Digital forensic investigation fails to exonerate Heartland of authoring climate strategy memo

On May 1, 2012, The Heartland Institute published a digital forensics report from Protek International, a computer and information forensics and security firm based out of Chicago. Heartland hired Protek to investigate whether there was evidence that anyone from Heartland had written the “2012 Heartland Climate Strategy” memo (aka the Memo) that Heartland claims was fabricated by Peter Gleick when he falsified his identity in order to acquire and then leak confidential Heartland documents in February, 2012.

As a result of their investigation, Protek concluded that the Memo had not been created on Heartland’s computer system and didn’t exist there or in Heartland’s email system prior to its publication on February 14, 2012. An S&R analysis of Protek’s investigation report finds that this broad conclusion is not supported by the details of Protek’s investigation. Specifically, S&R found that Protek may not have interviewed everyone at Heartland who could have authored the Memo, didn’t analyze enough types of computers and storage devices to rule out creation of the Memo, limited their investigation to only one of Heartland’s several offices, and didn’t search through enough different file types and storage to guarantee that they would have detected the Memo.

Protek’s interviews not inclusive enough

In the course of their digital forensics investigation, Protek interviewed a number of Heartland employees, “focusing on those who were part of the e-mail communications and transmission of documents in response to their online solicitation.” In addition, Protek’s report says that they “also interviewed senior officers of Heartland including [Heartland president] Joseph Bast, Diane Bast, and Kevin Fitzgerald.” Furthermore, Protek reported that “everyone interviewed by Protek stated that they had either not seen the Memo, or had not seen it prior to its being posted online on February 14th and all denied creating it as well.” While these statements are reasonable enough, they also raise a number of questions and concerns.

First, why did Protek focus on the employees who were involved in emailing the Board meeting documents to Gleick? Gleick himself said that he’d received the memo in the mail, not electronically, so there’s no evidence presented that these employees would have been the ones to send the Memo to Gleick via the USPS et al. Similarly, Protek doesn’t explain whether these employees could have been the Memo’s author, so there’s no good reason to focus on them in particular.

Second, Protek’s report implies that Protek interviewed other “senior officers” besides the Basts and Fitzgerald, but it leaves the other interviewees unnamed. It’s unclear whether or not these included all the members of the Heartland Board of Directors, for example, and the report specifically doesn’t say that it interviewed all “senior officers.” This approach would not necessarily detect officers who had seen the Memo, as the Memo itself explains.

The Memo’s author proposes that “it be kept confidential and only be distributed to a subset of Institute Board and senior staff.” If the Memo is authentic, this would mean that not all “senior officers” would have seen it. As a result, it’s possible that the Heartland senior officers that Protek interviewed could have honestly said that they didn’t read the memo precisely because they hadn’t been on the Memo’s limited distribution list. Without interviewing all of Heartland’s “senior officers” – senior staff and board members, plus any staff assistants to the “senior officers” – Protek’s interviews might not have detected the Memo’s origin even assuming all the interviewees answered honestly.

Protek too focused on Heartland’s Chicago headquarters

While Protek interviewed only a select few Heartland staff and “senior officers,” those interviews were only a small part of the overall digital forensics investigation that Protek was hired to conduct. In the course of the larger investigation Protek interviewed people and analyzed computers at Heartland’s Chicago headquarters office and at the private home of Joe and Diane Bast. But Protek either did not ask for or was refused access to computers at Heartland’s satellite offices and the private residences of Heartland’s other senior officers besides the Basts. This narrow focus on people and computers at just the Chicago headquarters means that Protek could have missed the Memo’s presence on computers located outside Heartland’s headquarters.

Protek’s report explains why they chose to focus exclusively on the Chicago headquarters. Specifically, Protek writes that “Heartland’s senior officers, who would be most likely authors of [the Memo] work at the Chicago office” and that much of the information needed to write the Memo was “resident only on the Heartland System” (the “Heartland System” is defined as the network and workstation computers present in Heartland’s headquaters).

