How to Make a Legal Copy of Exchange Email and Hard Drives for Courts, Lawyers or Legal Matters

The scenario: you're part of a small IT company that uses Exchange. Human Resources just told you that the company is being sued and you need to give your company's outside counsel any necessary emails, files and data that may be considered "forensic evidence". What do you do? Here's the quick, simple answer...

First, you need to create perfect clones of each user's hard drive involved in the legal matter using a forensics cloning duplicator. Normal legal protocol involves creating a perfect raw copy and handing that perfect raw copy to your outside lawyers. That way, the copy cannot be construed as tampered evidence by the courts.

The lawyer, in turn, normally has their own forensics IT team to parse and search the contents of the drive. This keeps you (the IT Department) out of court. Do not use Ghost, Acronis, etc. The copies aren't considered raw enough for court. To make the copy, you'll need a forensics drive duplicator. Here is a good hard drive duplicator company with good prices and support.

So all you need to do is physically pull each user's hard drive, clone it twice (one copy goes back in the user's machine, the other goes to the lawyer) and the original goes in your safe as future evidence. The cloning takes about a full night to complete on larger drives, by the way.
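A check to run on the clones described above before anything is handed over, as an added example that is not part of the original post: it hashes the original and each clone over the original's length and reports which copies match. It assumes the drives are readable as raw image files or as block devices behind a write blocker; the function names and sample file names are constructed for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

CHUNK = 1024 * 1024  # read 1 MiB at a time so a whole drive never sits in memory


def byte_length(path):
    # Seeking to the end gives the size of an image file or a Linux block device.
    with open(path, "rb") as src:
        return src.seek(0, os.SEEK_END)


def sha256_prefix(path, length):
    """SHA-256 of the first `length` bytes, or None if the source is shorter."""
    digest = hashlib.sha256()
    remaining = length
    with open(path, "rb") as src:  # read-only open; nothing is written back
        while remaining > 0:
            block = src.read(min(CHUNK, remaining))
            if not block:
                return None  # truncated: cannot be a complete copy
            digest.update(block)
            remaining -= len(block)
    return digest.hexdigest()


def verify_clones(original, clones):
    # A clone written to a larger target drive has extra trailing sectors, so a
    # hash of the whole target never matches; compare only the original's length.
    size = byte_length(original)
    reference = sha256_prefix(original, size)
    results = {Path(c).name: sha256_prefix(c, size) == reference for c in clones}
    return reference, results


def demo():
    """Constructed sample data: small files standing in for raw drive images."""
    data = bytes(range(256)) * 8192 + b"tail"  # just over 2 MiB, spans chunks
    samples = {"original.img": data, "larger_target.img": data + b"\0" * 4096,
               "altered.img": data[:-1] + b"X", "truncated.img": data[:-512]}
    with tempfile.TemporaryDirectory() as tmp:
        for name, content in samples.items():
            Path(tmp, name).write_bytes(content)
        paths = [Path(tmp, name) for name in samples]
        return verify_clones(paths[0], paths[1:])
```

Recording the reference hash alongside the date and the drive's serial number gives the lawyer's forensics team a value to re-check against their copy.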

Secondly, you need to extract emails from the Exchange server. You need software to accomplish this. I highly recommend P2 Commander or Network Email Examiner. P2 Commander is a few hundred more and offers more functionality (and also comes with Network Email Examiner bundled). This will create legal, court-approved email copies from Exchange with hashes and checksums in a forensics "container".

That's it! Your task is complete. As always, check with your lawyers to make sure the software recommended is suitable for their needs. I'm not a lawyer and this should not be considered as legal advice. Good luck!
