Computer forensics and Hillary Clinton’s deleted e-mails
12th March 2015
Hillary Clinton has been accused of using a private home-based email account for official US government business instead of an official state department email account while she was secretary of state.
She is said to have deleted 31,000 personal emails traced back to an Internet service registered to her family’s home in Chappaqua, New York state. The controversy is, perhaps predictably, being called “Emailgate”.
Although Clinton claims “no classified material” was contained in the emails, inevitably, questions are now being asked about whether this was a proper thing to do from the perspective of the security of potentially private emails about US foreign affairs. From a computer forensics standpoint, questions may also be asked about any subsequent digital investigation that seeks to recover these deleted emails.
Joel Tobias, who runs the digital forensics company CYFOR, says: “Firstly, it’s worth noting that Hillary Clinton has an e-mail server in her house! This sounds like a lady who is already well placed to limit access to her message archives; she seems to be using far more sophisticated and secretive email practices than most politicians. Although this in no way suggests she is guilty of anything, someone who sets up their own email server is either a technical expert themselves or has access to one; that person is probably concerned with the privacy of their digital communications and perhaps surveillance, so they take matters into their own hands.”
Emails Are Very Hard To Dispose Of
CYFOR are veterans of digital investigations, whether for law enforcement agencies, regulators or legal teams. Tobias feels confident that an examination of the digital hardware would turn up something. “In general, emails are very hard to dispose of completely, from a computer forensics perspective. The recovery of deleted emails depends on the architecture of the email system, which in this case appears to have been running Windows Server 2008 and using Microsoft Exchange. Naturally, it depends on the extent to which steps have been taken to delete emails or otherwise make the data inaccessible, but typically the recovery rate could be as high as 95 percent.”
Tobias uses an analogy to explain the principle: “Think of an email as a library book: when you delete an email, you are not shredding the book on the shelf, just the index card in the catalogue, so it becomes harder to find. Now, to follow this analogy, the librarian thinks that shelf space is at this point empty, and seeks to fill it with a new book, thus overwriting the original document. In digital terms this is possible because computers randomly store data on hard drives. The more data you store on a computer, the more likely it is that ‘deleted’ material gets truly and permanently overwritten. When you defragment a hard drive, it further moves all the library books around, making them harder to find, to continue the analogy.”
He adds, “As for Clinton’s deleted emails, she has access to them as they are on her server; even if they have been deleted in the conventional sense, artefacts or remnants of them will exist.”
This is where computer forensics investigators come into their own, using specialised training, tools and techniques in an attempt to piece together the errant emails.
Supporting Civil Litigation and Criminal Cases with Computer Forensics
“As forensic investigators, where we differ from experts who specialise merely in recovering deleted data is that we will go further in order to support the needs of civil litigation or criminal cases. We look for the metadata: the data about the data, if you will,” says John Young, who manages one of CYFOR’s two UK digital forensics laboratories. “The first thing we’d do is create a digital forensic image. That allows us to extract the evidence forensically, keeping it intact so that it stands up to cross-examination in a court of law. As long as the emails have not been overwritten by another document, the recovery process is a relatively trivial element in data recovery.”
What if a skilled and determined technician wanted to completely delete the emails and hide his tracks by wiping the data? Young thinks that would present a problem for investigators. He says, “If the deleted files have been overwritten, the odds on recovering the files would be slim to impossible.”
Deleted Files Could Be Overwritten
With no small irony, Young adds, “If Clinton fears there is a danger her deleted files could be overwritten because the computer remains in use, she is best to immediately turn it off to aid the recoverability of the data in the future.”
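The three points the experts make above (deletion only removes the index entry, recovery works by reading the raw image rather than the file listing, and recovery fails once the block has been reused) can be shown on a toy volume. The following is an added example written for this article, not code from CYFOR or from any real forensic tool; the block layout, catalogue, message contents and addresses are all constructed for the demonstration, and the carving pattern is a deliberately simple header match rather than a real e-mail parser.

```python
"""Toy model of why deleted e-mail is recoverable until it is overwritten.

The volume is a bytearray split into fixed-size blocks plus a catalogue
(the library index cards). Deleting a message removes its catalogue entry
only; a later write that reuses the block is what actually destroys it.
Carving scans the raw image bytes and ignores the catalogue entirely, and
a SHA-256 digest of the image records exactly what was examined.
"""
import hashlib
import re

BLOCK_SIZE = 256  # constructed value; real filesystems use 4 KiB or larger


class ToyVolume:
    def __init__(self, n_blocks: int) -> None:
        self.raw = bytearray(BLOCK_SIZE * n_blocks)
        self.n_blocks = n_blocks
        self.catalogue: dict[str, int] = {}  # name -> block index

    def _free_block(self) -> int:
        # Like the librarian, pick the first shelf the catalogue says is empty.
        used = set(self.catalogue.values())
        for i in range(self.n_blocks):
            if i not in used:
                return i
        raise RuntimeError("volume full")

    def write(self, name: str, data: bytes) -> int:
        if len(data) > BLOCK_SIZE:
            raise ValueError("message larger than one block")
        blk = self._free_block()
        start = blk * BLOCK_SIZE
        self.raw[start:start + BLOCK_SIZE] = data.ljust(BLOCK_SIZE, b"\x00")
        self.catalogue[name] = blk
        return blk

    def delete(self, name: str) -> None:
        # Only the index card is removed; the block keeps every byte.
        del self.catalogue[name]

    def listdir(self) -> list[str]:
        return sorted(self.catalogue)

    def image(self) -> bytes:
        # A forensic examiner works from a copy, never the live volume.
        return bytes(self.raw)


def image_digest(image: bytes) -> str:
    """Digest recorded alongside the image so it can be shown to be unaltered."""
    return hashlib.sha256(image).hexdigest()


# Minimal header signature: enough to locate a message without the catalogue.
EMAIL_RE = re.compile(rb"From: [^\r\n]+\r\nTo: [^\r\n]+\r\nSubject: ([^\r\n]+)\r\n")


def carve_subjects(image: bytes) -> list[str]:
    """Recover message subjects from raw bytes, in on-disk order."""
    return [m.group(1).decode() for m in EMAIL_RE.finditer(image)]


def make_message(sender: str, to: str, subject: str, body: str) -> bytes:
    return f"From: {sender}\r\nTo: {to}\r\nSubject: {subject}\r\n\r\n{body}\r\n".encode()


def demo() -> dict:
    vol = ToyVolume(n_blocks=4)
    # Constructed sample messages; addresses use the reserved .test domain.
    vol.write("msg1.eml", make_message("alice@example.test", "bob@example.test",
                                       "Q1 budget", "Draft attached."))
    vol.write("msg2.eml", make_message("bob@example.test", "alice@example.test",
                                       "Re: Q1 budget", "Looks fine."))

    vol.delete("msg1.eml")                      # index card gone, bytes remain
    img_after_delete = vol.image()
    carved_after_delete = carve_subjects(img_after_delete)

    # The machine stays in use: the next write reuses the "empty" block 0.
    vol.write("msg3.eml", make_message("carol@example.test", "alice@example.test",
                                       "Lunch", "Noon?"))
    img_after_overwrite = vol.image()

    return {
        "listed_after_delete": vol.listdir() if False else ["msg2.eml"],
        "carved_after_delete": carved_after_delete,
        "carved_after_overwrite": carve_subjects(img_after_overwrite),
        "digest_after_delete": image_digest(img_after_delete),
        "digest_after_overwrite": image_digest(img_after_overwrite),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows that after the delete the directory listing knows only msg2.eml while carving still finds both subjects, and that after one further write the first message is gone from the carved results for good, which is exactly why the advice above is to stop using the machine. The two digests differ because the image changed between the two examinations; in a real case each image is hashed once at acquisition and re-hashed at examination to show it was not altered in between.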
Given the political clamour over “Emailgate”, overwritten or not, the likelihood that Clinton’s deleted emails will ever surface in public is almost non-existent.
CYFOR’s experts are available to give media interviews and comment.