Outlook email: Time stamps of outgoing ("Sent") email

[Roman Bachnak]

This query concerns time stamping of outgoing ("Sent")
email by Outlook. In particular, my interest is to
understand the following:

A) Is there any possibility for a Sent time stamp to be
modified in the process of being displayed on a recipient's
computer? In other words, can the Sent stamp be modified
according to whatever clock is recipient's machine set on?
For example, in the circumstances when a sender's computer
clock is set on London (UK) time and recipient's computer
clock is set on EST time (the difference being 5 hours),
can an email time stamped as Sent on 1:00 PM be displayed
on the recipient's computer as Sent on 8:00 AM?

B) Is there any possibility for a Sent time stamp to be
modified en route to recipient?

I am asking this to get clarity on two documents that have
been shown to me as part of evidence for a civil case. The
two documents in question are printouts of Outlook emails.
Both of these printouts contain an identical email message
embedded within a series of emails. Crucially, however, the
identical message differs in the Sent time stamp. On one
printout the message bears the markings "Sent: Tuesday, 30
January 2001 1:01 PM", but on the other the markings are
"Tue 1/30/2001 8:00 AM". If these printouts were genuine,
it would mean that Sent time stamps are (or at minimum can
be) modified depending on setting of the recipient's
computer clock. There is, however, always a possibility
that the printouts were manipulated. In the circumstances
that the time stamps would serve to substantiate a material
point of evidence, an incentive to manipulate would be
present. The question is whether the incentive was acted on
and the time stamp were manipulated or whether the
disparity in the time stamps can be explained and therefore
the evidence can be genuine.

Copies of the two printouts can be made available upon
request (and sent as image attachments).

Thank you.

Roman Bachnak

 

[Jeff Stephenson [MSFT]]

A) The sent time will be displayed in the timezone of the displaying client.
Thus, if a message was sent from London at 1:00 PM it will be displayed on a
computer in New York as having been sent at 8:00 AM (which is the time in
New York when the message was sent).

B) Yes, the sent timestamp could have been changed in transit, but it's
*very* unlikely. It's much easier to change it on the receiving system -
there are a number of tools that allow you to modify messages that you have
received.

One thing I find interesting about the times you show is that there is a
difference of a minute between the two, even accounting for the timezone
difference. Perhaps the real time was 1:00:30 PM in Londone and this is a
difference in how the two clients rounded the time to minutes...

 

[Roman Bachnak]

Thank you for your response to my query. My fundamental concern is this: How
can two identical emails displayed by identical displaying client (see below)
differ in Sent stamps?

In getting to the bottom of this it may be most helpful to refer to the
Outlook printouts I mentioned. These printouts are labelled A and B. The
detail is the following:

The printout A displays a series of Outlook email messages beginning with
one sent by me (Roman Bachnak) to "Taylor, John". This message shows Sent
stamp "30 January 2001 12:13". My message is then responded to by “Taylor,
John†and sent to myself and another individual whose name is displayed as
"Block, Paul-Andre (London)". This second message shows Sent stamp "Tuesday,
30 January 2001 1:01 PM". This is them followed-up by a message from "Block,
Paul-Andre (London)" to "Taylor, John (London)" and myself. This third
message shows Sent stamp "Tuesday, 30 January 2001 8:31 AM".

Now, importantly, the first two messages displayed on the printout A are
also displayed on the printout B: the email from me to “Taylor, John†and the
response from “Taylor, John†to myself and "Bloch, Paul-Andre (London)".
Critically, the response message from “Taylor, John†as displayed on the
printout B differs from how this same email is displayed on the printout A:
while on the printout B the Sent stamp is "Tue 1/30/2001 8:00 AM", on the
printout A the Sent stamp is "Tuesday, 30 January 2001 1:01 PM".

So again how can two identical emails displayed by identical displaying
client—“Bloch, Paul-Andre (London)â€â€”differ in Sent stamps?

I would be very grateful for your insight into this matter.

Roman Bachnak

 

[Jeff Stephenson [MSFT]]

Do you know which email client was used to send all the messages? Were the
other parties also using Outlook? In which timezones were printouts A and B
made? It's possible that one of the clients did not put the (required)
timezone information on the message that it sent, which would mean that the
time would have been interpreted as local time regardless of which timezone
it was printed in. Thus, such a time would not change between timezones
whereas a properly formatted time stamp would.

In reality, I wouldn't rely on printed timestamps as evidence - they're too
easily changed, and without someone with a fair amount of knowledge
investigating the computer systems themselves, thus not very conclusive.

--
Jeff Stephenson
Outlook Development
This posting is provided "AS IS" with no warranties, and confers no rights

 

[Roman Bachnak]

Many thanks. The answers to your questions are the following: The email
client was Microsoft Outlook. All the parties participating in the exchange
were using MS Outlook. As far as the timezones question, the emails in
question were generated in UK timezone.

I think by far the best way to understand what might be going on would be by
looking at the printouts themselves. Is there any way I can send them to you
(by email or fax) for inspection? I am willing to pay for this level of
advise. If this is beyond your remit perhaps you could advise me where I can
get reputable opinion on whether or not the printouts in question are (or
could be) genuine. In the circumstances that there are two emails identical
in every respect including the addressee, but differing in Sent stamps, there
is a possibility that one of the time stamps has been tampered with while the
other (perhaps by mistake) was left unchanged. Again would be grateful for
advise on how to get to the bottom of this.

Thanks again.

Roman

 

[Jeff Stephenson [MSFT]]

As a Microsoft employee, there's no way I can get involved in something like
this. Besides, as I said below, printouts are not going to give you any
answers - I could, for example, use Microsoft Word to create something that
looked exactly like any of those printed messages. Paper copies mean
nothing when it comes to computers - sorting this out will require expert
investigation of the actual computers involved. I passed this on to some
non-Microsoft experts, none of whom were interested in taking it on. Two
comments they made, though:

-If all he has are printouts, then I'd tell him there's no way to determine
whether the messages are intact or tampered with.

-Yeah no doubt. Give me access to the mailstore, the server logs, backups of
all parties involved and maybe one can say something about the e-mails.
There's also the 'oops mail failed to send', I'll 'resend' option, as well
as any number of crappy POP3 connectors which could effect what is shown.

You'll need to find someone that can actually investigate the computer
systems involved...

--
Jeff Stephenson
Outlook Development
This posting is provided "AS IS" with no warranties, and confers no rights