Hi,
I have been asked to carry out an audit of an exchange server.
Our client is concerned that their IT Manager is looking at other employees' emails.
Are there log files I can use to see if and when mail accounts have been accessed and by whom?
I have an EnCase image of their Exchange server. Where is the best place to start?
Thanks

Hello,
Most of the time those crooks use Outlook Web Access (OWA) to look into different mailboxes.
Check if OWA logging is enabled. Also check if 'message tracking' is enabled. (see properties of the exchange store)
If not enabled, try to get access to the Exchange server and enable that logging.
If you have those logs, you will be able to see who is reading mail in employee mailboxes.
You can use EnCase to see if any log files are present.
Check winnt\system32\logfiles
Also look for 'W3SVC' in file and directory names.
Kind regards,
Hans Heins
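
Added example, not part of the original posts: a way to triage W3SVC logs exported from the image for the OWA check described above, listing successful requests where the authenticated account differs from the mailbox in the URL. It assumes IIS W3C extended format with `cs-username` and `cs-uri-stem` logged, OWA URLs of the form `/exchange/<mailbox>/`, and that the mailbox alias normally matches the account name; the log lines are constructed sample data.

```python
import re

# Constructed sample in IIS W3C extended log format (not taken from any real server).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2005-03-01 08:00:00
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2005-03-01 08:01:12 10.0.0.21 CORP\\jsmith GET /exchange/jsmith/Inbox/ 200
2005-03-01 08:05:40 10.0.0.50 CORP\\itmanager GET /exchange/jsmith/Inbox/ 200
2005-03-01 08:05:55 10.0.0.50 CORP\\itmanager GET /exchange/jsmith/Inbox/Payroll.EML 200
2005-03-01 08:09:03 10.0.0.50 CORP\\itmanager GET /exchange/itmanager/Inbox/ 200
2005-03-01 08:10:17 10.0.0.33 - GET /exchange/adoe/ 401
"""

# Assumption: OWA mailbox URLs look like /exchange/<mailbox alias>/...
MAILBOX_RE = re.compile(r"^/exchange/([^/]+)/", re.IGNORECASE)

def cross_mailbox_hits(lines):
    """Return (date, time, client_ip, user, mailbox, uri) for each successful
    OWA request where the authenticated account is not the mailbox owner."""
    fields, hits = [], []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # header may repeat or change within a file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        rec = dict(zip(fields, line.split()))
        match = MAILBOX_RE.match(rec.get("cs-uri-stem", ""))
        user = rec.get("cs-username", "-")
        # Skip non-OWA requests, anonymous requests and failed (non-2xx) responses.
        if not match or user == "-" or not rec.get("sc-status", "").startswith("2"):
            continue
        account = user.split("\\")[-1].split("@")[0].lower()  # DOMAIN\user or user@domain
        mailbox = match.group(1).split("@")[0].lower()
        if account != mailbox:
            hits.append((rec.get("date"), rec.get("time"), rec.get("c-ip"),
                         user, mailbox, rec["cs-uri-stem"]))
    return hits

if __name__ == "__main__":
    for hit in cross_mailbox_hits(SAMPLE_LOG.splitlines()):
        print(*hit)
```

Hits are leads rather than proof: legitimately delegated mailboxes and aliases that differ from the logon name will also appear and need to be ruled out.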

Thanks for the feedback, Hans, much appreciated.