Comics Books


Monday, May 5, 2008

Challenges in Recovering Deleted Email

Both machine forensics experts and data recovery technicians seek to recover deleted data. Data recovery is primarily interested in bringing back files, while machine forensics tends to dig deeper, looking not just for deleted documents, but also for metadata (data about data such as file attributes, descriptions, dates, and other information) and meaningful snippets of unrecoverable files. One area of particular interest is email.

When most documents are written to a machine's hard disk, each newly created document has its own directory entry (what the user sees as a listing in a folder). When a file has been deleted, but has not been overwritten by another document, the recovery process is a relatively trivial part of e-discovery or of data recovery. But when the data of interest is from deleted email, the discovery process is likely to differ significantly from that of data recovery. Individual emails are stored differently than individual files. Different types of email programs store data differently on the user's hard disk and require different schemes for finding useful information. As a result, the deletion of emails and the recovery of deleted emails differ not only from that for other types of documents, but also between different types of email programs.

There are three main types of email in common usage: Microsoft Outlook (often paired with a Microsoft Exchange Server), text-based email client programs, and web-based email, or webmail.

In Microsoft Outlook, all emails are kept in one large, encrypted, non-text file - the PST, or Personal Folders file. Outlook has additional functions and additional content as well. There is an integrated address book, multiple mailboxes, a calendar, and a scheduler, all of which are contained in the PST file. When one looks into a PST file with a file editor or word processing application, there is little or nothing intelligible to the human eye. The file content looks like nearly random characters.

In general, the PST file must be loaded into Outlook to be read. When an email is deleted, or even when it is purged, it may be kept within the body of the single large file, but become inaccessible to the program. Some deleted emails may be recovered by manipulating the file through a manual process, repairing the resultant file, and then loading it back into Outlook.

Text-based email programs include Microsoft Outlook Express, Qualcomm Eudora Pro, Mozilla Thunderbird, Macintosh Mail, and others. In text-based mail applications, each mailbox has its own file, and all emails from a given mailbox are kept in that one file. For instance, there is likely to be a single file for all of the emails in the Inbox, one for all in the Outbox, one for each user-generated mailbox, and so on. The mailbox files are primarily text files. When an individual email is deleted, the text may be orphaned, or released from the body of the file, but may still be recoverable as a file remnant that may contain the body of the email as well as information such as dates, times, and sender.

A standard data recovery process would not recover such deleted email, as the mailbox that had contained it may still be intact, just no longer holding the deleted email. Part of electronic discovery would include searching the unallocated portion of the hard disk for specific terms or phrases that are likely to be within the body of suspect emails. (When a file is written, the operating system allocates a specific area of the hard disk to that file. When the file is deleted, that space is de-allocated and is referred to as unallocated space.) A search may also be performed for email headers, which are also text-based. The resulting data may then be gathered and displayed as text files.
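The header and keyword search described above can be sketched as follows. This is an added example, not code from the original article: the function name `carve_email_remnants`, the sample buffer and the addresses in it are constructed for illustration, and a real examination would run over a read-only image of the disk rather than an in-memory byte string.

```python
import re
from email.parser import BytesHeaderParser

# One "Name: value" header line plus any folded continuation lines.
_LINE = (rb"[A-Za-z][A-Za-z0-9-]{1,40}:[ \t][^\r\n\x00]{0,998}\r?\n"
         rb"(?:[ \t][^\r\n\x00]*\r?\n)*")
_BLOCK = re.compile(rb"(?<![A-Za-z0-9-])(?:" + _LINE + rb"){3,}")
_TEXT = re.compile(rb"[\t\n\r\x20-\x7e]{0,4096}")  # printable run after the headers
_KEY_FIELDS = ("from", "to", "date", "subject", "message-id")

# Constructed sample standing in for a chunk of unallocated space.
SAMPLE = (
    b"\x8f\x00\x13\xfe" * 8
    + b"From: alice@example.com\r\nTo: bob@example.com\r\n"
      b"Date: Mon, 05 May 2008 05:23:00 -0700\r\n"
      b"Subject: Q2 invoice\r\n\r\nPlease shred the old ledger.\r\n"
    + b"\x00" * 16
    + b"Width: 10\nHeight: 20\nDepth: 30\n"  # header-like text that is not mail
    + b"\xff\xd8\x00"
)

def carve_email_remnants(raw, terms=(), min_key_fields=2):
    """Find orphaned email header blocks in raw bytes and flag search terms."""
    found = []
    for m in _BLOCK.finditer(raw):
        hdrs = BytesHeaderParser().parsebytes(m.group(0))
        if sum(1 for k in _KEY_FIELDS if hdrs[k] is not None) < min_key_fields:
            continue  # some other "Name: value" text, not a mail header
        field = lambda k: None if hdrs[k] is None else str(hdrs[k])
        # Body remnant: printable text up to the first binary byte (max 4 KiB).
        body = _TEXT.match(raw, m.end()).group(0).decode("ascii").strip()
        haystack = (m.group(0).decode("ascii", "replace") + body).lower()
        found.append({
            "offset": m.start(),  # byte offset, for the examiner's notes
            "from": field("from"),
            "date": field("date"),
            "subject": field("subject"),
            "body": body,
            "hits": [t for t in terms if t.lower() in haystack],
        })
    return found

if __name__ == "__main__":
    for hit in carve_email_remnants(SAMPLE, terms=("ledger", "invoice")):
        print(hit)
```

Requiring at least two recognised mail fields keeps configuration files and other colon-separated text from being reported as email remnants.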

A third form of email is Web-accessed email. Many, if not most, commercial email providers offer the user the opportunity to access email via a web browser. America Online is another email provider that generally does not store email on the user's machine by default. Email is stored on a remote machine, or distributed across many remote machines, that may be any place on the Internet. As these machines host hundreds or even millions of users and their email, the storage of such email is extremely dynamic. When emails are erased in such an environment, remnants of individual emails and files tend to be overwritten quickly and repeatedly. There may be some remnants found on the user's machine in a virtual memory or a buffer file, however. The recent US Attorneys scandal highlighted the use of such web-based email (see "Why Email Matters: the Science Behind the US Attorney Scandal," by Steve Burgess, ezinearticles.com/?Why-Email-Matters---The-Science-Behind-the-US-Attorney-Scandal&id=531412).

There is always a chance that remaining deleted files, or remnants thereof, may be overwritten. Due to this possibility, it is best to immediately turn off any machine where the recoverability of data is in question. The longer the machine remains in use, the greater the likelihood of useful data being irreparably destroyed. If a user's machine is likely to be used or inspected during legal matters, or if document discovery is expected, the machine should be turned off to avoid spoliation of evidence.

If precautions are taken once a file is deleted, the file is likely to be recoverable. The same is true of email. While deleted or trashed email may not be recoverable as a complete mailbox file, the content of said email and its metadata might be discoverable or recoverable through the different methodologies available to machine forensics specialists.

Steve Burgess is a freelance technology writer, a practicing machine forensics specialist as the principal of Burgess Forensics, and a contributor to the upcoming Scientific Evidence in Civil and Criminal Cases, 5th Edition by Moenssens, et al. Mr. Burgess may be reached at

http://www.burgessforensics.com

steve@burgessforensics.com

Posted by vh1ctnx | 5:23 AM |


