Yeah, me too.
The insurrection committee's public hearings
Moderators: LawBeefaroni, $iljanus
- ImLawBoy
- Forum Admin
- Posts: 15062
- Joined: Tue Oct 12, 2004 9:49 pm
- Location: Chicago, IL
- Contact:
Re: The insurrection committee's public hearings
Had he played his cards right, he could have been King of Wisconsin.
That's my purse! I don't know you!
- Blackhawk
- Posts: 44578
- Joined: Tue Oct 12, 2004 9:48 pm
- Location: Southwest Indiana
Re: The insurrection committee's public hearings
The Big Cheese!
(˙pǝsɹǝʌǝɹ uǝǝq sɐɥ ʎʇıʌɐɹƃ ʃɐuosɹǝd ʎW)
- malchior
- Posts: 24795
- Joined: Wed Oct 13, 2004 12:58 pm
Re: The insurrection committee's public hearings
Heh. We did a deep dive on this today with a few of my work colleagues. It almost certainly wasn't some primitive cipher. Our collective opinion (and several are ex-FBI forensic investigators) is these were printed either physically or to PDF or some other format, and then processed by OCR software, and the spaces are processing artifacts. The software possibly couldn't distinguish between an 'i' and 'l' and inserted spaces. There are signs of that in the Tweet. However, this opinion is also heavily informed that they know this is how investigators typically process evidence. This also usually is fixed before it hits the courtroom. One of the guys in the discussion used to conduct non-NatSec 'mole hunts' and quipped they would look at the investigation team for the source of the leak - if they were looking for the press leaker. Fun color there!
Edit: Just finally read the Politico article - it indicates these emails were inadvertently leaked as part of the Congressional investigation. It doesn't change much analysis - and the assumption that it was raw evidence is probably right.
Anyway, the telltale signs are that the address fields (To:, From:, or CC:) typically are auto-populated by the email client from the person's contact list or a directory. The first name in the CC: field is 'Chr s Gardner' instead of 'Chris Gardner'. It doesn't make much sense to obfuscate that when the raw email address (presumably blacked out) would necessarily have complete email information. The idea it'd prevent a FOIA search doesn't make sense since at the raw level the email has to have real email addresses and the searches are performed on the email system.
Technically you could do some obfuscation after the mail is received and stored. However, that would probably prevent the auto-population of the names from the directory. There'd have to be a lot of customizations stitched together to make this work end-to-end and it wouldn't even prevent the FOIA search.
I'll also note that the word TENTATIVELY in all upper case is intact. Other capitalized 'I's are also intact.
I rate this as 'not plausible'.
- LawBeefaroni
- Forum Moderator
- Posts: 55452
- Joined: Fri Oct 15, 2004 3:08 pm
- Location: Urbs in Horto, outrageous taxes on everything
Re: The insurrection committee's public hearings
That would be some pretty poor OCR. And at the same time incredibly consistent for a bad OCR. I've OCRd thousands of contract documents over the years, have never seen results like that. It will usually make a best guess rather than delete a character and insert a space.
I wouldn't put it past these wannabe operatives that they just did a find and replace with space for a few letters, thinking it would do the job. The fact that it is useless doesn't make me think it's any less likely. In fact, it makes it seem more likely.
" Hey OP, listen to my advice alright." -Tha General
"No scientific discovery is named after its original discoverer." -Stigler's Law of Eponymy, discovered by Robert K. Merton
MYT
- malchior
- Posts: 24795
- Joined: Wed Oct 13, 2004 12:58 pm
Re: The insurrection committee's public hearings
LawBeefaroni wrote: ↑Thu Nov 03, 2022 11:55 am That would be some pretty poor OCR. And at the same time incredibly consistent for a bad OCR. I've OCRd thousands of contract documents over the years, have never seen results like that.

OCR is just one possibility but OCR on consistent fonts is a very different story from handwritten or xerox'ed content where a lot of noise has been introduced. It also could be a range of processing artifacts from other sources. It also could have been introduced while analyzing the documents and it was an intermediate step in a software chain.
Again this was a group of people including me who have done thousands of these investigations. Based on the limited information we have this is the opinion. Is it perfect? By no means, we're missing tons of context but the problem remains that we've collectively never seen anyone attempt to cover their tracks *this way* when there are more effective ways that are so much easier.
LawBeefaroni wrote: I wouldn't put it past these wannabe operatives that they just did a find and replace with space for a few letters, thinking it would do the job. The fact that it is useless doesn't make me think it's any less likely. In fact, it makes it seem more likely.

