Posted on - 11/08/2011
Before migrating, a company was running on an Exchange 2003 server. The company has given me the mandate to go through some backup files before migration. In order to determine whether an employee accessed another employee’s mailbox, I have to go through all the access logs. I am not saying that an employee accessed another’s mailbox, but the chances are high that one did so. Before the migration the Exchange 2003 server was set up in a way that no trail was to be revealed; however, in the First Storage Group -> Mailbox Store -> Logons, the trails are visible. I have tried a number of tools, but all of them just restore the mailboxes and their contents. I have a few questions regarding the EDB file that I have and the logs: could they be recoverable, and are they really part of the EDB?
EDB logs could be recoverable
To review the audit trail of mailboxes for tracking purposes, as to who accessed other persons' mailboxes and folders in Exchange 2003, you have to use a specialized procedure, using the Exchange System Manager and the Event Viewer. Furthermore, a tool called PFDAVAdmin also helps to determine which folders have been accessed.
Exchange System Manager consists of Mailbox and Logon objects under each mailbox store, which display the LASTLOGON column, enabling the administrator to see the account that accessed a particular mailbox. See the figure.
In the figure you can clearly see that the mailbox of user1 has been accessed by the user of domain NGH.
In the Event Viewer you can also see an event where the above access by user 3 to user 1's box is logged.
Now let’s see the PFDAVAdmin tool. This tool can explain which particular folder was accessed by which user. The tool can be downloaded from:
After installation of the tool, click on run, and select to connect to all mailboxes.
Now expand the administrator mailbox, right-click Top of Information Store, and choose Property Editor.
Now select ptagFID : 0x67480014 from the property option, select the display radio button, and make sure that "Perform this action on all subfolders of the selected folder" is check-marked.
Now click the execute button; another screen will pop up, which will contain the list / details of all the folders. You can match the folder ID which was displayed on the event journal, informing which folder was accessed by user3.