Submitted time and delivered time?
I was just asked what the difference is between submitted time and delivered time in FTK's email view, and I realize I have no answer. There is nothing in the help file or in the documentation I have available. Can anyone help?
I suspect that submitted time is either the timestamp from the email client or from the first email server (originating email server), and that delivered time is either the timestamp from the receiving email client, or from the last/receiving/target email server. Does anyone know for sure?
I think I have asked myself the same question in the past and ended up doing some testing with known data by sending and receiving emails using Outlook and then examined the PST in FTK. I don't remember the answer; the best way is to always confirm this yourself anyway.
Yes, I have performed some tests, and will do more next week. I was just hoping that someone might point me in the right direction. All I've found so far is that submit time seems to be the time stamp set by the sending client, and not by any servers. I haven't managed to create an email with a delivered time yet and I'm not sure what to test next apart from different email servers, clients and protocols.
Looks like you're talking Outlook - and perhaps an Exchange server at the other end?
If so, there are two notification options you can attach to a sent email, one is requesting a Read Receipt and the second is requesting Delivery Notification.
One test where you can see the difference: Outlook allows you to go into Offline cached mode, and so create an email and request Delivery notification. Click send. Wait a few minutes and then 'go online' and allow Outlook to deliver/sync up with the Exchange server. You will get a delivery notification showing the message is delivered.
When you view that message in FTK you will see the difference - Submitted is when you click Send, Delivered is when the Exchange server reports back to you that the email was placed in the target's mailbox or sent to the next hop.
If you're not using an Exchange server then this timestamp means very little and is auto-populated with the 'submitted' timestamp (this is my observation only - no documentation on this piece).
Different email clients may behave differently with regard to time stamps, so unless you know the client used to send the email, the rest will be speculation. For instance, is "submitted time" the time that the user pressed send or the time the email client sent the email to the first server in the chain? (this can differ by quite a margin - for example if the email client is offline when the user presses send).
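Added example, not part of the thread and not FTK code: the offline-send gap discussed above, measured at the header level by comparing the client-written `Date` header with the server-written `Received` stamps. It assumes an exported RFC 5322 message; the sample message, hosts and times are constructed, and nothing here claims that FTK fills its Submitted/Delivered fields from these headers.

```python
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: the client stamps Date at 10:02 local time while offline,
# and the first server only sees the message at 10:46 local time.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [192.0.2.20])
\tby mbox.example.net with ESMTP id CONSTRUCTED2;
\tTue, 05 Mar 2024 09:47:12 +0000
Received: from laptop.example.org (laptop.example.org [192.0.2.10])
\tby smtp.example.org with ESMTPSA id CONSTRUCTED1;
\tTue, 05 Mar 2024 10:46:58 +0100
Date: Tue, 05 Mar 2024 10:02:31 +0100
From: alice@example.org
To: bob@example.net
Subject: constructed test message

body
"""

def header_times(raw):
    """Return (client_date, hop_times) with hops ordered oldest to newest."""
    msg = message_from_string(raw)
    client = parsedate_to_datetime(msg["Date"])
    hops = []
    for rcv in msg.get_all("Received", []):
        # The server's timestamp is the text after the last ';' in the header.
        stamp = rcv.rsplit(";", 1)[-1].strip()
        hops.append(parsedate_to_datetime(stamp))
    hops.reverse()  # servers prepend headers, so the bottom one is the first hop
    return client, hops

def summarize(raw):
    """Compare the client-set time with the first and last server-set times."""
    client, hops = header_times(raw)
    if not hops:  # e.g. a Sent Items copy that never passed through a server
        return {"client_date": client, "first_hop": None, "last_hop": None}
    return {
        "client_date": client,
        "first_hop": hops[0],
        "last_hop": hops[-1],
        "queued_before_first_hop": hops[0] - client,  # client clock vs first server
        "transit": hops[-1] - hops[0],                # server-to-server time
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key:26} {value}")
```

The `Date` value comes from the sender's clock and can be wrong or altered, so only the `Received` stamps give server-side corroboration of when the message actually moved.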