Probe of Clinton's server could find more than just emails
Now that federal investigators have Hillary Rodham Clinton's homebrew email server, they could examine files on her machine that would be more revelatory than the emails themselves.
Clinton last week handed over to the FBI her private server, which she used to send, receive and store emails during her four years while secretary of state. The bureau is holding the machine in protective custody after the intelligence community's inspector general raised concerns that classified information had traversed the system.
Questions about her use of the server have shadowed her campaign for the Democratic presidential nomination. Clinton again this weekend repeated a carefully constructed defense of her actions, in that she did not send or receive emails marked classified at the time.
But her emails show some messages she wrote were censored by the State Department for national security reasons before they were publicly released. The government blacked out those messages under a provision of the Freedom of Information Act intended to protect material that had been deemed and properly classified for purposes of national defense or foreign policy.
What hasn't been released: data that could show how secure her system was, whether someone tried to break in, and who else had accounts on her system. A lawyer for Platte River Networks, a Colorado-based technology services company that began managing the Clinton server in 2013, said the server was provided to the FBI last week.
Indeed, many physical details of the server remain unknown, such as whether its data was backed up. In March, The Associated Press discovered that her server traced back to an Internet connection at her home in Chappaqua, New York.
A computer server isn't a marvel of modern technology. Just like a home desktop, the computer's data is stored on a hard drive. It's unclear whether the drive that Clinton used was thoroughly erased before the device was turned over to federal agents.
If it had been, it's also uncertain whether the FBI could recover the data. Clinton's lawyer has used a precise term, "wiped," to describe the deleted emails, but it was not immediately clear whether the server had been wiped. Such a process overwrites deleted content to make it harder or impossible to recover.
An FBI spokesman declined to comment.
Investigators who examine her server might find all sorts of information -- how it was configured, whether it received necessary security updates to fix vulnerabilities in software, or whether anyone tried to access it without permission.
Running a server is akin to her messages being stored inside an office file cabinet. But while a file cabinet only yields the documents stored inside, a server can also offer information about the use of that data over time: Who had access to the filing cabinet? Did anyone try to pick the lock? Did the owner attempt to alter the files in any way? And who was given keys to the building in the first place?
Since her server was first installed in 2009, it most likely used a traditional hard disk-based device rather than a newer solid state unit that only has become commonly used in the last two or three years, said computer scientist Darren Hayes. Solid state drives, until recently, were much more expensive than their counterparts for storing lots of data.
Forensics experts would then have an easier time retrieving erased data because such older, disk-based servers are not as efficient in deleting material, said Hayes, assistant professor and director of cybersecurity at Pace University's School of Computer Science and Information Systems in New York.
"A hard disk drive is very difficult to manipulate," he said. "Once you get your hands on a hard drive, there's a lot you can recover."
Even after files are marked for deletion on a disk, Hayes said, their contents remain on the drive and can be retrieved. Even if the full file is gone, fragments can be pulled off the drive. Sometimes a complete email file even can be found inside other files marked for deletion.
Clinton said in March that she had exchanged about 60,000 emails during her four years in the Obama administration, about half of which were personal and deleted. She turned over the others to the State Department, which is reviewing and releasing them on a monthly basis.
Last month, the inspector general for the nation's intelligence community warned that some of the information that passed through Clinton's server was classified information.
It's generally not possible to forward or cut-and-paste an email marked classified to a private account because classified email systems are closed to outsiders. But it can be illegal to paraphrase or retype classified information from a secure email into an unprotected message sent to a personal address.
Hayes said forensics experts could, in most cases, determine whether the server used encryption to transmit emails, which would be important in learning whether her occasional email discussions of classified and sensitive matters might have been vulnerable to hackers and snooping by foreign governments.
The server's internal registry could also provide hints of whether hackers penetrated the server's security.
"They may have deleted a lot of data, but there's a lot of data that a good forensics team would be able to recover," he said.
Associated Press writer Eric Tucker contributed to this report.
Follow Jack Gillum on Twitter: https://twitter.com/jackgillum