
A Log for Outlook and Changes????

(@datainvestigator2)
Posts: 10
Active Member
Topic starter
 

I just took on a case which primarily involves Outlook. A former employee who had administrative rights apparently added a fictitious name to the "global" (internal) email address, to receive future email at his home. Easy to see what messages went to him... but is there a log that may identify him adding the name and when it was done?

 
Posted : 18/11/2005 1:52 am
arashiryu
(@arashiryu)
Posts: 122
Estimable Member
 

I am assuming you have an Active Directory and Exchange Server environment.

Was he a member of the Domain Admins or an Exchange administrator group? If yes, good luck unless you had controls and auditing in place to monitor the activity of administrative accounts.

Possible places to look:
1) Exchange server. Look at the event logs.
2) Active Directory logs if you have any kind of auditing in place. See what domain controller he authenticated against and search the event logs on the domain controller.
3) Usually you can right click on the object (mailbox, user acct, etc.) and get the create and modified date and time. Use that date and time to construct your search criteria for the event logs.

A good tool to search through event logs is EventComb. It is free, flexible and very powerful.

 
Posted : 18/11/2005 6:17 pm
(@fatrabbit)
Posts: 132
Estimable Member
 

What I think you are looking for is a contact object in the Active Directory which is mail enabled and is the object that links to the external e-mail address. This, as arashiryu points out, will give you the object creation date/time with which you can cross reference the event logs. The name that appears in the global address list will be the name of the contact object you are looking for in the Active Directory. There should also be a mailbox created for this contact on the Exchange Server, so you can use this object's creation date to cross reference any Exchange event logs.

 
Posted : 18/11/2005 8:27 pm
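
The cross-referencing suggested in the two replies above, as an added example (not code from anyone in this thread): it takes the `whenCreated`/`whenChanged` stamps of mail-enabled contact objects and pulls the event log entries recorded around them. It assumes the contacts were exported as simple ldifde-style LDIF (no folded or base64 lines) and the event logs as CSV in UTC; every name, address, CSV column and log line below is constructed.

```python
import csv, io
from datetime import datetime, timedelta, timezone

# Constructed sample: ldifde-style export of two AD contact objects.
LDIF = """\
dn: CN=J Smith,OU=Contacts,DC=example,DC=local
objectClass: contact
targetAddress: SMTP:jsmith@external.example
whenCreated: 20051102143015.0Z
whenChanged: 20051102143122.0Z

dn: CN=Vendor Desk,OU=Contacts,DC=example,DC=local
objectClass: contact
whenCreated: 20040310090000.0Z
whenChanged: 20040310090000.0Z
"""
# Constructed sample: event log entries exported to CSV (hypothetical columns, UTC).
EVENTS = """\
time,computer,account,message
2005-11-02T09:01:10Z,DC01,jdoe,Successful logon
2005-11-02T14:28:55Z,DC01,formeradmin,Successful logon
2005-11-02T14:30:20Z,DC01,formeradmin,Directory object created
2005-11-03T08:00:00Z,EXCH01,backupsvc,Backup started
"""

def parse_ldif(text):
    """One dict per LDIF entry; for repeated attributes the last value wins."""
    return [dict(line.split(": ", 1) for line in block.splitlines())
            for block in text.strip().split("\n\n")]

def ad_time(value):
    """Convert AD generalized time (YYYYMMDDHHMMSS.0Z) to an aware UTC datetime."""
    return datetime.strptime(value[:14], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def mail_enabled_contacts(entries):
    """Contacts that carry targetAddress, i.e. deliver to an external address."""
    return [e for e in entries if e.get("objectClass") == "contact" and "targetAddress" in e]

def events_near(contact, events_csv, window_minutes=15):
    """Event rows logged within the window around whenCreated or whenChanged."""
    stamps = [ad_time(contact[k]) for k in ("whenCreated", "whenChanged")]
    window = timedelta(minutes=window_minutes)
    hits = []
    for row in csv.DictReader(io.StringIO(events_csv)):
        t = datetime.strptime(row["time"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if any(abs(t - s) <= window for s in stamps):
            hits.append(row)
    return hits
```

Active Directory stores `whenCreated` in UTC, so event log exports written in local time need converting before the comparison.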
(@datainvestigator2)
Posts: 10
Active Member
Topic starter
 

Suggestions are good. I have been going through the event logs and also trying to determine if he is still accessing the network through the VPN. This guy used to work for MS and knows networking, but logs appear intact. One problem I'm having is viewing the .pst file. I have used EnCase, FTK, MailNavigator, and Outlook; each time I get an error reporting that it's "not a personal mail folder" or "improper file". I'm going to try to image the server again on Saturday, this time making sure the backup is off; I think it interrupted the imaging (never got verification, however the files all appear to be there).

 
Posted : 18/11/2005 10:55 pm
arashiryu
(@arashiryu)
Posts: 122
Estimable Member
 

Run the Inbox Repair Tool (repair utility) on the *.pst. I believe it is called scanpst.exe. Might have to download it. Used to come as part of the OS.

Check Firewall logs and also if you have a VPN concentrator, check the logs there.

 
Posted : 19/11/2005 12:59 am