Hadley’s Email
Okay, now for the Hadley weirdness revealed in the White House email searches revealed in a document turned over to CREW.
On the morning of October 15, Karl Rove testified before the Plame grand jury for appearance number 3. He justified testifying to Fitzgerald by handing over the email Rove purportedly sent Hadley on July 11, 2003, just after he leaked Plame’s identity to Matt Cooper.
Either that day (the file searches appear to be dated October 15) or the next, someone did a series of searches, apparently looking for Hadley’s emails; these searches appear on pages 47-49. Here are the searches in the order of which they were last opened (here’s the spreadsheet if you want to play along).
Search | File | Last opened | Time | File size |
10-1504 Hadley | NSC_2004_Saturday, October 16, 2004_MA.pst | 10/16/04 | 2:12p | 1753302016 |
10-1504 Hadley | NSC_2004_Saturday, October 16, 2004_MA(2).pst | 10/16/04 | 3:26p | 1751270400 |
10-1504 Hadley | NSC_2004_Saturday, October 16, 2004_MA(3).pst | 10/16/04 | 4:51p | 1751270400 |
10-1504 Hadley | NSC_2004_Saturday, October 16, 2004_MA(4).pst | 10/16/04 | 6:17p | 1751270400 |
10-1504 Hadley | NSC_2004_Saturday, October 16, 2004_MA(5).pst | 10/16/04 | 7:07p | 1751270400 |
10-1504 Hadley | NSC_2004_Saturday, October 16, 2004_MA(6).pst | 10/16/04 | 8:15p | 1751270400 |
10-1504 Hadley | NSC_2004_Saturday, October 16, 2004_MA(7).pst | 10/16/04 | 8:22p | 270222336 |
10-1504 Hadley | NSC_2004_Saturday, October 23, 2004_MA(2).pst | 10/23/04 | 2:18a | 1865040896 |
10-1504 Hadley | NSC_2004_Saturday, October 23, 2004_MA(3).pst | 10/23/04 | 4:01a | 1751270400 |
10-1504 Hadley | NSC_2004_Saturday, October 23, 2004_MA(4).pst | 10/23/04 | 5:13a | 1751270400 |
10-1504 Hadley | NSC_2004_Saturday, October 23, 2004_MA(5).pst | 10/23/04 | 5:51a | 958940160 |
10-1504 Hadley | NSC_2004_Saturday, October 23, 2004_MA.pst | 11/4/04 | 12:46p | 1751270400 |
10-1504 Hadley | NSC_2004_Friday, October 22, 2004_MA(2).pst | 3/9/05 | 5:34p | 488177664 |
10-1504 HadleyInitial Search | 1st Hadley Results.pst | 3/9/05 | 5:34p | 38944768 |
10-1504 Hadley | NSC_2004_Friday, October 22, 2004_MA.pst | 3/9/05 | 5:34p | 1754644480 |
10-1504 HadleyInitial Search | Hadley Final.pst | 3/10/05 | 3:00a | 39166978 |
So here’s what appears to have happened.
Either the same day Rove testified or the next day, someone started doing searches for Hadley’s email. On that day they appear to have run the search at least 7 times, from 2:12 PM to 8:22 PM, until the file size had been shrunk significantly. That Friday, October 22, 2004, at 5:34 PM, someone did two more searches. Then, in the middle of the night that night (that is, from 2 AM to almost 5 AM on a Friday-Saturday night), someone did five more searches; the first one of these was opened again on November 4. The last of these searches–like the last of the searches saved on October 16, 2004, was significantly smaller than the rest of the searches done that day.
Then, finally, someone did a search under a slightly new name: HadleyInitial Search. We don’t know when this search was saved–the two runs of the search are titled simply 1st Hadley Results and Hadley Final. These files were both much smaller than any of the earlier searches.
On October 28, 2004 someone appears to have done a whole slew of searches in the NSC files, many of them date-specific (these aren’t in the spreadsheet, but appear in the PDF). But a number of these searches were named with the same NSC_2004_Saturday October names that the earlier files had been named. Given the file sizes, it appears that "search" may have consisted of nothing more than renaming the searches done the previous week.
The Appeals Court ruled that Cooper and Judy would have to testify on February 15, 2004. In March, someone opened several of these files.
On March 9,2005, at 5:34 PM, someone opened the two searches saved with an October 22, 2004 file name and the search, 1st Hadley results. And then, in the middle of the night (3 AM), someone opened the filed titled Hadley file.
Now, I’m going to have to let William Ockham (who first pointed these searches out to me) or MadDog or someone explain the intricacies of this. But it looks to me as if within a day after Rove testified about his mysteriously discovered email to Hadley, someone went in and spent 6 hours playing around with the PST file that had Hadley’s emails in it. They may have done so again a week later (or those files could have been renamed). And finally, when it became clear that Judy and Cooper would have to testify, someone was looking at them again.
Now, the Rove and Cooper searches were called a November 9, 2004 search. The slew of searches on October 28 were called an October 25 search. It looks like it’s possible that someone got into the PST files and altered them before Fitz came looking for the Hadley email.
Before reading, CONGRATULATIONS on your retirement, MD!
Ta Loo Hoo!
Waiting For Mad Dog.
(hmmm a country western song? or a novel?)
I think that was Samuel Beckett’s first choice, but instead he ended up calling it Waiting For Godot. *g*
(My Bold)
I wouldn’t jump to that conclusion. The items that were accessed were merely the “searches”, not the actual PST files with the emails in them.
Some of the pages in the document do indeed refer to PST files instead of “searches”, so examining these would be more helpful to the question of PST file modification.
