Being a good student, I have learned that while a tool is designed to automate a portion of an analysis, it’s always good to have a general understanding as to how the tool is able to accomplish this. One feature of FTK that has me questioning is the fact that given a pst, the tool is able to determine which emails were read vs. which were unread. One thing I cannot find solid research on is how FTK is able to parse this information. A friend has conducted experiments around this by viewing an unread message, a read message, and a message marked as unread forensically. There are slight differences in the hex, but what does that mean?
Is there a bit somewhere in the message headers that determines this? (True/False?)
Is it a hidden setting in message headers?
Is it determined based on timestamps? (Modified/Accessed dates)
Is there a way to forensically distinguish between a message that was truly unread and one that was “marked as unread”?
If anyone has any resources or ideas, please let me know. I’d love to learn about it.
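As an added illustration (not part of the original post, and not a description of how FTK itself works), the example below decodes the MAPI property that carries the read state of a message: PidTagMessageFlags (property tag 0x0E07, type PT_LONG), whose lowest bit is MSGFLAG_READ. It assumes the 4-byte little-endian property value has already been pulled out of the PST by some PST parser; the sample byte strings are constructed here for demonstration. The point for the forensic question above is that "mark as unread" clears the very same bit, so the flag value by itself looks identical for a never-read message and one that was read and then marked unread.

```python
import struct
from typing import Dict, List

# PidTagMessageFlags: property ID 0x0E07, property type PT_LONG (0x0003).
# Bit values are the documented MSGFLAG_* constants from MAPI.
PR_MESSAGE_FLAGS_TAG = 0x0E070003

MESSAGE_FLAG_BITS = {
    0x00000001: "MSGFLAG_READ",
    0x00000002: "MSGFLAG_UNMODIFIED",
    0x00000004: "MSGFLAG_SUBMIT",
    0x00000008: "MSGFLAG_UNSENT",
    0x00000010: "MSGFLAG_HASATTACH",
    0x00000020: "MSGFLAG_FROMME",
    0x00000040: "MSGFLAG_ASSOCIATED",
    0x00000080: "MSGFLAG_RESEND",
    0x00000100: "MSGFLAG_RN_PENDING",
    0x00000200: "MSGFLAG_NRN_PENDING",
}


def parse_message_flags(raw: bytes) -> int:
    """Decode the raw 4-byte little-endian PT_LONG value of PidTagMessageFlags."""
    if len(raw) != 4:
        raise ValueError("PidTagMessageFlags is a 32-bit value; got %d bytes" % len(raw))
    return struct.unpack("<I", raw)[0]


def decode_flags(flags: int) -> List[str]:
    """Return the names of every MSGFLAG_* bit that is set, in ascending bit order."""
    return [name for bit, name in sorted(MESSAGE_FLAG_BITS.items()) if flags & bit]


def is_read(flags: int) -> bool:
    """MSGFLAG_READ (bit 0) is what an email client sets when a message is opened
    and clears again when the user marks it unread."""
    return bool(flags & 0x00000001)


def compare_read_states(samples: Dict[str, bytes]) -> Dict[str, bool]:
    """Map each labelled raw property value to its read state."""
    return {label: is_read(parse_message_flags(raw)) for label, raw in samples.items()}


# Constructed sample values (not taken from any real PST):
#   never_read      -> only MSGFLAG_HASATTACH set, bit 0 clear
#   read            -> MSGFLAG_READ | MSGFLAG_HASATTACH
#   marked_unread   -> same message after "mark as unread": bit 0 cleared again
CONSTRUCTED_SAMPLES = {
    "never_read":    bytes.fromhex("10000000"),
    "read":          bytes.fromhex("11000000"),
    "marked_unread": bytes.fromhex("10000000"),
}


def flag_alone_distinguishes_marked_unread() -> bool:
    """True only if the flag value differs between never-read and marked-unread."""
    a = parse_message_flags(CONSTRUCTED_SAMPLES["never_read"])
    b = parse_message_flags(CONSTRUCTED_SAMPLES["marked_unread"])
    return a != b


if __name__ == "__main__":
    for label, raw in CONSTRUCTED_SAMPLES.items():
        flags = parse_message_flags(raw)
        print("%-14s 0x%08X %s" % (label, flags, decode_flags(flags)))
    print("flag alone distinguishes marked-unread:", flag_alone_distinguishes_marked_unread())
```

Because the flag is a single bit with no history, answering the "truly unread vs. marked unread" question from the flag alone is not possible; an examiner would have to look at other properties or timestamps on the message, which this example does not attempt to interpret.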