(@Anonymous)
Posts: 0
Guest
Topic starter
 

Thanks for this!

In my experience, when you remove attachments in that manner, the MSG file would not be compacted. So

* The size of the MSG file would typically reflect the original size of the message, including its attachments—it may be larger.

* You can often find the contents of the attachments in the MSG even though the attachments are not accessible via the Outlook GUI or MAPI.

To test this quickly, I found an MSG file with two PDF attachments. Removed the attachments as you described using Outlook 2007 and saved the message. The size of the MSG file increased from 975 KB to 1,004 KB even though I removed the attachments.

I then opened the new MSG file in a hex editor and was able to find the XMP metadata streams of both of the "removed" PDFs.

Will play further to see if I can extract the "removed" PDFs.

 
Posted : 10/08/2017 9:27 pm
(@Anonymous)
Posts: 0
Guest
Topic starter
 

Good tip thanks, will pass that one along.

The scenario I was curious about was a provided PST and/or standalone MSG where you cannot go back to the source system assuming there was no image taken - just provided items.

By chance, I had this question yesterday, in a real case from one of our local customers.

Solution turned up in the recent activity from the Windows Event log for "Microsoft Office Alerts".

It seems, at least by default, that Office logs documents removal requests in its event log.

 
Posted : 10/08/2017 9:29 pm