Exchange 2010 Rule-based Forwarded Email

Post Posted: Sep 10, 14 19:40

Hello Everyone,

I am working on a case where an ex-employee (the Exchange Admin) received some confidential emails after they had left their employer. I have checked the Exchange Message Tracking logs and have not found any email being sent to this individual. I have also checked the log’s ‘SOURCE’ field for the presence of ‘MAILBOXRULE’ (indicates an end-user created mailbox rule) and nothing.

I know that email can also be forwarded through two other methods:

1. Exchange administrator can create forwarding rules for mailboxes from Exchange itself.
2. Exchange administrators can create a transport rule to send copies of emails sent or received by certain users to another mailbox.

Does anyone know if Exchange records the sending of email via Transport rule and AD/Exchange level forwarding? If so, how is it recorded in the Message Tracking logs? Can these emails be identified through some other logs?

I will be speaking to the new Exchange Admin to see if these two rules are active. The problem with this is whether the rules have been deleted. The emails in question were sent 11 months ago.

The company is using Exchange 2010.

Thanks ahead of time.  


Re: Exchange 2010 Rule-based Forwarded Email

Post Posted: Sep 11, 14 12:23

I am not sure I can help, but I think understanding how you know the email was sent to them would be helpful. I assume it is implied that the email was sent to his personal address? If so, how do you know that?

Could it be as simple as someone telling him about the emails, or maybe he had credentials past the time of his employment to see email traffic?

Back-ups for the exchange system might be archived back that far.  


Re: Exchange 2010 Rule-based Forwarded Email

Post Posted: Sep 11, 14 21:12

Thank you for the reply. You are correct when you say understanding how the email was sent would be helpful. That is exactly what I am trying to figure out.

I know that the user's logon account had been disabled along with a password change. The other parties involved said they had no contact with the individual. All admin passwords were changed and a review of existing accounts was performed. No rogue accounts were found.

I have found some info regarding mail forwarding and Message Tracking logs. Mail sent by end-user created mailbox rules shows up in the Message Tracking logs as "MAILBOXRULE" in the SOURCE field.

Email that underwent some form of mail routing is identified as "ROUTING" in the SOURCE field.

Messages that are handled by the use of the alternateRecipient are identified by a "REDIRECT" event in the message tracking log.

Email sent by the transport rule can be identified in the Application event log, if and only if the system has been set to record transport rules.

Does anyone know what file contains Exchange rules and actions?  
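One way to triage exported MSGTRK*.LOG files for the SOURCE and event-id values listed above, as an added example that is not part of this thread: the parser reads the column names from the log's own "#Fields:" header, so the constructed sample below uses only a subset of Exchange 2010's columns; the internal domain, addresses and message IDs are made up.

```python
import csv

# Constructed sample in the Exchange 2010 message tracking log layout. The
# field names are the ones Exchange uses; the rows, domain and addresses are
# invented for this example (an internal user forwarding to an outside address).
SAMPLE_LOG = """\
#Software: Microsoft Exchange Server
#Log-type: Message Tracking Log
#Fields: date-time,source,event-id,message-id,recipient-address,related-recipient-address,message-subject,sender-address
2014-09-10T08:01:02.000Z,STOREDRIVER,RECEIVE,<m1@corp.example>,cfo@corp.example,,Q3 numbers,ceo@corp.example
2014-09-10T08:01:03.000Z,MAILBOXRULE,SEND,<m1@corp.example>,exadmin@personal.example,,Q3 numbers,cfo@corp.example
2014-09-10T08:02:00.000Z,ROUTING,REDIRECT,<m2@corp.example>,exadmin@personal.example,legal@corp.example,"Contract, draft",partner@vendor.example
2014-09-10T08:03:00.000Z,SMTP,SEND,<m3@corp.example>,client@customer.example,,Invoice,sales@corp.example
"""

# Indicators named in the thread: rule-driven sources and the alternateRecipient event.
SUSPECT_SOURCES = {"MAILBOXRULE", "ROUTING"}
SUSPECT_EVENTS = {"REDIRECT"}


def parse_tracking_log(text):
    """Yield one dict per data row, taking column names from the '#Fields:' header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
            continue
        if not line or line.startswith("#"):
            continue  # other header lines (#Software, #Date, ...)
        if fields is None:
            raise ValueError("data row seen before the #Fields header")
        values = next(csv.reader([line]))  # csv handles quoted subjects containing commas
        yield dict(zip(fields, values))


def find_rule_forwards(text, internal_domain):
    """Return rows matching a rule/redirect indicator whose recipient is outside internal_domain."""
    hits = []
    for row in parse_tracking_log(text):
        by_rule = row.get("source") in SUSPECT_SOURCES or row.get("event-id") in SUSPECT_EVENTS
        external = not row.get("recipient-address", "").lower().endswith("@" + internal_domain.lower())
        if by_rule and external:
            hits.append(row)
    return hits


if __name__ == "__main__":
    for hit in find_rule_forwards(SAMPLE_LOG, "corp.example"):
        print(hit["date-time"], hit["source"], hit["event-id"],
              hit["sender-address"], "->", hit["recipient-address"],
              "(originally", hit["related-recipient-address"] or "n/a", ")")
```

The related-recipient-address column is worth keeping in the output: for a REDIRECT row it preserves the mailbox the message was originally addressed to before the alternateRecipient took effect.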
