
Novell Groupwise

(@velandra)
Posts: 9
Active Member
Topic starter
 

Hi guys.

I have to do an investigation involving Novell Groupwise emails. Is there anyone that has done investigations like this using FTK?

 
Posted : 22/10/2009 12:13 pm
(@bithead)
Posts: 1206
Noble Member
 

Unless something has changed in the newest version (which I have only started to play with), you will need some sort of intermediate step to read/extract the message store.

 
Posted : 22/10/2009 5:06 pm
(@armresl)
Posts: 1011
Noble Member
 

Paraben's Network Email Examiner is a great choice for this, and pretty reasonably priced compared to enterprise options.

 
Posted : 22/10/2009 9:42 pm
(@velandra)
Posts: 9
Active Member
Topic starter
 

Hi

Thanks for the reply. After some research I found a program called Nexics that has software that allows you to view GroupWise emails securely and in a forensically sound manner, or that's what they claim. I have requested a trial version and will be giving feedback once I have tested it out.

Have a great day. SA is damn hot at the moment.

 
Posted : 23/10/2009 12:33 pm
(@paul206)
Posts: 70
Trusted Member
 

Velandra,
Are you wanting to analyze the workstation or the server? You won't find any GroupWise artifacts on the PC. GroupWise stores everything in the user's mailbox in the post office on the server. I use FTK in a Novell shop that uses GroupWise. When we get an email investigation we do it one of two ways.

1. The LAN group changes the password to their email account and I log into Novell as me and log into GroupWise as the user with the new password. We do this for currently existing email.

2. When we want to see email from the past we have the LAN group restore the appropriate tape backups to a storage area and then log into the user's GroupWise as them with the new password and restore the backup. Either way the user knows they are being investigated because they are not told the new password while we are looking at it.

I am not familiar with Nexics but I work for government and we are not allowed to buy stuff so I can't use it. I hope it does what you want.

 
Posted : 23/10/2009 6:42 pm
(@paul206)
Posts: 70
Trusted Member
 

By the way, GroupWise normally remembers the last user to log in and brings it up. You will not be doing this on the user's computer and will need to change the user id from you to them. To force GroupWise to let you change it, you go into properties for the icon, then on the end of the executable you put a space and the letters /@u-? to bring up the dialog box. You can delete it when you are done.

 
Posted : 23/10/2009 6:47 pm