The Washington Post examined a copy of what was claimed to be Hunter Biden's hard drive. Two forensic experts examined it to determine the authenticity of the documents. Jack Maxey, an activist working for Steve Bannon, turned the copy of the hard drive over to the Post in June 2021 saying he obtained it from Rudy Giuliani. From the article:
The portable drive provided to The Post contains 286,000 individual user files, including documents, photos, videos and chat logs. Of those, Green and Williams concluded that nearly 22,000 emails among those files carried cryptographic signatures that could be verified using technology that would be difficult for even the most sophisticated hackers to fake. Such signatures are a way for the company that handles the email — in the case of most of these, Google — to provide proof that the message came from a verified account and has not been altered in some way. Alterations made to an email after it has been sent cause the cryptographic signatures to become unverifiable.
The verified emails cover a time period from 2009 to 2019, when Hunter Biden was acting as a consultant to companies from China and Ukraine, and exploring opportunities in several other countries. His father was vice president from 2009 to 2017. Many of the nearly 22,000 verified emails were routine messages, such as political newsletters, fundraising appeals, hotel receipts, news alerts, product ads, real estate listings and notifications related to his daughters’ schools or sports teams. There was also a large number of bank notifications, with about 1,200 emails from Wells Fargo alone. Other emails contained exchanges with Hunter Biden’s business partners, personal assistants or members of his family. Some of these emails appear to offer insights into deals he developed and money he was paid for business activities that opponents of his father’s bid for the presidency sought to make a campaign issue in 2020.
The drive also includes some verified emails from Hunter Biden’s work with Burisma, the Ukrainian energy company for which he was a board member. President Donald Trump’s efforts to tie Joe Biden to the removal of a Ukrainian prosecutor investigating Burisma led to Trump’s first impeachment trial, which ended in acquittal in February 2020. The Post’s review of these emails found that most were routine communications that provided little new insight into Hunter Biden’s work for the company.
In their examinations, [the Post's forensic experts] Green and Williams found evidence that people other than Hunter Biden had accessed the drive and written files to it, both before and after the initial stories in the New York Post and long after the laptop itself had been turned over to the FBI. Maxey had alerted The Washington Post to this issue in advance, saying that others had accessed the data to examine its contents and make copies of files. But the lack of what experts call a “clean chain of custody” undermined Green’s and Williams’s ability to determine the authenticity of most of the drive’s contents. “The drive is a mess,” Green said.
He compared the portable drive he received from The Post to a crime scene in which detectives arrive to find Big Mac wrappers carelessly left behind by police officers who were there before them, contaminating the evidence. That assessment was echoed by Williams. “From a forensics standpoint, it’s a disaster,” Williams said. (The Post is paying Williams for the professional services he provided. Green declined payment.)
But both Green and Williams agreed on the authenticity of the emails that carried cryptographic signatures, though there was variation in which emails Green and Williams were able to verify using their forensic tools. The most reliable cryptographic signatures, they said, came from leading technology companies such as Google, which alone accounted for more than 16,000 of the verified emails. Neither expert reported finding evidence that individual emails or other files had been manipulated by hackers, but neither was able to rule out that possibility.
They also noted that while cryptographic signatures can verify that an email was sent from a particular account, they cannot verify who controlled that account when the email was sent. Hackers sometimes create fake email accounts or gain access to authentic ones as part of disinformation campaigns — a possibility that cannot be ruled out with regard to the email files on Hunter Biden’s laptop. Williams wrote in his technical report that timestamps on a sampling of documents and operating system indexes he examined were consistent with each other, suggesting the authenticity of at least some of the files that lacked cryptographic signatures. But he and Green agreed that sophisticated hackers could have altered the drive’s contents, including timestamps, in a way difficult and perhaps impossible to detect through forensic examination alone.
Analysis was made significantly more difficult, both experts said, because the data had been handled repeatedly in a manner that deleted logs and other files that forensic experts use to establish a file’s authenticity. “No evidence of tampering was discovered, but as noted throughout, several key pieces of evidence useful in discovering tampering were not available,” Williams’ reports concluded.
