Using IMAP Internal Date for Forensic Email Authentication

by Arman Gungor

Internal Date is an IMAP Message Attribute that indicates the internal date and time of a message on an IMAP server. This is a different timestamp than the Origination Date field found in the message header and can be instrumental in authenticating email messages on an IMAP server.

Let’s start with an example. The perpetrator wants to fabricate an email message and make it look like he sent it back in December 2016 from his GoDaddy email account to the Yahoo! email account of his business partner.

He takes a genuine message between the parties from December 2017, edits the subject and the message body to his heart’s content and makes sure to pick a suitable date in December 2016.

Read More


Get The Latest DFIR News!

Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.


Unsubscribe any time. We respect your privacy - read our privacy policy.

Leave a Comment

Latest Videos

This error message is only visible to WordPress admins

Important: No API Key Entered.

Many features are not available without adding an API Key. Please go to the YouTube Feed settings page to add an API key after following these instructions.

Latest Articles

Share to...