Skip to content

Instantly share code, notes, and snippets.

@wh1sks
Last active February 12, 2019 05:01
Show Gist options
  • Save wh1sks/06613e1156d18c3a81895e5f3a6f291c to your computer and use it in GitHub Desktop.
Save wh1sks/06613e1156d18c3a81895e5f3a6f291c to your computer and use it in GitHub Desktop.
draft summary of DNC e-mail timestamps suggests exfiltration times
Disclaimer:
------
Do NOT draw any conclusions from this analysis. It's FAR from complete. There are multiple plausible explanations
which explain these observations. There are also major limitations.
I am posting this because I feel it deserves more attention than me and current collaborators can give it.
I am very open to collaboration and happy to give advice and point out things I noticed.
This is obviously a polarizing issue and all I ask is that collaborators try
to examine the data from an unbiased perspective.
Major limitations:
1. We only used a partial dataset of the DNC e-mails.
2. We haven't had a chance to look closely at the time zone discrepancies.
---------------
Summary:
The DNC deleted e-mails after 30 days as reported by buzzfeed (https://www.buzzfeed.com/sheerafrenkel/it-looks-like-someone-curated-the-wikileaks-emails-before-th)
and this e-mail: https://wikileaks.org/dnc-emails/emailid/43999
Because of this, we can figure estimate what day specific inboxes were exfiltrated.
The dataset used is incomplete and posted here as a .csv:
https://gist.github.com/wh1sks/2a6a51c66771e8beba5f07b519f3b67d
Scott Comer, Zach Allen, Daniel Parrish and Andrew Wright's e-mails were probably all exfiltrated once on 5/25.
Jordan Kaplan's e-mails were likely exfiltrated on 5/25 but appear to have been exfiltrated earlier as well, on 5/23.
Andy Crystal's e-mails were likely exfiltrated late on 5/22
Ryan Banfill's e-mails were likely exfiltrated on 5/23.
Luis Miranda's e-mails were likely exfiltrated on 5/19 and 5/23.
The earliest e-mails appear to come from Jeremy Brinster's inbox on 5/19.
Notes:
There are some discrepancies that appear to be caused by the time zone changes. A good example is e-mail #28062.
If you search for the e-mail, the WikiLeaks search page says the e-mail was sent at 07:28. If you click the e-mail, the page says
05:28. If you download the raw source, the e-mail says 12:28 AM. These discrepancies should be solvable by looking more closely
at the context/body of the e-mails and the raw source and may even reveal something about the chain of custody of the e-mails.
Assessments are the simplest explanation we could come up with. There are definitely other explanations.
----------------------
Scott Comer:
Latest Scott Comer e-mail:
19781 2016-05-25 12:48:34 +0000 RE: DNC FINANCE - CALL TIME - TOMORROW (5/24) BonoskyG@dnc.org ComerS@dnc.org
Earliest Scott Comer e-mail:
18514 2016-04-25 13:17:08 +0000 Call Summary - 04/25/2016 08:57AM noreply@uberconference.com comers@dnc.org
All earlier e-mails from Scott Comer are like this: Incoming call from +1 (609) 501-4687 (Other) transferred by Kaplan, Jordan "+1 (609) 501-4687" <tel:+16095014687> "+1 (609) 501-4687" <+1 (609) 501-4687@dnc.org>, "Comer, Scott" <ComerS@dnc.org>
These appear to be saved.
Assessment: Scott Comer's e-mails were exfiltrated once around 13:00 on 5/25
--------------------------------------
Zach Allen:
Latest Zach Allen e-mail is:
22252 2016-05-25 12:38:38 +0000 Re: Obama dinner zallen@tipahconsulting.com klerer@lererhippeau.com
Next latest Zallen e-mail is:
2016-05-24 23:37:47 +0000 RE: Dinner on June 8 jack.taylor@prcm.com zallen@tipahconsulting.com, parrishd@dnc.org
Because of this, I believe the 5/25 12:38 e-mail had someone else CC'd on it.
The earliest Zallen e-mail is 14634 2016-04-25 00:34:23 +0000 Re: where art thou? AllenZ@DNC.org barcar720@aol.com
Assessment: Zach Allen's e-mails were likely exfiltrated once around 00:00 5/25.
