b1 b3 b7E U.S. Department of Justice Federal Bureau of Investigation July, 2016 Washington, DC. CLINTON E-MAIL INVESTIGATION MISHANDLING OF CLASSIFIED [l KNOWN SUBJECT OR COUNTRY (SIM) b1 b3 This report recounts the information collected in this investigation. It is not intended to address potential inconsistencies in, or the validity of, the information related herein. b3 b7E (UHF-OHS) On July 10, 2015, the Federal Bureau of Investigation (FBI) initiated a full investigation based upon a referral received from the US Intelligence Community Inspector General (ICIG), submitted in accordance with Section 811(c) of the Intelligence Authorization Act of 1995 and dated July 6, 2015, regarding the potential unauthorized transmission and storage of classi?ed information on the personal e-mail server of former Secretary of State Hillary Clinton (Clinton).a The investigation focused on determining whether classified information was transmitted or stored on unclassified systems in violation of federal criminal a (UHF-GHQ) For a complete listing of the interviews conducted, electronic media collected, legal process issued, and classified e- mails identified during this investigation, please refer to Appendices As background, Clinton was Secretary of State from January 21, 2009 through February 1, 2013Page 1 of47 b3 b7E 131 b3 b7E statutes and whether classi?ed information was compromised by unauthorized individuals, to include foreign governments or intelligence services, via cyber intrusion or other means. (UHF-GEO) In furtherance of its investigation, the FBI acquired computer equipment and mobile devices, to include equipment associated with two separate e-mail server systems used by Clinton, and forensically reviewed the items to recover relevant evidence. In response to FBI requests for classi?cation determinations in support of this investigation, US Intelligence Community (USIC) agencies determined that 81 e-mail chains,b?C which FBI investigation determined were transmitted and stored on Clinton' UNCLASSIFIED personal server systems, contained classi?ed information ranging from the CONFIDENTIAL to TOP SPECIAL ACCESS PROGRAM levels at the time they were sent between 2009-2013. USIC agencies determined that 68 of these e-mail chains remain classi?ed. In addition, the classi?cation determination process administered by the US Department of State (State) in connection with Freedom of Information Act (FOIA) litigation identi?ed approximately 2,000 additional e-mails currently classi?ed CONFIDENTIAL and 1 e-mail currently classi?ed SECRET, which FBI investigation determined were transmitted and stored on at least two of Clinton's personal server systems. The investigation and forensic analysis did not ?nd evidence con?rming that Clinton' e-mail accounts or mobile devices were compromised by cyber means. However, investigative limitations, including the inability to obtain all mobile devices and various computer components associated with Clinton's personal e-mail systems, prevented the FBI from conclusively determining whether the classi?ed information transmitted and stored on Clinton' personal server systems was compromised via cyber intrusion or other means. The FBI did ?nd that hostile foreign actors successfully gained access to the personal e-mail accounts of individuals with whom Clinton was in regular contact and, in doing so, obtained e-mails sent to or received by Clinton on her personal account. 1. Clinton's Personal E-Mail Server Systems A. Initial E?mail Server: June 2008 7 March 2009 In or around 2007, Justin Cooper, at the time an aide to former President William Jefferson Clinton (President Clinton), purchased an Apple OS server (Apple Server) for the sole purpose of hosting e-mail services for President Clinton' staff. 1?2 Due to concern over ensuring e-mail reliability and a desire to segregate e-mail for President Clinton' various post- presidency endeavors, President Clinton' aides decided to maintain physical control of the Apple Server in the Clinton residence in Chappaqua, New York (Chappaqua residence). 3?4?5 According to Cooper, in or around June 2008, a representative from Apple installed the Apple (UHFGHO) The number of classified e-mail chains identified may change as classification determination responses continue to be returned to the FBI. For the purposes of the 5 investigation, an ?e-mail chain? is defined as a set of e-mail responses having the same initial e-mail. The subject line may be edited in these chains to re?ect the purpose of the forward or reply. (UHF-GEO) State did not provide a determination with respect to the classification of these e-mails at the time they were sent. According to State Under Secretary of Management, Patrick Kennedy, unclassified information provided to State in confidence can later be considered classified when it is ?further assessed the disclosure of such information might damage national security or diplomatic relationships.? Such information is referred to as ?up-class? or ?up-classified.? Page 2 of 47 b1 b3 b7E b1 SEC FORN b3 b7E Server6 in the basement of the Chappaqua residence.6?7 The FBI was unable to obtain records from Cooper or Apple to verify the installation. At the time, Cooper was the only individual with administrative access to the Apple Server; however, the Clinton family and their Chappaqua residence staff had physical access to the Apple Server. 8?9 The Apple Server initially hosted the domains presidentclintoncom and chof?ce.com, which were used by President Clinton' flO 11 staff. (UHF-GHQ) Prior to January 21, 2009, when she was sworn in as the US Secretary of State, Clinton used a personally-acquired BlackBerry device with service initially from Cingular Wireless and later Wireless, to access her e-mail accounts. 12?13 Clinton initially used the e-mail addresses hrl5@mvcingularblackberrvnet and then changed to hr15@att.blackberrv.net. 14?? According to Cooper, in January 2009, Clinton decided to stop using her hr15@att.blackberrv.net e-mail address and instead began using a new private domain, clintonemail.com, to host e-mail service on the Apple Server. 16 Clinton stated to the FBI that she directed aides, in or around January 2009, to create the clintonemail.com account, and as a matter of convenience her clintonemail.com account was moved to an e-mail system maintained by President Clinton' aides. 17 While Cooper could not speci?cally recall registering the domain, Cooper was listed as the point of contact for clintonemail.com when the domain was registered with a domain registration services company, Network Solutions, on January 13, 2009.18?19 Clinton used her att.blackberry.net e-mail account as her primary e-mail address until approximately mid-to-late January 2009 when she transitioned to her newly created hdr22@clintonemail.com accountzo?21 The FBI did not recover any information indicating that Clinton sent an e-mail from her hr15@att.blackberrv.net e-mail after March 18, 2009. According to Cooper, in or around January 2009 the decision was made to move to another server because the Apple Server was antiquated and users were experiencing problems with e-mail delivery on their BlackBerry devices. 2?23 At the recommendation of Huma Abedin, Clinton's long-time aide and later Deputy Chief of Staff at State, in or around fall 2008, Cooper contacted Bryan Pagliano, who worked on Clinton' 2008 presidential campaign as an information technology specialist, to build the new server system and to assist Cooper with the administration of the new server system.24?25?26?27 Pagliano was in the process of liquidating the computer equipment from Clinton' presidential campaign when Cooper contacted Pagliano about using some of the campaign's computer equipment to replace the existing Apple Server at Clinton' Chappaqua residencezg?29 Pagliano was unaware the server would be used by Clinton at the time he was building the server system; rather, he believed the server would be used by President Clinton' staff.30 Clinton told the FBI that at some point she became aware there was a server in the basement of her Chappaqua residence. 31 However, she was unaware of the transition from the Apple Server managed by Cooper to another server built by Pagliano and therefore, was not involved in the transition decision.32 B. Second E?mail Server: March 2009 7 June 2013 The Apple Server consisted of an Apple Power Macintosh G4 or G5 tower and an HP printer. (U #5869) Investigation determined - I presidentclinton com domain to include 136 President Clinton did not maintain an e-mail account on the Apple Server. The e-mail b'7C domain choffice.com was primarily a legacy domain that contained mostly forwarded e-mail. Page 3 of 47 b1 SWN b3 b7E Wr Between the fall of 2008 and January 2009, Pagliano requisitioned the original hardware for the second e-mail server from Clinton's presidential campaign headquarters in Arlington, VA. 33 In addition to hardware acquired from Clinton's presidential campaign, Pagliano and Cooperg purchased additional necessary equipment through commercial vendors34?35?36?37 In March 2009, after installed the necessary software, he and Cooper met at Clinton' Chappaqua residence to physically install the server and related equipment in a server rack in the Clintons' basemen t.l1,38,39 agliano had acquired all of the server equipment and (UHF-GHQ) Once the new server system1 was physically installed and powered on, Pagliano began migrating the e-mail data from the Apple Server to the Pagliano-administered server system (Pagliano Server).40 Pagliano believed he ?popped out? all of the e-mail from the Apple Server and that no e-mail content should have remained on the Apple Server once the migration took place.41 Pagliano accounts for Abedin and ated to the FBI the only transferred clintonemailcom e-mail from the Apple Server and said he was unaware of and did not transfer an e-mail account for Clintonj?42 However, Cooper stated to the FBI that he believed Clinton had a clintonemailcom e-mail account on the Apple Server, and that Abedin did not have a clintonemailcom account on the Apple Server.43 As the FBI was unable to obtain the original Apple Server for a forensic review for reasons explained below, the FBI cannot determine which clintonemailcom e-mail accounts were hosted on, and transferred from, the Apple Server to the Pagliano Server. After the e-mail account migration was completed, Cooper changed the Mail Exchange (MX) recordsk to ensure that delivery of all subsequent e-mail to or from e-mail addresses on the presidentclintoncom and clintonemailcom domains would be directed toward the new Pagliano Server instead of the Apple Server. 44 The Pagliano Server was only used for e- mail management, and the review of the oldest available backup image of this server, dated Jupe 24, 2013, did not indicate that any e-mail users' files were stored on the Pagliano Server. In March 2009, following the e-mail migration from the Apple Server to the Pain 0 Server the Apple Server was epurposed to serve as a personal computer for household staff. 4 at Clinton's Chappaqua residence, subsequently used the Apple Server equipment as a workstation.47 In 2014, the data on the Apple computer was transferred to an Apple iMac computer, and the hard drive of the old Apple computer, which ?5 (U7903999) Cooper ha land was often responsible for reimbursing staff for purchases/expe 565. Pagliano visited Clinton' 5 Chappaqua residence on at least three occasions to work on the server: in March 2009, to install the server; in June 2011, to upgrade the equipment; and in January 2012, to fix a hardware issue. 1 The Pagliano Server initially consisted of the following equipment: a Dell PowerEdge 2900 server ninning Microsoft Exchange for e-mail hosting and management, a Dell PowerEdge 1950 server running BlackBerry Enterprise Server (BBS) for the management of BlackBerry devices, a Seagate external hard drive to store backups of the Dell PowerEdge 2900 server, a Dell switch, a Cisco firewall, and a power supply. An e-mail obtained during the FBI investigation from Cooper to Clinton, indicated that in April 2009, Cooper was preparing to update Clinton' 5 BlackBerry to ?put it on our new system.? (U) An MX record determines which server will handle e-mail delivery for a domain and is necessary for routing e-mail to its proper destination. Rl?_ Page b7E 131 b3 b7E previously served as the Apple Server was discarded.48 On October 14, 2015, Williams Connolly LLP (Williams Connolly), counsel for Clinton, con?rmed to the Department of Justice (DOJ) that a review of the iMac was conducted, pursuant to a request by DOJ, and no e- mails were found belonging to Clinton from the period of her tenure as Secretary of State.49 (UHF-GHQ) Pagliano and Cooper both had administrative accounts on the Pagliano Server. 50 At Cooper's direction, Pagliano handled all software upgrades and general maintenance.51 Cooper described his role as ?the customer service face,? and he could add users or reset passwords on the e-mail server. 52 Cooper and Pagliano both handled the acquisition and purchase of server- related items. 53 For example, in March 2009, Cooper registered a Secure Sockets Layer (S certificate at Pagliano' 5 direction for added security when users accessed their e-mail from various computers and devices. 