Triaging IBM Notes NSF Archives: A Forensic Examiner Workflow With Sherlock NSF Viewer

Encountering an IBM Notes NSF archive during a forensic investigation is more common than most examiners expect in 2026. Canadian Federal Government departments, the legal sector and large insurance carriers still operate long-tail IBM Notes deployments. This Sherlock Forensics Tool Guide walks through the end-to-end forensic triage workflow for an NSF archive using Sherlock NSF Viewer.

The short answer is a five-step workflow: acquire the NSF file from the source device; hash it and document chain of custody; open the working copy with Sherlock NSF Viewer (no IBM Notes client required); filter messages by sender, date or subject; export to PST, MSG or EML for downstream review. Total workflow time is approximately 45 minutes for a typical mid-size archive.

Why NSF Forensic Triage Still Matters in 2026

IBM Notes (formerly Lotus Notes) is no longer a dominant mail platform in private-sector enterprise but the long tail is real. Canadian Federal Government departments retain Notes for legacy workflow applications. Provincial government tier-3 agencies still run Notes for mail. Large legal practice management systems carry Notes calendar plus contact integrations. Insurance carriers running on IBM hardware stacks often have Notes mail archives going back 15 years.

For forensic investigators the practical consequence is that NSF archives turn up in investigations more often than examiners expect. The first NSF archive in any investigation always raises the same question: can the examiner read the file without standing up an IBM Notes client and a Domino server? With Sherlock NSF Viewer the answer is yes: neither prerequisite is needed. The tool reads the NSF format directly and extracts the content needed for forensic review without any IBM-side dependencies.

Step 1: Acquire the NSF File

Forensic acquisition of an NSF archive follows the standard rules: image the source device when possible, extract the file when full device imaging is not justified, and document the acquisition step in the case log. NSF files on Windows live at %LOCALAPPDATA%/IBM/Notes/Data/ or C:/Program Files/IBM/Notes/Data/ depending on the install profile. On macOS the location is ~/Library/Application Support/IBM Notes Data/. Server-side Domino archives live under the Domino data directory, which is operator-configured.

The NSF file extension is .nsf. File size varies from a few megabytes for a small personal archive to multiple gigabytes for an active enterprise mailbox with 10+ years of history. NSF files are locked by the IBM Notes client while it is running, so acquisition happens either with the client closed or through forensic acquisition tools that bypass file locks. The Sherlock Disk Imager handles the lock-bypass path on Windows systems.

Step 2: Hash plus Chain of Custody

Compute the SHA-256 hash of the source NSF file before any analysis. Record the hash, the acquisition timestamp (UTC and local), the source device identifier, the examiner identity and the case number in the chain of custody log. Document the working-copy hash separately if you are operating on a copy rather than the original. The Sherlock hash verifier produces a signed acquisition record suitable for litigation submission.
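The record described above can be sketched in a few lines of Python. This is an added example, not the Sherlock hash verifier and not code from Sherlock Forensics: it produces an unsigned record, the field names are assumptions, and the device, examiner and case values are placeholders. The demo runs against a constructed stand-in file rather than a real NSF archive.

```python
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone

def sha256_file(path, chunk_size=1024 * 1024):
    """Stream the file so a multi-gigabyte archive is never held in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def custody_record(source, working_copy, device_id, examiner, case_number):
    """Build one chain-of-custody entry covering the source and the working copy."""
    now = datetime.now(timezone.utc)  # taken when the record is created
    source_hash = sha256_file(source)
    working_hash = sha256_file(working_copy)
    return {
        "case_number": case_number,
        "examiner": examiner,
        "source_device": device_id,
        "timestamp_utc": now.isoformat(),
        "timestamp_local": now.astimezone().isoformat(),
        "source_file": os.path.basename(source),
        "source_size_bytes": os.path.getsize(source),
        "source_sha256": source_hash,
        "working_copy_sha256": working_hash,
        "working_copy_matches_source": source_hash == working_hash,
    }

def demo():
    """Run against a constructed stand-in file (not a real NSF archive)."""
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "sample.nsf")
        working = os.path.join(tmp, "sample_working.nsf")
        with open(source, "wb") as fh:
            fh.write(b"constructed sample bytes" * 1000)
        shutil.copyfile(source, working)
        args = (source, working, "DEVICE-ID-PLACEHOLDER", "EXAMINER-PLACEHOLDER", "CASE-PLACEHOLDER")
        clean = custody_record(*args)
        with open(working, "ab") as fh:  # simulate an altered working copy
            fh.write(b"\x00")
        altered = custody_record(*args)
    return clean, altered

if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Re-running the record against the working copy at the end of the examination shows whether analysis altered it: the second record in the demo reports a mismatch after a single appended byte.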

For investigations heading toward Canadian civil or criminal court the chain of custody documentation needs to satisfy the evidentiary standards in the relevant jurisdiction. The Canada Evidence Act plus the provincial evidence acts have specific requirements for digital evidence authentication. The Sherlock methodology produces documentation that meets those requirements out of the box; the examiner does not need to reverse-engineer the chain of custody after the fact.

Step 3: Open With Sherlock NSF Viewer

Open the working copy of the NSF file in Sherlock NSF Viewer. The tool launches without requiring an IBM Notes client installation or any Domino server connection. The first-load operation parses the NSF internal structure (folders, messages, attachments, calendar items, contacts, tasks) and produces the folder tree in the left navigation pane. For a typical 2 GB archive the first-load operation completes in under 60 seconds on modern forensic hardware.

The folder tree shows the original Notes folder structure plus any nested sub-folders. The message list pane shows per-folder messages with sender, date, subject plus attachment indicator columns. The preview pane shows the rendered message body with full header detail available through a toggle. The Sherlock NSF Viewer renders Notes-format rich text, embedded images plus inline attachments without requiring the IBM Notes rendering engine.

Step 4: Extract Messages by Filter

Apply sender, recipient, date range or subject keyword filters to narrow the message set to the items in scope for the investigation. Sherlock NSF Viewer supports compound filters across multiple fields with boolean logic. For example: sender contains domain example.com AND date between 2024-01-01 and 2024-03-31 AND subject keyword contains acquisition. The filter pane shows the matching message count in real time as filter criteria are entered.

For large archives the filter step is the workflow component that delivers most of the value. A 20 GB archive may contain 200,000 messages; the in-scope subset for a specific investigation might be 200 messages. The filter reduces the review burden by three orders of magnitude. The exported filter set carries the same metadata and authentication chain as the full archive and is documented in the case log as a derived working set.
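Once the filtered set has been exported to EML (Step 5), the same compound criteria can be re-applied to the exported headers as an independent check that every item is in scope. The following is an added example, not Sherlock NSF Viewer's filter logic; the sample messages are constructed, and it assumes the date range is interpreted in UTC and that "contains domain" means the exact domain or one of its subdomains.

```python
from datetime import datetime, timezone
from email import message_from_string, policy
from email.utils import parseaddr, parsedate_to_datetime

def in_scope(raw_eml, domain, start_utc, end_utc, keyword):
    """True when sender domain, sent date and subject keyword all match."""
    msg = message_from_string(raw_eml, policy=policy.default)
    sender_domain = parseaddr(str(msg.get("From", "")))[1].lower().rpartition("@")[2]
    # Exact domain or subdomain only, so look-alikes such as notexample.com fail.
    domain = domain.lower()
    if sender_domain != domain and not sender_domain.endswith("." + domain):
        return False
    try:
        sent = parsedate_to_datetime(str(msg.get("Date", "")))
    except (TypeError, ValueError):
        return False  # missing or unparseable Date header: review manually
    if sent.tzinfo is None:
        sent = sent.replace(tzinfo=timezone.utc)  # assumption: naive dates are UTC
    if not (start_utc <= sent.astimezone(timezone.utc) < end_utc):
        return False
    return keyword.lower() in str(msg.get("Subject", "")).lower()

# Constructed sample messages (not from any real archive).
SAMPLES = {
    "msg1.eml": 'From: "A. Sender" <a.sender@example.com>\n'
                "Date: Mon, 15 Jan 2024 10:00:00 -0500\n"
                "Subject: Re: Acquisition timeline\n\nbody\n",
    "msg2.eml": "From: b@notexample.com\n"
                "Date: Tue, 16 Jan 2024 09:00:00 +0000\n"
                "Subject: acquisition update\n\nbody\n",
    "msg3.eml": "From: c@example.com\n"
                "Date: Sun, 31 Mar 2024 22:30:00 -0500\n"  # 2024-04-01 03:30 UTC
                "Subject: acquisition closing\n\nbody\n",
    "msg4.eml": "From: d@mail.example.com\n"
                "Date: Fri, 02 Feb 2024 12:00:00 +0000\n"
                "Subject: Lunch on Friday\n\nbody\n",
}

def select(samples=SAMPLES):
    start = datetime(2024, 1, 1, tzinfo=timezone.utc)
    end = datetime(2024, 4, 1, tzinfo=timezone.utc)  # exclusive; covers all of 2024-03-31 UTC
    return sorted(name for name, raw in samples.items()
                  if in_scope(raw, "example.com", start, end, "acquisition"))

if __name__ == "__main__":
    print(select())
```

The third sample shows why the time zone of the date boundary belongs in the case log: a message sent late on 31 March in UTC-5 falls on 1 April in UTC and drops out of scope.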

Step 5: Export to PST, MSG or EML

Export the relevant messages to the format that downstream review tooling expects. PST is the standard target for Outlook desktop ingest plus Relativity case management. MSG is the standard target for native individual message review. EML is the standard target for cross-platform review tooling plus open-source forensic stacks. The export step preserves original headers, sent dates, recipients, attachment binaries plus inline content with hash verification per message.

For Canadian civil litigation the most common downstream format is PST because most Canadian legal review platforms ingest PST natively. For US ediscovery cases the most common target is EML for platform-agnostic ingest. For native message review the target is MSG. The Sherlock NSF Viewer handles all three exports from the same filtered working set without re-acquisition.

Where the Tool Guide Connects to Sherlock Engagement Work

The NSF triage workflow above is the core methodology Sherlock Forensics applies on every NSF-bearing case. For organizations with internal forensic capability the Sherlock NSF Viewer storefront documents pricing plus licensing. For organizations needing external incident response or litigation support, the Sherlock engagement model includes NSF acquisition plus review as part of the standard mail-archive forensic scope. The methodology stays the same regardless of who runs the tooling.