http://www.informationweek.com/news/showArticle.jhtml?articleID=199000990

By K.C. Jones
InformationWeek
April 13, 2007

Despite claims by the Bush administration that e-mails sent to a Republican Party account have been purged, some IT forensics companies suggest all of the messages may not be lost.

Four years of communications between political adviser Karl Rove and the Republican National Committee were reportedly deleted in compliance with the RNC's document retention policy, which is to purge all servers of e-mail messages after 30 days. Democrats are trying to determine through e-mails what role Rove played in the firing of eight U.S. attorneys.

As politicians and lawyers try to figure out just how many government e-mail messages may have been lost to deletions by people using RNC accounts from inside the White House, the issue brings up a broader question of data recovery. A few technology forensics experts believe at least some of the so-called "deleted" e-mail messages can be retrieved.

Messages deleted from a BlackBerry cannot be retrieved from the device because memory cards do not retain information footprints the way a hard drive does. That's true of most mobile devices, and forensics experts can have a tougher time with them because of it.

"There are technology challenges within handheld forensics in general," Christopher L.T. Brown, CTO of Technology Pathways, said during an interview Friday. "The technology changes much more rapidly than most in the general technology arena. With a BlackBerry, even though it has been around for a while, it's a unique device because they didn't use anybody else's technology."

That doesn't mean that people who want to hide their tracks should count on a BlackBerry or other handheld device to keep them in the clear. Brown said people with the greatest technology advantages can always have their actions uncovered by solid investigative techniques by people who may be much less tech savvy.

He pointed to the case of the T-K Worm, in which a county task force took down an international bot network. "They were really good investigators," he said.

Research In Motion declined to comment for this story, saying executives were unavailable. The BlackBerry does have security features that allow remote locking and wiping to prevent data loss in certain situations like theft.

Linda Davis, senior manager of marketing for Logicube, which manufactures a forensic data extraction device called CellDEK, said that if someone deleted an e-mail message from a BlackBerry, CellDEK cannot retrieve it.

"There is no device right now that can go in and extract data off the memory card in a cell phone or BlackBerry," she said during an interview Friday. "I'm sure it will probably change as the forensic capabilities expand and device manufacturers make it easier for the devices to retain that kind of information."

There's also the issue of whether a device has been synchronized with a local network and what, if any, disaster recovery plans may be in place.

"In an office environment, and a network environment, there could be a backup," Davis said. "My company backs up every night, and there is a copy of that backup, either on tape or some other format, and it's sent away."

E-mail messages deleted from servers cannot be retrieved -- unless there is a backup tape or an old server or hard drive sitting in a closet, maybe one that was set aside for an upgrade, said Richard M. Smith of Boston Software Forensics.

Even in cases where there are no old servers or backup tapes, the e-mail messages could have been saved or archived by recipients and senders using completely independent systems. Their servers may have stored the information, or their organization may have backup tapes. If they had a separate e-mail provider, that would be an avenue to pursue as well. And many times investigators can retrieve lost e-mail through third parties who received and stored copies.

In corporate settings, Smith has found situations where people have stored correspondence on their own flash drives and hard drives. "People can have their own archiving schemes," he said during an interview Friday. "Maybe something got archived in a way that no one knows about."

Sen. Patrick Leahy recently told The New York Times that he thinks no e-mail in this day and age can really be deleted. Smith said that may be a bit of an overstatement.

"Maybe some of these old e-mail messages can be retrieved," he said. "The RNC has said it's going to have some forensics people come in. I would sit down with their IT people who run the e-mail servers and go through the procedures to learn a little more about how they run the servers."

Smith said he would expect a team of six people to take about three weeks to find some of the messages.

"It's going to be a treasure hunt to find these messages and I think it's going to be expensive," he said. "They're going to have some lawyers involved, too, so it will probably be in the hundreds of thousands of dollars. It's not something you would want to do routinely."

__________________________
Subscribe to InfoSec News
http://www.infosecnews.org
This archive was generated by hypermail 2.1.3 : Sun Apr 15 2007 - 22:46:01 PDT