54?55 Clinton stated she had no knowledge of the hardware, software, or security protocols used to construct and operate the servers.56 When she experienced technicsal issues with her e-mail account she contacted Cooper for assistance in resolving those 1ssues. Pagliano stated that a complete backup of the Pagliano Server was made on a Seagate external hard drive once a week and a differential backupIn was completed every day, and this continued from the initial Pagliano Server installation in March 2009 until June 2011 when the external hard drive was replaced.58 As space on the hard drive ran out, backups were deleted on a ?first in, first out? basis.59 In June 2011, Pagliano replaced the Seagate external hard drive with a Cisco Network Attached Storage (N AS) device, to store backups of the server.60 The FBI was unable to forensically determine how frequently the NAS captured backups of the Pagliano Server. According to Pagliano, in early 2013, due to user limitations and reliability concerns regarding the Pagliano Server, staff for Clinton and President Clinton discussed future e-mail server options, and a search was initiated to find a vendor to manage a Clinton e-mail server?.61 Additionally, Pagliano' 3 expressed desire to seek new employment contributed to the decision to move to a new server.62 A search for the new vendor was facilitated with the assistance 0 b6 IInfograte, an information technology consulting company.63?6 MC Iwas introduced to Clinton' Chief of Staff, Cheryl Mills, on or about January 2, 2013 through a mutual business she worked with Mills and Pagliano to produce a request for proposal which was used to solicit responses from multiple firms, including Denver-based information technology ?rm Platte River Networks Clinton recalled that the transition to the PRN Server was initiated by President Clinton' 5 aides seeking a higher level of service than could be provided by the Pagliano Server.68 Pagliano identified President Clinton' s Ias making the final decision to 136 select PRN.69 In the spring of 2013, PRN negotiated the terms of the contract to host e-mail MC services and eventually signed a Service Level Agreement on July 18, 2013.70?71 1 (U) SSL is a security protocol used to establish an connection between a server and another machine, allowing sensitive information such as 10 gin credentials or credit card information to be transmitted in an format instead of in plain text. SSL certificates, issued by a third-party Certificate Authority, are small files that must be installed on servers to establish secure sessions with web browsers. (U) A differential backup is a cumulative backup of all changes that have occurred since the last full backup. The new Clinton e-mail server hosted e-mail for Clinton, President their respective b6 Staffs. b7c Page 5 of 47 Wm b1 b3 b7E SEWRB C. Third E?mail Server: June 2013 October 2015 Following the selection of PRN to manage the Clintons' personal e-mail server and accounts, 3 management assigned two PRN employees to handle the rimary installation and administration of the third server stem (PRN Server).7 who worked remotel from his home inl: handled day-to-day administration for the PRN Server, an who worked at headquarters in Colorado, handled all hardware installation and any required physical ?hands-on?) maintenance for the PRN Server.??73 During the transition to the PRN Server, advised he worked with Pagliano to understand the existing architecture of the Pagliano Server.74 As part of this transition process, on or around June 4, 2013 was granted administrator access to the Pagliano Server, as well as anysegc?qorrgpanying services, such as the domain registration services through Network Solutions. (UHF-GEO) On June 23, 2013J: traveled to Clinton's Chappaqua residence, where he powered down the Pagliano Server and transported it to a datacenter in Secaucus, New Jersey, run by Equinix, Inc. The PRN Server remained at the Equinix facilit until it was voluntarily produced to the FBI on October 3, 2015.82?83 The only equipmentlilleft at the Chappaqua residence was the existing ?rewall and switch, since PRN intended to purchase its own ?rewalls and switches. 8 reconnected and powered on the equipment for the Pagliano Server at the datacenter, so users could connect to their e-mail accounts,85 and he continued to work at the datacenter for a few days setting up the remainin equipmentp for the PRN Server.8 completed all of the onsite work, while worked remotely to get the server online. 5? Afte eft Secaucus, New Jersey, to travel back to headquartersj all ihysical pieces of hardware had been installed except for an intrusion detection device old the FBI that Equinix installed this device shortly after he left because the intrusion etection device was shipped later.88 On or around June 30, 2013, began to remotely migrate all e-mail accounts from the Pagliano Server to the PRN Server. 89 During this migration period, the two server systems functioned together to ensure uninterrupted e-mail delivery to users. 90 After several days of migration, all e-mail accounts hosted on the presidentclintoncom, wicofficecom, and clintonemailcom domains were transferred to the PRN Serverq?91 At that point, PRN kept the Pagliano Server online to ensure e-mail was still being delivered; however, the Pagliano Server was no longer hosting e-mail services for the Clintons.92 A third PRN employee,l: only handled a few tasks related to the administration of the server system until he left the company in the Summer of 2015. The PRN Server consisted of the following equipment: a Dell PowerEdge R620 server hosting four virtual machines, including four separate virtual machines for Microsoft Exchange e-mail hosting, a BES for the management of BlackB erry devices, a domain controller to authenticate password requests, and an administrative server to manage the other three virtual machines, a Datto SIRIS 2000 to store onsite and remote backups of the server system, a CloudJacket device for intrusion prevention two Dell switches, and two Fortinet Fortigate 80C firewalls. ?1 (UHF-GEO) Thel: domain was also added to the PRN Server at a later date. Page b7E b1 b3 SECRE FORT As part of the PRN Server environmentl:lold the FBI that he con?gured a backup device from Connecticut-based company Datto, Inc. (Datto), a Datto SIRIS 2000,r to 1,5 take multiple snapshots of the server system daily, with a retention period of 60 days. 93 The b7c backup device also made multiple copies of the Pagliano Server between June 24, 2013 and December 23, 2013.94 At the Clintons' request, PRN only intended that the backup device store local copies of the backupsgs?96 However, in August 2015, Datto informed PRN that, due to a technical oversight, the PRN Server was also backing up the server to Datto' secure cloud storage. (After this noti?cation, PRN instructed Datto to discontinue the secure cloud backups. stated the Clintons originally requested that e-mail on the PRN Server be 136 such that no one but the users could read the content. 101 However, PRN ultimately did MC not con?gure the e-mail settings this way to allow system administrators to troubleshoot problems occurring within user accounts.102 PRN utilized an Intrusion Detection System (IDS)/Intrusion Prevention System (IPS) called CloudJacket from SECNAP Network Security. 103 The device implemented by PRN had pre-con?gured settings that blocked or blacklisted certain e-mail traf?c identi?ed as potentially harmful and provided real-time monitoring, alerting, and incident response services. 104?105 SECNAP personnel would receive noti?cations when certain activity on the network triggered an alert. 106 These noti?cations were reviewed by SECNAP personnel and, at times, additional follow-up was conducted with PRN in order to ascertain whether speci?c activity on the ietwork was normal or anomalous. 107 Occasionally, SECNAP would send e-mail noti?cations to prompting him to block certain IP addresses. 10 described 136 these noti?cations as normal and did not recall any serious security incident or 1ntrus1on b7c attempt.109 PRN also implemented two ?rewalls for additional protection of the network. stated that he put two ?rewalls in place for redundancy in case one went down.110 According to the 3 forensic analysis of the server system, on December 3, 2013, Microsoft Exchange was uninstalled on the Pagliano Server. 111 The Pagliano Server remained in the same server cage at the Equinix datacenter in Secaucus, New Jersey, and a forensic review of the server, which was obtained in August 2015 via consent provided by Clinton through Williams Connolly, indicated that it continued to be powered on and off multiple times before the FBI obtained it.112 At the time of the acquisition of the Pagliano Server, Williams Connolly did not advise the US Government (USG) of the existence of the additional equipment associated with the Pagliano Server, or that Clinton' clintonemailcom e-mails had been migrated to the successor PRN Server remaining at Equinix. The sub sequent investigation identi?ed this additional equipment and revealed the e-mail migration. As a result, on October 3, 2015, the FBI obtained, via consent provided by Clinton through Williams Connolly, both the remaining Pagliano Server equipment and the PRN Server, which had remained operational and was hosting Clinton' personal e-mail account until it was disconnected and produced to the FBI 113,114,115,116 (U The Datto SIRIS 2000 is a device that provides back-up capability and data redundancy. Page 7 of 47 1 SEWRN b3 b7E W121 Investigation determined Clinton and Abedin began using new e-mail accounts on the domain hrcof?cecom in December 2014.111 118,119 Abedin stated the clintonemailcom system was ?going away? and, following the initiation of the new domain, Abedin did not have access to her clintonemailcom 120 account. I 21,122 This is consistent with representations made by Williams Connolly, which stated in a February 22, 2016 letter: ?Secretary Clinton did not transfer her clintonemailcom e-mails for the time period January 21, 2009 through February 1, 2013 to her hrcof?cecom account 123 The investigation found no evidence Clinton' hrcof?cecom account contained or contains potentially classi?ed information or e-mails from her tenure as Secretary of State. The FBI has, therefore, not requested or obtained equipment associated with Clinton's hrcofficecom account. D. Mobile Devices Associated with Clinton?s E?mail Server Systems Clinton stated she used a personal e-mail address and personal BlackBerry for both personal and of?cial business and this decision was made out of convenience.124 Abedin recalled that at the start of Clinton' tenure, State advised personal e-mail accounts could not be linked to State mobile devices and, as a result, Clinton decided to use a personal device in order to avoid carrying multiple devices. 125' Cooper stated that he was aware of Clinton using a second mobile phone number. 5? Cooper indicated Clinton usually carried a ?ip phone along with her BlackBerry because it was more comfortable for communication and Clinton was able to use her BlackBerry while talking on the ?ip phone. 129 Clinton believed 212 was her primary BlackBerry phone number, and she did not recall using a ?ip phone during her tenure at State, only during her service in the Senatet?130 Abedin and Mills advised they were unaware of Clinton ever using a cellular phone other than the BlackBerry. 131?132 FBI investi ation identified 13 total mobile devices, associated with her two known phone numbers, 212I:Iand 212 which potentially were used to send e-mails using Clinton' clintonemailcom e-mail addresses. 133 Investigation determined Clinton used in succession 11 e-mail capable BlackBerry mobile devices associated with 212 eight of which she used during her tenure as Secretary of State. 134 Investi ration identi?ed Clinton used two e-mail capable mobile devices associated with 212 after her tenure.??135 On (UHF-GHQ) During his interview with the FBI, Cooper was mistakenly shown ?202: as the secon mber. Cooper recognized the phone number as Clinton' 5 second number; however the correct phone number is 21 (U #5666) toll records associated with 21 ndicated the number was consistently used for phone calls in 2009 and then used sporadically through the duration of Clinton' 5 tenure and the years following. Records also showed that no BlackBerry devices were associated with this phone number. The FBI identified four additional mobile devices associated with 21 hich were used during Clinton' 5 tenure. However, these devices lacked e-mail capability, and as a remit the FBI did not conduct any further investigation regarding these devices. Page 8 of 47 SWRN b7E b3 February 9, 2016, DOJ requested all 13 mobile devices from Williams Connolly. 136 Williams ME Connolly replied on February 22, 2016 that they were unable to locate any of these devices. 137 As a result, the FBI was unable to acquire or forensically examine any of these 13 mobile devices. On October 16, 2015, Williams Connolly provided two other BlackBerry devices to the FBI and indicated the devices might contain or have previously contained e-mails from Clinton' personal e-mail account during her tenure as Secretary of State.V?138?139 FBI forensic analysis found no evidence to indicate either of the devices provided by Williams Connolly were connected to one of Clinton' personal servers or contained e-mails from her personal accounts during her tenure. 140? 141?142 The FBI identi?ed ?ve iPad devices associated with Clinton which potentially were used to send e-mails from Clinton' clintonemail.com e-mail addresses. 