draft summary of DNC e-mail timestamps suggests exfiltration times
Disclaimer:
------
Do NOT draw any conclusions from this analysis. It's FAR from complete. There are multiple plausible explanations
which explain these observations. There are also major limitations.
I am posting this because I feel it deserves more attention than my current collaborators and I can give it.
I am very open to collaboration and happy to give advice and point out things I noticed.
This is obviously a polarizing issue and all I ask is that collaborators try
to examine the data from an unbiased perspective.
Major limitations:
1. We only used a partial dataset of the DNC e-mails.
2. We haven't had a chance to look closely at the time zone discrepancies.
---------------
Summary:
The DNC deleted e-mails after 30 days, as reported by BuzzFeed (https://www.buzzfeed.com/sheerafrenkel/it-looks-like-someone-curated-the-wikileaks-emails-before-th)
and this e-mail: https://wikileaks.org/dnc-emails/emailid/43999
Because of this, we can estimate what day specific inboxes were exfiltrated.
The dataset used is incomplete and posted here as a .csv:
https://gist.github.com/wh1sks/2a6a51c66771e8beba5f07b519f3b67d
Scott Comer, Zach Allen, Daniel Parrish and Andrew Wright's e-mails were probably all exfiltrated once on 5/25.
Jordan Kaplan's e-mails were likely exfiltrated on 5/25 but appear to have been exfiltrated earlier as well, on 5/23.
Andy Crystal's e-mails were likely exfiltrated late on 5/22.
Ryan Banfill's e-mails were likely exfiltrated on 5/23.
Luis Miranda's e-mails were likely exfiltrated on 5/19 and 5/23.
The earliest e-mails appear to come from Jeremy Brinster's inbox on 5/19.
Notes:
There are some discrepancies that appear to be caused by the time zone changes. A good example is e-mail #28062.
If you search for the e-mail, the WikiLeaks search page says the e-mail was sent at 07:28. If you click the e-mail, the page says
05:28. If you download the raw source, the e-mail says 12:28 AM. These discrepancies should be solvable by looking more closely
at the context/body of the e-mails and the raw source and may even reveal something about the chain of custody of the e-mails.
Assessments are the simplest explanation we could come up with. There are definitely other explanations.
----------------------
Scott Comer:
Latest Scott Comer e-mail:
19781 2016-05-25 12:48:34 +0000 RE: DNC FINANCE - CALL TIME - TOMORROW (5/24) BonoskyG@dnc.org ComerS@dnc.org
Earliest Scott Comer e-mail:
18514 2016-04-25 13:17:08 +0000 Call Summary - 04/25/2016 08:57AM noreply@uberconference.com comers@dnc.org
All earlier e-mails from Scott Comer are like this: Incoming call from +1 (609) 501-4687 (Other) transferred by Kaplan, Jordan "+1 (609) 501-4687" <tel:+16095014687> "+1 (609) 501-4687" <+1 (609) 501-4687@dnc.org>, "Comer, Scott" <ComerS@dnc.org>
These appear to be saved.
Assessment: Scott Comer's e-mails were exfiltrated once around 13:00 on 5/25
--------------------------------------
Zach Allen:
Latest Zach Allen e-mail is:
22252 2016-05-25 12:38:38 +0000 Re: Obama dinner zallen@tipahconsulting.com klerer@lererhippeau.com
Next latest Zallen e-mail is:
2016-05-24 23:37:47 +0000 RE: Dinner on June 8 jack.taylor@prcm.com zallen@tipahconsulting.com, parrishd@dnc.org
Because of this, I believe the 5/25 12:38 e-mail had someone else CC'd on it.
The earliest Zallen e-mail is 14634 2016-04-25 00:34:23 +0000 Re: where art thou? AllenZ@DNC.org barcar720@aol.com
Assessment: Zach Allen's e-mails were likely exfiltrated once around 00:00 5/25.
--------------------------------------
Daniel Parrish:
Latest Daniel Parrish e-mail:
20963 2016-05-25 12:10:00 +0000 Re: June 8th with President Obama ParrishD@dnc.org maurajclark@gmail.com
Earliest Daniel Parrish e-mail:
276 2016-04-25 13:27:53 +0000 List for Vice chairs HoffmanA@dnc.org ParrishD@dnc.org
Assessment: Daniel Parrish's e-mails were exfiltrated once around 12:00 on 5/25
--------------------------------------
Jordan Kaplan:
Latest Jordan Kaplan e-mail:
3256 2016-05-25 12:03:21 +0000 POLITICO's Morning Money: Warren rips into Trump — POLITICO at the conventions — CEI on income inequality — Budget Committee ripped morningmoney@politico.com kaplanj@dnc.org
Earliest Jordan Kaplan e-mail:
958 2016-04-24 03:26:30 +0000 This is happening VaughnJ@dnc.org KaplanJ@dnc.org
Assessment: This discrepancy is interesting. We have a thread of e-mails from kaplanj 1.5 days earlier than we expect as well
as several e-mails from politicoplaybook and others on 4/24, over 30 days before the latest e-mail.
It appears that his e-mails were exfiltrated on 5/24 around 03:30 and then again around 12:00 on 5/25
--------------------------------------
Luis Miranda:
Latest Luis Miranda e-mail:
11455 2016-05-23 03:23:05 +0000 RE: Luis -- what do you think of this idea -- JobBlockers.org atobias123@gmail.com MirandaL@dnc.org
Earliest Luis Miranda e-mail:
26282 2016-04-19 14:11:48 +0000 RE: For approval: 3 short scripts for AAPI heritage month videos MirandaL@dnc.org BagchiK@dnc.org, ChristopherR@dnc.org, FreundlichC@dnc.org
Assessment: Luis Miranda's e-mails were exfiltrated twice. First around 14:00 on 5/19, then a second time around 03:30 on 5/23.
--------------------------------------
Andrew Wright:
Latest Wright e-mail:
16150 2016-05-24 18:55:10 +0000 RE: Voice Mail from Anonymous Caller (59 seconds) ShapiroA@dnc.org WrightA@dnc.org
Earliest Wright e-mail:
16308 2016-04-25 15:16:03 +0000 Re: What would you say you do here? WrightA@dnc.org ShapiroA@dnc.org
Assessment: Because Andrew Wright's e-mails are relatively sparse it is difficult to determine the exfiltration time. It was likely mid-day 5/25.
----------------------------
Erik Stowe:
Latest Stowe e-mail:
16879 2016-05-24 20:20:47 +0000 Alumni Challenge Update: Donor Honor Roll pds@communications.providenceday.org stowee@dnc.org
Earliest Stowe e-mail:
17097 2016-04-25 14:17:30 +0000 Photo Email StoweE@dnc.org FrankC@dnc.org
Assessment: Because Erik Stowe's e-mails are relatively sparse, it is difficult to determine the exact exfiltration time. It may have been mid-day 5/25.
----------------------------
Andy Crystal:
Latest Andy Crystal e-mail:
2621 2016-05-24 15:05:53 +0000 RE: For approval: POTUS for 5/31 JacquelynLopez@perkinscoie.com FreundlichC@dnc.org, ReifE@dnc.org, CrystalA@dnc.org, EMail-Vetting_D@dnc.org
There is a conspicuous gap in Crystal e-mails. All of the e-mails after the following e-mail have vetting_d on them, which may have included a different DNC member.
I suspect this is the latest Crystal e-mail but am not positive:
23152 2016-05-22 22:24:48 +0000 Research/Comms: Trump/Trump supporter graphics ReifE@dnc.org FreundlichC@dnc.org, BrinsterJ@dnc.org, LykinsT@dnc.org, DieterA@dnc.org, CrystalA@dnc.org
Earliest Andy Crystal e-mail. All earlier e-mails have either miranda or research_d or something:
29416 2016-04-22 15:50:39 +0000 RE: For research Az op-ed CrystalA@dnc.org WalshT@dnc.org, RR2@dnc.org
Assessment: E-mails were most likely exfiltrated once around 22:00 on 5/22.
----------------------------
Jeremy Brinster:
Latest Jeremy Brinster e-mail:
746 2016-05-24 22:55:50 +0000 Re: For approval: minimum wage anniversary graphics BrinsterJ@dnc.org ReifE@dnc.org
Earliest Jeremy Brinster e-mail:
28062 2016-04-19 07:28:09 +0000 Makaeff v. Trump University, Llc et al Notify@CourtLink.LexisNexis.com brinsterj@dnc.org, grahamc@dnc.org
Assessment: Jeremy Brinster's e-mails may have been exfiltrated twice. Once no later than 07:28 on 5/19.
----------------------------
Ryan Banfill:
Latest Banfill e-mail:
42061 2016-05-23 01:57:04 +0000 Re: FYI: My schedule PoughT@dnc.org BanfillR@dnc.org
Earliest Banfill e-mail:
41574 2016-04-28 15:51:49 +0000 Welcome to Exchange Unified Messaging MicrosoftExchange329e71ec88ae4615bbc36ab6ce41109e@dnc.org BanfillR@dnc.org
Earliest e-mail corresponds with Banfill setting up DNC e-mail.
Assessment: Probably got exfiltrated once at ~02:00 on 5/23
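
The bounding logic behind the assessments above, as an added example that is not part of the original gist: a single copy of a mailbox taken at time T under 30-day deletion can only contain mail dated between T minus 30 days and T. It assumes deletion happens exactly 30 days after the listed timestamp and that those timestamps are UTC; the function names are illustrative.

```python
from datetime import datetime, timedelta

RETENTION = timedelta(days=30)  # deletion window reported on this page
FMT = "%Y-%m-%d %H:%M:%S %z"

# (inbox, earliest, latest) timestamps copied from the rows quoted on this page
ROWS = [
    ("Scott Comer", "2016-04-25 13:17:08 +0000", "2016-05-25 12:48:34 +0000"),
    ("Daniel Parrish", "2016-04-25 13:27:53 +0000", "2016-05-25 12:10:00 +0000"),
    ("Jordan Kaplan", "2016-04-24 03:26:30 +0000", "2016-05-25 12:03:21 +0000"),
    ("Luis Miranda", "2016-04-19 14:11:48 +0000", "2016-05-23 03:23:05 +0000"),
    ("Ryan Banfill", "2016-04-28 15:51:49 +0000", "2016-05-23 01:57:04 +0000"),
]

def snapshot_window(earliest, latest, retention=RETENTION):
    """Bound the time T of a single mailbox copy.

    A copy taken at T holds mail dated in [T - retention, T], so
    latest <= T <= earliest + retention. Returns (lower, upper), or None
    when the span exceeds the retention period and no single T explains it.
    """
    first = datetime.strptime(earliest, FMT)
    last = datetime.strptime(latest, FMT)
    if last < first:
        raise ValueError("latest precedes earliest")
    upper = first + retention
    if last > upper:
        return None
    return last, upper

def summarize(rows=ROWS):
    """Map each inbox to its single-copy window or a multi-copy flag."""
    out = {}
    for name, earliest, latest in rows:
        window = snapshot_window(earliest, latest)
        if window is None:
            out[name] = "span > 30 days: more than one copy, or retained mail"
        else:
            lo, hi = window
            out[name] = f"{lo:%m-%d %H:%M} .. {hi:%m-%d %H:%M} UTC"
    return out

if __name__ == "__main__":
    for name, verdict in summarize().items():
        print(f"{name:15} {verdict}")
```

Pairing Zach Allen's earliest row with his next-latest row (2016-05-24 23:37:47) gives a window of 23:37 on 5/24 to 00:34 on 5/25. A recently created mailbox such as Ryan Banfill's yields only a loose upper bound, because its earliest message reflects account setup rather than the deletion horizon.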