Oh no, it's GroupWise!

GroupWise server disasters - by David Cowen - Hacking Exposed Computer Forensics Blog

Hi there Reader,

For many years, when I talked to a client about their network environment, my words on hearing the name of their mail server would be 'Oh no, it's GroupWise!' Not anymore!

It used to be that, in order to get at the email data held on a GroupWise server (as opposed to the individual user archives), you would have to set up a GroupWise server and then bring in the existing database, as you would in a disaster recovery scenario.

You see, GroupWise suffers from three principal problems that made it hard to deal with:

1) Not as popular as other mail servers: this meant that fewer forensic tool vendors were in a rush to support it.

2) Encrypted mail storage on the server by default: this meant you couldn't just try to decode the binary structure.

3) Dispersed data structure: user settings are stored in one directory of databases, messages smaller than 2k are stored in another directory of databases, and messages and attachments over 2k in size are stored as separate files in yet a third directory.

All of these combined made it a real pain to deal with and a frequent way to make fellow examiners shudder when you brought it up.

That has changed since Paraben's Network Email Examiner (http://www.paraben.com/network-email-examiner.html) started supporting GroupWise. You can now take an offline GroupWise database, and NEMX will open it and export PSTs from it so the rest of your tools can deal with it.

So if you've never dealt with GroupWise before, this is what you need to know:

1. Look for a directory containing the file NWGUARD.DB; this is the root of your GroupWise mail server. NWGUARD.DB, WPDOMAIN.DB and WPHOST.DB are your keys to the kingdom. Using these files, NEMX is able to access the encrypted messages and pointers across the three databases.

2. Make sure the following three directories exist underneath it:

   a) ofuser - this database stores user preferences, profiles and message headers.

   b) offiles - this directory stores the messages and/or attachments greater than 2k in size in separate files.

   c) ofmsg - this database keeps the message bodies for messages and/or attachments less than 2k in size.

3. Copy the parent directory in which you found NWGUARD.DB, along with the three underlying directories, out of the image and load it in NEMX.

4. Export the PSTs and smile, knowing that life is much easier now.
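Steps 1 and 2 are easy to get wrong when a store has been copied off a NetWare or Windows volume onto a case-sensitive filesystem, or when an image holds more than one post office (a live one and a stale backup, say). The script below is an added example, not code from the post or from Paraben; it walks a directory tree, treats every directory holding NWGUARD.DB as a candidate root, and reports which of the key files (NWGUARD.DB, WPDOMAIN.DB, WPHOST.DB) and directories (ofuser, offiles, ofmsg) named above are present. Name matching is case-insensitive on purpose. The sample tree it builds is constructed for the demo; the files are empty placeholders, not real GroupWise databases.

```python
import os
import tempfile
from pathlib import Path

# Files and directories the post names as the markers of a GroupWise post office.
KEY_FILES = ("NWGUARD.DB", "WPDOMAIN.DB", "WPHOST.DB")
KEY_DIRS = ("ofuser", "offiles", "ofmsg")


def find_groupwise_roots(base):
    """Return every directory under *base* that contains NWGUARD.DB.

    Matching is case-insensitive: stores copied off NetWare/Windows volumes
    do not preserve file-name case reliably.
    """
    roots = []
    for dirpath, _dirnames, filenames in os.walk(base):
        if any(f.upper() == "NWGUARD.DB" for f in filenames):
            roots.append(Path(dirpath))
    return sorted(roots)


def check_post_office(root):
    """Report which key files and directories are present directly under *root*."""
    root = Path(root)
    entries = {e.name.lower(): e for e in root.iterdir()}
    report = {}
    for name in KEY_FILES:
        entry = entries.get(name.lower())
        report[name] = entry is not None and entry.is_file()
    for name in KEY_DIRS:
        entry = entries.get(name.lower())
        report[name] = entry is not None and entry.is_dir()
    report["complete"] = all(report[n] for n in KEY_FILES + KEY_DIRS)
    return report


def build_sample_tree(base):
    """Constructed sample layout: one complete post office and one incomplete copy."""
    good = Path(base) / "vol1" / "mail" / "po1"
    good.mkdir(parents=True)
    for name in KEY_FILES:
        (good / name).write_bytes(b"\x00")  # placeholder bytes, not a real database
    for name in KEY_DIRS:
        (good / name).mkdir()
    bad = Path(base) / "vol1" / "backup" / "po_old"
    bad.mkdir(parents=True)
    (bad / "nwguard.db").write_bytes(b"\x00")  # lower-case name; domain/host DBs absent
    (bad / "OFUSER").mkdir()                   # upper-case name; ofmsg absent
    (bad / "offiles").mkdir()
    return good, bad


def run_demo():
    """Build the constructed tree in a temp dir and return both reports."""
    with tempfile.TemporaryDirectory() as tmp:
        good, bad = build_sample_tree(tmp)
        roots = find_groupwise_roots(tmp)
        return {
            "roots_found": len(roots),
            "good": check_post_office(good),
            "bad": check_post_office(bad),
        }


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for root in find_groupwise_roots(tmp):
            rep = check_post_office(root)
            missing = [k for k in KEY_FILES + KEY_DIRS if not rep[k]]
            status = "complete" if rep["complete"] else "missing " + ", ".join(missing)
            print(f"{root}: {status}")
```

Point it at the mounted image (or at the directory you copied out) instead of the temp tree; a root reported as incomplete is one NEMX will not be able to fully resolve, and a second root is worth documenting before you decide which one to export from.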

One of the options to understand in NEMX is whether to populate a message's date fields the way Outlook expects them or to leave them as GroupWise originally stored them.

I'll explain. GroupWise stores either the sent date or the received date of a message, depending on whether the user sent or received it. Outlook will populate the other field with the same date as the one that was populated.

So if you choose to produce it as it was originally stored, some vendors and/or products will complain that there are null dates, and some products will fill in a false date to normalize the data. It's important to be aware of this and to ask those who will ultimately review and produce the data how they want it handled.
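Whichever way the reviewers decide, the examiner's problem is keeping track of which timestamps are original and which were filled in. The following is an added example, not code from the post or from NEMX, of how to model that decision: it takes constructed records in the one-date-per-message shape described above (an assumption about the stored form, simplified for the demo), produces the export either as stored or Outlook-style with a provenance flag naming the synthesized field, and includes a check that flags rows whose sent and received dates are identical, the usual sign that some tool has already normalized the data.

```python
from datetime import datetime

# Constructed sample records: one populated date per message, keyed by whether
# the mailbox owner sent or received it (simplified model of the stored form).
SAMPLE_RECORDS = [
    {"id": "m1", "direction": "sent", "date": datetime(2010, 3, 1, 9, 15)},
    {"id": "m2", "direction": "received", "date": datetime(2010, 3, 1, 10, 40)},
    {"id": "m3", "direction": "received", "date": datetime(2010, 3, 2, 8, 5)},
]


def export_record(rec, outlook_style):
    """Produce one export row from a stored record.

    outlook_style=False leaves the other date as None, exactly as stored.
    outlook_style=True copies the stored date into the empty field (what
    Outlook does) and records which field was synthesized, so a reviewer can
    still tell an original timestamp from a filled-in one.
    """
    sent = rec["date"] if rec["direction"] == "sent" else None
    received = rec["date"] if rec["direction"] == "received" else None
    synthesized = None
    if outlook_style:
        if sent is None:
            sent, synthesized = received, "sent"
        elif received is None:
            received, synthesized = sent, "received"
    return {"id": rec["id"], "sent": sent, "received": received,
            "synthesized_field": synthesized}


def export_all(records, outlook_style):
    """Export every record under one policy."""
    return [export_record(r, outlook_style) for r in records]


def suspected_normalized(rows):
    """Return ids of rows whose sent and received dates are identical.

    An exact match is the fingerprint of a tool that filled the empty field;
    confirm against the original store before treating either date as real.
    """
    return [r["id"] for r in rows
            if r["sent"] is not None and r["sent"] == r["received"]]


if __name__ == "__main__":
    for policy in (False, True):
        rows = export_all(SAMPLE_RECORDS, outlook_style=policy)
        print("outlook_style =", policy)
        for r in rows:
            print("  ", r["id"], r["sent"], r["received"], r["synthesized_field"])
        print("   suspected normalized:", suspected_normalized(rows))
```

Keep the `synthesized_field` column (or its equivalent) in whatever load file goes to the review platform; once the null has been filled, nothing else in the row tells a reviewer that the date was never in the GroupWise store.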

I hope this makes your life a little easier; I know it's made mine much easier.

If you know of other offline GroupWise solutions please let me know!
