Enterprise Software Thread, Is it possible that an outlook server can be manipulated to backdate mails?? in Technical; The query is as per the thread title...but let me give some background first. Situation involves a sub contractor working ...
  1. #1


    Is it possible that an outlook server can be manipulated to backdate mails??

    The query is as per the thread title...but let me give some background first.

    Situation involves a sub contractor working with a multi-national corporation. He was working very closely with them - in so far as he had a user account on the company's internal email system. Without going into detail, a dispute arose. Outlook access was subsequently withdrawn. However, the individual can still view legacy mails up to that time - on the copy of Outlook that's on their laptop.

    Upon reviewing mails, this individual has now noticed a handful of critical mails that they are 110% sure they had not received during the time in which they were working in close cooperation - onsite - with this company. However, the mails show up with dates suggesting that they were sent during the individual's time working closely with the company.

    Is it possible - where a company have their own outlook server - that mails could be backdated and then sent out from a couple of the other company employees who are key to the issue at hand? The individual concerned would have logged in on a number of occasions in the weeks following this conflict coming to a head.

    Any input from anyone with experience of running an outlook server would be very welcome on the subject.

  2. #2

    plexer's Avatar
    If all the header datestamps match then the email was sent when it says it was.

    Ben

  3. #3

    plexer's Avatar
    Especially with no current access to the mail server or are you suggesting it was forged and then access was withdrawn?

    Ben

  4. #4

    Hi Ben. Thanks for your mail. I'm talking in terms of a concerted effort on behalf of senior management in this organisation - directing IT staff - to insert these mails after the fact. I can't go into the specifics other than to say that I am exploring this as it's a legal issue with high stakes for those involved.


    If they control the mail server - could they do this...that's my question. I note your point about datestamping on the email header - and so I will try and check that out. Actually, on that point, how exactly can I access the header information of a mail in Outlook (apologies if this is basic but I'm not an IT professional)?

    Quote Originally Posted by plexer
    Especially with no current access to the mail server or are you suggesting it was forged and then access was withdrawn?
    I'm suggesting it was done - then the individual logged in remotely from home - and these mails would then have propagated in their inbox. Subsequently, access was withdrawn.
    Last edited by borderfox; 9th November 2011 at 11:17 PM.

  5. #5

    glennda's Avatar
    Yes, I think you can - but it involves changing the time on the server - something which is very risky as Kerberos could lock it out.

    I had it a few weeks ago when I set up a new NTP server on our internal network (that queries our LEA - DC queries our local server) and this updated and all the servers did as well - bar the Exchange server (on which the time jumped 2 hours out). I was able to send emails say at 3:30pm real time but the server thought it was 1:30 so they appeared in Outlook as though they arrived at 1:30pm.

    Not sure if this works with date though.


    EDIT: you may find there are event logs showing that this has been done.

  6. #6

    featured_spectre's Avatar
    Right, yes it is possible, and very easily if the exchange server is the ONLY thing running on that server.

    The server time can be changed on the server and the mail sent (and subsequently Exchange will receive it) and it will go into wherever the date on the mailbox fits. To tie in with this, the laptop or PC where the mail originated had to be changed to the same date. It is a fair bit of work to do but it can be done. However there would need to be more than 1 person involved as it would involve the server, domain level admin access and local admin access on the originating machines.

    I hope that helps in your quest to resolve your problem.

  7. #7

    SYNACK's Avatar
    Yes, if the mail is internal then this can be forged or if they have access to the remote sending server as well. It is just time stamped by each server so if you have control of those servers you can do whatever. It rapidly becomes a pain though the more systems you involve and the more heavily trafficked the system is.

  8. #8

    1. I'm not sure exactly what you're trying to achieve here. Yes it can be done but was this the case in your scenario, needs investigation.
    2. If it's a legal battle, then more than likely, that would be thrown out of the window as messages can be altered.
    3. If the company is using journaling then that would stand.
    4. If you have a sample of the message, you check the creation date of the message, send date, and a lot more information.

  9. #9

    teejay's Avatar
    It should be possible to figure this out from the message tracking log on the Exchange server, if not then forensic examination of the Exchange database will show it up. You do need someone with forensic analysis skills with Exchange, best speaking to Microsoft support in the first instance. It will cost money and is not something to mess around having a go yourself as the evidence could then be inadmissible if it was serious enough to go to court.


  11. #10

    What I don't see is, if there is access to the env or not. It seems like this is from an Outlook end and the user doesn't work for the company anymore. Therefore wouldn't have access to the Exch server. No you can't get the info.


  13. #11

    Quote Originally Posted by sukh View Post
    What I don't see is, if there is access to the env or not. It seems like this is from an Outlook end and the user doesn't work for the company anymore. Therefore wouldn't have access to the Exch server. No you can't get the info.
    You're quite right. This was always from the Outlook end - as the individual concerned did not contract to this organisation for anything remotely I.T. related. This individual is in dispute (as in pending legal action) with the organisation.

    Based on all of your comments above, it seems that it is plausible that the system could have been tampered with to facilitate the company 'planting' a number of emails in his inbox.....emails that will have a deleterious effect on him proving wrong-doing. Having come to this conclusion, the question now is how does he deal with this scenario? That is to say, how does he prove that these mails have been mischievously planted there - to weaken the grievance he claims against them?

  14. #12

    Depends on how far the individual wants to take this. In fact, it depends on how and if the emails are going to be used against him or not. If the evidence is with emails then dispute the authenticity. If one can't prove, then they can't be used.

  15. #13

    Quote Originally Posted by sukh View Post
    Depends on how far the individual wants to take this.
    Well, let's just say that it's already in train - and will be running the full course.
    Quote Originally Posted by sukh View Post
    In fact, it depends on how and if the emails are going to be used against him or not.
    It's safe to assume that they were planted there with a view to discrediting the course of events that the complainant would be presenting.
    Quote Originally Posted by sukh View Post
    If one can't prove, then they can't be used.
    I hadn't considered it like this - so thanks for mentioning that.
    Looking at this from another angle, if we were to assume that it's possible for the complainant to have this checked (via a court order or other legal mechanism), given access to company systems, would an I.T. professional be likely to get evidence to prove this? Can anyone suggest how this could be approached? Are there people who specialise in this type of thing...I guess it's computer forensics, is it not?? It would be good to get a general opinion from I.T. savvy folk here - as to how this aspect of it could best be handled.

  16. #14

    featured_spectre's Avatar
    IF you have a court order/subpoena, you would need someone impartial (and you could recommend someone to the courts who has nothing to do with the case and knows neither party) to have the evidence checked on the servers/machines. At which point all machines pertinent to the case in question would need to be surrendered to said IT professional. On top of this, any additional machines that would need checking would also have to be submitted, as would all passwords and other details required to gain the appropriate access.

    From there the IT Professional would then need to have an allowed period of time (1 day per machine should be sufficient, however 2 days per machine would be what I would spec for).

    My own personal approach would be to check the following
    Back up all machines in a full system state - this way if I make any errors the machines can be restored to how they were (covering myself on this one)

    Then I would check for
    Timestamps in the headers of the email account in question
    IP/DNS stamps in the headers of the email account in question
    Content of said emails (and print off hard copies including headers)

    I would then do the following
    Go to the Exchange server and check the above, and check the database entries for when emails entered into the Exchange database. Reason being is that these are exceedingly difficult to forge and require a fair bit of configuring to do without screwing everything up.
    Check SPF (Sender Policy Framework) records which are stored on the exchange server as well as authenticated machines from which the email address can be sent. If for example I sent something from say nephilim@edugeek.net it would store at your exchange box, however it would tell you in the SPF that a non-authenticated machine sent that email and will flag up as a spoofed email address / mail.

    I would also document every step I did so that another person can verify my findings as appropriate.

    It is not a case of computer forensics, but just simply knowing what to look for and giving accurate reports for the people as required.
    Last edited by featured_spectre; 15th November 2011 at 03:18 AM.
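
    The header datestamp comparison raised in posts #2 and #14, as an added example that is not part of the original thread: it lines up the `Date` header with every `Received` stamp in hop order and flags time running backwards or an unusually long delay between hops. The tolerances, host names, addresses and sample messages are assumptions constructed for illustration.

```python
from datetime import timedelta
from email import message_from_string
from email.utils import parsedate_to_datetime

SKEW = timedelta(minutes=5)      # assumed tolerance for ordinary clock drift
MAX_DELAY = timedelta(hours=24)  # assumed upper bound for one internal hop

def header_timeline(raw):
    """Return (label, datetime) pairs: Date first, then each Received
    stamp from the earliest hop to final delivery."""
    msg = message_from_string(raw)
    timeline = [("Date", parsedate_to_datetime(msg["Date"]))]
    # Each server prepends its Received line, so reverse for hop order.
    for n, hop in enumerate(reversed(msg.get_all("Received", [])), 1):
        stamp = hop.rsplit(";", 1)[-1].strip()  # timestamp follows the last ';'
        timeline.append((f"Received#{n}", parsedate_to_datetime(stamp)))
    return timeline

def find_anomalies(raw, skew=SKEW, max_delay=MAX_DELAY):
    """Compare each stamp with the next one and report inconsistencies."""
    findings = []
    timeline = header_timeline(raw)
    for (a, t_a), (b, t_b) in zip(timeline, timeline[1:]):
        if t_b + skew < t_a:            # later hop claims an earlier time
            findings.append(("backwards", a, b))
        elif t_b - t_a > max_delay:     # long unexplained wait between hops
            findings.append(("gap", a, b))
    return findings

def sample(date, hop1, hop2):
    """Build a constructed message; hosts and addresses are placeholders."""
    return (f"Received: from hub.example.com by mbx.example.com; {hop2}\n"
            f"Received: from pc42.example.com by hub.example.com;\n\t{hop1}\n"
            f"Date: {date}\nFrom: manager@example.com\n"
            "To: contractor@example.com\nSubject: constructed sample\n\nbody\n")

OK = sample("Thu, 3 Nov 2011 14:02:10 +0000",
            "Thu, 3 Nov 2011 14:02:11 +0000", "Thu, 3 Nov 2011 14:02:13 +0000")
# First hop's clock two hours behind the sending client.
SKEWED = sample("Thu, 3 Nov 2011 15:30:00 +0000",
                "Thu, 3 Nov 2011 13:30:05 +0000", "Thu, 3 Nov 2011 15:30:08 +0000")
# Mailbox delivery stamped weeks after the claimed send date.
LATE = sample("Thu, 20 Oct 2011 09:15:00 +0000",
              "Thu, 20 Oct 2011 09:15:02 +0000", "Wed, 9 Nov 2011 16:40:00 +0000")

if __name__ == "__main__":
    for name, raw in (("OK", OK), ("SKEWED", SKEWED), ("LATE", LATE)):
        print(name, find_anomalies(raw))
```

    Stamps that agree with each other show only internal consistency, which is the limit the replies above describe when one party controls every server in the path.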

  17. #15

    FN-GM's Avatar
    IF you have a court order/subpoena, you would need someone impartial (and you could recommend someone to the courts who has nothing to do with the case and knows neither party) to have the evidence checked on the servers/machines
    Remember this guy is in the Republic of Ireland so different laws apply, so it may not be the same there as it is in the UK.


