SANS Digital Forensics and Incident Response Blog: Tag - outlook

Analysis of e-mail and appointment falsification on Microsoft Outlook/Exchange

Author: Joachim Metz


In digital forensic analysis it is sometimes required to be able to determine whether an e-mail has or has not been falsified. In this paper a review of certain Outlook Message Application Programming Interface (MAPI) properties is provided which can help in determining falsified e-mails or altered appointments in a Microsoft Outlook/Exchange environment.

About the libpff project

In 2008 Joachim Metz, a forensic investigator at Hoffmann Investigations, started the libpff project. At that time the best source about the Personal Folder File (PFF) format in the public domain was the libpst project. The libpst project dated back to 2002 and had been contributed and


Robocopy - a Computer Forensics tool?

The usual practice for obtaining potential evidence would be to acquire a bit for bit forensic image of the drive and to lock the image up in an evidence safe. Depending upon the legal team's request, one may also replace the original hard drive and keep it in the safe instead of just an image. Another option I like is having a third party acquire the drive on our behalf and keep it in their secure area for us. Sometimes, however, for various reasons, a forensic image may not be feasible. So, then, what is another option?

In a recent e-mail exchange with Rob Lee, I asked him what he thought about using

Open Sesame

Sometimes little gems come across mailing lists. Like this little footnote announcement in Microsoft's MSDN email this

Open Specifications

Microsoft is providing open connections to its high-volume products - Windows Vista (including the .NET Framework), Windows Server 2008, SQL Server 2008, Office 2007, Exchange Server 2007, and Office SharePoint Server 2007. As a developer, you now have full access to information about protocols, binary file formats, and other specifications for these products that can be used to create solutions

Microsoft? Open protocols? Sure enough the