Democratic Underground Latest Greatest Lobby Journals Search Options Help Login
Google

Is it technically possible to recover "deleted" emails from computers?

Printer-friendly format Printer-friendly format
Printer-friendly format Email this thread to a friend
Printer-friendly format Bookmark this thread		 This topic is archived.
Home » Discuss » Archives » General Discussion (1/22-2007 thru 12/14/2010) Donate to DU
 
Postman Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Apr-12-07 06:10 AM
Original message
Is it technically possible to recover "deleted" emails from computers?
Edited on Thu Apr-12-07 06:12 AM by Postman
http://www.crooksandliars.com/2007/04/11/white-house-rnc-loses-potentially-damning-emails/

If not, is there a way these emails could be recovered by some other method?

I'm not that up to date on this kind of stuff....Doesn't some server somewhere have a record of all of this stuff?
Printer Friendly | Permalink |  | Top
Berry Cool Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Apr-12-07 06:14 AM
Response to Original message
1. Yes, there is. Of course there is.
I'm not an expert in that area, but sure there is. Which is why you should never think any email you delete is truly "gone."

You bet it can be recovered.
Printer Friendly | Permalink |  | Top
 
w4rma Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Apr-12-07 06:16 AM
Response to Original message
2. Yes. The FBI has all the tools to recover practically anything. (nt)
Printer Friendly | Permalink |  | Top
 
Bluebear Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Apr-12-07 06:16 AM
Response to Reply #2
4. Send them to the White House, posthaste! nt
Printer Friendly | Permalink |  | Top
 
Postman Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Apr-12-07 06:18 AM
Response to Reply #2
6. If so, Wow. How stupid. What were these crooks in the WH thinking?
Did they really expect to hold onto power forever with no oversight?

Its amazing how arrogance can blind you to reality.
Printer Friendly | Permalink |  | Top
 
still_one Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Apr-12-07 06:29 AM
Response to Reply #2
16. not if the email files have been physically overwritten with 0s and 1s
They you need to do this to the email server, and all the local machines where the email was sent to. If it was localized, and they knew what they were doing, there would be no trace
Printer Friendly | Permalink |  | Top
 
w4rma Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Apr-12-07 06:58 AM
Response to Reply #16
26. A simple overwrite won't do it.
Edited on Thu Apr-12-07 07:01 AM by w4rma
And this creates proof of tampering with evidence and obstruction of justice.
Printer Friendly | Permalink |  | Top
 
cassiepriam Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Apr-12-07 06:16 AM
Response to Original message
3. Yes, my understanding is that everything is still on the hard drive somehow.
So if you get cute and try to delete incriminating evidence you are screwed.
Printer Friendly | Permalink |  | Top
 
Solo_in_MD Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Apr-12-07 11:17 AM
Response to Reply #3
30. Not true
Printer Friendly | Permalink |  | Top
 
cassiepriam Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Apr-12-07 03:13 PM
Response to Reply #30
34. Very interesting, thanks!
Printer Friendly | Permalink |  | Top
 
meegbear Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Apr-12-07 06:17 AM
Response to Original message
5. Yes, actually ...
you see, computers store information as a series of "ones" and "zeros" and ...

Enough of that bullshit. When you create a file, what's happening is the information is stored on the hard drive and the software creates a 'link' to it. The link stores it's size, location in memory, etc.

When you delete a file, the link is removed and the area is marked as available for writing. So unless the drive is reformatted or a lot of new data is written to the drive, it's there. This is how data recovery companies work; they scan the disk and locate what looks like data and tries to rebuild it.
Printer Friendly | Permalink |  | Top
 
Postman Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Apr-12-07 06:21 AM
Response to Reply #5
8. Unless they reformat the drive....
Edited on Thu Apr-12-07 06:24 AM by Postman
Do you think they were shrewd enough to do some of that?

Considering who these cynically evil bastards are, I'd be surprised if they didn't.
Printer Friendly | Permalink |  | Top
 
meegbear Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Apr-12-07 06:26 AM
Response to Reply #8
14. If they did, then I think we have a crime ...
if I was running an inquiry, I'd demand to know why it was reformatted.

Of course, if it was reformatted, then one would assume they would have backed up the data so when the machine is rebuilt, minimal data loss occurs.
Printer Friendly | Permalink |  | Top
 
still_one Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Apr-12-07 06:35 AM
Response to Reply #14
18. They don't have to reformat it. There are plenty of tools to overwrite the data
so it would not be recognizable

What crime are you talking about? Whose data is it?

