Skip to main content

This post on Gmail MIME boundary timestamps is an update to my previous Dates in Hiding post to cover some recent developments. Stig Hopland sent me an email about 10 days ago to talk about the MIME boundaries in Gmail messages. Stig is a fellow digital forensic examiner from Norway and is a beloved FEC user who offers us invaluable feedback and insights.

Apparently, Stig was working from his home office due to the growing health concerns, re-read my Dates in Hiding post, and decided to investigate the interesting values in Gmail MIME boundaries which look as in the example below:

000000000000b6809105a0ae7b18

Researching these values has been on my to-do list for a while. We use timestamps extracted from MIME boundary delimiters all the time, and being able to apply the same technique to Gmail messages was an exciting thought! We exchanged a few emails, Stig went back to pondering the bytes, and came back within the week with a method to decrypt the timestamps with an accuracy of minutes! I was beyond excited! I took a look at his findings and it wasn’t long before we managed to fine-tune the method to get to millisecond precision.

How to Decode Gmail MIME Boundary Delimiters

Here is an example of how these timestamps look in context:

MIME-Version: 1.0
Date: Thu, 12 Mar 2020 13:49:03 -0700
Message-ID: <CAA+wZVWXROPiNEuaBdpE77P3dAKye5aj1WowgYr3xRmTexnW6w@mail.gmail.com>
Subject: Test
From: John Doe <jdoe@gmail.com>
To: Jane Doe <janedoe@gmail.com>
Content-Type: multipart/alternative; boundary="000000000000b6809105a0ae7b18"

--000000000000b6809105a0ae7b18
Content-Type: text/plain; charset="UTF-8"

Test

--000000000000b6809105a0ae7b18
Content-Type: text/html; charset="UTF-8"

<div dir="ltr">Test</div>

--000000000000b6809105a0ae7b18--

This is how we ended up converting the MIME boundary delimiters to timestamps:

000000000000b6809105a0ae7b18

1. Append the green part to the yellow part:

05a0ae7bb68091

2. Convert the resulting hex value to decimal:

1584046143864977

3. Take the first 13 digits, treat that as an Epoch date with millisecond precision (or treat the entire value as an Epoch date with microsecond precision), and convert it to a human-readable timestamp:

1584046143864 ➫ Thursday, March 12, 2020 8:49:03.864 PM (GMT) or Thursday, March 12, 2020 1:49:03.864 PM (GMT -7)

Note that this matches the origination date of the source email in this example. I have encountered scenarios where there was a relatively small (typically less than 30 seconds) discrepancy between the date found in the Gmail MIME Boundary and the origination date of the message.

What Is The Forensic Relevance?

The MIME boundary delimiter format above is found in messages sent via Gmail’s web interface as well as Gmail API such as the Gmail Android App. So, the majority of the messages with Gmail origin that we encounter have this MIME boundary delimiter format.

Since the contents of these delimiters are not immediately clear to the end-user, excluding those with Rain Man abilities, they usually remain unaltered in fraudulent emails. This makes these boundary delimiters a very valuable data point for digital forensic examiners investigating email fraud.

Messages Sent via Other Email Clients

Gmail also supports access using methods other than its web interface or Gmail API. For instance, here is an example message that was sent from Gmail using Outlook over IMAP:

X-Apparently-To: fecdev@yahoo.com; Mon, 06 Jan 2020 20:06:01 +0000
Return-Path: <lmisf01@gmail.com>
Authentication-Results: mta4202.mail.ne1.yahoo.com; 
 dkim=pass (ok) header.i=@gmail.com header.s=20161025;
 spf=pass smtp.mailfrom=@gmail.com;
 dmarc=pass(p=none sp=quarantine dis=none) header.from=gmail.com;
Received-SPF: pass (domain of gmail.com designates 209.85.215.180 as permitted sender)
X-Originating-IP: [209.85.215.180]
Received: from 10.217.130.17  (EHLO mail-pg1-f180.google.com) (209.85.215.180)
  by mta4202.mail.ne1.yahoo.com with SMTPS; Mon, 06 Jan 2020 20:06:01 +0000
Received: by mail-pg1-f180.google.com with SMTP id k3so27354527pgc.3
        for <fecdev@yahoo.com>; Mon, 06 Jan 2020 12:06:01 -0800 (PST)
X-Gm-Message-State: APjAAAU1ztyAEuXNkub0paV4W28Tu/cax3NFUE7anPoKsNEO5gg8wPAn
  ySeN6wilsBOhg/try+lS7H/WRIa5MnA=
X-Google-Smtp-Source: APXvYqyRnNbxjdO0Oqt4JGv8PKY9MV79V2tDti/bn3mR6B+QGDdMG3kditksOjUNaEKNmdRSrdELFA==
X-Received: by 2002:a63:28c7:: with SMTP id o190mr109687943pgo.394.1578341160386;
        Mon, 06 Jan 2020 12:06:00 -0800 (PST)
Return-Path: <lmisf01@gmail.com>
Received: from <computername> ([xxx.xxx.xxx.xxx])
        by smtp.gmail.com with ESMTPSA id i8sm63452858pfa.109.2020.01.06.12.05.59
        for <fecdev@yahoo.com>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Mon, 06 Jan 2020 12:06:00 -0800 (PST)
From: "LMISF01" <lmisf01@gmail.com>
To: <fecdev@yahoo.com>
Subject: Test from Outlook
Date: Mon, 6 Jan 2020 12:06:02 -0800
Message-ID: <0a6f01d5c4cc$b9145e70$2b3d1b50$@gmail.com>
MIME-Version: 1.0
Content-Type: multipart/alternative;
  boundary="----=_NextPart_000_0A70_01D5C489.AAF193A0"
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AdXEzIY/C5WB1x/BREeMK5BBoT9QGQ==
Content-Language: en-us
Content-Length: 2330

