by Adam Carter, Disobedient Media:
In that tweet, I included the following table:
The table outlines the last modification dates on the emails (batched by date) and shows the earliest and latest timestamps, minimum ID, maximum ID, count and a column titled “FAT.”
What the table illustrates is that the first batches of DNC emails published by WikiLeaks have times that indicate the files were transferred to a FAT file system (likely transferred via a USB storage device).
Having received several queries concerning this, I wanted to give a more detailed explanation and, as further observations have been made, to report on these and make some clarifications.
FAT File System Indicators
The “FAT” column is in reference to the FAT file system, a file system that, in recent years, is usually used on USB storage devices (some outdated non-USB disk storage devices used this in the past too, but it’s very rare to find such devices still in use).
One of the shortfalls of the FAT file system is that it stores timestamp data at a lower resolution (to the nearest two seconds). However, this is advantageous for the purpose of digital forensics as it means there is a pattern that can be detected and used to determine whether files were likely to have been transferred via a FAT file system.
The batches of DNC emails that were determined to have been copied to a FAT file system due to this pattern have an “x” in the “FAT” column (in the table referenced at the beginning of this article).
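The check behind the “FAT” column can be sketched as follows. This is an added example, not the code used to produce the table: the function names, the grouping by UTC date and the `min_files` cut-off are assumptions, and the sample timestamps are constructed.

```python
import os
from collections import defaultdict
from datetime import datetime, timezone

def mtimes_in(directory):
    """Last-modified times (epoch seconds) of the regular files in a directory."""
    return [e.stat().st_mtime for e in os.scandir(directory) if e.is_file()]

def fat_batch_report(mtimes, min_files=10):
    """Batch mtimes by UTC date and flag batches whose seconds are all even.

    Parity of epoch seconds equals parity of the seconds field, because
    minutes and modern time zone offsets are whole multiples of 60 seconds.
    """
    batches = defaultdict(list)
    for ts in mtimes:
        batches[datetime.fromtimestamp(ts, tz=timezone.utc).date()].append(ts)
    report = []
    for day in sorted(batches):
        stamps = batches[day]
        # FAT keeps no sub-second part in the last-modified time either.
        two_second = all(float(t).is_integer() and int(t) % 2 == 0 for t in stamps)
        report.append({
            "date": day.isoformat(),
            "earliest": min(stamps),
            "latest": max(stamps),
            "count": len(stamps),
            # Probability that n unrelated timestamps are all even by chance.
            "chance": 0.5 ** len(stamps),
            # min_files is an assumed cut-off: tiny batches prove little.
            "fat": two_second and len(stamps) >= min_files,
        })
    return report

# Constructed sample data, not taken from the WikiLeaks files.
_MAY = datetime(2016, 5, 23, 18, 0, 0, tzinfo=timezone.utc).timestamp()
_SEP = datetime(2016, 9, 21, 9, 30, 1, tzinfo=timezone.utc).timestamp()
SAMPLE = [_MAY + 2 * i for i in range(12)] + [_SEP + 3 * i for i in range(12)]

if __name__ == "__main__":
    for row in fat_batch_report(SAMPLE):
        print(row["date"], row["count"], "x" if row["fat"] else "-", row["chance"])
```

The `chance` value shows why batch size matters: twelve files landing on even seconds by coincidence has a probability of about 1 in 4,096, while a batch of two or three files would be inconclusive.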
The First Two Batches
Drawing upon a 30-day email retention policy and the sent dates of emails, research in the public domain has suggested for some time that the DNC emails were likely acquired on dates between May 19-25, 2016 [@steemwh1sks].
Looking at the sent dates of emails and the last modified dates of the email files in the first two batches (those with last modification dates in May, two months prior to initial publication), it is possible to determine that:
- Emails appear to have been copied on May 23, 2016 and May 25, 2016.
- Emails were stored on a device using the FAT file system (very likely to be a USB storage device) at some point in time between acquisition and being published by WikiLeaks.
We can’t, however, make any declaration on exactly when the files were moved to a USB device as different types of copy operations could produce the same result even if the files were transferred to USB weeks after acquisition (as it’s possible to retain the last-modified dates in various circumstances).
Interestingly, the FAT file system indication is in line with claims made by Craig Murray that were published in December 2018 in relation to how WikiLeaks had obtained the DNC leaks through a physical hand-over of the emails.
This particular characteristic was also reported on recently (February 13, 2019) in an article authored by William Binney and Larry Johnson titled “Why The DNC Was Not Hacked By The Russians”. In the article they state:
This data alone does not prove that the emails were copied at the DNC headquarters. But it does show that the data/emails posted by Wikileaks did go through a storage device, like a thumbdrive, before Wikileaks posted the emails on the World Wide Web.
This fact alone is enough to raise reasonable doubts about Mueller’s indictment accusing 12 Russian soldiers as the culprits for the leak of the DNC emails to Wikileaks. A savvy defense attorney will argue, and rightly so, that someone copied the DNC files to a storage device (Eg., USB thumb drive) and transferred that to Wikileaks.
(The article also covers conflicts between intelligence community assessments and Mueller’s July 2018 indictment.)
Looking at the transfer speeds on these batches also gives us reason to doubt that this was a local machine or local network transfer straight to a USB device as the transfers appear to have been at a rate of ~3 megabits/second.
This suggests the files published by WikiLeaks may initially have been transferred remotely.
Some will argue that this supports assertions that the DNC was hacked. However, the observed rates alone could just as easily be argued to support statements made by Seymour Hersh, reported on in July/August 2017, which suggest that WikiLeaks obtained access to a password-protected Dropbox where the files [DNC and Podesta emails] had been placed.
As well as the batches of emails with last modified dates before the initial publication of DNC Leaks on July 22, 2016, there were two further batches of DNC emails that were made available on the WikiLeaks site at later dates and that had last-modified timestamps in August and September 2016.
The third batch, with last modified dates of August 26, 2016, also appears to have been transferred via a USB storage device between acquisition and publication.
The fourth batch, with last modified dates of September 21, 2016, did not have a FAT file system indication.
While the new tranches included additional DNC staffers, WikiLeaks did not update their web page to reflect that additions were made. However, publication of the batch with the last modified date of September 21, 2016 was announced via the WikiLeaks Twitter account on November 6, 2016 (or November 7 on my side of the Atlantic):
— WikiLeaks (@wikileaks) 7 November 2016
The DNC emails page on WikiLeaks was updated a little over two weeks later (some time between November 22-25, 2016) with the new total (44,053 emails).