Exchange conversation ID

Posted on 2014-12-05
Last Modified: 2014-12-18
Investigating someone accessing, through OWA, an email account on a server that they should not have.

We are going through IIS logs and looking for some way to see what messages/attachments were actually viewed.

The URL when requesting an email from the server includes what looks like a "Conversation ID" in the query string. Here is an example:

Conversation&id=CID.9gq4HoS59kq4uLGqOoZ1PQ%3d%3d.LgAAAAC3c1JmG%2bFYSoBxC3ra8gZlAQBnA1LiUGSQQrdy0NrqgcKuAAAAWcycAAAB.vyIAAABZzJgAAAAAlQAAAAAAAAA%3d

Is there any way to tie this back to an email, for example, by using MFCMAPI? There is a field called PR_CONVERSATION_ID in MFCMAPI but the values look like they are in a different format. Here is an example from this:

71BF97E6E112844187331BAEC0E238DF

Does anyone have any ideas?

Thanks
Question by:TechGuy_007
Accepted Solution by: btan
This has a good run-through of the conversation ID (or PR_CONVERSATION_INDEX, which is 32 bytes) and the use of the "Conversation Index Parser": http://www.meridiandiscovery.com/how-to/e-mail-conversation-index-metadata-computer-forensics/

The index indicates the position of the message within a particular conversation. Note that '%' is the escape code character and the two characters following it are the hex number of a font character, e.g. %3d is '=' and %2b is '+'. I did not drill further, but they should be Base64 or URL encoded. They can then be converted to bytes and eventually to hex. The link above gives a further breakdown of the hex representation of each field (separated by the '.') within the conversation index hex string.

Here is one use case for analysing the email trails
http://www.meridiandiscovery.com/articles/email-forgery-analysis-in-computer-forensics/
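
The decoding steps described in the answer (URL-unescape, split on '.', Base64 to bytes, bytes to hex), applied to the id from the question, as an added example that is not part of the original thread. Treating the leading "CID" as a literal tag is an assumption, and whether the 16-byte second field corresponds to the PR_CONVERSATION_ID shown in MFCMAPI has to be verified against the mailbox; the function names are hypothetical.

```python
import base64
import binascii
from urllib.parse import unquote

# Query-string fragment copied from the question's IIS log example.
SAMPLE = ("Conversation&id=CID.9gq4HoS59kq4uLGqOoZ1PQ%3d%3d."
          "LgAAAAC3c1JmG%2bFYSoBxC3ra8gZlAQBnA1LiUGSQQrdy0NrqgcKuAAAAWcycAAAB."
          "vyIAAABZzJgAAAAAlQAAAAAAAAA%3d")


def decode_owa_id(query: str) -> list[tuple[str, str]]:
    """Return (raw_field, uppercase_hex) for each '.'-separated field of id=."""
    _, found, value = query.partition("id=")
    if not found:
        raise ValueError("no id= parameter in query string")
    value = value.split("&", 1)[0]
    # unquote(), not unquote_plus(): a Base64 '+' must not become a space.
    fields = unquote(value).split(".")
    out = []
    for i, field in enumerate(fields):
        if i == 0 and field.isalpha():
            # Assumption: the leading "CID" is a literal type tag, not Base64.
            out.append((field, ""))
            continue
        padded = field + "=" * (-len(field) % 4)  # tolerate stripped padding
        try:
            raw = base64.b64decode(padded, validate=True)
        except binascii.Error:
            out.append((field, ""))  # not Base64; keep the text for review
            continue
        out.append((field, raw.hex().upper()))
    return out


def same_id(hex_a: str, hex_b: str) -> bool:
    """Compare two hex strings, ignoring case and embedded whitespace."""
    def norm(s: str) -> str:
        return "".join(s.split()).upper()
    return norm(hex_a) == norm(hex_b)


if __name__ == "__main__":
    for raw, hexed in decode_owa_id(SAMPLE):
        print(f"{len(hexed) // 2:3d} bytes  {hexed or raw}")
```

The second field decodes to 16 bytes, the same length as the 32-hex-digit value quoted from MFCMAPI, so `same_id` can compare the hex from each logged request against values exported from the mailbox.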