Topic: What time was the Out Of Office added/changed?
Dav_Id
« on: July 27, 2009, 05:17:24 PM »

Hi guys,

Got an interesting one here, thought you might like a go at solving.

I have a client that has an employee that skipped work today. Their out of office reply on their system, Outlook 2007 on a 2003 SBS server, was set saying they would not be in until tomorrow!!

They went on vacation on Thursday and should have been back today. They set up the Out of Office (apparently) to say back today.

The question is: is there a way of telling when the original out of office was set and if/when it was changed?

Sorry if it sounds lame but it may be something you have done in the past?

Cheers.

Dav
Ketchup
« Reply #1 on: July 27, 2009, 06:27:37 PM »

I believe you can determine this using MAPI properties in the Microsoft Exchange Information store.   Out Of Office Assistant is simply a mailbox rule that is located in the User's mailbox.   The rule is actually a hidden message.  You cannot see any of this in Outlook or the Exchange client.  

Here is what you can do:

1. Download Microsoft Exchange MAPI Editor from the following location. This is a Microsoft-maintained tool for editing MAPI properties in various types of MAPI stores, including the Exchange Information Store.

http://mfcmapi.codeplex.com/

2. Connect the MAPI Editor to the Exchange server that contains the mailbox with the Out Of Office rule. You would do this by going to the Session menu, and choosing Logon and Display Store Table.

I always do this with an Exchange admin account.  I have to modify the account to have Send As and Receive As rights on the mailbox in question.  The mailbox you choose in the profile creation wizard should be the mailbox you want to analyze.  I also run this directly from the Exchange server.

After you connect, you should have the mailbox and public folders for the custodian in question listed in the top pane.

3.  Double-click the Mailbox - Custodian Name in the top pane to open the Mailbox Root Container.

4.  Expand the Root Container down to Inbox.   Inbox is under Top of Information Store.

5.  Right-click the Inbox and choose Open Associated Contents Table.   This table should contain the hidden messages in the Inbox.

6.  Find the Out of Office Assistant rule in the top pane and click on it (single click).

7.  In the bottom pane, you should have the following MAPI properties:

PR_CREATION_TIME
PR_LAST_MODIFICATION_TIME
PR_LOCAL_COMMIT_TIME

You may have some others.  If you are on an Outlook 2007 MAPI system, these properties will be a little different.   PR_CREATION_TIME becomes PidTagCreationTime, for example.

Unfortunately, this is hardly a forensic process, since it must be done on the live system.  You can attempt to restore a backup or an image of the Exchange server, but that's quite a bit of work.

<edit> I haven't tried this with a PST file, but I would assume the procedure could work. The PST would have to be a complete export, including system data. </edit>

Hope this helps.
« Last Edit: July 27, 2009, 08:13:33 PM by Ketchup »

~~~~~~~~~~~~~~
Ketchup
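
Added example (not part of the original posts or of the MAPI Editor): the three properties named in Reply #1 are PT_SYSTIME values, i.e. 64-bit FILETIMEs stored in UTC, so this sketch decodes the raw values an examiner recorded, builds a timeline in the custodian's local time, and reports whether the hidden message was modified after it was created. The sample values, the function names and the UTC offset are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# PT_SYSTIME property tags for the three properties named in Reply #1.
PROP_TAGS = {
    0x30070040: "PR_CREATION_TIME",
    0x30080040: "PR_LAST_MODIFICATION_TIME",
    0x67090040: "PR_LOCAL_COMMIT_TIME",
}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample: tag -> (low dword, high dword) as noted by the examiner.
SAMPLE_PROPS = {
    0x30070040: (0x2A2F9E00, 0x01CA0AE6),
    0x30080040: (0xA05F3800, 0x01CA0E39),
    0x67090040: (0xA05F3800, 0x01CA0E39),
}


def filetime_to_utc(low, high):
    """Convert a FILETIME (two 32-bit halves, 100 ns ticks since 1601) to UTC."""
    if not (0 <= low <= 0xFFFFFFFF and 0 <= high <= 0xFFFFFFFF):
        raise ValueError("FILETIME halves must be unsigned 32-bit values")
    ticks = (high << 32) | low
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def oof_timeline(raw_props, utc_offset_hours=0):
    """Return (property name, local time) pairs, oldest first.

    utc_offset_hours is the custodian's offset from UTC, supplied by the
    examiner (an assumption of this example); the stored values are UTC.
    """
    local = timezone(timedelta(hours=utc_offset_hours))
    events = [(PROP_TAGS[tag], filetime_to_utc(low, high).astimezone(local))
              for tag, (low, high) in raw_props.items() if tag in PROP_TAGS]
    return sorted(events, key=lambda e: e[1])


def changed_after_creation(raw_props, tolerance_seconds=2):
    """True when last modification is later than creation by more than the tolerance."""
    times = {PROP_TAGS[t]: filetime_to_utc(*v)
             for t, v in raw_props.items() if t in PROP_TAGS}
    delta = times["PR_LAST_MODIFICATION_TIME"] - times["PR_CREATION_TIME"]
    return delta.total_seconds() > tolerance_seconds


if __name__ == "__main__":
    for name, when in oof_timeline(SAMPLE_PROPS, utc_offset_hours=1):
        print(f"{name:28} {when.isoformat()}")
    print("modified after creation:", changed_after_creation(SAMPLE_PROPS))
```

A modification time later than the creation time shows only that the hidden message was rewritten after it was first saved, not what was changed in it.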
Dav_Id
« Reply #2 on: July 28, 2009, 01:43:34 AM »

:) :) :)

Hi Ketchup,

You are a Geeeeeeenius!

Thank you.

I understand it may not be Forensics in the computer forensics sense of the definition but it is a great help.

Thank you again.

Dav