PST - email last modification date

kiashi
(@kiashi)
Posts: 99
Trusted Member
Topic starter
 

Hello All, I am hoping for some guidance in a case that I am currently working on. There is an allegation that another person was accessing the email of a suspended worker after the date of their suspension. The domain account and email account of the suspended subject were not disabled and so continued to receive new emails within this period.

The anomaly exists where I have located a large number of emails/calendar items that have a 'last modified date' within the suspension period, however their 'created date' (received date for emails) is in some cases as long as 4 years in the past.

So my question is as follows: What actions tend to alter this 'last modified date'? I have EnCase and Intella in agreement with the dates they are showing me.

A number (~300) of items have a 'last modified date' set to within a range of 4 minutes, which seems to indicate some kind of automated process acting on them such as a virus scan or archive. Their creation dates range however from 2006 to 2009. Any ideas?

I am looking into this but as we are a Notes shop here I'll have to set up some kind of virtual environment to test it.

 
Posted : 20/01/2011 4:24 pm
(@research1)
Posts: 165
Estimable Member
 

Are the create dates all before the suspension? If so, and all modification dates follow a strong time pattern, I'd be inclined to say automated process.

Determining which process I would not know, possibly event logs can assist you there?

 
Posted : 20/01/2011 4:37 pm
kiashi
(@kiashi)
Posts: 99
Trusted Member
Topic starter
 

Thanks for your quick reply research1, yes the created dates are all before the date of suspension.

I suppose it is theoretically possible to preview 300 mail items in 4 minutes but I'm just most hung up on what changes this 'last modification date'. The vast majority of emails have a 'last modification date' which either matches or is within about two seconds of the 'creation date'. Therefore I doubt just previewing or reading an email would change its mod date.

Has anyone done any testing on this?

 
Posted : 20/01/2011 5:02 pm
jhup
(@jhup)
Posts: 1442
Noble Member
 

Actually it is not that impossible.

Turn preview pane on, then check "Mark item as read when selection changes" under options, then hold the arrow key down. It can be done in less than 10 seconds.

Or, simply select a folder, and press Ctrl-Q. Mark all as read . . .

 
Posted : 21/01/2011 9:55 am
kiashi
(@kiashi)
Posts: 99
Trusted Member
Topic starter
 

Cheers jhup, so marking as read is a condition that will change the modification date? That is good to know. I haven't had a chance to look into it further myself yet but will hopefully next week.

 
Posted : 21/01/2011 6:29 pm
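
An added example, not posted by any participant in this thread: one way to triage the pattern discussed above from an exported item list, by isolating items created before the period of interest but modified inside it and grouping them into bursts by modification time. The sample rows, the period dates and the 30-second burst gap are assumptions constructed for illustration; the 2-second tolerance follows the "within about two seconds" observation in the thread.

```python
from datetime import datetime, timedelta

FMT = "%d/%m/%Y %H:%M:%S"
# Constructed rows (item id, created/received, last modified); not case data.
SAMPLE = [
    ("msg-001", "03/02/2006 09:15:10", "03/02/2006 09:15:11"),
    ("msg-002", "14/06/2006 10:00:00", "15/11/2010 14:02:05"),
    ("msg-003", "09/01/2007 16:45:30", "15/11/2010 14:02:07"),
    ("msg-004", "22/03/2008 11:20:00", "15/11/2010 14:02:20"),
    ("msg-005", "20/08/2009 08:05:45", "15/11/2010 14:02:31"),
    ("msg-006", "05/05/2008 13:00:00", "02/12/2010 09:40:00"),
    ("msg-007", "20/11/2010 08:30:00", "20/11/2010 08:30:01"),
]
# Assumed period of interest, constructed for the sample.
START = datetime(2010, 11, 1)
END = datetime(2010, 12, 31, 23, 59, 59)

def parse(rows):
    return [(i, datetime.strptime(c, FMT), datetime.strptime(m, FMT)) for i, c, m in rows]

def anomalous(items, start, end, tolerance=timedelta(seconds=2)):
    """Created before the period, modified inside it, gap larger than tolerance."""
    hits = [it for it in items
            if it[1] < start <= it[2] <= end and it[2] - it[1] > tolerance]
    return sorted(hits, key=lambda it: it[2])

def bursts(items, max_gap=timedelta(seconds=30)):
    """Split time-sorted items into runs whose consecutive gaps are <= max_gap."""
    groups = []
    for it in items:
        if groups and it[2] - groups[-1][-1][2] <= max_gap:
            groups[-1].append(it)
        else:
            groups.append([it])
    return groups

def summarize(groups):
    return [{"count": len(g),
             "first_modified": g[0][2],
             "span_seconds": (g[-1][2] - g[0][2]).total_seconds(),
             "created_years": (min(x[1] for x in g).year, max(x[1] for x in g).year)}
            for g in groups]

if __name__ == "__main__":
    for row in summarize(bursts(anomalous(parse(SAMPLE), START, END))):
        print(row)
```

The output only characterises the timing of the changes (how many items, over how many seconds, across which creation years); it does not identify which action or process made them.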