Hi,
I might be coming across a case that will require me to do a live acquisition and analysis of a SAN and a NAS. I might also have to analyze an Exchange server. In this situation I will not be imaging the entire server; instead I will just be pulling off the .edb and .pst files. This will also need to be done live so I don't interrupt daily business activities.
If anyone has encountered these situations please let me know the best course of action.
Thanks.
WRT to the SAN/NAS, it really depends on what you're looking for, operating system(s) involved, etc. That will determine your procedure, which in turn may dictate your tools.
What are the questions you're being asked to answer?
WRT to the .edb/.pst files, document MAC times before touching them, hash them, copy them off of the system, then rehash them to verify that they weren't altered. Maybe you can even hash them and burn the files and their hashes off to CD. But beyond that, again, it really depends on what you're looking for.
H. Carvey
"Windows Forensics and Incident Recovery"
http://windowsir.blogspot.com
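A scripted version of the document-hash-copy-rehash sequence described above, added here as an example and not code from the thread or its participants. It records the MAC times before the first read, streams the file through SHA-256, copies it with metadata, rehashes the copy and writes a JSON custody record; the file name and evidence directory are constructed placeholders.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1 << 20  # 1 MiB blocks: mailbox stores are large, never read them whole into memory
SAMPLE = b"constructed sample bytes standing in for a .pst; not a real mailbox file\n"

def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def mac_times(path):
    """Capture timestamps BEFORE any read: hashing can itself bump the access time."""
    st = os.stat(path)
    iso = lambda t: datetime.fromtimestamp(t, tz=timezone.utc).isoformat()
    # st_ctime is inode-change time on Unix but creation time on Windows; label it as both
    return {"modified": iso(st.st_mtime), "accessed": iso(st.st_atime),
            "changed_or_created": iso(st.st_ctime), "size": st.st_size}

def acquire_file(src, dest_dir):
    """Document MAC times, hash, copy, rehash the copy, and write a custody record."""
    src, dest_dir = Path(src), Path(dest_dir)
    dest_dir.mkdir(parents=True, exist_ok=True)
    record = {"source": str(src), "mac_times": mac_times(src)}
    record["sha256_before_copy"] = sha256_file(src)
    dest = dest_dir / src.name
    shutil.copy2(src, dest)  # copy2 carries mtime/atime onto the copy alongside the data
    record["copy"] = str(dest)
    record["sha256_after_copy"] = sha256_file(dest)
    record["verified"] = record["sha256_before_copy"] == record["sha256_after_copy"]
    (dest_dir / (src.name + ".acquisition.json")).write_text(json.dumps(record, indent=2))
    return record

def demo():
    """Run the procedure against a constructed file in a scratch directory."""
    work = Path(tempfile.mkdtemp())
    src = work / "mailbox.pst"  # hypothetical name, not from the thread
    src.write_bytes(SAMPLE)
    return acquire_file(src, work / "evidence")
```

Calling demo() returns the custody record for the constructed sample; for real use, point acquire_file() at the store path and an evidence directory on separate media.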
Copying the edb without interrupting the daily business is not possible as far as I know. The edb is in use and can't be copied on a running Exchange server. You should at least stop the Information Store service for some time.