Interesting Post.
Interesting Post!
For obtaining RAM Dumps take a look at
1. HBGary's FD, FDPro.
2. Matthieu Suiche's Win32dd, Win64dd. http//
3. GMG Systems, Inc.'s KnTTools. http//
4. FTK Imager Lite is also good for RAM dumps if Imager is also used for other purposes at the same time, i.e. live imaging or searching for a specific file.
With the server aspect you may desire to use these with netcat/cryptcat.
Regards,
Chris Currier
CMT Digital Solutions, Inc.
If it doesn't have to be live, and you want to minimise disruption in the environment, then looking at the backup tapes can be an excellent option also. This way you can look at the data sets over time and capture deleted data. Just check what and when they are backing up first to see if they will cover what you are after.
I'll second Kroll's PowerControls. This is great for getting off the Exchange database and exporting individual mailboxes in pst for analysis. It also integrates the transaction logs to create a clean copy. They offer a much more reasonable consultant license these days.