
One of my favorite data points when forensically examining emails is hidden timestamps. These timestamps not only provide invaluable timing information in a forensic investigation, but they are also often overlooked by perpetrators during email manipulation attempts.

Let’s take a look at an example. The following is an email message from a Yahoo account to a GoDaddy account. I’ve acquired it in MIME format using Forensic Email Collector; the interesting header fields and delimiters are walked through after the listing:

Received: (qmail 27394 invoked by uid 30297); 15 Jul 2019 19:00:53 -0000
Received: from unknown (HELO p3plibsmtp02-01.prod.phx3.secureserver.net) ([68.178.213.1])
          (envelope-sender <fecdev@yahoo.com>)
          by p3plsmtp15-02-25.prod.phx3.secureserver.net (qmail-1.03) with SMTP
          for <info@proksimiti.com>; 15 Jul 2019 19:00:53 -0000
Received: from sonic306-30.consmr.mail.bf2.yahoo.com ([74.6.132.229])
  (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 256/256 bits)
  (Client did not present a certificate)
  by CMGW with ESMTP
  id n6DUhF6dMOiyon6DUhGLMC; Mon, 15 Jul 2019 12:00:53 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1563217240; bh=8X7yayAIb3rM/ntRAK51gp9Em0JURK/p+ksVu/Z55lU=; h=Date:From:To:Subject:References:From:Subject; b=tQ1O9lbhlhas/87XFPpUNlysUhIYzDVm42L4MC6i6iofZ2+jslT5u5yAQB9fwxniIaEY4fQ6aTGK1BJn3WI967WUwAN0d4uYide8NwM1uSzD4p68muVqv85PrkbwEDIxL7deohpTgiI93T84I5skBGiWw4BisqkG9b52RaBa+0yHYdRiCe4/aT5zOAprC1YPsw2ZLAJdjxrYXgfJrnudxIei93s/rUJcUCvaT4Esp3bSU7+nQK9aMb7lHyCGhaDJNCn7c+ylcxCNeag54QQmi1OQlo2Kvvq8iSrjh/D2mgSJ02iKiYOiJM28GtQ2csRgQSduflviN9a5fb5TdGvgBA==
X-YMail-OSG: 3.j.gS4VM1kfruyqKA_wVA39FA6bG74nIIdq4w1kAWS66KTCaC_nrBBOGqMEuDa
 JpRDkm2ebf7Eb.i.vPl.odVLcU0vIb0zWpLYW3c8tePXwfOGUrv3QYcYizcX31JC2i4ld4bdBwoN
 Ed6tJkHH39LCszcxu_u64IlRC4Avxu6RvWnjmxrmt3HLYWI5n6ODsZlf_Edww4X51MVvm5cErbKk
 Ch4B6acgyNoS6_38f_IuMYAycHUMgBIFtC0wXYyJl7WJcRVGScuwsbFk1ymIZmJIGbYHc3XgWtSP
 A85n_85lM16aegWOzNdBUxw2ZPhp3nM3TLl2mYltlnnSnaai97nq1UatRuzcob6_OXUpxAdvnck7
 UKcIg.It66a5mD_xqEDUe1h0k0pICNKED5SAR7HGdsYT4IcKnzImnz8p.Y2pIgfQDFrHqos1Q2aG
 CpfuCCqMroRx4ZjoC7u7oaAi3nHCMmxOsomjEWXf_bFC8WIGZpd2FuxhLmesvnByGAj0WcFRFsLA
 Yjh7YmNdFHC_jlNkRmQCCGX7yzcetpIADHDKf3LFaaLnuiRF1KyfaaKhuZim7HFCnVuGMtIKm9Vl
 nIBHZvTJCenxsScQ4ziizhNzXfHTucgRvjVobSY4hNpMtwWBIFF3IUMPuIWYEErGa8nw.R5U.Mch
 VSvSsN3w.tZOp3fFrzNH5kEM4xoYblHCTpywDTLDHTA7lHBMJfZ2KYN7w1oeSTkcMV19CwP0qmEC
 0gdgs6X7ke4AaM8wowYGTpOg4TdvRKeuURHzCsn5bBi9nKKGq8AbZCaTdBbOlwntsEEkksh7KPVW
 iNm.DpUh7ZEQu6RNWfxCuqNrck8SpeTU32LH0z4LftAaUcRAZ8wqMUQTr7v9zyDoDNAN0H7lwb8L
 c1czADflxB6oLT66AJ0boZseWs78jExk4BO6dg2CRiiIlbJZ.B4B3_Dk4ZiN51Nwa_5BS5yrFpz.
 VH4ncRe_KyrSj2PtD8xdtWiplF22Kxo7VSaTbCZjii055fxPIbprmjOpT8PJkf0flHU_hEhuYdv7
 iZN0TJYHav91i8Id4OU0AM6suy9Nk_x0Kkk6gYfgGLaoV6iiVdTlmluWRAJJkjWzY2LCWJ1rbtXS
 iye5mxycKcWODr2mgtlEFIjVckB91r03C9_aM1.QtLiCaYSB9IBnTCg7Bb8WbS4t3bOQN3eglgUj
 C51ZoUEw2PT_0Wv.JQ0Xs7TO1OQ42egeowOwpdVybMOeTYYeuz77CagaA6g--
Received: from sonic.gate.mail.ne1.yahoo.com by sonic306.consmr.mail.bf2.yahoo.com with HTTP; Mon, 15 Jul 2019 19:00:40 +0000
Date: Mon, 15 Jul 2019 18:58:39 +0000 (UTC)
From: FEC Dev <fecdev@yahoo.com>
To: "info@proksimiti.com" <info@proksimiti.com>
Message-ID: <660010183.915726.1563217119410@mail.yahoo.com>
Subject: Upcoming Purchase
MIME-Version: 1.0
Content-Type: multipart/alternative; 
  boundary="----=_Part_915725_248640444.1563217119409"
References: <660010183.915726.1563217119410.ref@mail.yahoo.com>
X-Mailer: WebService/1.1.13991 YMailNorrin Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Content-Length: 700
X-CMAE-Envelope: MS4wfLZlB7CaMDrryNg4bKn55ydjUqDKCWBS9G3ok/BIKlkU8Zlsy82e/vSUfOmU7oimgtG0yXPVpfsC1jxBMM4BNLz+MoWQBwtojDPEZQwRhUYMcwWoZEfb
 hxr2yJFh5Lub21K8mK/Y6fcDSXBHSrgLz4rcKsXyk2+zTyPEFo9DbH7mP2wiSAuCTxUPs47+Hj710A==
X-Nonspam: None

------=_Part_915725_248640444.1563217119409
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit

Hello,
Please proceed with the transaction immediately. Thank you.

------=_Part_915725_248640444.1563217119409
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 7bit

<html><head></head><body><div class="yahoo-style-wrap" style="font-family:Helvetica Neue, Helvetica, Arial, sans-serif;font-size:16px;"><div dir="ltr" data-setdir="false">Hello,</div><div dir="ltr" data-setdir="false"><br></div><div dir="ltr" data-setdir="false">Please proceed with the transaction immediately. Thank you.<br></div></div></body></html>
------=_Part_915725_248640444.1563217119409--

Timestamps in MIME Boundary Delimiters

Let’s start from the bottom up and take a look at the MIME boundary delimiters.

------=_Part_915725_248640444.1563217119409

This delimiter occurs four times in the message: in the boundary parameter of the Content-Type header field, twice as the opener of a body part, and once, with a trailing --, as the closing delimiter. Its last dot-separated component, 1563217119409, is an Epoch timestamp with millisecond precision. When converted, it reads Monday, July 15, 2019 6:58:39.409 PM (UTC), which agrees with the Date header field (18:58:39 +0000, truncated to the second).

Timestamps in the Message-ID and References Header Fields

These fields look as follows:

Message-ID: <660010183.915726.1563217119410@mail.yahoo.com>
References: <660010183.915726.1563217119410.ref@mail.yahoo.com>

The 13-digit component before the @ is also an Epoch timestamp with millisecond precision, and it reads Monday, July 15, 2019 6:58:39.410 PM (UTC), one millisecond after the boundary timestamp. The middle component, 915726, is one higher than the 915725 in the boundary, which suggests both identifiers were drawn from the same counter when the webmail server built the message.

Timestamps in the DKIM Signature

If we look at the DKIM-Signature header field, we spot another timestamp:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1563217240; bh=8X7yayAIb3rM/ntRAK51gp9Em0JURK/p+ksVu/Z55lU=; …

This is an Epoch timestamp with second precision; in DKIM the t= tag records the time at which the signature was created (RFC 6376). It is equivalent to Monday, July 15, 2019 7:00:40 PM (UTC). Note that this matches the date on the Received trace field added by sonic306.consmr.mail.bf2.yahoo.com (Mon, 15 Jul 2019 19:00:40 +0000), consistent with the message being signed as it left that host, and that it is about two minutes after the Date header field.
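The three hidden timestamps above (boundary, Message-ID/References, DKIM t=) and the visible Date and Received dates can be pulled out of the raw message and lined up on one timeline. The script below is an added example written for this article, not code from the post or from Forensic Email Collector. It embeds a constructed copy of the Yahoo message's header block (the X-YMail-OSG field and body are dropped and the DKIM b= value is truncated), and it assumes Yahoo's boundary and Message-ID layouts as seen in that message: a trailing 13-digit Epoch-millisecond component.

```python
import re
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: the header block of the Yahoo -> GoDaddy message shown above,
# with the X-YMail-OSG field and the body dropped and the DKIM b= value truncated.
RAW_HEADERS = """\
Received: (qmail 27394 invoked by uid 30297); 15 Jul 2019 19:00:53 -0000
Received: from sonic306-30.consmr.mail.bf2.yahoo.com ([74.6.132.229])
  by CMGW with ESMTP
  id n6DUhF6dMOiyon6DUhGLMC; Mon, 15 Jul 2019 12:00:53 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048;
  t=1563217240; bh=8X7yayAIb3rM/ntRAK51gp9Em0JURK/p+ksVu/Z55lU=;
  h=Date:From:To:Subject:References:From:Subject; b=tQ1O9lbhlhas...
Received: from sonic.gate.mail.ne1.yahoo.com by sonic306.consmr.mail.bf2.yahoo.com with HTTP; Mon, 15 Jul 2019 19:00:40 +0000
Date: Mon, 15 Jul 2019 18:58:39 +0000 (UTC)
From: FEC Dev <fecdev@yahoo.com>
To: "info@proksimiti.com" <info@proksimiti.com>
Message-ID: <660010183.915726.1563217119410@mail.yahoo.com>
Subject: Upcoming Purchase
MIME-Version: 1.0
Content-Type: multipart/alternative;
  boundary="----=_Part_915725_248640444.1563217119409"
References: <660010183.915726.1563217119410.ref@mail.yahoo.com>

"""


def epoch_to_utc(value: int, unit: str = "s") -> datetime:
    """Epoch seconds or milliseconds -> aware UTC datetime, without float rounding."""
    secs, ms = divmod(value, 1000) if unit == "ms" else (value, 0)
    return datetime.fromtimestamp(secs, tz=timezone.utc) + timedelta(milliseconds=ms)


def header_date_to_utc(text: str) -> datetime:
    """RFC 5322 date -> aware UTC datetime. A '-0000' zone parses as naive and means UTC."""
    dt = parsedate_to_datetime(text)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def hidden_timestamps(raw: str) -> dict:
    """Collect hidden (boundary, Message-ID, References, DKIM t=) and visible
    (Date, Received) timestamps from a raw message, all as aware UTC datetimes."""
    msg = message_from_string(raw)
    found = {}
    # 1. MIME boundary: Yahoo's ----=_Part_<n>_<n>.<epoch ms> layout (assumed)
    m = re.search(r"\.(\d{13})$", msg.get_boundary() or "")
    if m:
        found["boundary"] = epoch_to_utc(int(m.group(1)), "ms")
    # 2. Message-ID and References: the component before '@' (or '.ref@') is epoch ms
    for field in ("Message-ID", "References"):
        m = re.search(r"\.(\d{13})(?:\.ref)?@", msg.get(field, ""))
        if m:
            found[field] = epoch_to_utc(int(m.group(1)), "ms")
    # 3. DKIM-Signature t= tag: signature creation time in epoch seconds (RFC 6376)
    m = re.search(r"(?:^|;)\s*t=(\d+)", msg.get("DKIM-Signature", ""))
    if m:
        found["dkim_t"] = epoch_to_utc(int(m.group(1)))
    # 4. Visible timestamps for comparison; a Received date follows the last ';'
    found["Date"] = header_date_to_utc(msg["Date"])
    for i, trace in enumerate(msg.get_all("Received", [])):
        found[f"Received[{i}]"] = header_date_to_utc(trace.rsplit(";", 1)[1].strip())
    return found


def delta_seconds(ts: dict, later: str, earlier: str) -> float:
    """Signed gap between two collected timestamps, in seconds."""
    return (ts[later] - ts[earlier]).total_seconds()


def timeline(ts: dict) -> list:
    """Labels and ISO-8601 values ordered by time. The Date field is truncated to
    the second, so it sorts just ahead of the millisecond values generated in
    the same instant."""
    return [(label, dt.isoformat()) for label, dt in sorted(ts.items(), key=lambda kv: kv[1])]


if __name__ == "__main__":
    ts = hidden_timestamps(RAW_HEADERS)
    for label, when in timeline(ts):
        print(f"{label:<14} {when}")
    print("boundary -> Message-ID:", delta_seconds(ts, "Message-ID", "boundary"), "s")
    print("DKIM t= -> sonic306 Received:", delta_seconds(ts, "dkim_t", "Received[2]"), "s")
```

Two checks fall out of the timeline: the boundary and Message-ID were generated one millisecond apart on the webmail server, and the DKIM t= equals the date on the sonic306 Received field to the second. A Date header that had been edited after the fact would stand out here, because the three hidden values would no longer bracket it.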

Here is another example (message body trimmed for brevity):

Received: by 2002:a81:2d82:0:0:0:0:0 with SMTP id t124-v6csp5502995ywt;
        Mon, 5 Nov 2018 09:43:29 -0800 (PST)
Received: from o6.p10.mailjet.com (o6.p10.mailjet.com. [87.253.235.6])
        by mx.google.com with ESMTPS id z67-v6si26977178wmb.34.2018.11.05.09.43.28
        for <lmisf01@gmail.com>
        (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256);
        Mon, 05 Nov 2018 09:43:29 -0800 (PST)
Reply-To: <hello@producthunt.com>
From: Product Hunt Daily <hello@digest.producthunt.com>
To: <lmisf01@gmail.com>
Subject: Play games while you ride your horse
Date: Mon, 5 Nov 2018 09:43:28 -0800
Message-ID: <4bbe0f40.AJYAEQR-VEEAAAYratwAAAd9o_wAAAAIijYAAAAAAAYklQBb4IFA@mailjet.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0000_01D4B364.5C460060"
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQGfn39hkC1I90ybIjXNvTnfAiwDDg==
X-Google-Smtp-Source: AJdET5dkvgL9ZDiU9AqwHqJmwM+9P3ex0EmM1ks+glLmIDuLOlKxiqWvHq92QPWql0gzUV6W6dsz
X-Received: by 2002:adf:eb48:: with SMTP id u8-v6mr18710230wrn.22.1541439809490;
        Mon, 05 Nov 2018 09:43:29 -0800 (PST)
Authentication-Results: mx.google.com;
       dkim=pass header.i=@digest.producthunt.com header.s=mailjet header.b=sqaMnw1J;
       dkim=pass header.i=@bnc3.mailjet.com header.s=mailjet header.b=lDZK9U0u;
       spf=pass (google.com: domain of 4bbe0f40.ajyaeqr-veeaaayratwaaad9o_waaaaiijyaaaaaaayklqbb4ifa@bnc3.mailjet.com designates 87.253.235.6 as permitted sender) smtp.mailfrom=4bbe0f40.AJYAEQR-VEEAAAYratwAAAd9o_wAAAAIijYAAAAAAAYklQBb4IFA@bnc3.mailjet.com;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=producthunt.com
X-CSA-Complaints: whitelist-complaints@eco.de
X-MJ-Mid: AJYAEQR-VEEAAAYratwAAAd9o_wAAAAIijYAAAAAAAYklQBb4IFA03FF5R-iSEGQmP2RNbhPvgAF1QU
X-REPORT-ABUSE-TO: Message sent by Mailjet please report to abuse@mailjet.com with a copy of the message
List-Unsubscribe: <mailto:unsub-4bbe0f40.z83o.0otxyk1xtgso@bnc3.mailjet.com>
Content-Language: en-us
X-OlkEid: 00000000E99D742F177E4948AB97502B6BAC12160700C3B68E10F77511CEB4CD00AA00BBB6E600000000000C0000D9539C2261A6BB45B9DAB62C7081B3C10100E800000000006A8B4A45F8869849BA81A810114C7889

------=_NextPart_000_0000_01D4B364.5C460060
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit

Timestamps in MIME Boundary Delimiters

In this case, the MIME boundary delimiters look as follows:

------=_NextPart_000_0000_01D4B364.5C460060

Here the two hex groups, 01D4B364 and 5C460060, are the high and low 32-bit halves of a Windows FILETIME structure, a count of 100-nanosecond intervals since January 1, 1601 (UTC). Decoding the FILETIME value results in the timestamp 01/23/2019 21:41:12.6780000 (UTC). Note that this doesn’t jibe with the apparent date of this email, November 5, 2018. This was expected: in this case, the message was opened and saved in Outlook after the fact, and Outlook regenerated the MIME boundary delimiters when it rewrote the message. The X-Mailer: Microsoft Outlook 16.0 header field on a Mailjet-delivered newsletter is another trace of that rewrite.

Timestamps in the X-Received Header

The X-Received header field contains the following string:

X-Received: by 2002:adf:eb48:: with SMTP id u8-v6mr18710230wrn.22.1541439809490;

The last dot-separated component of the SMTP id, 1541439809490, is an Epoch timestamp with millisecond precision, which represents Monday, November 5, 2018 5:43:29.490 PM (UTC). This is one second after the Date header field (09:43:28 -0800, i.e. 17:43:28 UTC) and matches the 09:43:29 -0800 recorded on the same trace field and on the Received field above it.
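The Outlook boundary is the case where a hidden timestamp is more recent than the message claims to be, and that gap is itself the finding. The following is an added example written for this article, not code from the post or from any of the products it mentions. It splits the two hex groups of an Outlook ----=_NextPart_ boundary into the FILETIME they form, decodes the Gmail SMTP id, and reports how far the boundary postdates the Date header field. The boundary, Date and X-Received values are copied from the message above; the NextPart layout (two 8-digit hex groups separated by a period) is assumed from that sample.

```python
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Values copied from the Product Hunt message above (constructed test input).
BOUNDARY = "----=_NextPart_000_0000_01D4B364.5C460060"
DATE = "Mon, 5 Nov 2018 09:43:28 -0800"
XRCVD = "by 2002:adf:eb48:: with SMTP id u8-v6mr18710230wrn.22.1541439809490;"


def filetime_to_utc(value: int) -> datetime:
    """Windows FILETIME (100 ns intervals since 1601-01-01 UTC) -> aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=value // 10)


def decode_nextpart_boundary(boundary: str):
    """Outlook's ----=_NextPart_NNN_NNNN_HHHHHHHH.LLLLLLLL boundary (layout assumed from
    the sample): the last two 8-digit hex groups are the high and low dwords of a FILETIME.
    Returns None for boundaries that do not follow this layout."""
    m = re.search(r"NextPart_\d+_\d+_([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})$", boundary)
    if not m:
        return None
    high, low = (int(g, 16) for g in m.groups())
    return filetime_to_utc((high << 32) | low)


def decode_gmail_smtp_id(received_value: str):
    """Gmail's 'with SMTP id ...' token ends in Epoch milliseconds."""
    m = re.search(r"SMTP id \S+\.(\d{13})(?!\d)", received_value)
    if not m:
        return None
    secs, ms = divmod(int(m.group(1)), 1000)
    return datetime.fromtimestamp(secs, tz=timezone.utc) + timedelta(milliseconds=ms)


def boundary_lag_days(boundary: str, date_header: str) -> float:
    """How far the boundary's FILETIME falls *after* the Date header, in days.
    Anything beyond a few seconds means the MIME structure was regenerated after
    the stated send time, e.g. by opening and saving the message in Outlook."""
    stamped = decode_nextpart_boundary(boundary)
    sent = parsedate_to_datetime(date_header).astimezone(timezone.utc)
    return (stamped - sent).total_seconds() / 86400


if __name__ == "__main__":
    print("boundary FILETIME :", decode_nextpart_boundary(BOUNDARY))
    print("Gmail SMTP id     :", decode_gmail_smtp_id(XRCVD))
    print(f"boundary postdates Date header by {boundary_lag_days(BOUNDARY, DATE):.1f} days")
```

For this message the boundary decodes to 2019-01-23 21:41:12.678 UTC, about 79 days after the Date header, which is the signature of a message that was re-saved by a mail client rather than of a forged Date field (a forged Date would typically be moved, not the boundary).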

How Do We Detect Hidden Timestamps?

Some of these timestamps can be hard to spot in a wall of text. That said, knowing what to look for certainly helps. Below is a list of timestamp formats you might encounter when examining emails, showing what each looks like at three points in the range 1/1/1980 00:00:00.000 to 12/31/2049 23:59:59.999 (all UTC), to give you a visual indication of the digit counts and leading characters to look for.

Timestamp Type                           1/1/1980 00:00:00.000     10/1/2019 17:00:00.000    12/31/2049 23:59:59.999
Epoch Hex (Big Endian)                   12CEA600                  5D938610                  967A75FF
Epoch Hex (Little Endian)                00A6CE12                  1086935D                  FF757A96
Epoch, Second Precision                  315532800                 1569949200                2524607999
Epoch, Millisecond Precision             315532800000              1569949200000             2524607999999
FILETIME Decimal                         119600064000000000        132144228000000000        141690815999990000
FILETIME Hex (Big Endian)                01A8E79F:E1D58000         01D57879:A90EE800         01F7630B:E39D58F0
FILETIME Hex (Little Endian)             0080D5E1:9FE7A801         00E80EA9:7978D501         F0589DE3:0B63F701
OLE Automation Date                      29221                     43739.7083333333          54788.9999999884
OLE Automation Date Hex (Big Endian)     40DC894000000000          40E55B76AAAAAAAB          40EAC09FFFFFF9C9
OLE Automation Date Hex (Little Endian)  000000004089DC40          ABAAAAAA765BE540          C9F9FFFF9FC0EA40
Apple Cocoa Core Data Timestamp          N/A (before 2001 epoch)   591642000                 1546300799
Mac HFS+ Timestamp                       2398377600                3652794000                4607452799

What each format counts (all epochs are UTC):
Epoch: seconds, or milliseconds, since 1/1/1970 00:00:00. The hex rows are the 32-bit seconds value in big- and little-endian byte order.
FILETIME: 100-nanosecond intervals since 1/1/1601 00:00:00, a 64-bit value that often appears as two 32-bit hex halves (high:low), as in the Outlook boundary above.
OLE Automation Date: days since 12/30/1899 00:00:00 as a double-precision float; the fraction is the time of day. The hex rows are the IEEE 754 bytes of that double.
Apple Cocoa Core Data Timestamp: seconds since 1/1/2001 00:00:00; dates before that epoch are negative, hence N/A for 1980.
Mac HFS+ Timestamp: seconds since 1/1/1904 00:00:00.
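The table is, in effect, a set of digit-count and value-range filters, and those filters can be applied mechanically to a header block. The scanner below is an added example written for this article, not code from the post or from Forensic Email Collector. It finds every numeric or hex token, tries each format from the table on it, keeps only the decodings that land inside the 1980 to 2049 window, and drops a candidate that is merely half of a longer candidate (each 8-digit half of a FILETIME also looks like an epoch hex value). The sample input is constructed from header lines of the two messages above; the window and the token-edge rule are assumptions you would tune to your case.

```python
import re
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
# Epochs of the formats listed in the table above.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=UTC)    # Windows FILETIME, 100 ns units
EPOCH_1899 = datetime(1899, 12, 30, tzinfo=UTC)  # OLE Automation Date, fractional days
EPOCH_1904 = datetime(1904, 1, 1, tzinfo=UTC)    # Mac HFS+, seconds
EPOCH_1970 = datetime(1970, 1, 1, tzinfo=UTC)    # Unix Epoch, seconds or milliseconds
EPOCH_2001 = datetime(2001, 1, 1, tzinfo=UTC)    # Apple Cocoa / Core Data, seconds

# Report only candidates that decode into the examination window (assumed: the table's range).
WINDOW = (datetime(1980, 1, 1, tzinfo=UTC), datetime(2050, 1, 1, tzinfo=UTC))

# Token edges: \b treats '_' as a word character, but boundaries such as
# ----=_NextPart_000_0000_01D4B364.5C460060 glue the value to an underscore,
# so "not preceded/followed by an alphanumeric" is used instead.
L, R = r"(?<![0-9A-Za-z])", r"(?![0-9A-Za-z])"
HEX8 = r"[0-9A-Fa-f]{8}"


def _le_hex(h: str) -> int:
    """Interpret a hex string as little-endian bytes."""
    return int.from_bytes(bytes.fromhex(h), "little")


DECODERS = [  # (label, pattern, match -> datetime)
    ("filetime-hex-be", L + rf"({HEX8})[.:]({HEX8})" + R,
     lambda m: EPOCH_1601 + timedelta(microseconds=int(m[1] + m[2], 16) // 10)),
    ("filetime-hex-le", L + rf"({HEX8})[.:]({HEX8})" + R,
     lambda m: EPOCH_1601 + timedelta(microseconds=_le_hex(m[1] + m[2]) // 10)),
    ("filetime-dec", L + r"(\d{18})" + R,
     lambda m: EPOCH_1601 + timedelta(microseconds=int(m[1]) // 10)),
    ("epoch-ms", L + r"(\d{12,13})" + R,
     lambda m: EPOCH_1970 + timedelta(milliseconds=int(m[1]))),
    ("epoch-s", L + r"(\d{9,10})" + R,
     lambda m: EPOCH_1970 + timedelta(seconds=int(m[1]))),
    ("cocoa", L + r"(\d{9,10})" + R,
     lambda m: EPOCH_2001 + timedelta(seconds=int(m[1]))),
    ("hfs-plus", L + r"(\d{10})" + R,
     lambda m: EPOCH_1904 + timedelta(seconds=int(m[1]))),
    ("ole-date", L + r"(\d{5}\.\d+)" + R,
     lambda m: EPOCH_1899 + timedelta(days=float(m[1]))),
    ("epoch-hex-be", L + rf"({HEX8})" + R,
     lambda m: EPOCH_1970 + timedelta(seconds=int(m[1], 16))),
    ("epoch-hex-le", L + rf"({HEX8})" + R,
     lambda m: EPOCH_1970 + timedelta(seconds=_le_hex(m[1]))),
]


def scan(text: str) -> list:
    """Return (offset, label, literal, iso_utc) for every in-window candidate.
    A literal that sits strictly inside a longer candidate is dropped."""
    found = []
    for label, pattern, decode in DECODERS:
        for m in re.finditer(pattern, text):
            try:
                dt = decode(m)
            except (OverflowError, ValueError):
                continue  # not representable as a date at all
            if WINDOW[0] <= dt < WINDOW[1]:
                found.append((m.start(), m.end(), label, m.group(0), dt))
    found.sort(key=lambda f: (f[0] - f[1], f[0]))  # longest span first
    kept = []
    for f in found:
        covered = any(k[0] <= f[0] and f[1] <= k[1] and (k[1] - k[0]) > (f[1] - f[0])
                      for k in kept)
        if not covered:
            kept.append(f)
    return [(s, label, lit, dt.isoformat()) for s, _, label, lit, dt in sorted(kept)]


# Constructed input: header lines copied from the two messages above.
SAMPLE = """\
Message-ID: <660010183.915726.1563217119410@mail.yahoo.com>
Content-Type: multipart/alternative; boundary="----=_Part_915725_248640444.1563217119409"
DKIM-Signature: v=1; a=rsa-sha256; d=yahoo.com; s=s2048; t=1563217240; bh=8X7yay...
X-Received: by 2002:adf:eb48:: with SMTP id u8-v6mr18710230wrn.22.1541439809490;
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0000_01D4B364.5C460060"
"""

if __name__ == "__main__":
    for offset, label, literal, when in scan(SAMPLE):
        print(f"{offset:5d} {label:<16} {literal:<20} {when}")
```

Expect noise as well as hits: a 9- or 10-digit run that decodes to a 2018 Epoch date also decodes to a 2049 Cocoa date, and any 8-character hex-looking token is a candidate. The scanner deliberately reports all of them; it is the examiner's job to keep the ones that are corroborated by the visible Date and Received fields, as the two worked messages above were.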

Conclusions

Automated systems often utilize the current date and time in various formats when constructing unique identifiers. So, it is not uncommon to find timestamps hidden in data points such as MIME boundary delimiters, message IDs, and SMTP IDs. These timestamps can provide critical timing information such as when an email message was created, received, or processed through a server.

In order to utilize this information, forensic examiners should be familiar with what common timestamps look like—at least within the date and time range that is potentially relevant to the examination.

Next Steps

Now that you have seen the list of timestamp formats above, have you spotted any additional hidden timestamps in the sample email messages? If you did, or if you would like to see additional timestamp formats added to the list, please send us a note.