Recovery of "Deleted" Email
Clive D.W. Feather
clive at davros.org
Mon Aug 15 10:35:16 BST 2011
Ian Batten said:
> If two people, communicating via ordinary commercial webmail services, exchange unencrypted email, and they both then delete the messages using the normal deletion facilities the providers' usual interfaces offer, how recoverable are the messages by a discovery motion?
> His contention was that, for practical purposes, a sufficiently resourced adversary all email is discoverable indefinitely, or, alternatively, you cannot know that it is not discoverable at any specific point in time.
> My suspicion is that commercial providers don't take their whole email float to tape, and therefore "at some point" (where that point is ill-defined) the email will not be recoverable even with forensic tools, so the position is "you cannot know when, but it will become non-discoverable within a year or so of notional deletion". I'm assuming that service providers buy disk on demand, so over time "older" storage will fill and overwrite deleted items. But I may well be being naive.
Email churns a *lot* - from memory, at Demon the mean lifetime of a
message in the mailstore was 2 to 3 days, meaning that 30% to 50% of the
files would be less than a day old. In that environment, backups are
largely useless. Instead, you keep email on highly reliable filesystems and
pray that you don't get hit by the thousand-year error that destroys every
copy of a file.
I have no idea if that's current practice, but it still feels to me like
the best approach.
Clive D.W. Feather | If you lie to the compiler,
Email: clive at davros.org | it will get its revenge.
Web: http://www.davros.org | - Henry Spencer
Mobile: +44 7973 377646
More information about the ukcrypto