IBM Support

How to analyze questionable deletions in a Notes database

Technote (FAQ)


Question

A customer states that there have been deletions in a Lotus Notes database such as a mail file that no person actually deleted. Is there a way to analyze if the documents were in fact deleted and is it possible to find out what the source of the deletion was?

Answer

Notes does not explicitly log deletions for a database so there is no way to definitively check the source of a deleted document. The User Activity Log considers a deletion to be a modification and as a result, does not provide additional information. An enhancement request to add this functionality was reported to Quality Engineering as SPR# MSUI549K96 and SPR# DTUL64MV8B.
Based on SPR# DTUL64MV8B, the Notes/Lotus Domino 8.0 release introduces User Activity tracking which breaks down the modification ("Writes") detail to: Adds, Updates, Deletes. This feature is only present when using the On Disk Structure (ODS) 48 or later. The new feature does not specifically detail which document was deleted. The content that follows can be used if specific detail is necessary.

NOTES:
-- To create databases that use ODS 48, you must set the notes.ini file parameter CREATE_R8_DATABASES=1, or have created a replica/database using the NS8 extension. (Note: Be aware of the issue described in technote 1086780, "Databases created with an ODS-specific extension are not upgraded by Compact task".)

-- To create databases that use ODS 51, you must set the notes.ini file parameter CREATE_R85_DATABASES=1


Workaround:
The Database Tools in the Administration Panel has the ability to analyze any document's Note ID or UNID. The key to finding the deleted document is to get the document's Note ID or UNID*. The Note ID is the simpler method. However, if there is another replica involved in the deletion, the UNID would have to be used to find the particular note in the replica. This is because Note IDs are unique to the individual replica but UNIDs are the same across replicas. These are the resources that are needed:

-- An operating system backup of the database with the document in question still in the database or another replica of the database

-- A backup of the log file within the date range when the document was deleted.

*NOTE: Domino Administrator 6.0 and later releases have an issue in which they are not able to search for deleted documents by UNID. This issue was reported to Quality Engineering as SPR# KDOY5ZRJKY. There are no current plans to address the issue. The ability to search for deleted documents by Note ID is not affected by this issue and should be used instead.



Steps for finding the deleted document
    1. Open the backup database file.
    2. Write down everyone in the access control list (ACL) who has the ability to "Delete Documents" and "Write Public Documents".
      NOTE: If you are using a Notes/Domino 8 release, examine the User Activity detail and note the users who deleted documents within the related time frame.
    3. Right-click the document that exists in the backup database but no longer exists in the current database and select Document Properties.
    4. Write down the Note ID (the number that begins with NT0000xxxx where xxxx is the document's Note ID number).
    5. Use the Domino Administrator to find the Note ID in the current database.
      a. Launch the Domino Administrator Client.
      b. Select the server to administer.
      c. On the Files tab, select the file name.
      d. Under Tools on the right side of the screen, select the Database drop-down list.
      e. Select Find Note (at the bottom of the list). Type the last four digits of the Note ID that was in the backup database. For example, if the Note ID was NT00005106, type 5106. Select Find. You should see the Note ID, the word "(Deleted)", and the date on which the note was added to this file or modified in this file.
        Caveats:
        If the Note ID has more than four digits after the leading zeros, type all of the digits that follow the leading zeros. Example: For a Note ID of NT000A5106, a search of A5106 must be used.

        If the Note ID has fewer than four digits after the leading zeros, type the last four digits counting from the right, including the zeros. Example: For a Note ID of NT00000106, a search of 0106 must be used.

    6. Repeat the same steps in the replica.


    Steps for finding the possible source of the deletion:

    You now have the date on which the document was deleted and you must cross-reference the log file for that date.

    NOTE: If you are using a Notes/Domino 8 release, you can simply examine the User Activity Deletes column to determine what ID(s) deleted documents in the related time frame.

    1. Open the log file for the date of the deletion specified in the Database Tools and look at the view By User.
    2. Expand the date in the log file when the document was deleted according to the Note ID in the Database Tools.
    3. Check each user that you identified as having access to "Delete Documents" and/or "Write Public Documents".
    4. Look for a time that is around the time frame when the document was deleted. It should say the number of documents that were written within a certain amount of time. If there is a significantly large number of documents written in a short amount of time, then this is the possible source that deleted the documents.
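The Find Note search string from step 5e and the log cross-reference in steps 1 to 4 above can be scripted once the session details have been copied out of the log by hand. This is an added example, not part of the original technote and not IBM code; the record layout (user, session start, session end, documents written), the user names, the dates, and both thresholds are assumptions made for illustration.

```python
from datetime import datetime, timedelta

def find_note_term(note_id):
    """Find Note search string: drop the NT prefix and leading zeros, then
    pad back to four digits when fewer remain (the two caveats in step 5e)."""
    digits = note_id.strip().upper()
    if digits.startswith("NT"):
        digits = digits[2:]
    return digits.lstrip("0").zfill(4)

def likely_sources(sessions, deleters, deleted_at, slack_min=10, min_rate=10.0):
    """Sessions by users with delete rights that overlap the deletion time
    (within slack_min minutes) and wrote at least min_rate documents per
    minute. Both thresholds are hypothetical and should be tuned per site."""
    slack = timedelta(minutes=slack_min)
    hits = []
    for user, start, end, writes in sessions:
        if user not in deleters:
            continue  # no "Delete Documents" / "Write Public Documents" right
        if not (start - slack <= deleted_at <= end + slack):
            continue  # session is not near the deletion time
        minutes = max((end - start).total_seconds() / 60, 1.0)
        rate = writes / minutes
        if rate >= min_rate:
            hits.append((user, start, rate))
    return sorted(hits, key=lambda h: h[2], reverse=True)

# Constructed sample data, not real log content.
DELETED_AT = datetime(2011, 5, 12, 14, 20)  # date reported by Find Note
DELETERS = {"Alice Admin/Example", "Bob User/Example"}  # from the ACL review
SESSIONS = [  # (user, session start, session end, documents written)
    ("Alice Admin/Example", datetime(2011, 5, 12, 14, 5), datetime(2011, 5, 12, 14, 25), 3),
    ("Bob User/Example", datetime(2011, 5, 12, 14, 18), datetime(2011, 5, 12, 14, 22), 240),
    ("Carol Reader/Example", datetime(2011, 5, 12, 14, 19), datetime(2011, 5, 12, 14, 21), 500),
    ("Bob User/Example", datetime(2011, 5, 12, 9, 0), datetime(2011, 5, 12, 9, 10), 300),
]

if __name__ == "__main__":
    print(find_note_term("NT000A5106"))
    for user, start, rate in likely_sources(SESSIONS, DELETERS, DELETED_AT):
        print(f"{user} at {start}: {rate:.0f} writes/min")
```

A hit only marks a session as the possible source; because the log counts a deletion as a write, a high write rate can also come from ordinary edits.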

    Supporting information:
    If it is unknown which document exists in the backup database and no longer exists in the current database, do the following:

    1. Make a backup of the backup database.
    2. Place the backup database on the Domino server.
    3. Enable the following parameters in the notes.ini file on the server:

      debug_threadid=1
      debug_noteopen=5
      debug_repl_all=2
      debug_Repl=1
    4. Start consolelog.
    5. Run the following commands at the Domino server console:

      load fixup databasename.nsf> Fixup_db.txt
      load compact databasename.nsf -B> Compact_db.txt
      load updall databasename.nsf -r> Updall_db.txt

    If any error messages are reported while these commands run, they are recorded in the console.log and .txt files. For example, if fixup runs and references a Note ID, look up that Note ID in the copy of the backup database by following the steps above.

    Related information

    A simplified Chinese translation is available

    Document information

    More support for: IBM Notes
    Mail

    Software version: 6.0, 6.5, 7.0, 8.0, 8.5, 9.0

    Operating system(s): Linux, Windows, iOS

    Software edition: All Editions

    Reference #: 1086649

    Modified date: 02 June 2011