Secondly, I’ve not found (yet) any headings for the columns of data in the document.
For example, the heading in your spreadsheet entitled “Last opened” is of some value, but another of “Date Modified” would be of even more value.
EW, can you point me to where you found the headings you are using?
Oh, I made them up.
They may be wrong (maybe WO will show up–he went out for dinner), but part of my impression on this comes from the discussions in these documents, which talks about how they were saving files around the time that this list was constructed. One thing they were watching was the file sizes changing when they got opened.
Well, not actually. Give yourself more credit! I’m guessing that your headings have their genesis in the document WO referred to.
No–it comes from the discussions. if you look in this thread I gave some intro to the files I thought were most interesting, for myself or–better–people with some tech knowledge.
In any case, a huge percentage of these documents are email threads from October 2005, as they were just trying to figure out WTF was going on, and some of the critical issues they were following become clear in those.
Actually, they are pst files. The technique they were using to do the searches resulted in a pst file of all emails that met the search criteria.
You can compare the files listed in that document to the ones in this document (which has column headings for File Accessed/Modified/Created.
Any tool that opens a pst file in the ‘approved’ way is supposed to reset the file modified date (like Excel does for its files).
Check out p. 86 of the document I linked to. Fourth listing from the bottom, document # 2868. That’s the document ew is referring to and the timestamps support her conclusion.
Ok WO, but something strange is shown there too.
The file headings are in this order:
Access Date
Modify Date
Creation Date
On the Hadley PST file in question (4th from the bottom), this is what is shown:
e:/seach results=NSC 10-1504 Hadley=NSC_2004_Saturday, October 16, 2004_MA(7).pst
(Note: the = sign should be back slash but they don’t show here on this blog).
And with these file attributes:
Access Date: Wed, 21 Sep 2005 13:05:24
Modify Date: Sat, 16 Oct 2004 20:22:18
Creation Date: Wed, 09 Mar 2005 15:36:45
(My Bold)
I’ve run into this before and never bothered digging out the true reason, but as you can see by my bold, the Creation Date is 2005, and that simply can’t be correct.
You can’t have a Creation Date that follows the Modify Date.
As I said, I’ve seen this with Microsoft file attributes before, and though it has bugged me forever, I’ve never gone back to find out wtf was going on.
Any chance you have the explanation handy? *g*
Any chance it has to do with a filename that involves a date after the date the thing was created?
This can happen in a number of ways. If you copy (with Windows explorer) a file from a different drive, the modified date stays the same and the create date changes to the current date. However, every application can do things its own way. Also, any app can set the values to pretty much anything they want.
In this case, I’m guessing the file is still in the same directory where it was originally created. There are a number of scenarios I can imagine. First, suppose somebody knows that the tool that opens .pst files changes the modified date (that’s the date that shows up by default in Windows Explorer, right. I don’t remember because I configure my computer to show all three dates, doesn’t everybody?). They might open it, make changes, and then use a widely available utility to reset the modified date without realizing that the create date was also changed.
i had to run a search myself to explain how “date created” can be later than “date modified” or “date accessed:”
it’s when a sysadmin migrates data, to be saved, from an old hard drive/server to a new one.
again, there may be occasions when viewing “properties” reveals more accurate create dates, but not always.
i have a pst file migrated from its creation sometime in 2000, showing created 8/5/2005.
also it shows modified 4/23/05.
i would guess going with the oldest modified date points to a rough actual create date.
also, my search results show details i’ve selected and arranged, from “view” “choose details” so i can visually locate files.
sometimes “modified” and “created” are duplications twins: i got modified when i got created.
what i completely missed in your post was that all but two of the retrieved files include dates as part of the file name. these are the smaller files you focused on.
this could mean that they were migrated w/o following the previous search pattern of naming.
Not just sysadmins. Anyone copying a file from one drive to another will result in the same thing, if I understand correctly. So it’s like “date created” really means “date created on this drive”.
BTW, I for one would appreciate a recap of the comments in light of EW’s lead post to help us laggards understand the significance of the info developed in the comments. I can follow what the commentors are saying, but I don’t necessarily understand the cumulative significance of the comments.
Bob from HI currently in IL
Hmmm…that is a really strange way to capture search results, but perhaps there was a reason to make them PSTs (it certainly escapes me *g*).
Muchas gracias! I thought there was one, but there were so many CREW-provided PDFs in the latest document dump, I was getting lost.
And this gets to the primary point in my # 3. Even if the document that EW is using refers to PST files as you indicated, what the OA turned over in that particular document does not have a “date modified” heading, so one would be stretching it too far to conclude that the file was “modified”.
Accessed, yes! Modified, can’t be determined.
Now, beginning on Page 9 of the document you referenced, that is the one that has a “modified date” heading, and should be a source for determining if a file was modified.
Oh, go look at OAP500 (WO just sent me to it).
Oh, there he is.
Now that we’ve got the tech whizzes together on this, maybe I’ll go open a beer and let you both haggle this out.
Oh. Page 16 appears to have the stuff I’m talking about here–the file dated October 23 appears to have been created on October 16.
MadDog – left you a comment downstairs.
Now going to try to play catchup with you folks.
So MadDog… the first thing I noticed is that these are BIG files. Nothing sinister about that… just a little surprising. And it sort of looks as though the “base” (in some sense) PSTs had a common naming convention. I think these three:
NSC_2004_Saturday, October 16, 2004_MA.pst 10/16/2004 2:12p 1753302016
NSC_2004_Friday, October 22, 2004_MA.pst 3/9/2005 5:34p 1754644480
NSC_2004_Saturday, October 23, 2004_MA.pst 11/4/2004 12:46p 1751270400
Now I don’t know if they were the results of an initial search. But it looks like “the PST” grew over the course of 6 days by 1.3 MBs. And then magically shrunk by 3 MBs in a single day. I wonder what those original PSTs are were.
