Neko Just Arrived
Joined: 07 Oct 2007 Posts: 0
|
Posted: Sun Oct 21, 2007 6:15 pm Post subject: E-mail Recovery in Outlook Express |
|
|
Hi,
I am trying to help out a friend, who suspects that one of his employees may be doing something malicious, recover some deleted email. They use Outlook Express to manage their email and it appears that this employee is deleting his email, compressing the .dbx files, and then deleting the .dbx files on a daily basis. I've been able to recover the deleted .dbx files, and ran DBXpress on them, but I am not getting any data. We don't know for sure if any wrongdoing is taking place and just want to find out what's going on, but it seems to me that his employee is being excessively tidy. Any help/tips would be greatly appreciated.
*EDIT*
I forgot to mention that we are working with the email server admin to see if they can recover anything on their end.
|
Neko Just Arrived
Joined: 07 Oct 2007 Posts: 0
|
Posted: Tue Oct 23, 2007 7:43 am Post subject: |
|
|
Well nm on that. He's just going to send the HDD off to a data recovery team. I'd still be interested in any suggestions anyone may have for future use though.
|
v Just Arrived
Joined: 21 Feb 2007 Posts: 0 Location: #openbsd @ irc.freenode.net
|
Neko Just Arrived
Joined: 07 Oct 2007 Posts: 0
|
Posted: Tue Oct 23, 2007 3:41 pm Post subject: |
|
|
I read that about the .pst files for Outlook, which worked OK when I tested it out on my machine, but this guy is using Outlook Express, which uses a .dbx file, so the same thing won't work unfortunately.
I did some Google searches for ways to recover .dbx files but all I saw was software to purchase which may or may not work. DBXpress seemed to work OK when I tested it out on my machine, but when I ran it on this guy's I came up with nothing. And I used the recovery tool from ERD Commander to recover the deleted .dbx files, which worked fine.
|
Sysops Just Arrived
Joined: 15 Dec 2007 Posts: 0
|
Posted: Sat Dec 15, 2007 6:59 pm Post subject: |
|
|
My friend just recently lost all of her emails. I believe it was through the server, so I told the administrator to get them through the host; but of course they said they think the host is non-helpful, so they didn't even ask.
|
The_Real_Gandalf Trusted SF Member
Joined: 14 Apr 2004 Posts: 0 Location: Athens,Greece
|
Posted: Tue Dec 18, 2007 9:51 am Post subject: |
|
|
This is a job for a forensics professional, as recovering the deleted dbx file is only the easy part.
You will probably need some "re-built" tools to work on the hexadecimal level, not to mention that you will have to be very careful while re-building the lost data (FROM A TAKEN IMAGE!!!) so you won't alter the data in hand.
Also take into serious consideration that, if the user thinks that his rights got violated (we are talking about privacy and emails here), he can go to court and then the company might face serious impacts from these actions.
My advice:...
Get a professional forensics investigator, if your company thinks that those emails are suspected for industrial espionage or other serious offences.
Gandalf
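Added example, not part of any post in this thread: a minimal Python sketch of working on a taken image at byte level without altering it. It hashes a working copy, scans it read-only for the `.dbx` file signature and for mail header lines, then re-hashes to show nothing changed. The signature bytes, header list, function names and sample data are assumptions of this example, not values given by the posters.

```python
import hashlib
import mmap
import re

# Leading 4 bytes of an Outlook Express 5/6 .dbx file (assumption, not from the thread).
DBX_MAGIC = bytes.fromhex("cfad12fe")
# RFC 822-style header lines that may survive outside any intact .dbx file.
HEADER_RE = re.compile(rb"(?:Received|Return-Path|Message-ID|Subject): [^\r\n]{1,200}\r?\n")


def sha256_of(path, chunk=1 << 20):
    """Hash the image in chunks so large images do not need to fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def find_all(buf, needle):
    """Return every offset at which needle occurs in buf."""
    offsets, pos = [], buf.find(needle)
    while pos != -1:
        offsets.append(pos)
        pos = buf.find(needle, pos + 1)
    return offsets


def scan_image(path):
    """Scan a working copy read-only and verify it was not modified."""
    before = sha256_of(path)
    with open(path, "rb") as fh, mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as buf:
        dbx_offsets = find_all(buf, DBX_MAGIC)
        header_hits = [(m.start(), m.group().rstrip().decode("latin-1"))
                       for m in HEADER_RE.finditer(buf)]
    after = sha256_of(path)
    if before != after:
        raise RuntimeError("image changed during analysis; findings cannot be relied on")
    return {"sha256": before, "dbx_offsets": dbx_offsets, "header_hits": header_hits}


def build_sample_image(path):
    """Write a small constructed 'image' for demonstration (not real evidence)."""
    data = (b"\x00" * 512 + DBX_MAGIC + b"\x00" * 508
            + b"Received: from mail.example.test\r\nSubject: constructed sample\r\n"
            + b"\x00" * 100)
    with open(path, "wb") as fh:
        fh.write(data)
    return path
```

Each offset returned is a lead for manual examination in a hex viewer, not a recovered message; record the hash alongside the findings so the procedure can be justified later.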
|
ThePsyko SF Mod
Joined: 17 Oct 2002 Posts: 16777178 Location: California
|
Posted: Wed Dec 19, 2007 7:35 pm Post subject: |
|
|
Or, grab it at the server level. What mail server is being used? If the emails are passing through the company server, then they technically belong to the company at that point (hopefully you had an AUP signed as a condition of employment) and can be split off and archived from there.
|
The_Real_Gandalf Trusted SF Member
Joined: 14 Apr 2004 Posts: 0 Location: Athens,Greece
|
Posted: Thu Dec 20, 2007 8:33 am Post subject: |
|
|
ThePsyko...
Outlook Express usually is not leaving any copies on the server unless it is set up to do so.
In addition to that, no matter where you "grab" those emails, from the moment they leave the sender's mailbox to the moment they arrive at the recipient's mailbox, they are considered to be protected with privacy rights, both in the U.S. (I do not remember the exact federal law by heart since I live in the E.U.) and the E.U. (law about individual rights according to the E.U. constitution).
You are never sure that those emails contain vital info about company issues, so by the time you are going to conduct a forensic search, you should be ready to support this search with proper procedures recorded and justified according to local laws.
Gandalf
|
Sysops Just Arrived
Joined: 15 Dec 2007 Posts: 0
|
Posted: Sun Jan 27, 2008 3:31 am Post subject: |
|
|
The_Real_Gandalf wrote: |
ThePsyko...
Outlook Express usually is not leaving any copies on the server unless it is set up to do so.
In addition to that, no matter where you "grab" those emails, from the moment they leave the sender's mailbox to the moment they arrive at the recipient's mailbox, they are considered to be protected with privacy rights, both in the U.S. (I do not remember the exact federal law by heart since I live in the E.U.) and the E.U. (law about individual rights according to the E.U. constitution).
You are never sure that those emails contain vital info about company issues, so by the time you are going to conduct a forensic search, you should be ready to support this search with proper procedures recorded and justified according to local laws.
Gandalf |
I really don't think you would need to jump through that many loops to recover your ... "your" emails from your hosting company, considering you are paying them to maintain your account.
|
The_Real_Gandalf Trusted SF Member
Joined: 14 Apr 2004 Posts: 0 Location: Athens,Greece
|
Posted: Thu Feb 07, 2008 3:44 pm Post subject: |
|
|
Yes...
You can retrieve them; however, messing with the data contained in the messages is a whole different story.
ISPs won't refuse to hand emails to you (if they do exist on their servers), but from that point to the point of investigating personal mails, you will have to comply with local laws... Unless of course you do not care about ending up in a courtroom as the accused person instead of being the accuser.
Gandalf
|