Gone, But Not Forever
E-mail difficult (actually impossible) to delete, easy to recover, experts say
By John Roach, special to MSN Tech & Gadgets
This may be an old article, but it is still as true as ever.
Maybe even more true than we want to know.
As Karl Rove may soon find out, truly deleting an e-mail is a difficult thing to do, according to computer forensics experts.
The White House and the Republican National Committee announced last month they may have lost millions of e-mails from an RNC-sponsored computer system.
Congressional leaders are keen to find and read the e-mails—especially those sent by Rove, President Bush’s chief political adviser—because they may contain information on the controversial firings of eight federal prosecutors. Some leaders believe the dismissals were politically motivated.
Senate Judiciary Committee Chairman Patrick Leahy (D-Vt.) is confident the e-mails can be found.
"You can't erase e-mails, not today. They've gone through too many servers," he said last month from the Senate floor.
Leahy later added to reporters that "a teenage kid in my neighborhood can go get 'em for them."
Really? How hard is it to make an e-mail message disappear forever? How hard is it to find an e-mail you thought was long gone?
Marc Rogers, chairman of the cyber forensics program at Purdue University in West Lafayette, Ind., says that truly deleting e-mail is "very difficult" and that finding deleted e-mail is a "pretty trivial" process.
Every e-mail program has a delete button that, when hit, will make a message vanish from the inbox. This action cleans up clutter and generally helps people feel on top of their workload.
But does that mean the message is gone?
"To be quite honest, nothing happens to the actual data itself," Rogers says.
Hitting the delete button, he explains, is like taking an eraser to the table of contents but not the contents themselves.
"It basically gets delisted as an area that has any information, and your system can write back to it,” he says. “But until your system actually writes back to it, that data in that storage area is not affected at all."
Michele Lange is the director of legal technology for Kroll Ontrack, a Minnesota-based computer forensics company. She likens deleting an e-mail to removing a card catalog entry for a book.
"Only until the librarian actually goes out to the library shelf and takes the book off the shelf and puts a new one in its spot is the book truly gone," she says.
Most hard drives today are so large that they are like a library with rows and rows of unused shelves. Rogers explains that computers tend to fill up the unused space before they reclaim areas with deleted data.
"That data stays there for a long time," he says.
A Clean Slate
To truly delete an e-mail, computer users can run so-called wiping programs that overwrite the deleted e-mail with a series of nonsensical ones and zeros, according to Rogers.
But, he adds, research out of Carnegie Mellon University found that a lot of the available software fails to do what it claims.
Another approach, Lange says, is to fill up the hard drive with junk files in an attempt to overwrite every available bit.
"I've worked cases where we opened the hard drive and found 6 gigabytes of Whitney Houston songs and we couldn't get anything back because they were obviously trying to overload the drive," she says.
But since e-mail is used to communicate among users of different computers, it leaves a trail as it jumps across the Internet from server to server to the recipients' inboxes.
Thus, in order for a message to completely vanish, it would have to be wiped from the sender's computer, the mail servers in between, any backups of those servers and the recipients' machines.
"That's pretty difficult to do," Rogers says.
Since truly deleting an e-mail is nearly impossible, recovery is usually a matter of some low-tech sleuthing, according to Rogers.
Simple software programs are designed to search areas of a hard drive where e-mail is commonly stored. If the area has not been overwritten with a new message or wiped, the missing file usually turns up.
"This is not rocket science," Rogers says.
Even if the storage file containing the e-mail is wiped, pieces of the message may be scattered elsewhere on the hard drive.
Computer forensics experts like Rogers can search these areas for keywords thought to be in the message.
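The delisting and keyword-search behaviour described above, as an added example that is not part of the original article: a toy disk where "delete" removes only the index entry, and a raw-byte keyword scan still finds the message until its bytes are overwritten. The ToyDisk class, the sample message and the keyword are all constructed for illustration.

```python
import re

SECTOR = 64  # constructed toy allocation unit, far smaller than a real disk's
# Constructed sample message; addresses and keyword are invented.
MSG = (b"From: alice@example.test\nTo: bob@example.test\n"
       b"Subject: Q3 budget\n\nThe merger code name is BLUEHERON. Keep quiet.\n")

class ToyDisk:
    """Hypothetical model: an index of name -> (offset, length) over raw bytes."""
    def __init__(self, size):
        self.raw, self.index, self.next_free = bytearray(size), {}, 0

    def write(self, name, data):
        off = self.next_free
        self.raw[off:off + len(data)] = data
        self.index[name] = (off, len(data))
        self.next_free = off + -(-len(data) // SECTOR) * SECTOR  # round up
        return off

    def delete(self, name):
        # "Delisting": only the index entry is removed, the bytes stay put.
        return self.index.pop(name)

    def overwrite(self, off, length):
        # What reuse of the space, or a wiping tool, does to the freed range.
        self.raw[off:off + length] = b"\x00" * length

def keyword_search(raw, keyword, context=40):
    """Scan raw bytes, ignoring the index; return (offset, nearby text) per hit."""
    hits = []
    for m in re.finditer(re.escape(keyword), raw):
        chunk = bytes(raw[max(0, m.start() - context):m.end() + context])
        text = re.sub(rb"[^\x20-\x7e\n]+", b" ", chunk).decode("ascii").strip()
        hits.append((m.start(), text))
    return hits

def demo():
    disk = ToyDisk(1024)
    disk.write("inbox/1", b"Subject: lunch\n\nnoon?\n")
    off = disk.write("inbox/2", MSG)
    disk.delete("inbox/2")                        # user hits "delete"
    after_delete = keyword_search(disk.raw, b"BLUEHERON")
    disk.overwrite(off, MSG.index(b"\n\n") + 2)   # front of freed area reused
    after_partial = keyword_search(disk.raw, b"BLUEHERON")
    disk.overwrite(off, len(MSG))                 # whole range overwritten
    after_wipe = keyword_search(disk.raw, b"BLUEHERON")
    return after_delete, after_partial, after_wipe

if __name__ == "__main__":
    for stage in demo():
        print(stage)
```

The three stages show the full message surviving deletion, the body surviving loss of the headers, and nothing surviving once every byte of the range is overwritten.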
"Quite often we'll get maybe not the entire message—you might lose a little bit of information off the front—but you'll get the body of what that message was," he says.
Given the difficulty of deleting an e-mail from sender through recipient and the relative ease of finding messages thought deleted, the spirit of Sen. Leahy's comments on finding the missing White House e-mails is "absolutely true," Lange says.
But, she adds, the high profile of the case requires a seasoned investigator, not a tech-savvy teenager from down the street, to recover the missing messages.
"This is sensitive information that could lead to litigation or investigation,” she says, “and so you want to make sure you are handling this almost like a crime scene."
John Roach frequently writes about technology, science and the environment for National Geographic News. He lives in Seattle.