Comments on Hacking Exposed Computer Forensics Blog: Using OWA logs to make your Civil Case

David Cowen (2011-01-05 16:29):
The links should still work; if they don't, let me know and I'll fix them.

Jake (2010-12-23 01:10):
Hello,
I have this exact issue and there is an admin that continues to change user account permissions, has convinced a new manager we have that turning on "Exchange 2007 SP2" mailbox auditing causes issues on our Exchange server, and we know he is reading email. I started searching through the IIS logs and it is extremely hard, as you know. Is the log parser exe still available, or even the raw code if you could tell me how to run it? It seems like a tool like this for OWA specifically to show these results would be well in demand and also easy to find; your site (which I read all the time) is the only one where I have seen this, though.

David Cowen (2009-03-11 14:10):
I think there is a difference, though I cannot at the moment prove it is different, between the internal Exchange EDB objectid id and the message id that Outlook creates inside of the PST.

If there is a similar API for accessing an individual object from an EDB or running Exchange server by object id, then that should work.
I have not found such a library exposed, but that does not mean it does not exist, since tools such as Ontrack Powercontrols, Paraben Network Email Examiner and Quest Recovery Manager for Exchange all seem to be making use of something like that to operate with the EDB file without the Exchange server running.

Anonymous (2009-03-11 09:55):
Thanks for the interesting case, OWA documentation, and replay analysis.

In your example:
" /exchange/USA/Attach/read.asp?obj=000000007C6A5AC4439BD948B2EDEC2B4701083907007DC649E6901ED711982E0002B3A2389C000000C0411400007DC649E6901ED711982E0002B3A2389C0000013340B20000&att=ATT-0-C9D9D5C63632DD439C1AF3C6A4B4AF8A-TOD9D1%7E1.PPT"

If the obj= string recorded by the OWA log is the email message id, then I can imagine an alternate technique (depending on coding experience), which could be to harvest the mailbox(s) from the Exchange backup tapes and search them using the Outlook Redemption API to locate email message ids of interest....