Given modern networking and telecommuting, this explanation is insufficient to justify Protek’s narrow investigation. While Protek’s investigation would have presumably turned up evidence of the Memo had it been created at the Heartland Chicago headquarters computers via remote PC login (Windows “Remote Desktop Connection,” for example), the same cannot be said of other access methods.

Many organizations that are scattered across multiple physical locations pay telecommunications companies for secure data connections between those offices. These links would enable a Heartland employee working at a satellite office (for example, the Washington D.C. office) to access to all the information present on the network servers at the Chicago office. As a result, the Memo’s author and hypothetical Heartland employee could have accessed the information that was “resident only on the Heartland System” while editing the Memo on his own local computer. Here’s how:

  1. The Memo’s author sits down at his Heartland-owned computer that resides in a satellite office.
  2. The author logs into the Heartland network and opens the files containing the information he needs to write the Memo.
  3. The author creates a new document in his word processor and either cuts&pastes or transcribes the information into the Memo, then saves the Memo and closes down the other files.

This process would create a Memo where the file resides on a computer at a Heartland satellite office, but not on a Chicago computer. The only evidence that the Memo had been written present on the Chicago network would be a log that the source files had been opened. In this case Protek’s Chicago-only investigation would not detect the creation of the Memo.

A similar scenario would permits the Memo’s author to use a remote desktop connection to author the memo on a home personal computer while still accessing needed information on the Chicago network. Here’s how:

  1. The Memo’s author opens his word processor on his home computer.
  2. The author uses a remote desktop connection to log into his computer located in Heartland’s Chicago headquarters.
  3. The author opens the Chicago-only data on the remote desktop. The data is visible on the author’s PC, but it’s actually open on the headquarters computer.
  4. The author writes the Memo on his home computer, saves the Memo, closes the Chicago-only files, and then logs out of his Chicago headquarters computer.

In this scenario, the Memo resides on the author’s home computer, not in the Chicago network. The only trace that the Memo has been written on the Chicago network is that the Chicago-only files had been opened. As with the prior scenario, Protek’s investigation would not detect the creation of the Memo.

Both of these scenarios are plausible, and neither is even mentioned in Protek’s report.

Protek’s focus on “workstations” too narrow

Protek appears to have missed interviewing a number of possible Memo authors and/or distributors, and their focus on only the Chicago headquarters cannot conclusively demonstrate that the Memo was not authored by a Heartland employee. Similarly, Protek’s investigation of Heartland’s computers and servers was so narrowly focused on “workstations” and network servers that the investigation report raises a number of additional questions and concerns about Protek’s results.

First, what exactly is a “workstation” as Protek defines it? Workstations have historically been desktop PC-sized boxes with external monitors. This historical definition excludes laptop computers, and yet it’s likely that many computers attached to the “Heartland System” are laptops. Moreover, Heartland’s senior officers are the individuals who are most likely to use laptops instead of desktop workstations, and it’s those senior officers that would be likely authors or recipients of the Memo.

Joe and Diane Bast volunteered to have three of their personal computers imaged and analyzed by Protek – a Dell Dimension 3000, a Dell Dimension 2400, and an Dell Inspiron 530. According to the Dell website, all three of these computers are desktop style and the most recently sold (Inspiron 530) was last sold by Dell in 2009. It’s possible but unlikely that neither Bast owns a laptop or tablet computer, yet Protek’s report doesn’t say that they volunteered any laptops or tablets to be imaged in the same way that their personal desktop computers were.

Second, other mobile devices such as tablet computers do not appear to have been included in Protek’s investigation. A tablet computer like the Apple iPad, Dell Latitude, or Samsung Galaxy Tablet are definitely not “workstation” computers, but there’s no reason why the Memo couldn’t have been written on a tablet device instead of a laptop or workstation.

