As House Republican leaders weigh whether to try to force former Secretary of State Hillary Clinton to hand over her personal email server, experts say the messages she deleted from it — or at least portions of them — can almost certainly be recovered.

Half a dozen computer forensics experts interviewed by POLITICO said remnants of Clinton’s emails likely still exist on the server, although retrieving them could be time intensive and expensive.


Clinton’s attorney David Kendall on Friday wrote Benghazi Committee Chairman Rep. Trey Gowdy (R-S.C.), declining the committee’s request for the server to be turned over to an independent third party. The committee said it wants a third party to verify that all Benghazi-related emails were in fact turned over to the panel—especially after Clinton acknowledged deleting anything determined to be “personal” messages.

Kendall called the request pointless, saying Clinton’s IT staff had confirmed to him the messages are gone for good.

But permanent deletion is extremely difficult to achieve, the experts said. Enterprise servers built in the last decade or so are increasingly designed to preserve emails more rigorously, either as a document trail in case of a lawsuit, to comply with industry regulations or to allow system administrators to “idiot proof” their systems so they can save the day when non-technically proficient executives accidentally delete emails.

The key principle of digital forensics is “Delete doesn’t and restore won’t,” said Mark Rasch, a former federal prosecutor who worked on computer crimes.

A telling precedent is the case of former Internal Revenue Service official Lois Lerner, who came under scrutiny over charges that the IRS targeted tea party groups for heightened scrutiny.

The IRS said that a 2011 hard-drive crash rendered her emails irretrievable. The agency trashed the hard drive and said it had over-written back-up tapes.

But the Treasury Inspector General for Tax Administration found a pile of several hundred old back-up tapes and hired an outside forensic expert to recover the old messages.

It’s taken them eight months — and a sum of money that TIGTA has repeatedly refused to disclose — but they believe they’ve discovered the missing correspondence.

In the Hillary Clinton matter, House Republican investigators have bickered with the State Department over Benghazi documents since soon after the 2012 attack and formally subpoenaed all correspondence and other documents in 2013.

But it only came to light this month that the State Department did not have copies of Clinton’s emails because she used a personal account and server to conduct official business — instead of a standard government address. The House Benghazi committee subpoenaed Benghazi correspondence from Clinton’s personal email March 4, and Gowdy followed up March 20, formally asking Clinton to turn her server over to the State Department inspector general or another neutral third party to assess whether any of the ostensibly personal emails contain government business.

The subpoena, which deadlined Friday, requested only documents. But after Clinton refused to hand over the server, top House Republicans are coalescing around a plan to talk to her first before they consider subpoenaing it, according to someone familiar with the conversations.

In the letter Friday, Clinton’s attorney said there was no legal authority to force Clinton to turn over the server and that any arguments related to public access to federal records were addressed because she turned over her work emails to the State Department.

The experts interviewed by POLITICO said the amount of information that can be retrieved depends on the type of server Clinton used, its control settings and the rigor and expertise of the people who pressed the delete key.

“Obviously Clinton has someone with technical capability to run a mail server for her. Whether that person is actively capable of interfering with an investigation, I don’t know. That’s another technological step up,” said Hal Pomeranz, founder of Deer Run Associates, a computer forensics investigation firm.

Rasch, the cyber-crimes prosecutor now in private practice, compared deleting an email in standard email systems, such as Microsoft’s Outlook or Google’s Gmail, to placing a computer desktop item in the recycle bin.

In other words, the item can still be recovered until you do something else, such as empty the bin.

With most email systems, that something else would be putting another email in the deleted email’s place, a process called “overwriting.” A file may need to be overwritten multiple times before it’s totally gone. It may quickly begin to look like a piece of Swiss cheese, however, with section after section degraded or missing.

On a busy corporate network, a deleted email might be overwritten within a few hours because emails are constantly coming in and going out and system administrators are regularly compressing email storage to save space, said Jake Williams, a principal consultant at Rendition Infosec.

On a personal server with only one or a few users, however, it could take months or years to overwrite that space, said Williams, also a computer forensics consultant at the SANS Institute, a non-profit computer security training center.

Clinton’s statement from her March 10 press conference – “at the end, I chose not to keep my private personal emails” — suggests that the emails were not deleted sporadically over the course of the last several years but all at once a couple of weeks ago after she stopped regularly using the server or the email system. That would indicate that most of the emails are likely intact and in good shape, Williams said.

That’s provided, of course, that whoever deleted the emails simply pressed the delete key rather than running a more complex command, such as ordering the computer to “wipe” or “burn” its email contents or using a plug-in that ensures deleted emails are rapidly overwritten.
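The difference between an ordinary delete, gradual overwriting by new mail and a deliberate wipe can be shown with a toy block store. This is an added illustration, not part of the original article; the `MailStore` class, its block size, its allocation order and the sample messages are all constructed for the example and do not model any particular mail server.

```python
BLOCK = 32  # bytes per storage block (constructed toy value)
# Constructed sample messages, not real mail.
OLD = b"From: alice@example.test\nSubject: lunch\n\nNoon on Friday works, see you there.\n"
NEW = b"From: bob@example.test\nSubject: hi\n\nhello again\n"

class MailStore:
    """Toy store: an index of live messages on top of a raw byte 'disk'."""
    def __init__(self, nblocks):
        self.disk = bytearray(BLOCK * nblocks)
        self.free = list(range(nblocks))  # blocks available for reuse
        self.index = {}                   # message id -> block numbers

    def write(self, msg_id, body):
        chunks = [body[i:i + BLOCK] for i in range(0, len(body), BLOCK)]
        blocks = [self.free.pop(0) for _ in chunks]
        for b, chunk in zip(blocks, chunks):
            self.disk[b * BLOCK:(b + 1) * BLOCK] = chunk.ljust(BLOCK, b"\0")
        self.index[msg_id] = blocks

    def delete(self, msg_id):
        """Ordinary delete: forget the index entry, leave the bytes alone."""
        self.free.extend(self.index.pop(msg_id))

    def wipe(self, msg_id):
        """Deliberate wipe: zero the blocks, then release them."""
        for b in self.index[msg_id]:
            self.disk[b * BLOCK:(b + 1) * BLOCK] = bytes(BLOCK)
        self.delete(msg_id)

    def carve(self):
        """Examiner's view: content of blocks that no live message owns."""
        live = {b for blocks in self.index.values() for b in blocks}
        out = {}
        for b in range(len(self.disk) // BLOCK):
            data = bytes(self.disk[b * BLOCK:(b + 1) * BLOCK]).rstrip(b"\0")
            if b not in live and data:
                out[b] = data
        return out

def demo():
    s = MailStore(4)
    s.write("old", OLD)
    s.delete("old")
    after_delete = s.carve()    # every block of OLD is still on disk
    s.write("new", NEW)         # new mail reuses one of OLD's blocks
    after_new_mail = s.carve()  # "Swiss cheese": only fragments remain
    w = MailStore(4)
    w.write("old", OLD)
    w.wipe("old")
    return after_delete, after_new_mail, w.carve()  # nothing left after a wipe
```
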

Clinton spokesman Nick Merrill declined to say what kind of server the former secretary used or the year it was built. He also declined to comment on the server’s e-discovery settings or the specific deletion protocol.

Even if Clinton’s staffers successfully wiped all emails from her server, there are other places they could show up, forensics experts said, such as in a temporary file elsewhere on the server, in a file on her computer hard drive, or on her BlackBerry.

There also are likely logs of emails sent and received elsewhere on the server or on Clinton’s devices, separate from the emails themselves, forensics practitioners said.

Finally, of course, the emails themselves may be stored in the computers, phones and servers of people Clinton corresponded with – and who might be identified in email logs.

“It’s an obvious point, but you can’t delete email,” Rasch said. “By definition, I have sent my emails to or received them from someone else, which means…someone else has a copy…Deleting emails is really not an effective way to conceal what you’re doing.”