
Using OWA logs to make your civil case

Hello Readers,

I will not be talking about OWA every time.

In our prior time together we discussed parsing OWA logs to determine who has been accessing someone else's account. For a criminal prosecution (unauthorized access) or an internal investigation this might be enough, but for a matter in the civil court system you need to show that the information accessed, and the time it was accessed, corresponds to some claim such as tortious interference.

The same OWA logs we looked at last time will allow you to do this, with some caveats. When you see a single entry for access to an item such as:

" /exchange/USA/Attach/read.asp?obj=000000007C6A5AC4439BD948B2EDEC2B4701083907007DC649E6901ED711982E0002B3A2389C000000C0411400007DC649E6901ED711982E0002B3A2389C0000013340B20000&att=ATT-0-C9D9D5C63632DD439C1AF3C6A4B4AF8A-TOD9D1%7E1.PPT"

This is a request to open an email attachment; the obj value shown in the query is the unique identifier of the item within the Exchange database. This means that if you replay that URL while, and this is important, logged in as that user, you will bring up the exact same message that was viewed at that time (if it has not been deleted). If you attempt to access this object while logged in as any other user, access is denied, even if you log in as the administrator. If you want to make sure the messages still exist (meaning they were not deleted), restore the Exchange server from a backup tape covering the time period in which the message was viewed and replay the URL against the restored server.

The following ASP pages can be called by an OWA user, according to about two years' worth of logs from one case I worked:

/exchange/USA/LogonFrm.asp
/exchange/USA/root.asp
/exchange/USA/Navbar/nbInbox.asp
/exchange/USA/inbox/main_fr.asp
/exchange/USA/inbox/peerfldr.asp
/exchange/USA/inbox/title.asp
/exchange/USA/inbox/messages.asp
/exchange/USA/inbox/commands.asp
/exchange/USA/forms/IPM/NOTE/frmRoot.asp
/exchange/USA/forms/IPM/NOTE/read.asp
/exchange/USA/logoff.asp
/exchange/USA/Attach/read.asp
/exchange/USA/logon.asp
/exchange/USA/forms/IPM/NOTE/commands.asp
/exchange/USA/forms/IPM/NOTE/cmpTitle.asp
/exchange/USA/forms/IPM/NOTE/cmpMsg.asp
/exchange/USA/errinbox.asp
/exchange/USA/forms/IPM/SCHEDULE/MEETING/RESP/frmRoot.asp
/exchange/USA/forms/IPM/SCHEDULE/MEETING/RESP/read.asp
/exchange/USA/forms/IPM/SCHEDULE/MEETING/RESP/commands.asp
/exchange/USA/options/set.asp
/exchange/USA/calendar/main_fr.asp
/exchange/USA/calendar/title.asp
/exchange/USA/calendar/events.asp
/exchange/USA/calendar/appts.asp
/exchange/USA/calendar/pick.asp
/exchange/USA/forms/IPM/SCHEDULE/MEETING/REQUEST/frmRoot.asp
/exchange/USA/forms/IPM/SCHEDULE/MEETING/REQUEST/mrread.asp
/exchange/USA/forms/IPM/SCHEDULE/MEETING/REQUEST/commands.asp
/exchange/USA/contacts/main_fr.asp
/exchange/USA/contacts/title.asp
/exchange/USA/contacts/peerfldr.asp
/exchange/USA/contacts/messages.asp
/exchange/USA/contacts/commands.asp
/exchange/USA/finduser/root.asp
/exchange/USA/finduser/fumid.asp
/exchange/USA/finduser/fumsgdef.asp
/exchange/USA/finduser/fumsg.asp
/exchange/USA/finduser/details.asp
/exchange/USA/forms/REPORT/DR/frmRoot.asp
/exchange/USA/tshoot.asp


Of these we care about the following:

/exchange/USA/LogonFrm.asp - a user logging in
/exchange/USA/forms/IPM/NOTE/read.asp - a user requesting to read a specific message
/exchange/USA/Attach/read.asp - a user opening an attachment
/exchange/USA/forms/IPM/NOTE/cmpMsg.asp - a user composing a new message
/exchange/USA/forms/IPM/SCHEDULE/MEETING/REQUEST/mrread.asp - a user reading a meeting request

If you parse out just these requests, grouped by the logged-in user, you can see which specific emails, meetings, and attachments a webmail user viewed, created, or sent through OWA and the time at which they did so. Using these times and matching the IP address to the suspect, you can tie the information accessed to the time it was accessed and to the benefit they received by having that information at that time.
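One way to do that reduction, as an added example that is not the post's own parser: the script below reads a constructed IIS W3C extended log fragment (the field layout is taken from its #Fields: header; the usernames, IP addresses and obj/att values are made up) and keeps only the five pages listed above, tagged with user, source IP, time and the item identifiers from the query.

```python
from urllib.parse import parse_qs
# Constructed sample of an IIS W3C extended log from an OWA front end (not a log
# from the case in the post); the field layout comes from the #Fields: header.
SAMPLE_LOG = """#Fields: date time c-ip cs-username cs-method cs-uri-stem cs-uri-query sc-status
2006-03-01 08:02:11 10.1.1.50 CORP\\bes_admin GET /exchange/USA/LogonFrm.asp - 200
2006-03-01 08:02:40 10.1.1.50 CORP\\bes_admin GET /exchange/USA/inbox/messages.asp - 200
2006-03-01 08:03:05 10.1.1.50 CORP\\bes_admin GET /exchange/USA/forms/IPM/NOTE/read.asp obj=AAAA1111 200
2006-03-01 08:03:30 10.1.1.50 CORP\\bes_admin GET /exchange/USA/Attach/read.asp obj=AAAA1111&att=ATT-0-B2C3-BID%7E1.PPT 200
2006-03-01 08:05:00 10.1.1.50 CORP\\bes_admin GET /exchange/USA/forms/IPM/SCHEDULE/MEETING/REQUEST/mrread.asp obj=BBBB2222 200
2006-03-01 09:10:00 192.0.2.7 CORP\\jdoe GET /exchange/USA/forms/IPM/NOTE/cmpMsg.asp - 200
2006-03-01 09:11:00 192.0.2.7 CORP\\jdoe GET /exchange/USA/calendar/main_fr.asp - 200
"""

# The five OWA pages the post singles out, keyed in lower case because IIS does
# not normalise path case; every other page (inbox frames, calendar views) is noise.
ACTIONS = {
    "/exchange/usa/logonfrm.asp": "logon",
    "/exchange/usa/forms/ipm/note/read.asp": "read message",
    "/exchange/usa/attach/read.asp": "open attachment",
    "/exchange/usa/forms/ipm/note/cmpmsg.asp": "compose message",
    "/exchange/usa/forms/ipm/schedule/meeting/request/mrread.asp": "read meeting request",
}

def parse_iis_log(text):
    """Yield one dict per request line, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):  # drop lines that do not match the header
                yield dict(zip(fields, values))

def owa_timeline(text, user=None):
    """Reduce the log to the actions of interest (optionally one account): who, from where, when, which item."""
    events = []
    for rec in parse_iis_log(text):
        action = ACTIONS.get(rec["cs-uri-stem"].lower())
        if action is None or (user is not None and rec["cs-username"] != user):
            continue
        # IIS logs "-" for an empty query; parse_qs also decodes %7E to "~" in att=
        query = parse_qs(rec["cs-uri-query"]) if rec["cs-uri-query"] != "-" else {}
        events.append({
            "time": rec["date"] + " " + rec["time"], "user": rec["cs-username"],
            "ip": rec["c-ip"], "action": action,
            "obj": query.get("obj", [None])[0], "att": query.get("att", [None])[0],
        })
    return events
```

Against a real log the same code runs unchanged as long as the #Fields: header names the columns used here; the per-user output is what you would then load into the database of accesses the post describes.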


 

As an example, in the case Exel Transportation Services Inc v. Total Transportation Services LLC et al (3:06-cv-00593) I used this to uncover a large industrial espionage case. First I used the program in the prior post to find which accounts were being used to access other email accounts in the system. Then I looked up the IP addresses and found out one of them was actually registered to one of the ex-executives of Exel directly on ARIN. We then broke out just the accesses used by those accounts (I mean really, why else would the BlackBerry server administrative account or the voicemail server be logging into a website... something we had to explain to counsel) into a database divided up by type of item accessed (email, attachment, calendar).

The next part was more difficult: we had to replicate their Exchange network, AD controller, etc. to restore their Exchange server backups and replay those months to find out what our suspects were viewing. This included almost every decision maker within Exel and, according to the filings I read, about $120 million in lost business, as they were able to read the contracts sent to customers during a bidding process and always beat them. We fed the URLs into a GUI automation tool that would interact with the web browser and save the emails and attachments into MHT (full website archive) files for the lawyers' review. I couldn't within the time frame get a pure Perl program to work the way I needed it to.


 

For more information read this news article:

http://www.bizjournals.com/memphis/stories/2006/08/21/daily30.html


 

The case was settled out of court with a public apology written by TTS. The final stone in my understanding that led to settlement was when we matched the TTS OWA logs to the Exel OWA logs and showed the suspects logged into the TTS server with their real user name, with the same ip and at the same date/time, as they were logged into the Exel OWA server with their administrative accounts.


 

I hope this was useful, I can post parsers I wrote if you think it would help you in the future.


Post a Comment

  1. Thanks for the interesting case, OWA documentation, and replay analysis.

    in your example:
    " /exchange/USA/Attach/read.asp?obj=000000007C6A5AC4439BD948B2EDEC2B4701083907007DC649E6901ED711982E0002B3A2389C000000C0411400007DC649E6901ED711982E0002B3A2389C0000013340B20000&att=ATT-0-C9D9D5C63632DD439C1AF3C6A4B4AF8A-TOD9D1%7E1.PPT"

    If the obj= string recorded by the OWA log is the email message id, then I can imagine an alternate technique (depending on coding experience), which could be to harvest the mailbox(es) from the Exchange backup tapes and search them using the Outlook Redemption API to locate email message ids of interest...

  2. I think there is a difference, though I cannot at the moment prove it is different, between the internal exchange EDB objectid id and the message id that outlook creates inside of the PST.

    If there is a similar API for accessing an individual object from an EDB or a running Exchange server by object id, then that should work. I have not found such a library exposed, but that does not mean it does not exist, since tools such as Ontrack PowerControls, Paraben Network Email Examiner and Quest Recovery Manager for Exchange all seem to be making use of something like that to operate on the EDB file without the Exchange server running.

  3. Hello,
    I have this exact issue: there is an admin that continues to change user account permissions, has convinced a new manager we have that turning on "Exchange 2007 SP2" mailbox auditing causes issues on our Exchange server, and we know he is reading email. I started searching through the IIS logs and it is extremely hard, as you know. Is the log parser exe still available, or even the raw code, if you could tell me how to run it? It seems like a tool like this for OWA specifically, to show these results, would be well in demand and also easy to find; your site (which I read all the time) is the only one where I have seen this, though.

  4. The links should still work, if they don't let me know and I'll fix them.
