Pau Lo
asked on
Did they view an email
I am not holding out to much hope on this, but as a long shot, a user (XP workstation, outlook 2003 software) had been granted (wrongly) delegate rights to a team mailbox, this user has viewed an email they shouldnt of (which became apparent during general office discussion), the user is claiming they didnt view that mailbox and that email, when the evidence suggests different. Is there any possible way to prove on their machine that they may of opened that email from their PC? Or is it impossible (I highly suspect they'll be no purpose set audit logs on that mailbox, but I wondered if on the PC itself there could be). We can prove they did have access to the mailbox via delegate rights using PFDavAdmin. At a bit of a loss as to where to ask forensics to start looking, or whether to invest time/money in doing so.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
>>You can look at outlook on there computer. Does the email show that it's been read?
How, please can you provide a screenshot on where you mean within outlook 03. The email will have already been opened by another user with delegate perms on the mailbox, but I cant see where for every users whose ever accessed that email where the evidence will be.
How, please can you provide a screenshot on where you mean within outlook 03. The email will have already been opened by another user with delegate perms on the mailbox, but I cant see where for every users whose ever accessed that email where the evidence will be.
ASKER
There are 10 users with access to the mailbox.
ASKER
Do you know the answer?
Not sure if this can help but there is some past EE discussion on this - not straightforward and I believe it is impossible to proof to that high confidence of user opening it email. The gathering artefact is still finding needle in haystack which may not eventually produce chain of evidence.
https://www.experts-exchange.com/questions/26334706/How-do-I-prove-I-never-opened-an-email.html
https://www.experts-exchange.com/questions/26334675/Verify-email-has-been-opened.html
https://www.experts-exchange.com/questions/26334706/How-do-I-prove-I-never-opened-an-email.html
https://www.experts-exchange.com/questions/26334675/Verify-email-has-been-opened.html
Exchange journeling is good to know for investigative purpose but to proof opening of email - may not be a fit ...but still thought of sharing since it is useful for forensic purpose
http://technet.microsoft.com/en-us/library/aa998649(EXCHG.80).aspx
http://technet.microsoft.com/en-us/library/bb124382(v=exchg.80).aspx
http://technet.microsoft.com/en-us/library/aa998649(EXCHG.80).aspx
http://technet.microsoft.com/en-us/library/bb124382(v=exchg.80).aspx
ASKER
Thanks Breadtan, Is journalling turned on by default ?
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
http://www.msexchange.org/tutorials/auditing-mailbox-access-exchange-system-manager-event-viewer.html