forensics imaging of a database file

pma111 used Ask the Experts™
If you used one of the digital forensics imaging tools, such as FTK Imager, on a live system that hosted a database, be that an Exchange mailbox database or a SQL Server database, will the imaging process work and actually give you a copy of the database that can be interrogated in your forensics search tools? My thoughts were that even backups have to follow a specific purpose which stops processes before they can be backed up, so trying to take an image of a running database is similar to trying to copy and paste it, in that it will result in errors and you won't get a clean copy/copy at all?

From a forensic point of view, it is not important whether a DB file is clean or not, as long as you can extract data from it!
The process used is similar to Volume Shadow Copy or a system snapshot. In this way you can copy a file (or a disk for a VM), even if another process is still reading/writing. In some cases, the data is usable without problems.
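
One way to take the snapshot-based copy the answer describes, as an added PowerShell example that is not part of the original thread. The database path, evidence folder and link folder are hypothetical placeholders, and the session is assumed to be elevated.

```powershell
# Added example. All three paths below are placeholders, not values from the thread.
$DbPath  = 'D:\Data\example.mdf'   # live database file to acquire
$OutDir  = 'E:\Evidence'           # evidence destination (ideally external media)
$LinkDir = 'C:\vss_mount'          # temporary directory link to the snapshot

$volume = [System.IO.Path]::GetPathRoot($DbPath)   # e.g. 'D:\'

# 1. Create a point-in-time shadow copy of the volume that holds the database.
$result = Invoke-CimMethod -ClassName Win32_ShadowCopy -MethodName Create `
          -Arguments @{ Volume = $volume; Context = 'ClientAccessible' }
if ($result.ReturnValue -ne 0) { throw "Shadow copy failed: $($result.ReturnValue)" }
$shadow = Get-CimInstance Win32_ShadowCopy | Where-Object ID -eq $result.ShadowID

try {
    # 2. Expose the snapshot through a directory link (target needs a trailing backslash).
    $device = $shadow.DeviceObject + '\'
    cmd /c mklink /d $LinkDir $device | Out-Null

    # 3. Copy the file from the snapshot rather than from the live volume.
    #    Transaction log files belonging to the database should be copied
    #    from the same snapshot in the same way.
    $source = Join-Path $LinkDir $DbPath.Substring($volume.Length)
    $dest   = Join-Path $OutDir (Split-Path $DbPath -Leaf)
    Copy-Item -LiteralPath $source -Destination $dest

    # 4. Hash the snapshot file and the copy, and record the result.
    $h1 = Get-FileHash -LiteralPath $source -Algorithm SHA256
    $h2 = Get-FileHash -LiteralPath $dest   -Algorithm SHA256
    if ($h1.Hash -ne $h2.Hash) { throw 'Hash mismatch between snapshot and copy' }
    [pscustomobject]@{
        File = $dest; SHA256 = $h2.Hash
        SnapshotTime = $shadow.InstallDate; ShadowID = $shadow.ID
    } | Export-Csv (Join-Path $OutDir 'acquisition_log.csv') -NoTypeInformation -Append
}
finally {
    # 5. Remove the link and delete the shadow copy.
    if (Test-Path $LinkDir) { cmd /c rmdir $LinkDir }
    Remove-CimInstance -InputObject $shadow
}
```

The copied file reflects the database as it was on disk at snapshot time, so it may still need to be attached or repaired in a lab environment before it can be queried.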
