What would, in your opinion, be the best way to image an entire server that has to be forensically analyzed?
That depends on a LOT of factors, really.
What is the hardware platform? Boot-from-SAN? Is the server running in VMware? Are the drives in a RAID configuration, and if so, which one(s)? What is the total volume of drive space, and do you *really* need to take all of it?
Is this an ecommerce server that is critical to business operations? Does it have a SAN attached? What is the purpose of the system? File server? Domain controller? Mail server?
What is the software running? What OS is installed?
What type of access do you have to the system; local or remote? What tools do you have available? What's your skill level, or the skill level of the person who will be performing the acquisition (it doesn't do any good to image each individual RAID 5 drive if the analyst doesn't know how to reassemble the array in their tool-of-choice)?
There's a great deal that goes into determining the "best"…
It is essentially an Exchange mail server with 160 GB of HDD, no RAID.
OS is Windows Server 2k3. I have local access to the system.
What do you need to obtain from the system? If you need .PSTs of the mailboxes, I'd suggest that you have the Exchange admin run the MS exmerge utility for you first (be sure to fully document this), then, if you have the appropriate write-blocker, remove the drive from the system and acquire it.
There's still other info that you'll need to consider…for example, do you need to acquire physical memory?
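Whichever imager ends up being used for the "remove the drive and acquire it" step, the part worth getting right is the same: read the evidence drive sequentially behind a write-blocker, hash the bytes as they are copied, then re-hash the finished image and record both in the acquisition log. The script below is an added example written for this thread, not a tool or procedure anyone in the discussion posted; it stands in a constructed file of random bytes for the real source device, and the file names, the `AcquisitionRecord` type and the log format are all assumptions of the example.

```python
"""Raw (dd-style) acquisition with on-the-fly hashing and post-acquisition verification.

Added example for the thread above, not code from any poster or product.
The 'drive' being imaged is a constructed file standing in for the real device.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass

CHUNK = 1024 * 1024  # 1 MiB reads keep memory flat even on a 160 GB drive


@dataclass(frozen=True)
class AcquisitionRecord:  # hypothetical record type used only by this example
    source: str
    image: str
    bytes_read: int
    md5: str
    sha1: str


def hash_file(path, chunk=CHUNK):
    """Return (md5, sha1) of a file, read sequentially in fixed-size blocks."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            md5.update(block)
            sha1.update(block)
    return md5.hexdigest(), sha1.hexdigest()


def acquire(source_path, image_path, chunk=CHUNK):
    """Write a bit-for-bit raw image of source_path, hashing the bytes as they pass.

    The source is opened read-only here, but only a hardware write-blocker between
    the evidence drive and the acquisition box actually guarantees nothing is written.
    """
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    total = 0
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(chunk), b""):
            md5.update(block)
            sha1.update(block)
            dst.write(block)
            total += len(block)
    return AcquisitionRecord(source_path, image_path, total, md5.hexdigest(), sha1.hexdigest())


def verify(record):
    """Re-read the finished image and compare size and hashes with the acquisition record.

    Returns (ok, verification_md5, verification_sha1) so a mismatch can be logged
    with both values, not just a boolean.
    """
    size_ok = os.path.getsize(record.image) == record.bytes_read
    v_md5, v_sha1 = hash_file(record.image)
    return (size_ok and v_md5 == record.md5 and v_sha1 == record.sha1), v_md5, v_sha1


def write_log(record, verified, log_path):
    """Append the acquisition record to a plain-text acquisition log (format is an assumption)."""
    lines = [
        f"source:   {record.source}",
        f"image:    {record.image}",
        f"bytes:    {record.bytes_read}",
        f"md5:      {record.md5}",
        f"sha1:     {record.sha1}",
        f"verified: {'yes' if verified else 'NO - size or hash mismatch'}",
        "",
    ]
    with open(log_path, "a") as log:
        log.write("\n".join(lines))


def demo(size_bytes=3 * CHUNK + 4096):
    """Acquire and verify a constructed 'drive' in a temp directory.

    The non-aligned size exercises the final partial block. After the clean
    verification, one byte of the image is flipped to show that verify() catches it.
    """
    workdir = tempfile.mkdtemp(prefix="acq-")
    source = os.path.join(workdir, "evidence-drive.bin")  # constructed stand-in for /dev/sdX
    image = os.path.join(workdir, "evidence-drive.dd")
    with open(source, "wb") as f:
        f.write(os.urandom(size_bytes))
    record = acquire(source, image)
    ok, _, _ = verify(record)
    write_log(record, ok, os.path.join(workdir, "acquisition.log"))
    with open(image, "r+b") as f:  # simulate a corrupted or altered image
        first = f.read(1)
        f.seek(0)
        f.write(bytes([first[0] ^ 0xFF]))
    tampered_ok, _, _ = verify(record)
    return record, ok, tampered_ok


if __name__ == "__main__":
    rec, ok, tampered = demo()
    print(f"acquired {rec.bytes_read} bytes, verified={ok}, after tamper verified={tampered}")
```

Two hashes are kept because a single algorithm is the usual point of dispute later; recording the size alongside them catches a truncated image that happens to be compared against the wrong hash. On a real acquisition the source would be the block device exposed through the write-blocker, and a drive with unreadable sectors needs an imager that logs and zero-fills them, which this example does not attempt.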
F-Response!
😉
> What do you need to obtain from the system? If you need .PSTs of the mailboxes, I'd suggest that you have the Exchange admin run the MS exmerge utility for you first (be sure to fully document this), then, if you have the appropriate write-blocker, remove the drive from the system and acquire it.
Why would you need to use exmerge before making an image of the entire drive? With the image, you can use numerous tools to export the mailboxes from the EDB/STM files.
> What do you need to obtain from the system? If you need .PSTs of the mailboxes, I'd suggest that you have the Exchange admin run the MS exmerge utility for you first (be sure to fully document this), then, if you have the appropriate write-blocker, remove the drive from the system and acquire it.
> Why would you need to use exmerge before making an image of the entire drive? With the image, you can use numerous tools to export the mailboxes from the EDB/STM files.
Well, that's exactly the point I put across, but the client is insisting on it!
> What do you need to obtain from the system? If you need .PSTs of the mailboxes, I'd suggest that you have the Exchange admin run the MS exmerge utility for you first (be sure to fully document this), then, if you have the appropriate write-blocker, remove the drive from the system and acquire it.
> Why would you need to use exmerge before making an image of the entire drive? With the image, you can use numerous tools to export the mailboxes from the EDB/STM files.
> Well, that's exactly the point I put across, but the client is insisting on it!
There are some limitations with exmerge (as there are with all of the tools that we use). For one, I believe exmerge doesn't create PSTs over 2 GB.
If the client really wants you to grab PSTs beforehand, then just make sure the running of exmerge doesn't purge messages (as one of the switches allows it to do so).
Greg,
> Why would you need to use exmerge before making an image of the entire drive? With the image, you can use numerous tools to export the mailboxes from the EDB/STM files.
I'm trying to provide a response to the OP, in a way that puts a solution in his hands that roughly approximates his skill level.
For instance, what "numerous tools" would you use to export the mailboxes from the EDB/STM files extracted from an acquired image?
> Greg,
> Why would you need to use exmerge before making an image of the entire drive? With the image, you can use numerous tools to export the mailboxes from the EDB/STM files.
> I'm trying to provide a response to the OP, in a way that puts a solution in his hands that roughly approximates his skill level.
> For instance, what "numerous tools" would you use to export the mailboxes from the EDB/STM files extracted from an acquired image?
Off the top of my head:
NEMX from Paraben
Discovery Attender
Recovery for Exchange Server
Encase
Transcend Migrator Forensic Edition
You can virtualize the server and connect using the client of your choice