I have found information in my ISA logs that is crucial to an investigation. I am using MSDE. I am running an array of 2 ISA 2006 servers. I really like the drill down I could do in the filters to get this information! The info in the URL was crucial and it was easy to search for.
I used the handy "copy to clipboard" to get the query results into Excel, but feel like I should preserve the actual database file for forensic purposes. I see the .mdf and .ldf files I need, but of course they are locked by the app.
I assume I need to stop MSDE to do this? Not sure of the MSDE server instance. In a cluster, is the actual database only on one physical ISA box?
Also, do I need to stop the firewall service to do this?
I need advice on how to forensically preserve this information.