Lotus Notes Collection


isth
Senior Member
 

Re: Lotus Notes Collection

Post Posted: Nov 05, 10 01:20

To add, the collection is for the purposes of eDiscovery, yes. We typically make dd images of custodian desktop drives (which would encompass any NSFs that may exist on the user's machine) AND we collect all mail from the mail servers for the applicable users. This approach is typically highly duplicative but it ensures we have the most complete dataset, since e-mail is often of the most interest and it's really easy for someone to tamper with email on their own machine.

Appreciate the additional info.  
 
  

roncufley
Senior Member
 

Re: Lotus Notes Collection

Post Posted: Nov 05, 10 03:39

- gblack
- roncufley
(We are talking forensics here aren't we?)


I don't think we are, actually. This sounds like an eDiscovery collection to me.


This raises an interesting question, is this not a distinction without a difference? Forensics is producing evidence to place before the Court and eDiscovery is producing evidence to place before the Court. I appreciate the tools and techniques might not be the same but do we not have to exercise the same care and attention to detail? Can we really afford to say, "Oh those records are probably missing because I might not have copied the whole file," just because it is "only" eDiscovery? I think not, what do others think?
_________________
Forensic Computer Services
Digital Forensics and eDiscovery
Lotus Notes eDiscovery and Forensics
CCTV Forensics and analysis
Tape eDiscovery and Forensics 
 
  

mbarnes86
Newbie
 

Re: Lotus Notes Collection

Post Posted: Nov 05, 10 04:19

Hi

About a year ago my employer went over to Outlook & Exchange Server from Lotus Notes and Lotus Domino Server, so my recollection may be a bit hazy.
There were several thousand users with many Notes servers.

The Domino servers (Win 2003) had 1 NSF file per user.
The user's U: (user's private area on login server) had some data and identity files,
and the local PC had some files and data copied from the U: when the user first used Notes on a PC; these were updated while the Notes client was in use.
The server Notes files were compacted by a process which ran each night
to remove deleted messages.

Smaller systems may be less complex.

regards
Mike Barnes  
 
  

gblack
Member
 

Re: Lotus Notes Collection

Post Posted: Nov 05, 10 20:39

- roncufley
This raises an interesting question, is this not a distinction without a difference? Forensics is producing evidence to place before the Court and eDiscovery is producing evidence to place before the Court.


I'm not all that familiar with UK law concerning eDiscovery, so I really can't speak to any difference on burden you might experience. In the US, courts routinely weigh cost, burden, and reasonableness in what will be collected and reviewed for any given case, forensic or eDiscovery.

- roncufley
I appreciate the tools and techniques might not be the same but do we not have to exercise the same care and attention to detail?


We absolutely must exercise attention to detail - it's just as important in eDiscovery as it is in forensics, just in different areas of specificity.

- roncufley
Can we really afford to say, "Oh those records are probably missing because I might not have copied the whole file," just because it is "only" eDiscovery? I think not, what do others think?


I think you've completely misinterpreted my statements. My original post was intended to give the OP more information on how to avoid missing data that will be useful later. You can obtain a copy of all messages in an NSF and miss design elements. This causes problems for eDiscovery Review vendors if there are documents present with custom forms. That being said, forensics and eDiscovery are necessarily different in their requirements and connotations.
_________________
Geoff 
 
  

Buster
Member
 

Re: Lotus Notes Collection

Post Posted: Nov 08, 10 14:16

isth

AND we collect all mail from the mail servers for the applicable users


That's a good plan with Lotus/Domino systems; otherwise you may just end up with the headers and no message bodies due to Domino's "Single Copy Object Store" (SCOS), which allows servers to store a single copy of messages received by multiple recipients in a special central database, or object store.

There are some useful Domino notes either side of this link.

Stu
_________________
My Computer Once Beat Me at Chess, but it is No Match for Me at Kickboxing! 
 
  

isth
Senior Member
 

Re: Lotus Notes Collection

Post Posted: Nov 08, 10 21:36



There are some useful Domino notes either side of this link.

Stu


Thanks, Stu, this is good to know! Quick question on this... if SCOS is enabled the notes mention that the unique copies are stored in a separate "shared mail database." Is this separate database just another series of NSF files or is it in a different file format that would require special handling to collect?


An FYI to anyone who comes across this thread and is looking for more info on Notes, here's a snippet on that same site regarding Mail Journaling: Link
 
  

Buster
Member
 

Re: Lotus Notes Collection

Post Posted: Nov 08, 10 22:47

isth

Is this separate database just another series of NSF files or is it in a different file format


From memory, they will be in NSF format, although around v7 IBM added the ability to use DB2 as an alternative (NSFDB2), though I believe this is now deprecated and no longer supported.

I also seem to remember a set of files called "MAIL.BOX" which were relevant (on the server side) but I can't recall why off the top of my head. I'll try and dig out some old notes (if I still have them) and see if they will be of any use.

It is also worth knowing that any attachments will be compressed using LZ1.

Stu
_________________
My Computer Once Beat Me at Chess, but it is No Match for Me at Kickboxing! 
 

Page 2 of 4