Lotus Notes NSF File Forensics- A Search of Evidence

Creative Team | June 20th, 2016 | Forensics
Nowadays, connectivity has boomed with the technology revolution in exchanging information, communication, and electronic media storage. The world that appears too large has minimized to a level, where users get multiple benefits through business connectivity, industrial as well as personal level. However, the technology fails to keep itself immune from cybercrime activities, which have taken advantage of this info age. There are many side effects of this immense technology as many crimes have started showing its existence.


Email clients are one of the most common ways of communication. It is turning out to be hugely involved in cybercriminal activities resulting in playing an important source of information for forensic investigation. This blog will focus on the techniques and challenges faced by investigation teams, while performing forensics analysis of one of the most powerful and secure desktop email platforms; IBM Notes.

Analysis on Lotus Notes NSF File

Email applications are becoming a weapon for offenders to commit frauds. One such email client is Lotus Notes, which is used in organizations. It uses .nsf file format to store its emails, bookmarks, notebooks, contacts, etc.


NOTE: NSF file format can be encrypted. The encryption is applicable both on file and email level, which sometimes emerges as a challenge during the investigation. It stores all the .nsf file data under:


  • Indexed Storage: The database of Lotus Notes is completed up with all documents, chat history, archived data, message folders, etc., which are examined forensically to examine to require the artifacts. All this data is saved into username.nsf file. All the calendar’s entry and To-Do’s list is also saved in same file.
  • Contacts Storage: Contacts are the also an important part of messaging environment. In Lotus Notes, the address book saves its contacts into .nsf file. It can be stored into readable format, i.e. vCard (VCF) or CSV for analyzing as well as investigation purpose.
  • Notebook: There is another important element, i.e. notebook, which can help in forensic investigation. It includes personal information and documents. It describes the priority documents of custodian.
  • IBM Sametime: While working on Notes and Domino environment, many users get a protected platform for messaging, i.e. Sametime. It provides a mode to communicate with other users, which is a kind of replacement of email and phone calls. It is a quick chat, which is between two users or between groups of various users. The history of chat is stored automatically or as specified by the user. This record can be utilized in Lotus Notes NSF forensics, as it is stored into mail files, i.e. transcript, locally on the system, etc.

Requirement for Lotus Notes NSF File Forensics

Lotus Notes is a desktop-based email application, which is used on the organizational level mainly. At organizational level, there are various surface involving to cybercriminal acts because of competency and connection of highly confidential information. Thus, eventually forensic sciences have to intervene and play their part to investigate the compromise of such crucial business information. Many challenges are faced by the investigators while investigating the NSF file as discussed.


  • File Encryption: NSF file is encrypted because of which there is a difficulty in investigation.
  • Encrypted Password: Sometimes, the account is password protected and user id file has to be browsed for login because without any id file, user cannot utilize the database of that particular account.
  • Access to ACL: It creates a problem at time of investigation, if the investigator is not having the user key. User key is the authority that admin holds to manage ACL (Access Control List) as per the needs.
Many security complexities create a hurdle during the analysis. To make the Lotus Notes NSF File investigation a result-oriented task, users can utilize software named as MailXaminer. It is an easy to use application to carve out the necessary evidence and helps to perform the investigation properly. It can proficiently analyze the data of desktop as well as web-based email applications.


Lotus Notes NSF File Forensics is a combined way investigating the crime involving the respective application. To make the investigation more easily executable and carried out with proper accuracy, there is MailXaminer which is an email forensics tool that can be utilized.