I believe you have two options:
- Take an image of the Exchange database live (not shut down) and apply the transaction logs post-acquisition to bring the 'dirty' database back into a clean state; you can use the 'eseutil' command for this. Make sure you image both the database files (.edb) and the transaction logs; they are usually located on two different disks for performance reasons. You can then parse the database using X-Ways, FTK or my favourite, "Kernel for Exchange Server". Kernel will even parse dirty .edb databases.
- Take the data live. I've used the "Export-Mailbox" cmdlet in the Exchange Management Shell before with good results. You can get more information on this approach here:
http://technet.microsoft.com/en-gb/library/bb266964(v=exchg.80).aspx
Watch out with regard to Exchange 2010: I believe they have significantly changed the file structure of the .edb database with this release, so all of the forensics tools are now starting to catch up. I believe the latest Paraben's Network Email Examiner tool and the latest X-Ways support the new format.
Although there are other approaches, these are the two I've done in the past.
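The first option above (replaying transaction logs into an acquired copy with eseutil) as an added PowerShell example, not code from the original post. It assumes the .edb and log folders have already been copied to a working directory, and the paths, database file name and log prefix (E00) are assumptions for illustration; it records file hashes before and after recovery so the original acquisition stays untouched and the change is documented.

```powershell
# Added example (not from the original post). Assumes an offline working copy
# of the database and log folders already exists under $WorkDir; the paths
# and the log prefix below are assumptions for this illustration.
param(
    [string]$WorkDir   = 'D:\case01\exchange',   # assumed working copy location
    [string]$DbFile    = 'Mailbox Database.edb', # assumed database file name
    [string]$LogPrefix = 'E00'                   # assumed transaction log prefix
)

$DbDir  = Join-Path $WorkDir 'db'
$LogDir = Join-Path $WorkDir 'logs'
$DbPath = Join-Path $DbDir $DbFile

function Get-EvidenceHashes {
    # Hash every database, log and checkpoint file so the state before and
    # after recovery can be recorded in the case notes.
    Get-ChildItem -Path $DbDir, $LogDir -File -Recurse -Include *.edb, *.log, *.chk |
        ForEach-Object {
            [pscustomobject]@{
                File   = $_.FullName
                SHA256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

function Get-DbState {
    # eseutil /mh dumps the database header; its "State:" line reports
    # "Clean Shutdown" or "Dirty Shutdown".
    $header = & eseutil.exe /mh $DbPath
    $match  = $header | Select-String -Pattern '^\s*State:'
    if ($match) { $match.Line.Trim() } else { 'State: unknown' }
}

# Record hashes of the working copy before anything is replayed.
Get-EvidenceHashes | Export-Csv -Path (Join-Path $WorkDir 'hashes-before.csv') -NoTypeInformation

$state = Get-DbState
Write-Host "Header state before recovery: $state"

if ($state -match 'Dirty') {
    # Soft recovery replays the transaction logs into the working copy only.
    # /l points at the log folder, /d at the folder holding the .edb file.
    & eseutil.exe /r $LogPrefix /l $LogDir /d $DbDir
    Write-Host "Header state after recovery: $(Get-DbState)"
}

# Record hashes again so the post-recovery files can be tied to the originals.
Get-EvidenceHashes | Export-Csv -Path (Join-Path $WorkDir 'hashes-after.csv') -NoTypeInformation
```

Run it against the working copy only, never against the original image or the production server, so the acquired evidence stays unchanged.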