
I'm trying to do a forensic analysis on an Exchange server, and I'd like to determine what time a user read a particular email. Is there any way (perhaps with a tool like mfcmapi, or another open source or commercial tool) to obtain this information?

Specifically, a confidential email was accidentally sent to a user, followed immediately by an email informing the user of the accidental breach and directing the user to delete the message and not to share it. The user claims that they only sent it to their own account, since the breach contained their own personal information, and that they did not see the follow-up message until after they had already sent themselves a copy of that message. I'd like to prove that the user read the second message before forwarding the first (i.e. confidential) email.

In the absence of read receipts, is there any way to prove this?

Thanks

  • My suspicion is there's just a `mail.UnRead` boolean property which changes, but no log of when it changed. Are they connected through Outlook MAPI, Outlook HTTPS/Anywhere, IMAP, or BES? Which version of Exchange and Outlook? Have you at least proved that the second message was delivered to their mailbox before they sent the first? – TessellatingHeckler Jun 18 '15 at 00:02

1 Answer


The short answer is no.

Assuming you're using Outlook with MAPI (using IMAP or some other protocol could only tell you that the message was retrieved by a mail client, most of which sync automatically on a schedule anyway), even if there were a way to identify when the email had been marked as read (and I doubt that there is, but can't say for sure), it still doesn't prove anything. I, for example, have Outlook set up to automatically mark emails as read after five seconds.

Without confirmation from the user themselves that they'd read the email, there is no way to "prove" it. The best you can do is build up a body of evidence that seems indicative of a certain behaviour. But it wouldn't hold up in a court of law.

Most importantly, though, the user is not accountable in any case. Email is not considered a secure form of communication, and should not be used for confidential information. The exception to this is if you've set up some kind of encryption (plenty are available), but given that the person in question was able to read the contents of the email, it's safe to assume that this was not in place.

There may be some organisational precedent that governs whether the user's actions in forwarding the email were reasonable or acceptable (having read the message asking them to delete it or not, it might be arguable that a reasonable person would deem the content to be confidential and/or not appropriate to be forwarded). But that is a question for your HR department.

Matt
  • Thanks for your comments. Indeed the question is specifically about MAPI and not IMAP -- I realize that IMAP would not be able to provide the necessary information (but wasn't sure about hidden MAPI properties). The email was, as you noted, not encrypted. I was just hoping to find additional support documentation (i.e. in the form of said timeline) for HR. Thanks. – Shmuel Levine Jun 18 '15 at 15:13
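The comment above asks whether the notice was even delivered to the mailbox before the user sent the first message on. Since the read flag carries no timestamp, that ordering of server-side events is about the only objective timeline available, and it is the kind of supporting documentation the asker mentions. As an added example (not code from the question, the answer, or Microsoft), the following Python builds that timeline from a few constructed lines laid out like an Exchange message tracking log CSV export; the column names, event-ids, addresses and message-ids are all assumptions made for the illustration.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample in the shape of an Exchange message tracking log CSV export.
# Column names, event-ids and every value below are assumptions made for this
# example; they are not taken from a real server.
SAMPLE_LOG = """\
date-time,event-id,message-id,recipient-address,sender-address,message-subject,reference
2015-06-17T09:00:02.000Z,DELIVER,<conf-001@example.test>,user@example.test,hr@example.test,Payroll detail (confidential),
2015-06-17T09:00:40.000Z,DELIVER,<notice-002@example.test>,user@example.test,hr@example.test,Please delete the previous email,
2015-06-17T09:03:15.000Z,SUBMIT,<fwd-003@example.test>,user@personal.example,user@example.test,FW: Payroll detail (confidential),<conf-001@example.test>
"""


def parse_tracking_log(text):
    """Parse CSV rows and turn the date-time column into aware UTC datetimes."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["date-time"] = datetime.strptime(
            row["date-time"], "%Y-%m-%dT%H:%M:%S.%fZ"
        ).replace(tzinfo=timezone.utc)
        rows.append(row)
    return sorted(rows, key=lambda r: r["date-time"])


def find_event(rows, event_id, **fields):
    """Return the earliest row with the given event-id whose columns match fields."""
    for row in rows:
        if row["event-id"] == event_id and all(row.get(k) == v for k, v in fields.items()):
            return row
    return None


def build_timeline(rows, mailbox, notice_id, original_id):
    """Order the server-side events: delivery of the original and of the notice
    to the mailbox, and the mailbox's own submission of a message referencing
    the original (the forward; the 'reference' column linking them is assumed).
    Delivery is not reading: the result only shows whether the notice was
    already in the mailbox when the forward left it, and how long the gap was."""
    original = find_event(rows, "DELIVER", **{"message-id": original_id, "recipient-address": mailbox})
    notice = find_event(rows, "DELIVER", **{"message-id": notice_id, "recipient-address": mailbox})
    forward = find_event(rows, "SUBMIT", **{"sender-address": mailbox, "reference": original_id})
    if not (original and notice and forward):
        return {"complete": False}
    gap = (forward["date-time"] - notice["date-time"]).total_seconds()
    return {
        "complete": True,
        "original_delivered": original["date-time"],
        "notice_delivered": notice["date-time"],
        "forward_submitted": forward["date-time"],
        "forward_to": forward["recipient-address"],
        "notice_before_forward": notice["date-time"] < forward["date-time"],
        "seconds_between_notice_and_forward": gap,
    }


if __name__ == "__main__":
    events = parse_tracking_log(SAMPLE_LOG)
    timeline = build_timeline(
        events, "user@example.test", "<notice-002@example.test>", "<conf-001@example.test>"
    )
    for key, value in timeline.items():
        print(f"{key}: {value}")
```

With the constructed data the notice reaches the mailbox 155 seconds before the forward is submitted. That ordering is necessary for the asker's claim but, as the answer says, not sufficient: nothing in the tracking log shows whether the notice was opened, so the gap is evidence for HR to weigh rather than proof that it was read.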