In any crime investigation, one of the first tasks of the detectives is to determine when the crime occurred. The metadata of the DNC archive at Wikileaks provides more or less irrefutable evidence that the DNC emails were exfiltrated on May 23, 2016 and May 25, 2016 in two sessions totaling about 76 minutes in length. Yet this information appears nowhere in official reporting.
Worse, there is evidence that the original intel assessments on the DNC hack - the assessments which influenced the Crossfire Hurricane investigation and the January 6, 2017 ICA - incorrectly placed the exfiltration of DNC emails one month too early - in April 2016.
Such an error would have multiple consequences:
- first, the incorrect dating to April 2016 meant that the emails were exfiltrated before CrowdStrike arrived on scene and, thus, by the time that CrowdStrike arrived, it was too late. The search for fault accordingly turned to why CrowdStrike was called so late. (This theme dominates the Senate Intelligence Committee report.) In fact, the emails were exported three weeks after CrowdStrike arrived on the scene. This makes it entirely legitimate to ask why CrowdStrike's supposedly super-duper cybersecurity not only failed to protect the DNC from the export of emails by an "adversary" known to be in the system, but didn't even observe the exfiltration of 2 GB of emails and data. The April 2016 misdating seems to have totally forestalled such questioning.
- second, and perhaps most importantly, an April 2016 misdating was essential for the Crossfire Hurricane predicate that Papadopoulos had foreknowledge of the DNC hack at his meetings with the Australian diplomats on May 6, 2016 and/or May 10, 2016. An April 22, 2016 exfiltration date meant that it would be (theoretically) possible for Mifsud to have told Papadopoulos of this development at their (supposed) meeting of April 26, 2016. But since the DNC emails were not exported until May 23-25, 2016, it was impossible for Papadopoulos to have had the (supposed) foreknowledge that predicated the Crossfire Hurricane investigation.
One of the few windows into early intelligence on this issue was the memoir of James Clapper, the Obama administration Director of National Intelligence, published in June 2018. Clapper clearly and incorrectly placed the export of DNC emails in April 2016 - one month prior to their actual export.
In this article, I will first discuss what is known for sure from metadata about the exfiltration of DNC emails, then, after discussing Clapper's dating, will examine other contemporary reporting that pointed to incorrect April 2016 dating.
Known For Sure
Every email in the Wikileaks DNC archive was linked to its eml format version, which contained date and timestamp information on the date-time that the eml document was copied, as well as the date-time that the email was sent.
While the sent-time metadata attracted attention early on (Climate Audit, Sep 2, 2017; wh1sks, Oct 2017), the first known utilization of the eml-time metadata appears to have been in January 2019, when with_integrity reported (X link) that all of the DNC emails in the original July 22, 2016 publication (emails 1-22456) had datestamps of May 23, 2016 or May 25, 2016. He also observed that the second publication (November 5, 2016) of DNC emails at Wikileaks had eml-timestamps on August 26, 2016 and September 21, 2016 and that the Podesta email archive (except for two anomalous emails) had eml-times on September 19, 2016. His key table is shown below.
This tweet was followed up with more detailed reporting by with_integrity in February 2019 here and more definitively in April 2019 by Forensicator here.
In these articles, other key details were described:
- the DNC archive published on July 22, 2016 was just under 1 GB in size; its component eml's had sequential timestamps showing a continuous and steady rate of exfiltration over a combined period of approximately 76 minutes (May 23: 33 minutes; May 25: 43 minutes). The observed exfiltration rate for DNC emails was approximately 0.4 MB/second, two orders of magnitude slower than the widely publicized copying rate (47 MB/second) of the Guccifer 2 documents on July 5, 2016 - a different operation which will not be discussed today.
- the May 25 export was done sequentially for six individual mailboxes without interruption between mailboxes.
- the sent times for emails within each mailbox go right up to the exfiltration times.
- Forensicator's timestamp analysis proved convincingly that the timestamps for the DNC emails shown above were in the Pacific timezone - a surprising discovery that has been little discussed.
- in the second (little discussed) publication of DNC emails - published on November 5, 2016, the latest sent times were on May 23, 2016, from which it was convincingly argued by Forensicator that these were exported on May 23, 2016 in the same operation as the single May 23 mailbox (Miranda) published in the first tranche;
- in the first publication (July 22, 2016), within each mailbox, the emails were exported in the following order: by folder within the mailbox (Sent folder last) and latest-to-earliest within each folder. The Wikileaks numbering was in order of export. In the second publication, the emails were exported in order of increasing size. (Unpublished analysis).
- the DNC had a 30-day retention policy. While the original general understanding was that the emails went back to January 2015, most of the folders do not contain any emails prior to the 30-day retention period and, for the four mailboxes exported on May 23, 2016, none show emails prior to a 30-day retention period.
- In total, 97.5% of all the emails were sent between April 19, 2016 and the latest date of May 25, 2016, contrary to any implication that there had been continuous monitoring. This was pointed out (by myself) as early as September 2, 2017 and independently in fall 2017 by wh1sks.
- the eml-times for the DNC emails with datestamps on May 23, 2016, May 25, 2016 and August 26, 2016 are in FAT format - a format used in thumb drives. According to past technical discussion, FAT format also occurs in some older forms of zip compression.
- in general terms: if eml documents are uploaded to a server within a zip file (or similar compression file), the underlying eml-timestamps remain unchanged, but if they are uploaded as contents in a directory, the timestamps are updated to the time of copying. This suggests that a zipfile containing the May 23 and May 25, 2016 emails was transferred to the Wikileaks server and unzipped on the server, whereas (for the DNC emails) we know that the emails in the August 26, 2016 and September 21, 2016 batches had been exfiltrated on May 23, 2016, and their later eml-times show that they had been unzipped before reaching the server and uploaded sequentially.
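An added example (not from the original article or from Forensicator's analysis) of two checks described in the bullets above: FAT/ZIP-style timestamps store seconds in 2-second units with no timezone, so file times with only even seconds are consistent with that format, and sequential file times can be split into sessions to get a duration and an average rate. The file times and sizes are constructed, and the 10-minute session gap is an assumption.

```python
from datetime import datetime, timedelta

def dos_pack(dt):
    """Encode a naive local datetime as the 16-bit FAT/ZIP (date, time) pair."""
    date = ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day
    time = (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)  # 2-second units
    return date, time

def dos_unpack(date, time):
    """Decode the pair; the result has no timezone and only even seconds."""
    return datetime((date >> 9) + 1980, (date >> 5) & 0xF, date & 0x1F,
                    time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)

def fat_like(stamps):
    """True when every timestamp has an even second, as FAT/ZIP storage forces."""
    return all(s.second % 2 == 0 and s.microsecond == 0 for s in stamps)

def sessions(stamps, max_gap=timedelta(minutes=10)):
    """Split sorted timestamps into copy sessions wherever the gap exceeds max_gap."""
    out, start, prev = [], None, None
    for s in sorted(stamps):
        if prev is None or s - prev > max_gap:
            if prev is not None:
                out.append((start, prev))
            start = s
        prev = s
    if prev is not None:
        out.append((start, prev))
    return out

def rate_mb_per_s(total_bytes, spans):
    """Average transfer rate over the summed session durations."""
    secs = sum((end - begin).total_seconds() for begin, end in spans)
    return total_bytes / 1e6 / secs

# Constructed sample: (mtime, size in bytes) for files copied in two sessions.
t0, t1 = datetime(2020, 1, 6, 9, 0, 1), datetime(2020, 1, 8, 14, 30, 3)
RAW = [(t0 + timedelta(seconds=7 * i), 3_000_000) for i in range(10)] + \
      [(t1 + timedelta(seconds=5 * i), 2_000_000) for i in range(20)]
# Round-trip through the FAT/ZIP encoding, as storing the files in a zip would.
STORED = [dos_unpack(*dos_pack(t)) for t, _ in RAW]
SPANS = sessions(STORED)

if __name__ == "__main__":
    print("raw looks FAT-like:   ", fat_like([t for t, _ in RAW]))
    print("stored looks FAT-like:", fat_like(STORED))
    for begin, end in SPANS:
        print("session", begin, "->", end, end - begin)
    print("MB/s: %.2f" % rate_mb_per_s(sum(n for _, n in RAW), SPANS))
```

Even seconds across a large set of files are consistent with FAT/ZIP storage but do not by themselves identify which of the two produced them.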
Clapper 2018
Turning now to Clapper's 2018 memoir (link) entitled "Facts and Fears: Hard Truths from a Life in Intelligence". Clapper stated that "in April [2016], Russia used a third-party 'cutout' to send more than nineteen thousand DNC emails and more than eight thousand documents to Wikileaks and Julian Assange". (The numbers - 19,000 emails and more than 8,000 documents - match the figures originally reported by Wikileaks at their website.)
Clapper was interviewed by Michael Isikoff (one of the earliest users of Steele dossier claims) in June 2018 shortly after publication (covering article; podcast).
Isikoff was particularly interested in the "cutout" (about minute 24:30-26:30 in podcast) who, according to Clapper, transferred the hacked emails to Wikileaks. Isikoff said to Clapper:
Quote:
One line in the book leapt out at me. It's never been clear how the Russians transmitted DNC and Podesta emails to Wikileaks. It's always been a gap - how did they get there. In the book, in April, Russia used a third party cutout attempting to cover their tracks. That suggested to me that you know who the cutout was.
Clapper refrained from divulging anything further, but said that they were "pretty confident" that they had identified the "cutout" who had transmitted the DNC emails to Wikileaks in April.