Client: Bruce Hettema
IT STARTED WITH a bad joke. When asked by reporters if her server had been wiped, the leading Democratic presidential candidate Hillary Clinton shot back: “What, like with a cloth or something?” Ha! You know, like dust. She then proceeded not to answer the question.
Like so many subpar technothrillers, the saga of Clinton’s email server has dragged on well beyond the point of exhaustion. The latest chapter, though, in which the FBI combs through the hardware that once hosted tens of thousands of Clinton’s digital epistles, raises the question of just how hard it is to vanish your data—or for someone else to retrieve it after you do.
There’s been mostly muddled information over whether Clinton, or more specifically Platte River Networks, the company entrusted with running her server, did effectively clear out whatever had been on there. In a March letter (PDF) to Congress, Clinton attorney David Kendall stated that “no emails from [email protected] for the time period January 21, 2009 through February 1, 2013 reside on the server or on any back-up systems associated with the server.” Clinton’s campaign, meanwhile, told PolitiFact that the emails had been “deleted,” a word with very different implications. Neither the Clinton campaign nor Platte River Networks responded to WIRED’s requests for clarification.
This may all seem like semantics, but it speaks to an important question for most of us. How can you be sure your data’s really gone?
Many of you may know this already, but if you don’t it may come as a rude surprise: Simply deleting something from your computer doesn’t make it go away.
“We usually compare it to a card catalog in a library,” explains Russell Chozick, co-founder of data recovery and digital forensics firm Flashback Data. “Your card catalog is your file system, and the books on the shelf are your data. When you delete a file, you’ll remove a card from the catalog, but the book’s still on the shelf. The file system doesn’t know where it is, but it’s easily retrievable.”
Easily, at least, for a forensics lab like Flashback, or in this case, like the FBI, which operates 15 Regional Computer Forensics Laboratories throughout the country. If there’s any trace left of emails on Clinton’s email server, they have a wide variety of tools available to them to sniff them out.
“In a forensic lab we would take in a server like that and forensically image all the drives, which means we just make exact duplicates of all the drives with forensic hardware,” says Chozick. “We would then verify the hash values (unique numeric values that identify data) of the source and the destination to make sure that they’re exactly the same, so that I know we have a sanitized, exact copy of the data. We’d work off that so as to not write any data to the originals.”
Writing new data to the originals is an important thing to avoid. While a deleted email still lurks in the background, it can potentially be overwritten by new data. Go back to our library example for a moment; the book will remain on the shelf until room needs to be made for a new shipment.
Once a duplicate of the drive has been made and verified, Chozick says, experts can run a number of tests both to determine if any data remains intact, and to resurrect it if so. An entropy test will tell you the extent to which it’s truly wiped, after which targeted searches can yield a bumper crop of hidden information.
“If we load it up in our forensic utilities and find file utilities or things like that, we could start searching for email types, or the unallocated areas of the drive, the areas that the file system thinks is free space but may not be. It may have fragments of files and things like that in it,” explains Chozick. “Say it’s an Exchange server. Exchange servers use EDB file as the container for all email. We would do a file header search for EDB files—all files have several bytes of data on the front of the file to tell the file what type it is—so we would search for signatures of what an EDB file looks like.”
This sort of digital CSI takes expertise and specialized equipment, but given those it’s actually fairly straightforward. Which isn’t to say that the FBI will end up finding any of these things, or anything at all. In fact, there’s an equally good chance that they’ll come up empty.
According to NBC News, the FBI believes it “may be able to recover at least some data.” Which means the FBI feels fairly confident that Clinton and Platte River didn’t wipe the servers after all. If they did, there’s nothing anyone could do about it.
Much like how shouting “enhance” at a computer doesn’t really magically sharpen an image when you zoom in, despite what every movie and television show of the last 20 years might tell you, there are limits to what data forensics can achieve.
“There are a number of commercially available Department of Defense-approved utilities for wiping a hard drive or a server,” says Michael Hall, Chief Information Security Officer for DriveSavers, a data recovery and digital forensics shop. “Many of the utilities have the ability to wipe a file, a folder, the free space on the drive (also known as unallocated space) or the entire hard drive at a physical level.”
In other words, all it would take is some readily available—and in some cases, free—software to leave no trace of any digital correspondence.
That wouldn’t, though, leave the FBI totally without options. In addition to checking for deleted data on the server, Hall says, there’s a range of things they could try to track down.
“They are probably checking to see if there is evidence that some sort of wiping utility was used to overwrite the deleted data in unallocated space on the server,” explains Hall. “They could also be checking the address book of contacts to determine if they can find emails that had been sent or received that could still be located on another user’s device.”
Hall and Chozick are both quick to point out, too, that without more detail about what this email server actually is, what server software was used, and so on, there’s only so much one can know about this specific situation. Most of this, though, applies to pretty much any computer, be it a RAID-based server or an old ThinkPad.
Besides, what’s true regardless of those variables is that we all leave more of a trace than we might think. Then again, it’s comforting to know that if we ever do need to make our hard drives disappear, there are less messy solutions than busting out a hammer.