By K.C. Jones
April 13, 2007
Despite claims by the Bush administration that e-mails sent to a
Republican Party account have been purged, some IT forensics companies
suggest that not all of the messages are necessarily lost.
Four years of communications between political adviser Karl Rove and the
Republican National Committee were reportedly deleted in compliance with
the RNC's document retention policy, which is to purge all servers of
e-mail messages after 30 days. Democrats are trying to determine through
e-mails what role Rove played in the firing of eight U.S. attorneys.
As politicians and lawyers try to figure out just how many government
e-mail messages may have been lost to deletions by people using RNC
accounts from inside the White House, the issue brings up a broader
question of data recovery. A few technology forensics experts believe at
least some of the so-called "deleted" e-mail messages can be retrieved.
Messages deleted from a BlackBerry cannot be retrieved from the device
because memory cards do not retain information footprints the way a hard
drive does. That's true of most mobile devices, and forensics experts
can have a tougher time with them because of it.
"There are technology challenges within handheld forensics in general,"
Christopher L.T. Brown, CTO of Technology Pathways, said during an
interview Friday. "The technology changes much more rapidly than most in
the general technology arena. With a BlackBerry, even though it has been
around for a while, it's a unique device because they didn't use anybody
That doesn't mean that people who want to hide their tracks should count
on a BlackBerry or other handheld device to keep them in the clear.
Brown said that even people with the greatest technology advantages can
have their actions uncovered by solid investigative techniques applied by
people who may be much less tech savvy. He pointed to the case of the T-K
Worm, in which a county task force took down an international bot network.
"They were really good investigators," he said.
Research In Motion declined to comment for this story, saying executives
were unavailable. The BlackBerry does have security features that allow
remote locking and wiping to prevent data loss in certain situations
Linda Davis, senior manager of marketing for Logicube, which
manufactures a forensic data extraction device called CellDEK, said that
if someone deleted an e-mail message from a BlackBerry, CellDEK cannot
"There is no device right now that can go in and extract data off the
memory card in a cell phone or BlackBerry," she said during an interview
Friday. "I'm sure it will probably change as the forensic capabilities
expand and device manufacturers make it easier for the devices to retain
that kind of information."
There's also the issue of whether a device has been synchronized with a
local network and what, if any, disaster recovery plans may be in place.
"In an office environment, and a network environment, there could be a
backup," Davis said. "My company backs up every night, and there is a
copy of that backup, either on tape or some other format, and it's sent
E-mail messages deleted from servers cannot be retrieved -- unless there
is a backup tape or an old server or hard drive sitting in a closet,
maybe one that was set aside for an upgrade, said Richard M. Smith of
Boston Software Forensics.
Even in cases where there are no old servers or backup tapes, the e-mail
messages could have been saved or archived by recipients and senders
using completely independent systems. Their servers may have stored the
information, or their organization may have backup tapes. If they had a
separate e-mail provider, that would be an avenue to pursue as well.
And many times investigators can retrieve lost e-mail through third
parties who received and stored copies. In corporate settings, Smith has
found situations where people have stored correspondence on their own
flash drives and hard drives.
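The multi-source recovery Smith describes, as an added illustration that is not from the article or from any of the companies quoted: each "export" is a constructed list of RFC 5322 messages (a hypothetical format), the primary server has purged everything older than 30 days, and the script reports which messages survive only in recipient archives or backup tapes, recording where each copy was found.

```python
import email
from email import policy
from email.utils import parsedate_to_datetime


def parse_export(raw_messages):
    """Index one source's exported messages by Message-ID (hypothetical export
    format: one RFC 5322 string per message). Messages without an ID are skipped."""
    index = {}
    for raw in raw_messages:
        msg = email.message_from_string(raw, policy=policy.default)
        mid = msg.get("Message-ID")
        if mid:
            index[mid.strip()] = {
                "subject": msg.get("Subject", ""),
                "date": parsedate_to_datetime(msg["Date"]).isoformat(),
            }
    return index


def find_recoverable(sources, primary):
    """Return messages absent from `primary` but present in at least one other
    source, with the list of sources holding a copy (provenance for the record)."""
    indexes = {name: parse_export(raw) for name, raw in sources.items()}
    primary_ids = set(indexes[primary])
    recovered = {}
    for name, idx in indexes.items():
        if name == primary:
            continue
        for mid, meta in idx.items():
            if mid in primary_ids:
                continue
            entry = recovered.setdefault(mid, dict(meta, found_in=[]))
            entry["found_in"].append(name)
    return recovered


def _raw(mid, date, subject):
    # Constructed sample message, not real correspondence.
    return (f"From: a@example.org\r\nTo: b@example.net\r\nSubject: {subject}\r\n"
            f"Date: {date}\r\nMessage-ID: <{mid}@example.org>\r\n\r\nbody\r\n")


# Constructed exports: the primary server purges after 30 days, so only the
# newest message remains there; older ones survive only in third-party copies.
SAMPLE_SOURCES = {
    "primary-server": [_raw("m3", "Tue, 10 Apr 2007 09:00:00 -0400", "status")],
    "recipient-archive": [_raw("m1", "Mon, 15 Jan 2007 12:00:00 -0500", "planning"),
                          _raw("m3", "Tue, 10 Apr 2007 09:00:00 -0400", "status")],
    "backup-tape-2007-03": [_raw("m1", "Mon, 15 Jan 2007 12:00:00 -0500", "planning"),
                            _raw("m2", "Thu, 01 Mar 2007 08:30:00 -0500", "follow-up")],
}

if __name__ == "__main__":
    for mid, meta in sorted(find_recoverable(SAMPLE_SOURCES, "primary-server").items()):
        print(mid, meta["date"], meta["subject"], "found in:", ", ".join(meta["found_in"]))
```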
"People can have their own archiving schemes," he said during an
interview Friday. "Maybe something got archived in a way that no one
Sen. Patrick Leahy recently told The New York Times that he thinks no
e-mail in this day and age can really be deleted. Smith said that may be
a bit of an overstatement.
"Maybe some of these old e-mail messages can be retrieved," he said.
"The RNC has said it's going to have some forensics people come in. I
would sit down with their IT people who run the e-mail servers and go
through the procedures to learn a little more about how they run the
Smith said he would expect a team of six people to take about three
weeks to find some of the messages.
"It's going to be a treasure hunt to find these messages and I think
it's going to be expensive," he said. "They're going to have some
lawyers involved, too, so it will probably be in the hundreds of
thousands of dollars. It's not something you would want to do