IIS log | OWA access | cs-uri-query parameters

  • Question

  • User1042085530 posted

    Hello,

    I am a forensic computer examiner and want to ask this forum to help me solve my problem.

    I am investigating a case in which we think the network administrator logged into the mailboxes of all the board members via Outlook Web Access. He used the users' credentials and could do that because he knew all the passwords and the users were not allowed to change them!!

    The OWA access took place from several IP addresses belonging to his company, but also from (anonymous) proxy servers.

    Our goal is to pinpoint a person behind the illegal OWA access and not only assume the administrator is the bad guy because of his relationship with several IP addresses.

    We would like to know all about the parameter "sch=" within the 'cs-uri-query' field.

    This is one of the log lines (I masked the cs-ip with ##; IIS version 7.0):


    u_ex100913.log maandag 13 september 2010 8:44:56 10.10.20.3 GET /owa/ ae=Folder&t=IPF.Contact&newSch=1&scp=1&sch=football&prfltncy=435&prfrpccnt=18&prfrpcltncy=21&prfldpcnt=1&prfldpltncy=0&prfavlcnt=0&prfavlltncy=0 80 Piet 83.247.###.### Mozilla/5.0+(Windows+NT;+owaauth) 200 0 0 870

    content cs-uri-query

    ae=Folder
    t=IPF.Contact
    newSch=1
    scp=1
    sch=football
    prfltncy=435
    prfrpccnt=18
    prfrpcltncy=21
    prfldpcnt=1
    prfldpltncy=0
    prfavlcnt=0
    prfavlltncy=0

    In our case the parameter 'sch=' contains several different names and strings in which we are very interested.

       1. What is the purpose of this parameter?
       2. How is information stored within this parameter?
       3. Which kind of information is stored within this parameter?
       4. The strings and names come from the client, but what kind of information is it and what is the cause that this particular string gets into the IIS log?

    Could it be search strings or something like that?

    Can you help us?

    Kind regards and thanks in advance,

    Hans Heins

    Monday, February 21, 2011 1:58 PM

All replies

  • User690216013 posted

    Do you plan to play the role of CIA/FBI? If you are in US, I suggest you call 911.

    Besides, this is an IIS forum. Your question should go to the Exchange one,

    http://social.technet.microsoft.com/Forums/en/category/exchangeserver/

    OWA is a special web site, so only OWA experts can help you on this.

    Monday, February 21, 2011 8:55 PM
  • User1042085530 posted

    As I said, I am a forensic investigator.

    The guys on the Exchange forum directed me to this one because of the relationship with the use of OWA.

    It seems that nobody knows what the logged records mean.

    I am still waiting for the right info.

    Kind Regards,
    hans

    Tuesday, February 22, 2011 3:33 PM
  • User299556178 posted

    Hi,

    Look at the source code and search for sch=football or just football (check all files that are requested, it is a bit tricky). It should give you a context, which you can use to understand the meaning of this parameter. I don't have access to the log files where OWA is running, so I cannot get which files to check (and I don't have time to check the source code, beginning with the start page, to find all references).

    My guess however is that it is a contact list named Football.

    Wednesday, February 23, 2011 1:28 AM
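As an added example (not code from this thread, from Microsoft, or from any OWA component), the following Python reads IIS 7 W3C log lines like the one quoted in the question, keeps only requests under /owa/, and tabulates the decoded "sch" values per cs-username and c-ip, which is the per-person grouping the question is trying to establish. The log lines, the field order in the #Fields header, the usernames and the IP addresses are constructed for the example; the question's localized timestamp is written here in the standard IIS date/time form.

```python
# Added example (not from the forum thread): triage an IIS 7 W3C log for OWA
# requests and tabulate the cs-uri-query "sch" values per user and client IP.
# SAMPLE_LOG is constructed: the #Fields header uses the standard IIS W3C field
# names in the order assumed from the question; IPs are documentation ranges.
from urllib.parse import parse_qs
from collections import defaultdict

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2010-09-13 08:44:56 10.10.20.3 GET /owa/ ae=Folder&t=IPF.Contact&newSch=1&scp=1&sch=football&prfltncy=435 80 Piet 198.51.100.23 Mozilla/5.0+(Windows+NT;+owaauth) 200 0 0 870
2010-09-13 08:45:10 10.10.20.3 GET /owa/ ae=Folder&t=IPF.Note&newSch=1&scp=1&sch=budget%202011 80 Piet 198.51.100.23 Mozilla/5.0+(Windows+NT;+owaauth) 200 0 0 120
2010-09-13 09:01:02 10.10.20.3 GET /owa/ ae=Folder&t=IPF.Note&newSch=1&sch=merger 80 Klaas 192.0.2.77 Mozilla/5.0+(Windows+NT;+owaauth) 200 0 0 95
2010-09-13 09:02:30 10.10.20.3 GET /owa/ ae=Folder&t=IPF.Note 80 Klaas 192.0.2.77 Mozilla/5.0+(Windows+NT;+owaauth) 200 0 0 40
2010-09-13 09:03:00 10.10.20.3 GET /ecp/ sch=ignored 80 Klaas 192.0.2.77 Mozilla/5.0 200 0 0 40
"""

def parse_w3c(text):
    """Yield one dict per entry, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # the header can change mid-file
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split(" ")               # IIS encodes spaces in values as '+'
        if len(values) != len(fields):         # skip damaged or truncated lines
            continue
        yield dict(zip(fields, values))

def owa_search_terms(text, param="sch", stem_prefix="/owa/"):
    """Map (cs-username, c-ip) -> decoded values of `param` seen on OWA requests."""
    hits = defaultdict(list)
    for entry in parse_w3c(text):
        if not entry["cs-uri-stem"].startswith(stem_prefix):
            continue
        query = parse_qs(entry["cs-uri-query"], keep_blank_values=True)
        for value in query.get(param, []):     # parse_qs also URL-decodes (%20 -> space)
            hits[(entry["cs-username"], entry["c-ip"])].append(value)
    return dict(hits)

if __name__ == "__main__":
    for (user, ip), terms in sorted(owa_search_terms(SAMPLE_LOG).items()):
        print(f"{user:<8} {ip:<15} {terms}")
```

Running it against a real u_ex*.log gives, per mailbox user and source address, the list of strings submitted in sch=, which can then be compared with proxy-exit addresses and with the administrator's known addresses.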