Trace source PC of an e-mail

A (now ex-)employee is denying sending company information to their home e-mail address before leaving. Unfortunately for him, all e-mails in and out are copied to the Administrator account (Exchange 2003 on SBS2003), so we know it was sent despite him clearing out his 'sent items'. However, the claim now is that 'someone else must have sent it from a different PC'.

We can tie him down to being at a certain PC at a certain time when the e-mails were sent. Is there any way of the system giving us the IP address or computer name of the PC that these e-mails were sent from?
Asked by TS_MikeH

TS_MikeH (Author) commented:
Better add that all PCs just use Outlook 2003 to connect to the Exchange server, so nothing complicated, etc.

Stephen Croft (Technical Architect) commented:
Have you checked the headers for any information? If not, you could maybe look through the message tracking logs (if enabled).

If not, just politely remind him that it is his responsibility to keep his account secure, and anything done from his account is his responsibility.

:)

TS_MikeH (Author) commented:
Thanks for the quick reply. However, I've checked the message header and there's nothing in there (that I can see) and the MTC confirms that it was sent, but doesn't tell me where it's come from.

Stephen Croft (Technical Architect) commented:
Can you not see where it was submitted from?

If not, tough luck sorry :(

L3370 commented:
I agree with djxtreme.

Does the user admit to giving out his account login information?  You can only send email from that account if the account is logged in!

Now as for the IP address... disregard this if I am interpreting this incorrectly.

Are you having trouble getting the IP address of the computer, or is the problem that you are trying to find bona fide proof that the messages were tied to that IP address?

Other than comparing Security events in Event Viewer on the local computer to the time the messages were sent, I wouldn't know how to tie them together.

TS_MikeH (Author) commented:
The EX-user is denying all knowledge of these e-mails being sent out. We can place him at a particular PC (his 'own' one) between 3pm and 3:15pm on a particular date, and we can also show that e-mails were sent out between those times. It's blindingly obvious to us all that he sent them, but how can we PROVE that they came from the PC (static IP and machine name of which are known) that he was sitting at.

Playing devil's advocate, he could say that the IT administrator changed the settings on his Exchange account and then sent these e-mails from another PC using his e-mail account. Theoretically possible, so I've got to prove they came from his PC.

L3370 commented:
Yeah, I understand your predicament. It is also worth noting that there would be logs showing that kind of action was taken... if it were the case.

Does your organization plan on seeking legal/law enforcement intervention on this?

If I were in your shoes this is how I would begin:

First. Take physical control of the computer you suspect was used to do this.  Keep it off the network and in a secure location.
Next. Disable the user's account if not already done. Do not allow the user to do anything else...like possibly covering their tracks.

Utilize the ExMerge utility for Exchange. This utility can be used to track all iterations of sent/received messages. Handy information for investigations.

Download Sysinternals, and look up forensic policies. Sysinternals has some forensic tools that may be able to help tracking all this information.

Make a copy of that hard drive's image. Use Sysinternals products on that copy to see if you can pull up any data that proves he committed an offense.

I am trying to find a good link to using sysinternals for forensics.

L3370 commented:
Didn't realize you said he's already gone. It would be nice if his network account is still on the network, though.

Here are some utils on Sysinternals. Click on the utilities index.

http://technet.microsoft.com/en-us/sysinternals/default.aspx

Stephen Croft (Technical Architect) commented:
You don't have SMTP logging enabled, do you?

Mestha commented:
If the email messages were sent by Outlook using MAPI, then there is nothing stored by Exchange that will show what IP address the message was sent from.

SMTP logging - will show nothing.
There are no logs of the IP addresses connecting to the Exchange server at any time.

A decent lawyer would be able to get out of it anyway. The only thing that would stand up in court is a video or witnesses.

If they decide to use the "An administrator changed the settings" ploy, then you will need to prove that with logging. If you have accounts with access to all mailboxes then that defence has been won, because you cannot prove it didn't happen.

I hate to say it, but all you can prove is the emails were sent by his account, not physically by that individual or that machine.

I am not a lawyer though and I don't play one on EE.

-M
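An added example, not code from anyone in this thread, working through the two points above (L3370's suggestion of lining up workstation Security events with send times, and Mestha's point that a MAPI submission records no client address): it parses a constructed Exchange 2003 message tracking log excerpt by its "# Fields:" header and checks each submission against constructed logon/logoff events from the suspect PC. The column layout, the reading of Event-ID 1028 as a store (Outlook/MAPI) submission, and all names, addresses and times are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed Exchange 2003 message tracking log: tab-separated, field order as in
# the "# Fields:" header Exchange 2000/2003 writes (layout assumed here). Event-ID
# 1028 (assumed "Store Driver: message submitted from store") is an Outlook/MAPI
# submission, for which the server writes client-ip as just "-".
FIELDS = ("Date Time client-ip Client-hostname Partner-Name Server-hostname server-IP "
          "Recipient-Address Event-ID MSGID Priority Recipient-Report-Status total-bytes "
          "Number-Recipients Origination-Time Encryption service-Version Linked-MSGID "
          "Message-Subject Sender-Address").split()
ROWS = [  # one submission inside the 15:00-15:15 logon window, one well outside it
    "2008-3-4\t15:04:31 GMT\t-\t-\t-\tSBSSERVER\t192.168.1.2\tjoe@home.example\t1028\t<M1@sbs>\t0\t0\t51200\t1\t2008-3-4 15:04:31 GMT\t0\tVersion: 6.0.3790.0\t-\tCustomer list\tjoe@company.example",
    "2008-3-4\t15:40:00 GMT\t-\t-\t-\tSBSSERVER\t192.168.1.2\tjoe@home.example\t1028\t<M2@sbs>\t0\t0\t1024\t1\t2008-3-4 15:40:00 GMT\t0\tVersion: 6.0.3790.0\t-\tContracts\tjoe@company.example",
]
TRACKING_LOG = "# Fields: " + "\t".join(FIELDS) + "\n" + "\n".join(ROWS) + "\n"

# Constructed Security log entries from the suspect PC (Windows XP/2003 event IDs:
# 528 = successful logon, 538 = logoff), as (time, event id, account name).
WORKSTATION_EVENTS = [(datetime(2008, 3, 4, 14, 58, 10), 528, "joe"), (datetime(2008, 3, 4, 15, 16, 45), 538, "joe")]

def parse_tracking_log(text):
    """Turn the tracking log into dicts keyed by the header's field names."""
    lines = [l for l in text.splitlines() if l.strip()]
    fields = lines[0][len("# Fields: "):].split("\t")
    entries = [dict(zip(fields, line.split("\t"))) for line in lines[1:]]
    for row in entries:  # Date is written unpadded (e.g. 2008-3-4); strptime copes
        row["when"] = datetime.strptime(row["Date"] + " " + row["Time"], "%Y-%m-%d %H:%M:%S GMT")
    return entries

def logon_sessions(events, user):
    """Pair each 528 logon with the next 538 logoff for `user` -> [(start, end)]."""
    sessions, start = [], None
    for when, event_id, who in sorted(e for e in events if e[2] == user):
        if event_id == 528:
            start = when
        elif event_id == 538 and start is not None:
            sessions.append((start, when))
            start = None
    if start is not None:  # still logged on when the log ends: open-ended session
        sessions.append((start, None))
    return sessions

def correlate(entries, sessions, sender, slack=timedelta(minutes=1)):
    """For each MAPI submission by `sender`: did it fall inside a logon session on
    the workstation, and what client IP did the server record (none, for MAPI)?"""
    report = []
    for e in (x for x in entries if x["Event-ID"] == "1028" and x["Sender-Address"] == sender):
        inside = any(s - slack <= e["when"] and (t is None or e["when"] <= t + slack)
                     for s, t in sessions)
        report.append({"subject": e["Message-Subject"], "when": e["when"],
                       "client_ip": e["client-ip"], "during_logon": inside})
    return report
```

The output only says which submissions overlap a logon session on that PC and that the server stored no source address; as the thread concludes, that places the account, not the person or the machine.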

TS_MikeH (Author) commented:
L3370 - I'm familiar with Sysinternals, but am not aware of any of their utilities that would help me get the info I require. Have I overlooked one? Also, you suggest using Exmerge - will this give me the info I require?

My thoughts are the same as Mestha's (ie "all you can prove is the emails were sent by his account, not physically by that individual or that machine."). Can anyone offer any ideas to the contrary?

Thanks

Mike

TS_MikeH (Author) commented:
Whilst I was hoping for a solution, the original question was 'is there a way' and it seems that the answer is 'no, there isn't'

Thanks for the assistance / ideas though