Deleting embarrassing e-mails isn't easy, experts say

McClatchy NewspapersApril 13, 2007 

WASHINGTON—If Karl Rove or other White House staffers tried to delete sensitive e-mails from their computers, experts said, investigators usually could recover all or most of them.

The House Committee on Oversight and Government Reform is investigating whether the White House or the Republican National Committee erased "a large volume of e-mails" that may be related to the firings of eight U.S. attorneys.

Rove's lawyer, Robert Luskin, denied Friday that his client, President Bush's top political adviser, intentionally deleted his e-mails. He said Rove thought they were being stored on other machines as well as on his own.

Deleting a document or e-mail doesn't remove the file from a computer's hard drive or a backup server. The only thing that's erased is the address—known as a "pointer"—indicating where the file is stored.

It's like "removing an index card in a library," said Robert Guinaugh, a senior partner at CyberControls LLC, a data forensic-support company in Barrington, Ill. "You take the card out, but the book is still on the shelf."

Similarly, the bits and bytes—the 0's and 1's of computer language—remain on the computer's hard disk until they're overwritten by another file. Portions of the file also are scattered in various locations on the disk, so some parts may not be overwritten for years, if ever. This is a random process directed by the machine's operating system, over which the user has no control.

"People think they can delete e-mails, but that's not always the case," Guinaugh said. "Two years from now I could still find a file I deleted today."

The only sure way to get rid of the data permanently, he said, is to "scrub" the disk with special software or destroy it.

"You could take the hard drive out and smash it with a hammer," said Ron Ravikoff, a senior partner and expert on deleted e-mails at Zuckerman Spaeder, a Miami law firm.

To find a deleted document or e-mail, investigators create what they call a "bitstream"—a bit-by-bit copy of every 0 or 1 on the computer's hard drive. Using forensic software, they scroll through this mass of data looking for names, addresses, key words, dates, times or phrases that might have come from a deleted file. These segments can be partly, or sometimes completely, reassembled.

"It's a painstaking process," Guinaugh said. "There may be pieces of files scattered around. You have to put it together again."

As an investigator works, he may run across evidence that someone had installed scrubbing software or changed the date and time that a file was created.

"That would be suspicious," Guinaugh said. "It might indicate that something nefarious was going on."

The recovery of a deleted file won a settlement in a famous court case in 1999 that involved a woman who died after taking a combination of diet pills from the A.H. Robins Co., a drug manufacturer in Richmond, Va. Her lawyers found an internal e-mail from one Robins employee to another that read: "Do I have to look forward to spending my waning years writing checks to fat people worried about a silly lung problem?"

McClatchy Newspapers 2007

McClatchy Washington Bureau is pleased to provide this opportunity to share information, experiences and observations about what's in the news. Some of the comments may be reprinted elsewhere in the site or in the newspaper. We encourage lively, open debate on the issues of the day, and ask that you refrain from profanity, hate speech, personal comments and remarks that are off point. Thank you for taking the time to offer your thoughts.

Commenting FAQs | Terms of Service