Lotus Notes NSF Forensics

Tricks and Techniques To Simplify Lotus Notes Forensics

Introduction of Lotus Notes

Lotus Notes® is a messaging and collaboration platform developed by IBM. It integrates business tasks such as email, calendaring, contact management, discussion forums and microblogging on top of a document database, and it runs as a client-server pair: the Notes® client and the Domino® server. Data resides at both ends, on the client and on the server.

Storage in Lotus Notes

A Lotus Notes database is stored as a Notes Storage Format (NSF) file in the Notes data directory, by default "c:\lotus\notes\data" in older installations (the Directory= setting in notes.ini names the actual location). The Notes client alone is enough to open NSF files for examination, so a Domino server is not needed. Each user's data is held in a single NSF file, as a local replica on the client and as the master copy on the server.
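The following script is an added example (not code from the original page) of how an examiner can locate and inventory the NSF files described in this section. It assumes only the standard notes.ini Directory= setting for the data directory and the file names the text uses (names.nsf, notebook.nsf, log.nsf, plus a per-user mail file whose name varies); the sample data directory it builds is constructed for the demonstration.

```python
"""Triage inventory of Lotus Notes NSF artifacts in a Notes data directory.

Added example, not code from the original page.  It assumes the notes.ini
'Directory=' key points at the data directory (a standard Notes setting) and
uses the file names the text describes.  The sample data directory built by
build_sample_data_dir() is constructed for demonstration only.
"""
import hashlib
import os
import tempfile

# Artifact roles for the file names discussed in the text.  The per-user
# mail file has no fixed name ("username.nsf"), so any other *.nsf is
# reported as a candidate mail or application database.
KNOWN_NSF = {
    "names.nsf": "personal address book (contacts)",
    "notebook.nsf": "personal journal / notebook",
    "log.nsf": "Notes log",
}


def parse_notes_ini(ini_text):
    """Return the data directory named by the Directory= line, or None."""
    for line in ini_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "directory":
            return value.strip()
    return None


def data_dir_from_install(install_dir):
    """Read notes.ini in install_dir and resolve the data directory."""
    with open(os.path.join(install_dir, "notes.ini"), "r") as fh:
        return parse_notes_ini(fh.read())


def sha256_file(path):
    """Hash a file in chunks so large mail files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def inventory_nsf(data_dir):
    """List every *.nsf under data_dir with its role, size and SHA-256.

    Hashing at collection time lets the examiner show later that the
    database analysed is the one that was collected.
    """
    records = []
    for root, _dirs, files in os.walk(data_dir):
        for name in files:
            if not name.lower().endswith(".nsf"):
                continue
            path = os.path.join(root, name)
            records.append({
                "path": path,
                "name": name,
                "role": KNOWN_NSF.get(name.lower(), "candidate mail/application database"),
                "size": os.path.getsize(path),
                "sha256": sha256_file(path),
            })
    return sorted(records, key=lambda r: r["path"])


def build_sample_data_dir():
    """Create a constructed Notes install (notes.ini + data dir) for the demo."""
    base = tempfile.mkdtemp(prefix="notesdata_")
    data = os.path.join(base, "data")
    os.makedirs(os.path.join(data, "mail"))
    with open(os.path.join(base, "notes.ini"), "w") as fh:
        fh.write("[Notes]\nDirectory=%s\nKeyFilename=user.id\n" % data)
    samples = {  # constructed contents, not real NSF data
        os.path.join("mail", "jsmith.nsf"): b"constructed mail file",
        "names.nsf": b"constructed address book",
        "notebook.nsf": b"constructed journal",
        "log.nsf": b"constructed log",
        "readme.txt": b"not an nsf",
    }
    for rel, payload in samples.items():
        with open(os.path.join(data, rel), "wb") as fh:
            fh.write(payload)
    return base


if __name__ == "__main__":
    install = build_sample_data_dir()
    for rec in inventory_nsf(data_dir_from_install(install)):
        print("%-14s %-38s %6d %s" % (rec["name"], rec["role"], rec["size"], rec["sha256"][:16]))
```

On a real system point data_dir_from_install() at the directory holding notes.ini and record the returned inventory alongside the image; the hashes are what ties the examined username.nsf, names.nsf and notebook.nsf back to the collected originals.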

  • The mail database (username.nsf) holds the message folders, mail with follow-up flags, the All Documents view, chat history and archived data, all of which can be examined to carve out artifacts. Calendar entries and the To-Do list are stored in the same file.
  • The next important part of the messaging environment is Contacts. The personal address book is stored in names.nsf (on a Domino server the same file name is used for the Domino Directory). For investigation and analysis the contacts can be exported to a readable format, either vCard (VCF) or comma-separated values (CSV).
  • Another element that can help in a Lotus Notes forensic investigation is the Notebook, also known as the Personal Journal. It contains the custodian's personal documents and notes and can indicate which documents mattered to them. It is stored in notebook.nsf.
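Once the contacts have been exported in vCard form, the examiner usually wants them flat enough to sort and search. The parser below is an added example (not code from the original page or the product) that normalises a vCard export into CSV rows; it assumes only the vCard 3.0 conventions of one property per line, ";" separated structured values and line folding with a leading space, and the vCard text it parses is constructed for the demonstration.

```python
"""Normalise a Notes contacts export in vCard form into CSV rows.

Added example, not code from the original page.  SAMPLE_VCF is constructed;
the parser assumes vCard 3.0 line folding (continuation lines start with a
space or tab) and ':' separating property name from value.
"""
import csv
import io

# Constructed sample export: two contacts, one with a folded NOTE line.
SAMPLE_VCF = """BEGIN:VCARD
VERSION:3.0
N:Smith;Jane;;;
FN:Jane Smith
ORG:Example Corp
EMAIL;TYPE=INTERNET:jane.smith@example.com
EMAIL;TYPE=INTERNET:jsmith@example.org
TEL;TYPE=WORK:+1 555 0100
NOTE:Folded note line that continues
  on the next line
END:VCARD
BEGIN:VCARD
VERSION:3.0
N:Doe;John;;;
FN:John Doe
TEL;TYPE=CELL:+1 555 0199
END:VCARD
"""


def unfold(text):
    """Join folded continuation lines (a line starting with space or tab)."""
    lines = []
    for raw in text.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_vcards(text):
    """Return one dict per BEGIN:VCARD ... END:VCARD block."""
    cards, current = [], None
    for line in unfold(text):
        if not line.strip():
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue                      # malformed line, skip it
        prop = name.partition(";")[0].upper()   # drop TYPE=... parameters
        if prop == "BEGIN" and value.strip().upper() == "VCARD":
            current = {"FN": "", "N": "", "ORG": "", "NOTE": "", "EMAIL": [], "TEL": []}
        elif prop == "END" and value.strip().upper() == "VCARD":
            if current is not None:
                cards.append(current)
            current = None
        elif current is None:
            continue                      # property outside a card
        elif prop in ("EMAIL", "TEL"):
            current[prop].append(value.strip())   # multi-valued properties
        elif prop in ("FN", "N", "ORG", "NOTE"):
            current[prop] = value.strip()
    return cards


def vcards_to_csv(text):
    """Flatten parsed cards to CSV, one row per contact, multi-values ';' joined."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["full_name", "structured_name", "org", "emails", "phones", "note"])
    for card in parse_vcards(text):
        writer.writerow([card["FN"], card["N"], card["ORG"],
                         ";".join(card["EMAIL"]), ";".join(card["TEL"]), card["NOTE"]])
    return buf.getvalue()


if __name__ == "__main__":
    print(vcards_to_csv(SAMPLE_VCF), end="")
```

Feeding the real export through vcards_to_csv() gives a table in which every email address and phone number a custodian stored can be matched against the addresses seen in the mail file.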

Instant Messaging and Chat History

Notes and Domino environments include a messaging platform called "Sametime", an instant-messaging alternative to email and phone calls. Chats between two users or within a group can be recorded; saving can happen automatically or at the user's request. The history is stored either in the user's mail file (username.nsf) or locally on the workstation as a transcript, and either copy can be used in Lotus Notes NSF forensics.

Security Options in Lotus Notes

Domino Directory: a Notes database (names.nsf on the server) that stores configuration information for the users, servers and other entities in a Notes domain. It is created automatically when the first server in the domain is configured.

Because the Domino Directory holds all of the domain's system configuration, anyone with administrative access to it can damage the Notes installation across the whole domain, so that access should be tightly controlled. Given its importance, organizations maintain regular backups of the Domino Directory.

Notes ID: when a new user, server or certifier is registered, Notes generates a unique ID file. It contains the entity's name, its certificates and encryption keys, and is protected by a password that unlocks its contents.

Depending on the entity, these ID files are referred to as User ID, Server ID and Certifier ID. The ID file is central to Notes security: to access any resource in a Notes domain the ID file must be present, and the system checks the certificates in it that were issued by the certifiers. Establishing which ID file was used is therefore important in Lotus Notes forensics.

In addition, if encryption or digital signatures are used to protect data in transit, the private key is stored in the ID file. To prevent a stolen ID file from being used against the domain's users, its contents are encrypted with a key derived from the password; without the password the private key cannot be extracted.

If the ID file is lost it cannot be reconstructed and must be re-created, because it holds the private key and a private key cannot be derived from the public key. The exception is an organization that has deployed Domino ID recovery or the ID vault, which keep an escrowed copy of the ID file that an administrator can restore.

Access Control and Logging

Access control lists (ACLs) are the main way in which access to a Notes database is restricted. Each database carries its own ACL listing the names and access levels allowed, protecting it against unauthorized access. Note that the ACL is enforced by the server: on a local replica it is not enforced unless the database is set to enforce a consistent ACL across all replicas, so a locally held copy may be readable even where the server copy is restricted.

When a database protected by an ACL is accessed, the access is recorded as user activity, viewable per database from the client and, for server-based databases, centrally in the server's log (log.nsf). The per-database record can be viewed as follows:

  • Open the database and choose Properties from the File menu.
  • On the Information tab, click "User Detail".

The record shows whether each user performed read or write activity on the database and when, which matters to a Lotus Notes NSF forensic investigation. Note how operations appear in it: a deletion shows up as a Write action, while a replication shows up as a large number of Read actions.

Lotus Notes Database Analysis

How artifacts are carved out of the database depends heavily on how the administrator has configured the environment. A dedicated Lotus Notes NSF forensic tool can assist in analysing the collected artifacts.

Opening NSF files without the Notes/Domino platform, examining email headers and hops, and filtering the required data by keyword are part of the Lotus Notes database analysis phase of eDiscovery. Lotus Notes email analysis can be supported by a forensics tool proven for digital forensics across a number of mail platforms.