
Email MAPI Assistance  

ZeroDayChill
(@zerodaychill)
New Member

Hi Everyone,

We have recently started working on a case where we suspect that there may have been some email tampering involved. The reason is that we have identified a number of emails where the attachments' modified dates (within the PST) are a few months after the email was received.

We currently don't have access to the sender's email & did not perform the collections ourselves. We have been informed that it was collected directly from Exchange (but no idea how/with what tools etc.). Analysing the data, we have identified something strange within the PST we do have.

Using OutlookSpy we have identified that one of the attachments has the field PR_Attach_Long_Pathname_W populated. This field maintains the path of the attachment as being in the receiver's user profile and not the sender's, which I find extremely odd. Does anyone know when this field gets populated? I've done a bunch of research and testing and can't seem to get an answer. Secondly, some plausible explanations as to why modified dates of the attachments were after sent dates would be really helpful 🙂

 

Thank you!

Posted : 06/08/2020 5:12 pm