speedy recovery: retrieving lost emails as part of an investigation



FEATURE

Computer Fraud & Security, September 2011, page 9


John Shaw, Head of Forensics, First Advantage Litigation Consulting

With the rise of the digital age and the widespread use of computers and electronic communication by individuals and corporations, the volume of emails and business correspondence stored electronically is growing exponentially. As a result, emails are one of the most common forms of documentary evidence requested and admitted as evidence in court, in the same way as other forms of evidentiary data. This means that, with tighter procedural requirements relating to electronic evidence, the way data is stored and recovered plays an integral role in complying with a legal or regulatory investigation.

Recovering missing data

This raises the question of how to retrieve lost or deleted emails in order to meet evidentiary requests effectively. Recovering missing data, especially in the course of discovery, can be surprisingly simple or dauntingly complex, depending on how the email was deleted or lost.

In order to explore which avenues exist for recovering the emails, we need to understand how the emails were lost. What do we actually mean when we say emails have been ‘deleted’? Is it a case of a user in the organisation having deleted emails from their inbox? Did the Exchange Server database become corrupt? Was it an automated data retention policy, based on maximum size or age, that deleted the relevant content? Did the CEO’s laptop crash, so that the machine now won’t reboot? Answering these questions is the key to enabling the relevant team of experts to find the most appropriate avenue for recovery.

Handle with care

The methods used to retrieve lost or deleted information can be as vital as the data itself. Computer data can be very fragile and can easily be irretrievably lost or permanently corrupted if searches for potential electronic evidence are not undertaken by forensic experts using professional procedures. Even turning on a computer may cause changes to critical data. Often, in the early stages of the retrieval process, individuals or organisations act in haste to recover the data as quickly as possible without taking adequate care, which can lead to disastrous consequences. Beware of clumsy handling of the situation in the early stages of recovery, as this may add fuel to the fire and potentially cause irrevocable loss.

It is imperative that the process be handled with due diligence by professional forensic experts from the outset, so that recovered emails and communications can survive legal or regulatory scrutiny. There is a real risk in relying on internal IT departments alone to conduct the analysis or recovery, as this may create difficulties with the admissibility of the retrieved emails in court. This is because, under certain legal and regulatory procedures, internal IT resources may not be deemed unbiased parties to provide evidence, since they are employed by a party involved in the matter at hand. Even a brief look at the email once recovered could result in the alteration of data, which could be construed as tampering with evidence. There is therefore an increased risk of spoliation and evidence contamination if appropriate forensic methodology is not applied [1,2]. For peace of mind, data recovery, analysis and investigation should be undertaken by a third, unbiased party with the requisite technical expertise.

Depending on how the data has been lost, it is therefore important to consider bringing in a data recovery specialist. If this is a viable option, always contact the team of experts as early as possible. The chances of successful recovery are greatly increased by taking professional, technical consultation at an early stage. Electronic evidence is often composed of tiny file fragments that, without the scrutiny of an expert analyst, might never surface. A vendor will be able to advise on the most appropriate course of action in the context of the matter at hand. A good vendor may even determine that you don’t need their services if a simpler solution is available. It is paramount to trust only an experienced, trained investigator who can put these disparate details into context.

Backup plan

It may be that the easiest method of recovering lost emails is to restore the data from backup media. This is a simple enough task for an internal IT department to perform without generating any real risk of spoliation. It is important to consider that the faster the email loss can be identified and acted upon, the better the chances of a full recovery. Backups will typically be most effective, achieving a near-full restoration, if the restore is done within a week of the data loss. This is because a typical backup rotation revolves around a daily backup for six consecutive days, followed by a weekly backup taken before the six daily backup media are recycled.

Restoring data from backup media will also only be effective if the email loss occurred on a server, or on a system that was synchronised with a server that is backed up. Take Microsoft Exchange, for example. Typically, users of this system, and laptop users in particular, will operate in ‘cached Exchange mode’. In this mode, the email on the computer is constantly synchronised with the data on the server as long as the connection is active. When the connection is not active, the server and the machine go out of sync, so a deletion of data on the machine or the server will not be replicated to the other device. This means that, for a period of time, until the devices are synchronised again, one of them will still contain the deleted data. Understanding this and acting fast is critical, and the best advice to the user may be to keep the machine switched off until someone with the requisite skills can preserve a copy of the mailbox from either the server or the client machine.


It is also possible – and necessary – to retrieve data from multiple types of device, especially in an age where emails can be sent via hand-held machines and other portable devices. Technical experts can retrieve information from systems including, but not limited to: smartphones, BlackBerry services and other PDA devices; desktop and laptop computers; emails stored as files on CDs, DVDs, floppy disks or external thumb drives; emails stored as files on hard drives; and servers. Specialised hardware and software can even be used to collect data effectively from email servers, email archiving services, home/personal drives, group shares and various collaborative or database applications.

Data propagation

An often overlooked avenue to recovering lost emails is that the data almost certainly exists on someone else’s computer. It is highly unlikely that all email evidence is destroyed when deleted, because so much information is passed, shared and stored on different computers. Chances are that an email that has been sent is still held by the recipient, or by their backup systems. In many instances, one single email can be used to recreate data trails pointing back to a series of deleted messages. An email will also frequently travel between multiple users and propagate over multiple systems.

Many of these systems may not be accessible, as they may belong to other corporations; however, emails sent internally should exist on other users’ computers or even on other servers. Where servers or machines are not under the control of the company, it may be that the recipients of the lost emails are amenable to sending the relevant communications back to you.
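Reconstructing a data trail from a single surviving copy, as an added example that is not from the article: the block parses a constructed .eml file held by a recipient, reads its References and In-Reply-To headers and the quoted reply in its body, then reports which earlier messages are absent from the collection and which people may still hold copies. All addresses and Message-IDs are constructed for the example.

```python
import re
from email import message_from_string
from email.policy import default

# Constructed surviving copy held by a recipient (not a real message). The two
# earlier messages in the thread are assumed to have been deleted elsewhere.
SURVIVING_EML = """\
From: carol@example.com
To: bob@example.com
Cc: dave@partner.example
Subject: Re: Q3 forecast
Date: Tue, 06 Sep 2011 11:02:00 +0100
Message-ID: <c3@example.com>
In-Reply-To: <b2@example.com>
References: <a1@example.com> <b2@example.com>

Agreed, let's sign it off.

-----Original Message-----
From: bob@example.com
Sent: 05 September 2011 10:40
To: alice@example.com
Subject: Re: Q3 forecast

Looks good to me.
"""

MSGID = re.compile(r"<[^<>\s]+@[^<>\s]+>")
QUOTED_FROM = re.compile(r"^From: (.+)$", re.MULTILINE)


def thread_trail(eml: str, collected: set[str]) -> dict:
    """From one surviving email, list the earlier messages it proves existed,
    which of them are absent from the collection, and who may still hold copies."""
    msg = message_from_string(eml, policy=default)
    # References names every ancestor in the thread, In-Reply-To the direct parent.
    ancestors: list[str] = []
    for hdr in ("References", "In-Reply-To"):
        for mid in MSGID.findall(str(msg.get(hdr, ""))):
            if mid not in ancestors:
                ancestors.append(mid)
    # Everyone on the surviving copy, plus senders named in quoted replies, may
    # hold their own copy or be covered by their organisation's backups.
    custodians = set()
    for hdr in ("From", "To", "Cc"):
        if msg[hdr]:
            custodians.update(a.addr_spec for a in msg[hdr].addresses)
    body = msg.get_body(preferencelist=("plain",)).get_content()
    custodians.update(s.strip() for s in QUOTED_FROM.findall(body))
    return {
        "message_id": str(msg["Message-ID"]),
        "ancestors": ancestors,
        "missing": [mid for mid in ancestors if mid not in collected],
        "custodians": sorted(custodians),
    }
```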

Double remedy

In circumstances where email deletion has taken place and the backup media do not contain any of the data, an alternative email recovery method may need to be employed. There are essentially two different ‘remedies’ available that target the systems from which the emails were deleted.


For example, where an email is deleted from a Microsoft Outlook user’s inbox, the inbox itself is part of an Outlook data file, which could be either an .OST or a .PST file. These are very similar and are databases containing information and communication such as emails, contacts and calendar items. Emails exist as records within these databases and so are slightly different from other files, although they share many similar concepts.

The likelihood of recovering email data from one of these databases depends on a number of factors, the most pertinent of which is how much usage the email system has had since deletion. A system that has had little or no usage presents a very good chance of recovering the most recently deleted items; conversely, the opposite applies to high-usage systems.

If an email is saved from Outlook as a standalone item, then it has become a file in its own right and is orphaned from its parent database. In this situation, the recovery of the data also rests on how much usage the system has had since the deletion of the data and how much free space is available on the system’s hard drive. Typically, recovery of files from the file system will have a higher success rate than performing the similar process on an Outlook data file. It is certainly possible to recover email from within an Outlook data file; however, due to the inherent space restrictions in an email container, deleted emails tend to be overwritten faster than those saved to and deleted from the file system.

Usage upsurge

The key to recovering all kinds of data, not just email, is how much usage the system has had since that data was deleted. The more usage the system has had, the less likely it is that you will be able to recover the data. The method Windows uses to delete files means that, rather than purging files from the disk, it simply flags the space occupied by the file as available. From that point forward it is more of a game of chance as to when the deleted file will be overwritten with new content. The more the machine is used, the greater that likelihood becomes.
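Carving deleted messages out of unallocated space, as an added example that is not from the article: the block scans a constructed byte blob standing in for an imaged region of a disk, recovers message fragments by their header signature, and flags a record that was partly overwritten after deletion, which is the overwrite risk the two preceding sections describe for emails saved to the file system. The image content, addresses and Message-IDs are constructed for the example.

```python
import hashlib
import re
from dataclasses import dataclass
from email import message_from_bytes
from email.policy import default

# Constructed sample of "unallocated space" (not a real disk image): two deleted
# .eml files, the second partially overwritten by a PNG written after deletion.
UNALLOCATED = (
    b"\x00" * 64
    + b"From: alice@example.com\r\nTo: bob@example.com\r\n"
    b"Subject: Q3 forecast\r\nDate: Mon, 05 Sep 2011 09:12:00 +0100\r\n"
    b"Message-ID: <a1@example.com>\r\n\r\nNumbers attached.\r\n"
    + b"\xff" * 32
    + b"From: bob@example.com\r\nTo: alice@example.com\r\n"
    b"Subject: Re: Q3 forecast\r\nDate: Mon, 05 Sep 2011 10:40:00 +0100\r\n"
    b"Message-ID: <b2@example.com>\r\n\r\nLooks go"
    + b"\x89PNG\r\n\x1a\n" + b"\x00" * 40
)

# A header block starts with "From: " not preceded by printable ASCII, i.e. it
# follows slack bytes or the line break that ends a previous record. A body line
# beginning "From: " would also match; such false starts are cheap to discard.
HEADER_START = re.compile(rb"(?<![\x20-\x7e])From: ")
# Longest run of text-like bytes from the header onwards; the first binary byte
# marks where the record was overwritten or where another file's blocks begin.
TEXT_RUN = re.compile(rb"[\x09\x0a\x0d\x20-\x7e]*")


@dataclass
class CarvedEmail:
    offset: int      # byte offset within the image, recorded for the evidence log
    message_id: str
    subject: str
    status: str      # "complete", or "partial" when truncated or overwritten
    sha256: str      # hash of the carved bytes so the fragment can be verified later


def carve_emails(blob: bytes) -> list[CarvedEmail]:
    """Carve RFC 5322 message fragments out of raw bytes and flag damaged ones."""
    results = []
    for m in HEADER_START.finditer(blob):
        start = m.start()
        chunk = blob[start:TEXT_RUN.match(blob, start).end()]
        nxt = HEADER_START.search(chunk, 1)  # an adjacent record begins a new message
        if nxt:
            chunk = chunk[:nxt.start()]
        msg = message_from_bytes(chunk, policy=default)
        # Intact records have a header/body separator and end on a line break.
        intact = b"\r\n\r\n" in chunk and chunk.endswith(b"\r\n")
        results.append(CarvedEmail(
            offset=start,
            message_id=str(msg["Message-ID"] or ""),
            subject=str(msg["Subject"] or ""),
            status="complete" if intact else "partial",
            sha256=hashlib.sha256(chunk).hexdigest(),
        ))
    return results
```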

The ultimate success of your outcome lies in the practical and technical prowess of your investigative team, who should be able to utilise incident response procedures designed to properly retrieve and preserve electronic evidence.

It is also possible to image the whole hard drive or other electronic media in order to recover deleted emails. However, whatever appropriate method of collecting computer-based evidence you choose, it should be established and refined by the investigators and supported by courts at an international level, especially if the matter involves multiple jurisdictions.

Unless appropriate procedures are adhered to by a relevant expert to effectively locate, retrieve and further protect the lost electronic data, the collection of any evidence to support a fraud or other investigative matter will be incomplete. Significantly, the procedures implemented need to be relevant and flexible to support your specific needs, and customised to your particular situation. For more complex matters, experts may employ traditional computer forensics, network forensics, or cutting-edge response procedures that involve acquiring data from live systems to ensure speedy recovery and preservation of data.

About the author:

John Shaw is forensics manager at First Advantage Litigation Consulting. He manages the European computer forensics team and is responsible for the technical and forensic aspects of all European projects. He works closely with clients to map out data collections, ensuring that any potential issues are addressed, and contributes to the ongoing development of bespoke forensic and e-disclosure software solutions. Prior to joining First Advantage, Shaw worked as an IT security consultant and as a computer forensics investigator with Sussex Police. For further information about First Advantage Litigation Consulting visit <http://fadvlit.com/>.

References

1. ‘Spoliation of evidence’. Wikipedia. Accessed Aug 2011. <http://en.wikipedia.org/wiki/Spoliation_of_evidence>.

2. Ehlke, Douglas. ‘Evidence Spoliation – A Growing New Tort’. Findlaw.com, 1 Nov 1996. Accessed Aug 2011. <http://library.findlaw.com/1996/Nov/1/231209.html>.

Recovering emails

Typical procedures involved with the investigation and recovery of digital data such as emails include:

• Establishing the authenticity of an electronic file or email.

• Ascertaining whether electronic data has been moved to portable media, between servers or transmitted over the Internet.

• Evaluating the degree to which document metadata supports or refutes a claim.

• Discovering evidence that is ‘buried’ within temporary files, replicated files, swap files, other system-created files or in a computer’s unallocated space.

• Performing thorough searches of storage media relating to previously deleted or erased documents, parts of documents or drafts of documents.

• Identifying the extent and nature of purposeful or negligent deletions, electronic ‘shredding’, the use of defragmentation programs, the installation of software, and the performance of any activities that destroy, alter or corrupt electronic data.

• Determining how to access emails and electronic information from password-protected or encrypted data.

• Performing steps to enhance the reliability of email evidence, to manage the storage of email effectively and to have appropriate controls in place regarding email usage to safeguard against future losses.