Solved

Exchange conversation ID

Posted on 2014-12-05
1
623 Views
Last Modified: 2014-12-18
Investigating someone accessing an email account on a server that should not have through OWA.

We are going through IIS logs and looking for some way to see what messages/attachments were actually viewed.

The URL when requesting an email from the server includes what looks like a "Conversation ID" in the query string. Here is an example:

Conversation&id=CID.9gq4HoS59kq4uLGqOoZ1PQ%3d%3d.LgAAAAC3c1JmG%2bFYSoBxC3ra8gZlAQBnA1LiUGSQQrdy0NrqgcKuAAAAWcycAAAB.vyIAAABZzJgAAAAAlQAAAAAAAAA%3d

Is there anyway to tie this back to an email, for example, by using MFCMAPI? There is a field called PR_CONVERSATION_ID in MFCMAPI but the values look like they are in a different format. Here is an example from this:

71BF97E6E112844187331BAEC0E238DF

Does anyone have any ideas?

Thanks
0
Comment
Question by:TechGuy_007
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
 
LVL 64

Accepted Solution

by:
btan earned 500 total points
ID: 40484062
this has good run through of the conversation id (or PR_CONVERSATION_INDEX which is 32 bytes) and use of "Conversation Index Parser" http://www.meridiandiscovery.com/how-to/e-mail-conversation-index-metadata-computer-forensics/
The index indicates the position of the message within a particular conversation. Note the '%' is the escape code char and the two characters following it are the Hex no of a font character. e.g. %3d is '=',  and %2b is a '+'. I did not drill further but they should be in Base64 or URL encoded. They then be converted to bytes and eventually to Hex. The link above mentioned further breakdown of those hex representation in each field (separated by the '.') within the conversation index hex string
 
Here is one use case for analysing the email trails
http://www.meridiandiscovery.com/articles/email-forgery-analysis-in-computer-forensics/
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Large Outlook files lead to various unwanted errors and corruption issues. Furthermore, large outlook files can also make Outlook take longer to start-up, search, navigate, and shut-down. So, In this article, i will discuss a method to make your Out…
Many people use more than one email account and so it becomes difficult for them to manage them when they use separate accounts,  so, in this article, I have shared an easy way to add Other Mail Accounts in your Google Inbox. It helps to combine all…
The basic steps you have just learned will be implemented in this video. The basic steps are shown to configure an Exchange DAG in a live working Exchange Server Environment and manage the same (Exchange Server 2010 Software is used in a Windows Ser…
Many of my clients call in with monstrous Gmail overloading issues with Outlook. A quick tip is to turn off the All Mail and Important folders from synching. Here is a quick video I made to show you how to turn off these and other folders in Gmail s…

729 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question