Third, Protek’s investigation report does not mention smartphones such as the iPhone, Blackberry, and various Android phones. Note-taking apps are available for every smartphone on the market, either built into the phone’s operating system or via app store download, and every smartphone has a keyboard of some kind. If the Memo was written during a meeting, it’s plausible that the Memo’s author could have typed it up on a phone and then used a personal email account to distribute it or saved the Memo to a cloud-based storage service like Dropbox. While this is a possible hole in Protek’s investigation, it’s a much smaller one than either the tablet or laptop holes identified above.

S&R repeatedly asked Protek if they created forensic images (exact replicas of the hard drives, including the state of any unused or unallocated storage space) of laptops, tablets, or investigated the possibility the Memo had been created on a smartphone or similar mobile devices, but S&R received no response.

Protek’s focus on computer hard drives too limited

According to Protek’s report, they created forensic images of 32 “Heartland Chicago office computer workstations, as well as the Basts’ privately owned computers.” These exact images were created to permit Protek to run scans on the computer storage looking for files and strings of bits that serve as digital “fingerprints” of the Memo in the data. But as with each of the cases described previously, Protek’s reported approach is too limited.

While Protek claims that they imaged the Chicago servers and workstations and the Basts’ three home computers, the report refers only to “hard drives.” Other types of storage are not mentioned at all, so anyone reading the report doesn’t know whether or not forensic images of other storage media were also created. For example, if Protek imaged only computer and server hard drives, then the 7.3 TB of data they imaged would have missed every one of the following storage media, all of which could reside at Heartland’s Chicago headquarters:

  • CD-RW and/or DVD backups
  • Tape backups
  • USB thumb drives/memory sticks
  • External hard drives

While it is possible that an internal flash drive would have been considered a “hard drive” for the purposes of Protek’s investigation, it’s not clear from the report. And it’s reasonable that a Memo intended for very limited distribution could have been stored on a removable USB thumb drive/memory stick. This doesn’t mean that the Memo would have been kept on a thumb drive, only that Protek’s hard drive-focused investigation can’t say one way or another.

In the course of their investigation, Protek scanned for file fragments of the Memo in “unallocated space,” the portions of the storage that are “blank” and awaiting data. These areas could contain evidence of old data that has been partly overwritten, which is why Protek scanned there. They didn’t find any examples of their four selected digital fingerprints in the unallocated space. But it’s unclear whether Protek scanned for file fragments within “unused” or “slack” space as well as unallocated space. Unused/slack space is parts of the hard drive that were allocated to a file but that were ultimately not used by that file. Unused/slack space may also contain fragments of files that were partly overwritten. Protek’s report makes no mention of scans for the Memo’s digital fingerprints in unused/slack space.

It’s also unclear whether Protek looked into encrypted files or int encrypted hard drive partitions. Windows 7, for example, is shipped with “BitLocker” encryption that essentially scrambles the entire hard drive (or that can be configured to encrypt a specific portion of a hard drive, known as a “partition”) in a way that prevents unauthorized data copying. There’s no mention of Protek having scanned within encrypted files or disk partitions in their report.

Finally, Protek’s report indicates that they may have missed, or been denied access to, Heartland’s cloud storage. Most people are familiar with cloud storage like Google Docs, where files can be created and stored entirely on the Internet. But cloud storage also includes off-site file servers like Dropbox, where documents are stored off-site and encrypted. And cloud storage also includes something that Heartland is known to have – off-site backups like Mozy or Carbonite. According to the published Heartland 2012 budget, Heartland uses an off-site backup for their computers and/or network servers (see Budget item 522 OO on the last page). The name of the backup service provider isn’t important, only that Protek’s hard drive-focused investigation would not detect the Memo if it been securely deleted from Heartland’s Chicago computers and only remained in the off-site backups.

Again, S&R repeatedly asked Protek whether they imaged storage media other than hard drives, whether they scanned unused/slack space in addition to unallocated space, whether they searched for the Memo within encrypted files and encrypted disk partitions, and whether they imaged Heartland’s off-site backup(s). S&R received no response from Protek to our questions.

