

154 Chapter 6 · Defensible Data Collection Techniques in the Enterprise

need for additional tools. These tools can almost always be used on Macintosh systems running any variety of OS X because the OS X family of operating systems is based on a variant of UNIX. The same metadata does not get tracked in UNIX and Linux operating systems as is tracked in Windows. In addition, transferring data among file systems utilized by different operating systems requires special handling.

E-mail

The most common type of e-mail server we encounter in corporate environments is Microsoft Exchange. The collection method depends on the size of the custodian mailboxes and the version of Exchange server at issue. Frequently, the collection technique involves extracting custodian data from the Exchange server in the form of a Microsoft personal storage file or "PST" format. Microsoft provides a tool to facilitate this process (in some circumstances), called ExMerge. If the data collection is sufficiently large, an alternative method is commonly used to collect the data, such as shutting down the server and copying the entire Exchange database or running a special tape backup to collect some or all of the server data.

Lotus Notes and GroupWise are also found in the corporate environment, although less frequently. These may present different collection considerations based on the version of the mail server and configuration of the server environment. When collecting Lotus Notes data, for example, it is important to request the user ID and password, as Lotus Notes e-mail databases may be encrypted.

BlackBerry and Treo Devices

BlackBerry and Treo devices contain potential ESI as well and are fairly prevalent in corporate environments. Typically, the data is replicated with the corporate Exchange server, so separate collection from the handheld devices themselves is usually unnecessary. However, in limited circumstances, the data may become out of sync. In such cases, the extracted data may not easily lend itself to online review environments. Oftentimes, a BlackBerry or Treo will be collected in the interest of completeness and referred to later if a question arises.

Paraben and CelleBrite are two packages that you can use to capture the contents of BlackBerry, Treo, and other mobile devices. Paraben's software product has minimal additional accessories. CelleBrite offers its package as a separate portable kit.

BlackBerry and Treo devices can also be backed up with desktop and Web-based software, which can be used to capture data on the device if other methods fail. In the case of these devices, the third-party software is performing the equivalent of a physical image on these devices, whereas the vendor-provided backup software is providing the equivalent of a logical backup. One additional benefit provided by such backup software is that the computer used to sync the data may become a redundant source of data if the device fails, or it may provide the only source of data should the device itself become inaccessible.