Collecting email evidence from mail servers can be challenging for several reasons: where the server is located, how critical it is to business operations, and whether it runs on shared-hosting or cloud facilities.
1) Full or Logical Disk Image of Server
Challenges: Difficult to obtain for highly utilized, critical servers.
Method: Live imaging is often the only viable option.
Considerations:
Requires specialized tools capable of live imaging.
Risk of disrupting business operations if not handled carefully.
2) Export of Individual Mailboxes in Their Entirety
Method: Export each mailbox to create a backup or a PST file.
Considerations:
Efficiency: Suitable for collecting specific user data.
Completeness: Ensures all mailbox data is captured.
Tools: Exchange Management Shell or third-party utilities can be used for mailbox export.
3) Specialized Applications for Searching, Filtering, and Extracting Messages
Method: Utilize forensic tools designed for email extraction and analysis.
Considerations:
Precision: Allows targeted searches based on criteria.
Flexibility: Filters to extract relevant messages or data.
Compatibility: Ensure the tool supports the server's email platform.
Backup and Recovery
Windows Server Backup (WSB):
Exchange Aware Backups:
Uses a plugin named "WSBExchange.exe" for Exchange-aware backups.
Leverages the Volume Shadow Copy Service (VSS) for background backups.
Checks Exchange database consistency, flushes transaction logs, and marks databases as backed up.
Backups stored as Virtual Hard Disk (VHD) files.
Instructions for Backing up Exchange 2007 or 2010:
1. Start Windows Server Backup.
2. Click on "Backup Once" from the Actions pane to initiate the Backup Once Wizard.
3. Choose Backup Options:
Select "Different options" and proceed.
Opt for Full server (recommended) or Custom to specify volumes.
4. Specify Backup Destination:
Choose a location and configure Access Control settings.
5. Advanced Options:
Select VSS full backup.
6. Review and Confirm:
Confirm backup settings and start the backup process.
7. Monitor Backup Progress:
Check the backup progress page.
8. Backup Completion:
Close once the backup operation is complete.
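The eight wizard steps above as a scripted equivalent, added here as an example and not taken from the original post. It assumes the Exchange databases and transaction logs live on D: and E:, an evidence share named \\evidence-srv\exchange-collect, and that the Windows Server Backup cmdlets are available (a snap-in on Windows Server 2008 R2, a module on later releases); it goes one step beyond the wizard by hashing the resulting VHD files so the collected images can be verified later.

```powershell
# Added example: run from an elevated PowerShell on the Exchange server.
# Load the Windows Server Backup cmdlets (snap-in on 2008 R2, module later).
if (-not (Get-Command New-WBPolicy -ErrorAction SilentlyContinue)) {
    try { Import-Module WindowsServerBackup -ErrorAction Stop }
    catch { Add-PSSnapin Windows.ServerBackup }
}

$policy = New-WBPolicy

# Step 3: include the volumes that hold the Exchange databases and
# transaction logs (assumed here to be D: and E:), plus system state.
foreach ($letter in @('D:', 'E:')) {
    Add-WBVolume -Policy $policy -Volume (Get-WBVolume -VolumePath $letter)
}
Add-WBSystemState -Policy $policy

# Step 4: destination on the evidence share (assumed path). -NonInheritAcl
# is the wizard's access-control option: only the backup account and
# administrators can read the target folder.
$cred   = Get-Credential -Message 'Account with write access to the evidence share'
$target = New-WBBackupTarget -NetworkPath '\\evidence-srv\exchange-collect' `
                             -Credential $cred -NonInheritAcl
Add-WBBackupTarget -Policy $policy -Target $target

# Step 5: VSS full backup, so the Exchange writer (WSBExchange.exe) checks
# the databases, truncates logs and marks them as backed up.
Set-WBVssBackupOptions -Policy $policy -VssFullBackup

# Steps 6-8: Start-WBBackup runs synchronously and shows progress on the
# console; afterwards confirm the last job really completed cleanly.
Start-WBBackup -Policy $policy
$job = Get-WBJob -Previous 1
if ($job.JobState -ne 'Completed' -or $job.HResult -ne 0) {
    throw "Backup did not complete cleanly: state=$($job.JobState) hresult=$($job.HResult)"
}

# Evidence handling (added, not part of the wizard): SHA-256 every VHD the
# backup produced and record the hashes alongside it for later verification.
$sha256 = [System.Security.Cryptography.SHA256]::Create()
Get-ChildItem -Path '\\evidence-srv\exchange-collect' -Recurse -Filter '*.vhd*' |
  ForEach-Object {
      $stream = $_.OpenRead()
      try { $hash = ($sha256.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
      finally { $stream.Close() }
      '{0}  {1}' -f $hash, $_.FullName
  } | Out-File -FilePath '\\evidence-srv\exchange-collect\hashes.sha256' -Encoding ascii
```

Keep the hash list with the case notes rather than only on the share, so a later comparison does not depend on the same storage the images sit on.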
Conclusion:
When collecting email evidence from network-based servers, it's crucial to choose the right method based on the server's characteristics, business needs, and the investigation's requirements. Whether it's live imaging, mailbox exports, or specialized forensic tools, each approach has its advantages and challenges.
Additionally, leveraging server backups like Windows Server Backup can provide a reliable and efficient way to capture Exchange data while ensuring data integrity and compliance with backup and disaster recovery plans.
Akash Patel