143?144?145?146 The FBI obtained three of the iPads. 147?148?149 One iPad contained three e-mails from 2012 in the hdr22@clintonemail.com ?drafts? folder. 150 The FBI assessed the three e-mails did not contain potentially classi?ed information. 151 The FBI did not recover e-mails from Clinton' 5 personal e- mail accounts from either of the other two iPads in its possession. 152 (UHF-OHS) Monica Hanley, a former Clinton aide, often purchased replacement BlackBerry devices for Clinton during her tenure at State. 153 Hanley recalled purchasing most of the BlackBerry devices for Clinton from stores located in the Washington, DC. area. 154 Whenever Clinton acquired new mobile devices, Cooper was usual responsible for setting up the new devices and syncing them to the server. 155 Abedin, and Hanley also assisted Clinton with setting up any new devices. 156 According to Abedm, it was not uncommon for Clinton to use a new BlackBerry for a few days and then immediately switch it out for an older version with which she was more familiar. 157 Clinton stated that when her BlackBerry device malfunctioned, her aides would assist her in obtaining a new BlackBerry, and, after moving to a new device, her old SIM cards were disposed of by her aides. 158 Cooper advised he sometimes assisted users, including Clinton, when they obtained a new mobile device by helping them back up the data from the old device before transferring it to the new device and syncing the new device with Clinton' server. 159 Abedin and Hanley indicated the whereabouts of Clinton' devices would frequently become unknown once she transitioned to a new device. 160?161 Cooper did recall two instances where he destroyed Clinton' old mobile devices by breaking them in half or hitting them with a hammer. 162 b6 b7C 2. Clinton's Handling of E-mail and Classi?ed Information A. Clinton?s Decision 0 Use Personal E?mail and Server Systems (UHF-GHQ) FBI investigation determined the State Executive Secretariat' 5 Of?ce of Information Resource Management offered Clinton a State e-mail address at the start of her The mobile devices provided to the FBI from Williams Connolly on October 16, 2015 did not contain SIM cards or Secure Digital (SD) cards. Page 9 of 47 b1 b3 SECRET ME b1 133 SEC NOFORD b7}: tenure' however, Clinton' staffW declined the offer. 163 According to I: State Clinton was offered a State e-mail address, but instead decided to use b6 the personal server from her 2008 presidential campaign. 164 Investigation identi?ed the NC existence of two State-issued e-mail accounts associated with Clinton; however, these accounts were used on Clinton' 5 behalf and not by Clinton herself. According to State, was used to send e-mail messages from the Secretary to all State employees. 161166 This account was not configured to receive e-mails, and authored the messages sent from this account. 167 created to manage an Outlook calendar for Clinton, but this account was not configured to send or receive e-mails other than calendar invitations. 168?169 A May 25, 2016 report issued by the State Office of Inspector General stated that, during Clinton' 3 tenure as Secretary of State, the State Foreign Affairs Manual (FAM) required day-to-day operations at State be conducted using an authorized information system.170 The OIG stated it found ?no evidence? that Clinton sought approval to conduct State business via her personal e-mail account or private servers, despite her obligation to do so. 171 Clinton told the FBI that she did not explicitly request permission from State to use a private server or e-mail address. 172 According to the State OIG report, State employees alleged that John Bentel, then-Director of discouraged employees from raising concerns about Clinton' 5 use of personal e-mail. 2?1? When interviewed by the FBI, Bentel denied that State employees raised concerns about Clinton' e-mail to him, that he discouraged employees from discussing it, or that he was aware during Clinton' tenure that she was using a personal e-mail account or server to conduct official State business. 174 (UMP-866) The FBI investigation determined some Clinton aides and senior-level State employees were aware Clinton used a personal e-mail address for State business during her tenure. Clinton told the FBI it was common knowledge at State that she had a private e-mail address because it was displayed to anyone with whom she exchanged e-mails.175 However, some State employees interviewed by the FBI explained that e-mails from Clinton only contained the letter in the sender ?eld and did not display her e-mail address. 176?177?178 The majority of the State employees interviewed by the FBI who were in e-mail contact with Clinton indicated they had no knowledge of the private server in her Chappaqua Clinton' immediate aides, to include Mills, Abedin, Jacob Sullivan,a&l and : told the FBI they were unaware of the existence of the private server until 135 after Clinton' 5 tenure at State or when it became public knowledge. 185?186?187?188 b7c (U1713630) employees interviewed indicated they did not communicate directly with Clinton regarding this issue and could not specifically ident' the members of Clinton's immediate staff with whom they spoke. According tol?lpart of his job at State was to maintain and support the infrastructure for the 136 UNCLASSIFIED and SECRET networks for the Executive Secretariat. b7c (U #17669) Independent of the 5 investigation, in April 2015, the State OIG initiated its own investigation and review of records management policies and practices regarding the use of non-State communications systems during the tenure of five Secretaries of State, including Clinton. Portions of the State May 25, 2016 report relevant to the 5 investigation are cited herein. 2 (U) According to the State OIG report, two State information management staff members approached the Director of the IRM in 2010 with concerns they had about Clinton' 5 use of a personal e-mail account and compliance with federal records requirements. According to one staff member, the Director stated that Clinton's personal system had been reviewed and approved by State legal staff. The Director allegedly told both staff members never to discuss Clinton's personal e-mail system again. OIG found no evidence that State legal staff reviewed or approved Clinton's personal e-mail system. 33 (U) Sullivan served as the Deputy Chief of Staff and later the Director of Policy and Planning during Clinton's tenure as Secretary of State. Page 10 of 47 b1 SECRET b3 b7E b1 b3 b7E SWN The FBI investigation indicated Clinton was aware her use of a personal device, e- mail account, and server did not negate her obligation to preserve federal records. On January 23, 2009, Clinton contacted former Secretary of State Colin Powell via e-mail to inquire about his use of a BlackBerry while he was Secretary of State (January 2001 to January In his e-mail reply, Powell warned Clinton that if it became ?public? that Clinton had a BlackBerry, and she used it to ?do business,? her e-mails could become ?of?cial record[s] and subject to the law.?190 Powell further advised Clinton, ?Be very careful. I got around it all by not saying much and not using systems that captured the data.? 191 Clinton indicated to the FBI that she understood Powell's comments to mean any work-related communications would be government records, and she stated Powell' 5 comments did not factor into her decision to use a personal e-mail account. 192 In an e-mail to Mills on August 30, 2011, State Executive Secretary, Stephen Mull, cited a request from Clinton to replace her temporarily malfunctioning personal BlackBerry with a State-issued device. 193 Mull informed Mills that a State-issued replacement device for Clinton' personal BlackBerry would be subject to FOIA requests. 194 On that same day, Bentel sent a separate e-mail to Hanley, which was later forwarded to Abedin, stating that e-mails sent to a State e-mail address for Clinton would be ?subject to FOIA searches.?195 A State-issued device was not ultimately issued to Clinton; in her FBI interview, Abedin stated she felt it did not make sense to temporarily issue Clinton a State BlackBerry because it would have required significant effort to transfer all of her e-mails and contacts to a device that she would have only used for a few days. 196 The Mull and Bentel e-mails to Mills and Hanley did not indicate that transferring e-mail and/or contacts from Clinton' 5 clintonemailcom account would be necessary to issue her a State BlackBerry.197?198?199 Abedin stated she always assumed all of Clinton' 5 communications, regardless of the account, would be subject to FOIA if they contained work- related material.200 b6 While State policy during Clinton' tenure required that ?day-to-day operations jat b7C State] be conducted on [an authorized informatioa svsteml ?201 a cording to the the Bureau of Information Security Management, there was no restriction on the use of personal email accounts for of?cial business.M However, State employees were cautioned about security and records retention concerns regarding the use of personal e-mail. In 2011, a notice to all State employees was sent on Clinton' behalf, which recommended employees avoid conducting State business from personal e-mail accounts due to information security concerns.203 Clinton stated she did not recall this specific notice, and she did not recall receiving any guidance from State regarding e-mail policies outlined in the State FAM.204 Interviews with two State employees determined that State issued guidance which required employees who used personal e-mail accounts for State business to forward those work-related e-mails to their official State account for record-keeping purposeszos?206 Investigation determined that State used the State Messaging and Archive Retrieval Toolset (SMART), which allows employees to electronically tag e-mails to preserve a record According to Ithen State's] ISMART was developed to automate and streamline the process for archiving records. ?1 1? According to the b6 b7C bb (U) According to the State OIG report, when Powell arrived at State in 2001, the official unclassified e-mail system in place only permitted communication among State employees; therefore, Powell requested the use of a private line for his America Online (AOL) e-mail account to communicate with individuals outside of State. Prior to Powell' 5 tenure, State employees did not have Internet connectivity on their desktop computers. During Powell' 5 tenure, State introduced unclassified desktop external e- mail capability on a system known as OpenNet. Page 11 of 47 b1 b3 b7E b1 b3 b7E SEC State OIG Report, IRM introduced SMART throughout State in 2009; however, the Of?ce of the Secretary elected not to use the SMART system to preserve e-mails, part1 due to concerns that the system would ?allow overly broad access to sensitive the FBI that representatives from the Executive Secretariat asked to be the last to receive the SMART rollout, and ultimately SMART was never rolled out to the Executive Secretariat Of?ce.2 12 This left the ?print and ?le? method as the only approved method by which the Of?ce of the Secretary could preserve record e-mails.213 b6 b7C Mills wrote in a letter to State, dated December 5, 2014, that it was Clinton's practice to e-mail State of?cials at their government e-mail accounts for of?cial business, and, therefore, State already had records of Clinton' 5 e-mails preserved within State recordkeeping systems.214 Abedin also stated in her FBI interview that Clinton' 5 staff believed relevant e-mails would be captured and preserved by State if any of the senders or recipients were using an of?cial State e-mail account.215 The State OIG stated in its report that this was not an appropriate method of preserving record e-mails, and Clinton should have preserved any record e-mails created and received on her personal account by printing and ?ling the e-mails in the Of?ce of the Secretary.216 State OIG also determined Clinton should have surrendered all e-mails relating to State business before leaving her post as Secretary of State.217 Clinton stated that she received no instructions or direction regarding the preservation or production of records from State during the transition out of her role as Secretary of State in early 2013.218 Furthermore, Clinton believed her work-related e-mails were captured by her practice of sending e-mails to State employees' of?cial State e-mail accounts.219 B. Communications Equipment in linton?s State O?ice and Residences Investigation determined Clinton did not have a computer in her State of?ce, which was located in a Sensitive Compartmented Information Facility (SCIF) on the seventh ?oor of State headquarters, in an area often referred to as ?Mahogany Row.?220?221?222 State Diplomatic Security Service (DS) instructed Clinton that because her of?ce was in a SCIF, the use of mobile devices in her of?ce was prohibited.223 Interviews of three former DS agents revealed Clinton stored her personal BlackBerry in a desk drawer in DS ?Post which was located within the SCIF on Mahogany Row.224?225?226 State personnel were not authorized to bring their mobile devices into Post 1, as it was located within the SCIF.227 According to Abedin, Clinton primarily used her personal BlackBerry or personal iPad for checking e-mails, and she left the SCIF to do so, often visiting State' eighth ?oor balcony.228 Former Assistant Secretary of State for DS Eric Boswell stated he never received any complaints about Clinton using her personal BlackBerry inside the SCIF.229 W) b1 b3 ll his decision was relayed to Clinton' 5 executive staff via a memo titled ?Use of Blackberries in Mahogany Row,? dated March 6, 2009.232 Clinton stated to the FBI that she requested a secure BlackBerry while at State after hearing President Obama had one, but she The DS security detachment maintained a Post, known as Post 1, located in the SCIF and directly outside of Clinton's office on Mahogany Row. Page 12 of 47 SEW b1 b3 b7E -- Investigation determined Clinton had access to a number of State-authorized secure b1 b3 b7E mi could not recall the reasons why State was unable to ful?ll this requestdd?233 Early in Clinton' 3 tenure at State, Clinton' 8 executive staff also inquired about the possibility of the Secretary using an iPad to receive communications in her of?ce; however, this request was also denied due to restrictions associated with the Secretary's of?ce being in a SCIF.234 According to the State OIG report, in January 2009, in response to Clinton' desire to take her BlackBerry into secure areas, Mills discussed with of?cials and with the State Under Secretary for Management, Patrick Kennedy, alternative solutions which would allow Clinton to check e-mail from her desk.235 Setting up an Internet-connected, stand-alone computer was discussed as a viable solution; however, a stand-alone system was never set up.236 ?6,237 means of telephonic communication in her residences and in her of?ce at State. At the start . . . . . b3 of Clinton' 3 tenure, State installed a SCIF and secure communications equipment, 11 her residences 1n 7 According to Clinton, her request for a State-issued secure BlackBerry was not out of concern for the sensitivity of Washington, DC. (Whitehaven res1dence) and According to Abedin, Cooper, and there were personally-owned desktop computers in the SCIFs in Whitehaven and Chappaqua.243?244?245 Conversely, Clinton stated to the FBI she did not have a computer of any kind in the SCIFs in her residences.246 According to Abedin and Clinton, Clinton did not use a computer, and she primarily used her BlackBerry or iPad for checking e- mails. b6 b7C C. Individuals in Direct Communication with linton?s Personal E?mail Address Investigation determined a limited number of individuals maintained direct e-mail contact with Clinton through her personal clintonemailcom e-mail account during her tenure at State. Thirteen individuals, consisting of State senior-level employees, work-related advisors, and State executive administrative staff, maintained direct e-mail contact with Clinton and individually e-mailed her between 100 and 1,000 times during her tenure.11 Abedin, Mills, and Sullivan, were most frequently in e-mail contact with Clinton and accounted for 68 percent of the e-mails sent directly to Clinton. In addition to sending Clinton messages they wrote, Abedin, Mills, and Sullivan reviewed e-mails they received from other State employees, USG contacts, and foreign government contacts, and if deemed appropriate they then forwarded the information the information on the device she was using at the time, rather she b1 63 (snow According to Abedin Clinton' 5 State office containe b3 b6 Investigation determined the Chappaqua SCIF was not always seemed, and Abedin, Hanley, andl: had According to Abedin, the bur door at the Whitehaven residence was not always locked, and Abedin, Hanley, and b7c Ihad access to the SCIF. b6 routine access to the SCIF. hh 0 State installed the followin communications lines at the Whitehaven residence I bit Btate installed communications equipment at 3 the Chappa ua residence similar to that at the Whitehaven residence. State finished installation of the SCIF in the Chappaqua residence I ii The statistics in this paragraph are based on the e-mails provided by Williams Connolly as part of Clinton' 5 production to the FBI, excluding Clinton's personal correspondence with family and close friends, as well as e-mails Clinton forwarded to herself. Page 13 of 47 b1 b3 b7E b1 SECRE b3 - 247,248,249 - . . . . . b7E 0 Clinton. State employees adv1sed they cons1dered Abedln, Mills, and Sullivan the equivalent of e-mailing Clintonm251 Investigation identified hundreds of e-mails sent by Abedin and other State staff to presidentclintoncom e-mail address requesting him to print documents for Clinton. 135 b7C Some of these e-mails were determined to contain information classi?ed at the CONFIDENTIAL a security clearance at the SECRET level on October 25, 2007 from the Department of Defense Documentation retained by DOD and provided to the FBI did not indicatel security clearance was deactivated upon his retirement from the US Navy Reserves in September 2010.259 D. Clinton Sta?? Use of Personal E?mail Accounts for Official Business Clinton' immediate staff, to include Mills, Sullivan, Hanley, b6 told the FBI in interviews that they predominantly used their State-provided OpenNet e-mail MC accounts to conduct official State business.260?261?262?263?264 Exceptions to this practice included instances when the State OpenNet e-mail system was down or when staff was traveling internationally and OpenNet was not readily accessible.265?266?267?268?269 The 5 investigation confirmed that Clinton' immediate staff used their personal e-mail accounts in combination with their State-provided OpenNet e-mail accounts for official State business.kk E. Clinton?s Use ofPersonal E?mail Accounts While Overseas (UHF-GHQ) FBI investigation and the State OIG report determined that State issued regular notices to staff during Clinton' tenure highlighting cybersecurity threats and advising that mobile devices must be configured to State security guidelinesm?271 Clinton and her immediate staff were notified of foreign travel risks and were warned that digital threats began immediately upon landing in a foreign country, since connection of a mobile device to a local network provides opportunities for foreign adversaries to intercept voice and e-mail transmissions. The State Mobile Communications (MC) Team was responsible for establishing secure mobile voice and data communications for Clinton and her team when they were travelin domesticallv and abroad 274?275 When the securitv climate reouired the State MC was capable 0 lb): 272,273 could be recelved and v1ewed by and/or her deSIgnated startInvestlgatlon determlned that of the e-mall prov1ded by Connolly as b3 part of Clinton' production to the FBI, approximately e-mails were sent or received by Clinton on her personal e-mail accounts while she was traveling outside the continental United States (OCONUS) on of?cial State business??ml I 1? (UHF-6699 Investigation identified six e-mail chains forwarded chat were determined from the State FOIA review to b5 contain CONFIDENTIAL information. Five were forwarded by Abedin, and one was from Clinton. b7C kk (U) Section 3C for discussion of classified e-mails contained in Clinton's staff 5 personal e-mail accounts. State listed Clinton's overseas travel by individual days, but did not provide additional information such as arrival and departure times. As a result, the FBI could not determine specifically which e-mails were sent while she was on the ground OCONUS versus in ?ight. Page 14 of 47 b1 SW5 b3 b7E iFBl investigation determined that hundreds of e-mails classi?ed :ate FOIA process were sent or received by Clinton while she was OCONUS. Approximately -mails were sent or received by Clinto On] [occasions while OCONUS, Clinton had direct e-mail contact with an e-mail address for President Barack Obama. Of the e-mails between Clinton a 1d President sent and receivedl INone of these --mails were determined to contain classi?ed information. Clinton told the FBI that she received no particular guidance as to how she should use President Obama' e-mail address, and the e-mails sent while Clinton wasl [mm F. (UH-7989) Clinton?s Production ofE?mail in Response to 01A and Other Requests The House Select Committee on Benghazi was established on May 8, 2014 and reached an agreement with State on July 23, 2014 regarding the production of records.280 State sent a formal request to former Secretaries of State on October 28, 2014, asking them to produce e-mails related to their government work.281 After State requested that Clinton provide her e- mails}111 Clinton asked her attorneys, David Kendall00 and Mills, to oversee the process of providing Clinton's work-related e-mails to State.282 Heather Samuelson,pp an attorney working with Mills, undertook a review to identify work-related e-mails, while Kendall and Mills oversaw the process.283 Ultimately, on December 5, 2014, Williams Connolly provided approximately 55,000 pages of e-mailsqq to State in response to State' request for Clinton to produce all e-mail in her possession that constituted a federal record from her tenure as Secretary of State.284 State ultimately reviewed the 55,000 pages of e-mail to meet its production obligations related to FOIA lawsuits and requests. On May 27, 2015, State received a court order to post Clinton' e-mails to the State FOIA website on a production schedule with a completion date of January 29, 2016.285 State ultimately concluded its FOIA-related production on February 29, 2016. Clinton told the FBI that she directed her legal team to provide any work- related or arguably work-related e-mails to State; however she did not participate in the development of the speci?c process to be used or in discussions of the locations of where her e- mails might exist.286 Clinton was not consulted on speci?c e-mails in order to determine if they were work-related. 287 mm During the summer of 2014, State indicated to Mills a request for Clinton' 5 work-related e-mails would be forthcoming, and in October 2014, State followed up by sending an official request to Clinton asking for her work-related e- mails. 00 (U) Kendall is a partner at Williams Connolly. pp (U) Samuelson worked in the White House Liaison Office at State during Clinton's tenure and currently serves as Clinton's personal attorney. According to Clinton' 5 campaign website, 30,490 potentially work-related e-mails were provided to State on December 5, 2014. On August 6, 2015, Williams Connolly provided the FBI a .PST file containing 30,542 e-mail related files, which included 30,524 e-mail messages. Page b7E b1 b3 b?7E (UMP-GHQ) In Jul 2014, to initiate the review of Clinton' e-mails for production to State, Mills arranged for 0 export from the PRN Server all of Clinton' e-mails sent to or received from a . gov e-mail address during Clinton's tenure as Secretary of State.288?289?290 Once completed this export from the PRN Server, he remotely transferred a .PST file containing the e- mails onto Mills' 5 and Samuelson' lantons via ScreenConnect.??291?292?293 In late September 2014, Mills and Samuelson asked to provide a full export of all of Clinton' 5 e-mails from her tenure, to include e-mails sent to and received from non-. gov e-mail addresses.294?295?296 b5 Mills and Samuelson explained that this follow-up request was made to ensure their review b7c captured all of the relevant e-mails from Clinton' 5 tenurem?29 bompleted this export and transfer in the same manner as the Jul 2014 request. SS Mills and Samuelson did not know from what location on the serverljlextracted Clinton' 5 gave the FBI inconsistent statements over the course of three interviews regarding from where on the server he extracted Clinton' e-mails, and FBI investigation and forensic analysis have been unable to specifically identify the location and composition of the repository used to create the export of Clinton's e-mails from her tenure.301?302?303 (UHF-GHQ) The FBI interviewed Samuelson on May 24, 2016 about her review of the PRN- provided e-mails. Samuelson indicated she conducted the review of these e-mails over the course of several months and completed it just prior to December 5, 2014, when hard copies of the work-related e-mails were turned over to State. 304 Using her laptop to conduct the review, Samuelson placed any work-related e-mails into a folder that she had created in Microsoft Outlook.305 Samuelson ?rst added to this folder all e-mails sent to or from Clinton's personal e- mail account with . gov and .mil e-mail addresses.306 Samuelson then searched the remaining e- mails for the names of State senior leadership, as well as any members of Congress, foreign leaders, or other official contacts. 307 Finally, Samuelson conducted a key word search of terms such as ?Afghanistan,? ?Libya,? and Samuelson reviewed the ?From,? and ?Subject? fields of every e-mail during this review, however, she did not read the content of each individual e-mail, indicating that, in some instances, she made a determination as to whether it was one of Clinton' 5 work or personal e-mails by only reviewing the ?From,? and ?Subject? ?elds of the e-mail.309 As she completed the review, Samuelson printed all of the e-mails to be turned over to State using a printer in Mills' 5 office.310 According to Samuelson, Mills and Kendall subsequently reviewed e-mails that Samuelson printed, and any hard copy of an e-mail Mills and Kendall deemed not to be work-related was shredded, and the digital copy of the e-mail was not included in the folder Samuelson created in Microsoft Outlook to contain all of the work-related e-mails.311 Mills stated that, other than instances where Samuelson requested Mills' guidance, Mills did not review the e-mails Samuelson identified as work-related, and once the review was complete, Samuelson printed the work-related e-mails.312 After the review was completed, Samuelson created a .PST file containing all of the work-related e-mails and ensured that all work-related e-mails were printed. 