emptywheel Writes Letters: The FBI Extraction of the Hunter Biden Hard Drive Is 62% Bigger than the Laptop
As I did in January, I’ve written a letter asking Judge Maryellen Noreika to liberate two documents, the more interesting of which are the forensic reports FBI did of the Hunter Biden laptop and the hard drive John Paul Mac Isaac made of the laptop. (Yes, I know it has my personal information.)
In a key passage explaining the significance of the two forensic reports, I noted that the extraction of the hard drive that purports to be a copy of the laptop is 62% bigger than extraction of the laptop itself.
In the motion in limine in support (“MIL”) of introducing those communications via summary report (DE 120), SCO relied on the expert certification of Michael Waski, a Senior Digital Forensic Examiner who, as a Forensic Analyst, was involved in exploiting the laptop in 2019. Accompanying the MIL, SCO provided Mr. Waski’s certification, which in turn incorporates by reference his expert Disclosure. (DE 120-2) The only reasons given why SCO did not docket expert Disclosures themselves were, “because those documents are voluminous and because the defendant agrees these files are self-authenticating.” Nevertheless, Mr. Waski’s certification describes his Disclosure as, “attached hereto.”
Mr. Waski’s certification, as docketed, does not by itself certify that the laptop was among the devices extracted. While the MIL describes that Mr. Waski’s certification pertains to, “two backup files from laptop and hard drive” (DE 120 at 3), Mr. Waski’s certification itself mentions neither. Instead, it references a “Digital Forensics Report and [an] Extraction Report,” singular. Compare Robert Gearhart’s certification at DE 120-1, which lists the four iCloud backups described in the MIL, “Apple Backup 1, Apple Backup 2, Apple Backup 3, Apple Backup 4,” which in turn match the warrant. (20-mj-165 DE 3 at 2) To confirm that Mr. Waski’s certification pertains to the laptop and hard drive incorporated into the summary and described in the warrant (19-mj-309 DE 3) requires inspecting the Disclosure.
Beyond that issue of completeness, Mr. Waski’s Disclosure holds additional significant public interest: (1) it would reaffirm the integrity of these proceedings, (2) it might address concerns raised in two separate Congressional investigations incorporating Mr. Biden’s devices (3) it would provide insight into derivative hard drives that have been the subject of controversy for years.
Some background explains why. The FBI obtained the two devices referenced in the MIL from computer repairman John Paul Mac Isaac. (19-mj-309 DE 3) One device, introduced into evidence as GTX16, is a MacBook Pro. The other device, a Western Digital hard drive, purports to be a copy that Mr. Mac Isaac made of the laptop; that copy is, in turn, the source of a number of other hard drives disseminated publicly, including to Congress, since 2020.
Because the hard drive purports to be a copy of the laptop, the content on those devices should substantially match. Yet the MIL suggests it may not. According to SCO, the “backup file” of the laptop (the original source) consists of 4,198 pages (DE 120 at 5). The “backup file” of the hard drive derived from the laptop (the purported copy) consists of 6,801 pages (Id.). In other words, the extracted copy made of the laptop is 62% larger, measured in pages, than the extracted original source. SCO’s office provided no response to an inquiry regarding the significant size difference in these backup files. [my emphasis]
Judge Noreika has asked the two sides to weigh in on these requests by end of day.
ORAL ORDER re Letter ( 247 ): IT IS HEREBY ORDERED that, by the close of business today, the parties shall provide the Court with their respective positions on the request for the unsealing of the two documents referenced in the letter. ORDERED by Judge Maryellen Noreika on 7/17/2024. (mdb) (Entered: 07/17/2024)
It is part of the slime oozing out of rockpiles theme. It is also a significant indication of the additions that probably came from the Russians, and frankly all evidence that touched the ‘laptop’ should be tossed.
And then, HB should file an appeal about SC Weiss being illegally installed. Goose, gander…
I am going to probably get moderated, but the maybe it’s the “red slime oozing out of Trump’s ear” theme. Can’t wait to hear about how it affected him after the next debate.
