SAN/NAS Acquisitions and Exchange Server

hunterw
(@hunterw)
Posts: 13
Active Member
Topic starter
 

Hi,

I might be coming across a case that will require me to do a live acquisition and analysis of a SAN and a NAS. I might also have to analyze an Exchange server. In this situation I will not be imaging the entire server, instead just pulling off the .edb and .pst files. This will also need to be done live so I don't interrupt daily business activities.

If anyone has encountered these situations please let me know the best course of action.

Thanks.

 
Posted : 16/07/2005 2:45 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

WRT the SAN/NAS, it really depends on what you're looking for, operating system(s) involved, etc. That will determine your procedure, which in turn may dictate your tools.

What are the questions you're being asked to answer?

WRT the .edb/.pst files, document MAC times before touching them, hash them, copy them off of the system, then rehash them to verify that they weren't altered. Maybe you can even hash them and burn the files and their hashes off to CD. But beyond that, again, it really depends on what you're looking for.

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com

 
Posted : 16/07/2005 5:01 am
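The sequence described in the reply above (record MAC times, hash, copy, rehash), as an added example that is not part of the original thread. The function names, the SHA-256 choice, and the JSON sidecar format are assumptions made for illustration; the source is also rehashed after the copy so that a file written to during a live acquisition is flagged.

```python
import hashlib, json, os, shutil, sys
from datetime import datetime, timezone

def sha256_file(path, chunk=1024 * 1024):
    """Hash a file in chunks so large mail stores do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def mac_times(path):
    """Return the file's timestamps as UTC ISO-8601 strings."""
    st = os.stat(path)
    iso = lambda t: datetime.fromtimestamp(t, timezone.utc).isoformat()
    return {
        "modified": iso(st.st_mtime),
        "accessed": iso(st.st_atime),
        # st_ctime is creation time on Windows, inode-change time on Unix.
        "changed_or_created": iso(st.st_ctime),
    }

def acquire(src, dest_dir, copy=shutil.copyfile):
    """Document, hash, copy and rehash one file; write the record beside the copy.

    `copy` is a hypothetical hook so another copy routine can be substituted.
    """
    record = {"source": os.path.abspath(src)}
    # Record timestamps first: opening the file to hash it may update atime.
    record["mac_times"] = mac_times(src)
    record["size"] = os.path.getsize(src)
    record["sha256_source"] = sha256_file(src)
    dest = os.path.join(dest_dir, os.path.basename(src))
    copy(src, dest)
    record["sha256_copy"] = sha256_file(dest)
    # Rehash the source too: on a live system it may have changed mid-copy.
    record["sha256_source_after"] = sha256_file(src)
    record["verified"] = (record["sha256_source"] == record["sha256_copy"]
                          == record["sha256_source_after"])
    record["acquired_utc"] = datetime.now(timezone.utc).isoformat()
    with open(dest + ".acquisition.json", "w") as f:
        json.dump(record, f, indent=2)
    return record

if __name__ == "__main__":
    # Usage: script.py <source file> <existing destination directory>
    result = acquire(sys.argv[1], sys.argv[2])
    print(json.dumps(result, indent=2))
    sys.exit(0 if result["verified"] else 1)
```

A `verified` value of false means the copy does not match the first hash or the source changed while it was being copied, so the record should be kept and the acquisition repeated.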
(@djazz)
Posts: 8
Active Member
 

Copying the edb without interrupting the daily business is not possible as far as I know. The edb is in use and can't be copied on a running Exchange server. You should at least stop the Information Store service for some time.

 
Posted : 18/07/2005 12:23 am