Can you tell if emails in an Outlook file have been falsified?
December 2, 2006 9:58 PM Subscribe
How can you tell if emails in an Outlook .PST file have been falsified?
Suppose somebody sends me an Outlook mailbox (i.e. a .PST file). I want to know whether they falsified an email in that mailbox.
For example: They send me the Outlook mailbox. It contains an email that the mailbox owner received on January 1, 2004. I can see the body of the email, the date received, date sent, the message ID, and so on.
However, how do I know the body of the email has the same text as the email that was originally received? For example, in Outlook, you can edit an email you receive to change the text of it. You can edit it long after you actually received the email to make it look like someone sent you an email saying X, when they really said Y.
Can I tell if an email has been edited in such a fashion just by looking at something in the Outlook mailbox (.PST file)? (For example, in Word I can look at the "Properties" of a Word document and see when it was last saved.)
Or do I need to get logs off their email server or somesuch?
thanks,
Mike
Suppose somebody sends me an Outlook mailbox (i.e. a .PST file). I want to know whether they falsified an email in that mailbox.
For example: They send me the Outlook mailbox. It contains an email that the mailbox owner received on January 1, 2004. I can see the body of the email, the date received, date sent, the message ID, and so on.
However, how do I know the body of the email has the same text as the email that was originally received? For example, in Outlook, you can edit an email you receive to change the text of it. You can edit it long after you actually received the email to make it look like someone sent you an email saying X, when they really said Y.
Can I tell if an email has been edited in such a fashion just by looking at something in the Outlook mailbox (.PST file)? (For example, in Word I can look at the "Properties" of a Word document and see when it was last saved.)
Or do I need to get logs off their email server or somesuch?
thanks,
Mike
Unless the mail was cryptographically signed (and generally crypto signatures are pretty obvious), no.
The 'last saved' bit in Word docs is also trivially falsifiable with the most basic of file manipulation tools.
posted by oats at 10:37 PM on December 2, 2006
The 'last saved' bit in Word docs is also trivially falsifiable with the most basic of file manipulation tools.
posted by oats at 10:37 PM on December 2, 2006
do I need to get logs off their email server or somesuch?
Even this wouldn't help you. Few, if any, of the popular e-mail server packages record message contents to their logs.
posted by RichardP at 10:47 PM on December 2, 2006
Even this wouldn't help you. Few, if any, of the popular e-mail server packages record message contents to their logs.
posted by RichardP at 10:47 PM on December 2, 2006
You do it by contacting the sender, and asking for a copy of the mail that they sent to X on such and such a date at such and such a time.
Even then, they could be in cahoots.
posted by flabdablet at 12:27 AM on December 3, 2006
Even then, they could be in cahoots.
posted by flabdablet at 12:27 AM on December 3, 2006
There is no way to tell. As oats said, a cryptographic signature is really the only thing that would help here, and without that, you're out of luck.
posted by event at 6:11 AM on December 3, 2006
posted by event at 6:11 AM on December 3, 2006
Response by poster: Well let's narrow down the possibilities then.
Suppose the person who sends the Outlook mailbox with a falsified email does the simplest thing possible: Before sending the mailbox to you, they go into Outlook, open the message they received, and simply use Edit -> Edit Message to edit the body of the message. They save the edited message and then send the whole mailbox to you.
Is there a way to detect such a change?
posted by mikeand1 at 8:47 AM on December 3, 2006
Suppose the person who sends the Outlook mailbox with a falsified email does the simplest thing possible: Before sending the mailbox to you, they go into Outlook, open the message they received, and simply use Edit -> Edit Message to edit the body of the message. They save the edited message and then send the whole mailbox to you.
Is there a way to detect such a change?
posted by mikeand1 at 8:47 AM on December 3, 2006
I don't know, but I know how I'd find out.
I'd send myself a mail containing many copies of an unlikely word like florbleglast. I'd use Outlook to edit the mail and change all the florbleglasts to flubberworths, then open the .pst file with a hex editor to see if there were any florbleglasts still inside it (or even if there was a complete copy of the original, unedited mail). I'd then have another look after running a Compact Mail Folders from Outlook.
posted by flabdablet at 4:15 PM on December 3, 2006
I'd send myself a mail containing many copies of an unlikely word like florbleglast. I'd use Outlook to edit the mail and change all the florbleglasts to flubberworths, then open the .pst file with a hex editor to see if there were any florbleglasts still inside it (or even if there was a complete copy of the original, unedited mail). I'd then have another look after running a Compact Mail Folders from Outlook.
posted by flabdablet at 4:15 PM on December 3, 2006
Response by poster: ^^^ That's an excellent idea. Unfortunately, my mailbox is already full of florbleglasts and flubberworths... Damn you spammers!!!!
j/k
Thanks flabdablet, I'll give it a try.
posted by mikeand1 at 5:24 PM on December 3, 2006
j/k
Thanks flabdablet, I'll give it a try.
posted by mikeand1 at 5:24 PM on December 3, 2006
This thread is closed to new comments.
posted by phrontist at 10:31 PM on December 2, 2006