Enterprise Software Thread, Is it possible that an outlook server can be manipulated to backdate mails?? in Technical
  1. #16

    nephilim
    Didn't realise Pembrokeshire was ROI

  2. #17

    teejay
    Quote Originally Posted by borderfox View Post
    Well, let's just say that it's already in train - and will be running the full course.
    It's safe to assume that they were planted there with a view to discrediting the course of events that the complainant would be presenting.
    I hadn't considered it like this - so thanks for mentioning that.
    Looking at this from another angle, if we were to assume that it's possible for the complainant to have this checked (via a court order or other legal mechanism), given access to company systems, would an I.T. professional be likely to get evidence to prove this? Can anyone suggest how this could be approached? Are there people who specialise in this type of thing...I guess it's computer forensics, is it not?? It would be good to get a general opinion from I.T. savvy folk here - as to how this aspect of it could best be handled.
    The simple answer is:
    a) Stop discussing it on here, this is a public forum and any discussion could discredit the case
    b) SEEK PROFESSIONAL LEGAL ADVICE who will advise and take appropriate action if it's felt this is required

  3. #18

    Quote Originally Posted by FN-GM View Post
    Remember this guy is in the Republic of Ireland so different laws apply so it may not be the same there as it is in the UK.
    Quote Originally Posted by nephilim
    Didn't realise Pembrokeshire was ROI
    Sorry folks - my bad. Originally from IRL but in UK now - so discussed in the context of the UK.


    Quote Originally Posted by teejay
    The simple answer is:
    a) Stop discussing it on here, this is a public forum and any discussion could discredit the case
    b) SEEK PROFESSIONAL LEGAL ADVICE who will advise and take appropriate action if it's felt this is required
    It was never the intention to discuss any legal aspects whatsoever. I felt it was necessary to give some background. Otherwise, the query is purely technical - regarding the mechanics of how servers could be examined to prove that data was tampered with.


    Quote Originally Posted by nephilim
    IF you have a court order/subpoena, you would need someone impartial (and you could recommend someone to the courts who has nothing to do with the case and knows neither party) to have the evidence checked on the servers/machines. At which point all machines pertinent to the case in question would need to be surrendered to said IT professional. On top of this, any additional machines that would need checking would also have to be submitted, as would all passwords and other details required to gain the appropriate access.

    From there the IT Professional would then need to have an allowed period of time (1 day per machine should be sufficient, however 2 days per machine would be what I would spec for).

    My own personal approach would be to check the following
    Back up all machines in a full system state - this way if I make any errors the machines can be restored to how they were (covering myself on this one)

    Then I would check for
    Timestamps in the headers of the email account in question
    IP/DNS stamps in the headers of the email account in question
    Content of said emails (and print off hard copies including headers)

    I would then do the following
    Go to the exchange server and check the above, and check the database entries for when emails entered into the exchange database. Reason being is that these are exceedingly difficult to forge and require a fair bit of configuring to do without screwing everything up.
    Check SPF (Sender Policy Framework) records which are stored on the exchange server as well as authenticated machines from which the email address can be sent. If for example I sent something from say nephilim@edugeek.net it would store at your exchange box, however it would tell you in the SPF that a non-authenticated machine sent that email and will flag up as a spoofed email address / mail.

    I would also document every step I did so that another person can verify my findings as appropriate.

    It is not a case of computer forensics, but just simply knowing what to look for and giving accurate reports for the people as required.
    This is exactly the type of info I was looking for - thanks very much for taking the time to respond. As I don't have the technical expertise that you guys possess, can I ask do others agree that the above approach will work?
    Last edited by borderfox; 15th November 2011 at 01:05 PM.

  4. #19

    SPF won't be relevant if the messages are sent internally, need to clarify if the message was internal>internal?

    What you need to do is.

    1. Get message tracking logs from the Exchange server and analyse them
    2. IF auditing is enabled, see if any send-as permissions were granted to this user's mailbox. Again, IF auditing is enabled, check if any admin modified this mailbox. Again, IF auditing is enabled, check to see when this object was last modified.
    3. Check message headers of the messages in question.
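
The header check that recurs in this thread, sketched as an added example (not part of any poster's reply): it compares the client-supplied Date header with the server-stamped Received hops and reports disagreement. The host names, addresses and ids in the sample are constructed, and the 10-minute tolerance is an assumption.

```python
from datetime import timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample (hypothetical hosts): Date claims 1 Nov, server hops say 14 Nov.
SAMPLE = """\
Received: from HUB01.corp.example (10.0.0.5) by MBX01.corp.example (10.0.0.9)
 with ESMTP id CONSTRUCTED2; Mon, 14 Nov 2011 16:42:10 +0000
Received: from PC-114.corp.example (10.0.3.114) by HUB01.corp.example (10.0.0.5)
 with ESMTP id CONSTRUCTED1; Mon, 14 Nov 2011 16:42:08 +0000
From: manager@corp.example
To: staff@corp.example
Subject: Meeting notes
Date: Tue, 1 Nov 2011 09:15:00 +0000
Message-ID: <constructed-0001@corp.example>

Body text.
"""

def parse_stamp(text):
    """Parse an RFC 5322 date; None if unparseable. Naive results are treated as UTC."""
    try:
        t = parsedate_to_datetime(text)
    except (TypeError, ValueError):
        return None
    return t if t.tzinfo else t.replace(tzinfo=timezone.utc)

def hop_times(msg):
    """Received timestamps, oldest hop first (servers prepend, so reverse)."""
    # The timestamp is whatever follows the last ';' in each Received header.
    return [parse_stamp(h.rsplit(";", 1)[-1].strip())
            for h in reversed(msg.get_all("Received", []))]

def check_timestamps(raw, tolerance=timedelta(minutes=10)):
    """Return a list of findings; an empty list means the headers agree."""
    msg = message_from_string(raw)
    findings = []
    hops = hop_times(msg)
    if None in hops:
        findings.append("unparseable Received timestamp")
    known = [t for t in hops if t is not None]
    if any(b < a for a, b in zip(known, known[1:])):
        findings.append("Received hops out of chronological order")
    claimed = parse_stamp(msg["Date"])
    if claimed is None:
        findings.append("missing or unparseable Date header")
    elif known and abs(known[0] - claimed) > tolerance:
        findings.append(f"Date header differs from first server hop by {known[0] - claimed}")
    return findings

if __name__ == "__main__":
    print(check_timestamps(SAMPLE))
```

Headers are only one source: a finding here is a reason to pull the message tracking logs and audit records listed above for the same Message-ID, not a conclusion on its own.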

  5. #20

    nephilim
    Ahhh good point. I was assuming they would be spoofed from internal to show external which SPF should show.

  6. #21

    Quote Originally Posted by sukh View Post
    SPF won't be relevant if the messages are sent internally, need to clarify if the message was internal>internal?
    Yes, that's correct - internal only.

  7. #22

    nephilim
    In that case all but the SPF record from my statement before would still be relevant.

  8. #23

    Quote Originally Posted by nephilim View Post
    In that case all but the SPF record from my statement before would still be relevant.
    Ok, thanks. That's much appreciated.

  9. #24

    nephilim
    You sir are most welcome. If it helps, if I could arrange accommodation and travel I could probably do all that work for you (for a reasonable fee).
