OT Re: [Am-info] Deleted E-mail Can Still Reside on Hard Drive
Joe Moore
Joe.Moore@sdrc.com
Wed, 30 Jan 2002 16:34:24 -0500
On Wed, Jan 30, 2002 at 04:05:37PM -0500, Fred A. Miller wrote:
> Deleted E-mail Can Still Reside on Hard Drive
> Though Enron-related e-mails were deleted, pieces and entire copies
> of the messages can probably be found on the hard drives, according
> to a computer forensics expert.
> http://www.computerworld.com/storyba/0,4125,NAV47_STO67583,00.html
>
> Now, the question I have is, is this true for all Linux mailers?
No. (All is such a strong word. It depends on the particulars of the mailer
and server setup) I don't see mention of Linux in the article, but...

Depending on which piece of evidence you're referring to, it may be more or
less common:

The sendmail logs (message received from bob sent to jane message ID 2RAAE83P)
are pretty much cross-platform. Even MsExchange has something like this.

The message spool directory can be backed up depending on the company's
backup policy. (It's pretty stupid to do intentionally, though)

Files that are deleted are not "really" deleted, but simply get their
disk blocks marked as unused. This is true on almost all modern operating
systems. If a block hasn't been overwritten, it could still contain data
from an email message. This is true both on the servers and on the clients.

On the email client end, there may be multiple copies of the email in
several files, such as INBOX.txt, Trash.txt, as well as in the "unused"
disk blocks these files may have once occupied.

--Joe
--
When you find yourself on the cutting edge of technology, remember:
The trailing edge is sharper than the leading edge.
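
Added example (not part of the original message): a toy block store showing the point above, that deleting a file only marks its blocks unused, so a scan of unallocated blocks still finds message data until those blocks are reused. The ToyDisk class, the 64-byte block size, the lowest-free-block allocation order and the sample message are all constructed for illustration and do not model any particular filesystem.

```python
BLOCK = 64  # toy block size (constructed; real filesystems commonly use 4 KiB)

class ToyDisk:
    """Toy block store: a file is a list of block numbers (not a real filesystem)."""

    def __init__(self, nblocks):
        self.blocks = [bytes(BLOCK)] * nblocks
        self.free = set(range(nblocks))
        self.files = {}

    def write(self, name, data):
        need = -(-len(data) // BLOCK)          # ceiling division
        picked = sorted(self.free)[:need]      # assumption: lowest free block first
        if len(picked) < need:
            raise OSError("disk full")
        for i, b in enumerate(picked):
            self.blocks[b] = data[i * BLOCK:(i + 1) * BLOCK].ljust(BLOCK, b"\0")
        self.free -= set(picked)
        self.files[name] = picked

    def delete(self, name):
        # Only allocation metadata changes; the block contents stay as they were.
        self.free |= set(self.files.pop(name))

    def carve(self, needle):
        """Free (unallocated) block numbers whose contents still contain needle."""
        return [b for b in sorted(self.free) if needle in self.blocks[b]]

# Constructed sample message (addresses and text are made up).
MAIL = (b"From: bob@example.com\nTo: jane@example.com\nSubject: Q4\n\n"
        b"numbers attached, delete after reading\n")

def demo():
    disk = ToyDisk(8)
    disk.write("Trash.txt", MAIL)               # occupies blocks 0 and 1
    before = disk.carve(b"jane@example.com")    # allocated, so not in free space
    disk.delete("Trash.txt")
    header = disk.carve(b"jane@example.com")    # header sits in block 0
    body = disk.carve(b"delete after reading")  # body tail sits in block 1
    disk.write("new.txt", b"shopping list")     # reuses block 0 only
    header_after = disk.carve(b"jane@example.com")
    body_after = disk.carve(b"delete after reading")
    return before, header, body, header_after, body_after

if __name__ == "__main__":
    print(demo())
```

The last two results show the "pieces" case: once a new file reuses the first block, the header is gone but the body fragment in the second block is still recoverable.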