313 This .PST ?le was provided to Kendall on a USB thumb (U) ScreenConnect is a remote support administration tool that allows technicians to remotely connect to customers via a central web application to control and view end users' machines. According to product specifications, ScreenConnect data transmitted from one machine to another, to include screen data, file transfers, key strokes, and chat messages. 55 Mills did not recall if this second .PST file was transferred to her computer. (UHF-GHQ) The FBI was unable to obtain a complete list of keywords or named officials searched from Samuelson, Mills, or Clinton's other attorneys due to an assertion of privilege. Page 16 of 47 MN b1 b3 b7E drive. 314 On August 6, 2015, this thumb drive was obtained by the FBI from Williams Connolly via consent from Clinton. G. Deletion of E?mail Associated with Clinton's Personal E?mail Accounts (UHF-9H9) According to Hanley, in spring 2013, Cooper assisted Hanley in creating an archive of Clinton' e-mails.315 Cooper provided Hanley with an Apple MacBook laptop (the Archive Laptop)? from the Clinton Foundation and telephonically walked Hanley through the process of remotely transferring Clinton's e-mails from the Pagliano Server to the laptop and a thumb drive. 316 Hanley completed this task from her personal residence. 317 The two copies of the Clinton e-mail archive (one on the Archive Laptop and one on the thumb drive) were intended to be stored in Clinton' Chappaqua and Whitehaven residences; however, Hanley explained this did not occur as Hanley forgot to provide the Archive Laptop and the thumb drive to Clinton' staff following the creation of the archivewg?319 In earl 2014, Hanley located the Archive Laptop at her personal residence and worked with :io transfer the archive of Clinton's e-mails to After trying unsucce sfullv to re ioter transfer the e-mails to Hanley shi ed the Archive Laptop to residence in in February 2014, and inigrated Clinton' e-mails from the Archive Laptop onto the PRN Server.324?325?326?327? To accomplish this ransferred all of the Clinton e-mail content to a personal Google e-mail (Gmail) address he created, @gmailcom, and then downloaded all of the e-mail content from the Gmail account to a mailbox named Archive? with the e-mail address hrcarchivechlintonemail.com on the PRN Server. 329?330?331 I:Iadvised he used the gmailcom e-mail account to facilitate the transfer because he had trouble exporting the e-mail from the Apple MacMail format to a format that would be compatible with Microsoft Exchange. 332 Hanley stated she recommended tha PRN win the Archive Laptop after the e-mails were transferred to the PRN Server. 333 However, told the FBI that, after the transfer was complete, he deleted the e-mails from the Archive Laptop but did not wipe the laptop. 334 He also advised he deleted the e-mails uploaded to the mailcom e-mail account per Hanley' instructions and shipped the Arctiive Laptop via United States Posta Service or United Parcel Service to who was Clinton' at the time. 335?336?33 told the FBI that she never received the laptop from however, she advised that Clinton's staff was moving offices at the time, and 1t wou ave been easy for the package to get lost during the transition period. 338 Neither Hanley nor could identify the current whereabouts of the Archive Laptop or thumb drive the archive, and the FBI does not have either item in its possession.339 (UHF-666) FBI investigation identified 940 e-mails associated with Clinton's personal e-mail account from October 25 2010 to December 31, 2010 that as of June 21, 2016 remained within the ngmailcom account.340 The FBI was able to determine that 56 of these According to Abedin, the archive of Clinton's e-mails was created as a reference for the future production of a book. According to Hanley, the archive of Clinton' 5 e-mails was created in response to Clinton's hdr22@clintonemail.com address being released to the public following the online posting of e-mail exchanges between Clinton and an informal political advisor, Sidney Blumenthal. Blumenthal' 5 personal e-mail account, which contained his e-mails with Clinton, was compromised on March 14, 2013 by a Romanian cyber hacker. Section 4D. Page b7E b1 b3 Wr b7E e-mails have been identi?ed as currently classi?ed at the CONFIDENTIAL level through the Sta? FOIA process 341 Ac ditionally, the FBI determined that 302 of the 940 e-mails identi?ed in the ngailcom account were not found in the set of e-mails Clinton produced to State in December 2014. 342 Of the 302 e-mails, the FBI disseminated 18 to USG agencies for classi?cation review. State determined one e-mail to be classi?ed SECRET when sent and to be classi?ed CONFIDENTIAL currently. State determined a second e-mail to be classi?ed as CONFIDENTIAL when sent and to be currently UNCLASSIFIED. b6 b7C (I In or around December 2014 or January 2015, Mills and Samuelson requested that b6 remove from their laptops all of the e-mails from the July and September 2014 b7C exports. 34 they could not be recovere laptops via ScreenConnect to complete the deletions. tated to the FBI that an unknown Clinton staff member told him s/he did not want the .PST ?le after the export and wanted it removed from the PRN Server. 352 According to Mills, in December 2014, Clinton decided she no lon:er needed access to any of her e-mails older than 60 days. 353 Therefore, Mills ?344?34 sed a program called BleachBitW to delete the e-mail-related ?les so 346 347 34 - d. emotely connected to and Samuelson' 349,350,35 instructe modify the e-mail retention policv on Clinton' 5 clintonemail.com e-mail account to re ectt 1s change. 354 However, according to he did not make these changes to Clinton' clintonemail.com account until March 2015. Clinton told the FBI that, after her staff completed her e-mail production to State in December 2014, she was asked what she wanted to do with her remaining personal e-mails, Clinton instructed her staff she no longer needed the e-mails. 356 Clinton stated she never deleted, nor did she instruct anyone to delete, her e-mails to avoid complying with FOIA, State or FBI requests for information.357 On March 2, 2015, he New York Times (NYT) published an article titled, ?Hillary Clinton Used Personal Email Account at State Dept., Possibly Breaking Rules.?WW?358 This article identi?ed publicly that Clinton exclusively used a personal e-mail account to conduct of?cial State business while she was Secretary of State and had not produced her federal records to State until December 2014. 359 On March 3, 2015, the United States House Select Committee on Benghazi provided a letter to Williams Connolly requesting the preservation and production of all documents and media related to hdr22@clintonemail.com and The following day, the House Select Committee on Benghazi issued a subpoena to Clinton to produce e-mails from hdr22@clintonemail.com, hrodl7@clintonemail.com, and other e-mail addresses 131651ed by Clinton, pursuant to the events surrounding the 2012 terrorist attack in Ben ghazr (UHF-GHQ) In the days following the publication of the NYT article, Mills requested that PRN conduct a com lete inver tory of all equipment related to the Pagliano Server.362?363 In response to this request, traveled to the Equinix d2 :acenter in Secaucus, New Jersey to conduct an onsite review of the equipment, while also logged in to the server b6 b7C (U) BleachBit is open source software that allows users to ?shred? files, clear Internet history, delete system and temporary files and Wipe free space on a hard drive. Free space is the area of the hard drive that can contain data that has been deleted. BleachBit' ?shred files? function claims to securely erase files by overwriting data to make the data unrecoverable. (U) The same article was released on the NYT website on March 2, 2015. The print version appeared on page Al the following day, March 3, 2015. (U) The House Select Committee on Benghazi submitted a preservation request for an accurate e-mail address, hdr22@clintonemail.com. and an inaccurate e-mail address, hrcl7@clintonemail.com. for Clinton. Page 18 of 47 b1 SECRE b3 b7E bl b3 SECRET ORN b?7E remotely. powered on the Pagliano Server and con?rmed for Mills that no additional data existed on any server equipment, as all data was migrated to the PRN b5 Serveryy?367?368 b7c 364,365,366 Investigation indicated that on March 25, 2015, PRN held a conference call with President Clinton' staff.369?370 In his interviews with the FBI, ndicated that sometime between March 25-31, 2015, he realized he did not make the e-mail retention policy changes to Clinton' clintonemail.com e-mail account that Mills had requested in December 2014. 371 In his FBI interview on February 18, 2016 indicated that he did not recall conducring deletions based upon this realization.? In a follow-up FBI interview on May 3, 2016 I indicated he believed he had an ?oh shit? moment and sometime between March 25-31, 2015 deleted the Clinton archive mailbox from the PRN server and used BleachBit to delete the exported .PST ?les he had created on the server system containing Clinton' e-mails.373 Investigation found evidence of these deletions374 and determined the Datto backups of the PRN Server were also manually deleted during this timeframe.375 Investigation identi?ed a PRN work ticket, which referenced a conference call among PRN, Kendall, and Mills on March 31, 2015.376?377 attorney advised not to comment on the conversation with Kendall based upon the assertion of the attomey-client privilege. 378 Investigation identi?ed a March 9, 2015 e-mail to PRN from Mills, of which was a reci ient referencing the preservation request from the Committee on 136 Benghazi.379?381iladvised during his February 18, 2016 interview that he did not recall MC seeing the preservation re uest referenced in the March 9, 2015 e-mail. 381 During his May 3, 2016 that, at the time he made the deletions in March 2015, he was aware of the existence of the preservation request and the fact that it meant he should not disturb Clinton' e-mail data on the PRN Server. 3Elm stated during this interview, he did not receive guidance from other PRN personnel, 5 legal counsel, or others regarding the meaning of the preservation request. 383 Mills stated she was unaware tha ad conducted these deletions and modi?cations in March 2015.384 Clinton stated she was also unaware of the March 2015 e-mail deletions by PRN.385 3. Results of FBI Review of Clinton E-mails Stored and Transmitted on Personal Server Systems A. Quantities of Clinton '5 E?mails Recovered ?om Personal Server Systems (UHF-6663 To date, the FBI has recovered from additional data sources and reviewed approximately 17,448 unique work-related and personal e-mailsZZ from Clinton' tenure containing Clinton' 5 e-mail address that were not provided by FBI forensically identified deletions from the PRN Server on March 8, 2015 of .P ST files not associated with Clinton's e-mail account or domain, and other server data. 22 These approximately 17,448 e-mails were determined to be unique from the e-mails provided by Williams Connolly as part of Clinton' 5 production to the FBI, through a distinctive Internet Message ID. These files do not include documents or partial e-mail files without an Internet Message ID in the metadata. 333 The appr0ximate 17,448 e-mails may contain chains of e-mails in which Clinton is not on the most recent ?From,? or line. Page 19 of 47 b3 b7E b1 SECR Rl\ b3 b7E Williams Connolly as part of Clinton' production to the FBI, including e-mails from January 23, 2009 through March 18, B. (UM-399971 Classification Portion Markings in E?mail Recovered from Personal Server Systems The FBI identi?ed three e-mail chains, encompassing eight individual e-mail exchanges to or from Clinton' personal e-mail accounts, which contained at least one paragraph marked a marking ostensibly indicating the presence of information classi?ed at the CONFIDENTIAL level. 386?387?388 The emails contained no additional markings, such as a header or footer, indicating that they were classi?ed. State con?rmed through the FOIA review process that one of these three e-mail chains contains information which is currently classi?ed at the CONFIDENTIAL State determined that the other two e-mail chains are currently State did not provide a determination as to whether any of these three e- mails were classi?ed at the time they were sent. When asked about the e-mail chain containing portion markings that State determined to currently contain CONFIDENTIAL information, Clinton stated she did not know what the meant at the beginning of the paragraphs and speculated it was referencing paragraphs marked in alphabetical order. Clinton identi?ed a header and footer (inserted in the document by the FBI prior to the interview) and asked if the related to the header and footer.393 Clinton did not believe the content of the e-mail was classi?ed and questioned the classi?cation determination.394 When asked of her knowledge regarding TOP SECRET, SECRET, and CONFIDENTIAL classi?cation levels of USG information, Clinton responded that she did not pay attention to the ?level? of classi?cation and took all classi?ed information seriously. 