Lotus Notes - id files and FTK

Coax (@coax), topic starter:

Hello people,

Been lurking this forum for a while now and I need some advice as this has been driving me NUTS.

So I'm working on a case where there's a 4GB Lotus Notes NSF file - <username>.nsf recognized by FTK 3.3 as an encrypted database. I know that you need a password to decrypt it.

I contacted the customer's IT department and they (not knowing we use FTK and that I had already taken a forensic image of the suspect's laptop) reset the password on the suspect's machine and sent me the id file, with the instruction to replace the id file currently on the machine with the one they sent me.

Of course, adding stuff to the case is a no-no. So I extracted the 4GB nsf file to a new image, added the new id file and then added the two files to a new case in FTK. So I have a username.nsf and a username.id.

But the nsf files still refuse to decrypt with a blank password. What am I missing here?

I don't know Lotus Notes at all. Is the password something different from the user password in Windows? How can an admin bypass that password if a user were to leave? How does FTK take the id file into account when I ask it to decrypt the nsf file?


Tawmess (@tawmess):

I am a long-time expert in Lotus Notes – with no skills in digital forensics.

Here is a primer on the industry-leading encryption within Lotus Notes…
http://www.ibm.com/developerworks/lotus/library/ls-Notes_Encryption/

As it seems, you can now easily inspect the contents of your copied target file - just use the Lotus Notes client software (v8.5.3 is the latest).

Here's how…
On any machine, install the appropriate version of the Lotus Notes client software, along with a copy of your target file and the updated user.id file you were given.

(IBM offers the client software for free, as part of the download for Lotus Domino Designer v8.5.3.)

The steps… (Note: Lotus Notes logs user access to NSF files, within those files!)
#1 - Start Lotus Notes client.
#2 - Tell Lotus Notes to switch to your new user.id file (entering your provided password).
#3 - Tell Lotus Notes to open your copied target NSF file
#4 - If all is ok, you are now looking at the standard "mail" application, within Lotus Notes – ready for your inspection.

That is the overview – you have a lot of steps to get there.

Finally…
Lotus Notes is well-designed for a full range of user-controlled security – the user.id file is vital (used as designed by the Lotus Notes client software), and the credentials within the user.id need to match an existing entry on the Access Control List "ACL" of the target NSF file (which should already be the case for your configuration).

Good Luck!


ddewildt (@ddewildt):

Tawmess is right… the easiest way to open the file is with Notes.

I'm not sure if FTK is supposed to be able to handle encrypted NSF files or not, so I would probably take it a step further in Notes and create a copy of the mail database without any encryption. Then you could load that back into FTK (or whatever email review product you have) to look at the items that way if you prefer.


jhup (@jhup):

If you have the .id file & pass, there are several tools to export the NSF to MSG and thereafter ingest it with dtSearch.


Coax (@coax), topic starter:

Tawmess, thanks a lot for the advice. I will try this out and get back to report the results.


Coax (@coax), topic starter:

Hello,

I managed to get FTK to import the NSF files. Decrypting the nsf files within FTK 3.3 did not work at all. I had to find a way to decrypt the file.

So I installed the Lotus Notes Client, switched to the correct user id, opened the nsf file and chose the option to decrypt the nsf database. You then have to "compact" the database to let it unencrypt. I reimported my unencrypted nsf file into FTK and added it to the case.

Thanks a lot Tawmess!
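Two points in this thread deserve bookkeeping around the decrypt-in-Notes step: Coax only ever works on a copy extracted into a new image, and Tawmess warns that the Notes client logs user access inside the NSF itself, so opening the database changes the file. The script below is an added example and is not from any post above or from IBM's tooling; it shows the hashing a practitioner would wrap around that step: hash the evidence copy, the id file and the working copy before the client touches anything, then re-hash afterwards to prove the evidence copy is untouched and to record the hash of the derived, decrypted NSF. The directory layout, file names and file contents are constructed placeholders; the write that overwrites the working copy stands in for what the Notes client does when local encryption is turned off and the database is compacted.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 in 1 MiB chunks; a 4 GB NSF must not be read whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(label, paths, note=""):
    """Hash each path and return a manifest dict (the same structure is written out as JSON)."""
    return {
        "label": label,
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "note": note,
        "files": {p: {"sha256": sha256_file(p), "size": os.path.getsize(p)} for p in paths},
    }


def verify_unchanged(manifest, paths):
    """Re-hash the given paths and return those whose SHA-256 differs from the manifest."""
    return [p for p in paths if manifest["files"][p]["sha256"] != sha256_file(p)]


def run_workflow(workdir):
    """Lay out evidence and working copies, hash them, simulate the Notes client step, re-check."""
    evidence = os.path.join(workdir, "evidence")
    working = os.path.join(workdir, "working")
    os.makedirs(evidence)
    os.makedirs(working)

    # Constructed placeholders: a real NSF is a multi-GB binary and a real
    # user.id holds the user's keys. Only the hashing workflow is real here.
    orig_nsf = os.path.join(evidence, "username.nsf")
    id_file = os.path.join(evidence, "username.id")
    with open(orig_nsf, "wb") as f:
        f.write(b"CONSTRUCTED-ENCRYPTED-NSF-PLACEHOLDER\n" * 64)
    with open(id_file, "wb") as f:
        f.write(b"CONSTRUCTED-ID-FILE-PLACEHOLDER\n")

    # The Notes client is only ever pointed at a second copy, never at the
    # file extracted from the forensic image.
    work_nsf = os.path.join(working, "username.nsf")
    shutil.copy2(orig_nsf, work_nsf)

    before = build_manifest("pre-notes", [orig_nsf, id_file, work_nsf],
                            note="taken before the working copy is opened in the Notes client")

    # Stand-in for the client step (switch ID, open database, turn off local
    # encryption, compact): the bytes on disk change, which is the point.
    with open(work_nsf, "r+b") as f:
        f.seek(0)
        f.write(b"CONSTRUCTED-DECRYPTED-NSF-PLACEHOLDER\n")

    after = build_manifest("post-decrypt", [work_nsf],
                           note="local encryption removed and database compacted in the Notes client")

    with open(os.path.join(workdir, "manifest.json"), "w") as f:
        json.dump({"before": before, "after": after}, f, indent=2)

    return {
        "evidence_changed": verify_unchanged(before, [orig_nsf, id_file]),
        "working_changed": verify_unchanged(before, [work_nsf]),
        "copy_matched_evidence": before["files"][work_nsf]["sha256"]
        == before["files"][orig_nsf]["sha256"],
        "derived_sha256": after["files"][work_nsf]["sha256"],
    }


def run_workflow_in_tempdir():
    """Run the workflow in a throwaway directory (hypothetical layout, for demonstration)."""
    with tempfile.TemporaryDirectory() as d:
        return run_workflow(d)


if __name__ == "__main__":
    result = run_workflow_in_tempdir()
    print("evidence files changed:", result["evidence_changed"])    # expected: []
    print("working copy changed:", len(result["working_changed"]))  # expected: 1
    print("derived NSF sha256:", result["derived_sha256"])
```

The decryption itself still happens in the Notes client exactly as Coax describes (switch to the supplied user.id, open the database, turn off local encryption, compact); the script only brackets that step so that the manifest shows the evidence copy and id file unchanged and ties the decrypted NSF that goes back into FTK to the hash it had when it was produced.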

