Thousands of emails purportedly from the laptop computer of Hunter Biden, President Biden’s son, are authentic communications that can be verified through cryptographic signatures from Google and other technology companies, say two security experts who examined the data at the request of The Washington Post.
The verifiable emails are a small fraction of 217 gigabytes of data provided to The Post on a portable hard drive by Republican activist Jack Maxey. He said the contents of the portable drive originated from Hunter Biden’s MacBook Pro, which Hunter reportedly dropped off at a computer repair shop in Wilmington, Del., in April 2019 and never reclaimed.
The vast majority of the data — and most of the nearly 129,000 emails it contained — could not be verified by either of the two security experts who reviewed the data for The Post. Neither found clear evidence of tampering in their examinations, but some of the records that might have helped verify contents were not available for analysis, they said. The Post was able in some instances to find documents from other sources that matched content on the laptop that the experts were not able to assess.
Among the reasons for the inconclusive findings was sloppy handling of the data, which damaged some records. The experts found the data had been repeatedly accessed and copied by people other than Hunter Biden over nearly three years. The MacBook itself is now in the hands of the FBI, which is investigating whether Hunter Biden properly reported income from business dealings.
Most of the data obtained by The Post lacks cryptographic features that would help experts make a reliable determination of authenticity, especially in a case where the original computer and its hard drive are not available for forensic examination. Other factors, such as emails that were only partially downloaded, also stymied the security experts’ efforts to verify content.
The contents of Hunter Biden’s laptop computer have sparked debate and controversy since the New York Post and other news organizations in the closing month of the 2020 presidential campaign reported stories based on data purportedly taken from it.
Many Republicans have portrayed this data as offering evidence of misbehavior by Hunter Biden that implicated his father in scandal, while Democrats have dismissed it as probable disinformation, perhaps pushed by Russian operatives acting in a well-documented effort to undermine the elder Biden. Facebook and Twitter in 2020 restricted distribution of stories about the drive’s contents out of concern that the revelations might have resulted from a nefarious hacking campaign intended to upend the election, much as Russian hacks of sensitive Democratic Party emails shaped the trajectory of the 2016 election.
The Washington Post’s forensic findings are unlikely to resolve that debate, offering instead only the limited revelation that some of the data on the portable drive appears to be authentic. The security experts who examined the data for The Post struggled to reach definitive conclusions about the contents as a whole, including whether all of it originated from a single computer or could have been assembled from files from multiple computers and put on the portable drive.
At The Post’s request, Matt Green, a Johns Hopkins University security researcher who specializes in cryptography, and Jake Williams, a forensics expert and former National Security Agency operative who once hacked the computers of foreign adversaries, separately examined two copies The Post made of the portable drive Maxey provided.
The portable drive provided to The Post contains 286,000 individual user files, including documents, photos, videos and chat logs. Of those, Green and Williams concluded that nearly 22,000 emails among those files carried cryptographic signatures that could be verified using technology that would be difficult for even the most sophisticated hackers to fake.
Such signatures are a way for the company that handles the email — in the case of most of these, Google — to provide proof that the message came from a verified account and has not been altered in some way. Alterations made to an email after it has been sent cause the cryptographic signatures to become unverifiable.
The verified emails cover a time period from 2009 to 2019, when Hunter Biden was acting as a consultant to companies from China and Ukraine, and exploring opportunities in several other countries. His father was vice president from 2009 to 2017.
Many of the nearly 22,000 verified emails were routine messages, such as political newsletters, fundraising appeals, hotel receipts, news alerts, product ads, real estate listings and notifications related to his daughters’ schools or sports teams. There was also a large number of bank notifications, with about 1,200 emails from Wells Fargo alone.
Other emails contained exchanges with Hunter Biden’s business partners, personal assistants or members of his family. Some of these emails appear to offer insights into deals he developed and money he was paid for business activities that opponents of his father’s bid for the presidency sought to make a campaign issue in 2020.
In particular, there are verified emails illuminating a deal Hunter Biden developed with a fast-growing Chinese energy conglomerate, CEFC China Energy, for which he was paid nearly $5 million, and other business relationships. Those business dealings are the subject of a separate Washington Post story published at the same time as this one on the forensic examinations of the drive.
The drive also includes some verified emails from Hunter Biden’s work with Burisma, the Ukrainian energy company for which he was a board member. President Donald Trump’s efforts to tie Joe Biden to the removal of a Ukrainian prosecutor investigating Burisma led to Trump’s first impeachment trial, which ended in acquittal in February 2020.
The Post’s review of these emails found that most were routine communications that provided little new insight into Hunter Biden’s work for the company.
The laptop’s journey begins
John Paul Mac Isaac, the owner of the Wilmington repair shop, has said he received the 13-inch MacBook Pro on April 12, 2019, when Hunter Biden asked him to recover data from the computer because it had been damaged by liquid.
