Why Email Matters: The Science Behind the US Attorney Scandal

Email is more and more in the news these days, and it is near the center of the current US Attorney firing scandal, for good reason. A substantial amount of communication flows through email, which can be an efficient way to send memos and other correspondence. Email is nearly instant, costs next to nothing, and has largely replaced the paper note. Email provides a path of inquiry that was previously unavailable to investigators: a paper document can be shredded or burned, whereas email leaves a trace even when deleted. Also, unlike a piece of paper, the email itself reveals who sent it and who received it, when and where. As Senator Patrick Leahy says (quoted by Michael Abramowitz on April 14, 2007 in “4 years of Rove emails missing, GOP admits”), “You can’t delete emails, not today… They’ve been through too many servers. Those emails are there -”

There are mainly three types of email in common use. One is the email client program, a genre that includes Microsoft Outlook Express, Mozilla Thunderbird, Macintosh Mail, and Netscape Mail. The second type is the predominant Microsoft Outlook, a very different program from the same company’s Outlook Express. The third is commonly known as web mail or Internet mail.

Email client programs store data primarily in the form of text, words that people understand, as opposed to cryptic computer language. In general, all individual emails in a single mailbox (such as “Inbox” or “Sent” mailboxes) are stored together as a single file.

When a message is deleted, it is cut out of the mailbox file, but its data is not actually removed from the computer at this point. Each file has an entry in an index, which is something like a table of contents. When an entire mailbox is deleted, its entry in that file index is deleted, but the actual body of the file is not removed from the computer. The area of the hard drive that held the file is marked as available for reuse, but the file’s contents may not be overwritten, and therefore remain recoverable, for some time, if not indefinitely.

The computer forensic specialist can then search the apparently unused part of the disk for text that may have been part of an email. The expert can search for names, phrases, places, or actions that might have been mentioned in an email. The email also contains internal data indicating where it has been and whom it has passed through.

For example, I just sent my wife a 17-word message titled “Where is this email from?” She replied, “Honey, you probably mean, where is this email from? Love, your grammatically correct wife.” A reply of 15 words. However, when I look below what is displayed on the screen, I see that the email actually contained 246 words. Where did it all come from?

The additional information included a return path with my beloved’s America Online (AOL) email address, the IP address of her computer (“IP” stands for “Internet Protocol”; every computer connected to a network has an IP address), the IP addresses of three other computers, both email addresses repeated three more times each, the names of three or four mail servers, and four date and time stamps.

If I forwarded or copied the email, I would have more information, especially the email addresses of the other people I copied or forwarded the message to.

By looking at the IP addresses and doing some more research, I was able to find out the approximate physical location of the computers with those IP addresses. I was able to see who else was involved in the communication chain and roughly where they were.
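The header analysis described above, as an added example that is not part of the original article: it parses a constructed message (all hostnames, addresses and IPs are invented) to list the Received hops in chronological order with their IP addresses and timestamps, pulls out the Return-Path, and compares the word count of the visible body with that of the whole raw message.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample message (hostnames, addresses and IPs are invented): a
# Return-Path, three Received hops naming mail servers and IPs, and a short body.
RAW_EMAIL = """\
Return-Path: <wife@example-aol.test>
Received: from relay3.example-aol.test (relay3.example-aol.test [198.51.100.30])
\tby mx.home-isp.test with ESMTP id q1; Sat, 14 Apr 2007 10:15:02 -0400
Received: from relay2.example-aol.test (relay2.example-aol.test [198.51.100.20])
\tby relay3.example-aol.test with ESMTP id q2; Sat, 14 Apr 2007 10:15:01 -0400
Received: from laptop.example-aol.test (dsl-pool.example-isp.test [203.0.113.77])
\tby relay2.example-aol.test with ESMTP id q3; Sat, 14 Apr 2007 10:14:58 -0400
Message-ID: <q3@relay2.example-aol.test>
Date: Sat, 14 Apr 2007 10:14:57 -0400
From: wife@example-aol.test
To: me@home-isp.test
Subject: Re: Where is this email from?

Honey, you probably mean, where is this email from? Love, your grammatically correct wife.
"""

# One Received header is one hop: "from A (helo [ip]) by B with ... id X; date".
HOP_RE = re.compile(
    r"from\s+(\S+).*?\[(\d{1,3}(?:\.\d{1,3}){3})\].*?by\s+(\S+).*?;\s*(.+)$", re.S)

def parse_received_chain(raw):
    """Hops in chronological order: each relay prepends its own header, so the
    top-most Received line is the last hop and the bottom-most is the first."""
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(value)
        if not m:
            continue  # unparseable hop: skip it rather than guess
        hops.append({"from_host": m.group(1), "ip": m.group(2),
                     "by_host": m.group(3),
                     "time": parsedate_to_datetime(m.group(4).strip())})
    return hops

def visible_vs_total_words(raw):
    """Words the reader sees (body only) versus words in the whole raw message."""
    msg = message_from_string(raw)
    return len(msg.get_payload().split()), len(raw.split())

def return_path(raw):
    """Envelope sender recorded by the receiving server (may differ from From:)."""
    return message_from_string(raw).get("Return-Path", "").strip("<>")
```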

In an investigation, if a judge sees multiple email addresses indicating that these other people may be involved, and that the original party did not provide all the requested information, the judge could then allow access to all of the other computers and order all of the other email addresses to be inspected. Then the big, officially sanctioned fishing expedition could begin in earnest.

This is how we come to read headlines like this one, seen on the ThinkProgress website on April 12, 2007: “The White House originally claimed RNC emails were on file, only a ‘handful’ of employees had accounts.” At a press conference, White House Assistant Press Secretary Dana Perino said that only a handful of White House staffers had RNC (Republican National Committee) email addresses. It may have been in the face of inevitable discovery that the White House was forced to admit that more than fifty senior officials (according to “Emails from officials may be missing, White House says”, Los Angeles Times, April 12, 2007) had such RNC email addresses; that’s 10 handfuls, by most counts.

In his article “Follow the emails” on Salon.com, Sidney Blumenthal says: “The offshoring of White House records via RNC emails became apparent when an RNC domain, gwb43.com (referring to George W. Bush, 43rd president), appeared in a batch of emails the White House released to House and Senate committees earlier this month. Rove deputy Scott Jennings, former Bush legal adviser Harriet Miers, and his associates had strangely used gwb43.com as an email domain. Producing these emails for Congress was something of a slip.” This, by the way, is exactly the type of information that computer forensics experts like to have to help them in their electronic discovery process. In my own electronic discovery work, I have found over half a million unexpected references on a single computer.

Investigators can now search the computers at the RNC, the White House, and the locations that house computers for both, as well as the laptops and BlackBerry devices used by employees of these organizations. The search would look for any occurrence of “gwb43”, a search that is likely to return more email addresses and more emails, whether they have been deleted or not.
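An added example, not from the original article, of the searching described in this paragraph and in the earlier discussion of recovering deleted mailbox text: it scans a constructed byte buffer standing in for unallocated disk space (names and addresses are invented), carves out email fragments by their header lines, finds every offset of a search term, and lists every email address present, whether or not the message it came from was deleted.

```python
import re

# Constructed stand-in for a chunk of unallocated disk space: filler bytes with
# the remains of two deleted messages embedded. All names and addresses are invented.
UNALLOCATED = (
    b"\x00\x00\x7f\xfe filesystem junk \x00" * 3
    + b"From: alice@example-party.test\r\nTo: bob@example-office.test\r\n"
      b"Date: Tue, 10 Apr 2007 09:12:00 -0400\r\nSubject: lunch\r\n\r\n"
      b"See you at noon. Bring the folder.\r\n"
    + b"\x00\x00 more junk \xff\xfe" * 3
    + b"From: carol@example-party.test\r\nTo: bob@example-office.test\r\n"
      b"Subject: re: lunch\r\n\r\nNoon works for me.\r\n"
    + b"\x00" * 16
)

# A run of printable ASCII that opens with at least two header lines, has a
# blank line, and ends where unprintable bytes resume.
EMAIL_RE = re.compile(
    rb"((?:(?:From|To|Cc|Date|Subject|Message-ID):[ \t]*[\x20-\x7e]*\r?\n){2,})"
    rb"\r?\n([\x20-\x7e\r\n]*)")

def carve_emails(blob):
    """Return (offset, headers dict, body) for each header cluster found."""
    found = []
    for m in EMAIL_RE.finditer(blob):
        headers = {}
        for line in m.group(1).decode("ascii").splitlines():
            name, _, value = line.partition(":")
            headers[name.strip()] = value.strip()
        found.append((m.start(), headers, m.group(2).decode("ascii").strip()))
    return found

def find_term(blob, term):
    """Byte offsets of every case-insensitive occurrence of a search term."""
    return [m.start() for m in re.finditer(re.escape(term.encode()), blob, re.I)]

def addresses_seen(blob):
    """Every email address appearing anywhere in the blob, deleted or not."""
    return sorted(set(a.decode() for a in re.findall(
        rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}", blob)))
```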

I mentioned three types of email at the beginning of this article, but I have only talked about the one that is most likely to show deleted data. The second type is represented by Microsoft Outlook. Outlook stores all data in an encrypted file on the user’s computer, on a mail server, or both, depending on the mail server’s settings. All mailboxes are in the same encrypted file. Computer forensics specialists have tools that decrypt this file in a way that can often recover many or all of the deleted emails. The email server may also hold backup copies of users’ email.

Webmail, where mail is stored on a remote server (such as AOL’s large mail server farm), may leave little or nothing stored on the user’s own computer. Here, the user is essentially looking at a web page that displays mail. Such mail servers are so dynamic that any deleted email is likely to be overwritten in a matter of minutes. Blumenthal refers to the advantages these systems can have for those who wish to hide information in “Follow the emails”: “As a result, many attendees have switched to Internet email instead of the White House system. ‘It’s Yahoo!, honey,’ says a Bushie.”

On the other hand, while such email content may be difficult to find once removed, email account access logs are likely to be retained for quite some time and may be of some use in an investigation.

The result is that, unlike paper documents, email can spread widely, even by accident. Also unlike paper, when it is shredded, copies are likely to exist elsewhere; to paraphrase Senator Leahy, electronic data can be almost immortal. Another difference is that the email itself contains data indicating who wrote it, and when and where it was sent. The current US Attorney scandal has shown us once again that email is not only a valuable tool for communication, but has the benefit (or detriment, depending on your perspective) of providing some additional transparency to halls of our leaders that would otherwise be closed.