Don’t take this file as a naming convention–one of the things McDevitt said really clearly is there were absolutely no naming conventions on thsi stuff.
Thanks.
Yeah, now that I look at it a little closer there are several files of the 1751270400 size.
Does it strike anyone else that the way they did the searches to respond to Fitz’s subpoenas were to do searches on the PST files, and then just “exclude” stuff they felt was unresponsive?
And that they’ve saved some of the “excluded” files, but by no means all of them?
Not being a techno-geek, I don’t get all the intricacies of .pst files and all that. But, more to the point, in response to your half-posed question, I respond:
Think back a few months to KO flipping out about one of the prior iterations of the Risen/Lichtblau warrantless wiretapping story, in which they discussed the creation of two (or more) piles – the “we captured/sieved out all these communications involving journos” and “we captured/sieved out all these communications involving supposed bad people” – and which pile they looked at (Supposedly, the bad people). When, in reality, the point of designing the sieve in the way they did was to watch the journos.
Apply the same logic – [how to] construct a sieve which looks innocent to the outside observer but in reality “coincidently” captures exactly what you’re looking for, something which if revealed would set off a firestorm. That would seem to be what is going on here, though reversed from the “watch the journo” model – a continual, iterative refinement of the search parameters to exclude from the sieve really nasty stuff that the searcher does not want to get out, while complying in good faith with the subpoena, as written.
This would also explain the file-size changes. First time through, it would be X megs, then after a change in the search parameters it would be Y>X (oops!), then after going down the hall and getting yelled at and changing the search parameters again, it would be Z, less than Y, and after a couple more iterations of A less than Z, B less than A, etc., a result would have been achieved which would have been “good faith” compliance with the subpoena while excising the really nasty stuff they did not want getting out.
This requires someone who is quite skilled in little semantic games.
I would also bet someone – probably with a stubby pencil and a legal pad – sat down between searches to try to logic out how to reconfigure the searches to excise particular documents. That legal pad has likely long since been turned into paper aeroplanes, shredded for packing Aunt Martha’s china, burned or pulped.
Oh, to have those WH entry and exit logs, just to see who was working late.
To get back on track (and out of the techie weeds *g*), I do think you have an important observation here, and I also think it might tie into what Scribed described in his # 23.
I remember from some of the Libby trial documentation dumps (I think), that some of the Addington search strings were included.
With these latest CREW documents, I surely wish we had the specific search strings to go along with the PST files they were searching.
EW, with your prodigious memory, perhaps you know which of the older document dumps contain Addington’s search criteria, and I wonder if any of those can be matched up to the searches in the latest CREW documents?
I found one of EW’s posts. There are probably more.
http://emptywheel.firedoglake……rch-terms/
Ta to both you and EW for that. Wish my memory was as good. *g*
Just as a reminder, here are the days when there was no email found:
ANd one of the reasons I did that was to see whether some of the days in teh files were considered restored.
For example, May 10, 2005, the date of the Bradbury memos, was a search. But I guess they got those emails/
Any thoughts on what the hell the suffix “Z” means on these files? The BWS seems to be initials.
Where exactly are you seeing the “Z” suffix?
You know, I think the first spread sheet is much more useful.
I think the second one tracks only hte files in the transfer system. Which is why you’ve got creation dates after modify dates–because modify seems to take the last mod in the last system, whereas create is when the new file–the recovery, if you will–was created. so to find the kind of stuff that went on when these searches were run, you gotta go with the older file.
To reach my conclusion (below),similar to what emptywheel was finding in her main post, I’m assuming the following in deciphering the columns EW listed in her main post:
The column headings are as EW surmised.
The number in parentheses located to the left of “.pst” is the cardinal ordering of the run—for example (2).pst is second run, (3).pst is 3rd run, etc., –and I’m assuming the lack of a parenthesis and lack of number signifies the first run.
So,
now look at 12th line down of the 10-1504 Hadley searches:
NSC_2004_Saturday, October 23, 2004_MA.pst 11/4/04 12:46p 1751270400
This is the “first run” on October 23, 2004, and this file size (1751270400) is the same size as the third run the same day. It is also the same file size as the second run on October 16, 2004 (1751270400).
However, this first run (October 23, 2004 12:46p) is smaller than the first run on October 16, 2004, and –more curious still — this first run October 23, 2004 is smaller than its own second run on October 23, 2004. Once again it looks like something was deleted. Have no idea what this means, however.
One other thing caught my eye in the CREW pdf file EW links to in this post. The memo clarifies that “components” will be broken down and regrouped into individual years, one drive for each year. The emails will also be grouped by To: and From: instead of remaining in components. Would make seaching easier I suppose for both a prosecutor and a saboteur. The mention that some searches would result in duplication of emails caught me eye, because the advice is to manually remove the duplicates, instead of letting Fitz do the work.
One of the things that came out in the emails was that just opening the file could make it bigger (don’t look to me to explain that–ask the tech wonks). SO the tech guys in 2005 were finding files growing in size just with the opening.
how odd.
Not so odd if you understand that a pst file ‘remembers’ certain personal settings of every MAPI profile that opens the file. Ok, that probably doesn’t make much sense to anybody who doesn’t spend their life coding in the Microsoft world.
