Email Forensics

(@gkelley)
Estimable Member
Joined: 21 years ago
Posts: 128
 

@gkelley & @Jesterladd and everyone else,

I will try imaging as suggested. Currently I am using EnCase as my main tool. What email forensic software are you guys using apart from Paraben?

MC

I use a variety of e-mail tools based on what I am trying to do: EnCase or Paraben's tools from a "forensic" standpoint, and Trident from Wave Software for searching, deduping and production. We have other small tools for o********t conversion as well as for dealing with e-mail stores that are giving me fits in my normal apps.


   
(@mc02)
Eminent Member
Joined: 20 years ago
Posts: 20
Topic starter  

Thank you all for your input. You guys are the best.

MC


   
(@paul206)
Trusted Member
Joined: 17 years ago
Posts: 70
 

MC,
We use GroupWise where I work and you will not find any email artifacts on the workstation because everything is in the user's mailbox. I don't know any forensic applications that will read a GroupWise server.

What we do when we have to see someone's email is to have the LAN group give us access to their mailbox. They reset the user's GroupWise password and tell me what the new password is. I then sit at my desk and manually log into their GroupWise account with the new password using my own client on my own desktop. I then look through their email in real time as if I were them. Obviously I have to know ahead of time what the person's user id is. If we think they have deleted emails, we have the LAN group restore tape backups from before the date we think the deletion took place.

You will have to do this on site, and clearly this is something they should have done for themselves to begin with. If you cannot get onto their network you won't be able to do it. When you do get there and are sitting at the PC you are going to use, open up your GroupWise shortcut and add the following characters /@u-? after a space following the executable, which will force GroupWise to ask for a user id because it normally offers the last one to successfully log in.

I know you said this was webmail, but what you need to know is there is no difference. The GroupWise WebAccess is simply a Java-based internet access portal to your regular GroupWise mailbox. There is no separate mail or anything. It is simply a different way to remotely see the same stuff you see when you are sitting at your desk. You are looking at the same post office and the same mailbox either way.

By now you are thinking this is stupid and a pain in the @ss, and you will be correct. The same way the bad guys attack the product used by the greatest number of people (Microsoft), forensic software companies make their tools to analyze the software used by the greatest number of people (Microsoft).

I am pleased to say that after many years of not being able to do anything with Windows on Novell servers, we are finally getting ready to deploy Active Directory, and out of an MIS dept. with over 60 techs I only know one person who is unhappy about it. I realize my post is a little tardy and my answer is probably not what you were hoping for. By the way, I don't mean to say that no tools exist to do what you want, just that I don't know of any.


   
(@gkelley)
Estimable Member
Joined: 21 years ago
Posts: 128
 

By the way I don't mean to say that no tools exist to do what you want, just that I don't know of any.

Just so you know, so you have options:

Paraben's NEMX - If you have the complete folder structure from the GroupWise server, NEMX will open it. Not 100% successful but it has worked.

Transend Migrator - I have used the application as a substitute for when I didn't have the GroupWise client. It will connect to a GroupWise mailbox.


   