Pau Lo asked:
email account (exchange server) forensics best practices

What would be a forensically sound acquisition of a user's mailbox from an Exchange Server 2010? We wouldn't have the capacity to image the entire mailbox database server, nor should we be doing so if only investigating a single user's mailbox for an internal investigation. But what processes should you take to ensure you can prove the copy of the mailbox taken was how the mailbox was at that time? I don't really understand, if the mailbox will continue to be in use, how you can prove your copy of the mailbox is as the mailbox was at the time the copy was taken. At present our admin uses an Exchange shell command which just creates a copy of a mailbox in PST format which can be imported into our forensics software for searching.
ASKER CERTIFIED SOLUTION
nashiooka
Pau Lo
ASKER
Not familiar with this cmd: Get-MailboxExportRequestStatistics

What does it tell us / prove?
So the native export facilities are asynchronous, meaning you create a request to export a mailbox and the request enters a queue managed by the system.  You'd use New-MailboxExportRequest for this.  When you say your Exchange admin is exporting using the Shell, that's the command.  Once the command is entered, Get-MailboxExportRequestStatistics returns more robust information, including the parameters of the export, errors, bad items, sizes, etc.

So why is this relevant to proving the fidelity of the export?  It will show the administrator exported the whole mailbox with no exclusions.  It will show the export was successful, and of course the time executed, when it started, and even the duration.  And a whole lot more.

Let me know if you need more help with that cmdlet.
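The two cmdlets named in this answer, put together as one Exchange Management Shell script. This is an added example, not code posted in the thread: it queues the export with New-MailboxExportRequest, waits for the asynchronous request to finish, pulls the full record with Get-MailboxExportRequestStatistics -IncludeReport, and writes an evidence log alongside the PST. It also hashes the PST, which the thread does not mention but which is the usual way to show the copy has not changed since it was taken. The mailbox alias, share path and case number are placeholders; it assumes the account running it holds the Mailbox Import Export role and that the share is writable by the Exchange Trusted Subsystem group, which Exchange 2010 requires for the export target.

```powershell
# Added example (not from the thread): export one mailbox with the native
# Exchange 2010 cmdlets and capture the evidence a reviewer would want.
# Assumptions (not stated in the thread): the shell account holds the
# "Mailbox Import Export" role, \\EVIDENCE01\Exports is a share the Exchange
# Trusted Subsystem group can write to, and CASE-0000 is a placeholder.

$Mailbox = 'jdoe'                       # placeholder alias
$CaseId  = 'CASE-0000'                  # placeholder case reference
$Name    = "$CaseId-$Mailbox"
$Share   = '\\EVIDENCE01\Exports'       # placeholder UNC path
$PstPath = "$Share\$Name.pst"
$LogPath = "$Share\$Name-export-log.txt"

# 1. Queue the export. No -IncludeFolders / -ExcludeFolders, and -BadItemLimit 0
#    (the default) so the request fails rather than silently skipping items.
$request = New-MailboxExportRequest -Mailbox $Mailbox -FilePath $PstPath `
                                    -Name $Name -BadItemLimit 0

# 2. The request runs asynchronously; poll until it reaches a final state.
$final = 'Completed', 'CompletedWithWarning', 'Failed'
do {
    Start-Sleep -Seconds 30
    $stats = Get-MailboxExportRequestStatistics -Identity $request.Identity
} while ($final -notcontains [string]$stats.Status)

# 3. Retrieve the full report: parameters, timings, errors and bad items.
$stats = Get-MailboxExportRequestStatistics -Identity $request.Identity -IncludeReport

if ([string]$stats.Status -ne 'Completed' -or $stats.BadItemsEncountered -gt 0) {
    Write-Warning ("Export did not complete cleanly: Status={0} BadItems={1}" -f `
                   $stats.Status, $stats.BadItemsEncountered)
}

# 4. Hash the PST with .NET so this also runs under the PowerShell 2.0 shell
#    that ships with Exchange 2010 (Get-FileHash does not exist there).
$sha256 = [System.Security.Cryptography.SHA256]::Create()
$stream = [System.IO.File]::OpenRead($PstPath)
try     { $hash = [System.BitConverter]::ToString($sha256.ComputeHash($stream)).Replace('-', '') }
finally { $stream.Close() }

# 5. Write the evidence log: who ran it, when, what the request reported, hash.
@"
Case:              $CaseId
Mailbox:           $($stats.SourceAlias)
Export file:       $($stats.FilePath)
Requested by:      $env:USERDOMAIN\$env:USERNAME on $env:COMPUTERNAME
Queued:            $($stats.QueuedTimestamp)
Started:           $($stats.StartTimestamp)
Completed:         $($stats.CompletionTimestamp)
Status:            $($stats.Status)
Include folders:   $($stats.IncludeFolders)   (empty = whole mailbox)
Exclude folders:   $($stats.ExcludeFolders)   (empty = nothing excluded)
Items transferred: $($stats.ItemsTransferred)
Bytes transferred: $($stats.BytesTransferred)
Bad items:         $($stats.BadItemsEncountered)
SHA-256 of PST:    $hash
--- request report ---
$($stats.Report)
"@ | Out-File -FilePath $LogPath -Encoding UTF8

# 6. Keep the statistics object itself as well; completed requests are removed
#    automatically after a retention period, so capture them before that.
$stats | Export-Clixml -Path "$Share\$Name-stats.xml"
```

The point of the log is that it answers the asker's question directly: QueuedTimestamp, StartTimestamp and CompletionTimestamp bound the window the PST represents, the empty IncludeFolders / ExcludeFolders fields show nothing was filtered, BadItemsEncountered shows nothing was dropped, and the hash recorded at export time lets anyone later confirm the file in the forensics tool is the same file the request produced. Store the log, the statistics XML and the PST together and restrict write access to that share once the export is done.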