Solved

Did they view an email

Posted on 2012-04-03
9
299 Views
Last Modified: 2012-04-13
I am not holding out to much hope on this, but as a long shot, a user (XP workstation, outlook 2003 software) had been granted (wrongly) delegate rights to a team mailbox, this user has viewed an email they shouldnt of (which became apparent during general office discussion), the user is claiming they didnt view that mailbox and that email, when the evidence suggests different. Is there any possible way to prove on their machine that they may of opened that email from their PC? Or is it impossible (I highly suspect they'll be no purpose set audit logs on that mailbox, but I wondered if on the PC itself there could be). We can prove they did have access to the mailbox via delegate rights using PFDavAdmin. At a bit of a loss as to where to ask forensics to start looking, or whether to invest time/money in doing so.
0
Comment
Question by:pma111
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
  • 2
9 Comments
 
LVL 8

Accepted Solution

by:
dmarinenko earned 250 total points
ID: 37801415
You can look at outlook on there computer.  Does the email show that it's been read?
0
 
LVL 8

Expert Comment

by:dmarinenko
ID: 37801442
Also you can look for certain exchange logins.  This article has some useful auditing information.  Unfortunatelya lot of it depends on what logging/auditing you may have had enabled a the time.
http://www.msexchange.org/tutorials/auditing-mailbox-access-exchange-system-manager-event-viewer.html
0
 
LVL 3

Author Comment

by:pma111
ID: 37801498
>>You can look at outlook on there computer.  Does the email show that it's been read?

How, please can you provide a screenshot on where you mean within outlook 03. The email will have already been opened by another user with delegate perms on the mailbox, but I cant see where for every users whose ever accessed that email where the evidence will be.
0
Get 15 Days FREE Full-Featured Trial

Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users

 
LVL 3

Author Comment

by:pma111
ID: 37801505
There are 10 users with access to the mailbox.
0
 
LVL 3

Author Comment

by:pma111
ID: 37805541
Do you know the answer?
0
 
LVL 64

Expert Comment

by:btan
ID: 37815642
Not sure if this can help but there is some past EE discussion on this - not straightforward and I believe it is impossible to proof to that high confidence of user opening it email. The gathering artefact is still finding needle in haystack which may not eventually produce chain of evidence.

http://www.experts-exchange.com/Security/Digital_Forensics/Q_26334706.html
http://www.experts-exchange.com/Security/Digital_Forensics/Q_26334675.html
0
 
LVL 64

Expert Comment

by:btan
ID: 37815648
Exchange journeling is good to know for investigative purpose but to proof opening of email - may not be a fit ...but still thought of sharing since it is useful for forensic purpose
http://technet.microsoft.com/en-us/library/aa998649(EXCHG.80).aspx
http://technet.microsoft.com/en-us/library/bb124382(v=exchg.80).aspx
0
 
LVL 3

Author Comment

by:pma111
ID: 37826564
Thanks Breadtan, Is journalling turned on by default ?
0
 
LVL 64

Assisted Solution

by:btan
btan earned 250 total points
ID: 37827360
I believe it is not enabled by default as it is quite intensive due to storage  archiving.  if interested, can find out how to enable per email box for user.
 http://technet.microsoft.com/en-us/library/bb124985.aspx
0

Featured Post

[Webinar] How Hackers Steal Your Credentials

Do You Know How Hackers Steal Your Credentials? Join us and Skyport Systems to learn how hackers steal your credentials and why Active Directory must be secure to stop them. Thursday, July 13, 2017 10:00 A.M. PDT

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Is your Office 365 signature not working the way you want it to? Are signature updates taking up too much of your time? Let's run through the most common problems that an IT administrator can encounter when dealing with Office 365 email signatures.
If you troubleshoot Outlook for clients, you may want to know a bit more about the OST file before doing your next job. IMAP can cause a lot of drama if removed in the accounts without backing up.
Get people started with the process of using Access VBA to control Outlook using automation, Microsoft Access can control other applications. An example is the ability to programmatically talk to Microsoft Outlook. Using automation, an Access applic…
Two types of users will appreciate AOMEI Backupper Pro: 1 - Those with PCIe drives (and haven't found cloning software that works on them). 2 - Those who want a fast clone of their boot drive (no re-boots needed) and it can clone your drive wh…

729 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question