The “Louisiana Technology Council” held a press conference today regarding the ongoing attempts to recover Mayor Nagin’s email and calendar information. I just got back from the press conference, but am somewhat disappointed in its content. Some information can be found in these articles:
I’m waiting for the broadcast tonight to review what was said. The meat of the press conference boiled down to this scenario: an Exchange 2003 mail server experienced a significant but unspecified failure in 2008, prompting the city’s IT department to accelerate a planned migration of the mailstore to a new Exchange 2003 server. The old mail server was purged of 22 GB of data, leaving a post-purge store size of 60+ GB, at or around May 5th, which the individuals associated with the LTC recovery effort described as suspiciously soon after a conference call about the recovery effort.
They have managed to recover the Mayor’s calendar, but not all of his original emails. No technical details were presented regarding their methodologies for acquisition or analysis. The speaker described his company’s work as data recovery and email recovery, which leads me to believe they occupy a role dealing with recovering accidentally deleted information rather than true digital forensics. This view was supported later by their admission that no “bit-level” (as they described it) analysis had occurred, nor was such an analysis within their realm of expertise.
It was mentioned that the FBI also took information for its own analysis during the operation. The city was also using only a 2-week backup window and had no father-son or grandfather-father-son rotation in place at the time of deletion. It was also mentioned that the current store size on the new server is 200 GB.
The remainder of this post is speculation / brainstorming until I can obtain more technical information on the recovery effort.
Exchange 2003 Standard Edition had an 18GB limit prior to SP2, which was increased to 75GB with SP2. Enterprise Edition has much larger storage sizes, and it was not indicated which edition was in use. 75GB is a soft maximum: exceeding it causes the mailstore to dismount itself, but the store can be remounted, so the dismount acts as a kind of “buy the Enterprise version” message. A 60ish GB post-deletion store + a 22GB deletion size > the 75GB limit, which could lend some credibility to the Mayor’s assertion that “he had deleted many of his e-mails on the instruction of his information technology officer, due to a lack of storage space.” This would be off the wall, but, given recent scandals regarding qualifications in the upper echelons of that department, it would be par for the course if the mysterious failure was really the mailstore dismounting itself and being misinterpreted by an ignorant IT staff. In all fairness, the LTC individuals claimed to have found corruption in the mailstore, but failed to elaborate as to its nature. They also, however, mentioned that the “failing” mail server was still in use as a mail relay, which makes a hardware failure somewhat unlikely – if it were just a bad drive, that should have been a replace-and-rebuild scenario rather than a migration.
What concerns me is their disclosure that they are not able to perform, as they put it, “bit level” analysis, given that they have not explained any methodology used to preserve the data prior to analysis. I really hope they are working with a dd image rather than the live server.