Outlook Forensics


Warren Guffey

I have a situation in which my boss wants to know if I can prove if someone
was actually viewing another person's mailbox. The user had rights to the
other person's mailbox but denies actually reading anything. Upon inspection
the mailbox in question was not in the folder list but I have been given the
task of proving or disproving that the user actually accessed the mailbox. I
have checked on local log files or dat files but couldn't find anything to
help. Isn't there a log in Exchange to find this information, not just last
login but a history of logins? Is there any other software or service that
would be able to show when a user may attach or detach a mailbox? Any help
or direction would be appreciated as I am under some heavy pressure here to
accomplish this task.

Roady [MVP]

You can enable Auditing for this on Exchange. Of course you need to
configure this beforehand and not afterwards; it won't be logged if auditing
isn't configured.
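
Added example, not part of the original replies: one way to turn on and then query the auditing mentioned above, assuming an Exchange version that provides mailbox audit logging (Exchange 2010 SP1 or later) and the Exchange Management Shell. The mailbox name `shared.mailbox` and the CSV path are hypothetical placeholders.

```powershell
# Assumption: run in the Exchange Management Shell by an administrator.
# 'shared.mailbox' is a hypothetical placeholder for the mailbox under review.
$Mailbox = 'shared.mailbox'

# 1. Check whether auditing was already on. If AuditEnabled is False,
#    no history exists for the period in question.
Get-Mailbox -Identity $Mailbox |
    Format-List Name, AuditEnabled, AuditDelegate

# 2. Enable auditing of delegate (non-owner) actions from now on.
#    FolderBind records a delegate opening a folder in the mailbox.
Set-Mailbox -Identity $Mailbox -AuditEnabled $true `
    -AuditDelegate FolderBind, SendAs, SendOnBehalf, Update, Move,
                   MoveToDeletedItems, SoftDelete, HardDelete

# 3. Later: pull delegate activity for the last 30 days.
$entries = Search-MailboxAuditLog -Identity $Mailbox `
    -LogonTypes Delegate -ShowDetails `
    -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
    -ResultSize 5000

# 4. Summarise who did what, then keep a timeline with client details.
$entries | Group-Object LogonUserDisplayName, Operation |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

$entries | Sort-Object LastAccessed |
    Select-Object LastAccessed, LogonUserDisplayName, Operation,
                  FolderPathName, ClientIPAddress, ClientInfoString |
    Export-Csv -Path .\delegate-access.csv -NoTypeInformation
```

An empty result only shows that nothing was recorded while auditing was enabled; it says nothing about access before step 2.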
Oct 28, 2014
Your problem can be solved; you will easily be able to know when the mailbox is accessed and what changes are made in the mailbox in your absence.
This will definitely help to investigate all the emails and email headers with body content, IP addresses and other relevant information. You can refer to the post for detailed study: outlookforensics{dot}wordpress.com
