±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 0 Overall: 36738
New Yesterday: 0 Visitors: 124

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Videos

±Latest Jobs

Lotus Notes Collection

Computer forensics discussion. Please ensure that your post is not better suited to one of the forums below (if it is, please post it there instead!)
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
Page Previous  1, 2, 3, 4 
  

kalymistirl
Member
 

Re: Lotus Notes Collection

Post Posted: Nov 09, 10 16:53

Hi,

Just a quick pointer, When doing a collection of Notes NSF Files, you should request from the IT person in charge of the environment is there any compacting of mail boxes running on the domino server. I carried out some testing on some nsf mail boxes. If I delete mails form an NSF Mail box and then compact the mailbox on the server I will will loose some of the the deleted mails.

You may want to estibilish the backup environment of the suspect premises.

Hope this helps.

James  
 
  

jhup
Senior Member
 

Re: Lotus Notes Collection

Post Posted: Nov 10, 10 00:35

I can only speak from my personal experience.

PST to MSG... I use dtSearch's mapitool.

As for NSF to MSG, so far I have been most successful using NSF to PST to MSG, I have yet to find a good (stable) solution to do this NSF to MSG conversion.

I have used 'Transend Migrator Forensic' with the some success for both PST and NSF.

Agreed, metadata is altered, directory/folder structure lost, and some attachments get mangled. but, in my experience for most discovery, the purpose of conversion of, say 2 million messages is to find the dozen which is relevant, and then go back to the original and extract only those originals with the appropriate headers and intact metadata.

I would love to say that my work involves cutting edge forensics; alas almost all cases revolve around e-mail content, with little need to do forensics. Yes, the drudgery of indexing gobs and gobs of meeting notes is where electronic discovery 'shines'.

- joachimm
- jhup
I collect both PSTs and NSFs then dump them into MSGs for indexing, by the millions. Crying or Very sad

In my experience about 2/3rds of the time the problems are with the NSF extracts, not the PST.


Part of the problem is probably that PST -> MSG remains MAPI (no conversion) and NSF -> MSG needs conversion. Personally I'm reluctant to such conversions because you'll alter the metadata, but I also know that sometimes you (in general) have little other choice.

Another part might be that the tool(s) you are using has a limited or broken support for NSF. I was often amazed to find the only tool capable to read certain NSF files is Notes itself. But I also have seen semi-corrupted-PST files created by Exmerge not being opened by any tool. For which I had to cook up something in libpff.

Note that both PST and NSF are complex database formats. Although if you put them in comparison the latter might be the more complex due to more capabilities. Where PST uses a lot of external COM objects, NSF mostly has the functionality embedded.


- roncufley
- jhup
I collect both PSTs and NSFs then dump them into MSGs for indexing


What tools do you use to get from .nsf to .msg?
 
 
  

joachimm
Senior Member
 

Re: Lotus Notes Collection

Post Posted: Nov 10, 10 01:24

- jhup
I would love to say that my work involves cutting edge forensics; alas almost all cases revolve around e-mail content, with little need to do forensics.


Note that cutting-edge quite easily can turn into bleeding-edge Wink  
 

Page 4 of 4
Page Previous  1, 2, 3, 4