When an e-mail is deleted, does it really go away?
That's one of the central questions facing congressional investigators who want to know what happened to e-mails sent by White House staffers using unofficial e-mail accounts run by the Republican National Committee.
White House officials said Thursday that many of the e-mails may have been deleted. Experts said today that may not be exactly true.
Whether it's the congressional inquiry into deleted e-mails among White House officials or similar probes of companies entangled legal troubles, there are a host of tools and techniques that can be used to recover and analyze the data left behind.
These computer forensics tools have helped to uncover and restore long trails of information-filled e-mails in corporate scandals, from the demise of Enron Corp. to the pretexting debacle that hit Hewlett-Packard Co. last year. No matter where the information is stored -- or whether it was created by individuals, government agencies or corporate employees -- the methods used to try to recover data are similar.
Mark Menz, a Sacramento, Calif.-based computer forensics expert, said investigators start with the obvious by looking for deleted e-mails on data center backup tapes. The next steps depend on what e-mail system is being used, he said, whether it is Microsoft Exchange and Outlook, Lotus Notes and Domino, Web-based e-mail systems such as those offered by Yahoo, Microsoft or Google or some other messaging system.
If Exchange and Outlook were used, forensics investigators look at the proprietary .PST files (Personal Storage) used to store data in the applications. A variety of software tools -- including EnCase Enterprise from Pasadena, Calif.-based Guidance Software Inc.; ProDiscover from Coronado, Calif.-based Technology Pathways LLC; or Forensic Toolkit from Lindon, Utah-based AccessData Corp. -- can be used to analyze and recover e-mail files that have been deleted.
The software tools can analyze hard drives and recover deleted files with "carving tools" that look at the individual sectors of a hard drive for the digital signatures of .PST files that have since been deleted, Menz said. While file names may be gone, the data remains on the drive sectors until it is overwritten -- making recovery possible. Those tools can then find and copy deleted .PST data from all the related hard drive sectors. The result: A temporary file that yields a new .PST file with the deleted information intact.
"It's a real art," Menz said. "It can take from an hour to a couple of days" or longer, depending on the size of the hard drive being studied.
Other techniques used by forensics investigators include keyword searches of hard drives for information in the deleted e-mails, he said. The tools allow investigators to look at files in areas of the drive still in use -- allocated space -- and in unallocated areas where deleted files are stored in sectors slated for reuse. Keyword searches can include an additional 50 to 100 words to give investigators the context about the data they might recover, Menz said.
"Looking through the keyword hits is what takes the most time," he said.
The likelihood of success depends on several factors, including how much time has passed since the e-mails were received and deleted and how much the computer has been in use since the deletions, he said.
If an organization's e-mail system uses Lotus Notes and Domino, recovery is harder, he said. Notes and Domino overwrite hard disk sectors quickly after e-mails are deleted. "If it's Lotus Notes, the chances [of recovery] are slim," Menz said.
In the past, Menz has probed e-mails sent over Yahoo mail and Hotmail accounts and found enough data debris on hard disks to recreate remnants of communications two or three years old, he said. Investigators can also look for data on recipients' computers -- those used by anyone who was copied or blind-copied on the e-mails -- if they know who got the messages.
"It's like looking for oil," Menz said. "There's no guarantee. You have dry holes or you have pockets of oil. You won't know until you go out and look."
David Sun, president of SunBlock Systems Inc., a computer forensics and litigation support consultancy in McLean, Va., said the chances of recovering files depends on how e-mail and other systems were set up by IT administrators. That includes for how long Exchange .PST files are stored before being deleted or how long they keep backup tapes before reusing or destroying them.
"In a situation like this [Congressional probe], what I would normally recommend to my clients...is to make an image of the servers, a bit by bit copy of all the data on the servers...and the desktops, and then also review the backup tapes," Sun said. "Then at that point, you see what you have."
A thorough analysis of five e-mail servers, a year's worth of monthly backup tapes and about 100 desktop or laptop hard drives could take about two months if the work is done by about 10 forensics investigators, he said.
What they would find depends on what they have to work with, he said. "Whether you're going to find a continuous timeline of e-mail between certain people along a certain time frame, that's hard to say," Sun said. "But if you're looking to see if there's evidence of e-mail use, then the chances are good you'll find something somewhere."
"Generally speaking, data is everywhere," he said. "People manage it badly. People store it everywhere. The packrat in everybody gets the best of them."
This story, "Retrieval Tips for Lost White House E-Mails" was originally published by Computerworld.