Let me put it like this. The pst file is a little database application that has a built-in set of rules about when to ask for more file space from the operating system.
Ok, I’m with you (though I guess others are shaking their heads *g*).
Per Microsoft:
So basically each time someone opened a PST file, their own email profile would get added to that PST file.
I do remember that, though I don’t remember the “why” of that. If time permits, I may Google around to see if I can find out.
While we don’t have the actual search strings to validate this, I’m guessing that different file sizes result from adding or subtracting items from the search string.
And that I think goes to Scribe’s comment in # 23.
Which makes me wonder if Patrick Fitzgerald and his team were techie-smart enough to insist that whomever conducted these subpoena-required searches was mandated to produce each and every “attempt” at a search. Even the failures, typos and bad search strings.
I don’t think they were, and I do think that Scribe may be onto something!
Thanks WO and MadDog.
One other thing I should add: I noticed the first run .pst file I was referring to above was opened/accessed again in November 2004–apparently none of the other searches from that date were reaccessed.
Ok, I just verified this is the case on one of my systems.
So, to answer EW (and me), it appears that the Creation Date change on some of these files (where the Creation Date is newer than the Modify Date) is simply because the PST file in question was copied from one drive to another drive.
If that is the case (and I do believe it is), then we shouldn’t place any significant value in the Creation Date in those instances.
And anyways, for our purposes, the real valuable dates are both the Modify Date and Access Date.
But I don’t think that happened with this particular file. I’m still cross-referencing the various spreadsheets included in this document dump.
I’m turning in for the evening. Tomorrow’s Father’s Day, so I will probably not be getting back to all this until sometime late tomorrow.
Happy father’s day, WO!
Here’s my post on Addington’s search terms.
http://emptywheel.firedoglake……rch-terms/
For “Z” look on the Rove section of the emails.
There are file names like: WHO_20031004_1_Z.pst
As of “Z” might signify someone’s review.
Ok, I don’t have a ready answer for what the “Z” means, but I do note that many of the Z named PST files have a corresponding non-Z named PST file immediately preceding it.
And I also note that the file size difference is that the “Z” named PST file is always slightly smaller than its corresponding non-Z named PST file.
And I was looking at page 46 of the document.
I’ll have to ponder why the 2 almost identical searches, but one has a “Z” in its name and the other doesn’t.
compressed file.
I’ll bet Karl Rove is computer savvy. Obama should ask him to be the Computer Security Czar. Rove just might jump at the opportunity and he doesn’t have the baggage that Davis has.
Well, time for me to count some sheep. Hope there aren’t too many, ’cause I’m tired. *g*
Toodles!
Observation: 3 am in Washington, DC is about 9 am in London and (?)10 am in Saudi Arabia, Israel, IIRC.
Also, back in the thread about server crashes, at 112 Rayne asked about a possible Alaskan tie-in, or some Alaskan entity given a contract.
My recollection is ‘Chenega’, which is a native Alaskan corporation, and was also the name of some outfit that got millions of dollars in government (intel? cmu?) contracts. ‘Chenega’ is one of the little villages that was affected by the ExxonValdez oil spill. No clue what the tie-in is, but certainly one exists. And there are very few native Chenegans remaining, so no clue how that term ended up in DC unless it was some method of getting contracts via Women and Minority Owned Biz status.
If there is a connection between the Plame Investigation and the shenanigans that the neocons — especially Franklin, Ledeen, Feith — were pulling (which, as near as I can fathom appears to be trying to get the US involved against Iran), then the timing of an email between Rove and Hadley makes sense around 11 July 2003.
If Plame knew something that the neocons wanted to control, or they wanted to weaken the CIA, then a Rove-Hadley email makes a whole lot of sense b/c they had to coordinate their activities.
But it certainly underscores a ‘conspiracy’, to say nothing of a ‘cloud over the office of the OVP.’
OT – thanks for that name, Chenega, definitely worth a deeper inspection. In 2007 the DHS IG said a half-billion dollar contract had been improperly awarded to Chenega in 2003. Looking at their record, Chenega has received over 1.5B in contracts since 2000, including some for work on telecom/data projects and some for USOC, bulk for DOD.
Very, very fishy.
We’ll have to put this on the back burner since at this point it’s unrelated to the email searches, but definitely keep this in mind. Especially since a large portion of Chenega’s work was done in Rep. Tom Davis’ district…
[edit: definitely look at the jobs Chenega has open, many of them in IT field requiring security clearances AND for projects with code names. Workstation maintenance posting, for example. And Stevens/Murkowski both had a hand in Chenega’s explosive growth which does little for the Alaskan Chenegans.]
Or it could be an acronym…”Cheney” something. Chene-ga or Chen-ega or Che-nega?
No, it’s not a play on Cheney.
Go to Google Maps and enter “Chenega, Alaska”, then if you need to zoom up, do so.
You’ll note that Chenega lies SSW of Valdez Arm, on Prince William Sound.
The village of Chenega was mostly destroyed in the 1964 earthquake IIRC. Many of its residents were relocated to Cordova, or to a village on the sound. There are not many living Chenegans, I don’t believe.
Also, google ‘Chenega + ExxonValdez’.
And if you are ever interested, a PhD in Marine Biology named Riki Ott wrote a stunner of a book on the ExxonValdez disaster — really phenomenal. It was an FDL Book Salon selection. Well worth anyone’s time, and does a terrific job of tracking (and explaining) the effects of pollutants over a period of several decades.
Cheney’s connected only in terms of being obsessed with energy resources.
In itself, not a bad thing; in Cheney’s case, extractive resources that are very 19th century.
