draft summary of DNC e-mail timestamps suggests exfiltration times

dnc_timestamp_summ_draft.txt

Disclaimer:
------
Do NOT draw any conclusions from this analysis. It's FAR from complete. There are multiple plausible explanations 
which explain these observations. There are also major limitations. 

I am posting this because I feel it deserves more attention than me and current collaborators can give it. 

I am very open to collaboration and happy to give advice and point out things I noticed. 

This is obviously a polarizing issue and all I ask is that collaborators try
to examine the data from an unbiased perspective. 

Major limitations: 
1. We only used a partial dataset of the DNC e-mails. 
2. We haven't had a chance to look closely at the time zone discrepancies. 
---------------
Summary: 

The DNC deleted e-mails after 30 days as reported by buzzfeed (https://www.buzzfeed.com/sheerafrenkel/it-looks-like-someone-curated-the-wikileaks-emails-before-th) 
and this e-mail: https://wikileaks.org/dnc-emails/emailid/43999

Because of this, we can figure estimate what day specific inboxes were exfiltrated.

The dataset used is incomplete and posted here as a .csv: 
https://gist.github.com/wh1sks/2a6a51c66771e8beba5f07b519f3b67d


Scott Comer, Zach Allen, Daniel Parrish and Andrew Wright's e-mails were probably all exfiltrated once on 5/25. 

Jordan Kaplan's e-mails were likely exfiltrated on 5/25 but appear to have been exfiltrated earlier as well, on 5/23. 

Andy Crystal's e-mails were likely exfiltrated late on 5/22

Ryan Banfill's e-mails were likely exfiltrated on 5/23. 

Luis Miranda's e-mails were likely exfiltrated on 5/19 and 5/23. 

The earliest e-mails appear to come from Jeremy Brinster's inbox on 5/19. 

Notes: 
There are some discrepancies that appear to be caused by the time zone changes. A good example is e-mail #28062. 
If you search for the e-mail, the WikiLeaks search page says the e-mail was sent at 07:28. If you click the e-mail, the page says
05:28. If you download the raw source, the e-mail says 12:28 AM. These discrepancies should be solvable by looking more closely
at the context/body of the e-mails and the raw source and may even reveal something about the chain of custody of the e-mails. 

Assessments are the simplest explanation we could come up with. There are definitely other explanations.
----------------------

Scott Comer:
Latest Scott Comer e-mail:
19781	2016-05-25 12:48:34 +0000	RE: DNC FINANCE - CALL TIME - TOMORROW (5/24)	BonoskyG@dnc.org	ComerS@dnc.org

Earliest Scott Comer e-mail: 
18514	2016-04-25 13:17:08 +0000	Call Summary - 04/25/2016 08:57AM	noreply@uberconference.com	comers@dnc.org

All earlier e-mails from Scott Comer are like this: Incoming call from +1 (609) 501-4687 (Other) transferred by Kaplan, Jordan	"+1 (609) 501-4687" <tel:+16095014687>	"+1 (609) 501-4687" <+1 (609) 501-4687@dnc.org>,  "Comer,  Scott" <ComerS@dnc.org>
These appear to be saved. 

Assessment: Scott Comer's e-mails were exfiltrated once around 13:00 on 5/25

--------------------------------------
Zach Allen:
Latest Zach Allen e-mail is:
 22252	2016-05-25 12:38:38 +0000	Re: Obama dinner	zallen@tipahconsulting.com	klerer@lererhippeau.com

Next latest Zallen e-mail is: 
2016-05-24 23:37:47 +0000	RE: Dinner on June 8	jack.taylor@prcm.com	zallen@tipahconsulting.com,  parrishd@dnc.org

Because of this, I believe the 5/25 12:38 e-mail had someone else CC'd on it.

The earliest Zallen e-mail is 14634	2016-04-25 00:34:23 +0000	Re: where art thou?	AllenZ@DNC.org	barcar720@aol.com

Assessment: Zach Allen's e-mails were likely exfiltrated once around 00:00 5/25. 

--------------------------------------
Daniel Parrish:
Latest Daniel Parrish e-mail: 
20963	2016-05-25 12:10:00 +0000	Re: June 8th with President Obama	ParrishD@dnc.org	maurajclark@gmail.com

Earliest Daniel Parrish e-mail: 
276	2016-04-25 13:27:53 +0000	List for Vice chairs	HoffmanA@dnc.org	ParrishD@dnc.org

Assessment: Daniel Parrish's e-mails were exfiltrated once around 12:00 on 5/25

--------------------------------------
Jordan Kaplan:
Latest Jordan Kaplan e-mail: 
3256	2016-05-25 12:03:21 +0000	POLITICO's Morning Money: Warren rips into Trump — POLITICO at the conventions — CEI on income inequality — Budget Committee ripped	morningmoney@politico.com	kaplanj@dnc.org

