Solved

Exchange conversation ID

Posted on 2014-12-05
1
655 Views
Last Modified: 2014-12-18
Investigating someone accessing an email account on a server that should not have through OWA.

We are going through IIS logs and looking for some way to see what messages/attachments were actually viewed.

The URL when requesting an email from the server includes what looks like a "Conversation ID" in the query string. Here is an example:

Conversation&id=CID.9gq4HoS59kq4uLGqOoZ1PQ%3d%3d.LgAAAAC3c1JmG%2bFYSoBxC3ra8gZlAQBnA1LiUGSQQrdy0NrqgcKuAAAAWcycAAAB.vyIAAABZzJgAAAAAlQAAAAAAAAA%3d

Is there anyway to tie this back to an email, for example, by using MFCMAPI? There is a field called PR_CONVERSATION_ID in MFCMAPI but the values look like they are in a different format. Here is an example from this:

71BF97E6E112844187331BAEC0E238DF

Does anyone have any ideas?

Thanks
0
Comment
Question by:TechGuy_007
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
 
LVL 64

Accepted Solution

by:
btan earned 500 total points
ID: 40484062
this has good run through of the conversation id (or PR_CONVERSATION_INDEX which is 32 bytes) and use of "Conversation Index Parser" http://www.meridiandiscovery.com/how-to/e-mail-conversation-index-metadata-computer-forensics/
The index indicates the position of the message within a particular conversation. Note the '%' is the escape code char and the two characters following it are the Hex no of a font character. e.g. %3d is '=',  and %2b is a '+'. I did not drill further but they should be in Base64 or URL encoded. They then be converted to bytes and eventually to Hex. The link above mentioned further breakdown of those hex representation in each field (separated by the '.') within the conversation index hex string
 
Here is one use case for analysing the email trails
http://www.meridiandiscovery.com/articles/email-forgery-analysis-in-computer-forensics/
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this article I discuss my selections of the Top Four free Outlook OST File Viewers available. Open, view and read even damaged OST files by using these tools. They all provide a clear preview of all data such as emails, notes, tasks, calendars, e…
A couple of months ago we ran into an issue that necessitated re-creating our Edge Subscriptions. However, when we attempted to execute the command: New-EdgeSubscription -filename C:\NewEdgeSub_01.xml we received an error indicating that the LDAP se…
The basic steps you have just learned will be implemented in this video. The basic steps are shown to configure an Exchange DAG in a live working Exchange Server Environment and manage the same (Exchange Server 2010 Software is used in a Windows Ser…
This is my first video review of Microsoft Bookings, I will be doing a part two with a bit more information, but wanted to get this out to you folks.
Suggested Courses

617 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question