Hmmm. I keep forgetting–what was the last theory about why Hadley thought he was going to be indicted?
Probably for perjury, though I’m not sure. But remember that he was brokering relations between the CIA and OVP that week, and as such seems to have been cognizant of at least the late-week plans to leak Plame’s name.
What the hell. Here’s a little kumquat for Marcy:
http://news.yahoo.com/comics/d…..sk1fgDwLAF
Anyone know if those identically sized files of different names from 75 and following in this file are actually the same file?
And if so do the new names suggest someone tried to hide that file?
What is the file size? If its large its almost certainly the same file. And probably the same even if it isn’t so large.
So what appears to have happened is that a few master .pst files were pulled from the archive. Then someone would open and search those .pst for keywords or some criteria. The resulting result set would then be saved out as a different .pst files. I think several of the different named large and identically sized .pst files are just the pulling over of the original archive to begin a new search. In some cases several original archives were duplicated with a copy and paste (after the renaming) and that is why you see the several large identically sized files with the (2), (3), (4), etc suffixes. Windows does that with a copy and paste, I think. It probably was faster to copy in place on the “work” computer than to keep pulling over the original archives.
Now it could be the operator wasn’t [typo corrected] really sure of the approach they were going to use to produce the final results (and hence the multiple copies of the original archive). However, it also could be that they created a “new” “complete” archive for subsequent searches. Really hard to say without being able to ask someone.
What I did wonder about is the Hadley Oct. 22 archives you originally listed. It started with a 1754644480 which is is bigger than the oh-so-popular 1751270400 archive. Then an operation produces a largish 488177664 archive which gets saved in place (the “(2)” suffix). I’m guessing this is something like pulling out Hadley’s inbox and sent mail from the uber archive. Then there are two subsequent searches. One producing “1st Hadley Results.pst” and a second which had a few additional hits that were added in to produce “Hadley Final.pst”. I don’t see the second search results as a standalone search result set. It is probably just how they did this search and nothing significant.
This doesn’t happen. At least in Windows Explorer. But I am sure those large files of the same size are just copies of each other – same set of emails.
32,768 bytes is an empty file. As small as it can make it. Stated so on page 3 of the document.
Oh, thanks–didn’t see the mention of that as empty.
Item 2717 in this file is interesting.
It’s the results of a search for Rove stuff from July 2003. It’s precisely the same size as the results of a search for Cooper stuff from July 2003, so it may be the same set of emails.
But here’s the thing. The search was apparently requested on November 9, 2004.
The initial date on the Rove search was November 5, 2004.
Same thing for 2732.
I wonder if that is the reason this Hadley search from 10/2004 was reaccessed the day before: November 4, 2004.
NSC_2004_Saturday, October 23, 2004_MA.pst 11/4/04 12:46p1751270400
That’s sort of what I was wondering–check back to that search to see what you’re supposed to come up with.
Is “Brian Bravo” some kind of code word for “blind carbon copy”?
Nope, Brian Bravo is a real person who was a press assistant at the White House.
WO: there’s also this (from wikipedia)
“Remote Differential Compression (RDC) is a client-server synchronization algorithm that allows the contents of two files to be synchronized by communicating only the differences between them. It was introduced with Windows Server 2003 R2 and is included with later Windows client and server operating systems.
Unlike Binary Delta Compression (BDC), which is designed to operate only on known versions of a single file, RDC does not make assumptions about file similarity or versioning. The differences between files are computed on the fly, therefore RDC is suitable for efficient synchronization of files that have been updated independently, network bandwidth is small or in scenarios where the files are large but the differences between them are small.
The algorithm used is based on fingerprinting blocks on each file locally at both ends of the replication partners. Since many types of file changes can cause the file contents to move (for example, a small insertion or deletion at the beginning of a file can cause the rest of the file to become misaligned to the original content) the blocks used for comparison are not based on static arbitrary cut points but on cut points defined by the contents of each file segment. This means that if a part of a file changes in length or blocks of the contents get moved to other parts of the file, the block boundaries for the parts that have not changed remain fixed related to the contents, and thus the series of fingerprints for those blocks don’t change either, they just change position. By comparing all hashes in a file to the hashes for the same file at the other end of the replication pair, RDC is able to identify which blocks of the file have changed and which haven’t, even if the contents of the file has been significantly reshuffled. Since comparing large files could imply making large numbers of signature comparisons, the algorithm is recursively applied to the hash sets to detect which blocks of hashes have changed or moved around, significantly reducing the amount of data that needs to be transmitted for comparing files.
The Client Side Caching (CSC) feature in Windows Vista makes use of the technology for the first time, allowing file types such as Microsoft Outlook personal folders (*.pst) to be made available offline. Previously, Windows XP used only file metadata to test if a file such as a .pst had changed. When the application “touches” a .PST file’s date, even when it does not make any changes, it triggers an update of the file in Windows XP causing CSC to recopy these large files unnecessarily. In Windows Vista the file will be updated ony if it has actually been modified, and only the actual parts of the file that have been changed are transmitted.”
I believe that the files with MA at the end of the file name are files created by Mail Attender. I don’t think all files created by Mail Attender got the MA affixed to the file name (a lot of this was very ad hoc). That suggests that the files in the “search results” folders with MA in the name were copied from somewhere else and then searched.
I’m still trying to figure out what BWS at the end of some of the file names means.
Sometimes the reason these pst files have the same size that’s near 2 gigabyte is that the program that collected emails by pulling them out of the Exchange Journal was designed to stop when the file reached a certain size and then start a new file.
