Welcome to ISAserver.org

Forensics copy of MDSE logs

Users viewing this topic: none

Logged in as: Guest

Printable Version

All Forums >> [ISA 2006 Firewall] >> General >> Forensics copy of MDSE logs

Page: [1]

Message

<< Older Topic Newer Topic >>

Forensics copy of MDSE logs - 13.Apr.2007 2:35:39 PM

mjgraves@tisecurity.

Posts: 73
Joined: 19.Jun.2006
Status: offline

I have found information in my ISA logs that is crucial to an investigation. I am using MSDE. I am running an array of 2 ISA 2006 servers. I really like the drill down I could do in the filters to get this information! The info in the URL was crucial and it was easy to search for.

I used the handy "copy to clipboard" to get the query results in Excel, but feel like I should preserve the actual database file for forensic purposes. I see the .mdf and .ldf files I need, but of course they are in locked by the app.

I assume I need to stop MSDE to do this? Not sure of the MSDE server instance. In a cluster, is the actual database only on one physical ISA box?

Also, do I need to stop the firewall service to do this?

I need advice on how to forensically preserve this information.

Thanks!

_____________________________

Mark

Post #: 1

Featured Links*

RE: Forensics copy of MDSE logs - 30.Apr.2007 8:14:22 AM

tshinder

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi Mark,

There is a tool on on the ms.com/isa site that allows you to dump the complete contents of the MSDE file to text.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to mjgraves@tisecurity.)

Post #: 2

RE: Forensics copy of MDSE logs - 30.Apr.2007 3:04:43 PM

mjgraves@tisecurity.

Posts: 73
Joined: 19.Jun.2006
Status: offline

Tom,

Thanks.

Also, I think I will write a batch to backup then zip the database files, so I can keep more offline if need be.

Thanks as always for the help.

Mark

(in reply to tshinder)

Post #: 3