Email is more and more in the news these days, and is near the center of the current US Attorney firing scandal, for good reason. A substantial amount of communication flows via email, which can be an efficient way to send memos and other correspondence. Email is nearly instantaneous, costs almost nothing, and has in large part replaced the paper memo. Email also provides a path of inquiry that was previously unavailable to investigators: a paper document can be shredded or burned, while email leaves a trail even when deleted. Furthermore, unlike a piece of paper, the email itself reveals who sent it and who received it, when and where. As Senator Patrick Leahy says (quoted by Michael Abramowitz on April 14, 2007 in 4 years of Rove e-mails are missing, GOP admits) “You can’t erase e-mails, not today…They’ve gone through too many servers. Those e-mails are there -”

There are primarily three kinds of email in common use. One is the email client program, a genre that includes Microsoft Outlook Express, Mozilla Thunderbird, Macintosh Mail, and Netscape Mail. The second is the prevalent Microsoft Outlook, a very different program from the same company’s Outlook Express. The third is commonly known as web mail or Internet mail.
Email client programs store data mostly in text form – words people understand, as distinct from cryptic computer language. In general, all of the individual emails in a single mailbox (such as the “In” or “Sent” mailboxes) are stored together as a single file.
When a message is deleted, it is truncated from the mailbox file, but its data is not actually removed from the computer at that point. Each file has an entry in an index that works something like a table of contents. When an entire mailbox is deleted, part of its entry in the file index is removed, but the actual body of the file does not disappear from the computer. The area of the computer’s hard disk that holds the file is marked as available for reuse, but the file’s contents may not be overwritten for some time, if at all, and hence may remain recoverable.
The computer forensics specialist may then search the ostensibly unused portion of the computer for text that may have been part of an email. The expert can look for names, phrases, places, or actions that might have been mentioned in an email. The email itself contains internal data that records where it has been and to whom it has gone.
For instance, I just sent my wife a 17-word message entitled, “Where’s this email from?” She replied, “Darling, Surely you must mean, ‘From where is this email?’ Love, Your grammatically correct wife.” – a 15-word reply. Yet when I look underneath what is displayed on the screen, I see the email actually contained 246 words. Where did it all come from?
The extra information included a return path with my beloved’s America Online (AOL) email address, her computer’s IP address (“IP” stands for “Internet Protocol”; every computer that is hooked up to a network has an IP address), the IP addresses of three other computers, both email addresses repeated another three times each, the names of three or four mail servers, and four date / time stamps. Oh, and lest I forget, there’s an ad for AOL at the end.
If I forwarded or copied the email, it would have more information, most notably the email addresses of the other people to whom I copied or forwarded the message.
By looking at the IP addresses and doing a little more investigation, I could tell the approximate physical location of the computer with the given IP addresses. I could see who else was involved in the string of communication, and approximately where they were.
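As an added example (not part of the original article), the following Python script does in miniature what the two preceding sections describe: it carves a message fragment out of a constructed chunk of raw disk bytes that no file index points at, then reads the Received headers to reconstruct the chain of servers, IP addresses and timestamps the message carries. The hosts, addresses and message text are constructed sample values, not data from any real mailbox.

```python
import re
from email import message_from_bytes
from email.utils import parsedate_to_datetime

# Constructed sample: a slice of "unallocated" disk space where a deleted
# message's text survives between unrelated bytes (all values are made up).
RAW_DISK_CHUNK = (
    b"\x00\x00\xff\xfe stale file data \x00\x00"
    b"Received: from mail-out.example.com (mail-out.example.com [192.0.2.10])\r\n"
    b"\tby mx.example.net with ESMTP; Sat, 14 Apr 2007 10:15:02 -0400\r\n"
    b"Received: from [198.51.100.7] (client.example.org [198.51.100.7])\r\n"
    b"\tby mail-out.example.com with SMTP; Sat, 14 Apr 2007 10:14:58 -0400\r\n"
    b"From: sender@example.com\r\n"
    b"To: spouse@example.com\r\n"
    b"Subject: Where's this email from?\r\n"
    b"\r\nWhere's this email from?\r\n"
    b"\x00\x00 unrelated bytes that follow the fragment \x00"
)

# A header block: consecutive "Name: value" lines (with folded continuation
# lines) ended by an empty line; carving by shape needs no file-system index.
HEADER_BLOCK = re.compile(
    rb"(?:[A-Za-z][\w-]*:[^\r\n]*\r?\n(?:[ \t][^\r\n]*\r?\n)*)+\r?\n")
# Typical Received header: "from <host> (... [<ip>]) by <server> ...; <date>"
RECEIVED = re.compile(
    r"from\s+(\S+).*?\[(\d{1,3}(?:\.\d{1,3}){3})\].*?by\s+(\S+).*?;\s*(.+)$")

def carve_header_blocks(blob):
    """Return every header block found in a raw byte buffer."""
    return [m.group(0) for m in HEADER_BLOCK.finditer(blob)]

def received_hops(header_block):
    """Delivery path, oldest hop first: (claimed host, IP seen, server, time)."""
    msg = message_from_bytes(header_block)
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED.search(re.sub(r"\s+", " ", value))
        if m:
            host, ip, by, stamp = m.groups()
            hops.append((host, ip, by, parsedate_to_datetime(stamp)))
    return hops[::-1]  # each server prepends, so the bottom header is hop one

def summarize(blob):
    """Carve each fragment and describe its sender, recipient and path."""
    out = []
    for block in carve_header_blocks(blob):
        msg, hops = message_from_bytes(block), received_hops(block)
        transit = (hops[-1][3] - hops[0][3]).total_seconds() if hops else 0.0
        out.append({"from": msg["From"], "to": msg["To"], "subject": msg["Subject"],
                    "path": [(ip, by) for _, ip, by, _ in hops], "transit": transit})
    return out
```

The IP in each hop is the address the receiving server observed, not the one the sender claimed, which is why the second hop's bracketed address is the one worth checking against the claimed host name.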
In an investigation, if a judge saw the multiple email addresses indicating that these other people might be involved, and that the original party was not forthcoming with all of the information requested, the judge might then allow all of the other computers accessible to all of the other email addresses to be inspected. Then the great fishing expedition could begin in officially sanctioned earnest.
Thus we read such headlines as this one seen on the ThinkProgress website on April 12, 2007: White House Originally Claimed RNC Emails Were Archived, Only ‘Handful’ Of Staffers Had Accounts. In a press conference, White House Deputy Press Secretary Dana Perino said that just a handful of White House staffers had RNC (Republican National Committee) email addresses. It may have been in the face of the inevitable discovery that the White House was forced to admit that more than 50 top officials (from Officials’ e-mails may be missing, White House says – Los Angeles Times, April 12, 2007) had such RNC email addresses – that’s 10 handfuls by most counts.
In his article Follow the e-mails on Salon.com Sidney Blumenthal says, “The offshoring of White House records via RNC e-mails became apparent when an RNC domain, gwb43.com (referring to George W. Bush, 43rd president), turned up in a batch of e-mails the White House gave to House and Senate committees earlier this month. Rove’s deputy, Scott Jennings, former Bush legal counsel Harriet Miers and her deputies strangely had used gwb43.com as an e-mail domain. The production of these e-mails to Congress was a kind of slip.” Indeed. This is exactly the kind of information that computer forensics experts like to have to assist in their process of electronic discovery. In my own e-discovery work, I have found more than a half million unexpected references on a single computer.
Investigators may now be able to search the computers at the RNC, in the White House, and at the locations that host computers for both, as well as those laptops and Blackberries used by staffers of these organizations. The search will be on for any occurrence of “gwb43” – a search that is likely to turn up more email addresses and more email, whether deleted or not.
I mentioned three types of email at the beginning of this article but have only talked about the one that holds the most promise for turning up deleted data. The second type is represented by Microsoft Outlook. Outlook stores all of its data in one encrypted file on a user’s computer, on a mail server, or on both, depending upon the configuration of the mail server. All mailboxes are in the same encrypted file. Computer forensics specialists have tools that decode this file in a fashion that can often bring back many or all of the deleted emails. The email server may also have backups of the users’ mail.
Web mail, where the mail is stored on a remote server (such as AOL’s large farm of mail servers), may leave little or nothing stored on the user’s own computer. Here the user is essentially looking at a web page that is displaying mail. Such mail servers are so dynamic that any deleted email is likely to have been overwritten in a matter of minutes. Blumenthal references the advantages that such systems may have for those who wish to hide information in Follow the e-mails thus: “As a result, many aides have shifted to Internet E-mail instead of the White House system. ‘It’s Yahoo!, baby,’ says a Bushie.”
On the other hand, while such email content may be hard to find once deleted, logs of access to the email accounts are likely to be retained for quite a long time and may be of some use in an investigation.
The upshot is that, unlike paper documents, email may be widely broadcast, even by accident. And unlike paper, when it is shredded, copies are likely to exist elsewhere; to paraphrase Senator Leahy, electronic data can be near immortal. A further difference is that email contains data that tells who drafted it, when, and where it went. The current US Attorney scandal has shown us once again that email is not only a valuable tool for communication, but has the benefit (or detriment, depending on your perspective) of providing some additional transparency to the otherwise closed rooms of our leaders.