
Basic Image Capture and Exchange mailbox Capture

10 Posts
5 Users
0 Reactions
762 Views
(@tsv99)
Active Member
Joined: 15 years ago
Posts: 5
Topic starter  

I have been requested to capture a documents folder (office documents and pdf's) and also a single mailbox in Exchange. They are both on RAID5 arrays.

Of course I have almost no budget to do this process. I have found a lot of information online but it seems pretty hit or miss and very application specific.

Any suggestions or technical documents you can suggest would be very helpful. I have no forensic experience but I do have a solid IT administration background. However, looking into this had made me very interested in the forensics field.

I hope that this has been put in the proper section. Thank you very much in advance.


(@patrick4n6)
Honorable Member
Joined: 16 years ago
Posts: 650
 

You can use Exmerge to capture Exchange data on a live system. There's no cost for that.

Please specify if you're going for forensic capture of the drives for the documents, or just looking to preserve the documents themselves with metadata intact from a live system, as the methodology would be different.


(@tsv99)
Active Member
Joined: 15 years ago
Posts: 5
Topic starter  

Patrick - Thanks for your response.

- preserve the documents themselves with metadata intact from a live system would be fine I think.

- I have used Exmerge when migrating exchange servers, so I am familiar with the utility. What would the process be for doing it though? Just like I would during a server migration? Run the utility and copy the .pst off to an external drive. Is that a forensically sound process?

Thanks so much for your help!


(@ronanmagee)
Estimable Member
Joined: 20 years ago
Posts: 145
 

You can use Exmerge to capture Exchange data on a live system. There's no cost for that.

You don't say what version of Exchange it is. Exmerge was replaced with Exchange Management Shell in Exchange 2007. If it is Exchange 2007 RTM then you will not have the ability to extract to PST; this was only implemented in SP1 and later.

You can use ExMerge with 2007 if you have the executable and some time to research how you connect to the exchange server.

For the documents folder, if you have EnCase, you can create a Logical Evidence File of that folder. I suspect you don't have EnCase, and if you do not require the copy to be forensically sound, you could use Robocopy to preserve timestamps etc and create a log of the copy.

Alternatively, FTK Imager is freely available and could capture the image in a forensically sound manner and then it would be up to you to identify the format to capture in and a method to review the documents.

Ronan


 samr
(@samr)
Estimable Member
Joined: 20 years ago
Posts: 119
 

tsv99

One thing that I would add is to carefully note everything that you have done. Simplistically, something along the lines of:

Logged in as "administrator" at *. Connected a forensically clean drive to *
Used Exmerge version to extract * and saved to *.
Used FTK version
* to extract * to *.
Completed examination at ***.

Kind regards


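Ronan's advice to copy with timestamps preserved and keep a log of the copy, and samr's advice to note every step, come down to the same two habits: hash what you preserved, and write down what you did while you do it. The Python script below is an added example, not code from this thread or from any tool mentioned in it. It assumes the copy has already been made with a timestamp-preserving tool (for instance Robocopy with /E /COPY:DAT /DCOPY:T and a /LOG: file) and then verifies the copy against the source file by file, recording every hash and every discrepancy in an append-only, UTC-timestamped acquisition log. The "documents" tree it checks is constructed inside the script so it runs anywhere.

```python
"""Verify a preserved copy and keep a contemporaneous acquisition log.

Added example (not from the thread). Assumes the copy itself was already made
with a tool that preserves timestamps (for instance Robocopy); this script only
checks the result and records what was checked.
"""
import getpass
import hashlib
import os
import shutil
import socket
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict, List, Tuple


def sha256_file(path: Path, bufsize: int = 1 << 20) -> str:
    """Stream the file so large office documents and PDFs are not read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(bufsize), b""):
            h.update(block)
    return h.hexdigest()


class AcquisitionLog:
    """Append-only, UTC-timestamped notes of who did what, where, and with what."""

    def __init__(self, path: Path):
        self.path = path
        try:
            user = getpass.getuser()
        except Exception:  # no login name available in some restricted sessions
            user = "unknown"
        self.note(f"log opened by {user} on {socket.gethostname()}")

    def note(self, text: str) -> str:
        line = f"{datetime.now(timezone.utc).isoformat(timespec='seconds')}  {text}"
        with self.path.open("a", encoding="utf-8") as f:
            f.write(line + "\n")
        return line


def verify_copy(src: Path, dst: Path, log: AcquisitionLog) -> List[Tuple[str, str]]:
    """Compare every file under src with its counterpart under dst.

    Returns (relative path, reason) for each discrepancy; an empty list means the
    copy is byte-identical and the modification times survived.
    """
    problems: List[Tuple[str, str]] = []
    checked = 0
    for root, _dirs, files in os.walk(src):
        for name in files:
            s = Path(root) / name
            rel = s.relative_to(src)
            d = dst / rel
            checked += 1
            if not d.is_file():
                problems.append((str(rel), "missing in destination"))
                log.note(f"{rel}  MISSING in destination")
                continue
            src_hash, dst_hash = sha256_file(s), sha256_file(d)
            reasons = []
            if src_hash != dst_hash:
                reasons.append(f"hash mismatch {src_hash[:12]} != {dst_hash[:12]}")
            # One-second granularity: FAT volumes and some network shares round
            # timestamps even when the copy tool preserves them.
            if abs(s.stat().st_mtime - d.stat().st_mtime) > 1:
                reasons.append("modification time differs")
            problems.extend((str(rel), r) for r in reasons)
            # Every source hash goes into the log so the hash list can be produced later.
            log.note(f"{rel}  sha256={src_hash}  {'OK' if not reasons else '; '.join(reasons)}")
    log.note(f"verification finished: {checked} files, {len(problems)} discrepancies")
    return problems


def demo() -> Dict[str, List[Tuple[str, str]]]:
    """Constructed sample: a small documents tree, a metadata-preserving copy,
    a clean verification, then the same check after one copied file is altered."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src, dst = root / "documents", root / "documents_copy"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "budget.xlsx").write_bytes(b"constructed sample spreadsheet")
        (src / "policy.pdf").write_bytes(b"%PDF-1.4 constructed sample pdf")
        shutil.copytree(src, dst)  # copy2 semantics: contents and mtimes preserved
        log = AcquisitionLog(root / "acquisition.log")
        clean = verify_copy(src, dst, log)
        # Simulate a copy that was touched after acquisition.
        (dst / "policy.pdf").write_bytes(b"%PDF-1.4 altered after the copy")
        tampered = verify_copy(src, dst, log)
        return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(demo())
```

Anything verify_copy returns belongs in the notes as well, with what was done about it. The mtime comparison is deliberately coarse (one second), so a reported difference is a real one rather than file-system rounding; if the target volume is NTFS to NTFS it can be tightened.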
(@tsv99)
Active Member
Joined: 15 years ago
Posts: 5
Topic starter  

Thanks for all the help everyone.

The data does need to be forensically sound. How do I make a forensic image of a RAID 5 array? Will FTK do that? Is it one image or 3?

Is using Exmerge forensically sound? The system is Exchange 2003 sp2.

Is there any free, or at least a lot cheaper than EnCase, forensic software around that you guys recommend to analyse that data?


(@patrick4n6)
Honorable Member
Joined: 16 years ago
Posts: 650
 

Exmerge is used extensively in the e-discovery realm. Forensics generally requires a higher standard of preservation where possible, and using Exmerge on a live system is going to result in changes, albeit explainable ones. You can always preserve the system first, and then extract with Exmerge later, and then it would be hard to argue that your results aren't sound nor reproducible, although depending on your needs, this may be like cracking an egg with a sledgehammer.

As for imaging a RAID5, you have 2 options: logical RAID imaging, and physical drive imaging. Addressing the second option first, you simply image all the drives in the RAID, and then let your forensic software reconstruct the RAID from the images. I know that X-Ways does this quite nicely, although if you're looking for free, then consider PyFLAG, a free forensic tool made by the guys at Australian DoD.

If you want a logical image of the RAID, which is to say capturing the RAID as if it were 1 hard drive, then you need a forensic boot disk which will support the RAID hardware and present you the drive as a device, and then image the device much the same way as you'd image a regular hard drive. Depending on the size of the RAID, you're going to need to image to a RAID or perhaps to a large drive using compression to fit it all in.


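To make the "image every member, then reconstruct" option concrete, here is an added Python example (not from the post above or from any product named in it) that rebuilds a logical RAID5 volume from per-member images, survives one missing member, and checks stripe parity. It assumes the left-symmetric layout (the Linux md default) and a 16-byte chunk on a constructed sample volume; on a real array the layout, chunk size, member order and data start offset are unknowns that have to be established before any rebuild, which is the work a forensic suite does when it reconstructs the RAID for you.

```python
"""Reassemble a RAID5 volume from per-member images, and check its parity.

Added example (not from the thread). Implements the left-symmetric layout with
an assumed chunk size; a real controller's layout, chunk size, member order and
start offset must be established first.
"""
from typing import List, Optional


def xor_blocks(blocks: List[bytes]) -> bytes:
    """XOR equal-length blocks; RAID5 parity is the XOR of a stripe's data chunks."""
    acc = 0
    for b in blocks:
        acc ^= int.from_bytes(b, "big")
    return acc.to_bytes(len(blocks[0]), "big")


def parity_disk(stripe: int, ndisks: int) -> int:
    """Left-symmetric: parity starts on the last member and rotates backwards."""
    return (ndisks - 1) - (stripe % ndisks)


def data_disk(stripe: int, ndisks: int, d: int) -> int:
    """Data chunk d of a stripe sits on the member just after parity, wrapping."""
    return (parity_disk(stripe, ndisks) + 1 + d) % ndisks


def build_members(data: bytes, ndisks: int, chunk: int) -> List[bytes]:
    """Constructed test input: split a logical volume into member images."""
    per_stripe = chunk * (ndisks - 1)
    padded = data + b"\0" * (-len(data) % per_stripe)
    members = [bytearray() for _ in range(ndisks)]
    for s in range(len(padded) // per_stripe):
        stripe: List[Optional[bytes]] = [None] * ndisks
        for d in range(ndisks - 1):
            off = s * per_stripe + d * chunk
            stripe[data_disk(s, ndisks, d)] = padded[off:off + chunk]
        stripe[parity_disk(s, ndisks)] = xor_blocks([c for c in stripe if c is not None])
        for i in range(ndisks):
            members[i] += stripe[i]
    return [bytes(m) for m in members]


def reassemble(members: List[Optional[bytes]], chunk: int) -> bytes:
    """Rebuild the logical volume; at most one member may be None (degraded set).

    A missing chunk, whether data or parity, is the XOR of the other chunks in
    its stripe, which is why one member image can be absent or unreadable.
    """
    ndisks = len(members)
    missing = [i for i, m in enumerate(members) if m is None]
    if len(missing) > 1:
        raise ValueError("RAID5 tolerates only one missing member")
    sizes = {len(m) for m in members if m is not None}
    if len(sizes) != 1:
        raise ValueError("member images differ in size")
    size = sizes.pop()
    out = bytearray()
    for s in range(size // chunk):
        stripe = [None if m is None else m[s * chunk:(s + 1) * chunk] for m in members]
        if missing:
            stripe[missing[0]] = xor_blocks([c for c in stripe if c is not None])
        for d in range(ndisks - 1):
            out += stripe[data_disk(s, ndisks, d)]
    return bytes(out)


def verify_parity(members: List[bytes], chunk: int) -> bool:
    """True when every stripe XORs to zero. A failure points at a wrong chunk size
    or layout, or a stale member image. It cannot detect a wrong member order,
    because XOR is commutative; that has to be checked against file system structures."""
    for s in range(len(members[0]) // chunk):
        stripe = [m[s * chunk:(s + 1) * chunk] for m in members]
        if any(xor_blocks(stripe)):
            return False
    return True


# Constructed sample volume: several stripes' worth of data across four members.
SAMPLE = b"Constructed logical volume contents spanning several RAID5 stripes." * 3

if __name__ == "__main__":
    imgs = build_members(SAMPLE, ndisks=4, chunk=16)
    print("parity consistent:", verify_parity(imgs, 16))
    degraded = imgs[:2] + [None] + imgs[3:]
    print("degraded rebuild matches:", reassemble(degraded, 16)[:len(SAMPLE)] == SAMPLE)
```

The parity check is a cheap first test of the assumed geometry, but note its blind spot: two members swapped still pass it while the rebuilt volume is scrambled, so the final confirmation is always that a file system, and then the documents themselves, parse correctly from the reassembled image.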
(@tsv99)
Active Member
Joined: 15 years ago
Posts: 5
Topic starter  

Tony I can't say thanks enough for the time you're taking to help me out.

- I am required to produce a single mailbox for a user that is currently employed and has a live mailbox. There are disk based backups also available of the Exchange database.

- I am also required to produce an image of the company's documents directory with metadata intact.

I would prefer to make a logical image of the RAID. Do you have software that you suggest for doing that?


CdtDelta
(@cdtdelta)
Estimable Member
Joined: 17 years ago
Posts: 134
 

You could use F-Response and then image the RAID with the tool of your choice. Actually you could use F-Response for all of what you are going to do (along with whatever tool of your choosing).

Tom


(@tsv99)
Active Member
Joined: 15 years ago
Posts: 5
Topic starter  

Tom -

Thanks for the suggestion of using F-Response. It looks like exactly what I am looking for. The price is right too.

I also saw demos with Paraben's Network Email Examiner and X-Ways. They seem to do similar things; however, Paraben seemed to be a lot better at extracting the email to a PST from a live Exchange DB.

However, X-Ways and Paraben together could get expensive.

