Try   HackMD

Extended MAPI

It is a set of properties that are part of the message structure of any Outlook or Exchange stored email .

It would be good to visit the Extended MAPI data and provide some analysis scenarios and more information for easy understanding

Firstly , How I can see these Properties if I have an email file ???

Well, firstly you will need to download outlook it is not installed on your analysis machine , install Outlookspy extension , that will show you all MAPIs Interfaces.

After installing the extension, just open Outlook and you will see the extension already installed.

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More →

So Far , So Good…

1- PR_LAST_VERB_EXECUTED : records in email messages what the last action that occurred to the message itself (Reply , Reply All , Forward , Reply To Forward ,….)

2- PR_LAST_VERB_EXECUTION_TIME : records when the last action happened.

The previous two entries is not created as part of the base message structure an instead is created when an action occurs.

All of the possible values that can be set for PR_LAST_VERB_EXECUTED are here.

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More →

1- PR_CREATION_TIME : tracks when this message was stored within this message archive.

2- PR_LAST_MODIFICATION_TIME : time when the object or subobject was last modified.

Note that the time is in UTC 00:00

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →

  • IF you tried to make the email UnRead , the PR_LAST_VERB_EXECUTED value will not change , but PR_LAST_MODIFICATION_TIME will change , so Comparing PR_LAST_MODIFICATION_TIME and PR_CREATION_TIME you will know that something happened.

How to validate those times with those in the extension
Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →

  • The answer would be from structure!.

The first thing to you should know about underlying message structure is that it is not just a text file like a RFC82 email message (consists of Header , Body) , it is Compound File Binary File Format which stores stream objects in a hierarchical structure within a single file , so we will use Sturcture Sotrage Viewer to to see the stream which we will extract to parse using any hex-editor (Easy Parsing)

Just Drop the .msg file in the tool to see all streams.

The Extended MAPI data is stored within the stream named _properties_version1.0 save the stream and open it in your hex tool.

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More →

From the documentation for each property in Microsoft , we can know the identity of each one.

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More →

Search for 0x3008 but little endian 08 30 and the last 8 bytes will be the time.

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More →

But, when checking the time in outlook and the structure , the time was totally different , as when we extract the file , this resets the creation time which byself resets the modification time ,too.

From this point , we are going to check
5- PR_MESSAGE_DELIVERY_TIME : which is the time the message was delivered .
The creation time and delivery time are the same in Outlook as shown here :

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More →

But , when checking dates from the stream, only the creation time is being reset , the delivery time (0x0E060040) is remain as the original date the message was delivered.

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More →

So we can determine when exactly someone exported the message out of the mailbox into the disk.

So Far , So Good…

What happened when you forward a message
Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →

  • PR_LAST_VERB_EXECUTED will have a value (106) , and PR_LAST_MODIFICATION_TIME will be updated.

6- 0x84A6 (ClientInfo) : tracking clients and different internet browsers that being used to send email on Exchange and Office365 with EWS , also can determine a version of Windows and what type of web browser.

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More →

What about saving an attachment file on your disk, does it changes the TimeStamps
Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →

David Cowen said that he saw in the past that Outlook would look into Word documents and retrieve the dates from the metadata in the document to apply to the file system and when he tested it and extract the attachment , he found that The creation time was sent to the time the message was received and matched the PR_CREATION_TIME .But the Modification time was reapplied from the data that was saved in the attachment extended mapi property. Testing was in 2018.
When i tested this both creation and modification times are set to the time they being exported to my PC. maybe differs as i doing my own test on Outlook environment , maybe his hypothesis is in other environment like Office365.

Tracking Conversations
Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →

Microsoft has an article titled Tracking Conversations on how the e-mail conversation index (PR_CONVERSATION_INDEX) value is calculated.

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More →

I will get you all what you need to cover this part .

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More →

FILETIME Value : this is the header value , indicates the current time values when the message was sent and this matches the PR_CLIENT_SUBMIT_TIME time.