395 C. (Um Classified Information Found in linton?s E?mails on Personal Server Systems FBI and USIC classi?cation reviews identi?ed 81 e-mail chains containing approximately 193 individual e-mail exchanges666 that were classi?ed from the CONFIDENTIAL to TOP SECRET levels at the time the e-mails were drafted on UNCLASSIFIED systems and sent to or from Clinton' 5 personal server. Of the 81 e-mail chains classi?ed at the time of transmittal, 68 remain classi?ed. Twelve of the e-mail chains, classi?ed According to Clinton's campaign website, Clinton only provided State her work-related e-mails dated after March 18, 2009. E-mails from January 21, 2009 to March 18, 2009 were not produced to State or the FBI by Williams Connolly. According to Samuelson and Mills, they were unable to locate Clinton's e-mails from this period. The e-mails from this time period were not provided to them by PRN, and they believed the e-mails were not backed up on any server. Investigation determined some of Clinton's e-mails from January 23, 2009 to March 17, 2009 were captured through a Datto backup on June 29, 2013. However, the e-mails obtained are likely only a subset of the e-mails sent or received by Clinton during this time period. The three e-mail chains containing the portion mark of are not considered as part of the group of e-mails classified through the FBI classification review because State has not responded to the FBI request for classification determinations for these e-mails. dd? (U #313989) Earlier in her FBI interview, when asked what the classification marking meant, Clinton correctly stated Sensitive But Unclassified. Gee Due to the limited insight into other USG and personal e-mail accounts, the investigation was unable to determine if e-mails from the classified e-mail chains were forwarded to other USG or personal e-mail addresses. Page 20 of 47 b1 FORN b3 b7E by State as SECRET or CONFIDENTIAL, were not among the approximately 30,000 e-mails provided to State and the FBI by Williams Connolly. In addition to State classi?ed equities, Wm the investigation determined the 81 e-mail chains contained classi?ed equities from 5 other USIC agencies: the CIA, DOD, FBI, National Geospatial?Intelligence Agency (NGA), and National Security Agency (NSA). (SW) The 81 classi?ed e-mail chains contained 8 e-mail chains classi?ed TOP SECRET, 37 e-mail chains classi?ed SECRET, and 36 e-mail chains classi?ed CONFIDENTIAL at the time they were sent. Of these e-mail chains, 7 e-mail chains contained information associated with a Special Access Program (SAP) and 3 e-mail chains contained Sensitive Compartmented Information Of the 81 classi?ed e-mail chains, 36 e-mail chains were determined to be Not-Releasable to Foreign Governments (N OFORN) and 2 were considered releasable only to Five Allied partners Sixteen of the e-mail chains, classi?ed at the time the e-mails were sent, were downgradec current classi?cation by USIC agencies. - (S/reemr (9/667?le in (snooty; (S/fee?NF (swears; (sweat; The State FOIA process identi?ed 2,093 e-mails currently classi?ed as CONFIDENTIAL or SECRET. Of these e-mails, FBI investigation identi?ed approximately 100 e-mails that overlapped with the 193 e-mails (80 e-mail chains) determined through the FBI Page 21 of 47 SE ORNI (U 1605-999) One of the TOP SCI e-mails was downgraded to a current classification of TO USA, FVEY by the owning agency during a FOIA-related review. b1 b3 1371b7E SE l\ b3 b7E classi?cation review to be classi?ed at the time sent. All except one of the remaining 2,093 e- mails were determined by the State FOIA process to be CONFIDENTIAL, with one e-mail determined to be SECRET at the time of the FOIA State did not provide a determination as to whether the 2,093 e-mails were classi?ed at the time they were sent. The FBI investigation determined Clinton contributed to discussions in four e-mail chains classi?ed as CONFIDENTIAL, three e-mail chains classi?ed as and four e-mail chains classi?ed as TOP SAP. Inv astigati 11 identi?ed 67 instances where Clinton forwarded e-mails to either State personnel or for printing that were identi?ed as classi?ed CONFIDENTIAL or SECRET through either the State FOIA process or FBI classi?cation determination requests. b6 b7C FBI investigation determined at least 32 classi?ed e-mail chains transited both the personal e-?mail account of Clinton and the personal e-mail accounts of Abedin, Mills, Sullivan, orl:l111 One of these e-mails was TOP SCI at the time of transmission, and is 1?6 currently considered TO USA, ?ve were classi?ed as MC and one as SECRET both when sent and currently; two were classi?ed SECRET when sent and are CONFIDENTIAL currently; one was classi?ed as SECRET when sent and is UNCLAS currently; 16 were classi?ed CONFIDENTIAL both when sent and currently; ?ve were CONFIDENTIAL when sent and UNCLAS currently; and one was CONFIDENTIAL when sent and UNCLASSIFIED Investigation determined at least 80 e-mails from the 2,093 e-mails deemed classi?ed through the State FOIA process were sent to or from the personal accounts of Abedin, Mills, Sullivan, or D. Witness Statements Related to Classified E?mails Found on Itnton's Personal Server Systems (UHF-GHQ) The FBI interviewed multiple of?cials who authored and/or contributed to e-mails, the content of which has since been determined to contain classi?ed USG employees responsible for initiating classi?ed e-mail chains included State Civil Service employees, Foreign Service employees, Senior Executive Service employees, Presidential appointees, and non-State elected of?cials. (UHF-OHS) During FBI interviews, the authors of these e-mails provided context surrounding the e-mails in question as well as reasons for sending the e-mails on unclassi?ed systems. (U #5669) Investigation determined the following types of e-mails were not included in the list of 2,093 e-mails classified through the State FOIA review: e-mails; e-mails not produced to State by Williams Connolly; formerly classified e- mails now considered and classified e-mails improperly released during FOIA production. (UHF-SEQ) Two attachments labeled as SECRET through State FOIA process were not tracked as separate classified documents in the 5 classification review. ?1 (UM-1666) Due to the limited insight into other USG and personal e-mail accounts, FBI investigation was unable to determine e-mails from classified e-mail chains were forwarded to other personal e-mail 1? In addition to the personal accounts of Abedin, Mills, Sullivan, an seven classified e-mail chains were 136 initially drafted in or sent from the private e-mail accounts of five non-State individuals, to include Kerry and Blumenthal. b7C (U IFF-GEG) Personal e-mail accounts of Abedin, Mills, Sullivan, an appeared in the ?From,? or line of the e-mail. Investigation was not able to determine if additional personal accounts were blind carbon copied Page 22 of 47 b1 SECRET l\ b3 b7E b1 WN b3 b7E Individuals who worked in the State Bureau of Public Affairs111 often accessed classi?ed information to understand the context of unclassi?ed information that was to be disseminated publioly.409 The Public Affairs of?cials primarily relied upon reporting from country desk of?cers to generate talking points and believed the country desk of?cers were experienced in protecting sensitive information within their reporting.410 The Public Affairs of?cials were also responsible for notifying State leadership of impending reports by the news media regarding sensitive or controversial topics.411 Furthermore, a former DOD of?cial explained that he sent an e-mail, since deemed to contain classi?ed information, in order to quickly coordinate public affairflresponses by State and DOD with respect to a speci?c incident referenced in the e- mail. Individuals, including those in the State Operations Center (Ops Center), mm who were responsible for passing information to high-level State of?cials, worked to identify and disseminate the information they deemed critical for review by State leadershipm?414 These individuals noted that such information was generally sent on State unclassi?ed e-mail systems because of the need to quickly elevate information at times when the intended recipients did not all have immediate access to classi?ed e-mail accounts.nm?415?416 (UHF-OHS) Investigation identi?ed seven e-mail chains comprised of 22 e-mails on Clinton' server classi?ed by the USIC as TOP SAP. State Department of?cials, both in Washington, DC. and overseas, were briefed into the SAP and communicated both internally and with other USIC of?cials about the program.4l7?418?419?420 Only internal State e-mails regarding the SAP were forwarded to Clinton, all of which were sent to Clinton' 5 server by Sullivan. Clinton and Sullivan engaged in discussions regarding the SAP in four of the seven e- mail chains. Dnrino FRI interviews ate employees explained the context for why classi?ed material was sent and provided reasons to ex lain wh they did not - - - - - - 421 422 423 421 believe informatl on in the e-malls was claSSl?ed Istated thali b1 b3 b6 b7C ml stated the right method of communication was whichever method allowed for the fastest possible dissemination of the message.428 He also stated that information he received from other USG agencies was ?technically probably classi?ed? but that ?you can't do business "1 According to State's website, the Bureau of Public Affairs ?engages domestic and international media to communicate timely and accurate information with the goal of furthering US foreign policy and national security interests as well as broadening understanding of American values.? (U llf'e?d?e') The Ops Center is staffed 24 hours a day and constantly monitors reporting from State cables, other USG agencies, and open source news outlets for information of interest to State leadership. Individuals who inputted classified information into e-mail chains to pass to high-level State officials indicated that at times they were relying on information that others had summarized and provided to them. Page 23 of 47 W. b1 b3 b7E ind: b1 b3 b7E that way.? 429 When interviewed by the FBI, authors of the e-mails stated that they used their best judgment in drafting the messages and that it was common practice at State to carefully 131 word e- nails on UNCLASSIFIED networks so as to avoid sensitive details or ?ta b3 classified information 430?431?432?43 stated the information in the b5 Iformerl I declined to comment on the e-mails.43fl Ireferenced news articles claiming e-mails on Clinton' server were over-classified, but after seeing the e-mails during the interview, stated he ?now understood why people were concerned about this matter.?436 Sullivan indicated he had no reason to believe any State employee ever intentionally mishandled classified information.437 The FBI interviewed four USIC executives stationed both in the United States and overseas The USIC executives reviewed theI_Ie-mail chains which transited Clinton' personal e-mail account and assessed that some of the e-mail chains should be considered classi?ed442?443?44 b3 I440 However, two of the USIC executives 1nterv1ewed sald some of thei b1 b3 A maiorit? of the USIC executives interviewed expressed concerns with how State handled 49?450?451 According to a ISIC executive who 1 am 45 State employees were aware of the sensitivities (UMP-GHQ) On April 9, 2016, Mills, who served as Chief of Staff to Clinton at State between 2009 and 2013, was interviewed by the FBI. During this interview, Mills was provided seven e- mails which contained information later determined to be classified. While Mills did not specifically remember any of the e-mails, she stated that there was nothing in them that concerned her regarding their transmission on an unclassi?ed e-mail system.455 Mills also stated that she was not concerned about her decision to forward certain of these e-mails to Clinton.456 In reviewing e-mails related to the SAP referenced above, Mills explained that some of the e- mails were designed to inform State officials of media reports concerning the subject matter and that the information in the e-mails merely con?rmed what the public already knew.457 (UHF-GEO) The FBI interviewed Sullivan on February 27, 2016. Sullivan, who between 2009 and 2013 served at State first as the Deputy Chief of Staff for Policy and then as the Director of Policy Planning, communicated extensively with Clinton by e-mail. Their communications included both e-mails written by Sullivan and e-mails written by others that Sullivan forwarded to Clinton. During the interview, the FBI asked Sullivan to review approximately 14 e-mails Sullivan sent or received on unclassi?ed systems that were later determined to contain classi?ed information up to the TOP SAP level. Sullivan did not speci?cally recall the e-mails, aside from recognizing some of them from the materials released pursuant to FOIA litigation, but Page 24 of 47 b1 b3 b?7E SEC b1 b3 b7E l? provided reasons why the e-mails may have been sent by him or others on unclassi?ed systems.458 With respect to the SAP, Sullivan stated that it was discussed on unclassi?ed systems due to the operational tempo at that time, and State employees attempted to talk around classi?ed information.459 Sullivan also indicated that, for some of the e-mails, information about the incidents described therein may have already appeared in news reports.460 Furthermore, Sullivan stated that his colleagues at State worked hard while under pressure and used their best judgment to accomplish their mission.461 When forwarding e-mails, Sullivan relied on the judgment of the individuals who sent the e-mails to him to ensure that the e-mails did not contain classi?ed information.462 Sullivan did not recall any instances in which he felt uneasy about information conveyed on unclassi?ed systems, nor any instances in which others expressed concerns about the handling of classi?ed information at Sullivan was also asked about an e-mail exchange between him and Clinton in which, on the morning of June 17, 2011, Clinton asked Sullivan to check on the status of talking points she was supposed to have received.464 Sullivan responded that the secure fax was malfunctioning but was in the process of being ?xed. Clinton instructed Sullivan that if the secure fax could not be ?xed, he should ?turn [the talking points] into nonpaper [with] no identifying heading and send nonsecure.? 