Earliest Jordan Kaplan e-mail: 
958	2016-04-24 03:26:30 +0000	This is happening	VaughnJ@dnc.org	KaplanJ@dnc.org

Assessment: This discrepancy is interesting. We have a thread of e-mails from kaplanj 1.5 days earlier than we expect as well
as several e-mails from politicoplaybook and others on 4/24, over 30 days before the latest e-mail. 
It appears that his e-mails were exfiltrated on 5/24 around 03:30 and then again around 12:00 on 5/25

--------------------------------------
Luis Miranda:
Latest Luis Miranda e-mail
11455	2016-05-23 03:23:05 +0000	RE: Luis -- what do you think of this idea -- JobBlockers.org	atobias123@gmail.com	MirandaL@dnc.org
 
Earliest Luis Miranda e-mail: 
26282	2016-04-19 14:11:48 +0000	RE: For approval: 3 short scripts for AAPI heritage month videos	MirandaL@dnc.org	BagchiK@dnc.org,  ChristopherR@dnc.org,  FreundlichC@dnc.org

Assessment: Luis Miranda's e-mails were exfiltrated twice. First around 14:00 on 5/19, then a second time around 03:30 on 5/23. 

--------------------------------------
Andrew Wright:
Latest Wright e-mail:
16150	2016-05-24 18:55:10 +0000	RE: Voice Mail from Anonymous Caller (59 seconds)	ShapiroA@dnc.org	WrightA@dnc.org

Earliest wright e-mail:
16308	2016-04-25 15:16:03 +0000	Re: What would you say you do here?	WrightA@dnc.org	ShapiroA@dnc.org

Assessment: Because Andrew Wright's e-mails are relatively sparse it is difficult to determine the exfiltration time. It was likely mid-day 5/25. 
----------------------------
Latest Stowe e-mail:
16879	2016-05-24 20:20:47 +0000	Alumni Challenge Update: Donor Honor Roll	pds@communications.providenceday.org	stowee@dnc.org
Earliest Stowe e-mail: 
17097	2016-04-25 14:17:30 +0000	Photo Email	StoweE@dnc.org	FrankC@dnc.org

Assesment: Because Erik Stowe's e-mails are relatively sparse it is difficult to determine the exact exfiltration time. It may have been mid-day 5/25.

----------------------------
Andy Crystal: 

Latest Andy Crystal e-mail: 
2621	2016-05-24 15:05:53 +0000	RE: For approval: POTUS for 5/31	JacquelynLopez@perkinscoie.com	FreundlichC@dnc.org,  ReifE@dnc.org,  CrystalA@dnc.org,  EMail-Vetting_D@dnc.org

There is a conspicuous gap in crystal e-mails. All of the e-mails after following e-mail have vetting_d on them, which may have included a different DNC member. 
I suspect this is the latest Crystal e-mail but am not positive: 
23152	2016-05-22 22:24:48 +0000	Research/Comms: Trump/Trump supporter graphics	ReifE@dnc.org	FreundlichC@dnc.org,  BrinsterJ@dnc.org,  LykinsT@dnc.org,  DieterA@dnc.org,  CrystalA@dnc.org

Earliest Andy Crystal e-mail. All earlier e-mails have either miranda or research_d or something: 
29416	2016-04-22 15:50:39 +0000	RE: For research Az op-ed	CrystalA@dnc.org	WalshT@dnc.org,  RR2@dnc.org

Assessment: E-mails were most likely exfiltrated once around 22:00 on 5/22. 
----------------------------
Jeremy Brinster: 

Latest Jeremy Brinster e-mail
746	2016-05-24 22:55:50 +0000	Re: For approval: minimum wage anniversary graphics	BrinsterJ@dnc.org	ReifE@dnc.org

Earliest Jeremy Brinster e-mail:
28062	2016-04-19 07:28:09 +0000	Makaeff v. Trump University, Llc et al	Notify@CourtLink.LexisNexis.com	brinsterj@dnc.org,  grahamc@dnc.org

Assessment: Jeremy Brinster's e-mails may have been exfiltrated twice. Once no later than 07:28 on 5/19. 
----------------------------
Ryan Banfill: 
latest banfill e-mail: 
42061	2016-05-23 01:57:04 +0000	Re: FYI: My schedule	PoughT@dnc.org	BanfillR@dnc.org
Earliest Banfill e-mail: 
41574	2016-04-28 15:51:49 +0000	Welcome to Exchange Unified Messaging	MicrosoftExchange329e71ec88ae4615bbc36ab6ce41109e@dnc.org	BanfillR@dnc.org
 
Earliest e-mail corresponds with Banfill setting up DNC e-mail.

Assessment: Probably got exfiltrated once at ~02:00 on 5/23