Even if Judge Maryellen Noreika threw out the gun charges against Hunter Biden today, I’d be grateful for the recent squabble over Hunter Biden’s motion to compel, and not just for the endless amusement of seeing an experienced drug prosecutor like Derek Hines claim sawdust on a table saw is cocaine.

That’s because by providing what he thinks is solid proof that Hunter was an addict in 2018, Hines has revealed a bit about where such evidence exists among the digital evidence he has in hand and where it doesn’t.

Most significantly, for this case, it appears Derek Hines relied exclusively on the laptop to get the texts surrounding the period immediately after Hunter Biden bought a gun. Particularly given the turmoil in Hunter’s access to his devices in those precise days, without validation of the texts in an Apple database, that would make the texts far harder to use at trial.

As a reminder, the Apple data at issue comes from three places:

• An initial warrant dated August 29, 2019 to obtain all the contents of Hunter Biden’s iCloud account
• The December 13, 2019 warrant to access all the contents of the laptop obtained from John Paul Mac Isaac, which investigators used to access devices backed up to iTunes on it
• A follow-up warrant dated July 10, 2020 to access the backups of four devices saved to Hunter’s iCloud account, described in a fourth warrant as:
  • iPhone X (Apple Backup 1)
  • iPhone 6S (Apple Backup 2)
  • iPad Pro (Apple Backup 4)
  • iPhone XR (Apple Backup 11)

In December, Hines got a warrant to search the existing data for gun crime evidence, but did not go back to obtain a warrant to access any backed up devices — if they exist — that would be more appropriate to the gun charges.

Hines claimed, in his response to Hunter’s selective prosecution bid that, “the results of the search” of the laptop “were largely duplicative of information investigators had already obtained from Apple.” In his response to Hunter’s motion to compel, he claimed that, “Many of the same messages, photographs, and information that were obtained from the iCloud warrants were also located on the defendant’s laptop,” but made no representations about the reverse — whether all the messages present on the laptop were in the iCloud production.

It appears they were not.

This table shows my rough transcription the 28 items included in Hines’ exhibit of gun-related evidence. Let me know of errors, particularly with my time conversations between UTC and “Hunter time,” which I’ve assumed was PT for the earlier texts and ET for the later ones. I’ve bolded those instances where “Hunter time” is the day before UTC time. My transcription of the hex identifiers, where Hines included them, are especially likely to have errors (and only include the first identified hex for each item).

These items include:

Items 1, 26-28: Four pictures, all of which he has presented without hex identifiers or EXIF metadata. Two come from iPhone backups obtained from Hunter’s iCloud (one being the iPad on which items 28-25 were found); two (including the sawdust picture) come from what is described as an iPhone 11 backed up to iTunes, apparently found on the laptop; I’m aware of no public record of Hunter owning an iPhone 11. Note: for the reason zscoreUSA notes below, Hines’ label of the sawdust picture as an iPhone 11 must be an error, as those were first released on September 20, 2019, too late to be on the laptop, and only possible to be included in the iCloud returns if Hunter got one the day they were released and backed up everything to an iPhone 11. So it may be a typo for iCloud backup 11, which would be an iPhone XR. 

Items 2-10: Nine texts, dated between May and July 2018, obtained from iCloud Backup 1, which the warrant return describes as an iPhone X. Six of those, items 5 through 10, appear to record a drug transaction arranged over the course of a half hour overnight on July 25-26. While this backup is associated with an iPhone X of uncertain vintage (Hunter went through at least three iPhone Xes in 2018), seven items were obtained from a device called XRNASHUA, an iPhone XR; Apple did not introduce the iPhone XR until October 2018 and Hunter is not known to have obtained his first one until spring 2019, in New Haven, not Nashua. The only two communications obtained from an iPhone X, Items 3 and 4, used an unknown phone number. Item 2 is a WhatsApp text.

Items 11-17: These texts, showing exchanges between Hunter and Hallie Biden on October 13, 14, and 23, derive from what Hines describes as an iTunes Backup. Hines doesn’t identify of which phone — not even the device type — nor does the metadata included identify which phone Hunter used. Just one of the texts Hunter sent, item 13, is described as “delivered” after it was “sent.” I’ll return to these below.

Items 18-25: These texts came from an iPad Pro called “Robert’s iPad” which, based on the serial number included in Gus Dimitrelos’ report, was purchased in November 2015.

iPad Pro 12.9-inch (1st generation) Wi-Fi
Purchase Date: November 2015

Serial Number: DLXQL4EUGMLD

Emails released on BidenLaptopEmails dot com show someone logging into Hunter’s iCloud, Facetime, and iMessage with an iPad Pro on November 11, 2015, the same day Gus Dimitrelos shows it — named as Roberts, no apostrophe, iPad — logging into Hunter’s iCloud account. The next day, a pricy iPad pencil was ordered from Apple, though it was on backorder until January 2016. On May 20, 2016, Find my iPad was used to play a sound on an iPad called “iPad 206” twice. The process of signing into iCloud, then Facetime and iMessage with an iPad Pro, was repeated on September 11, 2016, what Dimitrelos describes as the first access by iPad 206, the one already associated with Hunter’s account earlier that year. On October 26, 2016, Find my iPad was disabled on iPad Pro 206 and on November 13, 2016 the cards were removed and the device was deleted — presumably, given that Find my iPad had been disabled, in person. Those same publicly released emails show no other iPad Pros logging for the first time into Hunter’s account, though in August 2018, an iPad (not identified as a Pro) was deleted, with that process completing in September 2018. But Dimitrelos shows four other iPads named either “Robert’s” or “Roberts” iPad logging into Hunter’s account (February 19, 2013, August 24, 2017, October 21, 2017, January 21, 2018). Of the texts included in Hines’ exhibit, which were sent between November 8 and December 27, 2018, just one, item 20, was marked as delivered and read, and it wasn’t one of the ones sent to probable family members.

