Outlook Rule Settings/File


CdtDelta
Senior Member
 

Outlook Rule Settings/File

Posted: Apr 22, 09 20:17

Hey all,
I'm working on a case where the individual in question had set up a rule to forward all of his mail to a personal email account. I've been looking into where Outlook keeps the mail rule information on the system (Exchange server, whatever). The machine in question is running Vista Business and Outlook 2007. I found a document on Microsoft's site that says the following:

Rules (.rwz)

Windows Vista: drive:\Users\user\AppData\Roaming\Microsoft\Outlook

Windows XP or Windows Server 2003: drive:\Documents and Settings\user\Application Data\Microsoft\Outlook

Note: If you upgraded to Office Outlook 2007 from a version of Outlook earlier than Microsoft Outlook 2002, you might have an .rwz file on your computer's hard disk drive. The .rwz file is no longer needed, and the information about rules is now kept on the server running Microsoft Exchange, and in the Personal Folders file (.pst) for POP3 and IMAP e-mail accounts. So you can delete the file.

If you use the Rules Import and Export feature, the default location for .rwz files is drive:\Documents and Settings\user\My Documents.

So it appears that in this instance the user's rule settings would be on the Exchange server. My question is: does anyone know if that data is contained in the PST file on the server (which I have), or is it kept somewhere else on the server?

Thanks ahead of time,
Tom
_________________
CHFI, CCNA, EnCE
Digital Forensic Analyst 
 
  

BitHead
Senior Member
 

Re: Outlook Rule Settings/File

Posted: Apr 22, 09 23:02

If your messages are stored in an Exchange Server mailbox, a majority of your rules are server-side rules. If your messages are stored in a Personal folder, most of your rules are client-side.

For Exchange Server 5.5 thru 2003: You can view/manage rules in the Exchange Message Store using MDBVu (Mdbvu32.exe). Using MDBVu you can use the Outlook Rules Organizer and look for items that start with -> cb: 40|*pb: <-. Double-click these items, and then verify if the following line is present: PR_MESSAGE_CLASS PT_STRING8 IPM.RULE.MESSAGE. Each item should have a Message Class, but it is the IPM.RULE.MESSAGE portion that you are interested in.
 
