Is it possible that an outlook server can be manipulated to backdate mails??



borderfox -> Is it possible that an outlook server can be manipulated to backdate mails?? (9.Nov.2011 3:16:59 PM)

Mods - please feel free to move this if it's deemed to be in the wrong section.


The query is as per the thread title...but let me give some background first.

Situation involves a sub contractor working with a multi-national corporation. He was working very closely with them - in so far as he had a user account on the company's internal email system. Without going into detail, a dispute arose. Outlook access was subsequently withdrawn. However, the individual can still view legacy mails up to that time - on the copy of outlook that's on their laptop.

Upon reviewing mails, this individual has now noticed a handful of critical mails that they are 110% sure they had not received during the time in which they were working in close cooperation - onsite - with this company. However, the mails show up with dates suggesting that they were sent during the individual's time working closely with the company.

Is it possible - where a company have their own outlook server - that mails could be backdated and then sent out from a couple of the other company employees who are key to the issue at hand? The individual concerned would have logged in on a number of occasions in the weeks following this conflict coming to a head.

Any input from anyone with experience of running an outlook server would be very welcome on the subject.




mark@mvps.org -> RE: Is it possible that an outlook server can be manipulated to backdate mails?? (9.Nov.2011 6:17:15 PM)

It's possible but extremely difficult to do. The possibility to manipulate emails is why archiving solutions exist and why they have all manner of certifications. Also why storage vendors have compliant locking solutions (think NetApp SnapLock as one example of several).

Your first assumption is that the dates are right. Work from there to prove otherwise.




ermanishchawla -> RE: Is it possible that an outlook server can be manipulated to backdate mails?? (10.Nov.2011 10:54:32 AM)

Yes, this fact I have personally demonstrated in my lab while testing an Exchange server. It is very easy: the domain controller has responsibility to synchronize time between Exchange servers, and emails are timestamped using the system time of the mailbox servers. One day I intentionally modified the time of the Exchange servers to see the effects on the mails, and I put a future time some 12 hours ahead to test; by the time it was resynchronized, our test environment had received some twenty mails with a future date and time! So mails can even be backdated by simply changing the time of the Active Directory server for Exchange and not keeping any synchronization of time using any sort of NTP. Then all mails sent during that time will be backdated!

To avoid such scenarios you should have some strong compliance mechanism, with mails treated as records after a period of time.




borderfox -> RE: Is it possible that an outlook server can be manipulated to backdate mails?? (11.Nov.2011 7:57:04 AM)

quote:

ORIGINAL: ermanishchawla

Yes, this fact I have personally demonstrated in my lab while testing an Exchange server. It is very easy: the domain controller has responsibility to synchronize time between Exchange servers, and emails are timestamped using the system time of the mailbox servers.

Thanks for taking the time to respond. Having established that this is possible, as a non I.T. pro, I am at a loss as to how to advise this individual to deal with this situation. Naturally, the emails which were backdated and 'planted' weaken the legal position of this individual. Furthermore, the individual has no access to company systems now.

If they were to get a court order or use a similar legal mechanism - to obtain permission to acquire company data - what exactly could be sought from the server that could prove this wrongdoing - or simply prove that the emails in question were fabricated?


One last question. The handful of emails that were fabricated and backdated appeared to be sent from a number of different company employees. Is it safe to assume that it's possible to do this without ever getting them directly involved? i.e. they didn't have to send the mails themselves - the person that 'backdated' them did?




mark@mvps.org -> RE: Is it possible that an outlook server can be manipulated to backdate mails?? (11.Nov.2011 8:10:06 AM)

You need to engage counsel.
If you haven't already got an archiving solution in place that is compliant (Enterprise Vault, NearPoint being two such examples) then you can only work with what you have been given.




borderfox -> RE: Is it possible that an outlook server can be manipulated to backdate mails?? (11.Nov.2011 8:22:02 AM)

Hi Mark. Thanks for your post. I think I have not clarified the situation properly.
quote:

ORIGINAL: mark@mvps.org
You need to engage counsel.

I take your point - but 'counsel' are not IT professionals. They need to know what documents/data to get permission to go in and acquire - and that's what I'm trying to establish here.
quote:

ORIGINAL: mark@mvps.org
If you haven't already got an archiving solution in place that is compliant (Enterprise Vault, NearPoint being two such examples) then you can only work with what you have been given.

This individual did not work in any field even remotely related to I.T. - and so he has no knowledge whatsoever of what systems are in place...other than an inkling that there was a separate exchange server specifically for that company location. Otherwise, he was an end user in terms of simply using an outlook inbox - and the company internal email system. The exchange of information via email forms a significant part of the dispute. Exacerbating this - is the planting of 'rogue' emails that have been introduced after the fact - as a damage limitation exercise by the company.

I hope this better explains away the quandary my friend finds himself in. Now, based on this, the head scratcher is what data should be acquired (by legal means) from the company to prove this disingenuous act??




mark@mvps.org -> RE: Is it possible that an outlook server can be manipulated to backdate mails?? (11.Nov.2011 8:27:43 AM)

We are not lawyers and can't help you further. You are not the admin of the server or his admin. If your man has a grievance he has to address it through channels, whatever those may be.
If you controlled the technology we could maybe help. If you could prove that on day 0 the email dates said x and then on day 1 they said y, you'd have some form of evidence.

At the end of the day only a legal engagement can get you what you need.

You now know that Exchange is not a forensically compliant solution and anything can be changed. You now have to take that knowledge and decide what to do.




borderfox -> RE: Is it possible that an outlook server can be manipulated to backdate mails?? (11.Nov.2011 8:37:01 AM)

Hi Mark. Thanks again for taking the time out to respond.
quote:

ORIGINAL: mark@mvps.org
You now know that Exchange is not a forensically compliant solution and anything can be changed. You now have to take that knowledge and decide what to do.

It's frustrating - but it sounds like from what you're saying, the best outcome that can be hoped for is that it can be demonstrated that exchange CAN be tampered with - and not specifically that it HAS been tampered with in this specific case.




ermanishchawla -> RE: Is it possible that an outlook server can be manipulated to backdate mails?? (15.Nov.2011 11:46:13 AM)

But I have a solution for you. Even if mails are sent with a back date by users from outside the organization, the logs of when they were received will carry the date of your system. So please check there and confirm that the mails were not delivered backdated.
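
Added example, not part of any post in this thread: one way to run the comparison suggested above on a saved copy of a message, by checking the sender-supplied Date header against the timestamp each relay wrote into its Received header. The sample message, host names and the `check_dates` helper are constructed for illustration; the 10-minute tolerance is an assumption.

```python
from datetime import timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample (not from the thread): Date claims 3 Oct, relays stamped 14 Nov.
SAMPLE = """\
Received: from hub01.example.test (10.0.0.5) by mbx01.example.test (10.0.0.9)
 with ESMTP id 0002; Mon, 14 Nov 2011 09:12:44 +0000
Received: from client.example.test (10.0.0.77) by hub01.example.test (10.0.0.5)
 with ESMTP id 0001; Mon, 14 Nov 2011 09:12:41 +0000
Date: Mon, 3 Oct 2011 16:05:00 +0000
From: sender@example.test
To: recipient@example.test
Subject: constructed sample

body
"""

def parse_stamp(text):
    """Parse an RFC 5322 date; return an aware datetime or None."""
    try:
        dt = parsedate_to_datetime(text.strip())
    except (TypeError, ValueError, AttributeError):
        return None
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def hop_times(msg):
    """Received timestamps, oldest hop first (each relay prepends its header)."""
    stamps = (parse_stamp(v.rsplit(";", 1)[-1]) for v in msg.get_all("Received", []))
    return [s for s in reversed(list(stamps)) if s is not None]

def check_dates(raw, tolerance=timedelta(minutes=10)):
    """Return findings where the Date header and relay stamps disagree."""
    msg = message_from_string(raw)
    claimed = parse_stamp(msg["Date"])
    if claimed is None:
        return ["Date header missing or unparseable"]
    hops, findings = hop_times(msg), []
    if hops and hops[0] - claimed > tolerance:
        findings.append(f"Date header is {hops[0] - claimed} earlier than the first relay stamp")
    for earlier, later in zip(hops, hops[1:]):
        if earlier - later > tolerance:
            findings.append(f"relay stamps out of order: {earlier} then {later}")
    return findings

if __name__ == "__main__":
    for finding in check_dates(SAMPLE):
        print(finding)
```

A relay whose own clock was changed stamps its Received header with the changed time as well, so an empty result is not proof of authenticity; stamps and logs from systems with independent clocks carry the most weight.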



