The AT&T Associations Underlying the Shoddy Laptop Validation

Hunter Biden’s prosecutors may have knowledge of more problems with the laptop attributed to him than they’ve let on.

As I’ve described and quoted here, all the validation they’ve provided for the laptop is that the serial number for the device matches one of the seven or eight laptops he was using in the year leading up to John Paul Mac Isaac receiving it and the invoice from John Paul Mac Isaac’s shop was sent to Hunter’s publicly available email address; the invoice submitted at trial doesn’t even show the metadata.

As I noted, when Derek Hines asked summary witness Erika Jensen (who is not a cybersecurity expert) to describe the genesis of the digital evidence, he only asked her to show the subscriber records.

When Derek Hines had Erika Jensen present the cherry pick of evidence they’re using in this case, he relied on Subscriber records (one, two, three) and Jensen’s testimony to tie the comms depicted in the summary chart to Hunter. She didn’t show Apple’s records of which devices were associated with his account at any given time, which would give jurors a sense of — for example — the precise turmoil in his devices in this period (but would also give some idea of real anomalies that should have led to the exclusion of the laptop). Prosecutors could have shown that Hunter went through a lot of devices by showing that list from Apple. Instead, they’re going to rely on Kestan’s testimony.

He did not ask her to show the list of devices, obtained from Apple, that had been associated with Hunter’s account. We’re just taking Agent Jensen’s word that the laptop is associated with the computer (it is, but I find it notable that prosecutors didn’t submit the list into evidence).

Q. How?

A. Among other things, there was a serial number that’s on the back of this laptop that matches the Apple subpoena records that they obtained in 2019, so it matches the registration of this particular device to the iCloud account at a particular date.

Q. And is that serial number FVFXC2MMHB29?

A. Yes.

Q. And that’s also in the Apple records, you said?

Note: even though elsewhere she describes that the Apple information obtained “purchase history by device,” Jensen doesn’t claim that there’s a receipt showing Hunter buying it from Apple. We know there are receipts for the laptop Hunter bought on September 1 (the one that ended up with Keith Ablow), and the two phones replaced the same day he bought a gun. As far as I know, no one has ever seen a receipt for the laptop that ended up in FBI custody.

For each of the two device iCloud backups used at trial, Jensen made sure that the devices were associated with one of three phone numbers shown on the subscriber subpoenas to AT&T.

Q. What did that response show?

A. It showed — it would be considered supplier records, so it showed purchase history by device associated with Apple ID’s, which are associated with a person, and registration information for devices, and other subscriber information for devices associated with Robert H. Biden or Hunter Biden.

Q. Did those records correlate in some respects to the phone records you received from AT&T?

A. Yes. You could see in the records that the phone numbers that came back from AT&T were associated with various devices every time.

[snip]

Q. Are there two back up files that investigators utilized for evidence in this case?

A. Yes.

Q. What back up files were those?

A. So we named them Apple back up one, two, three and four. Three is a back up of an iPad pro. So that one was one that we used. The second one we used was Apple back up four, which was an iPhone SR.

Q. Were both of these devices registered to the defendant based on the Apple records?

A. Yes, so the extraction report that comes from these back ups show that there were information, including things like the phone number and MIMEI that associated these devices to Mr. Biden.

Q. Did you independently verify the Apple records to make sure they correlated with the AT&T phone records that we saw produced by AT&T?

A. Yes.

While Jensen described that devices could be backed up either via iCloud (to the cloud) or via iTunes (to a device), she didn’t describe that the most important texts in the case were backed up to iTunes on the laptop, and that that device was also using a number in Hunter’s name at the time (actually, he reactivated it the same day he bought the gun).

More notably, she didn’t do the same for a range of other communications obtained from the laptop:

That is, she was not asked to apply her secondary method of validation for a good number of the comms submitted.

Transcript

Q. What phone records did law enforcement initially obtain?

A. We had phone records, subscriber and call records, which show the back and forth between numbers for three phone numbers that were used by Mr. Biden.

Q. And I’m showing you Exhibit 22(a), 23(a), and 24(a). Take a moment to look at those. What are those three exhibits, Agent Jensen?

A. So this is wireless subscriber information from AT&T for three telephone numbers, subscribed to Robert Biden.

MR. HINES: Move for the admission of 22(a), 23(a) and 24(a).

MR. LOWELL: No objection.

THE COURT: All right. Thank you, they’re admitted. (Exhibit Nos. 22(a), 23(a) and 24(a) were admitted into evidence.)

MR. HINES: Ms. Vo, if you could display 22(a).

BY MR. HINES: Q. Agent Jensen, can you describe what this record shows?

A. So this record, which does have some redaction boxes for personal information shows on the top, you can see, financial liable party, billing party, this is information for a telephone number, 202-552-9396.

Q. And Ms. Vo, if we zoom in on the middle of that page where it says user information. Is that the phone number you read right there under MSISBN?

A. Yes.

Q. Is this a record you received in response to a subpoena your investigators received?

A. Yes, this is a record we received approximately April 5th of 2019.

Q. It identifies the defendant’s name, as well associated with that number?

A. Yes.

Q. Turning to the next record, 23(a), is this another response to a subpoena from AT&T?

A. Yes, so this came back as part of the same subpoena return, so as part of the same subscriber record. This phone number is 302-377-3313. Also user name Robert H. Biden.

Q. That’s a second phone number that you learned was affiliated with Mr. Biden?

A. Yes.

Q. Turning to Exhibit 24(a), what is the phone number listed here?

A. This is a telephone number 202-285-2473.

Q. Who is it listed under?

A. Robert Biden.

Q. And is this the party that’s the listed financial liable party?

A. It’s both, so at the top it shows Robert Biden as well, and then the user information will typically be the person the phone number is associated with, at least per the AT&T record.

Q. If we zoom out a second Ms. Vo, and look at the date on the top left-hand corner of this document. When were these records provided to law enforcement?

A. On or about, they were generated on 4/5 of 2019, so we would have received them on or just after that date.

Q. After receiving this information from AT&T about the defendant’s phone numbers, did investigators issue other subpoenas?

A. Yes.

Q. What is an example of an entity that the investigator issued a subpoena to?

A. After that April 16th of 2019 there was a subpoena issued to Apple Incorporated.

Q. What is Apple Incorporated?

A. Apple as in Apple iPhones, iPads, MAC computers.

Q. Did Apple provide a response?

A. Yes.

Q. What did that response show?

A. It showed — it would be considered supplier records, so it showed purchase history by device associated with Apple ID’s, which are associated with a person, and registration information for devices, and other subscriber information for devices associated with Robert H. Biden or Hunter Biden.

Q. Did those records correlate in some respects to the phone records you received from AT&T?

A. Yes. You could see in the records that the phone numbers that came back from AT&T were associated with various devices every time.

Q. Was there an iCloud account associated with the Apple records that Apple provided?

A. They didn’t provide at that time contents, so it was just subscriber records, but you can see in some of the records that there were iCloud like services, subscribed to.

Q. What is an iCloud service?

A. So iCloud is essentially a way to replicate your data across your devices, for those who have multiple devices, or as a way to back up your phone and get your — you can find your phone, you can get your information put back on your new phone, it’s essentially a remote server controlled by Apple where you can subscribe to and leave your data on a server.

Q. So as opposed to needing to physically plug it into something, there is a way to also upload it to the cloud?

A. Right. The service changed overtime, but essentially you can back up your devices to a cloud, and the other option is you can back up a device to a computer, any computer actually that uses iTunes in that case to back up a device on a mobile computer.

Q. So the subpoena did not provide content at that time, correct?

A. Correct.

Q. Did it provide an e-mail address or iCloud address for Mr. Biden?

A. Yes. So there were Apple ID’s, which are typically an e-mail address, sometimes it’s not an e-mail address, but you can use your e-mail address, your Apple ID, and there was some provided.

Q. What was one of those iCloud addresses?

A. [email protected].

Q. Did investigators ultimately obtain content from Mr. Biden’s iCloud account?

A. Yes.

Q. How did they do that?

A. They sought and obtained a search warrant from this court house actually for content for the iCloud account, [email protected].

Q. So a judge issued a search warrant for that information?

A. I believe that was August 29th of 2019 that warrant was issued.

Q. How did the investigators get the data?

A. Apple requested a hard drive for the data, so the investigators sent a clean or new hard drive to Apple, Apple provided the data, and sent it back to the investigators.

MR. HINES: Your Honor, may I approach the witness?

BY MR. HINES:

Q. Agent Jensen, I’m showing you what’s been marked as government’s Exhibit 15. Do you recognize that?

A. Yes.

Q. What is it?

A. This is the hard drive that was sent to Apple and then returned to the investigators with the search warrant returned.

MR. HINES: I move Exhibit 15 into evidence.

MR. LOWELL: No objection.

THE COURT: Thank you. It’s admitted. (Exhibit No. 15 was admitted into evidence.)

BY MR. HINES: Q. Can you please hold that up, Agent Jensen, for a moment? Did investigators ultimately review data from government’s Exhibit 15, that hard drive from Apple?

A. Yes.

Q. What kind of data did investigators derive from that hard drive?

A. There were e-mails that were obtained from the iCloud returned for iCloud back ups, so basically a back up for four different devices was recovered or extracted from the data.

Q. Did these back ups, these extractions have evidence of the defendant’s addiction on them?

A. Yes.

Q. Did that include evidence of addiction in the year 2018?

A. Yes.

Q. Are there two back up files that investigators utilized for evidence in this case?

A. Yes.

Q. What back up files were those?

A. So we named them Apple back up one, two, three and four. Three is a back up of an iPad pro. So that one was one that we used. The second one we used was Apple back up four, which was an iPhone SR.

Q. Were both of these devices registered to the defendant based on the Apple records?

A. Yes, so the extraction report that comes from these back ups show that there were information, including things like the phone number and MIMEI that associated these devices to Mr. Biden.

Q. Did you independently verify the Apple records to make sure they correlated with the AT&T phone records that we saw produced by AT&T?

A. Yes.

Q. Separately, did law enforcement also later obtain the defendant’s laptop and an external hard drive?

A. Yes.

Q. How did they come to receive it?

A. So in late 2019, the FBI received a tip that there was a laptop at a computer repair shop called the MAC Store, here in Wilmington, Delaware, that had been abandoned by its owner, and they ultimately obtained a subpoena and recovered the equipment from the computer store.

MR. HINES: May I approach, Your Honor?

THE COURT: You may. You may freely approach.

MR. HINES: Thank you, I appreciate that.

BY MR. HINES: Q. I’m showing you what has been marked as government’s Exhibit 16. Can you look at government’s Exhibit 16? What is government’s Exhibit 16, Agent Jensen?

A. This is a laptop that was recovered from the computer store.

Q. Did investigators ultimately extract data from that laptop?

A. Yes.

Q. How?

A. So they used forensics, FBI and other federal officials used forensic tools. Actually I think it was just the FBI that used forensic tools to extract data from the laptop.

Q. And was the FBI or law enforcement authorized to look in that laptop?

A. Yeah, so after the — after this laptop was received, the search warrant was obtained for data on the laptop.

Q. Ultimately in examining that laptop, were investigators able to confirm that it was Hunter Biden’s laptop?

A. Yes.

Q. How?

A. Among other things, there was a serial number that’s on the back of this laptop that matches the Apple subpoena records that they obtained in 2019, so it matches the registration of this particular device to the iCloud account at a particular date.

Q. And is that serial number FVFXC2MMHB29?

A. Yes.

Q. And that’s also in the Apple records, you said?

A. Yes.

Q. So from the data from the laptop and the hard drive, did you — what did you do next, or what did the FBI do next when assessing the addiction evidence?

A. So from the data that was extracted from both the iCloud back ups and this — the laptop, investigators were able to go through largely WhatsApp messages, iMessages, and text messages, and found evidence of addiction within the messages.

MR. HINES: Move for the admission of Exhibit 16 and 15 if I did not already, Your Honor.

MR. LOWELL: As we discussed, yes, we understand what that is, so we have that preliminarily, I have no objection.

THE COURT: Okay. It’s admitted. (Exhibit Nos. 15 and 16 were admitted into evidence.)

34 replies
  1. Patrick (G) says:

    The implication being that there being no record of Robert Hunter Biden buying this particular piece of hardware that was “abandoned” at the JPMI shop, it may instead be the receptacle of data harvested from other devices stolen from RHB, and potentially altered, because otherwise, why go through the trouble of recreating a laptop to look like a device that the son of a former VPOTUS (and future POTUS candidate) could have owned but actually didn’t?

  2. EuroTark says:

    I don’t think this has been brought up here before, but there is a publicly available database for known compromised accounts over at https://haveibeenpwned.com/

    I just checked the [email protected] address listed here (I know there are others that I don’t remember), and it comes up as compromised in three different breaches, with the earliest being 2019.

    • Jeff Landale says:

      Having your email account listed in a data breach doesn’t mean the email account was compromised, but likely that the email address was used to create an account at a company that was compromised.

      • EuroTark says:

        For each of the breaches they list what kind of account information was compromised. Hunter strikes me as the kind of guy who reuses passwords, so it’s not unlikely you could go account-surfing from the information in one of these breaches. These all post-date the “laptop”, but it’s not unlikely there are other compromises (or other compromised accounts).

  3. Xboxershorts says:

    Something that’s missing from all I’ve read about Hunter’s devices, and as a computer tech/IT person since 1981, I find it kind of troubling…that’s gonna be the hardware (MAC) address associated with each device that accessed either iTunes or the iCloud. Email addresses, usernames and passwords are all “fungible” in that anyone can enter that info from any device and even random network addresses. A MAC address tho, must be unique and it will follow the device. So, the only way to verify it was one of Hunter’s devices doing the accessing would be to match the hardware (MAC) address of the network port of each device to the iCloud/iTunes login. That address is recorded deep within the network that Apple operates.

    Is there any record of the MAC address from each device being associated to each login or is the prosecution relying solely upon logins and email addresses?

    • algebraist says:

      Fellow IT professional here. The one place it might be is in Apple’s GSX system (Global Services eXchange) which contains records of devices and their precise device spec down to serial and MAC addresses. That’d involve getting that information out of Apple Legal.

      Here’s the problem though. An authorised repair center has the ability to “re-serialize” a replacement logic board so that any replacement matches the serial number that’s printed on the device. That process should also update the records in GSX as part of the repair process. Those tools are Apple restricted and while I know about them, I have never personally seen them. So in this example, a logic board replacement would change that hardware MAC address (and also the hardware UUID which never changes) and thus potentially corrupt that information.

      I’ve no idea if the repair shop guy is an authorised repair center or not. I doubt he is. Anyway, the chain of custody is sufficiently screwed that any expert witness that Abbe Lowell cares to call could pull that apart.

      • P J Evans says:

        I keep going back to “chain of custody? what chain of custody?” with the prosecution’s attitude of “we don’t need to show you any chain of custody or any actual documents”.

        • Super Nintendo Chalmers says:

          Regarding the chain of custody, wasn’t it proven that certain computer files were created months after the FBI supposedly had custody of the devices?

      • Super Nintendo Chalmers says:

        AFAIK JPMI’s “Mac” Store was NOT an authorized Apple repair shop. Moreover, the name of his store was likely a trademark/copyright violation.

      • bmaz says:

        Yes, yes, you relentlessly claim to be an “IT Professional”. You clearly do not know jack about trial law though.

        • algebraist says:

          And thus I only comment on the technical IT matters.

          You should try it sometime vs your usual threadcrapping. You know, I would LOVE to see you act like this in court and see how long it takes before some judge rebukes the crap out of you.

      • zscoreUSA says:

        Is UUID the same thing as the 40 digit device identifiers from the warrants? And is there a reason that those device identifiers on the warrants don’t match the ones from Dimitrelos?

    • EuroTark says:

      You’re right that MAC addresses used to be unique, but following Snowden’s revelation that they were being used to track devices that changed. Apple was one of the first vendors to offer randomization of MAC for each network you connect to. MAC addresses would also only be visible on the same local network.

      • Xboxershorts says:

        Source MAC address always, ALWAYS follows the full path to the destination. It is recorded at the Ingress switch and stored in a table and is included in the frame header that is switched across every network it crosses, until it gets to the destination device. Network Switch records are almost never retained and usually don’t log MAC addresses of transit traffic, but the firewall will see that source MAC address and firewall records, on the other hand, are almost always retrieved and archived.

        If the laptop has had its MAC address altered, does MAC OS record the time/date and login that altered it? I am not a MAC person by any means, Cisco, Juniper, Palo Alto, *nix and Winblows were the bulk of my experience. So I must ask about MACos. And even if that MAC Address has been reprogrammed, it still must be unique on that network segment. It can’t be shared with any other device on that network (technically, it kinda can be but that’s black hat stuff and likely irrelevant here).

    • dopefish says:

      It’s not widely known, but hardware MAC addresses on computers can usually be changed. (unlike small devices such as USB network dongles). It’s not a good idea to ever change a computer’s MAC address, because if you put two devices with the same MAC on a network you will have very difficult-to-debug network problems.

      My point is just that a hardware MAC address can’t be relied on to prove it was “absolutely the same device”, if your adversary is a nation-state actor such as Russian intelligence.

      • Xboxershorts says:

        Yah, it’s why I ask if MACos records the who and when if the MAC address has been reprogrammed.

    • initial40forlorn says:

      Remarkable, the recent “counterfeit” iPhone replacement scam indictments are very instructive. Identity data used on illegally flashed counterfeit iPhones shipped to the US and returned to Apple Stores for fresh brand new iClones to run ops from…This on any “validity” to such weak providence of said evidence. Especially obvious, a political hit-job of this magnitude and duration seems to be all-source, packaged and delivered precisely for 2024 election fodder.
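The MAC address points raised in the thread above (per-network randomization, addresses that can be set in software) can be checked mechanically, because the IEEE 802 address format flags locally administered addresses with a bit in the first octet. This is an added example, not part of any comment or of the evidence discussed; the observation records, device labels and function names are constructed for illustration.

```python
import re
from collections import defaultdict


def parse_mac(text):
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-..., aabb.ccdd.eeff or bare hex; return 6 bytes."""
    digits = re.sub(r"[:.\-]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return bytes.fromhex(digits)


def fmt(mac):
    """Canonical lower-case colon form, so differently written copies compare equal."""
    return ":".join(f"{b:02x}" for b in mac)


def classify(mac):
    """Classify by the two low bits of the first octet (IEEE 802 I/G and U/L bits)."""
    if mac[0] & 0x01:
        return "group"      # multicast/broadcast: never a device's own source address
    if mac[0] & 0x02:
        return "local"      # locally administered: randomized or set in software
    return "universal"      # claims to be a vendor-assigned address (still only a claim)


def summarize(observations):
    """Group (device_label, mac_text) pairs by label and by address class."""
    report = defaultdict(lambda: {"universal": set(), "local": set(), "rejected": []})
    for label, text in observations:
        try:
            mac = parse_mac(text)
        except ValueError:
            report[label]["rejected"].append(text)
            continue
        kind = classify(mac)
        if kind == "group":
            report[label]["rejected"].append(text)
        else:
            report[label][kind].add(fmt(mac))
    return dict(report)


def shared_universal(observations):
    """Universal addresses seen under more than one label: cloned, spoofed or mislabeled."""
    seen = defaultdict(set)
    for label, text in observations:
        try:
            mac = parse_mac(text)
        except ValueError:
            continue
        if classify(mac) == "universal":
            seen[fmt(mac)].add(label)
    return {m: sorted(labels) for m, labels in seen.items() if len(labels) > 1}


# Constructed sample observations (hypothetical labels and addresses, not from any record).
OBSERVATIONS = [
    ("laptop-A", "00:11:22:33:44:55"),   # universal bit pattern
    ("laptop-A", "a6-5e-60-c1-02-9f"),   # U/L bit set: randomized or manually assigned
    ("phone-B", "0011.2233.4455"),       # same address as laptop-A, written differently
    ("phone-B", "01:00:5e:00:00:fb"),    # group address, not a device identity
    ("phone-B", "zz:11:22"),             # malformed
]

if __name__ == "__main__":
    for label, classes in summarize(OBSERVATIONS).items():
        print(label, classes)
    print("shared:", shared_universal(OBSERVATIONS))
```

A "local" result means the address identifies nothing about the hardware; a "universal" result only means the address has the form of a vendor-assigned one, not that the device reporting it is the one it was assigned to.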

  4. Fancy Chicken says:

    Let me preface by saying this might sound like tin foil talk, but hear me out-

    So the MacBook Pro entered into evidence has no receipt, no record from bank statements to show he purchased it. And it is the Mac allegedly brought to Mac Isaac.

    Could this be the laptop HB claims was stolen in Las Vegas in August of 2018 by Russian drug dealers and which he told a sex worker had “sensitive information”?

    I think it’s entirely possible that HB’s laptop truly was stolen in Las Vegas in August 2018, along with a phone or two before or after that time, because the computer found at Keith Ablow’s was purchased on August 31st 2018 making it a likely replacement for the one stolen.

    And what about the external drive Mac Isaac said was dropped off the next day? I’ve tried to look in past posts here and online, but I can’t find that the FBI “verified” it as belonging to HB. Has it been used to pull evidence from?

    Is it possible a hacked phone HB lost at some point and that stolen laptop could be the devices that largely manipulated HB’s digital life and from which a hard drive could be created and dropped off at Mac Isaac’s? Could that stolen laptop be the one now in the FBI’s possession?

    I have no doubt HB was being tailed for an opportunity to exploit and of course those devices would have been taken to Mac Isaac when he was in DE for plausible deniability.

    What data am I missing that proves this is a moonbat theory?

    This post was particularly helpful to reference-

    https://www.emptywheel.net/2024/02/05/hunter-bidens-delayed-email-access-on-the-jpmi-laptop/

    • emptywheel says:

      No. The Las Vegas device is understood to be an iPad, for starters. But this laptop never accessed Hunter’s account until October 2018.

      • zscoreUSA says:

        Even if I am wrong about the stolen device being an iPad, the laptop that would have been stolen in August 2018 was a 12 inch MacBook Retina, not a 13 inch MacBook Pro.

        It looks smaller and thinner and has fewer ports.

  5. Upisdown says:

    The prosecution has no witness who saw Hunter Biden doing drugs during that time period and have to rely on statements they purchased at Barnes & Noble. They have some emails off a laptop that are dated prior to the manufacture date of the laptop. The only person who can testify to Biden physically possessing the gun is the salesman who did not question Biden’s mental state at the time of the sale. The officer investigating the missing gun did not suspect Biden of using drugs. Biden’s daughter, one of the few witnesses who was in contact with Biden during the time period in question, testified that he acted cleaner than she had seen him for some time.

    To me that sounds like reasonable doubt unless the statute is intended to cover every gun owner who ever used drugs at some point before or after they possessed a firearm.

  6. scroogemcduck says:

    The defense has now rested and it looks from the news reporting, unless I’ve missed something, like there was no expert rebuttal of the reliability of the laptop.

    • John Paul Jones says:

      My understanding is that the judge severely limited Lowell’s ability to introduce such testimony, ostensibly to avoid confusing the jury over issues tangential to the crimes charged and to avoid a mini-trial-within-a-trial.

  7. zscoreUSA says:

    Did the FBI agent really testify that the phone was an “SR”? And if so does she say it was backed up to the iCloud? And is she saying the iPad had an associated phone number?

    I’m really confused here.

  8. Gern Blanston says:

    It wouldn’t be difficult at all to take a hard drive out of the laptop, alter the files, put it back in the laptop and sync it to iCloud.
