Solved

Exchange conversation ID

Posted on 2014-12-05
1
458 Views
Last Modified: 2014-12-18
Investigating someone accessing an email account on a server that should not have through OWA.

We are going through IIS logs and looking for some way to see what messages/attachments were actually viewed.

The URL when requesting an email from the server includes what looks like a "Conversation ID" in the query string. Here is an example:

Conversation&id=CID.9gq4HoS59kq4uLGqOoZ1PQ%3d%3d.LgAAAAC3c1JmG%2bFYSoBxC3ra8gZlAQBnA1LiUGSQQrdy0NrqgcKuAAAAWcycAAAB.vyIAAABZzJgAAAAAlQAAAAAAAAA%3d

Is there anyway to tie this back to an email, for example, by using MFCMAPI? There is a field called PR_CONVERSATION_ID in MFCMAPI but the values look like they are in a different format. Here is an example from this:

71BF97E6E112844187331BAEC0E238DF

Does anyone have any ideas?

Thanks
0
Comment
Question by:TechGuy_007
1 Comment
 
LVL 61

Accepted Solution

by:
btan earned 500 total points
Comment Utility
this has good run through of the conversation id (or PR_CONVERSATION_INDEX which is 32 bytes) and use of "Conversation Index Parser" http://www.meridiandiscovery.com/how-to/e-mail-conversation-index-metadata-computer-forensics/
The index indicates the position of the message within a particular conversation. Note the '%' is the escape code char and the two characters following it are the Hex no of a font character. e.g. %3d is '=',  and %2b is a '+'. I did not drill further but they should be in Base64 or URL encoded. They then be converted to bytes and eventually to Hex. The link above mentioned further breakdown of those hex representation in each field (separated by the '.') within the conversation index hex string
 
Here is one use case for analysing the email trails
http://www.meridiandiscovery.com/articles/email-forgery-analysis-in-computer-forensics/
0

Featured Post

Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

Join & Write a Comment

Find out how to use Active Directory data for email signature management in Microsoft Exchange and Office 365.
Scam emails are a huge burden for many businesses. Spotting one is not always easy. Follow our tips to identify if an email you receive is a scam.
To show how to generate a certificate request in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.:  First we need to log into the Exchange Admin Center. Navigate to the Servers >> Certificates…
This Experts Exchange video Micro Tutorial shows how to tell Microsoft Office that a word is NOT spelled correctly. Microsoft Office has a built-in, main dictionary that is shared by Office apps, including Excel, Outlook, PowerPoint, and Word. When …

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now