T. Scheisskopf -- World News Trust
April 14, 2007 -- Recently, there have been a lot of stories regarding missing emails that committees from the U.S. House and Senate would like to see in the course of their investigations. The White House says the emails have gone missing. The Committee for Responsibility and Ethics in Washington (CREW) has issued a report stating that the number of missing emails could total 5 million. What follows are a few technical insights into this imbroglio.
Dana Perino, Press Spokesperson Pro Tempore for the White House, said a significant number of these emails were lost in the migration from a Lotus Notes email and messaging environment to one based upon Microsoft Exchange. Analysis follows:
1. The documents offered up do not have full email headers included. For those who understand such things, email headers are a rich source of information. I do not think that the lack of full email headers in these documents is a mistake.
2. From their format, as supplied, especially as regards how file attachments are shown on them, I would expect that their email server infrastructure is based upon Microsoft Exchange (version unknown, but considering the timeframe of the installation of Exchange, version 2003 is a real possibility). Now, this possibility, taken with the recent CREW information that 5 million emails are missing, tells me something:
Five million emails are missing, out of how many emails? That is hard to divine, but I can say this: this is a very high volume email infrastructure, one that surely has a ton of security. In an Exchange environment like that, you are going to have Exchange bridgehead servers, connectors, routing servers, Active Directory servers, firewalls, clustering, a number of email stores, IIS servers, service-dedicated servers, ISA servers, SAN storage and a lot more. Plus BlackBerry servers. And, most importantly, a dedicated sub-infrastructure of servers for just backups and archiving.
For all these emails to be scrubbed completely is No Small Taters. Either this was the single worst configured and administered Exchange infrastructure in the history of mankind, or one or more people with a very detailed knowledge of Exchange came in, mapped the topology and proceeded to sanitize the system.
3. There is a third possibility: That the White House and the RNC have decided to stonewall and ignore subpoenas.
Any way you slice and dice it, this is big and it points to a potential for organized criminal effort. I also cannot think of any geek who would willingly sign onto duty like this and place themselves in a position of such jeopardy. Especially one with the high level of technical expertise needed to do all of this. Why? They don't let you play with computers in federal stir. That is like taking away breathing rights to a committed geek. Plus the loss of pay. IT pays well.
4. Which leads to a fourth possibility: Could this system have been intentionally set to wipe out, lose, obfuscate and obscure? That is not impossible, although it would take real effort. Exchange is designed for a nominally legal and ethical operating environment, thus, it is designed for the retention of data, not the destruction. It would take real effort to setup an Exchange infrastructure to do anything but retain and protect data.
Were I advising Leahy or Waxman, I would find out where those servers are and put seals on them posthaste. I would also be lining up, and blocking time with, noted computer forensics experts. Maybe booking some secure warehouse space and hotel accommodations as well.
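Point 1 above turns on what a full header block actually carries. The following is an added example, not code from the article or from any of the firms or systems it names: it parses a constructed sample message with the standard library, walks the Received chain in chronological order, and reports which provenance headers a stripped-down printout has lost. Every host name, address, IP and timestamp in the sample is constructed for illustration.

```python
"""Added example (not part of the original article): extract provenance data
from full email headers and flag what a headers-stripped copy has lost.

All hosts, addresses, ids and timestamps below are constructed samples."""
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed message with a full header block. Each relay prepends its own
# Received header, so the topmost one is the most recent hop.
SAMPLE_MESSAGE = """\
Received: from mailhub.example.test (mailhub.example.test [192.0.2.10])
\tby archive.example.test (Exchange) with ESMTP id A1B2C3;
\tMon, 9 Apr 2007 14:03:22 -0400
Received: from workstation.example.test ([198.51.100.7])
\tby mailhub.example.test with SMTP id X9Y8Z7;
\tMon, 9 Apr 2007 14:03:20 -0400
Message-ID: <20070409180320.12345@workstation.example.test>
Date: Mon, 9 Apr 2007 14:03:19 -0400
From: sender@example.test
To: recipient@example.test
Subject: Meeting notes

Body text omitted.
"""

# The same message as it would appear on a printout that kept only the
# "display" headers: no routing, no unique id (constructed).
STRIPPED_MESSAGE = """\
Date: Mon, 9 Apr 2007 14:03:19 -0400
From: sender@example.test
To: recipient@example.test
Subject: Meeting notes

Body text omitted.
"""

# Headers whose absence leaves a message with no verifiable origin or timeline.
PROVENANCE_HEADERS = ("Received", "Message-ID", "Date")

RECEIVED_FROM = re.compile(r"\bfrom\s+(\S+)", re.IGNORECASE)
RECEIVED_BY = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)


def _unfold(value):
    """Collapse RFC 5322 header folding (newline + whitespace) into single spaces."""
    return " ".join(value.split())


def parse_received_chain(raw_message):
    """Return the Received hops oldest-first as dicts of from/by/timestamp."""
    msg = message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        text = _unfold(value)
        # The timestamp follows the last ';' of the clause, when present.
        if ";" in text:
            clause, stamp = text.rsplit(";", 1)
        else:
            clause, stamp = text, ""
        from_m = RECEIVED_FROM.search(clause)
        by_m = RECEIVED_BY.search(clause)
        hops.append({
            "from": from_m.group(1) if from_m else None,
            "by": by_m.group(1) if by_m else None,
            "timestamp": parsedate_to_datetime(stamp.strip()) if stamp.strip() else None,
        })
    return hops


def missing_provenance_headers(raw_message):
    """List which of the provenance headers are absent from the message."""
    msg = message_from_string(raw_message)
    return [h for h in PROVENANCE_HEADERS if msg.get(h) is None]


def summarize(raw_message):
    """Condense the routing evidence a reviewer would want from the headers."""
    msg = message_from_string(raw_message)
    hops = parse_received_chain(raw_message)
    transit = None
    if len(hops) > 1 and hops[0]["timestamp"] and hops[-1]["timestamp"]:
        transit = (hops[-1]["timestamp"] - hops[0]["timestamp"]).total_seconds()
    return {
        "message_id": msg.get("Message-ID"),
        "date": msg.get("Date"),
        "hop_count": len(hops),
        "origin_host": hops[0]["from"] if hops else None,
        "final_server": hops[-1]["by"] if hops else None,
        "transit_seconds": transit,
    }


if __name__ == "__main__":
    for hop in parse_received_chain(SAMPLE_MESSAGE):
        print(hop)
    print(summarize(SAMPLE_MESSAGE))
    print("stripped copy lacks:", missing_provenance_headers(STRIPPED_MESSAGE))
```

The summary shows why a reviewer would insist on the full headers: the Received chain names the originating host and the server that finally stored the message, the Message-ID gives a unique key for matching a printout against an archive or backup, and the hop timestamps give an independent timeline. The stripped copy retains none of that, which is exactly the gap the article points at.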
Update 4/17/07: A computer forensics expert from Stroz Friedberg LLC, a noted computer forensics firm, was on "Countdown with Keith Olbermann" a couple of nights ago, discussing this matter. To encapsulate what he said: he was clear about the fact that if the email had been merely deleted from an Exchange email system, there were still a number of places where the emails could be found, most notably on backup tapes. Failing that, higher-level computer forensics could possibly reclaim the messages from hard drives, if they had not been overwritten with random data by a secure hard-drive wiping program. If that has happened, there is still a possibility that they could be recovered with low-level computer forensic utilities that analyze the magnetic layer of the disks. Nothing of what he offered contradicted the premises offered in the above article and, indeed, buttressed many of them. He was quite clear about the number of places the messages could still exist on the system as a whole. He also alluded to the fact that if a secure hard-drive wiping program had been used, that could be evidence of a concerted effort to destroy data.
It should be noted that when, in the course of a computer-based crime investigation (especially one involving child pornography), the investigating agency comes across one of these random-data wiping programs, the agencies involved tend to look upon the existence of that program, on that computer, as a factor that increases the possibility of that computer having been used in a crime or crimes. Right or wrong, such a viewpoint is incredibly simplistic.