I think perhaps you missed the obvious Frank Zappa reference.
Possibly dumb question – Backups are typically compressed. Could the copy be simply an uncompressed version? An uncompressed copy could definitely be checked against a compressed original.
Also, what does it mean to measure in “pages”?
marcy’s twitter reply to someone asking the pages question: “No hash possible bc JPMI copied via drag and drop. So you’d want the # of files to match. But they did no index of the laptop. And I don’t believe the hard drive claims to copy the entire laptop, it being a purported drag and drop.”
Measured in “pages”, the discrepancy _could_ be formatting, so it’s possible there’s a reasonable explanation for this. The response should be interesting.
Absolutely possible there’s a sound explanation.
As I noted in the letter, I asked Weiss if they had one.
They didn’t respond. So now I want the report.
Well, I wanted the report anyway. But I want it more now.
The measure of backups in page number is a dumb way to do it anyway. But it may stem from some problems they had extracting the laptop.
Indeed. “Pages” is a measure of document size when printed. It’s not how file sizes are measured on computers.
I was expecting to see some measurement in terms of megabytes. If we had that, we could theorize that a compression algorithm would reduce the file sizes. Of course, the easiest way to test whether a file could be compressed by 1/3rd would be to just compress it and see what you get. Image files typically can be compressed a lot. Text files? Not as much.
Regardless, if “pages” is the measure cited, I’m puzzled why the page number would _increase_ after the files were copied from “Hunter’s laptop”. (I still maintain that there isn’t really any proof that the computer the blind repair shop guy received ever belong to HB himself – that it had his personal files on it means squat when it comes to hardware ownership.)
And text can be compressed *much* more than images, as anyone who has compressed files knows. (I have backup files that are about 20% the size of the original.)
Reply to WhispersRDsays: “Of course, the easiest way to test whether a file could be compressed by 1/3rd would be to just compress it and see what you get. Image files typically can be compressed a lot. Text files? Not as much.”
Actually it’s usually the other way around, but it depends a lot on the image format. Most modern image formats come with built-in compression, and trying to compress them further can actually increase the size. Most compression algorithms can be divided into two groups: Trying to use a formula to describe the pattern, or using a more efficient encoding. IE, most text files only use about 50-70 or so of the 256 signs that can be embedded in a byte. There are some clever algorithms that use bitwise encoding, assigning shorter bitcycles to the most frequently used signs.
256 characters? Sorry. Nobody has used ASCII even in a simple editor for more than a decade. Think Unicode and more like 64,000 characters. The principle is probably the same, but you’re wildly out of date!
This was a copy, different than backup. Backup compression (assuming done w/a backup managing software) is (or used to be last time I did it about 10 yrs ago) simply an option.
Copy will write to media receiving the copy exactly as target drive had it written. Few people use compression in a working drive. Encryption yes, but not compression.
This was 1st I heard of Isaac copying w/drag & drop. Pretty amateurish for someone running a Mac repair shop. Standard fare in any professional shop is software that does bit by bit copy. Takes a little longer (usually, but not always), but its almost bullet proof. FWIW we used these guys products, top shelf and superb support.
I’m at a loss as to what “page(s)” even means. It has several entirely distinct meanings wrt HD, depending on context.
I just do not recall the names of gov “experts” (cough) whose description of their HB computer/drive “analysis” (cough cough) you (Marcy) wrote about +/- 6-8 months ago. What I do remember is those “experts” didn’t know what they were talking about.
This (eg everything to do with HD’s) was not my specific expertise. I had a shop writing custom biz software. But we had professional grade tools to do all this stuff and more simply as a service to our customers. We knew what we were doing. I do not recall if Waski was one of the rubes you wrote about back then. His name doesn’t sound familiar. I do remember clearly when you were writing about this stuff that the FBI forensic team did not, to me, seem malfeasant but rather grossly incompetent. It was almost embarasing.
This stuff is just not that hard to do with a few software tools that cost in total a few 100 $
I may have described it wrong.
