Lotus Note Forensic

Posted on 2007-07-23
Last Modified: 2013-12-18
Recently my local email database in Lotus Notes (.nsf file) was opened by other people without my notice.
All my mailbox was exposed to him.

But the problem is, I don't know who this culprit is.

I am wondering, is there any forensic method I can use, for example, to trace which IP address opened my .nsf file or from which workspace my mailbox database was opened?

Please guide me, I really want to find out this culprit.

Thank you.
Question by:ipoh1977
    LVL 20

    Accepted Solution

    You can try looking at the activity log by going to File->Database->Properties..., 2nd tab, and then clicking on the User Detail button.

    However this is a very basic log and will not tell you much. There will be a lot of entries for the servers and yourself in this log. There is no default way to capture the IP address of every user that opens a DB that I know of.
    LVL 46

    Assisted Solution

    by:Sjef Bosman
    Hello ipoh1977,

    If you have access to the server's log.nsf database, you can find some history there (providing the mail database is on a server), both in the Miscellaneous and the Usage/By Database sections.

    Another piece of advice: close your database to the "culprits" (other words less sympathetic come to mind...).
    In your mail, click on Tools, Preferences, select the Access and Delegation tab, and set it as you want. If you are NOT allowed to change the settings, ask here again what to do. Probably it would then be best to ask an Administrator (if you're not him).

    LVL 63

    Assisted Solution

    You mention your Local Mail box.

    If this is on your local machine and not on the server, then you have no way of knowing who accessed it, since they were probably using your ID, if the machine was not locked.

    If this is not the case, please provide more information.

    I hope this helps !
    LVL 31

    Assisted Solution

    1) Something led you to think that this was so.  How did you know?

    2) Do you think your ID was "stolen" and someone is actively using another copy of your ID? Then you've got bigger problems... they could still be doing it, on the same server or other servers, your mail or other databases. Not a good thing. Get your admin to turn on password checking in your directory entry, so that the server, not just the client, verifies your password.

    3) If someone else has access using a different ID, it will show up in all sorts of logs as a different user name.  Otherwise, there is NO CENTRAL INFORMATION logged about addresses, under normal circumstances.  If you have Log_Connections=1, then each connection will log its IP address to the console, but you would have to scan those logs to see who connected with your user ID with an unexpected address (which is very complicated if you use DHCP or a VPN).

    4) If you think someone is CURRENTLY looking at your file, the server console command SHOW USERS DEBUG will show a list of users, their IP addresses, and the databases you have open.  If you see your name with someone else's IP address, you've found a suspect.  If you see someone else's name with your mail databases, you've found a suspect.
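    To illustrate the log-scanning step described in point 3 above (an added example, not code from the thread or from IBM/HCL): the script below parses constructed console log lines in an assumed format, groups session opens by user and source IP, and flags sessions for a given user from addresses outside a known set. The line format, user names and addresses are all constructed assumptions; adjust the regex to what your Domino version actually writes with Log_Connections=1.

```python
import re
from collections import defaultdict

# Constructed sample console log lines in an ASSUMED layout; the real
# Log_Connections output of your Domino release may differ.
SAMPLE_LOG = """\
07/23/2007 08:02:11 AM  Opened session for ipoh1977/ACME (Release 7.0.2) from 10.1.2.30
07/23/2007 08:40:55 AM  Opened session for Bob Smith/ACME (Release 7.0.2) from 10.1.2.41
07/23/2007 09:15:03 AM  Opened session for ipoh1977/ACME (Release 7.0.2) from 10.7.9.200
07/23/2007 09:15:08 AM  Database opened: mail\\ipoh1977.nsf by ipoh1977/ACME
07/23/2007 11:20:40 AM  Opened session for ipoh1977/ACME (Release 7.0.2) from 10.1.2.30
"""

# Assumed line shape: "<timestamp>  Opened session for <user> (Release x) from <ip>"
SESSION_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M)\s+"
    r"Opened session for (?P<user>[^(]+?) \(Release [^)]+\) from (?P<ip>[\d.]+)$"
)


def parse_sessions(text):
    """Return a list of (timestamp, user, ip) for every session-open line."""
    sessions = []
    for line in text.splitlines():
        m = SESSION_RE.match(line.strip())
        if m:
            sessions.append((m["ts"], m["user"].strip(), m["ip"]))
    return sessions


def ips_by_user(sessions):
    """Map each user name to the set of source addresses seen for it."""
    out = defaultdict(set)
    for _, user, ip in sessions:
        out[user].add(ip)
    return dict(out)


def unexpected_sessions(sessions, user, known_ips):
    """Sessions for `user` from an address not in `known_ips`.

    Caveat from the thread: with DHCP or a VPN the "known" set changes,
    so a hit is a lead to investigate, not proof of misuse on its own.
    """
    return [s for s in sessions if s[1] == user and s[2] not in known_ips]


if __name__ == "__main__":
    found = parse_sessions(SAMPLE_LOG)
    for ts, user, ip in unexpected_sessions(found, "ipoh1977/ACME", {"10.1.2.30"}):
        print(f"{ts}: {user} connected from unexpected address {ip}")
```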

    Author Comment

    Dear all, thanks for your comments and I seriously appreciate it.

    The actual situation (sorry I didn't explain clearly) is that I am the administrator for the Lotus Notes mail server. My email was exposed to a culprit who is able to read all my email, and whom I have yet to find out.

    I am not sure how he got to copy out the .nsf file, but I am sure (as it's the most likely) that he downloaded it from the Lotus Notes Server. My local machine will never be left unlocked.

    Thus, I wish to know:
    1. If he downloaded it from the server, can I know or trace, with the current Lotus Notes default settings, when he copied or downloaded the database?
    2. Since he already copied my .nsf file from the server, can he still constantly read my latest email?

    LVL 46

    Assisted Solution

    by:Sjef Bosman
    You didn't answer our questions. We need more information about the how and why. Without it, there is no way to indicate how to proceed. First, you study the scene, you collect evidence, then you investigate and only then you know what happened, in order to prevent or punish. We're left in the dark a little, so we cannot possibly answer your latest questions...

    Let's discuss the download first. With "download" you mean: obtained the file from the server? Strictly speaking a "download" using a browser is not possible, there is no Domino command to download an entire database file (unless it is an attachment). So that person must have had access to the server in some other way, either physical or via the network. I assume the server's folders aren't shared over the network and the data folders have restricted access (no ordinary user needs to read those folders). Therefore, we can rule network access out.

    Now about physical access to the server (hardware). Anyone who can access the server with an Admin password is "in". He can do anything he likes. No one can trace that. Could this have happened?

    Then, Notes access to the Domino server. There are two types of access: client access and Admin access. Using the (remote) server console to create a replica or copy of the database is not possible. Any other client access to a mail database would require a leaky ACL or Full Admin rights. What is (was) your ACL, who could have opened your mail database? Is the database accessed via Notes or using a browser? If it's most likely a browser, is there a user Anonymous in your ACL, set to No access? By the way, which version of Domino are we talking about?

    Then about "constantly reading your email". If he has a copy of your database, AND he has a Notes client, AND he has sufficient rights to the mail database, AND Enforce consistent ACL is not activated, AND your database is not encrypted, then he can read your mails. But, new mails never arrive in that database, unless he replicates with the server. And THAT is traceable. See the log.nsf database, Usage/By database.

    So, please, if you have the complete story for us, we won't have to give half answers to half questions...
    LVL 31

    Expert Comment

    Again, this all comes down to "did he access it with your Notes ID," with another Notes ID... or without Notes. And you can't even tell us what makes you think someone has your mail.

    With your Notes ID: you can lock him out for the future by enabling server password checking in your own Person document.

    With another Notes ID: you can lock him out for the future by making sure your mail file ACL is tight.  It should have default=NO Access, you as person manager, your mail server(s) as server manager, and NO OTHER ENTRIES.

    Without Notes: That implies file-level access, either via physical server access, remote console access, network share, or possibly some backdoor software you have on your server. Securing this is similar to securing any application server. Limit shares and limit access to whatever shares are needed; limit remote access; limit physical server access and always log out or lock the console when you leave it.
