I was being interviewed a little while ago by John Batchelor for his show (The John Batchelor Show), talking — as we have a few times already — about the Clinton e-mail scandal. John asked me about recovery of deleted e-mails on the near-mythical clintonemail.com server; I pointed out that — in my opinion — there is a very good chance that the server has already been “sanitized”, that is, various “clean-up” programs have already been run on it to zero out all unused disk space, delete all temp and log files, reset all OS file metadata, and so on. I also pointed out that this could have been masked by saying, “Oh, we wanted to upgrade to Windows 7 (or 8.1, or whatever), so we did a clean wipe before installation.”
But then John asked a very important question, one that had escaped me through all this: he said (as best as I recall),
“What about the computers used by the Clinton staff to review and print the e-mails turned over to the State Department?”
As I explained in my response, the purpose of an e-mail server is to hold and dispense e-mails to a client computer: laptop, workstation, mobile device, and so on. In other words, you don’t (and, for security reasons, shouldn’t) do work directly on the server computer. Thus, there is a good chance that during the e-mail review process, the staff was not working directly on the server itself; instead, they were using one or more laptops or desktop systems to do the keyword searches on the e-mail. And if that is the case, then there may be forensically recoverable information about the e-mails on those systems as well.
In related news, Clinton associates are now trying desperately to walk back their original claim that the ‘private’ e-mails were deleted without examination. This means that forensic examination of those work systems is now even more important, since traces of the deleted e-mails should be on those systems.
Assuming they haven’t already been sanitized as well.
..bruce..