Hadley’s Email

Okay, now for the Hadley weirdness revealed in the White House email searches listed in a document turned over to CREW.

On the morning of October 15, Karl Rove testified before the Plame grand jury for appearance number 3.  He justified testifying to Fitzgerald by handing over the email Rove purportedly sent Hadley on July 11, 2003, just after he leaked Plame’s identity to Matt Cooper.


Either that day (the file searches appear to be dated October 15) or the next, someone did a series of searches, apparently looking for Hadley’s emails; these searches appear on pages 47-49. Here are the searches in the order in which they were last opened (here’s the spreadsheet if you want to play along).

| Search | File | Last opened | Time | File size |
|---|---|---|---|---|
| 10-1504 Hadley | NSC_2004_Saturday, October 16, 2004_MA.pst | 10/16/04 | 2:12p | 1753302016 |
| 10-1504 Hadley | NSC_2004_Saturday, October 16, 2004_MA(2).pst | 10/16/04 | 3:26p | 1751270400 |
| 10-1504 Hadley | NSC_2004_Saturday, October 16, 2004_MA(3).pst | 10/16/04 | 4:51p | 1751270400 |
| 10-1504 Hadley | NSC_2004_Saturday, October 16, 2004_MA(4).pst | 10/16/04 | 6:17p | 1751270400 |
| 10-1504 Hadley | NSC_2004_Saturday, October 16, 2004_MA(5).pst | 10/16/04 | 7:07p | 1751270400 |
| 10-1504 Hadley | NSC_2004_Saturday, October 16, 2004_MA(6).pst | 10/16/04 | 8:15p | 1751270400 |
| 10-1504 Hadley | NSC_2004_Saturday, October 16, 2004_MA(7).pst | 10/16/04 | 8:22p | 270222336 |
| 10-1504 Hadley | NSC_2004_Saturday, October 23, 2004_MA(2).pst | 10/23/04 | 2:18a | 1865040896 |
| 10-1504 Hadley | NSC_2004_Saturday, October 23, 2004_MA(3).pst | 10/23/04 | 4:01a | 1751270400 |
| 10-1504 Hadley | NSC_2004_Saturday, October 23, 2004_MA(4).pst | 10/23/04 | 5:13a | 1751270400 |
| 10-1504 Hadley | NSC_2004_Saturday, October 23, 2004_MA(5).pst | 10/23/04 | 5:51a | 958940160 |
| 10-1504 Hadley | NSC_2004_Saturday, October 23, 2004_MA.pst | 11/4/04 | 12:46p | 1751270400 |
| 10-1504 Hadley | NSC_2004_Friday, October 22, 2004_MA(2).pst | 3/9/05 | 5:34p | 488177664 |
| 10-1504 HadleyInitial Search | 1st Hadley Results.pst | 3/9/05 | 5:34p | 38944768 |
| 10-1504 Hadley | NSC_2004_Friday, October 22, 2004_MA.pst | 3/9/05 | 5:34p | 1754644480 |
| 10-1504 HadleyInitial Search | Hadley Final.pst | 3/10/05 | 3:00a | 39166978 |

So here’s what appears to have happened.

Either the same day Rove testified or the next day, someone started doing searches for Hadley’s email. On that day they appear to have run the search at least 7 times, from 2:12 PM to 8:22 PM, until the file size had been shrunk significantly. That Friday, October 22, 2004, at 5:34 PM, someone did two more searches. Then, in the middle of the night that night (that is, from 2 AM to almost 5 AM on a Friday-Saturday night), someone did five more searches; the first one of these was opened again on November 4. The last of these searches, like the last of the searches saved on October 16, 2004, was significantly smaller than the rest of the searches done that day.

Then, finally, someone did a search under a slightly new name: HadleyInitial Search. We don’t know when this search was saved–the two runs of the search are titled simply 1st Hadley Results and Hadley Final. These files were both much smaller than any of the earlier searches.

On October 28, 2004 someone appears to have done a whole slew of searches in the NSC files, many of them date-specific (these aren’t in the spreadsheet, but appear in the PDF). But a number of these searches were named with the same NSC_2004_Saturday October names that the earlier files had been named. Given the file sizes, it appears that "search" may have consisted of nothing more than renaming the searches done the previous week.

The Appeals Court ruled that Cooper and Judy would have to testify on February 15, 2004. In March, someone opened several of these files.

On March 9, 2005, at 5:34 PM, someone opened the two searches saved with an October 22, 2004 file name and the search, 1st Hadley results. And then, in the middle of the night (3 AM), someone opened the file titled Hadley file.

Now, I’m going to have to let William Ockham (who first pointed these searches out to me) or MadDog or someone explain the intricacies of this. But it looks to me as if within a day after Rove testified about his mysteriously discovered email to Hadley, someone went in and spent 6 hours playing around with the PST file that had Hadley’s emails in it. They may have done so again a week later (or those files could have been renamed). And finally, when it became clear that Judy and Cooper would have to testify, someone was looking at them again. 

Now, the Rove and Cooper searches were called a November 9, 2004 search. The slew of searches on October 28 were called an October 25 search. It looks like it’s possible that someone got into the PST files and altered them before Fitz came looking for the Hadley email. 
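The reading of the listing above can be reproduced mechanically. The following Python is an added example, not part of the original post: it parses the rows as listed, groups last-opened times into sessions using an assumed three-hour gap (the threshold and all function names are assumptions), and reports files that share a byte size.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple

# Rows as they appear in the post's listing: name, last-opened date, time, size in bytes.
LISTING = """\
10-1504 Hadley NSC_2004_Saturday, October 16, 2004_MA.pst 10/16/04 2:12p 1753302016
10-1504 Hadley NSC_2004_Saturday, October 16, 2004_MA(2).pst 10/16/04 3:26p 1751270400
10-1504 Hadley NSC_2004_Saturday, October 16, 2004_MA(3).pst 10/16/04 4:51p 1751270400
10-1504 Hadley NSC_2004_Saturday, October 16, 2004_MA(4).pst 10/16/04 6:17p 1751270400
10-1504 Hadley NSC_2004_Saturday, October 16, 2004_MA(5).pst 10/16/04 7:07p 1751270400
10-1504 Hadley NSC_2004_Saturday, October 16, 2004_MA(6).pst 10/16/04 8:15p 1751270400
10-1504 Hadley NSC_2004_Saturday, October 16, 2004_MA(7).pst 10/16/04 8:22p 270222336
10-1504 Hadley NSC_2004_Saturday, October 23, 2004_MA(2).pst 10/23/04 2:18a 1865040896
10-1504 Hadley NSC_2004_Saturday, October 23, 2004_MA(3).pst 10/23/04 4:01a 1751270400
10-1504 Hadley NSC_2004_Saturday, October 23, 2004_MA(4).pst 10/23/04 5:13a 1751270400
10-1504 Hadley NSC_2004_Saturday, October 23, 2004_MA(5).pst 10/23/04 5:51a 958940160
10-1504 Hadley NSC_2004_Saturday, October 23, 2004_MA.pst 11/4/04 12:46p 1751270400
10-1504 Hadley NSC_2004_Friday, October 22, 2004_MA(2).pst 3/9/05 5:34p 488177664
10-1504 HadleyInitial Search 1st Hadley Results.pst 3/9/05 5:34p 38944768
10-1504 Hadley NSC_2004_Friday, October 22, 2004_MA.pst 3/9/05 5:34p 1754644480
10-1504 HadleyInitial Search Hadley Final.pst 3/10/05 3:00a 39166978
"""

# The file name itself contains commas and spaces, so anchor on ".pst" and
# parse the three trailing fields (date, 12-hour time, size) after it.
ROW = re.compile(
    r"^(?P<name>.+\.pst) (?P<mo>\d{1,2})/(?P<d>\d{1,2})/(?P<yy>\d{2}) "
    r"(?P<h>\d{1,2}):(?P<mi>\d{2})(?P<ap>[ap]) (?P<size>\d+)$"
)


class Record(NamedTuple):
    name: str
    opened: datetime
    size: int


def parse_listing(text):
    """Turn each listing row into a Record; fail loudly on a row that does not fit."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ROW.match(line.strip())
        if not m:
            raise ValueError(f"unparseable row: {line!r}")
        # Convert 12-hour clock with a/p suffix to 24-hour (12:46p -> 12, 2:18a -> 2).
        hour = int(m["h"]) % 12 + (12 if m["ap"] == "p" else 0)
        opened = datetime(2000 + int(m["yy"]), int(m["mo"]), int(m["d"]),
                          hour, int(m["mi"]))
        records.append(Record(m["name"], opened, int(m["size"])))
    return records


def sessions(records, max_gap=timedelta(hours=3)):
    """Group records into runs of activity; a gap above max_gap (assumed) starts a new run."""
    out = []
    for rec in sorted(records, key=lambda r: r.opened):
        if out and rec.opened - out[-1][-1].opened <= max_gap:
            out[-1].append(rec)
        else:
            out.append([rec])
    return out


def overnight(session):
    """True when a session starts between midnight and 6 AM."""
    return session[0].opened.hour < 6


def same_size_groups(records):
    """Map byte size -> file names for sizes seen more than once.
    Equal size only suggests a copy; confirming it needs a content hash of the files."""
    by_size = defaultdict(list)
    for rec in records:
        by_size[rec.size].append(rec.name)
    return {size: names for size, names in by_size.items() if len(names) > 1}


if __name__ == "__main__":
    recs = parse_listing(LISTING)
    for s in sessions(recs):
        flag = " (overnight)" if overnight(s) else ""
        print(f"{s[0].opened} -> {s[-1].opened}: {len(s)} file(s){flag}")
    for size, names in same_size_groups(recs).items():
        print(f"{size} bytes shared by {len(names)} files")
```

The timestamps are only the "last opened" values from the listing, so the sessions show when files were last touched, not every time they were touched.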

118 replies
  1. MadDog says:

    …Now, I’m going to have to let William Ockham (who first pointed these searches out to me) or MadDog or someone explain the intricacies of this. But it looks to me as if within a day after Rove testified about his mysteriously discovered email to Hadley, someone went in and spent 6 hours playing around with the PST file that had Hadley’s emails in it

    (My Bold)

    I wouldn’t jump to that conclusion. The items that were accessed were merely the “searches”, not the actual PST files with the emails in them.

    Some of the pages in the document do indeed refer to PST files instead of “searches”, so examining these would be more helpful to the question of PST file modification.

    Secondly, I’ve not found (yet) any headings for the columns of data in the document.

    For example, the heading in your spreadsheet entitled “Last opened” is of some value, but another of “Date Modified” would be of even more value.

    EW, can you point me to where you found the headings you are using?

    • emptywheel says:

      Oh, I made them up.

      They may be wrong (maybe WO will show up–he went out for dinner), but part of my impression on this comes from the discussions in these documents, which talks about how they were saving files around the time that this list was constructed. One thing they were watching was the file sizes changing when they got opened.

        • emptywheel says:

          No–it comes from the discussions. If you look in this thread I gave some intro to the files I thought were most interesting, for myself or–better–people with some tech knowledge.

          In any case, a huge percentage of these documents are email threads from October 2005, as they were just trying to figure out WTF was going on, and some of the critical issues they were following become clear in those.

    • WilliamOckham says:

      Actually, they are pst files. The technique they were using to do the searches resulted in a pst file of all emails that met the search criteria.
      You can compare the files listed in that document to the ones in this document (which has column headings for File Accessed/Modified/Created).

      Any tool that opens a pst file in the ‘approved’ way is supposed to reset the file modified date (like Excel does for its files).

      • WilliamOckham says:

        Check out p. 86 of the document I linked to. Fourth listing from the bottom, document # 2868. That’s the document ew is referring to and the timestamps support her conclusion.

        • MadDog says:

          Ok WO, but something strange is shown there too.

          The file headings are in this order:

          Access Date
          Modify Date
          Creation Date

          On the Hadley PST file in question (4th from the bottom), this is what is shown:

          e:/seach results=NSC 10-1504 Hadley=NSC_2004_Saturday, October 16, 2004_MA(7).pst

          (Note: the = sign should be back slash but they don’t show here on this blog).

          And with these file attributes:

          Access Date: Wed, 21 Sep 2005 13:05:24
          Modify Date: Sat, 16 Oct 2004 20:22:18
          Creation Date: Wed, 09 Mar 2005 15:36:45

          (My Bold)

          I’ve run into this before and never bothered digging out the true reason, but as you can see by my bold, the Creation Date is 2005, and that simply can’t be correct.

          You can’t have a Creation Date that follows the Modify Date.

          As I said, I’ve seen this with Microsoft file attributes before, and though it has bugged me forever, I’ve never gone back to find out wtf was going on.

          Any chance you have the explanation handy? *g*

        • WilliamOckham says:

          This can happen in a number of ways. If you copy (with Windows explorer) a file from a different drive, the modified date stays the same and the create date changes to the current date. However, every application can do things its own way. Also, any app can set the values to pretty much anything they want.

          In this case, I’m guessing the file is still in the same directory where it was originally created. There are a number of scenarios I can imagine. First, suppose somebody knows that the tool that opens .pst files changes the modified date (that’s the date that shows up by default in Windows Explorer, right. I don’t remember because I configure my computer to show all three dates, doesn’t everybody?). They might open it, make changes, and then use a widely available utility to reset the modified date without realizing that the create date was also changed.

        • greenbird4751 says:

          i had to run a search myself to explain how “date created” can be later than “date modified” or “date accessed:”
          it’s when a sysadmin migrates data, to be saved, from an old hard drive/server to a new one.
          again, there may be occasions when viewing “properties” reveals more accurate create dates, but not always.
          i have a pst file migrated from its creation sometime in 2000, showing created 8/5/2005.
          also it shows modified 4/23/05.
          i would guess going with the oldest modified date points to a rough actual create date.
          also, my search results show details i’ve selected and arranged, from “view” “choose details” so i can visually locate files.
          sometimes “modified” and “created” are duplications twins: i got modified when i got created.

          what i completely missed in your post was that all but two of the retrieved files include dates as part of the file name. these are the smaller files you focused on.
          this could mean that they were migrated w/o following the previous search pattern of naming.

        • bobschacht says:

          i had to run a search myself to explain how “date created” can be later than “date modified” or “date accessed:” it’s when a sysadmin migrates data, to be saved, from an old hard drive/server to a new one.

          Not just sysadmins. Anyone copying a file from one drive to another will result in the same thing, if I understand correctly. So it’s like “date created” really means “date created on this drive”.

          BTW, I for one would appreciate a recap of the comments in light of EW’s lead post to help us laggards understand the significance of the info developed in the comments. I can follow what the commenters are saying, but I don’t necessarily understand the cumulative significance of the comments.

          Bob from HI currently in IL

      • MadDog says:

        Actually, they are pst files. The technique they were using to do the searches resulted in a pst file of all emails that met the search criteria.

        Hmmm…that is a really strange way to capture search results, but perhaps there was a reason to make them PSTs (it certainly escapes me *g*).

        …You can compare the files listed in that document to the ones in this document (which has column headings for File Accessed/Modified/Created…

        Muchas gracias! I thought there was one, but there were so many CREW-provided PDFs in the latest document dump, I was getting lost.

        …Any tool that opens a pst file in the ‘approved’ way is supposed to reset the file modified date (like Excel does for its files).

        And this gets to the primary point in my # 3. Even if the document that EW is using refers to PST files as you indicated, what the OA turned over in that particular document does not have a “date modified” heading, so one would be stretching it too far to conclude that the file was “modified”.

        Accessed, yes! Modified, can’t be determined.

        Now, beginning on Page 9 of the document you referenced, that is the one that has a “modified date” heading, and should be a source for determining if a file was modified.

  2. tryggth says:

    So MadDog… the first thing I noticed is that these are BIG files. Nothing sinister about that… just a little surprising. And it sort of looks as though the “base” (in some sense) PSTs had a common naming convention. I think these three:

    NSC_2004_Saturday, October 16, 2004_MA.pst 10/16/2004 2:12p 1753302016
    NSC_2004_Friday, October 22, 2004_MA.pst 3/9/2005 5:34p 1754644480
    NSC_2004_Saturday, October 23, 2004_MA.pst 11/4/2004 12:46p 1751270400

    Now I don’t know if they were the results of an initial search. But it looks like “the PST” grew over the course of 6 days by 1.3 MBs. And then magically shrunk by 3 MBs in a single day. I wonder what those original PSTs are/were.

  3. emptywheel says:

    Does it strike anyone else that the way they did the searches to respond to Fitz’s subpoenas were to do searches on the PST files, and then just “exclude” stuff they felt was unresponsive?

    And that they’ve saved some of the “excluded” files, but by no means all of them?

    • scribe says:

      Not being a techno-geek, I don’t get all the intricacies of .pst files and all that. But, more to the point, in response to your half-posed question, I respond:

      Think back a few months to KO flipping out about one of the prior iterations of the Risen/Lichtblau warrantless wiretapping story, in which they discussed the creation of two (or more) piles – the “we captured/sieved out all these communications involving journos” and “we captured/sieved out all these communications involving supposed bad people” – and which pile they looked at (Supposedly, the bad people). When, in reality, the point of designing the sieve in the way they did was to watch the journos.

      Apply the same logic – [how to] construct a sieve which looks innocent to the outside observer but in reality “coincidently” captures exactly what you’re looking for, something which if revealed would set off a firestorm. That would seem to be what is going on here, though reversed from the “watch the journo” model – a continual, iterative refinement of the search parameters to exclude from the sieve really nasty stuff that the searcher does not want to get out, while complying in good faith with the subpoena, as written.

      This would also explain the file-size changes. First time through, it would be X megs, then after a change in the search parameters it would be Y>X (oops!), then after going down the hall and getting yelled at and changing the search parameters again, it would be Z, less than Y, and after a couple more iterations of A less than Z, B less than A, etc., a result would have been achieved which would have been “good faith” compliance with the subpoena while excising the really nasty stuff they did not want getting out.

      This requires someone who is quite skilled in little semantic games.

      I would also bet someone – probably with a stubby pencil and a legal pad – sat down between searches to try to logic out how to reconfigure the searches to excise particular documents. That legal pad has likely long since been turned into paper aeroplanes, shredded for packing Aunt Martha’s china, burned or pulped.

      Oh, to have those WH entry and exit logs, just to see who was working late.

    • MadDog says:

      Does it strike anyone else that the way they did the searches to respond to Fitz’s subpoenas were to do searches on the PST files, and then just “exclude” stuff they felt was unresponsive?

      And that they’ve saved some of the “excluded” files, but by no means all of them?

      To get back on track (and out of the techie weeds *g*), I do think you have an important observation here, and I also think it might tie into what Scribe described in his # 23.

      I remember from some of the Libby trial documentation dumps (I think), that some of the Addington search strings were included.

      With these latest CREW documents, I surely wish we had the specific search strings to go along with the PST files they were searching.

      EW, with your prodigious memory, perhaps you know which of the older document dumps contain Addington’s search criteria, and I wonder if any of those can be matched up to the searches in the latest CREW documents?

  4. emptywheel says:

    Just as a reminder, here are the days when there was no email found:

    For the White House Office: December 17, 2003, December 20, 2003, December 21, 2003, January 9, 2004, January 10, 2004, January 11, 2004, January 29, 2004, February 1, 2004, February 2, 2004, February 3, 2004, February 7, 2004, and February 8, 2004.

    For the Office of the Vice President: September 12, 2003, October 1, 2003, October 2, 2003, October 3, 2003, October 5, 2003, January 29, 2004, January 30, 2004, January 31, 2004, February 7, 2004, February 8, 2004, February 15, 2005, February 16, 2005, February 17, 2005, May 21, 2005, May 22, 2005, May 23, 2005.

    For the Council on Environmental Quality: 81 days, including the entire period between November 1, 2003 through January 11, 2004.

    For the Council of Economic Advisers: 103 days, including the entire period between November 2, 2003 through January 11, 2004.

    For the Office of Management and Budget: 59 days, including the entire period between November 1, 2003 through December 9, 2003.

    For the U.S. Trade Representative: 73 days, including the entire period between February 11, 2004 through April 18, 2004.

    • emptywheel says:

      And one of the reasons I did that was to see whether some of the days in the files were considered restored.

      For example, May 10, 2005, the date of the Bradbury memos, was a search. But I guess they got those emails.

  5. emptywheel says:

    You know, I think the first spread sheet is much more useful.
    I think the second one tracks only the files in the transfer system. Which is why you’ve got creation dates after modify dates–because modify seems to take the last mod in the last system, whereas create is when the new file–the recovery, if you will–was created. So to find the kind of stuff that went on when these searches were run, you gotta go with the older file.

  6. pdaly says:

    To reach my conclusion (below), similar to what emptywheel was finding in her main post, I’m assuming the following in deciphering the columns EW listed in her main post:

    The column headings are as EW surmised.

    The number in parentheses located to the left of “.pst” is the cardinal ordering of the run—for example (2).pst is second run, (3).pst is 3rd run, etc., –and I’m assuming the lack of a parenthesis and lack of number signifies the first run.

    So,
    now look at 12th line down of the 10-1504 Hadley searches:

    NSC_2004_Saturday, October 23, 2004_MA.pst 11/4/04 12:46p 1751270400

    This is the “first run” on October 23, 2004, and this file size (1751270400) is the same size as the third run the same day. It is also the same file size as the second run on October 16, 2004 (1751270400).

    However, this first run (October 23, 2004 12:46p) is smaller than the first run on October 16, 2004, and –more curious still — this first run October 23, 2004 is smaller than its own second run on October 23, 2004. Once again it looks like something was deleted. Have no idea what this means, however.

    One other thing caught my eye in the CREW pdf file EW links to in this post. The memo clarifies that “components” will be broken down and regrouped into individual years, one drive for each year. The emails will also be grouped by To: and From: instead of remaining in components. Would make searching easier I suppose for both a prosecutor and a saboteur. The mention that some searches would result in duplication of emails caught my eye, because the advice is to manually remove the duplicates, instead of letting Fitz do the work.

    • emptywheel says:

      One of the things that came out in the emails was that just opening the file could make it bigger (don’t look to me to explain that–ask the tech wonks). So the tech guys in 2005 were finding files growing in size just with the opening.

        • WilliamOckham says:

          Not so odd if you understand that a pst file ‘remembers’ certain personal settings of every MAPI profile that opens the file. Ok, that probably doesn’t make much sense to anybody who doesn’t spend their life coding in the Microsoft world.

          Let me put it like this. The pst file is a little database application that has a built-in set of rules about when to ask for more file space from the operating system.

        • MadDog says:

          Ok, I’m with you (though I guess others are shaking their heads *g*).

          Per Microsoft:

          A profile is what Outlook uses to remember the e-mail accounts and the settings that tell Outlook where your e-mail is stored. A new profile is created automatically when you run Outlook for the first time. The created profile runs whenever you start Outlook. Most people need only one profile. However, sometimes you might find it useful to have more than one profile. For example, you might want one profile for work and another profile for home. Also, if other people use the same computer as you, their accounts and settings can be kept in a separate profile that has a different name from your profile…

          So basically each time someone opened a PST file, their own email profile would get added to that PST file.

      • MadDog says:

        I do remember that, though I don’t remember the “why” of that. If time permits, I may Google around to see if I can find out.

    • MadDog says:

      …However, this first run (October 23, 2004 12:46p) is smaller than the first run on October 16, 2004, and –more curious still — this first run October 23, 2004 is smaller than its own second run on October 23, 2004. Once again it looks like something was deleted. Have no idea what this means, however…

      While we don’t have the actual search strings to validate this, I’m guessing that different file sizes result from adding or subtracting items from the search string.

      And that I think goes to Scribe’s comment in # 23.

      Which makes me wonder if Patrick Fitzgerald and his team were techie-smart enough to insist that whomever conducted these subpoena-required searches was mandated to produce each and every “attempt” at a search. Even the failures, typos and bad search strings.

      I don’t think they were, and I do think that Scribe may be onto something!

      • pdaly says:

        Thanks WO and MadDog.

        One other thing I should add: I noticed the first run .pst file I was referring to above was opened/accessed again in November 2004–apparently none of the other searches from that date were reaccessed.

  7. MadDog says:

    …If you copy (with Windows explorer) a file from a different drive, the modified date stays the same and the create date changes to the current date…

    Ok, I just verified this is the case on one of my systems.

    So, to answer EW (and me), it appears that the Creation Date change on some of these files (where the Creation Date is newer than the Modify Date) is simply because the PST file in question was copied from one drive to another drive.

    If that is the case (and I do believe it is), then we shouldn’t place any significant value in the Creation Date in those instances.

    And anyways, for our purposes, the real valuable dates are both the Modify Date and Access Date.

    • WilliamOckham says:

      But I don’t think that happened with this particular file. I’m still cross-referencing the various spreadsheets included in this document dump.

  8. WilliamOckham says:

    I’m turning in for the evening. Tomorrow’s Father’s Day, so I will probably not be getting back to all this until sometime late tomorrow.

    • MadDog says:

      Ok, I don’t have a ready answer for what the “Z” means, but I do note that many of the Z named PST files have a corresponding non-Z named PST file immediately preceding it.

      And I also note that the file size difference is that the “Z” named PST file is always slightly smaller than its corresponding non-Z named PST file.

      And I was looking at page 46 of the document.

      I’ll have to ponder why the 2 almost identical searches, but one has a “Z” in its name and the other doesn’t.

  9. hackworth1 says:

    I’ll bet Karl Rove is computer savvy. Obama should ask him to be the Computer Security Czar. Rove just might jump at the opportunity and he doesn’t have the baggage that Davis has.

  10. readerOfTeaLeaves says:

    Observation: 3 am in Washington, DC is about 9 am in London and (?)10 am in Saudi Arabia, Israel, IIRC.

    Also, back in the thread about server crashes, at 112 Rayne asked about a possible Alaskan tie-in, or some Alaskan entity given a contract.

    My recollection is ‘Chenega’, which is a native Alaskan corporation, and was also the name of some outfit that got millions of dollars in government (intel? cmu?) contracts. ‘Chenega’ is one of the little villages that was affected by the ExxonValdez oil spill. No clue what the tie-in is, but certainly one exists. And there are very few native Chenegans remaining, so no clue how that term ended up in DC unless it was some method of getting contracts via Women and Minority Owned Biz status.

    If there is a connection between the Plame Investigation and the shenanigans that the neocons — especially Franklin, Ledeen, Feith — were pulling (which, as near as I can fathom appears to be trying to get the US involved against Iran), then the timing of an email between Rove and Hadley makes sense around 11 July 2003.

    If Plame knew something that the neocons wanted to control, or they wanted to weaken the CIA, then a Rove-Hadley email makes a whole lot of sense b/c they had to coordinate their activities.

    But it certainly underscores a ‘conspiracy’, to say nothing of a ‘cloud over the office of the OVP.’

    • Rayne says:

      OT – thanks for that name, Chenega, definitely worth a deeper inspection. In 2007 the DHS IG said a half-billion dollar contract had been improperly awarded to Chenega in 2003. Looking at their record, Chenega has received over 1.5B in contracts since 2000, including some for work on telecom/data projects and some for USOC, bulk for DOD.

      Very, very fishy.

      We’ll have to put this on the back burner since at this point it’s unrelated to the email searches, but definitely keep this in mind. Especially since a large portion of Chenega’s work was done in Rep. Tom Davis’ district…

      [edit: definitely look at the jobs Chenega has open, many of them in IT field requiring security clearances AND for projects with code names. Workstation maintenance posting, for example. And Stevens/Murkowski both had a hand in Chenega’s explosive growth which does little for the Alaskan Chenegans.]

    • cinnamonape says:

      Or it could be an acronym…”Cheney” something. Chene-ga or Chen-ega or Che-nega?

      • readerOfTeaLeaves says:

        No, it’s not a play on Cheney.

        Go to Google Maps and enter “Chenega, Alaska”, then if you need to zoom up, do so.
        You’ll note that Chenega lies SSW of Valdez Arm, on Prince William Sound.

        The village of Chenega was mostly destroyed in the 1964 earthquake IIRC. Many of its residents were relocated to Cordova, or to a village on the sound. There are not many living Chenegans, I don’t believe.

        Also, google ‘Chenega + ExxonValdez’.

        And if you are ever interested, a PhD in Marine Biology named Riki Ott wrote a stunner of a book on the ExxonValdez disaster — really phenomenal. It was an FDL Book Salon selection. Well worth anyone’s time, and does a terrific job of tracking (and explaining) the effects of pollutants over a period of several decades.

        Cheney’s connected only in terms of being obsessed with energy resources.
        In itself, not a bad thing; in Cheney’s case, extractive resources that are very 19th century.

  11. FrankProbst says:

    Hmmm. I keep forgetting–what was the last theory about why Hadley thought he was going to be indicted?

    • emptywheel says:

      Probably for perjury, though I’m not sure. But remember that he was brokering relations between the CIA and OVP that week, and as such seems to have been cognizant of at least the late-week plans to leak Plame’s name.

  12. emptywheel says:

    Anyone know if those identically sized files of different names from 75 and following in this file are actually the same file?

    And if so do the new names suggest someone tried to hide that file?

    • tryggth says:

      What is the file size? If it’s large it’s almost certainly the same file. And probably the same even if it isn’t so large.

      So what appears to have happened is that a few master .pst files were pulled from the archive. Then someone would open and search those .pst for keywords or some criteria. The resulting result set would then be saved out as a different .pst files. I think several of the different named large and identically sized .pst files are just the pulling over of the original archive to begin a new search. In some cases several original archives were duplicated with a copy and paste (after the renaming) and that is why you see the several large identically sized files with the (2), (3), (4), etc suffixes. Windows does that with a copy and paste, I think. It probably was faster to copy in place on the “work” computer than to keep pulling over the original archives.

      Now it could be the operator wasn’t [typo corrected] really sure of the approach they were going to use to produce the final results (and hence the multiple copies of the original archive). However, it also could be that they created a “new” “complete” archive for subsequent searches. Really hard to say without being able to ask someone.

      What I did wonder about is the Hadley Oct. 22 archives you originally listed. It started with a 1754644480 which is bigger than the oh-so-popular 1751270400 archive. Then an operation produces a largish 488177664 archive which gets saved in place (the “(2)” suffix). I’m guessing this is something like pulling out Hadley’s inbox and sent mail from the uber archive. Then there are two subsequent searches. One producing “1st Hadley Results.pst” and a second which had a few additional hits that were added in to produce “Hadley Final.pst”. I don’t see the second search results as a standalone search result set. It is probably just how they did this search and nothing significant.

      • tryggth says:

        Windows does that with a copy and paste, I think

        This doesn’t happen. At least in Windows Explorer. But I am sure those large files of the same size are just copies of each other – same set of emails.

    • Garrett says:

      identically sized files of different names

      32,768 bytes is an empty file. As small as it can make it. Stated so on page 3 of the document.

  13. emptywheel says:

    Item 2717 in this file is interesting.

    It’s the results of a search for Rove stuff from July 2003. It’s precisely the same size as the results of a search for Cooper stuff from July 2003, so it may be the same set of emails.

    But here’s the thing. The search was apparently requested on November 9, 2004.

    The initial date on the Rove search was November 5, 2004.

    • pdaly says:

      The initial date on the Rove search was November 5, 2004.

      I wonder if that is the reason this Hadley search from 10/2004 was reaccessed the day before: November 4, 2004.
      NSC_2004_Saturday, October 23, 2004_MA.pst 11/4/04 12:46p 1751270400

  14. greenbird4751 says:

    WO: there’s also this (from wikipedia)
    “Remote Differential Compression (RDC) is a client-server synchronization algorithm that allows the contents of two files to be synchronized by communicating only the differences between them. It was introduced with Windows Server 2003 R2 and is included with later Windows client and server operating systems.

    Unlike Binary Delta Compression (BDC), which is designed to operate only on known versions of a single file, RDC does not make assumptions about file similarity or versioning. The differences between files are computed on the fly, therefore RDC is suitable for efficient synchronization of files that have been updated independently, network bandwidth is small or in scenarios where the files are large but the differences between them are small.

    The algorithm used is based on fingerprinting blocks on each file locally at both ends of the replication partners. Since many types of file changes can cause the file contents to move (for example, a small insertion or deletion at the beginning of a file can cause the rest of the file to become misaligned to the original content) the blocks used for comparison are not based on static arbitrary cut points but on cut points defined by the contents of each file segment. This means that if a part of a file changes in length or blocks of the contents get moved to other parts of the file, the block boundaries for the parts that have not changed remain fixed related to the contents, and thus the series of fingerprints for those blocks don’t change either, they just change position. By comparing all hashes in a file to the hashes for the same file at the other end of the replication pair, RDC is able to identify which blocks of the file have changed and which haven’t, even if the contents of the file has been significantly reshuffled. Since comparing large files could imply making large numbers of signature comparisons, the algorithm is recursively applied to the hash sets to detect which blocks of hashes have changed or moved around, significantly reducing the amount of data that needs to be transmitted for comparing files.

    The Client Side Caching (CSC) feature in Windows Vista makes use of the technology for the first time, allowing file types such as Microsoft Outlook personal folders (*.pst) to be made available offline. Previously, Windows XP used only file metadata to test if a file such as a .pst had changed. When the application “touches” a .PST file’s date, even when it does not make any changes, it triggers an update of the file in Windows XP causing CSC to recopy these large files unnecessarily. In Windows Vista the file will be updated only if it has actually been modified, and only the actual parts of the file that have been changed are transmitted.”

  15. WilliamOckham says:

    I believe that the files with MA at the end of the file name are files created by Mail Attender. I don’t think all files created by Mail Attender got the MA affixed to the file name (a lot of this was very ad hoc). That suggests that the files in the “search results” folders with MA in the name were copied from somewhere else and then searched.

    I’m still trying to figure out what BWS at the end of some of the file names means.

    Sometimes the reason these pst files have the same size that’s near 2 gigabyte is that the program that collected emails by pulling them out of the Exchange Journal was designed to stop when the file reached a certain size and then start a new file.

    Mostly, what I’m doing is just thinking out loud in hopes of spurring other people’s thoughts. I’m going to go play “42” with my family. It’s a Texan thing.

    • Rayne says:

      Bet you “BWS” = Boston WorkStation scripting software tool.

      [edit: Here’s a description of BWS’ capability for messaging management use:

      Message Management
      Boston WorkStation provides a variety of messaging pathways for external communication, including email via SMTP, FTP, TCP/IP, SOAP, SNMP, and the Citrix shared clipboard. Boston WorkStation can interact with message queuing systems such as MSMQ and also provides an internal queuing system, allowing the creation of bi-directional scripts that interact with messages from interface engines or by listening / sending directly to a port.

      MadDog, you there? does that last line sound like a resource for use in a kingpin/man-in-the-middle operation?]

    • tryggth says:

      Sometimes the reason these pst files have the same size that’s near 2 gigabyte is that the program that collected emails by pulling them out of the Exchange Journal was designed to stop when the file reached a certain size and then start a new file.

      That makes perfect sense and explains why the (7) file listed above is so small and why so many files have the size 1751270400.

  16. oldtree says:

    To my disbelief, but consternation, the use of Vista is rather unlikely isn’t it? Why would an email system be set up around a flawed system to begin with? For the Windows techies; Are these files modifiable in such a way that the originals do not then exist when forwarded? Open source systems keep all the data and show the thread move, but add the dates of modification by showing a continuous pattern or thread.
    Not having used an MS program, is it truly this easy to manipulate the files to create what appear to be, on first through 5th read, new dates and origins? Are we talking about emails being searched for that the originals have been deleted and modified to appear as though original? It is the only thing that makes any sense to someone that would not want to archive all emails for reference later based on the complete history.
    And for reality’s sake, why wouldn’t the email program be one written for the entity itself? They would really use a swiss cheese for something requiring a brick?
    Is this all about destroying the content of the originals to make the finally presented emails more, “sanitary”?

    • Rayne says:

      Vista would be extremely unlikely especially given the time frame, and is probably still not used to this day in this setting. I think the point of the piece furnished above in thread is a comparison of XP vs. Vista which laid out XP’s functions.

      I’m not even certain XP would have been a given on the desktop across the EOP-OA, considering how slow and backwards this entire environment was during the Bush years. Would not surprise me at all to see Win2000, which might be worth exploring. (Server OS would be another issue altogether.)

  17. emptywheel says:

    So, from the file documents, I’m guessing that the following happened with the OVP PSTs:

    February 5, 2004: EOPRM server crashes
    February 11, 2004: Files mostly reconstructed from two-week old backup
    July 27, 2004: A chunk of the OVP PST files restored
    December 9, 2004: Significant Plame-related search (search titled December 2, 2004)
    June 2005: Another attempt to reconstruct files
    October 2005: Other files discovered missing, the attempt to reconstruct them begins

    Is that all right?

    • WilliamOckham says:

      No, in Feb 2004, the Microsoft guys were able to restore the data from the crashed server. From the post-mortem:

      On 2/5/2004, the EOPRM server’s drives crashed and caused the server to bluescreen at bootup.
      Solution:
      … We then worked with [redacted] on recovering the public folder database where the query results were held. The solution provided was a complete rebuild of EOPRM to a new server and then the recovery of the Exchange databases.
      Lessons Learned:
      There was an Exchange database backup but it was two weeks old. If we were unable to access the databases on the bad drives, two weeks worth of query results could have been lost.

      [My bold]

      The MS guy is saying that they were able to recover the Exchange databases from the crashed server.

        • WilliamOckham says:

          Yes, when a Microsoft guy says “solution provided”, that means that’s what they did (they may have tried a bazillion other things, but they always document what worked). If they hadn’t been able to recover the Exchange databases, they wouldn’t have written it this way. This sentence:

          If we were unable to access the databases on the bad drives, two weeks worth of query results could have been lost.

          really means

          If we had been unable to access the databases on the bad drives, two weeks worth of query results would have been lost.

          They never write it that way, because they hold out the possibility that even if they hadn’t been able to recover the databases they would have used some other Microsoft magic to get those results back.

    • WilliamOckham says:

      btw, where’s the evidence for this:

      July 27, 2004: A chunk of the OVP PST files restored

      Not disputing it, I thought I had that too, but now I’ve lost it in all the other stuff I’ve been looking at.

      • emptywheel says:

        Look at items 2351 through 2373 on OAP500. Titled “OVP/2004_July/20040727” with a whole series–most first saved on July 28 or 29 (though there are some August ones). That first saved date of July 28 and 29 shows up for a lot of the “OLD FILES” and similar. It could have just been a regular dump for July 2004 (making that month the rare month OVP decided to archive), but it seems there’s a lot more info in there.

  18. emptywheel says:

    Incidentally, as I noted on the Novak Plame Wilson thread, that search came 10 days after Novak gave a deposition, so the dates likely came from him in some way. If so that means he admits to talking (emailing) the White House on July 7, 2003–before he spoke with Armitage. He has intimated he was working on the Frances Fragos Townsend story. The one Libby and Addington were pushing…

    • Garrett says:

      If so that means he admits to talking (emailing) the White House on July 7, 2003–before he spoke with Armitage.

      The gap between the type and level of detail being looked at here (file names, file sizes, times of night of file accesses) and the type and level of implication and understanding being derived from it (Novak was emailing with the White House just before talking to Armitage, or it sure looks like someone wanted to see if it had left a trace), I’m finding kind of provoking and challenging to my ideas about big databases of information.

      Computer extraction versus crowd sourced extraction is a current subject of debate. I’ve always thought both, each according to their strengths.

      The tables in these documents have a grammar that can be read. Nothing new about that idea.

      But just how much meaning is potentially readable is the part I find provoking.

      • emptywheel says:

        I do caveat it–“if so.” Those dates don’t make sense from an investigative standpoint, per se, according to any known details. (That is, why search for emails from before the Kristof article?) So all I’m trying to do is figure out an explanation for it.

        I’m fairly comfortable with the guess that Fitz asked for them. There are a number of other logical searches (notably, after Fitz gets the Rove-Hadley email mentioning Cooper in October), which seems to suggest a bit about the timing of new requests.

        The coincidence of the Novak deposition and the search seems to be related in some way. That’s all I can say for sure.

        Though the July 7 date IS a signature date, particularly to be searched at that late date. We know that–at some point–Novak testified he was working on the Fran Fragos Townsend story with the White House, we know he has testified he worked on that story on July 7, 2003. It’s just a guess, but it’s a likely guess.

        • emptywheel says:

          Mind you, we don’t know that there were emails from that date. Just that someone–probably Fitz, in this case–checked to see if any of the emails discussed Joe and Valerie.

        • cinnamonape says:

          When did Fitz actually receive the roster of the searches? And wouldn’t he have received hard copies rather than be able to do a search himself? I don’t recall him requesting access to the email storage of the WH (passwords, etc.) as part of his subpoena.

          Also it’s all a bit odd that someone would be up all night on October 23rd, 2004 on the eve of the 2004 election doing these searches. Someone must have been tasked with that duty during the final flurry of activity before the election. Cheney and Bush were on the campaign trail, and I doubt that they, or their immediate political staffs would have been doing this themselves. Condi was also on the campaign trail. I can’t conceive that Rove would be up all night searching emails at that period.

          Someone must have been tasked with this by one of the principals. IF it was done at the White House or Cheney’s residence they’d likely be operating from a “center” where all-night activity wasn’t unheard of (the Situation Room, perhaps an NSC office). They would have had to have known what to look for and what was potentially dangerous. To do that they’d have to know enough of the details to create a “firewall” (or at least know that if certain individuals or titles were mentioned to create an exclusionary protocol for that).

          Also who would have the right/power to undertake an examination of secure email communications? Presumably, unless the documents were only excluded by some content search criteria, they were actually read/reviewed. And if they weren’t read and reviewed what individual would be up all night on a weekend doing this stuff?

        • emptywheel says:

          I don’t know what Fitz got. I know Luskin claims Fitz got Rove’s computer. But I also know that there was uncertainty among members of Fitz’s team whether they had gotten the Libby email as recently as last year.

        • Rayne says:

          I don’t have the timeline down cold like you do, EW, but I wonder if the time window in advance of publication of Kristof’s article reflects two things:

          – the window of time between editorial review and actual publication (Kossack EZWriter always had stories 12+ hours before they actually published, as one example of the lag);

          – timing between Kristof offering the administration or sources close to a chance to offer comment/rebuttal before it went into editorial review.

          ???

  19. sojourner says:

    William Ockham — from my limited IT exposure to Exchange / Outlook, I know that the maximum recommended file size for a PST is 2 gb. In companies where I have worked, they are used as a personal work archive to retain email in specific subject folders. Mail that was stored in PSTs was no longer on the mail servers or subject to backup.

    So, following that line of thought with, say, a Karl Rove, would all of his email that he chose to save in PST be removed from the White House servers and no longer subject to backup?

    I guess what I am wondering is whether or not certain select officials elected to retain only what they wanted to in their own personal PST files on their personal computers. The searches that are being discussed here would not necessarily hit their personal files… or would they?

    Alternatively, would all WH email be automatically kept on servers and backed up, regardless?

    • WilliamOckham says:

      (Irrelevant to this discussion, but the 2gb limit on PST files was removed as of Outlook 2003, if you use Unicode instead of ANSI. Of course, that pretty much doubles the size of your pst file.)

      Well, the answers to your questions are pretty complicated. And they could have changed over the time in question (and I’m pretty sure some of them did).

      Let’s start with a short primer on how Microsoft Exchange (the server software) and Microsoft Outlook (the client software that each user runs) work. Let’s suppose you get a job with the White House. An Exchange Administrator (normally somebody in IT) would create a mailbox for your user account. A mailbox is where email sent to you gets delivered. It doesn’t really exist in a physical sense, it’s more like a table in a database. If allowed by policy, you, the user, can choose to have your email delivered to a personal file, a pst file. A pst file is a lot like a database file. While almost everybody thinks of pst files being associated with a particular user, it’s really just a database-like file for storing related emails, calendars, or anything else you can store in Outlook.

      Now, even if you choose to have your mail delivered to a personal pst file, it still goes through the Exchange Server. The EOP’s ‘strategy’ for records management involved something called journaling. When you turn on journaling in Exchange, a copy of every email (meeting your criteria) will be stored in a special ‘mailbox’. The way it was supposed to work was that a special application would regularly remove emails from the journals, and create pst files for all the email of a particular component (OVP, WHO, etc.) that was sent or received over a specific time period. This special application worked pretty much the same way Outlook does when it connects to Exchange Server, except that instead of working for a particular person, it worked for an office or department.

      In theory, nobody could avoid having their email backed up. I say in theory because the ‘system’ never worked properly, the pst files it created weren’t secured, and the EOP was using Exchange 2000 which didn’t journal BCC copies of emails. So, the answers to your questions are all no, but not completely.

      • sojourner says:

        Understand, and thanks! My experience was the only context that I had for PST files, so that expands my knowledge a good bit.

        Happy Father’s Day to you!

  20. emptywheel says:

    According to Murray, Libby and Addington were trying to sink her nomination to be Homeland Security Advisor because they thought she’d be soft on torture and renditions and whatnot. Rove claimed to have had a conversation with Novak to present Bush’s side, that she was a good appointee. In his testimony Novak said this about July 7:

    I was working on the change of the counterterrorism aide, Ms. Townsend, at the White House.

    He went on to say he was working on the Wilson story too. I have always suspected that Libby coached Novak to grill Armitage about HOW Wilson got sent in a conversation on the 7th. That’s what had elicited the Plame stuff from Armi in June, and the structure of the question was precisely the same as described by Novak (and totally illogical in both, made more egregious in Novak’s case with his claim to KNOW that Wilson had never done anything for the CIA before, which he appears to have done going back years).

    • bmaz says:

      Interesting. She always struck me as being good to go with whatever BS the Bushies were up to. Maybe just the fact that she had a law degree and had actually prosecuted and had at least a minimal amount of international law experience freaked them out. I can see how anybody, even Franny Frag, might give them jitters.

      “Hey Scoots, what do you think of Fran Townsend?” “Gosh Addy, she worries me, suppose she is not bat shit crazy insane like we are?”

  21. WilliamOckham says:

    I just found something I was looking for. The earlier pst files (from 2003 and the first half of 2004) have file date/timestamps from the second half of 2004 or later. However, on October 6, 2005 (look starting on pg 4), a Unisys contractor sent what looks to be the first such spreadsheet and the date/timestamps on the earlier pst files are contemporaneous to the file name. For example, ovp_20030930.pst is stamped 9/30/2003 2:17pm.

    • emptywheel says:

      WO

      Can you explain what you think that email thread means? Unisys to WHO on October 6, WHO to WHO and CC on October 8, and then someone resending it in November?

      • WilliamOckham says:

        I do not know. But as late as 2005, some of the pst files had their original dates. I think it is more likely that somebody deleted the October 1-3 OVP pst files. I can’t explain why.

        • emptywheel says:

          Why you think someone deleted them, or why the data show that someone did?

          Cause I think I can explain why someone would have deleted them ;-p

          The question is did they ever reconstruct all of them–what’s your take of what SIS did?

        • WilliamOckham says:

          Take a look at pg. 7 of doc 778. That page is the second half of pg. 3 (it’s a spreadsheet that wraps across two pages).

          You’ll notice there’s a lot of overlap between the pst files. For example, one file covers 6/22/2003 to 7/10/2003 and the next one starts at 7/7/2003, giving double coverage for 7/7, 7/8, 7/9, and 7/10. The thing I find interesting is that there is a file that spans the end of every month into the start of the next month, until you get to the end of September/October:

          6/9 – 6/23
          6/22 – 7/10
          7/7 – 7/24
          7/15 – 8/4
          8/4 – 8/27
          8/18 – 9/11
          9/13 – 9/30
          10/4 – 10/31
          10/21 – 10/31

          Realizing that they were adding users to Exchange at this time and that each pst was limited to 2 gigs, I think there’s at least one and maybe 2 files missing. There “should” be a pst file with emails from late Sept to early Oct. Something like 9/18 – 10/11. Also, why is there no coverage for 9/12?

          After Oct 2003, they changed the procedures (at least they told Microsoft that in Feb 2004).
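The coverage check described in the comment above, as an added example that is not part of the original thread: it takes the nine date ranges exactly as the comment lists them, assumes they are inclusive and all fall in 2003 (the year given in the comment's own example), and reports days no file covers, days more than one file covers, and month boundaries that no single file spans. The function names are hypothetical.

```python
from datetime import date, timedelta

# Date ranges as listed in the comment, treated as inclusive (assumption).
LISTED_RANGES = """
6/9 - 6/23
6/22 - 7/10
7/7 - 7/24
7/15 - 8/4
8/4 - 8/27
8/18 - 9/11
9/13 - 9/30
10/4 - 10/31
10/21 - 10/31
"""


def parse_ranges(text, year=2003):
    """Turn 'M/D - M/D' lines into (start, end) date pairs."""
    ranges = []
    for line in text.strip().splitlines():
        start_s, end_s = (part.strip() for part in line.split(" - "))
        start = date(year, *map(int, start_s.split("/")))
        end = date(year, *map(int, end_s.split("/")))
        if end < start:
            raise ValueError(f"range ends before it starts: {line!r}")
        ranges.append((start, end))
    return ranges


def coverage(ranges):
    """Map each day in the overall span to the number of files covering it."""
    first = min(s for s, _ in ranges)
    last = max(e for _, e in ranges)
    counts = {first + timedelta(days=i): 0 for i in range((last - first).days + 1)}
    for start, end in ranges:
        for i in range((end - start).days + 1):
            counts[start + timedelta(days=i)] += 1
    return counts


def runs(days):
    """Collapse a sorted list of days into (first, last) runs of consecutive days."""
    out = []
    for d in days:
        if out and d - out[-1][1] == timedelta(days=1):
            out[-1] = (out[-1][0], d)
        else:
            out.append((d, d))
    return out


def find_gaps(ranges):
    """Runs of days inside the span that no file covers."""
    return runs([d for d, n in sorted(coverage(ranges).items()) if n == 0])


def find_overlaps(ranges):
    """Runs of days that two or more files cover."""
    return runs([d for d, n in sorted(coverage(ranges).items()) if n >= 2])


def unbridged_month_starts(ranges):
    """First-of-month days inside the span that no single file carries across."""
    first = min(s for s, _ in ranges)
    last = max(e for _, e in ranges)
    missing = []
    d = first + timedelta(days=1)
    while d <= last:
        if d.day == 1 and not any(s < d <= e for s, e in ranges):
            missing.append(d)
        d += timedelta(days=1)
    return missing


if __name__ == "__main__":
    parsed = parse_ranges(LISTED_RANGES)
    for label, found in (("uncovered", find_gaps(parsed)),
                         ("covered twice or more", find_overlaps(parsed))):
        for start, end in found:
            print(f"{label}: {start:%m/%d} to {end:%m/%d}")
    for d in unbridged_month_starts(parsed):
        print(f"no file spans the month boundary at {d:%m/%d}")
```
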

        • emptywheel says:

          Isn’t it possible that the change in procedure was all about skipping those days? We haven’t seen an explanation for why they changed the procedure.

        • WilliamOckham says:

          That would have been dangerous, the techies might have figured out what was going on. Let me spin a specific scenario. I’m not (yet) saying this happened, but it is consistent with what we see.

          On Sept. 30, the word goes out that there is a DOJ investigation. Suppose somebody in the OVP who doesn’t use email, we’ll call him Irv, gives some instructions to an underling that could be construed as obstruction of justice. The underling, being clueless, sends an email referencing this action. Irv tells her to delete the email. In January 2004, when Fitzgerald takes over and asks for records from October 2003, Irv panics when he realizes that even deleted email has been archived. He talks to a more tech-savvy co-conspirator about his problem. This tech-savvy co-conspirator has been, um, “roving” around the network and realized that the pst files that are going to be searched are not protected at all. He suggests to Irv that the simple answer to their problem is to delete the pst file that contains the incriminating email. Problem solved.

        • BayStateLibrul says:

          I believe that’s what happened. Now, how do you prove that, is it a lost cause. I’ve always recommended that we hire techie experts to review/prepare a report for Congress that we can rely on… I don’t care how much it costs…

        • emptywheel says:

          Remember that the investigation was out there on September 26, at least.

          Like you, I do think that’s a likely scenario. The email we have is Cathie Martin making sure others get any references to Libby from Scottie McC. Now it’s possible that they did so only out of protection, but it’s possible they knew more (remember, Martin says she told Libby about Plame). Remember too that Jenny Mayfield was holding documents–a folder of Niger stuff–until March or so, so she was clearly knowingly withholding evidence. So she might be a good candidate (she seemed pretty not-bright in her leniency letter).

  22. cinnamonape says:

    I agree that it’s probably something about the Chenega Integrated Systems group (the spurious “Native Alaska” Corporation)…but it’s odd that they show up in this context. They were essentially doing security contract work at places like Ft. Detrick and some other Army bio-weapons labs (Hmmm?) for the Army. Then they shifted in their hiring for people in the IT field, as Rayne has pointed out.

    Perhaps the reference was just something tangential that was raised in the discussion about several topics, but it’s nonetheless interesting that the WH was so interested in a firm that was involved in such activities and that may have been created to be the recipient of pork.

  23. cinnamonape says:

    Maybe Hadley was concerned about the security at places with the Missile Defense Systems at Burpleson Elmendorf AFB and in Japan, where Chenega was actually a front organization for Blackwater.

    • pdaly says:

      very interesting, cinnamonape.

      The Republicans certainly have shown an amazing attraction to exploit all things Native American this century.

      Aside from just fronting a Native American relationship, I wonder what the requirement is to be considered Native American these days?

      I seem to recall it was if a great grandparent was Native American that one (with 1/16 Native American Indian blood) can claim the same. Don’t know how that then works for one’s own children, however. Do they have to move off the Indian reservation once they are no longer minors? or does an initiation rite take care of the tribe membership and benefits after that?

    • Rayne says:

      roTL will have to confirm, but I think the Chenega reference in this thread was only tangentially related to the post here, was more responsive to content in the Fitzgerald Subpoenas and Server Crashes thread from several days ago when I’d commented about the different vendors who worked on the IT messaging infrastructure for EOP-OA. One of the vendors was an Alaskan native firm TKC, cited in testimony by Steven McDevitt; roTL mentioned in this thread that Chenega was yet another Alaskan native firm working on IT products (but I note not cited by Steven McDevitt as a direct contract).

      As of this thread, we still do not have any solid information about which vendors provided the services required save for Microsoft with regard to message restoration.

  24. pdaly says:

    OT: have you seen Eli’s post at FDL? (“Obama administration finally takes a stand against waterboarding”)
    http://firedoglake.com/2009/06…..#comments.

    Seems the National Park Service is threatening to prosecute anti-torture activists if they carry out their plan to demonstrate waterboarding.

  25. klynn says:

    WO,
    congratulations on retirement
    Thanks for the comments.
    EW,
    Thanks for the posts. Wish I could be adding info in the comments. Our computer died; thus, I’m texting.

  26. emptywheel says:

    One more thing about the October 1-3 timeframe. Remember that Irv and Dick were in Jackson Hole, WY at the time, conspiring a coverup. That may explain why incriminating things would have been emailed.

  27. Leen says:

    EW, MadDog, WO parting the “clouds”.

    Damn good to know folks committed to truth and accountability keep pushing so hard. Thanks
