Lotus Notes Forensics — Searching and Carving Out Evidence
Many cases related to Lotus Notes data have been encountered by me and my team. During the investigation, we noticed that there is a treasure of information in the form of an NSF database. To make it more clear, I will have to narrate the whole experience.
Most of the time, clients arrive with just Lotus Notes account credentials and demand to find out the evidence from the suspected person’s email account. Lotus Notes has its database in NSF format, storing – emails, contacts, tasks, calendars, notes, & journals. From a forensic point of view, the evidence can be hidden in any of the Lotus Notes elements. Lotus Notes is a good email client for sending and receiving mails and manages data well, but there is no easy or manual way to find out pieces of evidence secluded within.
The file extension used by Lotus Notes for its database is difficult to work with. Due to the various drawbacks and complexities attached to NSF file format. Like; if an account is password protected, the user id file has to be browsed for login. Without that id file, no one can access that particular account’s database. Also, security complexities create hurdles during analysis. For case analysis, we need to find an application that makes the tedious Lotus notes NSF forensics investigation an easy task. As it is very important to give out instant results to catch the culprit. So, for that my team members along with me, researched and found a solution to analyze the NSF file format.
Convert NSF to PST File: The Whys & Wherefores?
During our research process, we analyzed that, there is another email client that works quite similar to Lotus Notes. The email client is Microsoft Outlook and it uses a file called PST (Personal Storage Table) which is quite simple to analyze as compared to the NSF format database. The PST is a format for Outlook to store the contents of a particular user account. All the versions of Microsoft Outlook support PST format. We can simply use an external exporter to migrate NSF file to PST format. There are various tools available that perform the migration. But only a few guarantee a successful conversion. We used a few tools and came up with an idea that really helped in Lotus Notes forensics, i.e. the Lotus Notes to Outlook Converter.
The software not only migrate Lotus Notes to Outlook, but has various advanced level features that are useful for Lotus Notes forensics, all these features are listed below:
Migrate all NSF Items Successfully:
The software is well capable to migrate all the items in the NSF database folder to PST format which includes emails, contacts, calendars, journals, tasks, & notes. It exports all the items successfully to outlook PST format with all the original details and structure of the folders.
Using this Advanced level filtering, the Lotus Notes Forensics become easier and quicker to find suspected files. on the basis of date, it can filter by setting To and From, by checking or unchecking the Exclude Deleted Items option deleted folders can be excluded or included for the investigation.
- Advance Level Setting: Using Advanced level features you can get information about internet header, NSF encryption file type, information in HTML format & Rich Text Format. All such information is very helpful for a fornicator.
- Attachments & Meta properties: There is a different option to analyze attachments of respective files. Attachments like PDF files, Document files, Audio, Video, Images, etc. Can be viewed for performing Lotus Notes Forensics after NSF to PST conversion. It can analyse the Meta properties of files using this application.
We recommend using this tool for those who are facing inconvenience in performing Lotus Notes NSF Forensics. The simple way is to use Lotus Notes to Outlook Converter and search out the hidden evidence of suspected files. Various government agencies trust this tool with the best results. Also, the utility has helped us to put the culprit behind the bars. Which makes it all the more relevant in terms of using it.