Extended MAPI

It is a set of properties that are part of the message structure of any Outlook or Exchange stored email .

It would be good to visit the Extended MAPI data and provide some analysis scenarios and more information for easy understanding

Firstly , How I can see these Properties if I have an email file ???

Well, firstly you will need to download outlook it is not installed on your analysis machine , install Outlookspy extension , that will show you all MAPIs Interfaces.

After installing the extension, just open Outlook and you will see the extension already installed.

So Far , So Good…

1- PR_LAST_VERB_EXECUTED : records in email messages what the last action that occurred to the message itself (Reply , Reply All , Forward , Reply To Forward ,….)

2- PR_LAST_VERB_EXECUTION_TIME : records when the last action happened.

The previous two entries is not created as part of the base message structure an instead is created when an action occurs.

All of the possible values that can be set for PR_LAST_VERB_EXECUTED are here.

1- PR_CREATION_TIME : tracks when this message was stored within this message archive.

2- PR_LAST_MODIFICATION_TIME : time when the object or subobject was last modified.

Note that the time is in UTC 00:00

Image Not Showing Possible Reasons

• The image file may be corrupted
• The server hosting the image is unavailable
• The image path is incorrect
• The image format is not supported

Learn More →

• IF you tried to make the email UnRead , the PR_LAST_VERB_EXECUTED value will not change , but PR_LAST_MODIFICATION_TIME will change , so Comparing PR_LAST_MODIFICATION_TIME and PR_CREATION_TIME you will know that something happened.

How to validate those times with those in the extension

Image Not Showing Possible Reasons

• The image file may be corrupted
• The server hosting the image is unavailable
• The image path is incorrect
• The image format is not supported

Learn More →

• The answer would be from structure!.

The first thing to you should know about underlying message structure is that it is not just a text file like a RFC82 email message (consists of Header , Body) , it is Compound File Binary File Format which stores stream objects in a hierarchical structure within a single file , so we will use Sturcture Sotrage Viewer to to see the stream which we will extract to parse using any hex-editor (Easy Parsing)

Just Drop the .msg file in the tool to see all streams.

The Extended MAPI data is stored within the stream named _properties_version1.0 save the stream and open it in your hex tool.

From the documentation for each property in Microsoft , we can know the identity of each one.

Search for 0x3008 but little endian 08 30 and the last 8 bytes will be the time.

But, when checking the time in outlook and the structure , the time was totally different , as when we extract the file , this resets the creation time which byself resets the modification time ,too.

From this point , we are going to check
5- PR_MESSAGE_DELIVERY_TIME : which is the time the message was delivered .
The creation time and delivery time are the same in Outlook as shown here :

But , when checking dates from the stream, only the creation time is being reset , the delivery time (0x0E060040) is remain as the original date the message was delivered.

So we can determine when exactly someone exported the message out of the mailbox into the disk.

So Far , So Good…

What happened when you forward a message

Image Not Showing Possible Reasons

• The image file may be corrupted
• The server hosting the image is unavailable
• The image path is incorrect
• The image format is not supported

Learn More →

• PR_LAST_VERB_EXECUTED will have a value (106) , and PR_LAST_MODIFICATION_TIME will be updated.

6- 0x84A6 (ClientInfo) : tracking clients and different internet browsers that being used to send email on Exchange and Office365 with EWS , also can determine a version of Windows and what type of web browser.

What about saving an attachment file on your disk, does it changes the TimeStamps

Image Not Showing Possible Reasons

• The image file may be corrupted
• The server hosting the image is unavailable
• The image path is incorrect
• The image format is not supported

Learn More →

David Cowen said that he saw in the past that Outlook would look into Word documents and retrieve the dates from the metadata in the document to apply to the file system and when he tested it and extract the attachment , he found that The creation time was sent to the time the message was received and matched the PR_CREATION_TIME .But the Modification time was reapplied from the data that was saved in the attachment extended mapi property. Testing was in 2018.
When i tested this both creation and modification times are set to the time they being exported to my PC. maybe differs as i doing my own test on Outlook environment , maybe his hypothesis is in other environment like Office365.

Tracking Conversations

Image Not Showing Possible Reasons

• The image file may be corrupted
• The server hosting the image is unavailable
• The image path is incorrect
• The image format is not supported

Learn More →

Microsoft has an article titled Tracking Conversations on how the e-mail conversation index (PR_CONVERSATION_INDEX) value is calculated.

I will get you all what you need to cover this part .

FILETIME Value : this is the header value , indicates the current time values when the message was sent and this matches the PR_CLIENT_SUBMIT_TIME time.

GUID : Sixteen bytes holding a GUID, or globally unique identifier.

Child Block : composed of 5 bytes from which we can calculate the time difference values based on the user’s local time , For example, let’s assume that person C creates and sends a message to person D at precisely 4:00:00 PM. Person D’s computer time is 5 minutes ahead, and shows 4:05:00 PM at this moment.

Demo Time –> we need to git PR_CONVERSATION_INDEX value , but it is better not to get it from MAPI as it maybe not accurate , we can get the Thread-Index value form the email header which from we can calculate the GUID and FILE-TIME , and Child Blocks through a free tool launched by Arman Gungor

Observations

1. When creating a new message, Outlook populates the header date in the e-mail conversation index (PR_CONVERSATION_INDEX) with the local timestamp when the message is sent (i.e. PR_CLIENT_SUBMIT_TIME)

2. When replying to or forwarding a message, Outlook updates the e-mail conversation index (PR_CONVERSATION_INDEX) property and sets the time difference in the child block based on when the new message is created, not when it is sent. For example, let’s assume that person A receives an e-mail from person B and hits the reply button in Outlook at 3:00:00 PM. She then takes 10 minutes to compose her answer and send the e-mail. The time difference value contained in PR_CONVERSATION_INDEX would reflect the difference in time between 3:00:00 PM (when person A created the new message) and the timestamp of the previous message.

Detecting Time Forgery

• When a computer forensics expert reviews a file that was known to have been created and lived on an NTFS file system, seeing a truncated timestamp can be interpreted as a red flag. Considering that the 7 digits beyond the seconds provide 10 million possibilities, the probability of a randomly created file legitimately having no 100-nanoseconds beyond the seconds in its timestamp (i.e. timestamp ending with “.0000000”) would be extremely small. This can be a good starting point in date forgery analysis.

As Arman Gungor shows in his blog, He has a tool which convert to the full resolution time , but i DM him in his community, but with no response

Conclusions

• Email Forensics is not easy , remember that.
• The information contained in the e-mail conversation index (PR_CONVERSATION_INDEX) MAPI property can be very helpful in the forensic analysis of e-mails.
• Having access to timestamps with 100-nanosecond resolution is useful in date forgery analysis.

Resources

1. https://www.hecfblog.com/2018/06/daily-blog-384exploring-extended-mapi.html
2. https://www.meridiandiscovery.com/how-to/e-mail-conversation-index-metadata-computer-forensics/
3. https://learn.microsoft.com/en-us/office/client-developer/outlook/mapi/mapping-mapi-names-to-canonical-property-names
4. https://thinkdfir.com/2020/12/28/metaspike-ctf-week-2-as-per-my-previous-email/