Alter an email message in your mailbox

  

jahearne
Member
 

Alter an email message in your mailbox

Post Posted: Jan 17, 19 06:04

I am working on a case where someone allegedly entered a sentence into the body of an email message after it was originally sent to 3 people. This alleged email is a reply to an email my client sent.

I have online access (usernames and passwords) to two of those three email accounts (my client's Gmail account and another Yahoo account). My client has the original email in his Sent Items. And both the Gmail and Yahoo accounts each have the alleged reply message in their Inboxes. The reply messages in the Gmail & Yahoo accounts do NOT have that allegedly added sentence. (I used Nuix to collect and preserve the email messages.)

My client is asking me to prove that the allegedly added sentence is a forgery!


It is my understanding and experience that you cannot modify the body of an email message while it is sitting in your Inbox. There is no way that they could have deleted/removed that alleged sentence, can they?

I know in an email chain, you can modify the body of a previous message when you reply (or forward ???) it; that's easy to do. But can you modify it once you have received it in your Inbox? Is there an email client that can do so that anyone knows of (and of course sync it back to the server)?


Of course if I am challenged, my client's counsel can request the alleged reply message from the sender and the other 3rd person.

I appreciate any insight, thanks!
_________________
John T Ahearne
Forensics Analyst 
 
  

jahearne
Member
 

Re: Alter an email message in your mailbox

Post Posted: Jan 17, 19 07:20

I think I just answered my own question. I discovered a way to edit the body of a message. Waiting for it to sync back to the server...
 
  

trewmte
Senior Member
 

Re: Alter an email message in your mailbox

Post Posted: Jan 17, 19 13:51

- jahearne
I discovered a way to edit the body of a message. Waiting for it to sync back to the server...


OK, how? I am talking POC here..
_________________
Institute for Digital Forensics (IDF) - www.linkedin.com/groups/2436720
Mobile Telephone Examination Board (MTEB) - www.linkedin.com/groups/141739
Universal Network Investigations - www.linkedin.com/groups/13536130
Mobile Telephone Evidence & Forensics trewmte.blogspot.com 
 
  

jahearne
Member
 

Re: Alter an email message in your mailbox

Post Posted: Jan 17, 19 18:31

Here's a link I found showing how to make changes to the body and subject of email messages already in your inbox.

www.wikihow.com/Edit-R...in-Outlook

I used Microsoft Outlook 2013 set up to my personal Gmail account using IMAP. Downloaded most messages. Picked a message labeled "Boats", that only had a few messages in there so it would be easy to identify the edited messages.

Then printed the original source before I edited that particular email message with the subject "RE: 1964+Chris+Craft+Constellation" dated 2/26/2018 13:33:47 -0800 (PST).

Following the directions from the link above, Actions menu > Edit Message, edited my name from John to Johnny, and then hit Ctrl + S.

Then went to the Send/Receive tab and clicked Send/Receive All Folders. Waited for it to sync, went to a different computer (a Mac), logged into my Gmail account and viewed the email message "RE: 1964+Chris+Craft+Constellation". Sure enough, my name edit went through. Then printed the source page and started comparing the email header and metadata between both email messages - before and after.



There are clearly differences in the header and metadata, most noticeable is the metadata at the end of the message body changed from:
"<html><head></head><body>< ...."
to
"<html xmlns:v=3D"urn:schema-microsoft-com:vml" ..."


There are other differences too, such as change of Content Transfer Encoding from quoted-printable to 8bit. Also, the DKIM signature is missing among other things.


Having the before and after printouts of the original source, you can clearly see the difference in metadata. But with one message by itself, there is no definitive identifier that says this email message has been altered.

The dates, time, zone are the same, MX servers the same, email addresses all the same, IP addresses are the same, message ID the same, References the same, X-Mailer the same, etc.

I even found different epoch time stamps 1519680817287 and 1519680816675, but both translate to the original date 3/18/2018.


Nothing beautiful like... this message has been edited by Outlook on 1/16/2019 10:20 PM (PST). No such luck...

There may be something subtle, but I can't find it. At this point, I cannot authenticate email messages between two parties to definitively say one is original and the other is a forgery.


What do you all think?
_________________
John T Ahearne
Forensics Analyst 
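The before/after comparison described in this post can be made repeatable with a short script. This is an added example, not part of the original post or of any tool named in the thread; the two sample messages, the `example.com` addresses and the function names `header_map`, `decoded_bodies` and `compare_copies` are constructed for illustration.

```python
from email import message_from_string

# Constructed samples (not case data): one message before and after an in-client
# edit, mirroring the differences described in the post above.
BEFORE = """\
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel; bh=PLACEHOLDER; b=PLACEHOLDER
Message-ID: <constructed-1@mail.example.com>
Date: Mon, 26 Feb 2018 13:33:47 -0800 (PST)
Subject: RE: 1964+Chris+Craft+Constellation
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<html><head></head><body>Thanks John</body></html>
"""
AFTER = """\
Message-ID: <constructed-1@mail.example.com>
Date: Mon, 26 Feb 2018 13:33:47 -0800 (PST)
Subject: RE: 1964+Chris+Craft+Constellation
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: 8bit

<html xmlns:v="urn:schema-microsoft-com:vml"><body>Thanks Johnny</body></html>
"""

def header_map(msg):
    """Lower-cased field name -> list of values (repeated fields kept in order)."""
    fields = {}
    for name, value in msg.items():
        fields.setdefault(name.lower(), []).append(" ".join(value.split()))
    return fields

def decoded_bodies(msg):
    """Transfer-decoded bytes of each leaf MIME part, so re-encoding alone is no diff."""
    return [p.get_payload(decode=True) for p in msg.walk() if not p.is_multipart()]

def compare_copies(raw_a, raw_b):
    """Summarise header and body differences between two preserved copies."""
    a, b = message_from_string(raw_a), message_from_string(raw_b)
    ha, hb = header_map(a), header_map(b)
    shared = set(ha) & set(hb)
    return {
        "removed": sorted(set(ha) - set(hb)),
        "added": sorted(set(hb) - set(ha)),
        "changed": sorted(k for k in shared if ha[k] != hb[k]),
        "identical": sorted(k for k in shared if ha[k] == hb[k]),
        "body_differs": decoded_bodies(a) != decoded_bodies(b),
    }

if __name__ == "__main__":
    print(compare_copies(BEFORE, AFTER))
```

Run over raw RFC 5322 exports of both copies, the report separates fields that survived unchanged (Message-ID, Date) from those that were dropped or rewritten.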
 
  

gungora
Member
 

Re: Alter an email message in your mailbox

Post Posted: Jan 18, 19 05:48

In my experience, altering the message the way you described when connected to Gmail via IMAP would cause Gmail to assign the message a new unique identifier (UID). UIDs are assigned in an ascending manner, so this would cause the altered message to be out of order chronologically when compared to its neighbors. As part of your preservation workflow, you can capture message UIDs and check their order along with the timestamps of the messages.

Depending on the email client, altering the message could also cause the internal date metadata the server has about the message to be updated. This is metadata that you can acquire from the server, not something you would find within the message itself. Unfortunately, the method you described—using Outlook—doesn't cause Gmail to update the internal date metadata.

I had written about this a while back, you might find some of the information useful:
www.metaspike.com/imap...ntication/

Looking at the message itself, assuming, as an example, that the edits were performed using Outlook 2013, you might find artifacts such as:

The X-Mailer header field being populated with "Microsoft Outlook 15.0"
The header date of the message being re-written reflecting the time zone where the message was edited (i.e., same timestamp, shown in a different time zone)
Thread-Index header field being introduced by Outlook
Multipart MIME entity boundary delimiters that are inconsistent with those of other messages between the same parties
Header fields that were removed by Outlook, etc.

The message could have been altered using various tools/methods. I would be inclined to examine a number of undisputed, legitimate messages between the parties and determine if and how they are different than the messages in question. Since you have server access, I would suggest preserving server-side metadata such as internal dates and UIDs along with the raw copies of the messages (i.e., RFC 5322).
_________________
Arman Gungor

Metaspike
Developers of Forensic Email Collector
www.metaspike.com 
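The UID ordering check described in this reply, as an added example that is not part of the original post and not Metaspike's code: it takes IMAP FETCH responses carrying UID and INTERNALDATE, finds the longest run of messages whose internal dates never decrease as the UID rises, and reports the UIDs left outside it. The sample lines, UID values and function names (`parse_fetch`, `out_of_order_uids`) are constructed.

```python
import re
from bisect import bisect_right
from datetime import datetime

# Constructed IMAP FETCH responses for one folder (not case data). UID 4120 has
# an INTERNALDATE older than its lower-UID neighbours.
FETCH_LINES = [
    '* 1 FETCH (UID 3301 INTERNALDATE "20-Feb-2018 09:12:03 -0800")',
    '* 2 FETCH (UID 3302 INTERNALDATE "26-Feb-2018 13:40:11 -0800")',
    '* 3 FETCH (UID 3350 INTERNALDATE "03-Mar-2018 08:01:45 -0800")',
    '* 4 FETCH (UID 3398 INTERNALDATE "14-Jan-2019 17:22:09 -0800")',
    '* 5 FETCH (UID 4120 INTERNALDATE "26-Feb-2018 13:33:47 -0800")',
    '* 6 FETCH (UID 4121 INTERNALDATE "17-Jan-2019 06:04:00 -0800")',
]

UID_RE = re.compile(r"\bUID (\d+)")
DATE_RE = re.compile(r'INTERNALDATE "([^"]+)"')

def parse_fetch(lines):
    """Return [(uid, internaldate)] sorted by UID; attribute order in a reply may vary."""
    rows = []
    for line in lines:
        uid, date = UID_RE.search(line), DATE_RE.search(line)
        if uid and date:
            when = datetime.strptime(date.group(1).strip(), "%d-%b-%Y %H:%M:%S %z")
            rows.append((int(uid.group(1)), when))
    return sorted(rows)

def out_of_order_uids(rows):
    """UIDs outside the longest run whose dates never decrease as the UID rises."""
    tails, tail_idx, prev = [], [], [None] * len(rows)
    for i, (_, when) in enumerate(rows):
        pos = bisect_right(tails, when)          # slot in the patience-sort piles
        prev[i] = tail_idx[pos - 1] if pos else None
        if pos == len(tails):
            tails.append(when)
            tail_idx.append(i)
        else:
            tails[pos], tail_idx[pos] = when, i
    keep, i = set(), tail_idx[-1] if tail_idx else None
    while i is not None:                         # walk back through the longest run
        keep.add(i)
        i = prev[i]
    return [uid for i, (uid, _) in enumerate(rows) if i not in keep]

if __name__ == "__main__":
    print(out_of_order_uids(parse_fetch(FETCH_LINES)))
```

A message copied or moved into the folder is also assigned a new UID, so a reported UID marks a message to examine against its neighbours rather than proof of alteration.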
 
  

watcher
Senior Member
 

Re: Alter an email message in your mailbox

Post Posted: Jan 18, 19 21:19

Let me start by saying I'm confused.

"... someone allegedly entered a sentence into the body of an email message after it was originally sent ..."

"... It is my understanding and experience that you cannot modify the body of an email message while it is sitting in your Inbox ..."

So first off, the question pertains to the possibility of multiple recipients altering their inbox, or the sender altering his outbox? Or both?

Most of the replies to date implicitly assume either web-based server, or IMAP server stored email, but I see nothing in the original question that precludes client-side email that would be subject to direct edit.

Depending upon the scenario, which I am not clear on here, client-side email could be directly edited, and web-based email could be altered in stream.

That's the whole point of using digital signatures; email can be undetectably altered without a digital signature.
 
  

jahearne
Member
 

Re: Alter an email message in your mailbox

Post Posted: Jan 18, 19 22:52

Thanks Arman!

I like the article, a lot of good information. The article centers around a date change and yes, I do have several date indicators but they all match up (on my sample and on the two accounts that I have access via my client).

I didn't know about the server Internal Date Message Attribute; unfortunately, Nuix doesn't pick up on that. In my example (my personal Gmail account), not sure what the UID would be. I have "X-Google-Smtp-Source" and X-Received with SMTP id. The SMTP id has an epoch date in it, but they both match with the original message and the one I altered. When I'm in Gmail and select Show Original, I don't get the Internal Date Message Attribute or UID, do I?


In the alleged messages dealing with my client, they have indeed been created using Microsoft Outlook and do have the X-Mailer: "Microsoft Outlook 14". Both messages from my client have matching Thread Indexes. I would need metadata from the other party to compare.

Looks like I'm going to need the header/metadata from the sender of the alleged email (and the 3rd person) in order to do a thorough comparison. And if I find something, I'll most likely need access to the originating computer to validate my findings, maybe.

A lot of good information! Thanks again,
_________________
John T Ahearne
Forensics Analyst 
 
