Does Exchange Server adequately protect against backdating items in a mailbox folder? I want to determine from an auditing perspective what level of risk exists/what trust can be put into Exchange database records.
Is there a (mis)feature that allows end point users to modify the sent/recieved date fields on their own messages?
Is there a reasonable way short of hand editing the files for an Exchange Server admin to make such a change?
And most importantly: Is there any kind of "sequence number" that we could use to audit Exchange records for evidence of date manipulation (ex. msg100 = Dec 15, msg101 = Dec 10, msg102 = Dec 16)
I am not sure that this really answers your question, but looking at the MSDN reference for the MailItem, and it's time properties may give you an idea what you can trust.
MailItem
MailItem.CreationTime
MailItem.LastModificationTime
MailItem.ReceivedTime
I don't believe so. If you really need to audit at this level you may just need to keep a seperate copy of each message/item. Or perhaps you need to come up with a good backup/restore method. If you suspect something check out an older version of the persons mailbox from your archives.