Eh. Not really. The problem is the address fields (why I called it out). That is *auto-populated* so you'd have to then argue down a long list of things (for example they changed it in the directory). We talked through a lot of this. But it's all a lot of work.
The assumption that changes a lot of context is based around the source. Are they a result of discovery from a government system or potentially a cloud-based system? Was this processed by some 'central authority'? That'd mean this was most likely introduced after printing or electronic conveyance.
It's alternatively possible the emails were turned over by Eastman or their tech person themselves and forgot they did this but it's fairly down the list of implausible.
Edit: Another counter argument that just popped into my head. If this was done by humans, why is it so consistent? You'd expect an 'i' or 'l' to slip through here and there then. Instead, it's fairly uniformly processed which points to machine. Could one of these boneheads have written a program to do that? Maybe but again we're still getting into very wacky territory where someone is doing a lot of unnecessary work in the midst of their scheming.
- Unagi
- Posts: 26724
- Joined: Wed Sep 20, 2006 5:14 pm
- Location: Chicago
Re: The insurrection committee's public hearings
OK, first - I think it's clear from the contact's name evidence that the document we are looking at isn't a raw copy of the email - and is rather a 'cut-n-paste' from an email into a Word/rich text file.
I think if we could see the redacted email addresses and if they contained a lowercase I or lowercase L, those would also be replaced with a space - and hence wouldn't have worked as an email.
I think that the above 'document' was then given an ole' Find/Replace on the lowercase I and the lowercase L (never the upper case of either) to be replaced with <space>.
That's the simplest and clearest path from a normal email to the document we are all trying to read.
Why was that done? I'm not entirely sure - but it would seem it was done to keep the file (the leak) from being found if a search on all files against strings of text from that email were performed. This wasn't done to cover the tracks, was it?
It was done to hide the leaked email, no?
The failed OCR idea seems super weird.
- Carpet_pissr
- Posts: 20189
- Joined: Thu Nov 04, 2004 5:32 pm
- Location: Columbia, SC
Re: The insurrection committee's public hearings
He gouda been king, but he's such an unbrielievable muenster that havarti given up on the old goat.
- Unagi
- Posts: 26724
- Joined: Wed Sep 20, 2006 5:14 pm
- Location: Chicago
Re: The insurrection committee's public hearings
Carpet_pissr wrote: ↑Thu Nov 03, 2022 12:39 pm He gouda been king, but he's such an unbrielievable muenster that havarti given up on the old goat.

BLUUEE!!!
- malchior
- Posts: 24795
- Joined: Wed Oct 13, 2004 12:58 pm
Re: The insurrection committee's public hearings
Unagi wrote: ↑Thu Nov 03, 2022 12:32 pm OK, first - I think it's clear from the contact's name evidence that the document we are looking at isn't a raw copy of the email - and is rather a 'cut-n-paste' from an email into a Word/rich text file.
I think if we could see the redacted email addresses and if they contained a lowercase I or lowercase L, those would also be replaced with a space - and hence wouldn't have worked as an email.
I think that the above 'document' was then given an ole' Find/Replace on the lowercase I and the lowercase L (never the upper case of either) to be replaced with <space>.
That's the simplest and clearest path from a normal email to the document we are all trying to read.

The problem here is this was output from an investigation - possibly by Eastman's own lawyers, law enforcement, or a third-party firm (which is the standard when not done by law enforcement). And I work at one of those third-party firms. We know what we are looking at.
These types of issues are normal during investigations - multiple layers of processing are typically done. That's just part and parcel for the activity. Sometimes you get requests to send over raw work output and it sometimes has errors. That seems the most likely thing here.

Unagi wrote: Why was that done? I'm not entirely sure - but it would seem it was done to keep the file (the leak) from being found if a search on all files against strings of text from that email were performed. This wasn't done to cover the tracks, was it?

This wasn't a leak it was provided by the investigation team to the committee. It's possible the investigators got it this way. FWIW the article comes to the same conclusion - they called it a formatting error - which again IMO is the most likely explanation. I have little reason to believe this was some sinister, amateurish plot to obfuscate the activity. It's most likely just an electronic version of the game 'telephone'.

Unagi wrote: It was done to hide the leaked email, no?

Probably not.

