How about searching your common network shares for a file containing the same text?

Probably it's still there; forgot to delete. In the novel "The Partner" there is one place which says "When you do a murder, you do 25 mistakes, if you can cover 15 of them you are a genius", and check the local drive of the most mischievous guys of the office.

regards
Kuminda

Kuminda Chandimith
Sr. Technical Consultant
Ducont.com FZ-LLC
Tel: + 971-4-3913000 Ext 237
Fax: +971-4-3913001
http://www.ducont.com

-----Original Message-----
From: Roger Seielstad [mailto:[EMAIL PROTECTED]]
Sent: 20 October 2001 22:42
To: Exchange Discussions
Subject: RE: Investigating a Forged Message

Not necessarily. If it's a regular occurrence that the user (McDonald) leaves his machine for extended periods (meetings, etc.) without locking it, it's just a bit of social engineering to identify when those times are.

From there, the initial message could be crafted days ahead of time, and saved as a text file/Word doc until such time as the perp was ready to do it, at which point it's fairly trivial timewise.

Roger
------------------------------------------------------
Roger D. Seielstad - MCSE MCT
Senior Systems Administrator
Peregrine Systems
Atlanta, GA
http://www.peregrine.com

> -----Original Message-----
> From: Tim Ault [mailto:[EMAIL PROTECTED]]
> Sent: Friday, October 19, 2001 9:13 AM
> To: Exchange Discussions
> Subject: RE: Investigating a Forged Message
>
> Thanks.
>
> I believe item #1 (of my post) is most probable.. hell, I must leave OL2k open and unattended on my PC a dozen times every day for minutes at a stretch.
>
> However, this takes balls. Considering the length and articulate phrasing of the message, it seems the person would have spent an inordinate amount of time at McDonald's desk. Certainly someone should have seen somebody there.
>
> I have recommended they check the EV on the server which McDonald's mailbox resides for EV 1016's.. just in case the Admin was in on it.
>
> Tim.
>
> -----Original Message-----
> From: Wright, Steven [mailto:[EMAIL PROTECTED]]
> Sent: Friday, October 19, 2001 11:47 AM
> To: Exchange Discussions
> Subject: RE: Investigating a Forged Message
>
> It appears that it was sent via Exchange since there are no internet addresses in the TO: FROM: fields. Also, if you check the headers and there is nothing there, then you have the culprit in-house and logging on legitimately via the user's account. The original suggestions below are probably what occurred.
>
> How accessible is the VP's computer? Maybe someone took a quick opportunity at an unattended computer. If they were very clever, they might have set the message to delay a day or so before delivery.
>
> Hope everyone at the company took it seriously and went home ;-)
>
> Steve
>
> -----Original Message-----
> From: Martin Blackstone [mailto:[EMAIL PROTECTED]]
> Sent: Friday, October 19, 2001 11:39 AM
> To: Exchange Discussions
> Subject: RE: Investigating a Forged Message
>
> Headers, Let us see the headers.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tim Ault
> Sent: Friday, October 19, 2001 8:33 AM
> To: Exchange Discussions
> Subject: Investigating a Forged Message
>
> Here's a little something some of you may enjoy this fine Friday.. put on your investigator hats..
>
> My wife forwarded this message to me:
>
> > From: McDonald, Arthur K.
> > Sent: Friday, October 19, 2001 9:19 AM
> > To: EPDS Contractors; EPDS - EPI Data Systems
> > Subject: Much to be grateful for...
> >
> > All of us in this division have much to be grateful for and for that reason, I would like to encourage each of you to go home at noon today. You may use my annual leave since I have far more than I will ever use. Go home, be with your families, talk with your neighbors, love life and be grateful for all we have in this great nation of ours. Then come back on Monday refreshed and ready to take on the world!
>
> ahem.. *chortle* ..well, in any event, "Arthur", VP (Very Pissed), wants a head on a pike. I will offer to him (via my woman) the following likely prospects:
>
> 1) The culprit got direct access to OL2k on the desktop;
> 2) The culprit knew Arthur's username & password;
> 3) A confederate Exchange Admin granted "User" or "Send as" permission to culprit
> 4) Culprit spoofed the message from an SMTP srvr, or used a similar serve from the web.
>
> Feel free to presume the obvious; and I can pass along a few details that have been provided to me. Care to contribute?
>
> Tim.
>
> _________________________________________________________________
> List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
> Archives: http://www.swynk.com/sitesearch/search.asp
> To unsubscribe: mailto:[EMAIL PROTECTED]
> Exchange List admin: [EMAIL PROTECTED]
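
The share search suggested in the top reply, as an added example that is not from any poster in the thread: it scans a directory tree for a distinctive phrase from the forged message as both 8-bit and UTF-16LE text, since Roger's reply notes the draft may have been saved as a text file or Word doc. The chosen phrase, the function names and the sample files built in `demo()` are assumptions constructed for illustration.

```python
import os
import re
import tempfile
from datetime import datetime
# Distinctive phrase from the forged message quoted in the thread.
PHRASE = "love life and be grateful for all we have"

def phrase_patterns(phrase):
    """Byte regexes for the phrase as 8-bit and UTF-16LE text, any whitespace."""
    words = phrase.split()
    narrow = rb"\s+".join(re.escape(w.encode("ascii")) for w in words)
    wide = rb"(?:[ \t\r\n]\x00)+".join(
        re.escape(w.encode("utf-16-le")) for w in words)
    return [re.compile(narrow, re.I), re.compile(wide, re.I)]

def search_tree(root, phrase=PHRASE, max_bytes=20 * 1024 * 1024):
    """Return (path, mtime) for every readable file containing the phrase."""
    patterns = phrase_patterns(phrase)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
                if st.st_size > max_bytes:
                    continue
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # locked or unreadable: skip and keep scanning
            if any(p.search(data) for p in patterns):
                hits.append((path, datetime.fromtimestamp(st.st_mtime)))
    return sorted(hits, key=lambda h: h[1])  # oldest candidate first

def demo():
    """Run the search over a constructed sample share in a temp directory."""
    with tempfile.TemporaryDirectory() as share:
        samples = {  # constructed sample files, not real evidence
            "draft.txt": b"talk with your neighbors,\r\nlove life and be\r\ngrateful for all we have",
            "draft.doc": b"\xd0\xcf\x11\xe0" + "Love life and be grateful for all we have".encode("utf-16-le"),
            "minutes.txt": b"Agenda: budget review, grateful for coffee",
        }
        for name, data in samples.items():
            with open(os.path.join(share, name), "wb") as fh:
                fh.write(data)
        return sorted(os.path.basename(p) for p, _ in search_tree(share))

if __name__ == "__main__":
    print(demo())
```

Opening files can update their last-access times, so run this against a read-only mount or a copy of the share, and compare each hit's modification time with the 9:19 AM send time of the message.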

