Question RE Outlook Email Attachments


Question RE Outlook Email Attachments

Post Posted: Tue Aug 08, 2017 4:49 pm

Hi All,

I wanted to bounce something off everyone to see if you have ever encountered this or know of a way in which this can be detected.

Specific to Outlook 2016 (however, I recall you can do this with other versions), if you right-click on an attachment in a given email, you have the option to remove an attachment and can save the message.

Let's assume you have a message with two attachments and one is removed; how would you be able to prove this, short of some obvious indication of the attachment in the body of the message or the conversation alluding to it? I am aware of the attachment value in the message header, but this would only indicate if there was an attachment, not how many.

Thx!  

flytnx
Member
 
 
  

Re: Question RE Outlook Email Attachments

Post Posted: Wed Aug 09, 2017 12:24 pm

If it's in an Exchange environment, and retention policies are in place, you can pull the original from the mail server and compare.

Just because a change in Outlook happens, does not mean it will always reflect the mail server storage.  

jpickens
Senior Member
 
 
  

Re: Question RE Outlook Email Attachments

Post Posted: Wed Aug 09, 2017 2:21 pm

- jpickens
If it's in an Exchange environment, and retention policies are in place, you can pull the original from the mail server and compare.

Just because a change in Outlook happens, does not mean it will always reflect the mail server storage.


Sorry, should have mentioned this - Let's assume it's a PST you have been provided/collected and the Exchange Server is not an option.  

flytnx
Member
 
 
  

Re: Question RE Outlook Email Attachments

Post Posted: Wed Aug 09, 2017 2:36 pm

My understanding is that the PST file is a mini file system (Microsoft Compound Binary format).

There may be some evidence of the attachment content (and even the original message) remaining in the PST *if* you can get hold of it soon after the event. However, as with all file systems, your mileage will reduce with time.

Jim

www.binarymarkup.com  

JimC
Member
 
 
  

Re: Question RE Outlook Email Attachments

Post Posted: Wed Aug 09, 2017 2:46 pm

Thanks Jim - I had tried testing that method on a sample PST I created with no luck, will go back to the drawing board.

I would assume if this were for a Discovery matter where .MSG files were produced (stand alone) then there really would be no hope either!

- JimC
My understanding is that the PST file is a mini file system (Microsoft Compound Binary format).

There may be some evidence of the attachment content (and even the original message) remaining in the PST *if* you can get hold of it soon after the event. However, as with all file systems, your mileage will reduce with time.

Jim

www.binarymarkup.com
 

flytnx
Member
 
 
  

Re: Question RE Outlook Email Attachments

Post Posted: Wed Aug 09, 2017 9:17 pm

In my experience, when you remove attachments in that manner, the MSG file would not be compacted. So:

* The size of the MSG file would typically reflect the original size of the message, including its attachments—it may be larger.

* You can often find the contents of the attachments in the MSG even though the attachments are not accessible via the Outlook GUI or MAPI.

To test this quickly, I found an MSG file with two PDF attachments. Removed the attachments as you described using Outlook 2007 and saved the message. The size of the MSG file increased from 975 KB to 1,004 KB even though I removed the attachments.

I then opened the new MSG file in a hex editor and was able to find the XMP metadata streams of both of the "removed" PDFs.

Will play further to see if I can extract the "removed" PDFs.
_________________
Arman Gungor

Metaspike
Developers of Forensic Email Collector
www.metaspike.com 

gungora
Member
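The hex-editor check described in the post above can be scripted. This is an added example, not part of the original post: an MSG file is a Compound File Binary container, so the script reads its sector allocation table (FAT) and reports PDF and XMP signatures together with whether the sector holding each one is still allocated. The function names and the sample image are constructed for illustration, and files that use DIFAT sectors (roughly over 6.8 MB) are not handled.

```python
import struct

CFB_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
FREESECT = 0xFFFFFFFF
SIGNATURES = {b"%PDF-": "PDF header", b"<?xpacket begin": "XMP packet"}

def read_fat(data):
    """Return (sector_size, FAT entries) from the 109 DIFAT slots in the header."""
    if data[:8] != CFB_MAGIC:
        raise ValueError("not a Compound File Binary (MSG) file")
    sector_size = 1 << struct.unpack_from("<H", data, 0x1E)[0]
    if struct.unpack_from("<I", data, 0x48)[0]:
        raise ValueError("DIFAT sectors present; only the header DIFAT is handled")
    fat = []
    for sid in struct.unpack_from("<109I", data, 0x4C):
        if sid != FREESECT:  # sector n starts at (n + 1) * sector_size
            fat.extend(struct.unpack_from(f"<{sector_size // 4}I", data,
                                          (sid + 1) * sector_size))
    return sector_size, fat

def find_residue(data):
    """Return sorted (offset, label, state) for each signature hit after the header."""
    sector_size, fat = read_fat(data)
    hits = []
    for sig, label in SIGNATURES.items():
        pos = data.find(sig, sector_size)
        while pos != -1:
            sid = pos // sector_size - 1
            state = ("untracked" if sid >= len(fat)
                     else "free" if fat[sid] == FREESECT else "allocated")
            hits.append((pos, label, state))
            pos = data.find(sig, pos + 1)
    return sorted(hits)

def build_sample():
    """Constructed image: header, FAT sector, one live sector, one freed sector."""
    header = bytearray(512)
    header[:8] = CFB_MAGIC
    struct.pack_into("<H", header, 0x1E, 9)   # 512-byte sectors
    struct.pack_into("<I", header, 0x2C, 1)   # one FAT sector
    struct.pack_into("<109I", header, 0x4C, 0, *([FREESECT] * 108))
    fat = struct.pack("<128I", 0xFFFFFFFD, 0xFFFFFFFE, *([FREESECT] * 126))
    live = b"%PDF-1.4 live attachment".ljust(512, b"\0")
    freed = b'<?xpacket begin="" id="constructed"?>'.ljust(512, b"\0")
    return bytes(header) + fat + live + freed

if __name__ == "__main__":
    for offset, label, state in find_residue(build_sample()):
        print(f"0x{offset:08x}  {label:<11} sector is {state}")
```

A hit in a free sector is data that no stream references any more; a hit in an allocated sector may belong to an attachment that is still present, so compare it against the attachments the message currently lists. Streams are stored sector by sector and may be fragmented, so a signature offset is a starting point for carving rather than a complete file.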
 
 
  

Re: Question RE Outlook Email Attachments

Post Posted: Thu Aug 10, 2017 5:19 am

JimC is right, the PST is a mini file system with a well-defined structure (Microsoft Compound Binary Format).

If the PST was used as the default local mail container and it wasn't manually compacted, you will have traces of all deleted attachments from your mails, since there is a placeholder space for each deleted attachment. After compacting the PST these placeholder areas are removed.

If your PST was created as "export to PST" after the attachment was removed, most probably you won't have any traces of the deleted attachment, since before exporting to PST there is a compacting process first.
_________________
Apple passcode unlock + decrypted filesystem dump, Android user locks unlock + physical dump with decrypted userdata partition. We provide our services world-wide, but we reserve the right for choosing which tasks we take and which we deny! 

passcodeunlock
Senior Member
 
 
