Update: News broke Tuesday night that Clinton had two classified "top secret" e-mails on her private server and that her attorney has turned over the server and a thumb drive to the FBI. The below post, which we are re-upping, is from March.
Hillary Clinton's defense for having deleted 31,000 personal e-mails from her home server can be summarized in two words: "Trust me." Trust me that I didn't delete anything related to my time at the State Department; trust me that I turned over everything that might be of interest to investigators. In an interview with the Associated Press, Rep. Trey Gowdy (R-S.C.), the chairman of the committee looking into the 2012 terror attacks in Benghazi, indicated that he'd be applying the maxim of Ronald Reagan to the claim: Trust, but verify. Albeit maybe without the "trust" part.
Gowdy's request to Clinton? Hand over the server. "Gowdy said he hopes Clinton will turn over the server voluntarily," the AP reported, since "the panel does not have the authority to issue a subpoena for the server." If necessary, the House could vote to issue a subpoena for the device (which is just a bulked-up computer with special software).
But, we wondered, what are the odds any of those 31,000 deleted e-mails would be found if the server is turned over? So we called We Recover Data, a straightforwardly named outfit in New York City, and spoke to engineering supervisor Tom Hakim and director of digital forensics Scott Gibbs. We asked them to consider the setup, which appears to be a box running Windows Server 2008 and using Microsoft Exchange as its e-mail system, neither of which is unusual, and both of which were probably in place at the outset.
Gibbs felt confident that an examination would turn up something. "If I had to put a percentage of success on this, it would be anywhere from 90 to 95 percent successful typically," he said, referring to finding those e-mails. That is: "If no other steps were taken to go in and otherwise make the data inaccessible."
Some explanation is in order. When a file is deleted from your computer, it isn't actually deleted. Instead, the pointer the computer uses to find the file is removed, and the computer treats the space on your hard drive as reusable. Think of an abandoned house on a lot owned by the city. Simple enough to bulldoze and build something new -- but you can still see what the house used to look like.
That doesn't mean that things stick around forever. Computers randomly store data on drives, so that lot could be bulldozed and reused at any point. The more you're doing on the machine, the more likely that is. (The Macintosh operating system offers a "secure delete" option, which overwrites the space on the hard drive with gibberish.) When you defragment a hard drive, it moves everything around, sort of pre-bulldozing the lots, to continue the analogy.
Exchange databases are a bit different, Hakim said. The database used to store and deliver the e-mails is in something of a gated community, meaning that the bulldozers have a harder time getting inside. (Just so you know, I'm sick of this analogy, too.) Running clean-up operations in Exchange, reducing the footprint of the database (pulling in the community walls!) can do the same thing, but usually Exchange just keeps expanding the size of the database, making it more likely that deleted files can be recovered.
If the file isn't overwritten, "we can recover that," Hakim said flatly. Otherwise? Probably not. That's the key.
So let's say that Gowdy got Clinton's server into Gibbs's hands. The first thing he'd do is create a "physical forensic image," which is an "identical, bit-by-bit, zero-by-zero copy of the original hard drive." The analysis is done on that image, because it is read-only and can't be changed. He'd then try to locate the databases used by Exchange and extract them. Then he'd perform forensic analysis of the unallocated spaces (that is, the abandoned houses) in the database itself.
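The following sketch is an added illustration, not part of the original article or anything the examiners described using. It models the deletion and imaging steps above on a toy disk: deleting a file removes only its pointer, a verified read-only image is taken, and the unallocated blocks are searched before and after new data reuses the space. The 64-byte block size, the file names, the sample messages and the "Subject:" marker are all constructed assumptions, and the layout is not Exchange's real database format.

```python
import hashlib

BLOCK = 64  # bytes per block on this toy disk (constructed value)

class ToyDisk:
    """Raw bytes plus a table of name -> block numbers (the "pointers")."""
    def __init__(self, nblocks):
        self.data = bytearray(nblocks * BLOCK)
        self.table = {}

    def allocated(self):
        return {b for blocks in self.table.values() for b in blocks}

    def write(self, name, payload):
        chunks = [payload[i:i + BLOCK] for i in range(0, len(payload), BLOCK)]
        free = [b for b in range(len(self.data) // BLOCK) if b not in self.allocated()]
        if len(free) < len(chunks):
            raise OSError("disk full")
        for b, chunk in zip(free, chunks):
            self.data[b * BLOCK:b * BLOCK + len(chunk)] = chunk
        self.table[name] = free[:len(chunks)]

    def delete(self, name):
        del self.table[name]  # the pointer is removed; the bytes are left in place

def image(disk):
    """Bit-for-bit, immutable copy plus a SHA-256 digest to verify it later."""
    img = bytes(disk.data)
    return img, hashlib.sha256(img).hexdigest()

def carve_unallocated(img, allocated, marker=b"Subject:"):
    """Return text from blocks no file points to that still hold the marker."""
    hits = []
    for b in range(len(img) // BLOCK):
        block = img[b * BLOCK:(b + 1) * BLOCK]
        if b not in allocated and marker in block:
            hits.append(block.rstrip(b"\0").decode("ascii", "replace"))
    return hits

def demo():
    disk = ToyDisk(8)
    disk.write("keep.eml", b"Subject: budget\nbody A")        # constructed sample
    disk.write("gone.eml", b"Subject: lunch plans\nbody B")   # constructed sample
    disk.delete("gone.eml")
    img, digest = image(disk)
    verified = hashlib.sha256(disk.data).hexdigest() == digest
    before = carve_unallocated(img, disk.allocated())
    disk.write("new.eml", b"X" * BLOCK)  # new data reuses the freed block
    after = carve_unallocated(image(disk)[0], disk.allocated())
    return verified, before, after
```

The deleted message is recovered from the first image and is gone from the second, which is the overwritten case Hakim describes.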
But if someone came through and did cleanup, or if the deleted files were overwritten, Gibbs wouldn't necessarily find anything. Asked how likely it would be that he could tell if someone had specifically tried to cover their tracks by wiping the data, he suggested it was about 70 percent likely. In other words: decent odds that a skilled technician would be able to completely hide his tracks.
Gibbs raised another point: backups. Clinton, he assumed, didn't set up the server herself, requiring a professional to come in and set it up. "I cannot believe that any IT professional who would set this up -- knowing the nature of the data that's going to be on it and the person it's for -- would not have any kind of backup," he said. "It's either incompetence or highly dubious." There are a variety of ways this data can be backed up -- onto another hard drive, to the Internet, to magnetic tape -- and the length of time backups are kept varies. But somewhere deep in the Clinton compound at Chappaqua, those old e-mails may still be accessible on some system other than the server itself.
The odds any of this ever happens? Probably pretty low. There's a lot of political value in hammering Clinton on Benghazi (which is how we got to this point), but forcing her to turn over a server that is only tangentially related to that case requires another level of political effort. Overwritten or not, the odds are good that what Clinton deleted will never be seen again.