
Investigating allegations of email tampering

Uncovering the Cause of Missing Emails in a Shared Mailbox

When important emails went missing from a shared mailbox, we were called in to assist in the investigation to establish whether malicious activity was involved.   

Our client was tasked with investigating allegations of mailbox tampering. Salient provided expert digital forensic support to their investigatory team in the collection, reconciliation and analysis of various datasets, in the interview process with key individuals, and in preparing their findings in terms a non-technical audience would understand.

The investigation evolved as the cause of the concerns emerged and focus shifted to the organisation’s overall approach to IT security.

The challenge

This was a sensitive investigation with multiple individuals accessing a shared inbox.  It was alleged that emails had been deleted to support fraudulent behaviour and we were called on to establish the facts in the case.

A broad collection of data was required, including local, device-level logs as well as server-level information related to numerous individuals through Microsoft Purview eDiscovery. It was then necessary to reconcile and de-duplicate the various datasets collected to unravel a timeline, establish what had happened and who had instigated which actions, and search for traces of deleted messages.

Our solution

Salient’s team collected and acquired forensic images of laptops, as well as providing the end client’s IT team with support in managing a rigorous, complete collection of data in Microsoft 365. All evidence was collected in a forensically sound manner, ensuring the integrity, authenticity, and admissibility of the collected data.

Our digital forensics experts carried out:

  • Cross-referencing and de-duplication of data, and reconciliation of user activities to identify a timeline of events
  • Detailed classification of information to group data
  • Analysis and scrutiny of local device logs vs server-level logs to identify discrepancies
  • Searches using Microsoft Purview eDiscovery to retrieve evidence of deleted and moved items


Our experts were also involved in advising the investigations team when questioning the key individuals in the case.

Having thoroughly investigated the data, we produced a visual timeline and various diagrams to demonstrate to a non-technical audience how we reached our final conclusions. We were required to explain the movements of the emails from the shared mailbox and track activities at both server and device level in order to avoid and explain double-counting of the data.

Results

Ultimately, the investigation did not reveal any malicious activity; however, it was established that data security controls and access management should be enforced. The end client requested recommendations on how to make improvements, and our sister company, Cloud Essentials, provided them with a security baseline assessment to provide a roadmap for improvements. We were responsive to the changing demands of the investigation as it progressed and our experts produced rigorous, evidence-based findings to support the investigators’ conclusions.
