Hi Guys,
I have a question surrounding Outlook permissions and investigating when someone has added permission to a user account.
Windows 7 Enterprise, Version 6.1, Service Pack 1 client.
The story is a user has their own enterprise Outlook which only they can access for their mail. The case is that someone accessed this person's mail without permission and forwarded some private emails to someone else. In Outlook under "permissions", there was an anonymous user added; it says "anonymous".
So my question is how can I see from the Windows registry, who added an account under permissions in Outlook, or who connected to the user account and forwarded a mail on the user's behalf without their permission? The user was set as read all, which means anyone can add the user's email account and view their mail. This was not done by the user but supposedly by the suspect. How can I see permission setting changes in Outlook, under Windows registry?
I have a full image of the hard drive. I was hoping to get Exchange server logs for Outlook but logging is no longer available as this happened over 6 months ago.
What I have done:
I have imaged the hard drive,
checked RDP connections, used RegRipper to get NTUSER.DAT and look at items related to Outlook.
HKEY_CURRENT_USER\Software\Microsoft\Office\<version>\Outlook\Preferences (I don't see Preferences; I only see "addins" under Outlook)
So any help would be most appreciated,
thanks,
David
> So my question is how can I see from the Windows registry, who added an account under
> permissions in Outlook, or who connected to the user account and forwarded a mail on the
> user's behalf without their permission?
I'm curious…what is it that leads you to believe that what you're looking for is stored in the Registry?
My suggestion would be to look in the Exchange logs. I understand that you said that they weren't available, so my recommendation would be to work with your client and have them make a similar modification to another account, and see where the logs of that are stored.
HTH
Hi,
Thanks for the response and your suggestion. I completely agree with you that the Exchange logs are where the information may be, but this case activity is back a year ago and logs are only kept for 6 months.
I looked into the registry just to see if there were Outlook keys which may help. Realistically I agree the registry may not have an answer.
thanks,
David
In regards to making the modification, I know exactly where they will be stored (Exchange logs). But the problem is in this case we have lost the logs.
So really I wanted to know: is there really nothing that can be done now from a forensic perspective?
thanks,
David
Sometimes, that's simply the case.