Digital Forensics Dispatch

Digital Forensics Blog
by Sensei Enterprises, Inc.

Deleted and Encrypted Data in the Mueller Investigation

July 30, 2019

The Mueller report produced in March, which totals 448 pages, is continually being analyzed and broken down. An article written by Kevin Collier details how the parties investigated by Mueller and his team used encrypted messaging applications, and what that meant for the investigation.

Collier’s article details how Mueller and his team were able to gain access to some conversations and communications by obtaining the proper legal documents to seize and examine some of the recipients’ devices. One of the issues that Mueller and his team encountered was that several of the secure messaging applications used do not retain messages for an extended amount of time unless the user chooses to save them. It was discovered that many communications during the timeframe of interest were deleted, along with any potential backups.

It can be difficult to recover existing communications from encrypted messaging applications such as WhatsApp and Signal, let alone deleted communications. These applications utilize the Signal Protocol, which ensures that communications are sent and received in an encrypted format. These applications also allow the user to delete their message history, individual chats, and single or multiple messages in a thread, all while storing the information in encrypted databases on a device. In some cases, decrypting the databases is possible but highly unlikely without the proper decryption key.

Without the communications to back up stories relayed to the special counsel and investigators, there was not much that could be done to prove whether what they were being told was accurate. A quote from Mueller’s report, detailing communications between former White House Chief Strategist Steve Bannon and American businessman Erik Prince, reads: “The conflicting accounts provided by Bannon and Prince could not be independently clarified by reviewing their communications, because neither one was able to produce any of the messages they exchanged in the time period surrounding the Seychelles meeting.”

One of the methods that we employ when attempting to recover or retrieve communications that occurred through encrypted messaging applications is to analyze potential backups that were made. The capabilities to generate a backup of messages vary depending on the messaging service used.

Phone: 703.359.0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com/services/digital-forensics/