Lotus Notes NSF Forensics
Tricks and Techniques To Simplify Lotus Notes Forensics
Introduction to Lotus Notes
Lotus Notes® is a messaging software platform developed by IBM. It is an integrated platform for business-oriented tasks such as email, calendaring, contact management, discussion forums, microblogging, and much more. Combining a document database system with facilities for seamless mailing, the entire infrastructure runs as a client-server pair: the Notes® client and the Domino® server. Data resides on both ends, client and server.
Overview of Lotus Notes NSF Forensics
Instant Messaging and Chat History
Domino Directory: This is a Notes database that stores configuration information for users, servers, and other entities. It is created automatically when a server is configured for the first time in a Notes domain.
Since the Domino Directory holds all of this system-specific information, anyone managing it has the possibility of gaining unauthorized access to it and damaging the Notes installation within a domain. Because of its importance, organizations maintain a regular backup of the Domino Directory.
Notes ID: When a new user, server, or certifier is added, Notes generates a unique User ID. It contains the encryption keys, the name of the entity, and the password that unlocks the ID and gives access to its contents.
Depending on the entity, the ID files are referred to as User ID, Server ID, and Certifier ID. This file plays a major role in maintaining Notes security: if any resource is to be accessed within a Notes domain, the Notes ID file must be available. The system then checks the ID file for the certificates issued by the certifiers, which is important when doing Lotus Notes forensics.
In addition, if encryption or digital signature techniques are used to protect data in transit, the private key is saved in the ID file. To prevent harm to domain users through the ID file, its contents are decrypted using a password.
If the ID file is lost, there is no way to recover it; it can only be re-created. The reason is that the ID file stores the private key, and a private key cannot be derived from the public key.
Access Control Lists (ACLs) provide the most convenient way to restrict access to a Notes database. Each individual Notes database has restrictions set to protect it against unauthorized access. Note, however, that the access control may differ between the local copy and the server.
When a Notes database protected by these permissions is accessed, an entry is recorded in the User Log (log.nsf), which can be viewed through the following process:
The entries show whether any read or write activity has been performed on the database, which is important for a Lotus Notes NSF forensics investigation. A deletion is presented as a Write action, while a replication is presented as a large number of Read actions.
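The read/write heuristic above can be applied mechanically when an investigator exports the User Activity of a database to a table. The following is an added example, not code from the original article or from IBM; it assumes a constructed CSV export with the columns date, user, reads, writes, and the replication threshold of 500 reads is an arbitrary assumption to be tuned per environment.

```python
import csv
import io
from dataclasses import dataclass
from datetime import datetime

# Constructed sample in the shape of a per-database User Activity export
# (date, user, reads, writes). Not data from any real Domino server.
SAMPLE_ACTIVITY = """\
date,user,reads,writes
2023-05-02 09:14:00,CN=Alice Smith/O=Acme,12,3
2023-05-02 09:20:00,CN=Mail1/O=Acme,1850,0
2023-05-02 11:03:00,CN=Bob Jones/O=Acme,4,1
2023-05-02 13:45:00,CN=Alice Smith/O=Acme,0,2
2023-05-02 15:10:00,CN=Carol Lee/O=Acme,7,0
"""

@dataclass
class ActivityRecord:
    when: datetime
    user: str
    reads: int
    writes: int

def parse_activity(text):
    """Parse the constructed CSV shape into ActivityRecord objects."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        when = datetime.strptime(row["date"], "%Y-%m-%d %H:%M:%S")
        records.append(ActivityRecord(when, row["user"],
                                      int(row["reads"]), int(row["writes"])))
    return records

def classify(record, replication_threshold=500):
    """Tag a record using the article's heuristic: many reads suggest a
    replication; any write covers edits and deletions alike, so writes
    are flagged for follow-up rather than labelled as deletions."""
    tags = []
    if record.reads >= replication_threshold:
        tags.append("possible-replication")
    if record.writes > 0:
        tags.append("write-activity")
    if not tags:
        tags.append("read-only")
    return tags

def triage(text, replication_threshold=500):
    """Return (user, timestamp, tags) for every record in the export."""
    return [(r.user, r.when.isoformat(), classify(r, replication_threshold))
            for r in parse_activity(text)]
```

Records tagged write-activity are the ones to cross-check against the database for deleted or modified documents; a possible-replication tag by a server name is expected, the same tag on an end-user account is worth a closer look.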
Lotus Notes Database Analysis
How artifacts are carved out of the database depends heavily on how the administrator has configured the settings. Supporting the investigation with a Lotus Notes NSF forensic tool helps in analyzing the collected artifacts.
Opening NSF files without the Notes Domino platform, examining email headers and hops, and filtering the required data by keyword are all part of the Lotus Notes database analysis phase of eDiscovery. Lotus Notes email analysis can be aided by a Lotus Notes forensics tool, such as one that is proven for digital forensics across a number of mail platforms.