You are on page 1of 189
FBI INTC. CLASSIFIED AY: NSIS: SEASON: 1.6 (5) CECLASSIFY cH: 12-91-2043, Sate 09-22-2018 sor Deal ke oe H2 coeweanss FEDERAL BUREAU OF INV! TIGATION Dose wf uanscipins 02 2020. a pow! wa viswed hy Federal Burcu wf investigation (BD) Special Agents| an [a ahe FBI Washington toeet NW. Wash ap DR Lar ibe Gaerdiesy counsel Attorney at Law. at Pas wat as anal fiom the Dyparimenr ot Tustice (DOD Toamierinllience and Papo Con! Seman FA es Ta the interview] lageved w signa non Hselostry aurcernent in anticipation of viewing classified documents curing th salvised of the identities of the imerviewing vigw, Alter being ents, and the purpose of the inter sew. provided she faifowwing ovwne the US. Deparment af Sue (oS Juncied He (OP EAEOF Cn February formation. der] Refore being waned the As the] eas located iy Washington DC but he waveled frequently and ook tips 4 Afghanistan Goad Pakisian every four to sin weeks, “i [dil pot have tregues fy the Sceretary off State when bed lt oF the direst oouiications with the Secrewsy and her team Hi ee cribed his rule unde jas being external facing. He further expl ating red rat he Was tesppansibie tar coord Wah Congess and ucdlitating othee iquamational and economic engagements bese more cused on Afghan ita orators when lbecame the faceause| wanieat te focus mainly on Pakistan, fa this role] Rad more rewufar contact with te Secreiary ae iter wan which included traveling to the region witb them. sree) voided that hy primarily interacted with the following individuals om “ 8 am CHPRYE, MILLS for USAID and communications matters: JAKE SULLIVAN for policy matter p prepare for Deguty Committee or Principal Ci Wittes mevtinus: HMA ABEDIN lili Tov counmonieavons maters [pote hat be fs] BN ab Bia sorts not camels f he HBL ese ees tt HO so pod atte om eS st vets 2 ba Bs “ bh BS 6 7c bs bic bs bic bé bre bs bE 6 BIC bL b3 - communicated directly with SULLIVAN and MILLS for anything shat necited the Secretary alentTon, Exanzpies inclucle topics that invnlved international matters. tapes that ‘could potentially impact DoS equities, and topies involving private sector engayemems, These exchanges could be either classified or unelassitied depensling on the ypecitic content and were done via the appropriate telephone or emutl system, LHOHO] While at Dos, had an OpenNet and ClassNet account a JWICS accounts. DoS alse issued] gokberry. which was linked to his ame emai account and a STE for his home lused fis Blackherey email extensively velten fre wits ocorseas beestise other conmmupication ghamiels were offen nel available a uonen could only recall one instance foHlowing the birth of bis son when he Feceived ant email direetly front the Seerctury. He renmembured that the email cante trom a nun-i}eS ermal ewcount int ie didn'¢ think much of ita the time wasn hat he Secretary wats usin 2 private email account and server to conduct DoS ise. Ror Ws Jase of any other Das caiployees using personal entail accounts for official business, prvi thet he Had the pessonal canal aaklresses of both SULLIVAN and MILLS bat hid norrecail ever using those accounts fo oBisin! business, confined that he was wond into a Special Avcess Promany understood the venti vities surrounding Iie program tnd te nea fo appropriately sulsguand rebated ioloramation, As scl. the DoS singe was oot to publicly cummeat on the program. ‘was showa @ cupy ofan email chain fron December OF 201 wilh the Sibjeet SBL” Afler reviewing the email stated that he did sot remember the cizymstances in which the email was originally sent. However based on the email dime seam] believed he was in California when he received the maj ssauid not have hal anny RET means of forwarding the information to those who needed stated that Do ( bi be bre bs Bre bs BIC 6 bre bi BB bi 3 bl b3 bL b3 bi b3 De] SAMA Hes, bs iotton of PDAMBOE the . . bre wing information on Yay unclassified systens wus not kcal but A , ‘ . \ bi aiid not have a choice when it came ta time sensitive information, did no recall receiving any bs specitle ttining or yuidece op hovw time sensitive inlormation shuld be transmitted was shown a copy of aa emul chain from ‘ebruary OPTS wan The Subyor AEE : ve ‘viewing dhe ena! lie stated th bu bs ionethelens did not have concems sending this typo of Halormation ov a ‘molassified system because fbe story Was ahout to break in Ge news and it was important that th the information to the Secretary Lee that veewrted. us shawn a copy af an email chain front SU stated i asas sent prior to Te relerenoad arucle beiny released Ta the press [could not recall any fhiether details abr tite formation psovipied in ue coral, He noted that a number of similar stories were Being released by the ba press ut that fin. bsctiewed that the information in the email could be treated as uneltssified 23 because the article Was abou! to be reledsed and it was critival that he noti Dh he appropriate people within pe The iby I provided that the emait was forwarding a news aniele Of Mlcresl to malvlduals within DoS. bl stated that the conmments hig included when he forwarded the enmil were nat meautt 10 contirm the veracity bs of the news article but rather to express his trustrution with the artiete. further explained thet 2011 was a particularly ditficoti period (or bilateral relationships in the region and that DoS elfints were ofien complicated by such articles. vwas shown a copy ef an email chain from May bi of 201 WaT subject Update PE ot recall the exact cireunss ‘the email but ba noted that it was unesual for him to bateract dveethy with] provided thst be forecarded she email because iL was a niatier that required the Hmovwdiate attention OF DaS fo preserve ity equities (UH BH4Y AL the conclusiun of the interview noted that nose of the emits that hee eee ‘sas shown were originated by him, The emaily either volved TaTommiation that was about to he veleased publicly or were authored by another indivi bu 3 omttnan oF EDABOD Af Ine on el «te UA envelope. SHH) A cunny of the erfginal Tmlerview notes and te we. DA signed by 4, sre-creeiosed ii a BL ba bs Ie be 7c BL ba _SONFEDENTIAL_ ALL FRE THEORWATICHT HEREIN IS UNCLASSIFIEL FD-3028 (Rev. 1046-95) PATE an-19-2016 BY 22 “ke FEDERAL BUREAU OF INVESTIGATION Date of wanseription _2/420) (U/FOVO) On February 3, 2016[ telephone number was interviewed by Federel Bureau of Investigation (FBI) Special Agents] wn it the offices of| [Washington, DC. Also present for the interview was] Ja Principal, whom asked to sit in on the interview After being advised of the identities of the interviewing agents, and the purpose of the interview, rovided the following information: (UFO) (uieve;_______patice at DoS was located on “Sees Row,” aterm given to the Executive hallway where the Secretary of State's office is also located. ld a Top Secret (TS), Sensitive Compartmented Information (SCI) clearance while at DoS, and handled classified information on 2 daily basis. Jeceived copies of the Presidential Daily Brief (PDB), the dissemination of which was restricted to only the highest positions in the United States Government (U/FEHO) When[_____ heeded to communicate something classified to CLINTON would walk down “Mahogany Row” and talk to CLINTON face-to-face. If C notin OFF office, or on travel, mdb Yreeded to discuss classified information pele contact CLINTON via 2 secure phone or send her a secure memo. (uiFOue| lwas not aware that CLINTON was using a personal_gmail account while she was Secretary oF State, nordi__fecali what address[__}yped in or saw wher]! ent emails to or received emails from CLINTON. jassumed whatever devices CLINTON used to conduct business while she was Secretary of State were approved, because nobody at DoS used devices without approval fas not aware of any DoS policy against using personal or private email accounts to conduct unclassified DoS business. Investignion on _2/32016 ot _Washinsion, File Tao2 Dae ditaed _N/A sf This dacoond contains nother recorsmendations not conclusions of the FBI. Tithe propeny ofthe FBT and is loaned to your agency: find is contents are not 1o be disiiasied onside son agenes CUNESPENTIOL bé Bre be BIC be Ic be pic Bé Bic ba STE 6 pre FD-3028 (Rev. 1046-95) ConimaiionofFD-302 or __ineriew off] On 20,2016, Page (W/FOHE} On a few pcagons| sl with CLINTON. However, the majority of iw travel while }was| fas done so 01 wa, 2 (UFOHO) Agents asked Je. 2013 speech to the American Foreign Service Associ (UFOS) lexplained the quote was in response to a. guesionf in regards further explained thet during” — Jprevious assignment to Dos Thad access to unclassified systems of am 40 how business had changed at DoS since| PRESIDENT. CLIN’ fministration nobody at DoS Blackberries didn't exist, and unclassified computer systems were not yet installed at DoS. The only way imunicate during that time period was via cables and on the telephone. In contrast, when returned to DoS in] SIPRNet, SWICS, and Unclassified computers, as well as unclassified Blackbertes, and secure iPads the above statement,]was trying to explain how technology has allowed for a jad access to GEfferent form oF information flow, and ultimately sped up the way in which DoS does business (uireve| further i st above inf__po13 speech, was unclassified, snot implying thar Mformaton CLINTON may have been communicating classified material on her Blackberry concerning the unclassified matter. (UIFORE) It was] lopinion that cured at DoS takes security very seriously and understands the importance of protecting sources and methods inks there is a misconception about how DoS classifies documents, and further explained that generally the only way to discuss topics with Foreign Partners is via unclassified channels, or in very s sensitive cases, by making arrangements to meet in person at Embassies or at DoS. Since there isn't a classified system that allows DoS to communicate with its foreign counterparts, conversations thet are hel unclassified channels are later “up-classified” to Secret to protect the information (W/FOHO) In defense of DoS practices shared a ston }é with foreign partners in concerning ieraction with then FBI Deputy Director MARK GIULIANO, wherei| — |state___Inieracted frequently with GIULIANO via email stated] fhad the upmosrrekpect for GIULIANO, but believed if was to review{ __|mnclassified email exchalT¥es with GIULIANO ould find emails that some woul consider sensitive, RPSL be Ic be prc be prc 26 pic 6 BIC bé bye be Ic bs Ie FD-3028 (Rev. 1046-95) Contimaiion of FD-502 oF _Inteniewo On 20,2016, Page bs bre (U/POBO) Wher] received a request to produce documents in response to Freedom of Information Act (FOIA) inquires] }lso queried and produced emails from [personal Gmail account that ictermined were “even remotely related 10 work.” [sometimes sent short be emails tof__Family via Gmail whil as on travel and felt that if] peferenced negotiations or bre anything Concerning] Jrole at DoS] should produce the dogumentism an abundance of caution further Explained that it frastot uncommon for_Johavetousd personal Gmail Account 7 communicate while on travel, because there were offen times|__ ould no: access her DoS unclassified account ould try to copy her DoS email account on any Dos related communication way have sent from her Gmail account sre concerning a potential hack of an snail accounts (DoS or personal) or MEemail accounts of other DoS employees. However fexplait ped pes sure people tried to hack into[ personal email account and the accounts of] eam approximately two years ago durin in the Tran negotiations. Specifically, received a similar email [reported the Incident to DoS Diplomatic Security who reportedly traced the emails back t0 4] Bl per Dos (U/IFOLS) A copy of the original interview notes are attached in a 1A envelope, (Uiteede)[____]was not aware of any specific instances wherd __ received notification Be v of f FD-3028 (Rev. 1046-95) ALL PAL INZORMATICK cOUMAIIED “ke HEREIN TS UNCLASSTFTEC CATE 98-13-2018 BY C7evaaRe4 WSICG FEDERAL BUREAU OF INVESTIGATION Date of wanscription 09/17/2015, (WiFOHO) date of birt ] was interviewed at the offices of PLATTE RIVER NETWORKS (PRN), 5700 Washington Street, Denver, Colorado 80216, by Federal Bureau of Investigation (FBI) Special Agents (SAY andl Also present during the interview were| faliomey, U.S Department of Tastice an attorney at [After being advised of the identity of the interviewing agents, and the nature of the interview] |provided the following information: (UiFOO) In mid-2013] Jwas selected to provide technical support on a contract PRN had acquired for the management OF @ new server used solely for email exchange for domains and accounts associated with BILL CLINTON, HILLARY CLINTON and their aides under the PRN account name CESC (CESC client) knew the company InfoGrate to be the contact who initiated the PRN contract with the CESC elient lunderstood the CESC client was already using email domains hosted on a server out of their residence in Chappaqua, New York, and in order to effect the transition to the PRN managed new server In stand the needs of the client and the configuration of the server being hhoused in Chappaqua, fe put in contact with BRYAN PAGLIANO, wh |understood to be the administrator of the server in Chappaqua PAGLIANO grantet remote