Alter an email message in your mailbox

  

gungora
Member
 

Re: Alter an email message in your mailbox

Post Posted: Jan 19, 19 00:23

- jahearne

I didn't know about the server Internal Date Message Attribute, unfortunately, Nuix doesn't pick up on that. In my example (my personal Gmail account), not sure what the UID would be. I have "X-Google-Smtp-Source" and X-Received with SMTP id. The SMTP id has an epoch date in it, but they both match with the original message and the one I altered. When I'm in Gmail and select Show Original, I don't get the Internal Date Message Attribute or UID, do I?


Hi John,

That's right; selecting "Show Original" in Gmail wouldn't show you the UID of the message. UID is an IMAP concept, and you can capture it with other server-side metadata during preservation—provided that your tool supports it. You can also query it by directly talking to the IMAP server. In one of our webinars, I was connecting to an IMAP server and issuing some commands manually to show UIDs and internal dates—I will dig it up and PM you the link.

When analyzing an altered message, you would want to be looking at the message along with its neighbors to see if their UIDs are in sequence when they are in chronological order. You could do this by selecting a folder (i.e., EXAMINE) and then running an IMAP SEARCH command to narrow the contents down.
_________________
Arman Gungor

Metaspike
Developers of Forensic Email Collector
www.metaspike.com 
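
The neighbor comparison described in the post above can be automated once UIDs and internal dates have been collected. The following is an added example, not part of the original posts and not code from any tool named in the thread: it parses constructed `FETCH` response lines, puts the messages in internal-date order, and reports UIDs that fall outside the longest ascending run. The sample data and the function names `parse_fetch` and `out_of_sequence` are assumptions made for illustration.

```python
import re
from bisect import bisect_left
from datetime import datetime

# Constructed sample shaped like the untagged responses to
# "UID FETCH 1:* (UID INTERNALDATE)". Not from a real mailbox.
SAMPLE = """\
* 1 FETCH (UID 4101 INTERNALDATE "14-Jan-2019 09:12:44 +0000")
* 2 FETCH (UID 4102 INTERNALDATE "15-Jan-2019 17:30:02 +0000")
* 3 FETCH (UID 4103 INTERNALDATE "16-Jan-2019 08:05:19 +0000")
* 4 FETCH (UID 4104 INTERNALDATE "17-Jan-2019 11:47:51 +0000")
* 5 FETCH (UID 4260 INTERNALDATE "15-Jan-2019 21:03:10 +0000")
"""

# Assumes the server lists UID before INTERNALDATE in each response.
FETCH_RE = re.compile(r'UID (\d+) INTERNALDATE "([^"]+)"')

def parse_fetch(text):
    """Return [(uid, internal_date)] parsed from FETCH response lines."""
    rows = []
    for uid, stamp in FETCH_RE.findall(text):
        when = datetime.strptime(stamp.strip(), "%d-%b-%Y %H:%M:%S %z")
        rows.append((int(uid), when))
    return rows

def out_of_sequence(rows):
    """UIDs outside the longest ascending UID run once rows are in date order."""
    ordered = sorted(rows, key=lambda r: r[1])
    tails, tail_idx = [], []        # patience-sort state for the longest run
    prev = [None] * len(ordered)    # back-pointers to rebuild that run
    for i, (uid, _) in enumerate(ordered):
        pos = bisect_left(tails, uid)
        if pos == len(tails):
            tails.append(uid)
            tail_idx.append(i)
        else:
            tails[pos] = uid
            tail_idx[pos] = i
        prev[i] = tail_idx[pos - 1] if pos else None
    keep = set()
    i = tail_idx[-1] if tail_idx else None
    while i is not None:
        keep.add(i)
        i = prev[i]
    return [ordered[i][0] for i in range(len(ordered)) if i not in keep]

if __name__ == "__main__":
    for uid in out_of_sequence(parse_fetch(SAMPLE)):
        print(f"UID {uid}: out of sequence for its internal date, review")
```

A reported UID is a lead for closer examination rather than proof of alteration, since a message moved or copied into a folder also receives a new UID there.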
 
  

jahearne
Member
 

Re: Alter an email message in your mailbox

Post Posted: Jan 19, 19 01:17

- watcher
Let me start by saying I'm confused.


You should have seen me when I first started this case! Couldn't see straight for half a day... jk.  
 
  

jahearne
Member
 

Re: Alter an email message in your mailbox

Post Posted: Feb 28, 19 22:26

- gungora
- jahearne

I didn't know about the server Internal Date Message Attribute, unfortunately, Nuix doesn't pick up on that. In my example (my personal Gmail account), not sure what the UID would be. I have "X-Google-Smtp-Source" and X-Received with SMTP id. The SMTP id has an epoch date in it, but they both match with the original message and the one I altered. When I'm in Gmail and select Show Original, I don't get the Internal Date Message Attribute or UID, do I?


Hi John,

That's right; selecting "Show Original" in Gmail wouldn't show you the UID of the message. UID is an IMAP concept, and you can capture it with other server-side metadata during preservation—provided that your tool supports it. You can also query it by directly talking to the IMAP server. In one of our webinars, I was connecting to an IMAP server and issuing some commands manually to show UIDs and internal dates—I will dig it up and PM you the link.

When analyzing an altered message, you would want to be looking at the message along with its neighbors to see if their UIDs are in sequence when they are in chronological order. You could do this by selecting a folder (i.e., EXAMINE) and then running an IMAP SEARCH command to narrow the contents down.


Hi Arman,

Nice work on your article!

articles.forensicfocus...ent-116215

I think the FILETIME date could be the key in my case!

Thanks,
John  
 
  

gungora
Member
 

Re: Alter an email message in your mailbox

Post Posted: Mar 01, 19 18:16

Hi John,

I'm glad you've found it helpful. Thanks for sharing your question with the community!

- jahearne

Hi Arman,

Nice work on your article!

articles.forensicfocus...ent-116215

I think the FILETIME date could be the key in my case!

Thanks,
John

_________________
Arman Gungor

Metaspike
Developers of Forensic Email Collector
www.metaspike.com 
 

Page 2 of 2