Here are two passages where he explains it:
I’m pretty sure the explanation doesn’t match up too closely with what actually happened, but doing a manual drag-and-drop is the only way they can explain why he started looking at files with interesting filenames. Even a drag-and-drop copy would probably have been done on a folder/directory level, where files weren’t apparent.
Responding to Eurotark:
Precisely. THe story he tells has to entail drag and drop of individual files to excuse snooping.
So the drive was 256GB, 85% full, and had about 300GB of data on it. Hmm…
Or do the two paragraphs refer to two different machines?
Hi Marcy.
I assume those 2 paragraphs are Isaac? If so…
– description in first one sounds like a “bit by bit” copy. That’s ok. The FWIW I linked to had excellent software to do this professionally. There are many other very good vendors.
– 2nd paragraph to me is just plain weird. If the battery is low. then plug in the charger. (sheesh) Knowing volume (eg. xxx.xx gb) being copied, one should make sure destination drive has the capacity. He’s saying destination drive was about 2/3 short. I mean, its almost comical. I doubt Isaac is/was really that stupid.
Something just doesn’t add up there. If a light comes on for me as to what that is, I’ll chime in. Having read here when you were dealing with all that, I’m suspicious of Isaac. Nevertheless, him playing stupid there to me, is suspicious. There’s something he doesn’t want to say explicitly.
Ithaqua0
Nope, that is a pretty glaring discrepancy!
Of course that’s only a 17% discrepancy.
One more thing about the 2nd paragraph. I don’t remember details about that “liquid-damaged” MacBook. Reading that again, seems to me maybe that machine died? Seems I remember something to that effect.
If so, it’s a simple matter to remove the drive and copy it that way. Also, he sounds exasperated at lost time because of interrupted copy. Sure, it takes a while to copy a couple gb’s +, but nothing like an eternity. Off top of my head, I’d guess 4-5 hours.
So unless he was in a big hurry for some reason, and this was the only job he had going, an extra few hours is not a big thing.
Ithaqua0says @ July 17, 2024 at 2:19 pm
Reads that way to me.
Is there a reason it couldn’t be plugged in for the cloning operation? It’s not reasonable to expect a battery to run all night, is it?
Further,
Cloning and “drag and drop” are two distinct and seperate procedures though I don’t recall the exact details. If I’m not mistaken, “drag and drop” copies one file at a time, searching the source drive for all the associated fragments and then writing the file to the target drive, where ever it can sqeeze in, refragmenting it in the process and creating further meta data.
A bit for bit clone of the source disk would create one giant file on the target disk which is not readable by the operating system without intervening software.
I just read those 2 paragraphs again. I think I was wrong about 2 different machines. 2nd paragraph was morning after he began the copy night before. Unless he changed strategy overnight (eg. from block by block > drag and drop), seems to me his use of “simple drag and drop operation” was just real sloppy language. I can’t say for sure, but I think he meant he was going to re-run the copying (block by block) software.
Copy that volume of data by drag and drop would take forever, and there’s no stated reason why he would have abandoned the copying software and manually drag and drop. Maybe if he was just copying selected files, but I don’t see that he said that. He said he wanted to clone the drive.
Only other thing I’d add: since clone failed when source machine battery died, it would be almost impossible to resume copy with his software *exactly* where it stopped. I still don’t see where “pages” had anything to do with anything.
Apologies for my mis-take earlier. The 2nd paragraph and “morning after” reference to “liquid damaged machine” is a little ambiguous IMO. It could be different machine, but I think probably not. The ambiguity is in his language, its not a tech thing.
I think now, just more sloppy language on Isaac’s part. He just rounded up.
Mac OS 10 runs on top of UNIX, which means both files and configuration data are in the same folder, which is probably
/home/hunter. If that’s the only data being saved someone might drag and drop, but I’d sure hope not!
