Why Email Matters: The Science Behind the US Attorney Scandal


Email is increasingly in the news these days. It is near the center of the current US Attorney firing scandal, and for good reason. A substantial amount of communication flows through email, which can be an efficient way to send memos and other correspondence. Email is almost instantaneous, costs next to nothing, and has largely replaced the paper note.

Email provides a previously unavailable avenue of inquiry for investigators: a paper document can be shredded or burned, while email leaves a trace even when deleted. Also, unlike a piece of paper, the email itself reveals who sent it and who received it, when and where. As Senator Patrick Leahy says (quoted by Michael Abramowitz on April 14, 2007 in Rove Emails Missing 4 Years, GOP Admits) “Emails cannot be deleted, not today… They have been through too many servers. Those emails are there -”

There are mainly three types of email in common use. The first is the email client program, a genre that includes Microsoft Outlook Express, Mozilla Thunderbird, Macintosh Mail, and Netscape Mail. The second type is the predominant Microsoft Outlook, a very different program from the same company’s Outlook Express. The third type is commonly known as webmail or Internet mail.

Email client programs store data primarily in the form of text, words that people understand, as opposed to cryptic computer language. In general, all individual emails in a single mailbox (such as “In” or “Sent” mailboxes) are stored together as a single file.

When mail is deleted, it is removed from the mailbox file, but its data is not actually deleted from the computer at this point. Each file has an entry in an index, which is something like a table of contents. When an entire mailbox is deleted, part of its entry in the file index is deleted, but the actual body of the file does not disappear from the computer. The area of the computer’s hard drive containing the file is marked as available for reuse, but the contents of the file may not be overwritten for some time, and so may remain recoverable.

The computer forensics specialist can then search the apparently unused portion of the computer for text that may have been part of an email. The expert can search for names, phrases, places, or actions that might have been mentioned in an email. The email contains internal data indicating where it has been and to whom it has been sent.

For example, I just sent my wife a 17-word message titled “Where is this email from?” She replied, “Honey, surely you mean, ‘Where is this email from?’ Love, your grammatically correct wife.” That is a 15-word answer. However, when I look below what is displayed on the screen, I see that the email actually contained 246 words. Where did it all come from?

The additional information included a return path with my beloved’s America Online (AOL) email address, the IP address of her computer (“IP” stands for “Internet Protocol”; every computer that is connected to a network has an IP address), the IP addresses of three other computers, both email addresses repeated another three times each, the names of three or four mail servers, and four timestamps.
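The hidden header data described above can be read with a few lines of Python. This is an added example, not part of the original article; the message, hosts, addresses and IPs are constructed placeholders, and `trace_hops` and `timestamps_in_order` are hypothetical helper names.

```python
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: every host, address and IP below is a placeholder.
RAW = """\
Return-Path: <sender@example.com>
Received: from mx.example.net (mx.example.net [198.51.100.7])
 by inbound.example.org with ESMTP id C3; Sat, 14 Apr 2007 10:02:05 -0700
Received: from relay.example.com (relay.example.com [203.0.113.20])
 by mx.example.net with ESMTP id B2; Sat, 14 Apr 2007 10:02:03 -0700
Received: from [192.0.2.44] by relay.example.com with HTTP;
 Sat, 14 Apr 2007 13:02:01 -0400
From: sender@example.com
To: recipient@example.org
Subject: Re: sample
Date: Sat, 14 Apr 2007 13:02:00 -0400

Constructed body.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_RE = re.compile(r"\bby\s+(\S+)")

def trace_hops(raw):
    """Return (return_path, hops); hops run from the sender's side to ours."""
    msg = message_from_string(raw)
    hops = []
    # Each server prepends its own Received line, so reverse for travel order.
    for value in reversed(msg.get_all("Received", [])):
        route, _, stamp = value.rpartition(";")
        by = BY_RE.search(route)
        hops.append({
            "ips": IP_RE.findall(route),
            "by": by.group(1) if by else None,
            "utc": parsedate_to_datetime(stamp.strip()).astimezone(timezone.utc),
        })
    return msg["Return-Path"], hops

def timestamps_in_order(hops):
    """False means a clock is wrong or a header was altered or forged."""
    times = [h["utc"] for h in hops]
    return times == sorted(times)

if __name__ == "__main__":
    path, hops = trace_hops(RAW)
    print(path, timestamps_in_order(hops))
    for h in hops:
        print(h["utc"].isoformat(), h["by"], h["ips"])
```

Only the Received lines added by servers the examiner controls or trusts are reliable; anything earlier in the chain is supplied by the sending side and needs corroboration from server logs.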

If I forwarded or copied the email, I would have more information, especially the email addresses of the other people I copied or forwarded the message to.

Looking at the IP addresses and doing some more research, I was able to tell the approximate physical location of the computer with the given IP addresses. I was able to see who else was involved in the communication chain and roughly where they were.

In an investigation, if a judge sees the multiple email addresses that indicate these other people might be involved, and that the original party did not come forward with all the requested information, the judge could then allow all of the other computers associated with those other email addresses to be inspected. Then the great officially sanctioned fishing expedition could begin in earnest.

Thus we read headlines like this one, seen on the ThinkProgress website on April 12, 2007: White House originally claimed RNC emails were on file, only a ‘handful’ of employees had accounts. At a news conference, White House Deputy Press Secretary Dana Perino said only a handful of White House staffers had RNC (Republican National Committee) email addresses. It may have been in the face of the inevitable discovery that the White House was forced to admit that more than fifty senior officials (from Officials’ emails may be missing, White House says – Los Angeles Times, April 12, 2007) had such RNC email addresses – that’s 10 handfuls in most cases.

In his article Follow the emails at Salon.com, Sidney Blumenthal says: “The offshoring of White House records via RNC emails became apparent when an RNC domain, gwb43.com (referring to George W. Bush, 43rd President), appeared in a batch of emails the White House provided to House and Senate committees earlier this month. Rove’s deputy Scott Jennings, former Bush legal adviser Harriet Miers, and his deputies had strangely used gwb43.com as an email domain. Producing these emails for Congress was something of a slip-up.” By the way, this is exactly the kind of information computer forensics experts like to have to help them in their electronic discovery process. In my own electronic discovery work, I have found over half a million unexpected references on a single computer.

Investigators can now search the computers at the RNC, at the White House, and at locations that house computers for both, as well as the laptops and Blackberries used by employees of these organizations. The search will be run for any occurrence of “gwb43”, a search that is likely to return more email addresses and more emails, whether they are deleted or not.
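A keyword sweep of the kind described here, and of the unused disk space mentioned earlier, can be sketched as a scan over raw bytes. This is an added example, not from the original article; the byte buffer and addresses are constructed, `carve_addresses` is a hypothetical helper, and it goes beyond the text by also matching UTF-16LE text, which plain single-byte searches miss.

```python
import re

LOCAL = rb"[A-Za-z0-9._%+-]"

def carve_addresses(blob: bytes, domain: str) -> dict:
    """Map each address at `domain` found in raw bytes to its byte offsets."""
    hits = {}
    # Pass 1: single-byte text, as stored in plain-text mailbox files.
    narrow = LOCAL + b"+@" + re.escape(domain.encode("ascii"))
    for m in re.finditer(narrow, blob, re.IGNORECASE):
        hits.setdefault(m.group().decode("ascii").lower(), []).append(m.start())
    # Pass 2: UTF-16LE text, where every ASCII character is followed by 0x00.
    wide = (b"(?:" + LOCAL + rb"\x00)+"
            + re.escape(("@" + domain).encode("utf-16-le")))
    for m in re.finditer(wide, blob, re.IGNORECASE):
        hits.setdefault(m.group().decode("utf-16-le").lower(), []).append(m.start())
    return hits

# Constructed stand-in for unallocated space: filler bytes, a leftover
# header fragment, a UTF-16LE fragment, and an upper-case remnant.
SAMPLE = (
    b"\x00" * 16
    + b"From: Alice <alice@example.org>\r\nTo: bob@example.net\r\n"
    + b"\xff\xfe\x13\x37"
    + "cc: carol@example.org".encode("utf-16-le")
    + b"\x00\x00ALICE@EXAMPLE.ORG\x00"
)

if __name__ == "__main__":
    for address, offsets in sorted(carve_addresses(SAMPLE, "example.org").items()):
        print(address, offsets)
```

The byte offsets let the examiner go back to the surrounding data on the disk image and recover whatever remains of the message around each hit.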

I mentioned three types of email at the beginning of this article, but I only talked about the one that is most likely to show deleted data. The second type is represented by Microsoft Outlook. Outlook stores all data in an encrypted file on a user’s computer, on a mail server, or both, depending on the mail server’s settings. All mailboxes are in the same encrypted file. Computer forensics specialists have tools to enable the decryption of this file in a way that can often recover many or all of the deleted emails. The email server may also have backup copies of users’ mail.

Webmail, where mail is stored on a remote server (such as AOL’s large mail server farm), may leave little or nothing stored on the user’s own computer. Here, the user is essentially looking at a web page that displays mail. Such mail servers are so dynamic that any deleted email is likely to have been overwritten in a matter of minutes. Blumenthal refers to the advantages that these systems can have for those who wish to hide information in Follow the emails thus: “As a result, many attendees have switched to Internet email instead of the White House system. ‘It’s Yahoo!, honey,’ says a Bushie.”

On the other hand, while such email content may be difficult to find once deleted, email account access logs are likely to be retained for quite some time and may be of some use in an investigation.

The result is that, unlike paper documents, email can spread widely, even by accident. Also unlike paper, when it is shredded, copies are likely to exist elsewhere; to paraphrase Senator Leahy, electronic data can be nearly immortal. Another difference is that the email contains data indicating who wrote it, when and where it was sent. The current US Attorney scandal has shown us once again that email is not only a valuable tool for communication, but has the benefit (or detriment, depending on your perspective) of providing some additional transparency to the rooms of our leaders that would otherwise be closed.
