Matthew Edman, one of the expert witnesses in the Kleiman vs Wright case, disagrees.
Edman has a background of assisting law enforcement agencies such as the FBI in various criminal and national security investigations, including the Silk Road case.
First, Edman describes the forged Tulip Trust email that purports to have been sent from Dave Kleiman to Craig Wright in 2011. The original evidence was a scan of a printout, but Wright also provided the original PDF to the plaintiffs as part of discovery. There was also another version of the PDF provided, one where the visible timestamp says 2014. (Note that the linked PDFs are from the court ledger, and have had the relevant metadata stripped out.)
The metadata extracted from the 2014 email PDF contains plenty of information:
The XMP metadata was written by a library compiled on August 23, 2012.
The PDF was created using Acrobat PDF Maker 11 for Microsoft Outlook.
This software helpfully embeds a lot of the email metadata into the PDF.
The email was received on October 17, 2014, at 12:04:57 PM in the UTC+10 time zone (eastern Australia).
The MailFrom field indicates the email was sent by craig@panopticrypt.com (not Dave Kleiman).
The MailTo field shows the same craig@panopticrypt.com as the recipient of the email (i.e. Wright sent the email to himself).
The email headers, embedded in the MailTransportHeader field, contain numerous other indications that Craig Wright was the real sender:
There's a valid DKIM signature for panopticrypt.com, timestamped October 17, 2014.
The first machine in the Received chain to have processed the email as it was being sent was named "PCCSW01" (Craig Steven Wright's PC?) and listed craig@panopticrypt.com as an authenticated sender.
The IP of this machine, 14.1.18.30, is registered in geo-ip databases as being associated with eastern Australia.
The email headers contain contradictory information for when the email was sent:
The Date header (controlled by the sender) claims the email was sent on June 24, 2011.
The X-Mailer header says the sending email client was Microsoft Outlook 15.0. This is Outlook 2013, released in early 2013.
The email attachment was a Tulip Trust PDF that appears to visually match the pages seen in the original scanned printout.
Edman points out that the date inconsistency can be explained if the sender simply changed their computer clock before sending the email, whereas the other headers are added by the servers routing the email, so they will typically record the true date.
Next Edman compares the above to the metadata extracted from the "2011" email PDF, and finds that:
The two PDFs have the same DocumentID, strongly indicating that one is an edited version of the other.
The 2011 email has an embedded modification date of October 22, 2014.
The MailFrom field in this metadata now says dave@davekleiman.com instead of craig@panopticrypt.com.
The email headers had been truncated, leaving only a small portion.
The remaining portion of the email headers matches up against the beginning of the headers of the 2014 email PDF, except a timestamp that used to say "Thu, 16 Oct 2014 20:05:55 -0500" now says "Thu, 24 Jun 2011 20:04:55 -0500". However, June 24, 2011 was a Friday.
There is no way for a computer to make this kind of mistake, so this was hand-edited. Incompetently.
For the lulz, the plaintiffs submit a plain calendar into evidence.
The truncated email headers still include a Return-Path of craig@panopticrypt.com.
The Microsoft SMTP Server that processed the email came out in November 2013.
Clearly, the second "2011" email PDF is a further modified version of the "2014" PDF, trying to make it further look like an email that was actually sent by Dave Kleiman in 2011.
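The header checks Edman describes (a weekday that does not match its date, a sender-set Date far from the server-added Received stamps, a mail client newer than the claimed date) can be scripted. This is an added example, not part of the testimony or the original write-up; the header block is constructed from the values quoted above, and `audit`, `stamp` and the `MAILER_NOT_BEFORE` table are hypothetical names.

```python
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]
# Assumed lower bound, from the text's "released in early 2013".
MAILER_NOT_BEFORE = {"Microsoft Outlook 15.0": datetime(2013, 1, 1, tzinfo=timezone.utc)}

# Constructed headers modelled on the values quoted above; not the actual exhibit.
SAMPLE = """\
Received: from relay.example.invalid by mx.example.invalid;
 Thu, 16 Oct 2014 20:05:57 -0500
Received: from PCCSW01 (14.1.18.30) by mail.example.invalid;
 Thu, 24 Jun 2011 20:04:55 -0500
Date: Fri, 24 Jun 2011 12:04:50 +1000
X-Mailer: Microsoft Outlook 15.0

body
"""

def stamp(value):
    """Split an RFC 5322 date into (stated weekday or None, parsed datetime)."""
    value = " ".join(value.split())  # unfold continuation lines
    stated = value[:3] if value[3:4] == "," else None
    return stated, parsedate_to_datetime(value)

def audit(raw, max_skew=timedelta(days=2)):
    msg = message_from_string(raw)
    # Date is set by the sender's machine; each Received stamp is added by a server.
    fields = [("Date", msg["Date"])]
    fields += [("Received", r.rsplit(";", 1)[1]) for r in msg.get_all("Received", []) if ";" in r]
    findings, parsed = [], []
    for name, value in fields:
        stated, dt = stamp(value)
        parsed.append((name, dt))
        actual = DAYS[dt.weekday()]
        if stated and stated != actual:  # parsers ignore the day name, so check it here
            findings.append(f"weekday: {name} says {stated} but {dt:%Y-%m-%d} is a {actual}")
    claimed = parsed[0][1]
    for name, dt in parsed[1:]:
        if abs(dt - claimed) > max_skew:
            findings.append(f"skew: {name} stamp {dt:%Y-%m-%d} vs Date {claimed:%Y-%m-%d}")
    floor = MAILER_NOT_BEFORE.get(msg.get("X-Mailer", ""))
    if floor and claimed < floor:
        findings.append(f"mailer: {msg['X-Mailer']} did not exist on {claimed:%Y-%m-%d}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

The weekday test has to be explicit because standard date parsers discard the day name, which is why a hand-edited "Thu" on a Friday parses without complaint.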
Edman says he's further looked at the document structure of the PDFs, and found the marker /TouchUp_TextEdit MP in the PDF code, a tell-tale marker of someone having made edits to the PDF such as adding/removing/editing text. This is something of a recurring trait for Wright, as it appears in many documents from him, including the recent manipulated Bitcoin whitepaper. In the case of the "2011" email, the date was manually edited in the PDF.
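The two PDF-level indicators mentioned so far, a shared DocumentID and the /TouchUp_TextEdit marker, can be checked with a short script. This is an added example, not Edman's tooling or code from the original write-up; it assumes the XMP packet is stored uncompressed and content streams are Flate-compressed, and the two "PDFs" are constructed fragments with a placeholder ID, not the exhibits.

```python
import re
import zlib

def xmp_document_id(pdf: bytes):
    """Return the xmpMM:DocumentID from the XMP packet (element or attribute form)."""
    m = (re.search(rb"<xmpMM:DocumentID>\s*([^<\s]+)\s*</xmpMM:DocumentID>", pdf)
         or re.search(rb'xmpMM:DocumentID="([^"]+)"', pdf))
    return m.group(1).decode("ascii", "replace") if m else None

def streams(pdf: bytes):
    """Yield every stream body, inflated when it is Flate-compressed.

    Shortcut: scans to the next 'endstream' instead of honouring /Length.
    """
    for m in re.finditer(rb"(?<!end)stream\r?\n(.*?)endstream", pdf, re.S):
        body = m.group(1)
        try:
            # decompressobj tolerates the end-of-line bytes left after the data
            yield zlib.decompressobj().decompress(body)
        except zlib.error:
            yield body  # not Flate data (e.g. an uncompressed XMP packet)

def touchup_edits(pdf: bytes) -> int:
    """Count /TouchUp_TextEdit marked-content points across all streams."""
    return sum(len(re.findall(rb"/TouchUp_TextEdit\s+MP\b", s)) for s in streams(pdf))

def compare(a: bytes, b: bytes) -> dict:
    ida, idb = xmp_document_id(a), xmp_document_id(b)
    return {"same_document_id": ida is not None and ida == idb,
            "touchup_a": touchup_edits(a), "touchup_b": touchup_edits(b)}

def fixture(doc_id: str, content: bytes) -> bytes:
    """Constructed PDF-like fragment: one XMP stream, one Flate content stream."""
    xmp = f"<xmpMM:DocumentID>{doc_id}</xmpMM:DocumentID>".encode()
    return (b"%PDF-1.6\n1 0 obj\n<< /Type /Metadata >>\nstream\n" + xmp
            + b"\nendstream\nendobj\n2 0 obj\n<< /Filter /FlateDecode >>\nstream\n"
            + zlib.compress(content) + b"\nendstream\nendobj\n")

DOC_ID = "uuid:00000000-0000-0000-0000-000000000000"  # constructed placeholder
PDF_2014 = fixture(DOC_ID, b"BT (Thu, 16 Oct 2014 20:05:55 -0500) Tj ET")
PDF_2011 = fixture(DOC_ID, b"/TouchUp_TextEdit MP\nBT (Thu, 24 Jun 2011 20:04:55 -0500) Tj ET")

if __name__ == "__main__":
    print(compare(PDF_2014, PDF_2011))
```

Searching the raw file for the marker misses it whenever the content stream is compressed, which is why each stream is inflated before matching.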
The defense objects that metadata generated by user input (such as Date fields) should be considered hearsay by a third party. The judge overrules the objection, and the objection is honestly pure nonsense: Edman's testimony does not rely on user-generated metadata fields being accurate. In fact he's doing the complete opposite, pointing out that they have clearly been falsified.
It turns out Wright also provided the email in question in raw form (a .msg file) ahead of the previous June 28 hearing. Edman analyzed the email headers of this file as well. While these headers were more thoroughly manipulated to look like a genuine 2011 email from Dave Kleiman, several things still reveal manipulations:
UNIX timestamps don't match the human-readable dates (October 2012 vs. June 2011).
This email passed through Google servers; the previous email indicated craig@panopticrypt.com was handled by servers running Microsoft software.
According to Edman, the .msg file contained a reference to the email address craig.wright@hotwirepe.com; however, that domain did not exist in June 2011.
The headers of this email are actually from an email sent through Google servers in October 2012, and are completely different from the headers embedded in the previous PDF files.
Edman is asked whether this new .msg file is an authentic email from Dave Kleiman to Craig Wright from June 2011, and answers no. (The defense objects because they don't want this to be taken as a finding that Dave Kleiman did not send an email like this to Craig Wright.) It looks like this new variant of the email was created from some unrelated old 2012 email, instead of the email Wright sent to himself that was used as the basis for the original forgery.
Edman has also analyzed another email provided by Wright that contains the same document ID (indicating it was created by editing the other document). This document purports to be an email from Dave to Craig in April 2013 regarding Dave accepting a role as director of Coin-Exch. (This was three weeks before his death.) The metadata in this PDF is obviously based on and is practically identical to the earlier "2011" email, except the PDF has been edited to contain a different email body. Even the MailAttachments field is still present, even though the printed email in the PDF does not have any attachments.
This email body contains a PGP signature, which has an embedded timestamp of October 23, 2014. This is very reminiscent of the other forged email Wright was caught submitting as evidence (and subsequently withdrew). Edman is asked if he's aware that Dave Kleiman died in April 2013, which the defense objects to as irrelevant. The judge overrules, and Edman gets to explain how this signature cannot possibly be authentic. Further, the key used for this signature has been used and mentioned in other Tulip Trust documents.
Edman next talks about the metadata of a Deed of Trust previously sworn by Wright in this trial, ostensibly created in 2012 but containing font files that were created in 2015. The fonts contain a 2015 copyright notice and also contain timestamped digital signatures from May 22, 2015.
The defense objects to relevance as plaintiffs question Edman about yet another email, but the judge allows it as it pertains to Wright's intent and credibility. This email, purportedly from September 2012, also contains digital signatures, these ones timestamped February 28, 2014 and March 5, 2014 (UTC), and using a version of GnuPG (2.0.20) that was released in May 2013.
Yet another email quotes a purported email from Kleiman to Wright in 2012 containing a list of Bitcoin addresses supposedly held by the Tulip Trust. The signature in this message was timestamped March 2, 2014. "Dave" describes how at least some of these bitcoins are held as paper wallets while others are on a TrueCrypt drive (directly contradicting Wright's later story about a deterministic wallet where the addresses/keys aren't stored but generated from random seeds).
The PGP key used to sign these last couple of emails was 0415E6CBE23FCC2D "Dave Kleiman (Bitcoin so we neer have to wotty about infaltion and easing) <dave@davekleiman.com>" [sic]. (Craig Wright is known to be a poor speller, and many of the forgeries also contain poor spelling.)
There is plenty of other evidence that Craig has submitted forged documents and contradicting statements in court. He'll soon find out how U.S. judges feel about perjury.