Did they view an email

I am not holding out to much hope on this, but as a long shot, a user (XP workstation, outlook 2003 software) had been granted (wrongly) delegate rights to a team mailbox, this user has viewed an email they shouldnt of (which became apparent during general office discussion), the user is claiming they didnt view that mailbox and that email, when the evidence suggests different. Is there any possible way to prove on their machine that they may of opened that email from their PC? Or is it impossible (I highly suspect they'll be no purpose set audit logs on that mailbox, but I wondered if on the PC itself there could be). We can prove they did have access to the mailbox via delegate rights using PFDavAdmin. At a bit of a loss as to where to ask forensics to start looking, or whether to invest time/money in doing so.
LVL 3
pma111Asked:
Who is Participating?

Improve company productivity with a Business Account.Sign Up

x
 
dmarinenkoConnect With a Mentor Commented:
You can look at outlook on there computer.  Does the email show that it's been read?
0
 
dmarinenkoCommented:
Also you can look for certain exchange logins.  This article has some useful auditing information.  Unfortunatelya lot of it depends on what logging/auditing you may have had enabled a the time.
http://www.msexchange.org/tutorials/auditing-mailbox-access-exchange-system-manager-event-viewer.html
0
 
pma111Author Commented:
>>You can look at outlook on there computer.  Does the email show that it's been read?

How, please can you provide a screenshot on where you mean within outlook 03. The email will have already been opened by another user with delegate perms on the mailbox, but I cant see where for every users whose ever accessed that email where the evidence will be.
0
Improved Protection from Phishing Attacks

WatchGuard DNSWatch reduces malware infections by detecting and blocking malicious DNS requests, improving your ability to protect employees from phishing attacks. Learn more about our newest service included in Total Security Suite today!

 
pma111Author Commented:
There are 10 users with access to the mailbox.
0
 
pma111Author Commented:
Do you know the answer?
0
 
btanExec ConsultantCommented:
Not sure if this can help but there is some past EE discussion on this - not straightforward and I believe it is impossible to proof to that high confidence of user opening it email. The gathering artefact is still finding needle in haystack which may not eventually produce chain of evidence.

http://www.experts-exchange.com/Security/Digital_Forensics/Q_26334706.html
http://www.experts-exchange.com/Security/Digital_Forensics/Q_26334675.html
0
 
btanExec ConsultantCommented:
Exchange journeling is good to know for investigative purpose but to proof opening of email - may not be a fit ...but still thought of sharing since it is useful for forensic purpose
http://technet.microsoft.com/en-us/library/aa998649(EXCHG.80).aspx
http://technet.microsoft.com/en-us/library/bb124382(v=exchg.80).aspx
0
 
pma111Author Commented:
Thanks Breadtan, Is journalling turned on by default ?
0
 
btanConnect With a Mentor Exec ConsultantCommented:
I believe it is not enabled by default as it is quite intensive due to storage  archiving.  if interested, can find out how to enable per email box for user.
 http://technet.microsoft.com/en-us/library/bb124985.aspx
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.