AOH :: ISNQ3907.HTM

White House E-Mail Probably Not 'Lost Forever'




White House E-Mail Probably Not 'Lost Forever'
White House E-Mail Probably Not 'Lost Forever'



http://www.informationweek.com/news/showArticle.jhtml?articleID=199000990 

By K.C. Jones
InformationWeek
April 13, 2007

Despite claims by the Bush administration that e-mails sent to a 
Republican Party account have been purged, some IT forensics companies 
suggest all of the messages may not be lost.

Four years of communications between political adviser Karl Rove and the 
Republican National Committee were reportedly deleted in compliance with 
the RNC's document retention policy, which is to purge all servers of 
e-mail messages after 30 days. Democrats are trying to determine through 
e-mails what role Rove played in the firing of eight U.S. attorneys.

As politicians and lawyers try to figure out just how many government 
e-mail messages may have been lost to deletions by people using RNC 
accounts from inside the White House, the issue brings up a broader 
question of data recovery. A few technology forensics experts believe at 
least some of the so-called "deleted" e-mail messages can be retrieved.

Messages deleted from a BlackBerry cannot be retrieved from the device 
because memory cards do not retain information footprints the way a hard 
drive does. That's true of most mobile devices, and forensics experts 
can have a tougher time with them because of it.

"There are technology challenges within handheld forensics in general," 
Christopher L.T. Brown, CTO of Technology Pathways, said during an 
interview Friday. "The technology changes much more rapidly than most in 
the general technology arena. With a BlackBerry, even though it has been 
around for a while, it's a unique device because they didn't use anybody 
else's technology."

That doesn't mean that people who want to hide their tracks should count 
on a BlackBerry or other handheld device to keep them in the clear.

Brown said people with the greatest technology advantages can always 
have their actions uncovered by solid investigative techniques by people 
who may be much less tech savvy. He pointed to the case of the T-K Worm, 
in which a county task force took down an international bot network.

"They were really good investigators," he said.

Research In Motion declined to comment for this story, saying executives 
were unavailable. The BlackBerry does have security features that allow 
remote locking and wiping to prevent data loss in certain situations 
like theft.

Linda Davis, senior manager of marketing for Logicube, which 
manufactures a forensic data extraction device called CellDEK, said that 
if someone deleted an e-mail message from a BlackBerry, CellDEK cannot 
retrieve it.

"There is no device right now that can go in and extract data off the 
memory card in a cell phone or BlackBerry," she said during an interview 
Friday. "I'm sure it will probably change as the forensic capabilities 
expand and device manufacturers make it easier for the devices to retain 
that kind of information."

There's also the issue of whether a device has been synchronized with a 
local network and what, if any, disaster recovery plans may be in place.

"In an office environment, and a network environment, there could be a 
backup," Davis said. "My company backs up every night, and there is a 
copy of that backup, either on tape or some other format, and it's sent 
away."

E-mail messages deleted from servers cannot be retrieved -- unless there 
is a backup tape or an old server or hard drive sitting in a closet, 
maybe one that was set aside for an upgrade, said Richard M. Smith of 
Boston Software Forensics.

Even in cases where there are no old servers or backup tapes, the e-mail 
messages could have been saved or archived by recipients and senders 
using completely independent systems. Their servers may have stored the 
information, or their organization may have backup tapes. If they had a 
separate e-mail provider, that would be an avenue to pursue as well.

And many times investigators can retrieve lost e-mail through third 
parties who received and stored copies. In corporate settings, Smith has 
found situations where people have stored correspondence on their own 
flash drives and hard drives.

"People can have their own archiving schemes," he said during an 
interview Friday. "Maybe something got archived in a way that no one 
knows about."

Sen. Patrick Leahy recently told The New York Times that he thinks no 
e-mail in this day and age can really be deleted. Smith said that may be 
a bit of an overstatement.

"Maybe some of these old e-mail messages can be retrieved," he said. 
"The RNS has said it's going to have some forensics people come in. I 
would sit down with their IT people who run the e-mail servers and go 
through the procedures to learn a little more about how they run the 
servers."

Smith said he would expect a team of six people to take about three 
weeks to find some of the messages.

"It's going to be a treasure hunt to find these messages and I think 
it's going to be expensive," he said. "They're going to have some 
lawyers involved, too, so it will probably be in the hundreds of 
thousands of dollars. It's not something you would want to do 
routinely."


__________________________
Subscribe to InfoSec News
http://www.infosecnews.org 

Site design & layout copyright © 1986-2014 CodeGods