Forensics and Your Exchange Server

If you had to provide computer data in response to a subpoena, how would you go about it?

Paul Robichaux

January 16, 2003


Imagine a nightmare: You're sitting in your office, and your phone rings. It's the receptionist. "A man from the FBI is here to see you—something about a subpoena." The G-man walks into your office, waves a paper in the air, and announces that you are now legally required to produce a copy of all email stored on or sent through your server since 1999. As he drones on about chains of custody, stipulations, and evidentiary rules, you begin to fidget, then to sweat. As the agent moves closer to your desk, you suddenly awake in a tangled ball of damp sheets.

OK, back to reality. The odds that you'll get such a subpoena are probably small. However, the technologies and requirements of computer forensics, especially as they pertain to Exchange systems, are interesting and worth learning about. Like knowing how to navigate by the stars, such knowledge might seem useless now but come in handy at a future time.

"The American Heritage Dictionary" definition of "forensic" lists three meanings, but the third—"Relating to the use of science or technology in the investigation and establishment of facts or evidence in a court of law"—is the most relevant for us. The basic purpose of computer forensics is to accurately capture complete records from a target computer for use as evidence in a civil or criminal proceeding. The records can be captured in several ways, but not all of them meet the commonly accepted legal standards for forensic evidence. The name of the game in computer forensics is "exact copy"; that's the standard most evidence must meet.

So, if you had to provide forensic data, how would you go about it? Tape backups often aren't acceptable; even though they contain the same data, the data is in a different physical form and thus isn't an exact bit-for-bit representation of the data on disk. For the same reason, files copied from the targeted server to another server usually won't suffice.

The typical way to copy data for forensic analysis is to use a tool such as Guidance Software's EnCase ( http://www.guidancesoftware.com ) or New Technologies' SafeBack ( http://www.forensics-intl.com/safeback.html ) to make an exact copy of the target system's disks. These tools are superficially similar to Symantec's Ghost product family or PowerQuest's Drive Image 2002 but with an important distinction: The manufacturers have demonstrated that their products make a true copy, so prosecutors, government agencies, and the US courts accept the results.
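The "exact copy" standard in the two paragraphs above rests on one verifiable step: the acquired image must hash to the same value as the original medium, byte for byte, and any later copy must hash to the same value again. The block below is an added example, not code from the article or from any of the products it names; it stands in for a disk imager with a constructed sample file (random bytes with a trailing partial block) rather than a real device, and the function names (`image_device`, `verify_image`, `demo`) are my own. It shows block-wise acquisition with an acquisition hash computed as the bytes are read, an independent verification hash of the written image, and why a single altered byte in a copy fails verification.

```python
import hashlib
import os
import tempfile

BLOCK_SIZE = 4096  # read and write in fixed-size blocks, as a disk imager would


def image_device(src_path: str, dst_path: str, block_size: int = BLOCK_SIZE) -> str:
    """Copy src_path to dst_path byte for byte, hashing the source as it is read.

    Returns the hex SHA-256 over every byte read from the source; this is the
    acquisition hash an examiner records at the time the image is made.
    """
    digest = hashlib.sha256()
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        while True:
            block = src.read(block_size)
            if not block:
                break
            digest.update(block)
            dst.write(block)
    return digest.hexdigest()


def hash_file(path: str, block_size: int = BLOCK_SIZE) -> str:
    """Independent hash of a file already on disk, used to re-verify an image later."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(block_size), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_image(src_path: str, img_path: str) -> bool:
    """True only if the image matches the source in both length and content."""
    return (os.path.getsize(src_path) == os.path.getsize(img_path)
            and hash_file(src_path) == hash_file(img_path))


def demo() -> dict:
    """Build a constructed sample 'disk', image it, verify the image, and show
    that a copy with one flipped byte is rejected. Returns what a verification
    log entry would hold."""
    workdir = tempfile.mkdtemp()
    src = os.path.join(workdir, "source.dd")
    img = os.path.join(workdir, "image.dd")
    tampered = os.path.join(workdir, "tampered.dd")

    # Constructed sample: three full blocks plus a partial one, not a real disk.
    with open(src, "wb") as f:
        f.write(os.urandom(BLOCK_SIZE * 3 + 123))

    acquisition_hash = image_device(src, img)

    # A copy that differs in a single bit must not verify against the source.
    with open(img, "rb") as f:
        data = bytearray(f.read())
    data[0] ^= 0x01
    with open(tampered, "wb") as f:
        f.write(bytes(data))

    return {
        "acquisition_hash": acquisition_hash,
        "image_hash": hash_file(img),
        "image_verified": verify_image(src, img),
        "tampered_verified": verify_image(src, tampered),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The same two hashes (at acquisition and on later re-verification) are what a chain-of-custody record carries; if they ever disagree, the image cannot be presented as an exact copy, which is exactly the objection the article raises against tape backups and file-level copies.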

This approach is less practical—or even impossible—on systems with multiple disks that must all be imaged. For example, RAID arrays and Storage Area Networks (SANs) require special procedures to ensure that the data is copied in an acceptable way. One approach that I expect to catch on is the use of hardware tools such as WiebeTech's Forensic DriveDock ( http://www.wiebetech.com ), a nifty FireWire-to-IDE bridge that write-protects the drive. Attach an IDE drive, plug the Forensic DriveDock cable into a FireWire port, and you can mount the disk on your desktop to scan or copy it, with a guarantee that you won't affect the original data.

Even though you might never have to provide forensic data, you might find computer forensics intriguing. For a fascinating discussion of the topic, read Debra Littlejohn Shinder's "Scene of the Cybercrime" (Syngress Publishing, 2002), a primer on forensic techniques and technologies. In the meantime, sweet dreams.
