Email Attachment has Future Modification Date
I have an email that was sent in Jan 2018 with an attached Excel spreadsheet. After collection, the file modification date on the Excel spreadsheet shows as June 2019 which is well over a year into the future of the email sent date. Has anybody seen this before and help me out with any explanation?
For what it's worth, the PST is from a Microsoft Exchange mailbox, was collected earlier this year and I'm navigating it with EnCase at the moment.
How did you determine the Excel file's modification date? And which date field are you looking at?
You may have success looking at the extended MAPI properties; I'm not sure if Encase displays this, so you can export the PST and open with Outlookspy (through outlook) or standalone MFCMAPI (outlook needs to be installed, but you can just load up the PST I think, definitely an MSG file).
I'd suggest testing some things; primarily what happens if you open an email in Outlook that has an attachment and edit it. The other thing would to build a timeline of all of the dates within the email to make sure that theres nothing in there that indicates forgery, having an attachment modified after the email was sent may indicate that (or maybe the time on the sending computer was wrong?). I'd suggest taking a look at Arman Gungor's recent webinars on the Metaspike CTF, and I have written up a few of the challenges as well on thinkdfir.