Good morning!
I’m new to forensics and have been tasked to research what software would be best used to capture all types of information from a live production Microsoft Exchange server. I know that Encase, Paraben, Helix all have the capability, but what does everyone think of their actual functionality? Is there some other program that everyone recommends? At this point cost is not an issue, I’m just trying to find which software is the best at capturing the data
1. Transparently
2. Quickly
3. Completely.
Does anyone have any recommendations or thoughts for me?
I think most of the people here will vote for F-Response.
FTK Imager Lite is my preferred imaging tool. It's free and it can create images in DD and EnCase format (plus some others).
Just a comment about F-Response. It's a program that permits you to connect to a remote computer, so you can then use your preferred imaging software (EnCase, FTK, etc.) to acquire an image of the remote drive. The remote computer's hard drive appears like a local drive in F-Response and can then be imaged using your preferred software.
Furthermore, although F-R is awesome, the reality of networking still puts concrete limitations on functionality.
Hello, see this thread…
http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=4839
I'm of the idea that the smaller the footprint, the better the result; installing something on a target machine for examination should be avoided whenever possible.
If you are looking at acquiring the media, then go with anything that's portable, like FTK Imager.
Since you have to start up FTK Imager anyway, you can use it also for memory acquisition; if you are planning to use separate tools, consider windd for acquiring the memory dump.
If you are looking at acquiring the media, then go with anything that's portable, like FTK Imager..
It would still need to interface with the target machine. To not take it down, F-Response would be the best because of the small foot print it offers on the target (memory, few reg keys, etc).
F-Response Enterprise is great, don't get me wrong, but the cheapest and quickest (and maybe easiest to explain in terms of changes made?) method here would be to attach an external USB hard drive with FTK Imager Lite on it.
Are you interested only in the data contained within Exchange, or do you want the entire server?
If just the Exchange db, depending upon your version of Exchange, NTBACKUP is simple to use and is modified by the installation of Exchange to allow for online backup of Exchange stores. This is important in terms of maintaining the integrity of a live Exchange instance since file-level or raw acquisition of open Exchange stores can lead to a corrupted Exchange on restore.
You can even use NTBACKUP to backup Exchange to a non-Exchange Windows installation using the following
http//
This would get around the small footprint issue.
There are also tools like Kroll's PowerControls which are ok if you have $$$.
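As an added illustration of the NTBACKUP approach described above (this is not code from the thread or from any poster), the command below runs an online backup of an Exchange storage group from the command prompt on the server, writing the .bkf file to an attached external drive so nothing is installed on the host. The server name EXCH01, the storage group name "First Storage Group" and the E:\acq output path are assumptions; substitute the names of the system being examined.

```batch
@echo off
REM Added example, not from the original thread.
REM Online backup of the Exchange Information Store with NTBACKUP.
REM Assumptions: EXCH01 is the (hypothetical) Exchange server, the storage
REM group is the default "First Storage Group", and E:\acq is an external drive.
set SRV=EXCH01
set SG=First Storage Group
set OUT=E:\acq\%SRV%_IS.bkf

REM The Exchange-aware NTBACKUP exposes each storage group under the
REM "Microsoft Information Store" node of the server, so the store is
REM backed up through the Exchange backup API rather than as open files.
ntbackup backup "\\%SRV%\Microsoft Information Store\%SG%" /j "Exchange IS acquisition" /d "%SRV% Information Store" /f "%OUT%" /v:yes /l:f

REM /v:yes verifies the backup set after it is written; /l:f writes a full
REM job log, which documents exactly what was acquired and when.
```

The resulting .bkf can be restored with NTBACKUP on a separate Windows installation that has Exchange installed, as the post above describes, which keeps the production server untouched beyond the backup job itself.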
Thanks so much for all the replies! This really points me in the right direction to begin my research.