Unless they get an order to impound the machines in question, I think you are out of luck
Printer Friendly | Permalink |  | Top
 
Postman Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Apr-12-07 06:45 AM
Response to Reply #18
22. Wouldn't it look awfully suspicious?
Edited on Thu Apr-12-07 06:48 AM by Postman
There may not have been a crime committed in "reformatting" your computer, but what if everyone involved had done something similar?

By doing so, they're intent was to obstruct justice....(I know I'm reaching here)
Printer Friendly | Permalink |  | Top
 
meegbear Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Apr-12-07 06:53 AM
Response to Reply #18
25. I'm not sure what crime it would be ...
tampering/destruction of evidence. :shrug:
Printer Friendly | Permalink |  | Top
 
Solo_in_MD Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Apr-12-07 11:19 AM
Response to Reply #18
31. Secure erase software is cheap and legal
and it would not be a crime if it was in continuous use prior to knowledge of an investigation

Using it after there was knowledge of an investigation in process could be construed as destruction of evidence etc.
Printer Friendly | Permalink |  | Top
 
meldroc Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Apr-12-07 05:25 PM
Response to Reply #31
39. Rove was under investigation back in 2005 over the Plame affair.
Edited on Thu Apr-12-07 05:31 PM by meldroc
The RNC was under orders from Fitzgerald to retain all emails, especially Karl Rove's emails, and they changed their retention policy from deletion-after-30-days to permanent-retention, but they didn't prohibit users from deleting emails.

So if we find any deleted emails, a single deleted email, or even a fragment of a deleted email on the RNC servers, we have hard evidence the RNC was breaking the law, and are guilty of obstruction of justice. If Rove or the RNC go beyond simple deletion and wipe those emails with a secure delete utility, a forensic examination of those hard drives will find sectors with Gutmann wipe patterns or psuedo-random data on them. Seeing patterns like that written onto the hard drive after Fitz directed the RNC to retain emails will completely screw them. That shows not only that they destroyed evidence, but is evidence that they did so WILLINGLY, which will turn the heat up even more, and result in longer prison sentences.

That's their choice: Keep the emails in compliance with the law, and get busted for all the incriminating contents of those emails, or delete those emails and face the music for obstruction of justice.

Waxman, Conyers and Leahy need to subpoena and seize the physical hard drives on which those emails were stored, and have those drives forensically examined. Subpoena the backup tapes, the workstations at the White House, routers, EVERYTHING! Go through them byte by byte.
Printer Friendly | Permalink |  | Top
 
HysteryDiagnosis Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Apr-12-07 07:17 PM
Response to Reply #8
41. Unformat..... checkit.
http://www.restorer2000.com/

Unformat and File Recovery tools for Windows 95/98/Me/NT/2000/XP/2003 Server/Vista
New Restorer2000 version has improved file recovery algorithm and suports all Windows VISTA versions

Restorer2000 3.3 is the reliable data recovery utility that provides you with powerful undelete, data recovery and disk restoration functionality. With Restorer2000 3.3 data recovery software you can view and restore deleted files and folders. Disk Scan option gives you outstanding unformat ability to recover data from formatted, reformatted, corrupted and damaged NTFS and FAT hard drives and partitions.
Printer Friendly | Permalink |  | Top
 
baldguy Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Apr-12-07 06:21 AM
Response to Original message
7. Think about what happens when you send an email.
It goes from your computer, to the local mail server, then to the ISP mail server, then to the internet to the destination ISP mail server, to the local destination mail server, then to the destination computer. And in a professional network environment, every one of those computers is backed up daily.
Printer Friendly | Permalink |  | Top
 
lukasahero Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Apr-12-07 06:23 AM
Response to Reply #7
9. You can get them off your own computer even w/o all the network stuff
Just because something is "deleted" doesn't mean it's been erased.
Printer Friendly | Permalink |  | Top
 
B Calm Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Apr-12-07 06:24 AM
Response to Reply #7
11. Hard to believe all those computers have been reformatted...
Printer Friendly | Permalink |  | Top
 
tiptoe Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Apr-12-07 07:12 AM
Response to Reply #11
27. "...all those computers (servers)" ...plus, perhaps, at least 20 WH-staffers' home PCs nt
Edited on Thu Apr-12-07 07:13 AM by tiptoe
Printer Friendly | Permalink |  | Top
 
cdsilv Donating Member (883 posts) Send PM | Profile | Ignore Thu Apr-12-07 06:27 AM
Response to Reply #7
15. Well yes. Easily?....
...perhaps no. It really depends on the mail system, how many intermediate computers the mail went through and whether the sysops on the various systems believed in 'backups'.