administrator access to the server under the administrator user name C4 and in mid-2013, logged in to the server at Chappaqua. (uFeve)[_____] described the physical equipment comprising the email server at the Chappaqua residence as a Dell PowerEdge 2900 (PowerEdge 2900) running Microsoft Exchange 2007, a Dell PowerEdge 1950 (PowerEdge 1950) being solely used as a BlackBerry Enterprise Server (BES), Cisco NSS 324 for Network Attached Storage (NAS), a switch, a firewall and a Uninterruptible Power Supply (UPS). The PowerEdge 2900 server hosted the email domain presidentclinton.com, wicotfice com and clintonemail.com, and had 20 to 30 email accounts associated. The PowerEdge 2900 was used exclusively for email, with no file or print options. The PowerEdge 2900 had Microsoft Forefront security and Norton Symantec anti-virus sofiware installed on it_No one but PAGLIANO had administrator rights to the PowerEdge 2900 server| loctieved the Chappaqua residence had Comcast as an Internet Service Provider (ISP) (U/FOUO) In order to effect the transition from the foregoing server equipment in the CLINTON’ s residence in Chappaqua to the new PRN server infrastructure and service, CESC and PRN Invesigation on 00/8013 at __ Dams. Colo tee [Fn Date dctad__N/A »y sf s This dacoond contains nother recorsmendations not conclusions of the FBI. Tithe propeny ofthe FBT and is loaned to your agency: find is contents are not 1o be disiiasied onside son agenes be Ie 26 bre be pie bo BE be bre FD-3028 (Rev. 1046-95) Continuaion of FO-302 of _Imenie On LW/130015, Page 2 arranged a time to power down the equipment in Chappaqua, transport it to a data center and migrate the existing email accounts and domains to the new server infrastructure being provided by PRN (U/FOO) On or around 06/22/2013, and based on an infrastructure plan as part of Service Level Agreement (SLA) to provide the CLINTONs with new hardware, aPRN employee, setup a Dell PowerEdge 620 (PowerEdge 620), two PowerConnect 2824 switches, two Fortinet firewalls and a Datto SIRIS 2000 (DATTO), and hooked them up in a rented space at Equinix, a date center located in Secaucus, New Jersey. (U/APOH6) On 06/23/2013[_____ traveled to the CLINTON residence in Chappaqua and picked up the PowerEdge 2900, the Powerbdge 1950, and the NAS, while leaving the switch, firewall and UPS at the residence| {cansported the equipment to the same rented space at Equinix as the PowerBidge 620, where| plugged in and networked all the equipment to get it back online in order to provide CESC with continued email access plugged in the NAS, but according to ‘no email archiving or back-up was on it and it appeared to only have install files. The NAS Gas norconigured to achive ema by oeor PRN atany bine Tchan ged the mal exchanger (MX) record to specify the transition to the new IP address and configuration at Equinix. (U/PERE) On or around 06/30/2013. Tbegan the email migration for all CESC accounts from the PowerEdge 2900 to the PowerFdge 620] performed this by right-clicking on individual mailboxes and migrating them over one at a time stated he brought over the entire content of all the mailboxes from the PowerEdge 2900 to the PowerEdge 620 as there was no way to doit “piece meal” ot partially, Jdescribed the migration process as more of a “sync” and once the servers “agree” that the mailbox is moved, the mailbox is removed from the old server. As a result of the migration, no email content existed on the PowerEdge 2900. During the migration, the PowerEdge 2900 and 620 worked together in the same exchange. where the servers agree that ech email sent or received is an identical copy. Additionally, Jconfigured the PowerEdge 620 to host a Blackberry Enterprise Server (BES) and 2 Domain Controller as virtual machines| explained the Domain Controller as being used for password and authentication requests. The PowerEdge 620 was also running Microsoft Exchange 2010 software, which was ar. upgrade from the software on th PowerEdge 2900. Additionally, as part of the new server infrastructure provided by PRN,| configured the DATTO back-up device to take multiple snapshots of the server a day that purged at 60 day intervals[______ also configured both sets of firewalls and switches for redundancy in case one went down, Afler several days of migration, the PowerEdge 620 had all email mailboxes migrated to it and was processing email on Microsofi Exchange 2010 for the email domains presidentelinton.com, wjcoffice.com and clintonemail,com. |was “very confident” that all email had migrated from the PowerEdge 2900 to the PowerEdge 620. At some point later; remembers adding the coma to the PowerEdge 620. After total migration, PRN decided to keep the PowerEdge 2900, 1950 and NAS mmning, even though it was no be prc Be 7c 6 pre be 7c FD-3028 (Rev. 1046-95) Contisuuion of FO-302 of _Imeniew off On 9152013, Pave 3. longer processing email, in order to ensure email was being delivered without failure through the PowerEdge 620. There was no official user security policy 10 have an account on the PowerEdge 620. registered the Secure Sockets Layer (SSL) certificate for the domains hosted on the PowerEdge 620. Additionally, PAGLIANO ae credentials for the clintonemail.com domain, registered at Network Solutions (UPOVO) On or around 12/2013, PRN made the decision that email delivery was working well afier the migration from the PowerEdge 2900 to the PRN managed PowerEdge 620. In order to power down the PowerEdge 2900] stated Microsoft Exchange 2007 would need to be uninstalled from the PowerEdge 2900, or the PowerBdge 620 would generate error messages. uninstalled Microsoft Exchange 2007 from the PowerEdge 2900 by clicking on uninstall and following the system prompted checks to ensure there were no ties between the PowerEdge 2900 and the PowerEdge 620 and no active mailboxes were on the PowerEdge 2900. From that point on, the PowerEdge 2900, 1950 and NAS sat disconnected in the cage at Equinix until the FBI picked up the PowerEdge 2900 on 08/12/2015. The uninstallation of Microsoft Exchange and powering down of the PowerEdge 2900 was an action taken by PRN as stendard protocol without order or direction from the CESC client (Ui/FOWE) Based on his experience described PAGLIANO'S set-up on the PowerEdge 2900 as a standard email setup, Iso described his set-up on the PowerEdge 620 as standard. Moreover, described that email messayes accepted by the PowerEdye 620 ‘would first go through MX Logie, « third party company that removes viruses and spam defore sendin the message through Giglinx, the Internet Service Provider (ISP) at Equinix, From there] could not recall ifthe enaail