FAT Anomalies In Leaked DNC Emails Suggest Use Of
Recently, I tweeted about several different batches of emails that made up the DNC emails collection initially published by WikiLeaks on July 22, 2016.
In that tweet, I included the following table:
The table outlines the last modification dates on the emails (batched by date) and shows the earliest and latest timestamps, minimum ID, maximum ID, count and a column titled “FAT.”
What the table illustrates is that the first batches of DNC emails published by WikiLeaks have times that indicate the files were transferred to a FAT file system (likely transferred via a USB storage device).
Having received several queries concerning this, I wanted to give a more detailed explanation and, as further observations have been made, to report on these and make some clarifications.
FAT File System Indicators
The “FAT” column is in reference to the FAT file system, a file system that, in recent years, is usually used on USB storage devices (some outdated non-USB disk storage devices used this in the past too, but it’s very rare to find such devices still in use).
One of the shortcomings of the FAT file system is that it stores last-modified timestamps at a lower resolution (rounded to the nearest two seconds). For digital forensics, however, this is an advantage: it leaves a pattern that can be detected and used to determine whether files were likely to have been transferred via a FAT file system.
The batches of DNC emails that were determined to have been copied to a FAT file system due to this pattern have an “x” in the “FAT” column (in the table referenced at the beginning of this article).
The First Two Batches
Drawing upon a 30-day email retention policy and the sent dates of emails, research in the public domain [@steemwh1sks] has for some time suggested that the DNC emails were likely acquired on dates between May 19-25, 2016.
Looking at the sent dates of emails and the last modified dates of the email files in the first two batches (those with last modification dates in May, two months prior to initial publication), it is possible to determine that:
Emails appear to have been copied on May 23, 2016 and May 25, 2016.
Emails were stored on a device using the FAT file system (very likely to be a USB storage device) at some point in time between acquisition and being published by WikiLeaks.
We can’t, however, make any declaration on exactly when the files were moved to a USB device as different types of copy operations could produce the same result even if the files were transferred to USB weeks after acquisition (as it’s possible to retain the last-modified dates in various circumstances).
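The two observations above (batching files by last-modified date, and flagging a batch as having passed through FAT when its timestamps all sit on even whole seconds) are easy to reproduce over a file listing. The script below is an added example, not the author's tooling; the file IDs and timestamps in it are constructed to imitate the pattern and are not DNC data. The FAT check it applies is the one described earlier in the article: a FAT-stored modification time has no sub-second part and an even seconds field, whereas on a source that keeps full-resolution timestamps roughly half the files would show odd seconds by chance.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample listing: (file id, last-modified timestamp, ISO 8601).
# The May entries imitate files that were written to a FAT volume (even whole
# seconds only); the September entries imitate a source that kept full-resolution
# mtimes. Invented values for illustration, not real leaked-file metadata.
SAMPLE_FILES = [
    ("2001", "2016-05-23T13:24:10"),
    ("2002", "2016-05-23T13:24:12"),
    ("2003", "2016-05-23T13:24:12"),
    ("2004", "2016-05-23T13:24:14"),
    ("2005", "2016-05-23T13:25:02"),
    ("2006", "2016-05-23T13:25:30"),
    ("30001", "2016-09-21T09:15:07.123456"),
    ("30002", "2016-09-21T09:15:08"),
    ("30003", "2016-09-21T09:15:09.500000"),
    ("30004", "2016-09-21T09:15:11"),
    ("30005", "2016-09-21T09:15:12.250000"),
]


def is_fat_granular(ts: datetime) -> bool:
    """True when a timestamp is representable at FAT's 2-second mtime resolution."""
    return ts.microsecond == 0 and ts.second % 2 == 0


def batch_by_date(files):
    """Group (id, timestamp) pairs by the calendar date of the last-modified time."""
    groups = defaultdict(list)
    for fid, iso in files:
        ts = datetime.fromisoformat(iso)
        groups[ts.date().isoformat()].append((fid, ts))
    return groups


def summarize(files, threshold=0.99, min_count=5):
    """Build one row per batch: earliest, latest, min/max id, count and a FAT flag.

    The flag is set only when (almost) every mtime in the batch fits FAT's
    granularity. With n full-resolution timestamps the chance that all happen to
    be even whole seconds is about 2**-n, so batches smaller than min_count are
    reported but left undecided (fat=None).
    """
    rows = []
    for day, items in sorted(batch_by_date(files).items()):
        ids = [int(fid) for fid, _ in items]
        stamps = [ts for _, ts in items]
        fat_share = sum(is_fat_granular(ts) for ts in stamps) / len(stamps)
        decided = len(items) >= min_count
        rows.append({
            "date": day,
            "earliest": min(stamps).isoformat(),
            "latest": max(stamps).isoformat(),
            "min_id": min(ids),
            "max_id": max(ids),
            "count": len(items),
            "fat_share": fat_share,
            "fat": (fat_share >= threshold) if decided else None,
        })
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE_FILES):
        flag = {True: "x", False: "", None: "?"}[row["fat"]]
        print(f'{row["date"]}  {row["earliest"]} .. {row["latest"]}  '
              f'ids {row["min_id"]}-{row["max_id"]}  n={row["count"]}  FAT={flag}')
```

Run against a real listing, the rows correspond to the columns of the table mentioned at the start of the article. Note that the check only says the files were, at some point, written to a FAT volume; as the paragraph above explains, it cannot say when, because a later copy operation can preserve the already-rounded timestamps.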
Interestingly, the FAT file system indication is in line with claims made by Craig Murray that were published in December 2018 in relation to how WikiLeaks had obtained the DNC leaks through a physical hand-over of the emails.
This particular characteristic was also reported on recently (February 13, 2019) in an article authored by William Binney and Larry Johnson titled “Why The DNC Was Not Hacked By The Russians”. In the article they state:
This data alone does not prove that the emails were copied at the DNC headquarters. But it does show that the data/emails posted by Wikileaks did go through a storage device, like a thumbdrive, before Wikileaks posted the emails on the World Wide Web.
This fact alone is enough to raise reasonable doubts about Mueller’s indictment accusing 12 Russian soldiers as the culprits for the leak of the DNC emails to Wikileaks. A savvy defense attorney will argue, and rightly so, that someone copied the DNC files to a storage device (e.g., USB thumb drive) and transferred that to Wikileaks.
(The article also covers conflicts between intelligence community assessments and Mueller’s July 2018 indictment.)
Looking at the transfer speeds on these batches also gives us reason to doubt that this was a local machine or local network transfer straight to a USB device as the transfers appear to have been at a rate of ~3 megabits/second.
This suggests the files published by WikiLeaks may initially have been transferred remotely.
Some will argue that this supports assertions that the DNC was hacked. However, the rates observed could, on their own, just as easily be argued to support statements made by Seymour Hersh (reported on in July/August 2017) which suggest that WikiLeaks obtained access to a password-protected DropBox where the files [DNC and Podesta emails] had been placed.
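The transfer-rate figure of ~3 megabits/second comes from comparing how many bytes were written against the spread of the last-modified timestamps within a batch. The following is an added example of that estimate, not the author's script; the file sizes and timestamps are constructed so that the arithmetic is easy to follow. Since each mtime marks when a file's write completed, only the bytes of the files written after the first timestamp fall inside the measured interval, and because FAT rounds to two seconds the interval itself carries an uncertainty of about ±2 seconds, which the function reports as a range.

```python
from datetime import datetime

FAT_GRANULARITY_S = 2  # FAT stores mtimes to the nearest two seconds

# Constructed batch: (file id, size in bytes, last-modified timestamp).
# Timestamps sit on even seconds, as they would after passing through FAT.
SAMPLE_BATCH = [
    ("4001", 500_000, "2016-05-25T10:00:00"),
    ("4002", 750_000, "2016-05-25T10:00:02"),
    ("4003", 750_000, "2016-05-25T10:00:04"),
    ("4004", 750_000, "2016-05-25T10:00:06"),
]


def estimate_rate_mbps(batch, granularity_s=FAT_GRANULARITY_S):
    """Estimate the write rate of a batch from file sizes and mtime spread.

    Returns a dict with the point estimate in megabits/second plus a low/high
    range that allows for the timestamp rounding, or None when the batch does
    not span a measurable interval (fewer than two distinct mtimes).
    """
    ordered = sorted(batch, key=lambda item: datetime.fromisoformat(item[2]))
    first = datetime.fromisoformat(ordered[0][2])
    last = datetime.fromisoformat(ordered[-1][2])
    elapsed = (last - first).total_seconds()
    if elapsed <= 0:
        return None

    # The first file's write finished at `first`, so its bytes were written
    # before the interval started; count only what completed after that.
    bits = sum(size for _, size, _ in ordered[1:]) * 8
    rate = bits / elapsed / 1e6

    # Each endpoint may be off by up to one rounding step in either direction.
    low = bits / (elapsed + granularity_s) / 1e6
    high = bits / (elapsed - granularity_s) / 1e6 if elapsed > granularity_s else float("inf")
    return {"elapsed_s": elapsed, "mbps": rate, "mbps_low": low, "mbps_high": high}


if __name__ == "__main__":
    est = estimate_rate_mbps(SAMPLE_BATCH)
    print(f'{est["elapsed_s"]:.0f} s, ~{est["mbps"]:.2f} Mbit/s '
          f'(range {est["mbps_low"]:.2f} to {est["mbps_high"]:.2f})')
```

For the constructed batch this gives 18 Mbit over 6 seconds, i.e. 3 Mbit/s, with a plausible range of 2.25 to 4.5 Mbit/s once the rounding is accounted for. On a real batch of thousands of files the rounding error becomes negligible relative to the elapsed time, which is why the article can quote a single figure.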
Later Batches
As well as the batches of emails with last modified dates before the initial publication of DNC Leaks on July 22, 2016, there were two further batches of DNC emails that were made available on the WikiLeaks site at later dates and that had last-modified timestamps in August and September 2016.
The third batch, with last modified dates of August 26, 2016, also appears to have been transferred via a USB storage device between acquisition and publication.
The fourth of these, with last modified dates of September 21, 2016, did not have a FAT filesystem indication.
While the new tranches included additional DNC staffers, WikiLeaks did not update their web page to reflect that additions were made. However, publication of the batch with the last modified date of September 21, 2016 was announced via the WikiLeaks Twitter account on November 6, 2016 (or November 7 on my side of the Atlantic):
RELEASE: 8263 new emails from the DNC #DNCLeak2 #feelthebern #imwithher #demexit https://t.co/ftwH5t57lj pic.twitter.com/EljYHE0n9E
— WikiLeaks (@wikileaks) November 7, 2016
The DNC emails page on WikiLeaks was updated a little over two weeks later (some time between November 22-25, 2016) with the new total (44,053 emails).
Additional Observations
Some emails had internal send times that were later than the last modified timestamps, by up to 7 hours in some cases.
The IDs assigned to the different batches of files aren’t in a consistent sequence and it seems possible that the files were renamed after acquisition. (The May 23 batch, however, did use a subset of IDs used by the May 25 batch.)
Total counts of emails associated with separate mailboxes that were published by WikiLeaks are interesting too.
When looking solely at the emails, there are many sent to mailing list groups and, in these instances, it’s extremely difficult (maybe impossible!?) to determine whose mailbox the email came from (see email 15384 for an example of this).
There is also some disparity between the totals WikiLeaks cites and the number of emails that can be identified as belonging to a specific mailbox (with the latter being lower).
These factors combined suggest that WikiLeaks were either told the totals for each mailbox or were provided the emails segregated by mailbox.
There are approximately a thousand older emails (with dates prior to April 1, 2016) that account for a little over 2% of the emails released.
While there could be various explanations for this, it appears (based on what is disclosed in one of the leaked emails) that the email retention rules didn’t apply to emails if they were moved into other folders.
This at least gives a good explanation for what would otherwise seem an anomalous presence of old emails.
While there are 44,053 email files, WikiLeaks only indexes 27,515 (as can be seen when doing a blank search in their database):