IIS Logs and OWA - Exchange 2007

    Question

  • We had a little situation at work where an employee was let go recently. I go to work and a user reports that a lot of their emails are missing. I check out the mailbox, and sure enough a lot of emails were deleted. I log on under OWA, and under the "Recover Deleted Items" under Settings I found all the deleted emails. The person has basically deleted the emails from the inbox/sent folder and had also deleted them from the deleted items folder but did not purge those items from the recover deleted items. My job at this point is to prove that it was in fact the possibly "disgruntled" employee who did this (because maybe it was just a coincidence after all!)

    On our Exchange 2007 server, I went to the W3SVC1 folder under System32 to check out the IIS logs. Logging is enabled on our OWA website (default website) under IIS. Under OWA, I saw that items were deleted on Sunday at 02:09 PM. In log number 1, I found that someone had indeed logged on to the "hackeduser" account at 22:07 (GMT time, which is 2 PM local time). I saw the external IP address was also listed. So I went and tried to see if I could match that IP with the disgruntled employee's login earlier in the month when that person was working out of office. In log 2, I see that "disgruntled employee" was logged accessing his account from that same external IP. Looking at his sent items, emails were indeed sent that day. So here I have two matching external IPs - one logging onto "hackeduser" and one onto his own account. Am I correct in saying that this is enough to prove that it was indeed the disgruntled employee who did this? Any other way to verify this?

    Our firewall has very very limited logging capabilities so at this point I am just relying on IIS logs.

    PS. All identifiers (including the IPs) have been changed.

    Thanks.

    LOG #1:

    2012-02-05 22:07:22 W3SVC1 10.0.0.10 GET /owa/default.aspx &prfltncy=37947&prfrpccnt=33&prfrpcltncy=7625&prfldpcnt=2&prfldpltncy=0&prfavlcnt=0&prfavlltncy=0 443 domain/hackeduser 76.171.203.69 Mozilla/5.0+(compatible;+MSIE+9.0;+Windows+NT+6.0;+Trident/5.0) 200 0 0

    2012-02-05 22:07:47 W3SVC1 10.0.0.10 GET /owa/default.aspx ae=Item&a=Preview&t=IPM.Note&id=RgAAAACOozHBiR2DQ4L8npCIbGgTBwCX4rWUVwo1TaSd7vFOPpwlAAABhPNuAADW38ms6Q3XSYyI0x1g9VGxAAplJ1o2AAAJ&prfltncy=51&prfrpccnt=7&prfrpcltncy=31&prfldpcnt=0&prfldpltncy=0&prfavlcnt=0&prfavlltncy=0 443 domain/hackeduser 76.171.203.69 Mozilla/5.0+(compatible;+MSIE+9.0;+Windows+NT+6.0;+Trident/5.0) 200 0 0

    2012-02-05 22:07:54 W3SVC1 10.0.0.10 POST /owa/ev.owa oeh=1&ns=MsgListView&ev=Delete&prfltncy=315&prfrpccnt=14&prfrpcltncy=250&prfldpcnt=0&prfldpltncy=0&prfavlcnt=0&prfavlltncy=0 443 domain/hackeduser 76.171.203.69 Mozilla/5.0+(compatible;+MSIE+9.0;+Windows+NT+6.0;+Trident/5.0) 200 0 0

    2012-02-05 22:07:54 W3SVC1 10.0.0.10 POST /owa/ev.owa oeh=1&ns=MsgListView&ev=Refresh&prfltncy=229&prfrpccnt=6&prfrpcltncy=15&prfldpcnt=0&prfldpltncy=0&prfavlcnt=0&prfavlltncy=0 443 domain/hackeduser 76.171.203.69 Mozilla/5.0+(compatible;+MSIE+9.0;+Windows+NT+6.0;+Trident/5.0) 200 0 0

    2012-02-05 22:07:55 W3SVC1 10.0.0.10 POST /owa/ev.owa oeh=1&ns=MsgListView&ev=Refresh&prfltncy=8&prfrpccnt=6&prfrpcltncy=0&prfldpcnt=0&prfldpltncy=0&prfavlcnt=0&prfavlltncy=0 443 domain/hackeduser 76.171.203.69 Mozilla/5.0+(compatible;+MSIE+9.0;+Windows+NT+6.0;+Trident/5.0) 200 0



    LOG #2:

    2012-01-21 18:08:08 W3SVC1 10.0.0.10 GET /owa/default.aspx ae=PreFormAction&t=IPM.Note&a=Forward&id=RgAAAADYeejNvAqWRZ0soLYwIrovBwCX4rWUVwo1TaSd7vFOPpwlAAABOckcAADW38ms6Q3XSYyI0x1g9VGxAAplOQd3AAAJ&prfltncy=56&prfrpccnt=12&prfrpcltncy=0&prfldpcnt=1&prfldpltncy=0&prfavlcnt=0&prfavlltncy=0 443 domain/disgruntled 76.171.203.69 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:9.0.1)+Gecko/20100101+Firefox/9.0.1 200 0 0

    2012-01-21 18:10:19 W3SVC1 10.0.0.10 GET /owa/keepalive.owa m=1327169293252&prfltncy=0&prfrpccnt=0&prfrpcltncy=0&prfldpcnt=0&prfldpltncy=0&prfavlcnt=0&prfavlltncy=0 443 domain/disgruntled 76.171.203.69 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:9.0.1)+Gecko/20100101+Firefox/9.0.1 200 0 0

    2012-01-21 18:10:44 W3SVC1 10.0.0.10 POST /owa/default.aspx ae=PreFormAction&t=IPM.Note&a=Send&prfltncy=66&prfrpccnt=25&prfrpcltncy=46&prfldpcnt=3&prfldpltncy=0&prfavlcnt=0&prfavlltncy=0 443 domain/disgruntled 76.171.203.69 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:9.0.1)+Gecko/20100101+Firefox/9.0.1 200 0 0

    2012-01-21 18:10:47 W3SVC1 10.0.0.10 GET /owa/default.aspx ae=Item&t=IPM.Note&id=RgAAAADYeejNvAqWRZ0soLYwIrovBwCX4rWUVwo1TaSd7vFOPpwlAAABOckcAABRTODl3sI%2fT4ZMn2%2bj8ctiAApk0RP9AAAJ&prfltncy=68&prfrpccnt=7&prfrpcltncy=46&prfldpcnt=1&prfldpltncy=0&prfavlcnt=0&prfavlltncy=0 443 domain/disgruntled 76.171.203.69 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:9.0.1)+Gecko/20100101+Firefox/9.0.1 200 0 0

    Thursday, February 09, 2012 2:15 AM
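The correlation described in the question (same external IP on two accounts, a delete action at a given UTC time) can be done mechanically rather than by eye. The script below is an added example and is not code from the original thread. It parses IIS W3C log lines into fields, converts the UTC timestamps to the poster's local offset (assumed UTC-8, since 22:07 GMT is stated to be 2 PM local), lists client IPs that authenticated as more than one account, pulls out the OWA `ev=Delete` requests, and also compares User-Agent strings per account, which the log excerpts in the question show differ between the two sessions. The `#Fields` header was not posted, so the field order is an assumption based on the visible columns; the sample lines are copies of the question's log lines with the performance counters trimmed.

```python
"""Correlate OWA activity in IIS W3C logs by client IP, account and User-Agent.

Added example for the thread above; the field order below is assumed (no #Fields
header was posted) and the sample lines are abbreviated copies of the question's
already-anonymised log excerpts.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs

# Assumed W3C field order, inferred from the columns visible in the question.
FIELDS = [
    "date", "time", "s-sitename", "s-ip", "cs-method", "cs-uri-stem",
    "cs-uri-query", "s-port", "cs-username", "c-ip", "cs(User-Agent)",
    "sc-status", "sc-substatus", "sc-win32-status",
]

# Constructed sample: the question's log lines with the prf* counters trimmed.
# The fifth line deliberately lacks the final field, as in the original post.
SAMPLE_LOG = """\
2012-02-05 22:07:22 W3SVC1 10.0.0.10 GET /owa/default.aspx &prfltncy=37947&prfrpccnt=33 443 domain/hackeduser 76.171.203.69 Mozilla/5.0+(compatible;+MSIE+9.0;+Windows+NT+6.0;+Trident/5.0) 200 0 0
2012-02-05 22:07:47 W3SVC1 10.0.0.10 GET /owa/default.aspx ae=Item&a=Preview&t=IPM.Note&id=RgAAAACOozHBiR2DQ4L8npCIbGgT&prfltncy=51 443 domain/hackeduser 76.171.203.69 Mozilla/5.0+(compatible;+MSIE+9.0;+Windows+NT+6.0;+Trident/5.0) 200 0 0
2012-02-05 22:07:54 W3SVC1 10.0.0.10 POST /owa/ev.owa oeh=1&ns=MsgListView&ev=Delete&prfltncy=315 443 domain/hackeduser 76.171.203.69 Mozilla/5.0+(compatible;+MSIE+9.0;+Windows+NT+6.0;+Trident/5.0) 200 0 0
2012-02-05 22:07:54 W3SVC1 10.0.0.10 POST /owa/ev.owa oeh=1&ns=MsgListView&ev=Refresh&prfltncy=229 443 domain/hackeduser 76.171.203.69 Mozilla/5.0+(compatible;+MSIE+9.0;+Windows+NT+6.0;+Trident/5.0) 200 0 0
2012-02-05 22:07:55 W3SVC1 10.0.0.10 POST /owa/ev.owa oeh=1&ns=MsgListView&ev=Refresh&prfltncy=8 443 domain/hackeduser 76.171.203.69 Mozilla/5.0+(compatible;+MSIE+9.0;+Windows+NT+6.0;+Trident/5.0) 200 0
2012-01-21 18:08:08 W3SVC1 10.0.0.10 GET /owa/default.aspx ae=PreFormAction&t=IPM.Note&a=Forward&id=RgAAAADYeejNvAqWRZ0soLYwIrov&prfltncy=56 443 domain/disgruntled 76.171.203.69 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:9.0.1)+Gecko/20100101+Firefox/9.0.1 200 0 0
2012-01-21 18:10:19 W3SVC1 10.0.0.10 GET /owa/keepalive.owa m=1327169293252&prfltncy=0 443 domain/disgruntled 76.171.203.69 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:9.0.1)+Gecko/20100101+Firefox/9.0.1 200 0 0
2012-01-21 18:10:44 W3SVC1 10.0.0.10 POST /owa/default.aspx ae=PreFormAction&t=IPM.Note&a=Send&prfltncy=66 443 domain/disgruntled 76.171.203.69 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:9.0.1)+Gecko/20100101+Firefox/9.0.1 200 0 0
2012-01-21 18:10:47 W3SVC1 10.0.0.10 GET /owa/default.aspx ae=Item&t=IPM.Note&id=RgAAAADYeejNvAqWRZ0soLYwIrov%2fT4ZMn2%2bj8cti&prfltncy=68 443 domain/disgruntled 76.171.203.69 Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:9.0.1)+Gecko/20100101+Firefox/9.0.1 200 0 0
"""


def parse_line(line):
    """Split one W3C log line into a dict; IIS replaces spaces inside the
    User-Agent with '+', so a plain split on spaces is safe. A line missing
    only the trailing sc-win32-status (as in the posted excerpt) is tolerated."""
    parts = line.split(" ")
    if len(parts) < len(FIELDS) - 1:
        return None
    parts += [None] * (len(FIELDS) - len(parts))
    entry = dict(zip(FIELDS, parts))
    entry["timestamp"] = datetime.strptime(
        f"{entry['date']} {entry['time']}", "%Y-%m-%d %H:%M:%S"
    ).replace(tzinfo=timezone.utc)  # IIS logs record time in UTC
    query = entry["cs-uri-query"] or ""
    entry["query"] = {k: v[0] for k, v in parse_qs(query).items()}
    return entry


def parse_log(text):
    """Parse all non-comment lines (lines starting with '#' are W3C directives)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        entry = parse_line(line)
        if entry is not None:
            entries.append(entry)
    return entries


def shared_ips(entries):
    """Client IPs that authenticated as more than one account -> sorted accounts."""
    accounts = defaultdict(set)
    for e in entries:
        accounts[e["c-ip"]].add(e["cs-username"])
    return {ip: sorted(u) for ip, u in accounts.items() if len(u) > 1}


def user_agents(entries):
    """Distinct User-Agent strings per account. A shared IP with different
    browsers is weaker evidence of one person than a shared IP and browser."""
    agents = defaultdict(set)
    for e in entries:
        agents[e["cs-username"]].add(e["cs(User-Agent)"])
    return {user: sorted(a) for user, a in agents.items()}


def delete_events(entries, utc_offset_hours):
    """OWA delete actions (POST /owa/ev.owa with ev=Delete), with the UTC
    timestamp rendered in the investigator's local offset."""
    local = timezone(timedelta(hours=utc_offset_hours))
    found = []
    for e in entries:
        if e["cs-uri-stem"].endswith("/ev.owa") and e["query"].get("ev") == "Delete":
            found.append({
                "local_time": e["timestamp"].astimezone(local).strftime("%Y-%m-%d %H:%M:%S"),
                "utc_time": e["timestamp"].strftime("%Y-%m-%d %H:%M:%S"),
                "user": e["cs-username"],
                "ip": e["c-ip"],
                "user_agent": e["cs(User-Agent)"],
            })
    return found


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print("IPs used by more than one account:", shared_ips(log))
    print("User-Agents per account:", user_agents(log))
    for ev in delete_events(log, utc_offset_hours=-8):  # assumed UTC-8 per the question
        print("Delete:", ev)
```

On the posted excerpts this reports 76.171.203.69 as used by both accounts, one delete at 22:07:54 UTC (14:07:54 local), and a different browser string for each account (MSIE 9 on Windows NT 6.0 versus Firefox 9 on Windows NT 6.1). That last point is worth recording alongside the IP match: a shared public address can be a NAT or a reassigned dynamic address, so the browser fingerprint and the timing are what narrow it down, not the IP alone.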

Answers

  • On Thu, 9 Feb 2012 02:15:43 +0000, EIT1 wrote:
     
    >
    >
    >We had a little situation at work where an employee was let go recently. I go to work and a user reports that a lot of their emails are missing. I check out the mailbox, and sure enough a lot of emails were deleted. I log on under OWA, and under the "Recover Deleted Items" under Settings I found all the deleted emails. The person has basically deleted the emails from the inbox/sent folder and had also deleted them from the deleted items folder but did not purge those items from the recover deleted items. My job at this point is to prove that it was in fact the possibly "disgruntled" employee who did this (because maybe it was just a coincidence after all!)
    >
    >On our Exchange 2007 server, I went to the W3SVC1 folder under System32 to check out the IIS logs. Logging is enabled on our OWA website (default website) under IIS. Under OWA, I saw that items were deleted on Sunday at 02:09 PM. In log number 1, I found that someone had indeed logged on to the "hackeduser" account at 22:07 (GMT time, which is 2 PM local time). I saw the external IP address was also listed. So I went and tried to see if I could match that IP with the disgruntled employee's login earlier in the month when that person was working out of office. In log 2, I see that "disgruntled employee" was logged accessing his account from that same external IP. Looking at his sent items, emails were indeed sent that day. So here I have two matching external IPs - one logging onto "hackeduser" and one onto his own account. Am I correct in saying that this is enough to prove that it was indeed the disgruntled employee who did this? Any other way to verify this?
     
    You can try to have the ISP tell you what account was assigned that IP
    address at that time. With only the IP address and not the MAC address
    you can't tell if it was a dynamic IP address assigned to different
    devices at different times.
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     
    Thursday, February 09, 2012 4:26 AM

All replies

  • Thanks Rich. But would the ISP keep a record of inbound connections to our network? And since I already have the external IP, I am not sure how they would be able to help out?
    Thursday, February 09, 2012 5:25 AM
  • On Thu, 9 Feb 2012 05:25:02 +0000, EIT1 wrote:
     
    >Thanks Rich. But would the ISP keep a record of inbound connections to our network? And since I already have the external IP, I am not sure how they would be able to help out?
     
    They know what MAC address used the IP address. If the IP was assigned
    (using DHCP) to two different MAC addresses at the times you note in
    your log they (the devices) probably don't belong to the same person.
     
    ---
    Rich Matheisen
    MCSE+I, Exchange MVP
     
    Friday, February 10, 2012 2:44 AM