Email Forensics

mc02
(@mc02)
Posts: 20
Eminent Member
Topic starter
 

Hey,

Found some Novell archived files in a computer that was connected to a network. They access their email via web interface so I'm trying to find the best way to get a specific email user's account/email content from the server.

What is the common procedure here? Do I image the whole server or partition? It's a huge server.

Any input is appreciated. Thanks

MC

 
Posted : 27/06/2009 8:43 am
4n6art
(@4n6art)
Posts: 208
Reputable Member
 

First you (and we) need to know what email server they were/are using. The user computer could have a Novell client to access the primary server, but what were they using for email? Lotus Domino, MS Exchange, GroupWise?

Is this a friendly job, as in you are working FOR the company that has the server, or are you with the opposition? That may make a difference in how/what type of help you can get from them in getting that info.

-=ART=-

 
Posted : 27/06/2009 11:25 am
mc02
(@mc02)
Posts: 20
Eminent Member
Topic starter
 

Hi 4n6art,

Apologies, totally forgot, it's GroupWise. And I'm helping an agency analyze the emails. I don't work for the company.

MC

 
Posted : 29/06/2009 11:13 am
(@abdulcadir)
Posts: 68
Trusted Member
 

Check with Paraben Email Examiner… I hope..

()-CADI-()

 
Posted : 29/06/2009 12:09 pm
mc02
(@mc02)
Posts: 20
Eminent Member
Topic starter
 

Hi Abdulcadir,

I've looked at Paraben Network Email Examiner but am looking to get email off the server without purchasing software, if that's at all possible.

Thanks for the response though.

MC

 
Posted : 29/06/2009 12:34 pm
(@abdulcadir)
Posts: 68
Trusted Member
 

MC!

The trial will work for 30 days and 23 times … also it's amazingly fast at searching

()-CADI-()

 
Posted : 29/06/2009 3:03 pm
(@gkelley)
Posts: 128
Estimable Member
 

> Hi Abdulcadir,
>
> I've looked at Paraben Network Email Examiner but am looking to get email off the server without purchasing software, if that's at all possible.
>
> Thanks for the response though.
>
> MC

That could be tough. You could try imaging the server and then virtualizing the image using VMware. Connect a client machine to it and pull down the e-mails.

Of course, VMware might necessitate buying software but it is another idea.

 
Posted : 29/06/2009 6:02 pm
Jesterladd
(@jesterladd)
Posts: 28
Trusted Member
 

A number of other questions. Do you have 'log on' access to the GroupWise server? Or admin rights to the GroupWise server over the network? If you do, have you considered exporting or backing up the relevant post office out to an external drive? Or, failing that, considered logging on to the network using a Windows box, mapping a drive to the post offices and using FTK to image them out?

If the GroupWise server is part of the NetWare eDirectory you may be able to export/backup the emails via the user account as an option.

This article may assist you: http://support.microsoft.com/kb/235362

Failing that, find a friendly NetWare administrator.

Good luck

Jesterladd

 
Posted : 30/06/2009 12:08 am
mc02
(@mc02)
Posts: 20
Eminent Member
Topic starter
 

@gkelley & @Jesterladd and everyone else,

I will try imaging as suggested. Currently I am using EnCase as my main tool. What email forensic software are you guys using apart from Paraben?

MC

 
Posted : 30/06/2009 1:08 pm
Jesterladd
(@jesterladd)
Posts: 28
Trusted Member
 

MC,

The software I use depends on what task I want to get done. Apart from Paraben, I use FTK, NUIX Desktop or the native program.

Jesterladd

 
Posted : 30/06/2009 1:19 pm