Unagi wrote: The failed OCR idea seems super weird.

Well weird except that it is actually fairly common. Which is why it was the top guess as most likely.
Last edited by malchior on Thu Nov 03, 2022 1:04 pm, edited 2 times in total.
- Carpet_pissr
- Posts: 20189
- Joined: Thu Nov 04, 2004 5:32 pm
- Location: Columbia, SC
Re: The insurrection committee's public hearings
Oh que-so, just partial credit for all that work? I'm feta with this place.
- Alefroth
- Posts: 8663
- Joined: Thu Oct 14, 2004 1:56 pm
- Location: Bellingham WA
Re: The insurrection committee's public hearings
Carpet_pissr wrote: ↑Thu Nov 03, 2022 12:59 pm Oh que-so, just partial credit for all that work? I'm feta with this place.

Do Gloucester! Do Gloucester!
- Carpet_pissr
- Posts: 20189
- Joined: Thu Nov 04, 2004 5:32 pm
- Location: Columbia, SC
Re: The insurrection committee's public hearings
Alefroth wrote: ↑Thu Nov 03, 2022 1:35 pm
Carpet_pissr wrote: ↑Thu Nov 03, 2022 12:59 pm Oh que-so, just partial credit for all that work? I'm feta with this place.
Do Gloucester! Do Gloucester!

Nay, has it occurred to you that that would be a Gloucester-fuck of dairy-based puns, more than this forum could take, and would likely cheese off a lot of people that are trying to seriously discuss (checks title) some committee trying to insert a ton of pubic hair (into what?! So weird, and why would that require a committee?!)
- Brian
- Posts: 12608
- Joined: Sat Oct 16, 2004 8:51 am
- Location: South of Heaven
- Contact:
Re: The insurrection committee's public hearings
I camenbert this for much longer.
"Don't believe everything you read on the internet." - Abraham Lincoln
- Blackhawk
- Posts: 44578
- Joined: Tue Oct 12, 2004 9:48 pm
- Location: Southwest Indiana
Re: The insurrection committee's public hearings
Grate. Just grate.
- Carpet_pissr
- Posts: 20189
- Joined: Thu Nov 04, 2004 5:32 pm
- Location: Columbia, SC
Re: The insurrection committee's public hearings
Oh well DONE, sir! I was trying so hard to fit camembert in, but I bleu it!
Funny, but nacho best pun work.
Also:
- LawBeefaroni
- Forum Moderator
- Posts: 55452
- Joined: Fri Oct 15, 2004 3:08 pm
- Location: Urbs in Horto, outrageous taxes on everything
Re: The insurrection committee's public hearings
malchior wrote: ↑Thu Nov 03, 2022 12:07 pm
Edit: Another counter argument that just popped into my head. If this was done by humans, why is it so consistent? You'd expect an 'i' or 'l' to slip through here and there then. Instead, it's fairly uniformly processed which points to machine. Could one of these boneheads have written a program to do that? Maybe but again we're still getting into very wacky territory where someone is doing a lot of unnecessary work in the midst of their scheming.

Surely you know of Find & Replace, a feature in most productivity applications.
- malchior
- Posts: 24795
- Joined: Wed Oct 13, 2004 12:58 pm
Re: The insurrection committee's public hearings
Believe it or not I like the puns! I mean it's silly but we all need some silly now more than ever.
- LawBeefaroni
- Forum Moderator
- Posts: 55452
- Joined: Fri Oct 15, 2004 3:08 pm
- Location: Urbs in Horto, outrageous taxes on everything
Re: The insurrection committee's public hearings
Always good to have some levity up paneer.
- Pyperkub
- Posts: 23800
- Joined: Mon Dec 13, 2004 5:07 pm
- Location: NC- that's Northern California
Re: The insurrection committee's public hearings
LawBeefaroni wrote: ↑Thu Nov 03, 2022 3:56 pm
malchior wrote: ↑Thu Nov 03, 2022 12:07 pm
Edit: Another counter argument that just popped into my head. If this was done by humans, why is it so consistent? You'd expect an 'i' or 'l' to slip through here and there then. Instead, it's fairly uniformly processed which points to machine. Could one of these boneheads have written a program to do that? Maybe but again we're still getting into very wacky territory where someone is doing a lot of unnecessary work in the midst of their scheming.
Surely you know of Find & Replace, a feature in most productivity applications.

