Capturing Specific Inbound/Outbound Emails


Capturing Specific Inbound/Outbound Emails

Posted: Fri Nov 09, 2012 6:31 am

Hi All,

I was after some advice on alternative ways to collect any inbound and outbound email from multiple accounts through Exchange 2007.

My initial thoughts were to use F-Response and FTK Imager to acquire the live EDB, then use Nuix to process and search for the required content.

I need to have some alternatives as costs may be an issue in this matter. I was wondering if anyone knew of ways this could be handled at Exchange level without altering metadata of the mail, enable rules on mail criteria etc?

Thanks  

creeshie
Member
 
 
  

Re: Capturing Specific Inbound/Outbound Emails

Posted: Fri Nov 09, 2012 7:16 am

If you document your steps, what is the issue with creating rules?  

BitHead
Senior Member
 
 
  

Re: Capturing Specific Inbound/Outbound Emails

Posted: Fri Nov 09, 2012 7:22 am

Probably nothing, just wanted to preserve the original mail as much as possible and see if there were other options or methods out there that could be used.

creeshie
Member
 
 
  

Re: Capturing Specific Inbound/Outbound Emails

Posted: Fri Nov 09, 2012 9:04 am

We have had a lot of luck with using Paraben's Network Email Examiner to convert .edb's into .pst's or into individual .eml's. The only problem we have seen is with larger .edb's (i.e., 250GB+) where it tends to choke and freeze. The unfortunate issue in that scenario is that there is no resume functionality once you restart the conversion process, although you can usually figure out where it failed and re-initiate the process manually from the failure point. I cannot recall the cost for NEMX but seem to remember that it was fairly reasonable. Do note that the conversion process is quite slow with NEMX.

eyez0n
Member
 
 
  

Re: Capturing Specific Inbound/Outbound Emails

Posted: Fri Nov 09, 2012 10:27 am

creeshie wrote: "Probably nothing, just wanted to preserve the original mail as much as possible and see if there were other options methods out there that could be used."

OK. I just read the "I need to have some alternatives as costs may be an issue in this matter" part and thought rules to deliver to multiple mailboxes and then analyze those smaller objects would not require as many resources as examining the Exchange message store.

FWIW, you might get some ideas from these F-Response videos:
Real World F-Response - Email - Nuix Desktop
F-Response on a Live Microsoft Exchange Server + Paraben's Network Email Examiner
More Live Exchange Server with EnCase 6.12  

BitHead
Senior Member
 
 
  

Re: Capturing Specific Inbound/Outbound Emails

Posted: Fri Nov 09, 2012 2:44 pm

I was going to suggest something like Brightmail that can filter and run rules on email outside of your Exchange server, but that may not work with a tight budget.

This email is not an endorsement of Brightmail nor Symantec, I'm merely using it as an example.
_________________
Tony Patrick, B. Inf Tech, CFCE
www.patrickcomputerfor...s.com/blog
www.twitter.com/Patrick4n6 

Patrick4n6
Senior Member
 
 
  

Re: Capturing Specific Inbound/Outbound Emails

Posted: Mon Nov 12, 2012 8:25 am

Thanks for the posts, guys

creeshie
Member
 
 

Page 1 of 2