FAT Anomalies In Leaked DNC Emails Suggest Use Of Thumbdrive by Adam Carter for DisObedient Media

Recently, I tweeted about several different batches of emails that made up the DNC emails collection initially published by WikiLeaks on July 22, 2016.

In that tweet, I included the following table:

The table outlines the last modification dates on the emails (batched by date) and shows the earliest and latest timestamps, minimum ID, maximum ID, count and a column titled “FAT.”

What the table illustrates is that the first batches of DNC emails published by WikiLeaks have times that indicate the files were transferred to a FAT file system (likely transferred via a USB storage device).

Having received several queries about this, I wanted to give a more detailed explanation, report on further observations that have since been made, and make some clarifications.

FAT File System Indicators

The “FAT” column is in reference to the FAT file system, a file system that, in recent years, is usually used on USB storage devices (some outdated non-USB disk storage devices used this in the past too, but it’s very rare to find such devices still in use).

One of the shortfalls of the FAT file system is that it stores the last-modified timestamp at a lower resolution than other file systems (to the nearest two seconds, so the seconds value is always even). However, this is advantageous for the purpose of digital forensics, as it means there is a pattern that can be detected and used to determine whether files were likely to have been transferred via a FAT file system.

The batches of DNC emails that were determined to have been copied to a FAT file system due to this pattern have an “x” in the “FAT” column (in the table referenced at the beginning of this article).
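The following is an added example (not part of the original article) showing how the FAT pattern described above can be checked mechanically: it groups files by last-modified date, builds the same columns as the table (earliest, latest, min ID, max ID, count, FAT) and flags a batch as FAT-like when every seconds value is even. The file IDs and timestamps are constructed sample data, not values from the DNC collection.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample: (file id, last-modified timestamp) pairs. On a FAT volume the
# seconds field is stored in 2-second units, so every value is even; the June batch
# below has odd seconds and therefore cannot have passed through FAT unchanged.
SAMPLE_FILES = [
    (1001, "2016-05-23 21:05:02"),
    (1002, "2016-05-23 21:05:04"),
    (1003, "2016-05-23 21:05:04"),
    (1004, "2016-05-23 21:06:10"),
    (1005, "2016-05-23 21:06:38"),
    (1006, "2016-05-23 21:07:00"),
    (2001, "2016-05-25 09:12:16"),
    (2002, "2016-05-25 09:12:18"),
    (2003, "2016-05-25 09:13:50"),
    (2004, "2016-05-25 09:14:22"),
    (3001, "2016-06-10 14:30:07"),
    (3002, "2016-06-10 14:30:08"),
    (3003, "2016-06-10 14:30:13"),
    (3004, "2016-06-10 14:31:01"),
]


def fat_batch_report(files):
    """Group files by last-modified date and report which batches show the FAT pattern."""
    batches = defaultdict(list)
    for file_id, ts in files:
        batches[ts[:10]].append((file_id, datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")))

    report = {}
    for day, items in sorted(batches.items()):
        ids = [fid for fid, _ in items]
        times = [dt for _, dt in items]
        odd = sum(1 for dt in times if dt.second % 2)
        n = len(times)
        report[day] = {
            "earliest": min(times).strftime("%Y-%m-%d %H:%M:%S"),
            "latest": max(times).strftime("%Y-%m-%d %H:%M:%S"),
            "min_id": min(ids),
            "max_id": max(ids),
            "count": n,
            # All-even seconds is the FAT indicator; a single odd value rules it out.
            "fat": odd == 0,
            # On a file system with 1-second or finer resolution, each file has about a
            # 1-in-2 chance of an even seconds value, so this is how likely an all-even
            # batch of this size is by coincidence (None when the batch is not all-even).
            "p_even_by_chance": 0.5 ** n if odd == 0 else None,
        }
    return report
```

A FAT flag says the files sat on a FAT volume at some point, not when; small batches give a weak signal, which is why the chance figure is reported alongside the flag.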

The First Two Batches

Drawing upon a 30-day email retention policy and the sent dates of the emails, research in the public domain [@steemwh1sks] has for some time suggested that the DNC emails were likely acquired on dates between May 19 and May 25, 2016.

Looking at the sent dates of the emails and the last-modified dates of the email files in the first two batches (those with last modification dates in May, two months prior to initial publication), it is possible to determine that:

  • Emails appear to have been copied on May 23, 2016 and May 25, 2016.
  • Emails were stored on a device using the FAT file system (very likely to be a USB storage device) at some point in time between acquisition and being published by WikiLeaks.

We can’t, however, make any declaration on exactly when the files were moved to a USB device, as different types of copy operations could produce the same result even if the files were transferred to USB weeks after acquisition (it is possible to retain the last-modified dates in various circumstances).