The Chese has Boro'd too deep for that?
Black Lives definitely Matter Lorini!
Also: There are three ways to not tell the truth: lies, damned lies, and statistics.
- malchior
- Posts: 24795
- Joined: Wed Oct 13, 2004 12:58 pm
Re: The insurrection committee's public hearings
LawBeefaroni wrote: ↑Thu Nov 03, 2022 3:56 pm
malchior wrote: ↑Thu Nov 03, 2022 12:07 pm
Edit: Another counter argument that just popped into my head. If this was done by humans, why is it so consistent? You'd expect an 'i' or 'l' to slip through here and there then. Instead, it's fairly uniformly processed which points to machine. Could one of these boneheads have written a program to do that? Maybe but again we're still getting into very wacky territory where someone is doing a lot of unnecessary work in the midst of their scheming.
Surely you know of Find & Replace, a feature in most productivity applications.

I'll say it again for the cheap seats - it does not explain the address fields - which again is why I pointed them out. What I'm talking about is having the 'cipher text' in the actual emails. It's not possible or so improbable that it is nearly the same thing. It had to be post-email client. We are seeing something received and processed. So if you want to argue these guys copied emails out, then obfuscated them, and kept them lying around that way...and the investigators lazily picked them up and sent them onto the committee...you could do so. However, it doesn't make a lick of sense. Especially if this was some scheme to be sneaky.
- Carpet_pissr
- Posts: 20189
- Joined: Thu Nov 04, 2004 5:32 pm
- Location: Columbia, SC
Re: The insurrection committee's public hearings
OK that is hard core. Well played, sir. I glanced at that one for 2 seconds and moved right along. No grater challenge in the list of potential cheese puns than that one.
- Carpet_pissr
- Posts: 20189
- Joined: Thu Nov 04, 2004 5:32 pm
- Location: Columbia, SC
Re: The insurrection committee's public hearings
Agreed. Time to rind this down.
- LawBeefaroni
- Forum Moderator
- Posts: 55452
- Joined: Fri Oct 15, 2004 3:08 pm
- Location: Urbs in Horto, outrageous taxes on everything
Re: The insurrection committee's public hearings
malchior wrote: ↑Thu Nov 03, 2022 4:38 pm
LawBeefaroni wrote: ↑Thu Nov 03, 2022 3:56 pm
malchior wrote: ↑Thu Nov 03, 2022 12:07 pm
Edit: Another counter argument that just popped into my head. If this was done by humans, why is it so consistent? You'd expect an 'i' or 'l' to slip through here and there then. Instead, it's fairly uniformly processed which points to machine. Could one of these boneheads have written a program to do that? Maybe but again we're still getting into very wacky territory where someone is doing a lot of unnecessary work in the midst of their scheming.
Surely you know of Find & Replace, a feature in most productivity applications.
I'll say it again for the cheap seats - it does not explain the address fields - which again is why I pointed them out. What I'm talking about is having the 'cipher text' in the actual emails. It's not possible or so improbable that it is nearly the same thing. It had to be post-email client. We are seeing something received and processed. So if you want to argue these guys copied emails out, then obfuscated them, and kept them lying around that way...and the investigators lazily picked them up and sent them onto the committee...you could do so. However, it doesn't make a lick of sense. Especially if this was some scheme to be sneaky.

We don't know it failed on the address fields since they're redacted. If it didn't, they'd still redact them since they'd be easy to figure out.
If you mean the missing letters in the address names, if the emails were copied whole cloth, find and replace would work on them.
- Unagi
- Posts: 26724
- Joined: Wed Sep 20, 2006 5:14 pm
- Location: Chicago
Re: The insurrection committee's public hearings
Just to be clear LB, you are saying exactly what I was saying below, correct?
Unagi wrote: ↑Thu Nov 03, 2022 12:32 pm OK, first - I think it's clear from the contact's name evidence that the document we are looking at isn't a raw copy of the email - and is rather a 'cut-n-paste' from an email into a Word/rich text file.
I think if we could see the redacted email addresses and if they contained a lowercase I or lowercase L, those would also be replaced with a space - and hence wouldn't have worked as an email.
I think that the above 'document' was then given an ole' Find/Replace on the lowercase I and the lowercase L (never the upper case of either) to be replaced with <space>.
That's the simplest and clearest path from a normal email to the document we are all trying to read.
- malchior
- Posts: 24795
- Joined: Wed Oct 13, 2004 12:58 pm
Re: The insurrection committee's public hearings
LawBeefaroni wrote: ↑Thu Nov 03, 2022 5:07 pm We don't know it failed on the address fields since they're redacted. If it didn't, they'd still redact them since they'd be easy to figure out.

