
Experts say recovery of missing White House e-mail may be possible, but not trivial

sabra, Fri Apr-13-07 03:43 PM
Original message
Experts say recovery of missing White House e-mail may be possible, but not trivial
Source: AP

Although a top Senate Democrat believes even a teenager could recover missing White House e-mails, experts said Friday that doing so could be tough - but not impossible.

On Thursday, Senate Judiciary Committee Chairman Patrick Leahy of Vermont disputed the Bush administration's claims that e-mails sent on a Republican Party account might have been lost, insisting that e-mail is never fully deleted and "I've got a teenage kid in my neighborhood that can go get 'em for them."

"I read that and I laughed," said Mark Rasch, managing director for technology at FTI Consulting Inc. "Senator Leahy is wrong when he says it's a trivial matter, but it's also not correct to say they cannot be recovered."

...

"I would not say that any teenager could do it, but I would say there are many, many highly qualified computer forensics experts," he said. "Whether they will find every deleted message is doubtful but they should find quite a bit."


Read more: http://creativemac.digitalmedianet.com/articles/viewarticle.jsp?id=127637
Paulie, Fri Apr-13-07 03:54 PM
Response to Original message
1. What's a little harder than trivial? Cake walk?
Edited on Fri Apr-13-07 03:54 PM by Paulie
Dude, run the restores to another box. With Lotus Notes it's cake, Exchange a bit harder. Not harder if the messages are being forked to another message store, which is likely as part of the records retention law.
 
superconnected, Fri Apr-13-07 05:49 PM
Response to Reply #1
17. with exchange you just have to install exchange on another box and restore
the backup.
 
Paulie, Fri Apr-13-07 08:19 PM
Response to Reply #17
22. Yep
Perhaps they did brick level backups as well and not the full store. Be interesting to know. As I said Notes is easier, since each mail file is itself just a database, unless they are using shared storage for attachments, then just a tad harder. With the retention policy, they probably just kept the notes mail db's intact, then did replications to a copy that ignored deletion stubs from the main user's mailbox, plus dumped all the sent mail into a mail-in db.

I worked for a client who used GroupWise, and since they had a type of company subject to lawsuits as customer, they were not allowed to have an automatic deletion policy. And archives had to be warm or live when the subpoenas came in. Seven years' worth of archives...
 
Kagemusha, Fri Apr-13-07 04:00 PM
Response to Original message
2. And there are many, many scary teenagers, for the record.
Maybe Leahy's neighborhood has one of those scary ones. Is he too young to legally work for Uncle Sam I wonder?
 
Javaman, Fri Apr-13-07 04:08 PM
Response to Original message
3. Sounds like the "expert" is trying to cover his ass...
"I'm important!! I'm important!!!"

 
tridim, Fri Apr-13-07 04:53 PM
Response to Reply #3
7. Yep, that's exactly how the M$M treats bloggers. nt
 
ozone_man, Fri Apr-13-07 06:01 PM
Response to Reply #3
19. That's the way I read it (job security).
Maybe it would take a computer whiz kid, but we live in the computer era when there's apt to be one just down the block.
 
jamez1957, Fri Apr-13-07 04:13 PM
Response to Original message
4. Government Wipe
It depends if the emails were just deleted or the disk area where
the files were have been erased and then written over.
 
0rganism, Fri Apr-13-07 05:49 PM
Response to Reply #4
18. Evidence of an attempted wipe could be just as damning as the emails themselves
I say chase this rabbit and see where its tunnel leads. If email relays have records of datestamps for the email in question, and they can be traced to a backup that's been overwritten with random bytes in the last week or two, that'd be grounds for indictment.
 
Roy, Fri Apr-13-07 04:45 PM
Response to Original message
5. Why don't they just subpoena and seize the computers
instead of giving them more time to destroy evidence?
 
central scrutinizer, Fri Apr-13-07 04:47 PM
Response to Original message
6. The weak link will be human, not electronic, I believe
The more people involved in a conspiracy, the more likely (exponentially likely) that someone has a laptop or something they have forgotten about and even if the servers are wiped clean, there are likely smoking hard drives out there. Maybe someone will actually grow a conscience and become the new Deep Throat.
 
mahatmakanejeeves, Fri Apr-13-07 04:56 PM
Response to Reply #6
10. "the new Deep Throat."
"Deep Modem" has already been taken. Perhaps he will make the supreme sacrifice and turn his handle over, for the good of the country.
 
Occulus, Fri Apr-13-07 11:32 PM
Response to Reply #10
24. No- Deep Bit.
Because the bits would otherwise be deeply buried.
 
Pavulon, Fri Apr-13-07 04:54 PM
Response to Original message
8. Decru red button kill
Data is written to tape/disk with an AES key. That key is kept until the data is to be destroyed. Then the key is destroyed. The only thing restored is ciphertext. (The red button kills all the keys instantly)

Depends on how they keep data. If it is sitting on tape no big deal. If it is encrypted from block write to tape and keys rotated, it is a no go.

 
Shakespeare, Fri Apr-13-07 04:55 PM
Response to Original message
9. So?? Get busy, then.
"It'll be hard." Do it anyway. NOW.
 
meldroc, Fri Apr-13-07 05:19 PM
Response to Original message
11. Bull-fucking-shit. They have backups.
Edited on Fri Apr-13-07 05:22 PM by meldroc
Any semi-functional organization with at least a few firing neurons amongst its IT staff is going to have regular backups for the important servers, including the email servers. We're talking about an organization with VIPs like Karl Rove and other White House staffers using the systems. If there was a true accidental data loss, Karl Rove would have the IT department's heads, so of course they're going to have backups and RAID arrays and everything. Email will not just be routed to and from individuals, it'll all be automatically bcc'ed to an archive server. The servers will have daily backups to tape, weekly full backups, an offsite monthly backup, etc. In a worst case scenario, where a server crashed, the software went berserk, the hard drives all exploded, etc. they will at WORST lose a day's worth of email. Any sysadmin who doesn't have a backup system and redundant email systems to get things back in business after a worst-case scenario in a matter of hours is incompetent.

The only way that emails are going to be lost is INTENTIONALLY. That means they'll have a loyal Bushie IT guy delete the email from the servers, from as many workstations as they have control of, then they're going to have to go dig up possibly dozens of backup tapes and wipe the emails from them.
 
Pavulon, Fri Apr-13-07 05:26 PM
Response to Reply #11
12. Backups fall under
retention policy. You write data to tape or disk for archive with an AES key. The data is encrypted. When you hit the delete date the keys are destroyed. The only thing on tape is garbage. It is not recoverable.

You keep 5 days online, archive after that to SATA storage block level encrypted, destroy write key after 30. Kill files to recover space.

SOP in big companies and I would assume government.
Printer Friendly | Permalink |  | Top
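
Added example, not part of the thread and not any poster's or vendor's code: the key-destruction retention scheme described in replies #8 and #12, with one key per archive day. The names `ArchiveKeys`, `seal`, `open` and `expire` are hypothetical, and a SHAKE-256 keystream with an HMAC tag stands in for AES so the block runs on the Python standard library alone.

```python
import hashlib
import hmac
import secrets


class KeyDestroyed(Exception):
    """The day's key is gone, so its ciphertext can no longer be opened."""


class ArchiveKeys:
    """One random 256-bit key per archive day (hypothetical design)."""

    def __init__(self):
        self._keys = {}  # "YYYY-MM-DD" -> bytearray, so it can be zeroed in place

    def _subkeys(self, day):
        if day not in self._keys:
            raise KeyDestroyed(day)
        k = bytes(self._keys[day])
        return hashlib.sha256(k + b"enc").digest(), hashlib.sha256(k + b"mac").digest()

    def seal(self, day, plaintext):
        """Encrypt one day's archive; the returned blob is what goes to tape."""
        self._keys.setdefault(day, bytearray(secrets.token_bytes(32)))
        enc, mac = self._subkeys(day)
        nonce = secrets.token_bytes(16)
        # Stand-in stream cipher (SHAKE-256 keystream), not AES: stdlib-only demo.
        stream = hashlib.shake_256(enc + nonce).digest(len(plaintext))
        body = nonce + bytes(a ^ b for a, b in zip(plaintext, stream))
        return body + hmac.new(mac, body, hashlib.sha256).digest()

    def open(self, day, blob):
        """Decrypt a blob restored from backup; the day's key must still exist."""
        enc, mac = self._subkeys(day)
        body, tag = blob[:-32], blob[-32:]
        if not hmac.compare_digest(tag, hmac.new(mac, body, hashlib.sha256).digest()):
            raise ValueError("wrong key or corrupted archive")
        stream = hashlib.shake_256(enc + body[:16]).digest(len(body) - 16)
        return bytes(a ^ b for a, b in zip(body[16:], stream))

    def expire(self, cutoff):
        """Zero and drop every key older than cutoff (ISO dates sort lexically)."""
        gone = sorted(d for d in self._keys if d < cutoff)
        for day in gone:
            key = self._keys.pop(day)
            key[:] = bytes(len(key))  # overwrite key bytes before discarding
        return gone
```

Once `expire` runs, every copy of that day's blob, offsite tapes included, is unreadable; recovery then depends entirely on whether a copy of the key was kept anywhere.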
 
screenplaya, Fri Apr-13-07 05:39 PM
Response to Reply #12
13. Not so sure
gwb never uses email because of this very reason, he wants to leave no tracks.

I am positive gwb handled backup and retention of rnc emails in the same way he had done everything else, sloppily.

Look at all the emails Microsoft had to produce when under antitrust, going back years.

More emails are there, for the WH to immediately try to say they are gone, it shows how little they know about anything technical.
 
Pavulon, Fri Apr-13-07 05:45 PM
Response to Reply #13
16. Just saying
that data recovery varies from very simple (restore from tape) to impossible (block level crypto, key destruction).
 
meldroc, Fri Apr-13-07 05:43 PM
Response to Reply #12
14. Even so, we're talking about the White House.
Maybe the RNC has a 30-day retention policy, but the White House is required, by the Presidential Records Act, to permanently archive all communications forever.
 
Igel, Fri Apr-13-07 08:11 PM
Response to Reply #14
20. Yes, but mistakes happen.
I mean, drivers are required by law to go no more than 35 mph on the road near my apt., but that doesn't mean tickets haven't been given out in the last month to kids doing over 70. Some kids like to drag race on it late at night. "But officer, I couldn't have been going over 65. The law requires that I do no more than 35 mph."

As for backups: The "windows" of lost e-mail ended well over a year ago. I know the computer facility I worked at didn't keep backups for more than a couple of months. A year's worth of backups takes up room, and is simply pointless.
 
screenplaya, Fri Apr-13-07 05:44 PM
Response to Reply #11
15. you are correct
The WH doesn't understand, they can try to obstruct justice by deleting mails rove received, but all the emails rove sent to other rnc addresses, to other gov addresses, anytime it was forwarded all of those should be available. These guys love spending money, they probably got new laptops every year. Where are those computers? What addresses did rove use, I really want to see what is in the google cache.
 
truthisfreedom, Fri Apr-13-07 08:13 PM
Response to Original message
21. Mark my words, if they don't collect the hard drives from those servers right now...
there will be a convenient fire, arson, flood, or earthquake that will eliminate them.
 
RogueBandit, Fri Apr-13-07 11:20 PM
Response to Reply #21
23. they need time to destroy the rest
It takes time to wipe out a thousand hard drives.
 
Triana, Fri Apr-13-07 11:48 PM
Response to Original message
25. Fine. GET THEM ON IT - the forensics experts - NOW (n/t)