What we know about the provenance and authenticity of "Hunter Biden Laptop"
At least some emails are authentic, but at least some innocent modifications have been made
I thought I’d write up some quick notes about what we know about the provenance and authenticity of the Hunter Biden laptop story. The quick answers are this:
The origin of the laptop image isn’t in dispute. Even Hunter’s legal team agrees it probably came from the repair shop.
We know that many modifications have been made to the public laptop drive image, the sort of innocent modifications that happen when people don’t correctly handle things. This doesn’t apply to the private image the FBI has — they have the original laptop.
We know at least some of the emails are authentic because they contained cryptographic signatures.
If you don’t know the underlying story, go read the Wikipedia page.
Origin
We have every reason to believe the origin of the laptop image is correct. Hunter hasn’t denied it. Indeed, he has filed a lawsuit against the repair shop owner based upon the assumption the claimed origin is true.
According to the story, Hunter dropped off his laptop at a repair shop in April 2019, claiming water damage, asking for the laptop to be fixed.
It’s not unusual for repair shops to make a backup of hard drives in such situations.
It’s unclear how the files were copied. In some stories, a complete image of the hard drive was made. This is a bit-by-bit copy of the entire drive. A file will have the same location in the image as on the original drive. Deleted files will be copied as well.
In other stories, the repair shop claims to have copied files individually. This is a less forensically robust method. Files will be in different locations in the copy, and deleted files won’t be copied.
Handoff
According to court documents, the shop owner gave both the laptop and one of his copies to the FBI in August 2019. According to this story, these copies are pristine, and no files were changed.
According to the shop owner, he also contacted Giuliani and passed along a copy to his people. At this point, it seems there were multiple changes made to the drive.
This story describes some of these changes.
It’s common for people examining drive images to accidentally make changes. For example, if you open a document in Microsoft’s Word program, it’ll save a backup. It may also save metadata recording who opened the document. We saw that with the Guccifer hack, where some of the Word documents had metadata added hinting at Eastern European hackers.
Apple stores emails in a database. At some point, somebody ran a program extracting all those emails as individual files, saving them to a directory/folder on the disk image. The timestamps show that this was done after the laptop image was taken. This demonstrates how careless they were in dealing with the image.
Thus, the provenance is completely unreliable. We are fairly certain there was a laptop image to start with, but any individual file is suspect.
Passed around
Copies of this thing have mutated and spread among Republican activists and the press. No two copies are likely the same. One copy may be full of problems while another copy is relatively pristine.
I mention this because a lot of discussions treat the laptop image as if it were a single thing, as if everyone is working from the same copy. In fact, there is no single image. What happens with one copy says nothing about what happened with other copies.
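The two checks described above (files whose timestamps postdate the claimed acquisition, and copies that have drifted apart) are straightforward to script. The following is an added example, not code from the original post: it builds a sha256/mtime manifest of two copies of an evidence tree, diffs them, and flags files modified after the acquisition date. All files, paths and the acquisition date are constructed for the demo (the post only says April 2019), and it uses modification time because that is what a plain copy carries.

```python
"""Triage two copies of an evidence tree: manifest diff plus post-acquisition timestamps.
Added example with constructed data; the paths and dates are made up for the demo."""
import hashlib, os, tempfile
from datetime import datetime, timezone

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def manifest(root):
    """Map relative path -> (sha256, mtime as UTC datetime) for every file under root."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            st = os.stat(full)
            out[rel] = (sha256_file(full), datetime.fromtimestamp(st.st_mtime, timezone.utc))
    return out

def diff_manifests(ref, other):
    """Files added, removed or changed between a reference copy and another copy."""
    return {
        "added": sorted(set(other) - set(ref)),
        "removed": sorted(set(ref) - set(other)),
        "changed": sorted(p for p in ref.keys() & other.keys() if ref[p][0] != other[p][0]),
    }

def after_acquisition(man, acquired):
    """Files whose modification time postdates the claimed acquisition date."""
    return sorted(p for p, (_, mtime) in man.items() if mtime > acquired)

def _write(root, rel, data, when):
    # helper for the demo: create a file and set its mtime to a chosen time
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)
    os.utime(path, (when, when))

def demo():
    acquired = datetime(2019, 4, 12, tzinfo=timezone.utc)   # constructed acquisition date
    before, after = acquired.timestamp() - 86400, acquired.timestamp() + 30 * 86400
    with tempfile.TemporaryDirectory() as tmp:
        ref, copy = os.path.join(tmp, "ref"), os.path.join(tmp, "copy")
        for root in (ref, copy):                             # both copies start identical
            _write(root, "Documents/report.docx", b"original report", before)
            _write(root, "Mail/mailbox.db", b"mail database", before)
        # the second copy was handled carelessly: a document re-saved, a Word lock
        # file left behind, and mail exported to individual files after acquisition
        _write(copy, "Documents/report.docx", b"original report with edits", after)
        _write(copy, "Documents/~$report.docx", b"word lock file", after)
        _write(copy, "Mail/extracted/0001.eml", b"exported message", after)
        m_ref, m_copy = manifest(ref), manifest(copy)
        return diff_manifests(m_ref, m_copy), after_acquisition(m_copy, acquired)
```

Running `demo()` reports one changed file, two added files and three files with post-acquisition timestamps. Against a real copy you would run `manifest()` on the copy you hold and on whatever reference you trust; a file that is absent from the reference, or whose hash differs, tells you nothing about the original drive until you know which copy it was introduced in.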
The FBI grabbed the original laptop themselves. As long as the store owner didn’t do anything wrong, then the FBI has a pristine copy of the original.
Authenticating emails
The above provenance problems don’t necessarily apply to emails. We don’t need provenance to prove authenticity for some emails. Some emails come with anti-spam signatures known as DKIM, which use cryptography to verify the email hasn’t been changed.
This is pretty incredible: we can actually verify an email as completely authentic using cryptography. There are assumptions this rests upon, such as that Russia hasn’t hacked Google. But these are reasonable assumptions.
Back when the story broke, I verified the “smoking gun” email published by the NYPost when it broke the story. I published this on GitHub so that anybody could replicate the work. It’s not terribly difficult; it’s just a normal application of this DKIM technology. Over 22,000 of the Hunter emails have now been authenticated this way.
This doesn’t prove they came from the laptop. Burisma was hacked in early 2020, so the emails may have come from there. We don’t know where they came from, but we do know they are authentic.
Summary
In short we know:
the origin is likely true
the path the image/files took is unknown
some things were definitely changed due to mishandling
some things could definitely have been maliciously changed or inserted
some of the emails are authentic, and could not have been maliciously changed or inserted