Date: 2025-08-06

Last year, following classification techniques originally described by Forensicator, Tralfamadorenik was able to add additional details to the database of DNC email metadata, adding descriptors for external received emails, internal received emails (DAG and AppRiver), voice mail and other. (AppRiver appears to have checked inbound emails for spam/malware.) Applying these additional details, I plotted the sent_time versus exfiltration_time for the first (July 22, 2016) Wikileaks tranche, color coding the point for each email according to its type. It’s a complicated but interesting figure.

Figure 1. DNC emails sent_date-time vs exfiltration_time. Left panel - May 23, 2016; right panel - May 25, 2016. Blue - incoming via AppRiver; light blue - incoming via DAG; gold - sent; black - voice mail; red - other.

The Wikileaks July 22, 2016 tranche contained emails from seven accounts: Luis Miranda emails exfiltrated on May 23, 2016; and, on May 25, 2016, mailboxes from Jordan Kaplan, Erik Stowe, Wright, Zach Allen, Parrish and Scott Comer in that order.

The above plot shows some details that weren’t discussed by Forensicator.

Within each mailbox, the emails were exported in order of folder, then latest to earliest within each folder. In each case, the Sent folder (gold) was exported last.

The “folder” structure observed in the export pattern is clearly consistent with the folder structure of the Microsoft email system: a minimum of three folders (Inbox, Sent, Drafts) plus, presumably, one or more Archive or other folders.

The 30-day DNC retention policy (previously reported) is clearly visible in the structure of sent_dates. It was strictly observed in the Sent folders and in nearly all of the probable Inbox folders. The presence of emails with datestamps prior to the 30-day retention period has been noted previously (e.g. link), but never explained. The vast majority of pre-retention emails occur in two folders: a Scott Comer folder containing voice mails and a Zach Allen inbox folder. I haven’t parsed the other stragglers, but they all appear to be from Archive or Draft folders.

Metadata extracted by Tralfamadorenik showed the presence of numbered DNCDAG servers in inbound metadata. Tralfamadorenik observed a shift from DNCDAG1 to DNCDAG2 between May 23, 2016 and May 25, 2016 - see his discussion on X.

The Miranda emails were exported from about 02:13 to 02:46 AM (Pacific time) and the May 25 emails were exported from about 05:21 to 06:04 AM (Pacific time). The time zone was first identified as Pacific time by Forensicator in April 2019 (link). The exfiltration rates - originally calculated by with_integrity and Forensicator (and verified by me) - were all “slow”: about 400 KB/second. This is the opposite of claims associated with VIPS. See link.
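The export-order and retention observations above can be checked mechanically. The following is an added example, not code from this post or from Forensicator or Tralfamadorenik: it orders records by exfiltration time, starts a new folder wherever sent_time stops descending, and counts emails older than a 30-day window. The sample records, the function names and the choice to anchor the window at the newest sent_time are assumptions.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M"

# Constructed sample of (exfiltration_time, sent_time); NOT taken from the DNC data.
SAMPLE = [
    ("2016-05-25 05:21", "2016-05-24 18:00"),  # first folder, newest item
    ("2016-05-25 05:22", "2016-05-02 09:30"),
    ("2016-05-25 05:23", "2016-01-14 11:00"),  # older than the retention window
    ("2016-05-25 05:24", "2016-05-25 04:10"),  # sent_time rises: new folder
    ("2016-05-25 05:25", "2016-05-10 13:45"),
    ("2016-05-25 05:26", "2016-04-25 08:05"),
    ("2016-05-25 05:27", "2016-05-25 03:55"),  # rises again: last folder
    ("2016-05-25 05:28", "2016-04-26 16:20"),
]

def split_into_folders(records):
    """Order by exfiltration time and start a new run whenever sent_time rises.

    Caveat: a folder whose newest email is older than the previous folder's
    oldest email is merged into that previous run.
    """
    rows = sorted((datetime.strptime(e, FMT), datetime.strptime(s, FMT))
                  for e, s in records)
    runs = []
    for exfil, sent in rows:
        if runs and sent <= runs[-1][-1][1]:
            runs[-1].append((exfil, sent))   # still latest-to-earliest
        else:
            runs.append([(exfil, sent)])     # ordering broke: new folder
    return runs

def summarize(runs, retention_days=30):
    """Per-run count, date range and number of emails older than the window."""
    newest = max(sent for run in runs for _, sent in run)
    cutoff = newest - timedelta(days=retention_days)  # assumed window anchor
    report = []
    for run in runs:
        sent_times = [sent for _, sent in run]
        report.append({
            "count": len(run),
            "latest": max(sent_times),
            "earliest": min(sent_times),
            "pre_retention": sum(sent < cutoff for sent in sent_times),
        })
    return report

if __name__ == "__main__":
    for i, row in enumerate(summarize(split_into_folders(SAMPLE)), 1):
        print(i, row)
```

Runs with a non-zero pre_retention count are the ones to inspect by hand, as with the voice-mail and Archive or Draft folders discussed above.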

August 26 and September 21, 2016 Tranches

Subsequent Wikileaks tranches of DNC emails had datestamps of August 26, 2016 and September 21, 2016. In these tranches, the distinctive sent_date-time versus exfiltration_time patterns observed in the July 22, 2016 tranche do not exist, as shown below:

However, there was a pattern to the exfiltration sequence: the August 26, 2016 and September 21, 2016 emails were in timestamp batches, each of which was sorted by increasing size (Mb). Shown below are plots for two August 26, 2016 batches: left - Brinster; right - Banfill. (These are NOT cumulative size, but the size of each email and attachments.)

Order of Exfiltration on May 23, 2016

The emails in the three mailboxes in the August 26, 2016 and September 21, 2016 tranches all appear to have been exfiltrated on May 23, 2016 in the hour prior to 2:04AM Pacific time. The reasoning (due to Forensicator) is as follows:

The latest email in each of the “May 23” mailboxes (Banfill, Brinster, Crystal) is earlier than the latest email in the Miranda mailbox.

From this detail, Forensicator plausibly assigned their export to the period immediately preceding the Miranda export - which began at 02:04 AM Pacific time on May 23, 2016. This would place the exfiltration of the Banfill, Brinster and Crystal emails to approximately 1:00AM - 2AM on May 23, 2016 Pacific time.

All three, like Luis Miranda of the July 22, 2016 drop, had a latest sent date of May 23, 2016.

Earliest Sent_Dates

Long ago (September 2017), I observed (link) that nearly all of the DNC emails were in the 35 days prior to May 25, 2016 - the date of the latest email in the archive, as shown in the figure below copied from that article.

The figure below shows additional detail on the late April 2016 period, color coding the mailbox count for each day. The “May 25” mailboxes have substantial volumes beginning on April 25, 2016. Two of the four “May 23” mailboxes have first volume on April 23, 2016; the Jeremy Brinster mailbox, anomalously, has significant volume beginning on April 19, 2016; the fourth “May 23” mailbox starts later in early May 2016. This suggests earlier access to the Jeremy Brinster mailbox.

Jeremy Brinster Anomaly

Some time ago, I observed (link) that Brinster was the last Modifier for all the docx and xlsx documents in the June 21 Guccifer 2 blog (about the HRC_pass zipfile) as shown below:

At the time, I also identified (link) Brinster as the unidentified “member of the DNC’s research team” referred to in Sussmann defense exhibit DX-165 (an email dated October 14, 2016) as recognizing Guccifer 2 documents that appeared to have come from his desktop, as, to his knowledge, he had not attached them in emails:

Forensicator (link) had previously identified Brinster as the author of nearly all the documents in the hrc_pass_.zip file uploaded by Guccifer 2 to his blog on June 21. Separately, Bruce Leidl had observed that the documents in the hrc_pass..zip file had been exfiltrated on April 26, 2016 at a very slow rate - a result confirmed by Forensicator (link) who calculated exfiltration at an average of about 26 kB/second.

DETAILS - APPENDIX

Following are some notes on three individual inboxes (Miranda, Comer, Kaplan) that were in my inventory.

Luis Miranda, May 23, 2016

The Miranda inbox was exported on May 23, 2016. All the emails were within the 30-day retention period. The mailbox appears to consist of a large Inbox folder, a large Sent folder and several minor folders - all ordered latest to earliest.

a very large Inbox (9064) - latest 5/23, earliest 4/23

a large Sent folder (1244) - latest 5/23, earliest 4/23

first folder (156) consists of voice mails and (apparently) unsent drafts. Filenames in form 05E01258E71AC046852ED29DFCD139D54DEF4239@dncdag1.dnc.org.

second folder consists of a small Inbox and small Sent (9)

Scott Comer

The Scott Comer mailbox was exfiltrated on May 25, 2016.

· Large (525) folder of voice mails in both current and past. (May 24 latest) These have 5C041 format.

· 334 emails inbox in current period DAG-format

· Tiny folder (4) from Jan 2016. Non-5C041

· Large current inbox 5C041 format from May 25 to Apr 25

· Small folder (8) old – notes to self and passwords.

· Large current folder (Sent) May 25 to Apr 25

· Small (current 9) folder

Jordan Kaplan

This was the first inbox exfiltrated on May 25, 2016. It contains the following folders.