Lotus Notes Collection


isth
Senior Member
 

Lotus Notes Collection

Post Posted: Nov 04, 10 02:05

Hi All,

We have a potential collection job coming up which involves the collection of multiple (~12) custodian hard drives along with each user's mail. The client has sparse details as of yet, but one of the things they mentioned is that their primary mail system is Lotus Notes. I have experience collecting from Exchange, either using Exmerge or copying the entire EDB, but I have never worked directly with Lotus Notes - besides using the trial version to view NSFs. Would someone be able to point me in the direction of methodology for collecting Notes email? Is it just a dump of NSFs in a predetermined folder or something that requires an exmerge-esque utility?

Any insight would be appreciated.

Thanks!  
 
  

jonstewart
Member
 

Re: Lotus Notes Collection

Post Posted: Nov 04, 10 02:47

The nice thing about Lotus Notes is that it's NSFs on the client and it's NSFs on the server. Contrast that with Exchange/Outlook, where it's PSTs on the client and EDBs on the server. You don't have to worry about using an exmerge-like utility.

That's the only thing nice about Lotus Notes. It's otherwise hellacious to deal with. Lotus Notes itself is buggy, the file format is complex, the types of data it stores are very flexible--it's not just email--which means you have to figure out whether an organization is using custom forms and how best to produce that data, and tool support for Notes is generally not as good as for Outlook.

Oh, and encryption? Yeah, there's encryption. Notes has "ID" files, and you need those to decrypt the NSFs. I cannot remember at the moment whether there's a master escrow ID file (i.e., an administrator ID file). You're dead in the water if you don't collect these.

I'm not a Notes expert, so I don't want to comment beyond my expertise, but... do your homework and run through some trials before going onsite. It is not a forgiving, learn-as-you-go technology.

Jon  
 
  

roncufley
Senior Member
 

Re: Lotus Notes Collection

Post Posted: Nov 04, 10 19:08

Jon is correct in that if you have the .nsf files you have all the data, the views, the forms....... everything. You can always be sure that you can carry out the extraction and analysis later. There should be at least one .nsf for each custodian which may be on the server or the workstation or both and may be replicated onto other servers. His point about the id files may or may not matter, if the .nsf files are encrypted then you need both the id files and the users' passwords; depending upon how the system is set up these may be available from the admins (or, indeed, they may not).

There is a further possible wrinkle in that it is permissible to have a single email repository like Exchange Server but this is very rarely used, if it does exist it will be encrypted as a virtual certainty.

Any questions - just ask.

Good luck
Ron

PS By the way, Lotus Notes is a wonderful system, don't listen to the detractors.
_________________
Forensic Computer Services
Digital Forensics and eDiscovery
Lotus Notes eDiscovery and Forensics
CCTV Forensics and analysis
Tape eDiscovery and Forensics 
 
  

isth
Senior Member
 

Re: Lotus Notes Collection

Post Posted: Nov 04, 10 20:13

Thanks so much for the replies, gents! We're scheduled to have a call with the client to obtain more details on the exact configuration in the near future. It does seem like this will be a fairly straightforward task though.

Thanks again for the feedback!  
 
  

gblack
Member
 

Re: Lotus Notes Collection

Post Posted: Nov 04, 10 22:35

- roncufley
if you have the .nsf files you have all the data, the views, the forms....... everything


That's not 100% correct. A copy of the NSF can be made by an administrator in which you don't get design elements, only documents. Make sure this doesn't happen. Often the Notes admin can make a physical copy of the NSF directly from the server and get everything. NSFs from a Notes server are typically not encrypted, and once you have a local copy permissions are ignored. If you get one of these, you MUST double check and make sure it opens after you receive the copy. I have seen NSFs get corrupted from physical copies off of Notes servers, especially when the files are active mailboxes in use.

If you're collecting from the desktop or home/group shares, this is where you have to worry about the ID files and passwords.

- roncufley
PS By the way, Lotus Notes is a wonderful system, don't listen to the detractors.


Bah, humbug! The Notes dev API is as screwed up as they come. Someone put very little forethought into the design of it and developers pay the price. Notes is the devil! :)
_________________
Geoff 
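
An added example, not part of any post in this thread: one way to catch the failure described above, where a physical copy is taken from a mailbox that is still in use. It hashes the source before and after the copy and compares both to the copy; `collect_nsf`, `demo` and the file names are hypothetical, and the input is a constructed stand-in file, not a real NSF.

```python
import hashlib
import os
import shutil
import tempfile

def sha256_file(path, chunk=1 << 20):
    """Stream the file through SHA-256 so large mail files never sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def collect_nsf(src, dst_dir, copy_fn=shutil.copy2):
    """Copy src into dst_dir and classify the result (hypothetical helper)."""
    size_before = os.path.getsize(src)
    hash_before = sha256_file(src)
    dst = os.path.join(dst_dir, os.path.basename(src))
    copy_fn(src, dst)
    hash_copy = sha256_file(dst)
    hash_after = sha256_file(src)
    if hash_before != hash_after or size_before != os.path.getsize(src):
        status = "source_changed"   # source was written to during collection
    elif hash_copy != hash_before:
        status = "copy_mismatch"    # source was stable but the copy differs
    else:
        status = "verified"
    return {"copy": dst, "sha256": hash_copy, "status": status}

def demo():
    """Run against constructed stand-in files, not real NSFs."""
    with tempfile.TemporaryDirectory() as work:
        src_dir = os.path.join(work, "server")
        dst_dir = os.path.join(work, "evidence")
        os.makedirs(src_dir)
        os.makedirs(dst_dir)
        src = os.path.join(src_dir, "custodian1.nsf")
        with open(src, "wb") as f:
            f.write(b"constructed sample data " * 4096)
        quiet = collect_nsf(src, dst_dir)

        def copy_while_in_use(s, d):
            shutil.copy2(s, d)
            with open(s, "ab") as f:  # simulate a write arriving mid-collection
                f.write(b"new mail")
        busy = collect_nsf(src, dst_dir, copy_fn=copy_while_in_use)
        return quiet["status"], busy["status"]

if __name__ == "__main__":
    print(demo())
```

A `verified` result only shows the copy is bit-identical to a source that did not change; it does not replace opening the copy to confirm it is usable.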
 
  

roncufley
Senior Member
 

Re: Lotus Notes Collection

Post Posted: Nov 04, 10 23:31

- gblack
- roncufley
if you have the .nsf files you have all the data, the views, the forms....... everything


That's not 100% correct. A copy of the NSF can be made by an administrator in which you don't get design elements, only documents.


I think that one can say that it is axiomatic that if a copy is made that intentionally leaves things out then those things that are left out will not be in the copy, I didn't realise that I had to specify that. (We are talking forensics here aren't we?)

- gblack
<.....> and once you have a local copy permissions are ignored.


Perhaps or should I say often?

- gblack
- roncufley
PS By the way, Lotus Notes is a wonderful system, don't listen to the detractors.


Bah, humbug! The Notes dev API is as screwed up as they come. Someone put very little forethought into the design of it and developers pay the price. Notes is the devil! :)


Workmen and tools?
 
  

gblack
Member
 

Re: Lotus Notes Collection

Post Posted: Nov 05, 10 00:09

- roncufley
I think that one can say that it is axiomatic that if a copy is made that intentionally leaves things out then those things that are left out will not be in the copy, I didn't realise that I had to specify that. (We are talking forensics here aren't we?)


I don't think we are, actually. This sounds like an eDiscovery collection to me. There's more than one way to get a "copy" of a Notes mailbox. Since the OP is obviously unfamiliar, I'd rather give more information than less.
_________________
Geoff 
 