would go through CloudJacket or the firewall, but he knew they were in succession. CloudJacket was an appliance used for intrusion prevention on the PowerEdge 620. Cloudlacket had pre-configured settings that would block or blacklist certain email traffic it identified as potentizlly harmful. Occasionally, Cloudacket would send email notifications & as the system administrator, prompting him to block certain IP addresses. described these notifications as normal and could not recall any serious security incident or intrusion attempt that he was aware of _______ ould not identify any IP addresses, or their country of origin, that were involved in a brute force attack (BFA) against the PowerEdge 620. Email traffic would then go through the switch and to the PowerEdge 620 where it would be processed by Microsoft Exchange 2010, Adéitionally, installed Trend Micro AntiVirus and later, Webroot AntiVirus. (WifFove[____]stated the CESC client originally requested to encrypt email such that 1no one but the user Could read the content, This, ultimately, was not the way the email was configured s that system administrators could troubleshoot all problems occurring within user accounts| recalled] faq| i jas having system administrator rights to the Powerbdge 6 Bre 6 BIC Be pic 6 bre be Bie FD-3028 (Rev. 1046-95) Continwion of FO-302 of __tueniew of]. On LW/130015, Page 4 be pie 620, although believed he handled almost all issues entirely[____]was seldom used, if at all, for work om CESC. System administrators could move mailboxes, change and reset passwords, and sometimes view emiail for archive searches wien the users didn't have the time and CESC requested PRN complete the task. After PRN took control of the server, the CESC client never requested another individual have administrator access|____|stated BRYAN PAGLIANO's password for the be PowerEdge 2900 was changed and he did not have access to the PowerEdge 620. The CESC client did pre request 24 hour access to someone wito could assist with any issues that should arise regarding their email accounts. In order to meet this request, PRN contracted with Level Platforms or Managed Workplace, « third-party company used for troubleshooting and help desk related issues for any late night or off-hour requests thaf Jcould not handle. The third-party company did not have administrator access to the server or email content, but could provide assistance with troubleshooting devices, connectivity to the server and password resets tated the help desk service was not used often and the CESC client would contact him directly jwas unsure, but thought the third party help desk service was no longer contracted with PRN for CESC client help. (U/P@HO) In oF around 02/2014[_______] was contacted by someone from CESC, that he recalled as [Last Name Unknown (CNU), informing him that she was going to ship him a MacBook containing a folder with od HILLARY CLINTON emails. recalled no other identifying information regarding the MacBook, Tecalled the MacBook being shipped via FedEx to his personal residence in| Dut does not recall any other information regarding the shipment. Once| received the MacBook, he identified the folders containing the HILLARY B6 CLINTON email and recalled five subfolders being labeled 2009 through 2014 lid not bre recall the specific HILLARY CLINTON email account the tranche was from created @ local storage folder under the address hrcarchive(@clintonemail com and copied the pst files toit, The account was not configured to send or receive email messages. or someone fiom CESC, requested that only HILLARY CLINT ssociates be granted aecess bu could not recall the names of the a the foregoing MacBook back to ILNU, but recalled nothing about the return shipment (U/fPOBO) In or around 09/2014 was contacted by CLINTON aide CHERYL MILLS requesting] [perform an archive search of all HILLARY CLINTON email, during her tenure as Secretary of State, from 01/2009 to 02/2013, sent to or received from an email address ending in gov. It was originally requested att doa the foregoing archive search toa DVD and be FouEx ito CHERYL MILLS. Instead oMha Ganemitall_—Jeonductod the foregoing achive Ste search, zipped the resulting pst email files, encrypted them with AES256, and used a Secure File Transfer Protocol (SFTP) to transfer the files to the workstations of CHERYL MILLS and HEATHER SAMUELSON. Additionally password protected the pst files. Sometime shorlly after, CHERYL MILLS contacted Jand asked him to perform another archive search for all email on all accounts in HILLARY CLINTON'S mailbox duing her tenure as Secretary of State FD-3028 (Rev. 1046-95) Continuaion of FO-302 of _Imenie On 91 ¥OM15, Page 5. be 7c lconducted the requested archive search and transmitted it to MILLS and SAMUELSON Using the same process, an SFTP transfer using AES256 encryption to their personal workstations. knew no additional detail regarding the workstations of MILLS and SAMUELSON, bE Additionally, the archive search conducted by| did not contain email from the local storage SIC folder bre: chive@eli com. U/FOHO) In or around 12/2014, Jwas put in touch with an individual named lby someone from the CESC client }nform: |that HILLARY. CLINTON and HUMA ABEDIN were going to have new email accounts on a new domain hosted on another server not administered by PRNE informed|__]that HILLARY CLINTON's new email address was____]@hzcoffice, com and HUMA ABEDIN's new email address was 6 Vithsco‘Tox.com. requested that begin forwarding the email from HILLARY 7c CLINTON’ s bro 7.GicTimiongmail com account, hosted on the PowerEdge 620, to her new ‘Mucoflice. corp, account, hosted on another server unknown to| nor anyone Trom the CESC cliemt, requested jo transfer any archived email 10 the new serve} é BS as nol aware of any detail related to the new server referenced a) to inclade who managed it or what it was being used for. (U//FOPO) In or around 03/2015, lwas contacted by CESC with a request to inventory the CESC mailboxes to determine what exists, where it was stored and how it was backed up. jialked with] to coordinate the request and it was decided| ould BS travel to Equini: ie the PowerEdge 2900, 1950 and NAS contained no email data, Once onsite at pre Equinix, yowered on the PowerEdge 2900, 1950 and NAS and verified no old email data or backups existed. Wher| Jeturned to Equinix in 08/2015 to provide the PowerEdge 2900 to the FBI, he powered it up to check for any email or backup data, The 08/2015 inventory i | ‘was not requested by anyone from CESC and was a step taken by PRN (uFove] stated all email accounts on the PowerEdge 620 had some back-up policy. Everything