The investigation report doesn’t say whether Protek didn’t ask to image the alternative storage media that S&R identified above or whether Heartland denied Protek access to those media. But there is no indication from Protek’s report that alternative storage media were forensically imaged and analyzed. As a result, Protek’s investigation could have missed the Memo even if it’s hypothetical Heartland author wrote it at Heartland’s Chicago headquarters but stored it on something other than a hard drive.

Protek’s investigation neglected common file formats

When Protek conducted their analyses, they looked for four different electronic fingerprints in a set of files and in “unallocated” disk storage. The files they analyzed were all of the following types: Word .doc and .docx files, WordPerfect .wpd files, Adobe .pdf files, and Rich Text Format .rtf files. In addition, Protek searched for the fingerprints within all compressed .zip files/archives.

As above, this list of file types is not comprehensive enough to ensure that the Memo did not originate on the “Heartland System.” Specifically, the investigation missed a number of file formats in which the Memo could have saved, it missed a number of compression formats in which the Memo could have archived, it assumed that the document was created in a standard word processing program, and it didn’t mention whether there was evidence on Heartland computers that files had been securely deleted.

Microsoft Word documents are saved in more formats than just the .doc and .docx formats through which Protek searched. For example, some older versions of Word created temporary files that used .tmp file extensions. Word 2007 and 2010 use .asd files as auto-recover files in case Word crashes unexpectedly. And Word can be configured in the “Preferences” to automatically save backup files as .wbk files.

In addition, Protek didn’t investigate whether the file could have been created in Works, which saves files natively as .wps files. And if the Memo was created in Windows’ WordPad or Notepad application, it would have been saved as either a .txt file or an Open Document standard .odt file, neither of which were searched.

On their Fakegate site, Heartland posted images that show they use WordPerfect rather than Word (see the Windows taskbar in the image at right), which could explain why Protek chose not to search Word backup and auto-recover files. However, Protek does not appear to have searched through WordPerfect backup files either, which are .bk* files (where * is a number). Similarly, many programs use the .bak file extension for backups, and the .tmp file extension is common for any temporary working file.

Compressed .zip files and archives (collections of files and folders) are common on Windows computers, but Zip format is not the only compression method that could have been used to collect the Memo and the associated documents that Gleick released. WinZip uses a .zipx extension in addition to standard .zip files. Apple OS computers often use StuffIT, which compresses data into .sit and .sitx files. Gzip is an industry standard and it produces files with a .gz extension. Yet none of these compression file extensions were searched by Protek either. Given the sheer number of possible archive file compression options (see this matrix at Wikipedia for a visual overview of the problem), searching within only .zip files without at least explaining the rationale for ignoring all the other compression files is not credible.

And this doesn’t even begin to touch the complexities of whether the file was written on a device that uses a non-standard text format. Smartphone note-taking apps often save notes in a specialized ASCII text format that is specific to the app instead of attached to some form of standard. Basic text documents can often be saved without any file extension at all. Apple word processors like iWorks use entirely different file extensions, none of which were searched (or their exclusion explained) according to the Protek report. And there’s no indication that Protek looked at Internet files that are generated in the Internet cache when someone edits an on-line document from a site like Google Docs/Drive. Had the Memo been authored using Google Docs, there’s no indication that Protek’s investigation of just standard word processing software would have found it.

Finally, Protek’s report doesn’t mention whether or not there was evidence of secure deletion on any of the imaged hard drives. Secure deletion is a method that permanently removes any indication the bits were ever present, even from “unallocated space.” However, this method often leaves detectable traces that something was securely deleted, either in the form of large regions of 0 bits, 1 bits, or uncharacteristically randomized 0s and 1s. While the Memo, if it ever existed on Heartland’s computers, would not be detectable once it was securely deleted, the deletion of something would have been, and yet Protek’s report doesn’t indicate whether or not they scanned for such evidence.

