  1. #1


    Is it possible that an Outlook server can be manipulated to backdate mails??

    The query is as per the thread title...but let me give some background first.

    Situation involves a subcontractor working with a multi-national corporation. He was working very closely with them - in so far as he had a user account on the company's internal email system. Without going into detail, a dispute arose. Outlook access was subsequently withdrawn. However, the individual can still view legacy mails up to that time - on the copy of Outlook that's on their laptop.

    Upon reviewing mails, this individual has now noticed a handful of critical mails that they are 110% sure they had not received during the time in which they were working in close cooperation - onsite - with this company. However, the mails show up with dates suggesting that they were sent during the individual's time - working closely with the company.

    Is it possible - where a company have their own Outlook server - that mails could be backdated and then sent out from a couple of the other company employees who are key to the issue at hand? The individual concerned would have logged in on a number of occasions in the weeks following this conflict coming to a head.

    Any input from anyone with experience of running an Outlook server would be very welcome on the subject.

  2. #2

    plexer
    If all the header datestamps match then the email was sent when it says it was.

    Ben

  3. #3

    plexer
    Especially with no current access to the mail server or are you suggesting it was forged and then access was withdrawn?

    Ben

  4. #4

    Hi Ben. Thanks for your mail. I'm talking in terms of a concerted effort on behalf of senior management in this organisation - directing IT staff - to insert these mails after the fact. I can't go into the specifics other than to say that I am exploring this as it's a legal issue with high stakes for those involved.


    If they control the mail server - could they do this...that's my question. I note your point about datestamping on the email header - and so I will try and check that out. Actually, on that point, how exactly can I access the header information of a mail in Outlook (apologies if this is basic but I'm not an IT professional)?

    Quote Originally Posted by plexer
    Especially with no current access to the mail server or are you suggesting it was forged and then access was withdrawn?
    I'm suggesting it was done - then the individual logged in remotely from home - and these mails would then have propagated in their inbox. Subsequently, access was withdrawn.
    Last edited by borderfox; 9th November 2011 at 10:17 PM.

  5. #5

    glennda
    Yes, I think you can - but it involves changing the time on the server - something which is very risky as Kerberos could lock it out.

    I had it a few weeks ago when I set up a new NTP server on our internal network (that queries our LEA - DC queries our local server) and this updated and all the servers did as well - bar the Exchange server (where the time jumped 2 hours out). I was able to send emails say at 3:30pm real time but the server thought it was 1:30 so they appeared in Outlook as though they arrived at 1:30pm.

    Not sure if this works with date though.

    EDIT: you may find there are event logs showing that this has been done.

  6. #6

    nephilim
    Right, yes it is possible, and very easily if the Exchange server is the ONLY thing running on that server.

    The server time can be changed on the server and the mail sent (and subsequently Exchange will receive it) and it will go into wherever the date on the mailbox fits. To tie in with this, the laptop or PC where the mail originated had to be changed to the same date. It is a fair bit of work to do but it can be done. However there would need to be more than 1 person involved as it would involve the server, domain level admin access and local admin access on the originating machines.

    I hope that helps in your quest to resolve your problem.

  7. #7

    SYNACK
    Yes, if the mail is internal then this can be forged or if they have access to the remote sending server as well. It is just time stamped by each server so if you have control of those servers you can do whatever. It rapidly becomes a pain though the more systems you involve and the more heavily trafficked the system is.

  8. #8

    1. I'm not sure exactly what you're trying to achieve here. Yes it can be done but was this the case in your scenario, needs investigation.
    2. If it's a legal battle, then more than likely, that would be thrown out of the window as message can be altered.
    3. If the company is using journaling then that would stand.
    4. If you have a sample of the message, you can check the creation date of the message, send date, and a lot more information.

  9. #9

    teejay
    It should be possible to figure this out from the message tracking log on the Exchange server, if not then forensic examination of the Exchange database will show it up. You do need someone with forensic analysis skills with Exchange, best speaking to Microsoft support in the first instance. It will cost money and is not something to mess around having a go yourself as the evidence could then be inadmissible if it was serious enough to go to court.

  11. #10

    What I don't see is, if there is access to the env or not. It seems like this is from an Outlook end and the user doesn't work for the company anymore. Therefore wouldn't have access to the Exch server. No you can't get the info.

  13. #11

    Quote Originally Posted by sukh
    What I don't see is, if there is access to the env or not. It seems like this is from an Outlook end and the user doesn't work for the company anymore. Therefore wouldn't have access to the Exch server. No you can't get the info.
    You're quite right. This was always from the Outlook end - as the individual concerned did not contract to this organisation for anything remotely I.T. related. This individual is in dispute (as in pending legal action) with the organisation.

    Based on all of your comments above, it seems that it is plausible that the system could have been tampered with to facilitate the company 'planting' a number of emails in his inbox.....emails that will have a deleterious effect on him proving wrong-doing. Having come to this conclusion, the question now is how does he deal with this scenario? That is to say, how does he prove that these mails have been mischievously planted there - to weaken the grievance he claims against them?

  14. #12

    Depends on how far the individual wants to take this. In fact, it depends on how and if the emails are going to be used against him or not. If the evidence is with emails then dispute the authenticity. If one can't prove, then they can't be used.

  15. #13

    Quote Originally Posted by sukh
    Depends on how far the individual wants to take this.
    Well, let's just say that it's already in train - and will be running the full course.
    Quote Originally Posted by sukh
    In fact, it depends on how and if the emails are going to be used against him or not.
    It's safe to assume that they were planted there with a view to discrediting the course of events that the complainant would be presenting.
    Quote Originally Posted by sukh
    If one can't prove, then they can't be used.
    I hadn't considered it like this - so thanks for mentioning that.
    Looking at this from another angle, if we were to assume that it's possible for the complainant to have this checked (via a court order or other legal mechanism), given access to company systems, would an I.T. professional be likely to get evidence to prove this? Can anyone suggest how this could be approached? Are there people who specialise in this type of thing...I guess it's computer forensics, is it not?? It would be good to get a general opinion from I.T. savvy folk here - as to how this aspect of it could best be handled.

  16. #14

    nephilim
    If you have a court order/subpoena, you would need someone impartial (and you could recommend someone to the courts who has nothing to do with the case and knows neither party) to have the evidence checked on the servers/machines. At which point all machines pertinent to the case in question would need to be surrendered to said IT professional. On top of this, any additional machines that would need checking would also have to be submitted, as would all passwords and other details required to gain the appropriate access.

    From there the IT Professional would then need to have an allowed period of time (1 day per machine should be sufficient, however 2 days per machine would be what I would spec for).

    My own personal approach would be to check the following:
    Back up all machines in a full system state - this way if I make any errors the machines can be restored to how they were (covering myself on this one)

    Then I would check for:
    Timestamps in the headers of the email account in question
    IP/DNS stamps in the headers of the email account in question
    Content of said emails (and print off hard copies including headers)

    I would then do the following:
    Go to the Exchange server and check the above, and check the database entries for when emails entered into the Exchange database. The reason is that these are exceedingly difficult to forge and require a fair bit of configuring to do without screwing everything up.
    Check SPF (Sender Policy Framework) records which are stored on the Exchange server as well as authenticated machines from which the email address can be sent. If for example I sent something from say nephilim@edugeek.net it would store at your Exchange box, however it would tell you in the SPF that a non-authenticated machine sent that email and will flag up as a spoofed email address / mail.

    I would also document every step I did so that another person can verify my findings as appropriate.

    It is not a case of computer forensics, but just simply knowing what to look for and giving accurate reports for the people as required.
    Last edited by nephilim; 15th November 2011 at 02:18 AM.
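
Added example, not part of any post in this thread: a Python sketch of the header timestamp check that plexer and nephilim describe, comparing a message's Date header with the time stamped by each Received hop. The sample message, host names and the 10-minute tolerance are constructed assumptions, and a clean result only shows that the headers agree with each other, since each stamp comes from the stamping server's own clock.

```python
from datetime import timedelta
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample (not a message from the thread): the Date header claims
# 3 October, but both relays stamped the message on 2 November.
SAMPLE = """\
Received: from mbx01.corp.example (10.0.0.5) by mbx02.corp.example
 with ESMTP; Wed, 2 Nov 2011 16:42:10 +0000
Received: from ws-042.corp.example (10.0.3.17) by mbx01.corp.example
 with ESMTP; Wed, 2 Nov 2011 16:42:08 +0000
From: manager@corp.example
To: contractor@corp.example
Date: Mon, 3 Oct 2011 09:15:00 +0100
Subject: Constructed example
Message-ID: <constructed-0001@corp.example>

Body text.
"""

def hop_times(raw):
    """Return (claimed Date, [Received timestamps, first hop first])."""
    msg = message_from_string(raw)
    claimed = parsedate_to_datetime(msg["Date"])
    hops = []
    for value in msg.get_all("Received", []):
        # RFC 5322: the timestamp follows the last ';' of a Received header.
        hops.append(parsedate_to_datetime(value.rsplit(";", 1)[-1].strip()))
    hops.reverse()  # each relay prepends, so the last header is the first hop
    return claimed, hops

def check_timestamps(raw, tolerance=timedelta(minutes=10)):
    """List inconsistencies between the Date header and the relay stamps."""
    claimed, hops = hop_times(raw)
    if not hops:
        return ["no Received headers: nothing to compare the Date against"]
    findings = []
    if abs(hops[0] - claimed) > tolerance:
        findings.append(f"Date header differs from first hop by {hops[0] - claimed}")
    for earlier, later in zip(hops, hops[1:]):
        if later + tolerance < earlier:
            findings.append(f"hop at {later} precedes previous hop at {earlier}")
    return findings

if __name__ == "__main__":
    for finding in check_timestamps(SAMPLE):
        print(finding)
```

Run it against the full headers copied out of the message; mail that never left a single server may carry no Received headers at all, in which case the server-side records mentioned in the posts above are the only place to look.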

  17. #15

    FN-GM
    If you have a court order/subpoena, you would need someone impartial (and you could recommend someone to the courts who has nothing to do with the case and knows neither party) to have the evidence checked on the servers/machines
    Remember this guy is in the Republic of Ireland so different laws apply so it may not be the same there as it is in the UK.
