These Are the Forensic Tests the FBI Is Running on Hillary Clinton’s Server

An expert explains how the agency may be trying to resurrect her emails.

El Nuevo Dia, Andre Kang/Zuma, iStock


Last week, Hillary Clinton finally apologized for using a private email server when she was secretary of state. That server is now in the hands of the FBI, but it took a while to get there. In December, the Clinton camp provided 30,000 or so work-related emails to the State Department after it deleted more than 31,000 emails from the server that it considered personal. In March, while declining to give a congressional committee access to the server, Clinton’s lawyer David Kendall said the emails stored on it had been permanently erased, or “wiped.” But weeks ago, with the email controversy showing no signs of subsiding, Clinton handed over the server to the FBI. The Washington Post reported Saturday that Platte River Networks, the Denver-based company that has managed Clinton’s email system since 2013, had no record of the server being “wiped.” So this could mean the FBI will be able to recover emails that the Clinton crew deleted—and that the bureau will be able to review all the emails and documents on the server to determine if materials, possibly including classified information, were handled properly.

The State Department is currently processing the 30,000 work-related emails Clinton returned to Foggy Bottom, and it is releasing monthly batches of these documents. But the full extent of what was on her private server remains unknown and is now a matter for the FBI to determine. We asked Jon Berryhill, a computer forensics expert and a former US Air Force investigator, to help explain how the FBI might try to resurrect the deleted contents of Clinton’s email server and what challenges the investigators might face. Here are some answers:

The FBI now has Clinton’s email server. What are they doing with it? “When handling any piece of any digital evidence, the first thing is to make what’s called a ‘forensic image copy’ of it, an exact working duplicate, so you’re not messing with the original,” Berryhill says. Once the copy is made, an analyst can quickly determine if there’s any recoverable material by looking at the computer data, which is built on a system of ones and zeros. If a preliminary look reveals nothing other than a trillion zeros, an investigator can quickly conclude there is no data to resurrect. Berryhill notes it should only take a couple of minutes to figure out if there is recoverable information on the server or if the server was purposefully wiped out.

After copying the server’s contents and taking a first look, what is the FBI’s next move? “The first thing I’d want to do is to go knock on the door of whoever it was who set the thing up,” Berryhill says. During the course of “a nice long conversation,” Berryhill says he would try to find out when the server was set up and how it was organized. He would look at the machine to confirm what he was told. Then he would be ready to see if “there’s stuff there that’s recoverable or not.” But Bryan Pagliano, the State Department staffer hired by Clinton to set up this server, has refused to talk with the FBI. “It’s an inconvenience,” Berryhill says. “A lot of times interviews like that are for background purposes, they’ll speed up the work, tell you where to look, where to start.” 

It’s been said that the server was “wiped.” What does that mean? Wiping a computer drive makes files unrecoverable by deleting them and then overwriting the space the files once occupied. Most people assume that wiping is the same as deleting all the files, Berryhill says, “but on the technical side, certainly on the forensic side, wiping is a very specific thing.” It depends on the process that was used. Sometimes the wiping is selective, he explains, “so there may be other copies elsewhere on that drive that they didn’t realize were there.”

Consider what happens to emails. After you email a document, the recipient can do several things once they open it: print the document, forward it to somebody else, save it to the documents folder on the computer, or delete it. As the sender, you can do the same things. Consequently, traces of the document—or even all of it—can remain on the email server, in the documents folder, in the printer’s temporary cache file, or in the sent email folder. “So it gets pretty complicated for people when they start trying to selectively wipe things,” Berryhill says.

Berryhill says he has been able to recover material that was deleted years earlier and, on the other hand, has been unable to access files that were on a computer that very morning. An investigator is most likely to recover material when the server is not heavily used and has a large hard drive. With a heavily used machine that has a very full hard drive, material will get lost and be overwritten much more quickly, and the chances of recovering it are less likely.

The latest news is that the server may not have been wiped, so does that mean the FBI can resurrect everything? Assuming the server was not wiped, computer forensics specialists might be able to recover all the emails—the work-related and the personal emails—that were once on the server. But this depends on the type of email system that was used, how it was maintained, and how the files were deleted. If a conventional email program was used, it might be possible to find all the emails in one big file. “If that file doesn’t exist, you can try to reconstitute it,” Berryhill says. “But it’s very, very difficult to reconstitute the whole thing because you’ve got a very big file, and the chances of recovering all of it are pretty slim—unless it was just deleted and nothing else has happened on the machine.”

Additionally, investigators could find an address book or contact list, and the header information attached to each email, which would include significant data, such as the sender, recipient, the time, and the date. “You could find evidence of attachments by name, and, depending on what you recover, you maybe be able to recover the attachments too,” Berryhill notes, adding that certain types of attachments—pictures, for example—are easier to recover. A crucial variable is whether the server was configured to have redundant drives. (In case one drive failed, others would still function.) Then pieces of these files could exist in many different places.

There are reports that the FBI is trying to figure out if foreign powers or hackers accessed the server. Will that be obvious? Given all the ways people can access computer systems, the FBI might find some evidence of this, but not necessarily. “A lot of that is going to depend on how the machine was configured, mostly in terms of the logs that it kept,” Berryhill says. He compares the process to keeping track of who attempts to get into your house. If you have good logs, then you can see who has tried to gain entry.

How long could the whole process take? Within a couple of hours, Berryhill says, “the analyst is going to have a good feel for the kinds of things that are there and what’s possible.” If there is information to pull from the machine, investigators will likely use automated tools to comb through the system, grab files and piece them together, but this could take weeks. “The time line of something like this gets drawn out usually because of other things and other people,” Berryhill says.” “If you put it on paper, you could have millions of pages out of a process like that.” Given that this involves lawyers, the FBI, the State Department, and a host of intelligence agencies, he adds, “it’s going to be really messy.”