Out of the drive’s 217 gigabytes of data, there are 4.3 gigabytes of email files. Green, working with two graduate students, verified 1,828 emails — less than 2 percent of the total — but struggled with others that had technical flaws they could not resolve. He said the most common problems resulted from alterations caused when the MacBook’s mail-handling software downloaded files with attachments in a way that made cryptographic verification of those messages difficult.
Williams verified a larger number of emails, nearly 22,000 in total — which included almost all of the ones Green had verified — after overcoming that problem by using software to correct alterations in the files. But he encountered obstacles with other emails that were only partially downloaded onto the drive, creating incomplete files that could not be verified cryptographically. Most of these files, he said, were probably just snippets of emails that would allow a user to preview the messages without downloading the full files. The cryptographic verification techniques worked only on incoming emails, not ones that were sent from Hunter Biden’s accounts. Because the purpose of these signatures is to verify the identity of senders, only the records of an incoming email would contain signatures.
In addition to emails, the drive includes hundreds of thousands of other documents, including more than 36,000 images, more than 36,000 iMessage chat entries, more than 5,000 text files and more than 1,300 videos, according to tallies made by Williams, who, like Green, could not definitively verify any of them. In a small number of cases, The Post was able to establish the veracity of some of these files, such as bank documents, by obtaining copies from other sources.
Among the emails verified by Williams and Green were a batch of messages from Vadym Pozharskyi, an adviser to the board of Burisma, the Ukrainian gas company for which Hunter Biden was a board member. Most of these emails were reminders of board meetings, confirmation of travel, or notifications that his monthly payment had been sent.
Both Green and Williams said the Burisma emails they verified cryptographically were likely to be authentic, but they cautioned that if the company was hacked, it would be possible to fake cryptographic signatures — something much less likely to happen with Google. One of the verified emails from Pozharskyi, which was the focus of one of the initial stories from the New York Post, was written on April 17, 2015. It thanked Hunter Biden “for inviting me to DC and giving me an opportunity to meet your father and spent [sic] some time together.” When the email first emerged in the New York Post about three weeks before the 2020 election, the Biden campaign and Hunter Biden’s lawyer both denied that Pozharskyi had ever met with Joe Biden. Asked recently about the email, the White House pointed to the previous denials, which The Post has examined in detail.
Some other emails on the drive that have been the foundation for previous news reports could not be verified because the messages lacked verifiable cryptographic signatures. One such email was widely described as referring to Joe Biden as “the big guy” and suggesting the elder Biden would receive a cut of a business deal. One of the recipients of that email has vouched publicly for its authenticity but President Biden has denied being involved in any business arrangements.
Months after the laptop itself had been taken into FBI custody — three new folders were created on the drive. Dated Sept. 1 and 2, 2020, they bore the names “Desktop Documents,” “Biden Burisma” and “Hunter. Burisma Documents.” Williams also found records on the drive that indicated someone may have accessed the drive from a West Coast location in October 2020, little more than a week after the first New York Post stories on Hunter Biden’s laptop appeared. Over the next few days, somebody created three additional folders on the drive, titled, “Mail,” “Salacious Pics Package” and “Big Guy File” — an apparent reference to Joe Biden.
There are limits to cryptographic verification of emails, both experts said. Not all email services provide cryptographic signatures, and among those that did, not all did so with the care of Google, which is regarded within the technology industry as having strong security protocols. Green and Williams said the only realistic way to fake Google’s DKIM signatures would be to hack the company’s own secure servers and steal private cryptographic keys — something they considered unlikely even for nation-state-level hackers using the most advanced techniques.
So, to sum up, there were thousands of documents on the hard drive, most of them innocuous, that the experts could verify. In some cases, they verified documents by comparing them to copies available from other sources. They could not verify most of the emails or other documents on the hard drive. The 2015 email from Burisma that went into the New York Post article was "likely to be authentic," but they could not rule out someone hacking into Burisma's servers. Many other emails and documents could not be authenticated. There was no evidence of tampering found but no way to rule out possible tampering. The copy of the drive provided the Post had been accessed on multiple occasions after the FBI seized the original and a number of new files were created.
