Exchange by NEMX

(@chitapett)
Posts: 76
Estimable Member
Topic starter
 

Quick question: has anyone tried doing an Exchange collection using Paraben's Network Email Examiner (NEMX) from a live Exchange server, or does the server always have to be shut down (services) and preserved? Assuming the Exchange server is supported and using the latest version of Paraben.

 
Posted : 23/06/2011 2:54 am
(@douglasbrush)
Posts: 812
Prominent Member
 

F-Response would be a good option, and they have a video up showing the set-up you are describing:
http://blip.tv/fresponse-extend-your-arsenal/f-response-live-exchange-server-1074313

 
Posted : 23/06/2011 4:47 am
(@bithead)
Posts: 1206
Noble Member
 

And it actually works in the real world just like in the video.

 
Posted : 23/06/2011 6:26 am
(@chitapett)
Posts: 76
Estimable Member
Topic starter
 

Thanks for the informative responses.

So F-Response Consultant Edition works as a proxy between Exchange and NEMX? The video didn't mention whether F-Response was "normalizing" the live Exchange EDB files so that NEMX could properly view the data without closing the service, or if NEMX was capable of doing so if installed on the Exchange server. Thoughts? The video makes it look pretty easy, and going off BitHead's response perhaps it is.

Do you know if this process can be executed through the Field Kit edition ($300), or if you need the Consultant edition ($3K)?

Thanks!

 
Posted : 24/06/2011 11:08 pm
(@bithead)
Posts: 1206
Noble Member
 

Do you know if this process can be executed through the Field Kit edition ($300), or if you need the Consultant edition ($3K)?

All editions of F-Response create the same connection to the remote machine. The difference between the editions is the number of users, remote deployment of client and how many dongles are required (Consultant and Enterprise only require a dongle on the examiner's machine).

 
Posted : 25/06/2011 2:00 am
(@douglasbrush)
Posts: 812
Prominent Member
 

F-Response uses an iSCSI connection to see the physical and/or logical volumes on the server. Is it a physical server or a VM? It depends, because you will need to use the USB dongle on the target machine if you use the Field Kit edition, and some virtualized configs won't give you a USB port to plug into.
More here on Field Kit: http://www.f-response.com/index.php?option=com_content&view=article&id=165&Itemid=83

With the Consultant Edition you don't need the physical access. Either way, the connection through the iSCSI initiator is the same process.

You could make a Volume Shadow Copy with VSS to make a volume that is "frozen" and imaged that way - F-Response will mount VSS volumes.

May even want to give F-Response a call for advice on what will work best - they are extremely nice and helpful.

 
Posted : 25/06/2011 2:02 am
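The VSS approach Douglas describes, as an added PowerShell example that is not code from this thread, from F-Response or from Paraben: snapshot the volume holding the mailstore, expose the frozen view through a directory symlink, then hash and copy the EDB from the snapshot rather than from the live file. The drive letter, EDB path, mount point and output directory are assumed placeholders.

```powershell
# Added example: freeze a volume with VSS and collect a file from the frozen view.
# Assumptions (not from the thread): the mailstore sits on D:, at the path below.
$Volume  = 'D:\'
$EdbPath = 'Exchange\Mailbox Database\Mailbox Database.edb'   # placeholder path
$Mount   = 'C:\vss_frozen'                                     # symlink that exposes the snapshot
$OutDir  = 'E:\evidence'                                       # collection target

# 1. Create the shadow copy through WMI (static Win32_ShadowCopy.Create method).
$result = (Get-WmiObject -List Win32_ShadowCopy).Create($Volume, 'ClientAccessible')
if ($result.ReturnValue -ne 0) {
    throw "Shadow copy failed, WMI return code $($result.ReturnValue)"
}

# 2. Resolve the snapshot's device path, e.g. \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN
$shadow = Get-WmiObject Win32_ShadowCopy | Where-Object { $_.ID -eq $result.ShadowID }
$device = $shadow.DeviceObject + '\'          # mklink requires the trailing backslash

# 3. Expose the frozen volume as a directory; a ClientAccessible snapshot is read-only.
cmd /c mklink /d $Mount $device | Out-Null

# 4. Hash the frozen file, copy it, and verify the copy against the snapshot hash.
$src = Join-Path $Mount $EdbPath
New-Item -ItemType Directory -Force $OutDir | Out-Null
$dst = Join-Path $OutDir (Split-Path $EdbPath -Leaf)
$before = (Get-FileHash $src -Algorithm SHA256).Hash
Copy-Item $src $dst
$after  = (Get-FileHash $dst -Algorithm SHA256).Hash
if ($before -ne $after) { throw 'Copied file does not match the snapshot' }
"$after  $dst" | Out-File (Join-Path $OutDir 'hashes.txt') -Append

# 5. Clean up: drop the symlink, then the snapshot itself.
cmd /c rmdir $Mount | Out-Null
$shadow.Delete()
```

A snapshot created this way does not involve the Exchange VSS writer, so the frozen EDB is crash-consistent rather than application-consistent; note that in the collection record and expect the database to be in a dirty-shutdown state.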
(@chitapett)
Posts: 76
Estimable Member
Topic starter
 

Is it a physical server or VM?

Physical Box

You could make a Volume Shadow Copy with VSS to make a volume that is "frozen" and imaged that way - F-Response will mount VSS volumes.

I want to avoid having to preserve the whole exchange db.

I understand that all versions of F-Response use iSCSI, but do they do anything to the live Exchange server to allow NEMX to access the open database, or is that just how NEMX works? I spoke to Paraben last week and they said that NEMX is not supported on live Exchange servers, so I'm trying to figure out if F-Response provides special handling of the live DB through a snapshot/caching, or if this is just a function of NEMX and I was misinformed by Paraben?

I'm gathering that F-Response provides the ability to map or connect through an internet connection protocol the exchange server DB directory, functionally like EnCase's VFS? Tell me if I'm way off base here.

 
Posted : 25/06/2011 2:38 am
(@paraben)
Posts: 47
Eminent Member
 

Chitapett,

I apologize for the delay in my response. NEMX does not support acquisitions of live Exchange mailstores. It's only designed to analyze previously acquired files.

We do have this functionality in our network forensic tool - Shuttle Pro. It's designed to provide special handling of Exchange mailstores during collection to prevent data corruption on the live file. You can check out the free version of the tool, Shuttle Free, that only acquires active memory but allows you to get a feel of how easy the tool is to use.

 
Posted : 28/06/2011 12:54 am