465 State uses the term ?non-paper? to refer to a document which is authorized for distribution to a foreign government without explicit attribution to the US. government and without classi?ed information. Sullivan did not recall this speci?c e-mail but believed that Clinton's request indicated that she would have wanted him to make an unclassified versinn m? the document 7e the contents and then send it tn her on a non-secure fax.46 bl b3 On April 5, 2016, Abedin, who served as Deputy Chief of Staff to Clinton at State between 2009 and 2013, was interviewed by the FBI. When asked about an e-mail subsequently determined to contain CONFIDENTIAL information, Abedin noted that she had only conveyed the information from the e-mail and had not originated it.470 She also stated that she relied upon the sender to properly mark the e-mail for classi?cation purposes and did not take it upon herself to question the sender' judgment as to such Investigation determined Sidney Blumenthal, a former political aide to President Clinton and an informal political advisor to Clinton during her tenure at State, had direct e-mail contact with Clinton during her tenure at State. FBI investigation identi?ed at least 179 e- Abedin and Mills also provided similar responses when asked about State security practices regarding classified information. (U weenie) Although Abedin was a party to e-mails containing information that has since been determined to be classified, due to the nature of her position at State, Abedin was not regularly included in the e-mail chains (discussed in this section of the memorandum) about which Sullivan and Mills were questioned. Abedin' 5 position at State did not consistently involve her participation in substantive policy decisions, and she was not a regular user of classified e-mail systems. Page 25 of 47 b1 b3 b7E b1 Wm b3 b7E that Blumenthal sent to Clinton containing information in memorandum format. The State FOIA process identi?ed 24 memos from Blumenthal that contained information currently classi?ed as CONFIDENTIAL and one as SECRET both when sent and The FBI interviewed Blumenthal on January 7, 2016. According to Blumenthal, the content of the memos, which addressed topics to include Benghazi and foreign political developments, was provided to him from a number of different sources to include former USIC employees and contacts, as well as contacts within foreign The memos contained a notation of and then often included a source summary similar to those frequently found in USIC intelligence products.488?489?490 Blumenthal indicated he was not tasked to provide this information to Clinton; rather, he provided it because he deemed the information helpful, which Clinton occasionally acknowledged via e-mail.491 Clinton often forwarded the memos to Sullivan asking him to remove information identifying Blumenthal as the originator and to pass the information to other State employees to solicit their inputlgz?493 According to e- mails between Clinton and Sullivan, Clinton discussed passing the information to the White House, other USG agencies, and foreign E. Clinton's Statements Related to lasst?ed E?mails Found on Her Personal Server Systems On July 2, 2016, the FBI interviewed Clinton. Clinton was aware she was an Original Classi?cation Authority (OCA) at State, however, she could not recall how often she used this authority nor could she recall any training or guidance provided by State.496 Clinton could not give an example of how the classi?cation of a document was determined; rather she stated there was a process in place at State before her tenure, and she relied on career foreign service professionals to appropriately mark and handle classi?ed information.497 Clinton believed information should be classi?ed when it relates tol Ithe use of hi sensitive sources, or sensitive deliberations.498 When asked whether she believed information 133 should be classi?ed if its unauthorized release would cause damage to national security, Clinton responded ?yes, that is the understanding.?499 Clinton did not recall receiving any e-mails she thought should not have been on an unclassi?ed system.500 She relied on State of?cials to use their judgment when e-mailing her and could not recall anyone raising concerns with her regarding the sensitivity of the information she received at her e-mail address.501 The FBI provided Clinton with copies of her classi?ed e-mails ranging from CONFIDENTIAL to TOP SAP and Clinton said she did not believe the e-mails contained classi?ed information. 502 Upon reviewing an e-mail classi?ed dated December 27, 2011, Clinton stated no policy or practice existed (U The FBI obtained 177 of Blumenthal' memos from the e-mails provided by Williams Connolly as part of Clinton's production to the FBI. The FBI recovered two additional memos during the investigation from BlackBerry backups provided by Cooper; State did not provide a classification determination on those additional memos. r" (U ALF-GHQ) According to Blumenthal, meant the memo was personal in nature and did not refer to classi?ed USG information. 555 (U #1391910) According to Blumenthal, the individual who provided the content for a number of the memos authored the source summary statements (caveats provided regarding the SOurce of information) in the memos. (U MIT-GEO) Investigation was unable to determine if any of Blumenthal' memos were forwarded to the White House, or to other USG agencies and foreign governments, as Sullivan's OpenNet sent items were not present in the data provided by State to the FBI. Page 26 of 47 b1 W. b3 b7E b1 b3 13713 RD related to communicating around holidays, and it was often necessary to communicate in code or do the best you could to convey the information considering the e-mail system you were using.503 In reference to the same e-mail, Clinton believed if the foreign press was to obtain information from that e-mail, it would not cause damage to the US Government.504 When asked, Clinton recalled being briefed on SAP information but could not recall any speci?c brie?ng on how to handle SAP information.505 Clinton stated she knew SAP information was of great importance and needed to be handled carefully. 506 F. Gaps in Clinton E?mal'l Recovered from Personal Server Systems There were no e-mails provided by Williams Connolly to State or the FBI dated from January 21, 2009 to March 18, 2009. FBI investigation identi?ed an additional 18 days where Clinton did not provide State any responsive e-mail. FBI investigation determined 14 of the 18 days where Clinton did not provide State any responsive e-mail correspond with e-mail outages affecting Clinton's personal server systems as a result of both Hurricane and Hurricane FBI investigation indicated other explanations for gaps in Clinton' e-mail production could include user deletion prior to transfer of Clinton' e-mails for review, or ?aws in the archiving and sorting process used to generate the responsive production to State. 4. Results of the FBI Investigation and Analysis of vaer Intrusion Potential A. Cyber Analysis of Clinton ?5 Personal Server Systems FBI investigation and forensic analysis did not ?nd evidence con?rming that Clinton' e-mail server systems were compromised by cyber means. The inability to recover all server equipment and the lack of complete server log data for the relevant time period limited the 5 forensic analysis of the server systems. As a result, FBI cyber analysis relied, in large part, on witness statements, e-mail correspondence, and related forensic content found on other devices to understand the setup, maintenance, administration, and security of the server systems. Investigation determined Clinton' clintonemail.com e-mail traf?c was potentially vulnerable to compromise when she ?rst began using her personal account in January 2009. It was not until late March 2009, when the Pagliano Server was set up and an SSL was acquired for the clintonemailcom domain?providing of login credentials, but not e-mail content stored on the server?that access to the server was afforded an added layer of security.507?508 The certificate was valid until September 13, 2013, at which time PRN obtained a new certificate valid until September 13, 2018. 509 (UMP-GEO) During his December 22, 2015 FBI interview. Pagliano recalled a conversation with b6 at the beginning of Clinton' tenure, in which advised he would not be MC (U IPEGHG) The first of two extended outages occurred from August 28 to 30, 2011 (3 days) as a result of Hurricane Irene. The second extended outage occurred from October 30, 2012 to November 9, 2012 (11 days) as a result of Hurricane Sandy. According to FBI forensic analysis, there was no SSL certificate on the Pagliano Server between March 19, 2009, when the mail service was operational, and March 29 or 30, 2009, when the SSL certificate was installed on the server. Page 27 of 47 b1 - b3 b7E bl b3 b'7E su rised if classi?ed information was being transmitted to Clinton' personal server. 510 urther recommended that e-mail transiting from a stategov account to the server 136 sent through a Transport Layer Security Pagliano advised that the MC dm?512 The FBI was unable to forensically determine if TLS was ou transition to TLS never occurre implemented on the Pagliano Server. When asked about the maintenance and security of the server system he administered, Pagliano stated there were no security breaches, but he was aware there were many failed login attempts, which he referred to as brute force attacks. He added that the failed attempts increased over the life of the Pagliano Server, and he set up the server's logs to alert Cooper when they occurred.514 Pagliano knew the attempts were potential attackers because the credentials attempting to log in did not match legitimate users on the system.515 Pagliano could not recall if a high volume of failed login attempts emanated from any speci?c country. 516 In an attempt to thwart potential attacks, Pagliano set up Internet Protocol (IP) on the ?rewall and tried to review the ?rewall log ?les once a month.517 After the Pagliano Server was established, Cooper put Pagliano in contact with: a United b5 States Secret Service agent, who recommended Pagliano also perform outbound ?ltering MC of e-mail traf?c.518 Pagliano further considered, but ultimately did not implement, a Virtual Private Network or two-factor to better secure administrative access to the server system by him and Cooper. 519 The FBI forensically determined that Remote Desktop Protocol was enabled on the Pagliano Server and was used by Pagliano, Cooper, and later PRN, for remote administration of the server. 520 While the availability of RDP (U) TLS is a protocol that ensures privacy between communicating applications, such as web browsing, e-mail, and instant- messaging, with their users on the Internet. TLS ensures that no third-party eavesdrops on the two-way communication. TLS is the successor to SSL and is considered more secure. (U) According to the State OIG report, State policy (12 FAM 544.3) stipulates normal day-to-day operations must be conducted on an authorized system. In the absence of a device, such as a State OpenNet terminal, employees can send most Sensitive But Unclassified (SBU) information via the Internet only when necessary, with the knowledge that the nature of the transmission lends itself to unauthorized access, however remote that chance might be. Furthermore, in August 2008, 12 FAM 682.2-5 was amended and mandated that SBU information on non-Department-owned systems at non- Departmental facilities had to meet certain criteria. Employees had to: 1) ensure that SBU information was 2) destroy SBU information on their personally owned and managed computers and removable media when the files are no longer required; and 3) implement certified by the National Institute of Science and Technology (NIST), among other things. Although 12 FAM 682.2-5 was further amended in 2009, 2011, 2014, and 2015, the basic requirements did not change. (U) A brute force attack is a trial-and-error method used to obtain information, such as a password or personal identification number (PIN). In a bmte force attack, passwords may be attempted manually or automated software can be used to generate a large number of consecutive guesses as to the targeted information. 