According to Mac Isaac’s attorney, Brian Della Rocca, recovering the data was challenging for Mac Isaac.
“He would boot the computer and transfer as much as he could before the computer shut down. Then, he would boot up the computer again, verify what was copied, and then transfer more data until the computer shut down again. This process repeated several times,” Della Rocca said in a prepared statement.
When his work was completed, Della Rocca said, Mac Isaac repeatedly attempted to contact Hunter Biden, who had signed a repair authorization, to advise him the laptop was ready to be picked up, but Hunter never responded. Della Rocca added that Mac Isaac finally came to regard the MacBook as abandoned property.
In July 2019, when news of Hunter Biden’s business dealings with Ukraine was gaining attention — largely because Trump’s private attorney, Rudy Giuliani, was making public allegations of wrongdoing — Mac Isaac contacted the FBI about the MacBook.
On Dec. 9, 2019, FBI agents from the Wilmington field office served a subpoena on Mac Isaac for the laptop, the hard drive and all related paperwork.
“He willingly gave it to the FBI and was happy to see it go,” Della Rocca said.
He added that Mac Isaac, before turning over the computer, made a copy of its hard drive “in case he was ever thrown under the bus as a result of what he knew.”
By then, Trump’s first impeachment trial, which ran from Jan. 16 to Feb. 5, 2020, was underway and Mac Isaac attempted to contact several members of Congress, none of whom replied.
He later contacted Giuliani, whose attorney, Robert Costello, responded almost immediately.
In an email with the subject line “Why is it so difficult to be a whistleblower when you are on the right?” written on Aug. 26, 2020, Mac Isaac told Costello that he had copies of the hard drive from Hunter Biden’s laptop.
“For my protection I made sevral copies and I have been trying quietly to bring it to peoples attention. I am reaching out to you for assistance and making sure the people that need to know about this do.”
Costello said he received a copy of the laptop’s hard drive from Mac Isaac. Giuliani has said he provided that data to the New York Post.
After the New York Post began publishing reports on the contents of the laptop in October 2020, The Washington Post repeatedly asked Giuliani and Republican strategist Stephen K. Bannon for a copy of the data to review, but the requests were rebuffed or ignored.
In June 2021, Maxey, who previously worked as a researcher for Bannon’s “War Room” podcast, delivered to The Washington Post a portable hard drive that he said contained the data. He said he had obtained it from Giuliani.
Responding to findings from news organizations that some material on the drive could be corroborated, Mac Isaac said in a statement: “I am relieved that finally, after 18 months of being persecuted and attacked for my actions, the rest of the country is starting to open their eyes.”
What the experts found
In their examinations, Green and Williams found evidence that people other than Hunter Biden had accessed the drive and written files to it, both before and after the initial stories in the New York Post and long after the laptop itself had been turned over to the FBI.
Maxey had alerted The Washington Post to this issue in advance, saying that others had accessed the data to examine its contents and make copies of files. But the lack of what experts call a “clean chain of custody” undermined Green’s and Williams’s ability to determine the authenticity of most of the drive’s contents.
“The drive is a mess,” Green said.
He compared the portable drive he received from The Post to a crime scene in which detectives arrive to find Big Mac wrappers carelessly left behind by police officers who were there before them, contaminating the evidence.
That assessment was echoed by Williams.
“From a forensics standpoint, it’s a disaster,” Williams said. (The Post is paying Williams for the professional services he provided. Green declined payment.)
But both Green and Williams agreed on the authenticity of the emails that carried cryptographic signatures, though there was variation in which emails Green and Williams were able to verify using their forensic tools. The most reliable cryptographic signatures, they said, came from leading technology companies such as Google, which alone accounted for more than 16,000 of the verified emails.
Neither expert reported finding evidence that individual emails or other files had been manipulated by hackers, but neither was able to rule out that possibility.
They also noted that while cryptographic signatures can verify that an email was sent from a particular account, they cannot verify who controlled that account when the email was sent. Hackers sometimes create fake email accounts or gain access to authentic ones as part of disinformation campaigns — a possibility that cannot be ruled out with regard to the email files on Hunter Biden’s laptop.
Williams wrote in his technical report that timestamps on a sampling of documents and operating system indexes he examined were consistent with each other, suggesting the authenticity of at least some of the files that lacked cryptographic signatures. But he and Green agreed that sophisticated hackers could have altered the drive’s contents, including timestamps, in a way difficult and perhaps impossible to detect through forensic examination alone.
Analysis was made significantly more difficult, both experts said, because the data had been handled repeatedly in a manner that deleted logs and other files that forensic experts use to establish a file’s authenticity.
“No evidence of tampering was discovered, but as noted throughout, several key pieces of evidence useful in discovering tampering were not available,” Williams’ reports concluded.
Some contents matched data from other sources
Out of the drive’s 217 gigabytes of data, there are 4.3 gigabytes of email files.