on the PowerEdge 620 was backed up through the DATTO device by taking several snapshots of the server daily and maintaining the data for 60 days. Additionally, all accounts had some back-up set by the user in their individual email client settings. Users could also archive email locally, by making .pst files on their computer workstation for example| tated the server just presents the email to the user ~ after that, the user could do whatever they want with the email. did not know what any CESC client individual email user's setting was, Additionally, in or around 08/06/2015, PRN was made aware that DATTO was syncing with the DATTO cloud and storing email Gata related to CESC off-site, This off-site logging to DATTO's datacenter was niot requested by PRN or CESC. Once the DATTO offsite logging was discovered, DATTO cisabled the offsite logging feature leaving DATTO with 60 days of CESC email back-up from the day it was disabled believed DATTO was preserving the offsite email data. be Ic FD-3028 (Rev. 1046-95) Continuaion of FO-302 of _Imenie On 0132015, Page __ 6 zl |was shown a list of CESC email accounts provided to the FBI by PRN, recognized most of the email accounts and knew that some were added and deleted Throughout the life of the contract, but couldn't give a timeframe for the addition/celetions and wasn't aware of all of the users for each account. Additionally! was unaware of the devices used by each user. When CESC users would acquire a new mobile device, they could configure it themselves due to Microsoft ActiveSync technology on the mobile device. On rare deeesionsf would have to assist old blackberry users with synchronization with the BES (U/#OHO) PRN set-up a share folder on the PRN network for all documentation related to the CESC client] believed PRN took this step to limit the individuals at PRN that had access to information regarding the CESC client cuiFeve] believed that PRN never used the company TechnotRescue to recycle any equipment related to the CESC account| Jpetieved that PRN never used Veeam software cor service to backup the PowerEdge 620. (U#FEBO) PRN never took action to purge or delete CESC email data from the PowerFidge 620 or DATTO. CESC never requested that PRN purge of delete email data associated with their account (uirredey| was aware of no discussions with CESC regarding classified formation or retention of federal records Bé Bic Be pie bs BIC 6 Bre 6 BIC UNCLASSIFLED/ Areas ALL FRE THFORWATICH ccemanseD HEREIN T= UNGLASSIFZEL cle paRE aa-15-2015 AY coewaanee Ysze6 FEDERAL BUREAU OF INVESTIGATION FD-328 (Rev. 1046-95) Date of wanscription _OV01/2016 (U/FOHO} On Fedruary 18,2016[ _____] ate of birea was interviewed by Federal Bureau of Investigation (FBD Special Agent (SA\ nd SA at the offices of Platte River Networks (PRN), 5700 Washington Street, Denver, CO, Also present for ihe interview were S, Information Technology Specialisy Forensic eee Examine: Department of Justice (DOI) Attorney and| To er being advised of the identily of the Iiterviewing agents and the nature of the interview provided the following (UU) MONICA HANLEY contacted! via email on or about February 2014 regarding email belonging to HILLARY CLINTON. The email was stored on a Macbook and CLINTON did not want to lose the email, so HANLEY requested| lransfer it to the Climton Executive Services Corporation (CESC) server (Server) managed by PRN, The Server housed four virtual bé machines: a Microsoft Exchange server, a BlackBerry enterprise server, an administrative server, and @ bre domain controller. Do dattempted to accomplish the task via a remote session using 2 remote support application called SereenComnect. However ‘was unable to import the files using SoreenConnect since the email was stored in the Macbook’ s Mail program. Therefore] had HANLEY ship him the Macbook so he could import the mail files manvally. (W/O) Upon receipt of the Macbook | Trevienes the files and noticed there were several mail folders and each was labeled with a different year from 2009-2013. He then conducted 4 Google search to idemify an appropriate method for converting the Mac Mail files into .pst files, believed he used Gmail 2s a way to convert the Mac Mail files to a format that could be ported into the Microsoft Exchange server. Once the conversion was complete, he created a new bs mailbox named HRC Archive. It was likely a regular Microsofi Exchange mailbox that could send and bre receive email did not recall who had access to the mailbox, Once the import onto the Server was successful, he deleted the email from the Macbook, but did not use any data wiping tools on the Macbook. never deleted the HRC Archive mailbox from the Server and believed it should stil] exist there today; however, users with access t0 the mailbox could have altered its contents, Investgionon _o24gzuLs __at_Daner Cola 3 Fite # _f Fite Date dictated N/A Te esa] 2s bic “This dacuneny contains neither recommendations Nor conclusions OF the FB]. 118th propery ofthe FB and és losaed to your agency: ‘andl conten ate not Lobe distibuled ontse your agen UNCLASSIFIED/ /eue- UNCLASSIFIED//FO8e- FD-328 (Rev. 1046-95) Contimation of FD-302 ot haus of n OB BON6 Pa (U/FOBS) In April 2014, Fremotely instructe: ow to access the HRC Archive mailbox using Microsoft Outlook on her computer likely provided this assistance using the ScreenConnect application, (U/MOVO) After reviewing several documents dated in and around July 23,2014.) stated in July 2014 he had ¢ conversation with CHERYL MILLS during which she requested Jexport a pst file with all email in CLINTON’ s mailbox that was sent to or received from a gov email address (July Export), After reviewing ¢ list of pst files modified in or around the same time, ES onined he might have attempted the July Export using different tools, such as Outlook or PowerShell, He did not recognize the file name export.pst_ After completing the July Export and verifying it would open correctly in Outlook, burned DVDs of the files and arranged for a FedEx pickup the next day, However, MILLS susequently requested a secure electronic transfer of the files insiead of shipping physical media, Once the secure electronic transfer was complete] Gestroyed the DWDs by breaking them in half (U/POVO) After reviewing a July 24, 2014 email fom BRYAN PAGLIANO regarding a regular expression text editor] lexplained when a user changes his or her email address, Outlook updates the old email address with the new email address. MILLS was concerned CLINTON 's then- current email address would be disclosed publicly and would be different from the one CLINTON was using at the time the emails were