3333 (U) IP filtering is the practice of identifying and manually blocking IP addresses based on the identification of patterns that are indicative of a potential attack. (U) VPN is a private network that runs on top of a larger network to provide access to shared network resources, which may or may not include the physical hard drives of individual computers, as in the case of Remote Desktop Protocol (RDP). VPN offers an additional layer of security by the data traveling to the private network before sending it over the Internet. Data is then when it reaches the private network. (U) Two-factor authentication is a method of confirming a user' 5 claimed identity by utilizing a combination of two different components, often something the user knows and something the user has?such as a RSA keyfob/token. (U) RDP is a proprietary protocol developed by Microsoft that allows a user to remotely connect to another computer over a network connection to view the computer and control it remotely. RDP is implemented in every version of Windows starting with Windows XP. Page 28 of 47 b1 SECRE 1? b3 b7E b1 SECR server 1s convenient for remote access, the FBI 1s aware of known associated with the protocol. b3 (UHF-GHQ Im?m Pagliano recalled ?nding ?a virus,? but could provide no additional details, other than it was nothing of great concern. 525 FBI examination of the Pagliano Server and available server backups did not reveal any indications of malware.526 On January 9, 2011, Cooper sent Abedin an e-mail stating someone was attempting to ?hack? the server, prompting him to shut it down.527 Cooper sent Abedin another e-mail later the same day stating he had to reboot the server again.528 The 5 investigation did not identify successful malicious login activity associated with this incident.529 The review of available Internet Information Services (118) web logs showed scanning attempts from external IP addresses over the course of Pagliano' administration of the server, though only one appears to have resulted in a successful compromise of an e-mail account on the server.530 Forensic analysis noted that on January 5, 2013, three IP addresses matching known exit nodes were observed accessing a user e-mail account on the Pagliano Server believed to belong to President Clinton stafferl IFBI b6 investigation indicated the Tor user logged in t( e-mail account and browsed e-mail MC folders and attachments. 531?532 When asked during her interview, stated to the FBI she is not familiar with nor has she ever used Tor software.533 FBI investigation to date was unable to identify the actor(s) responsible for this login or hov1: ogin credentials were compromised. Forensic analysis of alert e-mail records automatically generated by Cloud] acket revealed multiple instances of potential malicious actors attempting to exploit vulnerabilities on the PRN Server. FBI determined none of the activity, however, was successful against the 535 Following the March 3, 2015 New York Times article publicly revealing Clinton' 5 use of personal e-mail to conduct government business,536 the FBI identi?ed an increased number of login attempts to the PRN Server and its associated domain ?537 Forensic analysis revealed none of the login attempts were successful. FBI investigation also identified an 6666 (U) Older versions of RDP had a vulnerability in the method used to RDP sessions. While security patches, if applied, have remedied these vulnerabilities, exposing RDP to direct connections could allow remote attackers the opportunity to guess lo gin credentials. (U) Tor is free software allowing end users to direct their Internet traffic through a group of volunteer-operated servers around the world in order to conceal their location and Internet usage. (U) A domain controller is a Microsoft server that responds to security authentication requests (10 gins, checking permissions, etc.) within a Windows domain. Page 29 of 47 b1 SECRET RN b3 b7E b1 b3 b7E increase in unauthorizedlogin attempts into the Apple account likely associated with Clinton' e-mail address1111 during this time period. Investigation determined all potentially suspicious Apple iCloud login attempts were unsuccessful.538 Additionally, PRN made various network changes to the PRN Server around March 7, 2015, to include disabling the server' public-facing VPN page and switching from SSL protocol to TBS to increase security.539 Staff also discussed the possibility of conducting penetration against the PRN Server to highlight vulnerabilities in the network.540 The FBI interviewed an employee of the company with which PRN had discussed the issue. The employee stated that the topic was broached but that penetration testing against the PRN Server, ultimately, did not happen.541 B. Cyber Analysis of Clinton 's Mobile Devices The FBI does not have in its possession any of Clinton' 13 mobile devices which potentially were used to send e-mails using Clinton' clintonemailcom e-mail addresses. As a result, the FBI could not make a determination as to whether any of the devices were subject to compromise. Similarly, the FBI does not have in its possession two of the ?ve iPad devices which potentially were used by Clinton to send and receive e-mails during her tenure.542?543?544?545 The FBI forensically examined two of the three iPadsl?quk it obtained and found no evidence of cyber intrusion. 546 C. yber Targeting of Clinton ?5 Personal E?mail and Associated Accounts Investigation identi?ed multiple occurrences of phishing an d/or Spear-phishing e- mails sent to Clinton' 5 account during her tenure as Secretarv of State 54 b1 b3 b6 b7C Clinton received another phishing e-mail, purportedly sent from the personal e-mail 11:: account of a State official. The e-ma'l contained a potentially malicious b6 link.552 Clinton replied to the e-mail stating, ?Is this really from you? Iwas b7C worried about opening it!?SSj I I In a separate incident Abedin sent an e-mail tc indicating Clinton was Apple iCloud is a cloud storage medium available to users of Apple products. Clinton is known to have used Apple iPads during the course of her tenure, and hdr22@clintonemail.com was likely used as her ApplelD to set up a new Apple device. While the NYT article did not reveal Clinton's e-mail address?and by default the domain name?it is very likely those who tried to gain access to the related Apple iCloud account searched for and found the e-mail address in open sources. News articles from 2013 contained a screenshot of Blumenthal' 5 communication with ?hdr22,? thereby divulging Clinton' 5 e- mail alias. Other outlets mentioned the domain name in articles but withheld Clinton's e-mail alias. Clinton's full e-mail address could therefore have been ascertained through piecing together various sources. 3? (U) Penetration testing, more commonly known as pentesting, is the practice of testing a computer system, network, or web application to find vulnerabilities that an attacker could exploit. The third iPad the FBI obtained was not actually used by Clinton. Shortly after it was purchased, it was given as a gift to a member of her staff, and therefore the FBI did not forensically examine the device. ml (U) RAT is a piece of software that facilitates remote operation of a computer system. Page 30 of 47 b1 b3 b7E b1 b3 SE RN b?7E worried ?someone [was] hacking into her email? given that she received an e-mail from a known associate containing a link to a website with pornographic material.554 There b7c Informatlon as to why Clmton was concerned about someone hackmg 1nto her e-mall account, or if the speci?c link referenced by Abedin was used as a vector to infect Clinton's _device I ?35? I IOpen source bl information indicated, if opened, the targeted user' device may have been infected, and b3 information would have been sent to at least three computers overseas, including one in Russia.560?56i I D. Potential Loss of Classi?ed Information On March 11, 2011, Boswell sent a memo directly to Clinton outlining an increase since January 2011 of cyber actors targeting State employees' personal e-mail accounts.563 The memo included an attachment which urged State employees to limit the use of personal e-mail for of?cial business since ?some compromised home systems have been recon?gured by these actors to automatically forward copies of all composed e-mails to an undisclosed recipient.?564 Clinton' immediate staff was also briefed on cybersecurity threats in April and May 2011.565 b1 b3 1:36 1370 b7E (S/teese- b1 b3 b6 b?7C b7E (U) In order for malicious executables to be effective, the targeted host device has to have the correct pro gram/applications installed. If, for example, the host is running an older version of Adobe but the exploit being used is newer, there is a chance the host will not be infected because the exploit was unable to execute using the older version of the program. ?m (U) A ?drop? aCCOunt, in this case, is an e-mail account controlled by foreign cyber actors and which serves as the recipient of auto-forwarded e-mails from victim accounts. Page 31 of 47 131 b3 b7E SECR OFORD b1 b3 b7E On or about March 14, 2013, Blumenthal' AOL e-mail account was compromised by Marcel Lehel Lazar, aka Guccifer, a Romanian cyber hacker. Lazar disseminated e-mails and attachments sent Ibroadcasting companv 58 b7E One of the screenshots captured a list of 19 foreign policy and intelligence memos authored by Blumenthal for Clinton.589 The content of one of the memos on the list was determined by State to be classified at the CONFIDENTIAL level. 590 Lazar was extradited from Romania to the United States on March 31, 2016.591 Between April 25, 2016 and May 2, 2016, Lazar made a claim to FOX News that he used information from Blumenthal' compromise as a stepping stone to hack Clinton' 5 personal server.592 On May 26, 2016, the FBI interviewed Lazar, who admitted he lied to FOX News about hacking the Clinton server. 593 FBI forensic analysis of the Clinton server during the timeframe Lazar claimed to have compromised the server did not identify evidence that Lazar hacked the server.594 An examination of log files from March 2013 indicated that IP addresses from Russia and Ukraine attempted to scan the server on March 15, 2013, the day after the Blumenthal compromise, and on March 19 and March 21, 2013.595 However, none of these attemp5t9s6were successful, and it could not be determined whether this activity was attributable to Lazar. E. (U7151366) General yber Analysis Conducted The FBI conducted general cyber research and analysis of e-mail addresses 11:: and user accounts associated with the clintonemail.com and presidentclintoncom domains. b6 3 b7C b7E FBI extracted the Thread-Index0000 and values for each identi?ed confirmed classi?ed e-mail relevant to this investigation. The values were extracted from the e- mail in order to develop speci?c electronic signatures that could be used when searching for exact references in large data repositories. In an effort to identify whether any confirmed classi?ed e-mails may have been compromised through computer intrusion methods, the FBI conducted signature-based searches in available databases, to The 1373 FBI also provided the unique identifiers to other government agencies, and one entity 0000 (U) A Thread-Index value is a unique, alphanumeric, Microsoft Outlook-centric field found in an e-mail' 5 header. The identifier is used to track e-mail threads (or conversations). Each time there is a reply or forward in the e-mail thread, Outlook? if it is the e-mail client being used?will append additional alphanumeric characters to the e-mail' 5 original Thread-Index value. pm (U) A Message-ID is a unique identifier found in an e-mail' header. Message-IDs are required to have a specific format and be globally unique. Unlike Thread-Index values, Message-IDS are unique to every individual e-mail, regardless of whether two e- mails belong to the same thread (or conversation). (U) A header precedes the body (content text) of an e-mail, and contains lines (metadata) that identify particular routing information. rm b7E Page 32 of 47 SECR b1 b3 b7E b1 b3 b7E To date, the signature-based searches in USG databases have not identi?ed the relevant e-mails. 601 55? (UHF-GHQ) The FBI provided the Executive Office of the President (EOP), State Cyber Threat Analysis Division (CTAD), and State's Information Resource Bureau (IRB) with Thread-Index and Message-ID values. CTAD found no record of the signatures provided. EOP stated they could only search ?From,? and ?Subject? lines, as did State IRB. Separately, in an attempt to identify whether confirmed classified e-mails resided in unidentified e-mail provider accounts, or whether identified accounts forwarded or replied to the classified messages, the FBI explored the possibility of sharing Thread-Index Value and Message-IDS with e-mail service providers of interest. Google was asked if they could search those header fields in its dataset. The company stated it does not index Thread-Index values, which is the identifier the FBI was mo st interested in, as it would have provided insight into the extent the messages were forwarded. Page 33 of 47 b3 b7E 3 SEW Page34of47 SECRET OFORN b1 b3 b7E b3 b5 b6 b7C b'7E b1 b3 b7E SW Page b7C b?7E b1 b3 b7E SECRE Page 36 of 47 FORD b7E SECR Page b7E Page b7E Page 39 of 47 SECRET FORT bl 103 1071b7E INOFORI SEC Page b7E Page b7E SEC Page 42 of 47 FORD b1 b3 b7E b3 b5 1:36 1370. b7E b1 b3 b7E Sm Page 45 ot?ll SECRE Page 44 of 47 SECRE b7E XX SEC Page b7E SECR OFORB XX Page b7E XX Page 47 of 47 FORD b7E