Wrong timestamp on Yahoo Mail email  

freebird
(@freebird)
New Member

In 2015 I was convicted of a serious criminal offence and sentenced to years in prison. I am now out on bail pending appeal. In evidence was an email that I sent from Toronto in the early morning hours of Sept. 19, 2011 but bore a timestamp of 12:06 PM, which very much appeared to the court that the email was intended to create an alibi for me - it's a long story.

Is there any way to track down the true time that email was sent? I have the original headers from the email, which DOES bear a timestamp of 12:06. I have spoken to computer specialists who have insisted that the email must have been sent at the time of the timestamp.
It wasn't.

I am rapidly running out of time on this.

Posted : 05/02/2018 5:24 pm
jasonlee
(@jasonlee)
New Member

Are you sure it wasn't in UTC ?

Posted : 05/02/2018 5:43 pm
freebird
(@freebird)
New Member

That was taken into account - the timestamp is 12:06 PM. One proposed possibility is that it was sent via a very weak wireless signal - which in fact it was! Whether this is what happened or some other thing, I need to know how to dig out the info in a manner that a court would consider proof.

Posted : 05/02/2018 5:46 pm
jaclaz
(@jaclaz)
Community Legend

Is there any way to track down the true time that email was sent?

Unless the email header was forged/fiddled with, the send date/time in the header is correct.

There may be an issue with timezone (and possibly also with DST - Daylight Saving Time or whatever it is called in the US, but this will only at the most offset one hour), check against
https://www.lifewire.com/how-to-understand-date-and-time-in-email-headers-1170524

Without the actual data in the header it is impossible to know if any of the above issues may be relevant.

Besides the specific e-mail, a complete report/examination of the device mass storage involved may provide a timeline of the usage, and either support the accuracy of that date/timestamp (and the way the data has been interpreted) or put it in doubt.

jaclaz

Posted : 05/02/2018 5:52 pm
jaclaz
(@jaclaz)
Community Legend

That was taken into account - the timestamp is 12:06 PM.

We need the actual FULL DATA as is.
12:06 PM means NOTHING.
12:06 PM (+0000) means something, 12:06 PM (-0500) means something else.

See also reply on your duplicate thread
https://www.forensicfocus.com/Forums/viewtopic/t=16293/

jaclaz

Posted : 05/02/2018 5:58 pm
freebird
(@freebird)
New Member

I would not be surprised to learn that the timestamp had been altered by police experts, if such a thing is possible - I suffer from no psychoses, and why I consider such a thing possible is yet another long story.

I have the email headers, they take up 2 pages but there was no way to attach it to my posts.

I owned 2 computers at the time the email was sent, a PC and laptop. Over the years I was in prison (since Sept. 2011 until Feb 2016) the PC has disappeared but I have the laptop and the drive has not been formatted.

Posted : 05/02/2018 6:00 pm
jaclaz
(@jaclaz)
Community Legend

I have the email headers, they take up 2 pages but there was no way to attach it to my posts.

Make SURE (and I mean REALLY SURE, DOUBLE and TRIPLE check this) that you "anonymize" them ACCURATELY, removing ALL occurrences of the Sender address (replacing it with - say - "[email protected]") and ALL occurrences of the Recipient(s) (replacing it/them with - still say - "[email protected]").

Then copy and paste to - say - pastebin
https://pastebin.com/
and post a link to the page.

jaclaz

Posted : 05/02/2018 6:13 pm
Jamie
(@jamie)
Community Legend

Duplicate topics merged (also, see above post for good advice).

Posted : 05/02/2018 7:21 pm
freebird
(@freebird)
New Member

https://drive.google.com/open?id=1sPHSWgpeq6hDp6KDwx3AObGw24UHMiYu

You will see a date of Sep 20, 2011 at the top of the page - this is the receiver of my Sep 19, 2011 email forwarding the email headers to an investigating police officer. The email headers, as you will probably immediately realize, are of the email I sent on Sep. 19, 2011.

Posted : 05/02/2018 7:32 pm
jaclaz
(@jaclaz)
Community Legend

Everything happened (roughly) on
Date: Mon, 19 Sep 2011 09:06:53 -0700 PDT
give or take a few minutes.
Some of the intermediate "hops" are
Date: Mon, 19 Sep 2011 16:06:53 -0000 (i.e. UTC)

The PDT means Pacific Daylight Time
https://www.timeanddate.com/time/zones/pdt

And it is actually -0700 (seven hours behind) UTC.

This is compliant/coherent with the "default" settings for Yahoo Mail
https://www.techwalla.com/articles/how-to-change-time-zones-on-yahoo-mail

In UTC the time needs to be added 7 hours, so it comes out as 9+7=16
16:06:53 UTC (or Zulu or -0000)

In Toronto, on 19 Sep 2011 local time should have been
https://www.timeanddate.com/time/zone/canada/toronto
EDT, i.e. UTC minus 4 hours
https://www.timeanddate.com/time/zones/edt

which translates to 16-4=12
12:06:53 -0400 EDT

jaclaz

Posted : 05/02/2018 8:56 pm
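
The normalisation walked through in the post above, as an added example (not code from the thread or from any participant): it parses a constructed header block that reuses only the Date value and the UTC hop time quoted there, treats `-0000` as UTC, converts to the Toronto offset and flags backward or long steps between hops. The host names, ids, the second hop and the 5-minute threshold are assumptions.

```python
from datetime import timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample. Only the Date value and the 16:06:53 -0000 hop time are
# taken from the thread; hosts, ids and the second hop are placeholders.
SAMPLE_HEADERS = """\
Received: from relay.example.invalid by mx.example.invalid id PLACEHOLDER2;
 Mon, 19 Sep 2011 16:06:55 -0000
Received: from web.example.invalid by relay.example.invalid id PLACEHOLDER1;
 Mon, 19 Sep 2011 16:06:53 -0000
Date: Mon, 19 Sep 2011 09:06:53 -0700 (PDT)
Subject: constructed sample
"""

EDT = timezone(timedelta(hours=-4), "EDT")  # Toronto offset on that date, per the thread


def to_aware(stamp):
    """Parse an RFC 5322 date; '-0000' parses as naive, so treat it as UTC."""
    dt = parsedate_to_datetime(stamp)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def hop_times(raw):
    """Return (Date header, Received stamps oldest-first) as aware datetimes."""
    msg = message_from_string(raw)
    # The timestamp of a Received field follows its last ';'
    hops = [to_aware(r.rsplit(";", 1)[-1].strip())
            for r in msg.get_all("Received", [])]
    hops.reverse()  # each server prepends its line, so the newest comes first
    return to_aware(msg["Date"]), hops


def timeline(raw, local_tz=EDT, max_gap=timedelta(minutes=5)):
    """Normalise every stamp to UTC and flag backward or long steps between them."""
    sent, hops = hop_times(raw)
    findings, prev = [], sent
    for i, hop in enumerate(hops):
        gap = hop - prev
        if gap < timedelta(0) or gap > max_gap:
            findings.append((i, gap))
        prev = hop
    return {"sent_utc": sent.astimezone(timezone.utc),
            "sent_local": sent.astimezone(local_tz),
            "hops_utc": [h.astimezone(timezone.utc) for h in hops],
            "findings": findings}
```

An empty `findings` list means every stamp agrees once offsets are removed; it says nothing about when the sender began composing or uploading the message.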
freebird
(@freebird)
New Member

Yes, we have that. What I am telling you, and anybody I could get to listen from the time on after a police computer forensics expert testified that it wasn't possible for the timestamp to be wrong–including the jury–is that it WAS NOT sent at 12:06 PM that day - I sent it in the early morning hours.
I am telling the truth and I find it nothing less than mind-boggling to be told again and again by computer experts that there is no possibility the timestamp is wrong.
I sent that email in the early morning hours from Toronto to 250 miles away (but same time zone).

Posted : 06/02/2018 12:45 am
benfindlay
(@benfindlay)
Active Member

What happens if you repeat this? Can you send another email and replicate this at all?

If so I would do so, noting down the time you send the new email, then compare the timestamps present with the time you know you actually sent it.

You may (and I stress may) find that there is something funny going on with regards to the mail server providing times (rather than them being taken from the local computer) which could explain it.

Posted : 06/02/2018 8:03 am
freebird
(@freebird)
New Member

No, I can't repeat it, and I suspect it impossible to actually duplicate the situation.
At the time the Sept. 19, 2011 email was sent I was living in a friend's basement and she was too cheap to pay for internet - she just bummed off whatever area wireless connections she could access (in 2011 passwords on routers weren't at all as common as today). Often the signals were very weak and would drop the connection frequently. This is what happened. That aside, after the conviction and years in prison the person I sent the email to would not be agreeable to take part in anything to do with me.

Posted : 06/02/2018 8:09 am
benfindlay
(@benfindlay)
Active Member

You don't necessarily have to repeat it exactly "as is". Send an email from one Yahoo account to another (given both sender and receiver seem to be Yahoo) and check the headers that result. You may spot something which shows that the resultant timestamps are different from what you would expect to see.

Also, have these headers come from the local PC or from the mail server itself? If they've only come from one source, what do the headers from the other source say?

And I'm not quite sure I understand - how exactly would a weak/intermittent signal cause an incorrect timestamp?

Posted : 06/02/2018 8:25 am
jaclaz
(@jaclaz)
Community Legend

The time stamps are provided by Yahoo servers, besides the original one, the ones for the intermediate "hops" inside Yahoo various servers appear to be consistent.

A possible scenario (provided that Yahoo Mail works like other similar providers) could only be the case where to the message was attached a single (huge) file and the users pressed send in the early morning and it took - due to the extremely slow connection - several hours to complete the uploading of the mail to Yahoo server.

Give or take a few seconds, the "sent" timestamp also marks the moment the Yahoo server completely received the e-mail (and the attachment).

I have no idea if in such scenario the connection would have timed out or it would be kept "alive" notwithstanding the extremely slow transfer rate.

To give you an idea of the time needed, in the good ol' times (talking of 1993/1994, last century ;) ) transferring a 1.44 MB floppy image on an analog modem 14,400 baud took roughly 15 minutes.

Later, circa 2002/2003, I happened to have in a particular location a very slow (more than slow, highly asymmetrical) satellite connection, where - while the download was - all in all - a decent speed, the upload was excruciatingly slow, and I remember e-mails (with attachments, even if not particularly large) take several minutes.

As hinted before a complete analysis of the computer actually used at the time may provide some additional info, but till now the data from the timestamps alone seem like confirming that the mail was actually sent at the given time.

I personally doubt (but that doesn't mean that is not possible) that the Yahoo servers had a wrong timestamp, nor that they "held in hostage" the e-mail for several hours before actually sending it, the given hypothetical scenario could explain it but proving that something like that happened, and proving it some 6 years later, isn't going to be easy.

As a side-side note (and only to reaffirm how "strange things" may happen) there is the famous case of the further than 500 mile e-mail not delivered
https://www.ibiblio.org/harris/500milemail.html

jaclaz

Posted : 06/02/2018 10:27 am