Mostly, what I’m doing is just thinking out loud in hopes of spurring other people’s thoughts. I’m going to go play “42″ with my family. It’s a Texan thing.
You think?
Bet you “BWS” = Boston WorkStation scripting software tool.
[edit: Here’s a description of BWS’ capability for messaging management use:
MadDog, you there? does that last line sound like a resource for use in a kingpin/man-in-the-middle operation?]
That makes perfect sense and explains why the (7) file listed above is so small and why so many files have the size 1751270400.
To my disbelief, but consternation, the use of vista is rather unlikely isn’t it? Why would an email system be set up around a flawed system to begin with? For the Windows techies; Are these files modifiable in such a way that the originals do not then exist when forwarded? Open source systems keep all the data and show the thread move, but add the dates of modification by showing a continuous pattern or thread.
Not having used an MS program, is it truly this easy to manipulate the files to create what appear to be, on first through 5th read, new dates and origins? Are we talking about emails being searched for that the originals have been deleted and modified to appear as though original? It is the only thing that makes any sense to someone that would not want to archive all emails for reference later based on the complete history.
And for reality’s sake, why wouldn’t the email program be one written for the entity itself? They would really use a swiss cheese for something requiring a brick?
Is this all about destroying the content of the originals to make the finally presented emails more, “sanitary”?
Vista would be extremely unlikely especially given the time frame, and is probably still not used to this day in this setting. I think the point of the piece furnished above in thread is a comparison of XP vs. Vista which laid out XP’s functions.
I’m not even certain XP would have been a given on the desktop across the EOP-OA, considering how slow and backwards this entire environment was during the Bush years. Would not surprise me at all to see Win2000, which might be worth exploring. (Server OS would be another issue altogether.)
So, from the file documents, I’m guessing that the following happened with the OVP PSTs:
February 5, 2004: EOPRM server crashes
February 11, 2004: Files mostly reconstructed from two-week old backup
July 27, 2004: A chunk of the OVP PST files restored
December 9, 2004: Significant Plame-related search (search titled December 2, 2004)
June 2005: Another attempt to reconstruct files
October 2005: Other files discovered missing, the attempt to reconstruct them begins
Is that all right?
No, in Feb 2004, the Microsoft guys were able to restore the data from the crashed server. From the post-mortem:
[My bold]
The MS guy is saying that they were able to recover the Exchange databases from the crashed server.
Were they, though?
Yes, when a Microsoft guy says “solution provided”, that means that’s what they did (they may have tried a bazillion other things, but they always document what worked). If they hadn’t been able to recover the Exchange databases, they wouldn’t have written it this way. This sentence:
really means
They never write it that way, because they hold out the possibility that even they hadn’t been able to recover the databases they would have used some other Microsoft magic to get those results back.
btw, where’s the evidence for this:
Not disputing it, I thought I had that too, but now I’ve lost it in all the other stuff I’ve been looking at.
Look at items 2351 through 2373 on OAP500. Titled “OVP/2004_July/20040727 with a whole series–most first saved on July 28 or 29 (though there are some August ones). That first saved date of July 28 and 29 shows up for a lot of the “OLD FILES” and similar. It could have just been a regular dump for July 2004 (making that month the rare month OVP decided to archive), but it seems there’s a lot more info in there.
Incidentally, go back to the 177 document and look how centrally July 28, 2004 plays into some of the dupes there.
Oh, I forgot, there’s also an August 2005 “Server/application reconfigure error.”
Incidentally, as I noted on the NOvak Plame Wilson thread, that search came 10 days after Novak gave a deposition, so the dates likely came from him in some way. If so that means he admits to talking (emailing) the White House on July 7, 2003–before he spoke with Armitage. He has intimated he was working on the Frances Fragos Townsend story. The one Libby and Addington were pushing…
The gap between the type and level of detail being looked at here (file names, file sizes, times of night of file accesses) and the type and level of implication and understanding being derived from it (Novak was emailing with the White House just before talking to Armitage, or it sure looks like someone wanted to see if it had left a trace), I’m finding kind of provoking and challenging to my ideas about big databases of information.
Computer extraction versus crowd sourced extraction is a current subject of debate. I’ve always thought both, each according to their strengths.
The tables in these documents have a grammar than can be read. Nothing new about that idea.
But just how much meaning is potentially readable is the part I find provoking.
I do caveat it–”if so.” Those dates don’t make sense from an investigative standpoint, per se, according to any known details. (That is, why search for emails from before the Kristof article?) So all I’m trying to do is figure out an explanation for it.
I’m fairly comfortable with teh guess that Fitz asked for them. There are a number of other logical searches (notably, after Fitz gets the Rove-Hadley email mentioning Cooper in October), which seems to suggest a bit about the timing of new requests.
The coincidence of the Novak deposition and the search seems to be related in some way. That’s all I can say for sure.
Though the July 7 date IS a signature date, particularly to be searched at that late date. We know that–at some point–Novak testified he was working on the Fran Fragos TOwnsend story with teh White House, we know he has testified he worked on that story on July 7, 2003. It’s just a guess, but it’s a likely guess.
Mind you, we don’t know that there were emails from that date. Just that someone–probably Fitz, in this case–checked to see if any of the emails discussed Joe and Valerie.
When did Fitz actually receive the roster of the searches? And wouldn’t he have received hard copies rather than be able to do a search himself? I don’t recall him requesting access to the email storage of the WH (passwords, etc.) as part of his subpoena.
Also it’s all a bit odd that someone would be up all night on October 23rd, 2004 on the eve of the 2004 election doing these searches. Someone musrt have been tasked with that duty during the final flurry of activity before the election. Cheney and Bush were on the campaign trail, and I doubt that they, or their immediate political staffs would have been doing this themselves. Condi was also on the campaign trail. I can’t conceive that Rove would be up all night searching emails at that period.