S&R repeatedly asked Protek why they didn’t investigate (or report investigating) additional file formats, temporary Internet cache files, and securely deleted regions, but they again didn’t respond.

Protek’s email investigation misses webmail options

In addition to the data searches on Heartland’s Chicago workstations and servers, Protek also searched the Heartland email system for evidence of the Memo. Protek created a forensic image of the Exchange Node Database and then searched the image for the same digital fingerprints that they searched for on the hard drives. Protek found that the Memo did not appear to have been created as an email on the Heartland email server or emailed to or from anyone at Heartland as an attachment (but only as a .doc, .docx, .pdf .rtf, .wpd, or .zip file) before it was posted online on February 14, 2012.

There’s two possibilities for how the Memo could have been created in Heartland’s Chicago headquarters but still been missed by Protek’s investigation. First, it could have been attached as some kind of file that Protek failed to search in, like a .odt Open Document file. Second, it could have been composed on a personal Webmail account such as Hotmail and then distributed to the subset of Institute Board and senior staff mentioned by the Memo’s author. In this case, the email might not be detectable anywhere on the Heartland system. Even if the Memo were detectable, it would only be through a careful search of the temporary Internet cache files that Protek did not analyze.

S&R asked Protek if their investigation would have detected the Memo if it had been written via a webmail interface of some kind, but they did not respond to repeated request for comment.


As part of S&R’s analysis of Protek’s investigation report, S&R contacted several computer scientists and information technology experts. All agreed that Protek’s investigation as documented was too narrow to support the broad conclusion that the Memo was not created by someone at The Heartland Institute. What is unclear is whether Protek failed to ask the right questions, whether Heartland denied Protek enough access to their system, or whether Heartland refused to pay Protek for a more thorough analysis.

What is known is the following:

  • Protek’s investigation did not identify all the people they interviewed, and the descriptions of the people interviewed did not include all of the likely sources of the Memo.
  • Protek only analyzed digital data from The Heartland Institute’s Chicago headquarters and three personal computers of Joe and Diane Bast, yet modern networking and telecommuting would enable any Heartland employee to author the Memo from a satellite office or from home in a manner that Protek’s analysis would not detect.
  • Protek’s focus on workstation and server computers might have neglected to scan laptops and would have missed tablet computers, netbooks, and smartphones as devices on which the Memo could have been authored.
  • Protek’s focus on hard drives would have missed thumb drives, tape backups, DVDs and CD-RWs, and perhaps most critical of all, would not have detected the Memo had it been saved in one of Heartland’s off-site backups.
  • Protek’s search for digital fingerprints focused on five word processing file formats and one file compression/archiving format, but would have missed a large number of common text file formats and any file stored in an alternative compression format. Protek also did not search within files created by word processors in the course of authoring and printing, but not saving, the Memo.
  • Protek did not analyze whether the Memo could have been written using an on-line document service such as Google Docs.
  • Protek’s investigation would not detect the Memo if it were an email attachment in any file format other than the five formats they searched, and Protek did not investigate the possibility of the Memo having been authored in a webmail interface.

At the end of their investigation, Protek issued a broad conclusion that “the Memo was not created on the Heartland System and never existed there prior to February 14, 2012.” But the many large holes that S&R identified in Protek’s analysis casts a significant shadow of doubt over Protek’s conclusion. In reality, Protek’s conclusion is more strictly limited than their investigation implies, and the best that Protek can really say is that they found no evidence that the Memo had been created at Heartland’s Chicago headquarters in the few places they looked.

Given the flaws in Protek’s analysis, the absence of evidence demonstrating Heartland authored the Memo cannot be considered evidence that Heartland didn’t author it. A much more thorough investigation than what is documented in the Protek investigation report would be required to prove beyond a reasonable doubt that no-one at Heartland authored the Memo.

Image credits:
Peter Sinclair of Climate Denial Crock of the Week
The Heartland Institute

2 replies »