Outlook msg files timestamps

Issue #25 closed
Philippe Guéry
created an issue


First of all, many thanks for the outstanding job. I use this library in order to do some forensic analysis on Outlook msg files. My starting point was msg-extractor (https://github.com/mattgwwalker/msg-extractor), which uses your library to extract information. But I can't recover any valuable date from sent messages. If I use your olefile.py I recover mtime and ctime, but it's the msg file creation and modification time, not the send time. Do you see any solution?

Many thanks in advance, Philippe

Comments (3)

  1. Philippe Lagadec repo owner

    Hi, I haven't tested it myself, but from the source code of msg-extractor, it looks like you can get a date using the date property of the Message class (line 245 here).

    And in fact the Message.header attribute (see line 233) is a standard python email.message.Message object containing the message header fields, so you may list its keys and values like a dict (Message.header.items()), to see if there is the timestamp you are looking for.

    Otherwise, the Microsoft specifications for the MSG format are here: https://msdn.microsoft.com/en-us/library/cc463912%28v=exchg.80%29.aspx (pretty complex)

    Hope this helps.
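
Following the suggestion above to list the header fields, this added example (not part of the original thread, and not msg-extractor or olefile code) pulls every timestamp out of a header block with the standard `email` module and normalises it to UTC. The sample headers are constructed, and `header_timestamps` is a hypothetical helper that takes the raw header text rather than a msg-extractor object.

```python
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample header block (not taken from a real message).
SAMPLE_HEADERS = """\
Received: from mail.example.org (mail.example.org [192.0.2.10])
\tby mx.example.net with ESMTP id abc123;
\tTue, 3 Mar 2015 10:15:32 +0100
Received: from client.example.org (client.example.org [192.0.2.55])
\tby mail.example.org with ESMTP id def456;
\tTue, 3 Mar 2015 10:15:30 +0100
Date: Tue, 3 Mar 2015 10:15:28 +0100
From: alice@example.org
To: bob@example.net
Subject: test

"""


def header_timestamps(raw_headers):
    """Return (field, UTC datetime or None, raw stamp) for each dated header."""
    msg = message_from_string(raw_headers)
    found = []
    for name, value in msg.items():
        lname = name.lower()
        if lname in ("date", "resent-date"):
            stamp = value
        elif lname == "received":
            # In a Received field the hop timestamp follows the last ';'.
            stamp = value.rpartition(";")[2]
        else:
            continue
        stamp = " ".join(stamp.split())  # unfold continuation lines
        try:
            when = parsedate_to_datetime(stamp)
            if when.tzinfo is None:
                # "-0000" zone: the time is UTC, the sender's zone is unknown.
                when = when.replace(tzinfo=timezone.utc)
            when = when.astimezone(timezone.utc)
        except (TypeError, ValueError):
            when = None  # keep the raw text so the examiner can review it
        found.append((name, when, stamp))
    return found


if __name__ == "__main__":
    for field, when, raw in header_timestamps(SAMPLE_HEADERS):
        print(f"{field:10} {when.isoformat() if when else 'UNPARSEABLE':27} {raw}")
```

The `Date` field is set by the sending client and each `Received` field by a relay, so comparing them shows whether the claimed send time is consistent with the delivery path.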