Someone must have been tasked with this by one of the principals. IF it was done at the White House or Cheneys’ residence they’d likely be operating from a “center” where all-night activity wasn’t unheard of (the Situation Room, perhaps an NSC office). They would have had to have known what to look for and what was potentially dangerous. To do that they’d have to know enough of the details to create a “firewall” (or at least know that if certain individuals or titles were mentioned to create an exclusionary protocol for that).
Also who would have the right/power to undertake an examination of secure email communications? Presumably, unless the documents were only excluded by some content search criteria, they were actually read/reviewed. And if they weren’t read and reviewed what individual would be up all night on a weekend doing this stuff?
I don’t know what Fitz got. I know Luskin claims Fitz got Rove’s computer. But I also know that there was uncertainly among members of Fitz’s team whether they had gotten the Libby email as recently as last year.
What were the details and scope of the Franny Frag story? I ought to know, but instead I lamely ask…..
I don’t have the timeline down cold like you do, EW, but I wonder if the time window in advance of publication of Kristof’s article reflects two things:
– the window of time between editorial review and actual publication (Kossack EZWriter always had stories 12+ hours before they actually published, as one example of the lag);
– timing between Kristof offering the administration or sources close to a chance to offer comment/rebuttal before it went into editorial review.
???
William Ockham — from my limited IT exposure to Exchange / Outlook, I know that the maximum recommended file size for a PST is 2 gb. In companies where I have worked, they are used as a personal work archive to retain email in specific subject folders. Mail that was stored in PSTs was no longer on the mail servers or subject to backup.
So, following that line of thought with, say, a Karl Rove, would all of his email that he chose to save in PST be removed from the White House servers and no longer subject to backup?
I guess what I am wondering is whether or not certain select officials elected to retain only what they wanted to in their own personal PST files on their personal computers. The searches that are being discussed here would not necessarily hit their personal files… or would they?
Alternatively, would all WH email be automatically kept on servers and backed up, regardless?
(Irrelevant to this discussion, but the 2gb limit on PST files was removed as of Outlook 2003, if you use Unicode instead of ANSI. Of course, that pretty much doubles the size of your pst file.]
Well, the answers to your questions are pretty complicated. And they could have changed over the time in question (and I’m pretty sure some of them did).
Let’s start with a short primer on how Microsoft Exchange (the server software) and Microsoft Outlook (the client software that each user runs). Let’s suppose you get a job with the White House. An Exchange Administrator (normally somebody in IT) would create a mailbox for your user account. A mailbox is where email sent to you gets delivered. It doesn’t really exist in a physical sense, it’s more like a table in database. If allowed by policy, you, the user, can choose to have your email delivered to a personal file, a pst file. A pst file is a lot like a database file. While almost everybody thinks of pst files being associated with a particular user, it’s really just a database-like file for storing related emails, calendars, or anything else you can store in Outlook.
Now, even if you choose to have your mail delivered to a personal pst file, it still goes through the Exchange Server. The EOP’s ’strategy’ for records management involved something called journaling. When you turn on journaling in Exchange, a copy of every email (meeting your criteria) will be stored in a special ‘mailbox’. The way it was supposed to work was that a special application would regularly remove emails from the journals, and create pst files for all the email of a particular component (OVP, WHO, etc.) that was sent or received over a specific time period. This special application worked pretty much the same way Outlook does when it connectes to Exchange Server, except that instead of working for a particular person, it worked for an office or department.
In theory, nobody could avoid having their email backed up. I say in theory because the ’system’ never worked properly, the pst files it created weren’t secured, and the EOP was using Exchange 2000 which didn’t journal BCC copies of emails. So, the answers to your questions are all no, but not completely.
Understand, and thanks! My experience was the only context that I had for PST files, so that expands my knowledge a good bit.
Happy Father’s Day to you!
According to Murray, Libby and Addington were trying to sink her nomination to be Homeland Security ADvisor because they thought she’d be soft on torture and renditions and whatnot. Rove claimed to have had a conversation with Novak to present Bush’s side, that she was a good appointee. In his testiomony Novak said this about July 7:
He went on to say he was working on the Wilson story too. I have always suspected that Libby coached Novak to grill Armitage about HOW Wilson got sent in a conversatoin on the 7th. That’s what had elicited the Plame stuff from Armi in June, and the structure of the question was precisely the same as described by Novak (and totally illogical in both, made more egregious in NOvak’s case with his claim to KNOW that Wilson had never done anything for the CIA before, which he appears to have done going back years).
Interesting. She always struck me as being good to go with whatever BS the Bushies were up to. Maybe just the fact that she had a law degree and had actually prosecuted and had at least a minimal amount of international law experience freaked them out. I can see how anybody, even Franny Frag, might give them jitters.
“Hey Scoots, what do you think of Fran Townsend?” “Gosh Addy, she worries me, suppose she is not bat shit crazy insane like we are?”
That, plus the fact that she had worked for Janet Reno and therefore was suspect.
I just found something I was looking for. The earlier pst files (from 2003 and the first half of 2004) have file date/timestamps from the second half of 2004 or later. However, on October 6, 2005 (look starting on pg 4), a Unisys contractor sent what looks to be the first such spreadsheet and the date/timestamps on the earlier pst files are contemporaneous to the file name. For example, ovp_20030930.pst is stamped 9/30/2003 2:17pm.
