Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Did they view an email

Posted on 2012-04-03
9
Medium Priority
?
309 Views
Last Modified: 2012-04-13
I am not holding out to much hope on this, but as a long shot, a user (XP workstation, outlook 2003 software) had been granted (wrongly) delegate rights to a team mailbox, this user has viewed an email they shouldnt of (which became apparent during general office discussion), the user is claiming they didnt view that mailbox and that email, when the evidence suggests different. Is there any possible way to prove on their machine that they may of opened that email from their PC? Or is it impossible (I highly suspect they'll be no purpose set audit logs on that mailbox, but I wondered if on the PC itself there could be). We can prove they did have access to the mailbox via delegate rights using PFDavAdmin. At a bit of a loss as to where to ask forensics to start looking, or whether to invest time/money in doing so.
0
Comment
Question by:pma111
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
  • 2
9 Comments
 
LVL 8

Accepted Solution

by:
dmarinenko earned 1000 total points
ID: 37801415
You can look at outlook on there computer.  Does the email show that it's been read?
0
 
LVL 8

Expert Comment

by:dmarinenko
ID: 37801442
Also you can look for certain exchange logins.  This article has some useful auditing information.  Unfortunatelya lot of it depends on what logging/auditing you may have had enabled a the time.
http://www.msexchange.org/tutorials/auditing-mailbox-access-exchange-system-manager-event-viewer.html
0
 
LVL 3

Author Comment

by:pma111
ID: 37801498
>>You can look at outlook on there computer.  Does the email show that it's been read?

How, please can you provide a screenshot on where you mean within outlook 03. The email will have already been opened by another user with delegate perms on the mailbox, but I cant see where for every users whose ever accessed that email where the evidence will be.
0
Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

 
LVL 3

Author Comment

by:pma111
ID: 37801505
There are 10 users with access to the mailbox.
0
 
LVL 3

Author Comment

by:pma111
ID: 37805541
Do you know the answer?
0
 
LVL 65

Expert Comment

by:btan
ID: 37815642
Not sure if this can help but there is some past EE discussion on this - not straightforward and I believe it is impossible to proof to that high confidence of user opening it email. The gathering artefact is still finding needle in haystack which may not eventually produce chain of evidence.

http://www.experts-exchange.com/Security/Digital_Forensics/Q_26334706.html
http://www.experts-exchange.com/Security/Digital_Forensics/Q_26334675.html
0
 
LVL 65

Expert Comment

by:btan
ID: 37815648
Exchange journeling is good to know for investigative purpose but to proof opening of email - may not be a fit ...but still thought of sharing since it is useful for forensic purpose
http://technet.microsoft.com/en-us/library/aa998649(EXCHG.80).aspx
http://technet.microsoft.com/en-us/library/bb124382(v=exchg.80).aspx
0
 
LVL 3

Author Comment

by:pma111
ID: 37826564
Thanks Breadtan, Is journalling turned on by default ?
0
 
LVL 65

Assisted Solution

by:btan
btan earned 1000 total points
ID: 37827360
I believe it is not enabled by default as it is quite intensive due to storage  archiving.  if interested, can find out how to enable per email box for user.
 http://technet.microsoft.com/en-us/library/bb124985.aspx
0

Featured Post

Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article lists the top 5 free OST to PST Converter Tools. These tools save a lot of time for users when they want to convert OST to PST after their exchange server is no longer available or some other critical issue with exchange server or impor…
By default Outlook 2016 displays only one time zone in the Calendar. The following article explains how to display two time zones in one calendar view.
Many of my clients call in with monstrous Gmail overloading issues with Outlook. A quick tip is to turn off the All Mail and Important folders from synching. Here is a quick video I made to show you how to turn off these and other folders in Gmail s…
CodeTwo Sync for iCloud (http://www.codetwo.com/sync-for-icloud?sts=6554) automatically synchronizes your Outlook 2016, 2013, 2010 or 2007 folders with iCloud folders available via iCloud Control Panel. This lets you automatically sync them with…

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question