Forensics in the Case Against the 20th 9/11 Hijacker
An affidavit by an FBI agent, filed with the Government's response to a court order on computer and email evidence in the case against Zacarias Moussaoui, the '20th hijacker' in the 9/11 attacks, provides insight into the limitations of collecting email forensic evidence. Moussaoui was arrested in August 2001 as a result of his suspicious behavior at a flight training school in Oklahoma. The government's response notes that Hotmail account names cannot be found on a forensically examined computer if the user did not download data from the account to the hard drive.
The affidavit of Bridget A. Lawler, a special agent with the FBI, states that "nearly all of the useful information about account activity of a Hotmail account is maintained at Hotmail and not on individual computers used by someone with access to the Hotmail account." While a computer's HTTP log will show the addresses of Hotmail pages, Hotmail cannot search for an account name from an IP address; although it is theoretically possible for Microsoft to do so, it will not be able to if too much time has passed since the account was accessed from a particular computer. When an email account was inactive for more than 30 days, Hotmail deleted the IP connection log. After 90 days of inactivity a registered account would be disabled and the name would be made available to other users.
Lawler acknowledges in the affidavit that a Hotmail account name might be included in file slack, but concludes that "such a find is very, very rare."
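To make the file-slack point concrete, here is an added example (not from the affidavit or the case record) of how an examiner might sweep the raw bytes of an image for Hotmail addresses, ignoring file boundaries so that slack is covered. The function names, the local-part character set and the sample cluster are assumptions constructed for illustration.

```python
import re

LOCAL = rb"[A-Za-z0-9._-]"  # assumed local-part characters, not Hotmail's actual rules


def _wide(text: str) -> bytes:
    """Regex for `text` as UTF-16LE: every character followed by a NUL byte."""
    return b"".join(re.escape(ch.encode()) + rb"\x00" for ch in text)


# Residue can survive as single-byte text or as UTF-16LE, so search for both.
_ASCII = re.compile(LOCAL + rb"{1,64}@hotmail\.com", re.I)
_UTF16 = re.compile(rb"(?:" + LOCAL + rb"\x00){1,64}" + _wide("@hotmail.com"), re.I)


def scan_image(data: bytes, sector_size: int = 512):
    """Return sorted (byte_offset, sector, encoding, address) hits in raw image bytes."""
    hits = []
    for enc, rx in (("ascii", _ASCII), ("utf-16le", _UTF16)):
        for m in rx.finditer(data):
            addr = m.group().decode(enc).lower()
            hits.append((m.start(), m.start() // sector_size, enc, addr))
    return sorted(hits)


def build_sample() -> bytes:
    """Constructed data: one 1024-byte cluster whose first 300 bytes belong to the
    current file; the rest is slack holding residue of an earlier, larger file."""
    cluster = bytearray(1024)
    cluster[0:300] = b"A" * 300
    old_ascii = b"login=example.user@hotmail.com&passwd="
    cluster[600:600 + len(old_ascii)] = old_ascii
    old_wide = "Example_User2@Hotmail.com".encode("utf-16le")
    cluster[800:800 + len(old_wide)] = old_wide
    return bytes(cluster)


if __name__ == "__main__":
    for offset, sector, enc, addr in scan_image(build_sample()):
        print(f"offset={offset} sector={sector} encoding={enc} address={addr}")
```

A hit only places the string at a sector; tying it to a user still depends on the provider-side records the affidavit describes.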
The affidavit recounts how Moussaoui accessed his Hotmail account from Kinko's stores in several locations in the United States. Investigators could not recover data from these computers because they learned from "various contacts it appears that Kinko’s stores erase data from, or re-image, the computers they rent to the public at varying times, from every 24 hours to every 30 days."
Sixteen years later, this information about tracing Hotmail accounts and the hardware security practices of Kinko's may only be of historical interest, but it still provides a basis for asking whether a third-party company can assist investigators beyond the limitations of Microsoft and Kinko's in 2001.