2 experts used email headers to determine veracity

The methodology behind the examination of data purportedly from Hunter Biden's laptop.

By Craig Timberg

The Washington Post
March 30, 2022 at 9:44PM
Vice President Joe Biden, center, with son Hunter Biden and sister Valerie Biden Owens at a ceremony to name a road after Joseph R. “Beau” Biden III in Sojevo, Kosovo, on Aug. 17, 2016. (Visar Kryeziu, AP file/The Minnesota Star Tribune)

The Washington Post asked two computer security experts to review a portable hard drive that purportedly contained data from Hunter Biden's MacBook Pro computer. The Post obtained the drive last year from a conservative political researcher who had once worked for former Donald Trump adviser Stephen Bannon.

The Post asked the two experts, Matt Green, a Johns Hopkins University cryptologist, and Jake Williams, a faculty member for the information security research group IANS, to determine if the information on the drive was authentic.

Hunter Biden's laptop has been the subject of intense debate since October 2020, when the New York Post first published accusations that the laptop contained information suggesting that Biden's business deals had also enriched his father, now President Joe Biden. Republicans have hailed the laptop as evidence of wrongdoing, while Democrats have suggested it had been manipulated and may have included misinformation planted by the Russian government.

The examinations of the portable drive by Green and Williams were largely inconclusive. Both researchers, who worked independently of each other, determined that the data contained on the drive was so compromised by a variety of factors that definitive conclusions about most of its contents were impossible.

But they did agree that nearly 22,000 emails contained on the portable drive were authentic - meaning they contained cryptographic signatures that indicated they came from the accounts that they claimed to be from and had not been manipulated in some way.

This was determined by examining what's known as the headers of the emails. Headers are rarely visible to people reading their emails, but they contain what is known as metadata that includes information about an email's sending account, its recipient and its path through the internet. In some cases, headers also include a series of letters and numbers that appear unintelligible but, in fact, are cryptographic signatures that can be used to verify an email's sender and contents.

Green and Williams between them were able to use cryptographic signatures to verify 22,000 emails out of the nearly 129,000 on the portable drive.

They also agreed that they found no clear evidence that data on the hard drive had been tampered with, but said that it was difficult to reach a conclusion on the data on the drive as a whole. The ability to verify it, they said, was undermined by the fact the hard drive had been handled over the years in a manner that damaged some key files, making them unusable for the purposes of forensic examination. As Williams noted in his technical report, "several key pieces of evidence useful in discovering tampering were not available."

In writing about the emails on the drive, The Washington Post applied a two-part test. One was whether the emails could be cryptographically verified by the experts. The other was whether there was outside information confirming the validity of the emails.

For example, like other news organizations, The Post received records from the Swedish government that confirmed emails related to office space that Hunter Biden rented. In other cases, The Post relied on bank documents acquired by Senate investigators that confirmed the substance of email traffic and financial documents on the drive. The Post also confirmed emails with other recipients.
