Hello,
Below is an example, from within an eml file, of an attachment header of an attached .msg email. The email it is attached to was sent 24 Jun 2018:
User-Agent: xxxxxxxxx
Date: Sat, 23 Jun 2018 11:43:02 +0000
Subject: Important
Where is the creation-date derived from? Is there a reason that this would be a later date than that of the email it was attached to, e.g. if the email had been saved outside of an email client on that date?
Creation date of headers of other attachments in the same email all appear to be the same creation-date as this but a second different to each other.
The modification-date of the other picture attachments appears to be the date that the eml file was provided and different to the email attachment.
What I hope is the case is that the created-date is the date the file was attached and shouldn’t change however the eml file that the header was taken from was created, be it downloaded directly from the server or saved by the email client?
For instance, an email client might leave those parameters unpopulated, read the file system timestamps of the attachment and populate them accordingly, or populate them with the date/time when the files were attached to the email.
Something to be mindful of, especially with RFC822 attachments, is that the Creation-Date and Modification-Date parameters might be populated to reflect when the attached message was forwarded. I can reproduce this in Outlook by forwarding an older message with the “Forward as Attachment” respond action. I get a message/rfc822 attachment and the Creation-Date and Modification-Date parameters are populated with the date/time when I forwarded the message.
I would recommend testing with the specific email clients that were involved in the conversation if possible.
Thanks Arman, there are other attachments in this example email, pdf and jpg for example. The creation date of all is the same within 1-3 seconds; however, whilst the rfc822 modification date is the same as its creation date, the modification dates of all of the other attachments are the same as the creation date of the eml file.
On a test email sent with the same client setup with a png attachment, the creation date was 2 seconds before the send date of the email, modification date the date the source was downloaded to eml. The png was a screenshot taken 4 minutes before the email was sent, so it looks like the creation date is the date when attached/sent.
If this is true, if the creation dates are later than when an email was sent, would it be reasonable to assume the attachments may have been added at a later date?
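The comparison discussed in this thread, as an added example (not code from any poster): it reads each attachment's Content-Disposition creation-date and modification-date parameters from an eml file and reports how they sit relative to the outer message's Date header. The sample message, its filenames and its timestamps are constructed for illustration, apart from the inner Date and Subject lines quoted above.

```python
import email
from email.utils import parsedate_to_datetime

# Constructed sample: outer message sent 24 Jun 2018 with a forwarded
# message/rfc822 attachment and a png whose modification-date is a later export date.
SAMPLE_EML = """\
Date: Sun, 24 Jun 2018 10:00:00 +0000
Subject: constructed sample
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: message/rfc822
Content-Disposition: attachment; filename="Important.eml";
 creation-date="Sun, 24 Jun 2018 09:59:58 +0000";
 modification-date="Sun, 24 Jun 2018 09:59:58 +0000"

Date: Sat, 23 Jun 2018 11:43:02 +0000
Subject: Important

inner body
--b1
Content-Type: image/png
Content-Disposition: attachment; filename="shot.png";
 creation-date="Sun, 24 Jun 2018 09:59:59 +0000";
 modification-date="Mon, 02 Jul 2018 14:20:00 +0000"

(constructed placeholder body)
--b1--
"""

def _param_date(part, name):
    """Return a Content-Disposition date parameter as a datetime, or None if absent."""
    value = part.get_param(name, header="content-disposition")
    return parsedate_to_datetime(value) if value else None

def attachment_dates(raw_eml):
    """List each attachment's header dates and their offset from the outer Date."""
    msg = email.message_from_string(raw_eml)
    sent = parsedate_to_datetime(msg["Date"])
    rows = []
    for part in msg.walk():
        if part.get_content_disposition() is None:
            continue  # body parts and the nested message itself carry no disposition
        created = _param_date(part, "creation-date")
        modified = _param_date(part, "modification-date")
        rows.append({"filename": part.get_filename(), "type": part.get_content_type(),
                     "created": created, "modified": modified,
                     "created_minus_sent_s": (created - sent).total_seconds() if created else None,
                     "modified_after_sent": bool(modified and modified > sent)})
    return rows
```

The offsets only show what the headers contain; which event a given client records in them still has to be established by testing that client, as recommended in the reply above.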