Lotus Note Forensic

Posted on 2007-07-23
Medium Priority
Last Modified: 2013-12-18
Recently my local email database in Lotus Notes (.nsf file) was opened by other people without my notice.
All my mailbox was exposed to him.

But the problem is, I don't know who this culprit is.

I am wondering, is there any forensic method I can use, for example, to trace which IP address opened my .nsf file, or from which workspace my mailbox database was opened?

Please guide me, I really want to find out this culprit.

Thank you.
Question by:ipoh1977
LVL 20

Accepted Solution

brwwiggins earned 200 total points
ID: 19548520
You can try looking at the activity log by going to File->Database->Properties....2nd tab and then click on the user detail button.

However this is a very basic log and will not tell you much. There will be a lot of entries for the servers and yourself in this log. There is not a default way to capture IP address of every user that opens a DB that I know of.
LVL 46

Assisted Solution

by:Sjef Bosman
Sjef Bosman earned 400 total points
ID: 19548647
Hello ipoh1977,

If you have access to the server's log.nsf database, you can find some history there (providing the mail database is on a server), both in the Miscellaneous and the Usage/By Database sections.

Another piece of advice: close your database to the "culprits" (other words less sympathetic come to mind...).
In your mail, click on Tools, Preferences, select the Access and Delegation tab, and set it as you want. If you are NOT allowed to change the settings, ask here again what to do. Probably it would then be best to ask an Administrator (if you're not him).

LVL 63

Assisted Solution

SysExpert earned 200 total points
ID: 19549077
You mention your Local Mail box.

If this is on your local machine and not on the server, then you have no way of knowing who accessed it, since they were probably using your ID, if the machine was not locked.

If this is not the case, please provide more information.

I hope this helps !

LVL 31

Assisted Solution

qwaletee earned 200 total points
ID: 19550152
1) Something led you to think that this was so.  How did you know?

2) Do you think your ID was "stolen" and someone is actively using another copy of your ID? Then you've got bigger problems... they could still be doing it, on the same server or other servers, your mail or other databases.  Not a good thing.  Get your admin to turn on password checking in your directory entry, so that the server, not just the client, verifies your password.

3) If someone else has access using a different ID, it will show up in all sorts of logs as a different user name.  Otherwise, there is NO CENTRAL INFORMATION logged about addresses, under normal circumstances.  If you have Log_Connections=1, then each connection will log its IP address to the console, but you would have to scan those logs to see who connected with your user ID with an unexpected address (which is very complicated if you use DHCP or a VPN).

4) If you think someone is CURRENTLY looking at your file, the server console command SHOW USERS DEBUG will show a list of users, their IP addresses, and the databases you have open.  If you see your name with someone else's IP address, you've found a suspect.  If you see someone else's name with your mail databases, you've found a suspect.
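As an added example (not from any of the posters, and not IBM's own log format), here is a small scanner for the approach in point 3: given Domino console log lines, list sessions opened under your user name from addresses outside the ones you expect, plus anyone other than you recorded opening your mail file. The line format, the sample entries and the names in them are constructed assumptions; adjust the regexes to what your Domino version actually writes with Log_Connections=1.

```python
import re

# Constructed sample console lines. The layout is an assumption for this
# example, not IBM's documented Log_Connections output.
SAMPLE_LOG = """\
07/23/2007 09:02:11 AM  Opened session for ipoh1977/ACME (Release 7.0.2) from 10.1.5.23
07/23/2007 09:15:40 AM  Opened session for alice/ACME (Release 7.0.2) from 10.1.5.40
07/23/2007 01:47:05 PM  Opened session for ipoh1977/ACME (Release 7.0.2) from 192.168.77.9
07/23/2007 01:47:06 PM  Database mail/ipoh1977.nsf opened by alice/ACME
07/23/2007 02:01:00 PM  Opened session for ipoh1977/ACME (Release 7.0.2) from 10.1.5.23
"""

# Session line: timestamp, "Opened session for <user> ... from <ip>"
SESSION_RE = re.compile(
    r"^(?P<ts>\S+ \S+ [AP]M)\s+Opened session for (?P<user>\S+) .*? from "
    r"(?P<ip>\d+\.\d+\.\d+\.\d+)$"
)
# Database-open line: timestamp, "Database <path> opened by <user>"
DB_RE = re.compile(r"^(?P<ts>\S+ \S+ [AP]M)\s+Database (?P<db>\S+) opened by (?P<user>\S+)$")


def find_suspect_sessions(lines, user, expected_ips):
    """Sessions opened under `user` from an address not in `expected_ips`."""
    hits = []
    for line in lines:
        m = SESSION_RE.match(line.rstrip())
        if m and m["user"] == user and m["ip"] not in expected_ips:
            hits.append({"ts": m["ts"], "ip": m["ip"]})
    return hits


def find_foreign_openers(lines, db, owner):
    """Anyone other than `owner` recorded opening the database `db`."""
    hits = []
    for line in lines:
        m = DB_RE.match(line.rstrip())
        if m and m["db"] == db and m["user"] != owner:
            hits.append({"ts": m["ts"], "user": m["user"]})
    return hits


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    # Known workstation address for the mailbox owner (constructed value).
    for h in find_suspect_sessions(lines, "ipoh1977/ACME", {"10.1.5.23"}):
        print("owner ID used from unexpected address:", h)
    for h in find_foreign_openers(lines, "mail/ipoh1977.nsf", "ipoh1977/ACME"):
        print("mail file opened by someone else:", h)
```

As the post notes, DHCP or VPN address churn means an "unexpected" address is a lead to check against lease or VPN records, not proof on its own.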

Author Comment

ID: 19554012
Dear all, thanks for your comments and I seriously appreciate it.

The actual situation (sorry I didn't explain clearly) is that I am the administrator for the Lotus Notes mail server. My email was exposed to a culprit who is able to read all my email, and I have yet to find out who.

I am not sure how he got to copy out the .nsf file, but I am sure (as it is the more likely chance) he downloaded it from the Lotus Notes server. My local machine will never be left unlocked.

Thus, I wish to know:
1. If he downloaded it from the server, can I know or trace, with the current Lotus Notes default settings, when he copied or downloaded the database?
2. Since he already copied my .nsf file from the server, can he still constantly read my latest email?

LVL 46

Assisted Solution

by:Sjef Bosman
Sjef Bosman earned 400 total points
ID: 19554471
You didn't answer our questions. We need more information about the how and why. Without it, there is no way to indicate how to proceed. First, you study the scene, you collect evidence, then you investigate and only then you know what happened, in order to prevent or punish. We're left in the dark a little, so we cannot possibly answer your latest questions...

Let's discuss the download first. With "download" you mean: obtained the file from the server? Strictly speaking a "download" using a browser is not possible, there is no Domino command to download an entire database file (unless it is an attachment). So that person must have had access to the server in some other way, either physical or via the network. I assume the server's folders aren't shared over the network and the data folders have restricted access (no ordinary user needs to read those folders). Therefore, we can rule network access out.

Now about physical access to the server (hardware). Anyone who can access the server with an Admin password is "in". He can do anything he likes. No one can trace that. Could this have happened?

Then, Notes access to the Domino server. There are two types of access: client access and Admin access. Using the (remote) server console to create a replica or copy of the database is not possible. Any other client access to a mail database would require a leaky ACL or Full Admin rights. What is (was) your ACL, who could have opened your mail database? Is the database accessed via Notes or using a browser? If it's most likely a browser, is there a user Anonymous in your ACL, set to No access? By the way, which version of Domino are we talking about?

Then about "constantly reading your email". If he has a copy of your database, AND he has a Notes client, AND he has sufficient rights to the mail database, AND Enforce consistent ACL is not activated, AND your database is not encrypted, then he can read your mails. But, new mails never arrive in that database, unless he replicates with the server. And THAT is traceable. See the log.nsf database, Usage/By database.

So, please, if you have the complete story for us, we won't have to give half answers to half questions...
LVL 31

Expert Comment

ID: 19570342
Again, this all comes down to "did he access it with your Notes ID," with another Notes ID... or without Notes.  And you can't even tell us what makes you think someone has your mail.

With your Notes ID: you can lock him out for the future by enabling server password checking in your own Person document.

With another Notes ID: you can lock him out for the future by making sure your mail file ACL is tight.  It should have default=NO Access, you as person manager, your mail server(s) as server manager, and NO OTHER ENTRIES.

Without Notes: That implies file-level access, either via physical server access, remote console access, network share, or possibly some backdoor software you have on your server.  Securing this is similar to securing any application server.  Limit shares and limit access to whatever shares are needed; limit remote access; limit physical server access and always log out or lock the console when you leave it.