I’ll leave the technical discussion there, in case anyone understands how Apple tracks iMessage texts or the difference between texts saved in ChatStorage and SMS.

But several general conclusions stick out. First, it’s likely that two of the devices for which Hines got a new warrant for drug crimes in December 2018, iCloud Backup 2, a 6S, and iCloud Backup 3, seemingly a different XR, had no communications pertinent to the year in question, 2018 [update: unless the explanation for Hines’ error in labeling photos as iPhone 11 is a typo for iCloud backup 11]. That will be of interest if Abbe Lowell ever gets to file a suppression motion, since there could be no probable cause to obtain content from an unrelated period. Second, it’s not clear that any of these devices were the devices on which the communications in question were sent. Hines’ best evidence of a drug purchase — those texts from July 25-26, 2018 — would probably have been sent in an iPhone X and then synched onto an iPhone XR purchased quite a bit later. As with all the other digital evidence Hines seems not to have thought through, given how often Hunter lost devices with access to his iCloud account and how rarely he reset it, it’s not enough to show that texts saved through Hunter’s iCloud showed evidence of a drug purchase. You would have to show that the phone on which those texts were originally sent was in Hunter’s hand at the time the texts were sent.

And this problem is especially fraught for those October 13-14 texts sent between Hallie and Hunter in October 2018, by far the most important evidence for his case. Here’s how they fit in with the timeline I laid out here, showing how Hunter responded after realizing he had misplaced both his main phones on October 11. The two main texts (in bold below) appear to have been sent before Hunter first logged into his new replacement iPhone and before he changed his password, even while people were clearly trying to break into some of his accounts. So prosecutors would have to prove that those texts weren’t sent by whoever inherited the phones Hunter had just lost.

Timeline

October 12, 12:56PM: As you requested, your temporary [AT&T] password is: ****** Use your user ID and temporary password to sign in to your account.

October 12, 12:56PM: Looks like you recently updated the AT&T password.

October 12, 12:57PM: Critical security alert for your linked Google Account, Sign-in attempt was blocked for your linked [RosemontSeneca] Google Account [device not specified]

October 12, 3:25PM: Thanks for using your AT&T Device Protection Plan! Your claim [ending in 431] has been started

October 12, 3:32PM: Thanks for using your AT&T Device Protection Plan! Your claim [ending in 431] has been started

October 12, 3:38PM: Thanks for using your AT&T Device Protection Plan! Your claim [ending in 579] has been started

October 12, 3:40PM: Your [AT&T] insurance claim [phone ending in 96]

October 12, 3:44PM: Your [AT&T] insurance claim [phone ending in 13]

October 12, 3:49PM: Thanks for using your AT&T Device Protection Plan! Your claim [ending in 701] has been started

October 12, 3:55PM: Please complete and return your claim documents Wireless Number: **94

October 12, 3:57PM: Thanks for using your AT&T Device Protection Plan! Your claim [ending in 799] has been started

October 12, 4:03PM: Please complete and return your claim documents Wireless Number: **29

October 12, 5:35PM: Hello. Review your AT&T order

October 12, 6:22PM: Good news. Your replacement device [grey Apple iPhoneX] has shipped. [phone ending in 13]

October 12, 6:24PM: Phone [email from Joey]

Hey, You left your phone and other things. Tried to reach you at 202 and 302 all day but no luck. Let me know where to overnight.

October 12, 7:20PM: Good news. Your replacement device [iPhone 8] has shipped. [phone ending in 96]

October 12, 8:00PM: Verify your Samsung account [accessing Hunter’s iCloud]

October 12, 11:31PM: Someone Just Checked Your Background Report

October 13, 7:10AM: (Email) You left your phone. How do I get it to you?

joey

October 13, 7:26AM: (Email) You left your phone. How do I get it to you?

joey

October 13, 11:13AM: Let’s setup your AT&T replacement device [phone ending in 13]

October 13, 12:35AM: Someone Just Checked Your Background Report

October 13, 2:00PM: Hello, Review your AT&T order [changes to wireless]

October 13, 9:17PM: Your [RosemontSeneca] Google Account was just signed in to from a new Samsung Galaxy Note 9 device

October 13 10:30PM: I’m now off MD Ave behind blue rocks

October 13, 11:36PM: Wells Fargo Has Registered Your Mobile Device

October 14, 5:37AM: I was sleeping in a car

October 14, 2:24PM: Your Apple ID password has been reset

October 14, 2:24PM: Your Apple ID was used to sign in to iCloud on an iPhone X

October 14, 3:28PM: Wells Fargo card added to Apple Pay

October 14, 3:36PM: Verify your Samsung account [on iCloud]

October 14, 7:48PM: (Email from Joey) “Overcoming myself”

When you have a minute, read ….

Open my shared note: