Is the Secret Service’s Claim About Erased Text Messages Plausible? (Updated)
The Secret Service says data erased from the phones of some of its personnel — that may shed light on the agency's handling of the Jan. 6 insurrection — can’t be recovered. Is it telling the truth?
Efforts by a congressional committee to investigate the January 6 insurrection hit a roadblock last week when it came to light that text messages the committee sought from the phones of Secret Service agents may have been permanently deleted last year as part of a scheduled device migration.
That information came to light in a letter sent from the Department of Homeland Security’s inspector general to the House Select Committee, which is investigating the insurrection.
When asked about the claim, the Secret Service gave vague and confusing statements about what occurred and the nature of the messages. An agency spokesman said both that data on the phones was erased during a factory reset and that none of the erased messages are relevant to the January 6 investigation.
To find out if messages erased in a factory reset are lost for good, and whether the agency was following best practices when it told agents to back up phones on their own before the reset, I spoke with Heather Mahalik, senior director of digital intelligence at Cellebrite, and Robert Osgood, a 26-year veteran of the FBI who worked for the bureau as a digital forensics examiner and is currently director of the forensics and telecommunications program at George Mason University. Cellebrite’s Universal Forensic Extraction Device tool is one of the primary digital forensic tools the FBI and other agencies use to extract data from mobile phones.
Both Osgood and Mahalik said that if the phones underwent a factory reset, then the messages will still be on the phone if the data has not been overwritten by other data since the reset. But they said the messages would not be readable due to the way factory resets work, and therefore would essentially be unrecoverable. To understand why this is the case, what the agency meant by “migration,” and how the missing texts became an issue, read on.
How Did Information about the Messages Come to Light?
Last week the inspector general for the Department of Homeland Security, who is reviewing the Secret Service’s response to the January 6 attack on the Capitol, sent a letter to two house and senate committees informing them that the Secret Service had erased mobile phone text messages sent between agents on January 5 and 6, 2021. The erasure occurred when the agency initiated a “device-replacement program” that same month.
Although the Secret Service subsequently took issue with some of what the inspector general said, it confirmed in a statement that data on “some phones” was lost when the agency “began to reset its mobile phones to factory settings as part of a pre-planned, three-month system migration.” But the agency insisted that even though some data was lost, “none of the texts [the inspector general] was seeking had been lost in the migration.”
The Secret Service didn’t indicate what it meant by “system migration” — as opposed to a “device-replacement program” — but in a statement to CNN this week it mentioned that the migration was an “Intune migration.”
Intune is a Microsoft cloud-based mobile device management system for monitoring and managing a company or organization’s phones, laptops and other devices. Based on this, it appears that the agency may have been migrating from a different system used to manage mobile devices to the Intune system. As part of a migration like this, mobile phones generally need to undergo a factory reset before they are enrolled in the new management system — although there are apparently ways to do this without having to reset phones.
Notably, the DHS inspector general told the House Select Jan. 6 Committee, the special committee that is investigating the insurrection, that the Secret Service’s account about how the data got erased has changed several times. The agency reportedly first told the inspector general that text messages got lost as part of a software upgrade, then said they were lost during device replacements.
But it’s possible that what seems like different accounts may just be a misunderstanding on the part of the inspector general due to the terminology used. Someone may have heard “migration” and assumed this meant a device migration rather than a management-system migration or may have heard “software upgrade” and assumed this meant an upgrade of the software on the phones, rather than a change in the software tool used to manage the phones. It's also possible that the migration involved both a change in the system-management tool and an upgrade to new devices — which would mean the agency hadn’t changed its account of what occurred but simply hadn’t been clear about everything that occurred.
DHS’s inspector general has accused the Secret Service of doing the factory resets after the agency had already been told to preserve the data, which raises additional questions about whether the agency deliberately or only inadvertently violated a preservation order. The Select Committee investigating the insurrection said that on January 16, 2021, several committees directed relevant divisions of the Department of Homeland Security — which oversees the Secret Service — to produce all materials related to the events of January 6. And CNN reported that Congress informed the Secret Service directly on January 16 that it “needed to preserve and produce documents related to January 6,” and then informed it again on January 25, 2021. Although the Secret Service migration had been in the planning stage for months, the actual implementation did not start until January 27, a source told CNN.
The question is, did the preservation order get disseminated to everyone who needed to learn about it, before the factory resets were done?
Did January 6 Messages Really Get Erased?
It’s not clear.
DHS Inspector General Joseph Cuffari told lawmakers that he understood that “a proportion of texts” from January 5 and 6 “remain unaccounted for.” But the Secret Service said that although data from some phones got erased, “none of the texts [the inspector general sought for its review of the January 6 riot] had been lost in the migration.”
The inspector general had requested that the agency hand over text messages sent and received by 24 Secret Service personnel between December 7, 2020 and January 8, 2021, and the Jan. 6 committee also requested any communication related to the riot.
On Tuesday, the Secret Service gave the committee just one text message and said it has no further text messages relevant to the investigation. The single text message was a conversation from former U.S. Capitol Police Chief Steven Sund to former Secret Service Uniformed Division Chief Thomas Sullivan requesting assistance on January 6, 2021, according to CNN.
The Secret Service told the committee that it’s not aware of any text messages being erased during the system migration and that any texts that are related were retained.
“We are currently unaware of text messages issued by Secret Service employees between December 7, 2020 and January 8, 2021… that were not retained as part of the Intune migration,” the agency told the committee. But the agency also said that it is still working to determine if any relevant information was lost.
An unnamed senior official told the Washington Post on Tuesday that other text messages did get purged during the migration, but it’s not clear how the source knows this or whether this included text messages relevant to the investigation.
Shouldn’t the Data Have Been Backed Up Before the Factory Reset?
Yes. But the Secret Service says its employees were responsible themselves “for appropriately preserving government records that may be created via text messaging.”
It said employees were told twice to back up their data to an agency drive before the migration occurred in January 2021, but some did not do this.
Agency personnel were first told in December 2020 and then again on January 25, 2021 that “if they were going to back up their phones, they'd need to do it manually,” and they were given instructions for how to do this, a source told CNN. The migration began two days later. It’s not clear how many agents failed to back up their phones.
Osgood said that telling agents to back up their own phones “makes absolutely no sense” — particularly for a government agency engaged in the kind of work the Secret Service does and required to retain records. The agency is not only charged with protecting the president, vice president and others, it also investigates financial crimes and cybercrime.
“I’m pro-government, and [telling agents to back up their own phones] sounds strange,” Osgood says. “If that did happen, the IT manager that’s responsible for that should be censured. Something should happen to that person because that’s one of the dumbest things I've ever heard in my life.”
To adhere to rules that require federal agencies to retain government records, the Secret Service should have an automated collection system in place to back up things like text messages on a regular basis. Unfortunately, it doesn’t appear the agency had such a tool.
It should be noted, though, that having an automated collection tool doesn’t guarantee data is backed up properly. In 2018 when officials sought to obtain text messages from the phones of FBI officials Lisa Page and Peter Strzok — a former FBI attorney and agent, respectively — they discovered that the collection tool failed to collect data from about 10 percent of FBI devices. Notably, although the FBI had such a collection tool in place at the time, its parent organization — the Department of Justice — did not.
If Messages Were Deleted Can They Be Retrieved?
Generally no, though it depends. Data that was erased in a factory reset, as opposed to simply being deleted, generally cannot be recovered, say Osgood and Mahalik.
According to Osgood, none of the data is wiped in a factory reset, but the decryption keys do get erased.
“By killing the keys you scramble the data and make it unrecoverable,” he says. “Generally speaking, if you did that to your phone, it’s gone.… There’s no way we’d ever decrypt what’s there. Or it would be a really difficult decryption exercise.”
Once the keys are gone, “everything else is unusable and inaccessible,” he says. “That’s designed by the manufacturers — it’s a perfectly smart way to provide security to people.”
Mahalik agrees, but says it depends on the level of encryption prior to factory reset.
“For [iPhones], the data is all encrypted and protected with a master key. The master key is overwritten during that reset, which makes all of the user-created files stay in an encrypted state with no key to decrypt them,” she says.
For Android phones, it depends on how old the phone is. Some older Samsung phones didn't fully encrypt data, so some data could be carved out and recovered from them. But newer Samsung phones are fully encrypted, like iPhones.
“The data will be treated like the iPhones and will become encrypted and not capable of decrypting after a factory reset,” she says.
Android introduced full-disk encryption with its Marshmallow 6.0 operating system in 2015, and introduced file-based encryption with Nougat 7.0 the next year, which provided more protection.
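The key-destruction behaviour Osgood and Mahalik describe, and the contrast with older, unencrypted Android storage from which data could be carved, as an added toy model (not code from the article or from any phone vendor; `Device`, `NewDevice`, `FactoryReset`, `Carve` and `Decrypt` are hypothetical names, and the flash image, key and nonce handling are simplified assumptions):

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// Device is a toy model of a phone's flash (not any vendor's design): stored
// bytes survive a "factory reset"; only the master key gets overwritten.
type Device struct {
	Key   []byte // master key; nil once the reset has zeroised it
	Flash []byte // raw bytes a forensic imaging tool would read back
}
// A fixed nonce is safe here: each device's key is random and seals one message.
var nonce = make([]byte, 12)
// gcm builds AES-256-GCM; a wrong key length is a programming error, so it panics.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // NewGCM cannot fail for an AES block
	return aead
}

// NewDevice writes msg to flash: an encrypted (newer) phone stores AES-GCM
// ciphertext under a fresh random key; an older phone stores the plaintext as is.
func NewDevice(msg []byte, encrypted bool) (*Device, error) {
	d := &Device{Flash: append([]byte(nil), msg...)}
	if !encrypted {
		return d, nil
	}
	d.Key = make([]byte, 32)
	if _, err := rand.Read(d.Key); err != nil {
		return nil, err
	}
	d.Flash = gcm(d.Key).Seal(nil, nonce, msg, nil)
	return d, nil
}

// FactoryReset zeroises and drops the key; flash contents are left untouched.
func (d *Device) FactoryReset() { clear(d.Key); d.Key = nil }
// Carve is the examiner's post-reset move: scan the raw flash image for a known
// string. It can only succeed where the data was never encrypted.
func (d *Device) Carve(needle []byte) bool { return bytes.Contains(d.Flash, needle) }
// Decrypt opens the ciphertext with a candidate 32-byte key. With the real key
// gone every guess fails: the GCM authentication tag rejects wrong keys.
func (d *Device) Decrypt(key []byte) ([]byte, error) {
	return gcm(key).Open(nil, nonce, d.Flash, nil)
}
```

The ciphertext is still physically present after `FactoryReset`, which is exactly Osgood's point: nothing is wiped, but without the key it is just noise to an examiner.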
Osgood, who left the FBI in 2011, notes that there is one possibility the government could recover encrypted messages — if it has “some latest greatest tech to get around” the encryption. But he’s not aware of such technology.
Mahalik said, “I cannot speak to methods of bypass at all. It’s not something I am involved with.”
DHS Inspector General Cuffari told the Jan. 6 committee last week that he hoped the erased texts could be recovered through forensic tools, as the Justice Department’s inspector general had been able to do in 2018 when it recovered text messages from the phones of Lisa Page and Peter Strzok, after the FBI’s automated collection tool failed to capture and preserve data from their devices.
The inspector general in that case examined six devices previously used by Page and Strzok: two of them were iPhones, the others were Samsung Galaxy phones. The iPhones had both undergone factory resets after the agents had stopped using them, and inspectors were unable to extract any data from them, according to a report by the Justice Department’s inspector general office. Investigators were, however, able to extract thousands of text messages from the Samsung devices. The inspector general report doesn’t say if the Samsung devices had undergone a factory reset as well. But given that the phones were used in 2016, it’s possible they were running older versions of the Android operating system, from before full-disk and file-based encryption were introduced. So even if the Samsung phones did undergo a factory reset, it may have been possible to recover data because it was not encrypted.
It’s not clear what kinds of phones the Secret Service uses, but an unnamed Secret Service official told CNN this week that the agency “has not been able to recover any records that were lost” during the migration.
Update 7.2.22 8pm PST: After I published this story, CBS published a piece that provides a few more details about the investigation and the Secret Service’s backup operation. It reveals that of the 24 Secret Service officials whose text messages investigators are seeking, the agency has determined that 10 of these officials did not send text messages on Jan. 5 and 6. Three other officials only sent messages that are deemed to be "personal" and not government records. Officials are now working to determine if the 10 remaining individuals had text messages or other government records that they failed to preserve before the factory reset.
CBS reports that officials are examining metadata (information that includes the date and time messages are sent and who sent and received them — but not the content of the messages) to determine if text messages exchanged by any of the officials should have been considered government records. But it’s not clear how metadata can help determine this, and CBS didn’t elaborate. I should note that they only have metadata available to them because telecom carriers don’t retain the content of text messages for very long — usually just a few days (maybe months) depending on the carrier.
Remarkably, CBS also reports that one of the ways that Secret Service personnel were told to back up their text messages was to take screen shots of them and upload these to a dedicated web site the agency had set up for this purpose.