Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Exchange conversation ID

Posted on 2014-12-05
1
Medium Priority
?
750 Views
Last Modified: 2014-12-18
Investigating someone accessing an email account on a server that should not have through OWA.

We are going through IIS logs and looking for some way to see what messages/attachments were actually viewed.

The URL when requesting an email from the server includes what looks like a "Conversation ID" in the query string. Here is an example:

Conversation&id=CID.9gq4HoS59kq4uLGqOoZ1PQ%3d%3d.LgAAAAC3c1JmG%2bFYSoBxC3ra8gZlAQBnA1LiUGSQQrdy0NrqgcKuAAAAWcycAAAB.vyIAAABZzJgAAAAAlQAAAAAAAAA%3d

Is there anyway to tie this back to an email, for example, by using MFCMAPI? There is a field called PR_CONVERSATION_ID in MFCMAPI but the values look like they are in a different format. Here is an example from this:

71BF97E6E112844187331BAEC0E238DF

Does anyone have any ideas?

Thanks
0
Comment
Question by:TechGuy_007
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
 
LVL 65

Accepted Solution

by:
btan earned 2000 total points
ID: 40484062
this has good run through of the conversation id (or PR_CONVERSATION_INDEX which is 32 bytes) and use of "Conversation Index Parser" http://www.meridiandiscovery.com/how-to/e-mail-conversation-index-metadata-computer-forensics/
The index indicates the position of the message within a particular conversation. Note the '%' is the escape code char and the two characters following it are the Hex no of a font character. e.g. %3d is '=',  and %2b is a '+'. I did not drill further but they should be in Base64 or URL encoded. They then be converted to bytes and eventually to Hex. The link above mentioned further breakdown of those hex representation in each field (separated by the '.') within the conversation index hex string
 
Here is one use case for analysing the email trails
http://www.meridiandiscovery.com/articles/email-forgery-analysis-in-computer-forensics/
0

Featured Post

Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Outlook for dependable use in a very small business   This article is about using the Outlook application (part of Microsoft Office) in a very small business, or for homeowners where dependability and reliability are critical requirements. This …
New style of hardware planning for Microsoft Exchange server.
The basic steps you have just learned will be implemented in this video. The basic steps are shown to configure an Exchange DAG in a live working Exchange Server Environment and manage the same (Exchange Server 2010 Software is used in a Windows Ser…
To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…
Suggested Courses

664 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question