This is a multipart message in MIME format.

------=_NextPart_000_0A70_01D5C489.AAF193A0
Content-Type: text/plain;
  charset="us-ascii"
Content-Transfer-Encoding: 7bit

This is the body of an email sent via Outlook 16 on a PC.


------=_NextPart_000_0A70_01D5C489.AAF193A0
Content-Type: text/html;
  charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<html xmlns:v=3D"urn:schemas-microsoft-com:vml" =
xmlns:o=3D"urn:schemas-microsoft-com:office:office" =
xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" =
xmlns=3D"http://www.w3.org/TR/REC-html40"><head><META =
HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; =
charset=3Dus-ascii"><meta name=3DGenerator content=3D"Microsoft Word 15 =
(filtered medium)"><style><!--
/* Font Definitions */
@font-face
  {font-family:"Cambria Math";
  panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
  {font-family:Calibri;
  panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
  {font-family:Cambria;
  panose-1:2 4 5 3 5 4 6 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
  {margin:0in;
  margin-bottom:.0001pt;
  font-size:11.0pt;
  font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
  {mso-style-priority:99;
  color:#0563C1;
  text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
  {mso-style-priority:99;
  color:#954F72;
  text-decoration:underline;}
span.EmailStyle17
  {mso-style-type:personal-compose;
  font-family:"Cambria",serif;
  color:windowtext;}
.MsoChpDefault
  {mso-style-type:export-only;
  font-family:"Calibri",sans-serif;}
@page WordSection1
  {size:8.5in 11.0in;
  margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
  {page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext=3D"edit" spidmax=3D"1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext=3D"edit">
<o:idmap v:ext=3D"edit" data=3D"1" />
</o:shapelayout></xml><![endif]--></head><body lang=3DEN-US =
link=3D"#0563C1" vlink=3D"#954F72"><div class=3DWordSection1><p =
class=3DMsoNormal><span =
style=3D'font-size:12.0pt;font-family:"Arial",sans-serif;color:#222222;ba=
ckground:white'>This is the body of an email sent via Outlook 16 on a =
PC.</span><span =
style=3D'font-family:"Cambria",serif'><o:p></o:p></span></p></div></body>=
</html>
------=_NextPart_000_0A70_01D5C489.AAF193A0--

The MIME boundary delimiters created by Outlook appear clearly different:

——=_NextPart_000_0A70_01D5C489.AAF193A0

That said, these delimiters also contain valuable timestamps in FILETIME format:

01D5C489:AAF193A0 ➫ 01/06/2020 12:06:03.482 PM (LT)

The Message-ID header field looks as follows:

Message-ID: <0a6f01d5c4cc$b9145e70$2b3d1b50$@gmail.com>

01D5C4CC:B9145E70 ➫ 01/06/2020 08:06:03.479 PM (GMT)

This gives us two clues:

  1. We can verify the local time offset by comparing the FILETIME values from the MIME boundary delimiters and the Message-ID header field.
  2. The fact that the Message-ID value ends with @gmail.com rather than @mail.gmail.com corroborates that the message was sent via IMAP rather than via Gmail’s web interface or API.

Free Tool to Decode Gmail MIME Boundary Delimiters

Although the calculation is simple, manually decoding Gmail MIME boundary delimiters can get tiring. We’ve put together a quick tool that will do the work for you.

Gmail MIME Boundary Decoder

If you do not receive an email from us in a few minutes, please check your spam folder.

System Requirements