In Bid to Withhold Laptop and Hard Drive Forensic Reports, Derek Hines Misstates Hunter Biden’s View on Authenticity of Data on Laptop
As I noted in this post, I wrote a letter to Judge Maryellen Noreika asking her to release several documents, the more interesting of which are the forensic reports on the laptop attributed to Hunter Biden and the hard drive with John Paul Mac Isaac’s purported copy of the laptop.
Abbe Lowell had no problem with the release of the forensic reports.
Mr. Biden has no objection to the release of either item requested by the journalist—the motion for miscellaneous relief at DE 167 and/or the expert disclosure of Michael Waski at DE 120-2.
Derek Hines did. He said that because he never filed the forensic reports, they are not judicial records before Judge Noreika.
However, his disclosure was never filed with the Court because the defendant agreed that the information derived from his laptop was authentic. Therefore, the expert disclosure was not included as an exhibit for ECF 120 because the certification itself sufficiently supported the motion. Moreover, since there was no dispute about the authenticity of the information derived from the defendant’s laptop, the government did not call Mr. Waski as an expert witness at trial. Accordingly, the expert disclosure is not a judicial record and is not a record before this Court that the Court could unseal.
There are several problems with this response.
First, as I wrote in my letter, nothing in the certification mentioned the laptop or hard drive it certified.
Mr. Waski’s certification, as docketed, does not by itself certify that the laptop was among the devices extracted. While the MIL describes that Mr. Waski’s certification pertains to, “two backup files from laptop and hard drive” (DE 120 at 3), Mr. Waski’s certification itself mentions neither. Instead, it references a “Digital Forensics Report and [an] Extraction Report,” singular. Compare Robert Gearhart’s certification at DE 120-1, which lists the four iCloud backups described in the MIL, “Apple Backup 1, Apple Backup 2, Apple Backup 3, Apple Backup 4,” which in turn match the warrant. (20-mj-165 DE 3 at 2) To confirm that Mr. Waski’s certification pertains to the laptop and hard drive incorporated into the summary and described in the warrant (19-mj-309 DE 3) requires inspecting the Disclosure.
There is no way the public — or Judge Noreika herself — can be certain that the “Digital Forensics Report and Extraction Report,” singular, mentioned in the certification describes the forensics of both (or either!) the laptop and the hard drive. We need to see the description of that report in the Disclosure itself.
The certification relies on the Disclosure to even identify what it is certifying.
More importantly, Hines blatantly misstates Hunter Biden’s view on the authenticity of the data on the laptop. In Abbe Lowell’s response to Hines’ motion to bypass any expert witness, he specifically debunked that claim.
Defense counsel has numerous reasons to believe the data had been altered and compromised before investigators obtained the electronic material from Apple Inc. and The Mac Shop, such that the Special Counsel’s claim that the underlying data is “authentic” (id. at 4) and accurately reflects “defendant’s Apple Macbook Pro and [] hard drive” (id. at 2) is mistaken.
Mr. Biden’s counsel told the Special Counsel on May 10, 2024 it agrees not to challenge the authenticity of the electronic data the Special Counsel intends to use with respect to it being what law enforcement received on December 9, 2019 from John Paul Mac Isaac (owner of The Mac Shop), and from Apple on August 29, 2019 and in a follow-up search on July 10, 2020. (Mot. at n.3.) However, Mr. Biden cannot agree this electronic data is “authentic” as to being his data as he used and stored it prior to Mac Issac obtaining it.
He pointedly did not agree that the data derived from the laptop (and hard drive, which I suspect has more irregularities) was “authentic” as to being his own data.
One reason I’m interested in the hard drive is because Hines himself revealed that the “backup” of it is 62% bigger than the laptop of which it purports to be a copy. Understanding why that is so might go a long way to explain anything John Paul Mac Isaac did with Hunter Biden’s data.
