Lotus Notes® is a messaging software platform developed by IBM. It is an integrated platform for business-oriented tasks such as emailing, calendaring, contacts management, discussion forums, microblogging, and much more. It combines a document database system with facilities for seamless mailing, and the entire infrastructure works on a client-server combination, which is Notes® and Domino® respectively. The data resides on both ends: client and server.
A Lotus Notes database is saved as a Notes Storage Format (NSF) file, which is stored under "c:\lotus\notes\data". The Notes client setup is available free of cost, which gives an easily available platform for examination. The client and the server create a single NSF file for storing the data of an individual user.
With the Notes and Domino environment, users get a secure messaging platform called "Sametime". It gives a way to communicate with colleagues and is an alternative to email and phone calls. The quick chat that happens between two users or among a group of users is recorded. This chat history can be saved either automatically or as the user requires. It is stored in the mail file (i.e. username.nsf), locally on the system, or as a transcript. This transcript can be used in Lotus Notes NSF forensics.
Domino Directory: It is a Notes database that stores configuration information related to users, servers, etc. It is automatically created when the server is configured for the first time in a Notes domain.
Since the Domino Directory contains all the system-specific information, there is a possibility that anyone managing it can gain unauthorized access to it and cause damage to the Notes installation within a domain. Considering its importance, organizations maintain a regular backup of the Domino Directory.
Notes ID: When a new user, server, or certifier is added, Notes generates a unique User ID. It contains the encryption keys, the name of the entity, and the password for unlocking the ID and accessing its contents.
Depending upon the entity, the ID files are referred to as User ID, Server ID, and Certifier ID. This file plays a major role in maintaining Notes security. If any resource has to be accessed within a Notes domain, the Notes ID file must be available. The system then checks the ID file for the certificates issued by the certifiers, which is important when doing Lotus Notes forensics.
In addition to this, if encryption or digital signature techniques are used to protect data in transit, the private key is saved in the ID file. To prevent harm to the domain users through the ID file, its contents are protected by a password, which is required to decrypt them.
If the ID file is lost, there is no way to recover it and it can only be re-created. The reason is that the ID file stores the private key, and it is not possible to create a private key from a public key.
Access Control Lists (ACLs) provide the most convenient way to restrict access to a Notes database. For each individual Notes database, restrictions are set to protect the database against unauthorized access. However, it should be noted that the access control may differ between the local copy and the server.
When a Notes database with permissions set is accessed, the entry is recorded in the User Log (log.nsf), which can be viewed through the following process:
The details show whether any read or write activity has been performed on the database, which is important for a Lotus Notes NSF forensics investigation. The act of deletion is presented as a Write action, while replication is presented as a large number of Read actions.
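The reading rule above (deletion appears as a Write action, replication as a large number of Read actions) can be applied to exported activity records. The following is an added example, not part of the original article or of any Notes tool; the CSV export layout, the sample rows, and the `READ_BURST` threshold are all assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: one row per recorded access, in an ASSUMED CSV export
# layout (timestamp,user,database,reads,writes). Not the native log.nsf format.
SAMPLE_EXPORT = """timestamp,user,database,reads,writes
2024-03-04T09:02:11,Alice Hart/Acme,mail/ahart.nsf,12,1
2024-03-04T09:40:53,Bob Reyes/Acme,mail/ahart.nsf,4310,0
2024-03-04T10:15:07,Alice Hart/Acme,mail/ahart.nsf,3,0
2024-03-04T23:48:30,Carol Ng/Acme,hr/salaries.nsf,9,27
2024-03-05T08:01:19,Bob Reyes/Acme,hr/salaries.nsf,2,0
"""

READ_BURST = 1000  # assumed cut-off for "a large number of Read actions"

def parse_activity(text):
    """Parse exported rows into dicts with integer read/write counts."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        try:
            rec["reads"], rec["writes"] = int(rec["reads"]), int(rec["writes"])
        except (KeyError, TypeError, ValueError):
            continue  # skip malformed rows rather than abort the triage
        rows.append(rec)
    return rows

def triage(rows, read_burst=READ_BURST):
    """Flag read bursts (possible replication) and any write activity
    (which, per the article, is also how a deletion is presented)."""
    findings = []
    for r in rows:
        if r["reads"] >= read_burst:
            findings.append((r["timestamp"], r["user"], r["database"],
                             "possible-replication", r["reads"]))
        if r["writes"] > 0:
            findings.append((r["timestamp"], r["user"], r["database"],
                             "write-activity", r["writes"]))
    return findings

def summarize(findings):
    """Group finding labels per (user, database) for the examiner's notes."""
    summary = defaultdict(list)
    for _ts, user, db, label, _count in findings:
        summary[(user, db)].append(label)
    return dict(summary)
```

A flagged row is a lead for the examiner, not a conclusion: the log records only that writes occurred, so a write-activity entry has to be correlated with other artifacts to tell a deletion from an ordinary edit.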
How artifacts can be carved out from the database depends a lot on how the settings have been managed by the administrator. Pairing the investigation with a Lotus Notes NSF forensic tool can help in analyzing the collected artifacts.
Opening NSF files without the Notes Domino platform, examining email headers and hops, filtering the required data through keywords, etc. are part of the Lotus Notes database analysis phase of eDiscovery. Lotus Notes email analysis can be supported by a Lotus Notes forensics tool like Mailxaminer, which is proven for digital forensics of a number of mail platforms.