Analysis of novell webaccess artifacts
Sorry for the late response. I have been busy and have not been in the forums in a while. It may be too late already but I will give it a shot anyway. I work in a Novell shop. You need to do your investigation on the GroupWise server and the user's post office. The WebAccess for GroupWise is browser dependent and uses Java to run. You will have very few artifacts on the workstation except internet history showing the login and maybe some Java temp files if you are luck. You will get no more than you will with current versions of Hotmail/Windows Live Mail or Gmail or Yahoo Mail from the workstation. What you need to do is have your email admin notify the user that their email will be down for 2 or 3 days. They then change the password and give it to you. You sit down at your workstation in the same building as the user and log into GroupWise as them by opening the icon for GroupWise and putting the /@u-? at the end of the path to the executable. This forces GroupWise to ask for the password instead of using the last one to login. You now manually browse the user's post office looking for evidence. When you find it you print a hard copy and hand it in with your report. You investigation will not be automated or easy but that is Novell. This is the procedure we go through for every email investigation whether it is from the client or webaccess. You see webaccess goes straight to the post office just as if you were at the work station. Any artifacts will be browser related and minimal at best.
My reason for saying to be in the same building was meaning that you have to log into the post office the user in question does. If you only have one GroupWise server then you are ok. If not then your location will matter. You do not have the ability to redirect your client to a different server. Only to change the user id in the login box if you use the command in the shortcut.