GUID : Sixteen bytes holding a GUID, or globally unique identifier.

Child Block : composed of 5 bytes from which we can calculate the time difference values based on the user’s local time , For example, let’s assume that person C creates and sends a message to person D at precisely 4:00:00 PM. Person D’s computer time is 5 minutes ahead, and shows 4:05:00 PM at this moment.

Demo Time > we need to git PR_CONVERSATION_INDEX value , but it is better not to get it from MAPI as it maybe not accurate , we can get the Thread-Index value form the email header which from we can calculate the GUID and FILE-TIME , and Child Blocks through a free tool launched by Arman Gungor

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More →

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More →

Observations

  1. When creating a new message, Outlook populates the header date in the e-mail conversation index (PR_CONVERSATION_INDEX) with the local timestamp when the message is sent (i.e. PR_CLIENT_SUBMIT_TIME)

  2. When replying to or forwarding a message, Outlook updates the e-mail conversation index (PR_CONVERSATION_INDEX) property and sets the time difference in the child block based on when the new message is created, not when it is sent. For example, let’s assume that person A receives an e-mail from person B and hits the reply button in Outlook at 3:00:00 PM. She then takes 10 minutes to compose her answer and send the e-mail. The time difference value contained in PR_CONVERSATION_INDEX would reflect the difference in time between 3:00:00 PM (when person A created the new message) and the timestamp of the previous message.

Detecting Time Forgery

  • When a computer forensics expert reviews a file that was known to have been created and lived on an NTFS file system, seeing a truncated timestamp can be interpreted as a red flag. Considering that the 7 digits beyond the seconds provide 10 million possibilities, the probability of a randomly created file legitimately having no 100-nanoseconds beyond the seconds in its timestamp (i.e. timestamp ending with “.0000000”) would be extremely small. This can be a good starting point in date forgery analysis.

As Arman Gungor shows in his blog, He has a tool which convert to the full resolution time , but i DM him in his community, but with no response

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →
, but, i am waiting

Conclusions

  • Email Forensics is not easy , remember that.
  • The information contained in the e-mail conversation index (PR_CONVERSATION_INDEX) MAPI property can be very helpful in the forensic analysis of e-mails.
  • Having access to timestamps with 100-nanosecond resolution is useful in date forgery analysis.

Resources

  1. https://www.hecfblog.com/2018/06/daily-blog-384exploring-extended-mapi.html
  2. https://www.meridiandiscovery.com/how-to/e-mail-conversation-index-metadata-computer-forensics/
  3. https://learn.microsoft.com/en-us/office/client-developer/outlook/mapi/mapping-mapi-names-to-canonical-property-names
  4. https://thinkdfir.com/2020/12/28/metaspike-ctf-week-2-as-per-my-previous-email/
Last changed by 
M4shl3 (مشعل)
Digital Forensic Examiner
0
866

Read more

Heavy USB Forensics

In this blog post, we will delve into USB forensics, covering approximately 95% of the essential knowledge and techniques that a digital forensics examiner would require when investigating USB-related cases.

May 4, 2025
Malware Analysis – Javascript Deobfuscation

sample

Jan 31, 2025
How to Easily Trace SSH Connections on macOS Using Unified Logs

About three weeks ago, during my study of the SSH login and logout events for the FOR518 course by Sara Edwards, I became curious about how to view SSH connection records using macOS's unified logs. It’s easy to access connection details using the traditional system.log file, but I started wondering: What if this file is deleted? It’s well-known that attackers may delete logs in the /var/log/ directory to cover their tracks. So, I set out to explore how I could accurately track SSH connection times without relying on the system log.

Jan 4, 2025
A Deep Dive Into APFS Structure

By default, a macOS storage disk consists of one Apple File System (APFS) container.Each container may have multiple volumes.

Dec 1, 2024
Read more from M4shl3 (مشعل)
Published on HackMD