Alter an email mess...
 
Notifications
Clear all

Alter an email message in your mailbox

11 Posts
4 Users
0 Likes
3,562 Views
(@jahearne)
Posts: 35
Eminent Member
Topic starter
 

I am working on a case where someone allegedly entered a sentence into the body of an email message after it was originally sent to 3 people. This alleged email is a reply to an email my client sent.

I have online access (usernames and passwords) to two of those three email accounts (my client's Gmail account and another Yahoo account). My client has the original email in his Sent Items. And both Gmail and Yahoo accounts, each have the alleged reply message in their Inboxes. The reply message in the Gmail & Yahoo accounts do NOT have that allegedly added sentence. (I used Nuix to collect and preserve the email messages.)

My client is asking me to prove that the allegedly added sentence is a forgery!

It is my understanding and experience that you can not modify the body of an email message while is it sitting in your Inbox. There is no way that they could have deleted/removed that alleged sentence, can they?

I know in an email chain, you can modify the body of a previous message when you reply (or forward ???) it; that's easy to do. But can you modify it once you received it in your Inbox. Is there an email client that can do so that anyone knows of (and of course sync it back to the server?

Of course if I am challenged, my client's counsel can request the alleged reply message from the sender and the other 3rd person.

I appreciate any insight, thanks!

 
Posted : 17/01/2019 5:04 am
(@jahearne)
Posts: 35
Eminent Member
Topic starter
 

I think I just answered my own question. I discovered a way to edit the body of a message. Waiting for it sync back to the server…

 
Posted : 17/01/2019 6:20 am
(@trewmte)
Posts: 1877
Noble Member
 

I discovered a way to edit the body of a message. Waiting for it sync back to the server…

OK, how? I am talking POC here..

 
Posted : 17/01/2019 12:51 pm
(@jahearne)
Posts: 35
Eminent Member
Topic starter
 

Here's a link I found showing how to make changes to the body and subject of an email messages already in your inbox.

https://www.wikihow.com/Edit-Received-Emails-in-Outlook

I used Microsoft Outlook 2013 set up to my personal Gmail account using IMAP. Downloaded most messages. Picked a message labeled "Boats", that only had a few messages in there so it would be easy to identify the edited messages.

Then printed the original source before I edited that particular email message with the subject "RE 1964+Chris+Craft+Constellation" dated 2/26/2018 133347 -0800 (PST).

Following the directions from the link above, Actions menu > Edit Message, edited my name from John to Johnny, and then hit Ctrl + S.

Then went to Send/Receive tab and clicked Send/Receive All Folders. Waited for it to sync, went to a different computer (a Mac), logged into my Gmail account and viewed the email message "RE 1964+Chris+Craft+Constellation". Sure enough the my name edit went through. Then printed the source page and started comparing the email header and metadata between both email messages - before and after.

There are clearly differences in the header and metadata, most noticeable is the metadata at the end of the message body changed from
"<html><head></head><body>< …."
to
"<html xmlnsv=3D"urnschema-microsoft-comvml" …"

There are other differences too, such as change of Content Transfer Encoding from quoted-printable to 8bit. Also, the DKIM signature is missing among other things.

Having the before and after print outs of the original source, you can clearly see the difference in metadata. But one message by itself, there is no definitive identifier that says this email message has been altered.

The dates, time, zone are the same, MX servers the same, email addresses all the same, IP addresses are the same, message ID the same, References the same, X-Mailer the same, etc.

I even found different epoc time stamps 1519680817287 and 1519680816675, but both translate to the original date 3/18/2018.

Nothing beautiful like… this messages has been edited by Outlook on 1/16/2019 1020 PM (PST). No such luck…

There maybe something subtle, but I can't find it. At this point, I can not authenticate email messages between two parties to definitively say one is original and the other is a forgery.

What do you all think?

 
Posted : 17/01/2019 5:31 pm
gungora
(@gungora)
Posts: 33
Eminent Member
 

In my experience, altering the message the way you described when connected to Gmail via IMAP would cause Gmail to assign the message a new unique identifier (UID). UIDs are assigned in an ascending manner, so this would cause the altered message to be out of order chronologically when compared to its neighbors. As part of your preservation workflow, you can capture message UIDs and check their order along with the timestamps of the messages.

Depending on the email client, altering the message could also cause the internal date metadata the server has about the message to be updated. This is metadata that you can acquire from the server, not something you would find within the message itself. Unfortunately, the method you described—using Outlook—doesn't cause Gmail to update the internal date metadata.

I had written about this a while back, you might find some of the information useful
https://www.metaspike.com/imap-internal-date-forensic-email-authentication/

Looking at the message itself, assuming, as an example, that the edits were performed using Outlook 2013, you might find artifacts such as

The X-Mailer header field being populated with "Microsoft Outlook 15.0"
The header date of the message being re-written reflecting the time zone where the message was edited (i.e., same timestamp, shown in a different time zone)
Thread-Index header field being introduced by Outlook
Multipart MIME entity boundary delimiters that are inconsistent with those of other messages between the same parties
Header fields that were removed by Outlook, etc.

