E-mails are messy entities, leaving little bits of themselves all over the network. That’s why the attempts of employees in the Houston office of Arthur Andersen LLC to delete e-mails related to failed commodities exchange Enron were futile.
“It is impossible that [congressional investigators] cannot find data on those hard drives. There are too many computers involved,” said Michael Sanders, a computer forensics expert who specializes in e-mail recovery at New Technologies Inc. in Gresham, Ore. “[They] will find enough information to make a story.”
As e-mail travels through the network, it leaves bits, and sometimes entire copies of itself, that aren’t affected when the Delete button is hit. And that doesn’t even take into account the e-mail remnants left on users’ hard drives or the periodic backups made of the server contents.
According to published reports, Andersen acknowledges that in October and November, its employees deleted e-mails related to their work as accountants and auditors for Enron.
While e-mail servers and applications vary in how they move and store electronic messages, all of them hoard information on hard drives in the same way if they’re running on Windows-based PCs, Sanders said. He added that Lotus Notes is a particularly easy program from which to recover deleted messages.
Arthur Andersen uses e-mail software and servers from IBM’s Cambridge, Mass.-based Lotus Software Group subsidiary, according to Lotus CEO Al Zollar. At a conference last spring, he discussed the possibility that Lotus might lose Andersen as a client.
Lotus declined an offer to comment for this story. Representatives for the other companies didn’t return calls.
According to John Korsak, product manager for Lexington, Mass.-based Ipswitch Inc.’s IMail Server, a few firewalls are even configured to log information about e-mail passing in and out. For POP3 e-mail, the message spools to a temporary file on the e-mail server while it’s being accepted. Though it may stay there for only a millisecond, Sanders said, a message can get stuck in spools, bouncing around from directory to directory.
Enron was using Ipswitch’s IMail server, according to a list of technology assets sold to UBS Warburg, the investment banking arm of Swiss bank UBS AG, as part of Enron’s bankruptcy proceedings.
Sendmail, a freeware application that is the most common mail transfer agent (MTA), also records a log of all the header information for each e-mail that passes through a server. Once the MTA assigns the message to a directory on a server, it may be backed up to a storage tape. After a user downloads the message from the server, it sits in the in-box view until it’s deleted. From there, it goes to the deleted files view, and if deleted from there, it is simply removed from the user’s display. But the message is still in the application and remains there until it’s marked as free space by a process known as compression, or archiving in Notes. The message remains until the application overwrites it with a new message, which could take weeks or months.
Even then, it will still remain, in part or in whole, on the hard drive in what are known as swap files. If an end user copied the e-mail to removable media, like a floppy disk, the registry would have a record of that activity.
And with Web-based e-mail, the messages would be in the temporary files, even if deleted, until that space is overwritten.
If nowhere else, the data is almost certainly on the hard drive, Sanders said. “As an administrator, that would be the first place I’d look,” he added.