I was not commenting on the blanked out fields...since that'd make no sense. I remarked several times about the auto-populated text. The text in the address fields that isn't the email address. That isn't in the raw email. It is populated by the email client (usually from a mail directory).
There is a near binary conclusion when data is manipulated in the auto-populated fields and the body of the text. It indicates almost with certainty it happened *outside* the email client. The opposite is true. If these changes weren't in the auto-populated fields then it'd be a sure sign someone manipulated the *body* of the email. It's less conclusive that it happened in the email but it is easily verifiable by going to the raw email. These are just a characteristic of the way email is processed and stored. Now you could do surgical manipulation but who has time for that since it's so easy to defeat in a proper investigation.
I never said different. I only commented originally that because the email was almost certainly manipulated outside the email client that it almost certainly means it wasn't something these folks did. And the most likely manipulation would be the manipulation done during the investigation because it is exceedingly common.
The boil down is that if Eastman et al. did manipulate it to hide their scheming, it'd almost certainly appear ONLY IN THE BODY. And it wouldn't propagate through the email chain. That's it.

LawBeefaroni wrote: If you mean the missing letters in the address names, if the emails were copied whole cloth, find and replace would work on them.

I'm not arguing you can't cut and replace text. Of course they could - but only after the emails were copied out of the email client! And maybe they did that but it wouldn't matter (it's easily discovered) and I can't figure out why anyone would do that.
Edit: This whole thing reminds me why electronic evidence is such a time sink. People have to be walked through how it works in painful detail to get them out of thinking it matches with their everyday use of the tools. It's not. You have to understand all the various complexities and decompose all the steps along the way - often without a reliable audit trail. And even then the output is often just a likelihood since there are a lot of potential (but unlikely) ways to get from A to B.
- El Guapo
- Posts: 41536
- Joined: Sat Jul 09, 2005 4:01 pm
- Location: Boston
Re: The insurrection committee's public hearings
Can we create a metadata debate subforum?
Black Lives Matter.
- malchior
- Posts: 24795
- Joined: Wed Oct 13, 2004 12:58 pm
Re: The insurrection committee's public hearings
Metadata. Interesting choice of a word. So what you are saying is you've worked this stuff?
- Jaymann
- Posts: 19739
- Joined: Mon Oct 25, 2004 7:13 pm
- Location: California
Re: The insurrection committee's public hearings
Darn, I was playing games and missed out on the fun due.
Jaymann
]==(:::::::::::::>
Black Lives Matter
- malchior
- Posts: 24795
- Joined: Wed Oct 13, 2004 12:58 pm
Re: The insurrection committee's public hearings
I just had to educate a general counsel of a publicly traded company about the concept of metadata. Lawyers vary greatly on this subject.
- Unagi
- Posts: 26724
- Joined: Wed Sep 20, 2006 5:14 pm
- Location: Chicago
Re: The insurrection committee's public hearings
Is metadata really that mysterious?
Don’t get me wrong, all this talk about FBI sleuthing is super impressive.
- Unagi
- Posts: 26724
- Joined: Wed Sep 20, 2006 5:14 pm
- Location: Chicago
Re: The insurrection committee's public hearings
It sounded like malchior was impressed that El Guapo used the word correctly.
Don’t get me wrong El Guapo, you carry a strong air of impressiveness everywhere you go.
But yeah, I come from a data integration background and so maybe it’s just that point of view speaking
- hepcat
- Posts: 52102
- Joined: Wed Oct 13, 2004 3:02 pm
- Location: Chicago, IL Home of the triple homicide!
Re: The insurrection committee's public hearings
Don’t be offended. Because you graciously converse with me about such things as the acting abilities of Mark Wahlberg (or lack thereof), the importance of Z level comic book characters in a post industrial society, and why green milk would be super cool, it’s easy for others to assume you’re also 9.
Now depoliticized.
- malchior
- Posts: 24795
- Joined: Wed Oct 13, 2004 12:58 pm
Re: The insurrection committee's public hearings
It is the term-of-art for this particular line of discussion during forensic/incident response activities. I expect people to get the concept of metadata but it just spoke to me about experience in eDiscovery/investigation contexts.