Checking several forumns I've come across the question of how to tell if an email within an Outlook .pst file has been open and read by a suspect.
I've seen the obvious method of exporting the .pst file out to a clean copy of Outlook and seeing how the emails appear. That is not the best method since a user can mark an email as unread after it was open and read.
Is there a tested method for determining if an email has been read by a suspect. Is there a hidden flag of sorts that can be displayed with EnCase Version 6.14.
I figured it out after doing my own testing.
The Additional Fields Tab contains a value for "Message Flags"
"1" indicates the email was opened and "Flagged as Follow-Up"
"2" indicates the email was not opened or opened and "Marked as Unread"
"3" indicates the email was opened
Microsoft Outlook apparently does not make a distinction when an email has been read and then "Marked as Unread" – it displays it as "Unread" even though it was previously opened.
I figured it out after doing my own testing.
The Additional Fields Tab contains a value for "Message Flags"
"1" indicates the email was opened and "Flagged as Follow-Up"
"2" indicates the email was not opened or opened and "Marked as Unread"
"3" indicates the email was opened
Microsoft Outlook apparently does not make a distinction when an email has been read and then "Marked as Unread" – it displays it as "Unread" even though it was previously opened.
Could you give a bit more detail please (like how to get to those message flags). I recently have a task to determine whether an email has been opened/read. Please help.
Excellent thread. I do have one question. Is this possible in FTK?
I've been doing some research, and no answer yet. Rich has been a big help is that research, so if there are any FTK users reading, and you know which attribute in the properties pane displays the original read/unread status, please let me know.
Thanks,
BSE
พุงหมู
What tools do you have to process PSTs?