Green, working with two graduate students, verified 1,828 emails — less than 2 percent of the total — but struggled with others that had technical flaws they could not resolve. He said the most common problems resulted from alterations caused when the MacBook’s mail-handling software downloaded files with attachments in a way that made cryptographic verification of those messages difficult.
Williams verified a larger number of emails, nearly 22,000 in total — which included almost all of the ones Green had verified — after overcoming that problem by using software to correct alterations in the files. But he encountered obstacles with other emails that were only partially downloaded onto the drive, creating incomplete files that could not be verified cryptographically. Most of these files, he said, were probably just snippets of emails that would allow a user to preview the messages without downloading the full files.
The cryptographic verification techniques worked only on incoming emails, not ones that were sent from Hunter Biden’s accounts. Because the purpose of these signatures is to verify the identity of senders, only the records of an incoming email would contain signatures.
In addition to emails, the drive includes hundreds of thousands of other documents, including more than 36,000 images, more than 36,000 iMessage chat entries, more than 5,000 text files and more than 1,300 videos, according to tallies made by Williams, who, like Green, could not definitively verify any of them. In a small number of cases, The Post was able to establish the veracity of some of these files, such as bank documents, by obtaining copies from other sources.
Among the emails verified by Williams and Green were a batch of messages from Vadym Pozharskyi, an adviser to the board of Burisma, the Ukrainian gas company for which Hunter Biden was a board member. Most of these emails were reminders of board meetings, confirmation of travel, or notifications that his monthly payment had been sent.
Both Green and Williams said the Burisma emails they verified cryptographically were likely to be authentic, but they cautioned that if the company was hacked, it would be possible to fake cryptographic signatures — something much less likely to happen with Google.
One of the verified emails from Pozharskyi, which was the focus of one of the initial stories from the New York Post, was written on April 17, 2015. It thanked Hunter Biden “for inviting me to DC and giving me an opportunity to meet your father and spent [sic] some time together.”
When the email first emerged in the New York Post about three weeks before the 2020 election, the Biden campaign and Hunter Biden’s lawyer both denied that Pozharskyi had ever met with Joe Biden. Asked recently about the email, the White House pointed to the previous denials, which The Post has examined in detail.
Some other emails on the drive that have been the foundation for previous news reports could not be verified because the messages lacked verifiable cryptographic signatures. One such email was widely described as referring to Joe Biden as “the big guy” and suggesting the elder Biden would receive a cut of a business deal. One of the recipients of that email has vouched publicly for its authenticity but President Biden has denied being involved in any business arrangements.
New folders created on drive given to The Post
The Post spent months reviewing the data on the portable drive in its entirety and seeking forensic verification of its contents. It made two new copies of the portable drive provided by Maxey so the experts could analyze them.
Green examined the drive first and, based on his initial findings, urged The Post to seek a second review to verify more of its contents. The Post then hired Williams, who has conducted forensic analyses for Fortune 100 financial services companies and also did similar work during his time at the NSA. He is now on the faculty of the information security research group IANS.
Many questions about the drive remained impossible to answer definitively. That includes what happened during a nearly year-long period of apparent inactivity from September 2019 — about five months after Hunter Biden reportedly dropped off the laptop at the repair shop — until August 2020, when the presidential campaign involving his father was entering its final months.
Soon after that period of inactivity — and months after the laptop itself had been taken into FBI custody — three new folders were created on the drive. Dated Sept. 1 and 2, 2020, they bore the names “Desktop Documents,” “Biden Burisma” and “Hunter. Burisma Documents.”
Williams also found records on the drive that indicated someone may have accessed the drive from a West Coast location in October 2020, little more than a week after the first New York Post stories on Hunter Biden’s laptop appeared.
Over the next few days, somebody created three additional folders on the drive, titled, “Mail,” “Salacious Pics Package” and “Big Guy File” — an apparent reference to Joe Biden.
Attempts to verify the emails relied mainly on a technology called DKIM, which stands for DomainKeys Identified Mail. DKIM is a cryptographic technology used by Google and some other email services to verify the identities of senders.
Williams also used a second cryptographic technology called ARC, for Authenticated Received Chain. It was created to make cryptographic verification possible even when email moves through multiple services.
Williams said ARC, though slightly less reliable than DKIM, was a worthy alternative for emails for which DKIM verification was not possible. Overall, his list of emails included 16,425 verified by DKIM and 5,521 verified by ARC.
There are limits to cryptographic verification of emails, both experts said. Not all email services provide cryptographic signatures, and among those that did, not all did so with the care of Google, which is regarded within the technology industry as having strong security protocols. Green and Williams said the only realistic way to fake Google’s DKIM signatures would be to hack the company’s own secure servers and steal private cryptographic keys — something they considered unlikely even for nation-state-level hackers using the most advanced techniques.