Solved

Did they view an email

Posted on 2012-04-03
9
294 Views
Last Modified: 2012-04-13
I am not holding out to much hope on this, but as a long shot, a user (XP workstation, outlook 2003 software) had been granted (wrongly) delegate rights to a team mailbox, this user has viewed an email they shouldnt of (which became apparent during general office discussion), the user is claiming they didnt view that mailbox and that email, when the evidence suggests different. Is there any possible way to prove on their machine that they may of opened that email from their PC? Or is it impossible (I highly suspect they'll be no purpose set audit logs on that mailbox, but I wondered if on the PC itself there could be). We can prove they did have access to the mailbox via delegate rights using PFDavAdmin. At a bit of a loss as to where to ask forensics to start looking, or whether to invest time/money in doing so.
0
Comment
Question by:pma111
  • 4
  • 3
  • 2
9 Comments
 
LVL 8

Accepted Solution

by:
dmarinenko earned 250 total points
ID: 37801415
You can look at outlook on there computer.  Does the email show that it's been read?
0
 
LVL 8

Expert Comment

by:dmarinenko
ID: 37801442
Also you can look for certain exchange logins.  This article has some useful auditing information.  Unfortunatelya lot of it depends on what logging/auditing you may have had enabled a the time.
http://www.msexchange.org/tutorials/auditing-mailbox-access-exchange-system-manager-event-viewer.html
0
 
LVL 3

Author Comment

by:pma111
ID: 37801498
>>You can look at outlook on there computer.  Does the email show that it's been read?

How, please can you provide a screenshot on where you mean within outlook 03. The email will have already been opened by another user with delegate perms on the mailbox, but I cant see where for every users whose ever accessed that email where the evidence will be.
0
 
LVL 3

Author Comment

by:pma111
ID: 37801505
There are 10 users with access to the mailbox.
0
Highfive + Dolby Voice = No More Audio Complaints!

Poor audio quality is one of the top reasons people don’t use video conferencing. Get the crispest, clearest audio powered by Dolby Voice in every meeting. Highfive and Dolby Voice deliver the best video conferencing and audio experience for every meeting and every room.

 
LVL 3

Author Comment

by:pma111
ID: 37805541
Do you know the answer?
0
 
LVL 61

Expert Comment

by:btan
ID: 37815642
Not sure if this can help but there is some past EE discussion on this - not straightforward and I believe it is impossible to proof to that high confidence of user opening it email. The gathering artefact is still finding needle in haystack which may not eventually produce chain of evidence.

http://www.experts-exchange.com/Security/Digital_Forensics/Q_26334706.html
http://www.experts-exchange.com/Security/Digital_Forensics/Q_26334675.html
0
 
LVL 61

Expert Comment

by:btan
ID: 37815648
Exchange journeling is good to know for investigative purpose but to proof opening of email - may not be a fit ...but still thought of sharing since it is useful for forensic purpose
http://technet.microsoft.com/en-us/library/aa998649(EXCHG.80).aspx
http://technet.microsoft.com/en-us/library/bb124382(v=exchg.80).aspx
0
 
LVL 3

Author Comment

by:pma111
ID: 37826564
Thanks Breadtan, Is journalling turned on by default ?
0
 
LVL 61

Assisted Solution

by:btan
btan earned 250 total points
ID: 37827360
I believe it is not enabled by default as it is quite intensive due to storage  archiving.  if interested, can find out how to enable per email box for user.
 http://technet.microsoft.com/en-us/library/bb124985.aspx
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

Use these top 10 tips to master the art of email signature design. Create an email signature design that will easily wow recipients, promote your brand and highlight your professionalism.
Follow this checklist to learn more about the 15 things you should never include in an email signature from personal quotes, animated gifs and out-of-date marketing content.
Get people started with the process of using Access VBA to control Outlook using automation, Microsoft Access can control other applications. An example is the ability to programmatically talk to Microsoft Outlook. Using automation, an Access applic…
To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now