As I noted in my letter to Judge Noreika, Congressman Dan Bishop suggested in a deposition on the laptop last year that if the FBI, “has conducted a forensic investigation and has suppressed the results,” people shouldn’t defer to the FBI. This was an opportunity for the FBI to show it’s work.
It — or at least, David Weiss — doesn’t want to.
Update: Corrected misspelling of Hines’ last name. My apologies to him.
Update: Judge Noreika has now docketed my reply. Among other things, I noted that the creation date for the PDF of Waski’s certification post-dates the day when it was sent to Hunter Biden’s team on April 24.
The other certification is dated April 23.
Update: Judge Noreika has, unsurprisingly, granted the request to docket the Hallie Biden related filing, but denied the Disclosure on the laptop and hard drive.
ORAL ORDER re: D.I. [247], IT IS HEREBY ORDERED that the Sealed Motion (DI [167]) is hereby unsealed. The expert disclosure of Michael Waski is not part of the record of this case or in the Courts possession. IT IS HEREBY FURTHER ORDERED that the Court will not address further informal requests made by letter rather than appropriate motion. Ordered by Judge Maryellen Noreika on 7/18/2024. (as)
Apple’s APFS file system (introduced in 2017) could contribute to the size issue. A copied file on the original drive comprises only pointers to the original but, if the copy is modified, its stored size increases according only to the changes. This applies even if the file name is changed. A copy moved to a new disk will regain the full size.
Some Iinks to this rabbit hole are in a post by me on the previous article “Empty Wheel writes letters: …” on July 17, 2024 3:12
I’ve been trying to figure out a technical explanation for this also and my first guess of something like block level deduplication is not supported by stock Mac OS so that is right out.
Something like the Mac OS “TimeMachine” feature which stores different versions of documents could be at play? It is hard to say, a bit for bit copy would not inflate the numbers, but a drag and drop would if it brings the other copies along with it. I’ve been researching to find answers to rule this explanation in or out, would love for someone with more technical Mac knowledge to weigh in.
I’m not sure why different versions would be stored that way. changes, maybe, but only if you set it to track changes.
(I have software that adds the date to backups, but it can overwrite on the same day.)
I think canajan-eh_I’s post & links are honing in on the discrepancy of source/destination file size Marcy’s chasing down. I haven’t had a MAC in 10+ years, a lot has changed. As explained in canajan-eh_I’s links, the new file system can/does expand size of some files significantly. It’s entirely a function of the filesystem: user and/or app writing file to disk have nothing to do with it.
I do Linux work these days. There’s several excellent journaling filesystems in use now, that can handle catastrophic data loss recovery fast and gracefully. They can produce this same thing, eg destination files larger then source. At least one of these adds the extra volume (size) externally of the files. All those filesystems have different design and approach.
This stuff is above my pay grade on Mac(s) now. Mastering how this works on a given filesystem is a (at least to me) fascinating task, but decidedly non-trivial. I’m interested to see what the Mac guys who’ve shown up here before have to say about this.
anajan-eh_I’s links here:
https://www.emptywheel.net/2024/07/17/emptywheel-writes-letters-the-fbi-extraction-of-the-hunter-biden-hard-drive-is-62-bigger-than-the-laptop/#comment-1061127
Thanks, but the size discrepancy could simply be the use of the bizarre and flexible unit “printer pages”. Already mentioned elsewhere e.g. https://www.emptywheel.net/2024/07/17/emptywheel-writes-letters-the-fbi-extraction-of-the-hunter-biden-hard-drive-is-62-bigger-than-the-laptop/#comment-1061091
Yes. Data should be measured in the total number of bits: bytes, kilobytes, megabytes, etc. “Pages” is how documents are measured. To see this in action find a large block of text and copy enough of that text to fill one page of an MS Word document at font size 10. It will print as one page.
Now expand all the letters in that document to font size 40. It will print as several pages.
Canajan-eh_Isays @
July 17, 2024 at 8:54 pm
I’m thinking somebody should take this to the APPLE tech forums. There’s people there who know this stuff inside out. Take the uncertainty out of it.
