PST - email last modification date


kiashi
Senior Member
 

PST - email last modification date

Post Posted: Jan 20, 11 17:24

Hello All, I am hoping for some guidance in a case that I am currently working on. There is an allegation that another person was accessing the email of a suspended worker after the date of their suspension. The domain account and email account of the suspended subject were not disabled and so continued to receive new emails within this period.

The anomaly exists where I have located a large number of emails/calendar items that have a 'last modified date' within the suspension period, however their 'created date' (received date for emails) is in some cases as long as 4 years in the past.

So my question is as follows: What actions tend to alter this 'last modified date'? I have EnCase and Intella in agreement with the dates they are showing me.

A number (~300) of items have a 'last modified date' set to within a range of 4 minutes which seems to indicate some kind of automated process acting on them such as a virus scan or archive. Their creation dates range however from 2006 to 2009. Any ideas?

I am looking into this but as we are a Notes shop here I'll have to set up some kind of virtual environment to test it.
_________________
_________________________________________
The only people who find what they are looking for
in life are the fault finders. 
 
  

research1
Senior Member
 

Re: PST - email last modification date

Post Posted: Jan 20, 11 17:37

Are the create dates all before the suspension? If so, and all modification dates follow a strong time pattern, I'd be inclined to say automated process.

Determining which process I would not know, possibly event logs can assist you there?  
 
  

kiashi
Senior Member
 

Re: PST - email last modification date

Post Posted: Jan 20, 11 18:02

Thanks for your quick reply research1, yes the created dates are all before the date of suspension.

I suppose it is theoretically possible to preview 300 mail items in 4 minutes but I'm just most hung up on what changes this 'last modification date'. The vast majority of emails have a 'last modification date' which either matches or is within about two seconds of the 'creation date'. Therefore I doubt just previewing or reading an email would change its mod date.

Has anyone done any testing on this?
_________________
_________________________________________
The only people who find what they are looking for
in life are the fault finders. 
 
  

jhup
Senior Member
 

Re: PST - email last modification date

Post Posted: Jan 21, 11 10:55

Actually it is not that impossible.

Turn preview pane on, then check "Mark item as read when selection changes" under options, then hold the arrow key down. It can be done in less than 10 seconds.

Or, simply select a folder, and press Ctrl-Q. Mark all as read . . .  
 
  

kiashi
Senior Member
 

Re: PST - email last modification date

Post Posted: Jan 21, 11 19:29

Cheers jhup, so marking as read is a condition that will change the modification date? That is good to know. I haven't had a chance to look into it further myself yet but will hopefully next week.
_________________
_________________________________________
The only people who find what they are looking for
in life are the fault finders. 
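
The timestamp triage discussed in this thread, as an added example that is not part of any post: it takes item metadata exported from a forensic tool, keeps items modified inside the period of interest long after they were created, and groups them into bursts so the rate can be compared with the user actions described above. The tuple layout, the sample data, the window dates and the `max_gap` and `min_size` thresholds are assumptions; the two-second tolerance comes from the thread. It isolates bursts only and does not identify what caused the modification.

```python
from datetime import datetime, timedelta

def find_bursts(items, window_start, window_end,
                tolerance=timedelta(seconds=2),      # normal created/modified drift
                max_gap=timedelta(seconds=30), min_size=5):  # assumed thresholds
    """Return bursts of items modified in the window long after creation.
    items: (item_id, created, modified) tuples, a hypothetical export layout."""
    suspects = sorted(
        (it for it in items
         if window_start <= it[2] <= window_end and it[2] - it[1] > tolerance),
        key=lambda it: it[2])
    bursts, current = [], []
    for it in suspects:
        # A pause longer than max_gap closes the current burst.
        if current and it[2] - current[-1][2] > max_gap:
            if len(current) >= min_size:
                bursts.append(current)
            current = []
        current.append(it)
    if len(current) >= min_size:
        bursts.append(current)
    return bursts

def summarize(burst):
    """Span and rate of one burst, plus the range of creation dates it covers."""
    span = (burst[-1][2] - burst[0][2]).total_seconds()
    return {"count": len(burst), "first": burst[0][2], "last": burst[-1][2],
            "span_seconds": span,
            "items_per_second": round(len(burst) / max(span, 1.0), 2),
            "oldest_created": min(it[1] for it in burst),
            "newest_created": max(it[1] for it in burst)}

def build_sample():
    """Constructed data: 300 old items touched in about 4 minutes, plus normal mail."""
    base = datetime(2011, 1, 10, 9, 0, 0)  # constructed timestamp
    old = [(f"old-{i}", datetime(2006 + i % 4, 3, 1, 8, 0),
            base + timedelta(seconds=i * 0.8)) for i in range(300)]
    # Normal items: modified within two seconds of creation.
    normal = [(f"new-{i}", base + timedelta(hours=i),
               base + timedelta(hours=i, seconds=1)) for i in range(20)]
    # One old item touched in isolation; too small to count as a burst.
    lone = [("lone-1", datetime(2008, 5, 5, 12, 0), base + timedelta(days=2))]
    return old + normal + lone

if __name__ == "__main__":
    sample = build_sample()
    for b in find_bursts(sample, datetime(2011, 1, 1), datetime(2011, 1, 31)):
        print(summarize(b))
```
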
 
