0

I sent an excel file over Hotmail to another hotmail account on my work computer around 5 months ago. This email has since been deleted by the sender and the receiver. Is it possible for my employer to go back and retrieve the email and file?

A few extra things to note:

  • the website was protected by https
  • when looking at the certificate authority of the browser it all looked legitimate (i.e. no mention of 'THECOMPANY - VA).

If my employer isn't using MITM would it be possible for them to retrieve it?

Even though the certificate authority looked legit, is it still possible there's a MITM used and if there is one used how easy would it be for them to go back and retrieve the file?

Edit: this is not a general quesion on whether a company can monitor employees on their server, it's a specific question on whether it's likely a MITM is used and if a file sent over personal email from months previous can be retrieved or is sitting on the server at all. Also to clarify the size of the company is around 600 people.

Peter
  • 1
  • 1
  • If they are using some kinds of Data Loss Prevention system, they could even be monitoring unexpected files opened by browsers. – Matthew Jul 27 '17 at 10:30
  • 1
    I suggest you speak to IT. Only they will know the answer to your problem, all other comments and answers on here are speculation and opinion. – ISMSDEV Jul 27 '17 at 11:28
  • within your constraints, no they cannot see it. – dandavis Jul 27 '17 at 20:44

2 Answers2

1

Yes, it could be possible for them to retrieve the contents of the email. There are two options:

  • They monitor the network, i.e. do MITM and TLS-intercept. The fact that you didn't find your company name in the certificate chain is no guarantee that there were no rouge certificates installed in your trust store. They could be named something much more innocent.
  • They monitor your computer, e.g. by saving files opened by browsers as suggested by Matthew.
Anders
  • 65,052
  • 24
  • 180
  • 218
  • Thank you. How common is it for small to medium companies to have MITM/TLS-intercept? For point 2, if the file saved would there be a way of seeing if that was the file sent via the personal email? – Peter Jul 27 '17 at 11:50
0

Common usages are to only log request headers, and not their full body content, so unless your company has very high security requirements, it is unlikely that they kept the full transcript of your file upload.

MITM in often used in medium to large company to cope with Deep Packet Inspection. This is an additional security measure that can come with full request logs for later analysis, mainly after a security alert. In West European countries, employees must be warned of all possible logs, but I'm unsure of how it goes in other countries.

Said differently, logging full HTTPS exchange without first setting up DPI is certainly possible but is uncommon. But as offline attack is not time constrained as online attack is, and depending on the SSL/TLS level of the exchange, it could be used to try to decode the exchange by brute force. But here again it is IMHO unlikely, because the common usage would be to first setup DPI.

So if you leave in a West European country and has not be warned of possible logging, or can be reasonably sure that DPI was not in use, it is very unlikely that your company has kept a full transcript of the exchange. But when you use their machines, they can know a lot of what you do...

Serge Ballesta
  • 25,952
  • 4
  • 42
  • 84