Why Email Matters: The Science Behind The US Attorney Scandal
Email is increasingly in the news these days – it’s close to the center of the current federal prosecutor’s layoff scandal, and for good reason. A substantial amount of communication flows through email, which can be an efficient way to send notes and other communications. Email is almost instant, costs next to nothing, and has largely replaced the paper memo. Email provides a path of inquiry that was previously unavailable to investigators, as a paper document can be shredded or burned, while email leaves a trail even when deleted. Also, unlike a sheet of paper, the email itself reveals who sent it and who received it, when and where. As Senator Patrick Leahy says (quoted by Michael Abramowitz on April 14, 2007 in Rove emails 4 years to go, GOP admits) “Can’t delete emails, not today … They’ve been through too many servers. Those emails are there -”
There are mainly three types of email in common use. One is the email client program, a genre that includes Microsoft Outlook Express, Mozilla Thunderbird, Macintosh Mail, and Netscape Mail. The second type is Microsoft Outlook, a very different program from the same company’s Outlook Express. The third is commonly known as webmail or Internet mail.
Email client programs store data primarily in the form of text, words that people understand, unlike the cryptic language of computers. In general, all individual emails in a single mailbox (such as “In” or “Sent” mailboxes) are stored together as a single file.
When mail is deleted, it is truncated from the mailbox file, but its data is not actually removed from the computer at this time. Each file has an entry in an index that is something like a table of contents. When an entire mailbox is deleted, part of its entry in the file index is deleted, but the actual body of the file does not disappear from the computer. The area of the computer’s hard drive containing the file is marked as available for reuse, but the contents of the file may not be overwritten right away and therefore may be recoverable for some time.
The computer forensic specialist can then search the apparently unused part of the computer for text that may have been part of an email. The expert can search for names, phrases, places, or actions that could have been mentioned in an email. The email contains internal data indicating where it has been and to whom it has gone.
For example, I just sent my wife a 17-word message titled “Where is this email from?” She replied, “Honey, you must surely mean, ‘Where is this email from?’ With love, Your grammatically correct wife.” – an answer of 15 words. However, when I look below what is displayed on the screen, I see that the email actually contains 246 words. Where did all this come from?
The additional information included a return path with my beloved’s America Online (AOL) email address, her computer’s IP address (“IP” stands for “Internet Protocol” – every computer that is connected to a network has an IP address), the IP addresses of three other computers, both email addresses repeated another three times each, the names of three or four mail servers, and four date / time stamps. Oh, and don’t forget, there is an AOL ad at the end.
If I forwarded or copied the email, I would have more information, especially the email addresses of the other people I copied or forwarded the message to.
By looking at the IP addresses and doing a little more research, I was able to determine the approximate physical location of the computers with the given IP addresses. I was able to see who else was involved in the chain of communication and roughly where they were.
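The hidden header data described above can be read programmatically. The following is an added example, not part of the original article: it walks the `Received` chain of a constructed message (example.* domains and documentation IP ranges are assumptions) and pulls out the relay IPs, time stamps and addresses.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parsedate_to_datetime

# Constructed sample message: example.* domains and RFC 5737 documentation
# IP addresses, not data taken from the article.
RAW = """\
Return-Path: <wife@mail.example.com>
Received: from mx2.example.net (mx2.example.net [198.51.100.7])
    by inbound.example.org with ESMTP id A1; Sat, 14 Apr 2007 10:02:09 -0700
Received: from relay1.example.com (relay1.example.com [203.0.113.20])
    by mx2.example.net with ESMTP id B2; Sat, 14 Apr 2007 10:02:05 -0700
Received: from [192.0.2.55] by relay1.example.com with HTTP;
    Sat, 14 Apr 2007 13:02:01 -0400
From: wife@mail.example.com
To: husband@example.org
Subject: Re: Where is this email from?
Date: Sat, 14 Apr 2007 13:02:01 -0400

Constructed reply body for the header trace example.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def trace(raw):
    msg = message_from_string(raw)
    hops = []
    # Every relay prepends its own Received line, so reverse the list
    # to get the hops in sender-to-recipient order.
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())          # unfold continuation lines
        stamp = parsedate_to_datetime(flat.rsplit(";", 1)[1].strip())
        hops.append({"ips": IP_RE.findall(flat), "time": stamp})
    fields = []
    for name in ("Return-Path", "From", "To", "Cc"):
        fields += msg.get_all(name, [])
    head = raw.split("\n\n", 1)[0]
    return {
        "hops": hops,
        "addresses": sorted({a for _, a in getaddresses(fields) if a}),
        "transit_seconds": (hops[-1]["time"] - hops[0]["time"]).total_seconds(),
        "header_words": len(head.split()),      # what the mail client hides
        "body_words": len(msg.get_payload().split()),
    }

if __name__ == "__main__":
    for hop in trace(RAW)["hops"]:
        print(hop["time"].isoformat(), hop["ips"])
```

Only `Received` lines added by servers the examiner trusts are reliable; lines below the first trusted relay are supplied by the sending side and can be forged.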
In an investigation, if a judge sees the multiple email addresses indicating that these other people might be involved, and that the original party has not provided all of the requested information, the judge could allow all of the other computers accessible to those other email addresses to be inspected. Then the great fishing expedition could begin in earnest, officially sanctioned.
So we read headlines like this one, seen on the ThinkProgress website on April 12, 2007: RNC emails originally claimed by the White House were archived, only a “handful” of employees had accounts. At a press conference, White House Undersecretary of Press Dana Perino said that only a handful of White House employees had Republican National Committee (RNC) email addresses. It may have been in the face of inevitable discovery that the White House was forced to admit that more than fifty senior officials (from Officials’ emails may be missing, says White House – Los Angeles Times, April 12, 2007) had such RNC email addresses; that’s 10 handfuls by most counts.
In his article Follow the emails on Salon.com, Sidney Blumenthal says: “Offshoring of White House records via RNC emails became apparent when an RNC domain, gwb43.com (referring to George W. Bush, 43rd President), appeared on a batch of emails that the White House delivered to House and Senate committees earlier this month. Rove’s deputy Scott Jennings, former Bush legal counsel Harriet Miers, and their deputies had strangely used gwb43.com as an email domain. Producing these emails for Congress was kind of a slip-up.” Indeed. This is exactly the kind of information computer forensics experts like to have to aid in their electronic discovery process. In my own electronic discovery work, I have found over half a million unexpected references on a single computer.
Investigators can now search the computers at the RNC, the White House, and the locations that house computers for both, as well as the laptops and Blackberries used by the staff of these organizations. The search will be on for any occurrence of “gwb43”, a search that is likely to return more email addresses and more emails, whether or not they are deleted.
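The keyword search of apparently unused disk space described earlier, and the “gwb43” search in particular, can be sketched as follows. This is an added example, not the author's tooling: the disk image is a constructed byte buffer, the staffer addresses are invented, and it also checks UTF-16 text, which an ASCII-only search would miss.

```python
import re

KEYWORD = "gwb43"  # the search term named in the article
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def build_sample_image():
    # Constructed stand-in for unallocated disk space: filler bytes around
    # remnants of deleted mail. All names and addresses are invented.
    frag1 = (b"From staffer.one@gwb43.com Thu Apr 12 09:15:00 2007\n"
             b"To: staffer.two@GWB43.com\n"
             b"Subject: constructed sample\n\nbody text\n")
    frag2 = "cc: staffer.three@gwb43.com".encode("utf-16-le")
    return b"\x00" * 512 + frag1 + b"\xff" * 300 + frag2 + b"\x00" * 200

def search_image(image, keyword, context=64):
    """Return (offset, encoding) hits and the addresses found around them."""
    hits, addresses = [], set()
    for codec in ("ascii", "utf-16-le"):
        width = len("a".encode(codec))          # bytes per character
        pattern = re.compile(re.escape(keyword.encode(codec)), re.IGNORECASE)
        for match in pattern.finditer(image):
            off = match.start()
            # Step back by whole characters so UTF-16 text stays aligned.
            start = off - min(context, off // width) * width
            end = off + context * width
            text = image[start:end].decode(codec, errors="replace")
            hits.append((off, codec))
            addresses.update(a.lower() for a in ADDR_RE.findall(text)
                             if keyword in a.lower())
    return sorted(hits), sorted(addresses)

if __name__ == "__main__":
    hits, addrs = search_image(build_sample_image(), KEYWORD)
    for off, codec in hits:
        print(f"offset {off:>6}  {codec}")
    print(addrs)
```

Each hit's byte offset is what lets an examiner go back to the image and document exactly where the remnant was found.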
I mentioned three types of email at the beginning of this article, but I only talked about the one that has the best chance of displaying deleted data. The second type is represented by Microsoft Outlook. Outlook stores all data in an encrypted file on a user’s computer, a mail server, or both, depending on the mail server settings. All mailboxes are in the same encrypted file. Computer forensics specialists have tools to enable the decoding of this file in a way that can often recover many or all of the deleted emails. The email server can also have backup copies of users’ mail.
Webmail, where mail is stored on a remote server (as in AOL’s large mail server farm) can leave little or nothing stored on the user’s own computer. Here the user is essentially looking at a web page displaying mail. These mail servers are so dynamic that any deleted email will likely have been overwritten in a matter of minutes. Blumenthal refers to the advantages that these systems can have for those who wish to hide information in Follow the emails thus: “As a result, many attendees have switched to Internet email instead of the White House system. ‘It’s Yahoo!, honey,’ says a Bushie.”
On the other hand, although such email content may be difficult to find once removed, email account access logs are likely to be kept for quite some time and may be of some use to an investigation.
The result is that, unlike paper documents, e-mail can spread widely, even by accident. Also, unlike paper, when email is shredded, copies are likely to exist elsewhere; to paraphrase Senator Leahy, electronic data can be almost immortal. Another difference is that the email contains data that indicates who wrote it, when and where it was. The current Federal Attorney scandal has shown us once again that email is not only a valuable tool for communication, but has the benefit (or detriment, depending on your perspective) of providing additional transparency into the otherwise closed rooms of our leaders.