Outlook 2003

(@secret_squirrel)
Posts: 38
Eminent Member
Topic starter
 

Hi Everyone,

Standard disclaimer: I am not looking for someone to tell me how it's done; I would be happy with a point in the right direction. I don't mind reading.

With that being said, I have a hard drive that I need to find evidence of deleted email on.

Email client is Outlook 2003. No local archives. No .pst's or .ost's.

Is there anything else I should be looking for?

From the Exchange side (server), I have all the emails this person deleted (didn't clear the trash 😉). Approx. 2000 deleted emails, all about 1 hour after the user was aware of the investigation (nice, huh).

So, I could say that chances are that this was everything, since the user did not keep his inbox up to date. But……

Any push in the right direction would be great!

Thanks everyone!

-ss

CHFI/ SnortCP

 
Posted : 25/05/2007 9:38 pm
(@bithead)
Posts: 1206
Noble Member
 

I am surprised Outlook was not installed in Cached mode. But if you are already examining the EDB files, what more are you looking to find? Something on the computer rather than on the server?

NTUSER.DAT will give you things like the account password (which you probably already have if you have the Exchange Server) and the Outlook Attachment Directory (if you needed to show where files were saved), but that would provide you with some correlation.

 
Posted : 25/05/2007 11:14 pm
(@secret_squirrel)
Posts: 38
Eminent Member
Topic starter
 

I will check to see if the client was installed in cached mode.

This is not an agency that I normally deal with and I am not as familiar with their software standards.

I have a great deal of evidence from the server, but if there is anything on the pc I want it also.

Doesn't hurt to be thorough in this field. -)

 
Posted : 28/05/2007 6:25 pm
(@bithead)
Posts: 1206
Noble Member
 

Cached Mode is the default installation for Outlook connected to an Exchange server. However, if there is no PST file and Outlook was set up as Cached, then you have some obvious destruction. It is always interesting to compare the server copy to the PC copy of the message store.

Also, you might want to examine the Exchange server to see if Volume Shadow Copy was implemented (only in Exchange 2003 SP1 on Server 2003 or later). This would give you a quick way to mount the databases and transaction log files at various points in history. Exchange 2003 has a separate storage group that can be used to recover a database. You mount the recovered database using this storage group and Exchange lets you access it using the Exmerge tool.

Exchange 2000 requires you to install a separate recovery server for recovering a mailbox or a single item from a backed up database, so it is not quite as quick and may make you consider a dedicated Network Mail forensic tool.

 
Posted : 28/05/2007 7:14 pm
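The server-versus-PC comparison suggested above, as an added example that is not part of the thread: given Message-IDs recovered from the server's Deleted Items (with deletion times) and Message-IDs found in the PC-side store, it lists what exists only on one side and which deletions cluster in a window after the user became aware of the investigation. All identifiers, timestamps and the reference time are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the thread). Deleted Items as exported from
# the Exchange side: (Message-ID, deletion time). Times are invented.
SERVER_DELETED = [
    ("<a1@corp.example>", datetime(2007, 5, 18, 9, 12)),
    ("<b2@corp.example>", datetime(2007, 5, 20, 15, 3)),
    ("<c3@corp.example>", datetime(2007, 5, 20, 15, 4)),
    ("<d4@corp.example>", datetime(2007, 5, 20, 15, 6)),
    ("<e5@corp.example>", datetime(2007, 5, 21, 8, 30)),
]
# Message-IDs still present in the PC-side copy of the store (constructed).
CLIENT_STORE = ["<a1@corp.example>", "<e5@corp.example>", "<f6@corp.example>"]
# Assumed moment the user learned of the investigation (constructed).
AWARE_AT = datetime(2007, 5, 20, 14, 0)


def compare_stores(server_ids, client_ids):
    """Set comparison of the two stores keyed on Message-ID.

    server_only: deleted on the server and gone from the PC copy too.
    client_only: present locally but not in the server's deleted set
                 (e.g. still live on the server, or only ever local).
    """
    server, client = set(server_ids), set(client_ids)
    return {
        "server_only": sorted(server - client),
        "client_only": sorted(client - server),
        "in_both": sorted(server & client),
    }


def deletion_burst(deleted, reference, window=timedelta(hours=2)):
    """Message-IDs whose deletion time falls within `window` after `reference`."""
    return [mid for mid, ts in deleted if reference <= ts <= reference + window]


def report(server_deleted, client_ids, reference):
    """Combine the store comparison with the post-awareness deletion cluster."""
    result = compare_stores([mid for mid, _ in server_deleted], client_ids)
    result["burst_after_reference"] = deletion_burst(server_deleted, reference)
    return result


if __name__ == "__main__":
    for key, ids in report(SERVER_DELETED, CLIENT_STORE, AWARE_AT).items():
        print(f"{key}: {len(ids)} -> {ids}")
```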
(@secret_squirrel)
Posts: 38
Eminent Member
Topic starter
 

Hey thanks BitHead!

Exchange 2000 is the flavor.

I am going to go ahead and request the hard drive.

A Network Email Forensic Tool?
Could you elaborate a little more?

TIA

-ss

 
Posted : 29/05/2007 6:09 am
(@bithead)
Posts: 1206
Noble Member
 

Network E-Mail tools allow you to look at an entire message store or just part of one without having to restore the entire store.

Check out
network e-mail examiner from Paraben
and
fbi from nuix

 
Posted : 29/05/2007 6:33 am
DoDForensics
(@dodforensics)
Posts: 16
Active Member
 

I've found that both email tools from Paraben are top notch. They are my favorite when dealing with either local or network email issues.

 
Posted : 29/05/2007 8:22 pm
(@secret_squirrel)
Posts: 38
Eminent Member
Topic starter
 

Thanks Bit, thanks DoD.

They look very promising.
I like the fbi screencasts.

I will be at Gartner Security and GCON next week and I am hoping to see these and other 'e-discovery' (sounds like a bad word) solutions.

It does look like there will be too many forensic focused vendors there but 'e-discovery' is sure to be a big topic this year.

Thanks again for the help!

 
Posted : 30/05/2007 7:17 am