One of my favorite data points when forensically examining emails is hidden timestamps. These timestamps not only provide invaluable timing information in a forensic investigation, but they are also often overlooked by perpetrators during email manipulation attempts.
Let’s take a look at an example. The following is an email message from a Yahoo account to a GoDaddy account. I’ve acquired it in MIME format using Forensic Email Collector; the lines of interest are discussed in the sections that follow:

Received: (qmail 27394 invoked by uid 30297); 15 Jul 2019 19:00:53 -0000
Received: from unknown (HELO p3plibsmtp02-01.prod.phx3.secureserver.net) ([68.178.213.1])
  (envelope-sender <fecdev@yahoo.com>)
  by p3plsmtp15-02-25.prod.phx3.secureserver.net (qmail-1.03) with SMTP
  for <info@proksimiti.com>; 15 Jul 2019 19:00:53 -0000
Received: from sonic306-30.consmr.mail.bf2.yahoo.com ([74.6.132.229])
  (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 256/256 bits)
  (Client did not present a certificate)
  by CMGW with ESMTP
  id n6DUhF6dMOiyon6DUhGLMC; Mon, 15 Jul 2019 12:00:53 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048;
  t=1563217240; bh=8X7yayAIb3rM/ntRAK51gp9Em0JURK/p+ksVu/Z55lU=;
  h=Date:From:To:Subject:References:From:Subject;
  b=tQ1O9lbhlhas/87XFPpUNlysUhIYzDVm42L4MC6i6iofZ2+jslT5u5yAQB9fwxniIaEY4fQ6aTGK1BJn3WI967WUwAN0d4uYide8NwM1uSzD4p68muVqv85PrkbwEDIxL7deohpTgiI93T84I5skBGiWw4BisqkG9b52RaBa+0yHYdRiCe4/aT5zOAprC1YPsw2ZLAJdjxrYXgfJrnudxIei93s/rUJcUCvaT4Esp3bSU7+nQK9aMb7lHyCGhaDJNCn7c+ylcxCNeag54QQmi1OQlo2Kvvq8iSrjh/D2mgSJ02iKiYOiJM28GtQ2csRgQSduflviN9a5fb5TdGvgBA==
X-YMail-OSG: 3.j.gS4VM1kfruyqKA_wVA39FA6bG74nIIdq4w1kAWS66KTCaC_nrBBOGqMEuDa
 JpRDkm2ebf7Eb.i.vPl.odVLcU0vIb0zWpLYW3c8tePXwfOGUrv3QYcYizcX31JC2i4ld4bdBwoN
 Ed6tJkHH39LCszcxu_u64IlRC4Avxu6RvWnjmxrmt3HLYWI5n6ODsZlf_Edww4X51MVvm5cErbKk
 Ch4B6acgyNoS6_38f_IuMYAycHUMgBIFtC0wXYyJl7WJcRVGScuwsbFk1ymIZmJIGbYHc3XgWtSP
 A85n_85lM16aegWOzNdBUxw2ZPhp3nM3TLl2mYltlnnSnaai97nq1UatRuzcob6_OXUpxAdvnck7
 UKcIg.It66a5mD_xqEDUe1h0k0pICNKED5SAR7HGdsYT4IcKnzImnz8p.Y2pIgfQDFrHqos1Q2aG
 CpfuCCqMroRx4ZjoC7u7oaAi3nHCMmxOsomjEWXf_bFC8WIGZpd2FuxhLmesvnByGAj0WcFRFsLA
 Yjh7YmNdFHC_jlNkRmQCCGX7yzcetpIADHDKf3LFaaLnuiRF1KyfaaKhuZim7HFCnVuGMtIKm9Vl
 nIBHZvTJCenxsScQ4ziizhNzXfHTucgRvjVobSY4hNpMtwWBIFF3IUMPuIWYEErGa8nw.R5U.Mch
 VSvSsN3w.tZOp3fFrzNH5kEM4xoYblHCTpywDTLDHTA7lHBMJfZ2KYN7w1oeSTkcMV19CwP0qmEC
 0gdgs6X7ke4AaM8wowYGTpOg4TdvRKeuURHzCsn5bBi9nKKGq8AbZCaTdBbOlwntsEEkksh7KPVW
 iNm.DpUh7ZEQu6RNWfxCuqNrck8SpeTU32LH0z4LftAaUcRAZ8wqMUQTr7v9zyDoDNAN0H7lwb8L
 c1czADflxB6oLT66AJ0boZseWs78jExk4BO6dg2CRiiIlbJZ.B4B3_Dk4ZiN51Nwa_5BS5yrFpz.
 VH4ncRe_KyrSj2PtD8xdtWiplF22Kxo7VSaTbCZjii055fxPIbprmjOpT8PJkf0flHU_hEhuYdv7
 iZN0TJYHav91i8Id4OU0AM6suy9Nk_x0Kkk6gYfgGLaoV6iiVdTlmluWRAJJkjWzY2LCWJ1rbtXS
 iye5mxycKcWODr2mgtlEFIjVckB91r03C9_aM1.QtLiCaYSB9IBnTCg7Bb8WbS4t3bOQN3eglgUj
 C51ZoUEw2PT_0Wv.JQ0Xs7TO1OQ42egeowOwpdVybMOeTYYeuz77CagaA6g--
Received: from sonic.gate.mail.ne1.yahoo.com by sonic306.consmr.mail.bf2.yahoo.com with HTTP; Mon, 15 Jul 2019 19:00:40 +0000
Date: Mon, 15 Jul 2019 18:58:39 +0000 (UTC)
From: FEC Dev <fecdev@yahoo.com>
To: "info@proksimiti.com" <info@proksimiti.com>
Message-ID: <660010183.915726.1563217119410@mail.yahoo.com>
Subject: Upcoming Purchase
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_Part_915725_248640444.1563217119409"
References: <660010183.915726.1563217119410.ref@mail.yahoo.com>
X-Mailer: WebService/1.1.13991 YMailNorrin Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Content-Length: 700
X-CMAE-Envelope: MS4wfLZlB7CaMDrryNg4bKn55ydjUqDKCWBS9G3ok/BIKlkU8Zlsy82e/vSUfOmU7oimgtG0yXPVpfsC1jxBMM4BNLz+MoWQBwtojDPEZQwRhUYMcwWoZEfb
 hxr2yJFh5Lub21K8mK/Y6fcDSXBHSrgLz4rcKsXyk2+zTyPEFo9DbH7mP2wiSAuCTxUPs47+Hj710A==
X-Nonspam: None

------=_Part_915725_248640444.1563217119409
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit

Hello,

Please proceed with the transaction immediately.

Thank you.
------=_Part_915725_248640444.1563217119409
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 7bit

<html><head></head><body><div class="yahoo-style-wrap" style="font-family:Helvetica Neue, Helvetica, Arial, sans-serif;font-size:16px;"><div dir="ltr" data-setdir="false">Hello,</div><div dir="ltr" data-setdir="false"><br></div><div dir="ltr" data-setdir="false">Please proceed with the transaction immediately. Thank you.<br></div></div></body></html>
------=_Part_915725_248640444.1563217119409--
Timestamps in MIME Boundary Delimiters
Let’s start from the bottom up and take a look at the MIME boundary delimiters.
------=_Part_915725_248640444.1563217119409
The boundary string appears four times in the message: once in the boundary parameter of the Content-Type header, once before each of the two body parts, and once more in the closing delimiter. Its last dotted component, 1563217119409, is an Epoch timestamp with millisecond precision. When converted, it reads Monday, July 15, 2019 6:58:39.409 PM (UTC).
Timestamps in the Message-ID and References Header Fields
These fields look as follows:
Message-ID: <660010183.915726.1563217119410@mail.yahoo.com>
References: <660010183.915726.1563217119410.ref@mail.yahoo.com>
The last dotted component of both identifiers, 1563217119410, is also an Epoch timestamp with millisecond precision. It reads Monday, July 15, 2019 6:58:39.410 PM (UTC), one millisecond after the timestamp embedded in the boundary delimiter, which is consistent with the webmail front end generating the boundary and the Message-ID in quick succession during composition.
Timestamps in the DKIM Signature
If we look at the DKIM-Signature header field, we spot another timestamp:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1563217240; bh=8X7yayAIb3rM/ntRAK51gp9Em0JURK/p+ksVu/Z55lU=; …
The t= tag is an Epoch timestamp with second precision; 1563217240 is equivalent to Monday, July 15, 2019 7:00:40 PM (UTC). Note that this matches the timestamp on the trace field added by sonic306.consmr.mail.bf2.yahoo.com ("Received: from sonic.gate.mail.ne1.yahoo.com ... with HTTP; Mon, 15 Jul 2019 19:00:40 +0000"), i.e., the signature was computed when the message left Yahoo’s webmail front end, about two minutes after the Date header. Because the DKIM-Signature header field itself (with b= emptied) is covered by the signature, t= cannot be altered after the fact without invalidating the signature, which makes it a particularly trustworthy timing anchor as long as the signature still verifies.
Here is another example (the message body is trimmed for brevity):
Received: by 2002:a81:2d82:0:0:0:0:0 with SMTP id t124-v6csp5502995ywt;
  Mon, 5 Nov 2018 09:43:29 -0800 (PST)
Received: from o6.p10.mailjet.com (o6.p10.mailjet.com. [87.253.235.6])
  by mx.google.com with ESMTPS id z67-v6si26977178wmb.34.2018.11.05.09.43.28
  for <lmisf01@gmail.com>
  (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256);
  Mon, 05 Nov 2018 09:43:29 -0800 (PST)
Reply-To: <hello@producthunt.com>
From: Product Hunt Daily <hello@digest.producthunt.com>
To: <lmisf01@gmail.com>
Subject: Play games while you ride your horse
Date: Mon, 5 Nov 2018 09:43:28 -0800
Message-ID: <4bbe0f40.AJYAEQR-VEEAAAYratwAAAd9o_wAAAAIijYAAAAAAAYklQBb4IFA@mailjet.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0000_01D4B364.5C460060"
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQGfn39hkC1I90ybIjXNvTnfAiwDDg==
X-Google-Smtp-Source: AJdET5dkvgL9ZDiU9AqwHqJmwM+9P3ex0EmM1ks+glLmIDuLOlKxiqWvHq92QPWql0gzUV6W6dsz
X-Received: by 2002:adf:eb48:: with SMTP id u8-v6mr18710230wrn.22.1541439809490;
  Mon, 05 Nov 2018 09:43:29 -0800 (PST)
Authentication-Results: mx.google.com;
  dkim=pass header.i=@digest.producthunt.com header.s=mailjet header.b=sqaMnw1J;
  dkim=pass header.i=@bnc3.mailjet.com header.s=mailjet header.b=lDZK9U0u;
  spf=pass (google.com: domain of 4bbe0f40.ajyaeqr-veeaaayratwaaad9o_waaaaiijyaaaaaaayklqbb4ifa@bnc3.mailjet.com designates 87.253.235.6 as permitted sender) smtp.mailfrom=4bbe0f40.AJYAEQR-VEEAAAYratwAAAd9o_wAAAAIijYAAAAAAAYklQBb4IFA@bnc3.mailjet.com;
  dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=producthunt.com
X-CSA-Complaints: whitelist-complaints@eco.de
X-MJ-Mid: AJYAEQR-VEEAAAYratwAAAd9o_wAAAAIijYAAAAAAAYklQBb4IFA03FF5R-iSEGQmP2RNbhPvgAF1QU
X-REPORT-ABUSE-TO: Message sent by Mailjet please report to abuse@mailjet.com with a copy of the message
List-Unsubscribe: <mailto:unsub-4bbe0f40.z83o.0otxyk1xtgso@bnc3.mailjet.com>
Content-Language: en-us
X-OlkEid: 00000000E99D742F177E4948AB97502B6BAC12160700C3B68E10F77511CEB4CD00AA00BBB6E600000000000C0000D9539C2261A6BB45B9DAB62C7081B3C10100E800000000006A8B4A45F8869849BA81A810114C7889

------=_NextPart_000_0000_01D4B364.5C460060
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Timestamps in MIME Boundary Delimiters
In this case, the MIME boundary delimiters look as follows:
------=_NextPart_000_0000_01D4B364.5C460060
Here the last component of the boundary is a Windows FILETIME: a 64-bit count of 100-nanosecond intervals since January 1, 1601 (UTC), written as its high and low 32-bit halves in hex, separated by a dot. Decoding 01D4B364:5C460060 gives 01/23/2019 21:41:12.6780000 (UTC). Note that this does not agree with the apparent date of the email (November 5, 2018). That was expected: in this case the message was edited using Outlook after the fact, and Outlook regenerated the MIME boundary delimiters, embedding the time of the edit rather than the time of sending.
Timestamps in the X-Received Header
The X-Received header field contains the following string:
X-Received: by 2002:adf:eb48:: with SMTP id u8-v6mr18710230wrn.22.1541439809490;
The final dotted component of the SMTP ID, 1541439809490, is an Epoch timestamp with millisecond precision. It represents Monday, November 5, 2018 5:43:29.490 PM (UTC), about a second after the Date header (09:43:28 -0800) and consistent with the Received timestamps, which is what one expects from an identifier generated by the receiving server.
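The decoding walked through above, and the habit of checking each hidden value against the visible Date and Received fields, can be automated. The following Python script is an added example written for this page; it is not part of the original post and not code from Forensic Email Collector. It scans raw header text for 10- and 13-digit decimal runs (Epoch seconds and milliseconds) and for Outlook’s split 8+8 hex FILETIME, discards values outside a plausible date window, and flags any hidden timestamp that post-dates the Date header by more than a day, which is the pattern the Outlook-edited message shows. The header excerpts are constructed from the two messages above with the signature and tracking blobs trimmed; the 1980–2050 window and the one-day tolerance are assumptions to tune per case.

```python
"""Find and sanity-check hidden timestamps in raw email headers (added example)."""
import re
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Assumed plausibility window: a candidate outside it is treated as a number that
# merely has the right width, not as a timestamp.
WINDOW_START = datetime(1980, 1, 1, tzinfo=timezone.utc)
WINDOW_END = datetime(2050, 1, 1, tzinfo=timezone.utc)

# A 10-digit run is a candidate Epoch-seconds value, a 13-digit run a candidate
# Epoch-milliseconds value. The look-arounds demand a non-alphanumeric boundary so
# digit runs inside base64 blobs (DKIM b=, X-YMail-OSG) are not picked up.
DECIMAL_RE = re.compile(r"(?<![0-9A-Za-z])(\d{10}|\d{13})(?![0-9A-Za-z])")
# Outlook writes the boundary FILETIME as two 8-hex-digit halves joined by a dot.
FILETIME_RE = re.compile(r"(?<![0-9A-Fa-f])([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})(?![0-9A-Fa-f])")


def decode_filetime(high: str, low: str) -> datetime:
    """Decode a split FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    ticks = (int(high, 16) << 32) | int(low, 16)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def find_hidden_timestamps(raw_headers: str) -> list:
    """Return (kind, token, datetime) for every plausible hidden timestamp, oldest first."""
    hits = []
    for m in DECIMAL_RE.finditer(raw_headers):
        token = m.group(1)
        if len(token) == 10:
            kind, dt = "epoch-s", UNIX_EPOCH + timedelta(seconds=int(token))
        else:
            kind, dt = "epoch-ms", UNIX_EPOCH + timedelta(milliseconds=int(token))
        if WINDOW_START <= dt < WINDOW_END:
            hits.append((kind, token, dt))
    for m in FILETIME_RE.finditer(raw_headers):
        dt = decode_filetime(m.group(1), m.group(2))
        if WINDOW_START <= dt < WINDOW_END:
            hits.append(("filetime", m.group(0), dt))
    return sorted(hits, key=lambda h: h[2])


def later_than_date_header(raw_headers: str, tolerance: timedelta = timedelta(days=1)) -> list:
    """Hidden timestamps that post-date the Date: header by more than `tolerance`.

    Transport values (Received, DKIM t=) normally trail Date: by seconds or minutes.
    A value that trails it by days points at an identifier regenerated after the
    fact, e.g. a boundary rewritten when the message was re-saved by a mail client.
    """
    sent = parsedate_to_datetime(message_from_string(raw_headers)["Date"])
    return [h for h in find_hidden_timestamps(raw_headers) if h[2] - sent > tolerance]


# Constructed header excerpts, trimmed from the two messages discussed in the article.
YAHOO_HEADERS = """\
Received: from sonic.gate.mail.ne1.yahoo.com by sonic306.consmr.mail.bf2.yahoo.com with HTTP; Mon, 15 Jul 2019 19:00:40 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1563217240; h=Date:From:To:Subject:References:From:Subject
Date: Mon, 15 Jul 2019 18:58:39 +0000 (UTC)
From: FEC Dev <fecdev@yahoo.com>
Message-ID: <660010183.915726.1563217119410@mail.yahoo.com>
References: <660010183.915726.1563217119410.ref@mail.yahoo.com>
Content-Type: multipart/alternative; boundary="----=_Part_915725_248640444.1563217119409"
"""

OUTLOOK_HEADERS = """\
X-Received: by 2002:adf:eb48:: with SMTP id u8-v6mr18710230wrn.22.1541439809490; Mon, 05 Nov 2018 09:43:29 -0800 (PST)
Date: Mon, 5 Nov 2018 09:43:28 -0800
Message-ID: <4bbe0f40.AJYAEQR-VEEAAAYratwAAAd9o_wAAAAIijYAAAAAAAYklQBb4IFA@mailjet.com>
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0000_01D4B364.5C460060"
"""

if __name__ == "__main__":
    for name, raw in (("Yahoo webmail message", YAHOO_HEADERS), ("Outlook-edited message", OUTLOOK_HEADERS)):
        print(f"== {name}")
        for kind, token, dt in find_hidden_timestamps(raw):
            print(f"  {kind:9} {token:22} {dt.isoformat()}")
        for kind, token, dt in later_than_date_header(raw):
            print(f"  ANOMALY: {token} ({dt:%Y-%m-%d %H:%M:%S} UTC) post-dates the Date: header")
```

Run against the Yahoo excerpt, the scanner reports the three millisecond values (boundary, Message-ID, References) and the DKIM t= value in order, all within two minutes of the Date header and no anomaly; against the Outlook excerpt it reports the X-Received value and the boundary FILETIME, and flags the FILETIME because it falls in January 2019 on a message dated November 2018.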
How Do We Detect Hidden Timestamps?
Some of these timestamps can be hard to spot in a wall of header text, but knowing what to look for certainly helps. Below is a list of timestamp formats you might encounter when examining emails, together with what each looks like at three points between 1/1/1980 00:00:00.000 and 12/31/2049 23:59:59.999 (UTC), to give a visual indication of the digit counts and leading characters to look for.
Timestamp Type | 1/1/1980 00:00:00.000 | 10/1/2019 17:00:00.000 | 12/31/2049 23:59:59.999 |
---|---|---|---|
Epoch Hex (Big Endian) | 12CEA600 | 5D938610 | 967A75FF |
Epoch Hex (Little Endian) | 00A6CE12 | 1086935D | FF757A96 |
Epoch Second Precision (seconds since 1/1/1970 UTC) | 315532800 | 1569949200 | 2524607999 |
Epoch Millisecond Precision | 315532800000 | 1569949200000 | 2524607999999 |
FILETIME Decimal (100 ns intervals since 1/1/1601 UTC) | 119600064000000000 | 132144228000000000 | 141690815999990000 |
FILETIME Hex (Big Endian) | 01A8E79F:E1D58000 | 01D57879:A90EE800 | 01F7630B:E39D58F0 |
FILETIME Hex (Little Endian) | 0080D5E1:9FE7A801 | 00E80EA9:7978D501 | F0589DE3:0B63F701 |
OLE Automation Date (days since 12/30/1899 as a double) | 29221 | 43739.7083333333 | 54788.9999999884 |
OLE Automation Date Hex (Big Endian) | 40DC894000000000 | 40E55B76AAAAAAAB | 40EAC09FFFFFF9C9 |
OLE Automation Date Hex (Little Endian) | 000000004089DC40 | ABAAAAAA765BE540 | C9F9FFFF9FC0EA40 |
Apple Cocoa / Core Data Timestamp (seconds since 1/1/2001 UTC) | N/A (before the reference date) | 591642000 | 1546300799 |
Mac HFS+ Timestamp (seconds since 1/1/1904) | 2398377600 | 3652794000 | 4607452799 |
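The table above covers three fixed instants; in practice you will want the same rows for the date range of your own examination. The following Python script is an added example for this page (not the original post’s code): it renders any instant in each representation listed in the table, using the standard reference dates of each format (1/1/1970 for Epoch, 1/1/1601 for FILETIME, 12/30/1899 for OLE Automation dates, 1/1/2001 for Cocoa, 1/1/1904 for HFS+), and prints the table for the same three instants so the output can be compared against the rows above. Column labels and the "N/A" convention for pre-2001 Cocoa values follow the table; the date list is the only input you would change.

```python
"""Render an instant in the timestamp formats found in email headers and hex dumps (added example)."""
import struct
from datetime import datetime, timezone

# Reference dates of each format; all are treated as UTC.
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)      # seconds / milliseconds
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # 100 ns ticks (Windows FILETIME)
OLE_EPOCH = datetime(1899, 12, 30, tzinfo=timezone.utc)     # fractional days in an IEEE double
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)     # seconds (NSDate / Core Data)
HFS_EPOCH = datetime(1904, 1, 1, tzinfo=timezone.utc)       # seconds (HFS+)

# The three instants used as columns in the table above.
TABLE_DATES = {
    "1/1/1980 00:00:00.000": datetime(1980, 1, 1, tzinfo=timezone.utc),
    "10/1/2019 17:00:00.000": datetime(2019, 10, 1, 17, tzinfo=timezone.utc),
    "12/31/2049 23:59:59.999": datetime(2049, 12, 31, 23, 59, 59, 999000, tzinfo=timezone.utc),
}


def _microseconds_since(dt: datetime, epoch: datetime) -> int:
    """Exact integer microseconds from `epoch` to `dt` (integer math avoids float drift)."""
    d = dt - epoch
    return (d.days * 86_400 + d.seconds) * 1_000_000 + d.microseconds


def _split_hex64(value: int, little_endian: bool) -> str:
    """Render a 64-bit value as two 8-hex-digit halves, in byte order as stored on disk."""
    raw = struct.pack("<Q" if little_endian else ">Q", value).hex().upper()
    return f"{raw[:8]}:{raw[8:]}"


def signatures(dt: datetime) -> dict:
    """Map each format label used in the table to the value `dt` takes in it."""
    us = _microseconds_since(dt, UNIX_EPOCH)
    epoch_s, epoch_ms = us // 1_000_000, us // 1_000
    filetime = _microseconds_since(dt, FILETIME_EPOCH) * 10          # 100 ns ticks
    ole = _microseconds_since(dt, OLE_EPOCH) / 86_400_000_000         # days, as a double
    cocoa = _microseconds_since(dt, COCOA_EPOCH) // 1_000_000
    hfs = _microseconds_since(dt, HFS_EPOCH) // 1_000_000
    return {
        "Epoch Hex (Big Endian)": f"{epoch_s:08X}",
        "Epoch Hex (Little Endian)": struct.pack("<I", epoch_s).hex().upper(),
        "Epoch Second Precision": str(epoch_s),
        "Epoch Millisecond Precision": str(epoch_ms),
        "FILETIME Decimal": str(filetime),
        "FILETIME Hex (Big Endian)": _split_hex64(filetime, little_endian=False),
        "FILETIME Hex (Little Endian)": _split_hex64(filetime, little_endian=True),
        "OLE Automation Date": repr(ole),
        "OLE Automation Date Hex (Big Endian)": struct.pack(">d", ole).hex().upper(),
        "OLE Automation Date Hex (Little Endian)": struct.pack("<d", ole).hex().upper(),
        # Instants before 2001 are negative Cocoa values; the table shows them as N/A.
        "Apple Cocoa / Core Data Timestamp": str(cocoa) if cocoa >= 0 else "N/A",
        "Mac HFS+ Timestamp": str(hfs),
    }


def table_columns(dates: dict = TABLE_DATES) -> dict:
    """Signatures for every labelled instant, keyed by the column label."""
    return {label: signatures(dt) for label, dt in dates.items()}


def render_table(dates: dict = TABLE_DATES) -> str:
    """Markdown table in the same layout as the article's, one column per instant."""
    cols = table_columns(dates)
    labels = list(cols)
    lines = ["Timestamp Type | " + " | ".join(labels) + " |", "---|" + "---|" * len(labels)]
    for fmt in signatures(next(iter(dates.values()))):
        lines.append(fmt + " | " + " | ".join(cols[l][fmt] for l in labels) + " |")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_table())
```

Because the OLE Automation date is a double, its hex form depends on IEEE rounding of the fractional day; the script reproduces the table’s 40E55B76AAAAAAAB for 17:00 on 10/1/2019 because the division is done once on an exact integer microsecond count.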
Conclusions
Automated systems often use the current date and time, in one format or another, when constructing unique identifiers. So it is not uncommon to find timestamps hidden in data points such as MIME boundary delimiters, Message-IDs, and SMTP IDs. These timestamps can provide critical timing information: when an email message was composed, received, or processed by a particular server.
In order to use this information, forensic examiners should be familiar with what common timestamps look like, at least within the date and time range that is potentially relevant to the examination. Bear in mind that each hidden value reflects the clock of the system that generated the identifier, so corroborate it against the trace (Received) fields and, where the header is covered by a DKIM signature that still verifies, against the signature’s own t= value.
Next Steps
Now that you have seen the list of timestamp formats above, have you spotted any additional hidden timestamps in the sample email messages? If you did, or if you would like to see additional timestamp formats added to the list, please send us a note.