Using IMAP Internal Date for Forensic Email Authentication

by Arman Gungor

Internal Date is an IMAP Message Attribute that indicates the internal date and time of a message on an IMAP server. This is a different timestamp than the Origination Date field found in the message header and can be instrumental in authenticating email messages on an IMAP server.

Let’s start with an example. The perpetrator wants to fabricate an email message and make it look like he sent it back in December 2016 from his GoDaddy email account to the Yahoo! email account of his business partner.

He takes a genuine message between the parties from December 2017, edits the subject and the message body to his heart’s content and makes sure to pick a suitable date in December 2016.

Read More


Get The Latest DFIR News

Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.

Unsubscribe any time. We respect your privacy - read our privacy policy.


Leave a Comment