Troutwaxersays @ July 17, 2024 at 5:49 pm
Techie clarification. What is now Mac OS was developed by Steve Jobs company: Next (hardware) and NextStep (development software and OS) which he undertook after being exiled from Apple by the Pepsi guy. The OS was build on open source BSD operating system, often referred to as Open Source Unix. NextStep significantly improved BSD, many thought he made into best OS in the world. NextStep “wrapped” all the BSD code, taking it from procedural (eg. if one line of code breaks, it can take the system down) to Objects. So every function in the operating system they retained was an individual entity. If code in a given object failed, the object can shut down or recover gracefully w/out bringing down the whole thing.
So there’s no separation between Apple OS and Unix. It’s one thing.
Apple bought it from Next after Pepsi guy almost ran the company into the ground, and Jobs came back to save the day. He was quite a guy, I’m huge admirer. Wikipedia has a good writeup on Next.
A good forensic approach would have been to do a clone block copy of the offline drive before touching the drive in any other way. For some reason they were in a hurry to look at files why?
I don’t know a soul who attempts that sort of data transfer without plugging it in. Surely a repair person had power cables on hand.
rvhisheresays @ July 17, 2024 at 3:26 pm
Stupidity is the only one. This is not a techi thing btw. Most folks who’ve used a laptop for a while came to a moment battery was dead, they plugged in charger, and went back to work. Especially for a tech guy like Isaac, this is a no-brainer.
Not a Mac user but I had an old laptop that used the same port for charging and data transfer. I ran into the same problem when it started to die and I wanted to get my files off of it. I had to copy a few files at a time then recharge the laptop and repeat.
There’s more background here: https://www.emptywheel.net/2023/12/17/john-paul-mac-isaacs-serial-inaccuracies-and-the-ablow-laptop/
In the comments, there’s also another discussion of “JPMI claims to have copied the files in the manner he did — by dragging-and-dropping files — is because he didn’t have ports to plug both a keyboard, power, and a cable to his own server” (e.g., Dave_MB: “It beggars belief that JPMI didn’t have a USB hub where he could plug a power source, keyboard and connection to another computer”).
Thanks for digging up that post.
Isaac said as you describe, reasons he had to drag and drop.
But from what Marcy posted today in this article, he *did* begin “bit wise” clone on a liquid damaged machine. EG. with cIoning software, not drag ‘n drop. don’t know how to resolve this with info available. I’m wondering if there was more than 1 “liquid damaged” machine.
Post you linked also mentioned Isaac didn’t record serial numbers for any machines. So…
I don’t have Isaac’s book, so can’t read all this in sequence. Right now, and after re-reading post you linked from last December & comments several times, seems there were multiple “liquid damaged” Macs. Not clear to me at all which one was referenced in Marcy’s 2nd paragraph above. But it sure reads like he copied from multiple laptops using different means: copy/paste and bit wise (block).
Reply to Troutwaxersays:
Not even close i’m afraid. macOS user folders are in the /Users folder. Configuration data for apps are sometimes in /Users/username/Library/Preferences folder … but can also be a system wide preference in /Library/Preferences.
(it’s more complicated with the sandbox container folders but I can’t remember offhand the version of the OS on Hunter’s laptop).
Now, it sounds like Carbon Copy Cloner was attempted to be used here. There’s only two macOS utilities that can do what’s described. And as for the copy + paste stuff, that is also very possible if 1) the laptop is not booted from the installed OS, but from external media (hence using CCC) and 2) the disk is not encrypted / the person with the laptop has the password for it.
So copy + paste is indeed very tech plausible here.
If it was a physical drive and not bonded to the motherboard, the drive should have been removed from the device and cloned with a duping box. That assumes that File Vault encryption wasn’t setup for the drive/laptop though.
Very interesting. This is the analysis that should have been done years ago – I can hardly wait to hear someone try to reconcile these differences. However, with Hunter’s conviction on the gun charges, the frothy right has moved on to the latest irrelevant, bogus story – like Ashley Biden’s diary or the audio of Joe Biden’s testimony to Robert Hur.
Thank you.
Fingers crossed on getting the Waski disclosures. That would be awesome.
Was the other FBI agent with a disclosure, Gearhart, not of interest?
