Calling all expertise

Being a good student, I have learned that while a tool is designed to automate a portion of an analysis, it’s always good to have a general understanding as to how the tool is able to accomplish this. One feature of FTK that has me questioning is the fact that given a pst, the tool is able to determine which emails were read vs. which were unread. One thing I cannot find solid research on is how FTK is able to parse this information. A friend has conducted experiments around this by viewing an unread message, a read message, and a message marked as unread forensically. There are slight differences in the hex, but what does that mean?

Is there a bit somewhere in the message headers that determines this? (True/False?)

Is it a hidden setting in message headers?

Is it determined based on timestamps? (Modified/Accessed dates)

Is there a way to forensically distinguish between a message that was truly unread, or one that was “marked as unread”?


If anyone has any resources or ideas, please let me know. I’d love to learn about it.
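One place to start looking, as an added example that is not part of the original post and is not FTK's own code: in MAPI (the object model a PST stores), the read state of a message is a bit in the PidTagMessageFlags property (property ID 0x0E07, type PT_LONG, documented in MS-OXCMSG), not a timestamp. The decoder below takes the raw little-endian property bytes you would find in a hex view of the message's property context and names the flag bits; it also decodes a PT_SYSTIME FILETIME so the modification time can be compared alongside the flags. The property values and the message dumps are constructed for the example; the assumption that the client persists mfEverRead (0x0400) when a read message is later marked unread is labelled in the code and is exactly the kind of thing to verify against the friend's three test messages rather than take on faith.

```python
import struct
from datetime import datetime, timedelta, timezone

# Property tags from MS-OXPROPS: (property ID << 16) | property type.
PR_MESSAGE_FLAGS = 0x0E070003           # PidTagMessageFlags, PT_LONG
PR_LAST_MODIFICATION_TIME = 0x30080040  # PidTagLastModificationTime, PT_SYSTIME
PR_MESSAGE_DELIVERY_TIME = 0x0E060040   # PidTagMessageDeliveryTime, PT_SYSTIME

# Flag bits of PidTagMessageFlags as defined in MS-OXCMSG section 2.2.1.6.
MSG_FLAGS = {
    0x00000001: "mfRead",
    0x00000002: "mfUnmodified",
    0x00000004: "mfSubmitted",
    0x00000008: "mfUnsent",
    0x00000010: "mfHasAttach",
    0x00000020: "mfFromMe",
    0x00000040: "mfFAI",
    0x00000080: "mfResend",
    0x00000100: "mfNotifyRead",
    0x00000200: "mfNotifyUnread",
    0x00000400: "mfEverRead",
    0x00002000: "mfInternet",
    0x00008000: "mfUntrusted",
}


def decode_message_flags(raw: bytes) -> dict:
    """Decode the 4-byte little-endian PT_LONG value of PidTagMessageFlags."""
    if len(raw) != 4:
        raise ValueError("PT_LONG value must be exactly 4 bytes")
    (value,) = struct.unpack("<I", raw)
    names = [name for bit, name in MSG_FLAGS.items() if value & bit]
    # Any set bit outside the documented list is worth noting, not ignoring.
    unknown = value & ~sum(MSG_FLAGS)
    return {"value": value, "flags": names, "unknown_bits": unknown}


def classify_read_state(value: int) -> str:
    """Classify read state from the flag word. mfRead is the authoritative bit."""
    if value & 0x00000001:
        return "read"
    # ASSUMPTION: a client that keeps mfEverRead set when the user marks a
    # message unread would let us tell "never read" from "marked unread".
    # Verify this against real test messages before relying on it.
    if value & 0x00000400:
        return "unread (mfEverRead set: read at least once, then marked unread)"
    return "unread (never read)"


def filetime_to_datetime(raw: bytes) -> datetime:
    """Decode an 8-byte little-endian FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    if len(raw) != 8:
        raise ValueError("PT_SYSTIME value must be exactly 8 bytes")
    (ticks,) = struct.unpack("<Q", raw)
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)


def summarize_message(props) -> dict:
    """Walk a list of (property tag, raw value bytes) pairs for one message."""
    out = {}
    for tag, raw in props:
        if tag == PR_MESSAGE_FLAGS:
            decoded = decode_message_flags(raw)
            out["flags"] = decoded["flags"]
            out["read_state"] = classify_read_state(decoded["value"])
        elif tag == PR_LAST_MODIFICATION_TIME:
            out["last_modified"] = filetime_to_datetime(raw)
        elif tag == PR_MESSAGE_DELIVERY_TIME:
            out["delivered"] = filetime_to_datetime(raw)
    return out


# Constructed sample values (not taken from any real PST):
# 2015-01-01T00:00:00Z as a FILETIME = (11644473600 + 1420070400) * 10**7 ticks.
SAMPLE_TIME = struct.pack("<Q", 130645440000000000)
SAMPLE_MESSAGES = {
    "read_with_attachment": [(PR_MESSAGE_FLAGS, b"\x11\x00\x00\x00"),
                             (PR_LAST_MODIFICATION_TIME, SAMPLE_TIME)],
    "never_read":           [(PR_MESSAGE_FLAGS, b"\x00\x00\x00\x00"),
                             (PR_MESSAGE_DELIVERY_TIME, SAMPLE_TIME)],
    "marked_unread":        [(PR_MESSAGE_FLAGS, b"\x00\x04\x00\x00")],
}

if __name__ == "__main__":
    for name, props in SAMPLE_MESSAGES.items():
        print(name, summarize_message(props))
```

The point the decoder makes concrete: the "slight differences in the hex" between the three test messages should show up as a change in this one 32-bit word, while the modification timestamp is a separate property that a mark-as-unread action may or may not touch depending on the client. Comparing the flag word and the timestamps of the three messages side by side is the experiment that answers the last question.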

