The query is as per the thread title...but let me give some background first.
Situation involves a sub contractor working with a multi-national corporation. He was working very closely with them - in so far as he had a user account on the company's internal email system. Without going into detail, a dispute arose. Outlook access was subsequently withdrawn. However, the individual can still view legacy mails up to that time - on the copy of outlook that's on their laptop.
Upon reviewing mails, this individual has now noticed a handful of critical mails that they are 110% sure they had not received during the time in which they were working in close cooperation - onsite - with this company. However, the mails show up with dates suggesting that they were sent during the individual's time working closely with the company.
Is it possible - where a company have their own outlook server - that mails could be backdated and then sent out from a couple of the other company employees who are key to the issue at hand? The individual concerned would have logged in on a number of occasions in the weeks following this conflict coming to a head.
Any input from anyone with experience of running an outlook server would be very welcome on the subject.
If all the header datestamps match then the email was sent when it says it was.
Especially with no current access to the mail server or are you suggesting it was forged and then access was withdrawn?
Hi Ben. Thanks for your mail. I'm talking in terms of a concerted effort on behalf of senior management in this organisation - directing IT staff - to insert these mails after the fact. I can't go into the specifics other than to say that I am exploring this as it's a legal issue with high stakes for those involved.
If they control the mail server - could they do this...that's my question. I note your point about datestamping on the email header -and so I will try and check that out. Actually, on that point, how exactly can I access the header information of a mail in outlook (apologies if this is basic but I'm not an IT professional).
I'm suggesting it was done - then the individual logged in remotely from home - and these mails would then have propagated in their inbox. Subsequently, access was withdrawn.
Last edited by borderfox; 9th November 2011 at 10:17 PM.
Yes, I think you can - but it involves changing the time on the server - something which is very risky as Kerberos could lock it out.
I had it a few weeks ago when I set up a new NTP server on our internal network (that queries our LEA - the DC queries our local server) and this updated, and all the servers did as well - bar the Exchange server (whose time jumped 2 hours out). I was able to send emails at, say, 3:30pm real time, but the server thought it was 1:30, so they appeared in Outlook as though they arrived at 1:30pm.
Not sure if this works with the date though.
EDIT: you may find there are event logs showing that this has been done.
Right, yes it is possible, and very easily if the exchange server is the ONLY thing running on that server.
The server time can be changed on the server and the mail sent (and subsequently Exchange will receive it) and it will go into wherever the date on the mailbox fits. To tie in with this, the laptop or PC where the mail originated would have to be changed to the same date. It is a fair bit of work to do, but it can be done. However, there would need to be more than one person involved, as it would involve the server, domain-level admin access and local admin access on the originating machines.
I hope that helps in your quest to resolve your problem.
Yes, if the mail is internal then this can be forged, or if they have access to the remote sending server as well. It is just time stamped by each server, so if you have control of those servers you can do whatever. It rapidly becomes a pain though, the more systems you involve and the more heavily trafficked the system is.
1. I'm not sure exactly what you're trying to achieve here. Yes, it can be done, but whether this was the case in your scenario needs investigation.
2. If it's a legal battle, then more than likely that would be thrown out of the window, as messages can be altered.
3. If the company is using journaling then that would stand.
4. If you have a sample of the message, you can check the creation date of the message, send date, and a lot more information.
It should be possible to figure this out from the message tracking log on the Exchange server; if not, then forensic examination of the Exchange database will show it up. You do need someone with forensic analysis skills with Exchange, best speaking to Microsoft support in the first instance. It will cost money and is not something to mess around having a go at yourself, as the evidence could then be inadmissible if it was serious enough to go to court.
What I don't see is whether there is access to the environment or not. It seems like this is from an Outlook end and the user doesn't work for the company anymore. Therefore they wouldn't have access to the Exchange server. No, you can't get the info.
Based on all of your comments above, it seems that it is plausible that the system could have been tampered with to facilitate the company 'planting' a number of emails in his inbox... emails that will have a deleterious effect on him proving wrong-doing. Having come to this conclusion, the question now is how does he deal with this scenario? That is to say, how does he prove that these mails have been mischievously planted there - to weaken the grievance he claims against them?
Depends on how far the individual wants to take this. In fact, it depends on how and if the emails are going to be used against him or not. If the evidence is with emails then dispute the authenticity. If one can't prove it, then they can't be used.
Looking at this from another angle, if we were to assume that it's possible for the complainant to have this checked (via a court order or other legal mechanism), given access to company systems, would an I.T. professional be likely to get evidence to prove this? Can anyone suggest how this could be approached? Are there people who specialise in this type of thing... I guess it's computer forensics, is it not? It would be good to get a general opinion from I.T. savvy folk here - as to how this aspect of it could best be handled.
IF you have a court order/subpoena, you would need someone impartial (and you could recommend someone to the courts who has nothing to do with the case and knows neither party) to have the evidence checked on the servers/machines. At which point all machines pertinent to the case in question would need to be surrendered to said IT professional. On top of this, any additional machines that would need checking would also have to be submitted, as would all passwords and other details required to gain the appropriate access.
From there the IT Professional would then need to have an allowed period of time (1 day per machine should be sufficient, however 2 days per machine would be what I would spec for).
My own personal approach would be to check the following:
Back up all machines in a full system state - this way if I make any errors the machines can be restored to how they were (covering myself on this one).
Then I would check for:
Timestamps in the headers of the email account in question
IP/DNS stamps in the headers of the email account in question
Content of said emails (and print off hard copies including headers)
I would then do the following:
Go to the Exchange server and check the above, and check the database entries for when emails entered into the Exchange database. The reason being that these are exceedingly difficult to forge and require a fair bit of configuring to do without screwing everything up.
Check SPF (Sender Policy Framework) records which are stored on the exchange server as well as authenticated machines from which the email address can be sent. If for example I sent something from say firstname.lastname@example.org it would store at your exchange box, however it would tell you in the SPF that a non-authenticated machine sent that email and will flag up as a spoofed email address / mail.
I would also document every step I did so that another person can verify my findings as appropriate.
It is not a case of computer forensics, but just simply knowing what to look for and giving accurate reports for the people as required.
Last edited by nephilim; 15th November 2011 at 02:18 AM.
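As an added illustration of the header checks listed above (not code from anyone in this thread), here is a small Python script that parses a message's Date header and its Received chain and reports the kinds of inconsistency a backdated or injected mail tends to leave behind. The sample message is constructed for the example; the hostnames and addresses in it are made up.

```python
"""Compare a message's Date header with its Received chain (added example)."""
from email import message_from_string, utils
from datetime import timedelta

# Constructed sample: the Date header claims a time nine days before the
# earliest Received stamp, the signature of a mail written with a rolled-back
# clock and then handed to a server whose clock was left alone.
SAMPLE = """\
Received: from mbx01.corp.example (10.0.0.5) by hub01.corp.example
 with Microsoft SMTP Server; Mon, 14 Nov 2011 09:15:02 +0000
Received: from ws-hr22.corp.example (10.0.3.22) by mbx01.corp.example
 with Microsoft SMTP Server; Mon, 14 Nov 2011 09:15:01 +0000
Date: Sat, 5 Nov 2011 16:40:00 +0000
From: alice@corp.example
To: bob@corp.example
Subject: Meeting notes

Body text.
"""


def received_times(msg):
    """Return Received timestamps oldest-first (each hop prepends, so reverse)."""
    stamps = []
    for hdr in msg.get_all("Received", []):
        # The timestamp is whatever follows the final ';' of the clause.
        stamps.append(utils.parsedate_to_datetime(hdr.rsplit(";", 1)[-1].strip()))
    return list(reversed(stamps))


def check_dates(raw, tolerance=timedelta(hours=1)):
    """Return a list of findings; an empty list means the stamps agree."""
    msg = message_from_string(raw)
    sent = utils.parsedate_to_datetime(msg["Date"])
    hops = received_times(msg)
    if not hops:
        return ["no Received headers: nothing to compare the Date header against"]
    findings = []
    # Date is set by the sending client; the first hop is set by the first server.
    if abs(hops[0] - sent) > tolerance:
        findings.append(f"Date {sent.isoformat()} differs from first Received "
                        f"{hops[0].isoformat()} by {hops[0] - sent}")
    # Each later server should stamp at or after the one before it.
    for earlier, later in zip(hops, hops[1:]):
        if later < earlier:
            findings.append(f"Received chain goes backwards: "
                            f"{earlier.isoformat()} then {later.isoformat()}")
    return findings
```

This only catches hops whose clocks disagree with each other; if every server and client in the chain was set to the same false time, the headers are self-consistent and, as the thread says, only the server-side tracking logs or database records can show when the message really entered the system.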
Remember this guy is in the Republic of Ireland, so different laws apply, so it may not be the same there as it is in the UK.