Also, your filing mentions Gearhart describing Apple Backup 1, Apple Backup 2, Apple Backup 3, Apple Backup 4, which match the 2020 warrant. How do we know it matches the warrant? Or I’m just confused and bogged down by details.
Barring any major errors on my part:
July 2020 warrant:
iPhone X ending in f68f
iPhone 6s ending in 9a70
iPad Pro ending in 8db4
iPhone XR ending in a323
The 2023 warrant adds the following
Apple Backup 1= iPhone X ending in f68f
Apple Backup 2= iPhone 6s ending in 9a70
Apple Backup 4= iPad Pro ending in 8db4
Apple Backup 11= iPhone XR ending in a323
Agent Jensen’s testimony has the following:
Apple Backup 3 = iPad Pro
Apple Backup 4 = “iPhone SR” [I think she means XR]
I’m doing my best to follow and keep score. I double checked, unless I mixed something up, I believe the trial exhibits have a different backup numbering scheme than the warrants.
The IRS disclosures by Ziegler/Shapley I think match the warrants.
I’ve been looking closely at the trial summary exhibits and data from the laptop and noticed a couple things on Exhibit 18 and 125 that I didn’t initially notice.
I really don’t expect the Gearhart ones to be interesting, because they are straight validation of content from Apple. It would take a lot more to get the actual content, but without the laptop there’d be no case to make for it.
What have you noticed in the trial exhibits?
I was genuinely giddy when I saw your letter pop up on the docket this morning. Hopefully provides valuable information like with the warrants.
Observations from Govt exhibits 18 and 125A, that hopefully add value to following this topic:
1) Rows 164-166 11/21/18: I don’t know how important these texts were to prosecution case or if brought up in testimony. But if somehow Zoe viewed, in testimony prep or immunity negotiations, would have likely caused her to remember how upset and hurt she was by Hunter. ie if there was any hesitation on her part to cooperate with prosecution, viewing these messages would tip her towards cooperating. Or maybe my imagination is running wild that sort of thing only happens in movies.
2) Row 213, 12/29/18, the video of crack on a scale: sent by Hunter to D Yeller with a DC area code, which is Hunter’s own phone number, which I call Hunter’s DC Bat Phone. The woman using that phone number during that time period is from Delaware and has her own Delaware phone number that appears elsewhere in text messages. Did prosecutors try to get her to cooperate and she wouldn’t?
3) Row 289, 3/7/19, text “no” to a Delaware number: this message only one in set to that number; this is Hunter’s friend who assisted with the cell placed in Hallie’s car. According to Marco Polo, they allege helped Hunter procure drugs. So why is this singular text in the chart? Did prosecution try to get her to testify and she declined? Did they include whole conversations with this number originally included in the chart then changed their mind and accidentally left that random message?
4) On GTX 125A, Rows 1-23, sourced to Laptop Messages: these messages involving drug purchases at a 7/11 a day or 2 before the gun purchase were important to conviction so why were they not included in original GTX 18? Were they sent on a device owned by Hunter that the prosecution for some reason didn’t want to bring up? Such as the LA Number? Or the DC Bat Phone? And on the laptop, that conversation has a contact name which is just the letter “q”. So why did the chart only list the number and not include the contact name? Haste because Hines asked Jensen to put together that supplemental chart over the weekend?
I double checked on the Marco Polo Report about item 2 above and noticed something interesting.
On page 303 they have that image of crack on a scale reading 20.7 from 12/28/18 (not 12/29/18) and they list that Delaware woman’s phone number as her normal Delaware phone number, not Hunter’s DC secret phone number that he let her borrow, which the prosecution shows in GTX 18.
They show the image saved as IMG_0193.mov, next to an image with a MacBook Pro that is same model as Mac Isaac laptop saved as IMG_0195.mov. I’m not sure what devices have that naming convention or if it indicates age of the device.
The Marco Polo interestingly suggests that there is a misdemeanor Delaware prostitution crime being committed.
But I don’t see evidence of prostitution. This is really interesting here, and may seem like a really minor point.
