The private email server used by Hillary Clinton during her tenure as Secretary of State has now been turned over to the FBI. According to reports based on information from the company that had managed the email network, that server is "blank" and "no longer contain[s] useful data."
This doesn't mean that the emails and other files are gone; apparently, the removal of files happened in connection with a server transition, so copies of the files themselves should be accessible on the new server. But that won't stop Clinton critics, some of whom are already asking whether relevant data may have been deleted during the migration. Understanding such accusations requires some background in computer forensics and the ways that files are stored, accessed, deleted, and recovered.
There are three basic categories of information that can be retrieved from a computer. The first type is the ordinary files we normally think of. So, for example, I'm writing this post as a Microsoft Word file. I'll save it on my computer, and that file will be accessible in the future. If I have copies made of all of the files on my computer -- as a backup, or as part of a transition to a new computer -- that Word file will show up in the new set of files.
The second category is "metadata." This is the data that we don't normally think of as part of the content of the file itself; it tends to be technical information about the file's creation and use. Going back to the Word document example, my computer will store data such as the time the file was created, when it was last modified, and when it was last opened.
Although this information isn't always relevant to the file's original users, if the file is ever relevant in a civil case or a criminal investigation, certain details -- such as whether a particular person ever opened it, or whether it's been altered since some point in time -- can become critical. The degree to which metadata is preserved during copying or migration depends on the process used. It's possible to do it in a way that keeps essentially all of that information intact; this is typically how it's done when the copy will be used for forensic purposes. But it's not always done that way, so in some cases the files in the new setting will still be accessible for their normal purposes but the metadata will be gone or changed.
The last category is deleted files -- or, more accurately, the files we thought were "deleted." If I were to delete my Word file after submitting this post, it would first go to the Recycle Bin, where I could still access it if I needed it. But if I then clicked on "Empty the Recycle Bin," it would be gone forever -- right?
Wrong. As many criminal defendants and civil litigants have learned to their chagrin, that file is still there on my computer. I may not be able to access it through the normal point-and-click process, but right after being deleted it's still on my hard drive, just as it had been before. The difference is that it's now in what's called "unallocated space."
Think of it this way. Imagine your computer as a grid with 100 identically sized squares that can hold files, with bigger files taking up more squares. Imagine I have 80 squares filled up, and when I save my Word file that uses up another 10. Once that Word file is saved, those 10 squares are "allocated" to it, and if I then try to save another file that would take up 15 squares, my computer won't let me, because there's not enough room -- there are only 10 "unallocated" squares left.
When I "delete" that Word file from my computer, it doesn't go away -- the computer just stops saving its spot. If I don't save anything else, the file will stay there. Even if I do save a new file, whether or not my new file "displaces" my "deleted" Word file is somewhat random. Remember, before saving my Word file I had 20 unallocated squares, and the Word file only took up 10. If a new file takes up five squares, it might take over part of the Word file's space, or it might go somewhere else.
And here's the key -- even if an ordinary computer user can't recover deleted files from unallocated space, more sophisticated users can. The FBI, in particular, has extremely advanced methods to search for deleted files (or fragments of those files) on computer media. (There are ways to try to avoid such recovery -- there are programs, for example, that will overwrite data into unallocated space to truly get rid of "deleted" files. These aren't necessarily 100 percent effective, and of course evidence that a computer has been "wiped" in this way will raise its own flags.)
It's unlikely that the data from the Clinton server was copied in a way that preserved deleted files. Again, this can be done, but it's not standard practice outside of the forensic setting.
So there's a good chance that in the end, the electronic data will be considered incomplete from an investigative perspective -- even if every file appears to have been carried over, investigators may never have the full metadata showing those files' lifecycles and may not be able to search for deleted data. We can expect to hear a lot more about this from Clinton's accusers as the investigation continues.