BleachBit’s claim of permanently deleting emails from Exchange

by Bharat Suneja

In a recent news segment featuring BleachBit, Fox Business questioned whether Democratic presidential nominee Hillary Clinton may have used the software to permanently delete emails from her mail server. The segment features BleachBit lead developer Andrew Ziem.

Politics and clickbait headlines aside, readers will find the claims interesting.

How to delete secret emails from Microsoft Exchange Server

Curiosity sufficiently piqued, I headed to BleachBit’s web site to learn more about the tool. It’s a free tool to securely wipe files and free up disk space. Importantly, BleachBit is not an Exchange tool – it’s neither Exchange aware, nor does it have any plug-ins/modules (it calls them “Cleaners”) for Exchange. In fact, it doesn’t mention email, Exchange or Outlook on its features page.

BleachBit does have an article titled How to Delete Secret Emails from Microsoft Exchange Server, which walks you through the process. Here’s an excerpt:

Do you have private, secret, or confidential emails on your Microsoft Exchange server that you do not want someone else to see? One user of BleachBit seems to have mixed success with this task: on one hand some emails have been found, and on the other emails were deleted “so that even God could not read them.”

Perhaps we shouldn’t take the article/post seriously, because it’s tagged as “humor”. But BleachBit is in the news as the tool used to have email “deleted where even God can’t read them”, so the claim deserves some discussion. Let’s continue looking at the instructions that follow.

  1. Shut the doors and curtains, and turn on loud music.
  2. Using an email client such as a Blackberry smartphone delete the confidential emails. From the trash too.
  3. PROTIP: After you think you are done deleting emails, double check. Do a search for the keywords classified, secret, and Benghazi and the top-level-domains .gov and .mil.
  4. Wipe all devices that were ever mail clients for the affected account.
  5. From a separate computer download portable BleachBit for Windows. The download is anonymous, free, and leaves no money trail.
  6. Unpack it onto a portable storage device such as a USB drive.
  7. On the email server:
    1. In Microsoft Exchange run a Page Zeroing operation to hide traces of the deleted emails, though this may still leave some traces.
    2. Connect the portable storage device to the email server.
    3. Disable and delete the Windows page file.
    4. Stop the Microsoft Exchange and other network services.
    5. Close all applications.
    6. Start BleachBit.
    7. Click File – Wipe Free Space, and use it for each fixed storage device. This will help eliminate residual traces of secret information on parts of the server’s storage device that are marked not in use.
    8. Wait a long time.
    9. While you wait, clean the server’s case, keyboard, and screen “like with cloth or something” to remove any fingerprints.

These instructions show BleachBit is not an Exchange tool. It doesn’t delete email, or search or scrub Exchange databases or logs for specified content. Instead, you’re required to delete email “using an email client such as a Blackberry smartphone”. You’re also required to “wipe all devices that were ever mail clients for the affected account” and delete the page file on the Exchange server. You can then use BleachBit to “wipe free space” on the file system.

The first requirement, and one that most organizations shouldn’t take lightly: you will need to run the tool on your Exchange servers and take Exchange offline. Should you still need to use it, follow the best practice oft repeated here and elsewhere – do not use code downloaded from the Internet in a production environment without testing. Given this code is meant to delete stuff, you’d want to subject it to more thorough testing.

Page zeroing in Microsoft Exchange

Page zeroing is an Exchange Server security feature that overwrites database pages containing deleted data with a byte pattern. The net result is deleted information becomes unrecoverable using conventional means. But page zeroing only comes into play for items that are permanently deleted, which means after any Deleted Item Retention/Single Item Recovery period has elapsed, and the mailbox is not placed on hold.

Importantly, page zeroing is enabled by default in Exchange 2013 and later and is part of the always-on database maintenance process that runs in the background. It occurs within milliseconds of record deletion.

Destroy database copies and delete all backups

The author adds:

  1. Destroy the replicated copies.
  2. Delete all backups.

Assuming the replicated copies the author refers to are database copies in a Database Availability Group (DAG), before you decide to “destroy” database copies or delete all backups, consider the following:

  • If you delete all replicas (passive database copies), you’ll lose high availability until you recreate them and wait for them to replicate.
  • If you delete all backups, you will no longer have the ability to recover mailbox data to a point in time.
  • Taking either step will put your organization at a substantial risk.

Besides, removing database replicas isn’t really necessary, because changes made to the active copy of a database (deletions included) are replicated to the passive copies as they become available, unless you have a lagged copy. Exchange doesn’t play back transactions to a lagged database copy until the replay lag time configured for that database copy elapses.

The virtually impossible last step

If you’re almost expecting an “All your base are belong to us” moment, BleachBit doesn’t disappoint. Here’s the last step in the process:

  1. Do likewise on all remote email servers for all emails sent. For example if you sent emails to someone at senate.gov, then you need to clean that email server too.

For obvious reasons, this last step is virtually impossible.

Can you permanently delete email?

All this raises the question: can you really delete an email message and remove all its traces? It’s possible, but practically speaking, it may be a fool’s errand. Here’s why:

  • Multiple hops: An email you send or receive likely traverses more than one mail server. Copies of a message, or parts of it, may reside on these servers or in their logs and be recovered from there.
  • External recipients: An email resides in the sender’s and the recipients’ mailboxes. If any of them are external, you have little control over their mail servers. To BleachBit’s credit, Andrew mentions that in the news segment on Fox Business and also in the above article.
  • Message queues: If a message is in transit, it resides in message queues, waiting to be routed and delivered. It must be deleted from queues.
  • Message synced to devices: If a message is delivered to recipients, it may be synced to one or more email clients. After you delete it from the server, the message will be deleted from the client upon next sync, but you can’t control when the device syncs. You can wipe mobile devices remotely, but the desktop Outlook client doesn’t have remote wipe functionality.
  • Forwarded messages: A recipient may forward a message to one or more recipients, including to their personal email addresses.
  • Archived messages: One or more copies of the message may be journaled or archived in the sender’s and the recipients’ email systems, or to an external archiving system or service.
  • Mailboxes on hold: The sender’s or recipients’ mailboxes may be placed on In-Place Hold or Litigation Hold.

Exchange’s native search and delete feature

Many customers find Exchange’s native search and delete functionality useful. It requires you to disable Single Item Recovery for a mailbox and remove the mailbox from any In-Place Hold or Litigation Hold. Using the native functionality, you can delete messages from mailboxes, ensuring that your users can’t access them and that they’re not returned in eDiscovery searches. Search and delete operations are captured in audit logs, so it’s not quite a stealth-mode deletion mechanism.

Considering all the locations where a message or its fragments may reside, within and outside your organization, even the native search and delete feature doesn’t guarantee deletion of messages.
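As an added example, not from the original post or from BleachBit or Microsoft: a PowerShell check, assuming an Exchange Management Shell session on Exchange 2013 or later and a mailbox identity passed as `$MailboxId`, that reports the retention, hold and lagged-copy settings the post names as reasons a deletion is not permanent, and then lists prior search-and-delete runs from the admin audit log.

```powershell
# Added example (not from the original post). Assumes an Exchange Management
# Shell session; $MailboxId (e.g. an alias or SMTP address) is the only input.
param(
    [Parameter(Mandatory = $true)][string]$MailboxId
)

$mbx = Get-Mailbox -Identity $MailboxId
$db  = Get-MailboxDatabase -Identity $mbx.Database

# Each blocker is a setting the post describes as keeping deleted data around.
$blockers = @()
if ($mbx.SingleItemRecoveryEnabled) {
    $blockers += "Single Item Recovery is enabled (deleted items kept for $($mbx.RetainDeletedItemsFor))"
}
if ($mbx.LitigationHoldEnabled) {
    $blockers += "Litigation Hold is enabled"
}
if ($mbx.InPlaceHolds.Count -gt 0) {
    $blockers += "Mailbox is under $($mbx.InPlaceHolds.Count) In-Place Hold(s)"
}
# A lagged database copy keeps the pre-deletion state until its replay lag elapses.
$lagged = $db.ReplayLagTimes | Where-Object { $_.Value.ToString() -ne '00:00:00' }
if ($lagged) {
    $pairs = $lagged | ForEach-Object { "$($_.Key)=$($_.Value)" }
    $blockers += "Database $($db.Name) has lagged copies: " + ($pairs -join ', ')
}

if ($blockers.Count -eq 0) {
    Write-Output "No retention, hold or lag blockers on ${MailboxId}: a search-and-delete run would purge items, which background maintenance then page-zeroes."
} else {
    Write-Output "A search-and-delete run on $MailboxId would NOT be permanent:"
    $blockers | ForEach-Object { Write-Output "  - $_" }
}

# Detection side: Search-Mailbox -DeleteContent is recorded in the admin audit
# log, so earlier search-and-delete runs are discoverable after the fact.
Search-AdminAuditLog -Cmdlets Search-Mailbox -Parameters DeleteContent `
    -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) |
    Select-Object RunDate, Caller, ObjectModified, Succeeded |
    Format-Table -AutoSize
```

The audit query only finds runs made after admin audit logging was enabled, and its default 90-day log age limit bounds how far back it can look.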


Jim Sullivan August 31, 2016 at 12:48 pm

Thanks for looking into exaggerated claims by Fox News and BleachBit!