The fact that the two sizes are measured in “pages” makes me think we are not dealing with actual files and file sizes, but with the output of some extraction tool that rips through and produces a big pdf of all the media it can find, with associated metadata—a post-processed view of a hard drive that is suitable for docketing.
If that’s true, the discrepancy could be as simple as different tool settings. Or the latter report includes cracking open the iCloud backup and scanning it, whereas the first report skipped it as unreadable.
I’m at a loss to understand why defense counsel or the judge would allow in so-called certifications of report(s) or data – without also seeing the underlying work product. As I think you argue, the prosecution would have to at least incorporate that underlying work by reference. It’s a big red flag waving in a stiff breeze.
I suppose the defense might treat it as a hole it could drive a truck through, in closing or on appeal. But it’s a thin hope, if judges ignore the potential for error.
Lowell did get expert notice on April 24.
I have … questions, which I’ll withhold until I figure out whether Noreika will let me respond.
I hope you get to respond.
It would be great if one of her clerks reads Emptywheel and shares what you noted. Because you really didn’t get an answer. One side said yes. The other side “sorta no” by dumping false statements.
The false statements about Biden agreeing to the authenticity I hope would motivate her to address or rectify the misrepresentation.
I believe they will post my reply.
I recall reading here that the prosecution previously told the defendants that they would not be relying on the laptop but could get all the information they needed from other warrants. Which turned out to be untrue.
I also recall that the prosecution spent 5ish years digging through the defendants financial records. But curiously, when they used the laptop at trial, they did not establish that Hunter Biden had actually bought that particular device, only that messaging data on it matched up to phone numbers that were associated with Hunter Biden.
Given that the world had been publicly warned that the circumstances of appearance of this laptop had all of the hallmarks of a Russian disinformation operation, one would think that the FBI would have been meticulous in establishing provenance and authenticity of this material before relying on it, right?
Correct: there is no known receipt for it, while there is for the Ablow laptop purchased on 9/1/18.
They also never told the judge that the laptop first associated with Hunter’s iCloud account on 10/21/18, right in the middle of the 11 days he owned a gun, while he was in NYC.
Which gets really interesting when you consider Hunter lost his phones on 10/11/18, but somehow SMS texts from that phone made it onto a laptop not put into service until 10 days later.
I’ve thought many times that your command of multiple related event timelines qualifies as Justice League-worthy, but at this point, I’m now imagining what a suitable superhero costume for you would look like.
I suspect a magnifying glass would be involved.
All that to continue thanking you for your diligence and determination.
A couple of data points to add:
* On 8/31/18, the same date as the $1000+ purchase of the Ablow laptop & Apple Care at a Best Buy in LA, there is a charge at the same Best Buy for $388 on the banking statement from trial. So that might be a charge for taking a laptop in for repair or service or to transfer data to a new laptop, then purchasing the new laptop at the regular checkout.
* On 10/16/18, Hunter sent a text indicating that his computer is still at Hallie’s house, before he goes to New York. Possibly the Ablow laptop, and he decides to purchase the Mac Isaac laptop because he didn’t yet get the Ablow laptop back from Hallie’s
* Based on the banking records from trial, Hunter returns to Delaware on 10/20/18, so back from New York. I didn’t see evidence of a purchase at an Apple Store or Best Buy. But the prosecution didn’t file the statement for every account.
As I note in the attached letter and screen cap update, the certification for Gearhart, the iClouds, was PDFed on April 23, before SCO sent expert notice to Hunter Biden.
The certification for Waski was PDFed on May 13, only in advance of this filing.
Congratulations on a fine letter to Judge Noreika!
Prosecutor Derek Hines has released a real stinker here. Like a skunk, he is dependable and consistent.
As to what Judge Noreika will do, I’m betting she schedules an additional hearing on this matter before issuing her ruling.
