
One of my favorite data points when forensically examining emails is hidden timestamps. These timestamps not only provide invaluable timing information in a forensic investigation, but they are also often overlooked by perpetrators during email manipulation attempts.

Let’s take a look at an example. The following is an email message from a Yahoo account to a GoDaddy account. I’ve acquired it in MIME format using Forensic Email Collector and highlighted some of the interesting lines below:

Received: (qmail 27394 invoked by uid 30297); 15 Jul 2019 19:00:53 -0000
Received: from unknown (HELO ([])
          (envelope-sender <>)
          by (qmail-1.03) with SMTP
          for <>; 15 Jul 2019 19:00:53 -0000
Received: from ([])
  (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 256/256 bits)
  (Client did not present a certificate)
  by CMGW with ESMTP
  id n6DUhF6dMOiyon6DUhGLMC; Mon, 15 Jul 2019 12:00:53 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=s2048; t=1563217240; bh=8X7yayAIb3rM/ntRAK51gp9Em0JURK/p+ksVu/Z55lU=; h=Date:From:To:Subject:References:From:Subject; b=tQ1O9lbhlhas/87XFPpUNlysUhIYzDVm42L4MC6i6iofZ2+jslT5u5yAQB9fwxniIaEY4fQ6aTGK1BJn3WI967WUwAN0d4uYide8NwM1uSzD4p68muVqv85PrkbwEDIxL7deohpTgiI93T84I5skBGiWw4BisqkG9b52RaBa+0yHYdRiCe4/aT5zOAprC1YPsw2ZLAJdjxrYXgfJrnudxIei93s/rUJcUCvaT4Esp3bSU7+nQK9aMb7lHyCGhaDJNCn7c+ylcxCNeag54QQmi1OQlo2Kvvq8iSrjh/D2mgSJ02iKiYOiJM28GtQ2csRgQSduflviN9a5fb5TdGvgBA==
X-YMail-OSG: 3.j.gS4VM1kfruyqKA_wVA39FA6bG74nIIdq4w1kAWS66KTCaC_nrBBOGqMEuDa
Received: from by with HTTP; Mon, 15 Jul 2019 19:00:40 +0000
Date: Mon, 15 Jul 2019 18:58:39 +0000 (UTC)
From: FEC Dev <>
To: "" <>
Message-ID: <>
Subject: Upcoming Purchase
MIME-Version: 1.0
Content-Type: multipart/alternative; 
References: <>
X-Mailer: WebService/1.1.13991 YMailNorrin Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Content-Length: 700
X-CMAE-Envelope: MS4wfLZlB7CaMDrryNg4bKn55ydjUqDKCWBS9G3ok/BIKlkU8Zlsy82e/vSUfOmU7oimgtG0yXPVpfsC1jxBMM4BNLz+MoWQBwtojDPEZQwRhUYMcwWoZEfb
X-Nonspam: None

Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit

Please proceed with the transaction immediately. Thank you.

Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 7bit

<html><head></head><body><div class="yahoo-style-wrap" style="font-family:Helvetica Neue, Helvetica, Arial, sans-serif;font-size:16px;"><div dir="ltr" data-setdir="false">Hello,</div><div dir="ltr" data-setdir="false"><br></div><div dir="ltr" data-setdir="false">Please proceed with the transaction immediately. Thank you.<br></div></div></body></html>

Timestamps in MIME Boundary Delimiters

Let’s start from the bottom up and take a look at the MIME boundary delimiters.

These delimiters, which appear on lines 37, 45, 52, and 57 of the listing, contain Epoch timestamps with millisecond precision. When converted, this timestamp reads Monday, July 15, 2019 6:58:39.409 PM (UTC).

Timestamps in the Message-ID and References Header Fields

These fields look as follows:

Message-ID: <>
References: <>

These are also Epoch timestamps that read Monday, July 15, 2019 6:58:39.410 PM (UTC).

Timestamps in the DKIM Signature

If we look at the DKIM-Signature header field, we spot another timestamp:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=s2048; t=1563217240; bh=8X7yayAIb3rM/ntRAK51gp9Em0JURK/p+ksVu/Z55lU=; …

This is an Epoch timestamp with second precision. It is equivalent to Monday, July 15, 2019 7:00:40 PM (UTC). Note that this matches the timestamp on the Received trace field on line 29 of the listing (the HTTP submission: Mon, 15 Jul 2019 19:00:40 +0000).

Here is another example (trimmed the message body for brevity):

Received: by 2002:a81:2d82:0:0:0:0:0 with SMTP id t124-v6csp5502995ywt;
        Mon, 5 Nov 2018 09:43:29 -0800 (PST)
Received: from ( [])
        by with ESMTPS id z67-v6si26977178wmb.34.2018.
        for <>
        (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256);
        Mon, 05 Nov 2018 09:43:29 -0800 (PST)
Reply-To: <>
From: Product Hunt Daily <>
To: <>
Subject: Play games while you ride your horse
Date: Mon, 5 Nov 2018 09:43:28 -0800
Message-ID: <>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0000_01D4B364.5C460060"
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQGfn39hkC1I90ybIjXNvTnfAiwDDg==
X-Google-Smtp-Source: AJdET5dkvgL9ZDiU9AqwHqJmwM+9P3ex0EmM1ks+glLmIDuLOlKxiqWvHq92QPWql0gzUV6W6dsz
X-Received: by 2002:adf:eb48:: with SMTP id u8-v6mr18710230wrn.22.1541439809490;
        Mon, 05 Nov 2018 09:43:29 -0800 (PST)
       dkim=pass header.s=mailjet header.b=sqaMnw1J;
       dkim=pass header.s=mailjet header.b=lDZK9U0u;
       spf=pass ( domain of designates as permitted sender);
       dmarc=pass (p=NONE sp=NONE dis=NONE)
X-REPORT-ABUSE-TO: Message sent by Mailjet please report to with a copy of the message
List-Unsubscribe: <>
Content-Language: en-us
X-OlkEid: 00000000E99D742F177E4948AB97502B6BAC12160700C3B68E10F77511CEB4CD00AA00BBB6E600000000000C0000D9539C2261A6BB45B9DAB62C7081B3C10100E800000000006A8B4A45F8869849BA81A810114C7889

Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit

Timestamps in MIME Boundary Delimiters

In this case, the MIME boundary delimiter (from the Content-Type header field above) looks as follows:

boundary="----=_NextPart_000_0000_01D4B364.5C460060"

Here we have a FILETIME structure: the two hex groups, 01D4B364 and 5C460060, are the high and low 32-bit halves of the 64-bit FILETIME value. Decoding the FILETIME value results in the timestamp 01/23/2019 21:41:12.6780000. Note that this doesn’t jibe with the apparent date of this email. This was expected because, in this case, the MIME boundary delimiters were updated after the fact when the message was edited using Outlook.

Timestamps in the X-Received Header

The X-Received header field contains the following string:

X-Received: by 2002:adf:eb48:: with SMTP id u8-v6mr18710230wrn.22.1541439809490;

The SMTP ID contains an Epoch date with millisecond precision, which represents Monday, November 5, 2018 5:43:29.490 PM (UTC).

How Do We Detect Hidden Timestamps?

Some of these timestamps can be hard to spot when looking at a wall of text. That said, knowing what to look for certainly helps. Below, I have put together a list of timestamps you might encounter when examining emails. The list also shows what each timestamp looks like within the range of 1/1/1980 12:00:00.000 to 12/31/2049 23:59:59.999, to give you a visual indication of what to look for.

Timestamp Type                                        1/1/1980 12:00:00.000   10/1/2019 17:00:00.000   12/31/2049 23:59:59.999
Epoch Hex (Big Endian)                                12CEA600                5D938610                 967A75FF
Epoch Hex (Little Endian)                             00A6CE12                1086935D                 FF757A96
Epoch Second Precision                                315532800               1569949200               2524607999
Epoch Millisecond Precision                           315532800000            1569949200000            2524607999999
FILETIME                                              119600064000000000      132144228000000000
FILETIME Hex (Big Endian)                             01A8E79F:E1D58000       01D57879:A90EE800        01F7630B:E39D58F0
FILETIME Hex (Little Endian)                          0080D5E1:9FE7A801       00E80EA9:7978D501        F0589DE3:0B63F701
OLE Automation Date
OLE Automation Date Hex (Big Endian)                  40DC894000000000        40E55B76AAAAAAAB         40EAC09FFFFFF9C9
OLE Automation Date Hex (Little Endian)               000000004089DC40        ABAAAAAA765BE540         C9F9FFFF9FC0EA40
Apple Cocoa Core Data Timestamp (Mach Absolute Time)
Mac HFS+ Timestamp

Automated systems often utilize the current date and time in various formats when constructing unique identifiers. So, it is not uncommon to find timestamps hidden in data points such as MIME boundary delimiters, message IDs, and SMTP IDs. These timestamps can provide critical timing information such as when an email message was created, received, or processed through a server.

In order to utilize this information, forensic examiners should be familiar with what common timestamps look like—at least within the date and time range that is potentially relevant to the examination.
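As an added example (not code from the original post and not part of Forensic Email Collector), the following Python script does what the sections above do by hand: it scans header text for digit runs and FILETIME hex groups sized for the 1/1/1980 to 12/31/2049 window of the reference table, decodes each candidate (Epoch seconds and milliseconds, FILETIME decimal and hex, OLE Automation Date), and keeps only those that land inside the window. The sample header lines are constructed from the DKIM t= value, the X-Received SMTP ID and the Outlook boundary discussed in this post.

```python
import re
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=UTC)
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=UTC)   # FILETIME: 100-ns ticks since 1601-01-01
OLE_EPOCH = datetime(1899, 12, 30, tzinfo=UTC)      # OLE Automation Date: fractional days since 1899-12-30
# Plausibility window, same as the reference table above (1/1/1980 to 12/31/2049).
WINDOW = (datetime(1980, 1, 1, tzinfo=UTC),
          datetime(2049, 12, 31, 23, 59, 59, 999999, tzinfo=UTC))

def from_epoch_s(v):  return UNIX_EPOCH + timedelta(seconds=int(v))
def from_epoch_ms(v): return UNIX_EPOCH + timedelta(milliseconds=int(v))
def from_filetime(v): return FILETIME_EPOCH + timedelta(microseconds=int(v) // 10)
def from_ole_date(v): return OLE_EPOCH + timedelta(days=float(v))
def from_filetime_hex(v):
    # "01D4B364.5C460060" or "01D4B364:5C460060": high and low DWORDs of the FILETIME in hex
    return from_filetime(int(re.sub(r"[.:]", "", v), 16))

# Candidate patterns sized for the window: 9-10 digit epoch seconds, 12-13 digit epoch
# milliseconds, 18-digit FILETIME, and FILETIME hex whose high DWORD starts with 01.
PATTERNS = [
    ("epoch_s",      re.compile(r"(?<!\d)(\d{9,10})(?!\d)"),  from_epoch_s),
    ("epoch_ms",     re.compile(r"(?<!\d)(\d{12,13})(?!\d)"), from_epoch_ms),
    ("filetime",     re.compile(r"(?<!\d)(\d{18})(?!\d)"),    from_filetime),
    ("filetime_hex", re.compile(r"(?<![0-9A-Fa-f])(01[0-9A-Fa-f]{6}[.:]?[0-9A-Fa-f]{8})(?![0-9A-Fa-f])"),
                     from_filetime_hex),
]

def find_hidden_timestamps(text):
    """Return (kind, raw_token, datetime) for every candidate that decodes inside WINDOW."""
    hits = []
    for kind, pattern, decode in PATTERNS:
        for m in pattern.finditer(text):
            try:
                when = decode(m.group(1))
            except (ValueError, OverflowError):
                continue
            if WINDOW[0] <= when <= WINDOW[1]:      # discard digit runs that are not plausible dates
                hits.append((kind, m.group(1), when))
    return hits

# Constructed sample: header fragments carrying the values discussed in this post.
SAMPLE_HEADERS = """\
DKIM-Signature: v=1; a=rsa-sha256; s=s2048; t=1563217240; h=Date:From:To:Subject;
X-Received: by 2002:adf:eb48:: with SMTP id u8-v6mr18710230wrn.22.1541439809490;
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0000_01D4B364.5C460060"
"""

if __name__ == "__main__":
    for kind, raw, when in find_hidden_timestamps(SAMPLE_HEADERS):
        print(f"{kind:13} {raw:20} {when.isoformat(timespec='milliseconds')}")
```

The window filter is what keeps SMTP queue IDs and other short counters out of the results; widen or narrow WINDOW to the date range relevant to a given examination.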

Next Steps

Now that you have seen the list of timestamp formats above, have you spotted any additional hidden timestamps in the sample email messages? If you did, or if you would like to see additional timestamp formats added to the list, please send us a note.