• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 330
  • Last Modified:

Did they view an email

I am not holding out to much hope on this, but as a long shot, a user (XP workstation, outlook 2003 software) had been granted (wrongly) delegate rights to a team mailbox, this user has viewed an email they shouldnt of (which became apparent during general office discussion), the user is claiming they didnt view that mailbox and that email, when the evidence suggests different. Is there any possible way to prove on their machine that they may of opened that email from their PC? Or is it impossible (I highly suspect they'll be no purpose set audit logs on that mailbox, but I wondered if on the PC itself there could be). We can prove they did have access to the mailbox via delegate rights using PFDavAdmin. At a bit of a loss as to where to ask forensics to start looking, or whether to invest time/money in doing so.
0
pma111
Asked:
pma111
  • 4
  • 3
  • 2
2 Solutions
 
dmarinenkoCommented:
You can look at outlook on there computer.  Does the email show that it's been read?
0
 
dmarinenkoCommented:
Also you can look for certain exchange logins.  This article has some useful auditing information.  Unfortunatelya lot of it depends on what logging/auditing you may have had enabled a the time.
http://www.msexchange.org/tutorials/auditing-mailbox-access-exchange-system-manager-event-viewer.html
0
 
pma111Author Commented:
>>You can look at outlook on there computer.  Does the email show that it's been read?

How, please can you provide a screenshot on where you mean within outlook 03. The email will have already been opened by another user with delegate perms on the mailbox, but I cant see where for every users whose ever accessed that email where the evidence will be.
0
Protect Your Employees from Wi-Fi Threats

As Wi-Fi growth and popularity continues to climb, not everyone understands the risks that come with connecting to public Wi-Fi or even offering Wi-Fi to employees, visitors and guests. Download the resource kit to make sure your safe wherever business takes you!

 
pma111Author Commented:
There are 10 users with access to the mailbox.
0
 
pma111Author Commented:
Do you know the answer?
0
 
btanExec ConsultantCommented:
Not sure if this can help but there is some past EE discussion on this - not straightforward and I believe it is impossible to proof to that high confidence of user opening it email. The gathering artefact is still finding needle in haystack which may not eventually produce chain of evidence.

http://www.experts-exchange.com/Security/Digital_Forensics/Q_26334706.html
http://www.experts-exchange.com/Security/Digital_Forensics/Q_26334675.html
0
 
btanExec ConsultantCommented:
Exchange journeling is good to know for investigative purpose but to proof opening of email - may not be a fit ...but still thought of sharing since it is useful for forensic purpose
http://technet.microsoft.com/en-us/library/aa998649(EXCHG.80).aspx
http://technet.microsoft.com/en-us/library/bb124382(v=exchg.80).aspx
0
 
pma111Author Commented:
Thanks Breadtan, Is journalling turned on by default ?
0
 
btanExec ConsultantCommented:
I believe it is not enabled by default as it is quite intensive due to storage  archiving.  if interested, can find out how to enable per email box for user.
 http://technet.microsoft.com/en-us/library/bb124985.aspx
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

WEBINAR: 10 Easy Ways to Lose a Password

Join us on June 27th at 8 am PDT to learn about the methods that hackers use to lift real, working credentials from even the most security-savvy employees. We'll cover the importance of multi-factor authentication and how these solutions can better protect your business!

  • 4
  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now