Forensics firm will scour hard drive

Specialists say retrieval likely for city’s data

David Papargiris, director of the attorney general’s Computer Forensics Lab, gave a tour of the new state-of-the-art facility yesterday in Boston. The lab will expand forensic capabilities for use on computers, cellphones, laptops, PDAs and GPS devices. (Bizuayehu Tesfaye/Associated Press)
By Jonathan Saltzman
Globe Staff / September 16, 2009

Computer forensics specialists will probably be able to retrieve at least some of the e-mails deleted, in an apparent violation of state public records law, by the top policy aide to Mayor Thomas M. Menino, according to several specialists who provide such services.

Yesterday, responding to an order by Secretary of State William F. Galvin, the city hired a computer forensics firm, StoneTurn Group, to scour City Hall computers for the missing e-mail of Michael J. Kineavy, Menino’s chief of policy and planning. The issue came to light after the Globe filed a public records request for the messages.

It is possible that recovering the data might prove a challenge, specialists said, because Kineavy apparently dragged e-mail into his trash folder and then emptied the folder each day before the city’s computer system made an automatic backup at midnight. But many, if not all, of the e-mails are probably somewhere on Kineavy’s hard drive, which the city, under Galvin’s orders, seized and secured yesterday.

“If it’s only been going on for a few years, I would be surprised if all of it isn’t called back,” said Rob Fitzgerald, chief executive of the Lorenzi Group, a Topsfield-based provider of digital forensic services.

Nonetheless, Fitzgerald said, the routine deletion of e-mails by Kineavy was disturbing because state public records law requires municipal employees to save electronic correspondence for at least two years, even if the contents are of “no informational or evidential value.”

Fitzgerald, whose company has been hired by cities and towns investigating employees for misusing computers, said municipal workers in Massachusetts too often flout the law about saving digital documents. He said that if Kineavy routinely deleted e-mails, it was probable that other City Hall workers were doing the same.

“If this one aide is doing it, how many more have been deleting e-mails?” he asked. “No city or town should allow employees to be able to delete information.”

StoneTurn Group is an international consulting firm that provides computer forensic analysis and other services to a range of clients. In an interview with the Globe about an hour before the city announced it had hired the firm, Sean Tuttle, manager of the company’s Boston computer forensics lab, said that such data could probably be retrieved, but that it was impossible to say for sure “until those images are preserved in a forensic manner and analyzed in a laboratory.”

He indicated that companies seeking to retrieve such data can also reach out to recipients to reconstruct Kineavy’s e-mail exchanges. “There are lots of sources when e-mail is sent - the sender, recipients - that will give us a couple of options to investigate,” Tuttle said.

In recent years, tracing and recovering lost computer data has become a big business, particularly since the information is often evidence in criminal and civil litigation. Criminal trials frequently feature computer forensics specialists who are able to reconstruct e-mails that defendants sent and deleted and web searches they made.

James Berriman - chief executive officer of Evidox, an electronic discovery service in Boston - said that Kineavy’s practice of “double-deleting” his e-mails at the end of each day might pose hurdles for recovering them.

“By deleting them every night, the local repository can be synchronized with the main server, and they may indeed be gone from both locations, the server and the local hard drive,” said Berriman, who was formerly a lawyer at Goodwin Procter in Boston.

Even so, he said, some of the data might still be cached on the hard drive, making recovery possible.

At times, even when e-mails are deleted from a computer’s hard drive and then overwritten with new data, specialists can retrieve the deleted information, said Alfred Demirjian, chief executive of Techfusion in Cambridge.

Demirjian said he recently was able to retrieve from a hard drive surveillance photographs of the scene where a Turkish-Armenian journalist, Hrant Dink, was assassinated in Istanbul in January 2007 by a Turkish nationalist even though authorities feared the information was lost. Demirjian said he was confident he could use a similar process to retrieve deleted e-mails in a case such as Boston’s.

“Even in the worst situation, I’m 100 percent confident that we would recover at least partial data,” he said.

Saltzman can be reached at