The message could have been altered using various tools/methods. I would be inclined to examine a number of undisputed, legitimate messages between the parties and determine if and how they are different than the messages in question. Since you have server access, I would suggest preserving server-side metadata such as internal dates and UIDs along with the raw copies of the messages (i.e., RFC 5322).

 
Posted : 18/01/2019 4:48 am
watcher
(@watcher)
Posts: 125
Estimable Member
 

Let me start by saying I'm confused.

"… someone allegedly entered a sentence into the body of an email message after it was originally sent …"

"… It is my understanding and experience that you can not modify the body of an email message while is it sitting in your Inbox …"

So first off, the question pertains to the possibility of multiple recipients altering their inbox, or the sender altering his outbox? Or both?

Most of the replies to date implicitly assume either web based server, or Imap server stored email, but I see nothing in the original question that precludes client side email that would be subject to direct edit.

Depending upon the scenario, which I am not clear on here, client side email could be directly edited, and web based email could be altered in stream.

That's the whole point of using digital signatures, email can be undetectably altered without a digital signature.

 
Posted : 18/01/2019 8:19 pm
(@jahearne)
Posts: 35
Eminent Member
Topic starter
 

Thanks Arman!

I like the article, a lot of good information. The article centers around a date change and yes, I do have several date indicators but they all match up (on my sample and on the two accounts that I have access via my client).

I didn't know about the server Internal Date Message Attribute, unfortunately, Nuix doesn't pick up on that. In my example (my personal Gmail account), not sure what the UID would be. I have "X-Google-Smtp-Source" and X-Received with SMTP id. The SMTP id has an epoch date in it, but the both match with the original message and the one I altered. When I'm in Gmail and select Show Original, I don't get the Internal Date Message Attribute or UID, do I?

In the alleged messages dealing with my client, they have indeed been created using Microsoft Outlook and do have the X-Mailer "Microsoft Outlook 14". Both message from my client have matching Thread Indexes. I would need metadata from the other party to compare.

Looks like I'm going to need the header/metadata from the sender of the alleged email (and the 3rd person) in order to a thorough comparison. And if if find something, I'll most likely need access to the originating computer to validate my findings, maybe.

A lot of good information! Thanks again,

 
Posted : 18/01/2019 9:52 pm
gungora
(@gungora)
Posts: 33
Eminent Member
 

I didn't know about the server Internal Date Message Attribute, unfortunately, Nuix doesn't pick up on that. In my example (my personal Gmail account), not sure what the UID would be. I have "X-Google-Smtp-Source" and X-Received with SMTP id. The SMTP id has an epoch date in it, but the both match with the original message and the one I altered. When I'm in Gmail and select Show Original, I don't get the Internal Date Message Attribute or UID, do I?

Hi John,

That's right; selecting "Show Original" in Gmail wouldn't show you the UID of the message. UID is an IMAP concept, and you can capture it with other server-side metadata during preservation—provided that your tool supports it. You can also query it by directly talking to the IMAP server. In one of our webinars, I was connecting to an IMAP server and issuing some commands manually to show UIDs and internal dates—I will dig it up and PM you the link.

When analyzing an altered message, you would want to be looking at the message along with its neighbors to see if their UIDs are in sequence when they are in chronological order. You could do this by selecting a folder (i.e., EXAMINE) and then running an IMAP SEARCH command to narrow the contents down.

 
Posted : 18/01/2019 11:23 pm
(@jahearne)
Posts: 35
Eminent Member
Topic starter
 

Let me start by saying I'm confused.

You should have seen me when I first started this case! Couldn't see straight for half a day… jk.

 
Posted : 19/01/2019 12:17 am
(@jahearne)
Posts: 35
Eminent Member
Topic starter
 

I didn't know about the server Internal Date Message Attribute, unfortunately, Nuix doesn't pick up on that. In my example (my personal Gmail account), not sure what the UID would be. I have "X-Google-Smtp-Source" and X-Received with SMTP id. The SMTP id has an epoch date in it, but the both match with the original message and the one I altered. When I'm in Gmail and select Show Original, I don't get the Internal Date Message Attribute or UID, do I?

Hi John,

That's right; selecting "Show Original" in Gmail wouldn't show you the UID of the message. UID is an IMAP concept, and you can capture it with other server-side metadata during preservation—provided that your tool supports it. You can also query it by directly talking to the IMAP server. In one of our webinars, I was connecting to an IMAP server and issuing some commands manually to show UIDs and internal dates—I will dig it up and PM you the link.

When analyzing an altered message, you would want to be looking at the message along with its neighbors to see if their UIDs are in sequence when they are in chronological order. You could do this by selecting a folder (i.e., EXAMINE) and then running an IMAP SEARCH command to narrow the contents down.

Hi Arman,

Nice work on your article!

https://articles.forensicfocus.com/2019/01/29/forensic-examination-of-manipulated-email-in-gmail/?unapproved=116215&moderation-hash=9b162c66f40148eaa5baec9fa26ab848#comment-116215

I think the FILETIME date could be the key in my case!

Thanks,
John

 
Posted : 28/02/2019 9:26 pm
Page 1 / 2
Share: