.MSG file forensic analysis

Dear all,
I have some .msg email files that I suspect to have been forged/corrupted (i.e. contents modified in Outlook before being exported).
What is the best way/tool to extract all the cryptic metadata and attributes in order to prove this message is not original?
Kind regards
Daniel Mouly

Hi, Daniel.

Can you give more details? Do you have only the .msg files?
Are they valid messages that have been tampered with? Do you have access to the whole Outlook mailbox? If you don't, how do you know it's not the same as the original one?
Tampering with an exported msg file is not trivial. AFAIK it's not possible using Outlook, it would have to be done by hand with some hexadecimal editor. In such a case, metadata has probably been kept.

Hi Sergio,
The tampering process is quite simple: open an email in Outlook, modify it and then export it as an .msg file.
I don’t have access to the whole Outlook mailbox, but one of the recipients of the original message claims that the copy he received a couple of years ago did not contain some statements that are now in the .msg copy we received.
I have found an interesting tool (4n6 Email Forensic Wizard) that is able to parse a significant number of msg file properties, but not all of them.
I was wondering if someone here had another tool to suggest that would be able to fully parse an .msg file.
Kind regards
Daniel

Take a look at Forensic Email Intelligence. The following two videos should give you a quick overview of how the MAPI capabilities work:

https://youtu.be/E041vT8S1TU
https://www.youtube.com/live/XwqaN6TwTAE

In your scenario, perhaps you can also authenticate the receiver’s copy (especially DKIM & ARC) to form an opinion on which version of the message is more likely to be authentic.
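
For the .msg property metadata asked about in this thread, an added example (not from any poster or from the tools named above): a minimal reader for the fixed-length entries of the `__properties_version1.0` stream, as laid out in MS-OXMSG, that pulls the submit, delivery, creation and last-modification times and compares them. It assumes the stream bytes have already been extracted from the .msg compound file; the sample bytes are constructed and the 5-minute tolerance is an arbitrary assumption.

```python
import struct
from datetime import datetime, timedelta, timezone

PT_SYSTIME = 0x0040             # 64-bit FILETIME property type
HEADER_LEN, ENTRY_LEN = 32, 16  # top-level message header; tag(4)+flags(4)+value(8)
UTC = timezone.utc
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=UTC)
NAMES = {0x0039: "PidTagClientSubmitTime", 0x0E06: "PidTagMessageDeliveryTime",
         0x3007: "PidTagCreationTime", 0x3008: "PidTagLastModificationTime"}

def filetime_to_dt(ft):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def parse_times(stream):
    """Return the known PT_SYSTIME properties found in the fixed-length entries."""
    out = {}
    for off in range(HEADER_LEN, len(stream) - ENTRY_LEN + 1, ENTRY_LEN):
        tag, _flags, value = struct.unpack_from("<IIQ", stream, off)
        prop_id, prop_type = tag >> 16, tag & 0xFFFF
        if prop_type == PT_SYSTIME and prop_id in NAMES:
            out[NAMES[prop_id]] = filetime_to_dt(value)
    return out

def modified_after_delivery(times, tolerance=timedelta(minutes=5)):
    """True if the item was saved well after delivery; None if a value is missing."""
    delivered = times.get("PidTagMessageDeliveryTime")
    modified = times.get("PidTagLastModificationTime")
    if delivered is None or modified is None:
        return None
    return modified - delivered > tolerance

def entry(prop_id, prop_type, value):
    """Build one 16-byte property entry (helper for the constructed sample)."""
    return struct.pack("<IIQ", (prop_id << 16) | prop_type, 0x06, value)

def to_filetime(dt):
    d = dt - EPOCH_1601
    return (d.days * 86400 + d.seconds) * 10_000_000

# Constructed sample stream (not from a real message): delivered 2021-03-01,
# last saved 2023-06-15, plus one non-time property that must be skipped.
SAMPLE = (bytes(HEADER_LEN)
          + entry(0x0037, 0x001F, 24)  # PidTagSubject, variable-length: skipped
          + entry(0x0039, PT_SYSTIME, to_filetime(datetime(2021, 3, 1, 9, 0, 0, tzinfo=UTC)))
          + entry(0x0E06, PT_SYSTIME, to_filetime(datetime(2021, 3, 1, 9, 0, 5, tzinfo=UTC)))
          + entry(0x3008, PT_SYSTIME, to_filetime(datetime(2023, 6, 15, 14, 30, 0, tzinfo=UTC))))

if __name__ == "__main__":
    for name, when in sorted(parse_times(SAMPLE).items()):
        print(f"{name}: {when.isoformat()}")
```

A late last-modification time only shows that the item was saved after delivery, so it is a lead to corroborate against other evidence rather than proof that the content changed.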