A great amount of legal and forensics discussion is involved when there is an investigation procedure that involves the seizing of crucial evidence from Live Exchange server. Whenever there is such an investigation, two things remain in focus
1. Identification of suspect evidence from the network
2. Collection approach that maintains exactitude of evidence
There has been an increasing effort in the theory of live imaging approaches because of the liabilities that come up when a server is taken down. In such a situation, the rules of law and evidence acquisition have caused new approaches and techniques of acquiring electronic evidence to be formed; many of these are specifically targeted at the large storage of data.
What are the data that are generally in question?