<div>
<div class="content wysiwyg-content">
Investigating someone accessing an email account on a server that should not have through OWA. 
 
We are going through IIS logs and looking for some way to see what messages/attachments were actually viewed. 
 
The URL when requesting an email from the server includes what looks like a &quot;Conversation ID&quot; in the query string. Here is an example: 
 
Conversation&amp;id=CID.9gq4HoS59kq4uLGqOoZ1PQ%3d%3d.LgAAAAC3c1JmG%2bFYSoBxC3ra8gZlAQBnA1LiUGSQQrdy0NrqgcKuAAAAWcycAAAB.vyIAAABZzJgAAAAAlQAAAAAAAAA%3d 
 
Is there anyway to tie this back to an email, for example, by using MFCMAPI? There is a field called PR_CONVERSATION_ID in MFCMAPI but the values look like they are in a different format. Here is an example from this: 
 
71BF97E6E112844187331BAEC0E238DF 
 
Does anyone have any ideas? 
 
Thanks
</div>
</div>

Investigating someone accessing an email account on a server that should not have through OWA. 

We are going through IIS logs and looking for some way to see what messages/attachments were actually viewed. 

The URL when requesting an email from the server includes what looks like a "Conversation ID" in the query string. Here is an example:

Conversation&id=CID.9gq4HoS59kq4uLGqOoZ1PQ%3d%3d.LgAAAAC3c1JmG%2bFYSoBxC3ra8gZlAQBnA1LiUGSQQrdy0NrqgcKuAAAAWcycAAAB.vyIAAABZzJgAAAAAlQAAAAAAAAA%3d

Is there anyway to tie this back to an email, for example, by using MFCMAPI? There is a field called PR_CONVERSATION_ID in MFCMAPI but the values look like they are in a different format. Here is an example from this: 

71BF97E6E112844187331BAEC0E238DF

Does anyone have any ideas?

Thanks

Exchange conversation ID

Digital forensics encompasses the recovery and investigation of material found in digital devices, often in relation to computer crime. Digital forensics investigations have a variety of applications. The most common is to support or refute a hypothesis before criminal or civil (as part of the electronic discovery process) courts. The technical aspect of an investigation is divided into several sub-branches, relating to the type of digital devices involved; computer forensics, network forensics, forensic data analysis and mobile device forensics. The typical forensic process encompasses the seizure, forensic imaging (acquisition) and analysis of digital media and the production of a report into collected evidence.

Digital Forensics

Exchange is the server side of a collaborative application product that is part of the Microsoft Server infrastructure. Exchange's major features include email, calendaring, contacts and tasks, support for mobile and web-based access to information, and support for data storage.

Exchange

Microsoft Outlook is a personal information manager from Microsoft, available as a part of the Microsoft Office suite. Although often used mainly as an email application, it also includes a calendar, task manager, contact manager, note-taker, journal, and web browser.