Lotus Notes eDiscovery – A Look at the Essentials
IBM Notes (Lotus Notes) is still known as the world’s first and best groupware application product. It offers collaborative services for email, personal information management, application development, and more in an organizational environment.
The application enables groups of people, typically teams, to work together through its client/server infrastructure. As a result, Lotus Notes allows data storage on both the Domino server and the client machine. Whatever changes are made to a local replica of a Notes database are synchronized automatically with the master database on Domino when connected. Thus, evidence can be tracked on both ends during an investigation.
This paper discusses the architecture of Lotus Notes and the Lotus Notes eDiscovery process: the typical methods, the recommended procedure, and tips on where to find reliable and potential evidence among the different Notes storage file types.
IBM Notes File Types
Important File Formats to Look For in Lotus Notes eDiscovery
The IBM Notes application has plenty of data files that store its databases and other information related to the application’s functioning. Of all these file types, four specifically need your attention during a forensic analysis:
1. Names.nsf
2. *.nsf
3. Username.nsf
4. Username.ID
The ‘.nsf’ database is the server mailbox replica, consisting of emails and other business/personal information of the account holder. This is the primary source of evidence, where the communications that took place and the contacts contacted can be found. ‘username.nsf’ is the address book file, which consists of any/all contacts. If the database is protected with a password, the ‘username.ID’ file will be required, along with the respective password, to access it.
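As an added example (not part of the original paper), the following Python script inventories the artefact types listed above in a Notes data directory and records a SHA-256 hash of each file so that later analysis can be tied back to the collected originals. The directory layout and file contents it builds are constructed placeholders, not real Notes files; the labels follow the file-type list above, with names.nsf reported as the address book and any other .nsf as a Notes database for the examiner to inspect.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Optional


def classify(path: Path) -> Optional[str]:
    """Map a file to one of the artefact types of interest, or None."""
    name = path.name.lower()
    if name == "names.nsf":
        return "address book (names.nsf)"
    if name.endswith(".nsf"):
        return "Notes database (.nsf)"
    if name.endswith(".id"):
        return "user ID file (.id)"
    return None


def sha256_of(path: Path) -> str:
    """Hash the file in 1 MiB chunks so large mail files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory(data_dir: str) -> List[Dict]:
    """Walk a Notes data directory and return one record per artefact of interest."""
    records = []
    for p in sorted(Path(data_dir).rglob("*")):
        if not p.is_file():
            continue
        kind = classify(p)
        if kind is None:
            continue  # notes.ini and other files are not collected here
        records.append({
            "path": str(p.relative_to(data_dir)),
            "kind": kind,
            "size": p.stat().st_size,
            "sha256": sha256_of(p),
        })
    return records


def build_sample_data_dir() -> str:
    """Constructed sample layout: placeholder bytes only, not real Notes files."""
    root = tempfile.mkdtemp(prefix="notes_data_")
    files = {
        "names.nsf": b"constructed address book placeholder",
        "mail/jdoe.nsf": b"constructed mail file placeholder",
        "jdoe.id": b"constructed user id placeholder",
        "notes.ini": b"constructed config; not an artefact of interest here",
        "log.nsf": b"constructed log database placeholder",
    }
    for rel, data in files.items():
        full = Path(root) / rel
        full.parent.mkdir(parents=True, exist_ok=True)
        full.write_bytes(data)
    return root


if __name__ == "__main__":
    for rec in inventory(build_sample_data_dir()):
        print(f"{rec['kind']:28} {rec['path']:18} {rec['size']:6d} {rec['sha256'][:16]}...")
```

Run it against a copy of a real data directory (never the live one) by passing that path to `inventory()`; the hashes should be recorded before any Notes client is pointed at the files, since opening a database can modify it.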
Being known primarily for serving groupware environments, mostly in organizations, Lotus Notes ensures in all aspects that its information remains safe. Another instance of this is that the Lotus Notes infrastructure does not let even a third-party application open its database as a standalone file; Lotus Notes itself is required to do so.
Challenges of Lotus Notes eDiscovery
Whenever information has to be carved out, challenges tend to come up. During Lotus Notes eDiscovery, some of the major challenges encountered are:
1. Strictly Proprietary: The Notes Storage Format file (.nsf) is strictly proprietary to Lotus Notes and cannot be accessed without the application installed. Therefore, creating a complete environment for accessing and studying the database is considered a cumbersome procedure.
2. Message Level Encryption: Security, one of the strongest aspects of Lotus Notes, is also applied at the user’s discretion. When exchanging a confidential email, a user can apply message-level encryption so that only the account holder (with the private key for the message) can decrypt and access the email; to anyone else it remains just a scrambled arrangement of text and characters. This is one of the biggest challenges, as an investigator may sometimes be completely cut off from emails that might be storing potential evidence.
3. Complicated Architecture: Traversing a Notes database is not a direct procedure due to the complicated infrastructure it is built on. In attempts to parse an NSF file, the internal structure has proved too complex to decode, which makes it unsuited to standalone forensics.
However, as a workaround to still parse the information stored within the data files that matter from a Lotus Notes forensic point of view, even a dummy profile will work. Looking closely at the challenges exposes the many possibilities for forensically examining a Notes database file. While a dummy profile resolves the obstacle of not being able to get into the contents of the file, information from email protected with message-level encryption can also be acquired.
Though message-level encryption can only be decrypted with the private key of the account holder, it protects only the message body and not the email subject and header fields such as sender details, IP, server path, etc., which are great sources of evidence.
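The point above, that the envelope stays readable when the body does not, is shown here in an added Python example that is not from the paper. It assumes the message has been exported from Notes in MIME/EML form with an S/MIME-style encrypted body (Notes’ native in-NSF encryption is not parsed here); the sample message, its addresses, hosts and IP addresses are all constructed placeholders. The triage function pulls out the sender, recipients, subject, date and the server path from the Received headers, and only reports that the body is encrypted rather than trying to read it.

```python
import json
import re
from email import message_from_string
from email.utils import getaddresses, parsedate_to_datetime

# Constructed sample: an exported message whose body is an S/MIME enveloped
# (encrypted) blob. Every value below is a placeholder, not real data.
SAMPLE_EML = """\
Received: from mail.example.test (mail.example.test [192.0.2.10])
    by relay.example.test with ESMTP id PLACEHOLDER; Tue, 02 Mar 2021 10:15:00 +0000
Received: from client.example.test ([198.51.100.7])
    by mail.example.test; Tue, 02 Mar 2021 10:14:58 +0000
From: Alice Example <alice@example.test>
To: Bob Example <bob@example.test>
Cc: Carol Example <carol@example.test>
Subject: Q1 figures (confidential)
Date: Tue, 02 Mar 2021 10:14:55 +0000
Message-ID: <placeholder-id@example.test>
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64

UExBQ0VIT0xERVItQ0lQSEVSVEVYVC1OT1QtUkVBTC1QS0NTNy1EQVRB
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HOP_RE = re.compile(r"from\s+([^\s;(]+).*?by\s+([^\s;]+)", re.DOTALL)


def is_body_encrypted(msg) -> bool:
    """True when the top-level content type marks the body as encrypted."""
    ctype = msg.get_content_type()
    if ctype == "application/pkcs7-mime":
        return (msg.get_param("smime-type") or "").lower() == "enveloped-data"
    if ctype == "multipart/encrypted":  # OpenPGP/MIME style container
        return True
    return False


def triage(raw: str) -> dict:
    """Extract header-level evidence without decrypting or reading the body."""
    msg = message_from_string(raw)
    hops, ips = [], []
    # Received headers are listed most-recent first; each gives a hop in the server path.
    for hdr in msg.get_all("Received", []):
        m = HOP_RE.search(hdr)
        hops.append({"from": m.group(1), "by": m.group(2)} if m else {"raw": hdr})
        ips.extend(IP_RE.findall(hdr))
    date_hdr = msg.get("Date")
    return {
        "sender": [addr for _, addr in getaddresses(msg.get_all("From", []))],
        "recipients": [addr for _, addr in
                       getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))],
        "subject": msg.get("Subject", ""),
        "date": parsedate_to_datetime(date_hdr).isoformat() if date_hdr else None,
        "message_id": msg.get("Message-ID"),
        "hops": hops,
        "ips": ips,
        "body_encrypted": is_body_encrypted(msg),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EML), indent=2))
```

Even with `body_encrypted` set, the output already answers who wrote to whom, when, about what, and through which servers, which is the metadata the paragraph above singles out as evidence; only the body needs the account holder’s private key.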
Conclusion
Thus, even though obstacles may be faced during the examination of this complicated database structure, deep knowledge of the program is the key to precisely concluding the eDiscovery of Lotus Notes using the User ID file, database, database replica, and address book file.