AKIBIA'S PRACTICAL GUIDE TO ENTERPRISE TECHNOLOGY
Wednesday, September 16, 2009
Boston’s Missing Email Case Has Many People Asking Questions about Digital Forensics
On September 14, Massachusetts Secretary of State William Galvin ordered the city of Boston to seize computers and software used by Mayor Menino’s aide, Michael J. Kineavy. Under question is whether Kineavy may have violated state law by deleting emails. According to the news articles, Kineavy deleted emails from his inbox and trash folder every day, possibly before the city’s systems made a backup. Alan N. Cote, head of the public records division in Galvin’s office, ordered the city to hire “a qualified independent and competent technology expert to employ all reasonable means of recovering and restoring the missing records”.
The job of a digital forensics investigator will be to recover the deleted emails and possibly to report whether it was likely that they were intended to be deleted permanently or whether it was expected that they would remain available on central servers or backup media.
As the case is well covered in the local Boston media, many people have asked me “What’s the process behind this type of digital forensics investigation?” And, some people have even asked “So they can really recover those emails I’ve deleted????”
There are several steps to the process of recovering deleted emails:
- Identify the systems that are in scope for the investigation. In a typical email client/server environment, this includes the desktop and laptop systems running the email client Kineavy used to reach the city’s mail server, the mail server itself, and the backup devices.
- Create a forensically sound copy of the in-scope hard drives and other media. A “forensically sound” copy is one that is made without altering the original and that can be verified to be an exact and true copy of the original. Specialty forensic hardware and software are available to ensure that the original media are not altered. A “hash” (a fingerprint value computed from the contents) is generated for both the original and the copy. If the hashes are the same, then the original and the copy are the same.
- Most investigators will make an additional copy, so that an archive copy which will never be changed is available. The investigator is then free to use the working copy for examination, or even to restore it to a working desktop, laptop, or server.
- Examine the working image file.
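The imaging and hash-verification steps above, as an added example that is not part of the original post: a small Python script that images a piece of “media” byte for byte, hashes the original, the archive copy and the working copy, and reports whether each copy still matches. The media, the file names and the tampering at the end are constructed for the demonstration; a real acquisition would also sit behind a hardware write blocker, which the script cannot substitute for.

```python
import hashlib
import os
import tempfile

CHUNK_SIZE = 1024 * 1024  # hash and copy in 1 MiB chunks so large images do not fill memory


def hash_file(path, algorithm="sha256"):
    """Return the hex digest of a file, read in chunks."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def image_media(source_path, image_path):
    """Copy the source to an image file byte for byte.

    The source is opened read-only; nothing is ever written to it. In a real
    acquisition the source device additionally sits behind a write blocker.
    """
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK_SIZE), b""):
            dst.write(chunk)


def verify_image(source_path, image_path, algorithm="sha256"):
    """Return (match, source_hash, image_hash) for an original and a copy."""
    src_hash = hash_file(source_path, algorithm)
    img_hash = hash_file(image_path, algorithm)
    return src_hash == img_hash, src_hash, img_hash


def run_demo():
    """Image a constructed 'drive' twice, verify both copies, then show what
    tampering with the working copy does to the verification.

    Returns a dict of results so the outcome can be checked programmatically.
    """
    with tempfile.TemporaryDirectory() as workdir:
        original = os.path.join(workdir, "original.bin")   # stands in for the seized drive (constructed)
        archive = os.path.join(workdir, "archive.dd")      # copy that is never touched again
        working = os.path.join(workdir, "working.dd")      # copy the examiner actually works on

        # Constructed sample media: a few megabytes of repeating content.
        with open(original, "wb") as f:
            f.write(b"MAILBOX-DATA-" * 200_000)

        image_media(original, archive)
        image_media(original, working)

        archive_ok, src_hash, archive_hash = verify_image(original, archive)
        working_ok, _, working_hash = verify_image(original, working)

        # Simulate an accidental change to the working copy (e.g. a tool that
        # wrote to it). The archive copy still proves what the original held.
        with open(working, "ab") as f:
            f.write(b"\x00")
        working_after_change_ok, _, _ = verify_image(original, working)

        return {
            "source_hash": src_hash,
            "archive_matches": archive_ok,
            "working_matches": working_ok,
            "working_matches_after_change": working_after_change_ok,
            "archive_hash_equals_source": archive_hash == src_hash,
            "working_hash_equals_source": working_hash == src_hash,
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Recording the hash of the original and of every copy in the case notes is what lets a third party later confirm that the examination worked from a true copy; a single changed byte, as the last check shows, produces a different digest.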
The final step is usually of most interest to investigators and the customer. During this step, deleted material can possibly be viewed or recovered, evidence of misuse of systems can be discovered, and even user credentials (passwords) can be found.
In this case, the location of the missing emails depends on the operating systems and email systems in use. Generally, we might find the missing emails in local email storage files on the desktop and laptop machines, in email storage files on the mail server, and in deleted file areas on all in-scope systems. The investigator will perform multiple searches for data which might turn up in unexpected places on the systems. Often, even though an email has been deleted, its content still exists in local storage files, and in that case it is easy to retrieve the email. The contents of deleted files also often remain on the hard drive, and until those deleted file areas are overwritten with new data, or deliberately “wiped” (overwritten with random data), the information is available for retrieval. Finally, individuals or software systems might write data to other areas on a system for various reasons, allowing the data to be discovered there.
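Searching deleted file areas for message remnants, as an added example that is not part of the original post: a Python carver that scans a blob of “unallocated space” for RFC 822 style header blocks (a `From:` line followed by further headers and a blank line) and pulls out each message’s headers and the readable body text that follows, stopping where the text runs into non-printable bytes. The sample blob, the addresses and the message text are constructed; the approach works the same on a region read out of a real image, which is why the scanner takes a plain byte string.

```python
import re

# Constructed sample "unallocated space": slack bytes, two leftover message
# fragments from a deleted mailbox file, and some overwritten junk. Not a real image.
SAMPLE_UNALLOCATED = (
    b"\x00" * 64
    + b"From: aide@example.org\r\nTo: staff@example.org\r\n"
    + b"Subject: Meeting notes\r\nDate: Mon, 14 Sep 2009 09:12:00 -0400\r\n\r\n"
    + b"Notes from the morning meeting.\r\n"
    + b"\xff" * 32
    + b"From: aide@example.org\r\nTo: vendor@example.net\r\n"
    + b"Subject: Contract\r\nDate: Tue, 15 Sep 2009 16:40:00 -0400\r\n\r\n"
    + b"See attached draft.\r\n\x00\x00\x80garbage"
    + b"\x00" * 64
)

# A header block: a From: line, zero or more further "Name: value" lines, then a blank line.
HEADER_RE = re.compile(rb"From: [^\r\n]+\r\n(?:[A-Za-z-]+: [^\r\n]+\r\n)*\r\n")

MAX_BODY = 4096  # cap on how far past the headers we read for the body


def read_printable(blob, start, limit=MAX_BODY):
    """Return the run of printable ASCII (plus CR/LF/TAB) beginning at start."""
    end = start
    while end < len(blob) and end - start < limit:
        b = blob[end]
        if b in (0x0D, 0x0A, 0x09) or 0x20 <= b <= 0x7E:
            end += 1
        else:
            break
    return blob[start:end]


def carve_messages(blob):
    """Scan a byte string for message header blocks and return one dict per hit.

    Each dict carries the byte offset of the hit (so the finding can be mapped
    back to the image), the parsed headers and the recovered body text.
    """
    found = []
    for m in HEADER_RE.finditer(blob):
        headers = {}
        for line in m.group(0).rstrip(b"\r\n").split(b"\r\n"):
            name, _, value = line.partition(b": ")
            headers[name.decode("ascii", "replace")] = value.decode("ascii", "replace")
        body = read_printable(blob, m.end()).decode("ascii", "replace")
        found.append({"offset": m.start(), "headers": headers, "body": body})
    return found


def subjects_from(sender, blob=SAMPLE_UNALLOCATED):
    """Convenience filter: subjects of carved messages sent by a given address."""
    return [hit["headers"].get("Subject", "")
            for hit in carve_messages(blob)
            if hit["headers"].get("From") == sender]


if __name__ == "__main__":
    for hit in carve_messages(SAMPLE_UNALLOCATED):
        print(f"offset {hit['offset']}: {hit['headers']}")
        print("  body:", hit["body"].strip())
```

A carver of this kind only finds fragments whose header text survived intact; once the sectors holding a message have been reused or wiped, there is no pattern left to match, which is the point the paragraph above makes about overwritten deleted-file areas.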
It might also be possible to determine whether the emails were deleted with the intention of destroying evidence. A regular pattern of email deletion, with no additional measures taken to hide residual information or to hide the act of deleting emails, would not be indicative of deliberate destruction of evidence. However, deleting specific emails or emails from specific time periods, actively overwriting unused disk space, encrypting data with unauthorized products, and similar proactive measures are an indication that an individual is hiding or destroying evidence.
One of the dilemmas faced by digital forensic consultants as well as customers is that it is difficult to predict the level of effort required to obtain the desired results. In this particular case, it should be relatively easy to recover recent emails (within the last month for example), but to recover emails from years in the past would require a great amount of effort, if they can be recovered at all. The stakes will determine the amount of effort spent on such an endeavor. Given the upcoming mayoral election and the public interest in this case, it seems likely that effort will be spent on recovering as much information as possible.
The answer is yes, my friend, they can recover your deleted emails.
