Computer forensics experts are questioning the supposed loss of five months of text messages between two FBI officials who privately disparaged President Trump before helping investigate his campaign’s possible links to Russia.
Some experts say the messages, sent during a turbulent period from Dec. 14, 2016, to May 17, 2017, may not be gone forever.
The missing messages between Peter Strzok, a senior FBI official, and alleged mistress Lisa Page immediately precede special counsel Robert Mueller’s May 17 appointment to investigate Russia's role in the 2016 election. Strzok was taken off Mueller’s team in August after discovery of his messages with Page, who previously left Mueller’s team.
“The loss of these text messages is an unbelievable coincidence – literally,” a House Intelligence Committee source told the Washington Examiner.
A one-paragraph official explanation offers little clarity on what happened, and the FBI declined to comment on the physical whereabouts of the couple's government-issued Samsung Galaxy S5 devices or whether additional forensic recovery steps are being taken.
Some experts say, however, that it may be possible to recover the missing communications.
“A sharp digital forensic expert may still be able to recover them,” said Andrew Ziem, creator of BleachBit, the software that Hillary Clinton subordinates used to clear information from her private server. “In general whenever any software deletes any information, traces are left on the storage device, though they become disorganized like the proverbial needle in the haystack.”
Ziem said that “success requires physical access to at least one of the unlocked devices, and it depends whether the messages were accidentally or intentionally erased, as well as other factors. As the device is used over time, the chances of accidental overwriting become more likely, and because so much time has passed since the critical period in the Strzok-Page case, success is not likely. On the other hand, individual text messages are small, so maybe a few survived.”
Investigators “may be able to recover deleted text messages from the cellphones used by the parties,” agreed Dennis Williams, a partner at Pathway Forensics LLC who worked three decades with the FBI, including as director of the Greater Houston Regional Computer Forensics Laboratory.
Don Vilfer, a former supervisory special agent at the FBI who leads the computer forensics division at VAND Group LLC, said “we often find the messages in other locations such as on a local computer drive as a backup or on cloud storage.”
“If the users were using the Google cloud as a backup, messages could be found there. If the phone had been synced with the FBI desktop computer, or even a home computer, the messages could also be located on those devices. If the old phones are available, forensic exams of those phones could also recover the messages,” Vilfer said. “The particular FBI employees of interest in this case had texted that they would be using an alternative messaging system, iMessage. This is on the Apple platform and would come with similar sources of possible backups—iCloud, their personal iPhone or Macs etc. I suspect that is where some real meat might be as it relates to their discussions.”
Vilfer said “having worked in the FBI, I know it is like any other organization where things don’t always get done the way they are supposed to, but people are not above trying to hide information either. I would want to know how this upgrade took place and what processes were followed or in what instances not followed.”
Strzok and Page denounced Trump during 2016. Some messages have been released, including Strzok calling Trump an “utter idiot” and discussing an “insurance policy” related to the election. In addition to his role investigating Trump, Strzok reportedly took a lead role investigating Clinton’s use of a private email server, softening language in a statement that found Clinton mishandled classified information but should not be prosecuted.
Trump has cited the exchanges as evidence of bias against him, but some Democrats argue the couple has a right to private political viewpoints.
The missing text messages were revealed by Sen. Ron Johnson, R-Wis., who excerpted a Jan. 19 message from Stephen Boyd, assistant attorney general for legislative affairs, in which Boyd told Johnson about the issue.
“[M]any FBI-provided Samsung 5 mobile devices did not capture or store text messages due to misconfiguration issues related to rollouts, provisioning, and software upgrades that conflicted with the FBI’s collection capabilities,” Boyd wrote to Johnson, as quoted by the senator in a response letter. “The result was that data that should have been automatically collected and retained for long-term storage and retrieval was not collected.”
Experts cautioned that very little has been made public about the issues the FBI reportedly had recovering the messages, but point out that very short retention periods by cellphone carriers make it unlikely that service providers would have the communications.
Among the top recommendations are finding the actual devices and ensuring that their full contents are analyzed, as well as searching for copies backed up elsewhere. Some experts say the missing messages may be lurking in plain sight.
Matthew Green, a computer science professor at Johns Hopkins University, said it’s possible the messages could be in an overlooked database file, even if there was a backup configuration issue.
“These messages are usually stored in a ‘lightweight’ database on the phone. That database sometimes keeps all of its data in a single file on the phone’s drive,” he said. “Sometimes bad database implementations can hold onto deleted records just because it’s hard to reorganize the whole file. But overall it’s pretty unlikely.”
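The behaviour Green describes can be reproduced with SQLite, the single-file database Android uses for its SMS store. The Python sketch below is an added example, not part of the original article or of any tool named in it; the table name `sms` and the message strings are constructed, and it contrasts an ordinary delete with SQLite's `secure_delete` setting.

```python
import os
import sqlite3
import tempfile

# Constructed sample messages; not real data.
KEPT = "KEPT-ROW constructed sample: lunch at noon"
DELETED = "DELETED-ROW constructed sample: see you at five"


def residue_after_delete(secure_delete: bool) -> dict:
    """Insert two rows, delete one, then search the raw database file.

    Returns what a normal query still shows and whether the bytes of each
    message are still present anywhere in the file on disk.
    """
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        con = sqlite3.connect(path)
        # Set explicitly: some SQLite builds enable secure_delete by default.
        mode = "ON" if secure_delete else "OFF"
        con.execute(f"PRAGMA secure_delete = {mode}")
        con.execute("CREATE TABLE sms (id INTEGER PRIMARY KEY, body TEXT)")
        con.executemany("INSERT INTO sms (body) VALUES (?)",
                        [(KEPT,), (DELETED,)])
        con.commit()

        # The application-level delete: the row disappears from queries.
        con.execute("DELETE FROM sms WHERE body = ?", (DELETED,))
        con.commit()
        visible = [row[0] for row in con.execute("SELECT body FROM sms")]
        con.close()

        # The examiner's view: read the file as bytes, ignoring SQL.
        with open(path, "rb") as fh:
            raw = fh.read()
        return {
            "visible": visible,
            "kept_in_file": KEPT.encode() in raw,
            "deleted_in_file": DELETED.encode() in raw,
        }
    finally:
        os.remove(path)


if __name__ == "__main__":
    print("default delete:", residue_after_delete(secure_delete=False))
    print("secure_delete :", residue_after_delete(secure_delete=True))
```

With `secure_delete` off, the deleted text is gone from query results but still present in the file's free space until later writes reuse it; with it on, SQLite zeroes the freed bytes.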
Trent Leavitt, a Utah-based expert whose firm Decipher Forensics recently was absorbed into EideBailly, noted that the FBI uses forensic technology from the company Cellebrite, which he said offers the industry standard for governments and companies that preserve phone records.
Leavitt said FBI analysts may have selected the less-comprehensive Cellebrite “logical” download option, which includes viewable information on the phone, rather than a more advanced “file system capture” option that also includes deleted pieces of information.
“With most Samsung devices you can get back deleted text messages, but it’s always iffy because of something called trim command,” Leavitt added. The trim command, which debuted on Android devices around 2012, improves phone operations by rapidly writing over deleted data, shrinking the window for recovering deleted texts from longer than 2 years to potentially very short periods if phones are in active use.
“Because of the model of the phone, getting back those messages is slim. Not impossible, but slim,” Leavitt said. “The best thing they would hope for is actually finding the device itself,” he said.
Jim Jones, a digital forensics expert at George Mason University, believes finding backed-up messages may be the most likely route to recovery, perhaps on a personal computer, or by a more comprehensive review of the devices.
“As soon as they knew these two individuals were of interest, I would expect they would have ‘imaged’ the phones,” Jones said. But he added, “there may be some legal or procedural or policy reason why they wouldn’t.”
“If the individuals made backups of their phones locally, they could be sitting on one of their home computers,” he added. “Even if those backups got deleted, the data doesn’t go away immediately… it really depends on how carefully they deleted those files.”
Jones said that “the phones, if they were confiscated soon enough” also may have the texts. “If the phone is turned off, there’s no danger” of the data being automatically deleted, he said.
Johnson, the senator who revealed the missing texts, sent the Justice Department a list of questions himself, including a request for more comprehensive information on what Strzok-Page communications are available during the five-month gap, and an inquiry into whether the couple's non-official devices have been searched.
Many experts declined to comment for this story, citing the lack of transparency on what happened.
“There’s not enough information supplied to allow me to do more than speculate. There’s too much of that extant without my adding to the din,” said Craig Ball, a computer forensics expert who teaches at the University of Texas at Austin School of Law.