You’ve heard the term before – wiping a server. But what does it really mean? It seems presidential hopeful Hillary Clinton may or may not know either. This week, she held a press conference regarding the hard drive of her private email server, which two U.S. government officials allegedly tried to wipe, specifically deleting work-related emails during her time as Secretary of State.
A reporter asked Clinton whether she had wiped the server. “With a cloth?” she asked, and then added, “I don’t know how it all works.”
Whether she really knows or not, it raises the question: How does wiping a server work, and what can really be recovered from a server that has seemingly been wiped?
Question 1: When is a server considered completely wiped? Hillary’s server may or may not have been properly wiped – or may not have been wiped at all – so the FBI may be able to recover sensitive data from it. A layperson with no knowledge of forensics might think reformatting a hard drive is enough to erase all of that information from a server. It is not. You have to overwrite the entire hard drive, booting the system from a separate operating system and using free or paid wiping software. The Department of Defense’s standard for securely wiping a drive increased from three to seven overwrite passes a couple of years ago, so it’s possible bits of data are still on Hillary’s server.
Question 2: What happens when you wipe a server multiple times? When you wipe a hard drive, the process overwrites the entire disk with zeros or ones. To make sure every area is completely overwritten, most software runs several passes over the drive so that nothing is recoverable – unless you are the NSA and can supposedly use a device to reconstruct the data from the actual platter of the drive.
Question 3: What if there’s a backup server? If Hillary has a backup server for her work-related emails, it will have all of the data and files of the server she allegedly wiped. The data has essentially been replicated to another machine.
Question 4: What are investigators doing? They are likely doing a full forensic search of the server, plus a backup server if one exists, and then making a forensic image of the drive. The investigators look at that drive sector by sector. Once they have recovered what they can, they put it together and start analyzing the data. They may find operating system files and logs that help determine who had access to the machine and whether security was set up properly. The event logs will identify any bogus or failed log-ins, anybody who attempted to log in, and whether someone was able to hack in. They can recover malicious code or find some other backdoor on the machine. They can recover deleted files even if they don’t have the master file table.
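The kind of log review described above, as an added example that is not part of the original article: a small Python script that parses constructed Linux-style sshd authentication lines (not taken from any real system), counts failed log-ins per source address, lists bogus usernames, and flags the pattern an investigator cares about most – a run of failures from one source followed by a successful log-in. The log format, hostnames, usernames and addresses are all assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample lines in the style of a Linux auth log (assumed format,
# example hostnames, users and documentation-range IP addresses).
SAMPLE_LOG = """\
Mar 10 02:14:01 mailhost sshd[2231]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
Mar 10 02:14:03 mailhost sshd[2231]: Failed password for invalid user admin from 198.51.100.7 port 51023 ssh2
Mar 10 02:14:05 mailhost sshd[2233]: Failed password for root from 198.51.100.7 port 51024 ssh2
Mar 10 02:14:09 mailhost sshd[2235]: Accepted password for root from 198.51.100.7 port 51025 ssh2
Mar 10 08:30:12 mailhost sshd[2510]: Accepted publickey for alice from 192.0.2.10 port 40110 ssh2
Mar 10 08:31:40 mailhost sshd[2512]: Failed password for alice from 192.0.2.10 port 40111 ssh2
"""

# One regex for the two sshd outcomes we care about: "Failed" and "Accepted".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse(text: str) -> list:
    """Turn raw log text into a list of event dicts, in file order.
    Lines that do not match (other daemons, noise) are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["invalid"] = ev["invalid"] is not None   # bogus username?
            events.append(ev)
    return events


def failed_by_source(events: list) -> Counter:
    """How many failed log-ins each source address produced."""
    return Counter(ev["src"] for ev in events if ev["result"] == "Failed")


def invalid_users(events: list) -> list:
    """Usernames that do not exist on the box but were tried anyway."""
    return sorted({ev["user"] for ev in events if ev["invalid"]})


def success_after_failures(events: list, threshold: int = 3) -> list:
    """Sources that failed at least `threshold` times and then got in.
    This is the 'was someone able to hack in?' question from the article,
    answered from the log alone. Returns (source, user) pairs."""
    failures = Counter()
    hits = []
    for ev in events:            # events are in chronological order
        if ev["result"] == "Failed":
            failures[ev["src"]] += 1
        elif failures[ev["src"]] >= threshold:
            hits.append((ev["src"], ev["user"]))
            failures[ev["src"]] = 0
    return hits


def report(text: str = SAMPLE_LOG) -> dict:
    events = parse(text)
    return {
        "failed_by_source": dict(failed_by_source(events)),
        "invalid_users": invalid_users(events),
        "suspicious_logins": success_after_failures(events),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

On the constructed sample the script reports three failures from 198.51.100.7, one bogus username (admin), and one suspicious log-in: root from 198.51.100.7 right after that run of failures. Alice's single typo from 192.0.2.10 stays below the threshold and is not flagged, which is the distinction an analyst wants the tool to draw.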
Question 5: What kind of software may be used? Investigators may be using something similar to FTK®. They may be able to recover data from the computer because the data is still sitting on the drive even after you reformat the drive. Reformatting only erases the master file table; the items themselves are still recoverable.
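To make the difference between reformatting (Question 5) and a multi-pass wipe (Questions 1 and 2) concrete, here is an added Python example that is not from the original article and does not touch any real disk. It builds a toy in-memory disk image with a single "file table" sector standing in for the master file table, stores a constructed sample email, then shows that a quick format empties the table while a sector-by-sector scan still finds the message, and that only overwriting every sector (several passes, verified by reading the drive back) removes it. The layout, sector count and table format are assumptions made for the example; real wiping is done with purpose-built tools against the physical device.

```python
import os

SECTOR = 512        # bytes per sector, as on a classic hard drive
SECTORS = 64        # constructed toy disk of 32 KiB (not a real device)
TABLE_SECTOR = 0    # sector 0 plays the role of the master file table (MFT)


def new_disk() -> bytearray:
    """An all-zero in-memory image standing in for a physical drive."""
    return bytearray(SECTOR * SECTORS)


def _read_table(disk: bytearray) -> dict:
    """Parse 'name:start_sector:length' lines out of the table sector."""
    raw = bytes(disk[0:SECTOR]).rstrip(b"\x00")
    table = {}
    for line in raw.split(b"\n"):
        if line:
            name, start, length = line.split(b":")
            table[name.decode()] = (int(start), int(length))
    return table


def _write_table(disk: bytearray, table: dict) -> None:
    raw = b"".join(f"{n}:{s}:{l}\n".encode() for n, (s, l) in table.items())
    disk[0:SECTOR] = raw.ljust(SECTOR, b"\x00")


def write_file(disk: bytearray, name: str, data: bytes, start_sector: int) -> None:
    """Store data in consecutive sectors and record it in the file table."""
    offset = start_sector * SECTOR
    disk[offset:offset + len(data)] = data
    table = _read_table(disk)
    table[name] = (start_sector, len(data))
    _write_table(disk, table)


def list_files(disk: bytearray) -> list:
    return sorted(_read_table(disk))


def quick_format(disk: bytearray) -> None:
    """Reformat: only the file table is cleared; data sectors are untouched."""
    disk[0:SECTOR] = bytes(SECTOR)


def carve(disk: bytearray, marker: bytes) -> list:
    """Sector-by-sector scan for a byte pattern, the way a forensic tool
    carves data that no longer has a file-table entry. Returns sector numbers."""
    image = bytes(disk)
    hits, pos = [], image.find(marker)
    while pos != -1:
        hits.append(pos // SECTOR)
        pos = image.find(marker, pos + 1)
    return hits


def wipe(disk: bytearray, passes: int = 3) -> int:
    """Overwrite every sector of the whole drive `passes` times, cycling
    zeros, ones and random bytes; the final pass is always zeros so the
    result can be verified. Returns the total number of bytes written."""
    patterns = [bytes(SECTOR), b"\xff" * SECTOR, None]   # None = fresh random
    written = 0
    for p in range(passes):
        fill = bytes(SECTOR) if p == passes - 1 else patterns[p % 3]
        for s in range(SECTORS):
            disk[s * SECTOR:(s + 1) * SECTOR] = fill if fill is not None else os.urandom(SECTOR)
            written += SECTOR
    return written


def verify_wiped(disk: bytearray) -> bool:
    """Read back every byte and confirm nothing but zeros remains."""
    return not any(disk)


def demo() -> dict:
    disk = new_disk()
    # Constructed sample message; any real investigation would be looking for
    # the same kind of header text when carving.
    email = b"From: alice@example.com\nSubject: constructed sample message\n\nBody text."
    write_file(disk, "mail1.eml", email, start_sector=4)
    before = list_files(disk)
    quick_format(disk)                       # what 'reformatting' does
    after_format = list_files(disk)          # table is empty ...
    carved = carve(disk, b"From: alice@example.com")   # ... but the data is still there
    wipe(disk, passes=3)                     # what a real wipe does
    return {
        "before": before,
        "after_format": after_format,
        "carved_sector": carved,
        "carved_after_wipe": carve(disk, b"From: "),
        "clean": verify_wiped(disk),
    }


if __name__ == "__main__":
    print(demo())
```

The quick format leaves the message sitting in sector 4 where a carver finds it immediately; after the three-pass overwrite the scan comes back empty and the read-back verification passes. The verification step is the part people skip in practice: a wipe that was never read back is a claim, not a fact.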