You would be surprised how many do not.


Yes, you can recover 'deleted' files sometimes - if they have not been overwritten or erased.

A smart Rove would have 'erased' his email.
Printer Friendly | Permalink |  | Top
 
Solo_in_MD Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Apr-12-07 11:15 AM
Response to Reply #15
29. Intermediate machines do not save data streams
unless they were designed to do so...
Printer Friendly | Permalink |  | Top
 
paparush Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Apr-12-07 03:20 PM
Response to Reply #29
36. No, but they should be logging the transaction.
Received from X , by Y, for Z.
Printer Friendly | Permalink |  | Top
 
Solo_in_MD Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Apr-12-07 05:12 PM
Response to Reply #36
38. Not even then. The traffic is broken into chunks and may take multiple routes
between the servers. It not reassembled until it reaches the destination. At that level it is only IP to IP communications. No user names involved.
Printer Friendly | Permalink |  | Top
 
still_one Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Apr-12-07 06:39 AM
Response to Reply #7
20. If they were stupid enough to send the email on the internet, you are correct
however, based on the activities that this administration has already got away with, including the ILLEGAL WIRE TAPS, I would be very surprised if anything happened
Printer Friendly | Permalink |  | Top
 
Solo_in_MD Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Apr-12-07 11:13 AM
Response to Reply #7
28. Think about what REALLY happens
- If the sending machine is not set up to keep sent messages, it never hits the hard drive with the possible exception of temp storage which is not backed up and frequently overwritten
- On most mail servers, the mail spool is kept in memory. It might never hit the outgoing ISP hard drive.
- On the receiving end, it goes into the users mailbox. Temporarily stored, but when its deleted or transfered to the users machine, it is removed from the disk and the space reused.
- On the receivers machine it goes into a mail file. When deleted the space is recovered and overwritten.

It is trivial to implement secure overwriting and deletion to insure nothing is recoverable
Printer Friendly | Permalink |  | Top
 
HysteryDiagnosis Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Apr-12-07 06:24 AM
Response to Original message
10. Tira Misu should be able to sniff out ANYTHING, deleted, erased,
written over etc, etc.

http://www.ontrack.com/newsreleases/index.aspx?getPressRelease=60
Printer Friendly | Permalink |  | Top
 
Solo_in_MD Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Apr-12-07 11:23 AM
Response to Reply #10
33. Nonsense I suggest you learn how the technology works before making such silly claims
Printer Friendly | Permalink |  | Top
 
HysteryDiagnosis Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Apr-12-07 07:08 PM
Response to Reply #33
40. MCP, MCSE.... I understand how technology works, have
rebuilt hydrostatic transmissions, diesel engines, automatic transmissions, built a color television, digital breadboard, digital meter, and an oscilloscope. I understand technology just fine.... however, I may be a little off on the Tira Misu thingy.... but who's counting.
Printer Friendly | Permalink |  | Top
 
Canuckistanian Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Apr-12-07 08:35 PM
Response to Reply #10
44. "written over"?
Sorry, no technology in the world can detect the "previous" state of data on a disk, once it's been written over.

Not unless they have a have a crack team of psychics with impeccable memories.

Deleted, no problem. Deletion just wipes out the index to the data, not the data itself.
Printer Friendly | Permalink |  | Top
 
JHB Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Apr-12-07 06:24 AM
Response to Original message
12. Not an expert but...
Edited on Thu Apr-12-07 06:25 AM by JHB
...from what I've picked up from those who are:

Most "deleted" files aren't really deleted, they're just renamed (or have their names stripped, or something like that). The data is still on the hard drive.

To actually erase the data, the place they were stored on the hard drive has to be overwritten. On top of that, the real data recovery experts have more sensitive equipment than the average system, and so can still read overwritten data unless it's been overwritten many times (in the ballpark of 7-10, maybe more times to really make the data unreadable). There are "disk scrubbers" available to do this (for instance, if you're selling an old computer and you want to make sure all your personal data is gone), but unless this was done routinely, there's a good chance the e-mails are recoverable.