But I don’t see evidence she is a prostitute. Recording sex videos is not evidence of being a prostitute. The August 2021 Daily Mail article about the device stolen by a Russian drug dealer refers to her as a “hooker” and a “prostitute” without providing evidence that is an accurate description.
Tore Says later comes along and refers to her as Hunter’s “prime hooker” while describing an elaborate scenario where she claims to have been communicating with prostitutes in real time to task them with getting Hunter to abandon his laptops at a repair place. If the reference to this particular woman as a prostitute is false, then that is evidence Tore’s tale is false and suggests that a reason Rudy brought her in as part of a crew to analyze the laptop was to come up with a cover story to explain why Hunter would abandon a laptop.
Crazy.
Correction, mistake on my part.
The 2023 warrant says about the 6s:
Apple Backup 3 = iPhone 6s ending in 9a70
Backup 3, not Backup 2 on the warrant.
Joseph Ziegler’s recent Affidavit 8, dated 3/12/24 lists the 6s as “Backup 02 / Backup 03” and the iPad Pro as “Backup 04 / iPad”.
Why didn’t Lowell do more with this discrepancy? There are some weird details that don’t line up and indications that the FBI didn’t follow procedure and failed to properly document certain steps in order to get evidence in the official record despite gaps in their records.
Judge Noreika’s discretionary rulings favored the prosecution but nothing horrible (like the young Aileen in the documents case favoring the defendant). Her background with a Master’s in biology and 25 years of patent law in biotech and computer science puts her in the top 1% of all attorneys and judges in terms of technical knowledge, so I can’t see this situation as an “I don’t know how the Interwebs work” situation where Weiss bamboozled her.
So, was she just smart about hiding her thumb on the scale (better than young Aileen in Florida) or is something else going on?
One of the issues here might be Apple’s APFS file system – released with MacOS 10.13 on 25 Sep 2017.
Wikipedia article
It has a number of ways of handling files that obscure their “real” sizes. In particular, a copied file comprises only pointers to the original but, if the copy is modified, its stored size increases according only to the changes.
A copy moved to a new disk will regain the full size.
There be dragons and the weeds are thick and deep, but if you must, Howard Oakley provides some waymarks:
Sparse files in APFS
Finder can’t work out file sizes
Finder file size accuracy
Extremely useful. Thanks.
Yep, it’s a CoW (Copy on Write) filesystem. I can duplicate the same file 50 times, but it doesn’t take 50 times the space until you alter all of them individually in some way.
And that is how you can theoretically have 300Gb+ on a 85% used 256Gb drive.
Oh, thanks for that. It had been nagging me.
Only peripherally related: Guo convicted in 9 of 12 counts. No mention of the Hunter Biden disinformation he engendered, though. But, besides Bannon, I was unaware of the interactions Guo had with multiple members of Trump’s administration or campaign as listed below:
“Guo and his companies also paid or employed other prominent MAGA figures, including Trump adviser Jason Miller, Rudy Giuliani, former White House aide Peter Navarro, Trump national security adviser Michael Flynn, Turning Point USA chief Charlie Kirk, and Trump campaign spokesperson Karoline Leavitt. Guo supporters are surely hoping those relationships, should Trump return to the White House next year, could help Guo secure a pardon or commutation.”
https://www.motherjones.com/politics/2024/07/miles-guo-wengui-verdict-guilty/
“MAGA Mogul Guo Wengui Found Guilty in Massive Fraud Case”
I am always floored about how much technical knowledge
is shared and discussed on these comment threads!
When I want to learn something, I just pull the string tighter and cup the can more closely to my ear. /s
:-) <3
Works for me! ;-))
I’ve actually cloned several apple drives (both APFS and HFS+). A 256GB apple SSD, cloned to an external SATA SSD, using an adapter to usb, from my recollection takes under 1.5 hrs. If a mechanical spinner drive is used as the cloned-to drive it would take considerably longer. A ‘clone’ is an exact, bit-for-bit copy of the cloned drive–right down to the UUID of the cloned drive. The clone cannot be booted on the original computer with the cloned drive installed, because the firmware cannot distinguish between the drives. One of the two must be disconnected in order to boot. One thing — the cloned-to drive must be the same size or larger than the cloned drive — there is no file compression involved in cloning (although compressed files on the cloned drive will be cloned as compressed files, too).
