AutoDiscover Forensics

Not open for further replies.

Bryan Milne

New Member
Outlook version: Outlook 2016 64 bit
Email Account: Exchange Server 2013
I am told that there are some who frequent this forum who carry out email forensics.

I am currently working a case where I have recovered several fragments of AutoDiscover.xml files. This is a single-user computer in an Active Directory environment, and as expected I have the user's AutoDiscover.xml file in its complete form.

In addition to the user's AutoDiscover file, I have carved fragments of several other users' AutoDiscover.xml files using a grep search for "\<AutoDiscoverSMTPAddress\>.*\<\/AutoDiscoverSMTPAddress\>", including a fragment which had intact HTTP headers dating the access time to the Exchange server.

I have been unable to find any documentation online which would indicate legitimate circumstances in which this might occur.

Can anybody point me to a definitive guide as to when user2's AutoDiscover.xml information would be accessed by user1 in the domain? Could this occur if user1 accessed user2's calendar?

Thanks for reading and any pointers are very much appreciated.
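
The carving approach described in the post, as an added Python example (not part of the original post): it searches a raw buffer for AutoDiscoverSMTPAddress elements and reports the HTTP Date header that directly precedes each fragment. It goes beyond the post's grep by also matching UTF-16-LE copies; the function names, window sizes, NUL-byte contiguity check and sample bytes are assumptions constructed for illustration.

```python
import re
from email.utils import parsedate_to_datetime

TAG = "AutoDiscoverSMTPAddress"
WINDOW = 2048   # bytes scanned before a hit for HTTP headers (assumed size)
MAX_ADDR = 640  # skip the hit if the closing tag is further away than this
DATE_RE = re.compile(rb"^Date:[ \t]*([^\r\n]+)", re.MULTILINE | re.IGNORECASE)

def _date_before(buf, pos):
    # Take the last Date header in the window, and only if no NUL byte lies
    # between it and the hit: a heuristic for "same contiguous fragment".
    window = buf[max(0, pos - WINDOW):pos]
    found = list(DATE_RE.finditer(window))
    if not found or b"\x00" in window[found[-1].end():]:
        return None
    try:
        return parsedate_to_datetime(found[-1].group(1).decode("ascii", "replace").strip())
    except (TypeError, ValueError):
        return None

def carve(buf):
    """Return hits sorted by offset: offset, encoding, address, http_date."""
    hits = []
    for enc in ("utf-8", "utf-16-le"):
        open_tag, close_tag = (f"<{t}{TAG}>".encode(enc) for t in ("", "/"))
        pos = buf.find(open_tag)
        while pos != -1:
            start = pos + len(open_tag)
            end = buf.find(close_tag, start, start + MAX_ADDR)
            if end != -1:
                hits.append({"offset": pos, "encoding": enc,
                             "address": buf[start:end].decode(enc, "replace").strip(),
                             "http_date": _date_before(buf, pos)})
            pos = buf.find(open_tag, start)
    return sorted(hits, key=lambda h: h["offset"])

# Constructed sample standing in for unallocated space: one UTF-8 fragment with
# its HTTP response headers, a gap, then a UTF-16-LE fragment without headers.
SAMPLE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/xml; charset=utf-8\r\n"
    b"Date: Tue, 05 Apr 2016 09:14:07 GMT\r\n\r\n"
    b"<User><DisplayName>User Two</DisplayName>"
    b"<AutoDiscoverSMTPAddress>user2@example.test</AutoDiscoverSMTPAddress>"
    + b"\x00" * 64
    + "<User><AutoDiscoverSMTPAddress>user3@example.test</AutoDiscoverSMTPAddress>".encode("utf-16-le")
)

if __name__ == "__main__":
    print(*carve(SAMPLE), sep="\n")
```

A Date header that sits near a fragment is only attributed to it when the bytes in between look contiguous; hits without one are reported with `http_date` set to `None` rather than borrowing a timestamp from a neighbouring fragment.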