
Question RE Outlook Email Attachments

 Anonymous

Hi All,

I wanted to bounce something off everyone to see if you have ever encountered this or know of a way in which this can be detected.

Specific to Outlook 2016 (However, I recall you can do this with other versions) if you right-click on an attachment in a given email, you have the option to remove an attachment and can save the message.

Let's assume you have a message with two attachments and one is removed, how would you be able to prove this short of some obvious indication of the attachment in the body of the message or the conversation alluding to it? I am aware of the attachment value in the message header, but this would only indicate if there was an attachment, not how many.

Thx!

Topic starter Posted : 08/08/2017 11:49 pm
jpickens
(@jpickens)
Active Member

If it's in an Exchange environment, and retention policies are in place, you can pull the original from the mail server and compare.

Just because a change in Outlook happens, does not mean it will always reflect the mail server storage.

Posted : 09/08/2017 7:24 pm
 Anonymous

> If it's in an Exchange environment, and retention policies are in place, you can pull the original from the mail server and compare.
>
> Just because a change in Outlook happens, does not mean it will always reflect the mail server storage.

Sorry, should have mentioned this - Let's assume it's a PST you have been provided/collected and the Exchange Server is not an option.

Topic starter Posted : 09/08/2017 9:21 pm
JimC
(@jimc)
Member

My understanding is that the PST file is a mini file system (Microsoft Compound Binary format).

There may be some evidence of the attachment content (and even the original message) remaining in the PST *if* you can get hold of it soon after the event. However, as with all file systems, your mileage will reduce with time.

Jim

www.binarymarkup.com

Posted : 09/08/2017 9:36 pm
 Anonymous

Thanks Jim - I had tried testing that method on a sample PST I created with no luck, will go back to the drawing board.

I would assume if this were for a Discovery matter where .MSG files were produced (stand alone) then there really would be no hope either!

> My understanding is that the PST file is a mini file system (Microsoft Compound Binary format).
>
> There may be some evidence of the attachment content (and even the original message) remaining in the PST *if* you can get hold of it soon after the event. However, as with all file systems, your mileage will reduce with time.
>
> Jim
>
> www.binarymarkup.com

Topic starter Posted : 09/08/2017 9:46 pm
gungora
(@gungora)
Junior Member

In my experience, when you remove attachments in that manner, the MSG file would not be compacted. So:

* The size of the MSG file would typically reflect the original size of the message, including its attachments—it may be larger.

* You can often find the contents of the attachments in the MSG even though the attachments are not accessible via the Outlook GUI or MAPI.

To test this quickly, I found an MSG file with two PDF attachments. Removed the attachments as you described using Outlook 2007 and saved the message. The size of the MSG file increased from 975 KB to 1,004 KB even though I removed the attachments.

I then opened the new MSG file in a hex editor and was able to find the XMP metadata streams of both of the "removed" PDFs.

Will play further to see if I can extract the "removed" PDFs.

Posted : 10/08/2017 4:17 am
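
Added example, not part of gungora's post or the linked article: a Python sketch that automates the hex-editor check described above by reading the compound file's FAT and reporting sectors that are marked free but still hold data, with any PDF/XMP markers found in them. It assumes the leftover attachment bytes sit in FAT-free sectors (the thread only says they remain somewhere in the MSG), handles only the 109 FAT sectors listed in the header (files up to roughly 7 MB with 512-byte sectors), and the function names and sample file are constructed for illustration.

```python
import struct

CFB_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
FREESECT, ENDOFCHAIN, FATSECT = 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFFFD
MARKERS = (b"%PDF-", b"<x:xmpmeta")   # PDF header and XMP packet strings

def residue_in_free_sectors(blob):
    """Return [(sector_id, file_offset, markers)] for free sectors holding data."""
    if blob[:8] != CFB_MAGIC:
        raise ValueError("not a compound file (MSG) header")
    size = 1 << struct.unpack_from("<H", blob, 30)[0]    # sector size, 512 for v3
    n_fat = struct.unpack_from("<I", blob, 44)[0]        # number of FAT sectors
    difat = struct.unpack_from("<109I", blob, 76)        # FAT sector ids in header
    fat = []
    for sid in difat[:n_fat]:                            # DIFAT sectors not followed
        fat += struct.unpack_from("<%dI" % (size // 4), blob, (sid + 1) * size)
    hits = []
    for sid, nxt in enumerate(fat):
        offset = (sid + 1) * size                        # header occupies sector -1
        data = blob[offset:offset + size]
        if nxt == FREESECT and any(data):                # unallocated but not zeroed
            hits.append((sid, offset, [m for m in MARKERS if m in data]))
    return hits

def constructed_sample():
    """Constructed test file: header, FAT, empty directory, one dirty free sector."""
    hdr = CFB_MAGIC + bytes(16) + struct.pack(
        "<HHHHH6xIIIIIIIII", 0x3E, 3, 0xFFFE, 9, 6,      # versions, order, shifts
        0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)  # 1 FAT sector, dir at 1
    hdr += struct.pack("<109I", 0, *[FREESECT] * 108)    # FAT lives in sector 0
    fat = struct.pack("<128I", FATSECT, ENDOFCHAIN, *[FREESECT] * 126)
    leftover = b"%PDF-1.4 constructed residue".ljust(512, b"\0")
    return hdr + fat + bytes(512) + leftover             # sector 2 is free

if __name__ == "__main__":
    for sid, offset, markers in residue_in_free_sectors(constructed_sample()):
        print(f"free sector {sid} at offset {offset:#x}: {markers}")
```

The reported offsets can be opened directly in a hex editor; a marker that straddles a sector boundary is missed by this per-sector search.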
passcodeunlock
(@passcodeunlock)
Senior Member

JimC is right, the PST is a mini file system with a well-defined structure (Microsoft Compound Binary Format).

If the PST was used as the default local mail container and it wasn't manually compacted, you will have traces of all deleted attachments from your mails, since there is a placeholder space for each deleted attachment. After compacting the PST these placeholder areas are removed.

If your PST was created as "export to PST" after the attachment was removed, most probably you won't have any traces of the deleted attachment, since before exporting to PST there is a compacting process first.

Posted : 10/08/2017 12:19 pm
Passmark
(@passmark)
Active Member

By chance, I had this question yesterday, in a real case from one of our local customers.

Solution turned up in the recent activity from the Windows Event Log for "Microsoft Office Alerts".

It seems, at least by default, that Office logs documents removal requests in its event log.

Posted : 10/08/2017 2:07 pm
 Anonymous

Thanks for this!

> In my experience, when you remove attachments in that manner, the MSG file would not be compacted. So:
>
> * The size of the MSG file would typically reflect the original size of the message, including its attachments—it may be larger.
>
> * You can often find the contents of the attachments in the MSG even though the attachments are not accessible via the Outlook GUI or MAPI.
>
> To test this quickly, I found an MSG file with two PDF attachments. Removed the attachments as you described using Outlook 2007 and saved the message. The size of the MSG file increased from 975 KB to 1,004 KB even though I removed the attachments.
>
> I then opened the new MSG file in a hex editor and was able to find the XMP metadata streams of both of the "removed" PDFs.
>
> Will play further to see if I can extract the "removed" PDFs.

Topic starter Posted : 10/08/2017 10:27 pm
 Anonymous

Good tip thanks, will pass that one along.

The scenario I was curious about was a provided PST and/or standalone MSG where you cannot go back to the source system assuming there was no image taken - just provided items.

> By chance, I had this question yesterday, in a real case from one of our local customers.
>
> Solution turned up in the recent activity from the Windows Event Log for "Microsoft Office Alerts".
>
> It seems, at least by default, that Office logs documents removal requests in its event log.

Topic starter Posted : 10/08/2017 10:29 pm
Cults14
(@cults14)
Active Member

Not sure of my ground here but if the Modified Date/Time on the message was noticeably different from the Received Date/Time, would that indicate a change of some kind?

May not be much to go on

Cheers

Posted : 22/08/2017 4:22 pm
gungora
(@gungora)
Junior Member

> Not sure of my ground here but if the Modified Date/Time on the message was noticeably different from the Received Date/Time, would that indicate a change of some kind?
>
> May not be much to go on
>
> Cheers

When emails are produced in MSG format as per flytnx's question, internal creation and modification timestamps are typically updated to reflect the time when the messages were extracted from the mailbox. I can think of a couple of scenarios where your suggestion may be applicable:

* You have a production where all MSGs have creation and modification timestamps very close to each other—reflecting the time when the production was exported—and a small subset of messages have later modification timestamps. This may indicate that some of these messages were modified after the fact, or perhaps the production was patched in some way by running a subsequent export.

* The files were originally maintained in MSG format long before production. For instance, if someone was saving important messages by dumping them to the file system as MSG files from Outlook. If those messages have internal modification dates when they should not, this can be a red flag.

Posted : 22/08/2017 7:08 pm
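
Added example, not part of gungora's post: a Python sketch of the first scenario above, flagging messages in a production whose internal modification time falls well after the cluster of export-time timestamps. It assumes the internal creation and modification times have already been extracted from each MSG with another tool; the function name, the 10-minute tolerance and the sample records are constructed for illustration.

```python
from datetime import datetime, timedelta
from statistics import median_low

def flag_late_modifications(messages, tolerance=timedelta(minutes=10)):
    """messages: iterable of (name, created, modified) internal MSG timestamps.

    Returns {name: [reasons]} for messages that stand out from the export cluster.
    """
    messages = list(messages)
    # The bulk of a production is stamped at export time, so the median
    # modification time is a robust estimate of when the export ran.
    export_time = median_low(m[2] for m in messages)
    flagged = {}
    for name, created, modified in messages:
        reasons = []
        if modified - export_time > tolerance:
            reasons.append("modified after export cluster")
        if modified - created > tolerance:
            reasons.append("modified after creation")
        if reasons:
            flagged[name] = reasons
    return flagged

# Constructed sample: five messages exported within minutes of each other,
# one of which carries a modification time two days later.
T = datetime(2017, 8, 1, 10, 0, 0)
SAMPLE = [
    ("msg0001.msg", T + timedelta(seconds=2), T + timedelta(seconds=5)),
    ("msg0002.msg", T + timedelta(seconds=35), T + timedelta(seconds=40)),
    ("msg0003.msg", T + timedelta(seconds=65), T + timedelta(seconds=70)),
    ("msg0004.msg", T + timedelta(seconds=90), T + timedelta(days=2, hours=6)),
    ("msg0005.msg", T + timedelta(seconds=115), T + timedelta(seconds=120)),
]

if __name__ == "__main__":
    for name, reasons in flag_late_modifications(SAMPLE).items():
        print(name, "->", "; ".join(reasons))
```

A flagged message is only a lead for closer examination: as the post notes, a later timestamp can also come from a subsequent export that patched the production.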
gungora
(@gungora)
Junior Member

Thanks for this!

I was able to recover the attachments after all. I made this into a blog post so you can better see what I was looking at.

https://www.metaspike.com/recovering-removed-email-attachments/

Posted : 01/09/2017 10:00 pm
bilbofids
(@bilbofids)
New Member

@gungora thanks for that great article.

I was wondering if it is possible to detect the reverse of this, that is if an attachment had been added to an email rather than removed, or if an attachment already present had been modified?

Posted : 27/01/2021 3:22 pm