--------------------------------------
Daniel Parrish:
Latest Daniel Parrish e-mail:
20963 2016-05-25 12:10:00 +0000 Re: June 8th with President Obama ParrishD@dnc.org maurajclark@gmail.com
Earliest Daniel Parrish e-mail:
276 2016-04-25 13:27:53 +0000 List for Vice chairs HoffmanA@dnc.org ParrishD@dnc.org
Assessment: Daniel Parrish's e-mails were exfiltrated once around 12:00 on 5/25
--------------------------------------
Jordan Kaplan:
Latest Jordan Kaplan e-mail:
3256 2016-05-25 12:03:21 +0000 POLITICO's Morning Money: Warren rips into Trump — POLITICO at the conventions — CEI on income inequality — Budget Committee ripped morningmoney@politico.com kaplanj@dnc.org
Earliest Jordan Kaplan e-mail:
958 2016-04-24 03:26:30 +0000 This is happening VaughnJ@dnc.org KaplanJ@dnc.org
Assessment: This discrepancy is interesting. We have a thread of e-mails from kaplanj 1.5 days earlier than we expect as well
as several e-mails from politicoplaybook and others on 4/24, over 30 days before the latest e-mail.
It appears that his e-mails were exfiltrated on 5/24 around 03:30 and then again around 12:00 on 5/25
--------------------------------------
Luis Miranda:
Latest Luis Miranda e-mail
11455 2016-05-23 03:23:05 +0000 RE: Luis -- what do you think of this idea -- JobBlockers.org atobias123@gmail.com MirandaL@dnc.org
Earliest Luis Miranda e-mail:
26282 2016-04-19 14:11:48 +0000 RE: For approval: 3 short scripts for AAPI heritage month videos MirandaL@dnc.org BagchiK@dnc.org, ChristopherR@dnc.org, FreundlichC@dnc.org
Assessment: Luis Miranda's e-mails were exfiltrated twice. First around 14:00 on 5/19, then a second time around 03:30 on 5/23.
--------------------------------------
Andrew Wright:
Latest Wright e-mail:
16150 2016-05-24 18:55:10 +0000 RE: Voice Mail from Anonymous Caller (59 seconds) ShapiroA@dnc.org WrightA@dnc.org
Earliest wright e-mail:
16308 2016-04-25 15:16:03 +0000 Re: What would you say you do here? WrightA@dnc.org ShapiroA@dnc.org
Assessment: Because Andrew Wright's e-mails are relatively sparse it is difficult to determine the exfiltration time. It was likely mid-day 5/25.
----------------------------
Latest Stowe e-mail:
16879 2016-05-24 20:20:47 +0000 Alumni Challenge Update: Donor Honor Roll pds@communications.providenceday.org stowee@dnc.org
Earliest Stowe e-mail:
17097 2016-04-25 14:17:30 +0000 Photo Email StoweE@dnc.org FrankC@dnc.org
Assesment: Because Erik Stowe's e-mails are relatively sparse it is difficult to determine the exact exfiltration time. It may have been mid-day 5/25.
----------------------------
Andy Crystal:
Latest Andy Crystal e-mail:
2621 2016-05-24 15:05:53 +0000 RE: For approval: POTUS for 5/31 JacquelynLopez@perkinscoie.com FreundlichC@dnc.org, ReifE@dnc.org, CrystalA@dnc.org, EMail-Vetting_D@dnc.org
There is a conspicuous gap in crystal e-mails. All of the e-mails after following e-mail have vetting_d on them, which may have included a different DNC member.
I suspect this is the latest Crystal e-mail but am not positive:
23152 2016-05-22 22:24:48 +0000 Research/Comms: Trump/Trump supporter graphics ReifE@dnc.org FreundlichC@dnc.org, BrinsterJ@dnc.org, LykinsT@dnc.org, DieterA@dnc.org, CrystalA@dnc.org
Earliest Andy Crystal e-mail. All earlier e-mails have either miranda or research_d or something:
29416 2016-04-22 15:50:39 +0000 RE: For research Az op-ed CrystalA@dnc.org WalshT@dnc.org, RR2@dnc.org
Assessment: E-mails were most likely exfiltrated once around 22:00 on 5/22.
----------------------------
Jeremy Brinster:
Latest Jeremy Brinster e-mail
746 2016-05-24 22:55:50 +0000 Re: For approval: minimum wage anniversary graphics BrinsterJ@dnc.org ReifE@dnc.org
Earliest Jeremy Brinster e-mail:
28062 2016-04-19 07:28:09 +0000 Makaeff v. Trump University, Llc et al Notify@CourtLink.LexisNexis.com brinsterj@dnc.org, grahamc@dnc.org
Assessment: Jeremy Brinster's e-mails may have been exfiltrated twice. Once no later than 07:28 on 5/19.
----------------------------
Ryan Banfill:
latest banfill e-mail:
42061 2016-05-23 01:57:04 +0000 Re: FYI: My schedule PoughT@dnc.org BanfillR@dnc.org
Earliest Banfill e-mail:
41574 2016-04-28 15:51:49 +0000 Welcome to Exchange Unified Messaging MicrosoftExchange329e71ec88ae4615bbc36ab6ce41109e@dnc.org BanfillR@dnc.org
Earliest e-mail corresponds with Banfill setting up DNC e-mail.
Assessment: Probably got exfiltrated once at ~02:00 on 5/23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment