Forensic Data Expert: Deleted E-mails Aren’t Really Gone

Deleting an e-mail doesn’t always mean it’s gone forever.

“They’re not necessarily deleted,” said data forensics expert and Medford Police Det. Lawrence James.

James explained the process to WBUR in light of the recent controversy at City Hall. The state gave Boston city officials 10 days to find hundreds of e-mails allegedly deleted by a top aide to Mayor Thomas Menino.

(Andrew Phelps/WBUR)

The head of the secretary of state’s public records division, Alan N. Cote, wrote to Menino saying he believed e-mail correspondence had been “improperly deleted.” Secretary of State William Galvin said the deletion of e-mails is a violation of state public records law, which requires municipal employees to save messages for two years.

State officials ordered the city to hire an independent computer forensics expert to track down those messages. The chances of recovering the e-mails are high, but the process takes many hours of work.

James said computer operating systems mark files for deletion but do not immediately wipe them off the hard drive.

“What (operating systems) do is, they tend to remove the information that allows the operating system to find the data. And then it assigns it to an area of the hard drive that is waiting to be reused by the operating system,” he said.

There is a chance the area of the hard drive where the e-mails were saved has been overwritten with new data. But if the information can be retrieved and reconstructed, James said, it would be acceptable as evidence in court — if that’s where the case ends up.

The examination of a single hard drive can take from 20 to 80 hours, James said, based on the complexity of the exam. The city’s expert will also be able to tell how the e-mails were deleted.

James explained how it might have happened.

“There are many possibilities … The e-mail server was improperly configured, it was purposely misconfigured to allow the user to delete them, or that some of the archive utilities were not running properly at that point in time,” James said.

City Councilors Sam Yoon and Michael Flaherty and South End contractor Kevin McCrea — the candidates to replace Menino in the upcoming mayoral race — say the e-mail deletions were calculated. Menino insists he has “corrected the situation.”

Martha Coakley, the state’s attorney general, said her office won’t get involved because it’s a political matter in the middle of an election.

WBUR intern Luciana Almeida compiled this report.

  • rworeilly

    I have listened to this story and wonder if you guys have it right. You keep saying users deleted the emails without archiving them. Any email capture system that relies on humans to archive their email is bound to fail — we make mistakes or delete deliberately. My question is, did the city have an automatic archiving system that would capture the mail w/o the need for individuals to take action? If they did and persons were circumventing that system, then there is a real problem. It is important for listeners to have this information.

  • http://www.smpone.com Lawrence James

    In response to rworeilly, in my experience automated archiving utilities are reliable. They operate on the server and regardless of a “user” deleting an email, the message has already been stored. Many email servers also have a “deleted item retention period” setting which allows the server to retain the messages that the user has deleted so he/she can retrieve them from the abyss. It is very curious that in this instance the users were capable of truly deleting the emails in question. It would definitely require a series of steps be in place to accomplish this. That being said, it will be interesting to see what the forensic examination yields as to how this server was configured.
