Hi Everyone,
I have a new investigation underway regarding an ex-employee of our company who has been identified by the Serious Crimes Office as having been in communication with known illegal groups operating in the Middle East. I have established that the person left the organisation back in 2009 and was with the company nine years.
We have a series of end-of-year backup tapes from 2001 through to 2009, and so I'm confident we can recover our Exchange server database and extract the mailbox relating to this individual, but would like to find out more about the data access permissions he/she had.
Is it possible to recover the SAM file from the Domain Controller from a backup tape and then analyze the user profiles, or is this kind of information stored elsewhere?
I have tried obtaining manual records but there is nothing available as far as I can tell. The laptop used by the individual was disposed of early this year and the hard drive shredded.
Any thoughts or advice very gratefully accepted.
Kind regards
Richard
Is it possible to recover the SAM file from the Domain Controller from a backup tape and then analyze the user profiles, or is this kind of information stored elsewhere?
That's the idea of a system state backup: you should be able to recover everything you need for normal operation.
So *is* system state data included? (It is madness not to back it up on a DC …)
There are some gotchas about restoring it to alternative locations – some key files won't be restored. But you probably need to talk to an AD expert for that, or any ways around it.
Thanks for the response, Athulin. I believe that backup will be fine; it's just that the configuration of the servers at that time is very different to our modern counterparts, and so a total restore probably would not run unless we had the same server configuration, devices, drivers etc.
I will talk to our Active Directory guys regarding the permissions data; as previously stated, I'm not sure where that information is stored.
Many thanks for your help
Richard