Why email matters: The science behind the US Attorneys scandal
Steve Burgess
Published: Wednesday April 25, 2007

Email, which is more and more in the news these days, is close to the center of the current US Attorney firing scandal, and for good reason. A substantial amount of communication flows via email, which is nearly instantaneous, costs almost nothing, and has in large part replaced the paper memo.

Email also provides a path of inquiry that previously was unavailable to investigators. A paper document can be shredded or burned, while email leaves a trail even when deleted. Furthermore, unlike a piece of paper, the email itself reveals who sent it and who received it, when and where. As Senator Patrick Leahy says, “You can't erase e-mails, not today…They've gone through too many servers. Those e-mails are there –”

There are three kinds of email systems in common use. The most familiar is the email client program, a genre that includes Microsoft Outlook Express, Mozilla Thunderbird, Macintosh Mail, and Netscape Mail. These programs store data mainly in text form, rather than in cryptic computer language. Generally all of the individual emails in a single mailbox (such as the “In” or “Sent” mailbox) are stored together as a single file. Each mailbox file is then represented by an entry in an index that functions something like a table of contents.

When a single email is deleted, it is cut out of the mailbox file, but its data is not actually removed from the disk. Even when an entire mailbox is deleted, its entry is removed from the file index, but the actual body of the file does not disappear from the computer. The area on the computer’s hard disk that holds the file is marked as available to be reused, but the file’s contents will not immediately be overwritten and hence may be recoverable for a considerable period of time.

The computer forensics specialist is able to search the ostensibly unused portion of the hard drive for text that may have been part of an email. The expert can look for names, phrases, places, or actions that might have been mentioned in an email. The email also contains additional internal data that tells where it has been and who it has been sent to.
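The search described above, as an added example that is not code from the article: a deleted message's text usually survives in disk sectors the file system has marked free, so a tool can scan raw bytes for the shape of an email header block (consecutive "Name: value" lines ending in a blank line) and for a keyword such as a name or domain. The "unallocated space" below is a constructed byte string, and every address, host and IP in it is made up.

```python
"""Carve e-mail remnants out of a blob of 'unallocated' disk bytes."""
import re

# Constructed sample: filler bytes, then a deleted message fragment, then
# more filler. Addresses, hosts and IPs are made up for the example.
UNALLOCATED = (
    b"\x00" * 64
    + b"GIF89a\x01\x00\x01\x00" + b"\xff" * 40
    + b"Return-Path: <alice@example.org>\r\n"
    b"Received: from mail.example.org (mail.example.org [192.0.2.10])\r\n"
    b"\tby mx.example.net with ESMTP; Wed, 25 Apr 2007 10:15:00 -0400\r\n"
    b"From: alice@example.org\r\n"
    b"To: bob@example.net\r\n"
    b"Cc: carol@example-campaign.test\r\n"
    b"Subject: Where's this email from?\r\n"
    b"Date: Wed, 25 Apr 2007 10:14:58 -0400\r\n"
    b"\r\n"
    b"Seventeen words that were deleted but still sit in free space.\r\n"
    + b"\x00" * 32
    + b"\x7fELF" + b"\x90" * 50
)

# A header block: a line starting with a well-known header name, followed by
# any number of header or folded continuation lines, ended by a blank line.
HEADER_BLOCK = re.compile(
    rb"(?:Return-Path|Received|From|To|Cc|Subject|Date|Message-ID):[^\r\n]*\r?\n"
    rb"(?:[!-9;-~]+:[^\r\n]*\r?\n|[ \t][^\r\n]*\r?\n)*"
    rb"\r?\n"
)


def carve_header_blocks(blob: bytes) -> list[dict]:
    """Return one dict per header block found in the raw bytes.

    Each dict maps header name -> value (folded lines are joined) and
    records the byte offset, which is what an examiner cites in a report.
    """
    results = []
    for m in HEADER_BLOCK.finditer(blob):
        headers = {}
        last = None
        for line in m.group(0).decode("ascii", "replace").splitlines():
            if not line:
                continue
            if line[0] in " \t" and last is not None:  # folded continuation
                headers[last] += " " + line.strip()
                continue
            name, _, value = line.partition(":")
            last = name
            headers[name] = value.strip()
        headers["_offset"] = m.start()
        results.append(headers)
    return results


def keyword_hits(blob: bytes, keyword: bytes) -> list[int]:
    """Case-insensitive byte offsets of every occurrence of keyword in blob:
    the raw 'search the whole disk for a name or domain' step."""
    return [m.start() for m in re.finditer(re.escape(keyword), blob, re.IGNORECASE)]


if __name__ == "__main__":
    for block in carve_header_blocks(UNALLOCATED):
        print(f"header block at offset {block['_offset']}:")
        for k, v in block.items():
            if not k.startswith("_"):
                print(f"  {k}: {v}")
    print("keyword hits for 'example-campaign':",
          keyword_hits(UNALLOCATED, b"example-campaign"))
```

The keyword search is deliberately run over the whole blob rather than only over carved blocks, because a partially overwritten message can lose its header block while the name or domain being searched for survives in the body.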

As an example of such data, I just sent my wife a 17-word message titled, “Where’s this email from?” She replied, “Darling, Surely you must mean, ‘From where is this email?’ Love, Your grammatically correct wife.” Her reply is only 15 words, yet when I look underneath what is displayed on the screen, I see the email actually contains 246 words. Where did the rest of it come from?

The extra information includes a return path with my beloved’s America Online (AOL) email address, her computer’s IP address, the IP addresses of three other computers, both email addresses repeated another three times each, the names of three or four mail servers, and four date/time stamps. Oh, and lest I forget, there’s an ad for AOL at the end. (“IP” stands for “Internet Protocol.” Every computer that is hooked up to a network has an IP address.)

If I forwarded or copied the email, it would have more information added, most notably the email addresses of the other people to whom I copied or forwarded the message. By looking at the IP addresses and doing a little more investigation, I could tell the approximate physical location of the computers with the given IP addresses. I could see who else was involved in the string of communication, and approximately where they were located.
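The hidden routing data the last few paragraphs describe, as an added example that is not code from the article: most of the extra words are Received: headers, one per mail server the message passed through, each naming the sending host, its IP address and a timestamp. The script below reads a constructed forwarded message (every host, address and IP is made up, using the reserved documentation ranges), walks the Received chain in the order the message travelled, and lists every address the copy was sent to.

```python
"""Read the routing data 'underneath' a displayed e-mail."""
import re
from datetime import timezone
from email import message_from_string, utils
from email.message import Message

# Constructed sample message; hosts, addresses and IPs are invented.
RAW_FORWARDED = """\
Return-Path: <alice@example.org>
Received: from mx.example.net (mx.example.net [198.51.100.5])
\tby inbound.example.com with ESMTP id 7Gk2x; Wed, 25 Apr 2007 10:15:07 -0400
Received: from mail.example.org (mail.example.org [192.0.2.10])
\tby mx.example.net with ESMTP; Wed, 25 Apr 2007 10:15:02 -0400
Received: from [203.0.113.44] (client-203-0-113-44.isp.test [203.0.113.44])
\tby mail.example.org with ESMTPA; Wed, 25 Apr 2007 10:14:58 -0400
Date: Wed, 25 Apr 2007 10:14:55 -0400
From: alice@example.org
To: bob@example.net, dave@example.com
Cc: "Carol" <carol@example-campaign.test>
Subject: Fwd: Where's this email from?
Message-ID: <20070425101455.A1B2@mail.example.org>

Forwarding this for the record.
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_hops(msg: Message) -> list[dict]:
    """Return the Received chain in travel order (oldest hop first).

    Servers prepend Received: headers, so the bottom one is the first hop.
    Each hop records the 'from' host, the IPs on the line and the timestamp.
    """
    hops = []
    for received in reversed(msg.get_all("Received", [])):
        flat = " ".join(received.split())        # unfold continuation lines
        stamp = flat.rsplit(";", 1)[1].strip()   # timestamp follows the last ';'
        when = utils.parsedate_to_datetime(stamp).astimezone(timezone.utc)
        from_host = re.search(r"from (\S+)", flat)
        hops.append({
            "from": from_host.group(1) if from_host else None,
            "ips": IPV4.findall(flat),
            "time": when,
        })
    return hops


def all_recipients(msg: Message) -> list[str]:
    """Every address in the To/Cc/Bcc fields of the copy at hand, lower-cased."""
    fields = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return sorted({addr.lower() for _, addr in utils.getaddresses(fields) if addr})


def analyse(raw: str) -> dict:
    """Summarise where a message came from, where it went and how long it took."""
    msg = message_from_string(raw)
    hops = parse_hops(msg)
    transit = (hops[-1]["time"] - hops[0]["time"]).total_seconds() if hops else 0.0
    return {
        "hops": hops,
        # The first hop's IP is the closest thing to the submitting computer;
        # everything above it was written by other people's servers.
        "origin_ip": hops[0]["ips"][0] if hops and hops[0]["ips"] else None,
        "recipients": all_recipients(msg),
        "transit_seconds": transit,
    }


if __name__ == "__main__":
    summary = analyse(RAW_FORWARDED)
    for i, hop in enumerate(summary["hops"], 1):
        print(f"hop {i}: from {hop['from']} ips={hop['ips']} at {hop['time'].isoformat()}")
    print("origin IP:", summary["origin_ip"])
    print("recipients:", summary["recipients"])
    print("transit seconds:", summary["transit_seconds"])
```

Only the Received: header added by a server you trust is reliable evidence; any sender can write fake Received: lines below it, which is why an examiner reads the chain from the top down and stops trusting it at the first hop that cannot be corroborated by that server's own logs.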

In an investigation, if a judge saw multiple email addresses indicating that other people might be involved, and if the original party was not forthcoming with all the information requested, the judge might allow the computers specified by the other email addresses to be inspected. Then the great officially sanctioned fishing expedition could begin in earnest.

That is why we read headlines such as this one, which appeared on the ThinkProgress website on April 12, 2007: “White House Originally Claimed RNC Emails Were Archived, Only ‘Handful’ Of Staffers Had Accounts.” In a press conference, White House Deputy Press Secretary Dana Perino had said that just a handful of White House staffers had RNC (Republican National Committee) email addresses. It may have been in the face of inevitable discovery that the White House was soon forced to admit that more than 50 top officials had such RNC email addresses – that’s 10 handfuls by most counts.

In his article Follow the e-mails, Sidney Blumenthal says, “The offshoring of White House records via RNC e-mails became apparent when an RNC domain, gwb43.com (referring to George W. Bush, 43rd president), turned up in a batch of e-mails the White House gave to House and Senate committees earlier this month. Rove's deputy, Scott Jennings, former Bush legal counsel Harriet Miers and her deputies strangely had used gwb43.com as an e-mail domain. The production of these e-mails to Congress was a kind of slip.”

Indeed. This is exactly the kind of information that computer forensics experts like to have to assist in their process of electronic discovery. In my own e-discovery work, I have found more than a half million unexpected references on a single computer.

Investigators may now be able to search the computers at the RNC, in the White House, and at the locations that host computers for both, as well as those laptops and Blackberries used by staffers of these organizations. The search will be on for any occurrence of “gwb43” – a search that is likely to turn up more email addresses and more email, whether deleted or not.

I mentioned three types of email systems at the beginning of this article but only talked about the one that has the most promise for turning up deleted data. The second type is represented by Microsoft Outlook, while the third is commonly known as web mail or Internet mail.

Outlook stores all its data in one encrypted file on a user’s computer, on a mail server, or on both, depending upon the configuration of the server. All mailboxes are in the same encrypted file. Computer forensics specialists have tools that decode this file in a fashion that can often bring back many or all of the deleted emails. The email server may also have backups of the users’ mail.

Web mail, where the user is essentially looking at a web page that is displaying mail, keeps all its emails on a remote server (such as on AOL’s large farm of mail servers) and little or nothing is on the user’s own computer. Such remote mail servers are so dynamic that any deleted email is likely to be overwritten in a matter of minutes. Blumenthal references the advantages that such systems may have for those who wish to hide information in Follow the e-mails: “As a result, many aides have shifted to Internet E-mail instead of the White House system. ‘It's Yahoo!, baby,’ says a Bushie.”

On the other hand, while such email content may be hard to find once deleted, logs of access to the email accounts are likely to be retained for quite a long time and may be of some use in an investigation.
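The access logs the paragraph above refers to, as an added example that is not code from the article: a provider's authentication log records which account was opened from which IP address and when, and it outlives the messages themselves. The log format and every account and IP below are constructed for the example; a real provider's format will differ. The script builds a per-account timeline and also flags IP addresses shared by more than one account, which is the kind of link an investigator uses to connect accounts to each other.

```python
"""Build an account-access timeline from constructed web-mail login logs."""
import re
from datetime import datetime

# Constructed sample lines (accounts and IPs are made up). One line is
# deliberately malformed to show that the parser skips what it cannot read.
LOG_LINES = [
    "2007-04-25T10:14:50-04:00 auth user=alice@example.org ip=203.0.113.44 result=ok",
    "2007-04-25T10:16:03-04:00 auth user=bob@example.net ip=203.0.113.44 result=ok",
    "2007-04-25T10:20:11-04:00 auth user=alice@example.org ip=198.51.100.77 result=fail",
    "2007-04-25T10:20:25-04:00 auth user=alice@example.org ip=198.51.100.77 result=ok",
    "2007-04-26T08:02:14-04:00 auth user=alice@example.org ip=203.0.113.44 result=ok",
    "garbage line that does not match the format",
]

LINE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>ok|fail)$"
)


def parse_log(lines) -> list[dict]:
    """Turn matching log lines into events; unparseable lines are skipped."""
    events = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])  # keeps the UTC offset
        events.append(ev)
    return events


def account_timeline(events) -> dict:
    """Per account: IPs used, first and last successful login, failed attempts."""
    out = {}
    for ev in events:
        acct = out.setdefault(
            ev["user"], {"ips": set(), "first": None, "last": None, "failed": 0}
        )
        if ev["result"] == "fail":
            acct["failed"] += 1
            continue
        acct["ips"].add(ev["ip"])
        if acct["first"] is None or ev["ts"] < acct["first"]:
            acct["first"] = ev["ts"]
        if acct["last"] is None or ev["ts"] > acct["last"]:
            acct["last"] = ev["ts"]
    return out


def shared_ips(events) -> dict:
    """IP addresses from which more than one account logged in successfully."""
    by_ip = {}
    for ev in events:
        if ev["result"] == "ok":
            by_ip.setdefault(ev["ip"], set()).add(ev["user"])
    return {ip: users for ip, users in by_ip.items() if len(users) > 1}


if __name__ == "__main__":
    evs = parse_log(LOG_LINES)
    for user, info in account_timeline(evs).items():
        print(f"{user}: ips={sorted(info['ips'])} first={info['first']} "
              f"last={info['last']} failed={info['failed']}")
    print("shared IPs:", shared_ips(evs))
```

Timestamps are parsed with their offset preserved rather than stripped, so that entries from logs kept in different time zones still sort correctly when merged.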

The upshot is that, unlike paper documents, email may be widely broadcast, sometimes even by accident. Also unlike paper, which is destroyed once shredded, it is likely that copies of deleted messages exist elsewhere. To paraphrase Senator Leahy, electronic data can be near immortal. A further difference is that email contains data that tells who drafted it, when, and where it went.

The current US Attorney scandal has shown us once again that email is not only a valuable tool for communication, but has the benefit (or detriment, depending on your perspective) of providing additional transparency to the otherwise closed rooms of our leaders.

Steve Burgess is a freelance technology writer, a practicing computer forensics specialist as the principal of Burgess Forensics, and a contributor to the upcoming Scientific Evidence in Civil and Criminal Cases, 5th Edition by Moenssens, et al. Mr. Burgess may be reached at www.burgessforensics.com or steve@burgessforensics.com