best for forensic imaging

16 Posts
6 Users
0 Reactions
1,800 Views
(@seanmcl)
Honorable Member
Joined: 19 years ago
Posts: 700
Part of the point that Harlan was making was, I think, what do you need to get from the server.

If it is mailboxes, you don't need to image it to get that although you may want to for backup purposes.

You can spend $10k on Nuix or Kroll if you want, but it may be unnecessary for your task. Anyway, all of the products you mention come with a price tag which, in some cases, would be above and beyond the forensic software.

So knowing what is the objective is always important to selecting the appropriate tool.


   
ReplyQuote
(@gkelley)
Estimable Member
Joined: 21 years ago
Posts: 128
> Part of the point that Harlan was making was, I think, what do you need to get from the server.

Agreed, but my question was why the redundancy of using ExMerge to extract the mailboxes and then make a forensic image.

> You can spend $10k on Nuix or Kroll if you want, but it may be unnecessary for your task. Anyway, all of the products you mention come with a price tag which, in some cases, would be above and beyond the forensic software.

What do you mean by "a price tag… would be above and beyond the forensic software"? Thanks.


   
ReplyQuote
(@seanmcl)
Honorable Member
Joined: 19 years ago
Posts: 700
> What do you mean by "a price tag… would be above and beyond the forensic software"? Thanks.

What I meant was this: most of the products you listed are written specifically for handling Exchange. If you need to image the computer for forensic analysis beyond mail recovery, you'll likely need another product as well, though the imaging you could do on the cheap with Helix or FTK Imager.

If, for example, all you needed to do was to determine whether there was any evidence that A received a certain message from B, and you already had EnCase, FTK, X-Ways, ProDiscover, etc., you wouldn't need an additional Exchange-specific package to answer that question.

If, instead, you want to recreate the threads of one or more conversations, some of the products that you mentioned would be more useful than EnCase.

Bottom line, again, is that the choice of tool is determined by the task. Since the OP didn't say specifically what that task was, any advice is going to be generic, if even appropriate.


   
ReplyQuote
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
> Agreed, but my question was why the redundancy of using ExMerge to extract the mailboxes and then make a forensic image.

Well, as I stated, I wasn't looking at this as a redundancy; I was looking at this from the apparent skill level of the OP. The OP didn't make it readily apparent what they were looking for, and I based the reference to ExMerge and PSTs on my experience of what folks usually look for on such systems.

As I see it, having the admin run ExMerge to extract PSTs and then imaging the system really isn't all that different from imaging the system, virtualizing the image and connecting using whichever one of the listed clients you can afford.

Sean's comment about "…all of the products you mention come with a price tag…" was pretty clear to me, as he's right…

NEMX from Paraben -> $799
Discovery Attender -> ??
Recovery for Exchange Server -> Standard license $799
Transcend Migrator Forensic Edition -> Need to contact Transcend for pricing

Who's going to pay for the product?


   
ReplyQuote
(@gkelley)
Estimable Member
Joined: 21 years ago
Posts: 128
> As I see it, having the admin run ExMerge to extract PSTs and then imaging the system really isn't all that different from imaging the system, virtualizing the image and connecting using whichever one of the listed clients you can afford.

The difference is that if you are first using ExMerge and then imaging, you are spending more time at the client site and tying up the client's admin with the request of running ExMerge. Also, ExMerge has a 2 GB limit. There is a tool that MS created which goes beyond 2 GB, but it is only available on Exchange 2007 with SP1.

> Sean's comment about "…all of the products you mention come with a price tag…" was pretty clear to me, as he's right…
>
> NEMX from Paraben -> $799
> Discovery Attender -> ??
> Recovery for Exchange Server -> Standard license $799
> Transcend Migrator Forensic Edition -> Need to contact Transcend for pricing
>
> Who's going to pay for the product?

Yes, they do. But for $800 you are not tying up the client's resources or spending extra time out at the client site (which costs money in terms of billable time). Use the tool multiple times and your cost per engagement starts dropping significantly.


   
ReplyQuote
 Earn
(@earn)
Estimable Member
Joined: 20 years ago
Posts: 146
Why not grab the EDB and deal with extracting the mailboxes later? ExMerge has a 2 GB output PST limit since it's a 2000 PST. Use NEMX or PowerControls to pull out the PSTs you need.


   
ReplyQuote
Page 2 / 2