The dissection of the header of PR_CONVERSATION_INDEX (22 bytes) is as follows:
* One reserved byte. Its value is 1.
* Five bytes for the current system time converted to the FILETIME structure format.
* Sixteen bytes holding a GUID, or globally unique identifier.
A FILETIME is correctly parsed as a full 8-byte value.
The current conversion takes the 5 bytes, pre-pads them with 1 byte (00) and post-pads them with 2 bytes (0000). The full 8 bytes are then converted to a readable time (the converted value represents 100-nanosecond units since the start of 1/1/1601).
Example:
PR_CONVERSATION_INDEX (only the 5 header bytes that represent the FILETIME): D0BC97E167
> Current FILETIME: (Low = 0xE1670000, High = 0x_00_D0BC97) = 11:52:46.352 AM 09-Mar-1787
The correct way of evaluating the FILETIME is not to pre-pad the 5 FILETIME bytes, but rather to take the first 6 bytes and add only the post-padding of 2 bytes (0000).
As such, the FILETIME should be evaluated as:
> 0x_01_D0BC97:E1670000 - this would result in the correct timestamp: 11:42:50 AM 12-Jul-2015
This is the correct timestamp for the email.
This will eventually need to be corrected in an upcoming version so that the FILETIME included in the Conversation Index is reflected correctly.
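The two readings side by side, as an added Python example (not code from the tool being discussed). The function names are hypothetical and the 16 GUID bytes in the sample are constructed; only the first six bytes come from the example above. FILETIME values are treated as UTC.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
HEADER_LEN = 22  # 1 reserved byte + 5 time bytes + 16 GUID bytes


def filetime_to_datetime(filetime):
    """Convert a 64-bit FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def parse_header(index):
    """Parse the 22-byte header: first 6 bytes + 0000 form the FILETIME."""
    if len(index) < HEADER_LEN:
        raise ValueError("conversation index shorter than 22-byte header")
    if index[0] != 0x01:
        raise ValueError("unexpected reserved byte: 0x%02X" % index[0])
    # The reserved byte (01) is the most significant byte of the FILETIME.
    filetime = int.from_bytes(index[0:6] + b"\x00\x00", "big")
    return {
        "filetime": filetime,
        "timestamp": filetime_to_datetime(filetime),
        "guid": index[6:HEADER_LEN],
    }


def parse_header_prepadded(index):
    """The faulty reading: 00 + the 5 time bytes + 0000."""
    if len(index) < HEADER_LEN:
        raise ValueError("conversation index shorter than 22-byte header")
    filetime = int.from_bytes(b"\x00" + index[1:6] + b"\x00\x00", "big")
    return filetime_to_datetime(filetime)


# Constructed sample: 01 + D0BC97E167 from the example, GUID bytes invented.
SAMPLE_INDEX = bytes.fromhex("01D0BC97E167") + bytes(range(16))

if __name__ == "__main__":
    print("pre-padded:", parse_header_prepadded(SAMPLE_INDEX).isoformat())
    print("six bytes :", parse_header(SAMPLE_INDEX)["timestamp"].isoformat())
```

A decoded timestamp in the 1700s is a quick indicator that a parser dropped the leading 01 byte.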