A Log for Outlook and Changes????


DataInvestigator2
Member
 

A Log for Outlook and Changes????

Post Posted: Nov 18, 05 02:52

I just took on a case which primarily involves Outlook. A former employee who had administrative rights apparently added a fictitious name to the "global" (internal) email address, to receive future email at his home. Easy to see what messages went to him... but is there a log that may identify him adding the name and when it was done?
 
  

arashiryu
Senior Member
 

Re: A Log for Outlook and Changes????

Post Posted: Nov 18, 05 19:17

I am assuming you have an Active Directory and Exchange Server environment.

Was he a member of Domain Admins or an Exchange administrator group? If yes, good luck unless you had controls and auditing in place to monitor the activity of administrative accounts.

Possible places to look:
1) Exchange server. Look at the event logs.
2) Active Directory logs if you have any kind of auditing in place. See what domain controller he authenticated against and search the event logs on the domain controller.
3) Usually you can right click on the object (mailbox, user acct etc.) and get the create and modified date and time. Use that date and time to construct your search criteria for the event logs.

A good tool to search through event logs is EventComb. It is free, flexible and very powerful.
 
  

fatrabbit
Senior Member
 

Re: A Log for Outlook and Changes????

Post Posted: Nov 18, 05 21:27

What I think you are looking for is a contact object in the Active Directory which is mail enabled and is the object that links to the external e-mail address. This, as arashiryu points out, will give you the object creation date/time with which you can cross reference the event logs. The name that appears in the global address list will be the name of the contact object you are looking for in the Active Directory. There should also be a mailbox created for this contact on the Exchange Server, so you can use this object's creation date to cross reference any Exchange event logs.
_________________
fatrabbit 
 
  

DataInvestigator2
Member
 

Re: A Log for Outlook and Changes????

Post Posted: Nov 18, 05 23:55

Suggestions are good, I have been going through the event logs and also trying to determine if he is still accessing the network through the VPN. This guy used to work for MS and knows networking, but logs appear intact. One problem I'm having is viewing the .pst file. I have used EnCase, FTK, MailNavigator, and Outlook; each time I get an error reporting that it's "not a personal mail folder" or "improper file". I'm going to try to image the server again on Saturday, this time making sure the backup is off; I think it interrupted the imaging (never got verification, however the files all appear to be there).
 
  

arashiryu
Senior Member
 

Re: A Log for Outlook and Changes????

Post Posted: Nov 19, 05 01:59

Run Inbox repair tool (repair utility) on the *.pst. I believe it is called scanpst.exe. Might have to download it. Used to come as part of OS.

Check Firewall logs and also if you have a VPN concentrator, check the logs there.  
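
The "not a personal mail folder" error discussed in this thread can be narrowed down before any repair attempt by inspecting the PST header on a working copy of the file. The following is an added example, not code posted by anyone in the thread; the field names and offsets follow Microsoft's published [MS-PST] header layout, the function names are hypothetical, and the sample header is constructed.

```python
import struct
import zlib

HEADER_LEN = 8 + 471  # dwMagic + dwCRCPartial, then the 471 bytes that CRC covers

def pst_crc(data: bytes) -> int:
    """CRC-32 as [MS-PST] computes it: standard table, seed 0, no final inversion."""
    return zlib.crc32(data, 0xFFFFFFFF) ^ 0xFFFFFFFF

def pst_format(version: int):
    """Map wVer to the PST flavour, or None if the value is not a valid wVer."""
    if version in (14, 15):
        return "ANSI"
    return "Unicode" if version >= 23 else None

def check_pst_header(buf: bytes) -> list:
    """Return the problems found in the first bytes of a PST; empty list means sane."""
    if len(buf) < HEADER_LEN:
        return [f"only {len(buf)} bytes, header needs {HEADER_LEN} (truncated copy?)"]
    if not any(buf[:HEADER_LEN]):
        return ["header is all zero bytes (region never written during imaging?)"]
    problems = []
    magic, crc_stored = struct.unpack_from("<4sI", buf, 0)
    client, version = struct.unpack_from("<2sH", buf, 8)
    if magic != b"!BDN":
        problems.append(f"dwMagic is {magic!r}, expected b'!BDN'")
    if client != b"SM":
        problems.append(f"wMagicClient is {client!r}, expected b'SM' for a PST")
    if pst_format(version) is None:
        problems.append(f"wVer {version} is not a valid PST format version")
    crc_actual = pst_crc(buf[8:HEADER_LEN])
    if crc_actual != crc_stored:
        problems.append(f"dwCRCPartial mismatch: stored {crc_stored:#010x}, "
                        f"computed {crc_actual:#010x}")
    return problems

def make_sample_header(version: int = 23) -> bytes:
    """Constructed sample: valid magic, version and CRC, all other fields zeroed."""
    body = b"SM" + struct.pack("<H", version) + bytes(471 - 4)
    return b"!BDN" + struct.pack("<I", pst_crc(body)) + body

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:  # point this at a working copy of the .pst
            data = fh.read(HEADER_LEN)
    else:
        data = make_sample_header()
    for line in check_pst_header(data) or ["header looks like a valid PST"]:
        print(line)
```

A wrong `dwMagic` or an all-zero header points at the acquisition (for example an imaging run that was interrupted), while a correct magic with a CRC mismatch points at damage inside the file itself.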
 