I pulled the following quote from the Baldwin motion for dismissal (https://nmcourts.gov/wp-content/uploads/2024/07/July-11-2024-Defendants-Motion-for-Dismissal-and-Sanctions-under-Brady-Giglio-and-Rule-5-501-752p.pdf), curious how these trials are not dissimilar. Also interested in arguments of intervening cause. ????
“Simply put, the State was provided highly exculpatory evidence that supports Baldwin’s argument of intervening cause; it also supports Baldwin’s case that the SFSO’s investigation was biased, improperly motivated, and incompetent, which the Court has already ruled is relevant and admissible.”
Bummer on Noreika not unsealing the forensic report. Fingers crossed, maybe it could come through the CA court.
” IT IS HEREBY FURTHER ORDERED that the Court will not address further informal requests made by letter rather than appropriate motion. Ordered by Judge Maryellen Noreika on 7/18/2024. (as)”
IANAL Does this open a door for Hunter in any way?
At least you got serious discrepancies on the record.
Since the laptop is being discussed, here are a few random notes. Hopefully helpful to people following the laptop story
1) 2/6/19- Hunter’s email begins receiving Wells Fargo Account updates that have charges and ATM w/d info, so theoretically if someone had access to Hunter’s email they could track Hunter’s location. Reminiscent to Zoe’s testimony that she used his Wells Fargo account to try to locate Hunter.
2) 2/18/19- On Marco Polo, full screen laptop screen shot open to Hunter’s Uber account, including looking at a 2016 trip in the Trip history. Not sure why Hunter would be randomly looking at the Uber history and need to take full size screenshot on a laptop, but it made me recall emptywheel raising possibility of someone potentially using Hunter’s Uber account to try to make it look like he was somewhere he wasn’t.
The screen shot is similar to the one I mentioned previously from 2/16/19, full screen from a laptop, showing that Hunter’s apple account is set to back up data to the serial numbers belonging to Robert’s iPad and the Mac Isaac laptop. Both screenshots, I don’t understand why Hunter would take these screenshots, but could picture someone not Hunter, sitting at the laptop, with interest in taking the screenshots. That and the screenshots have dimensions 2880×1800, which indicate being taken on a 15” MacBook Pro, not the 13” MacBook Pros Hunter owned. But maybe that is an artifact from the Marco Polo group opening and saving the files on a different machine.
Which is interesting to compare to this article from a year ago: https://www.emptywheel.net/2023/07/08/the-laptop-everyone-knows-as-hunter-bidens-appears-to-have-been-deleted-starting-february-15-2019/
1) What laptop is that 9/16 message referring to? “Robert’s MacBook Pro”, per Dimitrelos doesn’t associate to Hunter’s Apple ID until 10/22/18
2) Look carefully at the laptops mentioned on 2/15. Anything look off in the spelling of the device names? Are both messages referring to the same device? Are they referring to devices even cited by Dimitrelos? Is it possible for a device to change names? If a device was deleted from Hunter’s Apple account in 2018, would it still appear on Dimitrelos’s chart?
Here’s a partial list from Dimiitrelos, focusing on the laptops from 2018 and later since that’s when it appears laptops began being named in this convention:
1) “Bobbys MacBook Pro” (1/8/18)- 13” MacBook Pro w Touch Bar, breaks, likely the one cited by Zoe during testimony that she took to Apple Store in March
2) “Roberts MacBook” (5/29/18)- 12” MacBook Retina w/o Touch Bar, unclear what happened to it, one theory is that it was stolen by a Russian dealer in Las Vegas on 8/5/18 (which I disagree and believe the device stolen was an iPad); possibly breaks late August/early Sept per text messages on laptop
3) “Bobby’s MacBook Pro” (9/1/18)- 13” MacBook Pro w Touch Bar, aka the Ablow laptop
4) “Robert’s MacBook Pro” (10/22/18)- 13” MacBook Pro w/o Touch Bar, which will end up with Mac Isaac; there are photos from 1/29/18 of a laptop of this model while at Ablow’s
5) “Roberts MacBook Pro” (11/15/18)– same serial number as previous device, I am listing it separately because Dimitrelos doesn’t include the apostrophe. Does the lack of apostrophe mean anything forensically or just that Dimitrelos didn’t maintain fidelity in transposing his chart?