WO
Can you explain what you think that email thread means? Unisys to WHO on October 6, WHO to WHO and CC on October 8, and then someone resernding it in November?
I do not know. But as late as 2005, some of the pst files had their original dates. I think it is more likely that somebody deleted the October 1-3 OVP pst files. I can’t explain why.
Why you think someone deleted them, or why the data show that someone did?
Cause I think I can explain why someone would have deleted them ;-p
The question is did they ever reconstruct all of them–what’s your take of what SIS did?
Working on it.
Take a look at pg. 7 of doc 778. That page is the second half of pg. 3 (it’s a spreadsheet that wraps across two pages).
You’ll notice there’s a lot of overlap between the pst files. For example, one file covers 6/22/2003 to 7/10/2003 and the next one starts at 7/7/2003, giving double coverage for 7/7, 7/8, 7/9, and 7/10. The thing I find interesting is that there is a file that spans the end of every month into the start of the next month, until you get to the end of September/October:
Realizing that they were adding users to Exchange at this time and that each pst was limited to 2 gigs, I think there’s at least one and maybe 2 files missing. There “should” be a pst file with emails from late Sept to early Oct. Somthing like 9/18 – 10/11. Also, why is there no coverage for 9/12?
After Oct 2003, they changed the procedures (at least they told Microsoft that in Feb 2004).
Isn’t it possible that the change in procedure was all about skipping those days? We haven’t seen an explanation for why they changed the procedure.
That would have been dangerous, the techies might have figured out what was going on. Let me spin a specific scenario. I’m not (yet) saying this happened, but it is consistent with what we see.
On Sept. 30, the word goes out that there is a DOJ investigation. Suppose somebody in the OVP who doesn’t use email, we’ll call him Irv, gives some instructions to an underling that could be construed as obstruction of justice. The underling, being clueless, sends an email referencing this action. Irv tells her to delete the email. In January 2004, when Fitzgerald takes over and asks for records from October 2003, Irv panics when realizes that even deleted email has been archived. He talks to a more tech-savvy co-conspirator about his problem. This tech-savvy co-conspirator has been, um, “roving” around the network and realized that the pst files that are going to be searched are not protected at all. He suggest to Irv that the simple answer to their problem is to delete the pst file that contains the incriminating email. Problem solved.
I believe that’s what happened. Now, how do you prove that, is it
a lost cause. I’ve always recommended that we hire techie experts to
review/prepare a report for Congress that we can rely on…
I don’t care how much it costs…
Remember that the investigation was out there on Septmeber 26, at least.
Like you, I do think that’s a likely scenario. The email we have is Cathie Martin making sure others get any references to Libby from Scottie McC. Now it’s possible that they did so only out of protection, but it’s possible they knew more (remember, Martin says she told Libby about Plame). Remember too that Jenny Mayfield was holding documents–a folder of Niger stuff–until March or so, so she was clearly knowingly withholding evidence. So she might be a good candidate (she seemed pretty not-bright in her leniency letter).
One more question, WO. What do you make of the fact that the dates are non-continuous?
I agree that it’s probably something about the Chenega Integrated Systems group (the spurious “Native Alaska” Corporation)…but it’s odd that they show up in this context. They were essentially doing security contract work at places like Ft. Detrick and some other Army bio-weapons labs (Hmmm?) for the Army. Then they shifted in their hiring for people in the IT filed, as Rayne has pointed out.
Perhaps the reference was just something tangential that was raised in the discussion about several topics, but it’s nonetheless interesting that the WH was so interested in a firm that was involved in such activities and that may have been created to be the recipient of pork.
Maybe Hadley was concerned about the security at places with the Missile Defense Systems at
BurplesonElmendorf AFB and in Japan, where Chenega was actually a front organization for Blackwater.very interesting, cinnamonape.
The Republicans certainly have shown an amazing attraction to exploit all things Native American this century.
Aside from just fronting a Native American relationship, I wonder what the requirement is to be considered Native American these days?
I seem to recall it was if a great grandparent was Native American that one (with 1/16 Native American Indian blood) can claim the same. Don’t know how that then works for one’s own children, however. Do they have to move off the Indian reservation once they are no longer minors? or does an initiation rite take care of the tribe membership and benefits after that?
roTL will have to confirm, but I think the Chenega reference in this thread was only tangentially related to the post here, was more responsive to content in the Fitzgerald Subpoenas and Server Crashes thread from several days ago when I’d commented about the different vendors who worked on the IT messaging infrastructure for EOP-OA. One of the vendors was an Alaskan native firm TKC, cited in testimony by Steven McDevitt; roTL mentioned in this thread that Chenega was yet another Alaskan native firm working on IT products (but I note not cited by Steven McDevitt as a direct contract).
As of this thread, we still do not have any solid information about which vendors provided the services required save for Microsoft with regard to message restoration.
OT: have you seen Eli’s post at FDL? (”Obama administration finally takes a stand against waterboarding”)
http://firedoglake.com/2009/06…..#comments.
Seems the National Park Service is threatening to prosecute anti-torture activists if they carry out their plan to demonstrate waterboarding.
Wo,
congrAtulations on retirement
THanks for the comments.
EW ,
Thanks for the posts. wish I could be adding info in the comments. our computer died; thus,I’m texting.
hope your computer gets fixed soon. You are an important spoke in the ew wheel
One more thing about the October 1-3 timeframe. Remember that Irv and Dick were in Jackson Hole, WY at the time, conspiring a coverup. That may explain why incriminating things would have been emailed.
EW, MadDog, WO parting the “clouds”.
Damn good to know folks committed to truth and accountability keep pushing so hard. Thanks