Real experts are invited to correct my misconceptions.
Printer Friendly | Permalink |  | Top
 
paparush Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Apr-12-07 03:30 PM
Response to Reply #12
37. When you 'delete' a file in windows....Windows marks those sectors
on the hard drive that hold that file as available for use (the pointer to the file is removed). Until and unless something else is written to those sectors, your original file is still there. Which is why something you deleted five minutes ago has a much greater chance of being recovered than something you deleted a week ago.
Printer Friendly | Permalink |  | Top
 
still_one Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Apr-12-07 06:25 AM
Response to Original message
13. It depends. It would be no problem to destroy the emails locally
They could do it by file shredding or wiping, which involves various techniques, repartitioning and formatting the hard drive, or physically destroying the hard drive.

It also depends on the email server setup, whether the email is encrypted, and whether any of the emails were actually dispatched on the internet
Printer Friendly | Permalink |  | Top
 
tiptoe Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Apr-12-07 06:34 AM
Response to Original message
17. Is it presumable RNC email accts were accessed not just at WH but also at WH-aides' homes (on PCs)?
Edited on Thu Apr-12-07 07:08 AM by tiptoe
Might we see Waxman issuing subpoenas (and/or search warrants) to WH aides on an *INDIVIDUAL* basis...in order to track and piece together communications between parties? Are there sufficient grounds to do so...just on knowledge of the existence and use of external *private* accounts by the White House (aides)--otherwise required by law to maintain records involving presidential decision-making and deliberations-- and given, too, suspicions now raised by apparent "missing" status of the files requested to be turned over?

...
Administration officials said they could offer no estimate of how many e-mails were lost but indicated that some may involve messages from White House senior adviser Karl Rove, whose role in the firings has been under scrutiny by congressional Democrats.

Democrats have charged that Rove and other officials may have used the private accounts, set up through the Republican National Committee, in an effort to avoid normal review. Under federal law, the White House is required to maintain records, including e-mails, involving presidential decision-making and deliberations. White House aides' use of their political e-mail accounts to discuss the prosecutor firings has also fanned Democratic accusations that the actions were politically motivated
...
Briefing reporters yesterday about an initial review of the private e-mail system, White House spokesman Scott Stanzel declined to discuss whether the political aides were driven by a desire to conduct business outside of potential review. "I can't speak to people's individual e-mail practices," he said.

Stanzel conceded that the White House had done a poor job of instructing staff members how to save politically oriented e-mail and said that it has developed new guidance for the more than 20 staffers who have official as well as political e-mail addresses. He also said that the White House is trying to recover the lost e-mails.

"The White House has not at this point done a good enough job at overseeing the practices of staff with political e-mail accounts," Stanzel said. "Some officials' e-mails have potentially been lost and that is a mistake that the White House is aggressively working to fix."
...

source: Washington Post


Waxman advises RNC not to destroy any e-mails
Michael Roston - Monday March 26, 2007
Waxman advises RNC not to destroy any e-mails

Pointing to e-mails between Bush administration officials and convicted lobbyist Jack Abramoff that used private e-mail addresses, the Chairman of the House Oversight and Government Reform Committee ordered the Republican National Committee and the Bush/Cheney 2004 campaign to preserve all e-mail records and to ensure that they aren't purged or destroyed.

"White House officials have used nongovernmental e-mail accounts, including those maintained by the RNC [other non-governmental accounts besides the RNC's?], to conduct official White House business," Rep. Henry Waxman (D-CA) wrote in letters delivered today, copies of which were sent to RAW STORY. "The Committee has questions about who has access to these e-mail records and how the RNC protects them from destruction and tampering."
...
Waxman also noted that according to the terms of the Presidential Records Act of 1978, "Such e-mails written in the conduct of White House business would appear to be governmental records subject to preservation and eventual public disclosure."
...
Printer Friendly | Permalink |  | Top
 
ComerPerro Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Apr-12-07 06:36 AM
Response to Original message
19. Only if the people doing the retrieving want to find them
Printer Friendly | Permalink |  | Top
 
sendero Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Apr-12-07 06:42 AM
Response to Original message
21. Absolutely..
Edited on Thu Apr-12-07 06:44 AM by sendero
.... there is a lot of good info here, but let me add this.

Reformatting or simply writing over the sectors of a hard drive is not enough.