actually sent. ee PAGLIANO discussed using a regular expression text editor to find and replace the new emai] address with the old, but the tool could not accomplish the replacement, (umeBe) used the email address[____________ gmail.com as an account to test email flow when he worked on the Server. It was a"dummy” account he used to test email issues for various PRN clients. (U/FAVO) After reviewing work tickets from July 29-30, 2014, stated the SoreenConnect remote sessions with MILLS and HEATHER SAMUELSON were for the purpose of transferring copies of the July Export to their Windows workstations, Prior to the transfer! password-protected the .pst, then placed it in an Advanced Encryption Standard (AES) zip Sle. The ScreenConnect tunnel was also encrypted, resulting in three layers of protection. (U/POHO) After reviewing an invoice dated August 12, aor] Joated he assisted SAMUELSON in reconnecting to the July Export archive (UiFOHO) After reviewing a work ticket dated September 29, 2014 and invoices df September 30, 2014 and October 1, 2014] stated he spoke with MILLS about a new email archive export (September Export) could not recall if the Septe: consisted of the complete live mailbox belonging to CLINTON, the exported emails from 1 UNCLASSIFIED/ Ano¥e be 7c 6 BIC bé pic be 7c Be 7c be pre be pre UNCLASSIFIED//e8e FD-328 (Rev. 1046-95) Continuation of FD-302 af __Intervie On 2/18/2016. Page Archive mailbox, or both, The September Export was several gigabytes in size. did not place any limitations or delete any content from the September Export (U/FOBO) After reviewing a work ticket dated November 18, 2014] stated he worked with SAMUELSON to reestablish her connection to an archive of CLINTON 's emails. could not recall ifit was to the July Export, the September Export, the live HRC Archive mailbox, or something else. UNIFOUO) After reviewing a work ticket dated November 24, 2014 and an email dated the same day stated he participated in an urgent call with SAMUELSON regarding more specific export requizements, He could not recall the details of the conversation, ‘U/FGHO) After reviewing an administrative server log file from November 24, 2014, jexplained he used Microsoft Outlook on the administrative server to test any pst file exporis he created for CESC. The testing consisted of opening the pst files to ensure they loaded into Outlook correctly + Regarding Outlook Office Alert event log entries indicating 2 mailbox and a “gov export” folder were deleted[_____kpeculated they were deleted because they were no longer needed on the adminisirative server. * Regarding the log eniry referencing “huma-gmail-yahoo pst Ink," taied HUMA ABEDIN requested her email from Gmail and Yahoo be imported into her mailbox on the Microsoft Exchange server. [ould not recall when ABEDIN requested this assistance. (UiFOLO) After reviewing a document where “HRC Archive" is referenced in the Windows Messaging Subsystem profile for____tmp, stated he believed this file to be a reference related to the transfer of email from the Macbook he received from HANLEY described above. Specifically ____pelieved he used the Gmail account1_________ gmail.com to effect the transfer fo the HRC Archive mailbox. He might have used the Macbook for this process, but probably used the Server (FORO) After reviewing emails dated December 10, 2014 and December 12, 2014, as well as work tickets regarding December 9-10, 2014 telephone calls with MILLS and SAMUELSON, stated they wanted the last 60 days of email for CLINTON and ABEDIN in new accounts that were not on the Microsoft Exchange server, but did not request the migration of any other content. (UiPOHO) After reviewing an email dated December |1, 2014 with the subject [ine “RE: 2 items for IT support,” and a December 12, 2014 work ticket referencing email retention changes and archivefemail cleanup] stated his reference in the email to". ..the Hilary [sic] coverup [sic] UNCLASSIFIED/ /PeBe— 6 Ic be bre bé Bre be pre Bé BIC Be pic Be pic Bé Bic UNCLASSIFIED/ /Fe80 FD-328 (Rev. 1046-95) Coutimationof F0-392 of _inersiew si] __. on ngna0i6. Page __4__ operation...” was probably due to the recently requested change to a 60 day email retention policy and the comment was 2 joke, He did not recall the prior retention policy (U/FOHO) Afer reviewing a work ticket dated January 5, 2015, referencing a remote session with MILLS and SAMUELSON, stated the session was possibly to remove the July Export ot September Export pst files from their workstations, (UiFEYO) After reviewing a Server Loe entry fiom January, 5, 2015, noting the installation of Ontrack PowerControls (PowerControls), stated PowerControls was the software utility ‘bundled with the Datto backup device empl f the CESC Server architecture, Its used for Microsoft Exchange server restoration, bu cid not recall ever taking any actions with it (U/FORO) After reviewing a document identifying the “Last Written Time” as January 6, 2015 for “HRC gov email Archive pst, HRC gov emails pst, HRC gov emails pst, and export pst,” |staied Outlook updates the modification time and date for any pst files attached to a mail account when the program is opened (L/S) After reviewing an email dated January 7, 2015 containing a list of mailboxes on the CESC server, stated he believed the HRC Archive mailbox should still be on the Server in the possession OF He PBI. He did not know why it would not be on the server and said he would check the current server for the existence of an. iailhox. Users could control the content of a nailbox, but not the existence of it, Only| nd had the capability to login to the Server as an administrator and remove & mailbox stated he did not remove the mailbox, nor did anyone request he remove the mailbox. (UiFOL) After reviewing administrative server log entries ranging from January to October 2015, referencing multiple Google Apps stated the office of used Google Apps for business, so he used Google migration tools to pull the email accounts of users from her office to the ange server. January 2015, however, was not the correct timeframe for that migration and did not recall what he might have used Google Apps for in January 2015, (uh Jgwing an email dated March 5, 2015, referencing] from Security Pursuit, stated he did not know Jand did not recall implementing any new security features during that timeframe, (U/FORO) After reviewing an email dated March 3, 2015, referencing a .pst file containing all of “HRC’s emails to/from any gov addresses,"[___] stated he used filters based on sending and receiving email addresses, as well as a date fifer for CLINTON'S time as Secretary of State to produce