I always wondered about the FBI buying an identical macbook pro. If the reason was ever explained, I don’t remember what it was, but I would want to remove the SSD from Hunter’s non-functional macbook and install it into a working one to see if the drive would boot.
I thought you did that last December. :)
https://www.emptywheel.net/2023/12/17/john-paul-mac-isaacs-serial-inaccuracies-and-the-ablow-laptop/#comment-1029063
There are companies that specialize in replacing soldered components on macs, including drives. They can make most repairs to fried macbook motherboards. Nothing that I’ve read says what the FBI was actually going to do (or actually did) with that bought macbook. I’d like to know and not have to speculate.
APFS has overloaded the term “clone”. In addition to the bit by bit copy you mention, it is also used to refer to files comprising pointers to the data bit stream for the original file.
I had to have that done with a 1TB PC hard drive where the internal connector went bad. I took it in, bought an external HD, and had the old drive cloned.
It took many hours.
“Absolutely possible there’s a sound explanation.”
The number of pages!! To me— this was the best part of the letter. Something that the eggheads around here (no offense) and elsewhere would debunk and dispute based on their learned years of compiling files and such. And yet it hits hard and sticks— 62% more!!!!— emulating the style of Trump himself.
Truly insightful and, IMO brilliant
Frankly if anyone had been the least bit competent, as soon as the laptops came into possession of the feds they immediately should have 1) contacted Apple via the recognised law enforcement contacts for the iOS cloud backups and then 2) immediately ran forensics backup software such as Axiom 3 to make a searchable image.
As far as I can tell, none of this happened. How this is credible as evidence is still beyond me.
Most intelligent comments section in the Intarweb right here.
Doesn’t matter what the subject is, the amount of shared knowledge here is a gift.
Thanks to you all.
I went to bed last night with this stuff on my mind. Apologies if I contributed to diversion from what you’re trying to do. Which is, as I understand it, your effort with that letter to shake hard on the tree where Weiss, FBI people involved and anyone else who was involved in this HB laptop(s) saga, hoping some more revealing facts fall out which more clearly identify just how this whole HB smear really happened. The public deserves to know.
So as far as the court/judge is concerned, if they grant your request and answer the other questions you said you want to ask more now…
Fact remains the “pages” and copy/paste vs bit wise copy was their language. Presented with discrepancies you’ve identified, let them explain all this. That could get interesting because (at least IMO) so much of what their experts have aid sounds questionable at best. If things get to that point, then maybe some techies among us can identify veracity of what they have to say w/degrees of certainty. And do so to squeeze hard on their veracity, rather than educate your commenters on finer tech intracies nobody else really gives a shit about. :)
I’ll ask some questions over the weekend on Apple tech forums and see what those folks have to say. After-reading and re-reading those 2 paragraphs you posted, the 300 gb of data on a 265 gb drive looks to me like very sloppy, and poorly proof read “stuff”. Yes it is suspicious, but to me seems likely just very sloppy writing.
Since he said destination drive (eg. copy to drive) was on his server, it would be helpful to know what OS he was running on that thing. I guess he ran an Apple OS (since he was running an Apple products shop), but Linux would do the job. If it was IOS, useful to know if he was running a version before Apple started using their APFS file system. If so, that would eliminate APFS Sparse file writing feature (thank you canajan-eh_I) which could be responsible for volume of copied files exceeding that of the same files on the MacBook.
If post AFPS, could be the culprit right there.
FWIW, I went by Genius Bar @ our Apple Store in Albuquerque. I specifically asked if there was any measure of volume on a HD in units called: Page(s). Got a definitive no.
mtwheel–thanks for providing a copy of your letter to Judge Noreika. very interesting