Source (pages 13-15):
https://www.scribd.com/document/575556723/Final-Hunter-Biden-Laptop-Report-Redacted
Here is some more background observations for people following along. Hopefully the CA case will have more forensic data points.
There are at least 5 phone numbers used/owned by Hunter for time periods relevant to the DE trial exhibits. The below information is all based from photos, messages, emails released by Marco Polo, and to a much smaller extent exhibits from Joseph Ziegler.
The 3 AT&T numbers presented by the prosecutors, which I have mentioned previously as:
1. DC Number 1 (long time number, used throughout 2018 except during stretches when broken or lost as Zoe testified bringing phone to Apple Store in March)
2. DC Number 2 (begins using 10/13/18, previously used by ex-wife and possibly a daughter)
3. Joe’s Number (DE area code, previously used by Joe, used by Hunter throughout 2018 except during stretches while lost or broken, likely the number used with Whats App messages from GTX 18 4/18/18-7/25/18)
Here are a couple of more numbers:
4. DC Bat Phone (long time more private number w DC area code that appears on a different AT&T family plan account; a secret phone that doesn’t show up at all as a call back number when Hunter writes “call me back at _______” dozens of times, but there are a few instances when Marco Polo redacted the entire call back number deviating from their more common partial redaction leaving last 4 digits visible; unclear which device(s) used with, I suspect an older device such as the 6s or an older 8 Plus or iPhone 7; loaned to the Delaware woman photo’d with during the airgun pictures on 10/17/18 and the 20.7 on scale showing crack 12/28/18, Hunter speaks with in the video from 1/6/19 mentioning the “computer” stolen in August by a Russian drug dealer, and in the room in February when the Hunter app emails her “test”; loaned I think roughly 10/17/18 to 2/6/19 but not certain about exact dates; Hunter saved to his contact as name D Yeller)
5. LA Number (in use by mid September thru at least 10/4/18 and lost sometime by 10/12/18, unclear to me if lost in LA before 10/5/18 return to east coast, or on east coast; functionally replaced by DC Number 2 as his 3rd regularly used phone number, but definitely synced with Apple ID in September, likely the 8 Plus device that is literally Red)
Hunter’s iPhone placed in Hallie’s car to monitor GPS while at Ablow’s
I’m pretty confident of the following. The phone is the Space Gray 8 Plus named rediPhone on Dimitrelos, associated with DC Number 1. Phone placed on or about 1/6/19 under the seat, delaying scheduled 1/5/19 return to Ablow; from Newburyport 1/29/19 Hunter coordinates with a friend in Delaware to place her own phone under Hallie’s seat to monitor GPS. Hunter leaves Newburyport 2/4/19, early AM, plan to return late 2/4/19 to Ablow but delays in order to retrieve the phones from Hallie’s car, 2/5/19, and finds both phones missing from Hallie’s car. Hallie drops off the phone at Joe’s house a few days later. [I think Hunter somehow synced that 8 Plus onto the XS (DC Number 2), which might explain why those photos and messages are on the XS phone which is extracted onto the laptop 2/6/19. Also note the Live Photos on the XS are a mix of iPhone XS & iPhone 8 Plus interspersed 10/13/18 to 2/5/19 but also have a random November 2017 iPhone 7 photo as the first in the set]
Early November 2018 old devices possibly returned
Sometime around 11/5/18, I think Hunter retrieves a lost phone. I’m not sure which one. Also, around that time and shortly prior, Hudson West/Kevin Dong relationship winding down, so he may bring an older, seldomly used device back into regular rotation.