the July Export, UNCLASSIFIED/ e8e be prc 6 BIC be 7c bé Bre 6 BIC 6 pre be Bic Be BIC UNCLASSIFIED/ BeHe- FD-328 (Rev. 1046-95) Contiaaion of FD-302 of _interiew: of]. _. on ganas. Page __$_ coe After reviewing an email dated March 5, 2015 with the subject line “RE: Share,” stated the shared drive was located on PRN hardware in Denver, It was a limited access shared drive for individuals working with CESC. (U/POTO) After reviewing an email dated March 5, 2015 with the subject line “RE: CESC Firewall, stated“. HIRC's backup device...” referred to a second mobile device that belonged CLINTON, He did not recall any details about the device, (U//F@O) After reviewing a document with information conceming “export pst, HRC archive — complete pst, and hrearchive@clintonemail com - HRC srohiveos ee heed, based on the Last Written Time in the registry, that export pst existed on the administrative server as of March 7, 2015. He did not recall when it was removed or who removed it from the administrative server. (WAPOA) Atter reviewing work tickets from March 7-8, 2015._____]stated he determined the Cisco Network Attached Storage device brought to the Equinix data center when PRN took possession of CESC’s predecessor server and associated equipment did not contain any email conten: PAGLIANO had used it for extra storage and it only contained BlackBerry server logs. did not kaow what was on the external USB hard drive that was also part of the predecessor server architecture. PRN did not use either device as part of the Server architecture they designed and implemented. (us After reviewing an email dated March 9, 2015 with the subject line “Re: Email/Data Systems,” wherel lis listed as one of the recipients, stated he did not recall seeing the preservation documentation from DAVID KENDALL referenced in the email the movement of email for MILLS, stated MILLS did not have an account on the Server and he could not recall what work he might have done for MILLS, MILLS occasionally contacted with problems related to her personal email account, so the work tickets may have been of (U/PORO) After reviewing wor tickets dated March 10, 2015 and March 12, 2015, referencing, that nature. stated he had no recollection of the call or what it wes abou hen reviewed an email dated March 25, 2015 with the subject line “Clintons” and a work ticket dated March 31, 2015 referencing a conference call with KENDALL end MILLS. Atthis point in the interview] —__] PRN's counsel, advised not to answer any questions related to conversations Wh RENDALL besed on] [protections under the Fifth Amendment (UIMOTO) After reviewing an email dated March 25, 2015 with the subject line “CESC call,” (UNFOYO) After reviewing log files dated March 31, 2015, referencing multiple manual deletions from the Datto server used to backup the sener[ puted ‘he did not recall UNCLASSIFIED/ /Beue— be BIC bé Ie Be pie be prc be prc Be pie be Ic Be 7c be bre UNCLASSIFIED//Be¥e FD-328 (Rev. 1046-95) Coutimation of FD-32 of _Imersiew aff]. On zit8.2016. Page _ 6. forming the deletions, nor did he recall being asked to delete backups from the Datto server. ee enther stated everyone at PRN has access to the Datto client portal, which is used to manage the backups for all of PRN's clients who employ Datto's services, (UIIFORE) After reviewing log files dated March 31, 2015, referencing the installation of BleachBit on the administrative server] stated he believed he used the program for the removal of .pst files related to the various exports of CLINTON's email discussed above from the administrative server. He took this action of his own accord based on his normal practices as an engineer He did not recall which settings he used, to include the overwrite free space feature later stated he might have used BleachBit on the Microsoft Exchange server because any pst exports would be created there, then moved over to the administrative server and opened to verify the exported pst file worked correctly. (UiFORO) JGoes not recall who or when the conversation occurred, but someone from CESC told him at some point s/he did not want the pst files hanging around and wanted them off of the Server after the export (Ui/FOBO} After reviewing a text document with the first line “June of 2013," stated he did not recall creating the document. However, the statement “PST Files were shredded” is probably a reference to his use of BleachBit U//FOBB) After reviewing log files from the administrative server dated January — October 2015] stated the reference 10 Google Apps Sync on April 4, 2015 was possibly an automatic update to the software. (UMFOBOR After reviewing an email dated April 24, 2015 with the subject line [__]4/27-5/1,” |stated the entry on April 27, 2015 was a calendar appointment related to regular maintenance of the Server and associated equipment UFERO} After reviewing an email dated August 18, 2015 with the subject “RE: email,” stated CESC wanted to verify they had a 60 day retention policy. He believed Imisspoke when ‘ommented on a 30 day retention policy (U/PORD) After reviewing an email dated August 21, 2015 with the subject line “RE: Datto remote access,” and sn email dated August 20, 2015 with the subject line “RE. CESC Datto,” [staied PRN might have received a new Datto server because in the initial setup of the “Original Datto server, it auto synced with the Datto data center and created an offsite copy. The new Daito server would not allow that to happen UNCLASSLFLED/ / PE8O 6 BIC Pe Bre be Ic be Ic Be pic be Ic 6 Bic bs BIC be Bie UNCLASSIFIED/ /Feuer FD-328 (Rev. 1046-95) Coutimationof 70-392 ot _inersiew of] __. on ng1na0i6, Page (U/#OBO) Aer reviewing logs dated September 21-September 26, 2015 ft fcrosoft Exchange server and September 25-October 2, 2015 from the administrative seve oe speculated he may have removed mailboxes attached to Outlook on the administrative server, He was not instructed to delete any user mailboxes on the Microsoft Exchange server in September 2015, nor did he delete any mailboxes. Furthermore, did not do any work with any email exporisin the September 2015 timefame, It was standard practice for| to install OnTrack PowerContro!s on a server because it is required to restore a system froma Datto backup, Additionally ‘would login to the Datto server during regular maintenance appointments to check the a Regarding the October visits to the CESC Datto Control Panel referenced in the logs| lor Iprobably logged into the Datto server using ScreenConnect to verify it was running properly, ScreenConnect was primary method of connecting to the administrative server. (UiiFOBE) id not recall manually running a