Sophisticated equipment can read up to 7 generations of writes on the magnetic platter of a hard drive. SEVEN generations. So realistically you have 2 choices - buy special software that repeatedly writes sectors over and over, or destroy the hard drive physically.

I'm sure the people who are charged with keeping these emails away from scrutiny are aware of all this.

my fervent hope is that some administrator has a server backup off site somewhere that they don't know about, and decides to give it to the media or congress. a NIGHTMARE SCENARIO for the Republicans, I can assure you - but not impossible.
Printer Friendly | Permalink |  | Top
 
jody Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Apr-12-07 06:45 AM
Response to Original message
23. Yes if the storage media have not been properly cleaned/erased. n/t
Printer Friendly | Permalink |  | Top
 
BlueJazz Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Apr-12-07 06:46 AM
Response to Original message
24. The bottom line is: If you accidentally delete something ,.....
...then the answer is Yes.
If you truly want to hide and destroy your deleted files and you have the resources
(such as the Whitehouse), the files are most likely History.
Printer Friendly | Permalink |  | Top
 
Solo_in_MD Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Apr-12-07 11:20 AM
Response to Reply #24
32. Anybody can easily insure that deleted files are not recoverable
cheap and even free tools to do that
Printer Friendly | Permalink |  | Top
 
paparush Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Apr-12-07 03:16 PM
Response to Original message
35. Yes.
They would have to zero out (overwrite the entire drive with zeroes; 35 times for DOD standards) to completely erase all evidence of the mails on the servers. Same with the laptops.
Would they do that? Possibly.

But, there are other email servers in the equation. Servers that passed on the original from its point of origination, to its final destination. Those are probably NOT in RNC control.

Printer Friendly | Permalink |  | Top
 
Strelnikov_ Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Apr-12-07 07:46 PM
Response to Original message
42. In this case, No
On your machine, a tech could possibly recover them.

But in the case of the White House e-mails, after they accidentally deleted them, accidentally ran a format, accidentally ran a bit-by-bit write of the hard drive, accidentally removed the hard drive, dropped it in acid, then it inexplicably fell in front of a pavement roller . . . . No.
Printer Friendly | Permalink |  | Top
 
entanglement Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Apr-12-07 08:25 PM
Response to Original message
43. Depends - if (as I suspect) a 'shred' type delete utility was used, it'd be tough
to recover info. For example, commercial shredding software allows overwriting the areas on the disk where the file(s) resides with any number of passes of random bits (even more than say what the DoD specs recommend for secure file delete). Once you do something like that, the probability of recovering information is practically nil.
Printer Friendly | Permalink |  | Top
 
undeterred Donating Member (1000+ posts) Send PM | Profile | Ignore Thu Apr-12-07 08:37 PM
Response to Original message
45. I find it very difficult to believe that this loss is not deliberate.
Usually email is going to be stored on a server which is also backed up. There may also be a local copy on a workstation or laptop.

Speaking of local copies. I have had cases where there was physical damage to a drive and where the drive was completely and deliberately overwritten (re-imaged). In both cases the drives were sent to a company that specializes in data recovery and they recovered 98% of what we wanted from the physical sectors. I was frankly amazed at what could be done.

Speaking of server copies and backups. Most ordinary companies keep emails and server backups for a very long time. Its true that deleted emails disappear from view, but often they can still be undeleted. And the tapes are pretty thorough, even for ordinary companies, especially since Sarbanes Oxley.

The White House is lying or they have deliberately destroyed evidence.
Printer Friendly | Permalink |  | Top
 
DU AdBot (1000+ posts) Click to send private message to this author Click to view this author's profile Click to add this author to your buddy list Click to add this author to your Ignore list Fri May 03rd 2024, 03:02 PM
Response to Original message
Advertisements [?]
 Top

Home » Discuss » Archives » General Discussion (1/22-2007 thru 12/14/2010) Donate to DU

Powered by DCForum+ Version 1.1 Copyright 1997-2002 DCScripts.com
Software has been extensively modified by the DU administrators

Important Notices: By participating on this discussion board, visitors agree to abide by the rules outlined on our Rules page. Messages posted on the Democratic Underground Discussion Forums are the opinions of the individuals who post them, and do not necessarily represent the opinions of Democratic Underground, LLC.

Home  |  Discussion Forums  |  Journals |  Store  |  Donate

About DU  |  Contact Us  |  Privacy Policy

Got a message for Democratic Underground? Click here to send us a message.

© 2001 - 2011 Democratic Underground, LLC