Signature and classification for NSF Lotus Notes files

[gaffinet]

Hi

I have noticed, that NSF files (Lotus Notes Databases) aren't listed in the category of the mailboxes.

Yves

[lfcnassif]

Although I have already tried to use https://github.com/libyal/libnsfdb to parse Lotus Notes NSF files unsuccessfully in the past, for sure we can at least classify NSF files, thanks.

[gaffinet]

We are using "kernel for lotus notes to outlook" to convert NSF to PST and after this, we analyse the PST files

The classification would minimize the risk to miss such files.

[lfcnassif]

We are using "kernel for lotus notes to outlook" to convert NSF to PST and after this, we analyse the PST files

Nice suggestion, good to know. Unfortunately we need an open source library with compatible license to include in this project

The classification would minimize the risk to miss such files.

For sure.

[lfcnassif]

According to this https://github.com/libyal/libnsfdb/blob/main/documentation/Notes%20Storage%20Facility%20(NSF)%20database%20file%20format.asciidoc#4-the-file-header file signature is just 2 bytes: 0x1A 0x00

Maybe we could check format version at offset 6 (4 bytes length) to try avoiding false positives (https://github.com/libyal/libnsfdb/blob/main/documentation/Notes%20Storage%20Facility%20(NSF)%20database%20file%20format.asciidoc#511-format-version).

@gaffinet could you check in your files if the 4 bytes value (little-endian) at offset 6 is in {16, 17, 20, 41, 43, 48, 51} set?

[lfcnassif]

(little-endian)

Actually I found one sample here and format version seems big-endian.

[lfcnassif]

16, 17, 20, 41, 43, 48, 51

I added a check for this format versions, valid for Lotus Notes 1.x to 8.5 according to libnsfdb docs. If anyone could confirm the numbers for versions 9, 10 & 11, we can add later. Anyway, currently extension is used as fallback if signature doesn't match.