disk defragmenting utility, but would sometimes do it as part of routine maintenance. (UiFOXO) as shown several other documemts for which le had no information. All documents used during the interview are attached to this communication as a 1A. UNCLASSIFIED/ /#e¥e— Bé BIC Be 7c be pie bs pre UNCLASSIFIED/ /6¥6 FD-3028 (Rev. 1046-95) “ke FEDERAL BUREAU OF INVESTIGATION Date of wanscription 0510120165, (UFO) On May 3, 2016] Platte River Networks (PRN), date of birth f ‘yas interviewed by Federal Bureau of Investigation (FBI) Special Agent (SA\ fand 8) lat the United States Attomey' s Office for the Easter District of Virginia located at 2100 Jamieson Avenue, Alexandria, VA 22314, Also present for the interview were Supervisory Special Agent] Information Technology Specialist/Forensic Examiner [ Department of Justice (DOJ) Attozne [DOF Anton: —— EDVA Attome and EDVA Attome: las well as counsel an After being advised of the identity of the interviewing agents and the nature of the interview| provided the following (U/POHO) In February 2014,[_____] worked with MONICA HANLEY to import an archive of HILLARY CLINTON's email from an Apple MacBook to the PRN-maintained server hosted for the CLINTON EXECUTIVE SERVICES CORPORATION (CESC). This server hosted CLINTON's email account, HANLEY told the MacBook contained old email that only existed on the laptop and HANLEY did not wantto Tose = The email was stored in Mac Mail within folders labeled by year as 2009 Inbox, 2009 Sent Items, 2010 Inbox, 2010 Sent Items, etc. ried to effect the iransfer of the archived email through @ remote session using SereenConneet, but the WiFi connection ‘was intermittent and the MacBook repeatedly turned itself off Therefore, HANLEY shipped the MacBook Oe unaware of a USB flash drive containing an identical set of the email fTes (UiFOBO} tried various tools and Googled for solutions to effectively transfer the email files. Afer researching options,| Jransferred all of the email content to the “dummy” gmail accoun jegmail com, connected the administrative server to the gmail account and used it as a bridge to move the email into a mailbox named hrearchive on the Exchange server. The PRN architecture consisted of a BlackBerry Enterprise server, domain controller, administrative server, and Microsoft Exchange server (PRN server). After the transfer was complete, he Geleted the content from the gmail account and provided the hrcarchive login oredentials to HANLEY or nd demonstrated how to access the mailbox using Outlook Web Access. [did not know i Jor HANLEY provided the credentials to others; however, anyone with the credentials could access the account. Prior to shipping back the MacBook, either Investigation on 05032015 al esandia, Fite | hor Date dictated Ni py sal sa nt cowains noir recommendattous nor conclusious ofthe FBI. Ik is the propery of the FBL and is loaned fo your agency: it ste nt lo be distributed outside your agency UNCLASS I FIED/ /Be86 be Ic 6 bre 6 pre ba bE be prc FD-3028 (Rev. 1046-95) UNCLASSIFIED//$8¥6 Continmuion of FD-342 of, Jervis On 45/03/2016 Pa 2 HANLEY requested the email be deleted from the MacBook, léeleted the files containing the email, but did not use any special tools to remove the files. vided an address for the return shipment of the MacBook and| used either the United States Postal Service or United Parcel Service. WEOUO and| fall had access to the praadmin account credentials to access the PRN server. The [account on the server maintained by BRYAN PAGLIANO was created by PAGLIANO Curing the transition to the PRN server. There was also @ built-in administrator account on the PRN server, bu never used it. handled most day-to-day work tickets for CLINTON 's account, while| andled the physical infrastructure setup and maintenance. Lwas authorized to work on the account and served as a backup tal Jang however, he only handled a few work tickets. left PRN in June or July 2015 and, Based on PRN’ s normal business practice, passwords were changed for all admin accounts. (U/POVO) In July 2014, CHERYL MILLS ematled[Ito schedule a phone call, On the call, MILLS outined tof te needed an export oF a CLINTON’ email sent to oF received from a .gov email address (July Export) for the purpose of #RWidi- ~ them to the United States Departinent of State (State). searched “* gov" in thilive “A” ailbox to find email responsive to MILLS’ request. Afier preparing the export, worked with MILLS and HEATHER SAMUELSON to transfer the export to each of their v orkstations_ This interaction was the first with MILLS, reviously interacted with] jand MILLS served as the primary contact from whiel [took direction for this export and later exports. Jonly interacted with SAMUELSON once or twice beyond troubleshooting her access to the exports, He described MILLS and SAMUELSON as proficient computer users with knowledge of basic programs. (UsFOHE) Based on the direction provided by MILLS as described above, prepared an export of CLINTON's email from her live account on the PRN server. then sed 7-Zip to compress the export and password-protect it. To transfer the export to MILLS and SAMUELSON, he connected to each of their workstations remotely using ScreenConnect and installed 7- Zip. On SAMUELSON 's laptop he also installed Outlook 2013 because she did not have Outlook at that time. After the installation of 7-Zip on both workstations and Outlook 2013 on SAMUELSON' s workstation, 1 the export, and opened the export in Outl. Wherteansfering te fle] ransferred the zip file using Secure File Transfer Protocol (SFTP), unzipped 3k by navigating to it using File->Open->Outlook Data File. ely dropped it on the desktop or in a folder on the C (U/FOVO) In September 2014, MILLS contacted Jind requested an export of CLINTON's entire mailbox (September Export), so| Followed a similar process to the July Export He prepared a .pst file, zipped it using 7-Zip, and transferred it to MILLS and SAMUELSON UNCLASSIFIED/ Pee be prc bé Bic pre bé bre Bé BIC Be pic UNCLASSIFIED//PO¥0 FD-3028 (Rev. 1046-95) CContinsiion of FD-82 of _lenve On {08016 Page 3 through SereenConnect, In the preparation of this export, discussed different options for the transfer based on the size of the file, but ultimately decided on the same process using ScreenConnect as the July Export. MILLS never requested assistance from[______Jin locating CLINTON 's email from January 2009 ~ March 2009 andl wes never aware there was a gap during that timeframe (uiFeve)[______]did not know aa the Ps file provided to the FBI from CLINTON’ s counsel contained the email address {gmail com in the metadata because he beligves he

You might also like