Exchange Forensics

5 Posts
2 Users
0 Reactions
890 Views
RolfGutmann
(@rolfgutmann)
Noble Member
Joined: 10 years ago
Posts: 1185
Topic starter  

For an HX server investigation we are looking for the best tool to find deleted emails and contacts. As we do not have full access, as no dedicated server was in use, the case is difficult.

Who has advice for quickly finding evidence on an HX? Shall we also take Splunk into consideration?

Please help! Thank you.

MDCR
(@mdcr)
Reputable Member
Joined: 15 years ago
Posts: 376
 

Shall we also take Splunk into consideration?

Why, as in using that overpriced piece of s**t for an investigation?

The only reason you buy a SIEM system is because you want an ISO 12001 cert. I've been offered ArcSight, Splunk, RSA and similar s**t, but I went with fast hardware + NoSQL/shared-nothing databases instead. For performance and analytics they run in circles around SIEM systems.

You don't do forensics in a SIEM system.

Ask yourself, what kind of data is this? What do you NEED to be able to do your job? Do not listen to salespeople, they generally don't give a crap about your needs, and will lie straight to your face about their products being able to deliver magical unicorns and rainbows.

Is it a standard VM? Then ask if they can download the VM and send it. Then do recovery/carving on that.

RolfGutmann
(@rolfgutmann)
Noble Member
Joined: 10 years ago
Posts: 1185
Topic starter  

Thank you!

Fully agree that Splunk is overpriced s**t, we just have it internally.

They refuse to send the VM image and we are under time pressure. An 'Internationales Rechtshilfegesuch in Strafsachen' (international mutual legal assistance request in criminal matters) takes too long.

In an ongoing investigation (near-time crime) it's about speed only.

I search for a script 'asking the Exchange server to answer everything possible' within the sync communication.

MDCR
(@mdcr)
Reputable Member
Joined: 15 years ago
Posts: 376
 

Given the time constraints, all you are left with is to access remotely and gather info.

Try looking for artifacts left in the Exchange log, for example:

https://serverfault.com/questions/570084/exchange-server-email-logs-location

https://technet.microsoft.com/en-us/library/bb124926(v=exchg.160).aspx

If IIS and message tracking are enabled, you can find more under \\servername\exchangeserver.log

https://social.technet.microsoft.com/Forums/lync/en-US/8b53984e-2b8d-4b82-b279-99086970a8a6/microsoft-server-exchange-email-logs?forum=exchangesvradminlegacy

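As an added illustration of what "artifacts left in the Exchange log" looks like in practice (this is example code written for this page, not anything posted in the thread or shipped by Microsoft): Exchange message tracking logs are CSV files whose column names are given in a `#Fields:` header line, and every RECEIVE, DELIVER or SEND event for a message appears there even after the message itself has been deleted from the mailbox. The parser below reads that format, pulls out the events that touched one mailbox inside a time window, and rebuilds a per-message timeline. The column layout follows the documented tracking-log format; the log lines themselves, the mailbox names and the `example.test` domain are constructed for the example.

```python
"""Parse an Exchange message tracking log and reconstruct which messages a
mailbox sent or received in a time window, using only the tracking log
(no mailbox access needed). Sample log content is constructed for this
example; the column names follow the documented '#Fields:' header."""
import csv
from datetime import datetime, timezone

# Constructed sample: header block plus four event rows (27 columns each).
SAMPLE_LOG = """#Software: Microsoft Exchange Server
#Version: 15.01.0000.000
#Log-type: Message Tracking Log
#Date: 2019-03-04T00:00:00.000Z
#Fields: date-time,client-ip,client-hostname,server-ip,server-hostname,source-context,connector-id,source,event-id,internal-message-id,message-id,network-message-id,recipient-address,recipient-status,total-bytes,recipient-count,related-recipient-address,reference,message-subject,sender-address,return-path,message-info,directionality,tenant-id,original-client-ip,original-server-ip,custom-data
2019-03-04T09:12:01.221Z,10.0.0.5,HX01,10.0.0.5,HX01,,,STOREDRIVER,RECEIVE,1001,<a1@example.test>,b1,bob@example.test,,4096,1,,,"Invoice, Q1",alice@example.test,alice@example.test,,Originating,,,,
2019-03-04T09:12:02.000Z,10.0.0.5,HX01,10.0.0.5,HX01,,,STOREDRIVER,DELIVER,1001,<a1@example.test>,b1,bob@example.test,,4096,1,,,"Invoice, Q1",alice@example.test,alice@example.test,,Originating,,,,
2019-03-04T11:40:10.000Z,10.0.0.5,HX01,10.0.0.5,HX01,,,SMTP,SEND,1002,<a2@example.test>,b2,ext@partner.test,,2048,1,,,Re: meeting,bob@example.test,bob@example.test,,Originating,,,,
2019-03-05T08:00:00.000Z,10.0.0.5,HX01,10.0.0.5,HX01,,,STOREDRIVER,RECEIVE,1003,<a3@example.test>,b3,carol@example.test,,1024,1,,,Hello,dave@example.test,dave@example.test,,Originating,,,,
"""


def parse_ts(value):
    """Tracking-log timestamps are ISO 8601 in UTC with a trailing 'Z'."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def parse_tracking_log(text):
    """Return one dict per event row, keyed by the names in the #Fields line.
    Subjects may contain commas, so rows go through the csv module."""
    fields = None
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].strip().split(",")
            continue  # other '#' lines are metadata (software, version, date)
        if fields is None:
            raise ValueError("event row found before the #Fields header")
        row = next(csv.reader([line]))
        events.append(dict(zip(fields, row)))
    return events


def events_for_mailbox(events, address, start_iso, end_iso):
    """Events in [start, end] where the mailbox is the sender or a recipient.
    recipient-address can hold several addresses separated by ';'."""
    address = address.lower()
    start, end = parse_ts(start_iso), parse_ts(end_iso)
    hits = []
    for ev in events:
        if not start <= parse_ts(ev["date-time"]) <= end:
            continue
        recipients = [r.strip().lower() for r in ev["recipient-address"].split(";") if r]
        if ev["sender-address"].lower() == address or address in recipients:
            hits.append(ev)
    return hits


def message_timeline(hits):
    """Map each message-id to its ordered list of event-ids, so a message
    that was delivered and later deleted still shows RECEIVE -> DELIVER."""
    timeline = {}
    for ev in sorted(hits, key=lambda e: e["date-time"]):
        timeline.setdefault(ev["message-id"], []).append(ev["event-id"])
    return timeline


if __name__ == "__main__":
    evs = parse_tracking_log(SAMPLE_LOG)
    bob = events_for_mailbox(evs, "bob@example.test",
                             "2019-03-04T00:00:00.000Z", "2019-03-04T23:59:59.999Z")
    for msg_id, chain in message_timeline(bob).items():
        print(msg_id, "->", " / ".join(chain))
```

On a live server the same logic applies to the files under the TransportRoles\Logs\MessageTracking folder, collected as-is (copy, hash, then parse) so the originals stay untouched; the parser tolerates the extra `#Software`/`#Version`/`#Date` lines each file starts with.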
RolfGutmann
(@rolfgutmann)
Noble Member
Joined: 10 years ago
Posts: 1185
Topic starter  

Thanks!
